I was visiting one of the largest football stadiums in Europe a few weeks back. The network manager gave me a very interesting tour, which focused on the IT infrastructure. Systems such as security cameras, crowd control monitoring, public announcement systems and the large screens around the arena are all now connected to a shared computer network. This gives greater flexibility when deploying these systems as you don't need to run separate cables. However, it does create challenges for the IT manager as this data is now carried on their network.
This type of network traffic is not limited to places like arenas with lots of TV screens. While reviewing traffic rates on a university network recently, I found that over 75% of all traffic was associated with IP-based security cameras. They had a flat network with a single VLAN so it was becoming a big problem.
If you want to check for this activity on your network, you should be familiar with layers 2 and 3 of the OSI model. Over on the EtherGeek blog, Josh Stephens has some useful information on understanding layer 2 of the OSI model and understanding layer 3 of the OSI model.
In most cases, systems which generate audio or video outputs will stream this data onto a network using one of these methods:
- Multicast traffic. IP multicast is typically used for sending IP datagrams to a group of interested receivers in a single transmission.
- User Datagram Protocol (UDP) traffic with specific source and destination IP addresses.
I would also suggest that you check for this activity on your network. You can either do a periodic audit or have a system in place that constantly checks your network. There are two things to watch out for:
- Monitor traffic as it goes through the core of your network. You are looking for UDP activity. Normally applications which use TCP are the most active. If you find lots of UDP traffic, look at the source and destination IP addresses. If these are associated with media streaming then it could be time to consider moving this to a separate VLAN.
- Check for multicast activity. If your traffic analysis system allows you to use filters, check for activity associated with the 224.0.0.0/4 network. This block of IP addresses has been reserved for multicast. If you also use IPv6, then you should also check for activity associated with the ff00::/8 prefix.
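
Both checks can be run over a flow export in one pass. The script below is an added example, not something from the original post: the CSV column layout, the sample flows and the 50% UDP threshold are all constructed assumptions, so adjust them to match whatever your traffic analysis system exports.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample flow export (src, dst, proto, bytes); not real traffic.
SAMPLE_FLOWS = """\
src,dst,proto,bytes
10.1.20.11,10.1.5.50,udp,4200000
10.1.20.12,10.1.5.50,udp,3900000
10.1.30.7,239.1.1.10,udp,2500000
10.1.40.21,10.1.1.5,tcp,1800000
10.1.40.22,198.51.100.34,tcp,600000
fd00::20,ff05::1:3,udp,1000000
"""


def audit_flows(flow_csv, udp_threshold=0.5):
    """Summarise UDP and multicast byte share from a flow export.

    udp_threshold is an assumed cut-off for flagging a VLAN review.
    """
    total = udp = mcast = 0
    udp_pairs = Counter()
    mcast_groups = Counter()
    for row in csv.DictReader(io.StringIO(flow_csv)):
        size = int(row["bytes"])
        total += size
        dst = ipaddress.ip_address(row["dst"])
        # is_multicast covers 224.0.0.0/4 for IPv4 and ff00::/8 for IPv6.
        if dst.is_multicast:
            mcast += size
            mcast_groups[str(dst)] += size
        if row["proto"].lower() == "udp":
            udp += size
            udp_pairs[(row["src"], row["dst"])] += size
    udp_share = udp / total if total else 0.0
    return {
        "udp_share": udp_share,
        "multicast_share": mcast / total if total else 0.0,
        "top_udp_pairs": udp_pairs.most_common(3),
        "multicast_groups": sorted(mcast_groups),
        "review_vlan": udp_share > udp_threshold,
    }


if __name__ == "__main__":
    for key, value in audit_flows(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

The top UDP source and destination pairs are the ones to compare against your list of cameras, encoders and display controllers before deciding what moves to a separate VLAN.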