<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 14-02-13 02:52 AM, Trevor Cordes
wrote:<br>
</div>
<blockquote cite="mid:20140213025221.6a4812d3@pog.tecnopolis.ca"
type="cite">
<pre wrap="">Hmm, I didn't see that in my (brief) multicast research, but I'll take
your word for it. I did find that TTL=1 means local-subnet-only and
these packets are indeed showing a TTL of 1.</pre>
</blockquote>
Your google-fu is weak, as usual. From the Wikipedia page on
"Multicast address":<br>
<table class="wikitable" style="font-size: 13px; margin: 1em 0px;
background-color: rgb(249, 249, 249); border: 1px solid rgb(170,
170, 170); border-collapse: collapse; color: rgb(0, 0, 0);
font-family: sans-serif; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; line-height:
19.200000762939453px; orphans: auto; text-align: start;
text-indent: 0px; text-transform: none; white-space: normal;
widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<tbody>
<tr>
<td style="border: 1px solid rgb(170, 170, 170); padding:
0.2em;">224.0.0.1</td>
<td style="border: 1px solid rgb(170, 170, 170); padding:
0.2em;">The <i>All Hosts</i> multicast
group addresses all hosts on the same network segment.</td>
</tr>
</tbody>
</table>
<br>
By definition, all IGMP packets will have a TTL of 1 - they're only
supposed to discover directly-connected hosts that also run IGMP.<br>
<br>
<blockquote cite="mid:20140213025221.6a4812d3@pog.tecnopolis.ca"
type="cite"><br>
<pre wrap="">I just did some more checks and see that I have the MAC for the source
of the packets, and looking in arp I see the MAC belongs to my
next-hop, a Shaw router. So either it is generating these, or this
packet is indeed crossing a subnet boundary. No?</pre>
</blockquote>
The router will be generating them. Only multicast-capable routers
should ever generate IGMP packets. (Some switches intercept and
occasionally modify them, but that's an acceptable special case.)<br>
<br>
<blockquote cite="mid:20140213025221.6a4812d3@pog.tecnopolis.ca"
type="cite">
<pre wrap="">Hey, what if it's some attempt by Shaw to detect and shut down hackers
trying to run IGMP?</pre>
</blockquote>
No. IGMP is a completely normal thing, and is not indicative of a
"hacker".<br>
<br>
<blockquote cite="mid:20140213025221.6a4812d3@pog.tecnopolis.ca"
type="cite">
<pre wrap="">As long as the black helicopters aren't outside my house, this is more
of a curiosity than a big concern. Well, except it is putting 208
bytes into my /v/l/messages every minute. ;-)
</pre>
</blockquote>
A perfect example of why I've never found it worthwhile to log
incoming traffic that got dropped.<br>
<br>
<pre class="moz-signature" cols="72">--
-Adam Thompson
<a class="moz-txt-link-abbreviated" href="mailto:athompso@athompso.net">athompso@athompso.net</a>
</pre>
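Added example, not part of the original message: a small triage helper that checks whether a captured IPv4 packet matches the pattern discussed in this thread (IGMP, TTL 1, destination 224.0.0.1). The function names, return labels and the sample packet builder are assumptions made for illustration; the sample packet is constructed, not captured.

```python
import socket
import struct

ALL_HOSTS = "224.0.0.1"
IGMP_PROTO = 2            # IP protocol number assigned to IGMP
MEMBERSHIP_QUERY = 0x11   # IGMP type: membership query


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (0 over a valid message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify(packet: bytes) -> str:
    """Classify raw IPv4 bytes; the IP header checksum is not verified."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4                 # header length incl. options
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or len(packet) < total_len:
        return "truncated"
    if packet[9] != IGMP_PROTO:
        return "not-igmp"
    igmp = packet[ihl:total_len]                 # ignore link-layer padding
    if inet_checksum(igmp) != 0:
        return "igmp-bad-checksum"
    if packet[8] != 1:                           # TTL
        return "igmp-unexpected-ttl"
    dst = socket.inet_ntoa(packet[16:20])
    if igmp[0] == MEMBERSHIP_QUERY and dst == ALL_HOSTS:
        return "igmp-general-query"
    return "igmp-other"


def build_query(src: str, ttl: int = 1) -> bytes:
    """Constructed sample: IGMPv2 general query with the Router Alert option."""
    igmp = struct.pack("!BBH4s", MEMBERSHIP_QUERY, 100, 0, bytes(4))
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0x4000,
                     ttl, IGMP_PROTO, 0, socket.inet_aton(src),
                     socket.inet_aton(ALL_HOSTS))
    return ip + b"\x94\x04\x00\x00" + igmp       # 0x94 0x04 = Router Alert
```

A result of `igmp-unexpected-ttl` is the case worth a second look, since a TTL other than 1 means the packet does not fit the local-segment pattern described above.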
</body>
</html>