Sniffing IGMP messages on the local network

Posted on 2024-12-11 23:46:31 · 745 words · 0 views · 0 comments

I'm trying to sniff all IGMP messages on the local network (for crazy reasons not to be discussed ;-)).
I have some questions related to this, as I'm not really an IGMP/routing expert.

Is it even possible? I know I can read IGMP from a raw socket, and I know you can use Wireshark to monitor the IGMP messages that reach your local computer, but what puzzles me is this:

I use a program on another computer (separated from the one running Wireshark by a switch) which will join a multicast address - BUT - it's not always that I even see the Membership report/JOIN in Wireshark. Now does anyone know if it's guaranteed that every IGMP join is spread out on the entire local network? Sometimes I see the join in Wireshark, sometimes I don't.

Assuming all IGMP join messages are always sent to every station on the network, shouldn't it be possible to monitor which stations are members of which multicast groups doing something like this (posix socket c++ code):

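#include <cstdint>
#include <cstdio>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <sys/socket.h>

int main()
{
    // Raw IGMP socket: requires root or CAP_NET_RAW on Linux
    int rawSock = ::socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
    if (rawSock < 0) { perror("socket"); return 1; }
    uint8_t buf[10*1024];
    while(true)
    {
        ssize_t rval = ::recv(rawSock, buf, sizeof(buf), 0);
        if (rval < (ssize_t)sizeof(iphdr)) break; // error or truncated datagram
        iphdr *iph = (iphdr*)buf;
        printf("Received %zd bytes - protocol %d\n", rval, iph->protocol);
        /*do whatever needed to the IGMP message*/
    }
}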

Comments (1)

月寒剑心 2024-12-18 23:46:31

Your problem could be this... Every IGMP packet must have an IP TTL=1, that means that IGMP will never cross a routed boundary (such as a vlan).

From RFC 2236 - IGMP Version 2:

   Like ICMP, IGMP is a integral part of IP.  It is required to be
   implemented by all hosts wishing to receive IP multicasts.  IGMP
   messages are encapsulated in IP datagrams, with an IP protocol number
   of 2.  All IGMP messages described in this document are sent with IP
   TTL 1, and contain the IP Router Alert option [RFC 2113] in their IP
   header.

This means you can't be anywhere and see IGMP; you should check to be sure that your IGMP receiver above is on the same IP subnet as the sender. You also might check to see whether your machine is receiving IGMP with tshark or wireshark...
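An added example (not from the question or the answer): parsing the buffer that the question's raw socket returns, to record which source reported which group and to check the TTL 1 and Router Alert properties from the RFC 2236 excerpt. It assumes 8-byte IGMPv2-style messages and a raw socket that delivers the IPv4 header first; `IgmpInfo`, `parseIgmp`, `rfc2236Conformant` and the sample bytes are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

struct IgmpInfo {                 // fields are meaningful only when ok is true
    bool ok, routerAlert;
    uint8_t type, ttl;            // type: 0x11 query, 0x16 v2 report, 0x17 leave
    uint32_t src, group;          // host byte order
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// buf/len: one datagram as recv() returns it on the raw socket (starts at the IPv4 header).
IgmpInfo parseIgmp(const uint8_t *buf, size_t len) {
    IgmpInfo r{};
    if (len < 20 || (buf[0] >> 4) != 4) return r;
    size_t ihl = size_t(buf[0] & 0x0f) * 4;                 // header length incl. options
    if (ihl < 20 || len < ihl + 8 || buf[9] != 2) return r; // protocol 2 = IGMP
    for (size_t i = 20; i < ihl;) {                         // walk the IP options
        uint8_t opt = buf[i];
        if (opt == 0) break;                                // end of option list
        if (opt == 1) { ++i; continue; }                    // no-op padding
        if (i + 1 >= ihl || buf[i + 1] < 2 || i + buf[i + 1] > ihl) return r; // malformed
        if (opt == 0x94 && buf[i + 1] == 4) r.routerAlert = true; // Router Alert, RFC 2113
        i += buf[i + 1];
    }
    r.ttl = buf[8];
    r.src = be32(buf + 12);
    r.type = buf[ihl];              // IGMP header starts after the IP options
    r.group = be32(buf + ihl + 4);
    r.ok = true;
    return r;
}

// RFC 2236 senders use TTL 1 plus Router Alert; a monitor can flag anything else.
bool rfc2236Conformant(const IgmpInfo &m) { return m.ok && m.ttl == 1 && m.routerAlert; }

// Constructed sample: IGMPv2 report for 239.1.2.3 from 192.168.1.10 (IP checksum zeroed).
static const uint8_t kSample[] = {
    0x46, 0xc0, 0x00, 0x20, 0x00, 0x00, 0x40, 0x00, 0x01, 0x02, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x0a, 0xef, 0x01, 0x02, 0x03, 0x94, 0x04, 0x00, 0x00,
    0x16, 0x00, 0xf8, 0xfa, 0xef, 0x01, 0x02, 0x03};

int main() {
    IgmpInfo m = parseIgmp(kSample, sizeof kSample);
    std::printf("type=0x%02x ttl=%u routerAlert=%d group=0x%08x\n", unsigned(m.type), unsigned(m.ttl), int(m.routerAlert), unsigned(m.group));
}
```

Reading the IGMP type at offset `ihl` rather than at a fixed 20 bytes matters here, because the Router Alert option makes the IP header 24 bytes long.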
