Wireshark/IPv4 multicast
Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze IPv4 multicast traffic.
Readings
- Wikipedia: Multicast
- Wikipedia: Multicast Address
- Wikipedia: Simple Service Discovery Protocol (SSDP)
- Wikipedia: Web Services Dynamic Discovery (WS-Discovery)
Preparation
To prepare for this activity:
- Start Windows.
- Log in if necessary.
- Install Wireshark.
Activity 1 - Capture IPv4 Multicast Traffic
To capture IPv4 multicast traffic:
- Start a Wireshark capture.
- In Windows, select Start and then type Network and Sharing Center in the Run box. Press Enter.
- Select Change advanced sharing settings.
- Note the current status of Network discovery. If it is already on, select Turn off network discovery and Save changes.
- Select Turn on network discovery and Save changes.
- Wait a few seconds for network discovery to generate multicast traffic.
- If Network discovery was initially off, select Turn off network discovery and Save changes to return the status to the original setting. If network discovery was initially on, leave it on.
- Stop the Wireshark capture.
Activity 2 - Analyze IPv4 Multicast Traffic
To analyze IPv4 multicast traffic:
- Observe the traffic captured in the top Wireshark packet list pane. To view only IPv4 multicast traffic, type ip.addr >= 224.0.0.0 (lower case) in the Filter box and press Enter.
- The traffic you are most likely to see is Simple Service Discovery Protocol (SSDP) traffic. You may also see Web Services Dynamic Discovery (WS-Discovery) traffic or other multicast traffic. Whatever you find, select the first frame.
- Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 frame.
- Expand Ethernet II to view the Ethernet details.
- Observe the Destination address. Notice that it starts with 01:00:5e, the Ethernet multicast address prefix used for IPv4 multicast.
- Expand Internet Protocol Version 4 to view IPv4 details.
- Observe the Destination address. Notice that it is in the 224.0.0.0 - 239.255.255.255 IPv4 multicast range. If it is SSDP or WS-Discovery traffic, it will be addressed to 239.255.255.250.
- Select additional frames and observe the Ethernet and IPv4 details for multicast traffic.
- Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.
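The two observations above, the `ip.addr >= 224.0.0.0` display filter from Activity 2 and the 01:00:5e Ethernet prefix seen on multicast frames, can be checked outside Wireshark. The following Python is an added example written for this page, not part of the original activity or of Wireshark itself. It maps an IPv4 multicast address to its Ethernet destination MAC (01:00:5e followed by the low-order 23 bits of the IPv4 address, per RFC 1112), tests membership in the 224.0.0.0/4 multicast block, and emulates the page's filter over a small constructed list of source/destination pairs (the addresses are invented for the example, not taken from a real capture). It also shows why the numeric `>=` comparison is looser than a range check: `ip.addr` matches either the source or the destination field, and any address above 224.0.0.0, including the limited broadcast address 255.255.255.255, satisfies it.

```python
import ipaddress

# Constructed (source, destination) IPv4 pairs resembling what a capture from
# Activity 1 might contain. These values are invented for the example.
SAMPLE_PACKETS = [
    ("192.168.1.10", "239.255.255.250"),   # SSDP / WS-Discovery destination
    ("192.168.1.10", "224.0.0.251"),       # mDNS destination
    ("192.168.1.10", "192.168.1.20"),      # ordinary unicast
    ("192.168.1.10", "255.255.255.255"),   # limited broadcast, not multicast
]

# 224.0.0.0 - 239.255.255.255 is the 224.0.0.0/4 block.
MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


def is_ipv4_multicast(addr):
    """True if addr falls in 224.0.0.0 - 239.255.255.255."""
    return ipaddress.ip_address(addr) in MULTICAST_RANGE


def multicast_mac(addr):
    """Map an IPv4 multicast address to its Ethernet destination MAC.

    RFC 1112 mapping: the MAC is 01:00:5e followed by the low-order 23 bits
    of the IPv4 address, so 239.255.255.250 becomes 01:00:5e:7f:ff:fa.
    """
    ip = ipaddress.ip_address(addr)
    if ip not in MULTICAST_RANGE:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF                 # keep only the low 23 bits
    mac_bytes = bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big")
    return ":".join(f"{b:02x}" for b in mac_bytes)


def filter_ip_addr_ge(packets, threshold="224.0.0.0"):
    """Emulate the display filter `ip.addr >= 224.0.0.0` from Activity 2.

    ip.addr matches either the source or the destination, and >= is a plain
    numeric comparison, so 240.0.0.0/4 and 255.255.255.255 also match.
    """
    t = int(ipaddress.ip_address(threshold))
    return [
        (src, dst) for src, dst in packets
        if int(ipaddress.ip_address(src)) >= t
        or int(ipaddress.ip_address(dst)) >= t
    ]


def filter_multicast_dst(packets):
    """Tighter equivalent of the display filter `ip.dst == 224.0.0.0/4`:
    keep only frames whose destination is inside the multicast block."""
    return [(src, dst) for src, dst in packets if is_ipv4_multicast(dst)]


if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        mac = multicast_mac(dst) if is_ipv4_multicast(dst) else "n/a"
        print(f"{src:>15} -> {dst:<15} multicast={is_ipv4_multicast(dst)} mac={mac}")
    print("ip.addr >= 224.0.0.0 matches:", len(filter_ip_addr_ge(SAMPLE_PACKETS)))
    print("ip.dst == 224.0.0.0/4 matches:", len(filter_multicast_dst(SAMPLE_PACKETS)))
```

In Wireshark, `ip.dst == 224.0.0.0/4` (CIDR notation is accepted for IPv4 address fields) reproduces `filter_multicast_dst`, which is the better choice when you want only multicast destinations and not broadcast or reserved-range addresses that happen to sort above 224.0.0.0.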