|
1
|
# H.323 - Voice over IP.
|
|
2
|
# Pattern attributes: ok veryfast fast
|
|
3
|
# Protocol groups: voip itu-t_standard
|
|
4
|
# Wiki: http://www.protocolinfo.org/wiki/H.323
|
|
5
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
|
6
|
#
|
|
7
|
# This pattern is written without knowledge of the principles of H.323.
|
|
8
|
# It has only been tested with gnomemeeting and may not work for other
|
|
9
|
# clients.
|
|
10
|
#
|
|
11
|
# Also, it has been reported that:
|
|
12
|
# "the pattern ... match[es] only first H.323 stream (conntrack for H.323 was
|
|
13
|
# enabled). Also the major chunk of traffic was of RTP which went untracked."
|
|
14
|
#
|
|
15
|
# Also, it may very well match other things that use TPKT and
|
|
16
|
# Q.931.
|
|
17
|
|
|
18
|
# Note that to take full advantage of this pattern, you will need to
|
|
19
|
# have connection tracking of H.323 support in your kernel. This
|
|
20
|
# support is not in the stock kernel. A patch can be found at
|
|
21
|
# http://netfilter.org
|
|
22
|
|
|
23
|
h323
|
|
24
|
# TPKT format: http://www.ietf.org/rfc/rfc1006.txt
|
|
25
|
# \x03 = TPKT version. It was 3 in May 1987 and gnomemeeting still uses 3.
|
|
26
|
# ..? = null reserved byte and packet length field.
|
|
27
|
# Q.931 format: http://www.freesoft.org/CIE/Topics/126.htm
|
|
28
|
# \x08 = Q.931
|
|
29
|
# . = length of call reference
|
|
30
|
# The next byte was: \x18 = message sent from originating side.
|
|
31
|
# But based on experimentation, it seems that just . is better.
|
|
32
|
# .?.?.?.?.?.?.?.?.?.?.?.?.?.?.? = call reference (0-15 bytes (0 for nulls))
|
|
33
|
# \x05 = setup message
|
|
34
|
#
|
|
35
|
# Yup, it doesn't actually include any H.323 protocol information.
|
|
36
|
^\x03..?\x08...?.?.?.?.?.?.?.?.?.?.?.?.?.?.?\x05
|