<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> Hari Sekhon wrote: <blockquote cite="mid44CDE55B.9000200@googlemail.com" type="cite"> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> <title></title> Eli Stair wrote: <blockquote cite="midC0EF9113.2CC4C%25estair@ilm.com" type="cite"> <pre wrap="">Use CPAN's Net::DHCP::Packet to quickly create a DHCPDISCOVER packet, and IO::Socket::INET to read raw incoming data to port 68, count the number of DHCPOFFER's you get. Set your script output to proper OK/WARN/CRIT state and the number/names of "rogue" servers in the text. Just a suggestion. /eli On 7/28/06 9:40 AM, "Hari Sekhon" <a class="moz-txt-link-rfc2396E" href="mailto:hpsekhon@gmail.com"><hpsekhon@gmail.com></a> wrote: </pre> <blockquote type="cite"> <pre wrap="">I was wondering what the best way of detecting a rogue dhcp server on the network is. I ask because some idiot at work installed vmware with it's dhcp server which stuffed the company laptops which rely on dhcp since they got sent to the wrong subnet. Nagios actually drew my attention to this when troubleshooting because it said 2 DHCP offers received. I'm thinking about writing a shell wrapper to parse the output from the check_dhcp plug-in and raise a warning status if it returns more than 1 dhcp offer. Any other ideas? Hari ------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash <a class="moz-txt-link-freetext" href="http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV">http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV</a> _______________________________________________ Nagios-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a> <a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. ::: Messages without supporting info will risk being sent to /dev/null </pre> </blockquote> <pre wrap=""> </pre> </blockquote> or even easier than that perl I could use a bash wrapper to check_dhcp and check the output from that and raise the warning code if more than 1 offer was received, it seems quicker and easier which is probably what I will do thinking about it.... -h </blockquote> Does anybody have any other ideas regarding checking for rogue DHCP servers on a network. Really there should be an option to this plugin to check if there is more than N offers received and also there should be an option to make sure that the offer is received from the correct server to ensure it hasn't been usurped by another dhcp server. There is already an option to check the address is in the right range, which I guess amounts to a similar thing. If this option can be present then the option to make sure that the address was supplied by the correct server/servers isn't too far a stretch..... Hari </body> </html>