1 /* file-pcapng-darwin.c
3 * Wireshark - Network traffic analyzer
4 * By Gerald Combs <gerald@wireshark.org>
5 * Copyright 1998 Gerald Combs
7 * SPDX-License-Identifier: GPL-2.0-or-later
8 */
10 #include "config.h"
12 #include <epan/packet.h>
13 #include <epan/addr_resolv.h>
14 #include <wsutil/array.h>
16 #include <epan/dissectors/file-pcapng.h>
19 * Apple's Pcapng Darwin Process Event Block
21 * A Darwin Process Event Block (DPEB) is an Apple defined container
22 * for information describing a Darwin process.
24 * Tools that write / read the capture file associate an incrementing
25 * 32-bit number (starting from '0') with each Darwin Process Event Block,
26 * called the DPEB ID for the process in question. This number is
27 * unique within each Section and identifies a specific DPEB; a DPEB ID
28 * is only unique inside the current section. Two Sections can have different
29 * processes identified by the same DPEB ID values. DPEB ID are referenced
30 * by Enhanced Packet Blocks that include options to indicate the Darwin
31 * process to which the EPB refers.
34 * 0 1 2 3
35 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
36 * +---------------------------------------------------------------+
37 * 0 | Block Type = 0x80000001 |
38 * +---------------------------------------------------------------+
39 * 4 | Block Total Length |
40 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
41 * 8 | Process ID |
42 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
43 * 12 / /
44 * / Options (variable) /
45 * / /
46 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
47 * | Block Total Length |
48 * +---------------------------------------------------------------+
50 * Figure XXX.1: Darwin Process Event Block
52 * The meanings of the fields are:
54 * o Block Type: The block type of a Darwin Process Event Block is 2147483649.
56 * Note: This specific block type number falls into the range defined
57 * for "local use" but has in fact been available publicly since Darwin
58 * 13.0 for pcapng files generated by Apple's tcpdump when using the PKTAP
59 * enhanced interface.
61 * o Block Total Length: Total size of this block, as described in
62 * Pcapng Section 3.1 (General Block Structure).
64 * o Process ID: The process ID (PID) of the process.
66 * Note: It is not known whether this field is officially defined as 32 bits
67 * (4 octets) or something smaller, since Darwin PIDs currently appear to
68 * be limited to a maximum value of 100000.
70 * o Options: A list of options (formatted according to the rules defined
71 * in Section 3.5) can be present.
73 * In addition to the options defined in Section 3.5, the following
74 * Apple defined Darwin options are valid within this block:
76 * +------------------+------+----------+-------------------+
77 * | Name | Code | Length | Multiple allowed? |
78 * +------------------+------+----------+-------------------+
79 * | darwin_proc_name | 2 | variable | no |
80 * | darwin_proc_uuid | 4 | 16 | no |
81 * +------------------+------+----------+-------------------+
83 * Table XXX.1: Darwin Process Description Block Options
85 * darwin_proc_name:
86 * The darwin_proc_name option is a UTF-8 string containing the
87 * name of a process producing or consuming an EPB.
89 * Examples: "mDNSResponder", "GoogleSoftwareU".
91 * Note: It appears that Apple's tcpdump currently truncates process
92 * names to a maximum of 15 octets followed by a NUL character.
93 * Multi-byte UTF-8 sequences in process names might be truncated
94 * resulting in an invalid final UTF-8 character.
96 * This is probably because the process name comes from the
97 * p_comm field in a proc structure in the kernel; that field
98 * is MAXCOMLEN+1 bytes long, with the +1 being for the NUL
99 * terminator. That would give 16 characters, but the
100 * proc_info kernel interface has a structure with a
101 * process name field of only MAXCOMLEN bytes.
103 * This all ultimately dates back to the "kernel accounting"
104 * mechanism that appeared in V7 UNIX, with an "accounting
105 * file" with entries appended whenever a process exits; not
106 * surprisingly, that code thinks a file name is just a bunch
107 * of "char"s, with no multi-byte encodings (1979 called, they
108 * want their character encoding back), so, yes, this can
109 * mangle UTF-8 file names containing non-ASCII characters.
111 * darwin_proc_uuid:
112 * The darwin_proc_uuid option is a set of 16 octets representing
113 * the process UUID.
/* Protocol handle for the Darwin Process Event Block dissector */
static int proto_pcapng_darwin_process_info;

void proto_register_pcapng_darwin_process_info(void);
void proto_reg_handoff_pcapng_darwin_process_info(void);

/* Header field handles, filled in by proto_register_field_array() below */
static int hf_pcapng_option_code_darwin_process_info;   /* option code within this block */
static int hf_pcapng_darwin_process_id;                 /* Process ID field */
static int hf_pcapng_option_darwin_process_name;        /* darwin_proc_name option (code 2) */
static int hf_pcapng_option_darwin_process_uuid;        /* darwin_proc_uuid option (code 4) */

/* Block type value and display name passed to the pcapng local-block registry */
#define BLOCK_DARWIN_PROCESS 0x80000001
#define BLOCK_DARWIN_PROCESS_NAME "Darwin Process Event Block"
/* Option codes valid inside a Darwin Process Event Block: the standard
 * pcapng codes 0 and 1 plus the two Apple-defined codes (see header comment). */
static const value_string option_code_darwin_process_info_vals[] = {
    { 0, "End of Options" },
    { 1, "Comment" },
    { 2, "Darwin Process Name" },
    { 4, "Darwin Process UUID" },
    { 0, NULL }
};
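/* Dissect an individual option of a Darwin Process Event Block.
 *
 * Called by the pcapng option walker once per option. option_tree and
 * option_item are the per-option subtree and its summary item; offset points
 * at the option value and option_length is the value length declared in the
 * option header. Unknown codes are shown as raw bytes under unknown_option_hf.
 * The section byte order is not needed here (the name is UTF-8 text and the
 * UUID is byte-ordered), so encoding is marked _U_.
 */
static void
dissect_darwin_process_info_option(proto_tree *option_tree, proto_item *option_item,
                                   packet_info *pinfo, tvbuff_t *tvb, int offset,
                                   int unknown_option_hf,
                                   uint32_t option_code, uint32_t option_length,
                                   unsigned encoding _U_)
{
    char *str = NULL;
    e_guid_t uuid;

    switch (option_code) {
    case 2: /* Darwin Process Name */
        /* The value is taken with the declared option_length; out-of-range
         * lengths are expected to be rejected by the tvb layer. Truncated or
         * invalid UTF-8 (see header comment) is left to the string display code. */
        proto_tree_add_item_ret_display_string(option_tree, hf_pcapng_option_darwin_process_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, pinfo->pool, &str);
        /* Mirror the UUID case: show the value on the option's summary item */
        proto_item_append_text(option_item, " = %s", str);
        break;

    case 4: /* Darwin Process UUID */
        /* FT_GUID item first (uses option_length), then read the 16 octets
         * for the summary text; tvb_get_guid() always reads a full GUID. */
        proto_tree_add_item(option_tree, hf_pcapng_option_darwin_process_uuid, tvb, offset, option_length, ENC_BIG_ENDIAN);
        tvb_get_guid(tvb, offset, &uuid, ENC_BIG_ENDIAN);
        proto_item_append_text(option_item, " = %s",
                               guid_to_str(pinfo->pool, &uuid));
        break;

    default:
        /* Anything not in option_code_darwin_process_info_vals: raw bytes */
        proto_tree_add_item(option_tree, unknown_option_hf, tvb, offset, option_length, ENC_NA);
        break;
    }
}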
/* Dissect the body of one Darwin Process Event Block (the bytes between the
 * block header and the trailing Block Total Length): a 4-octet Process ID
 * followed by the option list, both in the section's byte order. */
static void
dissect_darwin_process_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
                            block_data_arg *argp)
{
    const unsigned encoding = argp->info->encoding;

    /* Label this block with its running DPEB number, then advance the counter */
    proto_item_append_text(argp->block_item, " %u", argp->info->darwin_process_event_number);
    argp->info->darwin_process_event_number += 1;

    /* Process ID: 4 octets at the start of the block body */
    proto_tree_add_item(tree, hf_pcapng_darwin_process_id, tvb, 0, 4, encoding);

    /* Options follow the Process ID; the shared pcapng option walker calls
     * dissect_darwin_process_info_option() for each one */
    dissect_options(tree, pinfo, BLOCK_DARWIN_PROCESS, tvb, 4, encoding, NULL);
}
/* Register the protocol and its header fields. Display-filter names live
 * under "pcapng.darwin". */
void
proto_register_pcapng_darwin_process_info(void)
{
    static hf_register_info hf[] = {
        /* Option code of each option in this block, named via the value_string above */
        { &hf_pcapng_option_code_darwin_process_info,
            { "Code", "pcapng.darwin.options.option.code",
                FT_UINT16, BASE_DEC, VALS(option_code_darwin_process_info_vals), 0x00,
                "Darwin Process Info block option", HFILL }
        },
        /* 32-bit Process ID at the start of the block body */
        { &hf_pcapng_darwin_process_id,
            { "Darwin Process ID", "pcapng.darwin.process_id",
                FT_UINT32, BASE_DEC_HEX, NULL, 0x00,
                "Process ID for Darwin Process Info", HFILL }
        },
        /* darwin_proc_name option (code 2), UTF-8 string */
        { &hf_pcapng_option_darwin_process_name,
            { "Darwin Process Name", "pcapng.darwin.process_name",
                FT_STRING, BASE_NONE, NULL, 0x00,
                "Process name for Darwin Process Info", HFILL }
        },
        /* darwin_proc_uuid option (code 4), 16 octets */
        { &hf_pcapng_option_darwin_process_uuid,
            { "Darwin Process UUID", "pcapng.darwin.process_uuid",
                FT_GUID, BASE_NONE, NULL, 0x00,
                "Process UUID for Darwin Process Info", HFILL }
        }
    };

    proto_pcapng_darwin_process_info = proto_register_protocol("PCAPNG Darwin Process Information Block", "Darwin-Process-Information", "pcapng.darwin");

    proto_register_field_array(proto_pcapng_darwin_process_info, hf, array_length(hf));
}
/* Hook this block type into the pcapng file dissector. The callback record
 * is static so it stays valid after this function returns (the registry is
 * handed a pointer to it); the hf handle is only known at runtime, which is
 * why the record is filled in here rather than with a static initializer. */
void
proto_reg_handoff_pcapng_darwin_process_info(void)
{
    static local_block_callback_info_t dissector_info;

    dissector_info = (local_block_callback_info_t){
        .name             = BLOCK_DARWIN_PROCESS_NAME,
        .dissector        = dissect_darwin_process_data,
        .option_root_hf   = hf_pcapng_option_code_darwin_process_info,
        .option_vals      = option_code_darwin_process_info_vals,
        .option_dissector = dissect_darwin_process_info_option,
    };

    register_pcapng_local_block_dissector(BLOCK_DARWIN_PROCESS, &dissector_info);
}
239 * Editor modelines - https://www.wireshark.org/tools/modelines.html
241 * Local variables:
242 * c-basic-offset: 4
243 * tab-width: 8
244 * indent-tabs-mode: nil
245 * End:
247 * vi: set shiftwidth=4 tabstop=8 expandtab:
248 * :indentSize=4:tabSize=8:noTabs=true: