diff options
| -rw-r--r-- | src/lib/protocols/http.c | 13 | ||||
| -rw-r--r-- | src/lib/protocols/rtsp.c | 3 | ||||
| -rw-r--r-- | tests/pcap/rtsp.pcap | bin | 0 -> 119892 bytes | |||
| -rw-r--r-- | tests/result/rtsp.pcap.out | 13 |
4 files changed, 26 insertions, 3 deletions
diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index 647bd6c2b..a2dd25f3c 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -963,8 +963,17 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct NDPI_EXCLUDE_PROTO(ndpi_struct, flow); http_bitmask_exclude_other(flow); return; - } else - ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB); + } else { + /* This check is required as RTSP is pretty similiar to HTTP (prevent false-positives). */ + if (strncmp((const char *)packet->payload + filename_start, + "rtsp://", ndpi_min(7, packet->payload_packet_len - filename_start)) == 0) + { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + } else { + ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP, NDPI_PROTOCOL_CATEGORY_WEB); + } + } NDPI_LOG_DBG2(ndpi_struct, "Filename HTTP found: %d, we look for line info..\n", filename_start); diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c index 033c5c324..5a14f1d83 100644 --- a/src/lib/protocols/rtsp.c +++ b/src/lib/protocols/rtsp.c @@ -51,8 +51,8 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct { ndpi_parse_packet_line_info(ndpi_struct, flow); } + if (packet->parsed_lines > 0 && - LINE_STARTS(packet->line[0], "SETUP rtsp://") != 0 && LINE_ENDS(packet->line[0], "RTSP/1.0") != 0) { ndpi_int_rtsp_add_connection(ndpi_struct, flow); @@ -102,6 +102,7 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct return; } } + if (packet->udp != NULL && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN && ((NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP) == 0) || (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTCP) == 0) diff --git a/tests/pcap/rtsp.pcap b/tests/pcap/rtsp.pcap Binary files differnew file mode 100644 index 000000000..3b431aa5f --- /dev/null +++ b/tests/pcap/rtsp.pcap diff --git a/tests/result/rtsp.pcap.out b/tests/result/rtsp.pcap.out new file mode 100644 index 000000000..5c9fec522 --- /dev/null +++ b/tests/result/rtsp.pcap.out @@ -0,0 +1,13 @@ +Guessed flow protos: 0 + +DPI Packets (TCP): 87 (12.43 pkts/flow) + +RTSP 568 100872 7 + + 1 TCP 10.1.1.10:52478 <-> 10.2.2.2:8554 [proto: 50/RTSP][cat: Media/1][44 pkts/6374 bytes <-> 60 pkts/11092 bytes][Goodput ratio: 59/68][59.02 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1730/3 58323/42 9852/8][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 145/185 257/751 77/190][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (OPTIONS rtsp)][Plen Bins: 0,0,0,16,25,8,16,0,16,0,8,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 2 TCP 10.1.1.10:52472 <-> 10.2.2.2:8554 [proto: 50/RTSP][cat: Media/1][40 pkts/6114 bytes <-> 56 pkts/10878 bytes][Goodput ratio: 62/70][58.23 sec][bytes ratio: -0.280 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1872/2 58022/20 10252/6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 153/194 258/751 77/194][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (OPTIONS rtsp)][Plen Bins: 0,0,0,16,25,8,16,0,16,0,8,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 3 TCP 10.1.1.10:52480 <-> 10.2.2.2:8554 [proto: 50/RTSP][cat: Media/1][40 pkts/6114 bytes <-> 52 pkts/10628 bytes][Goodput ratio: 62/71][59.74 sec][bytes ratio: -0.270 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1921/2 59529/21 10518/6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 153/204 258/751 77/198][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (OPTIONS rtsp)][Plen Bins: 0,0,0,16,25,8,16,0,16,0,8,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 4 TCP 10.1.1.10:52476 <-> 10.2.2.2:8554 [proto: 50/RTSP][cat: Media/1][44 pkts/5778 bytes <-> 52 pkts/10636 bytes][Goodput ratio: 55/71][7.66 sec][bytes ratio: -0.296 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 3/2 63/20 12/6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 131/205 258/751 79/198][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (OPTIONS rtsp)][Plen Bins: 0,0,0,18,18,9,18,0,18,0,9,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 5 TCP 10.1.1.10:52474 <-> 10.2.2.2:8554 [proto: 50/RTSP][cat: Media/1][40 pkts/6114 bytes <-> 44 pkts/10152 bytes][Goodput ratio: 62/75][58.31 sec][bytes ratio: -0.248 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1816/2 58099/23 10109/6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 153/231 258/751 77/204][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (OPTIONS rtsp)][Plen Bins: 0,0,0,16,25,8,16,0,16,0,8,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 6 TCP 10.1.1.10:52482 <-> 10.2.2.2:8554 [proto: 50/RTSP][cat: Media/1][36 pkts/5294 bytes <-> 48 pkts/10394 bytes][Goodput ratio: 60/73][0.20 sec][bytes ratio: -0.325 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/2 6/20 1/6][Pkt Len c2s/s2c min/avg/max/stddev: 56/56 147/217 258/751 79/201][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (OPTIONS rtsp)][Plen Bins: 0,0,0,18,18,9,18,0,18,0,9,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] + 7 TCP 10.1.1.10:52470 <-> 10.2.2.2:8554 [proto: 50/RTSP][cat: Media/1][4 pkts/820 bytes <-> 8 pkts/484 bytes][Goodput ratio: 73/0][< 1 sec][bytes ratio: 0.258 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 0/0 0/0 0/0][Pkt Len c2s/s2c min/avg/max/stddev: 205/56 205/60 205/62 0/3][Risk: ** Known protocol on non standard port **][Risk Score: 10][PLAIN TEXT (PARAMETER rtsp)][Plen Bins: 0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] |