From: Jamie French (J.Frenchwhitehats.ca)
Date: Thu Jan 03 2002 - 14:02:46 CST

    Usually you can identify them by looking at highport to highport comms
    via UDP that looks like a flood. Network gaming usually takes up a lot
    of bandwidth. From a Snort or signature perspective it's not that
    effective because you can assign your own port number usage for most
    games. You can look at resources such as IANA's port list or even game
    vendors' sites but the reality is they make it easier for knowledgeable
    server operators (The guy/gal who starts the game) to change this.

    I use Shadow and also occasional spot checks where I'll spark up a
    sniffer like TCPDump on a subnet and just watch the traffic (say at lunch
    time :-).

    Good luck in your game hunting. You might be better to ask your users
    via email what port to connect to at lunch time or what port the server
    is going to be on. I bet you'd get a few emails back and probably a
    bunch of doughnuts from your newfound friends.

    Cheers,
    Jamie French

    >>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

    On 2002-01-03, 15:39:11, Richard.CTR.Mickeytc.faa.gov wrote regarding
    how can I track networked games:

    > I would like to watch for networked games (such as Doom), but it seems
    > they use a multitude of options for connecting. I found clients that
    > connect via IPX, TCP, UDP and Server side Java applets just poking around
    > the Internet.

    > Any help with Snort rules or general strategies for monitoring these will
    > be appreciated.

    > Thanks in Advance.

    > Rich
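
The reply's heuristic (UDP between two high ports at flood-like rates, independent of any fixed port number) can be run over a sniffer capture. The following is an added example, not part of the original thread. It assumes the text format of a current `tcpdump -n -tt udp`; the thresholds, the 1024 "high port" cutoff, and all addresses and ports in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# One line of `tcpdump -n -tt udp` output, e.g.
# 1010088166.100000 IP 10.1.2.3.27005 > 10.1.9.9.27015: UDP, length 48
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length \d+"
)
HIGH_PORT = 1024    # assumption: "high port" means unprivileged (>= 1024)
MIN_PPS = 10.0      # assumption: sustained packets/second treated as flood-like
MIN_PACKETS = 20    # ignore short bursts

def find_game_like_flows(lines, min_pps=MIN_PPS, min_packets=MIN_PACKETS):
    """Return [(endpoint_a, endpoint_b, packets, pps)] for chatty high-port UDP pairs."""
    flows = defaultdict(lambda: {"n": 0, "first": None, "last": None})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if sport < HIGH_PORT or dport < HIGH_PORT:
            continue  # DNS, NTP and similar have a low port on one side
        # Direction-independent key so requests and replies count as one flow.
        key = tuple(sorted([(m["src"], sport), (m["dst"], dport)]))
        f, ts = flows[key], float(m["ts"])
        f["n"] += 1
        f["first"] = ts if f["first"] is None else f["first"]
        f["last"] = ts
    hits = []
    for (a, b), f in flows.items():
        duration = max(f["last"] - f["first"], 1.0)  # floor avoids tiny divisors
        pps = f["n"] / duration
        if f["n"] >= min_packets and pps >= min_pps:
            hits.append((a, b, f["n"], round(pps, 1)))
    return sorted(hits, key=lambda h: -h[3])

def constructed_sample():
    """Constructed capture: one chatty high-port pair, one DNS query, one sparse flow."""
    t0, out = 1010088166.0, []
    a, b = "10.1.2.3.27005", "10.1.9.9.27015"
    for i in range(60):  # 60 packets in about 3 seconds, alternating direction
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        out.append(f"{t0 + i * 0.05:.6f} IP {src} > {dst}: UDP, length 48")
    out.append(f"{t0 + 0.5:.6f} IP 10.1.2.4.3312 > 10.1.0.53.53: UDP, length 40")
    for i in range(5):   # high-port pair, but only one packet every 10 seconds
        out.append(f"{t0 + i * 10:.6f} IP 10.1.2.5.4000 > 10.1.2.6.5000: UDP, length 20")
    return out
```

Flagged pairs are candidates for a manual look, since other high-port UDP applications (streaming media, VoIP) produce the same pattern.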