diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/protocols/whatsapp.c | 66 |
1 files changed, 65 insertions, 1 deletions
diff --git a/src/lib/protocols/whatsapp.c b/src/lib/protocols/whatsapp.c index 412caf957..6202a85ab 100644 --- a/src/lib/protocols/whatsapp.c +++ b/src/lib/protocols/whatsapp.c @@ -23,8 +23,53 @@ #include "ndpi_api.h" +static void ndpi_whatsapp_dissect_extra(struct ndpi_flow_struct * const flow, + u_int8_t const * const payload, + u_int32_t payload_len) +{ + size_t offset = 18; + + while (offset + 1 < payload_len) + { + u_int8_t op = payload[offset]; + u_int8_t len = payload[offset + 1]; + + offset += 2; + if (offset + len >= payload_len) + { + break; + } + + switch (op) + { + case 0x28: + case 0x08: + break; + + case 0x12: + flow->http.user_agent = ndpi_malloc(len + 1); + if (flow->http.user_agent != NULL) + { + memcpy(flow->http.user_agent, &payload[offset], len); + flow->http.user_agent[len] = '\0'; + } + offset += len; + break; + + case 0x3a: + ndpi_hostname_sni_set(flow, &payload[offset], len); + break; + + default: + offset += len; + break; + } + } +} + void ndpi_search_whatsapp(struct ndpi_detection_module_struct *ndpi_struct, - struct ndpi_flow_struct *flow) { + struct ndpi_flow_struct *flow) +{ struct ndpi_packet_struct *packet = &ndpi_struct->packet; static u_int8_t whatsapp_sequence[] = { 0x45, 0x44, 0x0, 0x01, 0x0, 0x0, 0x02, 0x08, @@ -36,6 +81,25 @@ void ndpi_search_whatsapp(struct ndpi_detection_module_struct *ndpi_struct, NDPI_LOG_DBG(ndpi_struct, "search WhatsApp\n"); + if (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x45440001) + { + NDPI_LOG_INFO(ndpi_struct, "found WhatsApp preface\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + return; + } + + if (packet->payload_packet_len >= 32 && + ntohs(get_u_int16_t(packet->payload, 0)) == 0xc2fe && + packet->payload[3] == 0x05 && + ntohl(get_u_int32_t(packet->payload, 8)) == 0x00020016 && + packet->payload[16] == 0x08) + { + NDPI_LOG_INFO(ndpi_struct, "found WhatsApp (additional info available)\n"); + ndpi_whatsapp_dissect_extra(flow, packet->payload, packet->payload_packet_len); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHATSAPP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI); + return; + } + /* This is a very old sequence (2015?) but we still have it in our unit tests. Try to detect it, without too much effort... */ if(flow->l4.tcp.wa_matched_so_far == 0 && |