What is this?

Author: Tony Wasson
Date:  
Subject: What is this?
> I was watching TCPDUMP display traffic on my LAN at home last night and
> saw this scroll by.
>
> 0.210654 ip68-2-176-35.ph.ph.cox.net > MICROSOFT-DS.MCAST.NET: igmp v2
> report MICROSOFT-DS.MCAST.NET [ttl 1]
> 23:39:00.221615 ip68-2-177-28.ph.ph.cox.net > 239.255.255.250: igmp v1
> report 239.255.255.250 [ttl 1]
>
> Being that it clearly said Microsoft, I questioned why when my laptop was
> running Linux. My question is what is that mcast.net and why is it
> showing up on my "LAN's Freeway"? My roommate runs XP and I think the
> computer in the living room is W2K but if they are invoking it, why?


Welcome to the world of tcpdumping.... This is a multicast (the IGMP version
2 and IP address should give it away). Your roommate ought to turn off UPnP.
They aren't 'doing' anything, it is a built-in 'feature' or a default
installation.

As far as multicasts go, anything starting with 239 is 'the wild wild west'.
(see RFC 2365) The whole 239 block is 'administratively scoped' and it isn't
supposed to get routed outside your network. This means any multicast hacks
that the local admins dream up, like making some unicast stream multicast,
will end up here.... Hopefully.
The 239.255.255.0/24 network is a local scope, and isn't supposed to leave
your subnet (hence the TTL of 1 in the packet).

This guy did a little writeup about UPnP:
<http://www.incidents.org/archives/intrusions/msg03062.html>

HTH,
Tony Wasson
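
One way to triage report lines like the two in the post, as an added example that is not part of the original message: it parses old-style tcpdump IGMP report lines, marks groups in the administratively scoped 239.0.0.0/8 block (RFC 2365) and the SSDP group that UPnP discovery uses, and flags IGMP carried with a TTL other than 1. The function name `classify`, the regular expression and the third sample line are assumptions made for this example.

```python
import ipaddress
import re

# Old-style tcpdump IGMP line, in the shape of the capture quoted above:
#   <time> <src> > <dst>: igmp v<N> report <group> [ttl <T>]
IGMP_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"igmp v(?P<ver>\d) report (?P<group>\S+)(?: \[ttl (?P<ttl>\d+)\])?"
)
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")    # RFC 2365
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP (UPnP discovery)


def classify(line):
    """Describe one IGMP report line; return None for anything else."""
    m = IGMP_RE.match(line.strip())
    if not m:
        return None
    ttl = int(m["ttl"]) if m["ttl"] else None
    notes = []
    try:
        group = ipaddress.ip_address(m["group"])
    except ValueError:
        # tcpdump printed a resolved name; -n keeps addresses numeric.
        group = None
        notes.append("group shown as a name; capture with -n")
    if group is not None:
        if not group.is_multicast:
            notes.append("group is not a multicast address")
        elif group in ADMIN_SCOPED:
            notes.append("administratively scoped (RFC 2365)")
        if group == SSDP_GROUP:
            notes.append("SSDP/UPnP discovery group")
    # IGMP messages are sent with IP TTL 1 (RFC 2236); other values stand out.
    if ttl is not None and ttl != 1:
        notes.append(f"unexpected TTL {ttl} on IGMP")
    return {"src": m["src"], "group": m["group"],
            "igmp_version": int(m["ver"]), "ttl": ttl, "notes": notes}


# First two lines: the capture from the post, each joined onto one line.
# Third line: constructed for this example (192.0.2.10 is a documentation address).
SAMPLE = [
    "0.210654 ip68-2-176-35.ph.ph.cox.net > MICROSOFT-DS.MCAST.NET: igmp v2 report MICROSOFT-DS.MCAST.NET [ttl 1]",
    "23:39:00.221615 ip68-2-177-28.ph.ph.cox.net > 239.255.255.250: igmp v1 report 239.255.255.250 [ttl 1]",
    "23:41:12.000001 192.0.2.10 > 239.1.2.3: igmp v2 report 239.1.2.3 [ttl 5]",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```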