Dear Professor Phil,
We have been very surprised to learn that one-third of all traffic on our university network is video. This was discovered by a consultant who was trying to uncover why there was a high level of broadcast traffic. We used some of the standard network management tools, but they didn’t seem to alert us to this fact. How is this possible?
—Sharma, New York, NY
Many network monitoring tools fail to recognize common video types. Unlike, VoIP traffic, which is characterized by usually having a RTP (Real Time Protocol) header, video comes in several formats. Also, sometimes the video is encrypted using SSL (Secure Sockets Layer). This hides the contents of the traffic from all but the most cleverly designed software tools.
Let’s consider a few examples. In videoconferencing, the accompanying video and audio are ordinarily carried in RTP packets. During call set-up, the better tools detect the UDP ports being used. Consequently, they will be able to recognize it as conference traffic even if the payload is encrypted. If the video is not encrypted, often the audio and video can be extracted and played back. This can be good for management but could cause potential threat if the traffic falls into the wrong hands.
Now, consider IPTV traffic, which is often used in hospitals and universities. This usually doesn’t use RTP. As a result, it may be misdiagnosed as data traffic. Since these streams can use a great deal of bandwidth, they can represent large quantities of undetected video.
Streaming video traffic, also known as adaptive video, is the type of video that is most often missed by monitoring software. For example, Microsoft Smooth Streaming (Silverlight), Adobe HDS (HTTP Dynamic Streaming), Apple HLS (HTTP Live Streaming) and DASH (Dynamic Adaptive streaming over HTTP) transmit the video as a series of short file transfers using HTTP. As a result, it is many times classified as web server traffic representing web page retrievals.
Finally, there is a growing presence of security camera traffic on enterprise networks. It often uses RTSP for control, but TCP on port 554 for delivery of the video. Those management tools looking for RTP aren’t smart enough to look inside the TCP payload where the RTP is encapsulated. This traffic is usually characterized as data file transfers such as system backups.
The network monitoring and testing vendors were caught off-guard by the rapid expansion of video types. Gradually, they are catching up. Until they do, we will need to do more intensive investigation when it’s important to monitor the levels of video on the network.
Phil Hippensteel, PhD, has spent more than forty years in higher education and now teaches at Penn State Harrisburg. Send your AV/IT questions to firstname.lastname@example.org.