What is the multicast doing on 224.0.0.251?

rubo77 · Sep 18, 2012

On my Debian server (squeeze) I get this message every few seconds:

Sep 18 21:28:14 myhost kernel: [7903784.720091] AIF:UNPRIV connect attempt: IN=eth0 OUT= MAC= SRC=my_serverip_eth0 DST=224.0.0.251 LEN=72 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=52

The packets are coming from inside my server (I replaced it with my_serverip_eth0) and seem to be blocked going out to the destination 224.0.0.251.

So some task inside my server is contacting 224.0.0.251 and this is blocked by my arnos_firewall.

How can I find out who or which task is trying to do that and if it is useful or not?

And if I don't need it, how can I suppress that message then?

Answer

Suman · Sep 18, 2012

Those look much like Bonjour / mDNS requests to me. Those packets use multicast IP address 224.0.0.251 and port 5353.

The most likely source for this is Apple iTunes, which comes pre-installed on Mac computers (and is a popular install on Windows machines as well). Apple iTunes uses it to discover other iTunes-compatible devices in the same WiFi network.

mDNS is also used (primarily by Apple's Mac and iOS devices) to discover mDNS-compatible devices such as printers on the same network.

If this is a Linux box instead, it's probably the Avahi daemon then. Avahi is ZeroConf/Bonjour compatible and installed by default, but if you don't use DNS-SD or mDNS, it can be disabled.
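
To identify which local process is emitting the mDNS packets seen in the firewall log, the following added example (not part of the original question or answer) reads `/proc/net/udp` and `/proc/net/udp6` for sockets bound to port 5353 and maps their inodes to owning processes. It assumes a Linux host and root privileges to inspect other users' processes; the function names and the sample table are constructed for illustration.

```python
import os

MDNS_PORT = 5353  # from the firewall log line: SPT=5353 DPT=5353

# Constructed sample in /proc/net/udp format (not taken from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  10: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000   105        0 4242 2 0000000000000000 0
  11: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4300 2 0000000000000000 0
"""

def udp_inodes_on_port(table_text, port=MDNS_PORT):
    """Return the socket inodes bound to `port` in a /proc/net/udp-style table."""
    inodes = set()
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)  # hex port after the address
        if local_port == port:
            inodes.add(fields[9])                     # 10th column is the socket inode
    return inodes

def owners_of(inodes, proc="/proc"):
    """Map pid -> command line for each process holding one of `inodes` open."""
    wanted = {"socket:[%s]" % i for i in inodes}
    found = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) in wanted:
                    with open(os.path.join(proc, pid, "cmdline")) as f:
                        found[int(pid)] = f.read().replace("\0", " ").strip()
                    break
        except OSError:                               # process exited, or not root
            continue
    return found

if __name__ == "__main__":
    inodes = set()
    for table in ("/proc/net/udp", "/proc/net/udp6"):
        try:
            with open(table) as f:
                inodes |= udp_inodes_on_port(f.read())
        except OSError:
            pass
    print(owners_of(inodes) or "no process holds UDP port %d" % MDNS_PORT)
```

If the reported owner is the Avahi daemon and nothing on the host relies on mDNS or DNS-SD, stopping that service removes the source of the logged packets.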