search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-etw.c
blob32bd38c3e502585f94703a2f44031cacf2ac7cfb
1 /* packet-etw.c
2 * Routines for ETW Dissection
3 *
4 * Copyright 2020, Odysseus Yang
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 /* Dissector based on ETW Trace
14 * https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
15 */
16
17 #include "config.h"
18
19 #include <epan/packet.h>
20 #include <wiretap/wtap.h>
21
22 void proto_register_etw(void);
23 void proto_reg_handoff_etw(void);
24
25 static dissector_handle_t etw_handle;
26
27 static int proto_etw;
28 static int hf_etw_size;
29 static int hf_etw_header_type;
30 static int hf_etw_header_flag_extended_info;
31 static int hf_etw_header_flag_private_session;
32 static int hf_etw_header_flag_string_only;
33 static int hf_etw_header_flag_trace_message;
34 static int hf_etw_header_flag_no_cputime;
35 static int hf_etw_header_flag_32_bit_header;
36 static int hf_etw_header_flag_64_bit_header;
37 static int hf_etw_header_flag_decode_guid;
38 static int hf_etw_header_flag_classic_header;
39 static int hf_etw_header_flag_processor_index;
40 static int hf_etw_flags;
41 static int hf_etw_event_property;
42 static int hf_etw_event_property_xml;
43 static int hf_etw_event_property_forwarded_xml;
44 static int hf_etw_event_property_legacy_eventlog;
45 static int hf_etw_event_property_legacy_reloggable;
46 static int hf_etw_thread_id;
47 static int hf_etw_process_id;
48 static int hf_etw_time_stamp;
49 static int hf_etw_provider_id;
50 static int hf_etw_buffer_context_processor_number;
51 static int hf_etw_buffer_context_alignment;
52 static int hf_etw_buffer_context_logger_id;
53 static int hf_etw_message_length;
54 static int hf_etw_provider_name_length;
55 static int hf_etw_provider_name;
56 static int hf_etw_message;
57 static int hf_etw_user_data_length;
58 static int hf_etw_descriptor_id;
59 static int hf_etw_descriptor_version;
60 static int hf_etw_descriptor_channel;
61 static int hf_etw_descriptor_level;
62 static int hf_etw_descriptor_opcode;
63 static int hf_etw_descriptor_task;
64 static int hf_etw_descriptor_keywords;
65 static int hf_etw_processor_time;
66 static int hf_etw_activity_id;
67
68 static int ett_etw_header;
69 static int ett_etw_descriptor;
70 static int ett_etw_buffer_context;
71 static int ett_etw_header_flags;
72 static int ett_etw_event_property_types;
73
74 static dissector_handle_t mbim_dissector;
75
76 static e_guid_t mbim_net_providerid = { 0xA42FE227, 0xA7BF, 0x4483, {0xA5, 0x02, 0x6B, 0xCD, 0xA4, 0x28, 0xCD, 0x96} };
77
78 #define ROUND_UP_COUNT(Count,Pow2) \
79 ( ((Count)+(Pow2)-1) & (~(((int)(Pow2))-1)) )
80 #define ETW_HEADER_SIZE 0x60
81
82 static int etw_counter;
83
84 static int
85 dissect_etw(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree _U_, void* data _U_)
86 {
87 proto_tree* etw_header, * etw_descriptor, * etw_buffer_context;
88 tvbuff_t* mbim_tvb;
89 uint32_t message_offset, message_length, provider_name_offset, provider_name_length, user_data_offset, user_data_length;
90 e_guid_t provider_id;
91 int offset = 0;
92 static int * const etw_header_flags[] = {
93 &hf_etw_header_flag_extended_info,
94 &hf_etw_header_flag_private_session,
95 &hf_etw_header_flag_string_only,
96 &hf_etw_header_flag_trace_message,
97 &hf_etw_header_flag_no_cputime,
98 &hf_etw_header_flag_32_bit_header,
99 &hf_etw_header_flag_64_bit_header,
100 &hf_etw_header_flag_decode_guid,
101 &hf_etw_header_flag_classic_header,
102 &hf_etw_header_flag_processor_index,
103 NULL
104 };
105
106 static int * const etw_event_property_opt[] = {
107 &hf_etw_event_property_xml,
108 &hf_etw_event_property_forwarded_xml,
109 &hf_etw_event_property_legacy_eventlog,
110 &hf_etw_event_property_legacy_reloggable,
111 NULL
112 };
113
114 etw_header = proto_tree_add_subtree(tree, tvb, 0, ETW_HEADER_SIZE, ett_etw_header, NULL, "ETW Header");
115 proto_tree_add_item(etw_header, hf_etw_size, tvb, offset, 2, ENC_LITTLE_ENDIAN);
116 offset += 2;
117 proto_tree_add_item(etw_header, hf_etw_header_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
118 offset += 2;
119 proto_tree_add_bitmask(etw_header, tvb, offset, hf_etw_flags,
120 ett_etw_header_flags, etw_header_flags, ENC_LITTLE_ENDIAN);
121 offset += 2;
122 proto_tree_add_bitmask(etw_header, tvb, offset, hf_etw_event_property,
123 ett_etw_event_property_types, etw_event_property_opt, ENC_LITTLE_ENDIAN);
124 offset += 2;
125 proto_tree_add_item(etw_header, hf_etw_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
126 offset += 4;
127 proto_tree_add_item(etw_header, hf_etw_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
128 offset += 4;
129 proto_tree_add_item(etw_header, hf_etw_time_stamp, tvb, offset, 8, ENC_LITTLE_ENDIAN);
130 offset += 8;
131 tvb_get_letohguid(tvb, offset, &provider_id);
132 proto_tree_add_item(etw_header, hf_etw_provider_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
133 offset += 16;
134
135 etw_descriptor = proto_tree_add_subtree(etw_header, tvb, 40, 16, ett_etw_descriptor, NULL, "Descriptor");
136 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
137 offset += 2;
138 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
139 offset += 1;
140 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_channel, tvb, offset, 1, ENC_LITTLE_ENDIAN);
141 offset += 1;
142 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_level, tvb, offset, 1, ENC_LITTLE_ENDIAN);
143 offset += 1;
144 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
145 offset += 1;
146 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_task, tvb, offset, 2, ENC_LITTLE_ENDIAN);
147 offset += 2;
148 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_keywords, tvb, offset, 8, ENC_LITTLE_ENDIAN);
149 offset += 8;
150
151 proto_tree_add_item(etw_header, hf_etw_processor_time, tvb, offset, 8, ENC_LITTLE_ENDIAN);
152 offset += 8;
153 proto_tree_add_item(etw_header, hf_etw_activity_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
154 offset += 16;
155
156 etw_buffer_context = proto_tree_add_subtree(etw_header, tvb, 80, 4, ett_etw_descriptor, NULL, "Buffer Context");
157 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_processor_number, tvb, offset, 1, ENC_LITTLE_ENDIAN);
158 offset += 1;
159 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_alignment, tvb, offset, 1, ENC_LITTLE_ENDIAN);
160 offset += 1;
161 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_logger_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
162 offset += 2;
163 proto_tree_add_item_ret_uint(etw_header, hf_etw_user_data_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &user_data_length);
164 offset += 4;
165 proto_tree_add_item_ret_uint(etw_header, hf_etw_message_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &message_length);
166 offset += 4;
167 proto_tree_add_item_ret_uint(etw_header, hf_etw_provider_name_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &provider_name_length);
168 offset += 4;
169 user_data_offset = offset;
170 message_offset = user_data_offset + ROUND_UP_COUNT(user_data_length, sizeof(int32_t));
171 if (message_length) {
172 proto_tree_add_item(etw_header, hf_etw_message, tvb, message_offset, message_length, ENC_LITTLE_ENDIAN | ENC_UTF_16);
173 }
174 provider_name_offset = message_offset + ROUND_UP_COUNT(message_length, sizeof(int32_t));
175 if (provider_name_length) {
176 proto_tree_add_item(etw_header, hf_etw_provider_name, tvb, provider_name_offset, provider_name_length, ENC_LITTLE_ENDIAN | ENC_UTF_16);
177 }
178
179 col_set_str(pinfo->cinfo, COL_DEF_SRC, "windows");
180 col_set_str(pinfo->cinfo, COL_DEF_DST, "windows");
181 if (memcmp(&mbim_net_providerid, &provider_id, sizeof(e_guid_t)) == 0) {
182 uint32_t pack_flags;
183
184 if (WTAP_OPTTYPE_SUCCESS == wtap_block_get_uint32_option_value(pinfo->rec->block, OPT_PKT_FLAGS, &pack_flags)) {
185 switch(PACK_FLAGS_DIRECTION(pack_flags)) {
186 case PACK_FLAGS_DIRECTION_INBOUND:
187 col_set_str(pinfo->cinfo, COL_DEF_SRC, "device");
188 col_set_str(pinfo->cinfo, COL_DEF_DST, "host");
189 break;
190 case PACK_FLAGS_DIRECTION_OUTBOUND:
191 col_set_str(pinfo->cinfo, COL_DEF_SRC, "host");
192 col_set_str(pinfo->cinfo, COL_DEF_DST, "device");
193 break;
194 }
195 }
196 mbim_tvb = tvb_new_subset_remaining(tvb, user_data_offset);
197 call_dissector_only(mbim_dissector, mbim_tvb, pinfo, tree, data);
198 }
199 else if (message_length){
200 char* message = (char*)tvb_get_string_enc(pinfo->pool, tvb, message_offset, message_length, ENC_LITTLE_ENDIAN | ENC_UTF_16);
201 col_set_str(pinfo->cinfo, COL_INFO, message);
202 if (provider_name_offset) {
203 char* provider_name = (char*)tvb_get_string_enc(pinfo->pool, tvb, provider_name_offset, provider_name_length, ENC_LITTLE_ENDIAN | ENC_UTF_16);
204 col_set_str(pinfo->cinfo, COL_PROTOCOL, provider_name);
205 }
206 } else {
207 col_set_str(pinfo->cinfo, COL_INFO, guids_resolve_guid_to_str(&provider_id, pinfo->pool));
208 }
209
210 etw_counter += 1;
211 return tvb_captured_length(tvb);
212 }
213
214 void
215 proto_register_etw(void)
216 {
217 static hf_register_info hf[] = {
218 { &hf_etw_size,
219 { "Size", "etw.size",
220 FT_UINT16, BASE_DEC, NULL, 0,
221 NULL, HFILL }
222 },
223 { &hf_etw_header_type,
224 { "Header Type", "etw.header_type",
225 FT_UINT16, BASE_DEC, NULL, 0,
226 NULL, HFILL }
227 },
228 { &hf_etw_flags,
229 { "Flags", "etw.flags",
230 FT_UINT16, BASE_DEC, NULL, 0,
231 NULL, HFILL }
232 },
233 { &hf_etw_header_flag_extended_info,
234 { "Extended Info", "etw.header.flag.extended_info",
235 FT_UINT32, BASE_DEC, NULL, 0x0001,
236 NULL, HFILL }
237 },
238 { &hf_etw_header_flag_private_session,
239 { "Private Session", "etw.header.flag.private_session",
240 FT_UINT32, BASE_DEC, NULL, 0x0002,
241 NULL, HFILL }
242 },
243 { &hf_etw_header_flag_string_only,
244 { "String Only", "etw.header.flag.string_only",
245 FT_UINT32, BASE_DEC, NULL, 0x0004,
246 NULL, HFILL }
247 },
248 { &hf_etw_header_flag_trace_message,
249 { "Trace Message", "etw.header.flag.trace_message",
250 FT_UINT32, BASE_DEC, NULL, 0x0008,
251 NULL, HFILL }
252 },
253 { &hf_etw_header_flag_no_cputime,
254 { "No CPU time", "etw.header.flag.no_cputime",
255 FT_UINT32, BASE_DEC, NULL, 0x0010,
256 NULL, HFILL }
257 },
258 { &hf_etw_header_flag_32_bit_header,
259 { "32-bit Header", "etw.header.flag.32_bit_header",
260 FT_UINT32, BASE_DEC, NULL, 0x0020,
261 NULL, HFILL }
262 },
263 { &hf_etw_header_flag_64_bit_header,
264 { "64-bit Header", "etw.header.flag.64_bit_header",
265 FT_UINT32, BASE_DEC, NULL, 0x0040,
266 NULL, HFILL }
267 },
268 { &hf_etw_header_flag_decode_guid,
269 { "Decode GUID", "etw.header.flag.decode_guid",
270 FT_UINT32, BASE_DEC, NULL, 0x0080,
271 NULL, HFILL }
272 },
273 { &hf_etw_header_flag_classic_header,
274 { "Classic Header", "etw.header.flag.classic_header",
275 FT_UINT32, BASE_DEC, NULL, 0x0100,
276 NULL, HFILL }
277 },
278 { &hf_etw_header_flag_processor_index,
279 { "Processor Index", "etw.header.flag.processor_index",
280 FT_UINT32, BASE_DEC, NULL, 0x0200,
281 NULL, HFILL }
282 },
283 { &hf_etw_event_property,
284 { "Event Property", "etw.event_property",
285 FT_UINT16, BASE_DEC, NULL, 0,
286 NULL, HFILL }
287 },
288 { &hf_etw_event_property_xml,
289 { "XML", "etw.property.xml",
290 FT_UINT32, BASE_DEC, NULL, 0x0001,
291 NULL, HFILL }
292 },
293 { &hf_etw_event_property_forwarded_xml,
294 { "Forwarded XML", "etw.property.forwarded_xml",
295 FT_UINT32, BASE_DEC, NULL, 0x0002,
296 NULL, HFILL }
297 },
298 { &hf_etw_event_property_legacy_eventlog,
299 { "Legacy Event Log", "etw.property.legacy_event",
300 FT_UINT32, BASE_DEC, NULL, 0x0004,
301 NULL, HFILL }
302 },
303 { &hf_etw_event_property_legacy_reloggable,
304 { "Legacy Reloggable", "etw.property.legacy_reloggable",
305 FT_UINT32, BASE_DEC, NULL, 0x0008,
306 NULL, HFILL }
307 },
308 { &hf_etw_thread_id,
309 { "Thread ID", "etw.thread_id",
310 FT_UINT32, BASE_DEC, NULL, 0,
311 NULL, HFILL }
312 },
313 { &hf_etw_process_id,
314 { "Process ID", "etw.process_id",
315 FT_UINT32, BASE_DEC, NULL, 0,
316 NULL, HFILL }
317 },
318 { &hf_etw_time_stamp,
319 { "Time Stamp", "etw.time_stamp",
320 FT_UINT64, BASE_DEC, NULL, 0,
321 NULL, HFILL }
322 },
323 { &hf_etw_provider_id,
324 { "Provider ID", "etw.provider_id",
325 FT_GUID, BASE_NONE, NULL, 0,
326 NULL, HFILL }
327 },
328 { &hf_etw_buffer_context_processor_number,
329 { "Processor Number", "etw.buffer_context.processor_number",
330 FT_UINT8, BASE_DEC, NULL, 0,
331 NULL, HFILL }
332 },
333 { &hf_etw_buffer_context_alignment,
334 { "Alignment", "etw.buffer_context.alignment",
335 FT_UINT8, BASE_DEC, NULL, 0,
336 NULL, HFILL }
337 },
338 { &hf_etw_buffer_context_logger_id,
339 { "ID", "etw.buffer_context.logger_id",
340 FT_UINT16, BASE_DEC, NULL, 0,
341 NULL, HFILL }
342 },
343 { &hf_etw_message_length,
344 { "Message Length", "etw.message_length",
345 FT_UINT32, BASE_DEC, NULL, 0,
346 NULL, HFILL }
347 },
348 { &hf_etw_provider_name_length,
349 { "Provider Name Length", "etw.provider_name_length",
350 FT_UINT32, BASE_DEC, NULL, 0,
351 NULL, HFILL }
352 },
353 { &hf_etw_provider_name,
354 { "Provider Name", "etw.provider_name",
355 FT_STRINGZ, BASE_NONE, NULL, 0,
356 NULL, HFILL }
357 },
358 { &hf_etw_message,
359 { "Event Message", "etw.message",
360 FT_STRINGZ, BASE_NONE, NULL, 0,
361 NULL, HFILL }
362 },
363 { &hf_etw_user_data_length,
364 { "User Data Length", "etw.user_data_length",
365 FT_UINT32, BASE_DEC, NULL, 0,
366 NULL, HFILL }
367 },
368 { &hf_etw_descriptor_id,
369 { "ID", "etw.descriptor.id",
370 FT_UINT16, BASE_DEC, NULL, 0,
371 NULL, HFILL }
372 },
373 { &hf_etw_descriptor_version,
374 { "Version", "etw.descriptor.version",
375 FT_UINT8, BASE_DEC, NULL, 0,
376 NULL, HFILL }
377 },
378 { &hf_etw_descriptor_channel,
379 { "Channel", "etw.descriptor.channel",
380 FT_UINT8, BASE_DEC, NULL, 0,
381 NULL, HFILL }
382 },
383 { &hf_etw_descriptor_level,
384 { "Level", "etw.descriptor.level",
385 FT_UINT8, BASE_DEC, NULL, 0,
386 NULL, HFILL }
387 },
388 { &hf_etw_descriptor_opcode,
389 { "Opcode", "etw.descriptor.opcode",
390 FT_UINT8, BASE_DEC, NULL, 0,
391 NULL, HFILL }
392 },
393 { &hf_etw_descriptor_task,
394 { "Task", "etw.descriptor.task",
395 FT_UINT16, BASE_DEC, NULL, 0,
396 NULL, HFILL }
397 },
398 { &hf_etw_descriptor_keywords,
399 { "Keywords", "etw.descriptor.keywords",
400 FT_UINT64, BASE_DEC, NULL, 0,
401 NULL, HFILL }
402 },
403 { &hf_etw_processor_time,
404 { "Processor Time", "etw.processor_time",
405 FT_UINT64, BASE_DEC, NULL, 0,
406 NULL, HFILL }
407 },
408 { &hf_etw_activity_id,
409 { "Activity ID", "etw.activity_id",
410 FT_GUID, BASE_NONE, NULL, 0,
411 NULL, HFILL }
412 }
413 };
414
415 static int *ett[] = {
416 &ett_etw_header,
417 &ett_etw_descriptor,
418 &ett_etw_buffer_context,
419 &ett_etw_header_flags,
420 &ett_etw_event_property_types
421 };
422
423 proto_etw = proto_register_protocol("Event Tracing for Windows", "ETW", "etw");
424 proto_register_field_array(proto_etw, hf, array_length(hf));
425 proto_register_subtree_array(ett, array_length(ett));
426
427 etw_handle = register_dissector("etw", dissect_etw, proto_etw);
428 }
429
430 void
431 proto_reg_handoff_etw(void)
432 {
433 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETW, etw_handle);
434
435 mbim_dissector = find_dissector("mbim.control");
436 }
437
438 /*
439 * Editor modelines - https://www.wireshark.org/tools/modelines.html
440 *
441 * Local variables:
442 * c-basic-offset: 4
443 * tab-width: 8
444 * indent-tabs-mode: nil
445 * End:
446 *
447 * vi: set shiftwidth=4 tabstop=8 expandtab:
448 * :indentSize=4:tabSize=8:noTabs=true:
449 */
Metzes wireshark repo