authorLuca Deri <deri@ntop.org>2023-06-14 23:44:57 +0200
committerLuca Deri <deri@ntop.org>2023-06-14 23:44:57 +0200
commitd0609ea601f6e0e9fac7cfe622d07e41f0129e89 (patch)
tree7c94c0dabb6d119ee37ee451a72f0791ec5ef93f /src
parent66bee475ae1b1f4b1b4104555b7bb4d38c3e20b6 (diff)
Implemented Zoom/Teams stream type detection
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_typedefs.h23
-rw-r--r--src/lib/ndpi_main.c73
-rw-r--r--src/lib/ndpi_utils.c1
-rw-r--r--src/lib/protocols/rtp.c10
4 files changed, 72 insertions, 35 deletions
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
index b04b8b644..a64601f3d 100644
--- a/src/include/ndpi_typedefs.h
+++ b/src/include/ndpi_typedefs.h
@@ -54,10 +54,17 @@ typedef enum {
} ndpi_log_level_t;
typedef enum {
- ndpi_l4_proto_unknown = 0,
- ndpi_l4_proto_tcp_only,
- ndpi_l4_proto_udp_only,
- ndpi_l4_proto_tcp_and_udp,
+ ndpi_multimedia_unknown_flow = 0,
+ ndpi_multimedia_audio_flow,
+ ndpi_multimedia_video_flow,
+ ndpi_multimedia_screen_sharing_flow,
+} ndpi_multimedia_flow_type;
+
+typedef enum {
+ ndpi_l4_proto_unknown = 0,
+ ndpi_l4_proto_tcp_only,
+ ndpi_l4_proto_udp_only,
+ ndpi_l4_proto_tcp_and_udp,
} ndpi_l4_proto_info;
typedef enum {
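Review bot: The new ndpi_multimedia_flow_type enum has no comment saying what it classifies or who is expected to set it, even though it is written from two different places (the RTP dissector and ndpi_reconcile_protocols). A one-line comment above the typedef would close that gap, e.g. `/* Media class of a conferencing (Zoom / Teams) flow; stays unknown until a dissector has seen a packet it can classify */`. Placing the new enum ahead of ndpi_l4_proto_info rather than after it is harmless, but it makes this hunk read as a rewrite of the existing enum when nothing about ndpi_l4_proto_info changed.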
@@ -1437,6 +1444,14 @@ struct ndpi_flow_struct {
char *nat_ip; /* Via HTTP X-Forwarded-For */
} http;
+ struct {
+ ndpi_multimedia_flow_type flow_type;
+ } skype_teams;
+
+ struct {
+ ndpi_multimedia_flow_type flow_type;
+ } zoom;
+
/*
Put outside of the union to avoid issues in case the protocol
is remapped to something other than Kerberos due to a faulty
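Review bot: The new skype_teams and zoom members are added next to the http member, directly above a comment explaining that the following field was deliberately kept outside the union, which suggests these two sit inside the per-protocol union; the enclosing struct starts and ends outside this hunk, so this needs confirming from the full definition. If they are in the union, flow->zoom.flow_type is written by the RTP dissector while it is still deciding whether the flow is Zoom, and flow->skype_teams.flow_type is written on reclassification, so either store can overlap state that another protocol's member still owns. A comment stating when each member is valid would make the contract explicit either way, e.g. `/* valid only once the flow has been classified as Zoom */` on zoom and the equivalent on skype_teams.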
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 9253d0f2a..b338839c8 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -2889,27 +2889,27 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(ndpi_init_prefs
ndpi_exit_detection_module(ndpi_str);
return(NULL);
}
-
+
ndpi_str->host_risk_mask_automa.ac_automa = ac_automata_init(ac_domain_match_handler);
if(!ndpi_str->host_risk_mask_automa.ac_automa) {
ndpi_exit_detection_module(ndpi_str);
return(NULL);
}
-
+
ndpi_str->common_alpns_automa.ac_automa = ac_automata_init(ac_domain_match_handler);
if(!ndpi_str->common_alpns_automa.ac_automa) {
ndpi_exit_detection_module(ndpi_str);
return(NULL);
}
-
+
load_common_alpns(ndpi_str);
-
+
ndpi_str->tls_cert_subject_automa.ac_automa = ac_automata_init(NULL);
if(!ndpi_str->tls_cert_subject_automa.ac_automa) {
ndpi_exit_detection_module(ndpi_str);
return(NULL);
}
-
+
ndpi_str->malicious_ja3_hashmap = NULL; /* Initialized on demand */
ndpi_str->malicious_sha1_hashmap = NULL; /* Initialized on demand */
ndpi_str->risky_domain_automa.ac_automa = NULL; /* Initialized on demand */
@@ -3214,23 +3214,23 @@ int ndpi_get_automa_stats(struct ndpi_detection_module_struct *ndpi_struct,
case NDPI_AUTOMA_HOST:
ndpi_automa_get_stats(ndpi_struct->host_automa.ac_automa, stats);
return 0;
-
+
case NDPI_AUTOMA_DOMAIN:
ndpi_automa_get_stats(ndpi_struct->risky_domain_automa.ac_automa, stats);
return 0;
-
+
case NDPI_AUTOMA_TLS_CERT:
ndpi_automa_get_stats(ndpi_struct->tls_cert_subject_automa.ac_automa, stats);
return 0;
-
+
case NDPI_AUTOMA_RISK_MASK:
ndpi_automa_get_stats(ndpi_struct->host_risk_mask_automa.ac_automa, stats);
return 0;
-
+
case NDPI_AUTOMA_COMMON_ALPNS:
ndpi_automa_get_stats(ndpi_struct->common_alpns_automa.ac_automa, stats);
return 0;
-
+
default:
return -1;
}
@@ -6036,7 +6036,7 @@ static u_int32_t make_msteams_key(struct ndpi_flow_struct *flow, u_int8_t use_cl
else
key = ntohl(flow->s_address.v4);
}
-
+
return key;
}
@@ -6052,7 +6052,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi
u_int16_t dport = ntohs(flow->s_port);
u_int8_t s_match = ((sport >= 3478) && (sport <= 3481)) ? 1 : 0;
u_int8_t d_match = ((dport >= 3478) && (dport <= 3481)) ? 1 : 0;
-
+
if(s_match || d_match) {
ndpi_int_change_protocol(ndpi_str, flow,
NDPI_PROTOCOL_SKYPE_TEAMS, flow->detected_protocol_stack[1],
@@ -6065,7 +6065,7 @@ static void ndpi_reconcile_msteams_udp(struct ndpi_detection_module_struct *ndpi
ndpi_get_current_time(flow));
}
- }
+ }
}
/* ********************************************************************************* */
@@ -6077,22 +6077,13 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
/* This function can NOT access &ndpi_str->packet since it is called also from ndpi_detection_giveup() */
-#if 0
- if(flow) {
- /* Do not go for DNS when there is an application protocol. Example DNS.Apple */
- if((flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN)
- && (flow->detected_protocol_stack[0] /* app */ != flow->detected_protocol_stack[1] /* major */))
- NDPI_CLR_BIT(flow->risk, NDPI_SUSPICIOUS_DGA_DOMAIN);
- }
-#endif
-
// printf("====>> %u.%u [%u]\n", ret->master_protocol, ret->app_protocol, flow->detected_protocol_stack[0]);
switch(ret->app_protocol) {
case NDPI_PROTOCOL_MICROSOFT_AZURE:
ndpi_reconcile_msteams_udp(ndpi_str, flow);
break;
-
+
/*
Skype for a host doing MS Teams means MS Teams
(MS Teams uses Skype as transport protocol for voice/video)
@@ -6113,7 +6104,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
if(flow && (flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_MICROSOFT_AZURE))
ndpi_reconcile_msteams_udp(ndpi_str, flow);
break;
-
+
case NDPI_PROTOCOL_NETFLOW:
case NDPI_PROTOCOL_SFLOW:
case NDPI_PROTOCOL_RTP:
@@ -6138,7 +6129,7 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
&& ndpi_str->msteams_cache
) {
u_int16_t dummy;
-
+
if(ndpi_lru_find_cache(ndpi_str->msteams_cache,
make_msteams_key(flow, 1 /* client */),
&dummy, 0 /* Don't remove it as it can be used for other connections */,
@@ -6146,10 +6137,10 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
ndpi_int_change_protocol(ndpi_str, flow,
NDPI_PROTOCOL_SKYPE_TEAMS, NDPI_PROTOCOL_TLS,
NDPI_CONFIDENCE_DPI_PARTIAL);
- }
+ }
}
break;
-
+
case NDPI_PROTOCOL_SKYPE_TEAMS:
case NDPI_PROTOCOL_SKYPE_TEAMS_CALL:
if(flow->l4_proto == IPPROTO_UDP && ndpi_str->msteams_cache) {
@@ -6167,6 +6158,32 @@ static void ndpi_reconcile_protocols(struct ndpi_detection_module_struct *ndpi_s
ndpi_get_current_time(flow));
}
}
+
+ if(ret->app_protocol == NDPI_PROTOCOL_SKYPE_TEAMS_CALL) {
+ struct ndpi_packet_struct *packet = &ndpi_str->packet;
+
+ if((packet != NULL) && (packet->udp != NULL)) {
+ u_int16_t sport = ntohs(packet->udp->source);
+ u_int16_t dport = ntohs(packet->udp->dest);
+
+ /*
+ https://extremeportal.force.com/ExtrArticleDetail?an=000101782
+
+ Audio: UDP 50000-50019; 3478; 3479
+ Video: UDP 50020-50039; 3480
+ Sharing: UDP 50040-50059; 3481
+ */
+
+ if((dport == 3478) || (dport == 3479) || ((sport >= 50000) && (sport <= 50019)))
+ flow->skype_teams.flow_type = ndpi_multimedia_audio_flow;
+ else if((dport == 3480) || ((sport >= 50020) && (sport <= 50039)))
+ flow->skype_teams.flow_type = ndpi_multimedia_video_flow;
+ else if((dport == 3481) || ((sport >= 50040) && (sport <= 50059)))
+ flow->skype_teams.flow_type = ndpi_multimedia_screen_sharing_flow;
+ else
+ flow->skype_teams.flow_type = ndpi_multimedia_unknown_flow;
+ }
+ }
break;
case NDPI_PROTOCOL_RDP:
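Review bot: The port classification on the new lines only matches the client-to-server direction: 3478-3481 is tested as dport and 50000-50059 as sport, so a packet sent by the server side (sport 3478, dport in 50000-50019) falls through to the final else and resets flow->skype_teams.flow_type to unknown, undoing an earlier correct classification if this block runs on more than one packet of the flow. Classifying on whichever of the two ports falls in the service ranges, and never downgrading a type already learned, avoids that. Separately, `packet != NULL` is always true because packet is `&ndpi_str->packet`, and the comment at the top of ndpi_reconcile_protocols says the function must not access ndpi_str->packet because it is also reached from ndpi_detection_giveup(), where packet->udp may describe some earlier packet rather than this flow; the guard should be replaced by one that establishes a current packet for this flow, or the classification moved into the dissector. ndpi_reconcile_protocols starts and ends outside this hunk.
```c
if((packet != NULL) && (packet->udp != NULL)) {
  u_int16_t sport = ntohs(packet->udp->source);
  u_int16_t dport = ntohs(packet->udp->dest);
  /* The well-known side (3478-3481 or 50000-50059) is the source or the
     destination depending on who sent this packet: pick whichever matches */
  u_int16_t svc = (((sport >= 3478) && (sport <= 3481)) || ((sport >= 50000) && (sport <= 50059))) ? sport : dport;
  ndpi_multimedia_flow_type t = ndpi_multimedia_unknown_flow;

  if((svc == 3478) || (svc == 3479) || ((svc >= 50000) && (svc <= 50019)))
    t = ndpi_multimedia_audio_flow;
  else if((svc == 3480) || ((svc >= 50020) && (svc <= 50039)))
    t = ndpi_multimedia_video_flow;
  else if((svc == 3481) || ((svc >= 50040) && (svc <= 50059)))
    t = ndpi_multimedia_screen_sharing_flow;

  /* Never overwrite a type learned from an earlier packet with unknown */
  if(t != ndpi_multimedia_unknown_flow)
    flow->skype_teams.flow_type = t;
}
```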
@@ -8057,7 +8074,7 @@ ndpi_protocol ndpi_guess_undetected_protocol_v4(struct ndpi_detection_module_str
return(ret);
}
}
-
+
return(ndpi_guess_undetected_protocol(ndpi_str, flow, proto));
}
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 10328380c..8356c39b3 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2995,3 +2995,4 @@ char* ndpi_intoav4(unsigned int addr, char* buf, u_int16_t bufLen) {
return(cp);
}
+
diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
index a0d6352f7..c727cca58 100644
--- a/src/lib/protocols/rtp.c
+++ b/src/lib/protocols/rtp.c
@@ -105,7 +105,8 @@ PACK_ON struct zoom_media_encapsulation {
#define ZOOM_PORT 8801
-static u_int8_t isZoom(u_int16_t sport, u_int16_t dport,
+static u_int8_t isZoom(struct ndpi_flow_struct *flow,
+ u_int16_t sport, u_int16_t dport,
const u_int8_t *payload, const u_int16_t payloadLen,
u_int8_t *is_rtp, u_int8_t *zoom_stream_type,
u_int16_t *payload_offset) {
@@ -118,7 +119,7 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport,
if((sport == ZOOM_PORT) || (dport == ZOOM_PORT)) {
struct zoom_sfu_encapsulation *enc = (struct zoom_sfu_encapsulation*)payload;
- /* traceEvent(TRACE_NORMAL, "==> %u <-> %u [type: %u]", sport, dport, enc->sfu_type); */
+ /* printf("==> %u <-> %u [type: %u]\n", sport, dport, enc->sfu_type); */
if((enc->sfu_type >= 3) && (enc->sfu_type <= 5)) {
struct zoom_media_encapsulation *enc = (struct zoom_media_encapsulation*)(&payload[sizeof(struct zoom_sfu_encapsulation)]);
@@ -130,16 +131,19 @@ static u_int8_t isZoom(u_int16_t sport, u_int16_t dport,
case 30: /* Screen Share */
*is_rtp = 0;
*payload_offset = 27;
+ flow->zoom.flow_type = ndpi_multimedia_screen_sharing_flow;
break;
case 15: /* Audio */
*is_rtp = 1;
*payload_offset = 27;
+ flow->zoom.flow_type = ndpi_multimedia_audio_flow;
break;
case 16: /* Video */
*is_rtp = 1;
*payload_offset = 32;
+ flow->zoom.flow_type = ndpi_multimedia_video_flow;
break;
case 33: /* RTCP */
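Review bot: flow->zoom.flow_type is stored on the new lines as soon as a 15/16/30 media type is decoded, before isZoom has returned and before ndpi_rtp_search has acted on its result, so a non-Zoom flow on port 8801 whose payload happens to carry those byte values gets a Zoom media class recorded on it; setting it on the success path only, or letting the caller derive it from the zoom_stream_type out-parameter isZoom already exposes, keeps the write tied to the classification. The media type driving these assignments is read through the casts on the context lines (enc at payload[0], then at payload[sizeof(struct zoom_sfu_encapsulation)]), and the start of isZoom is outside this hunk, so I cannot see whether payloadLen is checked against those struct sizes first — if it is not, the new stores are driven by bytes past the end of the packet. The RTCP (33) and default branches leave flow_type untouched, which relies on the struct being zero-initialised to read as unknown; a comment such as `/* not a media stream: leave flow_type as previously learned */` would document that intent.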
@@ -181,7 +185,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
return;
}
- if(isZoom(s_port, d_port, payload, payload_len,
+ if(isZoom(flow, s_port, d_port, payload, payload_len,
&is_rtp, &zoom_stream_type, &payload_offset)) {
if(payload_offset < payload_len) {
/*