Switch from loading the cloudtrail plugin directly to doing so
indirectly via libsinsp. This should let us start leveraging the rich
functionality offered by libsinsp.
Fix
logshark/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c:86:39: error: this old-style function definition is not preceded by a prototype [-Werror,-Wstrict-prototypes]
register_conversation_filters_mappings()
^
1 error generated.
Prior versions had a dedicated plugin API function for this, but we
removed it from the plugin API, so just use the plugin name.
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
avoid moving plugin states around the address space by mallocing all of the memory at the beginning instead of using realloc every time a plugin is detected. This prevents crashes and other types of bad behavior that were caused by plugins accessing garbage memory.
register_cleanup_routine is called after reading a single capture
file. Since the async extraction is set up per plugin instead of
per-instance, we want register_shutdown_routine().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
Update to reflect newest API changes (single extract_fields
func). This simplifies dissect_plg_bridge a bit, as the setup/calling
plugin function can mostly be unified based on the field type, with
just looking at the res_str/res_u64 part of the field struct
afterward.
Although not used by wireshark directly, update
plugin_next/plugin_next_batch to note they return structs for events
instead of pointers + lens + timestamps.
Extract functions now use field names, so no need to extract or keep
track of field ids. The a "abbrev" property of header_field_info
contains the field name e.g. ct.xxx.
It recently changed from 320 to 322, probably as a result of a rebase
to master, so reflect that change here.
It won't change once the plugin changes code is merged to master.
This commit introduces a new wireshark plugin which is able to act as proxy to sysdig plugins, loading them into Wireshark and transforming their output into dissectors that Wireshark can use to display the data.
3GPP.User-Equipment-Info AVP should contain the IMEISV (if type is 0).
However some implementations put the IMEI there: decode it but display a
protocol error indication too.
Add support for masking of bits. Before the bitwise operator
could only test bits, it did not support clearing bits.
This allows testing if any combination of bits are set/unset
more naturally with a single test. Previously this was only
possible by combining several bitwise predicates.
Bitwise is implemented as a test node, even though it is not.
Maybe the test node should be renamed to something else.
Fixes#17246.
The DFVM instructions arguments are generic boxed types but instead
of using FVALUE and PCRE types the code passes aroung REGISTER types
instead. Change that to pass constants in the instruction.
The Sysdig Event dissector handles BLOCK_TYPE_SYSDIG_EVENT_V2 and
BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE blocks. Add them to dumpcap's packet
count so that we don't get a "No packets captured." error.
Only reassemble if reply chunk size is non-zero to avoid reassembly
of a single fragment. The RPC-over-RDMA reply has no data when the
reply chunk size is non-zero but it needs to reassemble all
fragments (more_frags = FALSE) in this frame. On the other hand
when the reply chunk size is zero, the whole message is given in
this frame therefore there is no need to reassemble.
dissect_http_message might get called with a nonzero offset into
the tvb if there are multiple messages/segments in a frame. Only
send data starting from that offset to the follow tap, instead of
starting at tvb offset 0. Fix#18006