On Fri, Jan 30, 2009 at 11:07:03PM +1100, Steve Laurie wrote:
> Hi all,
>
> I noticed something I can't explain or find any explanation for
> anywhere.
>
> I have one machine setup as a NTP server and another setup as couple of
> others setup as NTP clients.
>
> I ran tcpdump on the server listening for packets from 224.0.1.1 to know
> when it's transmitting, on the default router machine that's running pf as
> well
> as on the client.
>
> The server of course showed the packets and so did the gateway machine
> but tcpdump on the client wouldn't detect the packets unless the ntp
> daemon was actually running.
>
> Shouldn't tcpdump have picked up the packets off the wire regardless of
> whether the ntp daemon was running or not? The packets are still being
> broadcast and the daemon can't stop that. I'd have thought tcpdump would
> have detected the packets lower down the stack before they even got to
> the daemon.
Multicast packets get filtered pretty low (in some cases even by the
hardware) if no program registered. See ip(4), IP_ADD_MEMBERSHIP part.
-Otto
