On 2014-02-11 Sean Walberg wrote:
Packets to 224.0.0.1 are only for the local subnet and should not be
Hmm, I didn't see that in my (brief) multicast research, but I'll take your word for it. I did find that TTL=1 means local-subnet-only and these packets are indeed showing a TTL of 1.
Occam's razor would suggest that it's a misconfiguration or some other crap on the network.
Or I guess someone sending out spoof packets hoping to find someone running IGMP to mess with?
DOS went away. Wondering if there's some pattern in the numbers.
Well, it's still going on, every minute on the button.
I just did some more checks and see that I have the MAC for the source of the packets, and looking in arp I see the MAC belongs to my next-hop, a Shaw router. So either it is generating these, or this packet is indeed crossing a subnet boundary. No?
Can anyone else on Shaw (obviously without a non-linux router in the way) do a quick check to see they get these packets also?
Hey, what if it's some attempt by Shaw to detect and shutdown hackers trying to run IGMP?
As long as the black helicopters aren't outside my house, this is more of a curiosity than a big concern. Well, except it is putting 208 bytes into my /v/l/messages every minute. ;-)