This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Multicast works when wireshark starts

0

Hello all,

I have a strange behavior in my lab. I have configure an application server to receive a multicast stream from a camera, but nothing is received. So I started wireshark and magically I received the multicast stream. If I stopped wireshark, I do not receive the stream Multicast.

It seems that when wireshark listens to the server NIC, this wake up the nic and allow to receive the multicasts. By stopping wireshark to listen to the nic card, then the server also stops receiving the multicast. What wireshark do exactly when listening to the traffic?

Can someone explain me this behavior?

Thank you very much

Alex.O

asked 28 Jan '14, 01:56

Alexo's gravatar image

Alexo
1111
accept rate: 0%

2 Answers:

0

What wireshark do exactly when listening to the traffic?

It puts the interface in 'promiscuous mode'. In that mode the system will accept all ethernet frames, not just the ones with the MAC address of the NIC (or broadcast or multicast).

Please check the MAC address of your frames. It is most certainly not the broadcast address (or a multicast address).

BTW: can you post a sample frame on cloudshark.org ?

Regards
Kurt

answered 28 Jan '14, 02:35

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

hello Kurt,

All cameras have multicast mac address beginning by 01:00:5e

Alex

(28 Jan '14, 02:58) Alexo

Can you please post a sample capture file?

(28 Jan '14, 03:35) Kurt Knochner ♦

0

Been there... had that problem...

Assuming that we're talking IP Multicast (i.e., an IP camera):

The short answer:

I would guess that the server application is not configured properly to receive the traffic for the required IP multicast group address matching that being used by the camera.

The longer answer:

The multicast listener (server) must exec some code to "join" the desired IP Multicast group. The effect is basically that the group address is translated to a specific ethernet MAC group address and then that address is added to the list of MAC addresses for which the NIC card accepts traffic.

As Kurt indicated, if the NIC is in promiscuous mode, then all frames are accepted and things work.

So: (assuming that the server application has the code to do the "join") there's probably a configuration issue (wrong group address ?).

If the application is homegrown, the code needs to do a "join". (I don't remember if the "join" can be done using a command level tool before running the application).

(A web search for 'camera "IP multicast"' will find lots of info).

answered 28 Jan '14, 06:01

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 28 Jan '14, 08:20