
Meta Data on The Whatsapp call

Open mhdtbc opened this issue 6 years ago • 4 comments

Dear All,

I would like to submit an idea; maybe it can be an enhancement to the WhatsApp voice signature detection. The idea would be to extract some metadata related to a particular WhatsApp call from the STUN session establishment.

A very valuable piece of information would be an indication of the two parties (calling and called) of the WhatsApp call. This can be deduced by inspecting the STUN session, and particularly the exchange between the peer who is establishing the call and the WhatsApp/Facebook STUN server.

Basically the STUN session would look like this:

-> The calling party would query "STUN" servers to get a XORed public IP of the calling and the called
-> Try to establish a STUN session directly with the called party's public IP address (please check the capture)

The two public IP addresses can give information about the two networks of the calling and the called, knowing that inspecting the rest of the call (encrypted SIP/RTP ...) would be useless at the IP layer, as the Facebook/WhatsApp bridge is almost the endpoint of all the messages. Only a part of the STUN messages can give this extra info.

Hoping that I'm clear, I think it could be a great idea, and a great advantage for this community-driven DPI.

Thanks. capture

mhdtbc · Mar 05 '18 18:03

Hi @mehdi-erroussafi. I don't know if I understand your idea well, but basically you want to consider the XOR-MAPPED-ADDRESS to extract additional information, right? Could be a nice idea.

Can you pass me a good pcap with that traffic, please?

kYroL01 · Mar 05 '18 21:03

Dear @kYroL01 ,

Thank you for your reply. Indeed, I think we can analyse the STUN flow to extract the 2 public IP addresses of both calling and called:

  1. The A number's public IP would be: the XOR MAPPED ADDRESS
  2. The B number's public IP would be: the first public IP address to which the STUN packet "bind request" is sent.

A query to a GeoIP database would then give us the operator or ASN of each IP, and therefore tell us from which country/city/ASN to which country/city/ASN the call is going.

Such metadata would be great for people who want to analyse the calls of whatsapp and their destination.

Please find attached the pcap trace with STUN filter on. whatsapp_stun_orig_call.zip

Thanks.

mhdtbc · Mar 06 '18 10:03

Dear all,

Any news on this idea?

Thank you very much.

mhdtbc · Jun 26 '18 13:06

Hi @mehdi-erroussafi. For now we don't think about it. Please be patient or if you have a suggestion, send an initial pull request. Thank you

kYroL01 · Jul 02 '18 12:07