On 14-02-13 02:52 AM, Trevor Cordes wrote:
> Hmm, I didn't see that in my (brief) multicast research, but I'll take
> your word for it.  I did find that TTL=1 means local-subnet-only and
> these packets are indeed showing a TTL of 1.
Your google-fu is weak, as usual.  From the Wikipedia page on "Multicast address":

    224.0.0.1 The All Hosts multicast group addresses all hosts on the same network segment.

By definition, all IGMP packets will have a TTL of 1 - they're only supposed to discover directly-connected hosts that also run IGMP.


> I just did some more checks and see that I have the MAC for the source
> of the packets, and looking in arp I see the MAC belongs to my
> next-hop, a Shaw router.  So either it is generating these, or this
> packet is indeed crossing a subnet boundary.  No?
The router will be generating them.  Only multicast-capable routers should ever generate IGMP packets.  (Some switches intercept and occasionally modify them, but that's an acceptable special case.)

> Hey, what if it's some attempt by Shaw to detect and shutdown hackers
> trying to run IGMP?
No.  IGMP is a completely normal thing, and is not indicative of a "hacker".

> As long as the black helicopters aren't outside my house, this is more
> of a curiosity than a big concern.  Well, except it is putting 208
> bytes into my /v/l/messages every minute.  ;-)
A perfect example of why I've never found it worthwhile to log incoming traffic that got dropped.

-- 
-Adam Thompson
 athompso@athompso.net
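
Added example, not part of the thread above and not code from either poster: a small Python script that builds a constructed IGMPv2 general query the way a querier router on the segment would send it (IP protocol 2, TTL 1, destination 224.0.0.1, Router Alert option), then decodes a raw IPv4+IGMP datagram, verifies both checksums, and reports whether it matches the expected link-local querier traffic discussed in the thread. The 192.0.2.1 source address, the function names and the packet bytes are assumptions made for the example.

```python
"""Build and classify IGMP datagrams to check the thread's claims about
router-originated IGMP queries (protocol 2, TTL 1, dst 224.0.0.1).
Example code, not from the original mailing-list thread."""
import ipaddress
import struct

# IGMP message types (RFC 1112 / RFC 2236 / RFC 3376)
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "Leave Group",
    0x22: "IGMPv3 Membership Report",
}
ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")
LINK_LOCAL_MCAST = ipaddress.IPv4Network("224.0.0.0/24")  # never forwarded by routers


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; returns 0 for valid data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp_query(src: str, group: str = "0.0.0.0", ttl: int = 1,
                     max_resp: int = 100) -> bytes:
    """Constructed sample packet: an IGMPv2 query as a querier router sends it.
    A general query (group 0.0.0.0) goes to 224.0.0.1; a group-specific query
    goes to the group itself. The IP header carries the Router Alert option
    (RFC 2113), so IHL is 6 (24 bytes)."""
    igmp = struct.pack("!BBH4s", 0x11, max_resp, 0, ipaddress.IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    dst = str(ALL_HOSTS) if group == "0.0.0.0" else group
    router_alert = b"\x94\x04\x00\x00"
    ihl = 6
    total_len = ihl * 4 + len(igmp)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0xC0, total_len, 0, 0, ttl, 2, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + router_alert
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp


def classify(pkt: bytes) -> dict:
    """Decode an IPv4+IGMP datagram and say whether it looks like the normal
    link-local querier traffic described in the thread. Raises ValueError on
    anything that is not a well-formed IPv4/IGMP packet."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _cs, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 2:
        raise ValueError("not an IPv4/IGMP packet")
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IP header checksum")
    igmp = pkt[ihl:total_len]
    if len(igmp) < 8 or inet_checksum(igmp) != 0:
        raise ValueError("bad or truncated IGMP message")
    itype, _max_resp, _igmp_cs, group = struct.unpack("!BBH4s", igmp[:8])
    dst_addr = ipaddress.IPv4Address(dst)
    group_addr = ipaddress.IPv4Address(group)
    general_query = itype == 0x11 and group_addr == ipaddress.IPv4Address("0.0.0.0")
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(dst_addr),
        "ttl": ttl,
        "type": IGMP_TYPES.get(itype, "unknown 0x%02x" % itype),
        "group": str(group_addr),
        "link_local_scope": dst_addr in LINK_LOCAL_MCAST,
        # A general query from the segment's querier: TTL 1, to all-hosts.
        # TTL != 1 or a non-link-local destination would be worth a look.
        "expected_querier_traffic": general_query and ttl == 1 and dst_addr == ALL_HOSTS,
    }


if __name__ == "__main__":
    sample = build_igmp_query("192.0.2.1")  # constructed: the next-hop router
    for key, value in classify(sample).items():
        print("%-26s %s" % (key, value))
```

Run as-is it prints the decoded fields for the constructed query; feed `classify()` bytes captured with a raw socket or extracted from a pcap to check real traffic the same way.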