(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 6, September 2010
The fabricated TCP header is inserted/deleted in the data link frame, this means that the original RTP/UDP protocol is usedwithout modification. Nonetheless the fabricated packets canstill bypass the NAT as authenticated ones.
Figure 2. Proposed frame structure
As these extra bytes (fabricated TCP header) will be addedwhen the packet is in the data link layer, this may cause thepacket to exceed the Maximum Transfer Unit (MTU) of thenetwork. Since, no packet must exceed the Maximum TransferUnit (MTU) of the network , 
, therefore, the sender’s
MTU must be decreased by length of the fabricated TCPheader length (20 bytes).The whole proposed system is composed of two mainmodules. The first module resides on the streaming clientwhile the second resides on the streaming server. Figure (3)shows the video streaming network topology.
Figure 3. Video streaming network topology
Each module consists of the following components:A component (hooking function in Fig. 1) that provides away to access the frame at the data link layer. This componentaccesses the frames in data link layer which is in the kernelmode and moves it into the user mode and vice versa.A component that finds the required frame based on itscontent. This component extracts the specified packets fromthe frames which have to be changed (fabricated/restored)depending on sending direction (income/outcome).A component that makes the required modifications(fabricating/restoring) to the predetermined packets. Thiscomponent changes the predetermined packets depending thesending direction (send/receive). In sending, the componentchanges the RTP/UDP packet into fabricated TCP packet. Inreceiving, the component restores the fabricated TCP packetinto its original RTP/UDP content. This component also re-computes length and checksums.
Client Side Module
As mentioned earlier, the module has to access the kernel(at data link layer). This is done by accessing the NDIS driver.The module listens until a packet event has occurred. Thereare two possible scenarios:Incoming packet: If the packet is coming from thestreaming server, then the program will look for the TCP thatcontains an RTSP packet. If this RTSP packet contains both
the client’s and server’s streaming ports, then record thisconnection’s information into an array. This is happened
normally at the setup phase of the RTSP connection. Later(when the video streaming data is transfered), the client willcheck every TCP packet if it contains a specified signature. If this signature is raised (in the TCP header), this mean that thisTCP packet is fabricated and it contains the originalRTP/UDP packet. The program will remove the TCP headerand recomputed the UDP and IP checksums. All these stepsare done before sending the packet to the rest of TCP/IPprotocol stack Outgoing packet: If the packet is outgoing to the streamingserver and the outgoing packet was a RTP/UDP packet, theninsert a new fabricated TCP header before the UDP header.This fabricated TCP header contains the TCP connectioninformation taken from the appropriate record from an array
containing all streaming connections’ details. This TCP
header also contains a specified signature that has to beenrecognized from the streaming server in order to return thepacket back to its original RTP/UDP packet. This operationalso needs to recompute the checksums. All these steps aredone before sending the packet to the adapter. Figure 4 showsthe flowchart of client side module.
Access the Datalink layer (inkernel mode)Wait untilpacket eventoccurs
Packet eventMove the packetto the user modeapplicationYes
NoTCP or UDPIncomingTCP withsignatureReturn back to itsoriginal UDPpacketYESTCP or UDPOutgoingNormal orStreaming UDPUDP
Add a fabricatedTCP header withsignature
StreamingMove the packetto the kernel modeMove the packetto the kernel mode
Send packet tothe physicallayerSend packet tothe upperlayer
informationNormalUDPNORecompute thechecksumsRecompute thechecksumsNoYesTCPTCP
Figure 4. Flowchart of the client side module