Rename Sysdig Bridge to Falco Bridge.

The Sysdig Bridge plugin loads Falco plugins, so rename it to Falco
Bridge.

Make it optional and dependent on libsinsp+libscap, similar to our codec
plugins.

Remove some unused code.

CMakeLists.txt

@@ -1299,6 +1299,10 @@ ws_find_package(ILBC ENABLE_ILBC HAVE_ILBC)
 
 ws_find_package(OPUS ENABLE_OPUS HAVE_OPUS)
 
+# libsinsp+libscap, required for falco-bridge
+ws_find_package(Sinsp ENABLE_SINSP HAVE_SINSP)
+
+
 # CMake 3.9 and below used 'LIBXML2_LIBRARIES' as the name of the cache entry
 # storing the find_library result. Transfer it to the new cache variable such
 # that reset_find_package can detect and clear outdated cache variables.
@@ -1593,7 +1597,6 @@ if(ENABLE_PLUGINS)
 		plugins/epan/opcua
 		plugins/epan/profinet
 		plugins/epan/stats_tree
-		plugins/epan/sysdig_bridge
 		plugins/epan/transum
 		plugins/epan/unistim
 		plugins/epan/wimax
@@ -1604,6 +1607,11 @@ if(ENABLE_PLUGINS)
 		plugins/codecs/l16_mono
 		${CUSTOM_PLUGIN_SRC_DIR}
 	)
+	if(SINSP_FOUND)
+		list(APPEND PLUGIN_SRC_DIRS
+			plugins/epan/falco_bridge
+		)
+	endif()
 	if(SPANDSP_FOUND)
 		list(APPEND PLUGIN_SRC_DIRS
 			plugins/codecs/G722
@@ -1816,6 +1824,11 @@ set_package_properties(PCRE2 PROPERTIES
 	DESCRIPTION "Regular expression pattern matching using the same syntax and semantics as Perl 5"
 	PURPOSE "Support for regular expressions"
 )
+set_package_properties(Sinsp PROPERTIES
+	DESCRIPTION "libsinsp and libscap"
+	URL "https://github.com/falcosecurity/libs/"
+	PURPOSE "Support for Falco plugins"
+)
 
 string(TOUPPER "${CMAKE_BUILD_TYPE}" _build_type)
 message(STATUS "C-Flags: ${CMAKE_C_FLAGS} ${CMAKE_C_FLAGS_${_build_type}}")

CMakeOptions.txt

@@ -117,6 +117,7 @@ option(ENABLE_BCG729     "Build with G.729 codec support in RTP Player" ON)
 option(ENABLE_ILBC       "Build with iLBC codec support in RTP Player" ON)
 option(ENABLE_LIBXML2    "Build with libxml2 support" ON)
 option(ENABLE_OPUS       "Build with opus support" ON)
+option(ENABLE_SINSP      "Build with libsinsp+libscap support" ON)
 
 # How to install
 set(DUMPCAP_INSTALL_OPTION   "normal" CACHE STRING "Permissions to install")

epan/conversation_filter.c

@@ -20,7 +20,7 @@
 GList *conv_filter_list = NULL;
 
 
-void do_register_conversation_filter(const char *proto_name, const char *display_name,
+static void do_register_conversation_filter(const char *proto_name, const char *display_name,
                                         is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) {
     conversation_filter_t *entry;
 
@@ -42,7 +42,7 @@ void register_conversation_filter(const char *proto_name, const char *display_na
                                         build_filter_string);
 }
 
-void register_conversation_filter_logshark(const char *proto_name, const char *display_name,
+void register_log_conversation_filter(const char *proto_name, const char *display_name,
                                   is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string) {
     do_register_conversation_filter(proto_name,
                                         display_name,

epan/conversation_filter.h

@@ -28,12 +28,12 @@ typedef gboolean (*is_filter_valid_func)(struct _packet_info *pinfo);
     Filter needs to be freed after use */
 typedef gchar* (*build_filter_string_func)(struct _packet_info *pinfo);
 
-/** register a dissector filter */
+/** register a dissector filter for packets */
 WS_DLL_PUBLIC void register_conversation_filter(const char *proto_name, const char *display_name,
                                                       is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string);
 
-/** register a dissector filter, tailshark version */
+/** register a dissector filter for logs */
-WS_DLL_PUBLIC void register_conversation_filter_logshark(const char *proto_name, const char *display_name,
+WS_DLL_PUBLIC void register_log_conversation_filter(const char *proto_name, const char *display_name,
                                                       is_filter_valid_func is_filter_valid, build_filter_string_func build_filter_string);
 
 WS_DLL_PUBLIC struct conversation_filter_s* find_conversation_filter(const char *proto_name);

epan/dissectors/packet-sysdig-event.c

@@ -2290,9 +2290,8 @@ dissect_event_params(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int off
 
 
 static int
-dissect_plugin_event(tvbuff_t *tvb _U_, packet_info *pinfo, proto_tree *tree _U_, void *data _U_)
+dissect_plugin_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
 {
-    //json_dissector_handle = find_dissector("json");
     if (!plugin_dissector_handle) {
         return 0;
     }
@@ -2302,7 +2301,7 @@ dissect_plugin_event(tvbuff_t *tvb _U_, packet_info *pinfo, proto_tree *tree _U_
 
 static int
 dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
-        void *data _U_)
+        void *data)
 {
     proto_item *ti;
     proto_tree *se_tree, *syscall_tree;
@@ -2651,7 +2650,7 @@ proto_reg_handoff_sysdig_event(void)
     dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2, sysdig_event_handle);
     dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, sysdig_event_handle);
 
-    plugin_dissector_handle = find_dissector("sdplugin");
+    plugin_dissector_handle = find_dissector("falcobridge");
 }
 
 /*

plugins/epan/falco_bridge/CMakeLists.txt

@@ -10,10 +10,10 @@
 include(WiresharkPlugin)
 
 # Plugin name and version info (major minor micro extra)
-set_module_info(sysdig-plugins 0 0 4 0)
+set_module_info(falco-bridge 0 0 4 0)
 
 set(DISSECTOR_SRC
-	packet-sysdig-bridge.c
+	packet-falco-bridge.c
 	sinsp-span.cpp
 )
 
@@ -33,31 +33,29 @@ register_plugin_files(plugin.c
 	${DISSECTOR_SRC}
 )
 
-add_plugin_library(sysdig-plugins epan)
+add_plugin_library(falco-bridge epan)
-
-find_package(Sinsp REQUIRED)
 
 # XXX Hacks; need to fix in falcosecurity-libs.
-target_compile_definitions(sysdig-plugins PRIVATE
+target_compile_definitions(falco-bridge PRIVATE
 	HAVE_STRLCPY=1
 	)
-# target_compile_options(sysdig-plugins PRIVATE -Wno-address-of-packed-member)
+# target_compile_options(falco-bridge PRIVATE -Wno-address-of-packed-member)
 
-target_include_directories(sysdig-plugins SYSTEM PRIVATE
+target_include_directories(falco-bridge SYSTEM PRIVATE
 	${SINSP_INCLUDE_DIRS}
 )
 
-target_link_libraries(sysdig-plugins
+target_link_libraries(falco-bridge
 	epan
 	${SINSP_LIBRARIES}
 )
 
-install_plugin(sysdig-plugins epan)
+install_plugin(falco-bridge epan)
 
 file(GLOB DISSECTOR_HEADERS RELATIVE "${CMAKE_CURRENT_SOURCE_DIR}" "*.h")
 CHECKAPI(
 	NAME
-	  sysdig-plugins
+	  falco-bridge
 	SWITCHES
 	  --group dissectors-prohibited
 	  --group dissectors-restricted

plugins/epan/falco_bridge/README.md

@@ -0,0 +1,17 @@
+# Falco Bridge
+
+This plugin is a bridge between [Falco plugins](https://github.com/falcosecurity/plugins/) and Wireshark, so that Falco plugins can be used as dissectors.
+It requires [libsinsp and libscap](https://github.com/falcosecurity/libs/).
+
+## Building the Falco Bridge plugin
+
+1. Download and compile [libsinsp and libscap](https://github.com/falcosecurity/libs/).
+
+1. Configure Wireshark with `cmake ... -DSINSP_INCLUDE_DIR=/path/to/falcosecurity-libs -DSINSP_LIBDIR=/path/to/falcosecurity-libs/build ...`
+
+## Quick Start
+
+1. Create a directory named "falco" at the same level as the "epan" plugin folder.
+You can find the global and per-user plugin folder locations on your system in About → Folders or in the [User's Guide](https://www.wireshark.org/docs/wsug_html_chunked/ChPluginFolders.html).
+
+1. Build your desired [Falco plugin](https://github.com/falcosecurity/plugins/) and place it in the "falco" plugin directory.

plugins/epan/falco_bridge/conversation-macros.h

@@ -20,7 +20,7 @@ build_filter_string_func bfs_func[MAX_N_CONV_FILTERS];
     if (is_right_proto == FALSE) { \
         return FALSE; \
     } \
-    char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_CONVINFO_USER_##N); \
+    char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_CONVINFO_USER_##N); \
     if (bi == NULL) { \
         return FALSE; \
     } \
@@ -28,10 +28,10 @@ build_filter_string_func bfs_func[MAX_N_CONV_FILTERS];
 } \
 static gchar* \
 conv_filter_build_##N(packet_info *pinfo) { \
-    char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_CONVINFO_USER_##N); \
+    char* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_CONVINFO_USER_##N); \
     const char* fname = conv_fld_infos[N].field_info->hfinfo.abbrev; \
     return g_strdup_printf("%s eq \"%s\"", fname, bi); \
-} 
+}
 
 #define MAP_CONV_FLT_FUNCS(N) fv_func[N] = conv_filter_valid_##N; \
 bfs_func[N] = conv_filter_build_##N;
@@ -51,7 +51,7 @@ DECLARE_CONV_FLT_FUNCS(11) \
 DECLARE_CONV_FLT_FUNCS(12) \
 DECLARE_CONV_FLT_FUNCS(13) \
 DECLARE_CONV_FLT_FUNCS(14) \
-DECLARE_CONV_FLT_FUNCS(15) 
+DECLARE_CONV_FLT_FUNCS(15)
 
 #define MAP_CONV_FLTS() MAP_CONV_FLT_FUNCS(0) \
 MAP_CONV_FLT_FUNCS(1) \
@@ -68,4 +68,4 @@ MAP_CONV_FLT_FUNCS(11) \
 MAP_CONV_FLT_FUNCS(12) \
 MAP_CONV_FLT_FUNCS(13) \
 MAP_CONV_FLT_FUNCS(14) \
-MAP_CONV_FLT_FUNCS(15) 
+MAP_CONV_FLT_FUNCS(15)

plugins/epan/falco_bridge/packet-falco-bridge.c

@@ -1,4 +1,4 @@
-/* packet-sysdig-bridge.c
+/* packet-falco-bridge.c
  *
  * By Loris Degioanni
  * Copyright (C) 2021 Sysdig, Inc.
@@ -38,16 +38,16 @@
 #include <epan/conversation_filter.h>
 
 #include "sinsp-span.h"
-#include "packet-sysdig-bridge.h"
+#include "packet-falco-bridge.h"
 #include "conversation-macros.h"
 
-static int proto_sdplugin = -1;
+static int proto_falco_bridge = -1;
-static gint ett_sdplugin = -1;
+static gint ett_falco_bridge = -1;
-static gint ett_bridge = -1;
+static gint ett_sinsp_span = -1;
 static dissector_table_t ptype_dissector_table;
 
-static int dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
+static int dissect_falco_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
-static int dissect_plg_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
+static int dissect_sinsp_span(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_);
 
 void register_conversation_filters_mappings(void);
 
@@ -72,19 +72,19 @@ static int hf_sdp_source_id = -1;
 
 static hf_register_info hf[] = {
     { &hf_sdp_source_id_size,
-        { "Plugin ID size", "sysdig_plugin.id.size",
+        { "Plugin ID size", "falco_plugin.id.size",
         FT_UINT32, BASE_DEC,
         NULL, 0x0,
         NULL, HFILL }
     },
     { &hf_sdp_lengths,
-        { "Field Lengths", "sysdig_plugin.lens",
+        { "Field Lengths", "falco_plugin.lens",
         FT_UINT32, BASE_DEC,
         NULL, 0x0,
         NULL, HFILL }
     },
     { &hf_sdp_source_id,
-        { "Plugin ID", "sysdig_plugin.id",
+        { "Plugin ID", "falco_plugin.id",
         FT_UINT32, BASE_DEC,
         NULL, 0x0,
         NULL, HFILL }
@@ -202,12 +202,12 @@ configure_plugin(bridge_info* bi, char* config _U_)
                 conv_fld_infos[conv_fld_cnt].field_info = ri;
                 const char *source_name = get_sinsp_source_name(bi->ssi);
                 conv_fld_infos[conv_fld_cnt].proto_name = source_name;
-                register_conversation_filter_logshark(source_name, finfo.hfinfo.name, fv_func[conv_fld_cnt], bfs_func[conv_fld_cnt]);
+                register_log_conversation_filter(source_name, finfo.hfinfo.name, fv_func[conv_fld_cnt], bfs_func[conv_fld_cnt]);
                 conv_fld_cnt++;
             }
             fld_cnt++;
         }
-        proto_register_field_array(proto_sdplugin, bi->hf, fld_cnt);
+        proto_register_field_array(proto_falco_bridge, bi->hf, fld_cnt);
     }
 }
 
@@ -235,8 +235,8 @@ import_plugin(char* fname)
         );
 
     static dissector_handle_t ct_handle;
-    ct_handle = create_dissector_handle(dissect_plg_bridge, bi->proto);
+    ct_handle = create_dissector_handle(dissect_sinsp_span, bi->proto);
-    dissector_add_uint("sysdig_plugin.id", bi->source_id, ct_handle);
+    dissector_add_uint("falco_plugin.id", bi->source_id, ct_handle);
 }
 
 static void
@@ -247,21 +247,21 @@ on_wireshark_exit(void)
 }
 
 void
-proto_register_sdplugin(void)
+proto_register_falcoplugin(void)
 {
-    proto_sdplugin = proto_register_protocol (
+    proto_falco_bridge = proto_register_protocol (
-        "Sysdig Plugin", /* name       */
+        "Falco Bridge", /* name       */
-        "SDPLUGIN",      /* short name */
+        "Falco Bridge", /* short name */
-        "sdplugin"       /* abbrev     */
+        "falcobridge"   /* abbrev     */
         );
-    register_dissector("sdplugin", dissect_sdplugin, proto_sdplugin);
+    register_dissector("falcobridge", dissect_falco_bridge, proto_falco_bridge);
 
     /*
      * Create the dissector table that we will use to route the dissection to
-     * the appropriate sysdig plugin.
+     * the appropriate Falco plugin.
      */
-    ptype_dissector_table = register_dissector_table("sysdig_plugin.id",
+    ptype_dissector_table = register_dissector_table("falco_plugin.id",
-        "Plugin ID", proto_sdplugin, FT_UINT32, BASE_DEC);
+        "Falco Plugin ID", proto_falco_bridge, FT_UINT32, BASE_DEC);
 
     /*
      * Create the mapping infrastructure for conversation filtering
@@ -273,10 +273,8 @@ proto_register_sdplugin(void)
      */
     WS_DIR *dir;
     WS_DIRENT *file;
-    gchar *filename;
+    char *filename;
-    char dname[2048];
+    char *dname = g_build_filename(get_plugins_dir_with_version(), "falco", NULL);
-    const char *wspgdname = get_plugins_dir();
-    snprintf(dname, sizeof(dname), "%s/../sysdig", wspgdname);
 
     /*
      * We scan the plugins directory twice. The first time we count how many
@@ -302,17 +300,17 @@ proto_register_sdplugin(void)
         }
         ws_dir_close(dir);
     }
-
+    g_free(dname);
 
     /*
      * Setup protocol subtree array
      */
     static gint *ett[] = {
-        &ett_sdplugin,
+        &ett_falco_bridge,
-        &ett_bridge,
+        &ett_sinsp_span,
     };
 
-    proto_register_field_array(proto_sdplugin, hf, array_length(hf));
+    proto_register_field_array(proto_falco_bridge, hf, array_length(hf));
     proto_register_subtree_array(ett, array_length(ett));
 
     register_shutdown_routine(on_wireshark_exit);
@@ -333,20 +331,20 @@ get_bridge_info(guint32 source_id)
 }
 
 static int
-dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
+dissect_falco_bridge(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
 {
     conv_vals_cnt = 0;
 
-    col_set_str(pinfo->cinfo, COL_PROTOCOL, "Sysdig Plugin");
+    col_set_str(pinfo->cinfo, COL_PROTOCOL, "Falco Bridge");
     /* Clear out stuff in the info column */
     col_clear(pinfo->cinfo,COL_INFO);
 
     // https://github.com/falcosecurity/libs/blob/9c942f27/userspace/libscap/scap.c#L1900
-    proto_item *ti = proto_tree_add_item(tree, proto_sdplugin, tvb, 0, 12, ENC_NA);
+    proto_item *ti = proto_tree_add_item(tree, proto_falco_bridge, tvb, 0, 12, ENC_NA);
-    proto_tree *sdplugin_tree = proto_item_add_subtree(ti, ett_sdplugin);
+    proto_tree *fb_tree = proto_item_add_subtree(ti, ett_falco_bridge);
-    proto_tree_add_item(sdplugin_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN);
+    proto_tree_add_item(fb_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN);
-    proto_tree_add_item(sdplugin_tree, hf_sdp_lengths, tvb, 4, 4, ENC_LITTLE_ENDIAN);
+    proto_tree_add_item(fb_tree, hf_sdp_lengths, tvb, 4, 4, ENC_LITTLE_ENDIAN);
-    proto_item *idti = proto_tree_add_item(sdplugin_tree, hf_sdp_source_id, tvb, 8, 4, ENC_LITTLE_ENDIAN);
+    proto_item *idti = proto_tree_add_item(fb_tree, hf_sdp_source_id, tvb, 8, 4, ENC_LITTLE_ENDIAN);
 
     guint32 source_id = tvb_get_guint32(tvb, 8, ENC_LITTLE_ENDIAN);
     bridge_info* bi = get_bridge_info(source_id);
@@ -364,7 +362,7 @@ dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
 
     dissector_handle_t dissector = dissector_get_uint_handle(ptype_dissector_table, source_id);
     if (dissector) {
-        p_add_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_BRIDGE_HANDLE, bi);
+        p_add_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_BRIDGE_HANDLE, bi);
         tvbuff_t* next_tvb = tvb_new_subset_length(tvb, 12, tvb_captured_length(tvb) - 12);
         call_dissector_with_data(dissector, next_tvb, pinfo, tree, data);
     }
@@ -373,9 +371,9 @@ dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data
 }
 
 static int
-dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data _U_)
+dissect_sinsp_span(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data _U_)
 {
-    bridge_info* bi = p_get_proto_data(pinfo->pool, pinfo, proto_sdplugin, PROTO_DATA_BRIDGE_HANDLE);
+    bridge_info* bi = p_get_proto_data(pinfo->pool, pinfo, proto_falco_bridge, PROTO_DATA_BRIDGE_HANDLE);
     guint plen = tvb_captured_length(tvb);
     const char *source_name = get_sinsp_source_name(bi->ssi);
 
@@ -384,7 +382,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
     col_clear(pinfo->cinfo, COL_INFO);
 
     proto_item* ti = proto_tree_add_item(tree, bi->proto, tvb, 0, plen, ENC_NA);
-    proto_tree* sdplugin_tree = proto_item_add_subtree(ti, ett_bridge);
+    proto_tree* fb_tree = proto_item_add_subtree(ti, ett_sinsp_span);
 
     guint8* payload = (guint8*)tvb_get_ptr(tvb, 0, plen);
 
@@ -398,14 +396,14 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
 
         bool rc = extract_sisnp_source_field(bi->ssi, pinfo->num, payload, plen, pinfo->pool, &sfe);
         if (!rc) {
-            REPORT_DISSECTOR_BUG("sysdig plugin %s extract error", get_sinsp_source_name(bi->ssi));
+            REPORT_DISSECTOR_BUG("Falco plugin %s extract error", get_sinsp_source_name(bi->ssi));
         }
         if (!sfe.is_present) {
             continue;
         }
 
         if (sfe.type == SFT_STRINGZ && hfinfo->type == FT_STRINGZ) {
-            proto_item *pi = proto_tree_add_string(sdplugin_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_str);
+            proto_item *pi = proto_tree_add_string(fb_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_str);
             if (bi->field_flags[fld_idx] & BFF_INFO) {
                 col_append_sep_fstr(pinfo->cinfo, COL_INFO, ", ", "%s", sfe.res_str);
                 // Mark it hidden, otherwise we end up with a bunch of empty "Info" tree items.
@@ -417,7 +415,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
                 sprintf(cvalptr, "%s", sfe.res_str);
                 p_add_proto_data(pinfo->pool,
                                  pinfo,
-                                 proto_sdplugin,
+                                 proto_falco_bridge,
                                  PROTO_DATA_CONVINFO_USER_BASE + conv_vals_cnt, cvalptr);
             }
 
@@ -426,7 +424,7 @@ dissect_plg_bridge(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* da
             }
         }
         else if (sfe.type == SFT_UINT64 && hfinfo->type == FT_UINT64) {
-            proto_tree_add_uint64(sdplugin_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_u64);
+            proto_tree_add_uint64(fb_tree, bi->hf_ids[fld_idx], tvb, 0, plen, sfe.res_u64);
         }
         else {
             REPORT_DISSECTOR_BUG("field %s has an unrecognized or mismatched type %u != %u",

plugins/epan/falco_bridge/packet-falco-bridge.h

@@ -1,4 +1,4 @@
-/* packet-sysdig-bridge.h
+/* packet-falco-bridge.h
  *
  * By Loris Degioanni
  * Copyright (C) 2021 Sysdig, Inc.
@@ -10,8 +10,8 @@
 * SPDX-License-Identifier: GPL-2.0-or-later
 */
 
-#ifndef __PACKET_SYSDIG_BRIDGE_H__
+#ifndef __PACKET_FALCO_BRIDGE_H__
-#define __PACKET_SYSDIG_BRIDGE_H__
+#define __PACKET_FALCO_BRIDGE_H__
 
 /*
  * API versions of this plugin engine
@@ -228,4 +228,4 @@ typedef struct conv_fld_info {
     char field_val[4096];
 } conv_fld_info;
 
-#endif // __PACKET_SYSDIG_BRIDGE_H__
+#endif // __PACKET_FALCO_BRIDGE_H__

plugins/epan/falco_bridge/sinsp-span.cpp

@@ -1,4 +1,4 @@
-/* sinsp-connector.c
+/* sinsp-span.cpp
  *
  * By Gerald Combs
  * Copyright (C) 2022 Sysdig, Inc.

plugins/epan/falco_bridge/sinsp-span.h

@@ -1,4 +1,4 @@
-/* sinsp-connector.c
+/* sinsp-span.h
  *
  * By Gerald Combs
  * Copyright (C) 2022 Sysdig, Inc.
@@ -46,14 +46,6 @@ typedef struct sinsp_field_info_t {
     bool is_info;
 } sinsp_field_info_t;
 
-//typedef struct
-//{
-//    uint64_t evtnum;
-//    const uint8_t *data;
-//    uint32_t datalen;
-//    uint64_t ts;
-//} ss_plugin_event;
-
 typedef struct sinsp_field_extract_t {
     uint32_t field_id;          // in
     const char *field_name;     // in

plugins/epan/sysdig_bridge/README

@@ -1,2 +0,0 @@
-This plugin is a bridge between sysdig plugins and Wireshark, so that sysdig 
-plugins can be used as dissectors.