authorLuca Deri <deri@ntop.org>2019-06-20 23:11:16 +0200
committerLuca Deri <deri@ntop.org>2019-06-20 23:11:16 +0200
commit936a95e10edcd83aad1d07075374d97c4faccf10 (patch)
treeee2e21589c32df98ecdb5fef7ede8cac1054867f /src
parent13e8354f37d89936ca331000a4bfd119d82db122 (diff)
WhatsApp improvements
Diffstat (limited to 'src')
-rw-r--r--src/lib/ndpi_content_match.c.inc1
-rw-r--r--src/lib/protocols/btlib.c10
-rw-r--r--src/lib/protocols/stun.c24
3 files changed, 27 insertions, 8 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 730050a2e..a58d80e25 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8485,6 +8485,7 @@ ndpi_protocol_match host_match[] = {
{ "audio-fa.scdn.co", NULL, "audio-fa\\.scdn" TLD, "Spotify", NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_CATEGORY_MUSIC, NDPI_PROTOCOL_FUN },
{ "edge-mqtt.facebook.com", NULL, "edge-mqtt\\.facebook" TLD, "Messenger", NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
+ { "mqtt-mini.facebook.com", NULL, "mqtt-mini\\.facebook" TLD, "Messenger", NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN }, /* Messenger Lite */
{ "messenger.com", NULL, "messenger\\.com" TLD, "Messenger", NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_FUN },
{ ".pandora.com", NULL, "\\.pandora" TLD, "Pandora", NDPI_PROTOCOL_PANDORA, NDPI_PROTOCOL_CATEGORY_STREAMING, NDPI_PROTOCOL_FUN },
diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c
index ea06a6348..309a10717 100644
--- a/src/lib/protocols/btlib.c
+++ b/src/lib/protocols/btlib.c
@@ -64,7 +64,8 @@ static char *print20b(char *s,const u_int8_t *b) {
}
static char *print_id_ip_p(char *s, const struct bt_nodes_data *b) {
- u_int8_t *p = (void*)b;
+ u_int8_t *p = (u_int8_t*)b;
+
print20b(s,b->id);
snprintf(s+40,39," %d.%d.%d.%d:%u",
p[20], p[21], p[22], p[23], htons(b->port));
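Review bot: The new cast in print_id_ip_p still drops the const qualifier from `b`; `u_int8_t *p = (u_int8_t*)b;` should be `const u_int8_t *p = (const u_int8_t*)b;`, as print_ip_p in the next hunk already does. The same applies to print_ip6_p (`u_int16_t *p = (u_int16_t*)b;`), where reading the address through a u_int16_t pointer also assumes `b` is 2-byte aligned; if these structures point into a packet buffer, which the names suggest but the hunk does not show, reading bytes or copying with memcpy avoids that assumption. Both function bodies continue outside their hunks.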
@@ -72,14 +73,16 @@ static char *print_id_ip_p(char *s, const struct bt_nodes_data *b) {
}
static char *print_ip_p(char *s, const struct bt_ipv4p *b,int np) {
- const u_int8_t *p = (const void*)b;
+ const u_int8_t *p = (const u_int8_t*)b;
+
snprintf(s,39,!np ? "%d.%d.%d.%d:%u":"%d.%d.%d.%d",
p[0], p[1], p[2], p[3], htons(b->port));
return s;
}
static char *print_ip6_p(char *s, const struct bt_ipv6p *b,int np) {
- u_int16_t *p = (void*)b;
+ u_int16_t *p = (u_int16_t*)b;
+
snprintf(s,79,!np ? "%x:%x:%x:%x:%x:%x:%x:%x.%u":"%x:%x:%x:%x:%x:%x:%x:%x",
htons(p[0]), htons(p[1]), htons(p[2]), htons(p[3]),
htons(p[4]), htons(p[5]), htons(p[6]), htons(p[7]),
@@ -507,6 +510,7 @@ const u_int8_t *bt_decode(const u_int8_t *b, size_t *l, int *ret, bt_parse_data_
cbd->level--;
return b;
}
+
bad_data:
*ret=-1;
return b;
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index c169a47db..dc6a3cfd5 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -28,7 +28,7 @@
#include "ndpi_api.h"
-#define MAX_NUM_STUN_PKTS 10
+#define MAX_NUM_STUN_PKTS 8
struct stun_packet_header {
u_int16_t msg_type, msg_len;
@@ -53,7 +53,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
u_int8_t *is_whatsapp) {
u_int16_t msg_type, msg_len;
struct stun_packet_header *h = (struct stun_packet_header*)payload;
- u_int8_t can_this_be_whatsapp_voice = 1;
+ u_int8_t can_this_be_whatsapp_voice = 1, wa = 0;
flow->protos.stun_ssl.stun.num_processed_pkts++;
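Review bot: `wa` is declared and initialised here but is not referenced in any hunk of this commit, so unless it is used in unchanged code it is dead and will trigger an unused-variable warning. If it is a leftover from debugging, the declaration should stay `u_int8_t can_this_be_whatsapp_voice = 1;`. The function body continues outside this hunk.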
@@ -75,14 +75,26 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
if(ntohs(h->msg_type) == 0x01 /* Binding Request */)
flow->protos.stun_ssl.stun.num_binding_requests++;
+
+ // printf("[%02X][%02X][payload_length: %u]\n", payload[0], payload[1], payload_length);
+ if(((payload[0] == 0x80) && ((msg_len+20) <= payload_length)) /* WhatsApp Voice */) {
+ *is_whatsapp = 1;
+ return NDPI_IS_STUN; /* This is WhatsApp Voice */
+ } else if((payload[0] == 0x90) && ((msg_len+11) == payload_length) /* WhatsApp Video */) {
+ *is_whatsapp = 2;
+ return NDPI_IS_STUN; /* This is WhatsApp Video */
+ }
+
if((payload[0] != 0x80) && ((msg_len+20) > payload_length))
return(NDPI_IS_NOT_STUN);
-
- if((payload_length == (msg_len+20))
- && ((msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */)) {
+
+ if(((payload_length == (msg_len+20))
+ && ((msg_type <= 0x000b) /* http://www.3cx.com/blog/voip-howto/stun-details/ */))) {
u_int offset = 20;
+ // printf("[%02X][%02X][%02X][%02X][payload_length: %u]\n", payload[offset], payload[offset+1], payload[offset+2], payload[offset+3],payload_length);
+
/*
This can either be the standard RTCP or Ms Lync RTCP that
later will become Ms Lync RTP. In this case we need to
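Review bot: The WhatsApp Voice branch accepts any datagram whose first byte is 0x80 and whose length field satisfies `(msg_len+20) <= payload_length`, and it returns NDPI_IS_STUN before the attribute walk that otherwise clears can_this_be_whatsapp_voice. 0x80 is also the usual first byte of an RTP version 2 packet, so unrelated or deliberately shaped traffic can end up labelled WhatsApp, which matters wherever the label drives policy or accounting; a tighter test, or a comment explaining why `<=` is sufficient, is needed. The `+11` in the video branch is a bare constant and should carry its meaning, e.g. `/* 11 = <size of the WhatsApp video header, to be confirmed> */`. `*is_whatsapp` now takes the values 1 and 2, so callers that test it as a boolean should be checked, and the two commented-out printf lines are better removed than committed. The function starts and ends outside this hunk.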
@@ -103,6 +115,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
switch(attribute) {
case 0x0008: /* Message Integrity */
case 0x0020: /* XOR-MAPPED-ADDRESSES */
+ case 0x4000:
case 0x4002:
/* These are the only messages apparently whatsapp voice can use */
break;
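Review bot: `case 0x4000:` is added without saying what the attribute is, like the uncommented 0x4002 below it and unlike the two named cases above. Since this list decides which packets may still be treated as WhatsApp voice, each value should record where it was observed, for example `case 0x4000: /* vendor attribute seen in WhatsApp voice captures, name unknown */`. The switch continues outside this hunk.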
@@ -148,6 +161,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
default:
/* This means this STUN packet cannot be confused with whatsapp voice */
+ printf("==> %04X\n", attribute);
can_this_be_whatsapp_voice = 0;
break;
}
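Review bot: The added `printf("==> %04X\n", attribute);` is an unconditional debug print in library code, executed for every STUN attribute that reaches the default case. The attribute value is read from the packet, so a host application gets stdout writes at a rate set by whoever sends the traffic, which can corrupt machine-readable output and slow packet processing. Drop the line, or route it through the library's debug logging (NDPI_LOG_DBG, if that is what the rest of this file uses) so it is absent from normal builds.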