3 files changed, 37 insertions, 7 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 526aeaa04..9c0356ec8 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8505,7 +8505,6 @@ ndpi_protocol_match host_match[] = {
   { "g.whatsapp.net", NULL, "g\\.whatsapp" TLD,                        "WhatsApp",         NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
   { "v.whatsapp.net", NULL, "v\\.whatsapp" TLD,                        "WhatsApp",         NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
   { "mmg.whatsapp.net", NULL, "mmg\\.whatsapp" TLD,                    "WhatsApp",         NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
-  { "graph.facebook.com", NULL, "graph\\.facebook" TLD,                "WhatsApp",         NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_CATEGORY_CHAT, NDPI_PROTOCOL_ACCEPTABLE },
 
   { ".yahoo.", NULL, "\\.yahoo" TLD,                                   "Yahoo",            NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
   { ".yimg.com", NULL, "\\.yimg" TLD,                                  "Yahoo",            NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index aa2d9c7af..896b8a43c 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -1666,7 +1666,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
 			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0));      /* UDP */
     ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_HANGOUT_DUO,
 			    0 /* can_have_a_subprotocol */, no_master,
-			    no_master, "GoogleHangout", NDPI_PROTOCOL_CATEGORY_VOIP,
+			    no_master, "GoogleHangoutDuo", NDPI_PROTOCOL_CATEGORY_VOIP,
 			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
 			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
     ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_BJNP,
@@ -1727,8 +1727,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp
     ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_AMAZON_VIDEO,
 			    0 /* can_have_a_subprotocol */, no_master,
 			    no_master, "AmazonVideo", NDPI_PROTOCOL_CATEGORY_CLOUD,
-			    ndpi_build_default_ports(ports_a, 443, 80, 0, 0, 0) /* TCP */,
-			    ndpi_build_default_ports(ports_b, 443, 80, 0, 0, 0) /* UDP */);
+			    ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */,
+			    ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */);
 
     /* calling function for host and content matched protocols */
     init_string_based_protocols(ndpi_mod);
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index b53bed73d..f4749b71a 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -30,6 +30,8 @@
 
 #define MAX_NUM_STUN_PKTS     8
 
+// #define DEBUG_STUN 1
+
 struct stun_packet_header {
   u_int16_t msg_type, msg_len;
   u_int32_t cookie;
@@ -46,6 +48,17 @@ typedef enum {
   NDPI_IS_NOT_STUN
 } ndpi_int_stun_t;
 
+
+static int is_google_ip_address(u_int32_t host) {
+  if(
+     ((host & 0xFFFF0000 /* 255.255.0.0 */) == 0x4A7D0000 /* 74.125.0.0/16 */)
+     || ((host & 0xFFFF0000 /* 255.255.0.0 */) == 0x42660000 /* 66.102.0.0/16 */)
+     )
+    return(1);
+  else
+    return(0);
+}
+
 static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct,
 					   struct ndpi_flow_struct *flow,
 					   const u_int8_t * payload,
@@ -87,10 +100,15 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 
   if(msg_type == 0x01 /* Binding Request */) {
     flow->protos.stun_ssl.stun.num_binding_requests++;
-    if((msg_len == 0)  && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)) {
+    if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)) {
       flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
     }
   }
+
+  if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN)) {
+    NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
+    return(NDPI_IS_NOT_STUN);
+  }
   
   flow->protos.stun_ssl.stun.num_udp_pkts++;
 
@@ -199,9 +217,16 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 	  }
 	  break;
 
+	case 0xFF03:
+	  can_this_be_whatsapp_voice = 0;
+	  flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO;
+	  break;
+	  
 	default:
 	  /* This means this STUN packet cannot be confused with whatsapp voice */
-	  /* printf("==> %04X\n", attribute); */
+#ifdef DEBUG_STUN
+	  printf("==> %04X\n", attribute);
+#endif
 	  can_this_be_whatsapp_voice = 0;
 	  break;
 	}
@@ -223,8 +248,14 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *
 
  udp_stun_found:
   if(can_this_be_whatsapp_voice) {
+    struct ndpi_packet_struct *packet = &flow->packet;
+    
     flow->protos.stun_ssl.stun.num_processed_pkts++;
-    flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_VOICE;
+#ifdef DEBUG_STUN
+    printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n");
+#endif
+
+    flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr))) ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE;
     return((flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN);
   } else {
     /*