STUN: improve detection of Telegram calls (#2671)

author: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> 2025-01-14 17:33:34 +0100
committer: GitHub <noreply@github.com> 2025-01-14 17:33:34 +0100
commit: 252be78acce7d286f3a40924b98abcf8ecb72f79 (patch)
tree: 83e5ab5e16b08604e710cd1b9cefb04b238a4edf /src/lib/protocols/telegram.c
parent: af011e338e20ad065de958f00624b6b341579d81 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c
index 23f7cca51..affeede36 100644
--- a/src/lib/protocols/telegram.c
+++ b/src/lib/protocols/telegram.c
@@ -93,6 +93,14 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc
 
 	if(found == 12)	{
 	  ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
+	  /* It seems this kind of traffic is used:
+             * for "normal" stuff (at least years ago... and now? TODO)
+             * for calls, as a custom encapsulation of STUN/DTLS/RTP packets
+             Since we are not able to tell the former from the latter, always
+             switch to STUN dissection. If we find STUN/DTLS/RTP stuff we will
+             update the classification to something like STUN/Telegram_voip,
+             otherwise it will remain Telegram */
+	  switch_extra_dissection_to_stun(ndpi_struct, flow, 0);
 	  return;
 	}
       }
author	Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>	2025-01-14 17:33:34 +0100
committer	GitHub <noreply@github.com>	2025-01-14 17:33:34 +0100
commit	252be78acce7d286f3a40924b98abcf8ecb72f79 (patch)
tree	83e5ab5e16b08604e710cd1b9cefb04b238a4edf /src/lib/protocols/telegram.c
parent	af011e338e20ad065de958f00624b6b341579d81 (diff)