authorIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2023-06-27 10:33:28 +0200
committerGitHub <noreply@github.com>2023-06-27 10:33:28 +0200
commit2c7fb9179493c1d1d4e4763e5757bc98db61b518 (patch)
tree0c5336bb4588af95b4f94e03e9dd8da14eafb36d /src/lib/protocols/stun.c
parent31a9da238cdbb2f5d7cd3d3d508e246f12dcdc8b (diff)
Hangout: detect Hangout/Duo/GoogleMeet/... in the STUN code (#2025)
Regardless of the name, the removed trace doesn't contain meaningful Hangout traffic. Remove the last piece of sub-classification based only on IP addresses.
Diffstat (limited to 'src/lib/protocols/stun.c')
-rw-r--r--src/lib/protocols/stun.c32
1 files changed, 28 insertions, 4 deletions
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 1bd27643c..be96a1500 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -125,10 +125,34 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
ndpi_confidence_t confidence = NDPI_CONFIDENCE_DPI;
if(app_proto == NDPI_PROTOCOL_UNKNOWN) {
- if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_GOOGLE)
- app_proto = NDPI_PROTOCOL_HANGOUT_DUO;
- else if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_FACEBOOK)
- app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP;
+ /* https://support.google.com/a/answer/1279090?hl=en */
+ if((ntohs(flow->c_port) >= 19302 && ntohs(flow->c_port) <= 19309) ||
+ ntohs(flow->c_port) == 3478 ||
+ (ntohs(flow->s_port) >= 19302 && ntohs(flow->s_port) <= 19309) ||
+ ntohs(flow->s_port) == 3478) {
+ if(flow->is_ipv6) {
+ u_int64_t pref1 = 0x2001486048640005; /* 2001:4860:4864:5::/64 */
+ u_int64_t pref2 = 0x2001486048640006; /* 2001:4860:4864:6::/64 */
+
+ if(memcmp(&flow->c_address.v6, &pref1, sizeof(pref1)) == 0 ||
+ memcmp(&flow->c_address.v6, &pref2, sizeof(pref2)) == 0 ||
+ memcmp(&flow->s_address.v6, &pref1, sizeof(pref1)) == 0 ||
+ memcmp(&flow->s_address.v6, &pref2, sizeof(pref2)) == 0) {
+ app_proto = NDPI_PROTOCOL_HANGOUT_DUO;
+ }
+ } else {
+ u_int32_t c_address, s_address;
+
+ c_address = ntohl(flow->c_address.v4);
+ s_address = ntohl(flow->s_address.v4);
+ if((c_address & 0xFFFFFFF0) == 0x4a7dfa00 || /* 74.125.250.0/24 */
+ (c_address & 0xFFFFFFF0) == 0x8efa5200 || /* 142.250.82.0/24 */
+ (s_address & 0xFFFFFFF0) == 0x4a7dfa00 ||
+ (s_address & 0xFFFFFFF0) == 0x8efa5200) {
+ app_proto = NDPI_PROTOCOL_HANGOUT_DUO;
+ }
+ }
+ }
}
if(ndpi_struct->stun_cache
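Review bot: The IPv4 checks mask with `0xFFFFFFF0`, which is a /28, while the comments beside them state /24, so only the first 16 addresses of 74.125.250.0 and 142.250.82.0 match and the rest of each range stays unclassified; all four comparisons should use the /24 mask, e.g. `(c_address & 0xFFFFFF00) == 0x4a7dfa00`, and likewise for `0x8efa5200` and `s_address`. In the IPv6 branch, `pref1` and `pref2` are host-order `u_int64_t` values compared with `memcmp`, so if `flow->c_address.v6` holds the address in network byte order (its declaration is not in the hunk) the match can never succeed on little-endian hosts; a byte array such as `static const u_int8_t pref1[8] = {0x20,0x01,0x48,0x60,0x48,0x64,0x00,0x05};` is endian-independent. The enclosing function ndpi_int_stun_add_connection begins before this hunk and continues past it.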