
I have some IGMP query that goes out of the bond0 interface every 2 minutes.

IP 0.0.0.0 > 224.0.0.1: igmp query v2.

Is it possible to track which process/program is making this query?

From checking, I found that the source MAC address of the query is the MAC address of bond0.

Since this query takes a couple of CPU cycles, I am not sure I will find it in ps or netstat. I think I need some tracking tool like perf or systemtap. I am new to the world of debugging and tracking, so I need some help to find the correct command and parameters.

Thanks.

Max
  • An IGMP query will have the source address of the router making the query. That is essential because if there are multiple multicast routers, the lowest source IP address becomes the Querier, and the other routers need to enter the non-Querier state. See _[RFC 2236, Internet Group Management Protocol, Version 2](https://tools.ietf.org/html/rfc2236)_: "_If a multicast router hears a Query message from a router with a lower IP address, it MUST become a Non-Querier on that network._" – Ron Maupin Feb 23 '17 at 15:33
  • Since you know an IGMP query is coming from IP, maybe you should just look for the process running IP. – Ron Maupin Feb 25 '17 at 19:38

1 Answer

As you probably know, IGMP works on layer 3, so it may be a bit tricky. It doesn't have to bind between a port and process id.

You have to use a combination of these tools:

tcpdump (to be certain IGMP is being sent out)
netstat -avnp
ps -ef | fgrep <pid>
lsof

While you do the tcpdump, I suggest making an aggressive ps -ef monitor:

# Sample the process table and netstat output twice a second while tcpdump runs
while true; do
  ps -ef >> /tmp/ps.out
  netstat -natp | grep 234.55.55.55 >> /tmp/netstat.out
  sleep .5
done

You would then need to do process of elimination.

NinjaGaiden
  • "_IGMP works on layer 2 and 3_" No, IGMP is part of IP, a layer-3 protocol. From _[RFC 2236, Internet Group Management Protocol, Version 2](https://tools.ietf.org/html/rfc2236)_: "_Like ICMP, IGMP is a integral part of IP._" Multicast uses both layer-2 and layer-3. – Ron Maupin Feb 23 '17 at 15:44
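
An added example, not part of the answer or comments above: a userspace program that sends IGMP itself would normally hold a raw socket for IP protocol 2, and Linux lists raw sockets in /proc/net/raw with the protocol number in the port position of local_address. The sketch below assumes that layout, uses a constructed sample table, and maps matching sockets to PIDs through /proc/<pid>/fd; the function names are hypothetical.

```python
"""Map raw IGMP sockets to their owning processes (added example, Linux /proc)."""
import os

IGMP_PROTO = 2  # IP protocol number of IGMP

# Constructed sample in /proc/net/raw format. For raw sockets the "port" part
# of local_address is the IP protocol number (0001 = ICMP, 0002 = IGMP).
SAMPLE_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41001 2 0000000000000000 0
   2: 00000000:0002 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 41002 2 0000000000000000 0
"""

def igmp_socket_inodes(raw_table, proto=IGMP_PROTO):
    """Return the inodes of raw sockets opened for IP protocol `proto`."""
    inodes = []
    for line in raw_table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 10 and int(fields[1].rsplit(":", 1)[1], 16) == proto:
            inodes.append(int(fields[9]))  # column 10 is the socket inode
    return inodes

def owners_of(inodes, proc_root="/proc"):
    """Return {inode: [(pid, comm), ...]} by scanning <proc_root>/<pid>/fd."""
    wanted = {f"socket:[{i}]": i for i in inodes}
    owners = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = {os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:  # process exited, or fd table not readable without root
            continue
        for target in wanted.keys() & targets:
            owners[wanted[target]].append((int(pid), comm))
    return owners

if __name__ == "__main__":
    with open("/proc/net/raw") as f:
        found = owners_of(igmp_socket_inodes(f.read()))
    for inode, procs in found.items():
        print(inode, procs or "no owning process visible (try as root)")
    if not found:
        print("no raw socket for IP protocol 2 is open")
```

Run it as root so that every process's fd table is readable. An empty result means no process currently holds a raw IGMP socket, so sampling ps and netstat will not surface a sender of that kind.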