From 9b106b500c432a362880b4a5f715e15abc45350e Mon Sep 17 00:00:00 2001
From: Gerald Combs
Date: Mon, 3 Jan 2022 18:30:28 -0800
Subject: [PATCH] Sysdig Bridge: Update the Sysdig Plugin fields.
Update the Sysdig Plugin fields to match falcosecurity/libs scap.c.
---
 .../epan/sysdig_bridge/packet-sysdig-bridge.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c b/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c
index 60f7c44994..d5783565cf 100644
--- a/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c
+++ b/plugins/epan/sysdig_bridge/packet-sysdig-bridge.c
@@ -57,10 +57,17 @@ guint n_conv_fields = 0;
 /*
 * Fields
 */
+static int hf_sdp_source_id_size = -1;
 static int hf_sdp_lengths = -1;
 static int hf_sdp_source_id = -1;
 static hf_register_info hf[] = {
+ { &hf_sdp_source_id_size,
+ { "Plugin ID size", "sysdig_plugin.id.size",
+ FT_UINT32, BASE_DEC,
+ NULL, 0x0,
+ NULL, HFILL }
+ },
 { &hf_sdp_lengths,
 { "Field Lengths", "sysdig_plugin.lens",
 FT_UINT32, BASE_HEX,
@@ -72,7 +79,7 @@ static hf_register_info hf[] = {
 FT_UINT32, BASE_DEC,
 NULL, 0x0,
 NULL, HFILL }
- }
+ },
 };
 /*
@@ -599,14 +606,16 @@ dissect_sdplugin(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree _U_, void *
 /* Clear out stuff in the info column */
 col_clear(pinfo->cinfo,COL_INFO);
- proto_item *ti = proto_tree_add_item(tree, proto_sdplugin, tvb, 0, 8, ENC_NA);
+ // https://github.com/falcosecurity/libs/blob/9c942f27/userspace/libscap/scap.c#L1900
+ proto_item *ti = proto_tree_add_item(tree, proto_sdplugin, tvb, 0, 12, ENC_NA);
 proto_tree *sdplugin_tree = proto_item_add_subtree(ti, ett_sdplugin);
- proto_tree_add_item(sdplugin_tree, hf_sdp_lengths, tvb, 0, 4, ENC_BIG_ENDIAN);
- proto_item *idti = proto_tree_add_item(sdplugin_tree, hf_sdp_source_id, tvb, 4, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(sdplugin_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN);
+ proto_tree_add_item(sdplugin_tree, hf_sdp_lengths, tvb, 4, 4, ENC_BIG_ENDIAN);
+ proto_item *idti = proto_tree_add_item(sdplugin_tree, hf_sdp_source_id, tvb, 8, 4, ENC_LITTLE_ENDIAN);
 guint32 source_id = tvb_get_guint32(tvb, 8, ENC_LITTLE_ENDIAN);
 bridge_info* bi = get_bridge_info(source_id);
- col_add_fstr(pinfo->cinfo, COL_INFO, "Plugin ID: %u", (unsigned)source_id);
+ col_add_fstr(pinfo->cinfo, COL_INFO, "Plugin ID: %u", source_id);
 if (bi == NULL) {
 proto_item_append_text(idti, " (NOT SUPPORTED)");
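Review bot: The new `hf_sdp_source_id_size` value is only displayed; nothing compares it with the 4-byte width that the fixed reads at offset 8 (`proto_tree_add_item(..., hf_sdp_source_id, tvb, 8, 4, ...)` and `tvb_get_guint32(tvb, 8, ...)`) assume. These bytes come from a capture file, so a record whose size field is not 4 would still be dissected as if it were, and the resulting value handed to `get_bridge_info()`. I would fetch the value into a `guint32 id_size` with `proto_item *szti = proto_tree_add_item_ret_uint(sdplugin_tree, hf_sdp_source_id_size, tvb, 0, 4, ENC_LITTLE_ENDIAN, &id_size);` and mark a mismatch in the tree, e.g. `if (id_size != 4) proto_item_append_text(szti, " (unexpected)");`. `hf_sdp_lengths` is also still decoded with `ENC_BIG_ENDIAN` between two little-endian fields; if that is intentional, a one-line comment saying why would help the next reader. The body of dissect_sdplugin continues outside this hunk.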