Capturing multicast traffic with tcpdump

To capture multicast traffic with tcpdump use

tcpdump ether multicast
or
tcpdump 'ip[16]>=224'

I set out to capture multicast traffic at home because I read ntp uses multicast to sync with each other. I might have read and forgotten. Doing is remembering. I want to capture traffic to remember.

tcpdump ether multicast

On a second terminal

systemctl stop ntp
ntpdate $ntpserver

I find it is not just ntp that is using multicast in my little home network. MiniDLNA daemon is listening on a multicast address and so is my wife’s iPad!

root@ahp:~# netstat -lup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.1.3:51522       *:*                                 2246/minidlnad  
udp        0      0 239.255.255.250:1900    *:*                                 2246/minidlnad  



root@ahp:~# tcpdump ether multicast
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:35:38.356849 IP 192.168.1.1 > all-routers.mcast.net: igmp v2 report all-routers.mcast.net
02:35:41.220933 IP 192.168.1.3 > 239.255.255.250: igmp v2 report 239.255.255.250
02:35:41.223782 IP 192.168.1.5 > 239.255.255.250: igmp v2 report 239.255.255.250
02:35:46.447392 IP 192.168.1.7.52542 > 239.255.255.250.1900: UDP, length 125
02:35:46.549823 IP 192.168.1.7.52542 > 239.255.255.250.1900: UDP, length 125
02:35:47.268296 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 340
02:35:47.271666 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 285
02:35:47.274749 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 276
02:35:47.278646 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 350
02:35:56.380164 IP 192.168.1.7.52542 > 239.255.255.250.1900: UDP, length 125
02:35:56.482582 IP 192.168.1.7.52542 > 239.255.255.250.1900: UDP, length 125
02:35:56.585911 IP 192.168.1.7.52542 > 239.255.255.250.1900: UDP, length 125
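
What the two filters at the top of this post actually test, as an added example that is not part of the original post: 'ether multicast' checks the group bit of the destination MAC, and 'ip[16]>=224' checks the first octet of the IPv4 destination address. It goes a little beyond the capture above by also running broadcast and IPv6 frames through both checks; the frames are constructed and the function names are made up for this illustration.

```python
import socket
import struct

def build_frame(dst_mac, dst_ip, ethertype=0x0800):
    """Constructed test frame: Ethernet header plus a minimal 20-byte IPv4 header."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes(6) + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, 17, 0,
                     socket.inet_aton("192.168.1.7"), socket.inet_aton(dst_ip))
    return eth + ip

def ether_multicast(frame):
    # pcap-filter documents 'ether multicast' as shorthand for 'ether[0] & 1 != 0':
    # the lowest bit of the first destination MAC byte is the group bit.
    return len(frame) >= 14 and (frame[0] & 1) != 0

def ip16_ge_224(frame):
    # 'ip[...]' only applies to IPv4 frames (EtherType 0x0800).
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return False
    # Bytes 16..19 of the IPv4 header hold the destination address,
    # so ip[16] is its first octet; 224 and above starts at 224.0.0.0.
    return frame[14 + 16] >= 224

# Constructed sample frames (only the SSDP group address comes from the capture above).
SAMPLES = {
    "ssdp": build_frame("01:00:5e:7f:ff:fa", "239.255.255.250"),
    "unicast": build_frame("00:11:22:33:44:55", "192.168.1.3"),
    "limited_broadcast": build_frame("ff:ff:ff:ff:ff:ff", "255.255.255.255"),
    "subnet_broadcast": build_frame("ff:ff:ff:ff:ff:ff", "192.168.1.255"),
    # Payload is not parsed for non-IPv4 frames; only the destination MAC matters here.
    "ipv6_multicast": build_frame("33:33:00:00:00:01", "0.0.0.0", 0x86DD),
}

def classify(samples=SAMPLES):
    """Return {name: (matches 'ether multicast', matches 'ip[16]>=224')}."""
    return {name: (ether_multicast(f), ip16_ge_224(f)) for name, f in samples.items()}

if __name__ == "__main__":
    for name, (eth, ip) in classify().items():
        print(f"{name:18} ether multicast={eth!s:5} ip[16]>=224={ip}")
```

Both filters also match broadcast frames, and only 'ether multicast' sees IPv6 multicast, which is worth keeping in mind when reading a capture taken with one or the other.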