Capturing WoW traffic with NetFlow
This is a question I get asked a lot: how can I tell if my employees are gaming during company hours? I’m going to explain how you can use NetFlow to determine whether there is World of Warcraft traffic on your network. With the game at over 12 million subscribers, I figured network administrators would find this information useful.
First and foremost, you need to know exactly what type of traffic you are looking for. Traffic could range anywhere from P2P to HTTP. Wikipedia, Google and the World of Warcraft website provide a great starting point.
Here comes the fun part. First, we are going to jump into our favorite NetFlow analyzer, Scrutinizer. Use the source/destination and host filter to find the interface and host whose traffic you want to review. Now let’s take a look at the grouped flows report. After reading Blizzard’s support site, I see that Blizzard lists a range of TCP ports used to play (1119, 3724, 6112, 6113, 6114, and 4000) and UDP port 3724 for in-game voice chat. In the grouped flows report below, you can see that port 3724 shows up, which is my World of Warcraft traffic.
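The same grouping can be reproduced outside the analyzer on exported flow records. The following is an added example, not code from the original post or from Scrutinizer; the CSV column names, the sample addresses and the `internal_prefix` parameter are assumptions, and the flow records are constructed.

```python
import csv
import io
from collections import defaultdict

# Ports taken from the post (Blizzard's support site): TCP for play, UDP 3724 for voice.
WOW_PORTS = {("tcp", p) for p in (1119, 3724, 6112, 6113, 6114, 4000)} | {("udp", 3724)}

# Constructed sample flow export (not real traffic); column names are assumptions.
SAMPLE_FLOWS = """src_ip,src_port,dst_ip,dst_port,proto,bytes
10.1.4.22,51514,198.51.100.7,3724,tcp,48210
198.51.100.7,3724,10.1.4.22,51514,tcp,913344
10.1.4.22,51600,198.51.100.9,3724,udp,20480
10.1.4.31,49822,203.0.113.5,443,tcp,120033
10.1.4.40,50110,198.51.100.7,1119,tcp,3120
10.1.4.31,3724,203.0.113.80,80,tcp,900
"""

def group_wow_flows(flow_csv, internal_prefix="10."):
    """Return {(internal_host, proto, port): total_bytes} for flows on WoW ports.

    NetFlow records are unidirectional, so the service port is checked on the
    remote side of each flow: dst_port for outbound, src_port for the replies.
    """
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        proto = row["proto"].lower()
        src_internal = row["src_ip"].startswith(internal_prefix)
        dst_internal = row["dst_ip"].startswith(internal_prefix)
        if src_internal and not dst_internal:
            host, port = row["src_ip"], int(row["dst_port"])
        elif dst_internal and not src_internal:
            host, port = row["dst_ip"], int(row["src_port"])
        else:
            continue  # internal-to-internal or transit flow: out of scope here
        if (proto, port) in WOW_PORTS:
            totals[(host, proto, port)] += int(row["bytes"])
    return dict(totals)

if __name__ == "__main__":
    for (host, proto, port), nbytes in sorted(group_wow_flows(SAMPLE_FLOWS).items()):
        print(f"{host:<12} {proto}/{port:<5} {nbytes:>8} bytes")
```

A port match is an indicator rather than proof, since other applications can use the same port numbers; the last sample row shows why the client's own ephemeral port is ignored.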
So, I hope everyone who reads this blog walks away knowing that, with the right filters, you can gain new insight into exactly what is going on in the network you administer.