This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Monitoring Zoom Traffic with NetFlow Traffic Analyzer (NTA)

With remote workers becoming more and more common, collaboration software is being leveraged by more organizations.  Monitoring Zoom traffic in your network can offer some insights into collaboration usage trends over time.

This the third article in our series describing how to craft custom applications in NTA.

Next Generation Network-Based Application Recognition Protocol (NBAR2)

If your networking infrastructure supports the NBAR2 protocol and you are running Protocol Pack 41.0.0 or later, then you are already seeing Zoom as its own application family.  It will appear (after being detected) as “zoom-meetings.”

If your network infrastructure doesn’t support NBAR2, you can still get the classification for Zoom communications.

Custom Application Build

A custom application to monitor Zoom requires two parts.  The first part is building a custom IP Group with the target addresses of the application.  Thankfully, Zoom is good about publishing the IP information.

Build the IP Group

From the NetFlow settings page, scroll down to IP Address Groups.

KMSigma_0-1584637448436.png

Build a new group and add the addresses.

KMSigma_1-1584637448460.png

These are rarely small lists, so we’ve expedited the process by providing a file you can import.

KMSigma_2-1584637448467.png

If you choose to import it, be sure to “append” to the existing list of IPs.

Build the Multi-Port Application

The last step for building the custom application is configuring the ports for traffic matching.  From the NetFlow settings page, select “Application and Service Ports.”

Click “Add Application” and give it a name, enter “80, 443, 3478-3479, 8801-8810” in the port list, and select Zoom in the Destination IP Address.

KMSigma_3-1584637448476.png

Submit all your changes.

Now the new custom application will show up in your Flow Navigator.

 
Parents
  • This is very helpful. I tried the above but unfortunately i am not able to see the zoom traffic in NTA. Not sure what i am doing wrong. I added via the custom application as described. I see other traffic but Zoom meetings I know users had did not register. Any thoughts? 

    Showing data not available when filtering the custom app.

  • There's a chance that Zoom changes the IP list or port numbers from when this article was originally published.  That's why we have links off to the Zoom configuration page so people can update as needed.

Reply Children