See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/339173919

Traffic Analysis of WhatsApp Calls

Conference Paper · July 2019

DOI: 10.1109/ICAIT47043.2019.8987315

CITATIONS READS

3 2,154

3 authors, including:

Sushma Sa Asha K H
National Institute of Karnataka Don Bosco Technical Institute
8 PUBLICATIONS 39 CITATIONS 11 PUBLICATIONS 16 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Sushma Sa on 03 November 2022.

The user has requested enhancement of the downloaded file.

 2019 1st International Conference on Advances in Information Technology

TRAFFIC ANALYSIS OF WHATSAPP CALLS

Shubha C1, Sushma S. A2, Asha K.H3
1,2 Assistant Professor, Dept. of ISE, Siddaganga Institute of Technology, Tumkuru, India
3 Assistant Professor, Dept. of CSE, Don Bosco Institute of Technology, Bengaluru, India

Abstract— There has been an increase in usage of calling, status updates which are visible for 24 hours. In
applications for the ordinance of instant messages and 2018, it introduced the group voice calling and group video
voice and video calls known as Voice over Internet calling feature. Also, due to the constant circulation of faulty
Protocol (VoIP). WhatsApp being one of such messages, WhatsApp is trying to incorporate a search engine
applications which uses messaging protocols and Voice within the application for its users to use to confirm the
over Internet Protocol (VoIP) which has, over the years, validity of messages sent and/or forwarded.
became a very popular functionality. The advent of VoIP
necessitates the analysis of the forensics of WhatsApp. The main advantage of WhatsApp is its easiness in
The possibility of differentiation of the multiple calls in a expanding its user base and upgrading its services in a timely
given traffic using blind traffic detection is carried out in duration. When installed, it easily lets its users to differentiate
this project. between the people using WhatsApp and those who aren’t.
Keywords—VoIP, BlindTraffic Detection, WhatsApp. The easy accessibility of all the contacts due it’s amazing
syncing capabilities is one of the most sought out feature
among the users. It also does not take up much space as an
I. Introduction application when installed.
Currently, a lot of social applications have
emerged, and the communication services and technology are There are multiple reasons as to why people
changing the world. With every new application which enters have been selecting WhatsApp over other such
the cat race of various other communicative applications and few of them are: 1) The existence of
applications, these other applications up their game by enormous number of people using it which makes it quite
adding a new feature. Recent additions of new features are easy for people to have all their friends using the same
VoIP, end to end encryption, sharing of live locations, etc. The application. This also leads to the popularity of the
study and comparative analysis of which is not very clear and application among varied population The second issue with
not analyzed. other such application platforms is that they’ve at times
The traffic carried over the network is very crucial advertisements in between the usage of the application.
because this is the place where anyone can tap the packets Whereas WhatsApp doesn’t have such advertisements
and identify definite characters of the packets if not the data which makes it quite upfront about the funding it has3)
that the packets are carrying due to end-to-end It also is desktop friendly i.e.., it lets users to connect their
encryption. The WhatsApp traffic is carried over the application to their laptops seamlessly without any wired
application layer and the WhatsApp call specifically make connections needed. Hence, it lets the users to be able to
use of only TCP and UDP ports for their transfer. The instant message just like the Skype option;
detection of the WhatsApp over the network is quite 4) It’s vast features of encryption, statuses, delivery of
difficult to the encryption provided by Open Whisper messages, blocking, group texting and calling, hiding
System. In this work, we provide a Blind Traffic Detection specific set of people from the statuses, encryption models,
technique through which we are able to differentiate unique read receipts and many more have made it the most sought out
calls and group all the packets of that one unique call into a messaging application in the market. Although, this
file. This work does not make use of traditional Deep paper provides superficial knowledge about WhatsApp, and in-
Packet Inspection technique which requires the need to depth analysis of WhatsApp Traffic.
understand the internal protocols used. The paper is III Literature Survey
structured as follows: Firstly, it includes an introduction
to WhatsApp followed by the literature survey. Then is 1. [1] This paper shows a set of capture sessions. This
the proposed system following it is the result analysis, Paper focuses on WebRTC, an open source project
conclusion and future work. Lastly, the references can be that provides browsers and flexible applications like
found. mobile for simultaneous exchange of
information with the help of telecommunication
II WhatsApp service from sender to receiver. As mentioned in
In the recent past, WhatsApp has become the most used this paper WhatsApp introduced the new feature
personal messaging mobile application with average of 1.3 called Voice calls for Android phone. This Voice
billion monthly users and more than 1 billion daily users. It Calls feature gives some inspiration in the
has been upgrading its services provided constantly after it WebRTC world. So, they estimated to capture the
was acquired by Facebook in 2014. After acquisition by network traffic from WhatsApp and displayed the
Facebook, in its initial years of acquisition it planned on TCP/IP and other packets information that are
charging USD 0.99 as a yearly subscription to its users, but present in an Android phone. This paper shows a
was later cancelled in the year 2016. WhatsApp has services sequence of captured network traffic. In first
of instant messaging, audio messaging, voice calling, video session Android phone is connected to laptop
through Wi-Fi and consider laptop as router. Now

978-1-7281-3241-9/19/$31.00 © 2019 IEEE 256

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on August 31,2022 at 12:14:19 UTC from IEEE Xplore. Restrictions apply.
 2019 1st International Conference on Advances in Information Technology

place call from sender side. In second session performance metrics proved that hybrid approach
the same procedure is repeated but switch the has better results.
role to receiver side. In third session a test is
conducted for not answered call which describes IV Proposed System
the allocation behavior. In fourth session tests The main objective is “To identify and extract all
WhatsApp call packets that belongs to a specific call, when
muting is used to understand the bitrates in
given a traffic consisting of multiple sessions and
video files. In fifth session a test is conducted
multiple other applications data as an input”.
to check when the connection between two peers is
blocked. In sixth session repeat the same procedure Traffic is captured with the help of Wireshark which
in the middle of call. In seventh session a test is contains both single and multiple of sessions. The traffic
conducted to confirm if the caller can place a call which has been captured is a blend of WhatsApp and Non-
where 3478 port is blocked. But in this method, WhatsApp traffic. Laptop acts as router to which android
there are some disadvantages in RTT because of phone was connected to capture the traffic. WhatsApp
TURN authority. And also, it conceals the IP application was pre-installed in android phone as shown
addresses of sender and receiver. in Fig.1

2. [2] This paper describes about decrypting the

network traffic and obtaining forensic artifacts
which is related to this new calling feature such as
WhatsApp phone numbers, its server IP addresses,
audio codec (Opus), call duration, and call
termination. Also, this is a first paper that focuses on
signaling messages which is used by WhatsApp for
establishing new feature. They explained about the
tools and techniques used for decrypting the
traffic and elaborated on findings the WhatsApp
signaling messages. They have also provided the
tool that helps in the visualizing WhatsApp
protocol messages. Initially, they decrypted the
WhatsApp client connection to its servers and
visualized messages exchange. They were able to Fig 1: Analyzing the WhatsApp application through
uncover the hypothesized signaling messages of the dynamin WhatsApp server
WhatsApp call which revealed what codec is being The set of features independently contribute to
actually used for media transfer (Opus), as well as the uniqueness of the WhatsApp voice call traffic. Based on
forensically relevant metadata about the call the observations from the analysis phase, the following
establishment, termination, duration and phone features are considered to be uniquely describing the
numbers associated with the call. WhatsApp voice call traffic.

3. [3] The paper introduced the basic concept of The call traffic of WhatsApp mainly uses TCP and UDP
machine learning, test data and training data. It ports which makes the initial filtering of the calls ‟traffic
differentiated between supervised, unsupervised easy. After this first filtering is undertaken, the traffic still
and hybrid approaches. To solve network contains traffic of other sites. In order to differentiate just the
management problem, Real-time IP traffic WhatsApp traffic on the given traffic, we analyzed the
classification was used instead of known TCP or characteristics and came to a conclusion that WhatsApp’s IP
UDP port numbers. An application of Machine addresses for a particular traffic at the collected time shows
Learning techniques was introduced to IP traffic some relative characteristics which helps in differentiating
classification where IP networking and data mining the WhatsApp traffic from the rest.
techniques are bind together. Comparisons of 1. Ports used by TCP and UDP
different supervised and un-supervised Machine
i. TCP Ports; 443, 4244, 5222, 5223, 5228, 5242
Learning classification technique was used to
classify IP traffic. Multilevel classification was ii. UDP Ports: 3478.
introduced to get completeness and accuracy.
Continuous classification and Feature computation 2. UDP packets always contact STUN servers which are:
was calculated along with real-time classification. i. 31.13.78.51
The Real-time classification can be done only on ii. 31.13.79.52
small number of packets captured. Small, average iii. 157.240.7.51
and complex set of features was used where feature iv. 157.240.13.51
computation was calculated as low, average and v. 157.240.16.51
high respectively. Continuous Classification was vi. 157.240.23.52
considered as issued and solved using different
techniques. This paper lacked technical details. The

978-1-7281-3241-9/19/$31.00 © 2019 IEEE 257

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on August 31,2022 at 12:14:19 UTC from IEEE Xplore. Restrictions apply.
 2019 1st International Conference on Advances in Information Technology

Fig.2 depicts the network traffic that has been captured from bought by Facebook, at times the IP addresses allotted are of
WhatsApp application running on an Android phone using Facebook used too.
Wireshark. The collected IP addresses stored are identified in
the packets collected and hence the differentiation of
multiple calls in the same traffic is provided. Also, every
time this needs to be executed on a new set of traffic, the
defining characteristics of the traffic needs to be done.
Fig.3 depicts a graph showing number of packets
after filtering verses number of packets captured
in Wireshark.

Fig 2. Capturing WhatsApp traffic through

Wireshark

A. Algorithm
The data is in “. Pcapng or. pcap” format which can be
directly used in programming using inbuilt libraries. Hence,
the data is extracted from pcap file and traffic is filtered. To Fig 3. Number of packets after filtering.
filter the traffic, we need input and output file which is pcap
file.
VI. Conclusion
Main objective of our algorithm is to filter the traffic for
WhatsApp. Since, WhatsApp uses TCP and UDP protocols, The analysis shows that the WhatsApp
we initially filter the traffic based on protocols. Later, we traffic collected can be categorized on the basis on the
filter the filtered traffic based on port numbers and IP calls defining characteristics. Also, our work is the first
addresses of WhatsApp Calls. of its kind to have been able to differentiate the calls
from other calls and store the packets into a unique file.
Step 1: start
Step 2: read input file which is pcap file Through traffic analysis of WhatsApp call we
were able to evaluate and collect data that eventually
Step 3: Give filter expression with value "TCP and UDP" used to build logic and execute code that segregate out
Step 4: opening input file using pcap_open_offline() WhatsApp voice packets. A complete code is written
which is cable to filtering out WhatsApp calls
Step 5: pcap_compile() is used to compile the filter packets when mixture of WhatsApp and non-
expression to filter program WhatsApp traffic is given. The WhatsApp call
packets are being identified from testing traffic. The
Step 6: the filtered program is specified using
information about the users are also being identified.
pcap_set_filter()
Both the outputs are being stored in separate files for
Step 7: each packet is processed by calling organized documentation.
pcap_loop()
where new node is initialized and a value is assigned to it. REFERENCES

[1] Philipp “Fippo” Hancke &yet Chief WebRTC

VI Result Analysis Engineer WebRTCHacks Contributor
“WHATSAPP EXPOSED Investigative Report”
The study shows that the IP addresses are dynamic,
which means every time a user tries to connect with the [2] F. Karpisek, I. Baggili, F. Breitinger “WhatsApp
network forensics: Decrypting and understanding
server, the allotted IP addresses are unique. Moreover, other
the WhatsApp call signaling messages,
defining characteristic noticed was, since WhatsApp was
978-1-7281-3241-9/19/$31.00 © 2019 IEEE 258

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on August 31,2022 at 12:14:19 UTC from IEEE Xplore. Restrictions apply.
 2019 1st International Conference on Advances in Information Technology

“Article in Digital Investigation. Published in

September, 2015.

978-1-7281-3241-9/19/$31.00 © 2019 IEEE 259

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on August 31,2022 at 12:14:19 UTC from IEEE Xplore. Restrictions apply.
 2019 1st International Conference on Advances in Information Technology

[3] Thuy T.T.Nguyen,Grenville Armitage “A survey of

technique for internet classification using machine
learning”, Published in 2002.
[4] Antonio Cuadra-Sanchez, Javier Aracil “A novel blind
traffic analysis technique for detection of WhatsApp
VoIP calls”, Published in January 2017.
[5] Pongpisit Wuttidittachotti and Worawat, Comparison of
VoIP-QoE from Skype, Line, Tango and Viber over
3G networks in Thailand, Akapan Published in ICUFN
2015
[6] M. Young, The Technical Writer‟s Handbook. Mill
Valley, CA: University Science, 1989.
[7] Matthew Kiley, Shira Dankner and Marcus Rogers,
Published in 2008 in IFIP International Federation for
Information Processing, Volume 285; Chapter11:
Forensic Analysis of Volatile Instant Messaging

978-1-7281-3241-9/19/$31.00 © 2019 IEEE 260

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY SURATHKAL. Downloaded on August 31,2022 at 12:14:19 UTC from IEEE Xplore. Restrictions apply.
View publication stats