authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-05-09 21:18:18 +0200
committerGitHub <noreply@github.com>2024-05-09 21:18:18 +0200
commitd4650f0f817c8d1663284b7dd225df802104a60b (patch)
treeb89b00b37b9ad01212fa755e1f44d8d3e8b92eaf /src/include
parente4fd6e47a323923cf320880c2dd3bb1d149c4fbe (diff)
Raknet/RTP: avoid Raknet false positives and harden RTP heuristic (#2427)
There is some overlap between RTP and Raknet detection: give precedence to RTP logic. Consequences:
* Raknet might require a few more packets for some flows (not a big issue)
* some very small (1-2 pkts) Raknet flows are not classified (not sure what to do about that..)
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ndpi_private.h2
-rw-r--r--src/include/ndpi_typedefs.h4
2 files changed, 5 insertions, 1 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 358138f70..65cdd9891 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -652,7 +652,7 @@ const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct,
/* RTP */
int is_valid_rtp_payload_type(uint8_t type);
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct);
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *seq);
u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type);
/* Bittorrent */
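Review bot: The new `seq` out-parameter of `is_rtp_or_rtcp()` has no documented contract in this header: nothing says whether `seq` may be NULL, or for which return values `*seq` is actually written. The function distinguishes RTP from RTCP, and presumably only the RTP case yields a sequence number, so a caller that reads `*seq` after any other result would be comparing against an uninitialised value while parsing untrusted packets. I would add a comment above the prototype along the lines of `/* *seq is written only when the packet is classified as RTP; callers must not read it otherwise */`, adjusted to what the implementation does, which is not visible in this hunk.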
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index 9a65e292a..08b8e490f 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -930,6 +930,10 @@ struct ndpi_flow_udp_struct {
/* NDPI_PROTOCOL_RAKNET */
u_int32_t raknet_custom:1;
+ /* NDPI_PROTOCOL_RTP */
+ u_int16_t rtp_seq[2];
+ u_int8_t rtp_seq_set[2];
+
/* NDPI_PROTOCOL_EAQ */
u_int8_t eaq_pkt_id;
u_int32_t eaq_sequence;
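Review bot: The two arrays added to `struct ndpi_flow_udp_struct` carry no comment on what the index means or how they pair up. Presumably both are indexed by packet direction and `rtp_seq[i]` is meaningful only once `rtp_seq_set[i]` is non-zero; a comment such as `/* indexed by packet direction; rtp_seq[d] is valid only if rtp_seq_set[d] is set */` would keep later dissector code from comparing against a never-stored sequence number or indexing with anything other than 0/1. As a style point, `rtp_seq_set` spends two bytes on two booleans right after the 1-bit `raknet_custom` field; two `:1` bitfields would follow the neighbouring convention and keep the per-flow struct smaller. The struct starts and ends outside this hunk.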