ntop / nDPI

Open Source Deep Packet Inspection Software Toolkit
http://www.ntop.org
GNU Lesser General Public License v3.0

Meta Data on The Whatsapp call #530

Open mhdtbc opened 6 years ago

mhdtbc commented 6 years ago

Dear All,

I would like to submit an idea; maybe it can be an enhancement to the WhatsApp voice signature detection. The idea would be to extract some metadata related to a particular WhatsApp call from the STUN session establishment.

A very valuable piece of information would be an indication of the two parties (calling and called) of the WhatsApp call. This can be deduced by inspecting the STUN session and particularly the exchange between the peer who is establishing the call and the WhatsApp/Facebook STUN server.

Basically the STUN session would look like this:

-> The calling party would query “STUN” servers to get a XORed public IP of the calling and the called parties
-> Try to establish a STUN session directly with the called party's public IP address (please check the capture)

The two public IP addresses can give information about the two networks of the calling and the called parties, knowing that inspecting the rest of the call (encrypted SIP/RTP ...) would be useless at the IP layer, as the Facebook/WhatsApp bridge is almost always the endpoint of all the messages. Only a part of the STUN messages can give this extra info.

Hoping that I'm clear, I think it could be a great idea, and a great advantage for this community-driven DPI.

Thanks.

[Image: capture]

kYroL01 commented 6 years ago

Hi @mehdi-erroussafi. I don't know if I understand your idea well, but basically you want to consider the XOR-MAPPED-ADDRESS to extract additional information, right? Could be a nice idea.

Can you pass me a good pcap with that traffic, please?

mhdtbc commented 6 years ago

Dear @kYroL01,

Thank you for your reply. Indeed, I think we can analyse the STUN flow to extract the 2 public IP addresses of both calling and called:

  1. The A number's public IP would be: the XOR-MAPPED-ADDRESS
  2. The B number's public IP would be: the first public IP address to which the STUN packet "bind request" is sent.

A query to a GeoIP database would then give us the operator or ASN of each IP, and therefore we would know from which country/city/ASN to which country/city/ASN the call is going.

Such metadata would be great for people who want to analyse WhatsApp calls and their destination.

Please find attached the pcap trace with the STUN filter on.

Attachment: whatsapp_stun_orig_call.zip

Thanks.
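The XOR-MAPPED-ADDRESS decoding discussed in the comment above, as an added example that is not part of the thread and is not nDPI code. It assumes the standard RFC 5389 encoding (WhatsApp's STUN traffic may deviate from it); the function name `stun_xor_mapped_v4` and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STUN_HDR_LEN 20
#define STUN_MAGIC 0x2112A442u          /* RFC 5389 magic cookie */
#define ATTR_XOR_MAPPED_ADDRESS 0x0020

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Hypothetical helper: returns 0 and fills ip (host order) and port when an
 * IPv4 XOR-MAPPED-ADDRESS is present, -1 on anything malformed or absent. */
int stun_xor_mapped_v4(const uint8_t *pkt, size_t len, uint32_t *ip, uint16_t *port) {
  if (len < STUN_HDR_LEN || (pkt[0] & 0xC0) != 0) return -1; /* top 2 bits are 0 */
  if (rd32(pkt + 4) != STUN_MAGIC) return -1;
  size_t body = rd16(pkt + 2);
  if (body % 4 != 0 || body > len - STUN_HDR_LEN) return -1; /* truncated capture */
  size_t off = STUN_HDR_LEN, end = STUN_HDR_LEN + body;
  while (end - off >= 4) {
    uint16_t type = rd16(pkt + off), alen = rd16(pkt + off + 2);
    off += 4;
    if (alen > end - off) return -1;            /* attribute overruns message */
    if (type == ATTR_XOR_MAPPED_ADDRESS) {
      if (alen < 8 || pkt[off + 1] != 0x01) return -1;  /* family 0x01 = IPv4 */
      *port = (uint16_t)(rd16(pkt + off + 2) ^ (STUN_MAGIC >> 16));
      *ip = rd32(pkt + off + 4) ^ STUN_MAGIC;
      return 0;
    }
    off += ((size_t)alen + 3) & ~(size_t)3;     /* values are padded to 4 bytes */
  }
  return -1;
}

/* Constructed Binding Success Response: SOFTWARE "abc" + XOR-MAPPED-ADDRESS
 * carrying the documentation address 192.0.2.1, port 32853. */
static const uint8_t sample_response[] = {
  0x01,0x01, 0x00,0x14, 0x21,0x12,0xa4,0x42,
  0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,
  0x80,0x22, 0x00,0x03, 'a','b','c',0x00,
  0x00,0x20, 0x00,0x08, 0x00,0x01, 0xa1,0x47, 0xe1,0x12,0xa6,0x43 };

int main(void) {
  uint32_t ip; uint16_t port;
  if (stun_xor_mapped_v4(sample_response, sizeof sample_response, &ip, &port) == 0)
    printf("%u.%u.%u.%u:%u\n", (unsigned)(ip >> 24), (unsigned)((ip >> 16) & 255),
           (unsigned)((ip >> 8) & 255), (unsigned)(ip & 255), (unsigned)port);
  return 0;
}
```

The length checks matter in a DPI context because the parser runs on untrusted packets: every attribute length is validated against the declared message length before any byte is read.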

mhdtbc commented 6 years ago

Dear all,

Any news on this idea?

Thank you very much.

kYroL01 commented 6 years ago

Hi @mehdi-erroussafi. For now we are not thinking about it. Please be patient or, if you have a suggestion, send an initial pull request. Thank you.