A technique for classification of VoIP flows in UDP media streams using VoIP signalling traffic

VoIP applications are becoming popular these days. A lot of Internet traffic are being generated by them. Detection of VoIP traffic is becoming important because of QoS issues and security concerns. A VoIP client typically opens a number of network connection between VoIP client and VoIP client, VoIP client and VoIP server. In the case of peer to peer VoIP applications like Skype network, connections may be between client to client, client to Super Node, client to login server, Super Node to Super Node. Typically, VoIP media traffic are carried by UDP unless firewalls blocks UDP, in which case media and signalling traffic are carried by TCP. Many VoIP applications uses RTP to carry media traffic. Notable examples includes GTalk, Google+ Hangouts, Asterisk based VoIP and Apple's FaceTime. On the other hand, Skype uses a proprietary protocol based on P2P architecture. It uses encryption for end to end communications and adopts obfuscation and anti reverse engineering techniques to prevent reverse engineering of the Skype protocol. This makes the detection of Skype flows a challenging task. Although Skype encrypts all communications, still a portion of Skype payload header known as Start of Message (SoM) is left unecrypted. In this paper, we develop a method for detection of VoIP flows in UDP media streams. Our detection method relies on signalling traffic generated by VoIP applications and heuristics based on the information contained in Skype SoM and RTP/RTCP headers.