STUN: tell RTP from RTCP while in monitoring state (#2027)

ntop · Jun 27, 2023 · 86e89b4 · 86e89b4
1 parent 2c7fb91
commit 86e89b4
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 24 deletions.
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h
@@ -671,6 +671,12 @@ typedef enum {
   NDPI_PTREE_MAX	/* Last one! */
 } ptree_type;
 
+enum {
+  NO_RTP_RTCP = 0,
+  IS_RTP = 1,
+  IS_RTCP = 2,
+};
+
 typedef enum {
   NDPI_AUTOMA_HOST = 0,
   NDPI_AUTOMA_DOMAIN,

diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c
@@ -31,12 +31,6 @@
 #define RTP_MIN_HEADER	12
 #define RTCP_MIN_HEADER	8
 
-enum {
-  NO_RTP_RTCP = 0,
-  IS_RTP = 1,
-  IS_RTCP = 2,
-};
-
 /* https://www.iana.org/assignments/rtp-parameters/rtp-parameters.xhtml */
 int is_valid_rtp_payload_type(uint8_t type)
 {

diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -38,12 +38,16 @@
 
 extern void switch_to_tls(struct ndpi_detection_module_struct *ndpi_struct,
 			  struct ndpi_flow_struct *flow);
+extern int is_rtp_or_rtcp(struct ndpi_detection_module_struct *ndpi_struct,
+                          struct ndpi_flow_struct *flow);
+extern u_int8_t rtp_get_stream_type(u_int8_t payloadType, ndpi_multimedia_flow_type *s_type);
 extern int is_dtls(const u_int8_t *buf, u_int32_t buf_len, u_int32_t *block_len);
 
 static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct,
                            struct ndpi_flow_struct *flow)
 {
   struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+  int rtp_rtcp;
   u_int8_t first_byte;
 
 #ifdef DEBUG_MONITORING
@@ -56,22 +60,67 @@ static int stun_monitoring(struct ndpi_detection_module_struct *ndpi_struct,
   first_byte = packet->payload[0];
 
   /* draft-ietf-avtcore-rfc7983bis */
-  if(first_byte >= 128 && first_byte <= 191) { /* TODO: should we tell RTP from RTCP? */
-    NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n");
-    if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) {
-      /* STUN/SUBPROTO -> SUBPROTO/RTP */
-      ndpi_set_detected_protocol(ndpi_struct, flow,
-                                 NDPI_PROTOCOL_RTP, flow->detected_protocol_stack[0],
-                                 NDPI_CONFIDENCE_DPI);
+  if(first_byte <= 3) {
+#ifdef DEBUG_MONITORING
+    printf("[STUN-MON] Still STUN\n");
+#endif
+    return 1;
+  } else if(first_byte <= 19) {
+#ifdef DEBUG_MONITORING
+    printf("[STUN-MON] DROP or ZRTP range. Unexpected but keep looking\n");
+#endif
+    return 1;
+  } else if(first_byte <= 63) {
+#ifdef DEBUG_MONITORING
+    printf("[STUN-MON] DTLS\n");
+#endif
+    /* TODO */
+    return 1;
+  } else if(first_byte <= 127) {
+#ifdef DEBUG_MONITORING
+    printf("[STUN-MON] QUIC or TURN range. Unexpected but keep looking\n");
+#endif
+    return 1;
+  } else if(first_byte <= 191) {
+
+    rtp_rtcp = is_rtp_or_rtcp(ndpi_struct, flow);
+    if(rtp_rtcp == IS_RTP) {
+#ifdef DEBUG_MONITORING
+      printf("[STUN-MON] RTP (dir %d)\n", packet->packet_direction);
+#endif
+      NDPI_LOG_INFO(ndpi_struct, "Found RTP over STUN\n");
+
+      rtp_get_stream_type(packet->payload[1] & 0x7F, &flow->flow_multimedia_type);
+
+      if(flow->detected_protocol_stack[1] != NDPI_PROTOCOL_UNKNOWN) {
+        /* STUN/SUBPROTO -> SUBPROTO/RTP */
+        ndpi_set_detected_protocol(ndpi_struct, flow,
+                                   NDPI_PROTOCOL_RTP, flow->detected_protocol_stack[0],
+                                   NDPI_CONFIDENCE_DPI);
+      } else {
+        /* STUN -> STUN/RTP */
+        ndpi_set_detected_protocol(ndpi_struct, flow,
+                                   NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_STUN,
+                                   NDPI_CONFIDENCE_DPI);
+      }
+      return 0; /* Stop */
+    } else if(rtp_rtcp == IS_RTCP) {
+#ifdef DEBUG_MONITORING
+      printf("[STUN-MON] RTCP\n");
+#endif
+      return 1;
     } else {
-      /* STUN -> STUN/RTP */
-      ndpi_set_detected_protocol(ndpi_struct, flow,
-                                 NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_STUN,
-                                 NDPI_CONFIDENCE_DPI);
+#ifdef DEBUG_MONITORING
+      printf("[STUN-MON] Unexpected\n");
+#endif
+      return 1;
     }
-    return 0; /* Stop */
+  } else {
+#ifdef DEBUG_MONITORING
+    printf("[STUN-MON] QUIC range. Unexpected but keep looking\n");
+#endif
+    return 1;
   }
-  return 1; /* Keep going */
 }
 
 /* ************************************************************ */

diff --git a/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out b/tests/cfgs/default/result/lru_ipv6_caches.pcapng.out
@@ -1,7 +1,7 @@
 Guessed flow protos:	3
 
 DPI Packets (TCP):	9	(3.00 pkts/flow)
-DPI Packets (UDP):	37	(4.11 pkts/flow)
+DPI Packets (UDP):	39	(4.33 pkts/flow)
 Confidence DPI (cache)      : 6 (flows)
 Confidence DPI              : 6 (flows)
 Num dissector calls: 762 (63.50 diss/flow)
@@ -24,14 +24,14 @@ Patricia protocols:   0/0 (search/found)
 
 BitTorrent	25	4546	5
 WhatsAppCall	24	3996	3
-RTP	30	3450	1
+STUN	30	3450	1
 Cloudflare	9	8862	3
 
 JA3 Host Stats: 
 		 IP Address                  	 # JA3C     
 
 
-	1	UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78.87/STUN.RTP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 13][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	1	UDP [32fb:f967:681e:e96b:face:b00c::74fd]:3478 <-> [20ed:470f:6f73:ce60:60be:8b4f:df37:b080]:45658 [proto: 78/STUN][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 15][cat: Network/14][14 pkts/1612 bytes <-> 16 pkts/1838 bytes][Goodput ratio: 46/46][2.71 sec][bytes ratio: -0.066 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 12/1 188/155 778/396 231/147][Pkt Len c2s/s2c min/avg/max/stddev: 84/84 115/115 214/206 44/39][PLAIN TEXT (4/WtFTidwfa)][Plen Bins: 46,23,16,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	2	TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44144 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.16 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
 	3	TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44150 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]
 	4	TCP [2001:db8:200::1]:443 -> [2001:db8:1::1]:44192 [proto: 91.220/TLS.Cloudflare][IP: 0/Unknown][Encrypted][Confidence: DPI (cache)][DPI packets: 3][cat: Web/5][3 pkts/2954 bytes -> 0 pkts/0 bytes][Goodput ratio: 92/0][0.15 sec][(Negotiated) ALPN: h2][Risk: ** Unidirectional Traffic **][Risk Score: 10][Risk Info: No client to server traffic][TLSv1.2][ServerNames: *.bikroy.com,sni.cloudflaressl.com,bikroy.com][JA3S: 9ebc57def2efb523f25c77af13aa6d48][Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3][Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com][Certificate SHA-1: FA:93:76:9C:39:4D:08:97:FA:8F:CE:80:E4:7A:8F:8E:CF:71:30:A0][Validity: 2021-06-29 00:00:00 - 2022-06-28 23:59:59][Cipher: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256][Plen Bins: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0]

diff --git a/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out b/tests/cfgs/enable_stun_monitoring_with_subproto/result/wa_voice.pcap.out
@@ -1,7 +1,7 @@
 Guessed flow protos:	8
 
 DPI Packets (TCP):	20	(3.33 pkts/flow)
-DPI Packets (UDP):	100	(4.76 pkts/flow)
+DPI Packets (UDP):	102	(4.86 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
 Confidence DPI              : 27 (flows)
@@ -48,7 +48,7 @@ JA3 Host Stats:
 	3	UDP 91.252.56.51:32704 <-> 192.168.2.12:56328 [proto: 45.87/WhatsAppCall.RTP][IP: 0/Unknown][Encrypted][Confidence: DPI][DPI packets: 7][cat: VoIP/10][87 pkts/14598 bytes <-> 77 pkts/17336 bytes][Goodput ratio: 75/81][11.91 sec][bytes ratio: -0.086 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 136/121 921/265 137/64][Pkt Len c2s/s2c min/avg/max/stddev: 68/68 168/225 318/331 61/68][Risk: ** Known Proto on Non Std Port **][Risk Score: 50][PLAIN TEXT (KEXQD/)][Plen Bins: 6,4,7,27,16,4,11,12,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	4	TCP 192.168.2.12:50503 <-> 31.13.86.51:443 [proto: 91.242/TLS.WhatsAppFiles][IP: 142/WhatsApp][Encrypted][Confidence: DPI][DPI packets: 6][cat: Download/7][25 pkts/2993 bytes <-> 25 pkts/21759 bytes][Goodput ratio: 44/92][0.39 sec][Hostname/SNI: media-mxp1-1.cdn.whatsapp.net][(Advertised) ALPNs: h2;h2-16;h2-15;h2-14;spdy/3.1;spdy/3;http/1.1][TLS Supported Versions: TLSv1.3;TLSv1.2;TLSv1.1;TLSv1][bytes ratio: -0.758 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 8/10 127/126 28/30][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 120/870 583/1454 124/639][TLSv1.3][JA3C: b92a79ed03c3ff5611abb2305370d3e3][JA3S: 475c9302dc42b2751db9edcac3b74891][Safari][Cipher: TLS_CHACHA20_POLY1305_SHA256][Plen Bins: 7,14,7,0,0,3,0,0,7,0,3,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,47,0,0,0,0]
 	5	TCP 192.168.2.12:49354 <-> 17.242.60.84:5223 [proto: 238/ApplePush][IP: 140/Apple][Encrypted][Confidence: DPI][DPI packets: 1][cat: Cloud/13][14 pkts/6933 bytes <-> 10 pkts/1074 bytes][Goodput ratio: 87/39][54.11 sec][bytes ratio: 0.732 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 4462/757 43773/5113 12515/1779][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 495/107 1506/215 607/44][Plen Bins: 0,42,14,0,7,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,21,0,0]
-	6	UDP 192.168.2.12:56328 <-> 31.13.86.48:3478 [proto: 45.87/WhatsAppCall.RTP][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 19][cat: VoIP/10][21 pkts/2349 bytes <-> 28 pkts/3668 bytes][Goodput ratio: 62/68][34.51 sec][bytes ratio: -0.219 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1959/1447 12194/12196 2978/2626][Pkt Len c2s/s2c min/avg/max/stddev: 48/44 112/131 249/326 64/101][Plen Bins: 40,20,0,20,0,0,8,4,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	6	UDP 192.168.2.12:56328 <-> 31.13.86.48:3478 [proto: 45.87/WhatsAppCall.RTP][IP: 119/Facebook][Encrypted][Confidence: DPI][DPI packets: 21][cat: VoIP/10][21 pkts/2349 bytes <-> 28 pkts/3668 bytes][Goodput ratio: 62/68][34.51 sec][bytes ratio: -0.219 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/0 1959/1447 12194/12196 2978/2626][Pkt Len c2s/s2c min/avg/max/stddev: 48/44 112/131 249/326 64/101][Plen Bins: 40,20,0,20,0,0,8,4,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	7	UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Network/14][5 pkts/1710 bytes -> 0 pkts/0 bytes][Goodput ratio: 88/0][17.30 sec][Hostname/SNI: lucas-imac][DHCP Fingerprint: 1,121,3,6,15,119,252,95,44,46][Plen Bins: 0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	8	UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 1][cat: Cloud/13][4 pkts/1528 bytes -> 0 pkts/0 bytes][Goodput ratio: 89/0][30.05 sec][PLAIN TEXT (version)][Plen Bins: 0,0,0,0,0,0,0,0,0,0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	9	UDP 192.168.2.12:56328 -> 1.60.78.64:64282 [proto: 78.45/STUN.WhatsAppCall][IP: 0/Unknown][ClearText][Confidence: DPI][DPI packets: 16][cat: VoIP/10][16 pkts/1376 bytes -> 0 pkts/0 bytes][Goodput ratio: 51/0][9.38 sec][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 625/0 643/0 8/0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86/0 86/0 0/0][Risk: ** Known Proto on Non Std Port **** Unidirectional Traffic **][Risk Score: 60][Risk Info: No server to client traffic][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]