Zoom: fix detection of screen sharing (#2476)

ntop · Jun 17, 2024 · 9feede9 · 9feede9
1 parent 26cc1f1
commit 9feede9
Showing 1 changed file with 26 additions and 12 deletions.
diff --git a/src/lib/protocols/zoom.c b/src/lib/protocols/zoom.c
@@ -50,8 +50,14 @@ static int zoom_search_again(struct ndpi_detection_module_struct *ndpi_struct,
 static int keep_extra_dissection(struct ndpi_flow_struct *flow);
 
 static void ndpi_int_zoom_add_connection(struct ndpi_detection_module_struct *ndpi_struct,
-					 struct ndpi_flow_struct *flow,
-					 u_int16_t master) {
+					 struct ndpi_flow_struct *flow) {
+  u_int16_t master;
+
+  if(flow->flow_multimedia_type != ndpi_multimedia_unknown_flow)
+    master = NDPI_PROTOCOL_SRTP;
+  else
+    master = NDPI_PROTOCOL_UNKNOWN;
+
   NDPI_LOG_INFO(ndpi_struct, "found Zoom\n");
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZOOM, master, NDPI_CONFIDENCE_DPI);
 
@@ -82,10 +88,18 @@ static int is_zme(struct ndpi_detection_module_struct *ndpi_struct,
     struct zoom_media_enc *enc = (struct zoom_media_enc *)payload;
 
     switch(enc->enc_type) {
-    case 13: /* Screen Share */
-    case 30: /* Screen Share */
-      if(payload_len > 27 &&
-         is_rtp_or_rtcp(ndpi_struct, payload + 27, payload_len - 27, NULL) == IS_RTP) {
+    case 13: /* Screen Share: RTP is not always there, expecially at the beginning of the flow */
+      if(payload_len > 27) {
+         if(is_rtp_or_rtcp(ndpi_struct, payload + 27, payload_len - 27, NULL) == IS_RTP) {
+           flow->flow_multimedia_type = ndpi_multimedia_screen_sharing_flow;
+         }
+         return 1;
+      }
+      break;
+
+    case 30: /* P2P Screen Share: it seems RTP is always present */
+      if(payload_len > 20 &&
+         is_rtp_or_rtcp(ndpi_struct, payload + 20, payload_len - 20, NULL) == IS_RTP) {
         flow->flow_multimedia_type = ndpi_multimedia_screen_sharing_flow;
         return 1;
       }
@@ -150,11 +164,11 @@ static int zoom_search_again(struct ndpi_detection_module_struct *ndpi_struct,
 
   if(!flow->l4.udp.zoom_p2p &&
      is_sfu_5(ndpi_struct, flow)) {
-    ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SRTP);
+    ndpi_int_zoom_add_connection(ndpi_struct, flow);
   }
   if(flow->l4.udp.zoom_p2p &&
      is_zme(ndpi_struct, flow, packet->payload, packet->payload_packet_len)) {
-    ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SRTP);
+    ndpi_int_zoom_add_connection(ndpi_struct, flow);
   }
 
   return keep_extra_dissection(flow);
@@ -178,20 +192,20 @@ static void ndpi_search_zoom(struct ndpi_detection_module_struct *ndpi_struct,
        memcmp(packet->payload, tomatch_a, 3) == 0 ||
        memcmp(packet->payload, tomatch2, 3) == 0 ||
        memcmp(packet->payload, tomatch2_a, 3) == 0) {
-      ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
+      ndpi_int_zoom_add_connection(ndpi_struct, flow);
       return;
 
     /* SFU types 3 and 4. This check is quite weak: let give time to the other
        dissectors to kick in */
     } else if((packet->payload[0] == 0x03 || packet->payload[0] == 0x04)) {
       if(flow->packet_counter < 4)
         return;
-      ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
+      ndpi_int_zoom_add_connection(ndpi_struct, flow);
       return;
 
     /* SFU types 5 */
     } else if(is_sfu_5(ndpi_struct, flow)) {
-      ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SRTP);
+      ndpi_int_zoom_add_connection(ndpi_struct, flow);
       return;
     }
   } else if(packet->payload_packet_len > 36 &&
@@ -219,7 +233,7 @@ static void ndpi_search_zoom(struct ndpi_detection_module_struct *ndpi_struct,
       if(packet->payload_packet_len == 24 + 4 + ip_len + 4 + uuid_len + 4) {
         NDPI_LOG_DBG(ndpi_struct, "found P2P Zoom\n");
         flow->l4.udp.zoom_p2p = 1;
-        ndpi_int_zoom_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNKNOWN);
+        ndpi_int_zoom_add_connection(ndpi_struct, flow);
         return;
       }
     }