Detecting Netflix Traffic On Your Network

Detecting Netflix Traffic On Your NetworkNetflix is a provider of on demand internet streaming media and is available to users in the majority of locations all over the world. The service is becoming increasingly popular and by the end of last year had a total of 57.4 million subscribers. In parallel with this growth, we have seen a corresponding increase in the number of people questioning the impact that Netflix traffic is having on their network.

Watching Netflix can use around 1 GB of data per hour for each stream when viewing in standard definition and up to 3 GB per hour for each stream in high definition. The ‘Internet is slow today’ could easily be as a result of a single user streaming Netflix.

There are a couple of ways you can check for Netflix traffic on your network after installing LANGuardian. The easiest way to do this is to click on, reports, top website domains and simply type in Netflix into the appropriate field.

Detecting Netflix Traffic On Your Network

Example below from our demo system shows Skype appearing on the network. It is the same idea for Netflix, simply type in the website name and click on view. You can also drill-down from here to find the associated username and IP addresses.

Detecting Netflix Traffic On Your Network

An alternative way is to look at the IDS rule set in LANGuardian. The IDS in LANGuardian contains two signatures to detect Netflix on your network and they can be found under sid: 2007638 and 2013498 which are included below:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”POLICY Netflix On-demand User-Agent”; flow:to_server,established; content:”|0d 0a|User-Agent|3a| WmpHostInternetConnection”; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”POLICY Netflix Streaming Player Access”; flow:to_server,established; uricontent:”/WiPlayer?movieid=”; content:”|0d 0a|Host|3a| movies.netflix.com|0d 0a|”; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:2;)

You could also create a custom report which would allow you to search for specific IDS events like Netflix by following the guide here on the forum.

Thanks to NetFort for the article.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: