Raknet/RTP: avoid Raknet false positives and harden RTP heuristic (#2427)

There is some overlap between RTP and Raknet detection: give precedence
to RTP logic.
Consequences:
* Raknet might require a little bit more packets for some flows (not a
big issue)
* some very small (1-2 pkts) Raknet flows are not classified (not sure
what do do about that..)

1 files changed, 6 insertions, 2 deletions

diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c
index 8aeaddc2d..b11107ec3 100644
--- a/src/lib/protocols/raknet.c
+++ b/src/lib/protocols/raknet.c
@@ -294,7 +294,9 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct,
         /* We've dissected enough to be sure. */
         if (frame_offset == packet->payload_packet_len)
         {
-          ndpi_int_raknet_add_connection(ndpi_struct, flow);
+          /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */
+          if(flow->l4.udp.rtp_stage == 0 && flow->l4.udp.rtcp_stage == 0)
+            ndpi_int_raknet_add_connection(ndpi_struct, flow);
         } else {
           exclude_proto(ndpi_struct, flow);
         }
@@ -363,7 +365,9 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct,
 
         if (record_index == record_count && record_offset == packet->payload_packet_len)
         {
-          ndpi_int_raknet_add_connection(ndpi_struct, flow);
+          /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */
+          if(flow->l4.udp.rtp_stage == 0 && flow->l4.udp.rtcp_stage == 0)
+            ndpi_int_raknet_add_connection(ndpi_struct, flow);
         } else {
           exclude_proto(ndpi_struct, flow);
         }