Generating Multicast Traffic

If you're a protocol junkie like me, you probably enjoy investigating a variety of network traffic types. I don't encounter multicast traffic too often, so the following caught my eye.

I'm using Iperf for some simple testing, and I notice it has a multicast option. Here's how I used it.

In the following scenario, I have two hosts (cel433 and cel600) on the same segment. This is important because the router(s) in this test network are not configured to support multicast.

I set up cel433 as an Iperf server listening on multicast address 224.0.55.55.

cel433:/root# iperf -s -u -B 224.0.55.55 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address 224.0.55.55
Joining multicast group 224.0.55.55
Receiving 1470 byte datagrams
UDP buffer size: 41.1 KByte (default)

Now I generate multicast traffic from cel600.

cel600:/root# iperf -c 224.0.55.55 -u -T 32 -t 3 -i 1
------------------------------------------------------------
Client connecting to 224.0.55.55, UDP port 5001
Sending 1470 byte datagrams
Setting multicast TTL to 32
UDP buffer size: 9.00 KByte (default)
------------------------------------------------------------
[ 3] local 10.1.10.3 port 51296 connected with 224.0.55.55 port 5001
[ 3] 0.0- 1.0 sec 129 KBytes 1.06 Mbits/sec
[ 3] 1.0- 2.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 2.0- 3.0 sec 128 KBytes 1.05 Mbits/sec
[ 3] 0.0- 3.0 sec 386 KBytes 1.05 Mbits/sec
[ 3] Sent 269 datagrams

Here is what cel433 sees:

------------------------------------------------------------
[ 3] local 224.0.55.55 port 5001 connected with 10.1.10.3 port 51296
[ 3] 0.0- 1.0 sec 128 KBytes 1.05 Mbits/sec 0.146 ms 0/ 89 (0%)
[ 3] 1.0- 2.0 sec 128 KBytes 1.05 Mbits/sec 0.100 ms 0/ 89 (0%)
[ 3] 2.0- 3.0 sec 128 KBytes 1.05 Mbits/sec 0.110 ms 0/ 89 (0%)
[ 3] 0.0- 3.0 sec 386 KBytes 1.05 Mbits/sec 0.098 ms 0/ 268 (0%)
[ 3] 0.0- 3.0 sec 1 datagrams received out-of-order

The traffic looks like this:

cel433:/root# tcpdump -n -i xl0 -s 1515 udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on xl0, link-type EN10MB (Ethernet), capture size 1515 bytes
15:29:53.669508 IP 10.1.10.3.51296 > 224.0.55.55.5001: UDP, length 1470
15:29:53.680789 IP 10.1.10.3.51296 > 224.0.55.55.5001: UDP, length 1470
15:29:53.691934 IP 10.1.10.3.51296 > 224.0.55.55.5001: UDP, length 1470
...truncated...

This is a simple way to generate multicast traffic and ensure a member of the multicast group actually receives it.

Update: I forgot to show the IGMP messages one would see when starting a multicast listener.

This is the interface listening for multicast:

cel433:/root# ifconfig xl0
xl0: flags=8843 mtu 1500
options=9
inet6 fe80::2c0:4fff:fe1c:102b%xl0 prefixlen 64 scopeid 0x6
inet 10.1.10.2 netmask 0xffffff00 broadcast 10.1.10.255
ether 00:c0:4f:1c:10:2b
media: Ethernet autoselect (100baseTX )
status: active

Here are IGMP report and leave messages.

cel433:/root# tcpdump -nevv -i xl0 -s 1515 igmp
tcpdump: listening on xl0, link-type EN10MB (Ethernet), capture size 1515 bytes
06:28:40.887868 00:c0:4f:1c:10:2b > 01:00:5e:00:37:37, ethertype IPv4 (0x0800),
length 46: (tos 0x0, ttl 1, id 59915, offset 0, flags [none], proto: IGMP (2),
length: 32, options
( RA (148) len 4 )) 10.1.10.2 > 224.0.55.55: igmp v2 report 224.0.55.55

06:28:42.196233 00:c0:4f:1c:10:2b > 01:00:5e:00:00:02, ethertype IPv4 (0x0800),
length 46: (tos 0x0, ttl 1, id 59920, offset 0, flags [none], proto: IGMP (2),
length: 32, options
( RA (148) len 4 )) 10.1.10.2 > 224.0.0.2: igmp leave 224.0.55.55

I used the -e option to show the MAC addresses. Notice the destination MAC for these multicast packets.

06:31:21.467919 00:b0:d0:14:b2:11 > 01:00:5e:00:37:37, ethertype IPv4 (0x0800),
length 1512: (tos 0x0, ttl 32, id 1652, offset 0, flags [none], proto: UDP (17),
length: 1498)
10.1.10.3.58479 > 224.0.55.55.5001: [udp sum ok] UDP, length 1470

The 01:00:5e:00:37:37 MAC address is a mapping derived from the 24-bit IANA multicast OUI 01:00:5e and the multicast IP address 224.0.55.55.

Comments

Anonymous said…
Richard:

IPerf was the name of the tool I was trying to remember at the Think Tank :) Glad to see you found it.

You may also want to check out a few other tools I've looked at, including netperf.

http://staff.science.uva.nl/~jblom/datatag/wp3_1/tools/test_tools.html




Eric Hines
Applied Watch Technologies
Anonymous said…
[ 3] 0.0- 3.0 sec 1 datagrams received out-of-order

Excuse me, do you have any idea why the server, when binding to listen on a special port, receives packets out of order?
Unknown said…
Hi Richard,

Thanks very much - I'll give it a try.

Just one small point about multicast MAC addresses,

The 01:00:5e:00:37:37 MAC address is a mapping derived from the 24-bit (MH: should say 25-bit of 01:00:5E:00:00:00) IANA multicast OUI 01:00:5e and the (MH: bottom 23 bits of) multicast IP address 224.0.55.55.

01:00:5E:00:00:00=
0000 0001:0000 0000:0101 1110:0000 0000:0000 0000:0000 0000

224.0.55.55=
1110 0000.0000 0000.0011 0111.0011 0111

Resultant m’cast MAC addr=
0000 0001:0000 0000:0101 1110:0000 0000.0011 0111.0011 0111
01:00:5E:00:37:37

Regards, MH
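
The mapping described in the post and worked through bit by bit in MH's comment, as an added example (not code from the original post, its commenters, or Iperf); the function names are assumptions of this example. It goes one step beyond the page by also listing the 32 group addresses that share a single MAC, because the 5 bits after the 1110 prefix are not carried in the frame.

```python
import ipaddress

# 01:00:5e followed by a zero bit: the fixed upper 25 bits of the MAC.
IANA_PREFIX = 0x01005E000000
LOW23_MASK = 0x7FFFFF


def multicast_mac(group):
    """Map an IPv4 multicast group address to its Ethernet destination MAC."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low23 = int(addr) & LOW23_MASK  # only the bottom 23 bits survive
    mac = IANA_PREFIX | low23
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


def groups_sharing_mac(mac):
    """Return every IPv4 group address that maps to the given multicast MAC."""
    value = int(mac.replace(":", ""), 16)
    if value >> 23 != IANA_PREFIX >> 23:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = value & LOW23_MASK
    # Bits 27..23 of the group address are dropped by the mapping,
    # so 2**5 = 32 groups collide on each MAC.
    return [
        str(ipaddress.IPv4Address((0b1110 << 28) | (lost << 23) | low23))
        for lost in range(32)
    ]


if __name__ == "__main__":
    # Addresses taken from the tcpdump output in the post.
    print(multicast_mac("224.0.55.55"))  # data and IGMP report destination
    print(multicast_mac("224.0.0.2"))    # IGMP leave destination
    for group in groups_sharing_mac("01:00:5e:00:37:37"):
        print(group)
```

When reading a capture taken with -e, the destination MAC alone does not identify the group; the IP destination has to be checked as well, since a NIC filter programmed for one group also accepts frames for the other 31.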
