
wg-multicast - A multicast-enabled cash register

Subject: All things related to multicast

  • From: Bill Owens <>
  • To:
  • Subject: A multicast-enabled cash register
  • Date: Thu, 12 Mar 2015 09:00:15 -0400

Or, properly a 'till' since it's in the UK.

This morning I was trying to troubleshoot some odd log messages on one of our
Juniper EX9208 routers (which I still haven't figured out) and decided that I
would try tcpdump on the router, since Junipers can do that. After applying a
few filters to clear up traffic that I knew was legit, I started to see a lot
of this:

12:37:47.044973 In IP elvyn-bar-till-1.lut.ac.uk.19264 > 224.1.1.1.8051: PGM
0x000000000000 SPM seq 55283 trail 4965 lead 4964 nla 131.231.22.78 [0]
12:38:04.382642 In IP elvynbar-2.epo.lut.ac.uk.12586 > 224.1.1.1.8051: PGM
0x000000000000 SPM seq 15619 trail 2809 lead 2808 nla 131.231.22.92 [0]

I didn't expect to see *any* multicast traffic to the router, so first I
wanted to see what was actually using that group, and why. A check of MSDP
SAs showed three sources, all at Loughborough University in the UK:

224.1.1.1 131.231.22.78 199.109.0.73 212.219.212.232 Accept
224.1.1.1 131.231.22.92 199.109.0.73 212.219.212.232 Accept
224.1.1.1 131.231.179.207 199.109.0.73 194.82.152.254 Accept

I decided to run wireshark against the traffic, so I joined the group from my
Mac and started capturing. Most of the packets are pragmatic general
multicast and they all have the router alert option set, which I think is why
I'm seeing them come to the CPU:

Options: (4 bytes), Router Alert
Router Alert (4 bytes): Router shall examine packet (0)
Type: 148
1... .... = Copy on fragmentation: Yes
.00. .... = Class: Control (0)
...1 0100 = Number: Router Alert (20)
Length: 4
Router Alert: Router shall examine packet (0)

Most of them appear to be heartbeat packets, though I admit that I haven't
tried to really understand PGM; however, one has data and it's quite
interesting:

<?xml version="1.0" encoding="utf-16"?>
<OperatorData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<OwnerId>
231891
</OwnerId>
<OwnerName>
Jack Lakin
</OwnerName>
<IsLeftHanded>
false
</IsLeftHanded>
<ListShowOperatorId>
true
</ListShowOperatorId>
<ListShowTransactionName>
true
</ListShowTransactionName>
<ListShowCovers>
false
</ListShowCovers>
<ListShowSubtotal>
true
</ListShowSubtotal>
<ListShowDrawerEvents>
false
</ListShowDrawerEvents>
<ListShowTime>
true
</ListShowTime>
<TransactionIdHistory>
<unsignedLong>
145236
</unsignedLong>
</TransactionIdHistory>
... and so on.

I was very confused about what this all meant until I looked up the PTR for
the source:

78.22.231.131.in-addr.arpa. 86400 IN PTR elvyn-bar-till-1.lut.ac.uk.

Yes, there is a bar at Loughborough called the Elvyn, and it presumably has a
till. Which, for some reason, is using multicast, with a global (and
reserved) group address. And setting an apparently unnecessary flag that
makes the packets go to every router, everywhere.

I think it's extremely unlikely that I would ever be able to find Jack Lakin
or a networking person at lut.ac.uk who would be interested in reconfiguring
their cash register, so I'll be filtering that myself...

Bill.
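
The Router Alert decode quoted in the message above (type 148 = copy 1, class 0, number 20), as an added example that is not part of the original post: a Python parser that walks the IPv4 options and flags multicast packets carrying Router Alert, the combination the post suspects of sending this traffic to the router CPU. The function names and the constructed sample header (built from the source, group and option bytes shown in the post, with TTL and checksum made up) are assumptions.

```python
import ipaddress
import struct

ROUTER_ALERT = 20   # option number; with copy=1, class=0 the type byte is 148
PGM = 113           # IP protocol number for Pragmatic General Multicast


def decode_option_type(t):
    """Split an IPv4 option type byte into (copy, class, number)."""
    return (t >> 7) & 1, (t >> 5) & 3, t & 0x1F


def ipv4_options(header):
    """Yield (type, data) for each option in a raw IPv4 header."""
    ihl = (header[0] & 0x0F) * 4
    if header[0] >> 4 != 4 or ihl < 20 or len(header) < ihl:
        raise ValueError("not a complete IPv4 header")
    i = 20
    while i < ihl:
        t = header[i]
        if t == 0:                      # End of Option List
            return
        if t == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        yield t, header[i + 2:i + length]
        i += length


def router_alert_multicast(header):
    """True if the packet goes to a multicast group and carries Router Alert."""
    dst = ipaddress.IPv4Address(header[16:20])
    has_ra = any(decode_option_type(t)[2] == ROUTER_ALERT
                 for t, _ in ipv4_options(header))
    return dst.is_multicast and has_ra


def build_header(src, dst, proto, options=b""):
    """Build a constructed sample IPv4 header (TTL 1, checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 1,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options

# Constructed sample: source, group and option bytes as shown in the post.
SAMPLE = build_header("131.231.22.78", "224.1.1.1", PGM, bytes([148, 4, 0, 0]))
```

Matching on the option number rather than the literal type byte 148 also catches a Router Alert option sent with a different copy or class bit.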


