Multicast ISP traffic ?

  1. #1
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491

    Multicast ISP traffic ?

    Hello all,

    I have a small question for the network specialists ...

    I'm playing around with Ethereal on my network every now and then, to learn some more about networking.
    Now I see a lot of this traffic:



    Now ... am I correct in assuming this is multicast traffic from my ISP, or can it be some other router-related traffic ... or something else entirely?

    Thanks for any info.

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi


    IANA actually has assigned the multicast IP addresses[1]
    (224.0.0.0-239.255.255.255). Usually, multicast packets
    have a TTL of 1, hence they are not routable. Why are
    you suspecting your ISP to send you multicast packets?
    The sender's IP refers to what? The subnet mask is
    255.255.255.254? I don't have enough information for
    a full analysis, sorry.

    Actually, another useful piece of information is the MAC address
    assigned to the packets. These are also assigned[2].



    224.0.0.1

    224.0.0.1 is the all-hosts group. If you ping that group,
    all multicast capable hosts on the network should answer,
    as every multicast capable host must join that group at
    start-up on all its multicast capable interfaces[3].

    It is entirely possible that within your subnet a device
    is asking around with IGMP[4].

    224.0.1.60

    224.0.1.60 is assigned to hp-devices...familiar?


    ...255.250

    Is it 239.255.255.250? Then check out this
    thread[5]. In XP, Universal Plug and Play devices are
    looked for by the SSDP discovery service using
    239.255.255.250:1900. If some device answers, the so-called
    control point (your service) learns about the device capabilities,
    like its address and discovers the device itself (get URL
    for description).

    ...255.254

    Is it 239.255.255.254? Then, you might have a device trying
    to discover a MADCAP server[6], which is similar to a DHCP server
    for multicast addresses, mainly used for conferencing etc. While
    the discovery process for a DHCP server involves a packet to
    255.255.255.255 (sender 0.0.0.0), it requires a packet to 239.255.255.254
    to have the MADCAP server answering.

    And for the paranoids - you might have some crazy malware trying to
    discover new target machines using multicast broadcasts


    Cheers

    [1] http://www.iana.org/assignments/multicast-addresses
    [2] http://www.microsoft.com/technet/com...uy/cg0202.mspx
    [3] http://www.tldp.org/HOWTO/Multicast-HOWTO-2.html
    [4] http://www.cisco.com/univercd/cc/td/...i.htm#xtocid13
    [5] http://www.antionline.com/showthread...r=1#post799358
    [6] http://www.windowsitpro.com/Windows/...11/pg/2/2.html
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
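The triage described in post #2, as an added example that is not part of the original post: it labels each captured destination group, gives its scope, and checks the destination MAC against the standard IPv4-multicast mapping (01:00:5e plus the low 23 bits of the group). The capture rows, source addresses and function names are constructed for illustration.

```python
import ipaddress

# Groups discussed in the post above, with their IANA registry roles.
KNOWN_GROUPS = {
    "224.0.0.1": "all-hosts group",
    "224.0.1.60": "hp-device-disc (HP device discovery)",
    "239.255.255.250": "SSDP / UPnP discovery (UDP 1900)",
    "239.255.255.254": "MADCAP server discovery",
}
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # never forwarded by routers
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")  # kept inside the site

def expected_mac(group):
    """Ethernet address for an IPv4 group: 01:00:5e plus its low 23 bits."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def scope(group):
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        return "not multicast"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ADMIN_SCOPED:
        return "administratively scoped"
    return "routable multicast"

def triage(rows):
    """Label each (source IP, destination IP, destination MAC) capture row."""
    out = []
    for src, dst, mac in rows:
        out.append({
            "src": src,
            "group": dst,
            "role": KNOWN_GROUPS.get(dst, "not in table, check the IANA registry"),
            "scope": scope(dst),
            "mac_matches": mac.lower() == expected_mac(dst),
        })
    return out

# Constructed rows (documentation addresses, not the poster's capture).
SAMPLE = [
    ("192.0.2.1", "224.0.0.1", "01:00:5e:00:00:01"),
    ("192.0.2.20", "224.0.1.60", "01:00:5e:00:01:3c"),
    ("192.0.2.30", "239.255.255.250", "01:00:5E:7F:FF:FA"),
    ("192.0.2.40", "239.255.255.254", "ff:ff:ff:ff:ff:ff"),  # frame/IP mismatch
]
```

A row whose `mac_matches` is false carries a multicast IP inside a frame that was not addressed to the matching multicast MAC, which is worth a closer look in the capture.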

  3. #3
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    They aren't sending you multicast per se, what you see is an IGMP-enabled router. IGMP is what allows you to route multicast traffic. When a router is IGMP-enabled it basically tracks all your multicast groups for you, so that group membership can be shared with other IGMP-enabled routers. You are seeing a query from the router, and any hosts that are subscribing to a multicast address would let the router know. A host that no longer wishes to subscribe to the traffic can also send a 'leave' and is dropped from the router's list of hosts subscribed to that group. There may not be any multicast traffic on your segment, but the router is just checking at the configured interval.

    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
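The query, report and leave exchange described in post #3, as an added example that is not part of the original post: it decodes 8-byte IGMPv2 messages, verifies their checksum, and replays them into a list of queriers and a group membership table. The sample messages and source addresses are constructed; IGMPv3 reports use a different layout and are not handled.

```python
import socket
import struct

# IGMPv1/v2 message types (first byte of the 8-byte message).
QUERY, V1_REPORT, V2_REPORT, LEAVE = 0x11, 0x12, 0x16, 0x17

def checksum_ok(msg):
    """The one's-complement sum over the whole message must fold to 0xFFFF."""
    words = struct.unpack("!%dH" % (len(msg) // 2), msg)
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_igmp(msg):
    """Decode one IGMPv2 message: type, max response time, checksum, group."""
    if len(msg) != 8:
        raise ValueError("expected an 8-byte IGMPv1/v2 message")
    mtype, max_resp, _cksum, group = struct.unpack("!BBH4s", msg)
    return mtype, max_resp / 10.0, socket.inet_ntoa(group), checksum_ok(msg)

def track(events):
    """Replay (source IP, IGMP bytes) pairs into queriers and a membership table."""
    queriers, members = set(), {}
    for src, msg in events:
        mtype, _resp, group, ok = parse_igmp(msg)
        if not ok:
            continue  # corrupted or hand-crafted message: ignore it
        if mtype == QUERY:
            queriers.add(src)
        elif mtype in (V1_REPORT, V2_REPORT):
            members.setdefault(group, set()).add(src)
        elif mtype == LEAVE:
            # Simplified: a real querier first sends a group-specific query.
            members.get(group, set()).discard(src)
    return queriers, members

# Constructed sample traffic (documentation addresses, not from the thread).
SAMPLE = [
    ("192.0.2.1", bytes.fromhex("1164ee9b00000000")),   # general query
    ("192.0.2.10", bytes.fromhex("1600fa04effffffa")),  # report 239.255.255.250
    ("192.0.2.11", bytes.fromhex("1600fa04effffffa")),
    ("192.0.2.10", bytes.fromhex("1700f904effffffa")),  # leave
    ("192.0.2.66", bytes.fromhex("16000000effffffa")),  # bad checksum
]

if __name__ == "__main__":
    print(track(SAMPLE))
```

The set of queriers answers the original question directly: on a home segment it should contain only the local router, and an unexpected source there is the thing to investigate.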

  4. #4
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Allllrighty .... Reading that loud and clear ...This is the explanation I was looking for ... clear and simple .

    224.0.0.1 is the all-hosts group. If you ping that group, all multicast capable hosts on the network should answer,
    as every multicast capable host must join that group at
    start-up on all its multicast capable interfaces[3].

    It is entirely possible that within your subnet a device
    is asking around with IGMP[4].
    224.0.1.60 is assigned to hp-devices...familiar?
    Yep

    They aren't sending you multicast per se, what you see is an IGMP-enabled router. IGMP is what allows you to route multicast traffic. When a router is IGMP-enabled it basically tracks all your multicast groups for you, so that group membership can be shared with other IGMP-enabled routers. You are seeing a query from the router, and any hosts that are subscribing to a multicast address would let the router know. A host that no longer wishes to subscribe to the traffic can also send a 'leave' and is dropped from the router's list of hosts subscribed to that group. There may not be any multicast traffic on your segment, but the router is just checking at the configured interval.

    Thanks for the clarification guys, much appreciated. ...I better check my network config ... Who knows it might even be from my own setup (It probably is )

    Thanks again !

    .C.
    Back when I was a boy, we carved our own IC's out of wood.
