Project

General

Profile

Download (1.7 KB) Statistics
| Branch: | Tag: | Revision:

root/usr/local/share/protocols/rtp.pat @ a4edef21

1 4ae45b10 Ermal Luçi 
# RTP - Real-time Transport Protocol - RFC 3550
2 66f2dd0e Ermal Lu?i 
# Pattern attributes: ok overmatch undermatch fast fast
3 4ae45b10 Ermal Luçi 
# Protocol groups: streaming_video ietf_internet_standard
4 
# Wiki: http://www.protocolinfo.org/wiki/RTP
5 66f2dd0e Ermal Lu?i 
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
6 4ae45b10 Ermal Luçi 
#
7 
# RTP headers are *very* short and compact.  They have almost nothing in
8 66f2dd0e Ermal Lu?i 
# them that can be matched by l7-filter.  As RTP connections take place
9 
# between even numbered ports, you should probably check for that before
10 
# applying this pattern.  If you want to match them along with their
11 
# associated SIP packets, you might try setting up some iptables rules
12 
# that watch for SIP packets and then also match any other UDP packets
13 
# that are going between the same two IP addresses.
14 4ae45b10 Ermal Luçi 
#
15 
# I think we can count on the first bit being 1 and the second bit being
16 
# 0 (meaning protocol version 2). The next two bits could go either way,
17 
# but in the example I've seen, they are zero, so I'll assume they are
18 
# usually zero.  The next four bits are a count of "contributing source
19 
# identifiers".  I'm not sure how big that could be, but in the example
20 
# I've seen, they're zero, so I'll assume they're usually zero. So that
21 66f2dd0e Ermal Lu?i 
# gives us ^\x80.  The next bit is a tossup. Next is the payload type, 7
22 
# bits.  I've taken likely values from the WireShark code: 0-34, 96-127
23 
# (decimal). The rest of the header is random numbers (sequence number,
24 
# timestamp, synchronization source identifier), so that's no help at
25 
# all.
26 4ae45b10 Ermal Luçi 

      

      

        27
        
        
        
        
        
rtp


      

      

        28
        
            66f2dd0e
        
        
            Ermal Lu?i
        
        
^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80


      

      

        29
        
            4ae45b10
        
        
            Ermal Luçi
        
        

      

      

        30
        
        
        
        
        
# Might also try this.  It's a bit slower (one packet and not too much extra


      

      

        31
        
        
        
        
        
# regexec load) and a bit more accurate:


      

      

        32
        
            66f2dd0e
        
        
            Ermal Lu?i
        
        
#^\x80[\x01-"`-\x7f\x80-\xa2\xe0-\xff]?..........*\x80.*\x80