G+_Rud Dog (Author), Posted April 4, 2018
Why is one of my computers reaching out to 233.89.188.1?
G+_Jared Messervy, Posted April 4, 2018
That's a multicast address. Perhaps you installed something?
G+_Rud Dog (Author), Posted April 4, 2018
I have to ask, then: I typed in reverse lookup and the address above, and I was taken to this URL, and it looks like it has been assigned, or am I reading this wrong?
myip.ms - 233.89.188.1 IP Address Whois - Owner: Internet Assigned Numbers Authority, 12025 Waterfront Drive, Suite 300, Los Angeles CA 90094, USA
G+_Scott Snodgrass, Posted April 4, 2018
It is a reserved multicast address. Something on your local network.
G+_Jared Messervy, Posted April 4, 2018
If you look at the comment section on that page you will see: "Addresses starting with a number between 224 and 239 are used for IP multicast. IP multicast is a technology for efficiently sending the same content to multiple destinations. It is commonly used for distributing financial information and video streams, among other things."
As for who is using it, or why your device is reaching out to it, I can't say without a lot more information.
G+_William L. DeRieux IV, Posted April 4, 2018
Rud Dog: It's owned by IANA (and classified as Special Use, multicast).
iana.org - IPv4 Multicast Address Space Registry
G+_Rud Dog (Author), Posted April 5, 2018
Thanks, guys, if you all could clarify one last thing. Here is what I could find on the subject: a message sent to a broadcast address may be received by all network-attached hosts. So the source IP address, in this case, is sending out a broadcast. And it is sent to the address shown, which shows up as the destination. How do you find the genesis of this LAN traffic?
G+_Jason Marsh, Posted April 5, 2018
You can see who's sending it using EtherApe or Wireshark, or if you don't like GUI there's netcat, pcap, et al...
G+_William L. DeRieux IV, Posted April 5, 2018
Rud Dog: en.wikipedia.org - Broadcast address - Wikipedia
Broadcast address: 255.255.255.255 (mac=FF:FF:FF:FF)
To find the host where the traffic originated from would require you to monitor the packets using Wireshark or another pcap tool. You can filter the packet list by using (for Wireshark):
    ip.dst == 255.255.255.255
You would then need to look at the packet's source IP and MAC address.
Often the broadcast address is used for DHCP/ARP, and NDP. (So this might actually be normal behavior...)
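Added example, not part of any poster's reply: the thread mixes the multicast address 233.89.188.1 with the broadcast address 255.255.255.255, so this sketch classifies each destination and tallies the source MAC/IP behind it, which is the lookup described above done by hand in Wireshark. The laptop MAC and IP are hypothetical, the frames are constructed, and VLAN-tagged frames are not handled.

```python
import ipaddress
import struct
from collections import Counter

def classify_dst(ip):
    """Label a destination as limited-broadcast, multicast (224.0.0.0/4) or unicast."""
    addr = ipaddress.IPv4Address(ip)
    if int(addr) == 0xFFFFFFFF:
        return "limited-broadcast"
    return "multicast" if addr.is_multicast else "unicast"

def multicast_mac(ip):
    """Ethernet group MAC for an IPv4 multicast address: 01:00:5e + low 23 bits."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return (b"\x01\x00\x5e" + low23.to_bytes(3, "big")).hex(":")

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip) for an untagged Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src_ip = str(ipaddress.IPv4Address(frame[26:30]))
    dst_ip = str(ipaddress.IPv4Address(frame[30:34]))
    return frame[6:12].hex(":"), src_ip, dst_ip

def talkers(frames):
    """Count (src_mac, src_ip, dst_ip, kind) for every non-unicast destination."""
    seen = Counter()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and classify_dst(parsed[2]) != "unicast":
            seen[parsed + (classify_dst(parsed[2]),)] += 1
    return seen

def build_frame(dst_mac, src_mac, src_ip, dst_ip):
    """Constructed frame: Ethernet header + bare 20-byte IPv4 header (proto UDP)."""
    eth = bytes.fromhex(dst_mac.replace(":", "") + src_mac.replace(":", "")) + b"\x08\x00"
    return eth + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 1, 17, 0,
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)

# Constructed sample: hypothetical laptop MAC/IP; destinations are the thread's addresses.
MAC, IP = "aa:bb:cc:00:00:01", "192.168.1.50"
SAMPLE = [build_frame(multicast_mac("233.89.188.1"), MAC, IP, "233.89.188.1")] * 2 + [
    build_frame("ff:ff:ff:ff:ff:ff", MAC, IP, "255.255.255.255"),
    build_frame("00:11:22:33:44:55", MAC, IP, "192.168.1.1"),
]

if __name__ == "__main__":
    for (mac, src, dst, kind), n in talkers(SAMPLE).items():
        print(f"{src} ({mac}) -> {dst} [{kind}] x{n}")
```

The equivalent Wireshark display filter for the multicast case is `ip.dst == 233.89.188.1`; on the wire that destination carries the group MAC 01:00:5e:59:bc:01 rather than ff:ff:ff:ff:ff:ff.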
G+_Rud Dog (Author), Posted April 5, 2018
This is what my comments were attempting to solve. The source IP address is a laptop on my LAN and the destination address is the multicast address I showed earlier.
G+_Rud Dog (Author), Posted April 5, 2018
William L. DeRieux IV: Thank you. Is there a cheat sheet for Wireshark? Like the helping hint you gave me on ip.dst == address. Very useful.
G+_William L. DeRieux IV, Posted April 5, 2018
Rud Dog: Ubiquiti UniFi uses 233.89.188.1 and 255.255.255.255 as part of its method for joining end-point devices to the network (i.e., unifi-inform-protocol). So, if you are using a Unifi then this GitHub page might be of interest to you: https://github.com/jk-5/unifi-inform-protocol
PS: You can find a list of display filters for Wireshark here: http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf
G+_Rud Dog (Author), Posted April 5, 2018
Thank you again, and yes, I use the Unifi software and the cameras.
G+_William L. DeRieux IV, Posted April 6, 2018
Rud Dog: Well, then it is most likely the Unifi software trying to announce its presence to the controller. I guess the next question should be... why is it being so chatty... wasn't once enough?
G+_Rud Dog (Author), Posted April 7, 2018
William L. DeRieux IV: Interesting enough, went back to capture the cast again and it does not show up?