April 7th 18, 01:10 AM posted to alt.windows7.general
T
How do I chase down who is doing a multicast?

On 04/06/2018 04:42 PM, VanguardLH wrote:
T wrote:

5355


Based on that port number:

https://en.wikipedia.org/wiki/Link-L...ame_Resolution

which also has a hyperlink to:

https://technet.microsoft.com/library/bb878128

Seems that every host running the DNS client is going to use LLMNR. I
suspect if you disable LLMNR that sharing services could get impacted.

http://www.pciqsatalk.com/2016/03/di...r-netbios.html

Are you allowing rogue hosts to enter your intranet, like letting users
bring their own laptops into work to connect directly to the corporate
network instead of into a DMZ'ed subnet? LLMNR traffic is not routable
(because it is a local link protocol); that is, it cannot pass across
routers, so the problem is not with external hacking into your intranet.

https://tools.ietf.org/rfc/rfc4795.txt

So do you trust the hosts permitted to physically connect to the same
subnet within your intranet?


Good Lord Vanguard! I have been googling my ass over
all this for hours before asking for help. You hit it
out of the ball park. And gave me a way to figure the next
one out myself. Wow! Impressive!

Anyway, to answer your question, this network leg is their
general office and not a high security Point of Sale (POS)
leg. They are allowed to bring "certain" devices, with
permission, and run them on this leg. (They are
under threat of death of doing that on the POS legs.)

I did an arp scan and everyone is legit. Just the usual
suspects.

The multicast traffic on port 5355 is so
prodigious that my File Integrity Monitoring (FIM) software
server is crashing trying to log the tidal wave of notices
placed in the client's security logs.

Thank you!
-T
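
An added example, not part of either poster's message: one way to find which hosts generate the port 5355 traffic is to parse each LLMNR datagram (DNS wire format per RFC 4795) and count queries per source address and queried name. It assumes (source address, UDP payload) pairs exported from a capture of UDP port 5355; the function names, addresses and host names are hypothetical and the sample data is constructed.

```python
import struct
from collections import Counter

def parse_llmnr(payload):
    """Parse the header and first question of an LLMNR message (DNS wire format,
    RFC 4795). Returns (is_query, name, qtype), or None if malformed."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount < 1:
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        n = payload[pos]
        pos += 1
        if n == 0:
            break
        if n > 63 or pos + n > len(payload):  # pointer or overrun: reject
            return None
        labels.append(payload[pos:pos + n].decode("utf-8", "replace"))
        pos += n
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ((flags & 0x8000) == 0, ".".join(labels), qtype)

def top_talkers(packets):
    """Count LLMNR queries per (source address, queried name)."""
    counts = Counter()
    for src, payload in packets:
        parsed = parse_llmnr(payload)
        if parsed and parsed[0]:  # QR bit clear: a query, not a response
            counts[(src, parsed[1].lower())] += 1
    return counts

def build_query(name, qtype=1):
    """Build a constructed LLMNR query, used only for the sample data."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return (struct.pack("!6H", 0x1234, 0, 1, 0, 0, 0) + qname + b"\x00"
            + struct.pack("!HH", qtype, 1))

# Constructed sample: (source address, UDP payload); hosts and names are hypothetical.
SAMPLE = ([("192.0.2.10", build_query("printer01"))] * 5
          + [("192.0.2.10", build_query("PRINTER01", 28))] * 3
          + [("192.0.2.23", build_query("fileserver")),
             ("192.0.2.23", b"\x00\x01")])  # last entry is a truncated datagram

if __name__ == "__main__":
    for (src, name), n in top_talkers(SAMPLE).most_common():
        print(f"{n:5d}  {src:15s}  {name}")
```

A host that repeats the same name many times is usually looking for something that no longer resolves, such as a stale mapped drive or printer, which is the place to start on that machine.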

