[gentoo-user] IGMP, what is this?

[gentoo-user] IGMP, what is this?

[Dale]

Hi,

I noticed a little modem activity while I was idle.  I wasn't sure what
it was so I used wireshark to capture and exported it.  I did a google
search and even read the wikipedia thing but I'm still not sure what to
make of this.  Here is what I got from wireshark:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

No.     Time        Source                Destination           Protocol
Info
     20 113.958458  209.244.187.170       224.0.0.1             IGMP    
V2 Membership Query, general

Frame 20 (44 bytes on wire, 44 bytes captured)
    Arrival Time: Nov 21, 2008 06:41:55.382585000
    [Time delta from previous captured frame: 29.711333000 seconds]
    [Time delta from previous displayed frame: 29.711333000 seconds]
    [Time since reference or first frame: 113.958458000 seconds]
    Frame Number: 20
    Frame Length: 44 bytes
    Capture Length: 44 bytes
    [Frame is marked: False]
    [Protocols in frame: sll:ip:igmp]
    [Coloring Rule Name: Routing]
    [Coloring Rule String: hsrp || eigrp || ospf || bgp || cdp || vrrp
|| gvrp || igmp || ismp]
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src: 209.244.187.170 (209.244.187.170), Dst:
224.0.0.1 (224.0.0.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 28
    Identification: 0x7a8b (31371)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 1
    Protocol: IGMP (0x02)
    Header checksum: 0xd1b4 [correct]
        [Good: True]
        [Bad : False]
    Source: 209.244.187.170 (209.244.187.170)
    Destination: 224.0.0.1 (224.0.0.1)
Internet Group Management Protocol
    IGMP Version: 2
    Type: Membership Query (0x11)
    Max Response Time: 10.0 sec (0x64)
    Header checksum: 0xee9b [correct]
    Multicast Address: 0.0.0.0 (0.0.0.0)

0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 1c 7a 8b 00 00 01 02 d1 b4 d1 f4 bb aa   E...z...........
0020  e0 00 00 01 11 64 ee 9b 00 00 00 00               .....d......


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Ideas?  Thanks

Dale

:-)  :-) 

Re: [gentoo-user] IGMP, what is this?

[Patric Schmitz]

On Fri, 21 Nov 2008 06:50:04 -0600
Dale <rdalek1967@gmail.com> wrote:

> Hi,
> 
> I noticed a little modem activity while I was idle.  I wasn't sure
> what it was so I used wireshark to capture and exported it.  I did a
> google search and even read the wikipedia thing but I'm still not
> sure what to make of this.  Here is what I got from wireshark:
> 
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> No.     Time        Source                Destination
> Protocol Info
>      20 113.958458  209.244.187.170       224.0.0.1
> IGMP V2 Membership Query, general
> 
> Frame 20 (44 bytes on wire, 44 bytes captured)
>     Arrival Time: Nov 21, 2008 06:41:55.382585000
>     [Time delta from previous captured frame: 29.711333000 seconds]
>     [Time delta from previous displayed frame: 29.711333000 seconds]
>     [Time since reference or first frame: 113.958458000 seconds]
>     Frame Number: 20
>     Frame Length: 44 bytes
>     Capture Length: 44 bytes
>     [Frame is marked: False]
>     [Protocols in frame: sll:ip:igmp]
>     [Coloring Rule Name: Routing]
>     [Coloring Rule String: hsrp || eigrp || ospf || bgp || cdp || vrrp
> || gvrp || igmp || ismp]
> Linux cooked capture
>     Packet type: Unicast to us (0)
>     Link-layer address type: 512
>     Link-layer address length: 0
>     Source: <MISSING>
>     Protocol: IP (0x0800)
> Internet Protocol, Src: 209.244.187.170 (209.244.187.170), Dst:
> 224.0.0.1 (224.0.0.1)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN:
> 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 28
>     Identification: 0x7a8b (31371)
>     Flags: 0x00
>         0... = Reserved bit: Not set
>         .0.. = Don't fragment: Not set
>         ..0. = More fragments: Not set
>     Fragment offset: 0
>     Time to live: 1
>     Protocol: IGMP (0x02)
>     Header checksum: 0xd1b4 [correct]
>         [Good: True]
>         [Bad : False]
>     Source: 209.244.187.170 (209.244.187.170)
>     Destination: 224.0.0.1 (224.0.0.1)
> Internet Group Management Protocol
>     IGMP Version: 2
>     Type: Membership Query (0x11)
>     Max Response Time: 10.0 sec (0x64)
>     Header checksum: 0xee9b [correct]
>     Multicast Address: 0.0.0.0 (0.0.0.0)
> 
> 0000  00 00 02 00 00 00 00 00 00 00 00 00 00 00 08
> 00   ................ 0010  45 00 00 1c 7a 8b 00 00 01 02 d1 b4 d1 f4
> bb aa   E...z........... 0020  e0 00 00 01 11 64 ee 9b 00 00 00
> 00               .....d......
> 
> 
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 
> Ideas?  Thanks

Hmm it looks like an IGMP multicast group membership
query. I have seen the (SAP) service discovery function of VLC
broadcasting those (or something similar, i might be mixing up things
here).

On http://www.networksorcery.com/enp/protocol/igmp.htm i found:

"0x11   Group Membership Query, general or group-specific. General
Query is used to learn which groups have members on an attached
network. Group-Specific Query is used to learn if a particular group
has any members on an attached network. These two messages are
differentiated by the Group Address."

I hope this is of any help,
Patric

Re: [gentoo-user] IGMP, what is this?

[Dale]

Patric Schmitz wrote:
> On Fri, 21 Nov 2008 06:50:04 -0600
> Dale <rdalek1967@gmail.com> wrote:
>
>   
>> Hi,
>>
>> I noticed a little modem activity while I was idle.  I wasn't sure
>> what it was so I used wireshark to capture and exported it.  I did a
>> google search and even read the wikipedia thing but I'm still not
>> sure what to make of this.  Here is what I got from wireshark:
>>
>> <<< SNOP >>
>>
>> Ideas?  Thanks
>>     
>
> Hmm it looks like an IGMP multicast group membership
> query. I have seen the (SAP) service discovery function of VLC
> broadcasting those (or something similar, i might be mixing up things
> here).
>
> On http://www.networksorcery.com/enp/protocol/igmp.htm i found:
>
> "0x11   Group Membership Query, general or group-specific. General
> Query is used to learn which groups have members on an attached
> network. Group-Specific Query is used to learn if a particular group
> has any members on an attached network. These two messages are
> differentiated by the Group Address."
>
> I hope this is of any help,
> Patric
>
>
>   

I was trying to figure out if someone was snooping in on my connection
or something.  I got a new ISP and I sort of think it is something their
network does.  Since I do my banking and credit card on this thing, I
was just wanting to make sure I was safe to do that.  I know they are
encrypted but still want to make sure.

Dale

:-)  :-)