Zoom is a popular platform for video communications and team collaboration. As many other cloud services, network administrators need to supervise Zoom network traffic usage. DPI toolkits such as nDPI are useful for identifying Zoom traffic for supervising the network bandwidth used by your Zoom calls.
Recently we have took advantage of this research work to improve Zoom protocol dissection in order to
- Recognise Zoom video, audio, and screen sharing streams (previously they were classified just with a generic Zoom label).
- In addition to existing metrics such as bandwidth or latency, interpret correctly Zoom traffic hence to compute traffic quality metrics.
For this reason we have enhanced nDPI, ntopng and nProbe to report comprehensive Zoom traffic statistics and thus be able to better evaluate the traffic quality. Before we continue this discussion, let’s see how Zoom traffic looks like (you can use this Wireshark):
- TLS is used to communicate with the Zoom servers for connection setup, char, lifecycle and everything not related to multimedia data.
- Video, audio and screen sharing data is transported on UDP port 8081. Based on the Zoom session (e.g. you start with audio, then share the screen), the same UDP flow can carry audio, video and screen sharing. For a single call multiple UDP flows can be active from your system to the Zoom servers. Both audio and video sessions use a Zoom-proprietary header before encapsulating real data over RTP. The UDP stream can also carry encapsulated RTCP traffic, that on non-Zoom communications is usually reported on a separate UDP flow.
In ntopng you can now see the flow nature (e.g. audio, video, or screen sharing) and so account the amount of traffic for each flow type.
Below you can see flow details that displays the Zoom flow nature.
nProbe is now able to report communication quality. In addition to traditional network metrics (e.g. bytes and packets), it can report for audio and video streams
- Packet Loss (per direction)
- Pseudo MOS that can be used to determine the call quality: 3.6-4.0 acceptable quality, 4.0 and up desirable quality.
10/Dec/2022 20:37:32 [rtpPlugin.c:185] 192.168.1.178:59212 -> 220.127.116.11:8801 [src2dst][RTT: 18.50][Jitter: 13.97][# Packet Lost: 0.00 %][R-Factor: 91.79][Pseudo MOS: 4.38][Zoom: Zoom Video] 10/Dec/2022 20:37:32 [rtpPlugin.c:185] 18.104.22.168:8801 -> 192.168.1.178:59212 [dst2src][RTT: 20.32][Jitter: 27.73][# Packet Lost: 9.79 %][R-Factor: 66.58][Pseudo MOS: 3.43][Zoom: Zoom Video] 10/Dec/2022 20:37:32 [rtpPlugin.c:185] 192.168.1.178:58290 -> 22.214.171.124:8801 [src2dst][RTT: 40.56][Jitter: 6.35][# Packet Lost: 0.00 %][R-Factor: 91.62][Pseudo MOS: 4.38][Zoom: Zoom Audio]
The above trace is produced for instance using the command below that can be used with both live and pcap captures:
- nprobe –dont-reforge-timestamps -T “@NTOPNG@ @RTP@” -b 2 -i ~/pcap/zoom_video.pcapng | grep MOS
Thanks to these enhancements, you can now monitor in detail Zoom traffic and:
- Determine how much bandwidth is used by Zoom audio/video/screen calls.
- Perceived user call quality using standard metrics already used in VoIP calls.