Tracking down Multicast
allisondk
January 8th, 2009, 09:41 AM
I am new at sniffing traffic. We are seeing numerous packets from one IP address with a destination address that is multicast. I know we have multicast turned on to help lower utilization, but how can I determine what the destination IP really is so I can find out where the data is really going?
Thanks
Darren
Nelson
January 12th, 2009, 09:32 PM
Ok, you need to understand how multicast works if you need to do this.
Firstly, in one broadcast domain (normally an IP range segment), multicast is flooded the same way as broadcast. It is sent out of each port of the switch. All hosts in the broadcast domain receive it.
The multicast IP address is mapped to specific MAC addresses. These MAC addresses all start with an odd number as the first octet.
Secondly, the host will accept the multicast if it has joined the multicast group. (This is decided by the applications, like installing and running multicast software.) If it has not joined, the host will simply drop the multicast packet at the data-link layer because the (mapped) MAC is not what it wants. Broadcast is bad: all hosts accept broadcast packets at the data-link layer because the MAC is all FF, and they can only drop them at layer 3, the protocol layer. (This wastes a lot of resources.)
Finally, multicast traffic can be routed, which means you can decide that there is going to be multicast in IP range 192.168.1.0/24 but no multicast in 192.168.2.0/24. But you will not be able to control that multicast is sent to 192.168.1.1 but not to 192.168.1.2.
In a single broadcast domain, multicast is not really "only sent to nodes which want it", but actually "sent to every node" and "only accepted by those who want it".
If you need to know where the data is really going, then I can tell you everywhere in a single broadcast domain.
If you want to know which broadcast domain the multicast is going to, then the answer is to check the multicast route in your router.
If you would like to know who is receiving and enjoying the multicast traffic, you can use Capsa to monitor which hosts have ever sent an IGMP packet with the message "Join group".
Am I making a mess of this? Hope you understand it.
allisondk
January 13th, 2009, 08:26 AM
You do make sense and I understand why it works, but I want to make sure that I understand how to find out who is chatting with whom. So if I go to the router, it should designate the multicast IP range? For example, we are on a 10.214.XXX.XXX network; the multicast IPs are 239.0.30, 239.255.255.250 or 239.255.2.2.
From this I would gather that I would get into the router and look at the table for the multicast, and it should show me who 239.255.255.250 is, or at least what switch it was broadcast from?
Thanks
Nelson
January 13th, 2009, 08:51 PM
As I already told you, you can find out which broadcast domain the multicast is flooding to on the router/layer 3 switch, or find out which IP host is accepting the multicast by sniffing with Capsa.
To accomplish what you required -- "look at the table for the Multicast and it should show me who 239.255.255.250 is or at least what Switch it was broadcasted from" -- (this depends on the router platform; for example, on Cisco IOS) you can log on to the router and use the command "show ip mroute", and you will see the multicast routing table, like:
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
R - RP-bit set, F - Register flag, T - SPT-bit set
Timers: Uptime/Expires
Interface state: Interface, Next-Hop, State/Mode
(*, 224.0.255.1), uptime 0:57:31, expires 0:02:59, RP is 0.0.0.0, flags: DC
Incoming interface: Null, RPF neighbor 0.0.0.0, Dvmrp
Outgoing interface list:
Ethernet0, Forward/Dense, 0:57:31/0:02:52
Tunnel0, Forward/Dense, 0:56:55/0:01:28
(198.92.37.100/32, 224.0.255.1), uptime 20:20:00, expires 0:02:55, flags: C
Incoming interface: Tunnel0, RPF neighbor 10.20.37.33, Dvmrp
Outgoing interface list:
Ethernet0, Forward/Dense, 20:20:00/0:02:52
Pay attention to the part after "Outgoing interface list". The interfaces in that list are what you need.
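Two things the thread describes can be checked directly in a capture: the mapping of a multicast group to its Ethernet MAC (Nelson's second post) and which hosts have sent an IGMP "Join group" report (his last suggestion). The following is an added example, not code from either poster or from Capsa; the host addresses, groups and frames are constructed here, and the MAC mapping follows RFC 1112 (prefix 01:00:5e plus the low 23 bits of the group, so 32 groups share each MAC):

```python
import ipaddress
import struct

def multicast_mac(group: str) -> str:
    """IPv4 multicast group -> Ethernet MAC (RFC 1112): fixed prefix 01:00:5e
    plus the low 23 bits of the group address (32 groups share each MAC)."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

IGMPV2_MEMBERSHIP_REPORT = 0x16  # sent by a host when it joins a group

def igmp_joins(frames):
    """Scan raw Ethernet/IPv4 frames; return {group: {host_ip, ...}} for each IGMPv2 report seen."""
    joins = {}
    for frame in frames:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 EtherType only
            continue
        ip_hdr = frame[14:]
        ihl = (ip_hdr[0] & 0x0F) * 4
        if ip_hdr[9] != 2:                                   # IP protocol 2 = IGMP
            continue
        igmp = ip_hdr[ihl:ihl + 8]
        if len(igmp) < 8 or igmp[0] != IGMPV2_MEMBERSHIP_REPORT:
            continue
        src = str(ipaddress.IPv4Address(ip_hdr[12:16]))      # the host that joined
        group = str(ipaddress.IPv4Address(igmp[4:8]))        # group field of the report
        joins.setdefault(group, set()).add(src)
    return joins

def build_report_frame(src_ip: str, group: str) -> bytes:
    """Constructed sample: Ethernet + minimal IPv4 header + IGMPv2 report (checksums left zero)."""
    dst_mac = bytes.fromhex(multicast_mac(group).replace(":", ""))
    eth = dst_mac + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    igmp = struct.pack("!BBH4s", IGMPV2_MEMBERSHIP_REPORT, 0, 0, ipaddress.IPv4Address(group).packed)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(igmp), 0, 0, 1, 2, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(group).packed)
    return eth + ip + igmp

# Constructed capture: two hosts join 239.255.255.250, one joins 239.255.2.2, plus an ARP frame to skip.
SAMPLE_FRAMES = [
    build_report_frame("10.214.1.20", "239.255.255.250"),
    build_report_frame("10.214.1.21", "239.255.255.250"),
    build_report_frame("10.214.2.7", "239.255.2.2"),
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28,
]
```

Feeding real frames from a pcap into `igmp_joins` gives the same "who joined which group" view that the thread suggests watching for in Capsa, and `multicast_mac` tells you which destination MAC to filter on for a given group.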