Hey guys, I´m trying to analyze my networktraffic and I´m not a networking pro, so I got some questions regarding the traffic. If there are stupid I apologize in front. The first thing I see are three IGMP Messages. 192.168.2.1 224.0.0.22 IGMP 62 V3 Membership Report /Join group 224.0.0.252 for any sources / Join group 239.255.255.254 for any sources 10.0.0.0 224.0.0.1 IGMP 60 v3 Membership Query, general 192.168.2.1 224.0.0.22 IGMP 62 port /Join group 224.0.0.252 for any sources / Join group 239.255.255.254 for any sources the first and third one are marked black, so there is an error, despite I don´t really know why. So, I figured out IGMP has something to do with broadcasting and I figured out the IGMP messages are send at the start of the capture no matter when I start them. So I assume the have something to do with Wireshark. The next thin I assume is, that every time I start wireshark it is looking for some broadcast groups. Since it´s marked false, I assume that nobody is answering. So wireshark tries but with no success. So, could you please let me know what this have to do with wireshark, I know I don´t have a clue about the stuff, but I couldn´t find anythin on the internet. Cheers Michael asked 25 Nov '11, 04:30 Michael86 |
2 Answers:
Google is your friend here. These are multicast addresses. So, if you look them up they say:
So these all have to do with name resolving. And indeed that's something Wireshark does use, so that makes sense. answered 25 Nov '11, 11:34 Jaap ♦ |
When resolving names, what Wireshark is doing is attempting to translate IP addresses to names; it does so either by calling the host operating system's routines or by using the ADNS or C-ARES name resolution packages. Perhaps whichever one of those is being used sends out LLMNR packets. Wireshark itself does not explicitly try to join any multicast groups; it puts the network adapter into promiscuous mode so that it can see all traffic sent on the network port into which the network adapter is plugged. Perhaps, in some OSes, the networking stack will attempt to join multicast groups if the adapter is put into promiscuous mode, in the hopes of convincing a switch to send multicast traffic for those groups to the port in question. 224.0.0.22 is an IP address for IGMP v3. answered 26 Nov '11, 12:08 Guy Harris ♦♦ |
Thanks for the quick response. But I´m still not certain, why wireshark is doing this.
I learned that you need a software on your computer to be able to receive this multicast traffic. So i assume wireshark is trying to get in this multicast group to read the all traffic. Make sense for a network sniffer, but
first who is 224.0.0.22? I mean, is there are service on my network who is responding to wireshark? It says join group 224.0.0.252 for any sources, so does it mean, wireshark is trying to get in this group and furthermore does wireshark succed? Can I now read the multicast traffic?
Second, who is 10.0.0.0, he is sending a Membership Query general to 224.0.0.1. But I don´t have a clue what this is doing there.
The main question is, why is wireshark doing this?
224.0.0.22 is the address all IGMPv3-capable multicast routers listen to. They have to learn of your host joining a multicast group, so they can forward you multicast messages send to this group. This has nothing to do with the capture itself, just the DNS functions used by Wireshark. A join is never acknowledged, the router just starts forwarding any relevant traffic. 10.0.0.0 is the address of an IGMP querier in the local network who tries to reaffirm multicast group memberships. If all hosts have dropped off the local net there's no need for multicast traffic to be forwarded there anymore.