pcapng: Add Sysdig meta event types

Add support for Sysdig meta events. In file-pcapng.c, use the blocks
defined in pcapng_module.h and expand the block name list.
This commit is contained in:
Gerald Combs 2023-09-12 18:26:52 -07:00 committed by AndersBroman
parent bd07966d3a
commit b261f2a7eb
9 changed files with 419 additions and 77 deletions


@ -19,6 +19,7 @@
#include <epan/exceptions.h>
#include <epan/show_exception.h>
#include <epan/addr_resolv.h>
#include <wiretap/pcapng_module.h>
#include <wiretap/secrets-types.h>
#include "file-pcapng.h"
@ -212,40 +213,42 @@ static int * const hfx_pcapng_option_data_packet_darwin_flags[] = {
static gboolean pref_dissect_next_layer = FALSE;
#define BLOCK_INTERFACE_DESCRIPTION 0x00000001
#define BLOCK_PACKET 0x00000002
#define BLOCK_SIMPLE_PACKET 0x00000003
#define BLOCK_NAME_RESOLUTION 0x00000004
#define BLOCK_INTERFACE_STATISTICS 0x00000005
#define BLOCK_ENHANCED_PACKET 0x00000006
#define BLOCK_IRIG_TIMESTAMP 0x00000007
#define BLOCK_ARINC_429 0x00000008
#define BLOCK_SYSTEMD_JOURNAL_EXPORT 0x00000009
#define BLOCK_DSB 0x0000000a
#define BLOCK_CB_COPY 0x00000BAD
#define BLOCK_CB_NO_COPY 0x40000BAD
#define BLOCK_SECTION_HEADER 0x0A0D0D0A
static const value_string block_type_vals[] = {
{ 0x00000001, "Interface Description Block" },
{ 0x00000002, "Packet Block" },
{ 0x00000003, "Simple Packet Block" },
{ 0x00000004, "Name Resolution Block" },
{ 0x00000005, "Interface Statistics Block" },
{ 0x00000006, "Enhanced Packet Block" },
{ 0x00000007, "IRIG Timestamp Block" },
{ 0x00000008, "Arinc 429 in AFDX Encapsulation Information Block" },
{ 0x00000009, "systemd Journal Export Block" },
{ 0x0000000A, "Decryption Secrets Block" },
{ 0x00000204, "Sysdig Event Block" },
{ 0x00000208, "Sysdig Event Block with flags" },
{ 0x00000216, "Sysdig Event Block v2" },
{ 0x00000217, "Sysdig Event Block with flags v2" },
{ 0x00000221, "Sysdig Event Block v2 large payload" },
{ 0x00000222, "Sysdig Event Block with flags v2 large payload" },
{ 0x00000BAD, "Custom Block which can be copied"},
{ 0x40000BAD, "Custom Block which should not be copied"},
{ 0x0A0D0D0A, "Section Header Block" },
{ BLOCK_TYPE_IDB, "Interface Description Block" },
{ BLOCK_TYPE_PB, "Packet Block" },
{ BLOCK_TYPE_SPB, "Simple Packet Block" },
{ BLOCK_TYPE_NRB, "Name Resolution Block" },
{ BLOCK_TYPE_ISB, "Interface Statistics Block" },
{ BLOCK_TYPE_EPB, "Enhanced Packet Block" },
{ BLOCK_TYPE_IRIG_TS, "IRIG Timestamp Block" },
{ BLOCK_TYPE_ARINC_429, "Arinc 429 in AFDX Encapsulation Information Block" },
{ BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT, "systemd Journal Export Block" },
{ BLOCK_TYPE_DSB, "Decryption Secrets Block" },
{ BLOCK_TYPE_SYSDIG_MI, "Sysdig Machine Info Block" },
{ BLOCK_TYPE_SYSDIG_PL_V1, "Sysdig Process List Block" },
{ BLOCK_TYPE_SYSDIG_FDL_V1, "Sysdig File Descriptor List Block" },
{ BLOCK_TYPE_SYSDIG_EVENT, "Sysdig Event Block" },
{ BLOCK_TYPE_SYSDIG_IL_V1, "Sysdig Interface List Block" },
{ BLOCK_TYPE_SYSDIG_UL_V1, "Sysdig User List Block" },
{ BLOCK_TYPE_SYSDIG_PL_V2, "Sysdig Process List Block version 2" },
{ BLOCK_TYPE_SYSDIG_EVF, "Sysdig Event Block with flags" },
{ BLOCK_TYPE_SYSDIG_PL_V3, "Sysdig Process List Block version 3" },
{ BLOCK_TYPE_SYSDIG_PL_V4, "Sysdig Process List Block version 4" },
{ BLOCK_TYPE_SYSDIG_PL_V5, "Sysdig Process List Block version 5" },
{ BLOCK_TYPE_SYSDIG_PL_V6, "Sysdig Process List Block version 6" },
{ BLOCK_TYPE_SYSDIG_PL_V7, "Sysdig Process List Block version 7" },
{ BLOCK_TYPE_SYSDIG_PL_V8, "Sysdig Process List Block version 8" },
{ BLOCK_TYPE_SYSDIG_PL_V9, "Sysdig Process List Block version 9" },
{ BLOCK_TYPE_SYSDIG_EVENT_V2, "Sysdig Event Block v2" },
{ BLOCK_TYPE_SYSDIG_EVF_V2, "Sysdig Event Block with flags v2" },
{ BLOCK_TYPE_SYSDIG_FDL_V2, "Sysdig File Descriptor List Block" },
{ BLOCK_TYPE_SYSDIG_IL_V2, "Sysdig Interface List Block version 2" },
{ BLOCK_TYPE_SYSDIG_UL_V2, "Sysdig User List Block version 2" },
{ BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, "Sysdig Event Block v2 large payload" },
{ BLOCK_TYPE_SYSDIG_EVF_V2_LARGE, "Sysdig Event Block with flags v2 large payload" },
{ BLOCK_TYPE_CB_COPY, "Custom Block which can be copied"},
{ BLOCK_TYPE_CB_NO_COPY, "Custom Block which should not be copied"},
{ BLOCK_TYPE_SHB, "Section Header Block" },
{ 0, NULL }
};
@ -605,27 +608,27 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
/* TODO: could have done this once outside of loop? */
switch (block_type) {
case BLOCK_SECTION_HEADER:
case BLOCK_TYPE_SHB:
hfj_pcapng_option_code = hf_pcapng_option_code_section_header;
vals = option_code_section_header_vals;
break;
case BLOCK_INTERFACE_DESCRIPTION:
case BLOCK_TYPE_IDB:
hfj_pcapng_option_code = hf_pcapng_option_code_interface_description;
vals = option_code_interface_description_vals;
break;
case BLOCK_ENHANCED_PACKET:
case BLOCK_TYPE_EPB:
hfj_pcapng_option_code = hf_pcapng_option_code_enhanced_packet;
vals = option_code_enhanced_packet_vals;
break;
case BLOCK_PACKET:
case BLOCK_TYPE_PB:
hfj_pcapng_option_code = hf_pcapng_option_code_packet;
vals = option_code_packet_vals;
break;
case BLOCK_NAME_RESOLUTION:
case BLOCK_TYPE_NRB:
hfj_pcapng_option_code = hf_pcapng_option_code_name_resolution;
vals = option_code_name_resolution_vals;
break;
case BLOCK_INTERFACE_STATISTICS:
case BLOCK_TYPE_ISB:
hfj_pcapng_option_code = hf_pcapng_option_code_interface_statistics;
vals = option_code_interface_statistics_vals;
break;
@ -662,7 +665,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
dissect_custom_options(option_tree, pinfo, tvb, offset, option_code, option_length, encoding);
offset += option_length;
} else switch (block_type) {
case BLOCK_SECTION_HEADER:
case BLOCK_TYPE_SHB:
switch (option_code) {
case 2:
proto_tree_add_item_ret_display_string(option_tree, hf_pcapng_option_data_section_header_hardware, tvb, offset, option_length, ENC_NA | ENC_UTF_8, pinfo->pool, &str);
@ -684,7 +687,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
offset += option_length;
}
break;
case BLOCK_INTERFACE_DESCRIPTION: {
case BLOCK_TYPE_IDB: {
struct interface_description *interface_description = (struct interface_description *) user_data;
switch (option_code) {
@ -978,7 +981,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
}
}
break;
case BLOCK_PACKET:
case BLOCK_TYPE_PB:
switch (option_code) {
case 2:
if (option_length != 4) {
@ -1016,7 +1019,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
}
break;
case BLOCK_NAME_RESOLUTION:
case BLOCK_TYPE_NRB:
switch (option_code) {
case 2:
proto_tree_add_item_ret_display_string(option_tree, hf_pcapng_option_data_dns_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, pinfo->pool, &str);
@ -1060,7 +1063,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
}
break;
case BLOCK_INTERFACE_STATISTICS:
case BLOCK_TYPE_ISB:
switch (option_code) {
case 2:
if (option_length != 8) {
@ -1150,7 +1153,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
}
break;
case BLOCK_ENHANCED_PACKET:
case BLOCK_TYPE_EPB:
switch (option_code) {
case 2:
if (option_length != 4) {
@ -1431,7 +1434,7 @@ dissect_shb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
proto_tree_add_item(tree, hf_pcapng_section_header_section_length, tvb, offset, 8, argp->info->encoding);
offset += 8;
dissect_options(tree, pinfo, BLOCK_SECTION_HEADER, tvb, offset, argp->info->encoding, NULL);
dissect_options(tree, pinfo, BLOCK_TYPE_SHB, tvb, offset, argp->info->encoding, NULL);
return TRUE;
}
@ -1460,7 +1463,7 @@ dissect_idb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
interface_description.snap_len = tvb_get_guint32(tvb, offset, argp->info->encoding);
offset += 4;
dissect_options(tree, pinfo, BLOCK_INTERFACE_DESCRIPTION, tvb, offset, argp->info->encoding, &interface_description);
dissect_options(tree, pinfo, BLOCK_TYPE_IDB, tvb, offset, argp->info->encoding, &interface_description);
wmem_array_append_one(argp->info->interfaces, interface_description);
}
@ -1520,7 +1523,7 @@ dissect_pb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
offset += ((captured_length % 4) ?(4 - (captured_length % 4)):0);
}
dissect_options(tree, pinfo, BLOCK_PACKET, tvb, offset, argp->info->encoding, NULL);
dissect_options(tree, pinfo, BLOCK_TYPE_PB, tvb, offset, argp->info->encoding, NULL);
}
static void
@ -1692,7 +1695,7 @@ dissect_nrb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
}
proto_item_set_end(records_item, tvb, offset);
dissect_options(tree, pinfo, BLOCK_NAME_RESOLUTION, tvb, offset, argp->info->encoding, NULL);
dissect_options(tree, pinfo, BLOCK_TYPE_NRB, tvb, offset, argp->info->encoding, NULL);
}
static void
@ -1712,7 +1715,7 @@ dissect_isb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
pcapng_add_timestamp(tree, pinfo, tvb, offset, argp->info->encoding, interface_description);
offset += 8;
dissect_options(tree, pinfo, BLOCK_INTERFACE_STATISTICS, tvb, offset, argp->info->encoding, NULL);
dissect_options(tree, pinfo, BLOCK_TYPE_ISB, tvb, offset, argp->info->encoding, NULL);
}
static void
@ -1767,7 +1770,7 @@ dissect_epb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
offset += ((captured_length % 4) ?(4 - (captured_length % 4)):0);
}
dissect_options(tree, pinfo, BLOCK_ENHANCED_PACKET, tvb, offset, argp->info->encoding, NULL);
dissect_options(tree, pinfo, BLOCK_TYPE_EPB, tvb, offset, argp->info->encoding, NULL);
}
static void
@ -1790,7 +1793,7 @@ dissect_dsb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
offset += padlen;
}
dissect_options(tree, pinfo, BLOCK_DSB, tvb, offset, argp->info->encoding, NULL);
dissect_options(tree, pinfo, BLOCK_TYPE_DSB, tvb, offset, argp->info->encoding, NULL);
}
static void
@ -1866,7 +1869,7 @@ gint dissect_block(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, struct i
arg.block_tree = block_tree;
arg.info = info;
if (block_type == BLOCK_SECTION_HEADER) {
if (block_type == BLOCK_TYPE_SHB) {
/* Section Header Block - this needs special byte-order handling */
volatile gboolean byte_order_magic_bad = FALSE;
@ -1941,33 +1944,33 @@ gint dissect_block(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, struct i
*/
TRY {
switch (block_type) {
case BLOCK_INTERFACE_DESCRIPTION:
case BLOCK_TYPE_IDB:
dissect_idb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_PACKET:
case BLOCK_TYPE_PB:
dissect_pb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_SIMPLE_PACKET:
case BLOCK_TYPE_SPB:
dissect_spb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_NAME_RESOLUTION:
case BLOCK_TYPE_NRB:
dissect_nrb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_INTERFACE_STATISTICS:
case BLOCK_TYPE_ISB:
dissect_isb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_ENHANCED_PACKET:
case BLOCK_TYPE_EPB:
dissect_epb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_DSB:
case BLOCK_TYPE_DSB:
dissect_dsb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_CB_COPY:
case BLOCK_CB_NO_COPY:
case BLOCK_TYPE_CB_COPY:
case BLOCK_TYPE_CB_NO_COPY:
dissect_cb_data(block_data_tree, pinfo, next_tvb, &arg);
break;
case BLOCK_IRIG_TIMESTAMP:
case BLOCK_ARINC_429:
case BLOCK_TYPE_IRIG_TS:
case BLOCK_TYPE_ARINC_429:
break;
default:
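Review bot: The display string for BLOCK_TYPE_SYSDIG_FDL_V2 in block_type_vals is identical to the FDL_V1 entry ("Sysdig File Descriptor List Block"), while the neighbouring IL_V2 and UL_V2 rows carry a "version 2" suffix, so a v1 and a v2 file-descriptor list block are indistinguishable in the tree; `{ BLOCK_TYPE_SYSDIG_FDL_V2, "Sysdig File Descriptor List Block version 2" },` would match the other V2 rows. The same wording is repeated in the trailing comment on BLOCK_TYPE_SYSDIG_FDL_V2 in pcapng_module.h. The switch in dissect_block in the last hunk still sends every new Sysdig type to the default branch, which is presumably intended for this commit; dissect_block continues outside the hunk.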


@ -2377,6 +2377,8 @@ wtap_dump_init_dumper(int file_type_subtype, wtap_compression_type compression_t
/* Set Decryption Secrets Blocks */
wdh->dsbs_initial = params->dsbs_initial;
wdh->dsbs_growing = params->dsbs_growing;
/* Set Sysdig meta events */
wdh->sysdig_mev_growing = params->sysdig_mev_growing;
return wdh;
}
@ -2749,6 +2751,18 @@ wtap_dump_discard_decryption_secrets(wtap_dumper *wdh)
}
}
void
wtap_dump_discard_sysdig_meta_events(wtap_dumper *wdh)
{
/* As above for DSBs. */
if (wdh->sysdig_mev_growing) {
/*
* Pretend we've written all of them.
*/
wdh->sysdig_mev_growing_written = wdh->sysdig_mev_growing->len;
}
}
/* internally open a file for writing (compressed or not) */
#ifdef HAVE_ZLIB
static WFILE_T


@ -16,6 +16,7 @@
*/
#include "config.h"
#include "wtap_opttypes.h"
#define WS_LOG_DOMAIN LOG_DOMAIN_WIRETAP
@ -297,9 +298,26 @@ register_pcapng_block_type_handler(guint block_type, block_reader reader,
case BLOCK_TYPE_DSB:
case BLOCK_TYPE_CB_COPY:
case BLOCK_TYPE_CB_NO_COPY:
case BLOCK_TYPE_SYSDIG_MI:
case BLOCK_TYPE_SYSDIG_PL_V1:
case BLOCK_TYPE_SYSDIG_FDL_V1:
case BLOCK_TYPE_SYSDIG_EVENT:
case BLOCK_TYPE_SYSDIG_IL_V1:
case BLOCK_TYPE_SYSDIG_UL_V1:
case BLOCK_TYPE_SYSDIG_PL_V2:
case BLOCK_TYPE_SYSDIG_EVF:
case BLOCK_TYPE_SYSDIG_PL_V3:
case BLOCK_TYPE_SYSDIG_PL_V4:
case BLOCK_TYPE_SYSDIG_PL_V5:
case BLOCK_TYPE_SYSDIG_PL_V6:
case BLOCK_TYPE_SYSDIG_PL_V7:
case BLOCK_TYPE_SYSDIG_PL_V8:
case BLOCK_TYPE_SYSDIG_PL_V9:
case BLOCK_TYPE_SYSDIG_EVENT_V2:
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
case BLOCK_TYPE_SYSDIG_EVF_V2:
case BLOCK_TYPE_SYSDIG_FDL_V2:
case BLOCK_TYPE_SYSDIG_IL_V2:
case BLOCK_TYPE_SYSDIG_UL_V2:
case BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT:
/*
* Yes; we already handle it, and don't allow a replacement to
@ -313,9 +331,6 @@ register_pcapng_block_type_handler(guint block_type, block_reader reader,
case BLOCK_TYPE_IRIG_TS:
case BLOCK_TYPE_ARINC_429:
case BLOCK_TYPE_SYSDIG_EVF:
case BLOCK_TYPE_SYSDIG_EVF_V2:
case BLOCK_TYPE_SYSDIG_EVF_V2_LARGE:
/*
* Yes, and we don't already handle it. Allow a plugin to
* handle it.
@ -438,8 +453,8 @@ static GHashTable *option_handlers[NUM_BT_INDICES];
* or even if there is a fixed answer for all blocks of that type,
* so we err on the side of not processing.
*/
static gboolean
get_block_type_internal(guint block_type)
static bool
get_block_type_internal(unsigned block_type)
{
switch (block_type) {
@ -448,12 +463,28 @@ get_block_type_internal(guint block_type)
case BLOCK_TYPE_NRB:
case BLOCK_TYPE_DSB:
case BLOCK_TYPE_ISB: /* XXX: ISBs should probably not be internal. */
return TRUE;
case BLOCK_TYPE_SYSDIG_MI:
case BLOCK_TYPE_SYSDIG_PL_V1:
case BLOCK_TYPE_SYSDIG_FDL_V1:
case BLOCK_TYPE_SYSDIG_IL_V1:
case BLOCK_TYPE_SYSDIG_UL_V1:
case BLOCK_TYPE_SYSDIG_PL_V2:
case BLOCK_TYPE_SYSDIG_PL_V3:
case BLOCK_TYPE_SYSDIG_PL_V4:
case BLOCK_TYPE_SYSDIG_PL_V5:
case BLOCK_TYPE_SYSDIG_PL_V6:
case BLOCK_TYPE_SYSDIG_PL_V7:
case BLOCK_TYPE_SYSDIG_PL_V8:
case BLOCK_TYPE_SYSDIG_PL_V9:
case BLOCK_TYPE_SYSDIG_FDL_V2:
case BLOCK_TYPE_SYSDIG_IL_V2:
case BLOCK_TYPE_SYSDIG_UL_V2:
return true;
case BLOCK_TYPE_PB:
case BLOCK_TYPE_EPB:
case BLOCK_TYPE_SPB:
return FALSE;
return false;
case BLOCK_TYPE_CB_COPY:
case BLOCK_TYPE_CB_NO_COPY:
@ -461,7 +492,7 @@ get_block_type_internal(guint block_type)
case BLOCK_TYPE_SYSDIG_EVENT_V2:
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
case BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT:
return FALSE;
return false;
default:
#ifdef HAVE_PLUGINS
@ -519,7 +550,22 @@ get_block_type_index(guint block_type, guint *bt_index)
case BLOCK_TYPE_SYSDIG_EVENT:
case BLOCK_TYPE_SYSDIG_EVENT_V2:
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
/* case BLOCK_TYPE_SYSDIG_EVF: */
case BLOCK_TYPE_SYSDIG_MI:
case BLOCK_TYPE_SYSDIG_PL_V1:
case BLOCK_TYPE_SYSDIG_FDL_V1:
case BLOCK_TYPE_SYSDIG_IL_V1:
case BLOCK_TYPE_SYSDIG_UL_V1:
case BLOCK_TYPE_SYSDIG_PL_V2:
case BLOCK_TYPE_SYSDIG_PL_V3:
case BLOCK_TYPE_SYSDIG_PL_V4:
case BLOCK_TYPE_SYSDIG_PL_V5:
case BLOCK_TYPE_SYSDIG_PL_V6:
case BLOCK_TYPE_SYSDIG_PL_V7:
case BLOCK_TYPE_SYSDIG_PL_V8:
case BLOCK_TYPE_SYSDIG_PL_V9:
case BLOCK_TYPE_SYSDIG_FDL_V2:
case BLOCK_TYPE_SYSDIG_IL_V2:
case BLOCK_TYPE_SYSDIG_UL_V2:
*bt_index = BT_INDEX_EVT;
break;
@ -1791,6 +1837,55 @@ pcapng_read_decryption_secrets_block(FILE_T fh, pcapng_block_header_t *bh,
return TRUE;
}
static bool
pcapng_read_sysdig_meta_event_block(FILE_T fh, pcapng_block_header_t *bh,
wtapng_block_t *wblock,
int *err, gchar **err_info)
{
guint to_read;
wtapng_sysdig_mev_mandatory_t *mev_mand;
/*
* Set wblock->block to a newly-allocated Sysdig meta event block.
*/
wblock->block = wtap_block_create(WTAP_BLOCK_SYSDIG_META_EVENT);
/*
* Set the mandatory values for the block.
*/
mev_mand = (wtapng_sysdig_mev_mandatory_t *)wtap_block_get_mandatory_data(wblock->block);
mev_mand->mev_type = bh->block_type;
mev_mand->mev_data_len = bh->block_total_length -
(int)sizeof(pcapng_block_header_t) -
(int)sizeof(bh->block_total_length);
/* Sanity check: assume event data can't be larger than 1 GiB */
if (mev_mand->mev_data_len > 1024 * 1024 * 1024) {
*err = WTAP_ERR_BAD_FILE;
*err_info = ws_strdup_printf("pcapng: Sysdig mev block is too large: %u", mev_mand->mev_data_len);
return false;
}
mev_mand->mev_data = (uint8_t *)g_malloc(mev_mand->mev_data_len);
if (!wtap_read_bytes(fh, mev_mand->mev_data, mev_mand->mev_data_len, err, err_info)) {
ws_debug("failed to read Sysdig mev");
return false;
}
/* Skip past padding and discard options (not supported yet). */
to_read = bh->block_total_length - MIN_BLOCK_SIZE - mev_mand->mev_data_len;
if (!wtap_read_bytes(fh, NULL, to_read, err, err_info)) {
ws_debug("failed to read Sysdig mev options");
return FALSE;
}
/*
* We don't return these to the caller in pcapng_read().
*/
wblock->internal = true;
return true;
}
static gboolean
pcapng_process_packet_block_option(wtapng_block_t *wblock,
const section_info_t *section_info,
@ -3438,6 +3533,25 @@ pcapng_read_block(wtap *wth, FILE_T fh, pcapng_t *pn,
if (!pcapng_read_decryption_secrets_block(fh, &bh, section_info, wblock, err, err_info))
return FALSE;
break;
case BLOCK_TYPE_SYSDIG_MI:
case BLOCK_TYPE_SYSDIG_PL_V1:
case BLOCK_TYPE_SYSDIG_FDL_V1:
case BLOCK_TYPE_SYSDIG_IL_V1:
case BLOCK_TYPE_SYSDIG_UL_V1:
case BLOCK_TYPE_SYSDIG_PL_V2:
case BLOCK_TYPE_SYSDIG_PL_V3:
case BLOCK_TYPE_SYSDIG_PL_V4:
case BLOCK_TYPE_SYSDIG_PL_V5:
case BLOCK_TYPE_SYSDIG_PL_V6:
case BLOCK_TYPE_SYSDIG_PL_V7:
case BLOCK_TYPE_SYSDIG_PL_V8:
case BLOCK_TYPE_SYSDIG_PL_V9:
case BLOCK_TYPE_SYSDIG_FDL_V2:
case BLOCK_TYPE_SYSDIG_IL_V2:
case BLOCK_TYPE_SYSDIG_UL_V2:
if (!pcapng_read_sysdig_meta_event_block(fh, &bh, wblock, err, err_info))
return FALSE;
break;
case(BLOCK_TYPE_CB_COPY):
case(BLOCK_TYPE_CB_NO_COPY):
if (!pcapng_read_custom_block(fh, &bh, section_info, wblock, err, err_info))
@ -3530,6 +3644,16 @@ pcapng_process_dsb(wtap *wth, wtapng_block_t *wblock)
g_array_append_val(wth->dsbs, wblock->block);
}
/* Process a Sysdig meta event block that we have just read. */
static void
pcapng_process_sysdig_mev(wtap *wth, wtapng_block_t *wblock)
{
// XXX add wtapng_process_sysdig_meb(wth, wblock->block);
/* Store meta event such that it can be saved by the dumper. */
g_array_append_val(wth->sysdig_meta_events, wblock->block);
}
static void
pcapng_process_internal_block(wtap *wth, pcapng_t *pcapng, section_info_t *current_section, section_info_t new_section, wtapng_block_t *wblock, const gint64 *data_offset)
{
@ -3629,6 +3753,28 @@ pcapng_process_internal_block(wtap *wth, pcapng_t *pcapng, section_info_t *curre
wtap_block_unref(wblock->block);
break;
case BLOCK_TYPE_SYSDIG_MI:
case BLOCK_TYPE_SYSDIG_PL_V1:
case BLOCK_TYPE_SYSDIG_FDL_V1:
case BLOCK_TYPE_SYSDIG_IL_V1:
case BLOCK_TYPE_SYSDIG_UL_V1:
case BLOCK_TYPE_SYSDIG_PL_V2:
case BLOCK_TYPE_SYSDIG_PL_V3:
case BLOCK_TYPE_SYSDIG_PL_V4:
case BLOCK_TYPE_SYSDIG_PL_V5:
case BLOCK_TYPE_SYSDIG_PL_V6:
case BLOCK_TYPE_SYSDIG_PL_V7:
case BLOCK_TYPE_SYSDIG_PL_V8:
case BLOCK_TYPE_SYSDIG_PL_V9:
case BLOCK_TYPE_SYSDIG_FDL_V2:
case BLOCK_TYPE_SYSDIG_IL_V2:
case BLOCK_TYPE_SYSDIG_UL_V2:
/* Decryption secrets. */
ws_debug("block type Sysdig meta event");
pcapng_process_sysdig_mev(wth, wblock);
/* Do not free wblock->block, it is consumed by pcapng_process_sysdig_meb */
break;
default:
/* XXX - improve handling of "unknown" blocks */
ws_debug("Unknown block type 0x%08x", wblock->type);
@ -3783,11 +3929,13 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
wth->subtype_close = pcapng_close;
wth->file_type_subtype = pcapng_file_type_subtype;
/* Always initialize the lists of Decryption Secret Blocks and
* Name Resolution Blocks such that a wtap_dumper can refer to
* them right after opening the capture file. */
/* Always initialize the lists of Decryption Secret Blocks, Name
* Resolution Blocks, and Sysdig meta event blocks such that a
* wtap_dumper can refer to them right after opening the capture
* file. */
wth->dsbs = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
wth->nrbs = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
wth->sysdig_meta_events = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
/* Most other capture types (such as pcap) support a single link-layer
* type, indicated in the header, and don't support WTAP_ENCAP_PER_PACKET.
@ -5453,6 +5601,39 @@ pcapng_write_decryption_secrets_block(wtap_dumper *wdh, wtap_block_t sdata, int
return TRUE;
}
static bool
pcapng_write_sysdig_meta_event_block(wtap_dumper *wdh, wtap_block_t mev_data, int *err)
{
pcapng_block_header_t bh;
wtapng_sysdig_mev_mandatory_t *mand_data = (wtapng_sysdig_mev_mandatory_t *)wtap_block_get_mandatory_data(mev_data);
unsigned pad_len = (4 - (mand_data->mev_data_len & 3)) & 3;
/* write block header */
bh.block_type = mand_data->mev_type;
bh.block_total_length = MIN_BLOCK_SIZE + mand_data->mev_data_len + pad_len;
ws_debug("Sysdig mev total len %u", bh.block_total_length);
if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
return false;
/* write block fixed content */
if (!wtap_dump_file_write(wdh, mand_data->mev_data, mand_data->mev_data_len, err))
return false;
if (pad_len) {
const uint32_t zero_pad = 0;
if (!wtap_dump_file_write(wdh, &zero_pad, pad_len, err))
return false;
}
/* write block footer */
if (!wtap_dump_file_write(wdh, &bh.block_total_length,
sizeof bh.block_total_length, err))
return false;
return true;
}
/*
* libpcap's maximum pcapng block size is currently 16MB.
*
@ -6093,6 +6274,19 @@ static gboolean pcapng_write_internal_blocks(wtap_dumper *wdh, int *err)
}
}
/* Write (optional) Sysdig Meta Event Blocks that were collected while
* reading packet blocks. */
if (wdh->sysdig_mev_growing) {
for (unsigned i = wdh->sysdig_mev_growing_written; i < wdh->sysdig_mev_growing->len; i++) {
ws_debug("writing Sysdig mev %u", i);
wtap_block_t mev = g_array_index(wdh->sysdig_mev_growing, wtap_block_t, i);
if (!pcapng_write_sysdig_meta_event_block(wdh, mev, err)) {
return false;
}
++wdh->sysdig_mev_growing_written;
}
}
/* Write any hostname resolution info from wtap_dump_set_addrinfo_list() */
if (!wtap_addrinfo_list_empty(wdh->addrinfo_lists)) {
/*
@ -6450,6 +6644,15 @@ static const struct supported_option_type decryption_secrets_block_options_suppo
{ OPT_CUSTOM_BIN_NO_COPY, MULTIPLE_OPTIONS_SUPPORTED }
};
/* Options for Sysdig meta event blocks. */
static const struct supported_option_type sysdig_meta_events_block_options_supported[] = {
{ OPT_COMMENT, MULTIPLE_OPTIONS_SUPPORTED },
{ OPT_CUSTOM_STR_COPY, MULTIPLE_OPTIONS_SUPPORTED },
{ OPT_CUSTOM_BIN_COPY, MULTIPLE_OPTIONS_SUPPORTED },
{ OPT_CUSTOM_STR_NO_COPY, MULTIPLE_OPTIONS_SUPPORTED },
{ OPT_CUSTOM_BIN_NO_COPY, MULTIPLE_OPTIONS_SUPPORTED }
};
/* Options for packet blocks. */
static const struct supported_option_type packet_block_options_supported[] = {
{ OPT_COMMENT, MULTIPLE_OPTIONS_SUPPORTED },
@ -6508,6 +6711,9 @@ static const struct supported_block_type pcapng_blocks_supported[] = {
/* Multiple blocks of decryption secrets. */
{ WTAP_BLOCK_DECRYPTION_SECRETS, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(decryption_secrets_block_options_supported) },
/* Multiple blocks of decryption secrets. */
{ WTAP_BLOCK_SYSDIG_META_EVENT, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(sysdig_meta_events_block_options_supported) },
/* And, obviously, multiple packets. */
{ WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(packet_block_options_supported) },
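Review bot: In pcapng_read_sysdig_meta_event_block, mev_data_len is set to block_total_length minus the header and trailer sizes, i.e. the entire block body, so the later `to_read = bh->block_total_length - MIN_BLOCK_SIZE - mev_mand->mev_data_len` is always 0 if MIN_BLOCK_SIZE is header plus trailer (as the write side's `MIN_BLOCK_SIZE + mand_data->mev_data_len + pad_len` suggests); the "Skip past padding and discard options" comment then describes a read that never consumes anything, and any trailing padding or options end up inside mev_data and are passed to the add_new_sysdig_meta_event callback as event bytes. Either state that deliberately, e.g. `/* mev_data spans the whole block body (any padding/options included); nothing remains to skip. */`, and drop the zero-length read, or derive a real payload length. The same function mixes `return FALSE;` on the options-read failure with `return false;` elsewhere in a `bool` function. In pcapng_process_internal_block the new case carries a copy-pasted `/* Decryption secrets. */` comment and its trailing comment names `pcapng_process_sysdig_meb`, whereas the function this patch adds is `pcapng_process_sysdig_mev`; the `/* Multiple blocks of decryption secrets. */` comment above the WTAP_BLOCK_SYSDIG_META_EVENT row of pcapng_blocks_supported has the same copy-paste origin.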


@ -26,10 +26,26 @@
#define BLOCK_TYPE_ARINC_429 0x00000008 /* ARINC 429 in AFDX Encapsulation Information Block */
#define BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT 0x00000009 /* systemd journal entry */
#define BLOCK_TYPE_DSB 0x0000000A /* Decryption Secrets Block */
#define BLOCK_TYPE_SYSDIG_MI 0x00000201 /* Sysdig Machine Info Block */
#define BLOCK_TYPE_SYSDIG_PL_V1 0x00000202 /* Sysdig Process List Block */
#define BLOCK_TYPE_SYSDIG_FDL_V1 0x00000203 /* Sysdig File Descriptor List Block */
#define BLOCK_TYPE_SYSDIG_EVENT 0x00000204 /* Sysdig Event Block */
#define BLOCK_TYPE_SYSDIG_IL_V1 0x00000205 /* Sysdig Interface List Block */
#define BLOCK_TYPE_SYSDIG_UL_V1 0x00000206 /* Sysdig User List Block */
#define BLOCK_TYPE_SYSDIG_PL_V2 0x00000207 /* Sysdig Process List Block version 2 */
#define BLOCK_TYPE_SYSDIG_EVF 0x00000208 /* Sysdig Event Block with flags */
#define BLOCK_TYPE_SYSDIG_PL_V3 0x00000209 /* Sysdig Process List Block version 3 */
#define BLOCK_TYPE_SYSDIG_PL_V4 0x00000210 /* Sysdig Process List Block version 4 */
#define BLOCK_TYPE_SYSDIG_PL_V5 0x00000211 /* Sysdig Process List Block version 5 */
#define BLOCK_TYPE_SYSDIG_PL_V6 0x00000212 /* Sysdig Process List Block version 6 */
#define BLOCK_TYPE_SYSDIG_PL_V7 0x00000213 /* Sysdig Process List Block version 7 */
#define BLOCK_TYPE_SYSDIG_PL_V8 0x00000214 /* Sysdig Process List Block version 8 */
#define BLOCK_TYPE_SYSDIG_PL_V9 0x00000215 /* Sysdig Process List Block version 9 */
#define BLOCK_TYPE_SYSDIG_EVENT_V2 0x00000216 /* Sysdig Event Block version 2 */
#define BLOCK_TYPE_SYSDIG_EVF_V2 0x00000217 /* Sysdig Event Block with flags version 2 */
#define BLOCK_TYPE_SYSDIG_FDL_V2 0x00000218 /* Sysdig File Descriptor List Block */
#define BLOCK_TYPE_SYSDIG_IL_V2 0x00000219 /* Sysdig Interface List Block version 2 */
#define BLOCK_TYPE_SYSDIG_UL_V2 0x00000220 /* Sysdig User List Block version 2 */
#define BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE 0x00000221 /* Sysdig Event Block version 2 with large payload */
#define BLOCK_TYPE_SYSDIG_EVF_V2_LARGE 0x00000222 /* Sysdig Event Block with flags version 2 with large payload */
#define BLOCK_TYPE_CB_COPY 0x00000BAD /* Custom Block which can be copied */


@ -44,6 +44,7 @@ struct wtap {
guint next_interface_data; /**< Next interface data that wtap_get_next_interface_description() will show */
GArray *nrbs; /**< holds the Name Res Blocks, or NULL */
GArray *dsbs; /**< An array of DSBs (of type wtap_block_t), or NULL if not supported. */
GArray *sysdig_meta_events; /**< An array of Sysdig meta eventss (of type wtap_block_t), or NULL if not supported. */
char *pathname; /**< File pathname; might just be "-" */
@ -73,6 +74,7 @@ struct wtap {
wtap_new_ipv4_callback_t add_new_ipv4;
wtap_new_ipv6_callback_t add_new_ipv6;
wtap_new_secrets_callback_t add_new_secrets;
wtap_new_sysdig_meta_event_callback_t add_new_sysdig_meta_event;
GPtrArray *fast_seek;
};
@ -123,8 +125,10 @@ struct wtap_dumper {
*/
const GArray *nrbs_growing; /**< A reference to an array of NRBs (of type wtap_block_t) */
const GArray *dsbs_growing; /**< A reference to an array of DSBs (of type wtap_block_t) */
const GArray *sysdig_mev_growing; /**< A reference to an array of Sysdig meta events (of type wtap_block_t) */
guint nrbs_growing_written; /**< Number of already processed NRBs in nrbs_growing. */
guint dsbs_growing_written; /**< Number of already processed DSBs in dsbs_growing. */
guint sysdig_mev_growing_written; /**< Number of already processed meta events in sysdig_mev_growing. */
};
WS_DLL_PUBLIC gboolean wtap_dump_file_write(wtap_dumper *wdh, const void *buf,
@ -358,6 +362,12 @@ wtapng_process_nrb(wtap *wth, wtap_block_t nrb);
void
wtapng_process_dsb(wtap *wth, wtap_block_t dsb);
/**
* Invokes the callback with the given Sysdig meta event block.
*/
void
wtapng_process_sysdig_mev(wtap *wth, wtap_block_t mev);
void
wtap_register_compatibility_file_subtype_name(const char *old_name,
const char *new_name);
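Review bot: The prototype added here, `wtapng_process_sysdig_mev(wtap *wth, wtap_block_t mev)`, does not match the definition in wtap.c in this same commit, which is named `wtapng_process_sysdig_meta_event`, so the declared function has no body and the defined one has no prototype (the XXX comment in pcapng.c refers to a third spelling, `wtapng_process_sysdig_meb`); pick one name, e.g. `void wtapng_process_sysdig_meta_event(wtap *wth, wtap_block_t mev);`, and use it in all three places. The field comment on `sysdig_meta_events` reads "meta eventss".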


@ -220,6 +220,26 @@ wtap_file_discard_decryption_secrets(wtap *wth)
return TRUE;
}
void
wtap_file_add_sysdig_meta_event(wtap *wth, const wtap_block_t mev)
{
if (!wth->sysdig_meta_events) {
wth->sysdig_meta_events = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
}
g_array_append_val(wth->sysdig_meta_events, mev);
}
gboolean
wtap_file_discard_sysdig_meta_events(wtap *wth)
{
if (!wth->sysdig_meta_events || wth->sysdig_meta_events->len == 0)
return false;
wtap_block_array_free(wth->sysdig_meta_events);
wth->sysdig_meta_events = NULL;
return true;
}
void
wtap_add_idb(wtap *wth, wtap_block_t idb)
{
@ -497,6 +517,7 @@ wtap_dump_params_init(wtap_dump_params *params, wtap *wth)
* as they become available. */
params->nrbs_growing = wth->nrbs;
params->dsbs_growing = wth->dsbs;
params->sysdig_mev_growing = wth->sysdig_meta_events;
params->dont_copy_idbs = FALSE;
}
@ -537,6 +558,12 @@ wtap_dump_params_discard_decryption_secrets(wtap_dump_params *params)
params->dsbs_growing = NULL;
}
void
wtap_dump_params_discard_sysdig_meta_events(wtap_dump_params *params)
{
params->sysdig_mev_growing = NULL;
}
void
wtap_dump_params_cleanup(wtap_dump_params *params)
{
@ -1514,6 +1541,7 @@ wtap_close(wtap *wth)
wtap_block_array_free(wth->nrbs);
wtap_block_array_free(wth->interface_data);
wtap_block_array_free(wth->dsbs);
wtap_block_array_free(wth->sysdig_meta_events);
g_free(wth);
}
@ -1623,6 +1651,15 @@ wtapng_process_dsb(wtap *wth, wtap_block_t dsb)
wth->add_new_secrets(dsb_mand->secrets_type, dsb_mand->secrets_data, dsb_mand->secrets_len);
}
void
wtapng_process_sysdig_meta_event(wtap *wth, wtap_block_t mev)
{
const wtapng_sysdig_mev_mandatory_t *mev_mand = (wtapng_sysdig_mev_mandatory_t*)wtap_block_get_mandatory_data(mev);
if (wth->add_new_sysdig_meta_event)
wth->add_new_sysdig_meta_event(mev_mand->mev_type, mev_mand->mev_data, mev_mand->mev_data_len);
}
/* Perform per-packet initialization */
static void
wtap_init_rec(wtap *wth, wtap_rec *rec)
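Review bot: wtap_file_discard_sysdig_meta_events is declared `gboolean` yet returns the C `false`/`true` literals, while the DSB counterpart just above it returns `TRUE`; the return type and literal family should agree within the file, either `bool` with `true`/`false` or `gboolean` with `TRUE`/`FALSE`. wtap_file_add_sysdig_meta_event and wtapng_process_sysdig_meta_event also have no header comment; a one-liner such as `/* Append a Sysdig meta event block to the file's list, creating the list on first use. */` would do for the former.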


@ -1497,6 +1497,9 @@ typedef struct wtap_dump_params {
const GArray *dsbs_growing; /**< DSBs that will be written while writing packets, or NULL.
This array may grow since the dumper was opened and will subsequently
be written before newer packets are written in wtap_dump. */
const GArray *sysdig_mev_growing; /**< Meta events that will be written while writing packets, or NULL.
This array may grow since the dumper was opened and will subsequently
be written before newer packets are written in wtap_dump. */
gboolean dont_copy_idbs; /**< XXX - don't copy IDBs; this should eventually always be the case. */
} wtap_dump_params;
@ -1842,6 +1845,13 @@ typedef void (*wtap_new_secrets_callback_t)(guint32 secrets_type, const void *se
WS_DLL_PUBLIC
void wtap_set_cb_new_secrets(wtap *wth, wtap_new_secrets_callback_t add_new_secrets);
/**
* Set callback function to receive new sysdig meta events. Currently pcapng-only.
*/
typedef void (*wtap_new_sysdig_meta_event_callback_t)(uint32_t mev_type, const uint8_t *mev_data, unsigned mev_data_size);
WS_DLL_PUBLIC
void wtap_set_cb_new_sysdig_meta_event(wtap *wth, wtap_new_sysdig_meta_event_callback_t add_new_sysdig_meta_event);
/** Read the next record in the file, filling in *phdr and *buf.
*
* @wth a wtap * returned by a call that opened a file for reading.
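Review bot: The doc comment on wtap_new_sysdig_meta_event_callback_t does not say what mev_data contains or how long the pointer stays valid; wtapng_process_sysdig_meta_event in wtap.c hands the callback the block's own mev_data buffer, which is released by the block's free routine, so presumably the callee must copy anything it wants to keep. Suggested wording: `mev_data points into the block's own buffer and must be copied if retained beyond the call; mev_type is the pcapng block type (BLOCK_TYPE_SYSDIG_*).` The third parameter is named `mev_data_size` here but `mev_data_len` in wtapng_sysdig_mev_mandatory_t; one name would be easier to grep for.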


@ -1710,6 +1710,27 @@ static void dsb_copy_mand(wtap_block_t dest_block, wtap_block_t src_block)
dst->secrets_data = (guint8 *)g_memdup2(src->secrets_data, src->secrets_len);
}
static void sysdig_mev_create(wtap_block_t block)
{
block->mandatory_data = g_new0(wtapng_sysdig_mev_mandatory_t, 1);
}
static void sysdig_mev_free_mand(wtap_block_t block)
{
wtapng_sysdig_mev_mandatory_t *mand = (wtapng_sysdig_mev_mandatory_t *)block->mandatory_data;
g_free(mand->mev_data);
}
static void sysdig_mev_copy_mand(wtap_block_t dest_block, wtap_block_t src_block)
{
wtapng_sysdig_mev_mandatory_t *src = (wtapng_sysdig_mev_mandatory_t *)src_block->mandatory_data;
wtapng_sysdig_mev_mandatory_t *dst = (wtapng_sysdig_mev_mandatory_t *)dest_block->mandatory_data;
dst->mev_type = src->mev_type;
dst->mev_data_len = src->mev_data_len;
g_free(dst->mev_data);
dst->mev_data = (guint8 *)g_memdup2(src->mev_data, src->mev_data_len);
}
static void pkt_create(wtap_block_t block)
{
/* Commented out for now, there's no mandatory data that isn't handled by
@ -1921,6 +1942,16 @@ void wtap_opttypes_initialize(void)
0
};
static wtap_blocktype_t sysdig_mev_block = {
WTAP_BLOCK_SYSDIG_META_EVENT,
"Sysdig MEV",
"Sysdig Meta Event Block",
sysdig_mev_create,
sysdig_mev_free_mand,
sysdig_mev_copy_mand,
NULL
};
static wtap_blocktype_t pkt_block = {
WTAP_BLOCK_PACKET, /* block_type */
"EPB/SPB/PB", /* name */
@ -2033,6 +2064,11 @@ void wtap_opttypes_initialize(void)
*/
wtap_opttype_block_register(&dsb_block);
/*
* Register the Sysdig MEV, currently no options are defined.
*/
wtap_opttype_block_register(&sysdig_mev_block);
/*
* Register EPB/SPB/PB and the options that can appear in it/them.
* NB: Simple Packet Blocks have no options.
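Review bot: The sysdig_mev_block initializer lacks the per-field annotations that the neighbouring pkt_block carries (`/* block_type */`, `/* name */`, ...), so the reader has to look up wtap_blocktype_t to know which slot the trailing `NULL` fills; annotating it the same way, with the last entry as `NULL /* options */` or whatever the field is actually called, keeps the two tables readable side by side. The registration comment `currently no options are defined` is accurate for block-specific options, but pcapng.c in this commit advertises comment and custom options for the block type, so "no block-specific options" would avoid the apparent contradiction.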


@ -185,6 +185,7 @@ typedef enum {
WTAP_BLOCK_FT_SPECIFIC_REPORT,
WTAP_BLOCK_FT_SPECIFIC_EVENT,
WTAP_BLOCK_SYSDIG_EVENT,
WTAP_BLOCK_SYSDIG_META_EVENT,
WTAP_BLOCK_SYSTEMD_JOURNAL_EXPORT,
WTAP_BLOCK_CUSTOM,
MAX_WTAP_BLOCK_TYPE_VALUE
@ -253,6 +254,15 @@ typedef struct wtapng_dsb_mandatory_s {
guint8 *secrets_data; /** Buffer of secrets (not NUL-terminated) */
} wtapng_dsb_mandatory_t;
/**
* Holds the required data from a WTAP_BLOCK_SYSDIG_META_EVENT.
*/
typedef struct wtapng_sysdig_mev_mandatory_s {
uint32_t mev_type; /** pcapng block type of the event, e.g. BLOCK_TYPE_SYSDIG_MI */
uint32_t mev_data_len; /** Length of the mev data in bytes */
uint8_t *mev_data; /** Buffer of mev data (not NUL-terminated) */
} wtapng_sysdig_mev_mandatory_t;
/**
* Holds the required data from a WTAP_BLOCK_PACKET.
* This includes Enhanced Packet Block, Simple Packet Block, and the deprecated Packet Block.
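Review bot: WTAP_BLOCK_SYSDIG_META_EVENT is inserted before WTAP_BLOCK_SYSTEMD_JOURNAL_EXPORT rather than appended, so that value and WTAP_BLOCK_CUSTOM are renumbered; if the enum's numeric values are relied on by out-of-tree plugins or stored anywhere, that is an ABI change, and placing the new constant just before MAX_WTAP_BLOCK_TYPE_VALUE would avoid it — I cannot tell from this hunk whether anything depends on the numbers. The trailing `/** ... */` comments on the new struct's fields copy the DSB struct's style, but Doxygen attaches a `/** */` comment to the following member; `/**< ... */` is the post-member form, as already used in wtap-int.h.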