A lightweight PowerShell script that detects rogue DHCP servers on your network using tshark (from Wireshark).
It continuously monitors DHCP OFFER and ACK packets and alerts when the responding server is not in your list of trusted DHCP servers.
- Detects unauthorized DHCP servers in real time
- Logs suspicious activity to a file
- Highlights rogue servers in red, trusted ones in green
- Easy to configure with your own trusted DHCP server IPs
- Windows with PowerShell
- Wireshark (for tshark.exe)
- Administrative privileges (required to capture network traffic)
At the top of the script you can configure:
- Authorized DHCP server
- LOG file path
- tshark path
- Interface number (you can find it with tshark.exe -D)
You can test the script with the following utilities:
- Microsoft Rogue Check Tool (sends a DHCP request)
- Tftpd64 (rogue DHCP server)
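
The check described above (classify each DHCP OFFER/ACK by comparing the responding server against the trusted list) can be sketched as follows. This is an added example, not the project's script: the variable and function names, the sample addresses, the log location and the default Wireshark install path are assumptions.

```powershell
# Assumed settings; these names are hypothetical, not the project's own variables
$TrustedDhcpServers = @('192.168.1.1')            # constructed address
$LogFile = Join-Path $env:TEMP 'rogue-dhcp.log'

function Test-DhcpReply {
    param([string]$Line, [string[]]$Trusted)
    # Field order matches the tshark -e list below: type, ip.src, option 54, eth.src
    $type, $ipSrc, $serverId, $mac = $Line.Split(',')
    if ($type -notin '2', '5') { return }         # 2 = OFFER, 5 = ACK
    # A relayed reply carries the relay agent in ip.src, so prefer option 54 when present
    $server = if ($serverId) { $serverId } else { $ipSrc }
    [pscustomobject]@{
        Type    = if ($type -eq '2') { 'OFFER' } else { 'ACK' }
        Server  = $server
        Mac     = $mac
        Trusted = $server -in $Trusted
    }
}

function Write-DhcpVerdict {
    param($Reply, [string]$Path)
    $stamp = Get-Date -Format 's'
    if ($Reply.Trusted) {
        Write-Host "$stamp $($Reply.Type) from trusted server $($Reply.Server)" -ForegroundColor Green
    } else {
        $msg = "$stamp ROGUE $($Reply.Type) from $($Reply.Server) [$($Reply.Mac)]"
        Write-Host $msg -ForegroundColor Red
        Add-Content -Path $Path -Value $msg      # only untrusted replies are logged
    }
}

# Constructed sample records, in the format the tshark command below emits
$sample = @(
    '2,192.168.1.1,192.168.1.1,00:11:22:33:44:55',
    '2,192.168.1.50,192.168.1.50,66:77:88:99:aa:bb',
    '5,192.168.1.50,,66:77:88:99:aa:bb'
)
$sample | ForEach-Object { Test-DhcpReply -Line $_ -Trusted $TrustedDhcpServers } |
    ForEach-Object { Write-DhcpVerdict -Reply $_ -Path $LogFile }

# Live capture instead of $sample (elevated prompt; interface number from tshark.exe -D):
# & 'C:\Program Files\Wireshark\tshark.exe' -i 1 -l -n -f 'udp port 67 or udp port 68' `
#     -Y 'dhcp.option.dhcp == 2 || dhcp.option.dhcp == 5' `
#     -T fields -E separator=, -E occurrence=f `
#     -e dhcp.option.dhcp -e ip.src -e dhcp.option.dhcp_server_id -e eth.src |
#     ForEach-Object { Test-DhcpReply -Line $_ -Trusted $TrustedDhcpServers } | ...
```

The `dhcp.*` field names apply to Wireshark 3.0 and later; older releases expose the same fields under the `bootp` prefix.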