This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hey guys,

I'm trying to analyze my network traffic and I'm not a networking pro, so I have some questions regarding the traffic. If they are stupid, I apologize in advance.

The first thing I see are three IGMP messages:

  • 192.168.2.1 224.0.0.22 IGMP 62 V3 Membership Report / Join group 224.0.0.252 for any sources / Join group 239.255.255.254 for any sources
  • 10.0.0.0 224.0.0.1 IGMP 60 V3 Membership Query, general
  • 192.168.2.1 224.0.0.22 IGMP 62 V3 Membership Report / Join group 224.0.0.252 for any sources / Join group 239.255.255.254 for any sources

The first and third ones are marked black, so there is an error, though I don't really know why.

So, I figured out IGMP has something to do with broadcasting and I figured out the IGMP messages are sent at the start of the capture no matter when I start it. So I assume they have something to do with Wireshark.

The next thing I assume is that every time I start Wireshark it is looking for some broadcast groups. Since it's marked false, I assume that nobody is answering. So Wireshark tries, but with no success.

So, could you please let me know what this has to do with Wireshark? I know I don't have a clue about the stuff, but I couldn't find anything on the internet.

Cheers

Michael

asked 25 Nov '11, 04:30

Michael86


Google is your friend here. These are multicast addresses.

So, if you look them up they say:

  • 224.0.0.22 : Internet Group Management Protocol (IGMP) Version 3
  • 224.0.0.252 : Link-local Multicast Name Resolution (LLMNR) address
  • 239.255.255.254 : Multicast Address Dynamic Client Allocation Protocol (MADCAP)

So these all have to do with name resolving. And indeed that's something Wireshark does use, so that makes sense.


answered 25 Nov '11, 11:34

Jaap ♦

Thanks for the quick response. But I'm still not certain why Wireshark is doing this.

I learned that you need software on your computer to be able to receive this multicast traffic. So I assume Wireshark is trying to get into this multicast group to read all the traffic. Makes sense for a network sniffer, but:

First, who is 224.0.0.22? I mean, is there a service on my network that is responding to Wireshark? It says "join group 224.0.0.252 for any sources", so does it mean Wireshark is trying to get into this group, and furthermore, does Wireshark succeed? Can I now read the multicast traffic?

Second, who is 10.0.0.0? He is sending a Membership Query, general to 224.0.0.1. But I don't have a clue what this is doing there.

The main question is, why is wireshark doing this?

(26 Nov '11, 05:29) Michael86

224.0.0.22 is the address all IGMPv3-capable multicast routers listen to. They have to learn of your host joining a multicast group, so they can forward you multicast messages sent to this group. This has nothing to do with the capture itself, just the DNS functions used by Wireshark. A join is never acknowledged; the router just starts forwarding any relevant traffic. 10.0.0.0 is the address of an IGMP querier in the local network which tries to reaffirm multicast group memberships. If all hosts have dropped off the local net, there's no need for multicast traffic to be forwarded there anymore.

(27 Nov '11, 02:52) Jaap ♦
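The three frames in the question and Jaap's explanation of them can be checked by decoding the messages by hand. The following is an added example, not code from the Wireshark project: a small RFC 3376 decoder for IGMPv3 Membership Reports and Queries, with two constructed messages that reproduce what the question shows (a report carrying CHANGE_TO_EXCLUDE records with no sources for 224.0.0.252 and 239.255.255.254, and a general query whose group field is 0.0.0.0). The info-column wording ("Join group X for any sources", "V3 Membership Query, general") is modelled on how Wireshark's IGMP dissector describes those record types; the 62-byte frame length in the question is consistent with a 14-byte Ethernet header, a 24-byte IPv4 header carrying the Router Alert option, the 8-byte report header and two 8-byte group records. Wireshark's default coloring rules paint frames with checksum errors black, so the decoder also verifies the RFC 1071 checksum; the post does not give enough detail to say whether that rule is what fired on Michael's frames. The query field values (Max Resp Code, QRV, QQIC) are assumptions chosen for the sample only.

```python
"""Decode IGMPv3 Membership Reports and Queries (RFC 3376) from raw bytes."""
import ipaddress
import struct

# RFC 3376 message types (the part of the IGMP header after the IP header)
IGMP_MEMBERSHIP_QUERY = 0x11
IGMPV3_MEMBERSHIP_REPORT = 0x22

# RFC 3376 section 4.2.12 group record types
RECORD_TYPES = {
    1: "MODE_IS_INCLUDE",
    2: "MODE_IS_EXCLUDE",
    3: "CHANGE_TO_INCLUDE_MODE",
    4: "CHANGE_TO_EXCLUDE_MODE",
    5: "ALLOW_NEW_SOURCES",
    6: "BLOCK_OLD_SOURCES",
}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(igmp: bytes) -> bool:
    """A message whose checksum field is correct sums to zero as a whole."""
    return len(igmp) >= 4 and internet_checksum(igmp) == 0


def decode_igmpv3(igmp: bytes) -> dict:
    """Parse the IGMPv3 header and, for reports, every group record."""
    if len(igmp) < 8:
        raise ValueError("IGMP message too short")
    info = {"type": igmp[0], "checksum_ok": checksum_ok(igmp), "records": []}
    if info["type"] == IGMPV3_MEMBERSHIP_REPORT:
        (num_records,) = struct.unpack("!H", igmp[6:8])
        offset = 8
        for _ in range(num_records):
            if len(igmp) < offset + 8:
                raise ValueError("truncated group record")
            rtype, aux_len, num_src = struct.unpack("!BBH", igmp[offset:offset + 4])
            group = str(ipaddress.IPv4Address(igmp[offset + 4:offset + 8]))
            offset += 8
            if len(igmp) < offset + 4 * num_src + 4 * aux_len:
                raise ValueError("truncated source list")
            sources = [str(ipaddress.IPv4Address(igmp[offset + 4 * i:offset + 4 * i + 4]))
                       for i in range(num_src)]
            offset += 4 * num_src + 4 * aux_len  # aux data length is in 32-bit words
            info["records"].append({"type": RECORD_TYPES.get(rtype, "UNKNOWN(%d)" % rtype),
                                    "group": group, "sources": sources})
    elif info["type"] == IGMP_MEMBERSHIP_QUERY:
        if len(igmp) < 12:
            raise ValueError("query shorter than an IGMPv3 query")
        info["group"] = str(ipaddress.IPv4Address(igmp[4:8]))
        info["general"] = info["group"] == "0.0.0.0"  # general query: no group
    return info


def summarize(igmp: bytes) -> str:
    """Render the message the way Wireshark's info column words the common cases."""
    d = decode_igmpv3(igmp)
    if d["type"] == IGMP_MEMBERSHIP_QUERY:
        return "V3 Membership Query, general" if d["general"] else \
            "V3 Membership Query, specific for group %s" % d["group"]
    parts = []
    for r in d["records"]:
        if r["type"] == "CHANGE_TO_EXCLUDE_MODE" and not r["sources"]:
            parts.append("Join group %s for any sources" % r["group"])  # what the question shows
        elif r["type"] == "CHANGE_TO_INCLUDE_MODE" and not r["sources"]:
            parts.append("Leave group %s" % r["group"])
        else:
            parts.append("%s %s sources=%s" % (r["type"], r["group"], r["sources"]))
    return "V3 Membership Report / " + " / ".join(parts)


def _with_checksum(msg: bytes) -> bytes:
    """Fill the checksum field (bytes 2-3) of a message built with it zeroed."""
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def build_report(groups) -> bytes:
    """Constructed report: one CHANGE_TO_EXCLUDE record with no sources per group."""
    body = b"".join(struct.pack("!BBH4s", 4, 0, 0, ipaddress.IPv4Address(g).packed) for g in groups)
    return _with_checksum(struct.pack("!BBHHH", IGMPV3_MEMBERSHIP_REPORT, 0, 0, 0, len(groups)) + body)


def build_general_query() -> bytes:
    """Constructed general query: group 0.0.0.0, QRV=2, QQIC=125 s, no sources (assumed values)."""
    return _with_checksum(struct.pack("!BBH4sBBH", IGMP_MEMBERSHIP_QUERY, 100, 0, bytes(4), 0x02, 125, 0))


def corrupt_checksum(igmp: bytes) -> bytes:
    """Flip one byte of the checksum to show how a damaged message is detected."""
    bad = bytearray(igmp)
    bad[2] ^= 0xFF
    return bytes(bad)


# Constructed samples matching the two message kinds in the question
SAMPLE_REPORT = build_report(["224.0.0.252", "239.255.255.254"])
SAMPLE_QUERY = build_general_query()

if __name__ == "__main__":
    for msg in (SAMPLE_REPORT, SAMPLE_QUERY, corrupt_checksum(SAMPLE_REPORT)):
        print(checksum_ok(msg), summarize(msg))
```

Run on the two constructed samples the summaries come out as "V3 Membership Report / Join group 224.0.0.252 for any sources / Join group 239.255.255.254 for any sources" and "V3 Membership Query, general"; the report is 24 bytes of IGMP payload, which with the Ethernet and IPv4-with-Router-Alert headers gives the 62-byte frame seen in the question.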

When resolving names, what Wireshark is doing is attempting to translate IP addresses to names; it does so either by calling the host operating system's routines or by using the ADNS or C-ARES name resolution packages. Perhaps whichever one of those is being used sends out LLMNR packets.

Wireshark itself does not explicitly try to join any multicast groups; it puts the network adapter into promiscuous mode so that it can see all traffic sent on the network port into which the network adapter is plugged. Perhaps, in some OSes, the networking stack will attempt to join multicast groups if the adapter is put into promiscuous mode, in the hopes of convincing a switch to send multicast traffic for those groups to the port in question.

224.0.0.22 is an IP address for IGMP v3.


answered 26 Nov '11, 12:08

Guy Harris ♦♦

question was seen: 50,548 times

last updated: 27 Nov '11, 02:52
