Tuesday, May 27, 2008

Homework Interferes with World of Warcraft!

No, no, kids... put those schoolbooks away. Right now! I mean it! <... putting on my best Mom-is-in-charge-here look, crossing my arms and tapping my foot impatiently...> The looks on their faces question my sanity... nothing new.


Cheers all around! Papers and books are shoved into backpacks at a frenzied pace. The bags are tossed unceremoniously into the corner of the room - making way for a much more important project - capturing network traffic! Ok, ok... my kids sound a bit strange... but this is a project they've waited for. The day had finally arrived.

In preparation for TechEd 2008, I wanted to pull together new trace files for...

MMORPGPCA (Massive Multiplayer Online Role-Playing Game Packet Capture and Analysis!)

Most of the games were pre-installed on the lab systems. All I needed were players... hmm... now where would I find fanatical players who would generate the much-needed traffic showing character creation, acquisition of quests, travel through surreal worlds to slash nightstalkers, destroy or tame ravagers, duel with other loyal Alliance members, pwn noobs, kill the dreaded Horde and obtain mystical skills to use in a constant quest to level up?

Yes! This must be why I had kids!
[In the olden days of IPX-based game analysis, I gathered a group of 'professional game players' in my garage and found the experience very frustrating... these folks didn't take direction well - my trace files were a mess of processes that took me hours to sort out - not to mention the bankroll I blew on candy bars and the unique aroma that made me seriously regret I'd removed the automatic garage door system and didn't install a window for ventilation!]

On today's plate:

- World of Warcraft
- GuildWars
- Team Fortress
- AdventureQuest

My goal - identify the transport methods, static ports (if any), related DNS queries, bandwidth usage and any game signatures. How could a network analyst detect this traffic and, if desired, how could an IT professional block it?

This family-based lab exercise (which lasted well past bedtime to the delight of my kids) yielded almost 100 trace files showing all aspects of game play - information I'll show next month at TechEd (Session SEC356: Analyzing Questionable Traffic) and include in the hands-on labs in my preconference seminar at HP TechForum - both taking place.

"Family Night" has evolved!