Add conversation_new_full and find_conversation_full, which take
arbitrary element lists instead of fixed addresses and ports.
Update the comments in conversation.h to be more Doxygen-conformant.
Update README.dissector.
Use the new functionality to add initial conversation support to the
Falco Bridge dissector.
libsinsp currently only supports string and unsigned 64-bit integer
field types. For string fields that might contain a parseable address,
add ".v4" and ".v6" subtree items with a corresponding field type.
For example, the ct.srcip field now dissects as
Sysdig Event 1: 880 bytes
Falco Bridge
cloudtrail Plugin
[ ... ]
Source IP: 3.92.225.50
[Source IP (IPv4): 3.92.225.50]
The extract_fields struct and calling convention changed, so update to
match. Extract all of our fields at once, which noticeably speeds up
dissection here.
Convert our conversation protocols to a dynamic list and add
add_conversation_filter_protocol(). Use it in the Falco Bridge plugin to
add protocols with conversation filters.
Split the counts of IO data objects and IOCS between
input and output. Remove increment of IO data objects
in station information, sometimes leading to extremely
high and invalid number of IO data objects.
Remove unused header definitions in packet-falco-bridge.h and move the
remaining content to packet-falco-bridge.c and conversation-macros.h.
Explicitly set our header files in CMakeLists.txt.
Fix
../plugins/epan/falco_bridge/packet-falco-bridge.c: In function ‘register_conversation_filters_mappings’:
../plugins/epan/falco_bridge/packet-falco-bridge.c:105:1: error: old-style function definition [-Werror=old-style-definition]
register_conversation_filters_mappings()
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Sysdig Bridge plugin loads Falco plugins, so rename it to Falco
Bridge.
Make it optional and dependent on libsinsp+libscap, similar to our codec
plugins.
Remove some unused code.
Add a FindSinsp CMake module, and use it in the Sysdig Bridge plugin
CMakeLists.txt. It still needs work, but should at least be usable on
more machines.
Conflicts:
plugins/epan/sysdig_bridge/CMakeLists.txt
Switch from loading the cloudtrail plugin directly to doing so
indirectly via libsinsp. This should let us start leveraging the rich
functionality offered by libsinsp.
Fix
logshark/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c:86:39: error: this old-style function definition is not preceded by a prototype [-Werror,-Wstrict-prototypes]
register_conversation_filters_mappings()
^
1 error generated.
Prior versions had a dedicated plugin API function for this, but we
removed it from the plugin API, so just use the plugin name.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
avoid moving plugin states around the address space by mallocing all of the memory at the beginning instead of using realloc every time a plugin is detected. This prevents crashes and other types of bad behavior that were caused by plugins accessing garbage memory.
register_cleanup_routine is called after reading a single capture
file. Since the async extraction is set up per plugin instead of
per-instance, we want register_shutdown_routine().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Update to reflect newest API changes (single extract_fields
func). This simplifies dissect_plg_bridge a bit, as the setup/calling
plugin function can mostly be unified based on the field type, with
just looking at the res_str/res_u64 part of the field struct
afterward.
Although not used by wireshark directly, update
plugin_next/plugin_next_batch to note they return structs for events
instead of pointers + lens + timestamps.
Extract functions now use field names, so no need to extract or keep
track of field ids. The a "abbrev" property of header_field_info
contains the field name e.g. ct.xxx.
This commit introduces a new wireshark plugin which is able to act as proxy to sysdig plugins, loading them into Wireshark and transforming their output into dissectors that Wireshark can use to display the data.
Dirk Ziegelmeier