Archive of August 2011

Thu 18 Aug

The Case of the Mystery IGMP Query Request

I've spent two days trying to track down the source of mystery IGMP query requests on a network emulation testbed I'm building. All the machines are (essentially) stock installations of Ubuntu 11.04, with no services running besides sshd.

One of my machines acts as a poor man's Ethernet tap. Its two NICs, which are connected to the two machines that run the system I'm testing, are bridged together, allowing me to run tcpdump on the bridge interface (br0) to capture packet traces from the experiments I run*.

I noticed some strange IGMP queries originating from this monitor machine, and after several hours of hunting for the source I found that it was actually coming from this bridge device! It turns out that the bridge module in Linux supports IGMP snooping. I'm sure this is a useful feature for certain scenarios, but when you're trying to make sure no non-intentional traffic is moving across your NICs it is not at all useful.

Anyway, once you've figured this out the solution is simple: just disable IGMP snooping. You can (thankfully) do this via a sysctl variable:

cd /sys/devices/virtual/net/br0/bridge
echo 0 | sudo tee multicast_snooping

Once you do this, the pesky IGMP queries will go away. You can make this permanent (in Ubuntu, anyway) by adding these lines to a script under /etc/network/if-up.d/.

This page was helpful in solving this problem, as it provides documentation about the sysfs features of the bridge module.

*Yes, I know this is not a real Ethernet tap, but with the equipment, budget, and schedule I have (as well as my desire to run at 1Gbps, rather than 100Mbps) this is the best I can do.