Re: How do I chase down who is doing a multicast?

[ToddAndMargo <ToddAndMargo () zoho com>]

On 04/06/2018 04:25 PM, ToddAndMargo wrote:
> On 04/06/2018 04:23 PM, ToddAndMargo wrote:
> > Hi All,
> >
> > How do I use namp to chase down who is doing a multicast
> > (224.0.0.252) on my local network.
> >
> > My Windows Security log is gobsmacked with the following:
> >
> > Network Information:
> >      Direction:        Inbound
> >      Source Address:        224.0.0.252
> >      Source Port:        5355
> >      Destination Address:    192.168.202.215
> >      Destination Port:        52860
> >      Protocol:        17
> >
> > This gets me no where:
> >
> > # nmap -A -T4 -Pn 224.0.0.252
> >
> > Starting Nmap 7.60 ( https://nmap.org ) at 2018-04-06 16:22 PDT
> > Nmap done: 1 IP address (0 hosts up) scanned in 0.85 seconds
> >
> >
> > Many thanks,
> > -T
>
> My firewall shows no traffic outbound to 224.0.0.252

Follow up:

It transpires that this was being caused by Windows
clients running the default Link-Local_Multicast_Name_
Resolution (LLMNR).  The vclue was port 5355.

So basically, EVERYONE was running it.  Fortunately,
LLMNR is not routable.

I turned LLMNR off on all the clients.  Let me know if
you want me notes on how to do this.

I would still love to know if there is a way to trace
back a particular offender.

-T

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/