Strange Traffic Patterns on MPLS Network

[Curiosityx]

Greetings, we implemented an MPLS network for a customer several months ago for 6 sites, ever since the implementation i have noticed increased usage on all the circuits.

Ive fired up Nbar on one of the CPE routers and noticed that "Winmx" traffic on TCP Port 6699 was being flagged, ok so naturally i thought it could be P2P.

I applied an access list on the LAN facing interface blocking TCP Port 6699 both inbound and outbound but it doesnt match any traffic.

Ive checked the Nbar port-map which is set correctly to TCP Port 6699, could it be the case that P2P traffic is being tunneled using HTTP or is there something else a miss?

Regards

 

[Curiosityx]

Cheers for the reply, indeed i have tried applying a class map to one of the interfaces which does successfully match winmx traffic although all im doing at present is marking it marked down to dscp 0 rather than dropping it at present.

The source addresses appear to be comming from the majority of the machines across all sites which makes me a little concerned as it could be a valid applications using the above either as a source or destination port.

Ill try the two ranges below first and see if i get any matches against them, the other option i havent yet tried is using the Winmx PDLM's from Cisco.com