diff options
| author | Luca Deri <deri@ntop.org> | 2015-07-25 10:13:47 +0200 |
|---|---|---|
| committer | Luca Deri <deri@ntop.org> | 2015-07-25 10:13:47 +0200 |
| commit | aced1e96734489cfda44a4d8f2168942c9a358e4 (patch) | |
| tree | 892213a0f0aaa158e91029c24695a4f73c68f361 | |
| parent | e37be3b43d400b6e0f81fe622ac3fa96bc4eface (diff) | |
Improvements to WhatsApp voice
| -rw-r--r-- | src/lib/protocols/stun.c | 13 | ||||
| -rw-r--r-- | tests/pcap/whatsapp_voice_and_message.pcap | bin | 0 -> 32255 bytes | |||
| -rw-r--r-- | tests/result/whatsapp_voice_and_message.pcap.out | 16 |
3 files changed, 25 insertions, 4 deletions
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index e3338971c..1f84b268f 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -50,8 +50,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * struct ndpi_flow_struct *flow, const u_int8_t * payload, const u_int16_t payload_length, - u_int8_t *is_whatsapp) -{ + u_int8_t *is_whatsapp) { u_int16_t msg_type, msg_len; struct stun_packet_header *h = (struct stun_packet_header*)payload; @@ -66,6 +65,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * msg_type = ntohs(h->msg_type) & 0x3EEF, msg_len = ntohs(h->msg_len); + if((payload[0] != 0x80) && ((msg_len+20) > payload_length)) + return(NDPI_IS_NOT_STUN); + if((payload_length == (msg_len+20)) && ((msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */)) goto udp_stun_found; @@ -171,11 +173,14 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * #endif - if((flow->num_stun_udp_pkts > 0) && ((payload[0] == 0x80) || (payload[0] == 0x81))) { + if( + ((flow->num_stun_udp_pkts > 0) && (msg_type = 0x0800)) + || ((msg_type = 0x0800) && (msg_len == 106)) + ) { *is_whatsapp = 1; return NDPI_IS_STUN; /* This is WhatsApp Voice */ } else - return NDPI_IS_NOT_STUN; + return NDPI_IS_NOT_STUN; udp_stun_found: flow->num_stun_udp_pkts++; diff --git a/tests/pcap/whatsapp_voice_and_message.pcap b/tests/pcap/whatsapp_voice_and_message.pcap Binary files differnew file mode 100644 index 000000000..e607890fe --- /dev/null +++ b/tests/pcap/whatsapp_voice_and_message.pcap diff --git a/tests/result/whatsapp_voice_and_message.pcap.out b/tests/result/whatsapp_voice_and_message.pcap.out new file mode 100644 index 000000000..a03fab0ac --- /dev/null +++ b/tests/result/whatsapp_voice_and_message.pcap.out @@ -0,0 +1,16 @@ +STUN 44 5916 8 +WhatsApp 217 22139 5 + + 1 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78/STUN][5 pkts/676 bytes] + 2 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78/STUN][5 pkts/676 bytes] + 3 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78/STUN][5 pkts/676 bytes] + 4 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78/STUN][9 pkts/1184 bytes] + 5 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78/STUN][5 pkts/676 bytes] + 6 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78/STUN][5 pkts/676 bytes] + 7 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][62 pkts/5609 bytes] + 8 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][46 pkts/4990 bytes] + 9 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][30 pkts/4709 bytes] + 10 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 142/WhatsApp][27 pkts/2220 bytes] + 11 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][52 pkts/4611 bytes] + 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78/STUN][5 pkts/676 bytes] + 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78/STUN][5 pkts/676 bytes] |