Capturing WoW traffic with NetFlow

World of Warcraft

 

This is a question I get asked a lot. How can I tell if my employees are gaming during company hours?  I’m going to explain how you can use NetFlow to determine if there is World of Warcraft traffic on your network. With over 12 million subscribers I figured network administrators would find this information useful.

First and foremost, you need to know exactly what type of traffic you are looking for. Traffic could range anywhere from P2P to HTTP. Wikipedia, Google and the World of Warcraft website provide a great starting point.

Here comes the fun part. First, we are going to jump into our favorite NetFlow analyzer, Scrutinizer. Find the interface and host that you want to review the traffic for with the source/destination and host filter. Now let’s take a look at the grouped flows report. After reading Blizzard’s support site, I see that Blizzard lists a range of TCP ports used to play  (1119, 3724, 6112, 6113, 6114, and 4000) and UDP port 3724 for in game voice chat.  In the grouped flows report below, you can see that port 3724 shows up, which is my World of Warcraft traffic.

 

World of Warcraft Traffic

So, I hope everyone that reads this blog walks away with the knowledge that with the right filters you can have a new insight to what exactly is going on in the network you administrate.

Jake Bergeron author pic

Jake

Jake Bergeron is currently one of Plixer's Sr. Solutions Engineers - He is currently responsible for providing customers with onsite training and configurations to make sure that Scrutinizer is setup to their need. Previously he was responsible for teaching Plixer's Advanced NetFlow Training / Malware Response Training. When he's not learning more about NetFlow and Malware detection he also enjoys Fishing and Hiking.

Related

Big Data

Sankey Flow Graph

One of the greatest benefits of NetFlow collection for traffic analysis, is we’re provided with the ability to visualize the…

Leave a Reply