• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 614

Determine the source of unauthorized IGMP traffic

We're seeing bouts of IGMP traffic on our network, and haven't managed to figure out who's doing it... or really, how to even go about figuring it out.  

Wireshark tells us it's happening, we see the high CPU utilization on the switches, and we see the MAC 01:00:5e:7f:ff:fa and its IP 239.255.255.250, but we can't link it to a port.

What am I missing?
Asked by: MU-IT
1 Solution
 
pmasottaCommented:
That's multicast traffic that shouldn't get to your network... you should be able to trace it with Wireshark and see where it is coming from.
 
MU-ITAuthor Commented:
Wireshark only shows the IP 239.255.255.250, and a MAC 01:00:5e:7f:ff:fa ... which we can't link to an actual device.

http://wiki.wireshark.org/IGMP

 
IronmannenCommented:
Hello,
Can you provide the Wireshark file and the output of the switches' MAC address table?
Regards
 
pmasottaCommented:
It is not a specific device, it is multicast traffic. Can you post a Wireshark pcap file here?
 
MU-ITAuthor Commented:
I had the capture running waiting for an instance of high switch CPU to start so I could see what was going on... so the pcap file is large, +/- 20 MB. Let me trim it and find a place to post it.

We listed the ARP cache from our core and 01:00:5e:7f:ff:fa wasn't there.

What would you look for?  I'd rather learn how to figure it out than have someone tell me.

 
pmasottaCommented:
You have to see the multicast traffic,

see here:
http://www.dslreports.com/forum/r20675819-My-ISPs-router-sends-me-over-1000-IGMP-hits-per-day
http://en.wikipedia.org/wiki/IP_multicast
http://technet.microsoft.com/en-us/library/cc957928.aspx


you should allow multicast traffic if not necessary

You do not have to analyze a 20 MB pcap, just see the part where the traffic occurs...
 
pmasottaCommented:
I meant "should not allow".
 
MU-ITAuthor Commented:
Ah, found it.  Turns out to be an unauthorized Roku player.  

I was applying some filters to isolate the traffic and noticed the 239 IP in SSDP packets... in the data of one of the packets was the link to a functioning Roku box. The high CPU times coincided.

Thanks PMasotta for making me dig around in there a bit more.  I was taking the wrong approach.
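The approach MU-IT ended up with, written out as an added example (this is not code from anyone in the thread). Two things make the original dead end predictable: 01:00:5e:7f:ff:fa is the Ethernet group address derived from 239.255.255.250 (RFC 1112: 01:00:5e plus the low 23 bits of the group), and group addresses only ever appear as a destination, so no switch MAC table or ARP cache will ever hold one. The sender is identified by the source MAC and source IP of those frames, and the datagrams to 239.255.255.250 are SSDP on UDP port 1900, whose NOTIFY payloads carry a LOCATION: URL pointing straight at the advertising device. The script below uses only the standard library; the frames it decodes are constructed inline, and the MACs, the RFC 5737 addresses and the Roku-style URL are made up for the example.

```python
"""Attribute SSDP multicast traffic to the host that sends it.

Added example for this thread, not code from the original posters. Standard
library only: builds constructed Ethernet/IPv4/UDP frames (MACs, addresses
and URL are made up) and decodes them the way you would read the capture in
Wireshark: ignore the group destination MAC, key on the SOURCE MAC/IP, and
pull the LOCATION URL out of the SSDP payload.
"""
import ipaddress
import struct
from collections import defaultdict

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst


def multicast_mac(group):
    """RFC 1112: 01:00:5e + low 23 bits of the group, so 239.255.255.250 ->
    01:00:5e:7f:ff:fa. 32 groups share a MAC (239.127.255.250 gives the same)."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv4 multicast group" % group)
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def is_group_mac(mac):
    """I/G bit set: a group address, never a station. Switches and ARP learn
    only SOURCE addresses, so 01:00:5e:... is never in the MAC table."""
    return bool(int(mac.split(":")[0], 16) & 1)


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_checksum(header):
    """RFC 1071 one's-complement sum; 0 when the header already carries a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / UDP frame; unicast destinations get a
    made-up gateway MAC. UDP checksum left at 0 (= none), which IPv4 allows."""
    dst = ipaddress.IPv4Address(dst_ip)
    dst_mac = multicast_mac(dst_ip) if dst.is_multicast else "02:00:00:00:00:01"
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = [0x45, 0, 20 + len(udp), 0, 0, 4, 17, 0, ipaddress.IPv4Address(src_ip).packed, dst.packed]
    hdr[7] = ip_checksum(struct.pack(IPV4_HDR, *hdr))
    return eth + struct.pack(IPV4_HDR, *hdr) + udp


def parse_udp_frame(frame):
    """Decode Ethernet II / IPv4 / UDP; None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:  # not UDP, or truncated
        return None
    sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    return {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "src_ip": str(ipaddress.IPv4Address(ip[12:16])),
            "dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "payload": ip[ihl + 8:ihl + ulen]}


def ssdp_senders(frames):
    """Group SSDP frames (to 239.255.255.250:1900) by SOURCE MAC and collect
    LOCATION: URLs, which point straight at the advertising device."""
    senders = defaultdict(lambda: {"src_ip": None, "packets": 0, "locations": set()})
    for frame in frames:
        pkt = parse_udp_frame(frame)
        if not pkt or pkt["dst_ip"] != SSDP_GROUP or pkt["dport"] != SSDP_PORT:
            continue
        entry = senders[pkt["src_mac"]]
        entry["src_ip"], entry["packets"] = pkt["src_ip"], entry["packets"] + 1
        for line in pkt["payload"].decode("ascii", "replace").split("\r\n"):
            if line.upper().startswith("LOCATION:"):
                entry["locations"].add(line.split(":", 1)[1].strip())
    return dict(senders)


# Constructed sample capture: made-up MACs, RFC 5737 addresses, made-up URL.
ROKU_MAC, PC_MAC = "02:00:00:00:00:45", "02:00:00:00:00:10"
NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: roku:ecp\r\n"
          b"NTS: ssdp:alive\r\nLOCATION: http://192.0.2.45:8060/\r\nUSN: uuid:EXAMPLE\r\n\r\n")
MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b'MAN: "ssdp:discover"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n')
SAMPLE_FRAMES = [
    build_udp_frame(ROKU_MAC, "192.0.2.45", SSDP_GROUP, 1900, 1900, NOTIFY),
    build_udp_frame(PC_MAC, "192.0.2.10", SSDP_GROUP, 50000, 1900, MSEARCH),
    build_udp_frame(ROKU_MAC, "192.0.2.45", SSDP_GROUP, 1900, 1900, NOTIFY),
    build_udp_frame(PC_MAC, "192.0.2.10", "192.0.2.53", 50001, 53, b"\x00" * 12),  # unicast, ignored
]

if __name__ == "__main__":
    print("group MAC for", SSDP_GROUP, "is", multicast_mac(SSDP_GROUP))
    for mac, info in ssdp_senders(SAMPLE_FRAMES).items():
        print(mac, info["src_ip"], info["packets"], sorted(info["locations"]))
```

Once the source MAC is known, the switch side is an ordinary lookup (`show mac address-table address <mac>` on Cisco IOS) that returns the port; in Wireshark the equivalent is the display filter `ip.dst == 239.255.255.250` with the Ethernet source column shown. Two caveats the thread touches on: the 23-bit mapping means the MAC alone does not even identify the group (239.127.255.250 lands on 01:00:5e:7f:ff:fa too), and filtering on `igmp` alone shows only membership reports, not the SSDP data that actually names the device.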
 
MU-ITAuthor Commented:
This led me down the right path.
 
pmasottaCommented:
I'm glad you got it ;-)
