OT - IGMP Protocol query

Baron Grazic · #1 September 14th, 2004, 03:43 AM

I was wondering if anyone has come across the problem of a brand new Windows XP machine sending IGMP packets to the address of 224.0.0.22.
Any suggestion or links as to how I can stop this from happening?
Thanks.

narf poit chez BOOM · #2 September 14th, 2004, 04:29 AM

Virusscan, spyware scan. Try ad-aware and um...spybot S&D. That's what everybody here seems to recommend.

Thermodyne · #3 September 14th, 2004, 01:15 PM

Where did you get this info from? Firewall?

Looks like the system is asking a router for info on other systems in its group. Is the system in the workgroup named "workgroup"?

Baron Grazic · #4 September 14th, 2004, 10:38 PM

This is a new Test XP machine, that I built to test a new Internal Firewall on our Domain. This Fireall is blocking the IGMP packets and brought it to my attention.
At least a couple of times a day, the XP machine sends packets to the address of 224.0.0.22, which routes to igmp.mcast.net
We are not using any Multicasting software, and this XP box is pure Windows XP, no other software except for the Virus/Firewall client that I am testing.
Suggestions?

Instar · #5 September 14th, 2004, 10:47 PM

http://www.webopedia.com/TERM/I/IGMP.html
Not exactly a wordy definition.
I can't find what mcast.net is. I haven't been able to ping it or anything. Whois comes up blank. I can't say what that is or what it is doing. What brand of A/V stuff are you using? Firewall?

Baron Grazic · #6 September 16th, 2004, 01:42 AM

Thanks Instar.
I am testing TrendMicro OfficeScan Anti-Virus software and Firewall.
There is a couple of references to igmp.mcast.net but not why XP would be attempting to connect to it, once a day.

Instar · #7 September 16th, 2004, 01:52 AM

I used to use Trend Micro. It was good enough.
Anyhow, its a weird thing, trying to contact a non-existant site (unless its an evil government plot! The ILLUMINATTI are coming!)
Its a multicast IP protocol... hmm
No harm in continuing blocking it. I know IE has a toolbar thing that Adaware considers spyware. Get Adaware on disk and see what happens when you run it.

Thermodyne · #8 September 16th, 2004, 08:44 AM

It�s an unassigned IGMP address. I would just block it at the firewall. It�s probably just a multicast from your system (host) looking for members.

Here�s a link to IGMP

http://www.freesoft.org/CIE/RFC/1112/18.htm

As a rule of thumb, you should build a list of what the firewall needs to pass and then lock everything else down. In practice, we lock it all down and then open as needed. Often, we apply filters to the PIX�s on a per machine basis. Allowing all internally originating traffic is no longer seen as acceptable.

PS: TM's antivirus has had some bigtime patch blowups in the past.

Instar · #9 September 16th, 2004, 09:56 AM

"PS: TM's antivirus has had some bigtime patch blowups in the past. "
I didn't notice that when I used it, then again, I had a fast connection to download the patches with, and I had a huge HD anyhow.

Thermodyne · #10 September 16th, 2004, 10:08 AM

I had it on a small net with about 15 clients, two times in a 1 year period it blew up during update installs. Once it needed to be reinstalled and once it forced me to reload the systems. (thank god for ghost) Both times it was a known issue that they pushed the update out with. After that, I only support Norton in the contracts. If they want to skimp on AV, then it's T&M if it goes down.