Creating multicast join for tcpdump captures

I want to write a linux shell script which will capture specific multicast traffic. Specific as in, I want to create a pcap file that has all the traffic for one specific multicast group/port.

Here is the command line I am using to view traffic:

tcpdump -nnXs 0 -i eth1 udp port 22001 and dst

This works fine so long as I have a multicast subscription to that group already established. For example, if I run this in another console:

mdump 22001

tcpdump will see packets. If mdump is not running, tcpdump sees nothing.

Is there a standard linux-y way to establish these multicast joins before starting the captures? I could use mdump to establish these joins, but that seems wasteful since mdump will process all that data on the group, bbut I’m just going to throw it away.

Note that because my specific environment, I have been discouraged from putting the interface in to promiscuous mode. It may, in fact, be prohibited.

Asked By: John Dibling


TL;DR – Pick one:

sudo ip addr add dev eth1 autojoin

socat STDIO UDP4-RECV:22001,ip-add-membership= > /dev/null

At first I was going to say "just use ip maddress add and be done with it". The problem is ip maddress only affects link layer multicast addresses not protocol multicast addresses (man 8 ip-maddress).

That being said using the autojoin flag with the address verb does the trick just nicely.

This raises some subsequent questions though. I assume since you’ll be running tcpdump or tshark that you have root permission. In the event that you do not 22001 is a high numbered port and other utilities like socat will also get things done.

Don’t take my word for it though. Just to test this out we can generate multicast UDP packets with socat or ncat (generally packaged via nmap/nmap-ncat).

On some number of hosts run one of the following two combinations:

Option 1:

sudo ip addr add dev eth1 autojoin

Option 2:

socat -u UDP4-RECV:22001,ip-add-membership= /dev/null &

The first option will require either root, or at least the capability CAP_NET_ADMIN. The second option doesn’t require root, but also expects to run in the foreground and thus may be less conducive to scripting (though tracking the child process ID and cleaning it up with a trap in BASH may be just what you’re looking for.

Once that’s done (but before we go nuts testing our tcpdump/tshark command) make sure that the kernel recognizes the interface having joined the correct IGMP group. If you’re feeling super fancy you can go nuts parsing the hex out of /proc/net/igmp, but I’d suggest just running netstat -gn.

Once you’ve verified that you see the interface subscribed to the correct group fire up your tcpdump command:

tcpdump -nnXs 0 -i eth1 udp port 22001 and dst

Alternatively, if you don’t want to fully go the route of tcpdump (or stumbled upon this answer and are just curious to see multicast in action) you can use socat command above to join and echo the content to STDOUT by replacing /dev/null with STDOUT:

socat -u UDP4-RECV:22001,ip-add-membership=

Then, from another machine use one of the following two options to send some simple test data:

Option 1:


Option 2:

ncat  -u 22001

When you run either of those commands it will then interactively wait for input. Just type some things in, hit enter to send, then CTRL+D when you’re done to send an EOF message.

At this point you should have seen an end to end test and with a few commands built the worst, most insecure chat system in the world.

N.B. If you want to leave the multicast group joined using ip addr add ... (option 1), you can do this:

sudo ip addr del dev eth1 autojoin
Answered By: Brian Redbeard