diff --git a/epan/dissectors/packet-erf.c b/epan/dissectors/packet-erf.c index 2ccf699634..3ba3703d4c 100644 --- a/epan/dissectors/packet-erf.c +++ b/epan/dissectors/packet-erf.c @@ -136,6 +136,11 @@ static int hf_erf_source_current = -1; static int hf_erf_source_next = -1; static int hf_erf_source_prev = -1; +/* Entropy extension header */ +static int hf_erf_ehdr_entropy_entropy = -1; +static int hf_erf_ehdr_entropy_entropy_raw = -1; +static int hf_erf_ehdr_entropy_reserved = -1; + /* Unknown extension header */ static int hf_erf_ehdr_unk = -1; @@ -247,6 +252,7 @@ static gint ett_erf_meta_tag = -1; static gint ett_erf_source = -1; static gint ett_erf_anchor = -1; static gint ett_erf_anchor_flags = -1; +static gint ett_erf_entropy_value = -1; static expert_field ei_erf_extension_headers_not_shown = EI_INIT; static expert_field ei_erf_packet_loss = EI_INIT; @@ -434,12 +440,32 @@ static const value_string ehdr_type_vals[] = { { ERF_EXT_HDR_TYPE_BFS , "BFS Filter/Hash"}, { ERF_EXT_HDR_TYPE_CHANNELISED , "Channelised"}, { ERF_EXT_HDR_TYPE_SIGNATURE , "Signature"}, + { ERF_EXT_HDR_TYPE_PKT_ID , "Packet ID"}, { ERF_EXT_HDR_TYPE_FLOW_ID , "Flow ID"}, { ERF_EXT_HDR_TYPE_HOST_ID , "Host ID"}, { ERF_EXT_HDR_TYPE_ANCHOR_ID , "Anchor ID"}, + { ERF_EXT_HDR_TYPE_ENTROPY , "Entropy"}, { 0, NULL } }; +/* Used for Provenance ext_hdrs_added/remvoed, should match the field abbreviation */ +static const value_string ehdr_type_vals_short[] = { + { ERF_EXT_HDR_TYPE_CLASSIFICATION , "class"}, + { ERF_EXT_HDR_TYPE_INTERCEPTID , "int"}, + { ERF_EXT_HDR_TYPE_RAW_LINK , "raw"}, + { ERF_EXT_HDR_TYPE_BFS , "bfs"}, + { ERF_EXT_HDR_TYPE_CHANNELISED , "chan"}, + { ERF_EXT_HDR_TYPE_SIGNATURE , "signature"}, + { ERF_EXT_HDR_TYPE_PKT_ID , "packetid"}, + { ERF_EXT_HDR_TYPE_FLOW_ID , "flowid"}, + { ERF_EXT_HDR_TYPE_HOST_ID , "hostid"}, + { ERF_EXT_HDR_TYPE_ANCHOR_ID , "anchorid"}, + { ERF_EXT_HDR_TYPE_ENTROPY , "entropy"}, + { 0, NULL } +}; + +/* XXX: Must be at least array_length(ehdr_type_vals). */ +#define ERF_HF_VALUES_PER_TAG 32 static const value_string raw_link_types[] = { { 0x00, "raw SONET"}, @@ -576,6 +602,39 @@ static const value_string erf_clk_port_proto[] = { { 0, NULL } }; +static const value_string erf_tap_mode[] = { + { 0x00, "Invalid" }, + { 0x01, "Off" }, + { 0x02, "Active" }, + { 0x03, "Monitor" }, + { 0x04, "Bypass" }, + { 0x05, "Blocking" }, + { 0, NULL } +}; + +static const value_string erf_tap_fail_mode[] = { + { 0x00, "Invalid" }, + { 0x01, "Off" }, + { 0x02, "Open" }, + { 0x03, "Closed" }, + { 0, NULL } +}; + +static const value_string erf_dpi_state[] = { + { 0x00, "Terminated"}, + { 0x01, "Inspecting"}, + { 0x02, "Monitoring"}, + { 0x03, "Classified"}, + { 0, NULL} +}; + +static const value_string erf_flow_state[] = { + { 0x00, "Active"}, + { 0x01, "Terminated"}, + { 0x02, "Expired"}, + { 0, NULL} +}; + /* Used as templates for ERF_META_TAG_tunneling_mode */ static const header_field_info erf_tunneling_modes[] = { { "IP-in-IP", "ip_in_ip", FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL }, @@ -619,8 +678,24 @@ static const header_field_info erf_parent_section[] = { { "Section ID", "section_id", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } }; -/* XXX: Must be at least array_length(erf_tunneling_modes). */ -#define ERF_HF_VALUES_PER_TAG 8 +/* Used as templates for ERF_META_TAG_stream_flags */ +static const header_field_info erf_stream_flags[] = { + { "Relative Snapping", "relative_snap", FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL }, + { "Entropy Snapping", "entropy_snap", FT_BOOLEAN, 32, NULL, 0x2, NULL, HFILL } +}; + +/* Used as templates for ERF_META_TAG_ext_hdrs_added/removed subtrees */ +static const header_field_info erf_ext_hdr_items[] = { + { "Extension Headers 0 to 31", "0_31", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }, + { "Extension Headers 32 to 63", "32_63", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }, + { "Extension Headers 64 to 95", "64_95", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }, + { "Extension Headers 96 to 127", "96_127", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } +}; + +/* Used as templates for ERF_META_TAG_smart_trunc_default */ +static const header_field_info erf_smart_trunc_default_flags[] = { + { "Truncation Candidate", "trunc_candidate", FT_BOOLEAN, 32, &tfs_yes_no, 0x1, NULL, HFILL } +}; typedef struct { guint16 code; @@ -630,9 +705,12 @@ typedef struct { typedef struct { gint ett_value; /* - * XXX: Must be at least array_length(erf_tunneling_modes). Should change to + * XXX: Must be at least array_length(ehdr_type_vals). Should change to * dynamic (possibly using new proto tree API) if many more fields defined. + * Non-trivial as bitmask functions take an array of pointers not values. * Either that or add a value-string-like automatic bitmask flags proto_item. + * + * Note that this struct is only added for tags that need it. */ int hf_values[ERF_HF_VALUES_PER_TAG]; } erf_meta_tag_info_ex_t; @@ -749,6 +827,12 @@ static const erf_meta_hf_template_t erf_meta_tags[] = { { ERF_META_TAG_cpu_numa_nodes, { "CPU NUMA Nodes", "cpu_numa_nodes", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_dag_attribute, { "DAG Attribute", "dag_attribute", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_dag_version, { "DAG Software Version", "dag_version", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_stream_flags, { "Stream Flags", "stream_flags", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_entropy_threshold, { "Entropy Threshold", "entropy_threshold", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_smart_trunc_default, { "Smart Truncation Default", "smart_trunc_default",FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_ext_hdrs_added, { "Extension Headers Added", "ext_hdrs_added", FT_BYTES, BASE_NO_DISPLAY_VALUE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_ext_hdrs_removed, { "Extension Headers Removed", "ext_hdrs_removed", FT_BYTES, BASE_NO_DISPLAY_VALUE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_relative_snaplen, { "Relative Snap Length", "relative_snaplen", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_if_num, { "Interface Number", "if_num", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_if_vc, { "Interface Virtual Circuit", "if_vc", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, @@ -771,6 +855,10 @@ static const erf_meta_hf_template_t erf_meta_tags[] = { { ERF_META_TAG_if_phy_mode, { "Interface Endace PHY Mode", "if_phy_mode", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_if_port_type, { "Interface Port Type", "if_port_type", FT_UINT32, BASE_DEC, VALS(erf_port_type), 0x0, NULL, HFILL } }, { ERF_META_TAG_if_rx_latency, { "Interface Uncorrected RX Latency", "if_rx_latency", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_tap_mode, { "Tap Mode", "tap_mode", FT_UINT32, BASE_DEC, VALS(erf_tap_mode), 0x0, NULL, HFILL } }, + { ERF_META_TAG_tap_fail_mode, { "Tap Failover Mode", "tap_fail_mode", FT_UINT32, BASE_DEC, VALS(erf_tap_fail_mode), 0x0, NULL, HFILL } }, + { ERF_META_TAG_watchdog_expired, { "Watchdog Expired", "watchdog_expired", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_watchdog_interval, { "Watchdog Interval (ms)", "watchdog_interval", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_src_ipv4, { "Source IPv4 address", "src_ipv4", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_dest_ipv4, { "Destination IPv4 address", "dest_ipv4", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } }, @@ -791,10 +879,25 @@ static const erf_meta_hf_template_t erf_meta_tags[] = { { ERF_META_TAG_src_port, { "Source Port", "src_port", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_dest_port, { "Destination Port", "dest_port", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_ip_proto, { "IP Protocol", "ip_proto", FT_UINT32, BASE_DEC|BASE_EXT_STRING, &ipproto_val_ext, 0x0, NULL, HFILL } }, - { ERF_META_TAG_flow_hash, { "Flow Hash", "flow_hash", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_flow_hash, { "Flow Hash", "flow_hash", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_filter_match, { "Filter Match", "filter_match", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_filter_match_name, { "Filter Match Name", "filter_match_name", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_error_flags, { "Error Flags", "error_flags", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_initiator_pkts, { "Initiator Packets", "initiator_pkts", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_responder_pkts, { "Responder Packets", "responder_pkts", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_initiator_bytes, { "Initiator Bytes", "initiator_bytes", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_responder_bytes, { "Responder Bytes", "responder_bytes", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_initiator_min_entropy, { "Initiator Minimum Entropy", "initiator_min_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_responder_min_entropy, { "Responder Minimum Entropy", "responder_min_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_initiator_avg_entropy, { "Initiator Average Entropy", "initiator_avg_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_responder_avg_entropy, { "Responder Average Entropy", "responder_avg_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_initiator_max_entropy, { "Initiator Maximum Entropy", "initiator_max_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_responder_max_entropy, { "Responder Maximum Entropy", "responder_max_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_dpi_application, { "DPI Application", "dpi_application", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_dpi_confidence, { "DPI Confidence", "dpi_confidence", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_dpi_state, { "DPI State", "dpi_state", FT_UINT32, BASE_NONE, VALS(erf_dpi_state), 0x0, NULL, HFILL } }, + { ERF_META_TAG_dpi_protocol_stack, { "DPI Protocol Stack", "dpi_protocol_stack", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } }, + { ERF_META_TAG_flow_state, { "Flow State", "flow_state", FT_UINT32, BASE_NONE, VALS(erf_flow_state), 0x0, NULL, HFILL } }, { ERF_META_TAG_start_time, { "Start Time", "start_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0, NULL, HFILL } }, { ERF_META_TAG_end_time, { "End Time", "end_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0, NULL, HFILL } }, @@ -1009,6 +1112,34 @@ init_tag_value_subfields(wmem_array_t *hfri_table, erf_meta_tag_info_t *tag_info return tag_info; } +static erf_meta_tag_info_t* +init_ext_hdrs_tag_value_subfields(wmem_array_t *hfri_table, erf_meta_tag_info_t *tag_info) +{ + gsize i = 0; + gsize num_known_ext_hdrs = array_length(ehdr_type_vals) -1 /*null terminated*/; + hf_register_info hfri_tmp = { NULL, { NULL, NULL, FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL } }; /* Value, will be filled from template */ + + DISSECTOR_ASSERT(array_length(ehdr_type_vals_short) > num_known_ext_hdrs); + /* XXX: this currently supports only up to 27 known extension headers */ + DISSECTOR_ASSERT(ERF_HF_VALUES_PER_TAG > num_known_ext_hdrs - 4); /* -1 sentinel terminated */ + /* Use the first 4 hf_values for 32-bit subtree */ + init_tag_value_subfields(hfri_table, tag_info, erf_ext_hdr_items, array_length(erf_ext_hdr_items)); + DISSECTOR_ASSERT(tag_info->extra); + + /*Fill in the rest of the remaining 27 entries with any known tag entries values */ + for (i = 0; i < num_known_ext_hdrs; i++) { + /* Add value subfield */ + hfri_tmp.p_id = &tag_info->extra->hf_values[4+i]; + hfri_tmp.hfinfo.bitmask = (guint64)1 << ehdr_type_vals[i].value; + hfri_tmp.hfinfo.name = ehdr_type_vals[i].strptr; + hfri_tmp.hfinfo.abbrev = wmem_strconcat(wmem_epan_scope(), + "erf.meta.", tag_info->section_template->hfinfo.abbrev, ".", tag_info->tag_template->hfinfo.abbrev, ".", ehdr_type_vals_short[i].strptr, NULL); + wmem_array_append_one(hfri_table, hfri_tmp); + } + + return tag_info; +} + static erf_meta_tag_info_t* init_ns_addr_tag_value_fields(wmem_array_t *hfri_table, erf_meta_tag_info_t *tag_info) { @@ -1085,6 +1216,17 @@ init_tag_fields(wmem_array_t *hfri_table, wmem_array_t *ett_table, const erf_met break; case ERF_META_TAG_ptp_gm_clock_quality: init_tag_value_subfields(hfri_table, tag_info, erf_ptp_clock_quality, array_length(erf_ptp_clock_quality)); + break; + case ERF_META_TAG_stream_flags: + init_tag_value_subfields(hfri_table, tag_info, erf_stream_flags, array_length(erf_stream_flags)); + break; + case ERF_META_TAG_smart_trunc_default: + init_tag_value_subfields(hfri_table, tag_info, erf_smart_trunc_default_flags, array_length(erf_smart_trunc_default_flags)); + break; + case ERF_META_TAG_ext_hdrs_added: + case ERF_META_TAG_ext_hdrs_removed: + init_ext_hdrs_tag_value_subfields(hfri_table, tag_info); + break; } /* Add ett entries */ @@ -1632,6 +1774,36 @@ dissect_flow_id_ex_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i } } +float entropy_from_entropy_header_value(guint8 entropy_hdr_value) +{ + /* mapping 1-255 to 0.0-8.0 */ + /* 255 is 8.0 */ + /* 1 represent any value less than 2/32 */ + /* 0 represents not calculated */ + return (float)((entropy_hdr_value == 0)?0.0: (((float)entropy_hdr_value+1) / 32.0)); +} + +static void +dissect_entropy_ex_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int idx) +{ + if(tree) { + guint64 hdr = pinfo->pseudo_header->erf.ehdr_list[idx].ehdr; + guint8 entropy_hdr_value = (guint8)((hdr >> 48) & 0xFF); + float entropy; + proto_item *pi; + proto_tree *entropy_value_tree; + + entropy = entropy_from_entropy_header_value(entropy_hdr_value); + + pi = proto_tree_add_float_format_value(tree, hf_erf_ehdr_entropy_entropy, tvb, 0, 0, entropy, + "%.2f %s", entropy, entropy == 0.0 ? "(not calculated)":"bits"); + entropy_value_tree = proto_item_add_subtree(pi, ett_erf_entropy_value); + proto_tree_add_uint(entropy_value_tree, hf_erf_ehdr_entropy_entropy_raw, tvb, 0, 0, entropy_hdr_value); + + proto_tree_add_uint64(tree, hf_erf_ehdr_entropy_reserved, tvb, 0, 0, (hdr & 0xFFFFFFFFFFFF)); + } +} + static guint64 find_host_id(packet_info *pinfo, gboolean *has_anchor_definition) { guint64 hdr; @@ -2153,6 +2325,9 @@ dissect_erf_pseudo_extension_header(tvbuff_t *tvb, packet_info *pinfo, proto_tre } dissect_host_anchor_id(tvb, pinfo, tree, host_id, hdr & ERF_EHDR_ANCHOR_ID_MASK, (guint8)(hdr >> 48)); break; + case ERF_EXT_HDR_TYPE_ENTROPY: + dissect_entropy_ex_header(tvb, pinfo, ehdr_tree, i); + break; default: dissect_unknown_ex_header(tvb, pinfo, ehdr_tree, i); break; @@ -2250,6 +2425,77 @@ dissect_meta_tag_bitfield(proto_item *section_tree, tvbuff_t *tvb, int offset, e return tag_pi; } +static proto_item* +dissect_meta_tag_ext_hdrs(proto_item *section_tree, tvbuff_t *tvb, int offset, gint taglength, erf_meta_tag_info_t *tag_info, proto_item **out_tag_tree, expert_field **out_truncated_expert) +{ + proto_item *tag_pi = NULL; + proto_tree *subtree = NULL; + proto_item *subtree_pi = NULL; + int i; + guint32 ext_hdrs[4] = {0, 0, 0, 0}; + int int_offset = 0; + int int_avail = MIN(taglength / 4, 4);; + int bit_offset = 0; + int ext_hdr_num = 0; + gboolean first = TRUE; + gboolean all_set = TRUE; + + DISSECTOR_ASSERT(tag_info->extra); + + tag_pi = proto_tree_add_item(section_tree, tag_info->hf_value, tvb, offset + 4, taglength, ENC_BIG_ENDIAN); + *out_tag_tree = proto_item_add_subtree(tag_pi, tag_info->ett); + + for (int_offset = 0; int_offset < int_avail; int_offset++) { + ext_hdrs[int_offset] = tvb_get_guint32(tvb, offset + 4 + int_offset*4, ENC_BIG_ENDIAN); + if (ext_hdrs[int_offset] != G_MAXUINT32) + all_set = FALSE; + } + + /* Special case: all specified bits are 1 means all extension headers */ + if (all_set) + proto_item_append_text(tag_pi, ": "); + + /* Add 4 subtrees, one for each uint32 representing 32 extension header numbers */ + for (int_offset = 0; int_offset < int_avail; int_offset++) { + /* TODO: Put subtree hf values somewhere better than first 4 hf_values */ + subtree_pi = proto_tree_add_item(*out_tag_tree, tag_info->extra->hf_values[int_offset], tvb, offset + 4 + int_offset*4, 4, ENC_BIG_ENDIAN); + + /* Add the individual bit dissections */ + /* XXX: This currently assumes we only know up to the first 32 */ + if (int_offset == 0) { + subtree = proto_item_add_subtree(subtree_pi, tag_info->ett); + for (i = 4; tag_info->extra->hf_values[i] != -1; i++) { + proto_tree_add_boolean(subtree, tag_info->extra->hf_values[i], tvb, offset + 4 + int_offset*4, 4, ext_hdrs[int_offset]); + } + } + + /* Add all set bits to the header, including the ones we don't understand */ + for (bit_offset = 0; bit_offset < 32; bit_offset++) { + if (ext_hdrs[int_offset] & (1 << bit_offset)) { + proto_item_append_text(subtree_pi, ", %s", val_to_str(ext_hdr_num, ehdr_type_vals, "%d")); + + /* Also add to the top level */ + if (!all_set) + proto_item_append_text(tag_pi, "%s %s", first ? ":" : ",", val_to_str(ext_hdr_num, ehdr_type_vals, "%d")); + + first = FALSE; + } + + ext_hdr_num++; + } + } + + if (first) + proto_item_append_text(tag_pi, ": "); + + /* Check for truncated tag (i.e. last uint32 is partial) */ + if (int_avail < 4 && taglength % 4 != 0) { + *out_truncated_expert = &ei_erf_meta_truncated_tag; + } + + return tag_pi; +} + static void erf_ts_to_nstime(guint64 timestamp, nstime_t* t, gboolean is_relative) { guint64 ts = timestamp; @@ -2355,6 +2601,12 @@ meta_tag_expected_length(erf_meta_tag_info_t *tag_info) { /* 16-byte WWNs */ expected_length = 16; break; + + case ERF_META_TAG_ext_hdrs_added: + case ERF_META_TAG_ext_hdrs_removed: + /* 1 to 4 uint32 fields */ + expected_length = 4; + break; } return expected_length; @@ -2572,6 +2824,8 @@ dissect_meta_record_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { case ERF_META_TAG_tunneling_mode: case ERF_META_TAG_ptp_time_properties: case ERF_META_TAG_ptp_gm_clock_quality: + case ERF_META_TAG_stream_flags: + case ERF_META_TAG_smart_trunc_default: tag_pi = dissect_meta_tag_bitfield(section_tree, tvb, offset, tag_info, &tag_tree); break; @@ -2626,6 +2880,28 @@ dissect_meta_record_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) { break; } + case ERF_META_TAG_entropy_threshold: + case ERF_META_TAG_initiator_min_entropy: + case ERF_META_TAG_responder_min_entropy: + case ERF_META_TAG_initiator_avg_entropy: + case ERF_META_TAG_responder_avg_entropy: + case ERF_META_TAG_initiator_max_entropy: + case ERF_META_TAG_responder_max_entropy: + { + float entropy; + value32 = tvb_get_ntohl(tvb, offset + 4); + entropy = entropy_from_entropy_header_value(value32); + + tag_pi = proto_tree_add_float_format_value(section_tree, tag_info->hf_value, tvb, 0, 0, entropy, + "%.2f %s", entropy, entropy == 0.0 ? "(not calculated)":"bits"); + break; + } + + case ERF_META_TAG_ext_hdrs_added: + case ERF_META_TAG_ext_hdrs_removed: + tag_pi = dissect_meta_tag_ext_hdrs(section_tree, tvb, offset, taglength, tag_info, &tag_tree, &truncated_expert); + break; + default: dissected = FALSE; break; @@ -3228,6 +3504,17 @@ proto_register_erf(void) { "Previous Metadata in Source", "erf.source_meta_frame_prev", FT_FRAMENUM, BASE_NONE, NULL, 0, NULL, HFILL } }, + /* Entropy Extension Header */ + { &hf_erf_ehdr_entropy_entropy, + { "Entropy", "erf.ehdr.entropy.entropy", + FT_FLOAT, BASE_NONE, NULL, 0, NULL, HFILL} }, + { &hf_erf_ehdr_entropy_entropy_raw, + { "Raw Entropy", "erf.ehdr.entropy.entropy.raw", + FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL} }, + { &hf_erf_ehdr_entropy_reserved, + { "Reserved", "erf.ehdr.entropy.rsvd", + FT_UINT48, BASE_HEX, NULL, 0, NULL, HFILL} }, + /* Unknown Extension Header */ { &hf_erf_ehdr_unk, { "Data", "erf.ehdr.unknown.data", @@ -3485,7 +3772,8 @@ proto_register_erf(void) &ett_erf_meta_tag, &ett_erf_source, &ett_erf_anchor, - &ett_erf_anchor_flags + &ett_erf_anchor_flags, + &ett_erf_entropy_value }; static const enum_val_t erf_hdlc_options[] = { diff --git a/wiretap/erf.h b/wiretap/erf.h index 271e2156d4..8da7d00d08 100644 --- a/wiretap/erf.h +++ b/wiretap/erf.h @@ -101,9 +101,11 @@ #define ERF_EXT_HDR_TYPE_BFS 6 #define ERF_EXT_HDR_TYPE_CHANNELISED 12 #define ERF_EXT_HDR_TYPE_SIGNATURE 14 +#define ERF_EXT_HDR_TYPE_PKT_ID 15 #define ERF_EXT_HDR_TYPE_FLOW_ID 16 #define ERF_EXT_HDR_TYPE_HOST_ID 17 #define ERF_EXT_HDR_TYPE_ANCHOR_ID 18 +#define ERF_EXT_HDR_TYPE_ENTROPY 19 /* Host ID and Anchor ID*/ #define ERF_EHDR_HOST_ID_MASK G_GUINT64_CONSTANT(0xffffffffffff) @@ -188,6 +190,12 @@ #define ERF_META_TAG_cpu_numa_nodes 51 #define ERF_META_TAG_dag_attribute 52 #define ERF_META_TAG_dag_version 53 +#define ERF_META_TAG_stream_flags 54 +#define ERF_META_TAG_entropy_threshold 55 +#define ERF_META_TAG_smart_trunc_default 56 +#define ERF_META_TAG_ext_hdrs_added 57 +#define ERF_META_TAG_ext_hdrs_removed 58 +#define ERF_META_TAG_relative_snaplen 59 #define ERF_META_TAG_if_num 64 #define ERF_META_TAG_if_vc 65 @@ -210,6 +218,10 @@ #define ERF_META_TAG_if_phy_mode 82 #define ERF_META_TAG_if_port_type 83 #define ERF_META_TAG_if_rx_latency 84 +#define ERF_META_TAG_tap_mode 85 +#define ERF_META_TAG_tap_fail_mode 86 +#define ERF_META_TAG_watchdog_expired 87 +#define ERF_META_TAG_watchdog_interval 88 #define ERF_META_TAG_src_ipv4 128 #define ERF_META_TAG_dest_ipv4 129 @@ -234,6 +246,21 @@ #define ERF_META_TAG_filter_match 148 #define ERF_META_TAG_filter_match_name 149 #define ERF_META_TAG_error_flags 150 +#define ERF_META_TAG_initiator_pkts 151 +#define ERF_META_TAG_responder_pkts 152 +#define ERF_META_TAG_initiator_bytes 153 +#define ERF_META_TAG_responder_bytes 154 +#define ERF_META_TAG_initiator_min_entropy 155 +#define ERF_META_TAG_responder_min_entropy 156 +#define ERF_META_TAG_initiator_avg_entropy 157 +#define ERF_META_TAG_responder_avg_entropy 158 +#define ERF_META_TAG_initiator_max_entropy 159 +#define ERF_META_TAG_responder_max_entropy 160 +#define ERF_META_TAG_dpi_application 161 +#define ERF_META_TAG_dpi_confidence 162 +#define ERF_META_TAG_dpi_state 163 +#define ERF_META_TAG_dpi_protocol_stack 164 +#define ERF_META_TAG_flow_state 165 #define ERF_META_TAG_start_time 193 #define ERF_META_TAG_end_time 194