Win XP discover/offer/req/ack loop (Help!)

David W. Hankins David_Hankins at
Thu Aug 24 21:35:33 UTC 2006

On Thu, Aug 24, 2006 at 04:44:37PM -0400, Jeff A. Earickson wrote:
> Do you mean tcpdump from the ISC DHCP server, or some networky
> packet sniffer on the 202 subnet?  Our network guy is contemplating
> the idea that somebody attached a rogue dhcp/wireless/NAT device
> to the 202 subnet and disrupted traffic there.  This issue just 
> started today.  Since it is near the start of school, new people
> and new devices are showing up on our network...

Considering your next most recent message, I think that is highly
likely.  Someone has probably installed a dhcp server that gives
out the 192.168.0.x addresses, and because it is closer to the
clients than your dhcp server, the clients are selecting that
server's OFFERs (hence no visible REQUEST).

I recommend copious use of an aluminium bat.  They're young,
they'll heal.  Wrapping the bat in cloth and bathing it in
broken glass is probably unwarranted, but also highly satisfying.

An easy way to find out, if you weren't already aware, is to visit
the network in question with a laptop that you can tcpdump on
locally.  Do your own DHCP client thing and look at the offers.
Trace the source mac address of the OFFER on the ethernet switches'
forwarding databases to find the culprit.

ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DDNS & DHCP.  Email training at
David W. Hankins	"If you don't do it right the first time,
Software Engineer		you'll just have to do it again."
Internet Systems Consortium, Inc.	-- Jack T. Hankins

More information about the dhcp-users mailing list