0

I'm trying to sniff all IGMP messages on the local network (for crazy reasons not to be discussed ;-)). I have some questions related to this, as I'm not really an IGMP/routing expert.

Is it even possible? I know I can read IGMP from a raw socket, and I know you can use Wireshark to monitor the IGMP messages that reach your local computer, but what puzzles me is this:

I use a program on another computer (separated from the one running Wireshark by a switch) which will join a multicast address - BUT - it's not always that I even see the Membership report/JOIN in Wireshark. Now does anyone know if it's guaranteed that every IGMP join is spread out on the entire local network? Sometimes I see the join in Wireshark, sometimes I don't.

Assuming all IGMP join messages are always sent to every station on the network, shouldn't it be possible to monitor which stations are members of which multicast groups doing something like this (posix socket c++ code):

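    #include <cstdint>
    #include <cstdio>
    #include <netinet/in.h>
    #include <netinet/ip.h>
    #include <sys/socket.h>

    int main()
    {
        // Raw IGMP socket; creating it requires root (CAP_NET_RAW).
        int rawSock = ::socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
        if (rawSock < 0) { perror("socket"); return 1; }
        uint8_t buf[10*1024];
        while(true)
        {
            ssize_t rval = ::recv(rawSock, buf, sizeof(buf), 0);
            if (rval < 0) { perror("recv"); return 1; }
            iphdr *iph = (iphdr*)buf;  // buffer starts with the IP header
            printf("Received %zd bytes - protocol %d\n", rval, iph->protocol);
            /*do whatever needed to the IGMP message*/
        }
    }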
arserbin3
Vanvid

1 Answer

2

Your problem could be this... Every IGMP packet must have an IP TTL=1, that means that IGMP will never cross a routed boundary (such as a vlan).

From RFC 2236 - IGMP Version 2:

   Like ICMP, IGMP is a integral part of IP.  It is required to be
   implemented by all hosts wishing to receive IP multicasts.  IGMP
   messages are encapsulated in IP datagrams, with an IP protocol number
   of 2.  All IGMP messages described in this document are sent with IP
   TTL 1, and contain the IP Router Alert option [RFC 2113] in their IP
   header.

This means you can't be anywhere and see IGMP; you should check to be sure that your IGMP receiver above is on the same IP subnet as the sender. You also might check to see whether your machine is receiving IGMP with tshark or wireshark...

Mike Pennington
  • I'm pretty sure both machines are on the same subnet (they both have 192.168.1.* addresses). But from what I understand, the IGMP messages _should_ arrive at all machines on the same subnet? Care to take a guess at why the C++ code posted never detects IGMP messages sent from machines other than itself? – Vanvid Oct 26 '11 at 12:42
  • @Vanvid, I don't know c++; however, I do know that you must put your interface in promiscuous mode to see traffic other than your own, and this means you need to run the code as root. Are you doing both of these things? – Mike Pennington Oct 27 '11 at 00:10
  • Yeah, it's in promiscuous mode, and I'm running as root. Thanks for your time :-) – Vanvid Nov 02 '11 at 07:39
  • Hi Mike, I am having a similar issue. I set the SocketOption "AddMembership" to send an IGMP join packet, and regardless of how I set the MulticastTimeToLive value, the IGMP join packet always has TTL=1. I have read the RFC 2236 you mentioned, but it does not state that the TTL must be 1, so I am wondering if the IGMP join packet MUST have TTL=1 or is there a way to increase it? – Lex L Mar 22 '21 at 20:45
  • @LexL, regarding IGMP TTL must be 1, please look at page 1 of RFC 2236: *" All IGMP messages described in this document are sent with IP TTL 1"* – Mike Pennington Mar 31 '21 at 12:34
  • Thank you for the explanation. Someone insisted that it has to be greater than 1, but we have this sorted out thanks to the answers from here. – Lex L Apr 16 '21 at 07:16
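The RFC text quoted in the answer has a practical consequence for the "do whatever needed to the IGMP message" step in the question: the Router Alert option makes the IP header 24 bytes long, so the IGMP message does not start at offset 20. The following is an added example, not code from the question or the answer; `parseIgmp`, `IgmpInfo` and `kSample` are hypothetical names, and it handles only the fixed 8-byte IGMPv1/v2 format.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Fields pulled out of one buffer as returned by recv() on the raw IGMP socket.
struct IgmpInfo {
    uint8_t  ttl;          // RFC 2236: sent with TTL 1
    bool     routerAlert;  // IP Router Alert option (RFC 2113) present
    uint8_t  type;         // 0x11 query, 0x16 v2 report, 0x17 leave
    uint32_t src, group;   // host byte order
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// Returns false for anything that is not a well-formed 8-byte IGMPv1/v2 message.
bool parseIgmp(const uint8_t *buf, size_t len, IgmpInfo &out) {
    if (len < 20 || (buf[0] >> 4) != 4) return false;
    size_t ihl = size_t(buf[0] & 0x0F) * 4;   // 24 with Router Alert, not 20
    if (ihl < 20 || len != ihl + 8 || buf[9] != 2) return false;
    out.routerAlert = false;
    for (size_t i = 20; i < ihl; ) {          // walk the IP options
        if (buf[i] == 0) break;               // end of option list
        if (buf[i] == 1) { ++i; continue; }   // one-byte no-op
        if (i + 1 >= ihl || buf[i + 1] < 2 || i + buf[i + 1] > ihl) return false;
        if (buf[i] == 0x94 && buf[i + 1] == 4) out.routerAlert = true;
        i += buf[i + 1];
    }
    uint32_t sum = 0;                         // Internet checksum over the IGMP message
    for (size_t i = ihl; i < len; i += 2) sum += (uint32_t(buf[i]) << 8) | buf[i + 1];
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    if (sum != 0xFFFF) return false;
    out.ttl = buf[8]; out.type = buf[ihl];
    out.src = be32(buf + 12); out.group = be32(buf + ihl + 4);
    return true;
}

// Constructed sample: IGMPv2 report from 192.168.1.50 joining 239.1.2.3.
// The IP header checksum is left as zero; the parser does not check it.
const uint8_t kSample[32] = {
    0x46,0xC0,0x00,0x20, 0x00,0x00,0x40,0x00, 0x01,0x02,0x00,0x00,
    0xC0,0xA8,0x01,0x32, 0xEF,0x01,0x02,0x03, 0x94,0x04,0x00,0x00,
    0x16,0x00,0xF8,0xFA, 0xEF,0x01,0x02,0x03 };
int main() {
    IgmpInfo m;
    if (parseIgmp(kSample, sizeof kSample, m))
        printf("type 0x%02x group %08x src %08x ttl %d alert %d\n", unsigned(m.type),
               unsigned(m.group), unsigned(m.src), int(m.ttl), int(m.routerAlert));
}
```

A monitor built on this can treat a message with a TTL other than 1 or without the Router Alert option as worth logging, since RFC 2236 senders set both.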