pcapng: Add Sysdig meta event types
Add support for Sysdig meta events. In file-pcapng.c, use the block type definitions from pcapng_module.h and expand the block name list.
This commit is contained in:
parent
bd07966d3a
commit
b261f2a7eb
@ -19,6 +19,7 @@
|
|||
#include <epan/exceptions.h>
|
||||
#include <epan/show_exception.h>
|
||||
#include <epan/addr_resolv.h>
|
||||
#include <wiretap/pcapng_module.h>
|
||||
#include <wiretap/secrets-types.h>
|
||||
|
||||
#include "file-pcapng.h"
|
||||
|
@ -212,40 +213,42 @@ static int * const hfx_pcapng_option_data_packet_darwin_flags[] = {
|
|||
|
||||
static gboolean pref_dissect_next_layer = FALSE;
|
||||
|
||||
#define BLOCK_INTERFACE_DESCRIPTION 0x00000001
|
||||
#define BLOCK_PACKET 0x00000002
|
||||
#define BLOCK_SIMPLE_PACKET 0x00000003
|
||||
#define BLOCK_NAME_RESOLUTION 0x00000004
|
||||
#define BLOCK_INTERFACE_STATISTICS 0x00000005
|
||||
#define BLOCK_ENHANCED_PACKET 0x00000006
|
||||
#define BLOCK_IRIG_TIMESTAMP 0x00000007
|
||||
#define BLOCK_ARINC_429 0x00000008
|
||||
#define BLOCK_SYSTEMD_JOURNAL_EXPORT 0x00000009
|
||||
#define BLOCK_DSB 0x0000000a
|
||||
#define BLOCK_CB_COPY 0x00000BAD
|
||||
#define BLOCK_CB_NO_COPY 0x40000BAD
|
||||
#define BLOCK_SECTION_HEADER 0x0A0D0D0A
|
||||
|
||||
static const value_string block_type_vals[] = {
|
||||
{ 0x00000001, "Interface Description Block" },
|
||||
{ 0x00000002, "Packet Block" },
|
||||
{ 0x00000003, "Simple Packet Block" },
|
||||
{ 0x00000004, "Name Resolution Block" },
|
||||
{ 0x00000005, "Interface Statistics Block" },
|
||||
{ 0x00000006, "Enhanced Packet Block" },
|
||||
{ 0x00000007, "IRIG Timestamp Block" },
|
||||
{ 0x00000008, "Arinc 429 in AFDX Encapsulation Information Block" },
|
||||
{ 0x00000009, "systemd Journal Export Block" },
|
||||
{ 0x0000000A, "Decryption Secrets Block" },
|
||||
{ 0x00000204, "Sysdig Event Block" },
|
||||
{ 0x00000208, "Sysdig Event Block with flags" },
|
||||
{ 0x00000216, "Sysdig Event Block v2" },
|
||||
{ 0x00000217, "Sysdig Event Block with flags v2" },
|
||||
{ 0x00000221, "Sysdig Event Block v2 large payload" },
|
||||
{ 0x00000222, "Sysdig Event Block with flags v2 large payload" },
|
||||
{ 0x00000BAD, "Custom Block which can be copied"},
|
||||
{ 0x40000BAD, "Custom Block which should not be copied"},
|
||||
{ 0x0A0D0D0A, "Section Header Block" },
|
||||
{ BLOCK_TYPE_IDB, "Interface Description Block" },
|
||||
{ BLOCK_TYPE_PB, "Packet Block" },
|
||||
{ BLOCK_TYPE_SPB, "Simple Packet Block" },
|
||||
{ BLOCK_TYPE_NRB, "Name Resolution Block" },
|
||||
{ BLOCK_TYPE_ISB, "Interface Statistics Block" },
|
||||
{ BLOCK_TYPE_EPB, "Enhanced Packet Block" },
|
||||
{ BLOCK_TYPE_IRIG_TS, "IRIG Timestamp Block" },
|
||||
{ BLOCK_TYPE_ARINC_429, "Arinc 429 in AFDX Encapsulation Information Block" },
|
||||
{ BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT, "systemd Journal Export Block" },
|
||||
{ BLOCK_TYPE_DSB, "Decryption Secrets Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_MI, "Sysdig Machine Info Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V1, "Sysdig Process List Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_FDL_V1, "Sysdig File Descriptor List Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_EVENT, "Sysdig Event Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_IL_V1, "Sysdig Interface List Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_UL_V1, "Sysdig User List Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V2, "Sysdig Process List Block version 2" },
|
||||
{ BLOCK_TYPE_SYSDIG_EVF, "Sysdig Event Block with flags" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V3, "Sysdig Process List Block version 3" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V4, "Sysdig Process List Block version 4" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V5, "Sysdig Process List Block version 5" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V6, "Sysdig Process List Block version 6" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V7, "Sysdig Process List Block version 7" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V8, "Sysdig Process List Block version 8" },
|
||||
{ BLOCK_TYPE_SYSDIG_PL_V9, "Sysdig Process List Block version 9" },
|
||||
{ BLOCK_TYPE_SYSDIG_EVENT_V2, "Sysdig Event Block v2" },
|
||||
{ BLOCK_TYPE_SYSDIG_EVF_V2, "Sysdig Event Block with flags v2" },
|
||||
{ BLOCK_TYPE_SYSDIG_FDL_V2, "Sysdig File Descriptor List Block" },
|
||||
{ BLOCK_TYPE_SYSDIG_IL_V2, "Sysdig Interface List Block version 2" },
|
||||
{ BLOCK_TYPE_SYSDIG_UL_V2, "Sysdig User List Block version 2" },
|
||||
{ BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, "Sysdig Event Block v2 large payload" },
|
||||
{ BLOCK_TYPE_SYSDIG_EVF_V2_LARGE, "Sysdig Event Block with flags v2 large payload" },
|
||||
{ BLOCK_TYPE_CB_COPY, "Custom Block which can be copied"},
|
||||
{ BLOCK_TYPE_CB_NO_COPY, "Custom Block which should not be copied"},
|
||||
{ BLOCK_TYPE_SHB, "Section Header Block" },
|
||||
{ 0, NULL }
|
||||
};
|
||||
|
||||
|
@ -605,27 +608,27 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
|
|||
|
||||
/* TODO: could have done this once outside of loop? */
|
||||
switch (block_type) {
|
||||
case BLOCK_SECTION_HEADER:
|
||||
case BLOCK_TYPE_SHB:
|
||||
hfj_pcapng_option_code = hf_pcapng_option_code_section_header;
|
||||
vals = option_code_section_header_vals;
|
||||
break;
|
||||
case BLOCK_INTERFACE_DESCRIPTION:
|
||||
case BLOCK_TYPE_IDB:
|
||||
hfj_pcapng_option_code = hf_pcapng_option_code_interface_description;
|
||||
vals = option_code_interface_description_vals;
|
||||
break;
|
||||
case BLOCK_ENHANCED_PACKET:
|
||||
case BLOCK_TYPE_EPB:
|
||||
hfj_pcapng_option_code = hf_pcapng_option_code_enhanced_packet;
|
||||
vals = option_code_enhanced_packet_vals;
|
||||
break;
|
||||
case BLOCK_PACKET:
|
||||
case BLOCK_TYPE_PB:
|
||||
hfj_pcapng_option_code = hf_pcapng_option_code_packet;
|
||||
vals = option_code_packet_vals;
|
||||
break;
|
||||
case BLOCK_NAME_RESOLUTION:
|
||||
case BLOCK_TYPE_NRB:
|
||||
hfj_pcapng_option_code = hf_pcapng_option_code_name_resolution;
|
||||
vals = option_code_name_resolution_vals;
|
||||
break;
|
||||
case BLOCK_INTERFACE_STATISTICS:
|
||||
case BLOCK_TYPE_ISB:
|
||||
hfj_pcapng_option_code = hf_pcapng_option_code_interface_statistics;
|
||||
vals = option_code_interface_statistics_vals;
|
||||
break;
|
||||
|
@ -662,7 +665,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
|
|||
dissect_custom_options(option_tree, pinfo, tvb, offset, option_code, option_length, encoding);
|
||||
offset += option_length;
|
||||
} else switch (block_type) {
|
||||
case BLOCK_SECTION_HEADER:
|
||||
case BLOCK_TYPE_SHB:
|
||||
switch (option_code) {
|
||||
case 2:
|
||||
proto_tree_add_item_ret_display_string(option_tree, hf_pcapng_option_data_section_header_hardware, tvb, offset, option_length, ENC_NA | ENC_UTF_8, pinfo->pool, &str);
|
||||
|
@ -684,7 +687,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
|
|||
offset += option_length;
|
||||
}
|
||||
break;
|
||||
case BLOCK_INTERFACE_DESCRIPTION: {
|
||||
case BLOCK_TYPE_IDB: {
|
||||
struct interface_description *interface_description = (struct interface_description *) user_data;
|
||||
|
||||
switch (option_code) {
|
||||
|
@ -978,7 +981,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
|
|||
}
|
||||
}
|
||||
break;
|
||||
case BLOCK_PACKET:
|
||||
case BLOCK_TYPE_PB:
|
||||
switch (option_code) {
|
||||
case 2:
|
||||
if (option_length != 4) {
|
||||
|
@ -1016,7 +1019,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
|
|||
}
|
||||
|
||||
break;
|
||||
case BLOCK_NAME_RESOLUTION:
|
||||
case BLOCK_TYPE_NRB:
|
||||
switch (option_code) {
|
||||
case 2:
|
||||
proto_tree_add_item_ret_display_string(option_tree, hf_pcapng_option_data_dns_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, pinfo->pool, &str);
|
||||
|
@ -1060,7 +1063,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
|
|||
}
|
||||
|
||||
break;
|
||||
case BLOCK_INTERFACE_STATISTICS:
|
||||
case BLOCK_TYPE_ISB:
|
||||
switch (option_code) {
|
||||
case 2:
|
||||
if (option_length != 8) {
|
||||
|
@ -1150,7 +1153,7 @@ gint dissect_options(proto_tree *tree, packet_info *pinfo,
|
|||
}
|
||||
|
||||
break;
|
||||
case BLOCK_ENHANCED_PACKET:
|
||||
case BLOCK_TYPE_EPB:
|
||||
switch (option_code) {
|
||||
case 2:
|
||||
if (option_length != 4) {
|
||||
|
@ -1431,7 +1434,7 @@ dissect_shb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
|
|||
proto_tree_add_item(tree, hf_pcapng_section_header_section_length, tvb, offset, 8, argp->info->encoding);
|
||||
offset += 8;
|
||||
|
||||
dissect_options(tree, pinfo, BLOCK_SECTION_HEADER, tvb, offset, argp->info->encoding, NULL);
|
||||
dissect_options(tree, pinfo, BLOCK_TYPE_SHB, tvb, offset, argp->info->encoding, NULL);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -1460,7 +1463,7 @@ dissect_idb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
|
|||
interface_description.snap_len = tvb_get_guint32(tvb, offset, argp->info->encoding);
|
||||
offset += 4;
|
||||
|
||||
dissect_options(tree, pinfo, BLOCK_INTERFACE_DESCRIPTION, tvb, offset, argp->info->encoding, &interface_description);
|
||||
dissect_options(tree, pinfo, BLOCK_TYPE_IDB, tvb, offset, argp->info->encoding, &interface_description);
|
||||
|
||||
wmem_array_append_one(argp->info->interfaces, interface_description);
|
||||
}
|
||||
|
@ -1520,7 +1523,7 @@ dissect_pb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
|
|||
offset += ((captured_length % 4) ?(4 - (captured_length % 4)):0);
|
||||
}
|
||||
|
||||
dissect_options(tree, pinfo, BLOCK_PACKET, tvb, offset, argp->info->encoding, NULL);
|
||||
dissect_options(tree, pinfo, BLOCK_TYPE_PB, tvb, offset, argp->info->encoding, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1692,7 +1695,7 @@ dissect_nrb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
|
|||
}
|
||||
proto_item_set_end(records_item, tvb, offset);
|
||||
|
||||
dissect_options(tree, pinfo, BLOCK_NAME_RESOLUTION, tvb, offset, argp->info->encoding, NULL);
|
||||
dissect_options(tree, pinfo, BLOCK_TYPE_NRB, tvb, offset, argp->info->encoding, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1712,7 +1715,7 @@ dissect_isb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
|
|||
pcapng_add_timestamp(tree, pinfo, tvb, offset, argp->info->encoding, interface_description);
|
||||
offset += 8;
|
||||
|
||||
dissect_options(tree, pinfo, BLOCK_INTERFACE_STATISTICS, tvb, offset, argp->info->encoding, NULL);
|
||||
dissect_options(tree, pinfo, BLOCK_TYPE_ISB, tvb, offset, argp->info->encoding, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1767,7 +1770,7 @@ dissect_epb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
|
|||
offset += ((captured_length % 4) ?(4 - (captured_length % 4)):0);
|
||||
}
|
||||
|
||||
dissect_options(tree, pinfo, BLOCK_ENHANCED_PACKET, tvb, offset, argp->info->encoding, NULL);
|
||||
dissect_options(tree, pinfo, BLOCK_TYPE_EPB, tvb, offset, argp->info->encoding, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1790,7 +1793,7 @@ dissect_dsb_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
|
|||
offset += padlen;
|
||||
}
|
||||
|
||||
dissect_options(tree, pinfo, BLOCK_DSB, tvb, offset, argp->info->encoding, NULL);
|
||||
dissect_options(tree, pinfo, BLOCK_TYPE_DSB, tvb, offset, argp->info->encoding, NULL);
|
||||
}
|
||||
|
||||
static void
|
||||
|
@ -1866,7 +1869,7 @@ gint dissect_block(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, struct i
|
|||
arg.block_tree = block_tree;
|
||||
arg.info = info;
|
||||
|
||||
if (block_type == BLOCK_SECTION_HEADER) {
|
||||
if (block_type == BLOCK_TYPE_SHB) {
|
||||
/* Section Header Block - this needs special byte-order handling */
|
||||
volatile gboolean byte_order_magic_bad = FALSE;
|
||||
|
||||
|
@ -1941,33 +1944,33 @@ gint dissect_block(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb, struct i
|
|||
*/
|
||||
TRY {
|
||||
switch (block_type) {
|
||||
case BLOCK_INTERFACE_DESCRIPTION:
|
||||
case BLOCK_TYPE_IDB:
|
||||
dissect_idb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_PACKET:
|
||||
case BLOCK_TYPE_PB:
|
||||
dissect_pb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_SIMPLE_PACKET:
|
||||
case BLOCK_TYPE_SPB:
|
||||
dissect_spb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_NAME_RESOLUTION:
|
||||
case BLOCK_TYPE_NRB:
|
||||
dissect_nrb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_INTERFACE_STATISTICS:
|
||||
case BLOCK_TYPE_ISB:
|
||||
dissect_isb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_ENHANCED_PACKET:
|
||||
case BLOCK_TYPE_EPB:
|
||||
dissect_epb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_DSB:
|
||||
case BLOCK_TYPE_DSB:
|
||||
dissect_dsb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_CB_COPY:
|
||||
case BLOCK_CB_NO_COPY:
|
||||
case BLOCK_TYPE_CB_COPY:
|
||||
case BLOCK_TYPE_CB_NO_COPY:
|
||||
dissect_cb_data(block_data_tree, pinfo, next_tvb, &arg);
|
||||
break;
|
||||
case BLOCK_IRIG_TIMESTAMP:
|
||||
case BLOCK_ARINC_429:
|
||||
case BLOCK_TYPE_IRIG_TS:
|
||||
case BLOCK_TYPE_ARINC_429:
|
||||
break;
|
||||
|
||||
default:
|
||||
|
@ -2377,6 +2377,8 @@ wtap_dump_init_dumper(int file_type_subtype, wtap_compression_type compression_t
|
|||
/* Set Decryption Secrets Blocks */
|
||||
wdh->dsbs_initial = params->dsbs_initial;
|
||||
wdh->dsbs_growing = params->dsbs_growing;
|
||||
/* Set Sysdig meta events */
|
||||
wdh->sysdig_mev_growing = params->sysdig_mev_growing;
|
||||
return wdh;
|
||||
}
|
||||
|
||||
|
@ -2749,6 +2751,18 @@ wtap_dump_discard_decryption_secrets(wtap_dumper *wdh)
|
|||
}
|
||||
}
|
||||
|
||||
void
|
||||
wtap_dump_discard_sysdig_meta_events(wtap_dumper *wdh)
|
||||
{
|
||||
/* As above for DSBs. */
|
||||
if (wdh->sysdig_mev_growing) {
|
||||
/*
|
||||
* Pretend we've written all of them.
|
||||
*/
|
||||
wdh->sysdig_mev_growing_written = wdh->sysdig_mev_growing->len;
|
||||
}
|
||||
}
|
||||
|
||||
/* internally open a file for writing (compressed or not) */
|
||||
#ifdef HAVE_ZLIB
|
||||
static WFILE_T
|
||||
232
wiretap/pcapng.c
232
wiretap/pcapng.c
@ -16,6 +16,7 @@
|
|||
*/
|
||||
|
||||
#include "config.h"
|
||||
#include "wtap_opttypes.h"
|
||||
|
||||
#define WS_LOG_DOMAIN LOG_DOMAIN_WIRETAP
|
||||
|
||||
|
@ -297,9 +298,26 @@ register_pcapng_block_type_handler(guint block_type, block_reader reader,
|
|||
case BLOCK_TYPE_DSB:
|
||||
case BLOCK_TYPE_CB_COPY:
|
||||
case BLOCK_TYPE_CB_NO_COPY:
|
||||
case BLOCK_TYPE_SYSDIG_MI:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_EVENT:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_EVF:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V3:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V4:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V5:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V6:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V7:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V8:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V9:
|
||||
case BLOCK_TYPE_SYSDIG_EVENT_V2:
|
||||
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
|
||||
case BLOCK_TYPE_SYSDIG_EVF_V2:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V2:
|
||||
case BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT:
|
||||
/*
|
||||
* Yes; we already handle it, and don't allow a replacement to
|
||||
|
@ -313,9 +331,6 @@ register_pcapng_block_type_handler(guint block_type, block_reader reader,
|
|||
|
||||
case BLOCK_TYPE_IRIG_TS:
|
||||
case BLOCK_TYPE_ARINC_429:
|
||||
case BLOCK_TYPE_SYSDIG_EVF:
|
||||
case BLOCK_TYPE_SYSDIG_EVF_V2:
|
||||
case BLOCK_TYPE_SYSDIG_EVF_V2_LARGE:
|
||||
/*
|
||||
* Yes, and we don't already handle it. Allow a plugin to
|
||||
* handle it.
|
||||
|
@ -438,8 +453,8 @@ static GHashTable *option_handlers[NUM_BT_INDICES];
|
|||
* or even if there is a fixed answer for all blocks of that type,
|
||||
* so we err on the side of not processing.
|
||||
*/
|
||||
static gboolean
|
||||
get_block_type_internal(guint block_type)
|
||||
static bool
|
||||
get_block_type_internal(unsigned block_type)
|
||||
{
|
||||
switch (block_type) {
|
||||
|
||||
|
@ -448,12 +463,28 @@ get_block_type_internal(guint block_type)
|
|||
case BLOCK_TYPE_NRB:
|
||||
case BLOCK_TYPE_DSB:
|
||||
case BLOCK_TYPE_ISB: /* XXX: ISBs should probably not be internal. */
|
||||
return TRUE;
|
||||
case BLOCK_TYPE_SYSDIG_MI:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V3:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V4:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V5:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V6:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V7:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V8:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V9:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V2:
|
||||
return true;
|
||||
|
||||
case BLOCK_TYPE_PB:
|
||||
case BLOCK_TYPE_EPB:
|
||||
case BLOCK_TYPE_SPB:
|
||||
return FALSE;
|
||||
return false;
|
||||
|
||||
case BLOCK_TYPE_CB_COPY:
|
||||
case BLOCK_TYPE_CB_NO_COPY:
|
||||
|
@ -461,7 +492,7 @@ get_block_type_internal(guint block_type)
|
|||
case BLOCK_TYPE_SYSDIG_EVENT_V2:
|
||||
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
|
||||
case BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT:
|
||||
return FALSE;
|
||||
return false;
|
||||
|
||||
default:
|
||||
#ifdef HAVE_PLUGINS
|
||||
|
@ -519,7 +550,22 @@ get_block_type_index(guint block_type, guint *bt_index)
|
|||
case BLOCK_TYPE_SYSDIG_EVENT:
|
||||
case BLOCK_TYPE_SYSDIG_EVENT_V2:
|
||||
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
|
||||
/* case BLOCK_TYPE_SYSDIG_EVF: */
|
||||
case BLOCK_TYPE_SYSDIG_MI:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V3:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V4:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V5:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V6:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V7:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V8:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V9:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V2:
|
||||
*bt_index = BT_INDEX_EVT;
|
||||
break;
|
||||
|
||||
|
@ -1791,6 +1837,55 @@ pcapng_read_decryption_secrets_block(FILE_T fh, pcapng_block_header_t *bh,
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
static bool
|
||||
pcapng_read_sysdig_meta_event_block(FILE_T fh, pcapng_block_header_t *bh,
|
||||
wtapng_block_t *wblock,
|
||||
int *err, gchar **err_info)
|
||||
{
|
||||
guint to_read;
|
||||
wtapng_sysdig_mev_mandatory_t *mev_mand;
|
||||
|
||||
/*
|
||||
* Set wblock->block to a newly-allocated Sysdig meta event block.
|
||||
*/
|
||||
wblock->block = wtap_block_create(WTAP_BLOCK_SYSDIG_META_EVENT);
|
||||
|
||||
/*
|
||||
* Set the mandatory values for the block.
|
||||
*/
|
||||
mev_mand = (wtapng_sysdig_mev_mandatory_t *)wtap_block_get_mandatory_data(wblock->block);
|
||||
mev_mand->mev_type = bh->block_type;
|
||||
mev_mand->mev_data_len = bh->block_total_length -
|
||||
(int)sizeof(pcapng_block_header_t) -
|
||||
(int)sizeof(bh->block_total_length);
|
||||
|
||||
/* Sanity check: assume event data can't be larger than 1 GiB */
|
||||
if (mev_mand->mev_data_len > 1024 * 1024 * 1024) {
|
||||
*err = WTAP_ERR_BAD_FILE;
|
||||
*err_info = ws_strdup_printf("pcapng: Sysdig mev block is too large: %u", mev_mand->mev_data_len);
|
||||
return false;
|
||||
}
|
||||
mev_mand->mev_data = (uint8_t *)g_malloc(mev_mand->mev_data_len);
|
||||
if (!wtap_read_bytes(fh, mev_mand->mev_data, mev_mand->mev_data_len, err, err_info)) {
|
||||
ws_debug("failed to read Sysdig mev");
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Skip past padding and discard options (not supported yet). */
|
||||
to_read = bh->block_total_length - MIN_BLOCK_SIZE - mev_mand->mev_data_len;
|
||||
if (!wtap_read_bytes(fh, NULL, to_read, err, err_info)) {
|
||||
ws_debug("failed to read Sysdig mev options");
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/*
|
||||
* We don't return these to the caller in pcapng_read().
|
||||
*/
|
||||
wblock->internal = true;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static gboolean
|
||||
pcapng_process_packet_block_option(wtapng_block_t *wblock,
|
||||
const section_info_t *section_info,
|
||||
|
@ -3438,6 +3533,25 @@ pcapng_read_block(wtap *wth, FILE_T fh, pcapng_t *pn,
|
|||
if (!pcapng_read_decryption_secrets_block(fh, &bh, section_info, wblock, err, err_info))
|
||||
return FALSE;
|
||||
break;
|
||||
case BLOCK_TYPE_SYSDIG_MI:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V3:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V4:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V5:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V6:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V7:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V8:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V9:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V2:
|
||||
if (!pcapng_read_sysdig_meta_event_block(fh, &bh, wblock, err, err_info))
|
||||
return FALSE;
|
||||
break;
|
||||
case(BLOCK_TYPE_CB_COPY):
|
||||
case(BLOCK_TYPE_CB_NO_COPY):
|
||||
if (!pcapng_read_custom_block(fh, &bh, section_info, wblock, err, err_info))
|
||||
|
@ -3530,6 +3644,16 @@ pcapng_process_dsb(wtap *wth, wtapng_block_t *wblock)
|
|||
g_array_append_val(wth->dsbs, wblock->block);
|
||||
}
|
||||
|
||||
/* Process a Sysdig meta event block that we have just read. */
|
||||
static void
|
||||
pcapng_process_sysdig_mev(wtap *wth, wtapng_block_t *wblock)
|
||||
{
|
||||
// XXX add wtapng_process_sysdig_meb(wth, wblock->block);
|
||||
|
||||
/* Store meta event such that it can be saved by the dumper. */
|
||||
g_array_append_val(wth->sysdig_meta_events, wblock->block);
|
||||
}
|
||||
|
||||
static void
|
||||
pcapng_process_internal_block(wtap *wth, pcapng_t *pcapng, section_info_t *current_section, section_info_t new_section, wtapng_block_t *wblock, const gint64 *data_offset)
|
||||
{
|
||||
|
@ -3629,6 +3753,28 @@ pcapng_process_internal_block(wtap *wth, pcapng_t *pcapng, section_info_t *curre
|
|||
wtap_block_unref(wblock->block);
|
||||
break;
|
||||
|
||||
case BLOCK_TYPE_SYSDIG_MI:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V1:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V3:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V4:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V5:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V6:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V7:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V8:
|
||||
case BLOCK_TYPE_SYSDIG_PL_V9:
|
||||
case BLOCK_TYPE_SYSDIG_FDL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_IL_V2:
|
||||
case BLOCK_TYPE_SYSDIG_UL_V2:
|
||||
/* Decryption secrets. */
|
||||
ws_debug("block type Sysdig meta event");
|
||||
pcapng_process_sysdig_mev(wth, wblock);
|
||||
/* Do not free wblock->block, it is consumed by pcapng_process_sysdig_meb */
|
||||
break;
|
||||
|
||||
default:
|
||||
/* XXX - improve handling of "unknown" blocks */
|
||||
ws_debug("Unknown block type 0x%08x", wblock->type);
|
||||
|
@ -3783,11 +3929,13 @@ pcapng_open(wtap *wth, int *err, gchar **err_info)
|
|||
wth->subtype_close = pcapng_close;
|
||||
wth->file_type_subtype = pcapng_file_type_subtype;
|
||||
|
||||
/* Always initialize the lists of Decryption Secret Blocks and
|
||||
* Name Resolution Blocks such that a wtap_dumper can refer to
|
||||
* them right after opening the capture file. */
|
||||
/* Always initialize the lists of Decryption Secret Blocks, Name
|
||||
* Resolution Blocks, and Sysdig meta event blocks such that a
|
||||
* wtap_dumper can refer to them right after opening the capture
|
||||
* file. */
|
||||
wth->dsbs = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
|
||||
wth->nrbs = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
|
||||
wth->sysdig_meta_events = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
|
||||
|
||||
/* Most other capture types (such as pcap) support a single link-layer
|
||||
* type, indicated in the header, and don't support WTAP_ENCAP_PER_PACKET.
|
||||
|
@ -5453,6 +5601,39 @@ pcapng_write_decryption_secrets_block(wtap_dumper *wdh, wtap_block_t sdata, int
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
static bool
|
||||
pcapng_write_sysdig_meta_event_block(wtap_dumper *wdh, wtap_block_t mev_data, int *err)
|
||||
{
|
||||
pcapng_block_header_t bh;
|
||||
wtapng_sysdig_mev_mandatory_t *mand_data = (wtapng_sysdig_mev_mandatory_t *)wtap_block_get_mandatory_data(mev_data);
|
||||
unsigned pad_len = (4 - (mand_data->mev_data_len & 3)) & 3;
|
||||
|
||||
/* write block header */
|
||||
bh.block_type = mand_data->mev_type;
|
||||
bh.block_total_length = MIN_BLOCK_SIZE + mand_data->mev_data_len + pad_len;
|
||||
ws_debug("Sysdig mev total len %u", bh.block_total_length);
|
||||
|
||||
if (!wtap_dump_file_write(wdh, &bh, sizeof bh, err))
|
||||
return false;
|
||||
|
||||
/* write block fixed content */
|
||||
if (!wtap_dump_file_write(wdh, mand_data->mev_data, mand_data->mev_data_len, err))
|
||||
return false;
|
||||
|
||||
if (pad_len) {
|
||||
const uint32_t zero_pad = 0;
|
||||
if (!wtap_dump_file_write(wdh, &zero_pad, pad_len, err))
|
||||
return false;
|
||||
}
|
||||
|
||||
/* write block footer */
|
||||
if (!wtap_dump_file_write(wdh, &bh.block_total_length,
|
||||
sizeof bh.block_total_length, err))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/*
|
||||
* libpcap's maximum pcapng block size is currently 16MB.
|
||||
*
|
||||
|
@ -6093,6 +6274,19 @@ static gboolean pcapng_write_internal_blocks(wtap_dumper *wdh, int *err)
|
|||
}
|
||||
}
|
||||
|
||||
/* Write (optional) Sysdig Meta Event Blocks that were collected while
|
||||
* reading packet blocks. */
|
||||
if (wdh->sysdig_mev_growing) {
|
||||
for (unsigned i = wdh->sysdig_mev_growing_written; i < wdh->sysdig_mev_growing->len; i++) {
|
||||
ws_debug("writing Sysdig mev %u", i);
|
||||
wtap_block_t mev = g_array_index(wdh->sysdig_mev_growing, wtap_block_t, i);
|
||||
if (!pcapng_write_sysdig_meta_event_block(wdh, mev, err)) {
|
||||
return false;
|
||||
}
|
||||
++wdh->sysdig_mev_growing_written;
|
||||
}
|
||||
}
|
||||
|
||||
/* Write any hostname resolution info from wtap_dump_set_addrinfo_list() */
|
||||
if (!wtap_addrinfo_list_empty(wdh->addrinfo_lists)) {
|
||||
/*
|
||||
|
@ -6450,6 +6644,15 @@ static const struct supported_option_type decryption_secrets_block_options_suppo
|
|||
{ OPT_CUSTOM_BIN_NO_COPY, MULTIPLE_OPTIONS_SUPPORTED }
|
||||
};
|
||||
|
||||
/* Options for Sysdig meta event blocks. */
|
||||
static const struct supported_option_type sysdig_meta_events_block_options_supported[] = {
|
||||
{ OPT_COMMENT, MULTIPLE_OPTIONS_SUPPORTED },
|
||||
{ OPT_CUSTOM_STR_COPY, MULTIPLE_OPTIONS_SUPPORTED },
|
||||
{ OPT_CUSTOM_BIN_COPY, MULTIPLE_OPTIONS_SUPPORTED },
|
||||
{ OPT_CUSTOM_STR_NO_COPY, MULTIPLE_OPTIONS_SUPPORTED },
|
||||
{ OPT_CUSTOM_BIN_NO_COPY, MULTIPLE_OPTIONS_SUPPORTED }
|
||||
};
|
||||
|
||||
/* Options for packet blocks. */
|
||||
static const struct supported_option_type packet_block_options_supported[] = {
|
||||
{ OPT_COMMENT, MULTIPLE_OPTIONS_SUPPORTED },
|
||||
|
@ -6508,6 +6711,9 @@ static const struct supported_block_type pcapng_blocks_supported[] = {
|
|||
/* Multiple blocks of decryption secrets. */
|
||||
{ WTAP_BLOCK_DECRYPTION_SECRETS, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(decryption_secrets_block_options_supported) },
|
||||
|
||||
/* Multiple blocks of decryption secrets. */
|
||||
{ WTAP_BLOCK_SYSDIG_META_EVENT, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(sysdig_meta_events_block_options_supported) },
|
||||
|
||||
/* And, obviously, multiple packets. */
|
||||
{ WTAP_BLOCK_PACKET, MULTIPLE_BLOCKS_SUPPORTED, OPTION_TYPES_SUPPORTED(packet_block_options_supported) },
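Review bot: In pcapng_read_sysdig_meta_event_block the "Skip past padding and discard options" step cannot skip anything: mev_data_len is already block_total_length minus the 8-byte header and 4-byte trailer, so `to_read` is zero whenever MIN_BLOCK_SIZE is that same 12 bytes (not visible here, but the writer's `MIN_BLOCK_SIZE + mev_data_len + pad_len` total-length formula suggests it), and any padding or options land inside mev_data and are written back verbatim by pcapng_write_sysdig_meta_event_block. If that opaque round-trip is the intent the comment should say so, e.g. `/* The whole block body, padding and options included, is kept opaque in mev_data and written back unchanged; nothing remains to skip. */`, and the stray `return FALSE;` in that branch should match the function's `false`. The 1 GiB bound also rejects the wrapped value when block_total_length is smaller than header plus trailer (provided mev_data_len is unsigned), but it still lets a crafted file request a 1 GiB g_malloc per block, well above the 16 MB libpcap block limit the comment further down mentions, so a tighter ceiling is worth considering. Separately, in pcapng_process_internal_block the `/* Decryption secrets. */` comment above the new Sysdig cases is a copy-paste leftover and should read `/* Sysdig meta event. */`, and both the trailing comment there and the XXX in pcapng_process_sysdig_mev name `pcapng_process_sysdig_meb`/`wtapng_process_sysdig_meb` while the functions are spelled `_mev` (wtap-int.h declares wtapng_process_sysdig_mev).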
|
||||
|
||||
|
@ -26,10 +26,26 @@
|
|||
#define BLOCK_TYPE_ARINC_429 0x00000008 /* ARINC 429 in AFDX Encapsulation Information Block */
|
||||
#define BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT 0x00000009 /* systemd journal entry */
|
||||
#define BLOCK_TYPE_DSB 0x0000000A /* Decryption Secrets Block */
|
||||
#define BLOCK_TYPE_SYSDIG_MI 0x00000201 /* Sysdig Machine Info Block */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V1 0x00000202 /* Sysdig Process List Block */
|
||||
#define BLOCK_TYPE_SYSDIG_FDL_V1 0x00000203 /* Sysdig File Descriptor List Block */
|
||||
#define BLOCK_TYPE_SYSDIG_EVENT 0x00000204 /* Sysdig Event Block */
|
||||
#define BLOCK_TYPE_SYSDIG_IL_V1 0x00000205 /* Sysdig Interface List Block */
|
||||
#define BLOCK_TYPE_SYSDIG_UL_V1 0x00000206 /* Sysdig User List Block */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V2 0x00000207 /* Sysdig Process List Block version 2 */
|
||||
#define BLOCK_TYPE_SYSDIG_EVF 0x00000208 /* Sysdig Event Block with flags */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V3 0x00000209 /* Sysdig Process List Block version 3 */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V4 0x00000210 /* Sysdig Process List Block version 4 */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V5 0x00000211 /* Sysdig Process List Block version 5 */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V6 0x00000212 /* Sysdig Process List Block version 6 */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V7 0x00000213 /* Sysdig Process List Block version 7 */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V8 0x00000214 /* Sysdig Process List Block version 8 */
|
||||
#define BLOCK_TYPE_SYSDIG_PL_V9 0x00000215 /* Sysdig Process List Block version 9 */
|
||||
#define BLOCK_TYPE_SYSDIG_EVENT_V2 0x00000216 /* Sysdig Event Block version 2 */
|
||||
#define BLOCK_TYPE_SYSDIG_EVF_V2 0x00000217 /* Sysdig Event Block with flags version 2 */
|
||||
#define BLOCK_TYPE_SYSDIG_FDL_V2 0x00000218 /* Sysdig File Descriptor List Block */
|
||||
#define BLOCK_TYPE_SYSDIG_IL_V2 0x00000219 /* Sysdig Interface List Block version 2 */
|
||||
#define BLOCK_TYPE_SYSDIG_UL_V2 0x00000220 /* Sysdig User List Block version 2 */
|
||||
#define BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE 0x00000221 /* Sysdig Event Block version 2 with large payload */
|
||||
#define BLOCK_TYPE_SYSDIG_EVF_V2_LARGE 0x00000222 /* Sysdig Event Block with flags version 2 with large payload */
|
||||
#define BLOCK_TYPE_CB_COPY 0x00000BAD /* Custom Block which can be copied */
|
||||
|
@ -44,6 +44,7 @@ struct wtap {
|
|||
guint next_interface_data; /**< Next interface data that wtap_get_next_interface_description() will show */
|
||||
GArray *nrbs; /**< holds the Name Res Blocks, or NULL */
|
||||
GArray *dsbs; /**< An array of DSBs (of type wtap_block_t), or NULL if not supported. */
|
||||
GArray *sysdig_meta_events; /**< An array of Sysdig meta eventss (of type wtap_block_t), or NULL if not supported. */
|
||||
|
||||
char *pathname; /**< File pathname; might just be "-" */
|
||||
|
||||
|
@ -73,6 +74,7 @@ struct wtap {
|
|||
wtap_new_ipv4_callback_t add_new_ipv4;
|
||||
wtap_new_ipv6_callback_t add_new_ipv6;
|
||||
wtap_new_secrets_callback_t add_new_secrets;
|
||||
wtap_new_sysdig_meta_event_callback_t add_new_sysdig_meta_event;
|
||||
GPtrArray *fast_seek;
|
||||
};
|
||||
|
||||
|
@ -123,8 +125,10 @@ struct wtap_dumper {
|
|||
*/
|
||||
const GArray *nrbs_growing; /**< A reference to an array of NRBs (of type wtap_block_t) */
|
||||
const GArray *dsbs_growing; /**< A reference to an array of DSBs (of type wtap_block_t) */
|
||||
const GArray *sysdig_mev_growing; /**< A reference to an array of Sysdig meta events (of type wtap_block_t) */
|
||||
guint nrbs_growing_written; /**< Number of already processed NRBs in nrbs_growing. */
|
||||
guint dsbs_growing_written; /**< Number of already processed DSBs in dsbs_growing. */
|
||||
guint sysdig_mev_growing_written; /**< Number of already processed meta events in sysdig_mev_growing. */
|
||||
};
|
||||
|
||||
WS_DLL_PUBLIC gboolean wtap_dump_file_write(wtap_dumper *wdh, const void *buf,
|
||||
|
@ -358,6 +362,12 @@ wtapng_process_nrb(wtap *wth, wtap_block_t nrb);
|
|||
void
|
||||
wtapng_process_dsb(wtap *wth, wtap_block_t dsb);
|
||||
|
||||
/**
|
||||
* Invokes the callback with the given Sysdig meta event block.
|
||||
*/
|
||||
void
|
||||
wtapng_process_sysdig_mev(wtap *wth, wtap_block_t mev);
|
||||
|
||||
void
|
||||
wtap_register_compatibility_file_subtype_name(const char *old_name,
|
||||
const char *new_name);
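Review bot: The prototype added here is `wtapng_process_sysdig_mev(wtap *wth, wtap_block_t mev)`, but the definition added in wtap.c (the hunk following `wtapng_process_dsb`) is named `wtapng_process_sysdig_meta_event`, so the declaration and the function do not match and whichever name the pcapng reader calls will either lack a prototype or fail to link. Use one name in both places; `wtapng_process_sysdig_meta_event` is consistent with `wtap_file_add_sysdig_meta_event` and the callback name. The doc comment added to `struct wtap` earlier in this file also reads `Sysdig meta eventss` and should be `Sysdig meta events`.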
|
||||
|
|
|
@ -220,6 +220,26 @@ wtap_file_discard_decryption_secrets(wtap *wth)
|
|||
return TRUE;
|
||||
}
|
||||
|
||||
void
|
||||
wtap_file_add_sysdig_meta_event(wtap *wth, const wtap_block_t mev)
|
||||
{
|
||||
if (!wth->sysdig_meta_events) {
|
||||
wth->sysdig_meta_events = g_array_new(FALSE, FALSE, sizeof(wtap_block_t));
|
||||
}
|
||||
g_array_append_val(wth->sysdig_meta_events, mev);
|
||||
}
|
||||
|
||||
gboolean
|
||||
wtap_file_discard_sysdig_meta_events(wtap *wth)
|
||||
{
|
||||
if (!wth->sysdig_meta_events || wth->sysdig_meta_events->len == 0)
|
||||
return false;
|
||||
|
||||
wtap_block_array_free(wth->sysdig_meta_events);
|
||||
wth->sysdig_meta_events = NULL;
|
||||
return true;
|
||||
}
|
||||
|
||||
void
|
||||
wtap_add_idb(wtap *wth, wtap_block_t idb)
|
||||
{
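Review bot: `wtap_file_discard_sysdig_meta_events` is declared `gboolean` but returns `false`/`true`, while the sibling `wtap_file_discard_decryption_secrets` directly above it returns `TRUE`; within this module use `return FALSE;` and `return TRUE;`, or switch both functions to `bool` if the file is moving to C99 types. A one-line comment on `wtap_file_add_sysdig_meta_event` would also help readers, e.g. `/* Append mev to wth->sysdig_meta_events, creating the array on first use; the array is released in wtap_close(). */` — the release point follows from the `wtap_block_array_free(wth->sysdig_meta_events)` added to `wtap_close` in a later hunk.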
|
||||
|
@ -497,6 +517,7 @@ wtap_dump_params_init(wtap_dump_params *params, wtap *wth)
|
|||
* as they become available. */
|
||||
params->nrbs_growing = wth->nrbs;
|
||||
params->dsbs_growing = wth->dsbs;
|
||||
params->sysdig_mev_growing = wth->sysdig_meta_events;
|
||||
params->dont_copy_idbs = FALSE;
|
||||
}
|
||||
|
||||
|
@ -537,6 +558,12 @@ wtap_dump_params_discard_decryption_secrets(wtap_dump_params *params)
|
|||
params->dsbs_growing = NULL;
|
||||
}
|
||||
|
||||
void
|
||||
wtap_dump_params_discard_sysdig_meta_events(wtap_dump_params *params)
|
||||
{
|
||||
params->sysdig_mev_growing = NULL;
|
||||
}
|
||||
|
||||
void
|
||||
wtap_dump_params_cleanup(wtap_dump_params *params)
|
||||
{
|
||||
|
@ -1514,6 +1541,7 @@ wtap_close(wtap *wth)
|
|||
wtap_block_array_free(wth->nrbs);
|
||||
wtap_block_array_free(wth->interface_data);
|
||||
wtap_block_array_free(wth->dsbs);
|
||||
wtap_block_array_free(wth->sysdig_meta_events);
|
||||
|
||||
g_free(wth);
|
||||
}
|
||||
|
@ -1623,6 +1651,15 @@ wtapng_process_dsb(wtap *wth, wtap_block_t dsb)
|
|||
wth->add_new_secrets(dsb_mand->secrets_type, dsb_mand->secrets_data, dsb_mand->secrets_len);
|
||||
}
|
||||
|
||||
void
|
||||
wtapng_process_sysdig_meta_event(wtap *wth, wtap_block_t mev)
|
||||
{
|
||||
const wtapng_sysdig_mev_mandatory_t *mev_mand = (wtapng_sysdig_mev_mandatory_t*)wtap_block_get_mandatory_data(mev);
|
||||
|
||||
if (wth->add_new_sysdig_meta_event)
|
||||
wth->add_new_sysdig_meta_event(mev_mand->mev_type, mev_mand->mev_data, mev_mand->mev_data_len);
|
||||
}
|
||||
|
||||
/* Perform per-packet initialization */
|
||||
static void
|
||||
wtap_init_rec(wtap *wth, wtap_rec *rec)
|
||||
|
|
|
@ -1497,6 +1497,9 @@ typedef struct wtap_dump_params {
|
|||
const GArray *dsbs_growing; /**< DSBs that will be written while writing packets, or NULL.
|
||||
This array may grow since the dumper was opened and will subsequently
|
||||
be written before newer packets are written in wtap_dump. */
|
||||
const GArray *sysdig_mev_growing; /**< Meta events that will be written while writing packets, or NULL.
|
||||
This array may grow since the dumper was opened and will subsequently
|
||||
be written before newer packets are written in wtap_dump. */
|
||||
gboolean dont_copy_idbs; /**< XXX - don't copy IDBs; this should eventually always be the case. */
|
||||
} wtap_dump_params;
|
||||
|
||||
|
@ -1842,6 +1845,13 @@ typedef void (*wtap_new_secrets_callback_t)(guint32 secrets_type, const void *se
|
|||
WS_DLL_PUBLIC
|
||||
void wtap_set_cb_new_secrets(wtap *wth, wtap_new_secrets_callback_t add_new_secrets);
|
||||
|
||||
/**
|
||||
* Set callback function to receive new sysdig meta events. Currently pcapng-only.
|
||||
*/
|
||||
typedef void (*wtap_new_sysdig_meta_event_callback_t)(uint32_t mev_type, const uint8_t *mev_data, unsigned mev_data_size);
|
||||
WS_DLL_PUBLIC
|
||||
void wtap_set_cb_new_sysdig_meta_event(wtap *wth, wtap_new_sysdig_meta_event_callback_t add_new_sysdig_meta_event);
|
||||
|
||||
/** Read the next record in the file, filling in *phdr and *buf.
|
||||
*
|
||||
* @wth a wtap * returned by a call that opened a file for reading.
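Review bot: The callback typedef `wtap_new_sysdig_meta_event_callback_t` uses `uint32_t`, `const uint8_t *` and `unsigned` where the adjacent `wtap_new_secrets_callback_t` uses `guint32` and `const void *`; either convention is fine, but mixing them in neighbouring declarations should be a deliberate choice, and the third parameter is named `mev_data_size` here while the struct field and the call in wtap.c use `mev_data_len`. The doc comment should also say where the payload comes from, e.g. `* mev_data is the raw block payload read from the capture file; the receiver must validate its contents against mev_data_size before interpreting it and should not retain the pointer.` The no-retain part is my reading of `sysdig_mev_free_mand` owning `mev_data` and should be confirmed. I do not see a definition of `wtap_set_cb_new_sysdig_meta_event` in the wtap.c hunks on this page; if it is not elsewhere in the commit, the declaration is unresolved.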
|
||||
|
|
|
@ -1710,6 +1710,27 @@ static void dsb_copy_mand(wtap_block_t dest_block, wtap_block_t src_block)
|
|||
dst->secrets_data = (guint8 *)g_memdup2(src->secrets_data, src->secrets_len);
|
||||
}
|
||||
|
||||
static void sysdig_mev_create(wtap_block_t block)
|
||||
{
|
||||
block->mandatory_data = g_new0(wtapng_sysdig_mev_mandatory_t, 1);
|
||||
}
|
||||
|
||||
static void sysdig_mev_free_mand(wtap_block_t block)
|
||||
{
|
||||
wtapng_sysdig_mev_mandatory_t *mand = (wtapng_sysdig_mev_mandatory_t *)block->mandatory_data;
|
||||
g_free(mand->mev_data);
|
||||
}
|
||||
|
||||
static void sysdig_mev_copy_mand(wtap_block_t dest_block, wtap_block_t src_block)
|
||||
{
|
||||
wtapng_sysdig_mev_mandatory_t *src = (wtapng_sysdig_mev_mandatory_t *)src_block->mandatory_data;
|
||||
wtapng_sysdig_mev_mandatory_t *dst = (wtapng_sysdig_mev_mandatory_t *)dest_block->mandatory_data;
|
||||
dst->mev_type = src->mev_type;
|
||||
dst->mev_data_len = src->mev_data_len;
|
||||
g_free(dst->mev_data);
|
||||
dst->mev_data = (guint8 *)g_memdup2(src->mev_data, src->mev_data_len);
|
||||
}
|
||||
|
||||
static void pkt_create(wtap_block_t block)
|
||||
{
|
||||
/* Commented out for now, there's no mandatory data that isn't handled by
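Review bot: `sysdig_mev_copy_mand` frees `dst->mev_data` before duplicating `src->mev_data`, so a call with `dest_block == src_block` would read freed memory; this mirrors `dsb_copy_mand` above it and is presumably never called that way, but a guard `if (src == dst) return;` is cheap insurance. `sysdig_mev_free_mand` likewise leaves `mand->mev_data` dangling after `g_free`; if a block can be reused after its mandatory data is freed, `mand->mev_data = NULL;` after the free prevents a double free. The `sysdig_mev_block` initializer in the later hunk would also read better with the per-field comments `pkt_block` carries (`/* block_type */`, `/* name */`, and so on).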
|
||||
|
@ -1921,6 +1942,16 @@ void wtap_opttypes_initialize(void)
|
|||
0
|
||||
};
|
||||
|
||||
static wtap_blocktype_t sysdig_mev_block = {
|
||||
WTAP_BLOCK_SYSDIG_META_EVENT,
|
||||
"Sysdig MEV",
|
||||
"Sysdig Meta Event Block",
|
||||
sysdig_mev_create,
|
||||
sysdig_mev_free_mand,
|
||||
sysdig_mev_copy_mand,
|
||||
NULL
|
||||
};
|
||||
|
||||
static wtap_blocktype_t pkt_block = {
|
||||
WTAP_BLOCK_PACKET, /* block_type */
|
||||
"EPB/SPB/PB", /* name */
|
||||
|
@ -2033,6 +2064,11 @@ void wtap_opttypes_initialize(void)
|
|||
*/
|
||||
wtap_opttype_block_register(&dsb_block);
|
||||
|
||||
/*
|
||||
* Register the Sysdig MEV, currently no options are defined.
|
||||
*/
|
||||
wtap_opttype_block_register(&sysdig_mev_block);
|
||||
|
||||
/*
|
||||
* Register EPB/SPB/PB and the options that can appear in it/them.
|
||||
* NB: Simple Packet Blocks have no options.
|
||||
|
|
|
@ -185,6 +185,7 @@ typedef enum {
|
|||
WTAP_BLOCK_FT_SPECIFIC_REPORT,
|
||||
WTAP_BLOCK_FT_SPECIFIC_EVENT,
|
||||
WTAP_BLOCK_SYSDIG_EVENT,
|
||||
WTAP_BLOCK_SYSDIG_META_EVENT,
|
||||
WTAP_BLOCK_SYSTEMD_JOURNAL_EXPORT,
|
||||
WTAP_BLOCK_CUSTOM,
|
||||
MAX_WTAP_BLOCK_TYPE_VALUE
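Review bot: `WTAP_BLOCK_SYSDIG_META_EVENT` is inserted before `WTAP_BLOCK_SYSTEMD_JOURNAL_EXPORT`, which shifts the numeric values of every enumerator after it (`WTAP_BLOCK_SYSTEMD_JOURNAL_EXPORT`, `WTAP_BLOCK_CUSTOM`, `MAX_WTAP_BLOCK_TYPE_VALUE`). If these values reach out-of-tree plugins through the public API that is an ABI change; if they are only used as indices into in-tree tables it is harmless, but either way the choice deserves a comment on the enum. Appending the new value just before `MAX_WTAP_BLOCK_TYPE_VALUE` avoids the question entirely.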
|
||||
|
@ -253,6 +254,15 @@ typedef struct wtapng_dsb_mandatory_s {
|
|||
guint8 *secrets_data; /** Buffer of secrets (not NUL-terminated) */
|
||||
} wtapng_dsb_mandatory_t;
|
||||
|
||||
/**
|
||||
* Holds the required data from a WTAP_BLOCK_SYSDIG_META_EVENT.
|
||||
*/
|
||||
typedef struct wtapng_sysdig_mev_mandatory_s {
|
||||
uint32_t mev_type; /** pcapng block type of the event, e.g. BLOCK_TYPE_SYSDIG_MI */
|
||||
uint32_t mev_data_len; /** Length of the mev data in bytes */
|
||||
uint8_t *mev_data; /** Buffer of mev data (not NUL-terminated) */
|
||||
} wtapng_sysdig_mev_mandatory_t;
|
||||
|
||||
/**
|
||||
* Holds the required data from a WTAP_BLOCK_PACKET.
|
||||
* This includes Enhanced Packet Block, Simple Packet Block, and the deprecated Packet Block.
|
||||
|
|