802.11 Sniffer Capture Analysis – Multicast


Thu, 05/31/2012 - 19:14
Apr 9th, 2012
User Badges:
  • Cisco Employee,


Multicast Sniffing


The controller performs multicasting in two modes:

  • Unicast      mode—In this mode, the controller unicasts every multicast packet to every AP associated to the controller. This mode is inefficient but might be      required on networks that do not support multicasting.
  • Multicast      mode—In this mode, the controller sends multicast packets to an LWAPP multicast group. This method reduces overhead on the controller processor      and shifts the work of packet replication to your network, which is much      more efficient than the unicast method.
  • You can enable multicast mode using the controller GUI or CLI.

IGMP Snooping on WLC

In controller software release 4.2, IGMP snooping is introduced to better direct multicast packets. When this feature is enabled, the controller gathers IGMP reports from the clients, processes the reports, creates unique multicast group IDs (MGIDs) from the IGMP reports after checking the Layer 3 multicast address and the VLAN number, and sends the IGMP reports to the infrastructure switch. The controller sends these reports with the source address as the interface address on which it received the reports from the clients.

The controller then updates the access point MGID table on the AP with the client MAC address. When the controller receives multicast traffic for a particular multicast group, it forwards it to all the APs. However, only those APs that have active clients listening or subscribed to that multicast group send multicast traffic on that particular WLAN. IP packets are forwarded with an MGID that is unique for an ingress VLAN and the destination multicast group. Layer 2 multicast packets are forwarded with an MGID that is unique for the ingress interface.

Note: IGMP snooping is not supported on the 2000 series controllers, the 2100 series controllers, or the Cisco Wireless LAN Controller Network Module for Cisco Integrated Services Routers.

Guidelines for Using Multicast Mode

Use these guidelines when you enable multicast mode on your network:

The Cisco Unified Wireless Network solution uses some IP address ranges for specific purposes. Keep these ranges in mind when you configure a      multicast group: Although not recommended, any multicast address can be assigned to the LWAPP multicast group; this includes the reserved link local multicast addresses used by OSPF, EIGRP, PIM, HSRP, and other multicast protocols.

Cisco recommends that multicast addresses be assigned from the administratively scoped block 239/8. IANA has reserved the range of as administratively scoped addresses for use in private multicast domains. See the note for additional restrictions. These addresses are similar in nature to the reserved private IP unicast ranges, such as, defined in RFC 1918. Network administrators are free to use the multicast addresses in this range inside of their domain without fear of conflict with others elsewhere in the Internet. This administrative or private address space must be used within the enterprise and its leave or entry blocked from the autonomous domain (AS).

Note: Do not use the 239.0.0.X address range or the 239.128.0.X address range. Addresses in these ranges overlap with the link local MAC addresses and flood out all switch ports, even with IGMP snooping turned on.

Cisco recommends that enterprise network administrators further subdivide this address range into smaller geographical administrative scopes within the enterprise network to limit the "scope" of particular multicast applications. This prevents high-rate multicast traffic from leaving a campus (where bandwidth is plentiful) and congesting the WAN links. It also allows for efficient filtering of the high bandwidth multicast from reaching the controller and the wireless network.

When you enable multicast mode on the controller, you must configure an LWAPP multicast group address on the controller. APs subscribe to the LWAPP multicast group using Internet Group Management Protocol (IGMP).

  • Cisco      1100, 1130, 1200, 1230, and 1240 APs use IGMP versions 1, 2, and 3.      However, Cisco 1000 Series APs use only IGMP v1 to join the multicast      group.
  • Multicast      mode works only in Layer 3 LWAPP mode.
  • APs in      monitor mode, sniffer mode, or rogue detector mode do not join the LWAPP      multicast group address.
  • When      you use controllers that run version 4.1 or earlier, you can use the same      multicast address on all the controllers. If you use controllers that run      version 4.2 or later, the LWAPP multicast group configured on the      controllers must be different for each controller used on the network.
  • If you      use controllers with version 4.1 or earlier, the multicast mode does not      work across intersubnet mobility events, such as guest tunneling,      site-specific VLANs, or interface override that uses RADIUS. The multicast      mode does work in these subnet mobility events when you disable the Layer      2 IGMP snooping/CGMP features on the wired LAN.

In later versions, that is, 4.2 or later, the multicast mode does not operate across intersubnet mobility events, such as guest tunneling. It does, however, operate with interface overrides that use RADIUS (but only when IGMP snooping is enabled) and with site-specific VLANs (access point group VLANs).

  • The      controller drops any multicast packets sent to the UDP port numbers 12222,      12223, and 12224. Make sure the multicast applications on your network do      not use those port numbers.
  • Multicast      traffic is transmitted at 6 Mbps in an 802.11a network. Therefore, if      several WLANs attempt to transmit at 1.5 Mbps, packet loss occurs. This      breaks the multicast session.

Configuring Multicast (Using Multicast-Multicast Mode)

Select Mutlicast - Multicast and configure your group, each WLC in your mobility group should use a unique address.

Enable multicast routing on the L3 device and enable PIM on the following VLANs.  Management, AP-Manger, VLAN on which the AP are in and as well as the VLAN where the cleints that will receive the multicast stream. Example :

VLAN 40 is the WLC management, VLAN 40 is for AP, and VLAN 50 is where my clients are. So under all of these SVI I need to issue the multicst commands.

Issue all Multicast show command to verify, example : show ip mroute, show ip igmp groups to validate that the group for the AP is built properly.

We can also enable IGMP Snoping on the WLC. The WLC will hold it's own snooping table for the IGMP messages that it receives, so that it knows who is requesting the stream.

On Wireless LAN Controller

Enable Global Multicast on the WLC and Enable Multicast – Multicast mode on the WLC

Once the client sends the multicast join, we will see the below on the WLC MGID

Multicast configuration on Wired network

Configure Multicast routing Globally and then enable PIM on each interface..

6504-WLCBUG#sh run | i multicast

ip multicast-routing

6504-WLCBUG#sh run int vla 50

Building configuration...

Current configuration : 119 bytes


interface Vlan50

description // WLAN DHCP pool VLAN //

ip address

ip pim dense-mode


6504-WLCBUG#sh run int vla 40

Building configuration...

Current configuration : 121 bytes


interface Vlan40

description // Management Vlan //

ip address

ip pim dense-mode


6504-WLCBUG#sh ip pim interface vlan 40

Address         Interface               Ver/   Nbr   Query DR    

                                                       DR Mode   Count Intvl Prior   Vlan40                   v2/D   0     30     1

6504-WLCBUG#sh ip pim interface vlan 50

Address         Interface               Ver/   Nbr   Query DR     DR

                                                        Mode   Count Intvl Prior       Vlan50                   v2/D   0     30     1

6504-WLCBUG#sh ip mroute

IP Multicast Routing Table

Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,

       L - Local, P - Pruned, R - RP-bit set, F - Register flag,

       T - SPT-bit set, J - Join SPT, M - MSDP created entry,

       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,

       U - URD, I - Received Source Specific Host Report,

       Z - Multicast Tunnel, z - MDT-data group sender,

      Y - Joined MDT-data group, y - Sending to MDT-data group

       V - RD & Vector, v - Vector

Outgoing interface flags: H - Hardware switched, A - Assert winner

Timers: Uptime/Expires

Interface state: Interface, Next-Hop or VCD, State/Mode

(*,, 4d17h/00:02:03, RP, flags: DC

Incoming interface: Null, RPF nbr

Outgoing interface list:

   Vlan40, Forward/Dense, 4d17h/00:00:00

(*,, 2w1d/00:02:07, RP, flags: DC

Incoming interface: Null, RPF nbr

Outgoing interface list:

   Vlan40, Forward/Dense, 3d10h/00:00:00

(*,, 2w1d/00:02:13, RP, flags: DCL

Incoming interface: Null, RPF nbr

Outgoing interface list:

   Vlan11, Forward/Dense, 2w1d/00:00:00

Packet Captures


Wired PC ----------- 6500 Switch -------- WISM ------- AP )))) ((((( Wireless Client

Vlan 50                       Vlan 40                   Vlan 40       Vlan 40             Vlan 50

MCAST Traffic Generator Tool is used on the Wired PC to Generate Multicast Stream – Continuous UDP packets.

Wired Wireshark packet capture on the MCAST generator

Windows Netmon Capture on the Mcast packet generator

MCAST Receiver Tool is used on the Wireless Client to Receive the Multicast traffic from the Source (Wired PC).

Wireshark Captures on the Wireless interface of the Wireless client

Netmon Capture on the Wireless interface of the Wireless Client



This Document

Related Content



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode