Wireshark-users: Re: [Wireshark-users] Multicast problem

From: Lars Lars <laasunde@xxxxxxxxxxx>
Date: Tue, 4 Nov 2008 10:20:40 +0100
Using WinXP Professional tried with both sp2 and sp3 - no difference.

Using Wireshark 1.0.4

Firewall is disabled.

Server application is C++ using winsock 1.1

Both on a working setup and on the faulty setup I see a IGMP packet from 172.21.100.1 (server) to 224.0.0.22 with type = 0x22 and m_address = 230.21.1.200

Both on a working setup and on the faulty setup I see the server sending multiple UDP packets as multicast from 172.21.100.1 (server) to 230.21.1.200 (src and dst port equal 14800) at regular intervals.

In all the literature I've come across on this subject the multicast loop is performed on the host's ip stack and the behaviour is by default enabled.

Using windump or wireshark on the server seems to affect the behaviour of the server. Do not know how to debug this problem without affecting the outcome. Also do not know how to verify that ip stack is actually returning a copy of multicast to itself.

Appreciate any input.


> Date: Fri, 31 Oct 2008 09:10:35 -0400
> From: SYSJHY@xxxxxxxxxxxxxxx
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] Multicast problem
>
> Hello Lars,
>
> >>> Lars Lars <laasunde@xxxxxxxxxxx> 10/31/08 6:32 AM >>>
> > Here are some observations:
> > Running server application and running wireshark but
> > not listening to any adapter - no multicasts are received
> > on the server.
> >
> > Running server application and just opening
> > Capture -> Interface... to show "Wireshark. Capture Interfaces"
> > - this triggers the server application to receive multicast
> > packets. I'm only showing the dialog window - not using it.
> > By closing the window the server stops receiving the
> > multicasts.
> >
> > Running server application and opening Capture -> Options...
> > in wireshark select correct adapter and disabled promiscues
> > mode - click Start and then the server starts to receive
> > multicast messages. By stoping the capture then the
> > server stops receiving multicasts. Tried enabling and
> > disabling various settings within Wireshark: Capture
> > options dialog window but it does not seem to affect
> > the behaviour - it seems, regardless of mode or
> > settings by listening to the adapter the server
> > receives the multicasts.
> >
> > Can anyone shed some light on what wireshark
> > does to 'cause' the behaviour I am describing.Thank you
>
> A few questions:
>
> What platform is this multicast server application
> running on? (Windows (XP, Vista), Linux, etc)?
>
> What version of Wireshark are you using?
>
> Do you have any firewall installed on this system?
>
> What type of multicast server application is this?
>
> When your server actually subscribes to the multicast
> group 230.21.1.200 it should send an IGMP message
> indicating that fact. Do you see IGMP packets
> egressing from your server machine?
>
> If your machine is sending IGMP packets, what do
> these IGMP packets contain?
>
> If your system is NOT sending any packet, then your
> system (for some reason) is NOT advertising its desire
> to subscribe to the multicast group 230.21.1.200.
>
> Is this the ONLY system that produces (sends) data for
> this multicast group (230.21.1.200:14800)?
>
> If not, does this same server system receive multicast
> packets from other systems that are sending on this
> group (230.21.1.200:14800)?
>
> I am assuming you have multicast aware networking
> equipment?
>
> If your networking equipment is multicast aware,
> and you (or your networking group) have access
> to the management interface of the switch, you
> should be able to query its multicast forwarding
> tables to determine if your machine has subscribed
> to the multicast 230.21.1.200 group or not.
>
> I also agree with the earlier reply to this thread regarding
> hair-pinning. It is extremely unlikely that the switch
> equipment would locally (Layer 2) send a multicast packet
> back to the same switch port that it originated on.
>
> But if the multicast packet is ultimately forwarded to a
> rendevous point then perhaps a copy of your multicast
> packet could ultimately be sent back to the same switch
> port that it originated on.
>
> Does the switch port that your server is connected to
> have multiple vlans exposed on it?
>
> Answers to the above might help narrow down
> possibilities.
>
> Best regards,
>
> Jim Y.
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users


Windows Live SkyDrive. På tide å glemme minnepinnen.