(c) leosol 2021
With the help of jpclaudino, jkoya and otaviomaciel
WhatsApp uses encrypted SIP/RTP protocols and uses STUN/TURN to establish peer-to-peer (P2P) communication.
This has been reported by Marvin Schirrmacher.
There's also something about it at the ntop project
And also here
As a consequence, it's sometimes possible to identify each party's IP address.
We not only verified this, but also built a tool that can be used to try to identify each party's IP address. As the picture shows, the tool can be set up in advance so that it is ready to identify the parties' IP addresses during a call.
WhatsApp leaves forensic evidence of the IP address used during a call handled by STUN/TURN: the binding info is recorded in the WhatsApp internal logs. When STUN/TURN succeeds, WhatsApp registers a 0x102 code in its internal log files. For the forensic examiner, this might be very useful, since sometimes each party's phone number is known but the investigators have no idea of a physical address. In this case, finding a party's IP address can be very useful. It's also possible to get info about a party's network, whether it's Cellular or Wifi.
- The phone must be rooted
- The phone must allow adb install and must not verify apps installed over USB
adb install waip.apk
tshark -r /sdcard/capture.pcap stun | grep 'Binding' |tr -s ' '|cut -d ' ' -f 3-5 | sort -u
grep -Eio 'Local:(.*), Remote:(.*), priority: 0x102' /data/data/com.whatsapp/files/Logs/whatsapp.log
grep -Eio 'Peer (.*) network medium type updated: (.*)' /data/data/com.whatsapp/files/Logs/whatsapp.log
tshark -r /sdcard/capture.pcap -o gui.column.format:"Source","%us","source port","%uS","Destination","%ud","dest port","%uD" 'udp.port==3478||tcp.port==3478'|busybox awk 'BEGIN{OFS=""}{print $1,":",$2," -> ",$3,":",$4;}'
Not every call uses STUN/TURN. This means: do not expect to have the other party's IP address every time.
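An added example, not part of the original page or its tool: a Python parser for the two log patterns grepped above, which de-duplicates the 0x102 bindings and flags remote addresses in private or carrier-grade NAT ranges, since those do not identify a subscriber on their own. The timestamp prefix, the `ip:port` value layout and the peer identifier in the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Patterns follow the page's grep commands; the "ip:port" value layout is an assumption.
BINDING = re.compile(r"Local:\s*([^,]+), Remote:\s*([^,]+), priority: 0x102\b", re.I)
MEDIUM = re.compile(r"Peer (\S+) network medium type updated: (\S+)", re.I)

# Ranges that do not identify a subscriber on their own (RFC 1918, RFC 6598 CGNAT).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def split_endpoint(text):
    """Split 'ip:port' (IPv4) or '[ip]:port' (IPv6) into (ip_address, port)."""
    host, _, port = text.strip().rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def scope(ip):
    hit = any(ip.version == n.version and ip in n for n in NON_ROUTABLE)
    return "private/CGNAT" if hit else "routable"

def parse_log(lines):
    """Return (sorted unique bindings, {peer: medium}) from whatsapp.log lines."""
    bindings, mediums = set(), {}
    for line in lines:
        m = BINDING.search(line)
        if m:
            try:
                lip, lport = split_endpoint(m.group(1))
                rip, rport = split_endpoint(m.group(2))
            except ValueError:
                continue  # malformed or truncated entry: skip rather than guess
            bindings.add((str(lip), lport, str(rip), rport, scope(rip)))
        m = MEDIUM.search(line)
        if m:
            mediums[m.group(1)] = m.group(2)  # last update for a peer wins
    return sorted(bindings), mediums

# Constructed sample lines (documentation addresses), not real log output.
SAMPLE = """\
2021-01-01 10:00:01 Local:192.168.1.20:51000, Remote:203.0.113.9:3478, priority: 0x102
2021-01-01 10:00:02 Local:192.168.1.20:51000, Remote:203.0.113.9:3478, priority: 0x102
2021-01-01 10:00:03 Local:192.168.1.20:51000, Remote:100.64.3.4:40002, priority: 0x102
2021-01-01 10:00:04 Local:192.168.1.20:51000, Remote:garbled, priority: 0x102
2021-01-01 10:00:05 Local:192.168.1.20:51000, Remote:198.51.100.7:40001, priority: 0x7e
2021-01-01 10:00:06 Peer PEER_ID_PLACEHOLDER network medium type updated: Wifi
""".splitlines()
```

Run it against a copy of `whatsapp.log` pulled from the device with `parse_log(open(path, errors="replace"))`, so the examination does not modify the original evidence.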