Improved RTP dissection with EVS and other mobile voice codecs

Author: lucaderi

example/ndpiReader.c

@@ -1872,9 +1872,21 @@ static void printFlow(u_int32_t id, struct ndpi_flow_info *flow, u_int16_t threa
 
     if((flow->detected_protocol.proto.master_protocol == NDPI_PROTOCOL_RTP) || (flow->detected_protocol.proto.app_protocol == NDPI_PROTOCOL_RTP))
       {
-	fprintf(out, "[Payload Type: %s (%u)]",
-		ndpi_rtp_payload_type2str(flow->rtp.payload_type),
-		flow->rtp.payload_type);
+	if (flow->rtp[0 /* cli -> srv */].payload_detected || flow->rtp[1].payload_detected) {
+	  fprintf(out, "[Payload Type: ");
+
+	  if (flow->rtp[0].payload_detected)
+	    fprintf(out, "%s (%u.%u)",
+		    ndpi_rtp_payload_type2str(flow->rtp[0].payload_type, flow->rtp[0].evs_subtype), flow->rtp[0].payload_type, flow->rtp[0].evs_subtype);
+
+	  if(flow->rtp[1 /* srv -> cli */].payload_detected) {
+	    if (flow->rtp[0].payload_detected) fprintf(out, " / ");
+	    
+	    fprintf(out, "%s (%u.%u)]",
+		    ndpi_rtp_payload_type2str(flow->rtp[1].payload_type, flow->rtp[1].evs_subtype), flow->rtp[1].payload_type, flow->rtp[1].evs_subtype);
+	  } else
+	    fprintf(out, "]");
+	}
       }
 
     fprintf(out, "[%s]",

example/reader_util.c

@@ -1216,7 +1216,6 @@ static void serialize_monitoring_metadata(struct ndpi_flow_info *flow)
     case NDPI_PROTOCOL_STUN:
     case NDPI_PROTOCOL_DTLS:
     case NDPI_PROTOCOL_SRTP:
-
       ndpi_serialize_start_of_block(&flow->ndpi_flow_serializer, "stun");
 
       if(flow->stun.mapped_address.num_aps > 0) {
@@ -1638,7 +1637,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
   }
 
   if(is_ndpi_proto(flow, NDPI_PROTOCOL_RTP))
-    flow->rtp.payload_type = flow->ndpi_flow->protos.rtp.payload_type;
+    memcpy(&flow->rtp, &flow->ndpi_flow->protos.rtp, sizeof(flow->rtp));
 
   ndpi_snprintf(flow->http.user_agent,
                 sizeof(flow->http.user_agent),

example/reader_util.h

@@ -316,9 +316,7 @@ typedef struct ndpi_flow_info {
     u_int response_status_code;
   } http;
 
-  struct {
-    u_int8_t payload_type;
-  } rtp;
+  struct rtp_info rtp[2 /* directions */];
 
   struct {
     ndpi_address_port_list mapped_address, peer_address,

src/include/ndpi_api.h

@@ -602,10 +602,11 @@ extern "C" {
   /**
    * Return the name of a RTP payload type
    *
-   * @par     payload_type = the RTP payload type
+   * @par     payload_type     = the RTP payload type
+   * @par     evs_payload_type = EVS payload type (only in case payload_type is EVS)
    * @return  The symbolic payload type or "Unknown" if not found
    */
-  const char* ndpi_rtp_payload_type2str(u_int8_t payload_type);
+  const char* ndpi_rtp_payload_type2str(u_int8_t payload_type, u_int32_t evs_payload_type);
 
   /**
    * Check if subprotocols of the specified master protocol are just

src/include/ndpi_private.h

@@ -296,6 +296,7 @@ struct ndpi_detection_module_config_struct {
 
   int stun_opportunistic_tls_enabled;
   int stun_max_packets_extra_dissection;
+  int rtp_max_packets_extra_dissection;
   int stun_mapped_address_enabled;
   int stun_response_origin_enabled;
   int stun_other_address_enabled;

src/include/ndpi_typedefs.h

@@ -1301,6 +1301,12 @@ struct ndpi_tls_obfuscated_heuristic_matching_set {
   u_int32_t pkts[4];
 };
 
+struct rtp_info {
+  u_int8_t payload_type;
+  u_int32_t evs_subtype;
+  bool payload_detected;
+};
+
 struct ndpi_flow_struct {
   u_int16_t detected_protocol_stack[NDPI_PROTOCOL_SIZE];
 
@@ -1601,10 +1607,8 @@ struct ndpi_flow_struct {
       char *user_agent;
     } ssdp;
 
-    struct {
-      u_int8_t payload_type;
-    } rtp;
-} protos;
+    struct rtp_info rtp[2 /* directions */];
+  } protos;
 
   /* **Packet** metadata for flows where monitoring is enabled. It is reset after each packet! */
   struct ndpi_metadata_monitoring *monit;

src/lib/ndpi_main.c

@@ -11791,7 +11791,8 @@ static const struct cfg_param {
   { "zoom",          "max_packets_extra_dissection",            "4", "0", "255", CFG_PARAM_INT, __OFF(zoom_max_packets_extra_dissection), NULL },
 
   { "rtp",           "search_for_stun",                         "disable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(rtp_search_for_stun), NULL },
-
+  { "rtp",           "max_packets_extra_dissection",            "32", "0", "255", CFG_PARAM_INT, __OFF(rtp_max_packets_extra_dissection), NULL },
+  
   { "openvpn",       "dpi.heuristics",                          "0x00", "0", "0x01", CFG_PARAM_INT, __OFF(openvpn_heuristics), NULL },
   { "openvpn",       "dpi.heuristics.num_messages",             "10", "0", "255", CFG_PARAM_INT, __OFF(openvpn_heuristics_num_msgs), NULL },
   { "openvpn",       "subclassification_by_ip",                 "enable", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(openvpn_subclassification_by_ip), NULL },

src/lib/ndpi_utils.c

@@ -4236,7 +4236,8 @@ ndpi_protocol_qoe_category_t ndpi_find_protocol_qoe(struct ndpi_detection_module
 
 /* ************************************************************** */
 
-const char* ndpi_rtp_payload_type2str(u_int8_t payload_type) {
+/* https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-rtp.c */
+const char* ndpi_rtp_payload_type2str(u_int8_t payload_type, u_int32_t evs_payload_type) {
   switch(payload_type) {
   case 0:   return("ITU-T G.711 PCMU");
   case 1:   return("USA Federal Standard FS-1016");
@@ -4265,7 +4266,62 @@ const char* ndpi_rtp_payload_type2str(u_int8_t payload_type) {
   case 33:  return("MPEG-II transport streams");
   case 34:  return("ITU-T H.263");
   case 98:  return("AMR-WB");
-  case 127: return("EVS");
+  case 118: return("AMR"); /* Adptive Multirate */
+  case 126: /* Enhanced Voice Services */
+  case 127: /* Enhanced Voice Services */
+    {
+      switch(evs_payload_type) {
+	/* https://gitlab.com/wireshark/wireshark/-/blob/master/epan/dissectors/packet-evs.c */
+
+      case 0x0: return("AMR-WB IO 6.6 kbps");
+      case 0x1: return("AMR-WB IO 8.85 kbps");
+      case 0x2: return("AMR-WB IO 12.65 kbps");
+      case 0x3: return("AMR-WB IO 14.24 kbps");
+      case 0x4: return("AMR-WB IO 15.85 kbps");
+      case 0x5: return("AMR-WB IO 18.25 kbps");
+      case 0x6: return("AMR-WB IO 19.85 kbps");
+      case 0x7: return("AMR-WB IO 23.05 kbps");
+      case 0x8: return("AMR-WB IO 23.85 kbps");
+      case 0x9: return("AMR-WB IO 2.0 kbps SID");
+	
+	/* ** */
+	/* Dummy SWB 30 offset */
+      case 0x3+30: return("SWB 9.6 kbps");
+      case 0x4+30: return("SWB 13.2 kbps");
+      case 0x5+30: return("SWB 16.4 kbps");
+      case 0x6+30: return("SWB 24.4 kbps");
+      case 0x7+30: return("SWB 32 kbps");
+      case 0x8+30: return("SWB 48 kbps");
+      case 0x9+30: return("SWB 64 kbps");
+      case 0xa+30: return("SWB 96 kbps");
+      case 0xb+30: return("SWB 128 kbps");
+	
+
+      case    48: return("EVS Primary SID 2.4");
+      case   136: return("EVS AMR-WB IO 6.6");
+      case   144: return("EVS Primary 7.2");
+      case   160: return("EVS Primary 8.0");
+      case   184: return("EVS AMR-WB IO 8.85");
+      case   192: return("EVS Primary 9.6");
+      case   256: return("EVS AMR-WB IO 12.65");
+      case   264: return("EVS Primary 13.2");
+      case   288: return("EVS AMR-WB IO 14.25");
+      case   320: return("EVS AMR-WB IO 15.85");
+      case   328: return("EVS Primary 16.4");
+      case   368: return("EVS AMR-WB IO 18.25");
+      case   400: return("EVS AMR-WB IO 19.85");
+      case   464: return("EVS AMR-WB IO 23.05");
+      case   480: return("EVS AMR-WB IO 23.85");
+      case   488: return("EVS Primary 24.4");
+      case   640: return("EVS Primary 32.0");
+      case   960: return("EVS Primary 48.0");
+      case  1280: return("EVS Primary 64.0");
+      case  1920: return("EVS Primary 96.0");
+      case  2560: return("EVS Primary 128.0");
+      default:    return("EVS 13.2");
+      }
+    }
+    break;
   default:  return("Unknown");
   }
 }