all-systems.mcast.net flood / DIR-655

Discussion in 'Network Routers' started by Alan Browne, Oct 3, 2012.

  1. Alan Browne

    Alan Browne Guest

    From time to time, I notice a constant flow into my computer at about
    1.1 to 1.5 kB/s. Shut off apps 1 by 1 - no change.

    I disconnected the WAN (ethernet) and it keeps going.

    I ran Wireshark and I see a constant message:

    Source: my router (192.168.0.1)

    Destination: all-systems.mcast.net IGMP V2 Membership Query,
    general (60 bytes long).

    Then occasionally I'll see my computer, or another on the net reply to it.

    It doesn't bother me that it's going out, but it's going out about 20
    times per second and last 20 minutes or so.

    It's silly (!).

    Multicast (DIR-655 WiFi router) is on.

    I don't recall seeing this before - but I did update to the latest
    router F/W about 2 weeks ago. (I noticed this behavior a few days ago).

    Other than that:

    - is this normal?
    - can it be tamed? (I don't see why it needs to hose at 20 Hz for 20
    minutes).

    (I poked around various forums and one poster says a "factory reset"
    cured it. I'll go that way if nothing else pops up.)

    Thanks!
     
    Alan Browne, Oct 3, 2012
    #1

  2. Alan Browne

    VanguardLH Guest

    A firmware update most likely incurs a reset of the router. Your custom
    settings were lost.

    Have you tried disabling/blocking/filtering out multicasting in your
    router? http://en.wikipedia.org/wiki/Multicast. You really need that
    in your network?

    Also try disabling (blocking) UPnP broadcasting in the router.

    Since IGMP is involved, do you have a host that is trying to ping all
    other hosts? You sure there isn't one? Maybe your kids are probing
    around your network.
     
    VanguardLH, Oct 3, 2012
    #2

  3. Alan Browne

    Alan Browne Guest

    I recovered them from a saved config file after re-booting.
    Yes. Some Bonjour services need it unfortunately. (Mac OS X).
    I'll try that. (was on).
    No. I turned off other computers and programs on my computer. It's out
    of the router (source is the router IP).

    It repeats for very close to 20 minutes at about 20 times a second. That's
    about 24000 tries (!). The computers on the network do reply to it
    (every once in a while) so it should shut off. There are only 10 client
    IP addresses on the network - most unassigned at any time and the router
    should know that.

    Hasn't happened since then (that I've noticed). If it does it in the
    middle of the night or while I'm out during the day I wouldn't see it.

    I suppose I could leave Wireshark up and running and filtering on just
    IGMP packets...
     
    Alan Browne, Oct 3, 2012
    #3
  4. Alan Browne

    Alan Browne Guest

    It appears that the ~20 minute deluge only appears sometime after a
    re-boot and only once. Presently it's outputting a query once every
    minutes and 5 seconds. Reasonable.

    I'll try a re-boot later this week to confirm. If it's just a question
    of waiting for the deluge to pass once and then it ends, and even if it
    occurs from time to time, then it's nothing other than an irritation.
     
    Alan Browne, Oct 4, 2012
    #4
  5. Alan Browne

    Char Jackson Guest

    Is it an irritation because you know it's happening, or because it's
    disruptive in some way?
     
    Char Jackson, Oct 4, 2012
    #5
  6. Alan Browne

    Alan Browne Guest

    Maybe too strong a word.

    It's an irritation when I see the b/w meter at a constant D/L for no
    valid reason. At first I thought it may be some probing from the
    outside and I was relieved it wasn't.

    Once I figured it out, the security side of it became a non-issue /
    irritation.

    Once I observed that it died after 20 minutes, it became more of a
    curiosity.

    So, if I confirm that it only occurs after a re-boot, once, then I'll
    happily downgrade it from irritation to tolerable curiosity - I don't
    reboot the router often. Even if it were to occur once every few days
    it would be tolerable since it's within the LAN (Gb).
     
    Alan Browne, Oct 5, 2012
    #6
  7. Alan Browne

    Char Jackson Guest

    Sounds good, thanks.
     
    Char Jackson, Oct 5, 2012
    #7
  8. Alan Browne

    Alan Browne Guest

    UPDATE 2.

    I rebooted the router yesterday evening and a few seconds after starting
    it began the 21 minute, 13 seconds long IGMP deluge at ~20 messages/second.

    After that it fell into the pattern of 1 IGMP every 2 minutes and 5 seconds.

    I surmise there is a bug but it's not that bad, it settles down and as
    far as I can tell does not repeat again. I'll keep my eye out for it
    though.
     
    Alan Browne, Oct 5, 2012
    #8
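Added example, not part of any post in this thread: one way to measure the behaviour described above from a capture is to parse each IPv4 packet, keep only well-formed IGMPv2 general queries, and report sources whose peak query rate is far above the steady state (one query every 2 minutes 5 seconds, which matches the 125-second default Query Interval in RFC 2236). The function names, the 1-second window, the threshold of 5 and the sample packets are assumptions constructed for illustration.

```python
import struct

IGMP_PROTO = 2            # IPv4 protocol number for IGMP
MEMBERSHIP_QUERY = 0x11   # IGMP message type: Membership Query

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (even-length input)."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_general_query(pkt: bytes):
    """Return the source IP if pkt is a valid IGMPv2 general query, else None."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != IGMP_PROTO:
        return None
    ihl = (pkt[0] & 0x0F) * 4                  # header may carry Router Alert
    total_len = struct.unpack("!H", pkt[2:4])[0]
    igmp = pkt[ihl:total_len]                  # drops Ethernet padding
    if ihl < 20 or len(igmp) != 8 or inet_checksum(igmp) != 0:
        return None                            # v2 messages are exactly 8 bytes
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", igmp)
    ok = msg_type == MEMBERSHIP_QUERY and max_resp != 0 and group == bytes(4)
    return ".".join(map(str, pkt[12:16])) if ok else None

def flood_sources(capture, window=1.0, threshold=5):
    """Map source IP -> peak queries per `window` s, where peak > threshold."""
    times = {}
    for ts, pkt in sorted(capture, key=lambda c: c[0]):
        src = parse_general_query(pkt)
        if src:
            times.setdefault(src, []).append(ts)
    flagged = {}
    for src, stamps in times.items():
        lo = peak = 0
        for hi, t in enumerate(stamps):        # sliding window over timestamps
            while t - stamps[lo] >= window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged

def build_query(src="192.168.0.1", max_resp=100):
    """Constructed sample packet: IPv4 + IGMPv2 general query, padded."""
    body = struct.pack("!BBH4s", MEMBERSHIP_QUERY, max_resp, 0, bytes(4))
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 28, 0, 0, 1, IGMP_PROTO, 0,
                     bytes(map(int, src.split("."))), bytes([224, 0, 0, 1]))
    return ip + body + bytes(18)               # 14 + 20 + 8 + 18 = 60-byte frame
```

`capture` is any iterable of `(timestamp_seconds, ipv4_packet_bytes)` pairs; the IP header checksum is not verified here, only the IGMP one.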
  9. Alan Browne

    VanguardLH Guest

    Even with UPnP disabled in the *router*? According to:

    http://upnp.org/download/UPnP_Vendor_Implementation_Guide_Jan2001.htm
    http://www.networksorcery.com/enp/protocol/igmp.htm
    http://www.dell.com/downloads/global/products/pwcnt/en/app_note_18.pdf

    UPnP uses the IGMP Join Message via multicasting to discover other UPnP
    enabled devices on the network (your other hosts, other routers, APs,
    whatever).
     
    VanguardLH, Oct 6, 2012
    #9
  10. Alan Browne

    Alan Browne Guest

    I still haven't tried disabling the UPnP, though I said I would. I may
    get around to it ... I believe one of my printers (ethernet) needs it,
    but I'll check.
     
    Alan Browne, Oct 6, 2012
    #10
  11. Alan Browne

    Alan Browne Guest

    I disabled UPnP and the same IGMP flood for 20 minutes or so occurred
    after the re-boot.
     
    Alan Browne, Oct 6, 2012
    #11
  12. Alan Browne

    VanguardLH Guest

    I came across the following and wonder, since you're using Wireshark, if
    it isn't using Wireshark that is producing the IGMP multicast flood:

    http://ask.wireshark.org/questions/7629/what-are-the-igmp-messages-doing-in-my-network

    I suppose that after a while of not getting any responses that the probe
    decides no one else exists to respond to the IGMP requests. I suspect
    Wireshark is trying to get hostnames but maybe it can be configured not
    to do that and just show IP addresses which don't need to be looked up.
     
    VanguardLH, Oct 6, 2012
    #12
  13. Alan Browne

    Alan Browne Guest

    No. The source address resolves to the router, not the computer - and
    what prompted me to look is the traffic meter on my computer showing the
    incoming deluge from the router - Wireshark was not running.

    And if nothing else is going on Wireshark is quiet. Re-boot the router
    and a few seconds after it completes re-start the IGMP traffic starts
    (amongst the other stuff).
     
    Alan Browne, Oct 6, 2012
    #13
  14. Alan Browne

    VanguardLH Guest

    How old is that D-Link router? Typical lifespan for D-Link stuff is 3
    years. Linksys is 5-6 years. They don't just die with a puff of smoke
    and completely stop working. First they start doing screwy behavior,
    like sometimes you can connect, sometimes you can't, and sometimes
    bandwidth is all over the place. Since it's not hurting your networking
    (after the deluge subsides), I'd say just keep using it but keep an eye
    out for sales on a replacement.
     
    VanguardLH, Oct 7, 2012
    #14
  15. Alan Browne

    Alan Browne Guest

    It's about 2 years old. I have no complaints other than the idiotic
    need to reboot after minor configuration changes. (Really the idiotic
    need it has to stop working to write config changes to flash).

    No urgency to replace but I would like a dual band WiFi as there are
    periods where the neighborhood signal use skyrockets in the 2.4 GHz band
    which really kills throughput. AFAICT using iStumbler nobody is using 5
    GHz yet.

    As to the deluge, it doesn't hurt anything even when it's on - 1.5 kB/s
    on a gigabit network is pretty much noise. It's just "wrong" behaviour.
    But once it's gone it appears to be permanently gone so no harm.
     
    Alan Browne, Oct 7, 2012
    #15
  16. Alan Browne

    Trainwreck1123

    IGMP occurs on your network after a reboot because a network device is building its routing table. Almost all dynamic routing protocols such as IGMP use a multicast address to achieve this and most send updates every 5 seconds as well. I see this as completely normal network traffic. I would hesitate to try to disable it because it may prevent a network device from having a fully updated table.
     
    Last edited by a moderator: Oct 9, 2012
    Trainwreck1123, Oct 9, 2012
    #16
  17. Alan Browne

    ahmadsheikh56

    Thanks for sharing such vital information, actually I am looking for information regarding. Now this thread definitely helps me a lot.
     
    ahmadsheikh56, Oct 20, 2012
    #17