Capturing multicast traffic with tcpdump

To capture multicast traffic with tcpdump use

tcpdump ether multicast or
tcpdump ‘ip[16]>=224’

I set out to capture multicast traffic at home because I read ntp uses multicast to sync with each other. I might have read and forgotten. Doing is remembering. I want to capture traffic to remember.

tcpdump ether multicast

On a second terminal

systemctl stop ntp
nptdate $ntpserver

I find it is not just ntp that is using multicast in my little home network. MiniDLNA daemon is listening on a multicast address and so is my wife’s iPad!

root@ahp:~# netstat -lup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0       *:*                                 2246/minidlnad  
udp        0      0    *:*                                 2246/minidlnad  

root@ahp:~# tcpdump ether multicast
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:35:38.356849 IP igmp v2 report
02:35:41.220933 IP igmp v2 report  
02:35:41.223782 IP igmp v2 report
02:35:46.447392 IP UDP, length 125
02:35:46.549823 IP UDP, length 125
02:35:47.268296 IP UDP, length 340
02:35:47.271666 IP UDP, length 285
02:35:47.274749 IP UDP, length 276
02:35:47.278646 IP UDP, length 350
02:35:56.380164 IP UDP, length 125
02:35:56.482582 IP UDP, length 125
02:35:56.585911 IP UDP, length 125

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s