diff options
| author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-06-07 13:12:04 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-06-07 13:12:04 +0200 |
| commit | b90d39c4ac039464798a323ef96dc92262504852 (patch) | |
| tree | 9e027c4631b2aa5cacf9447a6626b86b569675fc /src/lib/protocols/rtp.c | |
| parent | 070a0908b30c055bf0590fb0d10557c1acf70401 (diff) | |
RTP/STUN: look for STUN packets after RTP/RTCP classification (#2465)
After a flow has been classified as RTP or RTCP, nDPI might analyse more
packets to look for STUN/DTLS packets, i.e. to try to tell if this flow
is a "pure" RTP/RTCP flow or if the RTP/RTCP packets are multiplexed with
STUN/DTLS.
Useful for proper (sub)classification when the beginning of the flows
are not captured or if there are lost packets in the the captured traffic.
Disabled by default
Diffstat (limited to 'src/lib/protocols/rtp.c')
| -rw-r--r-- | src/lib/protocols/rtp.c | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index d8c09be3a..e05d0ee89 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -135,6 +135,24 @@ int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, return NO_RTP_RTCP; } + +static void ndpi_int_rtp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t proto) +{ + ndpi_set_detected_protocol(ndpi_struct, flow, + NDPI_PROTOCOL_UNKNOWN, proto, + NDPI_CONFIDENCE_DPI); + if(ndpi_struct->cfg.rtp_search_for_stun) { + /* It makes sense to look for STUN only if we didn't capture the entire flow, + from the beginning */ + if(!(flow->l4_proto == IPPROTO_TCP && ndpi_seen_flow_beginning(flow))) { + NDPI_LOG_DBG(ndpi_struct, "Enabling (STUN) extra dissection\n"); + switch_extra_dissection_to_stun(ndpi_struct, flow); + } + } +} + /* *************************************************************** */ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, @@ -186,9 +204,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, rtp_get_stream_type(payload[1] & 0x7F, &flow->flow_multimedia_type); NDPI_LOG_INFO(ndpi_struct, "Found RTP\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, - NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTP, - NDPI_CONFIDENCE_DPI); + ndpi_int_rtp_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTP); } return; } @@ -202,16 +218,14 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, } else if(is_rtp == IS_RTCP && flow->rtp_stage == 0) { if(flow->rtcp_stage == 3) { NDPI_LOG_INFO(ndpi_struct, "Found RTCP\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, - NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTCP, - NDPI_CONFIDENCE_DPI); + ndpi_int_rtp_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); return; } flow->rtcp_stage += 1; } else { if(flow->rtp_stage || flow->rtcp_stage) { - u_int16_t app_proto; /* unused */ u_int32_t unused; + u_int16_t app_proto = NDPI_PROTOCOL_UNKNOWN; /* TODO: we should switch to the demultiplexing-code in stun dissector */ if(is_stun(ndpi_struct, flow, &app_proto) != 0 && |