Multicast connections are an easy way to send data packets in IP networks to various receiving devices without having to address and supply each of these devices separately. The packet’s sender distributes this task to the various nodes of the subnets involved, thereby saving valuable resources. Real-time internet applications used by many users benefit especially from this form of multipoint connection created with the help of special multicast groups. The IGMP protocol, which is the basis for smooth IPv4 multicast communication between sender, router, and receiver, plays a major role in the organisation of these groups. In addition, multicast traffic can be filtered via IGMP messages to reduce the load on individual target networks. This is also known as IGMP snooping.


IGMP stands for “Internet Group Management Protocol” – the IPv4 protocol for managing multicast groups. The counterpart for IPv6 connections is the “Multicast Listener Discovery” (MLD) protocol.

What is IGMP snooping?

Multicast packets often pass through multiple stations on their way to the target hosts. Routers use the protocol-independent multicast (PIM) method to calculate the optimal route so they can forward the data stream as efficiently as possible. Network switches or multifunctional internet routers in private households, on the other hand, find it considerably more difficult to transmit multicast packets. This is because the usual attempt to sign the packets using the designated MAC address fails (it only works with unicast connections), so the devices forward the incoming packets to all available devices in the respective subnet for lack of alternatives.

This is where IGMP snooping (sometimes also known as “multicast snooping”) comes into play: this process lives up to its name and listens to all IGMP traffic exchanged between multicast routers and hosts. Switches or internet routers that have IGMP snooping enabled are therefore able to monitor the multicast activities of the individual network participants. Specifically, this means that the devices are notified when a host joins (“multicast query”) or leaves (“leave message” from IGMPv2 onwards) a multicast group. Based on this information, an entry for the network interface connected to the host can then be created or removed in the MAC address table.


IGMP-Snooping is specified in RFC 4541 where this request for comments (RFC) only has the status “informational.” This is because two organisations can be considered as responsible standardisation bodies for the technology – the IEEE (Institute of Electrical and Electronics Engineers), which standardises Ethernet switches, and the IETF (Internet Engineering Task Force), which is responsible for the IP multicasting standard, among other things.

Why and when is IGMP snooping worth it?

Multicast snooping helps switches and internet routers to efficiently deliver multicast data streams to the desired destination(s). How valuable this support is becomes clear when a filtering method of multipoint transmission is missing: the incoming multicast packets are then sent to all hosts of the network that the switch or internet router reaches. In larger networks, especially, this approach ensures unnecessarily high traffic, which can even lead to network congestion. Criminals can take advantage of this and flood individual hosts or the entire network with multicast packets to bring them down, just like a classic DoS/DDoS attack.

With IGMP snooping enabled, overload problems and attacks like these won’t be cause for concern. All network hosts only receive multicast traffic for which they have previously registered via group request. The use of this eavesdropping technology is therefore worthwhile wherever applications are used that require a great deal of bandwidth. Examples include IPTV and other streaming services as well as web conference solutions. Networks in which there are only a few subscribers and hardly any multicast traffic, however, do not benefit from the filter procedure. Even if the switch or router offers the multicast snooping feature, it should remain off in this case to prevent unnecessary eavesdropping.

Page top