
Large amount of IGMP v2 membership reports on Wireshark, killing file server

We recently installed a new server for a client of ours. Everything had been going great, and today I swapped out a router and noticed that I was getting dropped packets to the new server. I ran Wireshark and saw a whole lot of IGMP traffic.

I don't know what this is, but about every 2 minutes there is a huge peak in the networking graph, and I lose internet and file sharing for about 60 seconds.

Wireshark lists some IPs. Destination: 224.0.0.251 and source: 207.114.144.210

These IPs have nothing to do with us.

Any thoughts on how I can solve this would be great!

Thanks!

Top Expert 2015
Commented:
224.0.0.251 is mDNS, aka Bonjour by Apple, installed by QuickTime.
Pay attention to the net drivers on the server and update them to the latest HCL; if no luck, disable offload engines and chimney.
If still no luck, script an MSI uninstall of Bonjour (no damage to QuickTime by doing this).

Author

Commented:
I don't have QuickTime installed on this server. Although I discovered that the 207 IP is somehow related to the organization. I found it listed on a whois, with the org name on there.

This one is really stumping me; the server is fully up to date. I'm not sure how to disable the offload engines.

It's a Windows Server running 2008 server. Any other ideas? I've never seen Bonjour do something like this.

Author

Commented:
Here is what the Wireshark capture looks like, just in case you are curious.
Screen-shot-2010-06-15-at-5.56.2.png
Top Expert 2015

Commented:
So you see Bonjour.
Software Engineer
Distinguished Expert 2019
Commented:
mDNS etc. are not only for Apple anymore; it is also known as Avahi, zeroconf.
This protocol is nowadays widely used to resolve LAN name queries by having the owner of a service answer instead of asking a DNS for info.

You might want to limit Multicast traffic from the internet at large to some specific address/port combinations that you actually need.

Please check what the sources of the addresses are. It might be an attempt to map out your network by taking notes of responses.

IGMP is the protocol with which Multicast Listeners inform their uplink (Routers) that they are interested in certain traffic. Such a router will then pass traffic onto that LAN segment.
Many switches implement something called IGMP-Snooping to enhance this by not broadcasting the packets to all connected systems but only to interested ones.
This subscription needs to be renewed every few minutes.

Author

Commented:
Solution was related to the comments provided, but not directly because of comments provided.

Author

Commented:
After a good deal of network diagramming I found a router attached to a network jack had the WAN port plugged into one of the other switch ports. Removed it and resolved the issue. It's a shame this wasn't more obvious; maybe it's time for switchport security.
noci
Software Engineer
Distinguished Expert 2019

Commented:
Switchport security is for switches in one broadcast domain. If there is a router in between you lose it there. A router effectively strips all packets from their relation with a MAC address.
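
One way to make the symptom in this thread stand out earlier, as an added example that is not code from any poster: parse raw IPv4 packets from a capture, pick out IGMPv2 membership reports, and count those whose source address is outside the LAN prefix. The packets are constructed samples, and the 192.168.1.0/24 prefix and its hosts are assumptions; only 224.0.0.251 and 207.114.144.210 come from the thread.

```python
import ipaddress
import struct
from collections import Counter

IGMP_PROTO = 2          # IPv4 protocol number for IGMP
IGMPV2_REPORT = 0x16    # IGMPv2 Membership Report (RFC 2236)

def parse_igmp(packet: bytes):
    """Return (src, group, igmp_type) for an IPv4/IGMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4   # IGMP usually carries the Router Alert option
    if ihl < 20 or packet[9] != IGMP_PROTO or len(packet) < ihl + 8:
        return None
    igmp_type, _resp, _cksum, group = struct.unpack("!BBH4s", packet[ihl:ihl + 8])
    return ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(group), igmp_type

def off_subnet_reporters(packets, lan):
    """Count IGMPv2 reports per (source, group) whose source is outside `lan`."""
    lan = ipaddress.ip_network(lan)
    hits = Counter()
    for src, group, igmp_type in filter(None, map(parse_igmp, packets)):
        if igmp_type == IGMPV2_REPORT and src not in lan:
            hits[(str(src), str(group))] += 1
    return hits

def build_report(src, group, router_alert=True):
    """Constructed sample packet: IPv4 header + IGMPv2 report, checksums left zero."""
    opts = bytes.fromhex("94040000") if router_alert else b""
    ihl = 5 + len(opts) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, ihl * 4 + 8, 0, 0, 1,
                      IGMP_PROTO, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(group).packed)
    igmp = struct.pack("!BBH4s", IGMPV2_REPORT, 0, 0, ipaddress.IPv4Address(group).packed)
    return hdr + opts + igmp

# Constructed capture; the 192.168.1.0/24 LAN and its hosts are assumptions.
SAMPLE = [
    build_report("192.168.1.10", "224.0.0.251"),
    build_report("207.114.144.210", "224.0.0.251"),
    build_report("207.114.144.210", "224.0.0.251", router_alert=False),
    build_report("192.168.1.22", "239.255.255.250"),
]

if __name__ == "__main__":
    for (src, group), n in off_subnet_reporters(SAMPLE, "192.168.1.0/24").items():
        print(f"{n} IGMPv2 report(s) for {group} from off-subnet source {src}")
```

A source address that does not belong to the segment's own prefix showing up in link-local multicast is a sign that another routed network has been bridged onto the LAN, which is what the stray WAN port turned out to be here.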