author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-05-29 18:31:10 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-29 18:31:10 +0200 |
commit | 81e42b748e46666158596cc22224b0ec11d85be0 (patch) | |
tree | 8deb2ebecddd9556607dbee28c5de51d0c4c74c7 | |
parent | 6127e04900d14682f524cca5b5720b2fb9f0e283 (diff) |
RTP: fix detection over TCP (#2462)
RFC4571 is not the only way to wrap RTP messages in TCP streams.
For example, when RTP is encapsulated in TURN flows (i.e. carried in the DATA
attribute), there is no additional framing.
See also 6127e0490
-rw-r--r-- | src/include/ndpi_private.h | 3 | ||||
-rw-r--r-- | src/lib/protocols/line.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 15 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 2 | ||||
-rw-r--r-- | tests/cfgs/default/pcap/stun_dtls_rtp.pcapng | bin | 10120 -> 30096 bytes | |||
-rw-r--r-- | tests/cfgs/default/result/stun_dtls_rtp.pcapng.out | 16 | ||||
-rw-r--r-- | tests/cfgs/stun_extra_dissection/config.txt | 2 | ||||
l--------- | tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng | 1 | ||||
-rw-r--r-- | tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out | 34 |
9 files changed, 54 insertions, 21 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 4ecb7c1b8..341d01900 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -648,7 +648,8 @@ const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct,
 /* RTP */
 int is_valid_rtp_payload_type(uint8_t type);
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *seq);
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
+ const u_int8_t *payload, u_int16_t payload_len, u_int16_t *seq);
 u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type);
 /* Bittorrent */
diff --git a/src/lib/protocols/line.c b/src/lib/protocols/line.c
index da28e613b..933693ed9 100644
--- a/src/lib/protocols/line.c
+++ b/src/lib/protocols/line.c
@@ -83,7 +83,7 @@ static void ndpi_search_line(struct ndpi_detection_module_struct *ndpi_struct,
 /* It might be a RTP/RTCP packet. Ignore it and keep looking for the LINE packet numbers */
 /* Basic RTP detection */
- rc = is_rtp_or_rtcp(ndpi_struct, NULL);
+ rc = is_rtp_or_rtcp(ndpi_struct, packet->payload, packet->payload_packet_len, NULL);
 if(rc == IS_RTCP || rc == IS_RTP) {
 if(flow->packet_counter < 10) {
 NDPI_LOG_DBG(ndpi_struct, "Probably RTP; keep looking for LINE\n");
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index b543e8b99..d8c09be3a 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
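Review bot: The new is_rtp_or_rtcp() prototype in ndpi_private.h carries no comment stating the contract this commit introduces: the caller is now responsible for stripping any transport framing (the RFC4571 length prefix is skipped in ndpi_rtp_search, no longer inside the function) and `seq` is optional, since both line.c and stun.c pass NULL. I would put a short comment above the declaration, e.g. `/* Classify payload (any TCP framing already stripped by the caller) as RTP, RTCP or neither; payload_len must be the exact length of payload; seq may be NULL. */`. Stating that payload_len is the bound the function trusts matters because every caller now computes it itself; the function's own `payload_len < 2` check is visible in the rtp.c hunk but the rest of its body is outside this diff.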
@@ -83,23 +83,16 @@ static int is_valid_rtcp_payload_type(uint8_t type) {
 return (type >= 192 && type <= 213);
 }
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *seq)
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
+ const u_int8_t *payload, u_int16_t payload_len, u_int16_t *seq)
 {
- struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 u_int8_t csrc_count, ext_header;
 u_int16_t ext_len;
 u_int32_t min_len;
- const u_int8_t *payload = packet->payload;
- u_int16_t payload_len = packet->payload_packet_len;
 if(payload_len < 2)
 return NO_RTP_RTCP;
- if(packet->tcp != NULL) {
- payload_len -= 2;
- payload += 2; /* Skip the length field */
- }
 if((payload[0] & 0xC0) != 0x80) { /* Version 2 */
 NDPI_LOG_DBG(ndpi_struct, "Not version 2\n");
 return NO_RTP_RTCP;
@@ -149,10 +142,12 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
 u_int8_t is_rtp;
 struct ndpi_packet_struct *packet = &ndpi_struct->packet;
 const u_int8_t *payload = packet->payload;
+ u_int16_t payload_len = packet->payload_packet_len;
 u_int16_t seq;
 if(packet->tcp != NULL) {
 payload += 2; /* Skip the length field */
+ payload_len -= 2;
 }
 NDPI_LOG_DBG(ndpi_struct, "search RTP (stage %d/%d)\n", flow->rtp_stage, flow->rtcp_stage);
@@ -169,7 +164,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
 return;
 }
- is_rtp = is_rtp_or_rtcp(ndpi_struct, &seq);
+ is_rtp = is_rtp_or_rtcp(ndpi_struct, payload, payload_len, &seq);
 if(is_rtp == IS_RTP) {
 if(flow->rtp_stage == 2) {
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index aca6540fc..877379abc 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
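Review bot: In the ndpi_rtp_search hunk (@@ -149), the added `payload_len -= 2` on a u_int16_t runs before any visible length check, so a TCP segment with fewer than 2 payload bytes wraps payload_len to 65534 or 65535 while payload already points past the end of the data; the old code only subtracted after the callee's `payload_len < 2` guard, which this commit moves out of the TCP path. Unless a check in the part of ndpi_rtp_search between the two hunks already rejects such packets (that code is not in this diff), is_rtp_or_rtcp would then parse far beyond the packet buffer, and its own `payload_len < 2` test cannot catch the wrapped value. I would guard the subtraction: `if(packet->tcp != NULL) { if(payload_len < 2) return; payload += 2; payload_len -= 2; }`. The function body of ndpi_rtp_search starts and ends outside the hunk.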
@@ -796,7 +796,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
 NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n");
 } else if(first_byte <= 191) {
- rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, NULL);
+ rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, packet->payload, packet->payload_packet_len, NULL);
 if(rtp_rtcp == IS_RTP) {
 NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d)\n", packet->packet_direction);
 NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n");
diff --git a/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng
Binary files differ
index 9d51e7ca7..2d1308ec7 100644
--- a/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng
+++ b/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng
diff --git a/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out
index d396ffb37..2e4518519 100644
--- a/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out
+++ b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out
@@ -1,9 +1,10 @@
+DPI Packets (TCP): 11 (11.00 pkts/flow)
 DPI Packets (UDP): 17 (17.00 pkts/flow)
-Confidence DPI : 1 (flows)
-Num dissector calls: 6 (6.00 diss/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 13 (6.50 diss/flow)
 LRU cache ookla: 0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache stun: 4/0/0 (insert/search/found)
+LRU cache stun: 7/0/0 (insert/search/found)
 LRU cache tls_cert: 0/1/0 (insert/search/found)
 LRU cache mining: 0/0/0 (insert/search/found)
 LRU cache msteams: 0/0/0 (insert/search/found)
@@ -17,16 +18,17 @@ Patricia risk mask: 2/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk: 0/0 (search/found)
 Patricia risk IPv6: 0/0 (search/found)
-Patricia protocols: 1/1 (search/found)
+Patricia protocols: 2/2 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
-GoogleCall 39 8413 1
+GoogleCall 102 26347 2
-Acceptable 39 8413 1
+Acceptable 102 26347 2
 JA3 Host Stats:
 IP Address # JA3C
 1 192.168.12.156 1
- 1 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 17][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
+ 1 TCP 192.168.12.182:50221 <-> 142.250.82.249:3478 [proto: 78.404/STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 11][cat: VoIP/10][28 pkts/3492 bytes <-> 35 pkts/14442 bytes][Goodput ratio: 56/87][0.89 sec][Hostname/SNI: turn.l.google.com][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 55/55 17/18][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 125/413 250/1162 71/442][Mapped IP/Port: 93.35.170.27:64994][Peer IP/Port: 10.13.0.50:1259][Relayed IP/Port: 10.13.0.62:15530][PLAIN TEXT (Lvsrdelc)][Plen Bins: 2,2,12,15,21,10,2,0,0,0,5,0,0,0,0,0,0,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 17][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/stun_extra_dissection/config.txt b/tests/cfgs/stun_extra_dissection/config.txt
index 8f6faf085..87f466543 100644
--- a/tests/cfgs/stun_extra_dissection/config.txt
+++ b/tests/cfgs/stun_extra_dissection/config.txt
@@ -1 +1 @@
---cfg=stun,max_packets_extra_dissection,255
+--cfg=stun,max_packets_extra_dissection,255 -U 0 -T 0 --cfg=packets_limit_per_flow,255
diff --git a/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng
new file mode 120000
index 000000000..d30bde120
--- /dev/null
+++ b/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng
@@ -0,0 +1 @@
+../../default/pcap/stun_dtls_rtp.pcapng
\ No newline at end of file
diff --git a/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out
new file mode 100644
index 000000000..afe07e3c2
--- /dev/null
+++ b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out
@@ -0,0 +1,34 @@
+DPI Packets (TCP): 63 (63.00 pkts/flow)
+DPI Packets (UDP): 39 (39.00 pkts/flow)
+Confidence DPI : 2 (flows)
+Num dissector calls: 13 (6.50 diss/flow)
+LRU cache ookla: 0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun: 42/0/0 (insert/search/found)
+LRU cache tls_cert: 0/1/0 (insert/search/found)
+LRU cache mining: 0/0/0 (insert/search/found)
+LRU cache msteams: 0/0/0 (insert/search/found)
+LRU cache stun_zoom: 0/0/0 (insert/search/found)
+Automa host: 0/0 (search/found)
+Automa domain: 0/0 (search/found)
+Automa tls cert: 0/0 (search/found)
+Automa risk mask: 0/0 (search/found)
+Automa common alpns: 0/0 (search/found)
+Patricia risk mask: 2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk: 0/0 (search/found)
+Patricia risk IPv6: 0/0 (search/found)
+Patricia protocols: 2/2 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+GoogleCall 102 26347 2
+
+Acceptable 102 26347 2
+
+JA3 Host Stats:
+ IP Address # JA3C
+ 1 192.168.12.156 1
+
+
+ 1 TCP 192.168.12.182:50221 <-> 142.250.82.249:3478 [proto: 338.404/SRTP.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][DPI packets: 63][cat: VoIP/10][28 pkts/3492 bytes <-> 35 pkts/14442 bytes][Goodput ratio: 56/87][0.89 sec][Hostname/SNI: turn.l.google.com][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 55/55 17/18][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 125/413 250/1162 71/442][Mapped IP/Port: 10.13.0.62:15530][Peer IP/Port: 10.13.0.50:1259][Relayed IP/Port: 10.13.0.62:15530][PLAIN TEXT (Lvsrdelc)][Plen Bins: 2,2,12,15,21,10,2,0,0,0,5,0,0,0,0,0,0,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][DPI packets: 39][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] |