print

Tip of the Month

August 2001

Stranger in a Strange LAN

Have you ever noticed some strange-looking IP addresses on your network and wondered what was going on? Perhaps they appeared only as destination addresses and didn't look like other IP addresses you'd seen before. If they're in the range of 224.x.x.x through 239.x.x.x, they're actually IP Multicasts and may be quite normal for your network.

How to look for IP Multicast Addresses
From Conversation statistics (under Statistics from the main menu bar), or from the Conversations Tab in EtherPeek, AiroPeek or TokenPeek, you'll see columns labeled as Source Node, Destination Node, Protocol, Bytes, and Packets. The Destination Node column is the one in which we are interested. Click on that column header to sort so that all of those high-valued IP addresses are showing up at the top (or bottom) of your list. Have a look. Are you seeing some addresses in the range mentioned above?

What is an IP Multicast?
IP Multicasting is a technique developed to send packets from one location on the network or Internet to many other locations, without unnecessary packet duplication. In multicasting, one packet is sent from a source and is replicated as needed throughout the network to reach as many end-devices as necessary.

Class D IP addresses are used to specify that packets are to go to a group of devices. That's where the 224 through 239 addresses range comes from - they are the address space for class D.

Who uses Multicasts?
The Internet Group Management Protocol (IGMP) protocol sends to the all-hosts IP multicast address (224.0.0.1) or other multicast address to declare its membership in a specific host group. Routing protocols such as RIP v2 and OSPF (Open Shortest Path First) also make use of IP addresses starting with 224.0.0.X to multicast out their routing table information.

Want to Delve Further?
Use the "Peeks" Select Related Packets function within the Conversations view to hone in on the Multicasts. Or, set up a filter based on IP address and use the '/' notation of 224.0.0.0/8.

Want to Delve Even Further?
Join us at one of our scheduled WildPackets Academy public training classes and unravel more mysteries of network traffic through packet analysis taught by expert Instructors!

WILDPACKETS ACADEMY COURSES

• WP-101 Network Troubleshooting Methods Using EtherPeek
• WP-102 Full-Duplex and Switched Ethernet Analysis
• WP-103 TCP/IP Protocol Analysis Methods
• WP-104 Advanced TCP/IP Protocol Analysis
• WP-105 AppleTalk and Mac OS/X Network Analysis
• WP-106 802.11 Wireless Network Analysis Using AiroPeek
• WP-107 LAN/WAN Special Topics

For more information on WildPackets Academy, to download a course catalogue, to peruse the training schedule, or to register for any of our courses, please visit http://www.wildpackets.com/services/academy/overview.