Tracking down Multicast

Discussion in 'Capsa Network Analyzer' started by allisondk, Jan 8, 2009.

Thread Status:
Not open for further replies.
  1. allisondk

    allisondk Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    6
    I am new at sniffing traffic. We are seeing numerous packages from one IP address with a destination address that is multicast. I know we have multicast turned on to help lower utilization, but how can I determine what the destination IP really is so I can find out where the data is really going?

    Thanks

    Darren
     
  2. Nelson

    Nelson Registered Member

    Joined:
    May 26, 2005
    Posts:
    36
    Ok, you need to understand how multicast works if you need to do this.

    Firstly, in one broadcast domain (normally an IP range segment), multicast is flooded the same way as broadcast. It is sent out from each port of the switch, and all hosts in the broadcast domain receive it.

    The multicast IP address is mapped to some specific MAC addresses. These MAC addresses all start with an odd number as the first octet.

    Secondly, a host will accept the multicast if it has joined the multicast group. (This is decided by the applications, e.g. by installing and running multicast software.) If not joined, the host will simply drop the multicast packet in the data-link layer because the (mapped) MAC is not what it wants. Broadcast is bad: all hosts accept broadcast packets in the data-link layer because the MAC is all FF, and they can only drop them in layer 3 -- the protocol layer. (This wastes a lot of resources.)

    Finally, multicast traffic can be routed, which means you can decide there is going to be multicast in IP range 192.168.1.0/24, but no multicast in 192.168.2.0/24. But you will not be able to control that multicast is sent to 192.168.1.1 but not sent to 192.168.1.2.

    In a single broadcast domain, multicast is not really "only sent to nodes which want it", but actually "sent to every node" & "only accepted by those who want it".

    If you need to know where the data is really going, then I can tell you: everywhere in a single broadcast domain.
    If you wanna know which broadcast domain the multicast is going to, then the answer is: check the multicast route in your router.
    If you would like to know who is receiving and enjoying the multicast traffic, you can use Capsa to monitor which hosts have ever sent an IGMP packet with the message "Join group".


    Am I making a mess of this? Hope you understand it.
     
    Last edited: Jan 12, 2009
  3. allisondk

    allisondk Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    6
    You do make sense and I understand why it works, but I want to make sure that I understand how to find who is chatting with whom. So if I go to the router, it should designate the multicast IP range? For example, we are on a 10.214.XXX.XXX network, and the multicast IP is 239.0.30, 239.255.255.250 or 239.255.2.2.

    From this I would gather I would get into the router and look at the table for the Multicast and it should show me who 239.255.255.250 is or at least what Switch it was broadcasted from?

    Thanks
     
  4. Nelson

    Nelson Registered Member

    Joined:
    May 26, 2005
    Posts:
    36
    As I already told you, you can find out which broadcast domain the multicast is flooding to on the router/layer 3 switch, or find out which IP host is accepting the multicast by sniffing with Capsa.

    To accomplish what you required -- "look at the table for the Multicast and it should show me who 239.255.255.250 is or at least what Switch it was broadcasted from" -- (this depends on the router platform, for example Cisco IOS) you can log on to the router and use the command "show ip mroute", and you will see the multicast routing table like:

    IP Multicast Routing Table
    Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned
    R - RP-bit set, F - Register flag, T - SPT-bit set
    Timers: Uptime/Expires
    Interface state: Interface, Next-Hop, State/Mode
    (*, 224.0.255.1), uptime 0:57:31, expires 0:02:59, RP is 0.0.0.0, flags: DC
    Incoming interface: Null, RPF neighbor 0.0.0.0, Dvmrp
    Outgoing interface list:
    Ethernet0, Forward/Dense, 0:57:31/0:02:52
    Tunnel0, Forward/Dense, 0:56:55/0:01:28
    (198.92.37.100/32, 224.0.255.1), uptime 20:20:00, expires 0:02:55, flags: C
    Incoming interface: Tunnel0, RPF neighbor 10.20.37.33, Dvmrp
    Outgoing interface list:
    Ethernet0, Forward/Dense, 20:20:00/0:02:52


    Pay attention to the part after "Outgoing interface list". The interfaces in that list are what you need.
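    As an added example (not code from the thread or from Capsa), the two lookups discussed above: the RFC 1112 mapping from a multicast group to the 01:00:5e MAC that hosts filter on at layer 2 (note the 32:1 ambiguity, since only the low 23 bits of the group survive), and a parser that pulls the "Outgoing interface list" out of "show ip mroute" text. The mroute sample below is constructed from the output quoted in the post.

```python
import ipaddress


def multicast_mac(ip: str) -> str:
    """Ethernet MAC a host programs for an IPv4 group (RFC 1112):
    01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_aliases(ip: str) -> list:
    """All 32 group addresses that collide on the same MAC as ip: the top 5
    bits of the 28-bit group id are discarded, so a NIC that joined one of
    them passes frames for every one of them up to layer 3."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


def outgoing_interfaces(mroute_text: str) -> dict:
    """Parse 'show ip mroute' style output into {(S,G) entry: [interfaces]}."""
    result, current, in_oil = {}, None, False
    for raw in mroute_text.splitlines():
        line = raw.strip()
        if line.startswith("("):                      # new (*,G) or (S,G) entry
            current = line.split(")", 1)[0] + ")"
            result[current] = []
            in_oil = False
        elif line.startswith("Outgoing interface list"):
            in_oil = True
        elif in_oil and current and line and not line.startswith("Incoming"):
            result[current].append(line.split(",", 1)[0])  # "Ethernet0, Forward/Dense, ..."
    return result


# Constructed sample, modelled on the output quoted in the thread.
SAMPLE_MROUTE = """\
(*, 224.0.255.1), uptime 0:57:31, expires 0:02:59, RP is 0.0.0.0, flags: DC
Incoming interface: Null, RPF neighbor 0.0.0.0, Dvmrp
Outgoing interface list:
Ethernet0, Forward/Dense, 0:57:31/0:02:52
Tunnel0, Forward/Dense, 0:56:55/0:01:28
(198.92.37.100/32, 224.0.255.1), uptime 20:20:00, expires 0:02:55, flags: C
Incoming interface: Tunnel0, RPF neighbor 10.20.37.33, Dvmrp
Outgoing interface list:
Ethernet0, Forward/Dense, 20:20:00/0:02:52
"""

if __name__ == "__main__":
    print(multicast_mac("239.255.255.250"))   # the SSDP group from the question
    print(outgoing_interfaces(SAMPLE_MROUTE))
```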
     