From d4650f0f817c8d1663284b7dd225df802104a60b Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Thu, 9 May 2024 21:18:18 +0200
Subject: Raknet/RTP: avoid Raknet false positives and harden RTP heuristic (#2427)

There is some overlap between RTP and Raknet detection: give precedence to RTP logic.
Consequences:
* Raknet might require a little bit more packets for some flows (not a big issue)
* some very small (1-2 pkts) Raknet flows are not classified (not sure what do do about that..)
---
 src/lib/protocols/raknet.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'src/lib/protocols/raknet.c')
diff --git a/src/lib/protocols/raknet.c b/src/lib/protocols/raknet.c
index 8aeaddc2d..b11107ec3 100644
--- a/src/lib/protocols/raknet.c
+++ b/src/lib/protocols/raknet.c
@@ -294,7 +294,9 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct,
 /* We've dissected enough to be sure. */
 if (frame_offset == packet->payload_packet_len) {
- ndpi_int_raknet_add_connection(ndpi_struct, flow);
+ /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */
+ if(flow->l4.udp.rtp_stage == 0 && flow->l4.udp.rtcp_stage == 0)
+ ndpi_int_raknet_add_connection(ndpi_struct, flow);
 } else {
 exclude_proto(ndpi_struct, flow);
 }
@@ -363,7 +365,9 @@ static void ndpi_search_raknet(struct ndpi_detection_module_struct *ndpi_struct,
 if (record_index == record_count && record_offset == packet->payload_packet_len) {
- ndpi_int_raknet_add_connection(ndpi_struct, flow);
+ /* This packet might also be a RTP/RTCP one: give precedence to RTP/RTCP dissector */
+ if(flow->l4.udp.rtp_stage == 0 && flow->l4.udp.rtcp_stage == 0)
+ ndpi_int_raknet_add_connection(ndpi_struct, flow);
 } else {
 exclude_proto(ndpi_struct, flow);
 }
-- 
cgit v1.2.3
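Review bot: When `rtp_stage` or `rtcp_stage` is non-zero, the new guard in the `frame_offset == packet->payload_packet_len` branch neither classifies nor excludes, so the Raknet verdict now depends on the RTP/RTCP dissector having already run on the same packet and on its stage counters returning to 0 once it gives up; neither is visible in this hunk. If a counter can stay non-zero after RTP has been ruled out, a flow whose first packets merely resemble RTP would stay unclassified as Raknet, which is a detection gap for anyone enforcing policy on the classification result. I would state the assumption next to the check, e.g. `/* RTP/RTCP still undecided: defer; assumes the RTP dissector ran first and clears its stage when it excludes itself */`, and brace the inner `if` to match the surrounding `{ ... } else {` style. The identical guard and comment are repeated in the second hunk (the `record_index == record_count` branch), so a small `static` helper would keep the two copies in step. The body of `ndpi_search_raknet` starts and ends outside both hunks.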