diff options
author | Ivan Nardi <12729895+IvanNardi@users.noreply.github.com> | 2024-05-06 10:19:46 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-05-06 10:19:46 +0200 |
commit | 266af0275241b96346372bbae936cd3dd1a35159 (patch) | |
tree | cbadf21cb1852ff65b1c87404c0fb0ba6d8f86e6 /src | |
parent | a1845da3594c080bc59318ea9b465e15f0c5012c (diff) |
Merge RTP and RTCP logic (#2416)
Avoid code duplication between these two protocols.
We remove support for RTCP over TCP; it is quite rare to find this kind
of traffic and, more important, we have never had support for RTP
over TCP: we should try to add both detecion as follow-up.
Fix a message log in the LINE code
Diffstat (limited to 'src')
-rw-r--r-- | src/include/ndpi_private.h | 3 | ||||
-rw-r--r-- | src/include/ndpi_typedefs.h | 3 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 3 | ||||
-rw-r--r-- | src/lib/protocols/line.c | 2 | ||||
-rw-r--r-- | src/lib/protocols/rtcp.c | 85 | ||||
-rw-r--r-- | src/lib/protocols/rtp.c | 44 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 3 |
7 files changed, 38 insertions, 105 deletions
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h index 935f58377..c5192f2be 100644 --- a/src/include/ndpi_private.h +++ b/src/include/ndpi_private.h @@ -668,6 +668,9 @@ int search_into_bittorrent_cache(struct ndpi_detection_module_struct *ndpi_struc /* Stun */ int stun_search_into_zoom_cache(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); +int is_stun(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t *app_proto); /* TPKT */ int tpkt_verify_hdr(const struct ndpi_packet_struct * const packet); diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 9b5e294da..0f01a4a87 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -914,6 +914,9 @@ struct ndpi_flow_udp_struct { /* NDPI_PROTOCOL_RTP */ u_int32_t rtp_stage:2; + /* NDPI_PROTOCOL_RTCP */ + u_int32_t rtcp_stage:2; + /* NDPI_PROTOCOL_QUIC */ u_int32_t quic_0rtt_found:1; u_int32_t quic_vn_pair:1; diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index ee58c2cdb..2a081f8a4 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5745,9 +5745,6 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) { /* SKINNY */ init_skinny_dissector(ndpi_str, &a); - /* RTCP */ - init_rtcp_dissector(ndpi_str, &a); - /* RSYNC */ init_rsync_dissector(ndpi_str, &a); diff --git a/src/lib/protocols/line.c b/src/lib/protocols/line.c index 0de5e856e..6b69d690c 100644 --- a/src/lib/protocols/line.c +++ b/src/lib/protocols/line.c @@ -86,7 +86,7 @@ static void ndpi_search_line(struct ndpi_detection_module_struct *ndpi_struct, (packet->payload[1] == 201 || /* RTCP, Receiver Report */ packet->payload[1] == 200 || /* RTCP, Sender Report */ is_valid_rtp_payload_type(packet->payload[1] & 0x7F)) /* RTP */) { - NDPI_LOG_DBG(ndpi_struct, "Probably RTP; keep looking for LINE"); + NDPI_LOG_DBG(ndpi_struct, "Probably RTP; keep looking for LINE\n"); return; } else { if((u_int8_t)(flow->l4.udp.line_base_cnt[packet->packet_direction] + diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c deleted file mode 100644 index 25910a602..000000000 --- a/src/lib/protocols/rtcp.c +++ /dev/null @@ -1,85 +0,0 @@ -/* - * rtcp.c (RTP Control Protocol) - * - * Copyright (C) 2013 Remy Mudingay <mudingay@ill.fr> - * - */ -#include "ndpi_protocol_ids.h" - -#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTCP - -#include "ndpi_api.h" -#include "ndpi_private.h" - -static void ndpi_int_rtcp_add_connection(struct ndpi_detection_module_struct - *ndpi_struct, struct ndpi_flow_struct *flow) -{ - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, - NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); -} - -static void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) -{ - struct ndpi_packet_struct *packet = &ndpi_struct->packet; - u_int16_t dport = 0, sport = 0; - - NDPI_LOG_DBG(ndpi_struct, "search RTCP\n"); - - if(packet->tcp != NULL) { - sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - NDPI_LOG_DBG2(ndpi_struct, "calculating dport over tcp\n"); - - if(packet->payload_packet_len > 13 && (sport == 554 || dport == 554) && - packet->payload[0] == 0x00 && packet->payload[1] == 0x00 && - packet->payload[2] == 0x01 && packet->payload[3] == 0x01 && - packet->payload[4] == 0x08 && packet->payload[5] == 0x0a && - packet->payload[6] == 0x00 && packet->payload[7] == 0x01) { - NDPI_LOG_INFO(ndpi_struct, "found rtcp\n"); - ndpi_int_rtcp_add_connection(ndpi_struct, flow); - } - - if(flow->packet_counter > 3) - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } else if(packet->udp != NULL) { - /* Let's check first the RTCP packet length */ - u_int32_t len, offset = 0, rtcp_section_len; - - while(offset + 3 < packet->payload_packet_len) { - len = packet->payload[2+offset] * 256 + packet->payload[2+offset+1]; - rtcp_section_len = (len + 1) * 4; - - if(((offset+rtcp_section_len) > packet->payload_packet_len) || (rtcp_section_len == 0) || (len == 0)) { - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - return; - } else - offset += rtcp_section_len; - } - - NDPI_LOG_DBG2(ndpi_struct, "calculating dport over udp\n"); - /* TODO changed a pair of length condition to the && from ||. Is it correct? */ - if(((packet->payload_packet_len >= 28 && packet->payload_packet_len <= 1200) && - ((packet->payload[0] == 0x80) && ((packet->payload[1] == 0xc8) || (packet->payload[1] == 0xc9)) && (packet->payload[2] == 0x00))) - || (packet->payload_packet_len >= 3 && ((packet->payload[0] == 0x81) && ((packet->payload[1] == 0xc8) || (packet->payload[1] == 0xc9)) - && (packet->payload[2] == 0x00)))) { - NDPI_LOG_INFO(ndpi_struct, "found rtcp\n"); - ndpi_int_rtcp_add_connection(ndpi_struct, flow); - } - - if(flow->packet_counter > 3) - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); - } -} - - -void init_rtcp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id) -{ - ndpi_set_bitmask_protocol_detection("RTCP", ndpi_struct, *id, - NDPI_PROTOCOL_RTCP, - ndpi_search_rtcp, - NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_OR_UDP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION, - SAVE_DETECTION_BITMASK_AS_UNKNOWN, - ADD_TO_DETECTION_BITMASK); - - *id += 1; -} diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index afa5e2bf2..9a4c15117 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -150,22 +150,26 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &ndpi_struct->packet; const u_int8_t *payload = packet->payload; - NDPI_LOG_DBG(ndpi_struct, "search RTP\n"); + NDPI_LOG_DBG(ndpi_struct, "search RTP (stage %d/%d)\n", flow->l4.udp.rtp_stage, flow->l4.udp.rtcp_stage); if(d_port == 5355 || /* LLMNR_PORT */ d_port == 5353 || /* MDNS_PORT */ d_port == 9600 /* FINS_PORT */) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); return; } - /* * Let some "unknown" packets at the beginning - * search for 3 consecutive RTP/RTCP packets - */ + /* * Let some "unknown" packets at the beginning: + * search for 3/4 consecutive RTP/RTCP packets. + * Wait a little longer (4 vs 3 pkts) for RTCP to try to tell if there are only + * RTCP packets in the flow or if RTP/RTCP are multiplexed together */ if(flow->packet_counter > 3 && - flow->l4.udp.rtp_stage == 0) { + flow->l4.udp.rtp_stage == 0 && + flow->l4.udp.rtcp_stage == 0) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); return; } @@ -189,10 +193,26 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, flow->l4.udp.rtp_stage += 1; } else if(is_rtp == IS_RTCP && flow->l4.udp.rtp_stage > 0) { /* RTCP after (some) RTP. Keep looking for RTP */ + } else if(is_rtp == IS_RTCP && flow->l4.udp.rtp_stage == 0) { + if(flow->l4.udp.rtcp_stage == 3) { + NDPI_LOG_INFO(ndpi_struct, "Found RTCP\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, + NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_RTCP, + NDPI_CONFIDENCE_DPI); + return; + } + flow->l4.udp.rtcp_stage += 1; } else { - if(flow->l4.udp.rtp_stage) { - flow->l4.udp.rtp_stage = 0; - NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + if(flow->l4.udp.rtp_stage || flow->l4.udp.rtcp_stage) { + u_int16_t app_proto; /* unused */ + u_int32_t unused; + + /* TODO: we should switch to the demultiplexing-code in stun dissector */ + if(!is_stun(ndpi_struct, flow, &app_proto) && + !is_dtls(packet->payload, packet->payload_packet_len, &unused)) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); + } } } } @@ -205,16 +225,14 @@ static void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, st u_int16_t source = ntohs(packet->udp->source); u_int16_t dest = ntohs(packet->udp->dest); - // printf("==> %s()\n", __FUNCTION__); - - /* printf("*** %s(pkt=%d)\n", __FUNCTION__, flow->packet_counter); */ - if((source != 30303) && (dest != 30303 /* Avoid to mix it with Ethereum that looks alike */) && (dest > 1023) ) ndpi_rtp_search(ndpi_struct, flow); - else + else { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + NDPI_EXCLUDE_PROTO_EXT(ndpi_struct, flow, NDPI_PROTOCOL_RTCP); + } } /* *************************************************************** */ diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 40f00dca0..0cc0d1d80 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -311,9 +311,6 @@ static void parse_xor_ip_port_attribute(struct ndpi_detection_module_struct *ndp } } } -#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -static -#endif int is_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int16_t *app_proto) |