Detecting Netflix Traffic On Your Network
Netflix is a provider of on-demand internet streaming media and is available to users in the majority of locations all over the world. The service is becoming increasingly popular and by the end of last year had a total of 57.4 million subscribers. In parallel with this growth, we have seen a corresponding increase in the number of people questioning the impact that Netflix traffic is having on their network.
Watching Netflix can use around 1 GB of data per hour for each stream when viewing in standard definition and up to 3 GB per hour when streaming content in high definition. A complaint that the ‘Internet is slow today’ could easily be the result of a single user streaming Netflix.
There are a couple of ways you can check for Netflix traffic on your network after installing LANGuardian. The easiest is to click on Reports, then Top Website Domains, and type Netflix into the appropriate field.
The example below from our demo system shows Skype appearing on the network. The idea is the same for Netflix: type in the website name and click on View. You can also drill down from here to find the associated username and IP addresses.
An alternative way is to look at the IDS rule set in LANGuardian. The IDS in LANGuardian contains two signatures that detect Netflix on your network. They can be found under SIDs 2007638 and 2013498 and are included below:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Netflix On-demand User-Agent"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| WmpHostInternetConnection"; nocase; reference:url,doc.emergingthreats.net/2007638; classtype:policy-violation; sid:2007638; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Netflix Streaming Player Access"; flow:to_server,established; uricontent:"/WiPlayer?movieid="; content:"|0d 0a|Host|3a| movies.netflix.com|0d 0a|"; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:2;)
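To see what the two signatures above actually match, here is an added example (not LANGuardian's or the rule authors' code) that approximates their content checks in Python and runs them over constructed HTTP requests. The function names and sample requests are assumptions made for illustration, and Snort's URI normalization is not reproduced.

```python
# Added example: approximates the content checks of SIDs 2007638 and 2013498.
# Input is assumed to be the raw bytes of one client-to-server HTTP request
# (the rules use flow:to_server,established). All names and sample requests
# below are constructed for illustration.

UA_MATCH = b"\r\nuser-agent: wmphostinternetconnection"  # 2007638, nocase
HOST_MATCH = b"\r\nhost: movies.netflix.com\r\n"         # 2013498, nocase
URI_MATCH = b"/WiPlayer?movieid="                        # 2013498 uricontent


def request_uri(raw):
    """Return the URI from the request line, or b'' if it is malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def match_sids(raw):
    """Return the list of SIDs whose checks match this request."""
    lowered = raw.lower()  # nocase applies to the two content matches
    hits = []
    if UA_MATCH in lowered:
        hits.append(2007638)
    # 2013498 needs both the player URI and the Host header to match.
    if URI_MATCH in request_uri(raw) and HOST_MATCH in lowered:
        hits.append(2013498)
    return hits


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "wmp_agent": b"GET /stream HTTP/1.1\r\nHost: cdn.example.test\r\n"
                 b"User-Agent: WmpHostInternetConnection\r\n\r\n",
    "player": b"GET /WiPlayer?movieid=12345 HTTP/1.1\r\n"
              b"host: Movies.Netflix.com\r\nUser-Agent: ExampleBrowser/1.0\r\n\r\n",
    "other_host": b"GET /WiPlayer?movieid=12345 HTTP/1.1\r\n"
                  b"Host: www.example.test\r\nUser-Agent: ExampleBrowser/1.0\r\n\r\n",
}


def scan(samples):
    """Map each sample name to the SIDs it triggers."""
    return {name: match_sids(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, sids in scan(SAMPLES).items():
        print(name, sids)
```

Both checks read cleartext HTTP headers, so they only see unencrypted requests on the ports listed in $HTTP_PORTS.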
You could also create a custom report which would allow you to search for specific IDS events like Netflix by following the guide here on the forum.