在本地网络上嗅探IGMP消息 [英] Sniffing IGMP messages on the local network

问题描述

我正试图在本地网络上嗅探所有IGMP消息（出于疯狂的原因不被讨论;-)）。
我有一些与此相关的问题，因为我不是IGMP /路由专家。

I'm trying to sniff all IGMP messages on the local network (for crazy reasons not to be discussed ;-)). I have some questions related to this, as I'm not really an IGMP/routing expert.

甚至可能吗？我知道我可以从原始套接字读取IGMP，我知道你可以使用Wireshark来监控到达本地计算机的IGMP消息，但令我困惑的是：

Is it even possible? I know I can read IGMP from a raw socket, and I know you can use Wireshark to monitor the IGMP messages that reach your local computer, but what puzzles me is this:

我在另一台计算机上使用一个程序（通过交换机与运行Wireshark的计算机分开），它将加入一个多播地址 - 但是，我并不总是在Wireshark中看到成员报告/ JOIN。现在有谁知道是否保证每个 IGMP加入都在整个本地网络上展开？有时我看到Wireshark中的连接，有时我没有。

I use a program on another computer (separated from the one running Wireshark by a switch) which will join a multicast address - BUT - it's not always that I even see the Membership report/JOIN in Wireshark. Now does anyone know if it's guaranteed that every IGMP join is spread out on the entire local network? Sometimes I see the join in Wireshark, sometimes I don't.

假设所有IGMP加入消息总是发送到网络上的每个站，不应该是可能的监视哪些站点是哪个组播组的成员做这样的事情（posix socket c ++ code）：

Assuming all IGMP join messages are always sent to every station on the network, shouldn't it be possible to monitor which stations are members of which multicast groups doing something like this (posix socket c++ code):

int rawSock = ::socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);

uint8_t buf[10*1024];
while(true)
{
    ssize_t rval = ::recv(rawSock, buf, sizeof(buf), 0);
    iphdr *iph = (iphdr*)buf;
    printf("Received %d bytes - protocol %d\n", rval, iph->protocol);
    /*do whatever needed to the IGMP message*/
} 

推荐答案

您的问题可能就是这样......每个IGMP数据包必须具有IP TTL = 1，这意味着IGMP永远不会越过路由边界（例如vlan） ）。

Your problem could be this... Every IGMP packet must have an IP TTL=1, that means that IGMP will never cross a routed boundary (such as a vlan).

来自 RFC 2236 - IGMP第2版：

   Like ICMP, IGMP is a integral part of IP.  It is required to be
   implemented by all hosts wishing to receive IP multicasts.  IGMP
   messages are encapsulated in IP datagrams, with an IP protocol number
   of 2.  All IGMP messages described in this document are sent with IP
   TTL 1, and contain the IP Router Alert option [RFC 2113] in their IP
   header.

这意味着你不能在任何地方看到IGMP;您应该检查以确保您的IGMP接收器位于与发件人相同的IP子网。您还可以检查您的机器是否正在接收带有 tshark 或 wireshark ...

This means you can't be anywhere and see IGMP; you should check to be sure that your IGMP receiver above is on the same IP subnet as the sender. You also might check to see whether your machine is receiving IGMP with tshark or wireshark...

这篇关于在本地网络上嗅探IGMP消息的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！