epan/dissectors/file-pcapng-darwin.c

   1 /* file-pcapng-darwin.c
   2  *
   3  * Wireshark - Network traffic analyzer
   4  * By Gerald Combs <gerald@wireshark.org>
   5  * Copyright 1998 Gerald Combs
   6  *
   7  * SPDX-License-Identifier: GPL-2.0-or-later
   8  */
   9
  10 #include "config.h"
  11
  12 #include <epan/packet.h>
  13 #include <epan/addr_resolv.h>
  14 #include <wsutil/array.h>
  15
  16 #include <epan/dissectors/file-pcapng.h>
  17
  18 /*
  19  * Apple's Pcapng Darwin Process Event Block
  20  *
  21  *    A Darwin Process Event Block (DPEB) is an Apple defined container
  22  *    for information describing a Darwin process.
  23  *
  24  *    Tools that write / read the capture file associate an incrementing
  25  *    32-bit number (starting from '0') to each Darwin Process Event Block,
  26  *    called the DPEB ID for the process in question.  This number is
  27  *    unique within each Section and identifies a specific DPEB; a DPEB ID
  28  *    is only unique inside the current section. Two Sections can have different
  29  *    processes identified by the same DPEB ID values.  DPEB ID are referenced
  30  *    by Enhanced Packet Blocks that include options to indicate the Darwin
  31  *    process to which the EPB refers.
  32  *
  33  *
  34  *         0                   1                   2                   3
  35  *         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  36  *         +---------------------------------------------------------------+
  37  *       0 |                   Block Type = 0x80000001                     |
  38  *         +---------------------------------------------------------------+
  39  *       4 |                     Block Total Length                        |
  40  *         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  41  *       8 |                          Process ID                           |
  42  *         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  43  *      12 /                                                               /
  44  *         /                      Options (variable)                       /
  45  *         /                                                               /
  46  *         +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  47  *         |                     Block Total Length                        |
  48  *         +---------------------------------------------------------------+
  49  *
  50  *                   Figure XXX.1: Darwin Process Event Block
  51  *
  52  *    The meaning of the fields are:
  53  *
  54  *    o  Block Type: The block type of a Darwin Process Event Block is 2147483649.
  55  *
  56  *       Note: This specific block type number falls into the range defined
  57  *       for "local use" but has in fact been available publicly since Darwin
  58  *       13.0 for pcapng files generated by Apple's tcpdump when using the PKTAP
  59  *       enhanced interface.
  60  *
  61  *    o  Block Total Length: Total size of this block, as described in
  62  *       Pcapng Section 3.1 (General Block Structure).
  63  *
  64  *    o  Process ID: The process ID (PID) of the process.
  65  *
  66  *       Note: It is not known if this field is officially defined as a 32 bits
  67  *       (4 octets) or something smaller since Darwin PIDs currently appear to
  68  *       be limited to maximum value of 100000.
  69  *
  70  *    o  Options: A list of options (formatted according to the rules defined
  71  *       in Section 3.5) can be present.
  72  *
  73  *    In addition to the options defined in Section 3.5, the following
  74  *    Apple defined Darwin options are valid within this block:
  75  *
  76  *           +------------------+------+----------+-------------------+
  77  *           | Name             | Code | Length   | Multiple allowed? |
  78  *           +------------------+------+----------+-------------------+
  79  *           | darwin_proc_name | 2    | variable | no                |
  80  *           | darwin_proc_uuid | 4    | 16       | no                |
  81  *           +------------------+------+----------+-------------------+
  82  *
  83  *              Table XXX.1: Darwin Process Description Block Options
  84  *
  85  *    darwin_proc_name:
  86  *            The darwin_proc_name option is a UTF-8 string containing the
  87  *            name of a process producing or consuming an EPB.
  88  *
  89  *            Examples: "mDNSResponder", "GoogleSoftwareU".
  90  *
  91  *            Note: It appears that Apple's tcpdump currently truncates process
  92  *            names to a maximum of 15 octets followed by a NUL character.
  93  *            Multi-byte UTF-8 sequences in process names might be truncated
  94  *            resulting in an invalid final UTF-8 character.
  95  *
  96  *            This is probably because the process name comes from the
  97  *            p_comm field in a proc structure in the kernel; that field
  98  *            is MAXCOMLEN+1 bytes long, with the +1 being for the NUL
  99  *            terminator.  That would give 16 characters, but the
 100  *            proc_info kernel interface has a structure with a
 101  *            process name field of only MAXCOMLEN bytes.
 102  *
 103  *            This all ultimately dates back to the "kernel accounting"
 104  *            mechanism that appeared in V7 UNIX, with an "accounting
 105  *            file" with entries appended whenever a process exits; not
 106  *            surprisingly, that code thinks a file name is just a bunch
 107  *            of "char"s, with no multi-byte encodings (1979 called, they
 108  *            want their character encoding back), so, yes, this can
 109  *            mangle UTF-8 file names containing non-ASCII characters.
 110  *
 111  *    darwin_proc_uuid:
 112  *            The darwin_proc_uuid option is a set of 16 octets representing
 113  *            the process UUID.
 114  *
 115  */
 116
 117 static int proto_pcapng_darwin_process_info;
 118
 119 void proto_register_pcapng_darwin_process_info(void);
 120 void proto_reg_handoff_pcapng_darwin_process_info(void);
 121
 122
 123 static int hf_pcapng_option_code_darwin_process_info;
 124 static int hf_pcapng_darwin_process_id;
 125 static int hf_pcapng_option_darwin_process_name;
 126 static int hf_pcapng_option_darwin_process_uuid;
 127
 128 #define BLOCK_DARWIN_PROCESS         0x80000001
 129 #define BLOCK_DARWIN_PROCESS_NAME    "Darwin Process Event Block"
 130
 131
 132 static const value_string option_code_darwin_process_info_vals[] = {
 133     { 0,  "End of Options" },
 134     { 1,  "Comment" },
 135     { 2,  "Darwin Process Name" },
 136     { 4,  "Darwin Process UUID" },
 137     { 0, NULL }
 138 };
 139
 140 /* Dissect an individual option */
 141 static
 142 void dissect_darwin_process_info_option(proto_tree *option_tree, proto_item *option_item,
 143                                         packet_info *pinfo, tvbuff_t *tvb, int offset,
 144                                         int unknown_option_hf,
 145                                         uint32_t option_code, uint32_t option_length,
 146                                         unsigned encoding _U_)
 147 {
 148     char         *str;
 149     e_guid_t      uuid;
 150
 151     switch (option_code) {
 152         case 2: /* Darwin Process Name */
 153             proto_tree_add_item_ret_display_string(option_tree, hf_pcapng_option_darwin_process_name, tvb, offset, option_length, ENC_NA | ENC_UTF_8, pinfo->pool, &str);
 154             break;
 155
 156         case 4: /* Darwin Process UUID */
 157             proto_tree_add_item(option_tree, hf_pcapng_option_darwin_process_uuid, tvb, offset, option_length, ENC_BIG_ENDIAN);
 158             tvb_get_guid(tvb, offset, &uuid, ENC_BIG_ENDIAN);
 159
 160             proto_item_append_text(option_item, " = %s",
 161                 guid_to_str(pinfo->pool, &uuid));
 162
 163             break;
 164         default:
 165             proto_tree_add_item(option_tree, unknown_option_hf, tvb, offset, option_length, ENC_NA);
 166             break;
 167     }
 168 }
 169
 170 /* Dissect this block type */
 171 static void
 172 dissect_darwin_process_data(proto_tree *tree, packet_info *pinfo, tvbuff_t *tvb,
 173                             block_data_arg *argp)
 174 {
 175     int offset = 0;
 176
 177     /* Show current nuber of these blocks, and increment */
 178     proto_item_append_text(argp->block_item, " %u", argp->info->darwin_process_event_number);
 179     argp->info->darwin_process_event_number += 1;
 180
 181     /* Process ID */
 182     proto_tree_add_item(tree, hf_pcapng_darwin_process_id, tvb, offset, 4, argp->info->encoding);
 183     offset += 4;
 184
 185     /* Options */
 186     dissect_options(tree, pinfo, BLOCK_DARWIN_PROCESS, tvb, offset, argp->info->encoding, NULL);
 187 }
 188
 189
 190 void
 191 proto_register_pcapng_darwin_process_info(void)
 192 {
 193     static hf_register_info hf[] = {
 194
 195         { &hf_pcapng_option_code_darwin_process_info,
 196             { "Code",                                      "pcapng.darwin.options.option.code",
 197             FT_UINT16, BASE_DEC, VALS(option_code_darwin_process_info_vals), 0x00,
 198             "Darwin Process Info block option", HFILL }
 199         },
 200         { &hf_pcapng_darwin_process_id,
 201             { "Darwin Process ID",                         "pcapng.darwin.process_id",
 202             FT_UINT32, BASE_DEC_HEX, NULL, 0x00,
 203             "Process ID for Darwin Process Info", HFILL }
 204         },
 205         { &hf_pcapng_option_darwin_process_name,
 206             { "Darwin Process Name",                       "pcapng.darwin.process_name",
 207             FT_STRING, BASE_NONE, NULL, 0x00,
 208             "Process name for Darwin Process Info", HFILL }
 209         },
 210         { &hf_pcapng_option_darwin_process_uuid,
 211             { "Darwin Process UUID",                       "pcapng.darwin.process_uuid",
 212             FT_GUID, BASE_NONE, NULL, 0x00,
 213             "Process UUID for Darwin Process Info", HFILL }
 214         },
 215     };
 216
 217     proto_pcapng_darwin_process_info = proto_register_protocol("PCAPNG Darwin Process Information Block", "Darwin-Process-Information", "pcapng.darwin");
 218
 219     proto_register_field_array(proto_pcapng_darwin_process_info, hf, array_length(hf));
 220 }
 221
 222 void
 223 proto_reg_handoff_pcapng_darwin_process_info(void)
 224 {
 225     /* Register with pcapng dissector */
 226     static local_block_callback_info_t dissector_info;
 227     dissector_info.name = BLOCK_DARWIN_PROCESS_NAME;
 228     /* Block-dissector function */
 229     dissector_info.dissector = dissect_darwin_process_data;
 230     /* Options-related */
 231     dissector_info.option_root_hf = hf_pcapng_option_code_darwin_process_info;
 232     dissector_info.option_vals = option_code_darwin_process_info_vals;
 233     dissector_info.option_dissector = dissect_darwin_process_info_option;
 234
 235     register_pcapng_local_block_dissector(BLOCK_DARWIN_PROCESS, &dissector_info);
 236 }
 237
 238 /*
 239  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 240  *
 241  * Local variables:
 242  * c-basic-offset: 4
 243  * tab-width: 8
 244  * indent-tabs-mode: nil
 245  * End:
 246  *
 247  * vi: set shiftwidth=4 tabstop=8 expandtab:
 248  * :indentSize=4:tabSize=8:noTabs=true:
 249  */