Monitor IGMP Join/Leave Frequency

Overview:

Our customer is an ISP and mobile carrier that provides access to millions of subscribers to online or internal services. Their reach spans several countries in Southeast Asia.

The Problem:

  • Our customer has issues with inconsistent content delivery to their subscribers, especially for high-bandwidth applications such as IPTV, cloud applications, and online gaming. They need a solution that can monitor their environment (PON G/XG), send alerts, quickly identify the source of an incident with 24/7 availability, and record all traffic information beyond just the header.

The Solution:

  • With PureInsight, our customer was able to monitor areas of interest such as IGMP join/leave frequency, successful join, alerts based on DNS queries/responses, and DHCPv4/v6 discovers/requests. In addition, they can visualize their network traffic and quickly distinguish between broadcast, multicast, or unicast traffic.

Workflow:

1. Alerts

  • Go to Alerts and set the igmp.record_type == 3 and igmp.record_type == 2 filters. (Capture the network traffic with the QP series.)

  • Alerts count the number of packets matching the filter at a specific point in time. In this case, an IGMP spike could be a leave spike, which means a particular service dropped and the router or switch was affected.

2. Check the Timeline Alert Graphs

  • Click the plus button to add and remove filters.

3. Check the Timestamp on the Spike

  • If you zoom in, you will see that there is also network data at the bottom of the graph.

4. Flow Analysis

  • If you zoom in on the spike, you can see the peak of the spike.

5. Download a PCAP File

  • Hover over the top portion of the spike and check the time stamp.

  • Perform a search by date and time before and after the timestamp observed in the alert.

  • Interactive Search can be used to categorize captured traffic data based on IP addresses, port numbers, protocols, and regular expressions. You can visualize the network traffic as a Nodal Graph with details of each node displayed.

7. Flow Analysis

  • Flow Analysis is used to create network streams from the PCAP files. Streams are plotted based on 5-tuple information, which contains source/destination IP, source/destination port, and timestamp extracted from each packet. The streams are plotted as the number of packets (y-axis) vs. time (x-axis).

  • Load the files extracted by Interactive Search. Use the lasso tool to highlight the particular flows you want to examine.
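The two analysis steps above, the step 1 alert (count IGMP group records of type 2 or 3 per time window and flag a spike) and the step 7 flow view (packets per window keyed by the 5-tuple), reproduced offline as an added example. This is not PureInsight code and uses none of its APIs; it reads a standard pcap file, and the capture it parses is constructed in memory (a steady trickle of IGMPv3 reports, a one-second burst of CHANGE_TO_INCLUDE records, and a small UDP flow). The record-type meanings follow RFC 3376; the threshold of 5 is an assumed value for the demonstration.

```python
"""Offline IGMP join/leave spike alert and 5-tuple flow view over a pcap.
Added example: the capture below is constructed, not a real customer trace."""
import struct
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import IPv4Address

IGMP_V3_REPORT = 0x22   # IGMPv3 Membership Report (RFC 3376). Group record types:
                        # 1 MODE_IS_INCLUDE, 2 MODE_IS_EXCLUDE, 3 CHANGE_TO_INCLUDE_MODE,
                        # 4 CHANGE_TO_EXCLUDE_MODE, 5 ALLOW_NEW_SOURCES, 6 BLOCK_OLD_SOURCES

@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    igmp_records: list = field(default_factory=list)   # group record types seen

# --- constructed sample capture -------------------------------------------
def _ipv4(payload, src, dst, proto):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + hdr + payload     # Ethernet + IPv4

def _igmpv3_report(src, group, record_type):
    # one group record; checksums are left zero because they are not verified here
    record = struct.pack("!BBH4s", record_type, 0, 0, IPv4Address(group).packed)
    body = struct.pack("!BBHHH", IGMP_V3_REPORT, 0, 0, 0, 1) + record
    return _ipv4(body, src, "224.0.0.22", 2)

def _udp(src, sport, dst, dport):
    return _ipv4(struct.pack("!HHHH", sport, dport, 8, 0), src, dst, 17)

def build_sample_pcap():
    frames = [(100.0, _igmpv3_report("10.0.0.5", "239.1.1.1", 2)),
              (100.4, _igmpv3_report("10.0.0.6", "239.1.1.1", 2))]
    # burst of leaves (CHANGE_TO_INCLUDE, no sources) inside one second
    frames += [(101.0 + i / 20, _igmpv3_report(f"10.0.0.{10 + i}", "239.1.1.1", 3))
               for i in range(10)]
    frames += [(102.1, _igmpv3_report("10.0.0.7", "239.1.1.1", 3)),
               (102.2, _igmpv3_report("10.0.0.8", "239.1.1.1", 1))]  # not in filter
    frames += [(100.2, _udp("10.0.0.5", 40000, "10.0.1.9", 53)),
               (101.3, _udp("10.0.0.5", 40000, "10.0.1.9", 53)),
               (101.6, _udp("10.0.0.5", 40000, "10.0.1.9", 53)),
               (102.0, _udp("10.0.1.9", 53, "10.0.0.5", 40000))]
    frames.sort(key=lambda f: f[0])
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap header
    for ts, frame in frames:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1e6))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# --- pcap parsing ------------------------------------------------------------
def parse_frame(ts, frame):
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    pkt = Packet(ts, str(IPv4Address(frame[26:30])), str(IPv4Address(frame[30:34])), proto)
    payload = frame[14 + ihl:]
    if proto == 2 and payload and payload[0] == IGMP_V3_REPORT:
        (n_records,) = struct.unpack_from("!H", payload, 6)
        off = 8
        for _ in range(n_records):
            rtype, aux_len, n_src = struct.unpack_from("!BBH", payload, off)
            pkt.igmp_records.append(rtype)
            off += 8 + 4 * n_src + 4 * aux_len
    elif proto in (6, 17) and len(payload) >= 4:
        pkt.sport, pkt.dport = struct.unpack_from("!HH", payload, 0)
    return pkt

def parse_pcap(data):
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet frames")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = parse_frame(sec + usec / 1e6, data[off:off + incl])
        off += incl
        if pkt:
            packets.append(pkt)
    return packets

# --- step 1: alert on record-type counts per window ---------------------------
def igmp_record_counts(packets, record_types=(2, 3), window=1.0):
    counts = defaultdict(int)
    for p in packets:
        hits = sum(1 for r in p.igmp_records if r in record_types)
        if hits:
            counts[int(p.ts // window) * window] += hits
    return dict(counts)

def find_spikes(counts, threshold):
    """Windows whose count reaches the threshold, i.e. where the alert fires."""
    return sorted(t for t, c in counts.items() if c >= threshold)

# --- step 7: packets per window for each stream ------------------------------
def flow_streams(packets, window=1.0):
    streams = defaultdict(lambda: defaultdict(int))
    for p in packets:
        streams[(p.src, p.dst, p.proto, p.sport, p.dport)][int(p.ts // window) * window] += 1
    return {k: dict(v) for k, v in streams.items()}

if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    counts = igmp_record_counts(pkts)
    for t in sorted(counts):
        print(f"t={t:.0f}s  IGMP records of type 2/3: {counts[t]}")
    print("alert windows:", find_spikes(counts, threshold=5))
    for key, series in flow_streams(pkts).items():
        if key[2] == 17:
            print("flow", key, dict(sorted(series.items())))
```

The one-second burst of type 3 records stands out against the baseline of one or two records per second, which is the shape of the "leave spike" described in step 1; the window that fires is the timestamp you would then search around in the PCAP, and the per-stream series is the data the flow view plots as packets against time.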

8. Download a PCAP File

  • The entire packet data can be downloaded in a PCAP format file for further investigation with third-party tools such as Wireshark.