On Fri, Jan 30, 2009 at 11:07:03PM +1100, Steve Laurie wrote:
> Hi all,
>
> I noticed something I can't explain or find any explanation for
> anywhere.
>
> I have one machine setup as a NTP server and another setup as couple of
> others setup as NTP clients.
>
> I ran tcpdump on the server listening for packets from 224.0.1.1 to know
> when it's transmitting, on the default router machine that's running pf as
> well as on the client.
>
> The server of course showed the packets and so did the gateway machine
> but tcpdump on the client wouldn't detect the packets unless the ntp
> daemon was actually running.
>
> Shouldn't tcpdump have picked up the packets off the wire regardless of
> whether the ntp daemon was running or not? The packets are still being
> broadcast and the daemon can't stop that. I'd have thought tcpdump would
> have detected the packets lower down the stack before they even got to
> the daemon.

Multicast packets get filtered pretty low (in some cases even by the
hardware) if no program registered. See ip(4), IP_ADD_MEMBERSHIP part.

	-Otto