diff --git a/CMakeLists.txt b/CMakeLists.txt index 65fb90b403..511d8a4673 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1299,6 +1299,10 @@ ws_find_package(ILBC ENABLE_ILBC HAVE_ILBC) ws_find_package(OPUS ENABLE_OPUS HAVE_OPUS) +# libsinsp+libscap, required for falco-bridge +ws_find_package(Sinsp ENABLE_SINSP HAVE_SINSP) + + # CMake 3.9 and below used 'LIBXML2_LIBRARIES' as the name of the cache entry # storing the find_library result. Transfer it to the new cache variable such # that reset_find_package can detect and clear outdated cache variables. @@ -1593,7 +1597,6 @@ if(ENABLE_PLUGINS) plugins/epan/opcua plugins/epan/profinet plugins/epan/stats_tree - plugins/epan/sysdig_bridge plugins/epan/transum plugins/epan/unistim plugins/epan/wimax @@ -1604,6 +1607,11 @@ if(ENABLE_PLUGINS) plugins/codecs/l16_mono ${CUSTOM_PLUGIN_SRC_DIR} ) + if(SINSP_FOUND) + list(APPEND PLUGIN_SRC_DIRS + plugins/epan/falco_bridge + ) + endif() if(SPANDSP_FOUND) list(APPEND PLUGIN_SRC_DIRS plugins/codecs/G722 @@ -1816,6 +1824,11 @@ set_package_properties(PCRE2 PROPERTIES DESCRIPTION "Regular expression pattern matching using the same syntax and semantics as Perl 5" PURPOSE "Support for regular expressions" ) +set_package_properties(Sinsp PROPERTIES + DESCRIPTION "libsinsp and libscap" + URL "https://github.com/falcosecurity/libs/" + PURPOSE "Support for Falco plugins" +) string(TOUPPER "${CMAKE_BUILD_TYPE}" _build_type) message(STATUS "C-Flags: ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${_build_type}}") diff --git a/CMakeOptions.txt b/CMakeOptions.txt index e130951bc9..26d76df7d6 100644 --- a/CMakeOptions.txt +++ b/CMakeOptions.txt 
@@ -117,6 +117,7 @@ option(ENABLE_BCG729 "Build with G.729 codec support in RTP Player" ON) option(ENABLE_ILBC "Build with iLBC codec support in RTP Player" ON) option(ENABLE_LIBXML2 "Build with libxml2 support" ON) option(ENABLE_OPUS "Build with opus support" ON) +option(ENABLE_SINSP "Build with libsinsp+libscap support" ON) # How to install set(DUMPCAP_INSTALL_OPTION "normal" CACHE STRING "Permissions to install") diff --git a/epan/conversation_filter.c b/epan/conversation_filter.c index 41ba207edc..314041b430 100644 --- a/epan/conversation_filter.c +++ b/epan/conversation_filter.c @@ -20,7 +20,7 @@ GList *conv_filter_list = NULL; -void do_register_conversation_filter(const char *proto_name, const char *display_name, +static void do_register_conversation_filter(const char *proto_name, const char *display_name, is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) { conversation_filter_t *entry; @@ -42,7 +42,7 @@ void register_conversation_filter(const char *proto_name, const char *display_na build_filter_string); } -void register_conversation_filter_logshark(const char *proto_name, const char *display_name, +void register_log_conversation_filter(const char *proto_name, const char *display_name, is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) { do_register_conversation_filter(proto_name, display_name, diff --git a/epan/conversation_filter.h b/epan/conversation_filter.h index 51a279c8dd..d63f97d03a 100644 --- a/epan/conversation_filter.h +++ b/epan/conversation_filter.h 
@@ -28,12 +28,12 @@ typedef gboolean (*is_filter_valid_func)(struct _packet_info *pinfo); Filter needs to be freed after use */ typedef gchar* (*build_filter_string_func)(struct _packet_info *pinfo); -/** register a dissector filter */ +/** register a dissector filter for packets */ WS_DLL_PUBLIC void register_conversation_filter(const char *proto_name, const char *display_name, is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string); -/** register a dissector filter, tailshark version */ -WS_DLL_PUBLIC void register_conversation_filter_logshark(const char *proto_name, const char *display_name, +/** register a dissector filter for logs */ +WS_DLL_PUBLIC void register_log_conversation_filter(const char *proto_name, const char *display_name, is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string); WS_DLL_PUBLIC struct conversation_filter_s* find_conversation_filter(const char *proto_name); diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c index e7b55dadc6..abe39eb2f1 100644 --- a/epan/dissectors/packet-sysdig-event.c +++ b/epan/dissectors/packet-sysdig-event.c @@ -2290,9 +2290,8 @@ dissect_event_params(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int off static int -dissect_plugin_event(tvbuff_t *tvb _U_, packet_info *pinfo, proto_tree *tree _U_, void *data _U_) +dissect_plugin_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { - //json_dissector_handle = find_dissector("json"); if (!plugin_dissector_handle) { return 0; } @@ -2302,7 +2301,7 @@ dissect_plugin_event(tvbuff_t *tvb _U_, packet_info *pinfo, proto_tree *tree _U_ static int dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, - void *data _U_) + void *data) { proto_item *ti; proto_tree *se_tree, *syscall_tree; 
@@ -2651,7 +2650,7 @@ proto_reg_handoff_sysdig_event(void) dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2, sysdig_event_handle); dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, sysdig_event_handle); - plugin_dissector_handle = find_dissector("sdplugin"); + plugin_dissector_handle = find_dissector("falcobridge"); } /* diff --git a/plugins/epan/sysdig_bridge/AUTHORS b/plugins/epan/falco_bridge/AUTHORS similarity index 100% rename from plugins/epan/sysdig_bridge/AUTHORS rename to plugins/epan/falco_bridge/AUTHORS diff --git a/plugins/epan/sysdig_bridge/CMakeLists.txt b/plugins/epan/falco_bridge/CMakeLists.txt similarity index 72% rename from plugins/epan/sysdig_bridge/CMakeLists.txt rename to plugins/epan/falco_bridge/CMakeLists.txt index 1226a2d126..9d5bac1c14 100644 --- a/plugins/epan/sysdig_bridge/CMakeLists.txt +++ b/plugins/epan/falco_bridge/CMakeLists.txt @@ -10,10 +10,10 @@ include(WiresharkPlugin) # Plugin name and version info (major minor micro extra) -set_module_info(sysdig-plugins 0 0 4 0) +set_module_info(falco-bridge 0 0 4 0) set(DISSECTOR_SRC - packet-sysdig-bridge.c + packet-falco-bridge.c sinsp-span.cpp ) 
@@ -33,31 +33,29 @@ register_plugin_files(plugin.c ${DISSECTOR_SRC} ) -add_plugin_library(sysdig-plugins epan) - -find_package(Sinsp REQUIRED) +add_plugin_library(falco-bridge epan) # XXX Hacks; need to fix in falcosecurity-libs. -target_compile_definitions(sysdig-plugins PRIVATE +target_compile_definitions(falco-bridge PRIVATE HAVE_STRLCPY=1 ) -# target_compile_options(sysdig-plugins PRIVATE -Wno-address-of-packed-member) +# target_compile_options(falco-bridge PRIVATE -Wno-address-of-packed-member) -target_include_directories(sysdig-plugins SYSTEM PRIVATE +target_include_directories(falco-bridge SYSTEM PRIVATE ${SINSP_INCLUDE_DIRS} ) -target_link_libraries(sysdig-plugins +target_link_libraries(falco-bridge epan ${SINSP_LIBRARIES} ) -install_plugin(sysdig-plugins epan) +install_plugin(falco-bridge epan) file(GLOB DISSECTOR_HEADERS RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "*.h") CHECKAPI( NAME - sysdig-plugins + falco-bridge SWITCHES --group dissectors-prohibited --group dissectors-restricted diff --git a/plugins/epan/falco_bridge/README.md b/plugins/epan/falco_bridge/README.md new file mode 100644 index 0000000000..2b2e4daf9e --- /dev/null +++ b/plugins/epan/falco_bridge/README.md 
@@ -0,0 +1,17 @@
+# Falco Bridge
+
+This plugin is a bridge between [Falco plugins](https://github.com/falcosecurity/plugins/) and Wireshark, so that Falco plugins can be used as dissectors.
+It requires [libsinsp and libscap](https://github.com/falcosecurity/libs/).
+
+## Building the Falco Bridge plugin
+
+1. Download and compile [libsinsp and libscap](https://github.com/falcosecurity/libs/).
+
+1. Configure Wireshark with `cmake ... -DSINSP_INCLUDE_DIR=/path/to/falcosecurity-libs -DSINSP_LIBDIR=/path/to/falcosecurity-libs/build ...`
+
+## Quick Start
+
+1. Create a directory named "falco" at the same level as the "epan" plugin folder.
+You can find the global and per-user plugin folder locations on your system in About → Folders or in the [User's Guide](https://www.wireshark.org/docs/wsug_html_chunked/ChPluginFolders.html).
+
+1. Build your desired [Falco plugin](https://github.com/falcosecurity/plugins/) and place it in the "falco" plugin directory.
diff --git a/plugins/epan/sysdig_bridge/conversation-macros.h b/plugins/epan/falco_bridge/conversation-macros.h
similarity index 87%
rename from plugins/epan/sysdig_bridge/conversation-macros.h
rename to plugins/epan/falco_bridge/conversation-macros.h
index e2afb651b9..b815de19ff 100644
--- a/plugins/epan/sysdig_bridge/conversation-macros.h
+++ b/plugins/epan/falco_bridge/conversation-macros.h
@@ -20,7 +20,7 @@ build_filter_string_func bfs_func[MAX_N_CONV_FILTERS];
 if (is_right_proto == FALSE) { \
 return FALSE; \
 } \
- char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_CONVINFO_USER_##N); \
+ char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_CONVINFO_USER_##N); \
 if (bi == NULL) { \
 return FALSE; \
 } \
@@ -28,10 +28,10 @@ build_filter_string_func bfs_func[MAX_N_CONV_FILTERS]; } \ static gchar* \ conv_filter_build_##N(packet_info *pinfo) { \ - char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_CONVINFO_USER_##N); \ + char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_CONVINFO_USER_##N); \ const char* fname = conv_fld_infos[N].field_info->hfinfo.abbrev; \ return g_strdup_printf("%s eq \"%s\"", fname, bi); \ -} +} #define MAP_CONV_FLT_FUNCS(N) fv_func[N] = conv_filter_valid_##N; \ bfs_func[N] = conv_filter_build_##N; @@ -51,7 +51,7 @@ DECLARE_CONV_FLT_FUNCS(11) \ DECLARE_CONV_FLT_FUNCS(12) \ DECLARE_CONV_FLT_FUNCS(13) \ DECLARE_CONV_FLT_FUNCS(14) \ -DECLARE_CONV_FLT_FUNCS(15) +DECLARE_CONV_FLT_FUNCS(15) #define MAP_CONV_FLTS() MAP_CONV_FLT_FUNCS(0) \ MAP_CONV_FLT_FUNCS(1) \ @@ -68,4 +68,4 @@ MAP_CONV_FLT_FUNCS(11) \ MAP_CONV_FLT_FUNCS(12) \ MAP_CONV_FLT_FUNCS(13) \ MAP_CONV_FLT_FUNCS(14) \ -MAP_CONV_FLT_FUNCS(15) +MAP_CONV_FLT_FUNCS(15) diff --git a/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c b/plugins/epan/falco_bridge/packet-falco-bridge.c similarity index 80% rename from plugins/epan/sysdig_bridge/packet-sysdig-bridge.c rename to plugins/epan/falco_bridge/packet-falco-bridge.c index 5e6d38c542..632a86ecd6 100644 --- a/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c +++ b/plugins/epan/falco_bridge/packet-falco-bridge.c @@ -1,4 +1,4 @@ -/* packet-sysdig-bridge.c +/* packet-falco-bridge.c * * By Loris Degioanni * Copyright (C) 2021 Sysdig, Inc. 
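Review bot: `conv_filter_build_##N` formats the stored field value straight into a display filter with `g_strdup_printf("%s eq \"%s\"", fname, bi)`, so a value containing `"` or `\` yields a malformed filter or one that matches something other than the selected value; the value appears to come from plugin-extracted capture data stored by the bridge dissector. Escape both characters in `bi` before formatting it into the quoted literal. The builder also re-reads `bi` with `p_get_proto_data` without a NULL check, relying on `conv_filter_valid_##N` having run first; either add `if (bi == NULL) return NULL;` or a comment stating that contract. The macro body starts above this hunk.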
@@ -38,16 +38,16 @@ #include #include "sinsp-span.h" -#include "packet-sysdig-bridge.h" +#include "packet-falco-bridge.h" #include "conversation-macros.h" -static int proto_sdplugin = -1; -static gint ett_sdplugin = -1; -static gint ett_bridge = -1; +static int proto_falco_bridge = -1; +static gint ett_falco_bridge = -1; +static gint ett_sinsp_span = -1; static dissector_table_t ptype_dissector_table; -static int dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_); -static int dissect_plg_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_); +static int dissect_falco_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_); +static int dissect_sinsp_span(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_); void register_conversation_filters_mappings(void); @@ -72,19 +72,19 @@ static int hf_sdp_source_id = -1; static hf_register_info hf[] = { { &hf_sdp_source_id_size, - { "Plugin ID size", "sysdig_plugin.id.size", + { "Plugin ID size", "falco_plugin.id.size", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_sdp_lengths, - { "Field Lengths", "sysdig_plugin.lens", + { "Field Lengths", "falco_plugin.lens", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { &hf_sdp_source_id, - { "Plugin ID", "sysdig_plugin.id", + { "Plugin ID", "falco_plugin.id", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } 
@@ -202,12 +202,12 @@ configure_plugin(bridge_info* bi, char* config _U_) conv_fld_infos[conv_fld_cnt].field_info = ri; const char *source_name = get_sinsp_source_name(bi->ssi); conv_fld_infos[conv_fld_cnt].proto_name = source_name; - register_conversation_filter_logshark(source_name, finfo.hfinfo.name, fv_func[conv_fld_cnt], bfs_func[conv_fld_cnt]); + register_log_conversation_filter(source_name, finfo.hfinfo.name, fv_func[conv_fld_cnt], bfs_func[conv_fld_cnt]); conv_fld_cnt++; } fld_cnt++; } - proto_register_field_array(proto_sdplugin, bi->hf, fld_cnt); + proto_register_field_array(proto_falco_bridge, bi->hf, fld_cnt); } } @@ -235,8 +235,8 @@ import_plugin(char* fname) ); static dissector_handle_t ct_handle; - ct_handle = create_dissector_handle(dissect_plg_bridge, bi->proto); - dissector_add_uint("sysdig_plugin.id", bi->source_id, ct_handle); + ct_handle = create_dissector_handle(dissect_sinsp_span, bi->proto); + dissector_add_uint("falco_plugin.id", bi->source_id, ct_handle); } static void 
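Review bot: In `configure_plugin`, `conv_fld_cnt` indexes `conv_fld_infos`, `fv_func` and `bfs_func` and is incremented once per conversation field the plugin reports, but no comparison against `MAX_N_CONV_FILTERS` (the declared size of `bfs_func`) is visible in this hunk. If that check is not in the part of the function outside the hunk, a plugin that declares more conversation fields than there are slots writes past the arrays at registration time. Guard the branch with `if (conv_fld_cnt < MAX_N_CONV_FILTERS)` and log the field that was dropped.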
@@ -247,21 +247,21 @@ on_wireshark_exit(void) } void -proto_register_sdplugin(void) +proto_register_falcoplugin(void) { - proto_sdplugin = proto_register_protocol ( - "Sysdig Plugin", /* name */ - "SDPLUGIN", /* short name */ - "sdplugin" /* abbrev */ + proto_falco_bridge = proto_register_protocol ( + "Falco Bridge", /* name */ + "Falco Bridge", /* short name */ + "falcobridge" /* abbrev */ ); - register_dissector("sdplugin", dissect_sdplugin, proto_sdplugin); + register_dissector("falcobridge", dissect_falco_bridge, proto_falco_bridge); /* * Create the dissector table that we will use to route the dissection to - * the appropriate sysdig plugin. + * the appropriate Falco plugin. */ - ptype_dissector_table = register_dissector_table("sysdig_plugin.id", - "Plugin ID", proto_sdplugin, FT_UINT32, BASE_DEC); + ptype_dissector_table = register_dissector_table("falco_plugin.id", + "Falco Plugin ID", proto_falco_bridge, FT_UINT32, BASE_DEC); /* * Create the mapping infrastructure for conversation filtering @@ -273,10 +273,8 @@ proto_register_sdplugin(void) */ WS_DIR *dir; WS_DIRENT *file; - gchar *filename; - char dname[2048]; - const char *wspgdname = get_plugins_dir(); - snprintf(dname, sizeof(dname), "%s/../sysdig", wspgdname); + char *filename; + char *dname = g_build_filename(get_plugins_dir_with_version(), "falco", NULL); /* * We scan the plugins directory twice. The first time we count how many @@ -302,17 +300,17 @@ proto_register_sdplugin(void) } ws_dir_close(dir); } - + g_free(dname); /* * Setup protocol subtree array */ static gint *ett[] = { - &ett_sdplugin, - &ett_bridge, + &ett_falco_bridge, + &ett_sinsp_span, }; - proto_register_field_array(proto_sdplugin, hf, array_length(hf)); + proto_register_field_array(proto_falco_bridge, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); register_shutdown_routine(on_wireshark_exit); 
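Review bot: The path from `g_build_filename(get_plugins_dir_with_version(), "falco", NULL)` is the only directory visible here that is scanned for Falco plugins, while the README added in this commit refers users to both the global and the per-user plugin folders. If the per-user folder is intentionally not scanned, state that in the README and in the comment above the scan. Files found there appear to be handed to `import_plugin()` and loaded as native code during protocol registration, so the comment should also note that this directory needs the same write restrictions as the other plugin directories. The scan loop itself lies outside this hunk.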
@@ -333,20 +331,20 @@ get_bridge_info(guint32 source_id) } static int -dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_) +dissect_falco_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data) { conv_vals_cnt = 0; - col_set_str(pinfo->cinfo, COL_PROTOCOL, "Sysdig Plugin"); + col_set_str(pinfo->cinfo, COL_PROTOCOL, "Falco Bridge"); /* Clear out stuff in the info column */ col_clear(pinfo->cinfo,COL_INFO); // https://github.com/falcosecurity/libs/blob/9c942f27/userspace/libscap/scap.c#L1900 - proto_item *ti = proto_tree_add_item(tree, proto_sdplugin, tvb, 0, 12, ENC_NA); - proto_tree *sdplugin_tree = proto_item_add_subtree(ti, ett_sdplugin); - proto_tree_add_item(sdplugin_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN); - proto_tree_add_item(sdplugin_tree, hf_sdp_lengths, tvb, 4, 4, ENC_LITTLE_ENDIAN); - proto_item *idti = proto_tree_add_item(sdplugin_tree, hf_sdp_source_id, tvb, 8, 4, ENC_LITTLE_ENDIAN); + proto_item *ti = proto_tree_add_item(tree, proto_falco_bridge, tvb, 0, 12, ENC_NA); + proto_tree *fb_tree = proto_item_add_subtree(ti, ett_falco_bridge); + proto_tree_add_item(fb_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN); + proto_tree_add_item(fb_tree, hf_sdp_lengths, tvb, 4, 4, ENC_LITTLE_ENDIAN); + proto_item *idti = proto_tree_add_item(fb_tree, hf_sdp_source_id, tvb, 8, 4, ENC_LITTLE_ENDIAN); guint32 source_id = tvb_get_guint32(tvb, 8, ENC_LITTLE_ENDIAN); bridge_info* bi = get_bridge_info(source_id); 
@@ -364,7 +362,7 @@ dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data dissector_handle_t dissector = dissector_get_uint_handle(ptype_dissector_table, source_id); if (dissector) { - p_add_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_BRIDGE_HANDLE, bi); + p_add_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_BRIDGE_HANDLE, bi); tvbuff_t* next_tvb = tvb_new_subset_length(tvb, 12, tvb_captured_length(tvb) - 12); call_dissector_with_data(dissector, next_tvb, pinfo, tree, data); } @@ -373,9 +371,9 @@ dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data } static int -dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data _U_) +dissect_sinsp_span(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data _U_) { - bridge_info* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_BRIDGE_HANDLE); + bridge_info* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_BRIDGE_HANDLE); guint plen = tvb_captured_length(tvb); const char *source_name = get_sinsp_source_name(bi->ssi); @@ -384,7 +382,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da col_clear(pinfo->cinfo, COL_INFO); proto_item* ti = proto_tree_add_item(tree, bi->proto, tvb, 0, plen, ENC_NA); - proto_tree* sdplugin_tree = proto_item_add_subtree(ti, ett_bridge); + proto_tree* fb_tree = proto_item_add_subtree(ti, ett_sinsp_span); guint8* payload = (guint8*)tvb_get_ptr(tvb, 0, plen); 
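Review bot: `dissect_sinsp_span` dereferences `bi` (`bi->ssi`, then `bi->proto`) directly after `p_get_proto_data` without checking the result. The handle is registered in the `falco_plugin.id` table, so if it is ever invoked without `dissect_falco_bridge` having stored `PROTO_DATA_BRIDGE_HANDLE` for that frame, this is a NULL dereference while processing capture-file input; add `if (bi == NULL) return 0;` after the lookup. Whether `dissect_falco_bridge` checks the `get_bridge_info(source_id)` result before storing it is outside the visible lines and worth confirming for an unknown source ID.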
@@ -398,14 +396,14 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da bool rc = extract_sisnp_source_field(bi->ssi, pinfo->num, payload, plen, pinfo->pool, &sfe); if (!rc) { - REPORT_DISSECTOR_BUG("sysdig plugin %s extract error", get_sinsp_source_name(bi->ssi)); + REPORT_DISSECTOR_BUG("Falco plugin %s extract error", get_sinsp_source_name(bi->ssi)); } if (!sfe.is_present) { continue; } if (sfe.type == SFT_STRINGZ && hfinfo->type == FT_STRINGZ) { - proto_item *pi = proto_tree_add_string(sdplugin_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_str); + proto_item *pi = proto_tree_add_string(fb_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_str); if (bi->field_flags[fld_idx] & BFF_INFO) { col_append_sep_fstr(pinfo->cinfo, COL_INFO, ", ", "%s", sfe.res_str); // Mark it hidden, otherwise we end up with a bunch of empty "Info" tree items. @@ -417,7 +415,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da sprintf(cvalptr, "%s", sfe.res_str); p_add_proto_data(pinfo->pool, pinfo, - proto_sdplugin, + proto_falco_bridge, PROTO_DATA_CONVINFO_USER_BASE + conv_vals_cnt, cvalptr); } @@ -426,7 +424,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da } } else if (sfe.type == SFT_UINT64 && hfinfo->type == FT_UINT64) { - proto_tree_add_uint64(sdplugin_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_u64); + proto_tree_add_uint64(fb_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_u64); } else { REPORT_DISSECTOR_BUG("field %s has an unrecognized or mismatched type %u != %u", diff --git a/plugins/epan/sysdig_bridge/packet-sysdig-bridge.h b/plugins/epan/falco_bridge/packet-falco-bridge.h similarity index 98% rename from plugins/epan/sysdig_bridge/packet-sysdig-bridge.h rename to plugins/epan/falco_bridge/packet-falco-bridge.h index 1e7371fd25..37592afcf7 100644 --- a/plugins/epan/sysdig_bridge/packet-sysdig-bridge.h +++ b/plugins/epan/falco_bridge/packet-falco-bridge.h 
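Review bot: `sprintf(cvalptr, "%s", sfe.res_str)` in the `SFT_STRINGZ` branch copies a plugin-extracted string with no length limit. `conv_fld_info.field_val` is declared as `char field_val[4096]` in packet-falco-bridge.h, and if `cvalptr` points at that member, a longer field value taken from a capture file overflows it. Bound the copy to the destination size, for example `g_strlcpy(cvalptr, sfe.res_str, sizeof(conv_fld_infos[0].field_val));`, and check `conv_vals_cnt` against the number of conversation slots before it is added to `PROTO_DATA_CONVINFO_USER_BASE`. The definition of `cvalptr` is outside this hunk.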
@@ -1,4 +1,4 @@ -/* packet-sysdig-bridge.h +/* packet-falco-bridge.h * * By Loris Degioanni * Copyright (C) 2021 Sysdig, Inc. @@ -10,8 +10,8 @@ * SPDX-License-Identifier: GPL-2.0-or-later */ -#ifndef __PACKET_SYSDIG_BRIDGE_H__ -#define __PACKET_SYSDIG_BRIDGE_H__ +#ifndef __PACKET_FALCO_BRIDGE_H__ +#define __PACKET_FALCO_BRIDGE_H__ /* * API versions of this plugin engine @@ -228,4 +228,4 @@ typedef struct conv_fld_info { char field_val[4096]; } conv_fld_info; -#endif // __PACKET_SYSDIG_BRIDGE_H__ +#endif // __PACKET_FALCO_BRIDGE_H__ diff --git a/plugins/epan/sysdig_bridge/sinsp-span.cpp b/plugins/epan/falco_bridge/sinsp-span.cpp similarity index 99% rename from plugins/epan/sysdig_bridge/sinsp-span.cpp rename to plugins/epan/falco_bridge/sinsp-span.cpp index ca4de9df17..a21c6d7b2f 100644 --- a/plugins/epan/sysdig_bridge/sinsp-span.cpp +++ b/plugins/epan/falco_bridge/sinsp-span.cpp @@ -1,4 +1,4 @@ -/* sinsp-connector.c +/* sinsp-span.cpp * * By Gerald Combs * Copyright (C) 2022 Sysdig, Inc. diff --git a/plugins/epan/sysdig_bridge/sinsp-span.h b/plugins/epan/falco_bridge/sinsp-span.h similarity index 94% rename from plugins/epan/sysdig_bridge/sinsp-span.h rename to plugins/epan/falco_bridge/sinsp-span.h index ae3ee65a6e..0d153b956a 100644 --- a/plugins/epan/sysdig_bridge/sinsp-span.h +++ b/plugins/epan/falco_bridge/sinsp-span.h @@ -1,4 +1,4 @@ -/* sinsp-connector.c +/* sinsp-span.h * * By Gerald Combs * Copyright (C) 2022 Sysdig, Inc. @@ -46,14 +46,6 @@ typedef struct sinsp_field_info_t { bool is_info; } sinsp_field_info_t; -//typedef struct -//{ -// uint64_t evtnum; -// const uint8_t *data; -// uint32_t datalen; -// uint64_t ts; -//} ss_plugin_event; - typedef struct sinsp_field_extract_t { uint32_t field_id; // in const char *field_name; // in diff --git a/plugins/epan/sysdig_bridge/README b/plugins/epan/sysdig_bridge/README deleted file mode 100644 index ea6ed30292..0000000000 --- a/plugins/epan/sysdig_bridge/README +++ /dev/null 
@@ -1,2 +0,0 @@
-This plugin is a bridge between sysdig plugins and Wireshark, so that sysdig
-plugins can be used as dissectors.
\ No newline at end of file