authorlns <matzeton@googlemail.com>2022-04-21 00:49:25 +0200
committerlns <matzeton@googlemail.com>2022-04-21 14:17:06 +0200
commit759ab0860b0fbf676f7a95ecd209a2d576dac053 (patch)
treebda68d6f8b326a8fc884067da22c5ad33c064830
parentc1d46ebc4e2d99f253ac7141164e6b5f497d6677 (diff)
Improved whatsapp detection/dissection.improved/whatsapp
Signed-off-by: lns <matzeton@googlemail.com>
-rw-r--r--example/reader_util.c4
-rw-r--r--src/lib/protocols/whatsapp.c66
-rw-r--r--tests/pcap/whatsapp.pcapbin0 -> 12234 bytes
-rw-r--r--tests/result/whatsapp.pcap.out12
4 files changed, 80 insertions, 2 deletions
diff --git a/example/reader_util.c b/example/reader_util.c
index 730d14625..278ec63d7 100644
--- a/example/reader_util.c
+++ b/example/reader_util.c
@@ -1118,7 +1118,9 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl
ndpi_snprintf(flow->http.request_content_type, sizeof(flow->http.request_content_type), "%s", flow->ndpi_flow->http.request_content_type ? flow->ndpi_flow->http.request_content_type : "");
ndpi_snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : "");
}
- } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSDP)) {
+ } else if(is_ndpi_proto(flow, NDPI_PROTOCOL_SSDP) ||
+ (flow->detected_protocol.master_protocol != NDPI_PROTOCOL_TLS &&
+ is_ndpi_proto(flow, NDPI_PROTOCOL_WHATSAPP))) {
ndpi_snprintf(flow->http.user_agent, sizeof(flow->http.user_agent), "%s", flow->ndpi_flow->http.user_agent ? flow->ndpi_flow->http.user_agent : "");
} else if(is_ndpi_proto(flow, NDPI_PROTOCOL_TELNET)) {
if(flow->ndpi_flow->protos.telnet.username[0] != '\0')
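Review bot: The new WhatsApp arm of the `else if` chain excludes flows whose master protocol is TLS, but nothing in the hunk says why the exclusion is needed; a one-line comment above the condition, e.g. `/* WhatsApp: http.user_agent is only populated by the non-TLS dissection path */`, would spare the next reader a trip to whatsapp.c (adjust the wording if the reason differs). The three-line boolean mixing SSDP and WhatsApp is hard to scan; at minimum the WhatsApp sub-condition should be parenthesised on its own line as it is now, with the comment making the grouping explicit. process_ndpi_collected_info begins and ends outside this hunk.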
diff --git a/src/lib/protocols/whatsapp.c b/src/lib/protocols/whatsapp.c
index 412caf957..6202a85ab 100644
--- a/src/lib/protocols/whatsapp.c
+++ b/src/lib/protocols/whatsapp.c
@@ -23,8 +23,53 @@
#include "ndpi_api.h"
+static void ndpi_whatsapp_dissect_extra(struct ndpi_flow_struct * const flow,
+ u_int8_t const * const payload,
+ u_int32_t payload_len)
+{
+ size_t offset = 18;
+
+ while (offset + 1 < payload_len)
+ {
+ u_int8_t op = payload[offset];
+ u_int8_t len = payload[offset + 1];
+
+ offset += 2;
+ if (offset + len >= payload_len)
+ {
+ break;
+ }
+
+ switch (op)
+ {
+ case 0x28:
+ case 0x08:
+ break;
+
+ case 0x12:
+ flow->http.user_agent = ndpi_malloc(len + 1);
+ if (flow->http.user_agent != NULL)
+ {
+ memcpy(flow->http.user_agent, &payload[offset], len);
+ flow->http.user_agent[len] = '\0';
+ }
+ offset += len;
+ break;
+
+ case 0x3a:
+ ndpi_hostname_sni_set(flow, &payload[offset], len);
+ break;
+
+ default:
+ offset += len;
+ break;
+ }
+ }
+}
+
void ndpi_search_whatsapp(struct ndpi_detection_module_struct *ndpi_struct,
- struct ndpi_flow_struct *flow) {
+ struct ndpi_flow_struct *flow)
+{
struct ndpi_packet_struct *packet = &ndpi_struct->packet;
static u_int8_t whatsapp_sequence[] = {
0x45, 0x44, 0x0, 0x01, 0x0, 0x0, 0x02, 0x08,
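Review bot: In ndpi_whatsapp_dissect_extra, `case 0x3a:` passes `len` bytes to ndpi_hostname_sni_set but never advances `offset`, unlike `case 0x12:` and `default:`, so the next iteration reinterprets the first two bytes of the hostname as the next op/len pair; unless 0x3a is deliberately descended into as a nested record, the arm should end with `offset += len;` like the other length-delimited case, and a comment should say which it is. The op values look like protobuf wire tags (0x08/0x28 varint, 0x12/0x3a length-delimited); if that reading is right, the 0x08/0x28 arms treat the first varint byte as a length in the `offset + len >= payload_len` check and will stop parsing early on multi-byte values, which is worth documenting either way. `case 0x12:` also overwrites `flow->http.user_agent` unconditionally, leaking any earlier allocation if the tag repeats within the packet; guard it with `if (flow->http.user_agent == NULL)` or `ndpi_free` the previous pointer first. The bare `18` in `size_t offset = 18;` deserves a named constant or a comment tying it to the header bytes checked in ndpi_search_whatsapp.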
@@ -36,6 +81,25 @@ void ndpi_search_whatsapp(struct ndpi_detection_module_struct *ndpi_struct,
NDPI_LOG_DBG(ndpi_struct, "search WhatsApp\n");
+ if (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x45440001)
+ {
+ NDPI_LOG_INFO(ndpi_struct, "found WhatsApp preface\n");
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+
+ if (packet->payload_packet_len >= 32 &&
+ ntohs(get_u_int16_t(packet->payload, 0)) == 0xc2fe &&
+ packet->payload[3] == 0x05 &&
+ ntohl(get_u_int32_t(packet->payload, 8)) == 0x00020016 &&
+ packet->payload[16] == 0x08)
+ {
+ NDPI_LOG_INFO(ndpi_struct, "found WhatsApp (additional info available)\n");
+ ndpi_whatsapp_dissect_extra(flow, packet->payload, packet->payload_packet_len);
+ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
+ return;
+ }
+
/* This is a very old sequence (2015?) but we still have it in our unit tests.
Try to detect it, without too much effort... */
if(flow->l4.tcp.wa_matched_so_far == 0 &&
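Review bot: The second new branch matches on five undocumented constants (`0xc2fe`, `payload[3] == 0x05`, `0x00020016`, `payload[16] == 0x08`) and then starts the extra dissection at a fixed offset; a comment describing the assumed frame layout (what the bytes at 0-1, 3, 8-11 and 16 represent and why the record list begins at byte 18) would make the signature maintainable and let a reader confirm that the `>= 32` minimum is enough for the first record. The first branch classifies the flow from a single 4-byte payload equal to `0x45440001`, the same prefix the older multi-packet sequence below matches over several packets; if this is only expected as the first client packet of a flow, stating that in a comment (and checking it if the flow already tracks a packet count) would lower the chance of an unrelated 4-byte message being labelled WhatsApp. ndpi_search_whatsapp continues past the end of this hunk.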
diff --git a/tests/pcap/whatsapp.pcap b/tests/pcap/whatsapp.pcap
new file mode 100644
index 000000000..0289cd31b
--- /dev/null
+++ b/tests/pcap/whatsapp.pcap
Binary files differ
diff --git a/tests/result/whatsapp.pcap.out b/tests/result/whatsapp.pcap.out
new file mode 100644
index 000000000..ed9667d0b
--- /dev/null
+++ b/tests/result/whatsapp.pcap.out
@@ -0,0 +1,12 @@
+Guessed flow protos: 0
+
+DPI Packets (TCP): 20 (4.00 pkts/flow)
+Confidence DPI : 5 (flows)
+
+WhatsApp 75 11010 5
+
+ 1 TCP 192.168.2.100:45106 <-> 18.193.233.122:5222 [proto: 142/WhatsApp][Encrypted][Confidence: DPI][cat: Chat/9][8 pkts/2061 bytes <-> 7 pkts/1063 bytes][Goodput ratio: 74/56][359.14 sec][Hostname/SNI: fr-app-chat-global-xiaomi-net2-2117517874.eu-central-1.elb.amazonaws.com][bytes ratio: 0.319 (Upload)][IAT c2s/s2c min/avg/max/stddev: 7/1 59816/100 358553/211 133599/79][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 258/152 1014/488 311/142][User-Agent: Redmi Note 8T][PLAIN TEXT (xiaomi.com)][Plen Bins: 14,0,14,14,0,0,14,0,0,0,14,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 2 TCP 192.168.2.100:37708 <-> 3.127.176.74:5222 [proto: 142/WhatsApp][Encrypted][Confidence: DPI][cat: Chat/9][8 pkts/1983 bytes <-> 7 pkts/641 bytes][Goodput ratio: 73/27][455.15 sec][Hostname/SNI: fr-app-chat-global-xiaomi-net1-1667981913.eu-central-1.elb.amazonaws.com:5222][bytes ratio: 0.511 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 75808/90740 453408/453409 168869/181335][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 248/92 999/171 303/39][User-Agent: Redmi Note 9 Pro][PLAIN TEXT (xiaomi.com)][Plen Bins: 16,0,16,16,0,0,0,16,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 3 TCP 192.168.2.100:47918 <-> 179.60.195.33:5222 [proto: 142/WhatsApp][Encrypted][Confidence: DPI][cat: Chat/9][8 pkts/1796 bytes <-> 7 pkts/584 bytes][Goodput ratio: 70/19][0.31 sec][bytes ratio: 0.509 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 9/55 34/231 12/89][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 224/83 1311/123 411/25][Plen Bins: 50,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0]
+ 4 TCP 192.168.2.100:46244 <-> 157.240.201.61:5222 [proto: 142/WhatsApp][Encrypted][Confidence: DPI][cat: Chat/9][8 pkts/859 bytes <-> 7 pkts/584 bytes][Goodput ratio: 38/19][0.35 sec][bytes ratio: 0.191 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 7/0 54/58 150/122 49/50][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/83 345/123 91/25][Plen Bins: 33,50,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+ 5 TCP 192.168.2.100:56119 <-> 179.60.195.49:5222 [proto: 142/WhatsApp][Encrypted][Confidence: DPI][cat: Chat/9][8 pkts/855 bytes <-> 7 pkts/584 bytes][Goodput ratio: 37/19][0.32 sec][bytes ratio: 0.188 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 1/0 49/46 173/113 59/38][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 107/83 341/123 89/25][Plen Bins: 33,50,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]