From 252be78acce7d286f3a40924b98abcf8ecb72f79 Mon Sep 17 00:00:00 2001
From: Ivan Nardi <12729895+IvanNardi@users.noreply.github.com>
Date: Tue, 14 Jan 2025 17:33:34 +0100
Subject: STUN: improve detection of Telegram calls (#2671)
---
 src/lib/protocols/telegram.c | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'src/lib/protocols/telegram.c')
diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c
index 23f7cca51..affeede36 100644
--- a/src/lib/protocols/telegram.c
+++ b/src/lib/protocols/telegram.c
@@ -93,6 +93,14 @@ static void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struc
 if(found == 12) {
 ndpi_int_telegram_add_connection(ndpi_struct, flow, NDPI_CONFIDENCE_DPI);
+ /* It seems this kind of traffic is used:
+ * for "normal" stuff (at least years ago... and now? TODO)
+ * for calls, as a custom encapsulation of STUN/DTLS/RTP packets
+ Since we are not able to tell the former from the latter, always
+ switch to STUN dissection. If we find STUN/DTLS/RTP stuff we will
+ update the classification to something like STUN/Telegram_voip,
+ otherwise it will remain Telegram */
+ switch_extra_dissection_to_stun(ndpi_struct, flow, 0);
 return;
 }
 }
-- 
cgit v1.2.3
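Review bot: The bare `0` passed as the third argument in `switch_extra_dissection_to_stun(ndpi_struct, flow, 0);` is not explained in this hunk, and the function is defined outside this file, so a reader cannot tell which STUN behaviour it selects for Telegram flows. A trailing comment naming the parameter would fix that, e.g. `switch_extra_dissection_to_stun(ndpi_struct, flow, 0 /* <parameter name>: <what 0 selects> */);`. Because the new comment says the two kinds of traffic cannot be told apart, every flow that reaches `found == 12` is now handed to extra STUN dissection on sender-controlled payload. Whether that is bounded by a packet limit is presumably decided inside the STUN code and is worth confirming and stating here, together with an issue reference for the open `TODO`. The body of `ndpi_search_telegram` starts and ends outside the hunk.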