Re: TCPDUMP filter for multicast

["Ernest L. Williams Jr." <ernesto () ornl gov>]

On Sat, 2004-06-19 at 23:46, Guy Harris wrote:
> On Sat, Jun 19, 2004 at 10:35:54PM -0400, Ernest L. Williams Jr. wrote:
> > Do I have to join the list? Looks like there is a post block on me at
> > the moment.
>
> You might have to join the list in order to be able to mail to it.  It's
> not very high-volume....
>
> > However, I am only getting address starting with 224.
> > I would like to see my 239 guys as well. 
>
> Try capturing with "ip net 239.0.0.0/8" - and see what the MAC addresses
> are for those packets. 
The multicast traffic has subsided for now.  So, I will use the filter
you suggest on a previously captured dump file:
==========================================================================
[root@matrix williams]# tcpdump -e -r lin-ics-netsw1d1-port1.dmp ip net
239.0.0.0/8 |more
reading from file lin-ics-netsw1d1-port1.dmp, link-type EN10MB
(Ethernet)
10:51:59.793551 00:00:bc:03:f4:43 > 01:00:5e:40:45:a2, ethertype IPv4
(0x0800), length 108: IP 172.31.74.37.62308 > 239.192.69.162.2222: UDP,
length 66
10:51:59.793612 00:00:bc:06:08:7d > 01:00:5e:40:2b:00, ethertype IPv4
(0x0800), length 74: IP 172.31.73.80.2222 > 239.192.43.0.2222: UDP,
length 32
10:51:59.793639 00:00:bc:05:4b:fd > 01:00:5e:40:51:20, ethertype IPv4
(0x0800), length 146: IP 172.31.74.129.2222 > 239.192.81.32.2222: UDP,
length 104
10:51:59.793666 00:00:bc:05:5c:6c > 01:00:5e:40:51:e1, ethertype IPv4
(0x0800), length 100: IP 172.31.74.135.2222 > 239.192.81.225.2222: UDP,
length 58
10:51:59.793714 00:00:bc:05:4b:fd > 01:00:5e:40:51:27, ethertype IPv4
(0x0800), length 100: IP 172.31.74.129.2222 > 239.192.81.39.2222: UDP,
length 58
10:51:59.793741 00:00:bc:03:f4:5c > 01:00:5e:40:45:82, ethertype IPv4
(0x0800), length 108: IP 172.31.74.36.65394 > 239.192.69.130.2222: UDP,
length 66

> If they have multicast MAC addresses, "multicast
> and not broadcast" *should* capture them, so there might be a bug
> somewhere.

> From the output, I have received looks like "01:00:5E:XX:XX:XX" is
indeed the multicast signature, right?

Also, unfortunately I executed the filter you suggested after the
"239.X.X.X" multicast traffic had subsided.  If I try the filter again
on the previously captured file I get:
====================================================================
[root@matrix williams]# tcpdump -r lin-ics-netsw1d1-port1.dmp ip
multicast and not broadcast |more
reading from file lin-ics-netsw1d1-port1.dmp, link-type EN10MB
(Ethernet)
10:51:59.793551 IP 172.31.74.37.62308 > 239.192.69.162.2222: UDP, length
66
10:51:59.793612 IP 172.31.73.80.2222 > 239.192.43.0.2222: UDP, length 32
10:51:59.793639 IP 172.31.74.129.2222 > 239.192.81.32.2222: UDP, length
104
10:51:59.793666 IP 172.31.74.135.2222 > 239.192.81.225.2222: UDP, length
58
10:51:59.793714 IP 172.31.74.129.2222 > 239.192.81.39.2222: UDP, length
58
10:51:59.793741 IP 172.31.74.36.65394 > 239.192.69.130.2222: UDP, length
66
10:51:59.793768 IP 172.31.74.35.65498 > 239.192.69.96.2222: UDP, length
104
10:51:59.793795 IP 172.31.74.32.49798 > 239.192.69.1.2222: UDP, length
66
========================================================================


So, the filter you originally suggested works perfectly!!
Thanks for the help.

I am now subscribed to the tcpdump mailing list as well.






Thanks,
-- 
Ernest L. Williams Jr. <ernesto () ornl gov>

-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.