Hi-Performance Protocol Identification Engine
 

PPLive P2P Video

HiPPIE Name: pplive
Protocol Category: Peer-to-Peer Protocols
Protocol Classification: Coming

PPLive is an interesting new concept I hadn't seen in any app before inspecting this application on a tip from a friend. PPLive is a streaming live television application, except that the streaming is done via P2P. That is, you connect to other clients watching the same streaming TV station you are, and help further stream it to other people. It's kind of interesting. Nonetheless, I was able to identify this protocol. There are two portions of this application: UDP stuff and TCP stuff. I'm sure that once I get to actually writing the HiPPIE modules for this protocol, and not just breaking the protocol, these signatures will be a little more detailed, but these signatures are sufficient to accurately break this protocol and not over-classify.

UDP

There are 4 potential types of packets you could run into when starting a session with the UDP portion of PPLive. There are two types of initial packets, and two other types of packets in the streaming process. The two initial packet types both start with the exact same four bytes; one is 77 bytes long (including IP, UDP headers), and the other is 81 bytes long including headers. They both start with the following 4 bytes:

01 00 00 02

The other two types of packets that are easily findable with PPLive look very similar.  The first of which starts with the bytes:

02 00 00 02

and is 70 bytes long with headers, while the final easily identified UDP type is 82 bytes long and starts with the bytes:

03 00 00 02

TCP

There are 3 types of TCP packets you can find to easily identify PPLive TCP traffic.  The first one is the simplest to identify, and is always the first packet in a PPLive session.  The packet is 44 bytes long (including IP, TCP headers) and contains only these 4 bytes in the TCP data section:

2c 00 00 00

Also, there are two other potential packets to run into on the TCP side, the first of which is 89 bytes long and starts with the following 4 bytes:

01 00 00 02

The last type of packet to identify this protocol is 84 bytes long and starts with the following 4 bytes:

03 00 00 02

This should be plenty efficient to break this protocol and most likely do full classification, but I will verify that later as I write the HiPPIE identification module for it.  It might get cleaned up even more after that as well.
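The UDP and TCP signatures above, combined into one matcher over raw IPv4 packets, as an added example that is not HiPPIE code. It assumes the lengths quoted on this page are the IPv4 total length; `SIGNATURES`, `classify` and `build_packet` are names made up for the example, and the sample packets are constructed.

```python
import struct
from typing import Optional

UDP, TCP = 17, 6  # IP protocol numbers

# (protocol, first 4 payload bytes) -> packet lengths in bytes given on this
# page, counted from the start of the IP header (assumption, see lead-in).
SIGNATURES = {
    (UDP, bytes.fromhex("01000002")): {77, 81},
    (UDP, bytes.fromhex("02000002")): {70},
    (UDP, bytes.fromhex("03000002")): {82},
    (TCP, bytes.fromhex("2c000000")): {44},
    (TCP, bytes.fromhex("01000002")): {89},
    (TCP, bytes.fromhex("03000002")): {84},
}

def classify(packet: bytes) -> Optional[str]:
    """Return "pplive" if a raw IPv4 packet matches a signature, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len, _ident, frag = struct.unpack_from("!HHH", packet, 2)
    proto = packet[9]
    if ihl < 20 or not ihl <= total_len <= len(packet):
        return None
    if frag & 0x1FFF:  # non-first fragment: no transport header to parse
        return None
    packet = packet[:total_len]  # ignore link-layer padding after the datagram
    if proto == UDP:
        l4_len = 8
    elif proto == TCP and len(packet) > ihl + 12:
        l4_len = (packet[ihl + 12] >> 4) * 4  # TCP data offset, options included
        if l4_len < 20:
            return None
    else:
        return None
    payload = packet[ihl + l4_len:]
    lengths = SIGNATURES.get((proto, payload[:4]))
    return "pplive" if lengths and total_len in lengths else None

def build_packet(proto: int, payload: bytes, total_len: int) -> bytes:
    """Constructed sample input: option-less IPv4 + UDP/TCP header, zero-padded."""
    l4 = bytes(8) if proto == UDP else bytes(12) + b"\x50" + bytes(7)
    body = (l4 + payload).ljust(total_len - 20, b"\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                     proto, 0, bytes(4), bytes(4))
    return ip + body
```

Matching on both the 4-byte prefix and the length is what keeps a short prefix such as 01 00 00 02 from over-classifying unrelated traffic.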

