On 14-02-13 02:52 AM, Trevor Cordes wrote:
> Hmm, I didn't see that in my (brief) multicast research, but I'll take your word for it. I did find that TTL=1 means local-subnet-only and these packets are indeed showing a TTL of 1.
Your google-fu is weak, as usual. From the Wikipedia page on "Multicast address": 224.0.0.1: The "All Hosts" multicast group addresses all hosts on the same network segment.
By definition, all IGMP packets will have a TTL of 1 - they're only supposed to discover directly-connected hosts that also run IGMP.
> I just did some more checks and see that I have the MAC for the source of the packets, and looking in arp I see the MAC belongs to my next-hop, a Shaw router. So either it is generating these, or this packet is indeed crossing a subnet boundary. No?
The router will be generating them. Only multicast-capable routers should ever generate IGMP packets. (Some switches intercept and occasionally modify them, but that's an acceptable special case.)
> Hey, what if it's some attempt by Shaw to detect and shut down hackers trying to run IGMP?
No. IGMP is a completely normal thing, and is not indicative of a "hacker".
> As long as the black helicopters aren't outside my house, this is more of a curiosity than a big concern. Well, except it is putting 208 bytes into my /v/l/messages every minute. ;-)
A perfect example of why I've never found it worthwhile to log incoming traffic that got dropped.
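The checks the thread walks through (IGMP, destination 224.0.0.1, TTL of 1, source MAC matching the next-hop router seen in arp) can be turned into a small triage filter so the dropped-packet log can be read without the once-a-minute noise. The script below is an added example, not something posted in this thread: it assumes the netfilter LOG line format (IGMP shows up as PROTO=2), the sample log lines are constructed, and the gateway MAC in GATEWAY_MAC is a placeholder for whatever `arp` reports for the next hop.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder: the next-hop router's MAC as shown by `arp -a`.
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed sample lines in netfilter LOG format (not taken from the thread).
# The MAC= field holds dst MAC (6 bytes), src MAC (6 bytes), then the ethertype (2 bytes).
SAMPLE_LOG = """\
Feb 13 02:50:01 gw kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 13 02:51:01 gw kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 13 02:51:30 gw kernel: DROP IN=eth0 OUT= MAC=01:00:5e:00:00:01:de:ad:be:ef:00:01:08:00 SRC=192.0.2.9 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Feb 13 02:51:45 gw kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=12345 PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 SYN
"""

TOKEN_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Return the KEY=value fields of one LOG line as a dict (bare flags like DF are skipped)."""
    return dict(TOKEN_RE.findall(line))


def source_mac(fields):
    """Extract the sender's MAC from the 14-byte MAC= field, or None if it is malformed."""
    parts = fields.get("MAC", "").split(":")
    if len(parts) != 14:
        return None
    return ":".join(parts[6:12]).lower()


def classify(fields, gateway_mac=GATEWAY_MAC):
    """Label a parsed line: link-local IGMP from the gateway is the expected noise the thread describes."""
    try:
        dst = ipaddress.ip_address(fields.get("DST", ""))
    except ValueError:
        return "unparsable"
    is_igmp = fields.get("PROTO") in ("2", "IGMP")
    # IGMP membership queries are sent to a multicast group with TTL=1 and never cross a router.
    if is_igmp and dst.is_multicast and fields.get("TTL") == "1":
        if source_mac(fields) == gateway_mac.lower():
            return "benign-igmp-from-gateway"
        # Same packet shape but not from the known next hop: worth a second look.
        return "igmp-unexpected-source"
    return "other"


def summarize(log_text):
    """Count how many dropped-packet lines fall into each category."""
    return Counter(
        classify(parse_netfilter_line(line))
        for line in log_text.splitlines()
        if line.strip()
    )


if __name__ == "__main__":
    for label, count in summarize(SAMPLE_LOG).items():
        print(f"{label}: {count}")
```

Once the gateway's IGMP queries are confirmed benign, the cleaner fix is a silent drop (or accept, if anything on the LAN joins multicast groups) placed ahead of the logging rule, so they never reach /var/log/messages in the first place.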