This is a static archive of our old Q&A Site. Please post any new questions and answers at

What are the IGMP Messages doing in my network?


Hey guys,

I´m trying to analyze my networktraffic and I´m not a networking pro, so I got some questions regarding the traffic. If there are stupid I apologize in front.

The first thing I see are three IGMP Messages. IGMP 62 V3 Membership Report /Join group for any sources / Join group for any sources IGMP 60 v3 Membership Query, general IGMP 62 port /Join group for any sources / Join group for any sources

the first and third one are marked black, so there is an error, despite I don´t really know why.

So, I figured out IGMP has something to do with broadcasting and I figured out the IGMP messages are send at the start of the capture no matter when I start them. So I assume the have something to do with Wireshark.

The next thin I assume is, that every time I start wireshark it is looking for some broadcast groups. Since it´s marked false, I assume that nobody is answering. So wireshark tries but with no success.

So, could you please let me know what this have to do with wireshark, I know I don´t have a clue about the stuff, but I couldn´t find anythin on the internet.



asked 25 Nov '11, 04:30

Michael86's gravatar image

accept rate: 0%

2 Answers:


Google is your friend here. These are multicast addresses.

So, if you look them up they say:

  • : Internet Group Management Protocol (IGMP) Version 3
  • : Link-local Multicast Name Resolution (LLMNR) address
  • : Multicast Address Dynamic Client Allocation Protocol (MADCAP)

So these all have to do with name resolving. And indeed that's something Wireshark does use, so that makes sense.

answered 25 Nov '11, 11:34

Jaap's gravatar image

Jaap ♦
accept rate: 14%

Thanks for the quick response. But I´m still not certain, why wireshark is doing this.

I learned that you need a software on your computer to be able to receive this multicast traffic. So i assume wireshark is trying to get in this multicast group to read the all traffic. Make sense for a network sniffer, but

first who is I mean, is there are service on my network who is responding to wireshark? It says join group for any sources, so does it mean, wireshark is trying to get in this group and furthermore does wireshark succed? Can I now read the multicast traffic?

Second, who is, he is sending a Membership Query general to But I don´t have a clue what this is doing there.

The main question is, why is wireshark doing this?

(26 Nov '11, 05:29) Michael86 is the address all IGMPv3-capable multicast routers listen to. They have to learn of your host joining a multicast group, so they can forward you multicast messages send to this group. This has nothing to do with the capture itself, just the DNS functions used by Wireshark. A join is never acknowledged, the router just starts forwarding any relevant traffic. is the address of an IGMP querier in the local network who tries to reaffirm multicast group memberships. If all hosts have dropped off the local net there's no need for multicast traffic to be forwarded there anymore.

(27 Nov '11, 02:52) Jaap ♦


When resolving names, what Wireshark is doing is attempting to translate IP addresses to names; it does so either by calling the host operating system's routines or by using the ADNS or C-ARES name resolution packages. Perhaps whichever one of those is being used sends out LLMNR packets.

Wireshark itself does not explicitly try to join any multicast groups; it puts the network adapter into promiscuous mode so that it can see all traffic sent on the network port into which the network adapter is plugged. Perhaps, in some OSes, the networking stack will attempt to join multicast groups if the adapter is put into promiscuous mode, in the hopes of convincing a switch to send multicast traffic for those groups to the port in question. is an IP address for IGMP v3.

answered 26 Nov '11, 12:08

Guy%20Harris's gravatar image

Guy Harris ♦♦
accept rate: 19%