This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ssdp issue?

0

Inside a Linux VM I've started tcpdump to capture on its NIC and I've opened the trace file in Wireshark. What I don't understand is why I see packets originating from a different IP source address than the one assigned to the VM's NIC (even the Layer 2 address is not matching). These are SSDP packets, btw.

Any ideas?

asked 23 Aug '16, 02:30

adasko

Why are you surprised by receiving packets on your VM's network interface? Are you saying this NIC is not connected?

(23 Aug '16, 04:45) Jaap ♦

When running netstat -g (I use this to see all sockets which are bound to a multicast address) I can see only the following IPv6/IPv4 Group Membership:

224.0.0.1 - The All Hosts multicast group addresses all hosts on the same network segment.

So why can I see SSDP packets targeted to multicast address 239.255.255.250?

(23 Aug '16, 05:07) adasko
1

The fact that you are receiving multicast traffic at your network interface is not that unusual. The actual joined MC group (All Hosts) is what's being accepted by the network stack, but lower down more traffic may come in. This has to do with the way multicast addresses are mapped onto MAC addresses, and how the (HW/emulated) NIC can filter those.

(23 Aug '16, 05:36) Jaap ♦

I'm not sure I understood you correctly, but do you mean that we should be able to see ALL multicast traffic even if promiscuous mode is not enabled? Please correct me if I misunderstood you.

(23 Aug '16, 06:19) adasko
1

That's correct. Broadcast and often also multicast traffic is received even if promiscuous mode is off because the hardware MAC address filter on the network card always lets frames with broadcast or multicast destination MAC through. "Promiscuous mode on" actually means "switch off the destination MAC address filter", but the filter only acts on unicast MAC addresses.

What @Jaap was saying is that if your machine has not subscribed to some multicast group, frames with that group's MAC address as destination are ignored by the IP stack in the kernel even though the MAC filter on the network card lets them in.

This may vary, however, depending on the driver and hardware capabilities of the card; some cards may save the kernel from extra load by using more complex filters which can let through only multicast frames with a particular group's destination MAC address. In your case of a virtual NIC, it doesn't make a difference whether the multicast frames are filtered at one place or the other if it is always the CPU which provides that functionality.

(23 Aug '16, 07:09) sindy
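
The two filtering stages described in the comments above, as an added example that is not part of the original thread: it maps an IPv4 multicast group to its Ethernet MAC and shows where an SSDP frame stops when only 224.0.0.1 is joined. The function names, the `per_group_filter` switch and the VM MAC are assumptions made for illustration.

```python
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"

def multicast_mac(group):
    """IPv4 multicast group -> Ethernet MAC: 01:00:5e + low 23 bits of the IP."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (0x01005E << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))

def is_group_mac(mac):
    """Group (I/G) bit: lowest bit of the first octet marks multicast/broadcast."""
    return bool(int(mac.split(":")[0], 16) & 0x01)

def frame_fate(dst_mac, dst_ip, nic_mac, joined, promiscuous=False, per_group_filter=False):
    """Return how far a frame gets: NIC filter -> capture tap -> IP stack."""
    dst_mac, nic_mac = dst_mac.lower(), nic_mac.lower()
    # Stage 1: destination MAC filter on the (hardware or emulated) NIC.
    if not promiscuous and dst_mac != nic_mac:
        if not is_group_mac(dst_mac):
            return "dropped by NIC"            # unicast for another station
        allowed = {multicast_mac(g) for g in joined} | {BROADCAST}
        if per_group_filter and dst_mac not in allowed:
            return "dropped by NIC"            # smarter card filters per group MAC
    # Stage 2: the frame is handed to the host, so a capture sees it.
    # Stage 3: the IP stack accepts multicast only for joined groups.
    if ipaddress.IPv4Address(dst_ip).is_multicast and dst_ip not in joined:
        return "captured, dropped by IP stack"
    return "captured, delivered"

if __name__ == "__main__":
    NIC = "52:54:00:12:34:56"                  # constructed VM MAC
    JOINED = {"224.0.0.1"}                     # membership shown by netstat -g in the thread
    ssdp = "239.255.255.250"
    print(ssdp, "->", multicast_mac(ssdp))
    print(frame_fate(multicast_mac(ssdp), ssdp, NIC, JOINED))
    print(frame_fate(multicast_mac(ssdp), ssdp, NIC, JOINED, per_group_filter=True))
    # 32 IP groups share each MAC, so even a per-group filter can let strangers in.
    print(multicast_mac("224.127.255.250") == multicast_mac(ssdp))
```

Because only the low 23 bits of the group address reach the MAC, a per-group hardware filter still passes frames for any of the 32 groups that share a MAC; the IP stack makes the final decision.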