search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
epan/dissectors/pidl/samr/samr.cnf cnf_dissect_lsa_BinaryString => lsarpc_dissect_str...
[wireshark-sm.git] / epan / dissectors / packet-systemd-journal.c
blobe602a415488f1925a2f5a42378e968e3b5e59795
1 /* packet-systemd-journal.c
2 * Routines for systemd journal export (application/vnd.fdo.journal) dissection
3 * Copyright 2018, Gerald Combs <gerald@wireshark.org>
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12 /*
13 * Dissector for systemd's mostly-text-based Journal Export Format described
14 * at https://www.freedesktop.org/wiki/Software/systemd/export/.
15 *
16 * Registered MIME type: application/vnd.fdo.journal
17 *
18 * To do:
19 * - Rename systemd_journal to sdjournal? It's easier to type.
20 * - Add an extcap module.
21 * - Add errno strings.
22 * - Pretty-print _CAP_EFFECTIVE
23 * - Handle Journal JSON Format? https://www.freedesktop.org/wiki/Software/systemd/json/
24 * - Handle raw journal files? https://www.freedesktop.org/wiki/Software/systemd/journal-files/
25 */
26
27 #include <config.h>
28
29 #include <epan/exceptions.h>
30 #include <epan/packet.h>
31 #include <epan/expert.h>
32 #include <wiretap/wtap.h>
33 #include <wsutil/strtoi.h>
34 #include <wsutil/array.h>
35
36 #include "packet-syslog.h"
37
38 #define PNAME "systemd Journal Entry"
39 #define PSNAME "systemd Journal"
40 #define PFNAME "systemd_journal"
41
42 void proto_reg_handoff_systemd_journal(void);
43 void proto_register_systemd_journal(void);
44
45 /* Initialize the protocol and registered fields */
46 static int proto_systemd_journal;
47
48 // Official entries, listed in
49 // https://www.freedesktop.org/software/systemd/man/systemd.journal-fields.html
50 // as of 2018-08.
51 static int hf_sj_message;
52 static int hf_sj_message_id;
53 static int hf_sj_priority;
54 static int hf_sj_code_file;
55 static int hf_sj_code_line;
56 static int hf_sj_code_func;
57 static int hf_sj_errno;
58 static int hf_sj_syslog_facility;
59 static int hf_sj_syslog_identifier;
60 static int hf_sj_syslog_pid;
61
62 static int hf_sj_pid;
63 static int hf_sj_uid;
64 static int hf_sj_gid;
65 static int hf_sj_comm;
66 static int hf_sj_exe;
67 static int hf_sj_cmdline;
68 static int hf_sj_cap_effective;
69 static int hf_sj_audit_session;
70 static int hf_sj_audit_loginuid;
71 static int hf_sj_systemd_cgroup;
72 static int hf_sj_systemd_slice;
73 static int hf_sj_systemd_unit;
74 static int hf_sj_systemd_user_unit;
75 static int hf_sj_systemd_session;
76 static int hf_sj_systemd_owner_uid;
77
78 static int hf_sj_selinux_context;
79 static int hf_sj_source_realtime_timestamp;
80 static int hf_sj_boot_id;
81 static int hf_sj_machine_id;
82 static int hf_sj_systemd_invocation_id;
83 static int hf_sj_hostname;
84 static int hf_sj_transport;
85 static int hf_sj_stream_id;
86 static int hf_sj_line_break;
87
88 static int hf_sj_kernel_device;
89 static int hf_sj_kernel_subsystem;
90 static int hf_sj_udev_sysname;
91 static int hf_sj_udev_devnode;
92 static int hf_sj_udev_devlink;
93
94 static int hf_sj_coredump_unit;
95 static int hf_sj_coredump_user_unit;
96 static int hf_sj_object_pid;
97 static int hf_sj_object_uid;
98 static int hf_sj_object_gid;
99 static int hf_sj_object_comm;
100 static int hf_sj_object_exe;
101 static int hf_sj_object_cmdline;
102 static int hf_sj_object_audit_session;
103 static int hf_sj_object_audit_loginuid;
104 static int hf_sj_object_cap_effective;
105 static int hf_sj_object_selinux_context;
106 static int hf_sj_object_systemd_cgroup;
107 static int hf_sj_object_systemd_session;
108 static int hf_sj_object_systemd_owner_uid;
109 static int hf_sj_object_systemd_unit;
110 static int hf_sj_object_systemd_user_unit;
111 static int hf_sj_object_systemd_slice;
112 static int hf_sj_object_systemd_user_slice;
113 static int hf_sj_object_systemd_invocation_id;
114
115 static int hf_sj_cursor;
116 static int hf_sj_realtime_timestamp;
117 static int hf_sj_monotonic_timestamp;
118
119 // Unofficial(?) fields. Not listed in the documentation but present in logs.
120 static int hf_sj_result;
121 static int hf_sj_source_monotonic_timestamp;
122 static int hf_sj_journal_name;
123 static int hf_sj_journal_path;
124 static int hf_sj_current_use;
125 static int hf_sj_current_use_pretty;
126 static int hf_sj_max_use;
127 static int hf_sj_max_use_pretty;
128 static int hf_sj_disk_keep_free;
129 static int hf_sj_disk_keep_free_pretty;
130 static int hf_sj_disk_available;
131 static int hf_sj_disk_available_pretty;
132 static int hf_sj_limit;
133 static int hf_sj_limit_pretty;
134 static int hf_sj_available;
135 static int hf_sj_available_pretty;
136 static int hf_sj_audit_type;
137 static int hf_sj_audit_id;
138 static int hf_sj_audit_field_apparmor;
139 static int hf_sj_audit_field_operation;
140 static int hf_sj_audit_field_profile;
141 static int hf_sj_audit_field_name;
142 static int hf_sj_seat_id;
143 static int hf_sj_kernel_usec;
144 static int hf_sj_userspace_usec;
145 static int hf_sj_session_id;
146 static int hf_sj_user_id;
147 static int hf_sj_leader;
148 static int hf_sj_job_type;
149 static int hf_sj_job_result;
150 static int hf_sj_user_invocation_id;
151 static int hf_sj_systemd_user_slice;
152
153 // Metadata.
154 static int hf_sj_binary_data_len;
155 static int hf_sj_unknown_field;
156 static int hf_sj_unknown_field_name;
157 static int hf_sj_unknown_field_value;
158 static int hf_sj_unknown_field_data;
159 static int hf_sj_unhandled_field_type;
160
161 static expert_field ei_unhandled_field_type;
162 static expert_field ei_nonbinary_field;
163 static expert_field ei_undecoded_field;
164
165 static dissector_handle_t sje_handle;
166
167 #define MAX_DATA_SIZE 262144 // WTAP_MAX_PACKET_SIZE_STANDARD. Increase if needed.
168
169 /* Initialize the subtree pointers */
170 static int ett_systemd_journal_entry;
171 static int ett_systemd_binary_data;
172 static int ett_systemd_unknown_field;
173
174 // XXX Use a value_string instead?
175 typedef struct _journal_field_hf_map {
176 int hfid;
177 const char *name;
178 } journal_field_hf_map;
179
180 static journal_field_hf_map *jf_to_hf;
181
182 static void init_jf_to_hf_map(void) {
183 journal_field_hf_map jhmap[] = {
184 // Official.
185 { hf_sj_message, "MESSAGE=" },
186 { hf_sj_message_id, "MESSAGE_ID=" },
187 { hf_sj_priority, "PRIORITY=" },
188 { hf_sj_code_file, "CODE_FILE=" },
189 { hf_sj_code_line, "CODE_LINE=" },
190 { hf_sj_code_func, "CODE_FUNC=" },
191 { hf_sj_result, "RESULT=" },
192 { hf_sj_errno, "ERRNO=" },
193 { hf_sj_syslog_facility, "SYSLOG_FACILITY=" },
194 { hf_sj_syslog_identifier, "SYSLOG_IDENTIFIER=" },
195 { hf_sj_syslog_pid, "SYSLOG_PID=" },
196
197 { hf_sj_pid, "_PID=" },
198 { hf_sj_uid, "_UID=" },
199 { hf_sj_gid, "_GID=" },
200 { hf_sj_comm, "_COMM=" },
201 { hf_sj_exe, "_EXE=" },
202 { hf_sj_cmdline, "_CMDLINE=" },
203 { hf_sj_cap_effective, "_CAP_EFFECTIVE=" },
204 { hf_sj_audit_session, "_AUDIT_SESSION=" },
205 { hf_sj_audit_loginuid, "_AUDIT_LOGINUID=" },
206 { hf_sj_systemd_cgroup, "_SYSTEMD_CGROUP=" },
207 { hf_sj_systemd_slice, "_SYSTEMD_SLICE=" },
208 { hf_sj_systemd_unit, "_SYSTEMD_UNIT=" },
209 { hf_sj_systemd_user_unit, "_SYSTEMD_USER_UNIT=" },
210 { hf_sj_systemd_session, "_SYSTEMD_SESSION=" },
211 { hf_sj_systemd_owner_uid, "_SYSTEMD_OWNER_UID=" },
212
213 { hf_sj_selinux_context, "_SELINUX_CONTEXT=" },
214 { hf_sj_source_realtime_timestamp, "_SOURCE_REALTIME_TIMESTAMP=" },
215 { hf_sj_source_monotonic_timestamp, "_SOURCE_MONOTONIC_TIMESTAMP=" },
216 { hf_sj_boot_id, "_BOOT_ID=" },
217 { hf_sj_machine_id, "_MACHINE_ID=" },
218 { hf_sj_systemd_invocation_id, "_SYSTEMD_INVOCATION_ID=" },
219 { hf_sj_hostname, "_HOSTNAME=" },
220 { hf_sj_transport, "_TRANSPORT=" },
221 { hf_sj_stream_id, "_STREAM_ID=" },
222 { hf_sj_line_break, "_LINE_BREAK=" },
223
224 { hf_sj_kernel_device, "_KERNEL_DEVICE=" },
225 { hf_sj_kernel_subsystem, "_KERNEL_SUBSYSTEM=" },
226 { hf_sj_udev_sysname, "_UDEV_SYSNAME=" },
227 { hf_sj_udev_devnode, "_UDEV_DEVNODE=" },
228 { hf_sj_udev_devlink, "_UDEV_DEVLINK=" },
229
230 { hf_sj_coredump_unit, "COREDUMP_UNIT=" },
231 { hf_sj_coredump_user_unit, "COREDUMP_USER_UNIT=" },
232 { hf_sj_object_pid, "OBJECT_PID=" },
233 { hf_sj_object_uid, "OBJECT_UID=" },
234 { hf_sj_object_gid, "OBJECT_GID=" },
235 { hf_sj_object_comm, "OBJECT_COMM=" },
236 { hf_sj_object_exe, "OBJECT_EXE=" },
237 { hf_sj_object_cmdline, "OBJECT_CMDLINE=" },
238 { hf_sj_object_audit_session, "OBJECT_AUDIT_SESSION=" },
239 { hf_sj_object_audit_loginuid, "OBJECT_AUDIT_LOGINUID=" },
240 { hf_sj_object_cap_effective, "OBJECT_CAP_EFFECTIVE=" },
241 { hf_sj_object_selinux_context, "OBJECT_SELINUX_CONTEXT=" },
242 { hf_sj_object_systemd_cgroup, "OBJECT_SYSTEMD_CGROUP=" },
243 { hf_sj_object_systemd_session, "OBJECT_SYSTEMD_SESSION=" },
244 { hf_sj_object_systemd_owner_uid, "OBJECT_SYSTEMD_OWNER_UID=" },
245 { hf_sj_object_systemd_unit, "OBJECT_SYSTEMD_UNIT=" },
246 { hf_sj_object_systemd_user_unit, "OBJECT_SYSTEMD_USER_UNIT=" },
247 { hf_sj_object_systemd_slice, "OBJECT_SYSTEMD_SLICE=" },
248 { hf_sj_object_systemd_user_slice, "OBJECT_SYSTEMD_USER_SLICE=" },
249 { hf_sj_object_systemd_invocation_id, "OBJECT_SYSTEMD_INVOCATION_ID=" },
250
251 { hf_sj_cursor, "__CURSOR=" },
252 { hf_sj_realtime_timestamp, "__REALTIME_TIMESTAMP=" },
253 { hf_sj_monotonic_timestamp, "__MONOTONIC_TIMESTAMP=" },
254
255 // Unofficial?
256 { hf_sj_journal_name, "JOURNAL_NAME=" }, // systemd-journald: Runtime journal (/run/log/journal/) is ...
257 { hf_sj_journal_path, "JOURNAL_PATH=" }, // ""
258 { hf_sj_current_use, "CURRENT_USE=" }, // ""
259 { hf_sj_current_use_pretty, "CURRENT_USE_PRETTY=" }, // ""
260 { hf_sj_max_use, "MAX_USE=" }, // ""
261 { hf_sj_max_use_pretty, "MAX_USE_PRETTY=" }, // ""
262 { hf_sj_disk_keep_free, "DISK_KEEP_FREE=" }, // ""
263 { hf_sj_disk_keep_free_pretty, "DISK_KEEP_FREE_PRETTY=" }, // ""
264 { hf_sj_disk_available, "DISK_AVAILABLE=" }, // ""
265 { hf_sj_disk_available_pretty, "DISK_AVAILABLE_PRETTY=" }, // ""
266 { hf_sj_limit, "LIMIT=" }, // ""
267 { hf_sj_limit_pretty, "LIMIT_PRETTY=" }, // ""
268 { hf_sj_available, "AVAILABLE=" }, // ""
269 { hf_sj_available_pretty, "AVAILABLE_PRETTY=" }, // ""
270 { hf_sj_code_func, "CODE_FUNCTION=" }, // Dup / alias of CODE_FUNC?
271 { hf_sj_systemd_user_unit, "UNIT=" }, // Dup / alias of _SYSTEMD_UNIT?
272 { hf_sj_systemd_user_unit, "USER_UNIT=" }, // Dup / alias of _SYSTEMD_USER_UNIT?
273 { hf_sj_audit_type, "_AUDIT_TYPE=" },
274 { hf_sj_audit_id, "_AUDIT_ID=" },
275 { hf_sj_audit_field_apparmor, "_AUDIT_FIELD_APPARMOR=" },
276 { hf_sj_audit_field_operation, "_AUDIT_FIELD_OPERATION=" },
277 { hf_sj_audit_field_profile, "_AUDIT_FIELD_PROFILE=" },
278 { hf_sj_audit_field_name, "_AUDIT_FIELD_NAME=" },
279 { hf_sj_seat_id, "SEAT_ID=" },
280 { hf_sj_kernel_usec, "KERNEL_USEC=" },
281 { hf_sj_userspace_usec, "USERSPACE_USEC" },
282 { hf_sj_session_id, "SESSION_ID" },
283 { hf_sj_user_id, "USER_ID" },
284 { hf_sj_leader, "LEADER" },
285 { hf_sj_job_type, "JOB_TYPE" },
286 { hf_sj_job_result, "JOB_RESULT" },
287 { hf_sj_user_invocation_id, "USER_INVOCATION_ID" },
288 { hf_sj_systemd_user_slice, "_SYSTEMD_USER_SLICE=" },
289 { 0, NULL }
290 };
291 jf_to_hf = (journal_field_hf_map*) g_memdup2(jhmap, sizeof(jhmap));
292 }
293
294 static void
295 dissect_sjle_time_usecs(proto_tree *tree, int hf_idx, tvbuff_t *tvb, int offset, int len) {
296 uint64_t rt_ts = 0;
297 char *time_str = tvb_format_text(wmem_packet_scope(), tvb, offset, len);
298 bool ok = ws_strtou64(time_str, NULL, &rt_ts);
299 if (ok) {
300 nstime_t ts;
301 ts.secs = (time_t) (rt_ts / 1000000);
302 ts.nsecs = (rt_ts % 1000000) * 1000;
303 proto_tree_add_time(tree, hf_idx, tvb, offset, len, &ts);
304 } else {
305 proto_tree_add_expert_format(tree, NULL, &ei_undecoded_field, tvb, offset, len, "Invalid time value %s", time_str);
306 }
307 }
308
309 static void
310 dissect_sjle_uint(proto_tree *tree, int hf_idx, tvbuff_t *tvb, int offset, int len) {
311 uint32_t uint_val = (uint32_t) strtoul(tvb_format_text(wmem_packet_scope(), tvb, offset, len), NULL, 10);
312 proto_tree_add_uint(tree, hf_idx, tvb, offset, len, uint_val);
313 }
314
315 static void
316 dissect_sjle_int(proto_tree *tree, int hf_idx, tvbuff_t *tvb, int offset, int len) {
317 int32_t int_val = (int32_t) strtol(tvb_format_text(wmem_packet_scope(), tvb, offset, len), NULL, 10);
318 proto_tree_add_int(tree, hf_idx, tvb, offset, len, int_val);
319 }
320
321 /* Dissect a line-based journal export entry */
322 static int
323 dissect_systemd_journal_line_entry(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree,
324 void *data _U_)
325 {
326 proto_item *ti;
327 proto_tree *sje_tree;
328 int offset = 0, next_offset = 0;
329
330 col_set_str(pinfo->cinfo, COL_PROTOCOL, PSNAME);
331 col_clear(pinfo->cinfo, COL_INFO);
332 col_set_str(pinfo->cinfo, COL_INFO, "Journal Entry");
333
334 ti = proto_tree_add_item(tree, proto_systemd_journal, tvb, 0, -1, ENC_NA);
335 sje_tree = proto_item_add_subtree(ti, ett_systemd_journal_entry);
336
337 while (tvb_offset_exists(tvb, offset)) {
338 int line_len = tvb_find_line_end(tvb, offset, -1, &next_offset, false);
339 if (line_len < 3) {
340 // Invalid or zero length.
341 // XXX Add an expert item for non-empty lines.
342 offset = next_offset;
343 continue;
344 }
345 bool found = false;
346 int eq_off = tvb_find_uint8(tvb, offset, line_len, '=') + 1;
347 int val_len = offset + line_len - eq_off;
348
349 for (int i = 0; jf_to_hf[i].name; i++) {
350 if (tvb_memeql(tvb, offset, (const uint8_t*) jf_to_hf[i].name, strlen(jf_to_hf[i].name)) == 0) {
351 int hf_idx = jf_to_hf[i].hfid;
352 switch (proto_registrar_get_ftype(hf_idx)) {
353 case FT_ABSOLUTE_TIME:
354 case FT_RELATIVE_TIME:
355 dissect_sjle_time_usecs(sje_tree, hf_idx, tvb, eq_off, val_len);
356 break;
357 case FT_UINT32:
358 case FT_UINT16:
359 case FT_UINT8:
360 dissect_sjle_uint(sje_tree, hf_idx, tvb, eq_off, val_len);
361 break;
362 case FT_INT32:
363 case FT_INT16:
364 case FT_INT8:
365 dissect_sjle_int(sje_tree, hf_idx, tvb, eq_off, val_len);
366 break;
367 case FT_STRING:
368 proto_tree_add_item(sje_tree, jf_to_hf[i].hfid, tvb, eq_off, val_len, ENC_UTF_8|ENC_NA);
369 break;
370 default:
371 {
372 proto_item *expert_ti = proto_tree_add_item(sje_tree, hf_sj_unhandled_field_type, tvb, offset, line_len,
373 ENC_UTF_8);
374 expert_add_info(pinfo, expert_ti, &ei_unhandled_field_type);
375 break;
376 }
377 }
378 if (hf_idx == hf_sj_message) {
379 col_clear(pinfo->cinfo, COL_INFO);
380 col_add_str(pinfo->cinfo, COL_INFO, (char *) tvb_get_string_enc(pinfo->pool, tvb, eq_off, val_len, ENC_UTF_8));
381 }
382 found = true;
383 }
384 }
385
386 if (!found && eq_off > offset + 1) {
387 proto_item *unk_ti = proto_tree_add_none_format(sje_tree, hf_sj_unknown_field, tvb, offset, line_len,
388 "Unknown text field: %s", tvb_get_string_enc(pinfo->pool, tvb, offset, eq_off - offset - 1, ENC_UTF_8));
389 proto_tree *unk_tree = proto_item_add_subtree(unk_ti, ett_systemd_unknown_field);
390 proto_tree_add_item(unk_tree, hf_sj_unknown_field_name, tvb, offset, eq_off - offset - 1, ENC_UTF_8);
391 proto_tree_add_item(unk_tree, hf_sj_unknown_field_value, tvb, eq_off, val_len, ENC_UTF_8);
392 offset = next_offset;
393 continue;
394 }
395
396 // Try again, looking for binary fields.
397 if (!found) {
398 for (int i = 0; jf_to_hf[i].name; i++) {
399 int noeql_len = (int) strlen(jf_to_hf[i].name) - 1;
400 if (tvb_memeql(tvb, offset, (const uint8_t *) jf_to_hf[i].name, (size_t) noeql_len) == 0 && tvb_memeql(tvb, offset+noeql_len, (const uint8_t *) "\n", 1) == 0) {
401 int hf_idx = jf_to_hf[i].hfid;
402 uint64_t data_len = tvb_get_letoh64(tvb, offset + noeql_len + 1);
403 int data_off = offset + noeql_len + 1 + 8; // \n + data len
404 next_offset = data_off + (int) data_len + 1;
405 if (proto_registrar_get_ftype(hf_idx) == FT_STRING) {
406 proto_item *bin_ti = proto_tree_add_item(sje_tree, hf_idx, tvb, data_off, (int) data_len, ENC_NA);
407 proto_tree *bin_tree = proto_item_add_subtree(bin_ti, ett_systemd_binary_data);
408 proto_tree_add_item(bin_tree, hf_sj_binary_data_len, tvb, offset + noeql_len + 1, 8, ENC_LITTLE_ENDIAN);
409 if (hf_idx == hf_sj_message) {
410 col_clear(pinfo->cinfo, COL_INFO);
411 col_add_str(pinfo->cinfo, COL_INFO, tvb_format_text(pinfo->pool, tvb, data_off, (int) data_len));
412 }
413 } else {
414 proto_item *unk_ti = proto_tree_add_none_format(sje_tree, hf_sj_unknown_field, tvb, offset, line_len,
415 "Unknown data field: %s", tvb_format_text(pinfo->pool, tvb, offset, eq_off - offset - 1));
416 proto_tree *unk_tree = proto_item_add_subtree(unk_ti, ett_systemd_unknown_field);
417 proto_item *expert_ti = proto_tree_add_item(unk_tree, hf_sj_unknown_field_name, tvb, offset, offset + noeql_len, ENC_UTF_8);
418 proto_tree_add_item(unk_tree, hf_sj_unknown_field_data, tvb, data_off, (int) data_len, ENC_UTF_8);
419 expert_add_info(pinfo, expert_ti, &ei_nonbinary_field);
420 }
421 }
422 }
423 }
424 offset = next_offset;
425 }
426
427 return offset;
428 }
429
430 /*
431 * Register the protocol with Wireshark.
432 */
433 void
434 proto_register_systemd_journal(void)
435 {
436 expert_module_t *expert_systemd_journal;
437
438 static hf_register_info hf[] = {
439 { &hf_sj_message,
440 { "Message", "systemd_journal.message",
441 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
442 },
443 { &hf_sj_message_id,
444 { "Message ID", "systemd_journal.message_id",
445 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
446 },
447 { &hf_sj_priority,
448 { "Priority", "systemd_journal.priority",
449 FT_UINT8, BASE_DEC, VALS(syslog_level_vals), 0x0, NULL, HFILL }
450 },
451 { &hf_sj_code_file,
452 { "Code file", "systemd_journal.code_file",
453 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
454 },
455 { &hf_sj_code_line,
456 { "Code line", "systemd_journal.code_line",
457 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
458 },
459 { &hf_sj_code_func,
460 { "Code func", "systemd_journal.code_func",
461 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
462 },
463 { &hf_sj_errno,
464 { "Errno", "systemd_journal.errno",
465 FT_INT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
466 },
467 { &hf_sj_syslog_facility,
468 { "Syslog facility", "systemd_journal.syslog_facility",
469 FT_UINT8, BASE_NONE, VALS(syslog_facility_vals), 0x0, NULL, HFILL }
470 },
471 { &hf_sj_syslog_identifier,
472 { "Syslog identifier", "systemd_journal.syslog_id",
473 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
474 },
475 { &hf_sj_syslog_pid,
476 { "Syslog PID", "systemd_journal.syslog_pid",
477 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
478 },
479
480 { &hf_sj_pid,
481 { "PID", "systemd_journal.pid",
482 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
483 },
484 { &hf_sj_uid,
485 { "UID", "systemd_journal.uid",
486 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
487 },
488 { &hf_sj_gid,
489 { "GID", "systemd_journal.gid",
490 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
491 },
492 { &hf_sj_comm,
493 { "Command name", "systemd_journal.comm",
494 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
495 },
496 { &hf_sj_exe,
497 { "Executable path", "systemd_journal.exe",
498 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
499 },
500 { &hf_sj_cmdline,
501 { "Command line", "systemd_journal.cmdline",
502 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
503 },
504 { &hf_sj_cap_effective,
505 { "Effective capability", "systemd_journal.cap_effective",
506 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
507 },
508 { &hf_sj_audit_session,
509 { "Audit session", "systemd_journal.audit_session",
510 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
511 },
512 { &hf_sj_audit_loginuid,
513 { "Audit login UID", "systemd_journal.audit_loginuid",
514 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
515 },
516
517 { &hf_sj_systemd_cgroup,
518 { "Systemd cgroup", "systemd_journal.systemd_cgroup",
519 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
520 },
521 { &hf_sj_systemd_slice,
522 { "Systemd slice", "systemd_journal.systemd_slice",
523 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
524 },
525 { &hf_sj_systemd_unit,
526 { "Systemd unit", "systemd_journal.systemd_unit",
527 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
528 },
529 { &hf_sj_systemd_user_unit,
530 { "Systemd user unit", "systemd_journal.systemd_user_unit",
531 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
532 },
533 { &hf_sj_systemd_session,
534 { "Systemd session", "systemd_journal.systemd_session",
535 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
536 },
537 { &hf_sj_systemd_owner_uid,
538 { "Systemd owner UID", "systemd_journal.systemd_owner_uid",
539 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
540 },
541
542 { &hf_sj_selinux_context,
543 { "SELinux context", "systemd_journal.selinux_context",
544 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
545 },
546 { &hf_sj_source_realtime_timestamp,
547 { "Source realtime timestamp", "systemd_journal.source_realtime_timestamp",
548 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }
549 },
550 { &hf_sj_boot_id,
551 { "Boot ID", "systemd_journal.boot_id",
552 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
553 },
554 { &hf_sj_machine_id,
555 { "Machine ID", "systemd_journal.machine_id",
556 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
557 },
558 { &hf_sj_systemd_invocation_id,
559 { "Systemd invocation ID", "systemd_journal.systemd_invocation_id",
560 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
561 },
562 { &hf_sj_hostname,
563 { "Hostname", "systemd_journal.hostname",
564 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
565 },
566 { &hf_sj_transport,
567 { "Transport", "systemd_journal.transport",
568 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
569 },
570 { &hf_sj_stream_id,
571 { "Stream ID", "systemd_journal.stream_id",
572 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
573 },
574 { &hf_sj_line_break,
575 { "Line break", "systemd_journal.line_break",
576 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
577 },
578
579 { &hf_sj_kernel_device,
580 { "Kernel device", "systemd_journal.kernel_device",
581 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
582 },
583 { &hf_sj_kernel_subsystem,
584 { "Kernel subsystem", "systemd_journal.kernel_subsystem",
585 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
586 },
587 { &hf_sj_udev_sysname,
588 { "Device tree name", "systemd_journal.udev_sysname",
589 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
590 },
591 { &hf_sj_udev_devnode,
592 { "Device tree node", "systemd_journal.udev_devnode",
593 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
594 },
595 { &hf_sj_udev_devlink,
596 { "Device tree symlink", "systemd_journal.udev_devlink",
597 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
598 },
599
600 { &hf_sj_coredump_unit,
601 { "Coredump unit", "systemd_journal.coredump_unit",
602 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
603 },
604 { &hf_sj_coredump_user_unit,
605 { "Coredump user unit", "systemd_journal.coredump_user_unit",
606 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
607 },
608 { &hf_sj_object_pid,
609 { "Object PID", "systemd_journal.object_pid",
610 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
611 },
612 { &hf_sj_object_uid,
613 { "Object UID", "systemd_journal.object_uid",
614 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
615 },
616 { &hf_sj_object_gid,
617 { "Object GID", "systemd_journal.object_gid",
618 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
619 },
620 { &hf_sj_object_comm,
621 { "Object command name", "systemd_journal.object_comm",
622 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
623 },
624 { &hf_sj_object_exe,
625 { "Object executable path", "systemd_journal.object_exe",
626 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
627 },
628 { &hf_sj_object_cmdline,
629 { "Object command line", "systemd_journal.object_cmdline",
630 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
631 },
632 { &hf_sj_object_audit_session,
633 { "Object audit session", "systemd_journal.object_audit_session",
634 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
635 },
636 { &hf_sj_object_audit_loginuid,
637 { "Object audit login UID", "systemd_journal.object_audit_loginuid",
638 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
639 },
640 { &hf_sj_object_cap_effective,
641 { "Object effective capability", "systemd_journal.object_cap_effective",
642 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
643 },
644 { &hf_sj_object_selinux_context,
645 { "Object SELinux context", "systemd_journal.object_selinux_context",
646 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
647 },
648 { &hf_sj_object_systemd_cgroup,
649 { "Object systemd cgroup", "systemd_journal.object_systemd_cgroup",
650 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
651 },
652 { &hf_sj_object_systemd_session,
653 { "Object systemd session", "systemd_journal.object_systemd_session",
654 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
655 },
656 { &hf_sj_object_systemd_owner_uid,
657 { "Object systemd owner UID", "systemd_journal.object_systemd_owner_uid",
658 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
659 },
660 { &hf_sj_object_systemd_unit,
661 { "Object systemd unit", "systemd_journal.object_systemd_unit",
662 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
663 },
664 { &hf_sj_object_systemd_user_unit,
665 { "Object systemd user unit", "systemd_journal.object_systemd_user_unit",
666 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
667 },
668 { &hf_sj_object_systemd_slice,
669 { "Object systemd slice", "systemd_journal.object_systemd_slice",
670 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
671 },
672 { &hf_sj_object_systemd_user_slice,
673 { "Object systemd user slice", "systemd_journal.object_systemd_user_slice",
674 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
675 },
676 { &hf_sj_object_systemd_invocation_id,
677 { "Object systemd invocation ID", "systemd_journal.object_systemd_invocation_id",
678 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
679 },
680
681 { &hf_sj_cursor,
682 { "Cursor", "systemd_journal.cursor",
683 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
684 },
685 { &hf_sj_realtime_timestamp,
686 { "Realtime Timestamp", "systemd_journal.realtime_timestamp",
687 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }
688 },
689 { &hf_sj_monotonic_timestamp,
690 { "Monotonic Timestamp", "systemd_journal.monotonic_timestamp",
691 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, NULL, HFILL }
692 },
693
694 { &hf_sj_journal_name,
695 { "Journal name", "systemd_journal.journal_name",
696 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
697 },
698 { &hf_sj_journal_path,
699 { "Journal path", "systemd_journal.journal_path",
700 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
701 },
702 { &hf_sj_current_use,
703 { "Current use", "systemd_journal.current_use",
704 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
705 },
706 { &hf_sj_current_use_pretty,
707 { "Human readable current use", "systemd_journal.current_use_pretty",
708 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
709 },
710 { &hf_sj_max_use,
711 { "Max use", "systemd_journal.max_use",
712 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
713 },
714 { &hf_sj_max_use_pretty,
715 { "Human readable max use", "systemd_journal.max_use_pretty",
716 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
717 },
718 { &hf_sj_disk_keep_free,
719 { "Disk keep free", "systemd_journal.disk_keep_free",
720 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
721 },
722 { &hf_sj_disk_keep_free_pretty,
723 { "Human readable disk keep free", "systemd_journal.disk_keep_free_pretty",
724 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
725 },
726 { &hf_sj_disk_available,
727 { "Disk available", "systemd_journal.disk_available",
728 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
729 },
730 { &hf_sj_disk_available_pretty,
731 { "Human readable disk available", "systemd_journal.disk_available_pretty",
732 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
733 },
734 { &hf_sj_limit,
735 { "Limit", "systemd_journal.limit",
736 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
737 },
738 { &hf_sj_limit_pretty,
739 { "Human readable limit", "systemd_journal.limit_pretty",
740 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
741 },
742 { &hf_sj_available,
743 { "Available", "systemd_journal.available",
744 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
745 },
746 { &hf_sj_available_pretty,
747 { "Human readable available", "systemd_journal.available_pretty",
748 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
749 },
750 { &hf_sj_result,
751 { "Result", "systemd_journal.result",
752 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
753 },
754 { &hf_sj_source_monotonic_timestamp,
755 { "Source monotonic timestamp", "systemd_journal.source_monotonic_timestamp",
756 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, NULL, HFILL }
757 },
758 { &hf_sj_audit_type,
759 { "Audit type", "systemd_journal.audit_type",
760 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
761 },
762 { &hf_sj_audit_id,
763 { "Audit ID", "systemd_journal.audit_id",
764 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
765 },
766 { &hf_sj_audit_field_apparmor,
767 { "Audit field AppArmor", "systemd_journal.audit_field_apparmor",
768 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
769 },
770 { &hf_sj_audit_field_operation,
771 { "Audit field operation", "systemd_journal.audit_field_operation",
772 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
773 },
774 { &hf_sj_audit_field_profile,
775 { "Audit field profile", "systemd_journal.audit_field_profile",
776 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
777 },
778 { &hf_sj_audit_field_name,
779 { "Audit field name", "systemd_journal.audit_field_name",
780 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
781 },
782 { &hf_sj_seat_id,
783 { "Seat ID", "systemd_journal.seat_id",
784 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
785 },
786 { &hf_sj_kernel_usec,
787 { "Kernel microseconds", "systemd_journal.kernel_usec",
788 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, NULL, HFILL }
789 },
790 { &hf_sj_userspace_usec,
791 { "Userspace microseconds", "systemd_journal.userspace_usec",
792 FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, NULL, HFILL }
793 },
794 { &hf_sj_session_id,
795 { "Session ID", "systemd_journal.session_id",
796 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
797 },
798 { &hf_sj_user_id,
799 { "User ID", "systemd_journal.user_id",
800 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
801 },
802 { &hf_sj_leader,
803 { "Leader", "systemd_journal.leader",
804 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
805 },
806 { &hf_sj_job_type,
807 { "Job type", "systemd_journal.job_type",
808 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
809 },
810 { &hf_sj_job_result,
811 { "Job result", "systemd_journal.job_result",
812 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
813 },
814 { &hf_sj_user_invocation_id,
815 { "User invocation ID", "systemd_journal.user_invocation_id",
816 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
817 },
818 { &hf_sj_systemd_user_slice,
819 { "Systemd user slice", "systemd_journal.systemd_user_slice",
820 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
821 },
822
823 { &hf_sj_binary_data_len,
824 { "Binary data length", "systemd_journal.binary_data_len",
825 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
826 },
827 { &hf_sj_unknown_field,
828 { "Unknown field", "systemd_journal.field",
829 FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }
830 },
831 { &hf_sj_unknown_field_name,
832 { "Field name", "systemd_journal.field.name",
833 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
834 },
835 { &hf_sj_unknown_field_value,
836 { "Field value", "systemd_journal.field.value",
837 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
838 },
839 { &hf_sj_unknown_field_data,
840 { "Field data", "systemd_journal.field.data",
841 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
842 },
843 { &hf_sj_unhandled_field_type,
844 { "Field data", "systemd_journal.unhandled_field_type",
845 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
846 }
847 };
848
849 /* Setup protocol subtree array */
850 static int *ett[] = {
851 &ett_systemd_journal_entry,
852 &ett_systemd_binary_data,
853 &ett_systemd_unknown_field
854 };
855
856 /* Setup protocol expert items */
857 static ei_register_info ei[] = {
858 { &ei_unhandled_field_type,
859 { "systemd_journal.unhandled_field_type.undecoded", PI_UNDECODED, PI_ERROR,
860 "Unhandled field type", EXPFILL }
861 },
862 { &ei_nonbinary_field,
863 { "systemd_journal.nonbinary_field", PI_UNDECODED, PI_WARN,
864 "Field shouldn't be binary", EXPFILL }
865 },
866 { &ei_undecoded_field,
867 { "systemd_journal.undecoded_field", PI_UNDECODED, PI_WARN,
868 "Unable to decode field", EXPFILL }
869 }
870 };
871
872 /* Register the protocol name and description */
873 proto_systemd_journal = proto_register_protocol(PNAME, PSNAME, PFNAME);
874
875 /* Required function calls to register the header fields and subtrees */
876 proto_register_field_array(proto_systemd_journal, hf, array_length(hf));
877 proto_register_subtree_array(ett, array_length(ett));
878
879 /* Required function calls to register expert items */
880 expert_systemd_journal = expert_register_protocol(proto_systemd_journal);
881 expert_register_field_array(expert_systemd_journal, ei, array_length(ei));
882
883 sje_handle = register_dissector("systemd_journal", dissect_systemd_journal_line_entry,
884 proto_systemd_journal);
885
886 init_jf_to_hf_map();
887 }
888
889 #define BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT 0x0000009
890 void
891 proto_reg_handoff_systemd_journal(void)
892 {
893 int file_type_subtype_systemd_journal;
894
895 file_type_subtype_systemd_journal = wtap_name_to_file_type_subtype("systemd_journal");
896 if (file_type_subtype_systemd_journal != -1)
897 dissector_add_uint("wtap_fts_rec", file_type_subtype_systemd_journal, sje_handle);
898 dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSTEMD_JOURNAL_EXPORT, sje_handle);
899 // It's possible to ship journal entries over HTTP/HTTPS using
900 // systemd-journal-remote. Dissecting them on the wire isn't very
901 // useful since it's easy to end up with a packet containing a
902 // single, huge reassembled journal with many entries.
903 dissector_add_string("media_type", "application/vnd.fdo.journal", sje_handle);
904 }
905
906 /*
907 * Editor modelines - https://www.wireshark.org/tools/modelines.html
908 *
909 * Local variables:
910 * c-basic-offset: 4
911 * tab-width: 8
912 * indent-tabs-mode: nil
913 * End:
914 *
915 * vi: set shiftwidth=4 tabstop=8 expandtab:
916 * :indentSize=4:tabSize=8:noTabs=true:
917 */
Metzes wireshark repo