You never stop learning. One topic that hadn’t crossed my path in the past decade is: Multicast. Whew. Alongside all the technical literature, online presentations, and various blog posts, I decided to approach it the classic way – through packet captures. ;)
So here’s a new part of the #UltimatePCAP, which contains quite a bit of PIM traffic, including Hello, Join/Prune, Register (via unicast!), and more. Of course, for IPv6 and legacy IP (IPv4). Let’s have a look:
Please note that I’m *not* a multicast expert. Luckily, there are many good resources out there. I recommend this Cisco Live presentation from Aleksandar Sofranic (YouTube): IP Multicast Introduction and Troubleshooting, or this (partially free) multicast course on NetworkLessons.com, or this blog post series from Emil Boklund.
Lab Setup
This is my lab, consisting of 2x Cisco router 2811 with IOS version 15.1(4)M12a and 1x Palo Alto Networks firewall PA-440 with PAN-OS 11.1.10-h1 (which only supports legacy IP for multicast, not IPv6). Everything is routed via OSPF/OSPFv3, while PIM is used for multicast traffic. The rendezvous point (RP) is statically configured on R1’s loopback address. A Raspberry Pi on the right-hand side is offering a multicast stream. Three clients are placed in the lab to receive the streams. The capture point was between the routers R1 and R2, leveraging a real TAP, namely the ProfiShark from Profitap.
Raspberry Pi ffmpeg stream (thanks to this Reddit posting):
|
1 |
ffmpeg -f lavfi -re -i "testsrc=size=640x360:rate=30:decimals=2" -c:v libx264 -f mpegts "udp://239.23.11.10:1234?pkt_size=1316" |
Similar for IPv6:
|
1 |
ffmpeg -f lavfi -re -i "testsrc=size=640x360:rate=25:decimals=2" -c:v libx264 -f mpegts "udp://[ff05::2311]:1234?pkt_size=1316" |
The clients/receivers used VLC to play the streams via udp://@239.23.11.10:1234, respectively udp://@[ff05::2311]:1234.
It’s Capturing Time!
This was the sequence of events that I captured for IPv4 on 2025-11-26. All times in UTC:
- 15:27 – cable between R1 and R2 was plugged into/through the TAP
- 15:31 – start of ffmpeg on the Raspberry Pi, sending to 239.23.11.10 on port 1234
- 15:34 – client 1 starts listening to the multicast stream via VLC
- 15:36 – client 1 stopped viewing (stream is cropped in the PCAP)
- 15:42 – stop of ffmpeg on the Raspberry Pi
- 15:49 – client 1 starts again, though the stream is not present anymore
- 15:50 – client 1 stops
- 15:51 – client 2 starts VLC, though the stream is not present
- 15:53 – client 2 stops
For IPv6, the following sequence was captured on 2025-12-03, all times are in UTC as well:
- 11:07 – cable between R1 and R2 was plugged into/through the TAP
- 11:10 – start of ffmpeg on Raspi, sending to [ff05::2311]:1234
- 11:12 – client 3 starts listening to the multicast stream via VLC
- 11:14 – client 3 stops
- 11:16 – stop of ffmpeg on the Raspi
- 11:22 – client 3 starts again, though stream not running
- 11:23 – client 3 stops
Some notes concerning the capture:
- I left only the beginning of the actual H.264 streams in there to keep the file as small as possible. (Can you decode them? ;))
- Neither IGMP (for IPv4) nor MLD (for IPv6) is interesting in this capture, as I captured between the two routers R1 and R2 rather than on the source or destination subnet of the multicast stream. Hence, we’re merely looking at PIM here.
- I don’t know why there’s PIMv1 traffic in there, since PIMv2 is the default at all.
- For IPv4, there are some unrelated PIM joins in there, as the clients requested some other multicast groups as well.
- Concerning IPv6, there’s a lot of ICMPv6 traffic in the capture, which relates to RS/RA, NS/NA, and MLD. I left them within the trace, as I left ARP for IPv4 there as well.
Wiresharking
Please download the UltimatePCAP by yourself in order to have a closer look at all those packets and sessions. The following screenshots give a rough overview, though.
5x for legacy IP, 5x for IPv6:
Shows & Configurations
Here are some multicast routing table outputs during the tests, all taken from R1:
As the stream started, but nobody was listening yet:
|
1 2 3 4 5 6 7 8 9 |
R1#show ip mroute (*, 239.23.11.10), 00:00:25/stopped, RP 10.0.0.1, flags: SP Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: Null (192.168.124.12, 239.23.11.10), 00:00:25/00:02:34, flags: P Incoming interface: FastEthernet0/1, RPF nbr 10.23.0.2 Outgoing interface list: Null |
Client 1 listens to the stream:
|
1 2 3 4 5 6 7 8 9 10 11 |
R1#show ip mroute (*, 239.23.11.10), 00:03:46/00:03:17, RP 10.0.0.1, flags: S Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: FastEthernet0/0, Forward/Sparse, 00:00:16/00:03:17 (192.168.124.12, 239.23.11.10), 00:03:46/00:01:13, flags: T Incoming interface: FastEthernet0/1, RPF nbr 10.23.0.2 Outgoing interface list: FastEthernet0/0, Forward/Sparse, 00:00:16/00:03:17 |
Stream was not present anymore, client 2 requested it:
|
1 2 3 4 5 6 |
R1#show ip mroute (*, 239.23.11.10), 00:00:38/00:03:27, RP 10.0.0.1, flags: S Incoming interface: Null, RPF nbr 0.0.0.0 Outgoing interface list: FastEthernet0/0, Forward/Sparse, 00:00:38/00:03:27 |
Same for IPv6: Stream started, no one listening yet:
|
1 2 3 4 5 6 |
R1#show ipv6 mroute (2A00:6020:AD0B:83C1:E37:DC1D:6FB8:B0DC, FF05::2311), 00:00:09/00:03:20, flags: SP Incoming interface: FastEthernet0/1 RPF nbr: FE80::21A:6CFF:FEA1:2B98 Outgoing interface list: Null |
Client 3 listens to the stream:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
R1#show ipv6 mroute (*, FF05::2311), 00:00:37/never, RP 2A00:6020:AD0B:8399::1, flags: SCJ Incoming interface: Tunnel1 RPF nbr: 2A00:6020:AD0B:8399::1 Immediate Outgoing interface list: FastEthernet0/0, Forward, 00:00:37/never (2A00:6020:AD0B:83C1:E37:DC1D:6FB8:B0DC, FF05::2311), 00:03:14/00:03:01, flags: SJT Incoming interface: FastEthernet0/1 RPF nbr: FE80::21A:6CFF:FEA1:2B98 Inherited Outgoing interface list: FastEthernet0/0, Forward, 00:00:37/never |
Stream not present anymore, client 3 requesting it nevertheless:
|
1 2 3 4 5 6 7 |
R1#show ipv6 mroute (*, FF05::2311), 00:00:02/never, RP 2A00:6020:AD0B:8399::1, flags: SCJ Incoming interface: Tunnel1 RPF nbr: 2A00:6020:AD0B:8399::1 Immediate Outgoing interface list: FastEthernet0/0, Forward, 00:00:02/never |
For the sake of completeness, here are the configuration commands related to IP routing and multicast for both routers:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 |
############ R1 ############ ip cef ip multicast-routing ipv6 unicast-routing ipv6 cef ipv6 multicast-routing ! interface Loopback0 ip address 10.0.0.1 255.255.255.255 ipv6 address 2A00:6020:AD0B:8399::1/128 ! interface FastEthernet0/0 description Switch-gi1/0/39 ip address 192.168.3.99 255.255.255.0 ip pim sparse-mode ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 0331783E321E13567A053D170D175C3837 ipv6 address 2A00:6020:AD0B:8303::99/64 ipv6 ospf 6 area 0.0.0.0 ipv6 ospf authentication ipsec spi 305419896 sha1 7 0327785F572B711B6B51415C35472F5A557A0D050D646D074B5F335B59750C0D0A715A563C47090A06 bfd interval 999 min_rx 999 multiplier 3 ! interface FastEthernet0/1 description Switch-gi1/0/40 ip address 10.23.0.1 255.255.255.0 ip pim sparse-mode ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 1422313E38151831102417273816502230 ipv6 address 2A00:6020:AD0B:83C0::1/64 ipv6 ospf 6 area 0.0.0.0 bfd interval 999 min_rx 999 multiplier 3 ! router ospf 1 router-id 10.0.0.1 redistribute connected subnets network 10.23.0.0 0.0.0.255 area 0.0.0.0 network 192.168.3.0 0.0.0.255 area 0.0.0.0 bfd all-interfaces ! ip pim rp-address 10.0.0.1 ! ipv6 pim rp-address 2A00:6020:AD0B:8399::1 ipv6 router ospf 6 router-id 10.0.0.1 bfd all-interfaces redistribute connected ! ############ R2 ############ ip cef ip multicast-routing ipv6 unicast-routing ipv6 cef ipv6 multicast-routing ! interface Loopback0 ip address 10.0.0.2 255.255.255.255 ipv6 address 2A00:6020:AD0B:8399::2/128 ! interface FastEthernet0/0 description Switch-gi1/0/41 ip address 10.23.0.2 255.255.255.0 ip pim sparse-mode ip ospf authentication message-digest ip ospf message-digest-key 1 md5 7 133034273F1D36301F280C212F27443325 ipv6 address 2A00:6020:AD0B:83C0::2/64 ipv6 nd ra suppress all ipv6 ospf 6 area 0.0.0.0 bfd interval 999 min_rx 999 multiplier 3 ! interface FastEthernet0/1 description Switch-gi1/0/42 no ip address ! interface FastEthernet0/1.124 description R2-Netz1 encapsulation dot1Q 124 ip address 192.168.124.1 255.255.255.0 ip pim sparse-mode ipv6 address 2A00:6020:AD0B:83C1::1/64 ! interface FastEthernet0/1.125 description R2-Netz2 encapsulation dot1Q 125 ip address 192.168.125.1 255.255.255.0 ip pim sparse-mode ipv6 address 2A00:6020:AD0B:83C2::1/64 ! router ospf 1 router-id 10.0.0.2 redistribute connected subnets network 10.23.0.0 0.0.0.255 area 0.0.0.0 bfd all-interfaces ! ip pim rp-address 10.0.0.1 ! ipv6 pim rp-address 2A00:6020:AD0B:8399::1 ipv6 router ospf 6 router-id 10.0.0.2 bfd all-interfaces redistribute connected ! |
Soli Deo Gloria!