Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


This software was part of the dissertation that I presented the 04/07/2011 for the master degree in computer engineering under the title “Steganography over SIP/RTP protocols”. The work was conducted under the supervision of professor Luigi Ciminiera at the Politecnico di Torino.

StegoSIP covers an IP tunnel into SIP/RTP protocol using LSB and LACK steganographic methods. The hidden channel is a point-to-point IP tunnel between the two peers communicating via the SIP call.


Install the required dependencies.

$ sudo apt-get install nfqueue-bindings-python python-dpkt

Download StegoSIP in both endpoints PC-Alice and PC-Bob. Make sure to specify the tunnel IP addresses of the two endpoints as shown below.

# On PC-Alice
$ gedit stegosip.conf        # set Alice IP option address as
# On PC-Bob
$ gedit stegosip.conf          # set Bob IP address as


Start StegoSIP in Alice and Bob hosts

# On PC-Alice
$ sudo ./
# On PC-Bob
$ sudo ./

StegoSIP starts inspecting the SIP traffic on the machines waiting for inbound or outbound SIP calls. When it detects a RTP stream, it would raise a stego0 network interface in both endpoints which can be used as a private hidden network between the peers.


The software is SIP client agnostic, but has been tested with Ekiga. Find below a commented example of an outgoing call from PC-Alice to PC-Bob which is used to establish the covert channel.

# PC-Alice. 
# The command must be run on PC-Bob as well.
$ sudo ./

# Load filter to incercept incoming and outgoing SIP calls
[SIP] added dissector and netfilter rules on udp 5060 ports.
# Outgoing-call between alice and bob intercepted 
[SIP] [OUTGOING-CALL:647604] alice@>bob@ 
[SIP] [OUTGOING-CALL-ESTAB:647604] alice@>bob@ 
# Extract RTP port and other parameters from collected SDP
[SDP] local: remote: 
# Load filter to intercept RTP connection
[RTP] added dissector and netfilter rules on udp 5072<->5076 ports.
# Starting stego0 interface with ip
[TUN] Started Interface stego0 up netmask mtu 1392
# Module to inject and extract data from tunnel loaded.
[RTP] Injector 'LACK' module loaded

Alice and Bob can now communicate using and hosts.

# PC-Alice
$ ping

PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=64 time=50.1 ms
64 bytes from icmp_req=2 ttl=64 time=58.7 ms


TCP tunnel over RTP/SIP






No releases published


No packages published