author | Luca Deri <deri@ntop.org> | 2023-06-12 23:29:20 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2023-06-12 23:29:20 +0200 |
commit | b02adcc38105b83ce3e1a15096de4724920b9f50 (patch) | |
tree | c2edd87ee9370f9324b6fa6740a0858376253d90 | |
parent | 4e284b5e40f08e708af9ddeb9ca04d9642636dcd (diff) |
Added check to avoid skype heuristic false positives
-rw-r--r-- | src/lib/protocols/skype.c | 11 | ||||
-rw-r--r-- | tests/cfgs/default/result/skype_udp.pcap.out | 8 |
2 files changed, 12 insertions, 7 deletions
diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index bec650f25..cfe102f99 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c @@ -78,7 +78,7 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s const uint8_t id_flags_iv_crc_len = 11; const uint8_t crc_len = sizeof(flow->l4.udp.skype_crc); const uint8_t crc_offset = id_flags_iv_crc_len - crc_len; - + /* Look for two pkts with the same crc */ if((payload_len >= id_flags_iv_crc_len) && (packet->payload[2] == 0x02 /* Payload flag */ )) { @@ -87,8 +87,13 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s } else { if(memcmp(flow->l4.udp.skype_crc, &packet->payload[crc_offset], crc_len) == 0) { NDPI_LOG_INFO(ndpi_struct, "found SKYPE_TEAMS\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); - return; + + /* As there is some heuristic we need to double check before detecting the protocol */ + if((flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE) + || (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_SKYPE_TEAMS)) { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + return; + } } } /* No idea if the two pkts need to be consecutive; in doubt wait for some more pkts */ diff --git a/tests/cfgs/default/result/skype_udp.pcap.out b/tests/cfgs/default/result/skype_udp.pcap.out index f26093a3c..32599b6f1 100644 --- a/tests/cfgs/default/result/skype_udp.pcap.out +++ b/tests/cfgs/default/result/skype_udp.pcap.out 
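Review bot: In the second hunk of ndpi_check_skype, `NDPI_LOG_INFO(ndpi_struct, "found SKYPE_TEAMS\n");` still runs before the new `guessed_protocol_id_by_ip` check, so the log reports a match even when the flow is then left unclassified; move it inside the new `if`, next to `ndpi_set_detected_protocol(...)`. The gate also makes this heuristic depend on the IP-to-protocol lists being current: a flow whose peer is not tagged NDPI_PROTOCOL_MICROSOFT_AZURE or NDPI_PROTOCOL_SKYPE_TEAMS is never matched here, which the updated skype_udp.pcap.out appears to show (`[IP: 0/Unknown]`, DPI packets going from 2 to 4, presumably classified by another path). Anyone relying on this classification for policy or detection would want that trade-off stated, for example by extending the comment to `/* CRC match alone is a weak signal: require the IP-based guess to agree, at the cost of missing peers outside the known ranges */`. The function body starts and ends outside the hunk.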
@@ -1,8 +1,8 @@ Guessed flow protos: 0 -DPI Packets (UDP): 2 (2.00 pkts/flow) +DPI Packets (UDP): 4 (4.00 pkts/flow) Confidence DPI : 1 (flows) -Num dissector calls: 126 (126.00 diss/flow) +Num dissector calls: 164 (164.00 diss/flow) LRU cache ookla: 0/0/0 (insert/search/found) LRU cache bittorrent: 0/0/0 (insert/search/found) LRU cache zoom: 0/0/0 (insert/search/found) @@ -20,6 +20,6 @@ Patricia risk mask: 2/0 (search/found) Patricia risk: 0/0 (search/found) Patricia protocols: 2/0 (search/found) -Skype_Teams 5 339 1 +Skype_TeamsCall 5 339 1 - 1 UDP 192.168.1.2:35990 <-> 24.224.190.149:39262 [proto: 125/Skype_Teams][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 2][cat: VoIP/10][4 pkts/279 bytes <-> 1 pkts/60 bytes][Goodput ratio: 40/30][72.51 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 1 UDP 192.168.1.2:35990 <-> 24.224.190.149:39262 [proto: 125.38/Skype_Teams.Skype_TeamsCall][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 4][cat: VoIP/10][4 pkts/279 bytes <-> 1 pkts/60 bytes][Goodput ratio: 40/30][72.51 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |