RTP: fix detection over TCP (#2462)

RFC4571 is not the only way to wrap RTP messages in TCP streams. For example, when RTP is encapsulated over TURN flows (i.e. via DATA attribute) there is no additional framing. See also 6127e04
ntop · May 29, 2024 · 81e42b7 · 81e42b7
1 parent 6127e04
commit 81e42b7
Show file tree

Hide file tree

Showing 9 changed files with 54 additions and 21 deletions.
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
@@ -648,7 +648,8 @@ const uint8_t *get_crypto_data(struct ndpi_detection_module_struct *ndpi_struct,
 
 /* RTP */
 int is_valid_rtp_payload_type(uint8_t type);
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *seq);
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
+                   const u_int8_t *payload, u_int16_t payload_len, u_int16_t *seq);
 u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type);
 
 /* Bittorrent */

diff --git a/src/lib/protocols/line.c b/src/lib/protocols/line.c
@@ -83,7 +83,7 @@ static void ndpi_search_line(struct ndpi_detection_module_struct *ndpi_struct,
       /* It might be a RTP/RTCP packet. Ignore it and keep looking for the
          LINE packet numbers */
       /* Basic RTP detection */
-      rc = is_rtp_or_rtcp(ndpi_struct, NULL);
+      rc = is_rtp_or_rtcp(ndpi_struct, packet->payload, packet->payload_packet_len, NULL);
       if(rc == IS_RTCP || rc == IS_RTP) {
         if(flow->packet_counter < 10) {
           NDPI_LOG_DBG(ndpi_struct, "Probably RTP; keep looking for LINE\n");

diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
@@ -83,23 +83,16 @@ static int is_valid_rtcp_payload_type(uint8_t type) {
   return (type >= 192 && type <= 213);
 }
 
-int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t *seq)
+int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
+                   const u_int8_t *payload, u_int16_t payload_len, u_int16_t *seq)
 {
-  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   u_int8_t csrc_count, ext_header;
   u_int16_t ext_len;
   u_int32_t min_len;
-  const u_int8_t *payload = packet->payload;
-  u_int16_t payload_len = packet->payload_packet_len;
 
   if(payload_len < 2)
     return NO_RTP_RTCP;
 
-  if(packet->tcp != NULL) {
-    payload_len -= 2;
-    payload += 2; /* Skip the length field */
-  }
-
   if((payload[0] & 0xC0) != 0x80) { /* Version 2 */
     NDPI_LOG_DBG(ndpi_struct, "Not version 2\n");
     return NO_RTP_RTCP;
@@ -149,10 +142,12 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
   u_int8_t is_rtp;
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
   const u_int8_t *payload = packet->payload;
+  u_int16_t payload_len = packet->payload_packet_len;
   u_int16_t seq;
 
   if(packet->tcp != NULL) {
       payload += 2; /* Skip the length field */
+      payload_len -= 2;
   }
   NDPI_LOG_DBG(ndpi_struct, "search RTP (stage %d/%d)\n", flow->rtp_stage, flow->rtcp_stage);
 
@@ -169,7 +164,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct,
     return;
   }
 
-  is_rtp = is_rtp_or_rtcp(ndpi_struct, &seq);
+  is_rtp = is_rtp_or_rtcp(ndpi_struct, payload, payload_len, &seq);
 
   if(is_rtp == IS_RTP) {
     if(flow->rtp_stage == 2) {

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -796,7 +796,7 @@ static int stun_search_again(struct ndpi_detection_module_struct *ndpi_struct,
     NDPI_LOG_DBG(ndpi_struct, "QUIC range. Unexpected\n");
   } else if(first_byte <= 191) {
 
-    rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, NULL);
+    rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, packet->payload, packet->payload_packet_len, NULL);
     if(rtp_rtcp == IS_RTP) {
       NDPI_LOG_DBG(ndpi_struct, "RTP (dir %d)\n", packet->packet_direction);
       NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n");

diff --git a/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/default/pcap/stun_dtls_rtp.pcapng
diff --git a/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/default/result/stun_dtls_rtp.pcapng.out
@@ -1,9 +1,10 @@
+DPI Packets (TCP):	11	(11.00 pkts/flow)
 DPI Packets (UDP):	17	(17.00 pkts/flow)
-Confidence DPI              : 1 (flows)
-Num dissector calls: 6 (6.00 diss/flow)
+Confidence DPI              : 2 (flows)
+Num dissector calls: 13 (6.50 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
-LRU cache stun:       4/0/0 (insert/search/found)
+LRU cache stun:       7/0/0 (insert/search/found)
 LRU cache tls_cert:   0/1/0 (insert/search/found)
 LRU cache mining:     0/0/0 (insert/search/found)
 LRU cache msteams:    0/0/0 (insert/search/found)
@@ -17,16 +18,17 @@ Patricia risk mask:   2/0 (search/found)
 Patricia risk mask IPv6: 0/0 (search/found)
 Patricia risk:        0/0 (search/found)
 Patricia risk IPv6:   0/0 (search/found)
-Patricia protocols:   1/1 (search/found)
+Patricia protocols:   2/2 (search/found)
 Patricia protocols IPv6: 0/0 (search/found)
 
-GoogleCall	39	8413	1
+GoogleCall	102	26347	2
 
-Acceptable                      39 8413          1            
+Acceptable                     102 26347         2            
 
 JA3 Host Stats: 
 		 IP Address                  	 # JA3C     
 	1	 192.168.12.156           	 1      
 
 
-	1	UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 17][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
+	1	TCP 192.168.12.182:50221 <-> 142.250.82.249:3478 [proto: 78.404/STUN.GoogleCall][IP: 126/Google][ClearText][Confidence: DPI][DPI packets: 11][cat: VoIP/10][28 pkts/3492 bytes <-> 35 pkts/14442 bytes][Goodput ratio: 56/87][0.89 sec][Hostname/SNI: turn.l.google.com][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 55/55 17/18][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 125/413 250/1162 71/442][Mapped IP/Port: 93.35.170.27:64994][Peer IP/Port: 10.13.0.50:1259][Relayed IP/Port: 10.13.0.62:15530][PLAIN TEXT (Lvsrdelc)][Plen Bins: 2,2,12,15,21,10,2,0,0,0,5,0,0,0,0,0,0,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Encrypted][Confidence: DPI][DPI packets: 17][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]
diff --git a/tests/cfgs/stun_extra_dissection/config.txt b/tests/cfgs/stun_extra_dissection/config.txt
@@ -1 +1 @@
---cfg=stun,max_packets_extra_dissection,255
+--cfg=stun,max_packets_extra_dissection,255 -U 0 -T 0 --cfg=packets_limit_per_flow,255
diff --git a/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng b/tests/cfgs/stun_extra_dissection/pcap/stun_dtls_rtp.pcapng
@@ -0,0 +1 @@
+../../default/pcap/stun_dtls_rtp.pcapng
diff --git a/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out b/tests/cfgs/stun_extra_dissection/result/stun_dtls_rtp.pcapng.out
@@ -0,0 +1,34 @@
+DPI Packets (TCP):	63	(63.00 pkts/flow)
+DPI Packets (UDP):	39	(39.00 pkts/flow)
+Confidence DPI              : 2 (flows)
+Num dissector calls: 13 (6.50 diss/flow)
+LRU cache ookla:      0/0/0 (insert/search/found)
+LRU cache bittorrent: 0/0/0 (insert/search/found)
+LRU cache stun:       42/0/0 (insert/search/found)
+LRU cache tls_cert:   0/1/0 (insert/search/found)
+LRU cache mining:     0/0/0 (insert/search/found)
+LRU cache msteams:    0/0/0 (insert/search/found)
+LRU cache stun_zoom:  0/0/0 (insert/search/found)
+Automa host:          0/0 (search/found)
+Automa domain:        0/0 (search/found)
+Automa tls cert:      0/0 (search/found)
+Automa risk mask:     0/0 (search/found)
+Automa common alpns:  0/0 (search/found)
+Patricia risk mask:   2/0 (search/found)
+Patricia risk mask IPv6: 0/0 (search/found)
+Patricia risk:        0/0 (search/found)
+Patricia risk IPv6:   0/0 (search/found)
+Patricia protocols:   2/2 (search/found)
+Patricia protocols IPv6: 0/0 (search/found)
+
+GoogleCall	102	26347	2
+
+Acceptable                     102 26347         2            
+
+JA3 Host Stats: 
+		 IP Address                  	 # JA3C     
+	1	 192.168.12.156           	 1      
+
+
+	1	TCP 192.168.12.182:50221 <-> 142.250.82.249:3478 [proto: 338.404/SRTP.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][DPI packets: 63][cat: VoIP/10][28 pkts/3492 bytes <-> 35 pkts/14442 bytes][Goodput ratio: 56/87][0.89 sec][Hostname/SNI: turn.l.google.com][bytes ratio: -0.611 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 11/13 55/55 17/18][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 125/413 250/1162 71/442][Mapped IP/Port: 10.13.0.62:15530][Peer IP/Port: 10.13.0.50:1259][Relayed IP/Port: 10.13.0.62:15530][PLAIN TEXT (Lvsrdelc)][Plen Bins: 2,2,12,15,21,10,2,0,0,0,5,0,0,0,0,0,0,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	2	UDP 192.168.12.156:37967 <-> 142.250.82.76:19305 [proto: 30.404/DTLS.GoogleCall][IP: 126/Google][Stream Content: Audio][Encrypted][Confidence: DPI][DPI packets: 39][cat: VoIP/10][25 pkts/4202 bytes <-> 14 pkts/4211 bytes][Goodput ratio: 75/86][0.88 sec][bytes ratio: -0.001 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 37/35 203/107 47/36][Pkt Len c2s/s2c min/avg/max/stddev: 103/82 168/301 587/1245 125/320][Mapped IP/Port: 93.35.171.3:61536][DTLSv1.2][JA3C: c14667d7da3e6f7a7ab5519ef78c2452][JA4: dd2d110700_c45550529adf_d9dd6182da81][JA3S: 1f5d6a6d0bc5d514dd84d13e6283d309][Issuer: CN=hangouts][Subject: CN=hangouts][Certificate SHA-1: AF:DD:BF:F5:59:23:0C:D1:B0:9F:B1:04:2E:89:DF:4C:1B:AB:BE:CC][Validity: 2022-11-30 17:35:18 - 2023-12-01 17:35:18][Cipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256][PLAIN TEXT (ShSURJhNF)][Plen Bins: 0,5,47,30,2,0,0,0,0,0,0,0,0,2,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]