Build network check tool

Hi everyone,

First of all, thank you all for the amazing work you are doing!

I’m planning to build a small tool to check the connectivity status between the client machine and the VB servers, to check whether 10000/udp port connections are blocked or not.

I know there is a way to check using netcat and other tools, but I think they require the VB to be stopped and a netcat server to be run on port 10000/udp on the server side.

What I am planning to do is to build a tool to communicate with the VB directly over port 10000.
I tried to communicate with JVB over port 10000/udp but there is no response from the server.

I opened Wireshark, captured the traffic from a real client and replayed the first packet that JVB responded to, which is a STUN packet, but it did not work; there was no response from the server either.

I also tried a STUN client with JVB; that also did not work.

Am I missing something? Is there anything I can look up in the source code, or hints on where to look? I need any data to be in the request that makes JVB respond with anything; even an error is fine.

TL;DR: what payload can I send to VB over a UDP socket that makes it respond?

Note: I’m sure port 10000/udp is fine in the testing JVB.

What looks like a STUN binding is actually the start of ICE. But JVB probably won’t talk to you if a channel has not been allocated (e.g. by Jicofo) with a candidate matching your IP first.

Is there anything that I can send to JVB to make it talk back? Even an error in this case is okay.

I would hope not — since it’s UDP, anything that would get JVB to respond to any unauthenticated client without them being allocated a channel would be a potential risk for reflected DoS.

A proper test would involve connecting to the XMPP server (Prosody), joining a room with >=2 participants so that Jicofo sends you a session-initiate, sending the session-accept back to Jicofo and then starting ICE with JVB.

Alternatively if you just want to check if 10000/udp is blocked, make a simple network server that listens on 10000/udp and test to that. Just make sure it is secure against being abused for a reflected attack, and consider implementing ICE followed by DTLS-SRTP, or at least something that looks close to it, so that if the user is behind a firewall that is doing DPI, the firewall will be seeing traffic that looks similar to real JVB traffic so that your test is accurate. At that point you might find it is easier to just do a real test with allocating channels on JVB.
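
A minimal sketch of the standalone 10000/udp responder suggested above, as an added example that is not part of the original thread or of Jitsi's code: it stays silent unless the datagram carries a token bound to the sender's IP, caps replies per source, and always answers with fewer bytes than it received. The `PRB1` packet format, the `PROBE_SECRET` variable and the hand-out of tokens over HTTPS (where TCP verifies the client's address) are assumptions made for the illustration.

```python
import hashlib, hmac, os, socket, struct, time

PORT = 10000          # UDP port under test (from the thread)
WINDOW = 30           # seconds per token time slot (assumed value)
MAX_PER_WINDOW = 5    # replies per source IP per slot (assumed value)
MAGIC = b"PRB1"       # constructed probe header, not a JVB or STUN format

def _mac(secret: bytes, ip: str, slot: int) -> bytes:
    msg = ip.encode() + struct.pack("!Q", slot)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]

def issue_token(secret: bytes, ip: str, now: float) -> bytes:
    """Token given to the client over TCP/HTTPS, where its source IP is verified."""
    return _mac(secret, ip, int(now // WINDOW))

def handle_datagram(secret, data, src_ip, now, counters):
    """Return the reply bytes, or None to stay silent."""
    if len(data) < 20 or data[:4] != MAGIC:
        return None                       # unknown traffic gets no answer at all
    slot, token = int(now // WINDOW), data[4:20]
    # Accept the current and previous slot so a token survives a slot boundary.
    if not any(hmac.compare_digest(token, _mac(secret, src_ip, s))
               for s in (slot, slot - 1)):
        return None                       # token not bound to this source: spoofed or stale
    key = (src_ip, slot)
    counters[key] = counters.get(key, 0) + 1
    if counters[key] > MAX_PER_WINDOW:
        return None                       # per-source rate limit
    return MAGIC + b"OK"                  # 6 bytes, always smaller than the 20+ byte request

def serve(secret: bytes) -> None:
    counters = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", PORT))
    while True:
        data, (ip, port) = sock.recvfrom(2048)
        now = time.time()
        # Drop counters from expired slots so the table cannot grow without bound.
        for k in [k for k in counters if k[1] < int(now // WINDOW) - 1]:
            del counters[k]
        reply = handle_datagram(secret, data, ip, now, counters)
        if reply is not None:
            sock.sendto(reply, (ip, port))

if __name__ == "__main__":
    # PROBE_SECRET must match the secret used by the token-issuing endpoint.
    serve(os.environ["PROBE_SECRET"].encode())
```

This only tests plain reachability of the port; it does not imitate ICE or DTLS-SRTP, so a firewall doing DPI may treat it differently from real JVB traffic.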

Thank you for the detailed explanation!
So basically I need to re-implement the client side. Well, this is an interesting task =)

What about creating an option in JVB, like ALLOW_CONNECTIVITY_TESTING, which would allow JVB to respond to a “Hello” packet just to test port connectivity?