Multicast Traffic???

Unanswered Question
Nov 6th, 2007

We have been experiencing high bandwidth (~5Mbps) usage on one of our WAN links out of normal office hours when we would expect there to be very little activity.

A packet capture from the main core switch has shown a lot of what we believe to be multicast traffic, but we have been unable to verify this and track the source. An example packet is below.

How is it best to go about identifying and tracing this traffic?


No. Time     Source             Destination        Protocol Info
1   0.000000 00:00:00_00:fe:00  01:00:5e:0f:01:fa  0x7005   Ethernet II

Frame 1 (1322 bytes on wire, 1322 bytes captured)
    Arrival Time: Nov 6, 2007 09:47:28.018484000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 1322 bytes
    Capture Length: 1322 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:data]
Ethernet II, Src: 00:00:00_00:fe:00 (00:00:00:00:fe:00), Dst: 01:00:5e:0f:01:fa (01:00:5e:0f:01:fa)
    Destination: 01:00:5e:0f:01:fa (01:00:5e:0f:01:fa)
        Address: 01:00:5e:0f:01:fa (01:00:5e:0f:01:fa)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:00:00_00:fe:00 (00:00:00:00:fe:00)
        Address: 00:00:00_00:fe:00 (00:00:00:00:fe:00)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: Unknown (0x7005)
Data (1308 bytes)

Richard Burts Tue, 11/06/2007 - 08:06

It is an interesting frame shown in the capture. If you look at the destination MAC address it certainly looks like an IP multicast frame. The first part of the address 01:00:5e is the reserved OUI for IP multicast. The last part of the address indicates that the destination IP address would have been x.1.1.250 or x.129.1.250 (where x is in the range 224 through 239).

However, the source MAC address appears to be invalid since it is all 0s. This makes identifying the source quite a problem. Was this capture on a SPAN port? If so, what was the source of the SPAN session?
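The reply above reasons from two header fields: the 01:00:5e OUI that marks an IPv4 multicast MAC, and the all-zero source MAC that makes the sender untraceable. The following is an added example, not code from the thread or from either poster, that does that triage programmatically: it parses the 14-byte Ethernet II header, flags a group destination, an all-zero or I/G-set source, and an EtherType with no IP header behind it, and derives every IPv4 group address that could have produced the destination MAC (only the low 23 bits of the group address survive the RFC 1112 mapping, so 32 addresses share each MAC). The sample frame is constructed from the header values shown in the capture; its payload is filler, and the helper names are my own.

```python
"""Triage a captured Ethernet frame for the multicast / invalid-source pattern
discussed in the thread. Added example; the frame bytes are constructed."""

import struct

IPV4_MCAST_OUI = bytes.fromhex("01005e")        # 01:00:5e:xx:xx:xx, RFC 1112
ZERO_MAC = b"\x00" * 6
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}

# Constructed sample: header fields from the capture plus a short dummy payload.
SAMPLE_FRAME = (
    bytes.fromhex("01005e0f01fa")          # destination 01:00:5e:0f:01:fa
    + bytes.fromhex("00000000fe00")        # source 00:00:00:00:fe:00 (all zeros apart from 0xfe)
    + struct.pack("!H", 0x7005)            # EtherType 0x7005, not a known protocol
    + b"\x00" * 32                         # filler payload (real frame carried 1308 bytes)
)


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_ethernet(frame: bytes) -> dict:
    """Split an Ethernet II frame into dst, src, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": dst, "src": src, "ethertype": ethertype, "payload": frame[14:]}


def is_group_address(mac: bytes) -> bool:
    """I/G bit is the least significant bit of the first octet."""
    return bool(mac[0] & 0x01)


def candidate_ipv4_groups(mac: bytes) -> list:
    """All IPv4 multicast addresses that map onto this MAC, [] if it is not an
    IPv4 multicast MAC. The MAC carries the low 23 bits of the group address,
    so the first octet (224..239) and bit 23 of the address are unknown."""
    if mac[:3] != IPV4_MCAST_OUI or mac[3] & 0x80:
        return []
    low23 = mac[3:6]
    return [
        f"{first}.{low23[0] | high_bit}.{low23[1]}.{low23[2]}"
        for first in range(224, 240)
        for high_bit in (0x00, 0x80)
    ]


def triage_frame(frame: bytes) -> dict:
    """Return the parsed header plus a list of findings relevant to tracing the sender."""
    eth = parse_ethernet(frame)
    findings = []
    if is_group_address(eth["dst"]):
        findings.append("destination is a group (multicast/broadcast) address")
    if eth["src"] == ZERO_MAC or eth["src"][:3] == b"\x00\x00\x00":
        findings.append("source MAC has a zero OUI: not a factory address, cannot be "
                        "attributed to a NIC vendor or resolved via the switch MAC table")
    if is_group_address(eth["src"]):
        findings.append("source MAC has the I/G bit set: invalid as a sender address")
    if eth["ethertype"] not in KNOWN_ETHERTYPES:
        findings.append(f"unknown EtherType 0x{eth['ethertype']:04x}: no IP header, "
                        "so the sender cannot be identified from an IP address")
    return {
        "dst": mac_str(eth["dst"]),
        "src": mac_str(eth["src"]),
        "ethertype": eth["ethertype"],
        "candidate_groups": candidate_ipv4_groups(eth["dst"]),
        "findings": findings,
    }


if __name__ == "__main__":
    result = triage_frame(SAMPLE_FRAME)
    print(f"{result['src']} -> {result['dst']} type 0x{result['ethertype']:04x}")
    for f in result["findings"]:
        print(" -", f)
    print(" candidate groups:", ", ".join(result["candidate_groups"][:4]), "...")
```

For the capture's destination 01:00:5e:0f:01:fa the function yields 32 candidates, from 224.15.1.250 through 239.143.1.250 (0x0f is 15, and bit 23 may be set or clear). Because the frame has no IP header and a zero-OUI source, neither the IP layer nor the switch's MAC table will name the sender; the practical next step is the one the reply points at: narrow the SPAN source to individual switch ports until the port that ingresses the frames is found.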



Anonymous (not verified) Wed, 11/07/2007 - 00:01

This was a capture from a span port; the source was the primary connection to one of our internal firewalls - a Nokia IP530 running Check Point NGX R60.

There are some development environments that sit behind this firewall, but as far as we know there should be nothing that is using any multicast addresses.

Richard Burts Wed, 11/07/2007 - 06:30

I am surprised that it got through the firewall (or out of the firewall) with an invalid source MAC address.



Anonymous (not verified) Tue, 11/13/2007 - 01:47

It turns out that this was not the traffic that we were seeing across the WAN; this was down to a user who had a script running that was not quite working properly.

However, we are seeing a lot of this on the local LAN segment, so we are still trying to find what is generating it.

Thanks for your help.

