From 518df786ed1734266b33f6a82699cb9824366068 Mon Sep 17 00:00:00 2001 From: emanuele-f Date: Thu, 19 Sep 2019 16:08:29 +0200 Subject: Add ndpi_parse_ip_string and ndpi_get_ip_string API --- src/lib/ndpi_main.c | 56 +++++++++++++++++++++-------------------------------- 1 file changed, 22 insertions(+), 34 deletions(-) (limited to 'src/lib/ndpi_main.c') diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index eee4dbb93..25c352e37 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -5517,58 +5517,46 @@ void ndpi_packet_dst_ip_get(const struct ndpi_packet_struct *packet, ndpi_ip_add /* ********************************************************************************* */ -#ifdef NDPI_ENABLE_DEBUG_MESSAGES -/* get the string representation of ip - * returns a pointer to a static string - * only valid until the next call of this function */ -char *ndpi_get_ip_string(struct ndpi_detection_module_struct *ndpi_struct, - const ndpi_ip_addr_t * ip) -{ +char *ndpi_get_ip_string(const ndpi_ip_addr_t * ip, char *buf, u_int buf_len) { const u_int8_t *a = (const u_int8_t *) &ip->ipv4; #ifdef NDPI_DETECTION_SUPPORT_IPV6 - if(ip->ipv6.u6_addr.u6_addr32[0] != 0 || - ip->ipv6.u6_addr.u6_addr32[1] != 0 || + if(ip->ipv6.u6_addr.u6_addr32[1] != 0 || ip->ipv6.u6_addr.u6_addr32[2] != 0 || ip->ipv6.u6_addr.u6_addr32[3] != 0) { - const u_int16_t *b = ip->ipv6.u6_addr.u6_addr16; - snprintf(ndpi_struct->ip_string, 32, "%x:%x:%x:%x:%x:%x:%x:%x", - ntohs(b[0]), ntohs(b[1]), ntohs(b[2]), ntohs(b[3]), - ntohs(b[4]), ntohs(b[5]), ntohs(b[6]), ntohs(b[7])); + if(inet_ntop(AF_INET6, &ip->ipv6.u6_addr, buf, buf_len) == NULL) + buf[0] = '\0'; - return ndpi_struct->ip_string; + return buf; } #endif - snprintf(ndpi_struct->ip_string, 32, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]); + snprintf(buf, buf_len, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]); - return ndpi_struct->ip_string; + return buf; } -/* ********************************************************************************* */ +/* ****************************************************** */ -/* get the string representation of the source ip address from packet */ -char *ndpi_get_packet_src_ip_string(struct ndpi_detection_module_struct *ndpi_struct, - const struct ndpi_packet_struct *packet) -{ - ndpi_ip_addr_t ip; - ndpi_packet_src_ip_get(packet, &ip); - return ndpi_get_ip_string(ndpi_struct, &ip); -} +/* Returns -1 on failutre, otherwise fills parsed_ip and returns the IP version */ +int ndpi_parse_ip_string(const char *ip_str, ndpi_ip_addr_t *parsed_ip) { + int rv = -1; + memset(parsed_ip, 0, sizeof(*parsed_ip)); -/* ********************************************************************************* */ + if(strchr(ip_str, '.')) { + if(inet_pton(AF_INET, ip_str, &parsed_ip->ipv4) > 0) + rv = 4; +#ifdef NDPI_DETECTION_SUPPORT_IPV6 + } else { + if(inet_pton(AF_INET6, ip_str, &parsed_ip->ipv6) > 0) + rv = 6; +#endif + } -/* get the string representation of the destination ip address from packet */ -char *ndpi_get_packet_dst_ip_string(struct ndpi_detection_module_struct *ndpi_struct, - const struct ndpi_packet_struct *packet) -{ - ndpi_ip_addr_t ip; - ndpi_packet_dst_ip_get(packet, &ip); - return ndpi_get_ip_string(ndpi_struct, &ip); + return(rv); } -#endif /* NDPI_ENABLE_DEBUG_MESSAGES */ /* ****************************************************** */ -- cgit v1.2.3 From f9716c5139faa9431bb37a83815b404c75ca12ac Mon Sep 17 00:00:00 2001 From: Luca Date: Fri, 20 Sep 2019 17:37:41 +0200 Subject: Unified WhatsApp Video and Audio under WhatsAppCall --- src/include/ndpi_protocol_ids.h | 6 ++-- src/lib/ndpi_main.c | 12 +++---- src/lib/protocols/stun.c | 17 +++++----- tests/result/whatsapp_login_call.pcap.out | 42 ++++++++++++------------ tests/result/whatsapp_voice_and_message.pcap.out | 18 +++++----- 5 files changed, 47 insertions(+), 48 deletions(-) (limited to 'src/lib/ndpi_main.c') diff --git a/src/include/ndpi_protocol_ids.h b/src/include/ndpi_protocol_ids.h index ceb3cf2c9..b1be9fd69 100644 --- a/src/include/ndpi_protocol_ids.h +++ b/src/include/ndpi_protocol_ids.h @@ -79,7 +79,7 @@ typedef enum { NDPI_PROTOCOL_MINING = 42, /* Bitcoin, Ethereum, ZCash, Monero */ NDPI_PROTOCOL_NEST_LOG_SINK = 43, /* Nest Log Sink (Nest Protect) - Darryl Sokoloski */ NDPI_PROTOCOL_MODBUS = 44, /* Modbus */ - NDPI_PROTOCOL_WHATSAPP_VIDEO = 45, + NDPI_PROTOCOL_WHATSAPP_CALL = 45, /* WhatsApp video ad audio calls go here */ NDPI_PROTOCOL_DATASAVER = 46, /* Protocols used to save data on Internet communications */ NDPI_PROTOCOL_XBOX = 47, NDPI_PROTOCOL_QQ = 48, @@ -98,7 +98,7 @@ typedef enum { NDPI_PROTOCOL_QQLIVE = 61, NDPI_PROTOCOL_THUNDER = 62, NDPI_PROTOCOL_SOULSEEK = 63, - NDPI_FREE_64 = 64, + NDPI_PROTOCOL_FREE_64 = 64, NDPI_PROTOCOL_IRC = 65, NDPI_PROTOCOL_AYIYA = 66, NDPI_PROTOCOL_UNENCRYPTED_JABBER = 67, @@ -223,7 +223,7 @@ typedef enum { NDPI_PROTOCOL_VEVO = 186, NDPI_PROTOCOL_PANDORA = 187, NDPI_PROTOCOL_QUIC = 188, /* Andrea Buscarinu - Michele Campus */ - NDPI_PROTOCOL_WHATSAPP_VOICE = 189, + NDPI_PROTOCOL_FREE_189 = 189, NDPI_PROTOCOL_EAQ = 190, NDPI_PROTOCOL_OOKLA = 191, NDPI_PROTOCOL_AMQP = 192, diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 25c352e37..c3fece4a3 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1006,9 +1006,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "Modbus", NDPI_PROTOCOL_CATEGORY_NETWORK, /* Perhaps IoT in the future */ ndpi_build_default_ports(ports_a, 502, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_VIDEO, + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_CALL, 0 /* can_have_a_subprotocol */, no_master, - no_master, "WhatsAppVideo", NDPI_PROTOCOL_CATEGORY_VOIP, + no_master, "WhatsAppCall", NDPI_PROTOCOL_CATEGORY_VOIP, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_DATASAVER, @@ -1122,7 +1122,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_FREE_64, + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_FUN, NDPI_PROTOCOL_FREE_64, 0 /* can_have_a_subprotocol */, no_master, no_master, "Free64", NDPI_PROTOCOL_CATEGORY_DOWNLOAD_FT, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, @@ -1249,9 +1249,9 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "PcAnywhere", NDPI_PROTOCOL_CATEGORY_REMOTE_ACCESS, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_VOICE, + ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_FREE_189, 0 /* can_have_a_subprotocol */, no_master, - no_master, "WhatsAppVoice", NDPI_PROTOCOL_CATEGORY_VOIP, + no_master, "Free189", NDPI_PROTOCOL_CATEGORY_VOIP, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); ndpi_set_proto_defaults(ndpi_mod, NDPI_PROTOCOL_ACCEPTABLE, NDPI_PROTOCOL_WHATSAPP_FILES, @@ -4055,7 +4055,7 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st goto check_stun_export; else if((flow->guessed_protocol_id == NDPI_PROTOCOL_HANGOUT_DUO) || (flow->guessed_protocol_id == NDPI_PROTOCOL_MESSENGER) - || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_VOICE)) + || (flow->guessed_protocol_id == NDPI_PROTOCOL_WHATSAPP_CALL)) ndpi_set_detected_protocol(ndpi_struct, flow, flow->guessed_protocol_id, NDPI_PROTOCOL_UNKNOWN); else if((flow->l4.tcp.tls_seen_client_cert == 1) && (flow->protos.stun_ssl.ssl.client_certificate[0] != '\0')) { diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 9df041c26..1717277e0 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -45,8 +45,7 @@ static u_int8_t is_stun_based_proto(u_int16_t proto) { switch(proto) { case NDPI_PROTOCOL_WHATSAPP: - case NDPI_PROTOCOL_WHATSAPP_VOICE: - case NDPI_PROTOCOL_WHATSAPP_VIDEO: + case NDPI_PROTOCOL_WHATSAPP_CALL: case NDPI_PROTOCOL_MESSENGER: case NDPI_PROTOCOL_HANGOUT_DUO: case NDPI_PROTOCOL_SKYPE_CALL: @@ -318,7 +317,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * switch(flow->guessed_protocol_id) { case NDPI_PROTOCOL_HANGOUT_DUO: case NDPI_PROTOCOL_MESSENGER: - case NDPI_PROTOCOL_WHATSAPP_VOICE: + case NDPI_PROTOCOL_WHATSAPP_CALL: /* Don't overwrite the protocol with sub-STUN protocols */ break; @@ -502,15 +501,15 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * flow->protos.stun_ssl.stun.num_processed_pkts++; #ifdef DEBUG_STUN - printf("==>> NDPI_PROTOCOL_WHATSAPP_VOICE\n"); + printf("==>> NDPI_PROTOCOL_WHATSAPP_CALL\n"); #endif if((ntohs(packet->udp->source) == 3478) || (ntohs(packet->udp->dest) == 3478)) { flow->guessed_host_protocol_id = (is_messenger_ip_address(ntohl(packet->iph->saddr)) || is_messenger_ip_address(ntohl(packet->iph->daddr))) ? - NDPI_PROTOCOL_MESSENGER : NDPI_PROTOCOL_WHATSAPP_VOICE; + NDPI_PROTOCOL_MESSENGER : NDPI_PROTOCOL_WHATSAPP_CALL; } else flow->guessed_host_protocol_id = (is_google_ip_address(ntohl(packet->iph->saddr)) || is_google_ip_address(ntohl(packet->iph->daddr))) - ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_VOICE; + ? NDPI_PROTOCOL_HANGOUT_DUO : NDPI_PROTOCOL_WHATSAPP_CALL; rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN; @@ -571,7 +570,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n } else { NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */ ndpi_int_stun_add_connection(ndpi_struct, flow, - is_whatsapp ? (is_whatsapp == 1 ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO) : NDPI_PROTOCOL_STUN, + is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_CALL : NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN); } @@ -604,8 +603,8 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n } else { NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); ndpi_int_stun_add_connection(ndpi_struct, flow, - is_whatsapp ? (is_whatsapp == 1 ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_WHATSAPP_VIDEO) - : NDPI_PROTOCOL_STUN, NDPI_PROTOCOL_UNKNOWN); + is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_CALL : NDPI_PROTOCOL_STUN, + NDPI_PROTOCOL_UNKNOWN); } return; diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 696337945..6d8bd54a8 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out @@ -1,13 +1,13 @@ HTTP 11 726 3 MDNS 8 952 4 DHCP 10 3420 1 +WhatsAppCall 803 102942 20 ICMP 10 700 1 TLS 8 589 2 Dropbox 4 2176 1 Apple 190 50263 21 WhatsApp 182 25154 2 Spotify 3 258 1 -WhatsAppVoice 803 102942 20 ApplePush 22 5926 1 JA3 Host Stats: @@ -15,35 +15,35 @@ JA3 Host Stats: 1 192.168.2.4 1 - 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 49.3/34.3 209/352 59.0/50.4][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145.3/93.1 525/488 100.0/64.5][PLAIN TEXT (zTdFPOk)] - 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 51.7/132.2 307/539 65.0/84.2][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124.3/226.1 484/552 75.0/128.5] + 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][186 pkts/27025 bytes <-> 278 pkts/25895 bytes][bytes ratio: 0.021 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 49.3/34.3 209/352 59.0/50.4][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 145.3/93.1 525/488 100.0/64.5][PLAIN TEXT (zTdFPOk)] + 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][141 pkts/17530 bytes <-> 57 pkts/12888 bytes][bytes ratio: 0.153 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 51.7/132.2 307/539 65.0/84.2][Pkt Len c2s/s2c min/avg/max/stddev: 65/68 124.3/226.1 484/552 75.0/128.5] 3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][cat: Chat/9][100 pkts/14711 bytes <-> 80 pkts/10163 bytes][bytes ratio: 0.183 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1356.0/1696.8 28162/28146 4142.9/4597.2][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 147.1/127.0 1506/754 238.5/99.0][PLAIN TEXT (iPhone)] 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][bytes ratio: 0.281 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 1224.0/1483.8 31033/31176 5745.1/6337.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 405.9/275.5 1494/1002 488.5/347.9][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/TLS.Apple][cat: Web/5][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][bytes ratio: -0.112 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1641.8/2031.8 30435/30711 6607.5/7407.5][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 364.0/563.3 1494/1494 552.5/634.4][TLSv1.2][Client: query.ess.apple.com][JA3C: 799135475da362592a4be9199d258726][Server: *.ess.apple.com][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Organization: Apple Inc.][Certificate SHA-1: BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B][Validity: 2014-03-08 01:53:04 - 2029-03-08 01:53:04][Cipher: TLS_RSA_WITH_RC4_128_MD5] 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/TLS.Apple][cat: Web/5][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][bytes ratio: 0.271 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 58.5/50.1 271/228 96.9/86.1][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 362.7/235.9 1494/1002 464.1/321.5][TLSv1.2][Client: p53-buy.itunes.apple.com][JA3C: 799135475da362592a4be9199d258726][JA3S: c253ec3ad88e42f8da4032682892f9a0 (INSECURE)][Cipher: TLS_RSA_WITH_RC4_128_MD5] 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 238/ApplePush][cat: Cloud/13][11 pkts/4732 bytes <-> 11 pkts/1194 bytes][bytes ratio: 0.597 (Upload)][IAT c2s/s2c min/avg/max/stddev: 53/0 12518.4/12519.7 101116/101113 30245.8/30246.0][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 430.2/108.5 1506/300 466.8/82.6][PLAIN TEXT (yfV.nY)] - 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2652.5/1821.0 18656/18299 5702.0/5214.6][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5] + 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/2341 bytes <-> 12 pkts/2484 bytes][bytes ratio: -0.030 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 2652.5/1821.0 18656/18299 5702.0/5214.6][Pkt Len c2s/s2c min/avg/max/stddev: 64/68 195.1/207.0 331/358 97.6/107.5] 9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][cat: Network/14][10 pkts/3420 bytes -> 0 pkts/0 bytes][Host: lucas-imac][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 1255/0 6659.6/0.0 9061/0 2879.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 342/0 342.0/0.0 342/0 0.0/0.0][DHCP Fingerprint: 1,3,6,15,119,95,252,44,46] - 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1790.6/713.6 6986/6468 2740.8/1919.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8] + 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][9 pkts/1842 bytes <-> 11 pkts/1151 bytes][bytes ratio: 0.231 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/1 1790.6/713.6 6986/6468 2740.8/1919.9][Pkt Len c2s/s2c min/avg/max/stddev: 68/64 204.7/104.6 331/128 81.8/22.8] 11 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][cat: Cloud/13][4 pkts/2176 bytes -> 0 pkts/0 bytes][PLAIN TEXT ( 3375359593)] 12 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][cat: Web/5][9 pkts/1130 bytes <-> 8 pkts/868 bytes][bytes ratio: 0.131 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 9/53 116.9/111.0 275/175 106.0/50.4][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 125.6/108.5 236/151 68.4/42.5] - 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.7/0.0 667/0 12.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] - 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][15 pkts/1290 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 614/0 631.7/0.0 667/0 12.9/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] + 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][12 pkts/1032 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 625/0 631.1/0.0 644/0 5.5/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 86/0 86.0/0.0 86/0 0.0/0.0] 15 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][cat: Network/14][10 pkts/700 bytes -> 0 pkts/0 bytes][bytes ratio: 1.000 (Upload)][IAT c2s/s2c min/avg/max/stddev: 2/0 4794.7/0.0 42598/0 13366.1/0.0][Pkt Len c2s/s2c min/avg/max/stddev: 70/0 70.0/0.0 70/0 0.0/0.0] - 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 18 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 19 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 21 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 22 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 23 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 24 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 25 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][PLAIN TEXT (ay.OF@)] - 26 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 27 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 28 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 29 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 16 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 17 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 18 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 19 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 21 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 22 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 23 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 24 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 25 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes][PLAIN TEXT (ay.OF@)] + 26 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 27 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 28 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 29 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] 30 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/TLS][cat: Web/5][3 pkts/174 bytes <-> 2 pkts/217 bytes] 31 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][cat: Web/5][3 pkts/198 bytes <-> 2 pkts/132 bytes] 32 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][cat: Web/5][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: query.ess.apple.com][PLAIN TEXT (akadns)] diff --git a/tests/result/whatsapp_voice_and_message.pcap.out b/tests/result/whatsapp_voice_and_message.pcap.out index 601d041f4..3e220eab3 100644 --- a/tests/result/whatsapp_voice_and_message.pcap.out +++ b/tests/result/whatsapp_voice_and_message.pcap.out @@ -1,16 +1,16 @@ +WhatsAppCall 44 5916 8 WhatsApp 217 22139 5 -WhatsAppVoice 44 5916 8 1 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][cat: Chat/9][30 pkts/2539 bytes <-> 32 pkts/3070 bytes][bytes ratio: -0.095 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 1648.8/1542.2 28667/28718 5223.8/5079.2][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 84.6/95.9 299/559 55.4/94.3][PLAIN TEXT (Android)] 2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][cat: Chat/9][24 pkts/3029 bytes <-> 22 pkts/1961 bytes][bytes ratio: 0.214 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 586.2/638.9 10696/10748 2161.3/2265.3][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 126.2/89.1 590/469 124.1/91.7][PLAIN TEXT (Android)] 3 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][cat: Chat/9][15 pkts/2690 bytes <-> 15 pkts/2019 bytes][bytes ratio: 0.142 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 614.6/602.7 8044/4043 2061.7/1396.6][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 179.3/134.6 590/1022 202.7/240.7][PLAIN TEXT (Android)] 4 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][cat: Chat/9][26 pkts/2311 bytes <-> 26 pkts/2300 bytes][bytes ratio: 0.002 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 402.6/402.2 6149/6160 1222.3/1226.4][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 88.9/88.5 299/308 58.4/60.8][PLAIN TEXT (Android)] 5 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 142/WhatsApp][cat: Chat/9][14 pkts/1123 bytes <-> 13 pkts/1097 bytes][bytes ratio: 0.012 (Mixed)][IAT c2s/s2c min/avg/max/stddev: 0/0 102.8/102.9 318/331 97.7/90.0][Pkt Len c2s/s2c min/avg/max/stddev: 54/54 80.2/84.4 231/286 43.9/62.4][PLAIN TEXT (Android)] - 6 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][5 pkts/840 bytes <-> 4 pkts/344 bytes][bytes ratio: 0.419 (Upload)][IAT c2s/s2c min/avg/max/stddev: 208/189 15170.2/209.7 60006/241 25885.9/22.5][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168.0/86.0 168/86 0.0/0.0] - 7 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 8 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 9 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 10 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 11 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.189/STUN.WhatsAppVoice][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 6 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][5 pkts/840 bytes <-> 4 pkts/344 bytes][bytes ratio: 0.419 (Upload)][IAT c2s/s2c min/avg/max/stddev: 208/189 15170.2/209.7 60006/241 25885.9/22.5][Pkt Len c2s/s2c min/avg/max/stddev: 168/86 168.0/86.0 168/86 0.0/0.0] + 7 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 8 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 9 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 10 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 11 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.45/STUN.WhatsAppCall][cat: VoIP/10][3 pkts/504 bytes <-> 2 pkts/172 bytes] -- cgit v1.2.3 From bdcc6dc173c52d17a1d4b5b7f16e7e4454a91044 Mon Sep 17 00:00:00 2001 From: Luca Date: Fri, 20 Sep 2019 18:47:39 +0200 Subject: STUN protocol dissector code cleanup --- src/include/ndpi_typedefs.h | 2 +- src/lib/ndpi_main.c | 10 +- src/lib/protocols/stun.c | 136 ++++++++-------------------- src/lib/protocols/tls.c | 3 +- tests/result/skype-conference-call.pcap.out | 2 +- 5 files changed, 43 insertions(+), 110 deletions(-) (limited to 'src/lib/ndpi_main.c') diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 0e60151cd..7e7c85995 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -1182,7 +1182,7 @@ struct ndpi_flow_struct { } ssl; struct { - u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests, is_skype; + u_int8_t num_udp_pkts, num_processed_pkts, num_binding_requests; } stun; /* We can have STUN over SSL/TLS thus they need to live together */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index c3fece4a3..8bd7367f6 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -4131,13 +4131,9 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st check_stun_export: if(flow->protos.stun_ssl.stun.num_processed_pkts || flow->protos.stun_ssl.stun.num_udp_pkts) { // if(/* (flow->protos.stun_ssl.stun.num_processed_pkts >= NDPI_MIN_NUM_STUN_DETECTION) */ - if(flow->protos.stun_ssl.stun.num_processed_pkts && flow->protos.stun_ssl.stun.is_skype) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE); - } else { - ndpi_set_detected_protocol(ndpi_struct, flow, - flow->guessed_host_protocol_id, - NDPI_PROTOCOL_STUN); - } + ndpi_set_detected_protocol(ndpi_struct, flow, + flow->guessed_host_protocol_id, + NDPI_PROTOCOL_STUN); } } diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index 1717277e0..77ddf6ca0 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -44,7 +44,6 @@ struct stun_packet_header { static u_int8_t is_stun_based_proto(u_int16_t proto) { switch(proto) { - case NDPI_PROTOCOL_WHATSAPP: case NDPI_PROTOCOL_WHATSAPP_CALL: case NDPI_PROTOCOL_MESSENGER: case NDPI_PROTOCOL_HANGOUT_DUO: @@ -53,7 +52,7 @@ static u_int8_t is_stun_based_proto(u_int16_t proto) { case NDPI_PROTOCOL_STUN: return(1); } - + return(0); } @@ -70,7 +69,7 @@ u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) { void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, - u_int app_proto, u_int proto) { + u_int proto, u_int app_proto) { if(ndpi_struct->stun_cache == NULL) ndpi_struct->stun_cache = ndpi_lru_cache_init(1024); @@ -100,12 +99,12 @@ void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *ndpi_stru } else { if(app_proto != NDPI_PROTOCOL_STUN) { /* No sense to ass STUN, but only subprotocols */ - + #ifdef DEBUG_LRU printf("[LRU] ADDING %u / %u.%u [%u -> %u]\n", key, proto, app_proto, ntohs(flow->packet.udp->source), ntohs(flow->packet.udp->dest)); #endif - + ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key, app_proto); ndpi_lru_add_to_cache(ndpi_struct->stun_cache, key_rev, app_proto); } @@ -159,11 +158,7 @@ static int is_messenger_ip_address(u_int32_t host) { static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t * payload, - const u_int16_t payload_length, - u_int8_t *is_whatsapp, - u_int8_t *is_messenger, - u_int8_t *is_duo - ) { + const u_int16_t payload_length) { u_int16_t msg_type, msg_len; struct stun_packet_header *h = (struct stun_packet_header*)payload; u_int8_t can_this_be_whatsapp_voice = 1; @@ -171,15 +166,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * /* STUN over TCP does not look good */ if(flow->packet.tcp) return(NDPI_IS_NOT_STUN); - *is_whatsapp = 0, *is_messenger = 0, *is_duo = 0; - if(payload_length >= 512) { return(NDPI_IS_NOT_STUN); } else if(payload_length < sizeof(struct stun_packet_header)) { /* This looks like an invalid packet */ if(flow->protos.stun_ssl.stun.num_udp_pkts > 0) { - *is_whatsapp = 1; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; return(NDPI_IS_STUN); /* This is WhatsApp Voice */ } else return(NDPI_IS_NOT_STUN); @@ -198,7 +191,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * #ifdef DEBUG_STUN printf("[STUN] msg_type = %04X\n", msg_type); #endif - + if(is_stun_based_proto(flow->guessed_host_protocol_id)) { /* In this case we have the detected the typical STUN pattern @@ -206,11 +199,11 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * something else that has nothing to do with STUN anymore */ ndpi_int_stun_add_connection(ndpi_struct, flow, - flow->guessed_host_protocol_id, - NDPI_PROTOCOL_STUN); + flow->guessed_protocol_id, + flow->guessed_host_protocol_id); return(NDPI_IS_STUN); } - + return(NDPI_IS_NOT_STUN); } @@ -246,21 +239,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * flow->guessed_host_protocol_id = proto, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - switch(proto) { - case NDPI_PROTOCOL_WHATSAPP: - *is_whatsapp = 1; - break; - case NDPI_PROTOCOL_MESSENGER: - *is_messenger = 1; - break; - case NDPI_PROTOCOL_HANGOUT_DUO: - *is_duo = 1; - break; - case NDPI_PROTOCOL_SKYPE_CALL: - flow->protos.stun_ssl.stun.is_skype = 1; - break; - } - return(NDPI_IS_STUN); } else { #ifdef DEBUG_LRU @@ -279,7 +257,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if((msg_len == 0) && (flow->guessed_host_protocol_id == NDPI_PROTOCOL_GOOGLE)) flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO; else - flow->guessed_host_protocol_id = NDPI_PROTOCOL_STUN; + flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; if(msg_len == 0) { /* flow->protos.stun_ssl.stun.num_udp_pkts++; */ @@ -302,12 +280,12 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if(((payload[0] == 0x80) && (payload_length < 512) && ((msg_len+20) <= payload_length)) /* WhatsApp Voice */) { - *is_whatsapp = 1; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; return(NDPI_IS_STUN); /* This is WhatsApp Voice */ } else if((payload[0] == 0x90) && (((msg_len+11) == payload_length) /* WhatsApp Video */ || (flow->protos.stun_ssl.stun.num_binding_requests >= 4))) { - *is_whatsapp = 2; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; return(NDPI_IS_STUN); /* This is WhatsApp Video */ } @@ -355,8 +333,8 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * #endif switch(attribute) { - case 0x0008: /* Message Integrity */ - case 0x0020: /* XOR-MAPPED-ADDRESSES */ + // case 0x0008: /* Message Integrity */ + // case 0x0020: /* XOR-MAPPED-ADDRESSES */ case 0x4000: case 0x4001: case 0x4002: @@ -381,7 +359,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * #endif if(strstr((char*)flow->host_server_name, "google.com") != NULL) { - *is_duo = 1; flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; return(NDPI_IS_STUN); } else if(strstr((char*)flow->host_server_name, "whispersystems.org") != NULL) { @@ -395,12 +372,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * case 0xC057: /* Messeger */ if(msg_type == 0x0001) { if((msg_len == 100) || (msg_len == 104)) { - *is_messenger = 1; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_MESSENGER, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; return(NDPI_IS_STUN); } else if(msg_len == 76) { #if 0 - *is_duo = 1; - if(1) { flow->guessed_host_protocol_id = NDPI_PROTOCOL_HANGOUT_DUO, flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; return(NDPI_IS_NOT_STUN); /* This case is found also with signal traffic */ @@ -422,7 +397,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * printf("==> Skype found\n"); #endif flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; - flow->protos.stun_ssl.stun.is_skype = 1; return(NDPI_IS_STUN); } break; @@ -443,7 +417,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * #endif flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; - flow->protos.stun_ssl.stun.is_skype = 1; return(NDPI_IS_STUN); break; @@ -456,7 +429,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * && ((payload[offset+7] == 0x02) || (payload[offset+7] == 0x03)) ) { flow->guessed_protocol_id = NDPI_PROTOCOL_SKYPE_CALL; - flow->protos.stun_ssl.stun.is_skype = 1; #ifdef DEBUG_STUN printf("==> Skype (3) found\n"); #endif @@ -483,13 +455,13 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * } goto udp_stun_found; } else if(msg_type == 0x0800) { - *is_whatsapp = 1; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; return(NDPI_IS_STUN); /* This is WhatsApp */ } } if((flow->protos.stun_ssl.stun.num_udp_pkts > 0) && (msg_type <= 0x00FF)) { - *is_whatsapp = 1; + flow->guessed_host_protocol_id = NDPI_PROTOCOL_WHATSAPP_CALL; return(NDPI_IS_STUN); /* This is WhatsApp Voice */ } else return(NDPI_IS_NOT_STUN); @@ -498,7 +470,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if(can_this_be_whatsapp_voice) { struct ndpi_packet_struct *packet = &flow->packet; int rc; - + flow->protos.stun_ssl.stun.num_processed_pkts++; #ifdef DEBUG_STUN printf("==>> NDPI_PROTOCOL_WHATSAPP_CALL\n"); @@ -514,7 +486,9 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * rc = (flow->protos.stun_ssl.stun.num_udp_pkts < MAX_NUM_STUN_PKTS) ? NDPI_IS_NOT_STUN : NDPI_IS_STUN; if(rc == NDPI_IS_STUN) - ndpi_int_stun_add_connection(ndpi_struct, flow, flow->guessed_host_protocol_id, NDPI_IS_STUN); + ndpi_int_stun_add_connection(ndpi_struct, flow, + NDPI_IS_STUN, + flow->guessed_host_protocol_id); return(rc); } else { @@ -530,7 +504,6 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - u_int8_t is_whatsapp = 0, is_messenger = 0, is_duo = 0; NDPI_LOG_DBG(ndpi_struct, "search stun\n"); @@ -549,64 +522,27 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n * improved by checking only the STUN packet of given length */ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2, - packet->payload_packet_len - 2, - &is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) { - if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - - if(is_messenger) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN); - return; - } else if(is_duo) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN); - return; - } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN); - return; - } else if(flow->protos.stun_ssl.stun.is_skype || (flow->guessed_host_protocol_id = NDPI_PROTOCOL_SKYPE_CALL)) { - NDPI_LOG_INFO(ndpi_struct, "found Skype\n"); - - // if((flow->protos.stun_ssl.stun.num_processed_pkts >= 8) || (flow->protos.stun_ssl.stun.num_binding_requests >= 4)) - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE); - } else { - NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); /* Ummmmm we're in the TCP branch. This code looks bad */ - ndpi_int_stun_add_connection(ndpi_struct, flow, - is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_CALL : NDPI_PROTOCOL_STUN, - NDPI_PROTOCOL_UNKNOWN); - } - - return; + packet->payload_packet_len - 2) == NDPI_IS_STUN) { + goto udp_stun_match; } } } /* UDP */ if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload, - packet->payload_packet_len, - &is_whatsapp, &is_messenger, &is_duo) == NDPI_IS_STUN) { - if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; - - if(is_messenger) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_MESSENGER, NDPI_PROTOCOL_STUN); - return; - } else if(is_duo) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT_DUO, NDPI_PROTOCOL_STUN); - return; - } else if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_SIGNAL) { - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SIGNAL, NDPI_PROTOCOL_STUN); - return; - } else if(flow->protos.stun_ssl.stun.is_skype) { - NDPI_LOG_INFO(ndpi_struct, "Found Skype\n"); - - /* flow->protos.stun_ssl.stun.num_binding_requests < 4) ? NDPI_PROTOCOL_SKYPE_CALL_IN : NDPI_PROTOCOL_SKYPE_CALL_OUT */ - // if((flow->protos.stun_ssl.stun.num_udp_pkts >= 6) || (flow->protos.stun_ssl.stun.num_binding_requests >= 3)) - ndpi_int_stun_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE_CALL, NDPI_PROTOCOL_SKYPE); - } else { - NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); - ndpi_int_stun_add_connection(ndpi_struct, flow, - is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_CALL : NDPI_PROTOCOL_STUN, - NDPI_PROTOCOL_UNKNOWN); - } + packet->payload_packet_len) == NDPI_IS_STUN) { + udp_stun_match: + if(flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) + flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; + if(flow->guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) { + flow->guessed_host_protocol_id = flow->guessed_protocol_id; + flow->guessed_protocol_id = NDPI_PROTOCOL_STUN; + } + + ndpi_int_stun_add_connection(ndpi_struct, flow, + flow->guessed_protocol_id, + flow->guessed_host_protocol_id); return; } diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c index 5be39c714..f63da2067 100644 --- a/src/lib/protocols/tls.c +++ b/src/lib/protocols/tls.c @@ -628,7 +628,7 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t version_len = packet->payload[offset+4]; if(version_len == (extension_len-1)) { - /* Sanity check */ +#ifdef DEBUG_TLS u_int8_t j; for(j=0; j 104.46.40.49:60642 [proto: 125.38/Skype.SkypeCall][cat: VoIP/10][133 pkts/24845 bytes <-> 67 pkts/14842 bytes][bytes ratio: 0.252 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/22.4 159/203 24.8/47.7][Pkt Len c2s/s2c min/avg/max/stddev: 74/77 186.8/221.5 957/957 244.4/233.0][PLAIN TEXT (vRKSoR)] + 1 UDP 192.168.2.20:49282 <-> 104.46.40.49:60642 [proto: 78.38/STUN.SkypeCall][cat: VoIP/10][133 pkts/24845 bytes <-> 67 pkts/14842 bytes][bytes ratio: 0.252 (Upload)][IAT c2s/s2c min/avg/max/stddev: 0/0 10.8/22.4 159/203 24.8/47.7][Pkt Len c2s/s2c min/avg/max/stddev: 74/77 186.8/221.5 957/957 244.4/233.0][PLAIN TEXT (vRKSoR)] -- cgit v1.2.3