Hi Sebastien, it might really depend on the scalability versus the accuracy of the solution you need to develop. I see you having pretty much two ways to go:
a) Basic behavioural analysis. Assume all packets flying between the known range of RTP ports are RTP packets. If you know in advance the expected packet size, double check this assumption by dividing the number bytes by the number of packets. You might proceed without restricting such check to only the RTP ports, but might be tricky depending on the scenario. A dumb variation of this approach is possible if you know in advance the RTP payload size (and accuracy is not a prime issue): using the Pre-Tagging infrastructure to tag all, say, UDP packets matching a particular payload size. b) Packet classification. The SIP pattern from the L7-filter project recognizes SIP traffic; pmacct features a connection tracking module for SIP which allows to expect upcoming RTP flows by looking into INVITE and 200 messages. This might turn into a far more accurate solution (again, depending on the scenario) but with potential drawbacks due to the required deep-packet inspection. On a side node, remember a stateful approach like the one relying on packet classification is more sensible to outages compared to behavioural analysis. Of course, nothing prevents any combination of the two solutions. Here i'm assuming the easiest way to accomplish this, ie. every host in the network is forced to speak RTP only passing through a proxy and/or an AS does not hold. Cheers, Paolo On Wed, Sep 03, 2008 at 02:26:29PM +0200, S?bastien CRAMATTE wrote: > Hello > > What is the best way to account SIP/RTP traffic with PMACCT ? > Might we should use L7-filter ? I mean essentialy for RTP traffic not > for SIP signalling > > Regards _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
