Wireshark-users: Re: [Wireshark-users] Multicast problem

From: Lars Lars <laasunde@xxxxxxxxxxx>
Date: Thu, 6 Nov 2008 08:19:27 +0100
The problem turns out to be the firewall after all. It was not enough to just turn off the damn thing; by uninstalling the software package the problem was fixed.

Thank you for your time and effort.



Date: Wed, 5 Nov 2008 10:18:19 +1100
From: martinvisser99@xxxxxxxxx
To: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Multicast problem

I'm fairly certain that a switch will not hairpin multicast traffic back to a sender. (Basically because of the learned source MAC address.) So if you do receive packets (on the working machine) that you send, it must be within the local stack. There are two things I can think of here:

1. Is there possibly a timing issue in the broken machine? You are binding both as a listener and sender and it is possible that may mean (at least in the broken case) that your listener is not ready when you are sending. (I'm not sure if this is actually possible, not knowing a lot of details about your code or the stack.)
2. There is at least one registry setting, IGMPLevel, that, if incorrectly set, will mean the IP stack will not receive multicast. The concise info on this is here: http://www.windowsreference.com/windows-vista/control-multicast-support-and-set-igmp-version-in-windows-server-2008-vista/ (and yes, it does apply to Windows XP as per http://support.microsoft.com/kb/314053).


Regards, Martin

On Tue, Nov 4, 2008 at 8:20 PM, Lars Lars <laasunde@xxxxxxxxxxx> wrote:
Using WinXP Professional tried with both sp2 and sp3 - no difference.

Using Wireshark 1.0.4

Firewall is disabled.

Server application is C++ using winsock 1.1

Both on a working setup and on the faulty setup I see an IGMP packet from 172.21.100.1 (server) to 224.0.0.22 with type = 0x22 and m_address = 230.21.1.200

Both on a working setup and on the faulty setup I see the server sending multiple UDP packets as multicast from 172.21.100.1 (server) to 230.21.1.200 (src and dst port equal 14800) at regular intervals.

In all the literature I've come across on this subject the multicast loop is performed on the host's ip stack and the behaviour is by default enabled.

Using windump or wireshark on the server seems to affect the behaviour of the server. Do not know how to debug this problem without affecting the outcome. Also do not know how to verify that ip stack is actually returning a copy of multicast to itself.

Appreciate any input.


> Date: Fri, 31 Oct 2008 09:10:35 -0400
> From: SYSJHY@xxxxxxxxxxxxxxx
> Subject: Re: [Wireshark-users] Multicast problem
>
> Hello Lars,
>
> >>> Lars Lars <laasunde@xxxxxxxxxxx> 10/31/08 6:32 AM >>>
> > Here are some observations:
> > Running server application and running wireshark but
> > not listening to any adapter - no multicasts are received
> > on the server.
> >
> > Running server application and just opening
> > Capture -> Interface... to show "Wireshark. Capture Interfaces"
> > - this triggers the server application to receive multicast
> > packets. I'm only showing the dialog window - not using it.
> > By closing the window the server stops receiving the
> > multicasts.
> >
> > Running server application and opening Capture -> Options...
> > in wireshark select correct adapter and disabled promiscuous
> > mode - click Start and then the server starts to receive
> > multicast messages. By stopping the capture then the
> > server stops receiving multicasts. Tried enabling and
> > disabling various settings within Wireshark: Capture
> > options dialog window but it does not seem to affect
> > the behaviour - it seems, regardless of mode or
> > settings by listening to the adapter the server
> > receives the multicasts.
> >
> > Can anyone shed some light on what wireshark
> > does to 'cause' the behaviour I am describing. Thank you
>
> A few questions:
>
> What platform is this multicast server application
> running on? (Windows (XP, Vista), Linux, etc)?
>
> What version of Wireshark are you using?
>
> Do you have any firewall installed on this system?
>
> What type of multicast server application is this?
>
> When your server actually subscribes to the multicast
> group 230.21.1.200 it should send an IGMP message
> indicating that fact. Do you see IGMP packets
> egressing from your server machine?
>
> If your machine is sending IGMP packets, what do
> these IGMP packets contain?
>
> If your system is NOT sending any packet, then your
> system (for some reason) is NOT advertising its desire
> to subscribe to the multicast group 230.21.1.200.
>
> Is this the ONLY system that produces (sends) data for
> this multicast group (230.21.1.200:14800)?
>
> If not, does this same server system receive multicast
> packets from other systems that are sending on this
> group (230.21.1.200:14800)?
>
> I am assuming you have multicast aware networking
> equipment?
>
> If your networking equipment is multicast aware,
> and you (or your networking group) have access
> to the management interface of the switch, you
> should be able to query its multicast forwarding
> tables to determine if your machine has subscribed
> to the multicast 230.21.1.200 group or not.
>
> I also agree with the earlier reply to this thread regarding
> hair-pinning. It is extremely unlikely that the switch
> equipment would locally (Layer 2) send a multicast packet
> back to the same switch port that it originated on.
>
> But if the multicast packet is ultimately forwarded to a
> rendezvous point then perhaps a copy of your multicast
> packet could ultimately be sent back to the same switch
> port that it originated on.
>
> Does the switch port that your server is connected to
> have multiple vlans exposed on it?
>
> Answers to the above might help narrow down
> possibilities.
>
> Best regards,
>
> Jim Y.
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> https://wireshark.org/mailman/listinfo/wireshark-users






--
Regards, Martin

MartinVisser99@xxxxxxxxx
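
The IGMP packet described in this thread (type 0x22, sent to 224.0.0.22 for group 230.21.1.200) is an IGMPv3 Membership Report. As an added example that is not part of the original messages, the Python below decodes such a report per RFC 3376, validates its checksum, and tells an any-source join apart from a leave. The function names are hypothetical and the sample bytes are constructed, not taken from the poster's capture.

```python
import socket
import struct

RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",          # RFC 3376,
                3: "CHANGE_TO_INCLUDE_MODE", 4: "CHANGE_TO_EXCLUDE_MODE",  # section
                5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}      # 4.2.12

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_igmpv3_report(msg: bytes) -> list:
    """Decode an IGMPv3 Membership Report (type 0x22) into its group records."""
    if len(msg) < 8 or msg[0] != 0x22:
        raise ValueError("not an IGMPv3 membership report")
    if inet_checksum(msg) != 0:  # a valid message checksums to zero over its whole length
        raise ValueError("bad IGMP checksum")
    n_records = struct.unpack("!H", msg[6:8])[0]
    records, off = [], 8
    for _ in range(n_records):
        if off + 8 > len(msg):
            raise ValueError("truncated group record")
        rtype, aux_words, n_src = struct.unpack("!BBH", msg[off:off + 4])
        src_end = off + 8 + 4 * n_src
        if src_end + 4 * aux_words > len(msg):
            raise ValueError("group record overruns message")
        records.append({
            "type": RECORD_TYPES.get(rtype, f"UNKNOWN({rtype})"),
            "group": socket.inet_ntoa(msg[off + 4:off + 8]),
            "sources": [socket.inet_ntoa(msg[i:i + 4]) for i in range(off + 8, src_end, 4)],
        })
        off = src_end + 4 * aux_words  # skip auxiliary data, if any
    return records

def is_any_source_join(record: dict, group: str) -> bool:
    """An any-source join is exclude mode with an empty source list."""
    return (record["group"] == group and not record["sources"]
            and record["type"] in ("MODE_IS_EXCLUDE", "CHANGE_TO_EXCLUDE_MODE"))

def build_sample_report(group: str = "230.21.1.200", rtype: int = 4) -> bytes:
    """Constructed sample: one group record, no sources, checksum filled in."""
    body = struct.pack("!BBHHHBBH", 0x22, 0, 0, 0, 1, rtype, 0, 0) + socket.inet_aton(group)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
```

Feed `parse_igmpv3_report` the IGMP payload bytes exported from a capture (everything after the IP header) to confirm which group and record type the host actually advertised.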