Hangout: detect Hangout/Duo/GoogleMeet/... in the STUN code (#2025)

Regardless of the name, the removed trace doesn't contain meaningful Hangout traffic. Remove last piece of sub-classifiction based only on ip addresses.
ntop · Jun 27, 2023 · 2c7fb91 · 2c7fb91
1 parent 31a9da2
commit 2c7fb91
Show file tree

Hide file tree

Showing 178 changed files with 207 additions and 322 deletions.
diff --git a/src/include/ndpi_protocols.h b/src/include/ndpi_protocols.h
@@ -173,7 +173,6 @@ void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int
 void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct,u_int32_t *id);
 void init_rx_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_git_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
-void init_hangout_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_drda_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_bjnp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);
 void init_smpp_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id);

diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
@@ -4757,9 +4757,6 @@ static int ndpi_callback_init(struct ndpi_detection_module_struct *ndpi_str) {
   /* GIT */
   init_git_dissector(ndpi_str, &a);
 
-  /* HANGOUT */
-  init_hangout_dissector(ndpi_str, &a);
-
   /* DRDA */
   init_drda_dissector(ndpi_str, &a);
 

diff --git a/src/lib/protocols/hangout.c b/src/lib/protocols/hangout.c
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
@@ -125,10 +125,34 @@ static void ndpi_int_stun_add_connection(struct ndpi_detection_module_struct *nd
   ndpi_confidence_t confidence = NDPI_CONFIDENCE_DPI;
 
   if(app_proto == NDPI_PROTOCOL_UNKNOWN) {
-    if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_GOOGLE)
-      app_proto = NDPI_PROTOCOL_HANGOUT_DUO;
-    else if(flow->guessed_protocol_id_by_ip == NDPI_PROTOCOL_FACEBOOK)
-      app_proto = NDPI_PROTOCOL_FACEBOOK_VOIP;
+    /* https://support.google.com/a/answer/1279090?hl=en */
+    if((ntohs(flow->c_port) >= 19302 && ntohs(flow->c_port) <= 19309) ||
+       ntohs(flow->c_port) == 3478 ||
+       (ntohs(flow->s_port) >= 19302 && ntohs(flow->s_port) <= 19309) ||
+       ntohs(flow->s_port) == 3478) {
+      if(flow->is_ipv6) {
+	u_int64_t pref1 = 0x2001486048640005; /* 2001:4860:4864:5::/64 */
+	u_int64_t pref2 = 0x2001486048640006; /* 2001:4860:4864:6::/64 */
+
+        if(memcmp(&flow->c_address.v6, &pref1, sizeof(pref1)) == 0 ||
+           memcmp(&flow->c_address.v6, &pref2, sizeof(pref2)) == 0 ||
+           memcmp(&flow->s_address.v6, &pref1, sizeof(pref1)) == 0 ||
+           memcmp(&flow->s_address.v6, &pref2, sizeof(pref2)) == 0) {
+          app_proto = NDPI_PROTOCOL_HANGOUT_DUO;
+	}
+      } else {
+        u_int32_t c_address, s_address;
+
+	c_address = ntohl(flow->c_address.v4);
+	s_address = ntohl(flow->s_address.v4);
+        if((c_address & 0xFFFFFFF0) == 0x4a7dfa00 || /* 74.125.250.0/24 */
+           (c_address & 0xFFFFFFF0) == 0x8efa5200 || /* 142.250.82.0/24 */
+           (s_address & 0xFFFFFFF0) == 0x4a7dfa00 ||
+           (s_address & 0xFFFFFFF0) == 0x8efa5200) {
+          app_proto = NDPI_PROTOCOL_HANGOUT_DUO;
+	}
+      }
+    }
   }
 
   if(ndpi_struct->stun_cache

diff --git a/tests/cfgs/caches_cfg/result/ookla.pcap.out b/tests/cfgs/caches_cfg/result/ookla.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	1
 DPI Packets (TCP):	40	(6.67 pkts/flow)
 Confidence Match by port    : 1 (flows)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 493 (82.17 diss/flow)
+Num dissector calls: 490 (81.67 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/caches_cfg/result/teams.pcap.out b/tests/cfgs/caches_cfg/result/teams.pcap.out
@@ -7,7 +7,7 @@ Confidence Unknown          : 1 (flows)
 Confidence Match by port    : 1 (flows)
 Confidence DPI (partial)    : 1 (flows)
 Confidence DPI              : 80 (flows)
-Num dissector calls: 499 (6.01 diss/flow)
+Num dissector calls: 497 (5.99 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/pcap/hangout.pcap b/tests/cfgs/default/pcap/hangout.pcap
diff --git a/tests/cfgs/default/result/1kxun.pcap.out b/tests/cfgs/default/result/1kxun.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	120	(1.21 pkts/flow)
 Confidence Unknown          : 14 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 177 (flows)
-Num dissector calls: 4537 (23.03 diss/flow)
+Num dissector calls: 4520 (22.94 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/60/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/443-chrome.pcap.out b/tests/cfgs/default/result/443-chrome.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	1	(1.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 118 (118.00 diss/flow)
+Num dissector calls: 117 (117.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/443-opvn.pcap.out b/tests/cfgs/default/result/443-opvn.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	6	(6.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 119 (119.00 diss/flow)
+Num dissector calls: 118 (118.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/4in4tunnel.pcap.out b/tests/cfgs/default/result/4in4tunnel.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	5	(5.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 177 (177.00 diss/flow)
+Num dissector calls: 176 (176.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/6in6tunnel.pcap.out b/tests/cfgs/default/result/6in6tunnel.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (UDP):	2	(2.00 pkts/flow)
 Confidence Unknown          : 1 (flows)
-Num dissector calls: 126 (126.00 diss/flow)
+Num dissector calls: 125 (125.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/EAQ.pcap.out b/tests/cfgs/default/result/EAQ.pcap.out
@@ -3,7 +3,7 @@ Guessed flow protos:	0
 DPI Packets (TCP):	12	(6.00 pkts/flow)
 DPI Packets (UDP):	116	(4.00 pkts/flow)
 Confidence DPI              : 31 (flows)
-Num dissector calls: 4397 (141.84 diss/flow)
+Num dissector calls: 4368 (140.90 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/tests/cfgs/default/result/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	7	(1.40 pkts/flow)
 Confidence DPI              : 5 (flows)
-Num dissector calls: 135 (27.00 diss/flow)
+Num dissector calls: 134 (26.80 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/KakaoTalk_chat.pcap.out b/tests/cfgs/default/result/KakaoTalk_chat.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	36	(2.00 pkts/flow)
 DPI Packets (other):	1	(1.00 pkts/flow)
 Confidence Match by port    : 5 (flows)
 Confidence DPI              : 33 (flows)
-Num dissector calls: 528 (13.89 diss/flow)
+Num dissector calls: 526 (13.84 diss/flow)
 LRU cache ookla:      0/1/0 (insert/search/found)
 LRU cache bittorrent: 0/15/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/KakaoTalk_talk.pcap.out b/tests/cfgs/default/result/KakaoTalk_talk.pcap.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	10	(2.00 pkts/flow)
 Confidence Match by port    : 8 (flows)
 Confidence DPI              : 11 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 1071 (53.55 diss/flow)
+Num dissector calls: 1065 (53.25 diss/flow)
 LRU cache ookla:      0/2/0 (insert/search/found)
 LRU cache bittorrent: 0/27/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/Oscar.pcap.out b/tests/cfgs/default/result/Oscar.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	1
 
 DPI Packets (TCP):	21	(21.00 pkts/flow)
 Confidence Match by port    : 1 (flows)
-Num dissector calls: 245 (245.00 diss/flow)
+Num dissector calls: 244 (244.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/activision.pcap.out b/tests/cfgs/default/result/activision.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	4	(1.00 pkts/flow)
 Confidence DPI              : 4 (flows)
-Num dissector calls: 384 (96.00 diss/flow)
+Num dissector calls: 380 (95.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/adult_content.pcap.out b/tests/cfgs/default/result/adult_content.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 147 (147.00 diss/flow)
+Num dissector calls: 146 (146.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/3/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/agora-sd-rtn.pcap.out b/tests/cfgs/default/result/agora-sd-rtn.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	26	(1.00 pkts/flow)
 Confidence DPI              : 26 (flows)
-Num dissector calls: 2314 (89.00 diss/flow)
+Num dissector calls: 2288 (88.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/alexa-app.pcapng.out b/tests/cfgs/default/result/alexa-app.pcapng.out
@@ -5,7 +5,7 @@ DPI Packets (UDP):	64	(1.94 pkts/flow)
 DPI Packets (other):	6	(1.00 pkts/flow)
 Confidence Match by port    : 14 (flows)
 Confidence DPI              : 146 (flows)
-Num dissector calls: 494 (3.09 diss/flow)
+Num dissector calls: 493 (3.08 diss/flow)
 LRU cache ookla:      0/5/0 (insert/search/found)
 LRU cache bittorrent: 0/42/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/alicloud.pcap.out b/tests/cfgs/default/result/alicloud.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	60	(4.00 pkts/flow)
 Confidence DPI              : 15 (flows)
-Num dissector calls: 1635 (109.00 diss/flow)
+Num dissector calls: 1620 (108.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/amqp.pcap.out b/tests/cfgs/default/result/amqp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	9	(3.00 pkts/flow)
 Confidence DPI              : 3 (flows)
-Num dissector calls: 370 (123.33 diss/flow)
+Num dissector calls: 367 (122.33 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/anyconnect-vpn.pcap.out b/tests/cfgs/default/result/anyconnect-vpn.pcap.out
@@ -6,7 +6,7 @@ DPI Packets (other):	10	(1.00 pkts/flow)
 Confidence Unknown          : 2 (flows)
 Confidence Match by port    : 6 (flows)
 Confidence DPI              : 61 (flows)
-Num dissector calls: 859 (12.45 diss/flow)
+Num dissector calls: 857 (12.42 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/24/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/avast.pcap.out b/tests/cfgs/default/result/avast.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	40	(4.00 pkts/flow)
 Confidence DPI              : 10 (flows)
-Num dissector calls: 1100 (110.00 diss/flow)
+Num dissector calls: 1090 (109.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/avast_securedns.pcapng.out b/tests/cfgs/default/result/avast_securedns.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	39	(1.00 pkts/flow)
 Confidence DPI              : 39 (flows)
-Num dissector calls: 3354 (86.00 diss/flow)
+Num dissector calls: 3315 (85.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/117/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/bittorrent.pcap.out b/tests/cfgs/default/result/bittorrent.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	24	(1.00 pkts/flow)
 Confidence DPI              : 24 (flows)
-Num dissector calls: 1828 (76.17 diss/flow)
+Num dissector calls: 1806 (75.25 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 120/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out b/tests/cfgs/default/result/bittorrent_tcp_miss.pcapng.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	10	(10.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 220 (220.00 diss/flow)
+Num dissector calls: 219 (219.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 5/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/bittorrent_utp.pcap.out b/tests/cfgs/default/result/bittorrent_utp.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (UDP):	4	(4.00 pkts/flow)
 Confidence DPI              : 1 (flows)
-Num dissector calls: 76 (76.00 diss/flow)
+Num dissector calls: 75 (75.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 5/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/cassandra.pcap.out b/tests/cfgs/default/result/cassandra.pcap.out
@@ -2,7 +2,7 @@ Guessed flow protos:	0
 
 DPI Packets (TCP):	18	(9.00 pkts/flow)
 Confidence DPI              : 2 (flows)
-Num dissector calls: 332 (166.00 diss/flow)
+Num dissector calls: 330 (165.00 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/0/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)

diff --git a/tests/cfgs/default/result/cloudflare-warp.pcap.out b/tests/cfgs/default/result/cloudflare-warp.pcap.out
@@ -4,7 +4,7 @@ DPI Packets (TCP):	41	(5.12 pkts/flow)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 5 (flows)
 Confidence Match by IP      : 1 (flows)
-Num dissector calls: 175 (21.88 diss/flow)
+Num dissector calls: 174 (21.75 diss/flow)
 LRU cache ookla:      0/0/0 (insert/search/found)
 LRU cache bittorrent: 0/9/0 (insert/search/found)
 LRU cache zoom:       0/0/0 (insert/search/found)