So which one of the gods of Multicast would like to take a look at a short tcpdump and tell me if the multicast broadcast storm is a problem with the protocol, the Microsoft implementation, or just a really weird coincidence?
We run a fixed wireless network that for various reasons is bridged. Yes - it's a crappy design and we are working on changing it but that's not really the point. I have been trying to track down a broadcast storm that shows up on the network intermittently. I finally managed to capture the start of one tonight.
The process starts with a slightly mangled packet (intentional? - can't tell yet) with the 'multicast promiscuous bit' set. All of the customers with Microsoft routers (and one Belkin) then rewrite the mangled packet into a multicast packet, decrement the TTL, and forward it back out the interface it came in on. This process then repeats with each of the Microsoft routers responding to the packets from the other routers and sending them out again. With 4 of these routers it manages to generate 20,000+ packets before all of the TTLs drop to 0.
Needless to say this results in a little bit of a performance hit. I have blocked Multicast at several points on the network so the problem should be gone for now. The tcpdump file is at http://www.amplex.net/images/multicast.cap
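
An added example, not part of the original post: one way to spot the re-forwarding pattern described above in captured Ethernet frames, by grouping multicast datagrams on IP source, group address and payload and flagging any that show up from several source MACs at several TTL values. It assumes the re-forwarding routers leave the IP source and payload unchanged; the frames, addresses and helper names are constructed for illustration.

```python
import struct
from collections import defaultdict
from hashlib import sha256

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, ttl, payload) for an IPv4 Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    return frame[6:12], ip[12:16], ip[16:20], ip[8], ip[ihl:]

def find_reflections(frames, min_macs=2):
    """Report multicast datagrams re-sent by >= min_macs source MACs at more than one TTL."""
    groups = defaultdict(lambda: {"macs": set(), "ttls": set(), "count": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, src, dst, ttl, payload = parsed
        if not 224 <= dst[0] <= 239:          # keep only 224.0.0.0/4 destinations
            continue
        g = groups[(src, dst, sha256(payload).digest())]
        g["macs"].add(mac)
        g["ttls"].add(ttl)
        g["count"] += 1
    return {k: g for k, g in groups.items()
            if len(g["macs"]) >= min_macs and len(g["ttls"]) >= 2}

def make_frame(src_mac, ttl, payload, src_ip=b"\xc0\x00\x02\x0a", dst_ip=b"\xef\x01\x02\x03"):
    """Build a constructed Ethernet + IPv4 frame (checksum left at zero; not validated here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, 17, 0, src_ip, dst_ip)
    dst_mac = b"\x01\x00\x5e" + bytes([dst_ip[1] & 0x7F]) + dst_ip[2:4]
    return dst_mac + src_mac + b"\x08\x00" + ip + payload

# Constructed sample: three devices re-sending one datagram with falling TTL, plus a normal stream.
MAC_A, MAC_B, MAC_C = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b", b"\x02\x00\x00\x00\x00\x0c"
SAMPLE = [
    make_frame(MAC_A, 4, b"probe"), make_frame(MAC_B, 3, b"probe"),
    make_frame(MAC_C, 3, b"probe"), make_frame(MAC_B, 2, b"probe"),
    make_frame(MAC_A, 64, b"normal stream"), make_frame(MAC_A, 64, b"normal stream"),
]

if __name__ == "__main__":
    for (src, dst, _), g in find_reflections(SAMPLE).items():
        print(bytes(src).hex(), "->", bytes(dst).hex(), g["count"], "copies, TTLs", sorted(g["ttls"]))
```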