diff options
| author | Luca Deri <deri@ntop.org> | 2022-12-09 21:32:45 +0100 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2022-12-09 21:32:45 +0100 |
| commit | eacc2b8e32e83e014c9863683c32d77ecb3ea607 (patch) | |
| tree | f10c78e3368801cb687cc53e39302118db5cf385 | |
| parent | fc7b070030cc33029fc16a71ecd6bbe140bd105c (diff) | |
Added Zoom screen share detection
| -rw-r--r-- | example/ndpiReader.c | 4 | ||||
| -rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
| -rw-r--r-- | src/lib/protocols/rtp.c | 17 | ||||
| -rw-r--r-- | tests/result/zoom2.pcap.out | 2 |
4 files changed, 22 insertions, 4 deletions
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index b384e4b5a..7faff3b69 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1533,6 +1533,10 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa const char *what; switch(flow->rtp.stream_type) { + case rtp_screen_share: + what = "screen_share"; + break; + case rtp_audio: what = "audio"; break; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 8c73723b2..ad33eb5e6 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1281,8 +1281,9 @@ struct ndpi_risk_information { enum ndpi_rtp_stream_type { rtp_unknown = 0, rtp_audio, - rtp_video, + rtp_video, rtp_audio_video, + rtp_screen_share }; struct ndpi_flow_struct { diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index 1c48af7a4..5c0e68f40 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -100,7 +100,7 @@ PACK_ON struct zoom_sfu_encapsulation { } PACK_OFF; PACK_ON struct zoom_media_encapsulation { - u_int8_t enc_type; /* 15 = Audio, 16 = Video, 34 = RTCP */ + u_int8_t enc_type; /* 13/30 = Screen Share, 15 = Audio, 16 = Video, 33/34/35 = RTCP */ u_int32_t unknown_1, unknown_2; u_int16_t sequence_num; u_int32_t timestamp; @@ -128,6 +128,12 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, *zoom_stream_type = enc->enc_type; switch(enc->enc_type) { + case 13: /* Screen Share */ + case 30: /* Screen Share */ + *is_rtp = 0; + *payload_offset = 27; + break; + case 15: /* Audio */ *is_rtp = 0; *payload_offset = 27; @@ -137,8 +143,10 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, *is_rtp = 1; *payload_offset = 32; break; - + + case 33: /* RTCP */ case 34: /* RTCP */ + case 35: /* RTCP */ *is_rtp = 1; *payload_offset = 36; break; @@ -184,6 +192,11 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, */ switch(zoom_stream_type) { + case 13: /* Screen Share */ + case 30: /* Screen Share */ + flow->protos.rtp.stream_type = rtp_screen_share; + break; + case 15: /* Audio */ flow->protos.rtp.stream_type = rtp_audio; break; diff --git a/tests/result/zoom2.pcap.out b/tests/result/zoom2.pcap.out index da7c2f333..652f2bbea 100644 --- a/tests/result/zoom2.pcap.out +++ b/tests/result/zoom2.pcap.out @@ -32,5 +32,5 @@ JA3 Host Stats: 1 UDP 192.168.1.178:60653 <-> 144.195.73.154:8801 [proto: 87.189/RTP.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Video/26][3824 pkts/4162390 bytes <-> 4907 pkts/4203451 bytes][Goodput ratio: 96/95][40.59 sec][bytes ratio: -0.005 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/6 101/100 10/10][Pkt Len c2s/s2c min/avg/max/stddev: 94/60 1088/857 1339/1339 242/271][PLAIN TEXT (replace)][Plen Bins: 0,2,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,1,74,3,1,0,1,9,1,0,0,0,0,0,0,0,0,0] 2 UDP 192.168.1.178:58117 <-> 144.195.73.154:8801 [proto: 87.189/RTP.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Video/26][1283 pkts/302584 bytes <-> 947 pkts/159626 bytes][Goodput ratio: 82/75][39.98 sec][bytes ratio: 0.309 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 28/36 141/131 26/34][Pkt Len c2s/s2c min/avg/max/stddev: 106/60 236/169 376/369 87/64][PLAIN TEXT (replace)][Plen Bins: 0,1,64,18,7,0,0,4,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 3 TCP 192.168.1.178:50076 <-> 144.195.73.154:443 [proto: 91.189/TLS.Zoom][IP: 189/Zoom][Encrypted][Confidence: DPI][cat: Video/26][491 pkts/108525 bytes <-> 411 pkts/58625 bytes][Goodput ratio: 70/54][44.41 sec][Hostname/SNI: zoomsjccv154mmr.sjc.zoom.us][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: 0.299 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 75/109 1466/1467 185/193][Pkt Len c2s/s2c min/avg/max/stddev: 54/60 221/143 1506/1506 285/210][Risk: ** TLS (probably) Not Carrying HTTPS **][Risk Score: 10][Risk Info: No ALPN][TLSv1.2][JA3C: 832952db10f1453442636675bed2702b][ServerNames: *.sjc.zoom.us][JA3S: 8aca82d60194883e764ab2743e60c380][Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1][Subject: C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us][Certificate SHA-1: 43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7][Firefox][Validity: 2021-04-13 00:00:00 - 2022-04-20 23:59:59][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 0,15,17,13,5,3,8,2,1,0,1,0,1,1,3,1,2,4,2,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0] - 4 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 87.189/RTP.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 UDP 192.168.1.178:57953 <-> 144.195.73.154:8801 [proto: 87.189/RTP.Zoom][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Video/26][43 pkts/5229 bytes <-> 44 pkts/4520 bytes][Goodput ratio: 65/59][39.68 sec][RTP Stream Type: screen_share][bytes ratio: 0.073 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 941/849 3580/3749 1440/1522][Pkt Len c2s/s2c min/avg/max/stddev: 69/60 122/103 185/133 41/28][PLAIN TEXT (replace)][Plen Bins: 35,2,43,13,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] 5 ICMP 192.168.1.178:0 -> 144.195.73.154:0 [proto: 81/ICMP][IP: 189/Zoom][ClearText][Confidence: DPI][cat: Network/14][27 pkts/1890 bytes -> 0 pkts/0 bytes][Goodput ratio: 40/0][0.15 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 6/0 20/0 6/0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70/0 70/0 0/0][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No server to client traffic][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |