Skip to content
Go to file

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


This software was part of the dissertation that I presented the 04/07/2011 for the master degree in computer engineering under the title “Steganography over SIP/RTP protocols”. The work was conducted under the supervision of professor Luigi Ciminiera at the Politecnico di Torino.

StegoSIP covers an IP tunnel into SIP/RTP protocol using LSB and LACK steganographic methods. The hidden channel is a point-to-point IP tunnel between the two peers communicating via the SIP call.


Install the required dependencies.

$ sudo apt-get install nfqueue-bindings-python python-dpkt

Download StegoSIP in both endpoints PC-Alice and PC-Bob. Make sure to specify the tunnel IP addresses of the two endpoints as shown below.

# On PC-Alice
$ gedit stegosip.conf        # set Alice IP option address as
# On PC-Bob
$ gedit stegosip.conf          # set Bob IP address as


Start StegoSIP in Alice and Bob hosts

# On PC-Alice
$ sudo ./
# On PC-Bob
$ sudo ./

StegoSIP starts inspecting the SIP traffic on the machines waiting for inbound or outbound SIP calls. When it detects a RTP stream, it would raise a stego0 network interface in both endpoints which can be used as a private hidden network between the peers.


The software is SIP client agnostic, but has been tested with Ekiga. Find below a commented example of an outgoing call from PC-Alice to PC-Bob which is used to establish the covert channel.

# PC-Alice. 
# The command must be run on PC-Bob as well.
$ sudo ./

# Load filter to incercept incoming and outgoing SIP calls
[SIP] added dissector and netfilter rules on udp 5060 ports.
# Outgoing-call between alice and bob intercepted 
[SIP] [OUTGOING-CALL:647604] alice@>bob@ 
[SIP] [OUTGOING-CALL-ESTAB:647604] alice@>bob@ 
# Extract RTP port and other parameters from collected SDP
[SDP] local: remote: 
# Load filter to intercept RTP connection
[RTP] added dissector and netfilter rules on udp 5072<->5076 ports.
# Starting stego0 interface with ip
[TUN] Started Interface stego0 up netmask mtu 1392
# Module to inject and extract data from tunnel loaded.
[RTP] Injector 'LACK' module loaded

Alice and Bob can now communicate using and hosts.

# PC-Alice
$ ping

PING ( 56(84) bytes of data.
64 bytes from icmp_req=1 ttl=64 time=50.1 ms
64 bytes from icmp_req=2 ttl=64 time=58.7 ms


TCP tunnel over RTP/SIP



No releases published


No packages published
You can’t perform that action at this time.