| 1 |
4ae45b10
|
Ermal Luçi
|
# H.323 - Voice over IP.
|
| 2 |
|
|
# Pattern attributes: ok veryfast fast
|
| 3 |
|
|
# Protocol groups: voip itu-t_standard
|
| 4 |
|
|
# Wiki: http://www.protocolinfo.org/wiki/H.323
|
| 5 |
66f2dd0e
|
Ermal Lu?i
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
| 6 |
4ae45b10
|
Ermal Luçi
|
#
|
| 7 |
|
|
# This pattern is written without knowledge of the principles of H.323.
|
| 8 |
|
|
# It has only been tested with gnomemeeting and may not work for other
|
| 9 |
|
|
# clients.
|
| 10 |
|
|
#
|
| 11 |
|
|
# Also, it has been reported that:
|
| 12 |
|
|
# "the pattern ... match[es] only first H.323 stream (conntrack for H.323 was
|
| 13 |
|
|
# enabled). Also the major chunk of traffic was of RTP which went untracked."
|
| 14 |
|
|
#
|
| 15 |
|
|
# Also, it may very well match other things that use TPKT and
|
| 16 |
|
|
# Q.931.
|
| 17 |
|
|
|
| 18 |
|
|
# Note that to take full advantage of this pattern, you will need to
|
| 19 |
|
|
# have connection tracking of H.323 support in your kernel. This
|
| 20 |
|
|
# support is not in the stock kernel. A patch can be found at
|
| 21 |
|
|
# http://netfilter.org
|
| 22 |
|
|
|
| 23 |
|
|
h323
|
| 24 |
|
|
# TPKT format: http://www.ietf.org/rfc/rfc1006.txt
|
| 25 |
|
|
# \x03 = TPKT version. It was 3 in May 1987 and gnomemeeting still uses 3.
|
| 26 |
|
|
# ..? = null reserved byte and packet length field.
|
| 27 |
|
|
# Q.931 format: http://www.freesoft.org/CIE/Topics/126.htm
|
| 28 |
|
|
# \x08 = Q.931
|
| 29 |
|
|
# . = length of call reference
|
| 30 |
|
|
# The next byte was: \x18 = message sent from originating side.
|
| 31 |
|
|
# But based on experimentation, it seems that just . is better.
|
| 32 |
|
|
# .?.?.?.?.?.?.?.?.?.?.?.?.?.?.? = call reference (0-15 bytes (0 for nulls))
|
| 33 |
|
|
# \x05 = setup message
|
| 34 |
|
|
#
|
| 35 |
|
|
# Yup, it doesn't actually include any H.323 protocol information.
|
| 36 |
|
|
^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05
|