What does "ICMP to 224.0.0.2" mean?

Discussion in 'Computer Security' started by Mozzy, Oct 27, 2004.

  1. Mozzy

    Mozzy Guest

    Soon after booting my system and then re-connecting the cable modem
    lead to the PC (as it had unplugged itself) I got this message from
    my Sygate firewall

    "Windows Explorer (explorer.exe) is trying to broadcast an ICMP Type
    10 (Router Solicitation) packet to [224.0.0.2]. Do you want to
    allow this program to access the network?"

    The IP address does not seem to resolve to ayone in particular. I
    get some sort of info about "multicast".

    I am a single home PC attached to the Net. Should I allow this sort
    of thing through?
     
    Mozzy, Oct 27, 2004
    #1
    1. Advertising

  2. Mozzy

    BRG Guest

    Mozzy <> wrote in
    news:958FE34FC12F351A7E@62.253.162.201:

    > Soon after booting my system and then re-connecting the cable
    > modem lead to the PC (as it had unplugged itself) I got this
    > message from my Sygate firewall
    >
    > "Windows Explorer (explorer.exe) is trying to broadcast an ICMP
    > Type 10 (Router Solicitation) packet to [224.0.0.2]. Do you
    > want to allow this program to access the network?"
    >
    > The IP address does not seem to resolve to ayone in particular.
    > I get some sort of info about "multicast".
    >
    > I am a single home PC attached to the Net. Should I allow this
    > sort of thing through?
    >


    I can't answer your question, but it is a great example of why
    software firewalls are pretty damned useless.

    User doesn't know the right answer and guesses. Its then 50:50 as
    whether the user has just ignored a Trojan or inadvertently
    disabled a valid software function.
     
    BRG, Oct 27, 2004
    #2
    1. Advertising


  3. >
    > "Windows Explorer (explorer.exe) is trying to broadcast an ICMP Type
    > 10 (Router Solicitation) packet to [224.0.0.2]. Do you want to
    > allow this program to access the network?"


    I'm not the one (sorry) to fully answer and provide a solution, but...

    ICMP is the family name for 'ping,' a way of checking that a connection is
    alive. You can see that Google's server is alive by opening up a command
    prompt and typing (no quotes) "ping google.com"
    You should get 3 responses, showing how long they took etc.

    Router Solicitation basically means that windows is looking for a router; I
    assume this is just one way of finding an Internet connection. I'm not a
    Windows techie so can't fill you in on the details.

    224.0.0.2 will be an IP address, it might be a subnet, hopefully someone
    else can clear that up.

    The picture it gives is that windows is looking for a means of connecting to
    the internet, and is probably harmless. As another reply says, software
    firewalls complain all the time and I've found (through installing such
    firewalls for non-techie friends) that it makes people panic over many
    things which just aren't important at all.
     
    George Hewitt, Oct 27, 2004
    #3
  4. It's a IP Multicast address.

    http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/ipmulti.htm

    224.0.0.2 is used for "All routers on this subnet"

    Dave



    "Mozzy" <> wrote in message news:958FE34FC12F351A7E@62.253.162.201...
    | Soon after booting my system and then re-connecting the cable modem
    | lead to the PC (as it had unplugged itself) I got this message from
    | my Sygate firewall
    |
    | "Windows Explorer (explorer.exe) is trying to broadcast an ICMP Type
    | 10 (Router Solicitation) packet to [224.0.0.2]. Do you want to
    | allow this program to access the network?"
    |
    | The IP address does not seem to resolve to ayone in particular. I
    | get some sort of info about "multicast".
    |
    | I am a single home PC attached to the Net. Should I allow this sort
    | of thing through?
     
    David H. Lipman, Oct 27, 2004
    #4
  5. Mozzy

    mike Guest

    windows explorer is looking for a router to connect to the internet.
    normally caused by using the favourites pulldown whilst in explorer.

    see here:

    http://www.talkroot.com/archive/topic/1364-1.html

    try a search engine first, it's normally got the answer.

    mike

    "Mozzy" <> wrote in message
    news:958FE34FC12F351A7E@62.253.162.201...
    > Soon after booting my system and then re-connecting the cable modem
    > lead to the PC (as it had unplugged itself) I got this message from
    > my Sygate firewall
    >
    > "Windows Explorer (explorer.exe) is trying to broadcast an ICMP Type
    > 10 (Router Solicitation) packet to [224.0.0.2]. Do you want to
    > allow this program to access the network?"
    >
    > The IP address does not seem to resolve to ayone in particular. I
    > get some sort of info about "multicast".
    >
    > I am a single home PC attached to the Net. Should I allow this sort
    > of thing through?



    ---
    Outgoing mail is certified Virus Free.
    Checked by AVG anti-virus system (http://www.grisoft.com).
    Version: 6.0.783 / Virus Database: 529 - Release Date: 25/10/2004
     
    mike, Oct 27, 2004
    #5
  6. Please don't post sites that want to install Spyware !

    If you must reference a site, PLEASE reference an authorative site not a scum site.

    Dave




    "mike" <> wrote in message news:tPUfd.317$...
    | windows explorer is looking for a router to connect to the internet.
    | normally caused by using the favourites pulldown whilst in explorer.
    |
    | see here:
    |
    | http://www.talkroot.com/archive/topic/1364-1.html
    |
    | try a search engine first, it's normally got the answer.
    |
    | mike
    |
    | "Mozzy" <> wrote in message
    | news:958FE34FC12F351A7E@62.253.162.201...
    | > Soon after booting my system and then re-connecting the cable modem
    | > lead to the PC (as it had unplugged itself) I got this message from
    | > my Sygate firewall
    | >
    | > "Windows Explorer (explorer.exe) is trying to broadcast an ICMP Type
    | > 10 (Router Solicitation) packet to [224.0.0.2]. Do you want to
    | > allow this program to access the network?"
    | >
    | > The IP address does not seem to resolve to ayone in particular. I
    | > get some sort of info about "multicast".
    | >
    | > I am a single home PC attached to the Net. Should I allow this sort
    | > of thing through?
    |
    |
    | ---
    | Outgoing mail is certified Virus Free.
    | Checked by AVG anti-virus system (http://www.grisoft.com).
    | Version: 6.0.783 / Virus Database: 529 - Release Date: 25/10/2004
    |
    |
     
    David H. Lipman, Oct 27, 2004
    #6
  7. Mozzy

    Nick H Guest

    Mozzy wrote:
    > Soon after booting my system and then re-connecting the cable modem
    > lead to the PC (as it had unplugged itself) I got this message from
    > my Sygate firewall
    >
    > "Windows Explorer (explorer.exe) is trying to broadcast an ICMP Type
    > 10 (Router Solicitation) packet to [224.0.0.2]. Do you want to
    > allow this program to access the network?"
    >
    > The IP address does not seem to resolve to ayone in particular. I
    > get some sort of info about "multicast".
    >
    > I am a single home PC attached to the Net. Should I allow this sort
    > of thing through?

    Do you by any chance have Novell Netware installed on your PC?
     
    Nick H, Oct 28, 2004
    #7
  8. mike wrote:
    > windows explorer is looking for a router to connect to the internet.
    > normally caused by using the favourites pulldown whilst in explorer.
    >
    > see here:
    >
    > http://www.talkroot.com/archive/topic/1364-1.html
    >
    > try a search engine first, it's normally got the answer.
    >
    > mike


    Idiot. That site tries to install an active x control and won't work
    without it.

    People that use sites like the one above are the same people that make
    firewalls so neccessary! (IE: they are clueless!)
     
    T. Sean Weintz, Oct 28, 2004
    #8
  9. Nick H wrote:
    > Mozzy wrote:


    > Do you by any chance have Novell Netware installed on your PC?


    If he was running netware on his PC, he wouldn't likely be running
    intenet explorer and the sygate firewall, now would he? Those are
    windows apps. Netware is it's own OS, and you can't run windows apps on it.

    I think you might have meant to ask if he was running the Novell
    supplied (as opposed to the microsoft supplied) Netware Client?
     
    T. Sean Weintz, Oct 28, 2004
    #9
  10. Mozzy

    stephen Guest

    "Mozzy" <> wrote in message
    news:958FE34FC12F351A7E@62.253.162.201...
    > Soon after booting my system and then re-connecting the cable modem
    > lead to the PC (as it had unplugged itself) I got this message from
    > my Sygate firewall
    >
    > "Windows Explorer (explorer.exe) is trying to broadcast an ICMP Type
    > 10 (Router Solicitation) packet to [224.0.0.2]. Do you want to
    > allow this program to access the network?"


    icmp is the family of IP protocols that do network maintenance.

    The destination address is a local IP multicast - it should never be
    forwarded by a router.

    cant remeber which one it is but it is either "all routers" or "all hosts"
    destination - these are used for setup and group handling.

    the PC is either looking for a service or trying to register a multicast
    address with a local multicast fowarder.

    ICMP router solicitation is the PC trying to find a local default gateway -
    maybe you havent configured that on your LAN NIC card?

    either way it doesnt seem like something a firewall should worry about if
    you are set up to "trust" your local LAN.
    >
    > The IP address does not seem to resolve to ayone in particular. I
    > get some sort of info about "multicast".
    >
    > I am a single home PC attached to the Net. Should I allow this sort
    > of thing through?

    --
    Regards

    Stephen Hope - return address needs fewer xxs
     
    stephen, Nov 2, 2004
    #10
  11. Mozzy

    Zarbol Tsar Guest

    > Mozzy wrote:
    >> Soon after booting my system and then re-connecting the cable
    >> modem lead to the PC (as it had unplugged itself) I got this
    >> message from my Sygate firewall
    >>
    >> "Windows Explorer (explorer.exe) is trying to broadcast an ICMP
    >> Type 10 (Router Solicitation) packet to [224.0.0.2]. Do you
    >> want to allow this program to access the network?"
    >>
    >> The IP address does not seem to resolve to ayone in particular.
    >> I get some sort of info about "multicast".
    >>
    >> I am a single home PC attached to the Net. Should I allow this
    >> sort of thing through?


    On 28 Oct 2004, Nick H wrote:
    >
    > Do you by any chance have Novell Netware installed on your PC?



    No, I don't have Novell or any networking software (as far as I
    know!)
     
    Zarbol Tsar, Nov 19, 2004
    #11
  12. Mozzy

    Zarbol Tsar Guest

    On 02 Nov 2004, stephen wrote:

    > "Mozzy" <> wrote in message
    > news:958FE34FC12F351A7E@62.253.162.201...
    >> Soon after booting my system and then re-connecting the cable
    >> modem lead to the PC (as it had unplugged itself) I got this
    >> message from my Sygate firewall
    >>
    >> "Windows Explorer (explorer.exe) is trying to broadcast an ICMP
    >> Type 10 (Router Solicitation) packet to [224.0.0.2]. Do you
    >> want to allow this program to access the network?"

    >
    > icmp is the family of IP protocols that do network maintenance.
    >
    > The destination address is a local IP multicast - it should
    > never be forwarded by a router.
    >
    > cant remeber which one it is but it is either "all routers" or
    > "all hosts" destination - these are used for setup and group
    > handling.
    >
    > the PC is either looking for a service or trying to register a
    > multicast address with a local multicast fowarder.
    >
    > ICMP router solicitation is the PC trying to find a local
    > default gateway - maybe you havent configured that on your LAN
    > NIC card?
    >
    > either way it doesnt seem like something a firewall should worry
    > about if you are set up to "trust" your local LAN.



    Stephen, I may have misunderstood you but I don't have a local LAN or
    any LAN at all. My PC is standalone. The only connection it has is
    via Ethernet to my cable modem.


    >>
    >> The IP address does not seem to resolve to ayone in particular.
    >> I get some sort of info about "multicast".
    >>
    >> I am a single home PC attached to the Net. Should I allow this
    >> sort of thing through?
     
    Zarbol Tsar, Nov 19, 2004
    #12
  13. Mozzy

    Don Kelloway Guest

    "Zarbol Tsar" <> wrote in message
    news:95A63ED2D38A51D7E@194.168.222.124...
    > On 02 Nov 2004, stephen wrote:
    >
    > Stephen, I may have misunderstood you but I don't have a local LAN or
    > any LAN at all. My PC is standalone. The only connection it has is
    > via Ethernet to my cable modem.
    >


    What you are seeing is called multicasting. It's nothing to worry about.
    Think of it as your PC attempting to identify the routers along the
    connection to the Internet.

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your Security
    on the Internet".
     
    Don Kelloway, Nov 19, 2004
    #13
  14. Mozzy

    stephen Guest

    "Zarbol Tsar" <> wrote in message
    news:95A63ED2D38A51D7E@194.168.222.124...
    > On 02 Nov 2004, stephen wrote:
    >
    > > "Mozzy" <> wrote in message
    > > news:958FE34FC12F351A7E@62.253.162.201...
    > >> Soon after booting my system and then re-connecting the cable
    > >> modem lead to the PC (as it had unplugged itself) I got this
    > >> message from my Sygate firewall
    > >>
    > >> "Windows Explorer (explorer.exe) is trying to broadcast an ICMP
    > >> Type 10 (Router Solicitation) packet to [224.0.0.2]. Do you
    > >> want to allow this program to access the network?"

    > >
    > > icmp is the family of IP protocols that do network maintenance.
    > >
    > > The destination address is a local IP multicast - it should
    > > never be forwarded by a router.
    > >
    > > cant remeber which one it is but it is either "all routers" or
    > > "all hosts" destination - these are used for setup and group
    > > handling.
    > >
    > > the PC is either looking for a service or trying to register a
    > > multicast address with a local multicast fowarder.
    > >
    > > ICMP router solicitation is the PC trying to find a local
    > > default gateway - maybe you havent configured that on your LAN
    > > NIC card?
    > >
    > > either way it doesnt seem like something a firewall should worry
    > > about if you are set up to "trust" your local LAN.

    >
    >
    > Stephen, I may have misunderstood you but I don't have a local LAN or
    > any LAN at all. My PC is standalone. The only connection it has is
    > via Ethernet to my cable modem.


    but - that is a "LAN" as far as the PC can tell - you only have 1 PC and
    your cable modem attached.

    >
    > >>
    > >> The IP address does not seem to resolve to ayone in particular.
    > >> I get some sort of info about "multicast".
    > >>
    > >> I am a single home PC attached to the Net. Should I allow this
    > >> sort of thing through?


    IP multicast should not cross a router unless the router is set up to handle
    it, and normal internet feeds dont support IP multicast, so the default
    sohuld be to ignore it.

    Also, when multicast was introduced, there were some precautions taken in
    the standards to limit the effect on existing equipment.

    The packet should have the TTL set to 1 (i.e. it is only intended to exist
    on the local subnet), so it should not propagate across a router, even if
    the router doesnt understand how to handle IP multicast correctly.
    --
    Regards

    Stephen Hope - return address needs fewer xxs
     
    stephen, Nov 19, 2004
    #14
  15. On Fri, 19 Nov 2004 00:23:39 GMT, Zarbol Tsar <> wrote:

    >Stephen, I may have misunderstood you but I don't have a local LAN or
    >any LAN at all. My PC is standalone. The only connection it has is
    >via Ethernet to my cable modem.


    Your cable modem is effectively a 1-port router.

    You might find a google for your exact subject line would be useful
    too. This is from CISCO's website:

    Reserved Link Local Addresses

    The IANA has reserved addresses in the 224.0.0.0 through 224.0.0.255
    to be used by network protocols on a local network segment. Packets
    with these addresses should never be forwarded by a router; they
    remain local on a particular LAN segment. They are always transmitted
    with a time-to-live (TTL) of 1.

    Network protocols use these addresses for automatic router discovery
    and to communicate important routing information. For example, OSPF
    uses 224.0.0.5 and 224.0.0.6 to exchange link state information. Table
    43-1 lists some of the well-known addresses.

    Table 43-1: Link Local Addresses
    Address Usage

    224.0.0.1 All systems on this subnet
    224.0.0.2 All routers on this subnet

    In other words, this is benign local traffic and if your firewall is
    blocking it, then its misconfigured or misdesigned.
     
    Mark McIntyre, Nov 19, 2004
    #15
  16. Mozzy

    Andy Searle Guest

    "Mark McIntyre" <> wrote in message
    news:...
    > On Fri, 19 Nov 2004 00:23:39 GMT, Zarbol Tsar <> wrote:
    >
    > >Stephen, I may have misunderstood you but I don't have a local LAN or
    > >any LAN at all. My PC is standalone. The only connection it has is
    > >via Ethernet to my cable modem.

    >
    > Your cable modem is effectively a 1-port router.
    >
    > You might find a google for your exact subject line would be useful
    > too. This is from CISCO's website:
    >
    > Reserved Link Local Addresses
    >
    > The IANA has reserved addresses in the 224.0.0.0 through 224.0.0.255
    > to be used by network protocols on a local network segment. Packets
    > with these addresses should never be forwarded by a router; they
    > remain local on a particular LAN segment. They are always transmitted
    > with a time-to-live (TTL) of 1.
    >
    > Network protocols use these addresses for automatic router discovery
    > and to communicate important routing information. For example, OSPF
    > uses 224.0.0.5 and 224.0.0.6 to exchange link state information. Table
    > 43-1 lists some of the well-known addresses.
    >
    > Table 43-1: Link Local Addresses
    > Address Usage
    >
    > 224.0.0.1 All systems on this subnet
    > 224.0.0.2 All routers on this subnet
    >
    > In other words, this is benign local traffic and if your firewall is
    > blocking it, then its misconfigured or misdesigned.


    It could be the "Universal Plug & Play" feature running under XP announcing
    its presence to multicast routers on the local network. UP&P can be disabled
    as nothing uses it yet - basically it will be a network plug and play
    protocol one day - maybe! Info here on how to disable it
    http://grc.com/UnPnP/UnPnP.htm
     
    Andy Searle, Nov 20, 2004
    #16
  17. No uPnP uses -- 239.255.255.250

    Dave




    "Andy Searle" <> wrote in message
    news:ipxnd.734$...
    |
    | It could be the "Universal Plug & Play" feature running under XP announcing
    | its presence to multicast routers on the local network. UP&P can be disabled
    | as nothing uses it yet - basically it will be a network plug and play
    | protocol one day - maybe! Info here on how to disable it
    | http://grc.com/UnPnP/UnPnP.htm
    |
    |
     
    David H. Lipman, Nov 20, 2004
    #17
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    2
    Views:
    1,309
  2. Kelvin @ SG
    Replies:
    4
    Views:
    635
    *Vanguard*
    Feb 6, 2004
  3. johns
    Replies:
    2
    Views:
    568
    johns
    Feb 6, 2004
  4. Mozzy

    Re: What does "ICMP to 224.0.0.2" mean?

    Mozzy, Dec 10, 2004, in forum: Computer Security
    Replies:
    6
    Views:
    7,048
    Mozzy
    Dec 13, 2004
  5. John Ritchie

    What does "driver does not support your hardware" mean?

    John Ritchie, Aug 2, 2007, in forum: Computer Information
    Replies:
    2
    Views:
    742
    John Ritchie
    Aug 4, 2007
Loading...

Share This Page