-
June 13th, 2006, 09:16 PM
#1
Multicast ISP traffic ?
Hello all,
I have a small question for the network specialists ...
I'm playing around with ethereal on my network every now and then, to learn about networking some more.
Now I see a lot of this traffic:
Now ... Am I correct in assuming this is multicast traffic from my ISP, or can it be some other router-related traffic ... Or something else entirely?
Thanks for any info.
.C.
Back when I was a boy, we carved our own IC's out of wood.
-
June 13th, 2006, 10:46 PM
#2
Hi
IANA actually has assigned the multicast IP addresses[1]
(224.0.0.0-239.255.255.255). Usually, multicast packets
have a TTL of 1, hence they are not routable. Why are
you suspecting your ISP to send you multicast packets?
The sender's IP refers to what? The subnet mask is
255.255.255.254? I have not enough information for
a full analysis, sorry.
Actually, another useful piece of information is the MAC-address
assigned to the packets. These are also assigned[2].
224.0.0.1
224.0.0.1 is the all-hosts group. If you ping that group,
all multicast capable hosts on the network should answer,
as every multicast capable host must join that group at
start-up on all its multicast capable interfaces[3].
It is entirely possible that within your subnet a device
is asking around with IGMP[4].
224.0.1.60
224.0.1.60 is assigned to hp-devices...familiar?
...255.250
Is it 239.255.255.250? Then check out this
thread[5]. In XP, Universal Plug and Play devices are
looked for by the SSDP discovery service using
239.255.255.250:1900. If some device answers, the so-called
control point (your service) learns about the device capabilities,
like its address and discovers the device itself (get URL
for description).
...255.254
Is it 239.255.255.254? Then, you might have a device trying
to discover a MADCAP server[6], which is similar to a DHCP server
for multicast addresses, mainly used for conferencing etc. While
the discovery process for a DHCP server involves a packet to
255.255.255.255 (sender 0.0.0.0), it requires a packet to 239.255.255.254
to have the MADCAP server answering.
And for the paranoids - you might have some crazy malware trying to
discover new target machines using multicast broadcasts.
Cheers
[1] http://www.iana.org/assignments/multicast-addresses
[2] http://www.microsoft.com/technet/com...uy/cg0202.mspx
[3] http://www.tldp.org/HOWTO/Multicast-HOWTO-2.html
[4] http://www.cisco.com/univercd/cc/td/...i.htm#xtocid13
[5] http://www.antionline.com/showthread...r=1#post799358
[6] http://www.windowsitpro.com/Windows/...11/pg/2/2.html
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
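A way to apply the address checks from the post above to destination addresses read out of a capture. This is an added example, not part of the original post; the `KNOWN_GROUPS` table holds only the four groups named in the thread, the function names are illustrative, and the sample (IP, MAC) pairs are constructed.

```python
import ipaddress

# Groups named in the thread (from the IANA multicast address registry).
KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts group",
    "224.0.1.60": "assigned to HP devices (hp-device-disc)",
    "239.255.255.250": "SSDP / UPnP discovery, UDP port 1900",
    "239.255.255.254": "MADCAP server discovery",
}

def multicast_mac(ip: str) -> str:
    """Ethernet MAC for an IPv4 group: 01:00:5e followed by the low 23 bits of the IP."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF
    octets = [0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF]
    return ":".join(f"{o:02x}" for o in octets)

def scope(ip: str) -> str:
    """Classify a group by the IANA block it falls in."""
    addr = ipaddress.IPv4Address(ip)
    if addr in ipaddress.ip_network("224.0.0.0/24"):
        return "link-local (never forwarded by routers)"
    if addr in ipaddress.ip_network("239.0.0.0/8"):
        return "administratively scoped (stays inside the site)"
    return "other (can be routed where multicast routing is enabled)"

def describe(dst_ip: str, dst_mac: str) -> dict:
    """Summarise one captured destination and check that its MAC fits its IP."""
    expected = multicast_mac(dst_ip)
    return {
        "group": KNOWN_GROUPS.get(dst_ip, "not one of the groups in this thread"),
        "scope": scope(dst_ip),
        "expected_mac": expected,
        "mac_matches": dst_mac.lower() == expected,
    }

# Constructed sample pairs, as they would be read from a capture.
SAMPLE = [
    ("224.0.0.1", "01:00:5e:00:00:01"),
    ("239.255.255.250", "01:00:5E:7F:FF:FA"),
    ("224.0.1.60", "ff:ff:ff:ff:ff:ff"),  # mismatch: broadcast MAC on a multicast IP
]

if __name__ == "__main__":
    for ip, mac in SAMPLE:
        print(ip, describe(ip, mac))
```

A destination MAC that does not match the one derived from the group address is worth a closer look, since normal multicast senders always use the derived MAC.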
-
June 13th, 2006, 11:33 PM
#3
They aren't sending you multicast per se, what you see is an IGMP-enabled router. IGMP is what allows you to route multicast traffic. When a router is IGMP-enabled it basically tracks all your multicast groups for you, so that group membership can be shared with other IGMP-enabled routers. You are seeing a query from the router and any hosts that are subscribing to a multicast address would let the router know. A host that no longer wishes to subscribe to the traffic can also send a 'leave' and is dropped from the router's list of hosts subscribed to that group. There may not be any multicast traffic on your segment, but the router is just checking at the configured interval.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
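The query, report and leave messages described in the post above, decoded from the 8-byte IGMPv2 layout (type, max response time, checksum, group address). This is an added example, not part of the original post; the function names are illustrative and the sample messages are constructed with `build_igmp` rather than taken from a capture.

```python
import socket
import struct

IGMP_TYPES = {
    0x11: "membership query",
    0x12: "v1 membership report",
    0x16: "v2 membership report",
    0x17: "leave group",
}

def inet_checksum(data: bytes) -> int:
    """16-bit ones' complement of the ones' complement sum, as used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmp(msg_type: int, max_resp: int, group: str) -> bytes:
    """Build an IGMPv2 message; used here only to construct sample input."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, socket.inet_aton(group))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_igmp(payload: bytes) -> dict:
    """Decode the fixed 8-byte header and verify the checksum over the whole message."""
    if len(payload) < 8:
        raise ValueError("IGMPv2 message must be at least 8 bytes")
    msg_type, max_resp, _cksum, group_raw = struct.unpack("!BBH4s", payload[:8])
    group = socket.inet_ntoa(group_raw)
    kind = IGMP_TYPES.get(msg_type, f"unknown type 0x{msg_type:02x}")
    if msg_type == 0x11:
        # A query with group 0.0.0.0 asks about all groups (the router's periodic check).
        kind = "general query" if group == "0.0.0.0" else "group-specific query"
    return {
        "kind": kind,
        "group": group,
        "max_resp_seconds": max_resp / 10,  # field is in units of 1/10 second
        "checksum_ok": inet_checksum(payload) == 0,
    }

# Constructed samples: router query, host report, host leave.
SAMPLES = [
    build_igmp(0x11, 100, "0.0.0.0"),
    build_igmp(0x16, 0, "239.255.255.250"),
    build_igmp(0x17, 0, "239.255.255.250"),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg.hex(), parse_igmp(msg))
```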
-
June 14th, 2006, 06:21 AM
#4
Allllrighty .... Reading that loud and clear ... This is the explanation I was looking for ... clear and simple.
224.0.0.1 is the all-hosts group. If you ping that group, all multicast capable hosts on the network should answer,
as every multicast capable host must join that group at
start-up on all its multicast capable interfaces[3].
It is entirely possible that within your subnet a device
is asking around with IGMP[4].
224.0.1.60 is assigned to hp-devices...familiar?
Yep
They aren't sending you multicast per se, what you see is an IGMP-enabled router. IGMP is what allows you to route multicast traffic. When a router is IGMP-enabled it basically tracks all your multicast groups for you, so that group membership can be shared with other IGMP-enabled routers. You are seeing a query from the router and any hosts that are subscribing to a multicast address would let the router know. A host that no longer wishes to subscribe to the traffic can also send a 'leave' and is dropped from the router's list of hosts subscribed to that group. There may not be any multicast traffic on your segment, but the router is just checking at the configured interval.
Thanks for the clarification guys, much appreciated. ... I better check my network config ... Who knows, it might even be from my own setup (It probably is)
Thanks again !
.C.
Back when I was a boy, we carved our own IC's out of wood.