This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark can’t capture multicast packet in promiscuous mode without IGMP join

0

I wrote a program to send multicast packets to 225.0.0.37 continuously on a Linux box, then I used Wireshark in promiscuous mode on my Mac to see if it can see the packets, but no good. Both of them are connected to the same Wi-Fi. I know I should send an IGMP join message first if I want to receive the multicast message in general (I did receive it if I sent an IGMP join), but if I am in promiscuous mode, I should see the packets anyway. Is my understanding wrong?

asked 07 Mar '17, 21:49

jfly
accept rate: 0%

edited 07 Mar '17, 22:45


One Answer:

2

The IGMP report or join is used to indicate to the infrastructure your intent to consume the multicast group. This way, the infrastructure knows to forward the group to your physical interface.

Promiscuous mode allows the network interface on your system to pass up all frames and not provide any type of filter. However, if the infrastructure is not sending them to the interface, promisc mode will not help - they are not there to be passed up.

So you really need both: the infrastructure has to send you the frames, and then they need to be sent up the stack for handling in the packet capture tool.

Now WiFi adds an entirely different level of complexity. Multicast is handled in very different ways by different WiFi systems. For instance: some do a multicast_to_unicast conversion, sometimes; some don't send out multicast at all and they just drop it; some send any multicast received from wireless right back on the wireless side but are selective about wired side; some manage their own IGMP snooping states and only transmit multicast if a host asked for it, and this can be either as true multicast or unicast. If encryption is used, multicast or unicast is important because the encryption keys from WPA2 would be different in the two cases.

On top of this, all multicast sent from a host to the network over WiFi is actually unicast at layer 2 (802.11) destined for the access point, so you will only see this traffic if you are in monitor+promisc mode on a WiFi capture system.

answered 08 Mar '17, 02:58

Bob Jones
accept rate: 21%
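
Added example, not part of the original question or answer: a Python sketch of the join the answer describes, for the group 225.0.0.37 from the question. It shows the Ethernet multicast MAC the group maps to (what a non-promiscuous NIC filters on), the 8-byte IGMPv2 membership report a join puts on the wire, and a socket join that makes the OS send the report. UDP port 5000 and the function names are assumptions, and a host may send IGMPv3 reports instead of the IGMPv2 form built here.

```python
import socket
import struct

GROUP = "225.0.0.37"  # group address from the question

def multicast_mac(group: str) -> str:
    """Map an IPv4 group to its Ethernet MAC: 01:00:5e + low 23 bits (RFC 1112)."""
    ip = struct.unpack("!I", socket.inet_aton(group))[0]
    if ip >> 28 != 0xE:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = bytes([0x01, 0x00, 0x5E]) + (ip & 0x7FFFFF).to_bytes(3, "big")
    return ":".join(f"{b:02x}" for b in mac)

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum used by IGMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def igmpv2_report(group: str) -> bytes:
    """Build the IGMPv2 Membership Report (type 0x16, RFC 2236) for a group."""
    addr = socket.inet_aton(group)
    unsummed = struct.pack("!BBH4s", 0x16, 0, 0, addr)
    return struct.pack("!BBH4s", 0x16, 0, inet_checksum(unsummed), addr)

def join_group(group: str, port: int = 5000, iface_ip: str = "0.0.0.0") -> socket.socket:
    """Join the group; the OS emits the IGMP report. Port 5000 is an assumption."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", port))
    mreq = socket.inet_aton(group) + socket.inet_aton(iface_ip)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s  # membership lasts only while this socket stays open

if __name__ == "__main__":
    print(GROUP, "->", multicast_mac(GROUP))
    print("IGMPv2 report bytes:", igmpv2_report(GROUP).hex())
    sock = join_group(GROUP)
    input("Joined; start the capture now, press Enter to leave the group...")
    sock.close()
```

Filtering the capture on `igmp` confirms the report left the host; whether the group traffic then arrives still depends on how the access point handles multicast, as described in the answer.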