Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Sniffing for multicast traffic

From: Sake Blok <sake () euronet nl>
Date: Thu, 20 May 2010 19:12:37 +0200
On 20 mei 2010, at 18:45, Kevin Cullimore wrote:


On 5/20/2010 10:08 AM, Ronald Nutter wrote:

I am getting ready to make a change to the network at my company and need to verify what traffic is going over 
multicast. 
I have been able to see existing multicast traffic by using a capture filter net 224.0.0.0/4.  How can I see any 
multicast traffic that
Is on the network and isn’t using the normal multicast range ?  Havent worked with multicast much, so just trying to 
be on the careful side.
 

In order to transmit & receive multicast traffic using non-standard destination addresses, you'd probably need to 
modify the protocol stacks of

-The participating hosts' operating system
-The operating systems of all IP-aware intermediate system the traffic would traverse

Sounds expensive, but some corporate interests go to great lengths in order to earn the "non-RFC-compliant" 
designation.

When faced with a task requiring a comprehensive collection of multicast packets seen on/through a given 
network/internetwork, I therefore worry far less about out-of-spec traffic such as you describe.


I totally agree, focus on the legitimate multicast traffic, but... if you're really concerned about non-compliant 
multicast traffic, you could search for it. Let's assume that there are no customized NICs in your company, then for 
the NIC to process a packet, it needs to be sent to:

1)  the mac address of the NIC for unicast traffic... we're not interested in that traffic in your case
2)  the broadcast address (ff:ff:ff:ff:ff:ff) for broadcast traffic... which we are also not interested in your case
3)  a destination mac-address with the least significant bit set in the first octet for multicast traffic... that's 
what we can filter on :-)

So, to catch all non-RFC-compliant multicast traffic we can use the filter:

"ether multicast and not ether broadcast and not ip multicast"

Cheers,
Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: