Rename Sysdig Bridge to Falco Bridge.
The Sysdig Bridge plugin loads Falco plugins, so rename it to Falco Bridge. Make it optional and dependent on libsinsp+libscap, similar to our codec plugins. Remove some unused code.
This commit is contained in:
parent
be03aa1a4d
commit
110dbffbe9
|
@ -1299,6 +1299,10 @@ ws_find_package(ILBC ENABLE_ILBC HAVE_ILBC)
ws_find_package(OPUS ENABLE_OPUS HAVE_OPUS)
|
ws_find_package(OPUS ENABLE_OPUS HAVE_OPUS)
# libsinsp+libscap, required for falco-bridge
ws_find_package(Sinsp ENABLE_SINSP HAVE_SINSP)
# CMake 3.9 and below used 'LIBXML2_LIBRARIES' as the name of the cache entry
|
# CMake 3.9 and below used 'LIBXML2_LIBRARIES' as the name of the cache entry
|
||||||
# storing the find_library result. Transfer it to the new cache variable such
|
# storing the find_library result. Transfer it to the new cache variable such
|
||||||
# that reset_find_package can detect and clear outdated cache variables.
|
# that reset_find_package can detect and clear outdated cache variables.
@ -1593,7 +1597,6 @@ if(ENABLE_PLUGINS)
|
||||||
plugins/epan/opcua
|
plugins/epan/opcua
|
||||||
plugins/epan/profinet
|
plugins/epan/profinet
|
||||||
plugins/epan/stats_tree
|
plugins/epan/stats_tree
|
||||||
plugins/epan/sysdig_bridge
plugins/epan/transum
|
plugins/epan/transum
|
||||||
plugins/epan/unistim
|
plugins/epan/unistim
|
||||||
plugins/epan/wimax
|
plugins/epan/wimax
@ -1604,6 +1607,11 @@ if(ENABLE_PLUGINS)
|
||||||
plugins/codecs/l16_mono
|
plugins/codecs/l16_mono
|
||||||
${CUSTOM_PLUGIN_SRC_DIR}
|
${CUSTOM_PLUGIN_SRC_DIR}
|
||||||
)
|
)
if(SINSP_FOUND)
list(APPEND PLUGIN_SRC_DIRS
plugins/epan/falco_bridge
)
endif()
|
||||||
if(SPANDSP_FOUND)
|
if(SPANDSP_FOUND)
|
||||||
list(APPEND PLUGIN_SRC_DIRS
|
list(APPEND PLUGIN_SRC_DIRS
|
||||||
plugins/codecs/G722
|
plugins/codecs/G722
@ -1816,6 +1824,11 @@ set_package_properties(PCRE2 PROPERTIES
|
||||||
DESCRIPTION "Regular expression pattern matching using the same syntax and semantics as Perl 5"
|
DESCRIPTION "Regular expression pattern matching using the same syntax and semantics as Perl 5"
|
||||||
PURPOSE "Support for regular expressions"
|
PURPOSE "Support for regular expressions"
|
||||||
)
|
)
set_package_properties(Sinsp PROPERTIES
DESCRIPTION "libsinsp and libscap"
URL "https://github.com/falcosecurity/libs/"
PURPOSE "Support for Falco plugins"
)
string(TOUPPER "${CMAKE_BUILD_TYPE}" _build_type)
|
string(TOUPPER "${CMAKE_BUILD_TYPE}" _build_type)
|
||||||
message(STATUS "C-Flags: ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${_build_type}}")
|
message(STATUS "C-Flags: ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${_build_type}}")
@ -117,6 +117,7 @@ option(ENABLE_BCG729 "Build with G.729 codec support in RTP Player" ON)
|
||||||
option(ENABLE_ILBC "Build with iLBC codec support in RTP Player" ON)
|
option(ENABLE_ILBC "Build with iLBC codec support in RTP Player" ON)
|
||||||
option(ENABLE_LIBXML2 "Build with libxml2 support" ON)
|
option(ENABLE_LIBXML2 "Build with libxml2 support" ON)
|
||||||
option(ENABLE_OPUS "Build with opus support" ON)
|
option(ENABLE_OPUS "Build with opus support" ON)
option(ENABLE_SINSP "Build with libsinsp+libscap support" ON)
# How to install
|
# How to install
|
||||||
set(DUMPCAP_INSTALL_OPTION "normal" CACHE STRING "Permissions to install")
|
set(DUMPCAP_INSTALL_OPTION "normal" CACHE STRING "Permissions to install")
@ -20,7 +20,7 @@
|
||||||
GList *conv_filter_list = NULL;
|
GList *conv_filter_list = NULL;
void do_register_conversation_filter(const char *proto_name, const char *display_name,
|
static void do_register_conversation_filter(const char *proto_name, const char *display_name,
|
||||||
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) {
|
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) {
|
||||||
conversation_filter_t *entry;
|
conversation_filter_t *entry;
@ -42,7 +42,7 @@ void register_conversation_filter(const char *proto_name, const char *display_na
|
||||||
build_filter_string);
|
build_filter_string);
|
||||||
}
|
}
void register_conversation_filter_logshark(const char *proto_name, const char *display_name,
|
void register_log_conversation_filter(const char *proto_name, const char *display_name,
|
||||||
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) {
|
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) {
|
||||||
do_register_conversation_filter(proto_name,
|
do_register_conversation_filter(proto_name,
|
||||||
display_name,
|
display_name,
@ -28,12 +28,12 @@ typedef gboolean (*is_filter_valid_func)(struct _packet_info *pinfo);
|
||||||
Filter needs to be freed after use */
|
Filter needs to be freed after use */
|
||||||
typedef gchar* (*build_filter_string_func)(struct _packet_info *pinfo);
|
typedef gchar* (*build_filter_string_func)(struct _packet_info *pinfo);
/** register a dissector filter */
|
/** register a dissector filter for packets */
|
||||||
WS_DLL_PUBLIC void register_conversation_filter(const char *proto_name, const char *display_name,
|
WS_DLL_PUBLIC void register_conversation_filter(const char *proto_name, const char *display_name,
|
||||||
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string);
|
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string);
/** register a dissector filter, tailshark version */
|
/** register a dissector filter for logs */
|
||||||
WS_DLL_PUBLIC void register_conversation_filter_logshark(const char *proto_name, const char *display_name,
|
WS_DLL_PUBLIC void register_log_conversation_filter(const char *proto_name, const char *display_name,
|
||||||
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string);
|
is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string);
WS_DLL_PUBLIC struct conversation_filter_s* find_conversation_filter(const char *proto_name);
|
WS_DLL_PUBLIC struct conversation_filter_s* find_conversation_filter(const char *proto_name);
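Review bot: Renaming the `WS_DLL_PUBLIC` export `register_conversation_filter_logshark` to `register_log_conversation_filter` removes the old symbol from libwireshark, so any out-of-tree plugin built against the previous name will fail to load rather than fall back. If this branch has external consumers, a one-line deprecated wrapper `WS_DLL_PUBLIC void register_conversation_filter_logshark(...)` that forwards to the new function keeps them working; if not, a sentence in the commit message that the API break is intentional is enough. The one-line doc comments would also benefit from saying what actually differs between the packet and log variants, since the two declarations are otherwise identical; the implementation that shows the difference is outside this hunk.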
@ -2290,9 +2290,8 @@ dissect_event_params(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int off
static int
|
static int
|
||||||
dissect_plugin_event(tvbuff_t *tvb _U_, packet_info *pinfo, proto_tree *tree _U_, void *data _U_)
|
dissect_plugin_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
|
||||||
{
|
{
|
||||||
//json_dissector_handle = find_dissector("json");
if (!plugin_dissector_handle) {
|
if (!plugin_dissector_handle) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
@ -2302,7 +2301,7 @@ dissect_plugin_event(tvbuff_t *tvb _U_, packet_info *pinfo, proto_tree *tree _U_
static int
|
static int
|
||||||
dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
|
||||||
void *data _U_)
|
void *data)
|
||||||
{
|
{
|
||||||
proto_item *ti;
|
proto_item *ti;
|
||||||
proto_tree *se_tree, *syscall_tree;
|
proto_tree *se_tree, *syscall_tree;
@ -2651,7 +2650,7 @@ proto_reg_handoff_sysdig_event(void)
|
||||||
dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2, sysdig_event_handle);
|
dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2, sysdig_event_handle);
|
||||||
dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, sysdig_event_handle);
|
dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, sysdig_event_handle);
plugin_dissector_handle = find_dissector("sdplugin");
|
plugin_dissector_handle = find_dissector("falcobridge");
|
||||||
}
|
}
/*
|
/*
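Review bot: The lookup `plugin_dissector_handle = find_dissector("falcobridge");` now silently yields NULL whenever the falco-bridge plugin is not built (ENABLE_SINSP off, or libsinsp/libscap not found) or fails to load, and the only visible consequence is that dissect_plugin_event returns 0. A comment at the lookup would make the coupling between this string, the plugin's register_dissector call and the optional build explicit: `/* Registered by the optional falco_bridge plugin; NULL when it is not built or loaded, in which case plugin events are left undissected. */`. The dissect_plugin_event body that consumes the handle is in an earlier hunk and continues outside it.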
@ -10,10 +10,10 @@
|
||||||
include(WiresharkPlugin)
|
include(WiresharkPlugin)
# Plugin name and version info (major minor micro extra)
|
# Plugin name and version info (major minor micro extra)
|
||||||
set_module_info(sysdig-plugins 0 0 4 0)
|
set_module_info(falco-bridge 0 0 4 0)
set(DISSECTOR_SRC
|
set(DISSECTOR_SRC
|
||||||
packet-sysdig-bridge.c
|
packet-falco-bridge.c
|
||||||
sinsp-span.cpp
|
sinsp-span.cpp
|
||||||
)
|
)
@ -33,31 +33,29 @@ register_plugin_files(plugin.c
|
||||||
${DISSECTOR_SRC}
|
${DISSECTOR_SRC}
|
||||||
)
|
)
add_plugin_library(sysdig-plugins epan)
|
add_plugin_library(falco-bridge epan)
find_package(Sinsp REQUIRED)
# XXX Hacks; need to fix in falcosecurity-libs.
|
# XXX Hacks; need to fix in falcosecurity-libs.
|
||||||
target_compile_definitions(sysdig-plugins PRIVATE
|
target_compile_definitions(falco-bridge PRIVATE
|
||||||
HAVE_STRLCPY=1
|
HAVE_STRLCPY=1
|
||||||
)
|
)
|
||||||
# target_compile_options(sysdig-plugins PRIVATE -Wno-address-of-packed-member)
|
# target_compile_options(falco-bridge PRIVATE -Wno-address-of-packed-member)
target_include_directories(sysdig-plugins SYSTEM PRIVATE
|
target_include_directories(falco-bridge SYSTEM PRIVATE
|
||||||
${SINSP_INCLUDE_DIRS}
|
${SINSP_INCLUDE_DIRS}
|
||||||
)
|
)
target_link_libraries(sysdig-plugins
|
target_link_libraries(falco-bridge
|
||||||
epan
|
epan
|
||||||
${SINSP_LIBRARIES}
|
${SINSP_LIBRARIES}
|
||||||
)
|
)
install_plugin(sysdig-plugins epan)
|
install_plugin(falco-bridge epan)
file(GLOB DISSECTOR_HEADERS RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "*.h")
|
file(GLOB DISSECTOR_HEADERS RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "*.h")
|
||||||
CHECKAPI(
|
CHECKAPI(
|
||||||
NAME
|
NAME
|
||||||
sysdig-plugins
|
falco-bridge
|
||||||
SWITCHES
|
SWITCHES
|
||||||
--group dissectors-prohibited
|
--group dissectors-prohibited
|
||||||
--group dissectors-restricted
|
--group dissectors-restricted
|
|
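Review bot: With `find_package(Sinsp REQUIRED)` removed, nothing in this file checks that libsinsp/libscap was actually found; the plugin is only kept out of the build by the `if(SINSP_FOUND)` in the top-level CMakeLists, so adding this directory any other way (for example through CUSTOM_PLUGIN_SRC_DIR) would configure a target with empty `${SINSP_INCLUDE_DIRS}`/`${SINSP_LIBRARIES}` and fail later with a confusing compile error. A configure-time guard keeps the dependency local and explicit: `if(NOT SINSP_FOUND)` / `message(FATAL_ERROR "falco-bridge requires libsinsp and libscap (see ENABLE_SINSP)")` / `endif()`. The link call also still uses the keywordless `target_link_libraries(falco-bridge epan ${SINSP_LIBRARIES})` signature; `PRIVATE` would be the modern form unless the Wireshark plugin helpers depend on the plain one, which I cannot tell from here.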
@ -0,0 +1,17 @@
# Falco Bridge
This plugin is a bridge between [Falco plugins](https://github.com/falcosecurity/plugins/) and Wireshark, so that Falco plugins can be used as dissectors.
It requires [libsinsp and libscap](https://github.com/falcosecurity/libs/).
## Building the Falco Bridge plugin
1. Download and compile [libsinsp and libscap](https://github.com/falcosecurity/libs/).
1. Configure Wireshark with `cmake ... -DSINSP_INCLUDE_DIR=/path/to/falcosecurity-libs -DSINSP_LIBDIR=/path/to/falcosecurity-libs/build ...`
## Quick Start
1. Create a directory named "falco" at the same level as the "epan" plugin folder.
You can find the global and per-user plugin folder locations on your system in About → Folders or in the [User's Guide](https://www.wireshark.org/docs/wsug_html_chunked/ChPluginFolders.html).
1. Build your desired [Falco plugin](https://github.com/falcosecurity/plugins/) and place it in the "falco" plugin directory.
|
|
@ -20,7 +20,7 @@ build_filter_string_func bfs_func[MAX_N_CONV_FILTERS];
|
||||||
if (is_right_proto == FALSE) { \
|
if (is_right_proto == FALSE) { \
|
||||||
return FALSE; \
|
return FALSE; \
|
||||||
} \
|
} \
|
||||||
char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_CONVINFO_USER_##N); \
|
char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_CONVINFO_USER_##N); \
|
||||||
if (bi == NULL) { \
|
if (bi == NULL) { \
|
||||||
return FALSE; \
|
return FALSE; \
|
||||||
} \
|
} \
@ -28,7 +28,7 @@ build_filter_string_func bfs_func[MAX_N_CONV_FILTERS];
|
||||||
} \
|
} \
|
||||||
static gchar* \
|
static gchar* \
|
||||||
conv_filter_build_##N(packet_info *pinfo) { \
|
conv_filter_build_##N(packet_info *pinfo) { \
|
||||||
char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_CONVINFO_USER_##N); \
|
char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_CONVINFO_USER_##N); \
|
||||||
const char* fname = conv_fld_infos[N].field_info->hfinfo.abbrev; \
|
const char* fname = conv_fld_infos[N].field_info->hfinfo.abbrev; \
|
||||||
return g_strdup_printf("%s eq \"%s\"", fname, bi); \
|
return g_strdup_printf("%s eq \"%s\"", fname, bi); \
|
||||||
}
|
}
|
|
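Review bot: `conv_filter_build_##N` interpolates the stored value `bi` straight into a display filter with `g_strdup_printf("%s eq \"%s\"", fname, bi)`, and that value is produced by a Falco plugin from capture data, not from a trusted source. A value containing a double quote or a backslash yields a malformed filter, or one that matches something other than the intended string, so the value should be escaped for dfilter string syntax (or rejected when it contains `"` or `\`) before it is formatted. The value is stored under `PROTO_DATA_CONVINFO_USER_##N` elsewhere, so the length bound on `bi` is not visible from this hunk either.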
@ -1,4 +1,4 @@
|
||||||
/* packet-sysdig-bridge.c
|
/* packet-falco-bridge.c
|
||||||
*
|
*
|
||||||
* By Loris Degioanni
|
* By Loris Degioanni
|
||||||
* Copyright (C) 2021 Sysdig, Inc.
|
* Copyright (C) 2021 Sysdig, Inc.
@ -38,16 +38,16 @@
|
||||||
#include <epan/conversation_filter.h>
|
#include <epan/conversation_filter.h>
|
||||||
|
|
||||||
#include "sinsp-span.h"
|
#include "sinsp-span.h"
|
||||||
#include "packet-sysdig-bridge.h"
|
#include "packet-falco-bridge.h"
|
||||||
#include "conversation-macros.h"
|
#include "conversation-macros.h"
static int proto_sdplugin = -1;
|
static int proto_falco_bridge = -1;
|
||||||
static gint ett_sdplugin = -1;
|
static gint ett_falco_bridge = -1;
|
||||||
static gint ett_bridge = -1;
|
static gint ett_sinsp_span = -1;
|
||||||
static dissector_table_t ptype_dissector_table;
|
static dissector_table_t ptype_dissector_table;
static int dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
|
static int dissect_falco_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
|
||||||
static int dissect_plg_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
|
static int dissect_sinsp_span(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
void register_conversation_filters_mappings(void);
|
void register_conversation_filters_mappings(void);
@ -72,19 +72,19 @@ static int hf_sdp_source_id = -1;
static hf_register_info hf[] = {
|
static hf_register_info hf[] = {
|
||||||
{ &hf_sdp_source_id_size,
|
{ &hf_sdp_source_id_size,
|
||||||
{ "Plugin ID size", "sysdig_plugin.id.size",
|
{ "Plugin ID size", "falco_plugin.id.size",
|
||||||
FT_UINT32, BASE_DEC,
|
FT_UINT32, BASE_DEC,
|
||||||
NULL, 0x0,
|
NULL, 0x0,
|
||||||
NULL, HFILL }
|
NULL, HFILL }
|
||||||
},
|
},
|
||||||
{ &hf_sdp_lengths,
|
{ &hf_sdp_lengths,
|
||||||
{ "Field Lengths", "sysdig_plugin.lens",
|
{ "Field Lengths", "falco_plugin.lens",
|
||||||
FT_UINT32, BASE_DEC,
|
FT_UINT32, BASE_DEC,
|
||||||
NULL, 0x0,
|
NULL, 0x0,
|
||||||
NULL, HFILL }
|
NULL, HFILL }
|
||||||
},
|
},
|
||||||
{ &hf_sdp_source_id,
|
{ &hf_sdp_source_id,
|
||||||
{ "Plugin ID", "sysdig_plugin.id",
|
{ "Plugin ID", "falco_plugin.id",
|
||||||
FT_UINT32, BASE_DEC,
|
FT_UINT32, BASE_DEC,
|
||||||
NULL, 0x0,
|
NULL, 0x0,
|
||||||
NULL, HFILL }
|
NULL, HFILL }
@ -202,12 +202,12 @@ configure_plugin(bridge_info* bi, char* config _U_)
|
||||||
conv_fld_infos[conv_fld_cnt].field_info = ri;
|
conv_fld_infos[conv_fld_cnt].field_info = ri;
|
||||||
const char *source_name = get_sinsp_source_name(bi->ssi);
|
const char *source_name = get_sinsp_source_name(bi->ssi);
|
||||||
conv_fld_infos[conv_fld_cnt].proto_name = source_name;
|
conv_fld_infos[conv_fld_cnt].proto_name = source_name;
|
||||||
register_conversation_filter_logshark(source_name, finfo.hfinfo.name, fv_func[conv_fld_cnt], bfs_func[conv_fld_cnt]);
|
register_log_conversation_filter(source_name, finfo.hfinfo.name, fv_func[conv_fld_cnt], bfs_func[conv_fld_cnt]);
|
||||||
conv_fld_cnt++;
|
conv_fld_cnt++;
|
||||||
}
|
}
|
||||||
fld_cnt++;
|
fld_cnt++;
|
||||||
}
|
}
|
||||||
proto_register_field_array(proto_sdplugin, bi->hf, fld_cnt);
|
proto_register_field_array(proto_falco_bridge, bi->hf, fld_cnt);
|
||||||
}
|
}
|
||||||
}
|
}
@ -235,8 +235,8 @@ import_plugin(char* fname)
|
||||||
);
|
);
static dissector_handle_t ct_handle;
|
static dissector_handle_t ct_handle;
|
||||||
ct_handle = create_dissector_handle(dissect_plg_bridge, bi->proto);
|
ct_handle = create_dissector_handle(dissect_sinsp_span, bi->proto);
|
||||||
dissector_add_uint("sysdig_plugin.id", bi->source_id, ct_handle);
|
dissector_add_uint("falco_plugin.id", bi->source_id, ct_handle);
|
||||||
}
|
}
static void
|
static void
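Review bot: `static dissector_handle_t ct_handle;` gives the handle static storage although it is consumed immediately by `dissector_add_uint("falco_plugin.id", bi->source_id, ct_handle);` and never read again, so each import_plugin call just overwrites one shared slot. A plain local, `dissector_handle_t ct_handle = create_dissector_handle(dissect_sinsp_span, bi->proto);`, says what is meant and removes the hint that the handle must outlive the call. The rest of import_plugin is outside this hunk, so I cannot see whether two plugins reporting the same source_id are rejected before the table insert; if not, the second registration silently replaces the first.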
@ -247,21 +247,21 @@ on_wireshark_exit(void)
|
||||||
}
|
}
void
|
void
|
||||||
proto_register_sdplugin(void)
|
proto_register_falcoplugin(void)
|
||||||
{
|
{
|
||||||
proto_sdplugin = proto_register_protocol (
|
proto_falco_bridge = proto_register_protocol (
|
||||||
"Sysdig Plugin", /* name */
|
"Falco Bridge", /* name */
|
||||||
"SDPLUGIN", /* short name */
|
"Falco Bridge", /* short name */
|
||||||
"sdplugin" /* abbrev */
|
"falcobridge" /* abbrev */
|
||||||
);
|
);
|
||||||
register_dissector("sdplugin", dissect_sdplugin, proto_sdplugin);
|
register_dissector("falcobridge", dissect_falco_bridge, proto_falco_bridge);
/*
|
/*
|
||||||
* Create the dissector table that we will use to route the dissection to
|
* Create the dissector table that we will use to route the dissection to
|
||||||
* the appropriate sysdig plugin.
|
* the appropriate Falco plugin.
|
||||||
*/
|
*/
|
||||||
ptype_dissector_table = register_dissector_table("sysdig_plugin.id",
|
ptype_dissector_table = register_dissector_table("falco_plugin.id",
|
||||||
"Plugin ID", proto_sdplugin, FT_UINT32, BASE_DEC);
|
"Falco Plugin ID", proto_falco_bridge, FT_UINT32, BASE_DEC);
/*
|
/*
|
||||||
* Create the mapping infrastructure for conversation filtering
|
* Create the mapping infrastructure for conversation filtering
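Review bot: The registration function is named `proto_register_falcoplugin` while every other identifier in this file moved to the `falco_bridge` form (`proto_falco_bridge`, `dissect_falco_bridge`, `ett_falco_bridge`), so the name a reader greps for in the generated plugin.c does not match the protocol it registers; `proto_register_falco_bridge` would keep the naming consistent. Also, `"Falco Bridge"` is passed as both the long and the short name in proto_register_protocol; the short name is conventionally a compact token such as `"FALCOBRIDGE"`, matching the `"falcobridge"` filter abbreviation. Neither affects behaviour, but both become harder to change once the plugin ships.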
@ -273,10 +273,8 @@ proto_register_sdplugin(void)
|
||||||
*/
|
*/
|
||||||
WS_DIR *dir;
|
WS_DIR *dir;
|
||||||
WS_DIRENT *file;
|
WS_DIRENT *file;
|
||||||
gchar *filename;
|
char *filename;
|
||||||
char dname[2048];
|
char *dname = g_build_filename(get_plugins_dir_with_version(), "falco", NULL);
|
||||||
const char *wspgdname = get_plugins_dir();
snprintf(dname, sizeof(dname), "%s/../sysdig", wspgdname);
/*
|
/*
|
||||||
* We scan the plugins directory twice. The first time we count how many
|
* We scan the plugins directory twice. The first time we count how many
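Review bot: Only the global versioned plugin directory is scanned (`g_build_filename(get_plugins_dir_with_version(), "falco", NULL)`), but the new README sends users to both the global and the per-user plugin folder locations, so a "falco" directory under the per-user folder will be silently ignored. Either also scan the per-user counterpart (wsutil has a per-user equivalent of get_plugins_dir_with_version; check the exact name) or state in the README that only the global folder is consulted. Since everything found here is a shared object loaded into the Wireshark process, a comment stating that intent is worthwhile: `/* Falco plugins are loaded as shared objects from <global plugin dir>/falco; the per-user plugin folder is not scanned. */`. dname is freed at the end of the function in a later hunk, so any early return in the scan loop between the two hunks, which I cannot see, would leak it.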
@ -302,17 +300,17 @@ proto_register_sdplugin(void)
|
||||||
}
|
}
|
||||||
ws_dir_close(dir);
|
ws_dir_close(dir);
|
||||||
}
|
}
g_free(dname);
/*
|
/*
|
||||||
* Setup protocol subtree array
|
* Setup protocol subtree array
|
||||||
*/
|
*/
|
||||||
static gint *ett[] = {
|
static gint *ett[] = {
|
||||||
&ett_sdplugin,
|
&ett_falco_bridge,
|
||||||
&ett_bridge,
|
&ett_sinsp_span,
|
||||||
};
|
};
proto_register_field_array(proto_sdplugin, hf, array_length(hf));
|
proto_register_field_array(proto_falco_bridge, hf, array_length(hf));
|
||||||
proto_register_subtree_array(ett, array_length(ett));
|
proto_register_subtree_array(ett, array_length(ett));
register_shutdown_routine(on_wireshark_exit);
|
register_shutdown_routine(on_wireshark_exit);
@ -333,20 +331,20 @@ get_bridge_info(guint32 source_id)
|
||||||
}
|
}
static int
|
static int
|
||||||
dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
|
dissect_falco_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
|
||||||
{
|
{
|
||||||
conv_vals_cnt = 0;
|
conv_vals_cnt = 0;
col_set_str(pinfo->cinfo, COL_PROTOCOL, "Sysdig Plugin");
|
col_set_str(pinfo->cinfo, COL_PROTOCOL, "Falco Bridge");
|
||||||
/* Clear out stuff in the info column */
|
/* Clear out stuff in the info column */
|
||||||
col_clear(pinfo->cinfo,COL_INFO);
|
col_clear(pinfo->cinfo,COL_INFO);
// https://github.com/falcosecurity/libs/blob/9c942f27/userspace/libscap/scap.c#L1900
|
// https://github.com/falcosecurity/libs/blob/9c942f27/userspace/libscap/scap.c#L1900
|
||||||
proto_item *ti = proto_tree_add_item(tree, proto_sdplugin, tvb, 0, 12, ENC_NA);
|
proto_item *ti = proto_tree_add_item(tree, proto_falco_bridge, tvb, 0, 12, ENC_NA);
|
||||||
proto_tree *sdplugin_tree = proto_item_add_subtree(ti, ett_sdplugin);
|
proto_tree *fb_tree = proto_item_add_subtree(ti, ett_falco_bridge);
|
||||||
proto_tree_add_item(sdplugin_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN);
|
proto_tree_add_item(fb_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN);
|
||||||
proto_tree_add_item(sdplugin_tree, hf_sdp_lengths, tvb, 4, 4, ENC_LITTLE_ENDIAN);
|
proto_tree_add_item(fb_tree, hf_sdp_lengths, tvb, 4, 4, ENC_LITTLE_ENDIAN);
|
||||||
proto_item *idti = proto_tree_add_item(sdplugin_tree, hf_sdp_source_id, tvb, 8, 4, ENC_LITTLE_ENDIAN);
|
proto_item *idti = proto_tree_add_item(fb_tree, hf_sdp_source_id, tvb, 8, 4, ENC_LITTLE_ENDIAN);
guint32 source_id = tvb_get_guint32(tvb, 8, ENC_LITTLE_ENDIAN);
|
guint32 source_id = tvb_get_guint32(tvb, 8, ENC_LITTLE_ENDIAN);
|
||||||
bridge_info* bi = get_bridge_info(source_id);
|
bridge_info* bi = get_bridge_info(source_id);
@ -364,7 +362,7 @@ dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
dissector_handle_t dissector = dissector_get_uint_handle(ptype_dissector_table, source_id);
|
dissector_handle_t dissector = dissector_get_uint_handle(ptype_dissector_table, source_id);
|
||||||
if (dissector) {
|
if (dissector) {
|
||||||
p_add_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_BRIDGE_HANDLE, bi);
|
p_add_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_BRIDGE_HANDLE, bi);
|
||||||
tvbuff_t* next_tvb = tvb_new_subset_length(tvb, 12, tvb_captured_length(tvb) - 12);
|
tvbuff_t* next_tvb = tvb_new_subset_length(tvb, 12, tvb_captured_length(tvb) - 12);
|
||||||
call_dissector_with_data(dissector, next_tvb, pinfo, tree, data);
|
call_dissector_with_data(dissector, next_tvb, pinfo, tree, data);
|
||||||
}
|
}
@ -373,9 +371,9 @@ dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
|
||||||
}
|
}
static int
|
static int
|
||||||
dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data _U_)
|
dissect_sinsp_span(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data _U_)
|
||||||
{
|
{
|
||||||
bridge_info* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_BRIDGE_HANDLE);
|
bridge_info* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_BRIDGE_HANDLE);
|
||||||
guint plen = tvb_captured_length(tvb);
|
guint plen = tvb_captured_length(tvb);
|
||||||
const char *source_name = get_sinsp_source_name(bi->ssi);
|
const char *source_name = get_sinsp_source_name(bi->ssi);
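Review bot: `dissect_sinsp_span` dereferences `bi->ssi` immediately after `p_get_proto_data(...)` without checking for NULL. The proto data is only attached in dissect_falco_bridge, but this function is also registered as a dissector handle via `create_dissector_handle(dissect_sinsp_span, bi->proto)`, so any other route to it (Decode As, a direct call) crashes on a NULL pointer. A guard at the top makes it safe: `if (bi == NULL) return 0;`. The function body continues outside this hunk.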
@ -384,7 +382,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
|
||||||
col_clear(pinfo->cinfo, COL_INFO);
|
col_clear(pinfo->cinfo, COL_INFO);
proto_item* ti = proto_tree_add_item(tree, bi->proto, tvb, 0, plen, ENC_NA);
|
proto_item* ti = proto_tree_add_item(tree, bi->proto, tvb, 0, plen, ENC_NA);
|
||||||
proto_tree* sdplugin_tree = proto_item_add_subtree(ti, ett_bridge);
|
proto_tree* fb_tree = proto_item_add_subtree(ti, ett_sinsp_span);
guint8* payload = (guint8*)tvb_get_ptr(tvb, 0, plen);
|
guint8* payload = (guint8*)tvb_get_ptr(tvb, 0, plen);
@ -398,14 +396,14 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
bool rc = extract_sisnp_source_field(bi->ssi, pinfo->num, payload, plen, pinfo->pool, &sfe);
|
bool rc = extract_sisnp_source_field(bi->ssi, pinfo->num, payload, plen, pinfo->pool, &sfe);
|
||||||
if (!rc) {
|
if (!rc) {
|
||||||
REPORT_DISSECTOR_BUG("sysdig plugin %s extract error", get_sinsp_source_name(bi->ssi));
|
REPORT_DISSECTOR_BUG("Falco plugin %s extract error", get_sinsp_source_name(bi->ssi));
|
||||||
}
|
}
|
||||||
if (!sfe.is_present) {
|
if (!sfe.is_present) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
if (sfe.type == SFT_STRINGZ && hfinfo->type == FT_STRINGZ) {
|
if (sfe.type == SFT_STRINGZ && hfinfo->type == FT_STRINGZ) {
|
||||||
proto_item *pi = proto_tree_add_string(sdplugin_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_str);
|
proto_item *pi = proto_tree_add_string(fb_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_str);
|
||||||
if (bi->field_flags[fld_idx] & BFF_INFO) {
|
if (bi->field_flags[fld_idx] & BFF_INFO) {
|
||||||
col_append_sep_fstr(pinfo->cinfo, COL_INFO, ", ", "%s", sfe.res_str);
|
col_append_sep_fstr(pinfo->cinfo, COL_INFO, ", ", "%s", sfe.res_str);
|
||||||
// Mark it hidden, otherwise we end up with a bunch of empty "Info" tree items.
|
// Mark it hidden, otherwise we end up with a bunch of empty "Info" tree items.
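Review bot: A failed `extract_sisnp_source_field` is reported with `REPORT_DISSECTOR_BUG("Falco plugin %s extract error", ...)`, which throws a DissectorError and flags the frame as a Wireshark bug, yet the failure here is data-driven: a malformed or adversarial record handed to a third-party plugin can produce it, so it belongs in expert info rather than on the dissector-bug path. Registering an expert field for the plugin (registration is outside this hunk), reporting the failure with proto_tree_add_expert_format on fb_tree and then returning lets the rest of the capture still be inspected instead of treating every bad record as a crash-class event. The field loop that contains this check starts before the hunk.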
@ -417,7 +415,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
|
||||||
sprintf(cvalptr, "%s", sfe.res_str);
|
sprintf(cvalptr, "%s", sfe.res_str);
|
||||||
p_add_proto_data(pinfo->pool,
|
p_add_proto_data(pinfo->pool,
|
||||||
pinfo,
|
pinfo,
|
||||||
proto_sdplugin,
|
proto_falco_bridge,
|
||||||
PROTO_DATA_CONVINFO_USER_BASE + conv_vals_cnt, cvalptr);
|
PROTO_DATA_CONVINFO_USER_BASE + conv_vals_cnt, cvalptr);
|
||||||
}
|
}
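Review bot: `sprintf(cvalptr, "%s", sfe.res_str);` copies a string produced by the Falco plugin from capture data with no length bound; if cvalptr is a fixed-size buffer (the conv_fld_info struct in the header has `char field_val[4096]`, and cvalptr's allocation is outside this hunk), an over-long field value overflows it. Use a bounded copy sized to the destination, for example `g_strlcpy(cvalptr, sfe.res_str, cvalptr_size);`, or take the copy from the packet pool with `wmem_strdup(pinfo->pool, sfe.res_str)` so no fixed bound is needed. If cvalptr is already a pool allocation of strlen(res_str)+1, a comment saying so would let the next reader skip this check.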
@ -426,7 +424,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (sfe.type == SFT_UINT64 && hfinfo->type == FT_UINT64) {
|
else if (sfe.type == SFT_UINT64 && hfinfo->type == FT_UINT64) {
|
||||||
proto_tree_add_uint64(sdplugin_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_u64);
|
proto_tree_add_uint64(fb_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_u64);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
REPORT_DISSECTOR_BUG("field %s has an unrecognized or mismatched type %u != %u",
|
REPORT_DISSECTOR_BUG("field %s has an unrecognized or mismatched type %u != %u",
|
|
@ -1,4 +1,4 @@
|
||||||
/* packet-sysdig-bridge.h
|
/* packet-falco-bridge.h
|
||||||
*
|
*
|
||||||
* By Loris Degioanni
|
* By Loris Degioanni
|
||||||
* Copyright (C) 2021 Sysdig, Inc.
|
* Copyright (C) 2021 Sysdig, Inc.
@ -10,8 +10,8 @@
|
||||||
* SPDX-License-Identifier: GPL-2.0-or-later
|
* SPDX-License-Identifier: GPL-2.0-or-later
|
||||||
*/
|
*/
#ifndef __PACKET_SYSDIG_BRIDGE_H__
|
#ifndef __PACKET_FALCO_BRIDGE_H__
|
||||||
#define __PACKET_SYSDIG_BRIDGE_H__
|
#define __PACKET_FALCO_BRIDGE_H__
/*
|
/*
|
||||||
* API versions of this plugin engine
|
* API versions of this plugin engine
@ -228,4 +228,4 @@ typedef struct conv_fld_info {
|
||||||
char field_val[4096];
|
char field_val[4096];
|
||||||
} conv_fld_info;
|
} conv_fld_info;
#endif // __PACKET_SYSDIG_BRIDGE_H__
|
#endif // __PACKET_FALCO_BRIDGE_H__
|
|
@ -1,4 +1,4 @@
|
||||||
/* sinsp-connector.c
|
/* sinsp-span.cpp
|
||||||
*
|
*
|
||||||
* By Gerald Combs
|
* By Gerald Combs
|
||||||
* Copyright (C) 2022 Sysdig, Inc.
|
* Copyright (C) 2022 Sysdig, Inc.
|
|
@ -1,4 +1,4 @@
|
||||||
/* sinsp-connector.c
|
/* sinsp-span.h
|
||||||
*
|
*
|
||||||
* By Gerald Combs
|
* By Gerald Combs
|
||||||
* Copyright (C) 2022 Sysdig, Inc.
|
* Copyright (C) 2022 Sysdig, Inc.
@ -46,14 +46,6 @@ typedef struct sinsp_field_info_t {
|
||||||
bool is_info;
|
bool is_info;
|
||||||
} sinsp_field_info_t;
|
} sinsp_field_info_t;
//typedef struct
//{
// uint64_t evtnum;
// const uint8_t *data;
// uint32_t datalen;
// uint64_t ts;
//} ss_plugin_event;
typedef struct sinsp_field_extract_t {
|
typedef struct sinsp_field_extract_t {
|
||||||
uint32_t field_id; // in
|
uint32_t field_id; // in
|
||||||
const char *field_name; // in
|
const char *field_name; // in
|
|
@ -1,2 +0,0 @@
|
||||||
This plugin is a bridge between sysdig plugins and Wireshark, so that sysdig
plugins can be used as dissectors.
|
|