
Finding the DHCP server on the local network

One day, after booting a host in XenServer, I noticed that its IP address had been obtained via DHCP, but the subnet was one I had never configured. I thought about it for a long time and could not recall ever setting up such a DHCP server. What I needed to do was track it down and see which machine was providing the DHCP service. A Google search turned up a packet-capture method, which I verified works.

Check the DHCP client's IP address; it is 172.20.10.54:

eth0      Link encap:Ethernet  HWaddr 00:16:3E:14:0A:74
          inet addr:172.20.10.54  Bcast:172.20.10.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe14:a74/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2657 errors:0 dropped:0 overruns:0 frame:0
          TX packets:188 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:232533 (227.0 KiB)  TX bytes:33943 (33.1 KiB)

Log in to the DHCP client and capture packets with tcpdump, filtering on port 67 (it may also be 68). If you are not sure, first run

netstat -an|grep 67
netstat -an|grep 68

to see which port is currently listening, and give tcpdump's port option the port that is in the listening state. Note that a tcpdump filter of port 67 matches either the source or the destination port, so it picks up both the client's requests sent to port 67 and the server's replies sent from port 67; a filter of port 67 or port 68 catches all DHCP traffic regardless of direction.

Start capturing:

[root@centos ~]# tcpdump -e -i eth0 -nn port 67
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:12:24.805483 00:16:3e:14:0a:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:75, length: 300
09:12:24.806055 00:16:3e:14:0a:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:75, length: 300
09:13:39.274700 00:16:3e:14:0a:73 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:73, length: 300
09:14:36.020156 00:16:3e:14:0a:74 > 14:fe:b5:d9:05:d8, ethertype IPv4 (0x0800), length 342: 172.20.10.116.68 > 172.20.10.230.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:74, length: 300
09:14:36.020564 14:fe:b5:d9:05:d8 > 00:16:3e:14:0a:74, ethertype IPv4 (0x0800), length 342: 172.20.10.230.67 > 172.20.10.116.68: BOOTP/DHCP, Reply, length: 300

The -e option prints the Ethernet source and destination MAC addresses on each line, so the reply line gives both the IP address and the hardware address of the host answering as a DHCP server.

If you have waited a while with this tcpdump command and still no packets appear, you can manually ping some machine to try, for example:

[root@centos ~]# ping 172.20.10.117
PING 172.20.10.117 (172.20.10.117) 56(84) bytes of data.
64 bytes from 172.20.10.117: icmp_seq=1 ttl=64 time=0.367 ms
64 bytes from 172.20.10.117: icmp_seq=2 ttl=64 time=0.157 ms
64 bytes from 172.20.10.117: icmp_seq=3 ttl=64 time=0.172 ms
64 bytes from 172.20.10.117: icmp_seq=4 ttl=64 time=0.159 ms
64 bytes from 172.20.10.117: icmp_seq=5 ttl=64 time=0.157 ms

This way tcpdump captures the DHCP packets, and you can find out exactly which DHCP server is causing the trouble.

As you can see, it turns out that the server 172.20.10.230 is providing the DHCP service; just ssh in and stop the DHCP service!!
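Reading one capture by eye is fine, but on a busy segment it is easier to let a script pick out every host that answers as a DHCP server and compare it against the servers you actually run. The following Python script is an added example, not part of the original post: it parses tcpdump -e -nn lines in the format shown above (the line format is assumed from that output), records every source that sends a BOOTP/DHCP Reply from port 67, and flags any source not on an administrator-supplied allowlist. The sample capture embedded in the script is the output shown in the post; the allowlist address 172.20.10.1 is a constructed placeholder.

```python
import re
import sys

# One tcpdump -e -nn line, as printed in the post (format assumed from that output):
# <ts> <src_mac> > <dst_mac>, ethertype IPv4 (0x0800), length N: <src_ip>.<sport> > <dst_ip>.<dport>: BOOTP/DHCP, Request|Reply ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src_mac>[0-9a-f:]{17})\s+>\s+(?P<dst_mac>[0-9a-f:]{17}),"
    r".*?(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+)\s+>\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+):\s+BOOTP/DHCP,\s+(?P<kind>Request|Reply)"
)

# Constructed sample: the capture from the post, including the two header lines
# tcpdump prints before the first packet (the parser must skip those).
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:12:24.805483 00:16:3e:14:0a:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:75, length: 300
09:12:24.806055 00:16:3e:14:0a:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:75, length: 300
09:13:39.274700 00:16:3e:14:0a:73 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:73, length: 300
09:14:36.020156 00:16:3e:14:0a:74 > 14:fe:b5:d9:05:d8, ethertype IPv4 (0x0800), length 342: 172.20.10.116.68 > 172.20.10.230.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:74, length: 300
09:14:36.020564 14:fe:b5:d9:05:d8 > 00:16:3e:14:0a:74, ethertype IPv4 (0x0800), length 342: 172.20.10.230.67 > 172.20.10.116.68: BOOTP/DHCP, Reply, length: 300
""".splitlines()

# Constructed placeholder: the DHCP server(s) you know you operate on this segment.
AUTHORIZED_DHCP_SERVERS = {"172.20.10.1"}


def parse_line(line):
    """Parse one tcpdump line into a dict of fields, or None for header/non-DHCP lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dhcp_servers(lines):
    """Return {server_ip: {"mac": src_mac, "replies": count}} for every host that
    sends a BOOTP/DHCP Reply from UDP port 67. Only replies identify a server;
    requests come from clients and are ignored."""
    servers = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] != "Reply" or rec["src_port"] != "67":
            continue
        entry = servers.setdefault(rec["src_ip"], {"mac": rec["src_mac"], "replies": 0})
        entry["replies"] += 1
    return servers


def rogue_servers(lines, authorized):
    """Subset of find_dhcp_servers() whose IP is not in the authorized set."""
    return {ip: info for ip, info in find_dhcp_servers(lines).items() if ip not in authorized}


def report(lines, authorized):
    """Human-readable summary; returns the number of unauthorized servers found."""
    rogue = rogue_servers(lines, authorized)
    for ip, info in sorted(find_dhcp_servers(lines).items()):
        status = "ROGUE" if ip in rogue else "authorized"
        print(f"{status:10s} {ip:15s} mac={info['mac']} replies={info['replies']}")
    return len(rogue)


if __name__ == "__main__":
    # Feed a live capture with: tcpdump -l -e -i eth0 -nn 'port 67 or port 68' | python3 this_script.py
    # With no stdin data, fall back to the sample capture from the post.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_CAPTURE
    sys.exit(1 if report(source, AUTHORIZED_DHCP_SERVERS) else 0)
```

Run against the post's capture, the script reports 172.20.10.230 (MAC 14:fe:b5:d9:05:d8) as the only host replying on port 67, which is the same conclusion reached by hand above; adding that address to AUTHORIZED_DHCP_SERVERS makes the report clean. The MAC address is worth keeping because, unlike the IP, it lets you look the offending host up in your switch's forwarding table to find the physical port.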

This article is reposted from the 51CTO blog of taojin1240; original link: http://blog.51cto.com/taotao1240/741760. Please contact the original author for permission to repost.
