
SIP detection in PcapPlusPlus relies solely on port 5060 #2022

@sorooshm78

Description


I was developing an application that, among other things, counts SIP packets in a PCAP file using PcapPlusPlus. However, I noticed that in some cases, PcapPlusPlus fails to correctly identify SIP packets.

Upon reviewing the source code, I found that PcapPlusPlus determines whether a packet is SIP based solely on whether the source or destination port is 5060. If the port differs, the packet is classified as unknown.

This logic can be seen in UdpLayer.cpp:

else if (SipLayer::isSipPort(portDst) || SipLayer::isSipPort(portSrc))
{
    if (SipRequestFirstLine::parseMethod((char*)udpData, udpDataLen) != SipRequestLayer::SipMethodUnknown)
        m_NextLayer = new SipRequestLayer(udpData, udpDataLen, this, m_Packet);
    else if (SipResponseFirstLine::parseStatusCode((char*)udpData, udpDataLen) !=
                 SipResponseLayer::SipStatusCodeUnknown &&
             SipResponseFirstLine::parseVersion((char*)udpData, udpDataLen) != "")
        m_NextLayer = new SipResponseLayer(udpData, udpDataLen, this, m_Packet);
    else
        m_NextLayer = new PayloadLayer(udpData, udpDataLen, this, m_Packet);
}

Interestingly, when I opened the same PCAP file in Wireshark, it correctly identified the packets as SIP.
After examining Wireshark's source code, I found that it uses a more flexible heuristic for SIP detection, as implemented in packet-sip.c:

static bool
dissect_sip_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
{
    int remaining_length = tvb_captured_length(tvb);

    return dissect_sip_common(tvb, 0, remaining_length, pinfo, tree, false, false) > 0;
}

If you’re open to it, I’d be happy to contribute a pull request to enhance SIP detection in PcapPlusPlus so that it aligns more closely with Wireshark’s approach.
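To make the proposal above concrete, here is an added example (not PcapPlusPlus or Wireshark code) of a port-independent SIP classifier that looks at the start-line of the UDP payload instead of the port: a Request-Line is "Method SP Request-URI SP SIP/2.0" and a Status-Line is "SIP/2.0 SP 3-digit-code SP Reason-Phrase" (RFC 3261 section 7.1). The function names, the constructed sample payloads and the choice of checks (token characters in the method, a ':' in the Request-URI, a 1xx-6xx status class) are assumptions of this example, not the heuristic Wireshark actually implements. Leading CRLFs are skipped so that CRLF keep-alive packets are not misreported as SIP.

```cpp
#include <cctype>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <string_view>

// Added example, not project code: classify a UDP payload as a SIP request,
// a SIP response, or neither, without consulting the transport ports.
enum class SipKind { None, Request, Response };

// RFC 3261 section 25.1:
// token = 1*(alphanum / "-" / "." / "!" / "%" / "*" / "_" / "+" / "`" / "'" / "~")
static bool isTokenChar(unsigned char c)
{
    return c != 0 && (std::isalnum(c) || std::strchr("-.!%*_+`'~", c) != nullptr);
}

// SIP-Version is "SIP/2.0", compared case-insensitively (RFC 3261 section 7.1).
static bool isSipVersion(std::string_view s)
{
    const char expected[] = "SIP/2.0";
    if (s.size() != 7) return false;
    for (size_t i = 0; i < 7; ++i)
        if (std::toupper(static_cast<unsigned char>(s[i])) != expected[i]) return false;
    return true;
}

SipKind classifySipPayload(const unsigned char* data, size_t len)
{
    const auto npos = std::string_view::npos;
    std::string_view buf(reinterpret_cast<const char*>(data), len);

    // Ignore CRLFs before the start-line (RFC 3261 section 7.5); a payload that
    // is nothing but CRLFs is a keep-alive, not a SIP message.
    size_t pos = 0;
    while (pos < buf.size() && (buf[pos] == '\r' || buf[pos] == '\n')) ++pos;
    if (pos == buf.size()) return SipKind::None;

    // The start-line runs to the first LF (CRLF or bare LF); if the payload has no
    // line terminator at all, the whole remainder is treated as the start-line.
    size_t eol = buf.find('\n', pos);
    std::string_view line = (eol == npos) ? buf.substr(pos) : buf.substr(pos, eol - pos);
    if (!line.empty() && line.back() == '\r') line.remove_suffix(1);

    // Split on the first two spaces only: a Reason-Phrase may itself contain spaces.
    size_t sp1 = line.find(' ');
    if (sp1 == npos || sp1 == 0) return SipKind::None;
    size_t sp2 = line.find(' ', sp1 + 1);
    if (sp2 == npos || sp2 == sp1 + 1) return SipKind::None;
    std::string_view first  = line.substr(0, sp1);
    std::string_view second = line.substr(sp1 + 1, sp2 - sp1 - 1);
    std::string_view third  = line.substr(sp2 + 1);

    // Status-Line: SIP-Version SP Status-Code SP Reason-Phrase
    if (isSipVersion(first))
    {
        if (second.size() != 3) return SipKind::None;
        for (char ch : second)
            if (!std::isdigit(static_cast<unsigned char>(ch))) return SipKind::None;
        if (second[0] < '1' || second[0] > '6') return SipKind::None; // only 1xx..6xx exist
        return SipKind::Response;
    }

    // Request-Line: Method SP Request-URI SP SIP-Version
    if (!isSipVersion(third)) return SipKind::None;
    for (char ch : first)
        if (!isTokenChar(static_cast<unsigned char>(ch))) return SipKind::None;
    // Request-URI is a URI (sip:, sips:, tel:, or an absolute URI), so it carries a scheme separator.
    size_t colon = second.find(':');
    if (colon == npos || colon == 0) return SipKind::None;
    return SipKind::Request;
}

// Convenience wrapper for text buffers (e.g. in tests).
SipKind classifySipText(std::string_view text)
{
    return classifySipPayload(reinterpret_cast<const unsigned char*>(text.data()), text.size());
}

int main()
{
    // Constructed sample payloads; none of them come from a real capture.
    struct Sample { const char* name; std::string payload; };
    const Sample samples[] = {
        {"INVITE (would be on a non-5060 port)",
         "INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.1:5090;branch=z9hG4bK776asdhds\r\n\r\n"},
        {"200 OK",          "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.1:5090\r\n\r\n"},
        {"CRLF keep-alive", "\r\n\r\n"},
        {"HTTP request",    "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    };
    for (const auto& s : samples)
    {
        SipKind k = classifySipText(s.payload);
        std::cout << s.name << " -> "
                  << (k == SipKind::Request ? "SIP request" : k == SipKind::Response ? "SIP response" : "not SIP")
                  << '\n';
    }
    return 0;
}
```

Such a check could run on any UDP payload, with the port test kept only as a fast path; a stricter variant could additionally require at least one Via: header in the following lines or restrict the method to the RFC 3261 set plus known extensions, at the cost of missing packets from implementations that use unregistered methods.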
