author | Luca Deri <deri@ntop.org> | 2023-06-14 23:44:57 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2023-06-14 23:44:57 +0200 |
commit | d0609ea601f6e0e9fac7cfe622d07e41f0129e89 (patch) | |
tree | 7c94c0dabb6d119ee37ee451a72f0791ec5ef93f /src/lib | |
parent | 66bee475ae1b1f4b1b4104555b7bb4d38c3e20b6 (diff) |
Implemented Zoom/Teams stream type detection
Diffstat (limited to 'src/lib')
-rw-r--r-- | src/lib/ndpi_main.c | 73 | ||||
-rw-r--r-- | src/lib/ndpi_utils.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 10 |
3 files changed, 53 insertions, 31 deletions
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 9253d0f2a..b338839c8 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2889,27 +2889,27 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
 ndpi_exit_detection_module(ndpi_str);
 return(NULL);
 }
-
+
 ndpi_str->host_risk_mask_automa.ac_automa = ac_automata_init(ac_domain_match_handler);
 if(!ndpi_str->host_risk_mask_automa.ac_automa) {
 ndpi_exit_detection_module(ndpi_str);
 return(NULL);
 }
-
+
 ndpi_str->common_alpns_automa.ac_automa = ac_automata_init(ac_domain_match_handler);
 if(!ndpi_str->common_alpns_automa.ac_automa) {
 ndpi_exit_detection_module(ndpi_str);
 return(NULL);
 }
-
+
 load_common_alpns(ndpi_str);
-
+
 ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(NULL);
 if(!ndpi_str->tls_cert_subject_automa.ac_automa) {
 ndpi_exit_detection_module(ndpi_str);
 return(NULL);
 }
-
+
 ndpi_str->malicious_ja3_hashmap = NULL; /* Initialized on demand */
 ndpi_str->malicious_sha1_hashmap = NULL; /* Initialized on demand */
 ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */
@@ -3214,23 +3214,23 @@ int ndpi_get_automa_stats(struct ndpi_detection_module_struct *ndpi_struct,
 case NDPI_AUTOMA_HOST:
 ndpi_automa_get_stats(ndpi_struct->host_automa.ac_automa, stats);
 return 0;
-
+
 case NDPI_AUTOMA_DOMAIN:
 ndpi_automa_get_stats(ndpi_struct->risky_domain_automa.ac_automa, stats);
 return 0;
-
+
 case NDPI_AUTOMA_TLS_CERT:
 ndpi_automa_get_stats(ndpi_struct->tls_cert_subject_automa.ac_automa, stats);
 return 0;
-
+
 case NDPI_AUTOMA_RISK_MASK:
 ndpi_automa_get_stats(ndpi_struct->host_risk_mask_automa.ac_automa, stats);
 return 0;
-
+
 case NDPI_AUTOMA_COMMON_ALPNS:
 ndpi_automa_get_stats(ndpi_struct->common_alpns_automa.ac_automa, stats);
 return 0;
-
+
 default:
 return -1;
 }
@@ -6036,7 +6036,7 @@ static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow, u_int8_t use_cl
 else
 key = ntohl(flow->s_address.v4);
 }
-
+
 return key;
 }
@@ -6052,7 +6052,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi u_int16_t dport = ntohs(flow->s_port); u_int8_t s_match = ((sport >= 3478) && (sport <= 3481)) ? 1 : 0; u_int8_t d_match = ((dport >= 3478) && (dport <= 3481)) ? 1 : 0; - + if(s_match || d_match) { ndpi_int_change_protocol(ndpi_str, flow, NDPI_PROTOCOL_SKYPE_TEAMS, flow->detected_protocol_stack[1], @@ -6065,7 +6065,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi ndpi_get_current_time(flow)); } - } + } } /* ********************************************************************************* */ @@ -6077,22 +6077,13 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s /* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup() */ -#if 0 - if(flow) { - /* Do not go for DNS when there is an application protocol. Example DNS.Apple */ - if((flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) - && (flow->detected_protocol_stack[0] /* app */ != flow->detected_protocol_stack[1] /* major */)) - NDPI_CLR_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN); - } -#endif - // printf("====>> %u.%u [%u]\n", ret->master_protocol, ret->app_protocol, flow->detected_protocol_stack[0]); switch(ret->app_protocol) { case NDPI_PROTOCOL_MICROSOFT_AZURE: ndpi_reconcile_msteams_udp(ndpi_str, flow); break; - + /* Skype for a host doing MS Teams means MS Teams (MS Teams uses Skype as transport protocol for voice/video) @@ -6113,7 +6104,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s if(flow && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE)) ndpi_reconcile_msteams_udp(ndpi_str, flow); break; - + case NDPI_PROTOCOL_NETFLOW: case NDPI_PROTOCOL_SFLOW: case NDPI_PROTOCOL_RTP: 
@@ -6138,7 +6129,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s && ndpi_str->msteams_cache ) { u_int16_t dummy; - + if(ndpi_lru_find_cache(ndpi_str->msteams_cache, make_msteams_key(flow, 1 /* client */), &dummy, 0 /* Don't remove it as it can be used for other connections */, @@ -6146,10 +6137,10 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s ndpi_int_change_protocol(ndpi_str, flow, NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_TLS, NDPI_CONFIDENCE_DPI_PARTIAL); - } + } } break; - + case NDPI_PROTOCOL_SKYPE_TEAMS: case NDPI_PROTOCOL_SKYPE_TEAMS_CALL: if(flow->l4_proto == IPPROTO_UDP && ndpi_str->msteams_cache) { @@ -6167,6 +6158,32 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s ndpi_get_current_time(flow)); } } + + if(ret->app_protocol == NDPI_PROTOCOL_SKYPE_TEAMS_CALL) { + struct ndpi_packet_struct *packet = &ndpi_str->packet; + + if((packet != NULL) && (packet->udp != NULL)) { + u_int16_t sport = ntohs(packet->udp->source); + u_int16_t dport = ntohs(packet->udp->dest); + + /* + https://extremeportal.force.com/ExtrArticleDetail?an=000101782 + + Audio: UDP 50000-50019; 3478; 3479 + Video: UDP 50020-50039; 3480 + Sharing: UDP 50040-50059; 3481 + */ + + if((dport == 3478) || (dport == 3479) || ((sport >= 50000) && (sport <= 50019))) + flow->skype_teams.flow_type = ndpi_multimedia_audio_flow; + else if((dport == 3480) || ((sport >= 50020) && (sport <= 50039))) + flow->skype_teams.flow_type = ndpi_multimedia_video_flow; + else if((dport == 3481) || ((sport >= 50040) && (sport <= 50059))) + flow->skype_teams.flow_type = ndpi_multimedia_screen_sharing_flow; + else + flow->skype_teams.flow_type = ndpi_multimedia_unknown_flow; + } + } break; case NDPI_PROTOCOL_RDP: @@ -8057,7 +8074,7 @@ ndpi_protocol ndpi_guess_undetected_protocol_v4(struct ndpi_detection_module_str return(ret); } } - + return(ndpi_guess_undetected_protocol(ndpi_str, flow, proto)); } 
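Review bot: The new SKYPE_TEAMS_CALL block reads `&ndpi_str->packet` and `packet->udp`, which the comment at the top of this function (in the earlier hunk) says it must not do because ndpi_reconcile_protocols() is also reached from ndpi_detection_giveup(), where no packet is being dissected; the `packet != NULL` test cannot catch that, since the address of an embedded struct member is never NULL, and `packet->udp` would then point at whatever the last dissected packet left behind. The same case already checks `flow->l4_proto == IPPROTO_UDP` a few lines above, so the ports can be taken from the flow itself, as ndpi_reconcile_msteams_udp does with `flow->s_port`: `if(flow->l4_proto == IPPROTO_UDP) {` / `u_int16_t sport = ntohs(flow->c_port);` / `u_int16_t dport = ntohs(flow->s_port);`. The port table being matched (3478–3481 as destination, 50000–50059 as source) is written in client→server terms, so flow-level client/server ports presumably also classify a server→client packet correctly where per-packet `source`/`dest` would be swapped — worth confirming against a capture. The enclosing switch continues outside the hunk.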
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c index 10328380c..8356c39b3 100644 --- a/src/lib/ndpi_utils.c +++ b/src/lib/ndpi_utils.c @@ -2995,3 +2995,4 @@ char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen) { return(cp); } + diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index a0d6352f7..c727cca58 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -105,7 +105,8 @@ PACK_ON struct zoom_media_encapsulation { #define ZOOM_PORT 8801 -static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, +static u_int8_t isZoom(struct ndpi_flow_struct *flow, + u_int16_t sport, u_int16_t dport, const u_int8_t *payload, const u_int16_t payloadLen, u_int8_t *is_rtp, u_int8_t *zoom_stream_type, u_int16_t *payload_offset) { @@ -118,7 +119,7 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, if((sport == ZOOM_PORT) || (dport == ZOOM_PORT)) { struct zoom_sfu_encapsulation *enc = (struct zoom_sfu_encapsulation*)payload; - /* traceEvent(TRACE_NORMAL, "==> %u <-> %u [type: %u]", sport, dport, enc->sfu_type); */ + /* printf("==> %u <-> %u [type: %u]\n", sport, dport, enc->sfu_type); */ if((enc->sfu_type >= 3) && (enc->sfu_type <= 5)) { struct zoom_media_encapsulation *enc = (struct zoom_media_encapsulation*)(&payload[sizeof(struct zoom_sfu_encapsulation)]); @@ -130,16 +131,19 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport, case 30: /* Screen Share */ *is_rtp = 0; *payload_offset = 27; + flow->zoom.flow_type = ndpi_multimedia_screen_sharing_flow; break; case 15: /* Audio */ *is_rtp = 1; *payload_offset = 27; + flow->zoom.flow_type = ndpi_multimedia_audio_flow; break; case 16: /* Video */ *is_rtp = 1; *payload_offset = 32; + flow->zoom.flow_type = ndpi_multimedia_video_flow; break; case 33: /* RTCP */ 
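Review bot: isZoom() gains a `flow` parameter in the first rtp.c hunk, but nothing at the definition says what it is for: the function now has a side effect (it sets `flow->zoom.flow_type` in the later hunk, which is cut off on this page) in addition to its return value and out-parameters, and it dereferences `flow` without a check, so the requirement that the caller passes a non-NULL flow should be written down; a header comment such as `/* Returns non-zero for Zoom traffic; on a media packet also records the stream type in flow->zoom.flow_type (flow must be non-NULL). */` would do. Separately, within these hunks `payload` is cast to `struct zoom_sfu_encapsulation` and, at that struct's size, to `struct zoom_media_encapsulation`, and `enc->sfu_type` is read, while no bound on `payloadLen` is visible here — if the lines between the signature and line 118 do not already require `payloadLen` to cover both headers, a short datagram to port 8801 is read past its end, which is worth confirming.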
@@ -181,7 +185,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, return; } - if(isZoom(s_port, d_port, payload, payload_len, + if(isZoom(flow, s_port, d_port, payload, payload_len, &is_rtp, &zoom_stream_type, &payload_offset)) { if(payload_offset < payload_len) { /* |