What is the best way to filter VoIP/SIP activity?

  • Question

  • Hi, I am new to WFP area. I have read online document and sample code, but I am not sure if my knowledge about WFP is good enough to make any technical decisions yet.

    What I would like to do is to get a notification when a VoIP activity has occurred. For example, I would like to know when a Skype or Lync call has arrived.

    What is the best way to monitor VoIP/SIP activity? Do I have to build a kernel driver for this? Which layer should my driver filter at?

    Is there any way to achieve my goal without writing a kernel WFP callout driver?

    What about the RTC (Real Time Communication) framework? I know that I can write a Skype-like application using RTC APIs, but I am not sure if RTC has any capability to monitor the SIP protocol.

    Thanks,

    zhong

    Friday, February 14, 2014 10:49 PM

All replies

  • WFP is meant for all of your TCP/IP stack filtering needs.

    Static filtering (no kernel driver) is only used to BLOCK / ALLOW traffic based on predefined conditions (i.e. IPPACKET layers expose the local and remote addresses).

    In order to do anything else (examine, modify, etc.), you need a kernel callout driver.

    You could use WFP's auditing (and allow filters) to find out if a Skype or Lync call has occurred, however this isn't very efficient, and I doubt what you are wanting.

    I would suggest a callout driver sitting at ALE_AUTH_RECV_ACCEPT (for incoming calls).  The callout can then do whatever you need it to do based on the connection (i.e. log the connection information to a security log).  If you want to monitor the connection for its endurance, then you would sit at more layers...

    I suggest taking a look at the WFPSampler.  (The BASIC_PACKET_EXAMINATION scenario is likely your best starting point).

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Monday, February 17, 2014 8:02 PM
    Moderator
  • Thanks for your advice! I will take a look.

    zhongsheng

    Tuesday, February 18, 2014 6:56 PM
  • Hi Dusty,

    I have read the sample code you have provided. It looks very straightforward. Thanks for pointing me to this sample!

    I hope you can give me more suggestions. What I would like to do is to filter on this string:

    SIP/2.0 180 OK

    This is the signal for any VoIP application to play a ringtone. Two keywords (SIP and 180) are the things I am interested in. This message is in the TCP data section and it can only be retrieved after the packet has been decrypted.

    In addition to that, what is the overhead on CPU usage for a WFP filter driver like this, based on your experience? I am very performance sensitive.

    Thanks,

    zhongsheng

    Tuesday, February 18, 2014 7:38 PM
  • For this you would likely want to sit at either INBOUND / OUTBOUND_TRANSPORT, STREAM_PACKET, or STREAM.

    INBOUND / OUTBOUND TRANSPORT will give you the headers and payload on a per direction basis (you'd filter by at least IPPROTOCOL).

    STREAM_PACKET will give you the headers and payload bi-directionally on a packet-by-packet basis (only TCP traffic will show here).

    STREAM will give you just the payload bidirectionally for TCP packets.

    STREAM has a significant perf hit.

    As for the encryption, it really depends on where that takes place.  If the application is doing the encryption (which I believe is the case for VoIP), then the stack doesn't see any unencrypted data, so WFP won't help you in that regard (unless you know how to decrypt the payload).

    If it was encrypted via IPsec, then the stack will see it unencrypted at the TRANSPORT layers.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Tuesday, February 18, 2014 8:34 PM
    Moderator
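Two things in this thread call for the same piece of code: the poster wants to match a status line containing SIP and 180, and the reply above explains that INBOUND/OUTBOUND_TRANSPORT and STREAM_PACKET hand the callout one segment at a time. The block below is an added example, not code from this thread or from WFPSampler, and it is plain user-mode C so it can be compiled and checked outside a driver. It models only the payload check a callout would run: the Windows-specific parts (copying the TCP payload out of the NET_BUFFER_LIST passed as layerData, and keying the state by flow) are assumed to have been done by the caller. The names sip_detector, sip_feed, sip_status_code and sip_count_ringing are this example's own. It keeps one small buffer per flow and direction so that a status line split across two segments is still recognised, and it matches on the numeric code rather than the reason phrase (RFC 3261 calls 180 "Ringing"; the phrase is free text and not worth matching). The sample segments are constructed for the example.

```c
/* Added example, not code from the thread or from WFPSampler: a user-mode
 * model of the payload check a callout at INBOUND_TRANSPORT (or
 * STREAM_PACKET) would run on each TCP segment it is shown. Names such as
 * sip_detector, sip_feed and sip_status_code are this example's own. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SIP_LINE_MAX 256   /* longest line we keep; longer lines are skipped */

/* Per-flow, per-direction state. A TRANSPORT-layer callout sees one
 * segment per classify call, so a status line can straddle two calls;
 * the partial line is kept here until its LF arrives. */
typedef struct {
    char   line[SIP_LINE_MAX];
    size_t len;
    int    overflow;   /* current line is too long: ignore it to the next LF */
} sip_detector;

void sip_detector_init(sip_detector *d) { memset(d, 0, sizeof *d); }

/* Parse a SIP status line "SIP/2.0 <ddd> <reason>". Returns the 3-digit
 * status code, or -1 if the line is not a SIP/2.0 status line. Requests
 * ("INVITE sip:... SIP/2.0") and header lines ("Via: ...") return -1. */
int sip_status_code(const char *line, size_t len)
{
    static const char prefix[] = "SIP/2.0 ";
    const size_t plen = sizeof prefix - 1;
    if (len < plen + 3 || memcmp(line, prefix, plen) != 0)
        return -1;
    const unsigned char *p = (const unsigned char *)line + plen;
    if (!isdigit(p[0]) || !isdigit(p[1]) || !isdigit(p[2]))
        return -1;
    if (len > plen + 3 && p[3] != ' ')     /* "SIP/2.0 1800" is not a code */
        return -1;
    return (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
}

/* Feed one segment's TCP payload. Returns how many status lines with code
 * `want` (180 for the ringing signal the poster asked about) were completed
 * by this segment; a line that does not end in this segment is carried over
 * to the next call. Encrypted payload simply never yields a match. */
int sip_feed(sip_detector *d, const unsigned char *data, size_t n, int want)
{
    int matches = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = data[i];
        if (c == '\n') {
            size_t len = d->len;
            if (len > 0 && d->line[len - 1] == '\r')
                len--;                         /* strip the CR of CRLF */
            if (!d->overflow && sip_status_code(d->line, len) == want)
                matches++;
            d->len = 0;
            d->overflow = 0;
        } else if (d->overflow) {
            continue;
        } else if (d->len < SIP_LINE_MAX) {
            d->line[d->len++] = (char)c;
        } else {
            d->overflow = 1;                   /* too long to be a status line */
        }
    }
    return matches;
}

/* Run a sequence of inbound segments for one flow through a fresh detector
 * and count 180 responses. */
int sip_count_ringing(const char *const *segs, size_t nsegs)
{
    sip_detector d;
    int total = 0;
    sip_detector_init(&d);
    for (size_t i = 0; i < nsegs; i++)
        total += sip_feed(&d, (const unsigned char *)segs[i], strlen(segs[i]), 180);
    return total;
}

int main(void)
{
    /* Constructed segments: the 180 status line is split across the second
     * and third segments, as it can be at a per-segment layer. */
    static const char *const inbound[] = {
        "SIP/2.0 100 Trying\r\nVia: SIP/2.0/TCP 192.0.2.10:5060\r\n\r\n",
        "SIP/2.0 1",
        "80 Ringing\r\nCall-ID: example-call-1\r\n\r\n",
        "SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n",
    };
    int n = sip_count_ringing(inbound, sizeof inbound / sizeof inbound[0]);
    printf("180 responses seen: %d\n", n);   /* 180 responses seen: 1 */
    return 0;
}
```

The detector does no allocation and touches each payload byte once with a bounded buffer, which is the kind of cost a callout can afford at a transport layer; the state must be kept per flow and per direction, since TRANSPORT indications are one-directional. At the STREAM layer the same sip_feed works unchanged, because contiguous payload is just the easy case of the split handling. For SIP carried inside TLS the detector sees only ciphertext and reports nothing, which is the limitation the reply above describes; only IPsec-protected traffic arrives at INBOUND_TRANSPORT already decrypted.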
  • Thanks Dusty,

    For me INBOUND TRANSPORT seems to be good enough. However, I was not able to intercept the SIP message. Everything I see is a scrambled message. Is it true that IPsec has been decrypted at the INBOUND_TRANSPORT layer?

    Thanks,

    zhongsheng

    Monday, February 24, 2014 7:56 PM
  • IPsec does get decrypted @ INBOUND_TRANSPORT.  If you are sitting higher than the IPsec sublayer, then you will still see the data encrypted.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation

    Monday, February 24, 2014 11:59 PM
    Moderator