search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-messageanalyzer.c
blob75c9d1816ce8c058598a4853c4996ea96ce3f52e
1 /* packet-messageanalyzer.c
2 * Routines for Message Analyzer capture dissection
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 */
10
11 #include "config.h"
12
13 #include <epan/packet.h>
14 #include <epan/addr_resolv.h>
15 #include <epan/ipproto.h>
16 #include <epan/unit_strings.h>
17
18 #include <wsutil/array.h>
19 #include <wsutil/utf8_entities.h>
20
21 #include "packet-netmon.h"
22 #include "packet-windows-common.h"
23 #include "packet-ipv6.h"
24
25 void proto_register_message_analyzer(void);
26 void proto_reg_handoff_message_analyzer(void);
27
28 /* Initialize the protocol and registered fields */
29 static int proto_ma_wfp_capture_v4;
30 static int proto_ma_wfp_capture2_v4;
31 static int proto_ma_wfp_capture_v6;
32 static int proto_ma_wfp_capture2_v6;
33 static int proto_ma_wfp_capture_auth_v4;
34 static int proto_ma_wfp_capture_auth_v6;
35 static int proto_etw_wfp_capture;
36 static int proto_etw_ndis;
37
38 static int hf_ma_wfp_capture_flow_context;
39 static int hf_ma_wfp_capture_payload_length;
40 static int hf_ma_wfp_capture_auth_src_port;
41 static int hf_ma_wfp_capture_auth_dst_port;
42 static int hf_ma_wfp_capture_auth_interface_id;
43 static int hf_ma_wfp_capture_auth_direction;
44 static int hf_ma_wfp_capture_auth_process_id;
45 static int hf_ma_wfp_capture_auth_process_path;
46
47 static int hf_etw_wfp_capture_event_id;
48 static int hf_etw_wfp_capture_driver_name;
49 static int hf_etw_wfp_capture_major_version;
50 static int hf_etw_wfp_capture_minor_version;
51 static int hf_etw_wfp_capture_callout;
52 static int hf_etw_wfp_capture_filter_id;
53 static int hf_etw_wfp_capture_filter_weight;
54 static int hf_etw_wfp_capture_driver_error_message;
55 static int hf_etw_wfp_capture_nt_status;
56 static int hf_etw_wfp_capture_callout_error_message;
57
58 static int hf_etw_ndis_event_id;
59 static int hf_etw_ndis_miniport_if_index;
60 static int hf_etw_ndis_lower_if_index;
61 static int hf_etw_ndis_fragment_size;
62 static int hf_etw_ndis_fragment;
63 static int hf_etw_ndis_metadata_size;
64 static int hf_etw_ndis_metadata;
65 static int hf_etw_ndis_source_port_id;
66 static int hf_etw_ndis_source_port_name;
67 static int hf_etw_ndis_source_nic_name;
68 static int hf_etw_ndis_source_nic_type;
69 static int hf_etw_ndis_destination_count;
70 static int hf_etw_ndis_destination_port_id;
71 static int hf_etw_ndis_destination_port_name;
72 static int hf_etw_ndis_destination_nic_name;
73 static int hf_etw_ndis_destination_nic_type;
74 static int hf_etw_ndis_oob_data_size;
75 static int hf_etw_ndis_oob_data;
76 static int hf_etw_ndis_rules_count;
77 static int hf_etw_ndis_friendly_name;
78 static int hf_etw_ndis_unique_name;
79 static int hf_etw_ndis_service_name;
80 static int hf_etw_ndis_version;
81 static int hf_etw_ndis_media_type;
82 static int hf_etw_ndis_reference_context;
83 static int hf_etw_ndis_rule_id;
84 static int hf_etw_ndis_directive;
85 static int hf_etw_ndis_value_length;
86 static int hf_etw_ndis_value;
87 static int hf_etw_ndis_error_code;
88 static int hf_etw_ndis_location;
89 static int hf_etw_ndis_context;
90 static int hf_etw_ndis_previous_state;
91 static int hf_etw_ndis_next_state;
92 static int hf_etw_ndis_source_id;
93 static int hf_etw_ndis_rundown_id;
94 static int hf_etw_ndis_param1;
95 static int hf_etw_ndis_param2;
96 static int hf_etw_ndis_param_str;
97 static int hf_etw_ndis_description;
98 static int hf_etw_ndis_source_name;
99 static int hf_etw_ndis_if_index;
100 static int hf_etw_ndis_layer_count;
101 static int hf_etw_ndis_layer_id;
102 static int hf_etw_ndis_layer_name;
103 static int hf_etw_ndis_keyword;
104 static int hf_etw_ndis_keyword_ethernet8023;
105 static int hf_etw_ndis_keyword_reserved1;
106 static int hf_etw_ndis_keyword_wireless_wan;
107 static int hf_etw_ndis_keyword_reserved2;
108 static int hf_etw_ndis_keyword_tunnel;
109 static int hf_etw_ndis_keyword_native80211;
110 static int hf_etw_ndis_keyword_reserved3;
111 static int hf_etw_ndis_keyword_vmswitch;
112 static int hf_etw_ndis_keyword_reserved4;
113 static int hf_etw_ndis_keyword_packet_start;
114 static int hf_etw_ndis_keyword_packet_end;
115 static int hf_etw_ndis_keyword_send_path;
116 static int hf_etw_ndis_keyword_receive_path;
117 static int hf_etw_ndis_keyword_l3_connect_path;
118 static int hf_etw_ndis_keyword_l2_connect_path;
119 static int hf_etw_ndis_keyword_close_path;
120 static int hf_etw_ndis_keyword_authentication;
121 static int hf_etw_ndis_keyword_configuration;
122 static int hf_etw_ndis_keyword_global;
123 static int hf_etw_ndis_keyword_dropped;
124 static int hf_etw_ndis_keyword_pii_present;
125 static int hf_etw_ndis_keyword_packet;
126 static int hf_etw_ndis_keyword_address;
127 static int hf_etw_ndis_keyword_std_template_hint;
128 static int hf_etw_ndis_keyword_state_transition;
129 static int hf_etw_ndis_keyword_reserved5;
130 static int hf_etw_ndis_packet_metadata_type;
131 static int hf_etw_ndis_packet_metadata_revision;
132 static int hf_etw_ndis_packet_metadata_size;
133 static int hf_etw_ndis_packet_metadata_wifi_flags;
134 static int hf_etw_ndis_packet_metadata_wifi_phytype;
135 static int hf_etw_ndis_packet_metadata_wifi_channel;
136 static int hf_etw_ndis_packet_metadata_wifi_mpdus_received;
137 static int hf_etw_ndis_packet_metadata_wifi_mpdu_padding;
138 static int hf_etw_ndis_packet_metadata_wifi_rssi;
139 static int hf_etw_ndis_packet_metadata_wifi_datarate;
140 static int hf_etw_ndis_packet_metadata_data;
141 static int hf_etw_ndis_tcp_ip_checksum_net_buffer_list;
142 static int hf_etw_ndis_ipsec_offload_v1_net_buffer_list_info;
143 static int hf_etw_ndis_tcp_large_send_net_buffer_list_info;
144 static int hf_etw_ndis_classification_handle_net_buffer_list_info;
145 static int hf_etw_ndis_ieee8021q_net_buffer_list_info;
146 static int hf_etw_ndis_net_buffer_cancel_id;
147 static int hf_etw_ndis_media_specific_information;
148 static int hf_etw_ndis_net_buffer_list_frame_type;
149 static int hf_etw_ndis_net_buffer_list_hash_value;
150 static int hf_etw_ndis_net_buffer_list_hash_info;
151 static int hf_etw_ndis_wpf_net_buffer_list_info;
152 static int hf_etw_ndis_max_net_buffer_list_info;
153
154 /* Fields used from other common dissectors */
155 static int hf_ip_src;
156 static int hf_ip_addr;
157 static int hf_ip_src_host;
158 static int hf_ip_host;
159 static int hf_ip_dst;
160 static int hf_ip_dst_host;
161 static int hf_ip_proto;
162 static int hf_ipv6_src;
163 static int hf_ipv6_addr;
164 static int hf_ipv6_src_host;
165 static int hf_ipv6_host;
166 static int hf_ipv6_dst;
167 static int hf_ipv6_dst_host;
168
169
170 /* Initialize the subtree pointers */
171 static int ett_ma_wfp_capture_v4;
172 static int ett_ma_wfp_capture_v6;
173 static int ett_ma_wfp_capture_auth;
174 static int ett_etw_wfp_capture;
175 static int ett_etw_ndis;
176 static int ett_etw_ndis_dest;
177 static int ett_etw_ndis_layer;
178 static int ett_etw_ndis_keyword;
179 static int ett_etw_ndis_packet_metadata;
180 static int ett_etw_ndis_oob_data;
181
182 static dissector_handle_t ma_wfp_capture_v4_handle;
183 static dissector_handle_t ma_wfp_capture2_v4_handle;
184 static dissector_handle_t ma_wfp_capture_v6_handle;
185 static dissector_handle_t ma_wfp_capture2_v6_handle;
186 static dissector_handle_t ma_wfp_capture_auth_v4_handle;
187 static dissector_handle_t ma_wfp_capture_auth_v6_handle;
188 static dissector_handle_t ip_handle;
189 static dissector_handle_t eth_handle;
190 static dissector_handle_t ieee80211_handle;
191
192 static dissector_table_t ip_dissector_table;
193
194 static void
195 add_ipv4_src_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset, proto_item* parent_item)
196 {
197 proto_item *item;
198 uint32_t addr;
199
200 set_address_tvb(&pinfo->net_src, AT_IPv4, 4, tvb, offset);
201 copy_address_shallow(&pinfo->src, &pinfo->net_src);
202
203 if (tree) {
204 const char *src_host;
205
206 memcpy(&addr, pinfo->net_src.data, 4);
207 src_host = get_hostname(addr);
208 proto_item_append_text(parent_item, ", Src: %s", address_with_resolution_to_str(pinfo->pool, &pinfo->net_src));
209
210 proto_tree_add_ipv4(tree, hf_ip_src, tvb, offset, 4, addr);
211 item = proto_tree_add_ipv4(tree, hf_ip_addr, tvb, offset, 4, addr);
212 proto_item_set_hidden(item);
213
214 item = proto_tree_add_string(tree, hf_ip_src_host, tvb, offset, 4, src_host);
215 proto_item_set_generated(item);
216 proto_item_set_hidden(item);
217
218 item = proto_tree_add_string(tree, hf_ip_host, tvb, offset, 4, src_host);
219 proto_item_set_generated(item);
220 proto_item_set_hidden(item);
221 }
222 }
223
224 static void
225 add_ipv4_dst_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset, proto_item* parent_item)
226 {
227 proto_item *item;
228 uint32_t addr;
229
230 set_address_tvb(&pinfo->net_dst, AT_IPv4, 4, tvb, offset);
231 copy_address_shallow(&pinfo->dst, &pinfo->net_dst);
232
233 if (tree) {
234 const char *dst_host;
235
236 memcpy(&addr, pinfo->net_dst.data, 4);
237 dst_host = get_hostname(addr);
238 proto_item_append_text(parent_item, ", Dst: %s", address_with_resolution_to_str(pinfo->pool, &pinfo->net_dst));
239
240 proto_tree_add_ipv4(tree, hf_ip_dst, tvb, offset, 4, addr);
241 item = proto_tree_add_ipv4(tree, hf_ip_addr, tvb, offset, 4, addr);
242 proto_item_set_hidden(item);
243
244 item = proto_tree_add_string(tree, hf_ip_dst_host, tvb, offset, 4, dst_host);
245 proto_item_set_generated(item);
246 proto_item_set_hidden(item);
247
248 item = proto_tree_add_string(tree, hf_ip_host, tvb, offset, 4, dst_host);
249 proto_item_set_generated(item);
250 proto_item_set_hidden(item);
251 }
252 }
253
254 static void
255 add_ipv6_src_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset)
256 {
257 proto_item *item;
258
259 set_address_tvb(&pinfo->net_src, AT_IPv6, IPv6_ADDR_SIZE, tvb, offset);
260 copy_address_shallow(&pinfo->src, &pinfo->net_src);
261
262 if (tree) {
263 const char *src_host;
264
265 src_host = address_to_display(pinfo->pool, &pinfo->net_src);
266
267 proto_tree_add_item(tree, hf_ipv6_src, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
268 item = proto_tree_add_item(tree, hf_ipv6_addr, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
269 proto_item_set_hidden(item);
270
271 item = proto_tree_add_string(tree, hf_ipv6_src_host, tvb, offset, IPv6_ADDR_SIZE, src_host);
272 proto_item_set_generated(item);
273 proto_item_set_hidden(item);
274
275 item = proto_tree_add_string(tree, hf_ipv6_host, tvb, offset, IPv6_ADDR_SIZE, src_host);
276 proto_item_set_generated(item);
277 proto_item_set_hidden(item);
278 }
279 }
280
281 static void
282 add_ipv6_dst_address(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset)
283 {
284 proto_item *item;
285
286 set_address_tvb(&pinfo->net_dst, AT_IPv6, IPv6_ADDR_SIZE, tvb, offset);
287 copy_address_shallow(&pinfo->dst, &pinfo->net_dst);
288
289 if (tree) {
290 const char *dst_host;
291
292 dst_host = address_to_display(pinfo->pool, &pinfo->net_dst);
293
294 proto_tree_add_item(tree, hf_ipv6_dst, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
295 item = proto_tree_add_item(tree, hf_ipv6_addr, tvb, offset, IPv6_ADDR_SIZE, ENC_NA);
296 proto_item_set_hidden(item);
297
298 item = proto_tree_add_string(tree, hf_ipv6_dst_host, tvb, offset, IPv6_ADDR_SIZE, dst_host);
299 proto_item_set_generated(item);
300 proto_item_set_hidden(item);
301
302 item = proto_tree_add_string(tree, hf_ipv6_host, tvb, offset, IPv6_ADDR_SIZE, dst_host);
303 proto_item_set_generated(item);
304 proto_item_set_hidden(item);
305 }
306 }
307
308 static int
309 dissect_ma_wfp_capture_v4_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto)
310 {
311 proto_item *ti;
312 proto_tree *wfp_tree;
313 int offset = 0;
314 uint32_t ip_proto, payload_length;
315 tvbuff_t *next_tvb;
316
317 ti = proto_tree_add_item(tree, proto, tvb, 0, -1, ENC_NA);
318 wfp_tree = proto_item_add_subtree(ti, ett_ma_wfp_capture_v4);
319
320 add_ipv4_src_address(wfp_tree, tvb, pinfo, offset, ti);
321 offset += 4;
322
323 add_ipv4_dst_address(wfp_tree, tvb, pinfo, offset, ti);
324 offset += 4;
325
326 proto_tree_add_item_ret_uint(wfp_tree, hf_ip_proto, tvb, offset, 1, ENC_NA, &ip_proto);
327 col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)", ipprotostr(ip_proto), ip_proto);
328 offset += 1;
329
330 if (proto == proto_ma_wfp_capture2_v4)
331 {
332 proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_flow_context, tvb, offset, 8, ENC_LITTLE_ENDIAN);
333 offset += 8;
334 }
335
336 proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_payload_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &payload_length);
337 offset += 2;
338
339 proto_item_set_len(ti, offset);
340
341 next_tvb = tvb_new_subset_remaining(tvb, offset);
342
343 if (!dissector_try_uint_with_data(ip_dissector_table, ip_proto, next_tvb, pinfo, tree, true, NULL)) {
344 call_data_dissector(next_tvb, pinfo, tree);
345 }
346
347 return tvb_captured_length(tvb);
348 }
349
350 static int
351 dissect_ma_wfp_capture_v4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
352 {
353 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture v4");
354 col_clear(pinfo->cinfo, COL_INFO);
355
356 return dissect_ma_wfp_capture_v4_common(tvb, pinfo, tree, proto_ma_wfp_capture_v4);
357 }
358
359 static int
360 dissect_ma_wfp_capture2_v4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
361 {
362 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture2 v4");
363 col_clear(pinfo->cinfo, COL_INFO);
364
365 return dissect_ma_wfp_capture_v4_common(tvb, pinfo, tree, proto_ma_wfp_capture2_v4);
366 }
367
368 static int
369 dissect_ma_wfp_capture_v6_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto)
370 {
371 proto_item *ti;
372 proto_tree *wfp_tree;
373 int offset = 0;
374 uint32_t ip_proto, payload_length;
375 tvbuff_t *next_tvb;
376
377 ti = proto_tree_add_item(tree, proto, tvb, 0, -1, ENC_NA);
378 wfp_tree = proto_item_add_subtree(ti, ett_ma_wfp_capture_v4);
379
380 add_ipv6_src_address(wfp_tree, tvb, pinfo, offset);
381 offset += IPv6_ADDR_SIZE;
382
383 add_ipv6_dst_address(wfp_tree, tvb, pinfo, offset);
384 offset += IPv6_ADDR_SIZE;
385
386 proto_tree_add_item_ret_uint(wfp_tree, hf_ip_proto, tvb, offset, 1, ENC_NA, &ip_proto);
387 col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)", ipprotostr(ip_proto), ip_proto);
388 offset += 1;
389
390 if (proto == proto_ma_wfp_capture2_v6)
391 {
392 proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_flow_context, tvb, offset, 8, ENC_LITTLE_ENDIAN);
393 offset += 8;
394 }
395
396 proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_payload_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &payload_length);
397 offset += 2;
398
399 next_tvb = tvb_new_subset_remaining(tvb, offset);
400
401 proto_item_set_len(ti, offset);
402
403 if (!dissector_try_uint_with_data(ip_dissector_table, ip_proto, next_tvb, pinfo, tree, true, NULL)) {
404 call_data_dissector(next_tvb, pinfo, tree);
405 }
406
407 return tvb_captured_length(tvb);
408 }
409
410 static int
411 dissect_ma_wfp_capture_v6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
412 {
413 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture v6");
414 col_clear(pinfo->cinfo, COL_INFO);
415
416 return dissect_ma_wfp_capture_v6_common(tvb, pinfo, tree, proto_ma_wfp_capture_v6);
417 }
418
419 static int
420 dissect_ma_wfp_capture2_v6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
421 {
422 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture2 v6");
423 col_clear(pinfo->cinfo, COL_INFO);
424
425 return dissect_ma_wfp_capture_v6_common(tvb, pinfo, tree, proto_ma_wfp_capture2_v6);
426 }
427
428 static int
429 dissect_ma_wfp_capture_auth_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto)
430 {
431 proto_item *ti;
432 proto_tree *wfp_tree;
433 int offset = 0;
434 uint32_t length, ip_proto;
435
436 ti = proto_tree_add_item(tree, proto, tvb, 0, -1, ENC_NA);
437 wfp_tree = proto_item_add_subtree(ti, ett_ma_wfp_capture_auth);
438
439 if (proto == proto_ma_wfp_capture_auth_v4)
440 {
441 add_ipv4_src_address(wfp_tree, tvb, pinfo, offset, ti);
442 offset += 4;
443 }
444 else
445 {
446 add_ipv6_src_address(wfp_tree, tvb, pinfo, offset);
447 offset += IPv6_ADDR_SIZE;
448 }
449
450 if (proto == proto_ma_wfp_capture_auth_v4)
451 {
452 add_ipv4_dst_address(wfp_tree, tvb, pinfo, offset, ti);
453 offset += 4;
454 }
455 else
456 {
457 add_ipv6_dst_address(wfp_tree, tvb, pinfo, offset);
458 offset += IPv6_ADDR_SIZE;
459 }
460
461 proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_auth_src_port, tvb, offset, 2, ENC_LITTLE_ENDIAN, &pinfo->srcport);
462 offset += 2;
463 proto_tree_add_item_ret_uint(wfp_tree, hf_ma_wfp_capture_auth_dst_port, tvb, offset, 2, ENC_LITTLE_ENDIAN, &pinfo->destport);
464 offset += 2;
465 col_add_fstr(pinfo->cinfo, COL_INFO, "%d %s %d", pinfo->srcport, UTF8_RIGHTWARDS_ARROW, pinfo->destport);
466
467 proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_auth_interface_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
468 offset += 8;
469 proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_auth_direction, tvb, offset, 1, ENC_LITTLE_ENDIAN);
470 offset += 1;
471 proto_tree_add_item_ret_uint(wfp_tree, hf_ip_proto, tvb, offset, 1, ENC_LITTLE_ENDIAN, &ip_proto);
472 col_add_fstr(pinfo->cinfo, COL_INFO, "%s (%u)", ipprotostr(ip_proto), ip_proto);
473 offset += 1;
474
475 proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_flow_context, tvb, offset, 8, ENC_LITTLE_ENDIAN);
476 offset += 8;
477 proto_tree_add_item(wfp_tree, hf_ma_wfp_capture_auth_process_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
478 offset += 8;
479 proto_tree_add_item_ret_length(wfp_tree, hf_ma_wfp_capture_auth_process_path, tvb, offset, 2, ENC_LITTLE_ENDIAN|ENC_UTF_16, &length);
480 offset += length;
481
482 proto_item_set_len(ti, offset);
483
484 return tvb_captured_length(tvb);
485 }
486
487 static int
488 dissect_ma_wfp_capture_auth_v4(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
489 {
490 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture AUTH v4");
491 col_clear(pinfo->cinfo, COL_INFO);
492
493 return dissect_ma_wfp_capture_auth_common(tvb, pinfo, tree, proto_ma_wfp_capture_auth_v4);
494 }
495
496 static int
497 dissect_ma_wfp_capture_auth_v6(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
498 {
499 col_set_str(pinfo->cinfo, COL_PROTOCOL, "MA WFP Capture AUTH v6");
500 col_clear(pinfo->cinfo, COL_INFO);
501
502 return dissect_ma_wfp_capture_auth_common(tvb, pinfo, tree, proto_ma_wfp_capture_auth_v6);
503 }
504
505 static const value_string etw_wfp_capture_event_vals[] = {
506 { 10001, "DriverLoad"},
507 { 10002, "DriverUnload"},
508 { 10003, "CalloutRegister"},
509 { 10004, "CalloutUnregister"},
510 { 10005, "CalloutNotifyFilterAdd"},
511 { 10006, "CalloutNotifyFilterDelete"},
512 { 20001, "DriverLoadError"},
513 { 20002, "DriverUnloadError"},
514 { 20003, "CalloutRegisterError"},
515 { 20004, "CalloutUnregisterError"},
516 { 20005, "CalloutClassifyError"},
517 { 60011, "TransportMessageV4"},
518 { 60012, "TransportMessage2V4"},
519 { 60021, "TransportMessageV6"},
520 { 60022, "TransportMessage2V6"},
521 { 60031, "AleAuthMessageV4"},
522 { 60041, "AleAuthMessageV6"},
523 { 60050, "Discard"},
524 { 0, NULL }
525 };
526
527 static const value_string etw_wfp_capture_callout_vals[] = {
528 { 0, "CALLOUT_INBOUND_TRANSPORT_V4"},
529 { 1, "CALLOUT_OUTBOUND_TRANSPORT_V4"},
530 { 2, "CALLOUT_OUTBOUND_TRANSPORT_V6"},
531 { 3, "CALLOUT_ALE_AUTH_CONNECT_V4"},
532 { 4, "CALLOUT_ALE_AUTH_CONNECT_V6"},
533 { 5, "CALLOUT_ALE_AUTH_RECV_ACCEPT_V4"},
534 { 6, "CALLOUT_ALE_AUTH_RECV_ACCEPT_V6"},
535 { 7, "CALLOUT_INBOUND_IPPACKET_V4_DISCARD"},
536 { 8, "CALLOUT_INBOUND_IPPACKET_V6_DISCARD"},
537 { 9, "CALLOUT_OUTBOUND_IPPACKET_V4_DISCARD"},
538 { 10, "CALLOUT_OUTBOUND_IPPACKET_V6_DISCARD"},
539 { 11, "CALLOUT_IPFORWARD_V4_DISCARD"},
540 { 12, "CALLOUT_IPFORWARD_V6_DISCARD"},
541 { 13, "CALLOUT_INBOUND_TRANSPORT_V4_DISCARD"},
542 { 14, "CALLOUT_INBOUND_TRANSPORT_V6_DISCARD"},
543 { 15, "CALLOUT_OUTBOUND_TRANSPORT_V4_DISCARD"},
544 { 16, "CALLOUT_OUTBOUND_TRANSPORT_V6_DISCARD"},
545 { 17, "CALLOUT_DATAGRAM_DATA_V4_DISCARD"},
546 { 18, "CALLOUT_DATAGRAM_DATA_V6_DISCARD"},
547 { 19, "CALLOUT_INBOUND_ICMP_ERROR_V4_DISCARD"},
548 { 20, "CALLOUT_INBOUND_ICMP_ERROR_V6_DISCARD"},
549 { 21, "CALLOUT_OUTBOUND_ICMP_ERROR_V4_DISCARD"},
550 { 22, "CALLOUT_OUTBOUND_ICMP_ERROR_V6_DISCARD"},
551 { 23, "CALLOUT_ALE_RESOURCE_ASSIGNMENT_V4_DISCARD"},
552 { 24, "CALLOUT_ALE_RESOURCE_ASSIGNMENT_V6_DISCARD"},
553 { 25, "CALLOUT_ALE_AUTH_LISTEN_V4_DISCARD"},
554 { 26, "CALLOUT_ALE_AUTH_LISTEN_V6_DISCARD"},
555 { 27, "CALLOUT_ALE_AUTH_RECV_ACCEPT_V4_DISCARD"},
556 { 28, "CALLOUT_ALE_AUTH_RECV_ACCEPT_V6_DISCARD"},
557 { 29, "CALLOUT_ALE_AUTH_CONNECT_V4_DISCARD"},
558 { 30, "CALLOUT_ALE_AUTH_CONNECT_V6_DISCARD"},
559 { 31, "CALLOUT_ALE_FLOW_ESTABLISHED_V4_DISCARD"},
560 { 32, "CALLOUT_ALE_FLOW_ESTABLISHED_V6_DISCARD"},
561 { 0, NULL }
562 };
563
564 static int
565 dissect_etw_wfp_capture(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
566 {
567 proto_item *ti, *generated;
568 proto_tree *etw_tree;
569 int offset = 0;
570 struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data;
571 unsigned length;
572
573 DISSECTOR_ASSERT(provider_id_data != NULL);
574
575 col_set_str(pinfo->cinfo, COL_PROTOCOL, "ETW WFP Capture");
576 col_clear(pinfo->cinfo, COL_INFO);
577
578 ti = proto_tree_add_item(tree, proto_etw_wfp_capture, tvb, 0, -1, ENC_NA);
579 etw_tree = proto_item_add_subtree(ti, ett_etw_wfp_capture);
580
581 generated = proto_tree_add_uint(etw_tree, hf_etw_wfp_capture_event_id, tvb, 0, 0, provider_id_data->event_id);
582 proto_item_set_generated(generated);
583 col_set_str(pinfo->cinfo, COL_INFO, val_to_str_const(provider_id_data->event_id, etw_wfp_capture_event_vals, "Unknown"));
584
585 switch (provider_id_data->event_id)
586 {
587 case 10001: // DriverLoad
588 case 10002: // DriverUnload
589 length = tvb_unicode_strsize(tvb, offset);
590 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_driver_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
591 offset += length;
592 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_major_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
593 offset += 2;
594 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_minor_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
595 offset += 2;
596 break;
597
598 case 10003: // CalloutRegister
599 case 10004: // CalloutUnregister
600 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_callout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
601 offset += 4;
602 break;
603
604 case 10005: // CalloutNotifyFilterAdd
605 case 10006: // CalloutNotifyFilterDelete
606 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_filter_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
607 offset += 8;
608 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_callout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
609 offset += 4;
610 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_filter_weight, tvb, offset, 8, ENC_LITTLE_ENDIAN);
611 offset += 8;
612 break;
613
614 case 20001: // DriverLoadError
615 case 20002: // DriverUnloadError
616 length = tvb_unicode_strsize(tvb, offset);
617 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_driver_error_message, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
618 offset += length;
619 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
620 offset += 4;
621 break;
622
623 case 20003: // CalloutRegisterError
624 case 20004: // CalloutUnregisterError
625 case 20005: // CalloutClassifyError
626 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_callout, tvb, offset, 4, ENC_LITTLE_ENDIAN);
627 offset += 4;
628 length = tvb_unicode_strsize(tvb, offset);
629 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_callout_error_message, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
630 offset += length;
631 proto_tree_add_item(etw_tree, hf_etw_wfp_capture_nt_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
632 offset += 4;
633 break;
634
635 case 60011: // TransportMessageV4
636 call_dissector(ma_wfp_capture_v4_handle, tvb, pinfo, tree);
637 break;
638
639 case 60012: // TransportMessage2V4
640 call_dissector(ma_wfp_capture2_v4_handle, tvb, pinfo, tree);
641 break;
642
643 case 60021: // TransportMessageV6
644 call_dissector(ma_wfp_capture_v6_handle, tvb, pinfo, tree);
645 break;
646
647 case 60022: // TransportMessage2V6
648 call_dissector(ma_wfp_capture2_v6_handle, tvb, pinfo, tree);
649 break;
650
651 case 60031: // AleAuthMessageV4
652 call_dissector(ma_wfp_capture_auth_v4_handle, tvb, pinfo, tree);
653 break;
654
655 case 60041: // AleAuthMessageV6
656 call_dissector(ma_wfp_capture_auth_v6_handle, tvb, pinfo, tree);
657 break;
658 }
659
660 proto_item_set_len(ti, offset);
661 return tvb_captured_length(tvb);
662 }
663
664 static const value_string etw_ndis_event_vals[] = {
665 { 1001, "EventPacketFragment"},
666 { 1002, "EventPacketMetadata"},
667 { 1003, "EventVMSwitchPacketFragment"},
668 { 1011, "EventCaptureRules"},
669 { 1012, "EventDriverLoad"},
670 { 1013, "EventDriverUnload"},
671 { 1014, "EventLayerLoad"},
672 { 1015, "EventLayerUnload"},
673 { 1016, "EventCaptureRule"},
674 { 2001, "EventDriverLoadError"},
675 { 2002, "EventLayerLoadError"},
676 { 2003, "EventRuleLoadError"},
677 { 3001, "EventStartLayerLoad"},
678 { 3002, "EventEndLayerLoad"},
679 { 5000, "EventRxPacketStart"},
680 { 5001, "EventRxPacketComplete"},
681 { 5002, "EventTxPacketStart"},
682 { 5003, "EventTxPacketComplete"},
683 { 5100, "EventStateRundown"},
684 { 5101, "EventPktSourceInfo"},
685 { 0, NULL }
686 };
687
688 static const value_string etw_ndis_rule_vals[] = {
689 { 2, "FrameControl"},
690 { 3, "MultiLayer"},
691 { 4, "InterfaceIndex"},
692 { 6, "EtherType"},
693 { 7, "Source_MAC_Address"},
694 { 8, "Destination_MAC_Address"},
695 { 9, "Any_MAC_Address"},
696 { 10, "Source_IPv4_Address"},
697 { 11, "Destination_IPv4_Address"},
698 { 12, "Any_IPv4_Address"},
699 { 13, "Source_IPv6_Address"},
700 { 14, "Destination_IPv6_Address"},
701 { 15, "Any_IPv6_Address"},
702 { 16, "IP_Protocol"},
703 { 17, "Packet_Truncate_Bytes"},
704 { 18, "Custom_MAC_Offset"},
705 { 19, "Custom_IP_Offset"},
706 { 0, NULL }
707 };
708
709 static const value_string etw_ndis_directive_vals[] = {
710 { 0, "OFF"},
711 { 1, "LTE"},
712 { 2, "GTE"},
713 { 3, "EQU"},
714 { 4, "MASK"},
715 { 5, "LIST"},
716 { 6, "RANGE"},
717 { 131, "NEQ"},
718 { 132, "NMASK"},
719 { 133, "NLIST"},
720 { 134, "NRANGE"},
721 { 0, NULL }
722 };
723
724 static const value_string etw_ndis_opcode_vals[] = {
725 { 1, "Start_State"},
726 { 2, "End_State"},
727 { 21, "Loading_State"},
728 { 22, "Unloading_State"},
729 { 0, NULL }
730 };
731
732 static const value_string etw_ndis_map_capture_vals[] = {
733 { 0, "Undefined"},
734 { 1, "NDIS"},
735 { 2, "VM_Switch"},
736 { 3, "Test"},
737 { 0, NULL }
738 };
739
740 #define ETW_NDIS_WIFI_PHYTYPE_80211A 4
741 #define ETW_NDIS_WIFI_PHYTYPE_80211B 5
742 #define ETW_NDIS_WIFI_PHYTYPE_80211G 6
743 #define ETW_NDIS_WIFI_PHYTYPE_80211N 7
744
745 static const value_string etw_ndis_wifi_phytype_vals[] = {
746 { ETW_NDIS_WIFI_PHYTYPE_80211A, "802.11a"},
747 { ETW_NDIS_WIFI_PHYTYPE_80211B, "802.11b"},
748 { ETW_NDIS_WIFI_PHYTYPE_80211G, "802.11g"},
749 { ETW_NDIS_WIFI_PHYTYPE_80211N, "802.11n"},
750 { 0, NULL }
751 };
752
753
754 #define ETW_NDIS_KEYWORD_ETHERNET8023 UINT64_C(0x0000000000000001)
755 #define ETW_NDIS_KEYWORD_RESERVED1 UINT64_C(0x00000000000001FE)
756 #define ETW_NDIS_KEYWORD_WIRELESS_WAN UINT64_C(0x0000000000000200)
757 #define ETW_NDIS_KEYWORD_RESERVED2 UINT64_C(0x0000000000007C00)
758 #define ETW_NDIS_KEYWORD_TUNNEL UINT64_C(0x0000000000008000)
759 #define ETW_NDIS_KEYWORD_NATIVE_80211 UINT64_C(0x0000000000010000)
760 #define ETW_NDIS_KEYWORD_RESERVED3 UINT64_C(0x0000000000FE0000)
761 #define ETW_NDIS_KEYWORD_VM_SWITCH UINT64_C(0x0000000001000000)
762 #define ETW_NDIS_KEYWORD_RESERVED4 UINT64_C(0x000000003E000000)
763 #define ETW_NDIS_KEYWORD_PACKET_START UINT64_C(0x0000000040000000)
764 #define ETW_NDIS_KEYWORD_PACKET_END UINT64_C(0x0000000080000000)
765 #define ETW_NDIS_KEYWORD_SEND_PATH UINT64_C(0x0000000100000000)
766 #define ETW_NDIS_KEYWORD_RECV_PATH UINT64_C(0x0000000200000000)
767 #define ETW_NDIS_KEYWORD_L3_CONN_PATH UINT64_C(0x0000000400000000)
768 #define ETW_NDIS_KEYWORD_L2_CONN_PATH UINT64_C(0x0000000800000000)
769 #define ETW_NDIS_KEYWORD_CLOSE_PATH UINT64_C(0x0000001000000000)
770 #define ETW_NDIS_KEYWORD_AUTHENTICATION UINT64_C(0x0000002000000000)
771 #define ETW_NDIS_KEYWORD_CONFIGURATION UINT64_C(0x0000004000000000)
772 #define ETW_NDIS_KEYWORD_GLOBAL UINT64_C(0x0000008000000000)
773 #define ETW_NDIS_KEYWORD_DROPPED UINT64_C(0x0000010000000000)
774 #define ETW_NDIS_KEYWORD_PII_PRESENT UINT64_C(0x0000020000000000)
775 #define ETW_NDIS_KEYWORD_PACKET UINT64_C(0x0000040000000000)
776 #define ETW_NDIS_KEYWORD_ADDRESS UINT64_C(0x0000080000000000)
777 #define ETW_NDIS_KEYWORD_STD_TEMPLATE_HINT UINT64_C(0x0000100000000000)
778 #define ETW_NDIS_KEYWORD_STATE_TRANSITION UINT64_C(0x0000200000000000)
779 #define ETW_NDIS_KEYWORD_RESERVED5 UINT64_C(0xFFFFC00000000000)
780
781 static void
782 etw_ndis_packet_metadata(proto_tree *tree, tvbuff_t *tvb, packet_info *pinfo, int offset)
783 {
784 int start_offset = offset;
785 proto_tree* metadata_tree;
786 proto_item* metadata_item;
787 uint32_t revision, length;
788
789 metadata_tree = proto_tree_add_subtree(tree, tvb, offset, 4, ett_etw_ndis_packet_metadata, &metadata_item, "WiFiMetadata");
790
791 proto_tree_add_item(metadata_tree, hf_etw_ndis_packet_metadata_type, tvb, offset, 1, ENC_LITTLE_ENDIAN);
792 offset += 1;
793 proto_tree_add_item_ret_uint(metadata_tree, hf_etw_ndis_packet_metadata_revision, tvb, offset, 1, ENC_LITTLE_ENDIAN, &revision);
794 offset += 1;
795 proto_tree_add_item_ret_uint(metadata_tree, hf_etw_ndis_packet_metadata_size, tvb, offset, 2, ENC_LITTLE_ENDIAN, &length);
796 offset += 2;
797
798 if (revision == 1)
799 {
800 uint32_t phytype, channel, rate;
801 int32_t rssi;
802
803 proto_tree_add_item(metadata_tree, hf_etw_ndis_packet_metadata_wifi_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
804 offset += 4;
805 proto_tree_add_item_ret_uint(metadata_tree, hf_etw_ndis_packet_metadata_wifi_phytype, tvb, offset, 4, ENC_LITTLE_ENDIAN, &phytype);
806 offset += 4;
807 channel = tvb_get_letohl(tvb, offset);
808 if (channel > 0)
809 {
810 if (phytype == ETW_NDIS_WIFI_PHYTYPE_80211A)
811 {
812 channel = (channel-5180)/5 + 36;
813 }
814 else
815 {
816 channel = (channel-2412)/5 + 1;
817 }
818 }
819 proto_tree_add_uint(metadata_tree, hf_etw_ndis_packet_metadata_wifi_channel, tvb, offset, 4, channel);
820 offset += 4;
821 proto_tree_add_item(metadata_tree, hf_etw_ndis_packet_metadata_wifi_mpdus_received, tvb, offset, 2, ENC_LITTLE_ENDIAN);
822 offset += 2;
823 proto_tree_add_item(metadata_tree, hf_etw_ndis_packet_metadata_wifi_mpdu_padding, tvb, offset, 2, ENC_NA);
824 offset += 2;
825 proto_tree_add_item_ret_int(metadata_tree, hf_etw_ndis_packet_metadata_wifi_rssi, tvb, offset, 4, ENC_LITTLE_ENDIAN, &rssi);
826 offset += 4;
827 rate = tvb_get_uint8(tvb, offset);
828 proto_tree_add_uint_format_value(metadata_tree, hf_etw_ndis_packet_metadata_wifi_datarate, tvb, offset, 1, rate, "%u.%u Mbps", rate / 2, rate % 2 > 0 ? 5 : 0);
829 offset += 1;
830 col_append_fstr(pinfo->cinfo, COL_INFO, ": RSSI = %d dBm, Rate = %u.%u Mbps", rssi, rate / 2, rate % 2 > 0 ? 5 : 0);
831 }
832 else
833 {
834 proto_tree_add_item(metadata_tree, hf_etw_ndis_packet_metadata_data, tvb, offset, length, ENC_NA);
835 offset += length;
836 }
837
838 proto_item_set_len(metadata_item, offset-start_offset);
839 }
840
841
842 static int
843 dissect_etw_ndis(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
844 {
845 proto_item *ti, *generated, *dest_item, *layer_item;
846 proto_tree *etw_tree, *dest_tree, *layer_tree, *oob_tree;
847 int offset = 0, dest_start, layer_start;
848 struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data;
849 unsigned i, length;
850 tvbuff_t *next_tvb;
851
852 static int * const keyword_fields[] = {
853 &hf_etw_ndis_keyword_ethernet8023,
854 &hf_etw_ndis_keyword_reserved1,
855 &hf_etw_ndis_keyword_wireless_wan,
856 &hf_etw_ndis_keyword_reserved2,
857 &hf_etw_ndis_keyword_tunnel,
858 &hf_etw_ndis_keyword_native80211,
859 &hf_etw_ndis_keyword_reserved3,
860 &hf_etw_ndis_keyword_vmswitch,
861 &hf_etw_ndis_keyword_reserved4,
862 &hf_etw_ndis_keyword_packet_start,
863 &hf_etw_ndis_keyword_packet_end,
864 &hf_etw_ndis_keyword_send_path,
865 &hf_etw_ndis_keyword_receive_path,
866 &hf_etw_ndis_keyword_l3_connect_path,
867 &hf_etw_ndis_keyword_l2_connect_path,
868 &hf_etw_ndis_keyword_close_path,
869 &hf_etw_ndis_keyword_authentication,
870 &hf_etw_ndis_keyword_configuration,
871 &hf_etw_ndis_keyword_global,
872 &hf_etw_ndis_keyword_dropped,
873 &hf_etw_ndis_keyword_pii_present,
874 &hf_etw_ndis_keyword_packet,
875 &hf_etw_ndis_keyword_address,
876 &hf_etw_ndis_keyword_std_template_hint,
877 &hf_etw_ndis_keyword_state_transition,
878 &hf_etw_ndis_keyword_reserved5,
879 NULL
880 };
881
882 DISSECTOR_ASSERT(provider_id_data != NULL);
883
884 col_set_str(pinfo->cinfo, COL_PROTOCOL, "ETW Ndis");
885 col_clear(pinfo->cinfo, COL_INFO);
886
887 ti = proto_tree_add_item(tree, proto_etw_ndis, tvb, 0, -1, ENC_NA);
888 etw_tree = proto_item_add_subtree(ti, ett_etw_ndis);
889
890 generated = proto_tree_add_uint(etw_tree, hf_etw_ndis_event_id, tvb, 0, 0, provider_id_data->event_id);
891 proto_item_set_generated(generated);
892 col_set_str(pinfo->cinfo, COL_INFO, val_to_str_const(provider_id_data->event_id, etw_ndis_event_vals, "Unknown"));
893 generated = proto_tree_add_bitmask_value(etw_tree, tvb, 0, hf_etw_ndis_keyword, ett_etw_ndis_keyword, keyword_fields, provider_id_data->keyword);
894 proto_item_set_generated(generated);
895
896
897
898 switch (provider_id_data->event_id)
899 {
900 case 1001: // EventPacketFragment
901 proto_tree_add_item(etw_tree, hf_etw_ndis_miniport_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
902 offset += 4;
903 proto_tree_add_item(etw_tree, hf_etw_ndis_lower_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
904 offset += 4;
905 proto_tree_add_item_ret_uint(etw_tree, hf_etw_ndis_fragment_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
906 offset += 4;
907 if ((provider_id_data->keyword & (ETW_NDIS_KEYWORD_PACKET_START|ETW_NDIS_KEYWORD_PACKET_END)) == (ETW_NDIS_KEYWORD_PACKET_START|ETW_NDIS_KEYWORD_PACKET_END))
908 {
909 /* This is a complete packet */
910 next_tvb = tvb_new_subset_length(tvb, offset, length);
911
912 if (provider_id_data->keyword & ETW_NDIS_KEYWORD_ETHERNET8023)
913 {
914 call_dissector(eth_handle, next_tvb, pinfo, tree);
915 }
916 else if (provider_id_data->keyword & ETW_NDIS_KEYWORD_NATIVE_80211)
917 {
918 call_dissector(ieee80211_handle, next_tvb, pinfo, tree);
919 }
920 else if (provider_id_data->keyword & ETW_NDIS_KEYWORD_WIRELESS_WAN)
921 {
922 call_dissector(ip_handle, next_tvb, pinfo, tree);
923 }
924 }
925 else
926 {
927 proto_tree_add_item(etw_tree, hf_etw_ndis_fragment, tvb, offset, length, ENC_NA);
928 offset += length;
929 }
930 break;
931
932 case 1002: // EventPacketMetadata
933 proto_tree_add_item(etw_tree, hf_etw_ndis_miniport_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
934 offset += 4;
935 proto_tree_add_item(etw_tree, hf_etw_ndis_lower_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
936 offset += 4;
937 proto_tree_add_item_ret_uint(etw_tree, hf_etw_ndis_metadata_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
938 offset += 4;
939 if (provider_id_data->keyword & ETW_NDIS_KEYWORD_NATIVE_80211)
940 {
941 etw_ndis_packet_metadata(etw_tree, tvb, pinfo, offset);
942 }
943 else
944 {
945 proto_tree_add_item(etw_tree, hf_etw_ndis_metadata, tvb, offset, length, ENC_NA);
946 }
947 offset += length;
948 break;
949
950 case 1003: // EventVMSwitchPacketFragment
951 proto_tree_add_item(etw_tree, hf_etw_ndis_miniport_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
952 offset += 4;
953 proto_tree_add_item(etw_tree, hf_etw_ndis_lower_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
954 offset += 4;
955 proto_tree_add_item(etw_tree, hf_etw_ndis_source_port_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
956 offset += 4;
957 length = tvb_unicode_strsize(tvb, offset);
958 proto_tree_add_item(etw_tree, hf_etw_ndis_source_port_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
959 offset += length;
960 length = tvb_unicode_strsize(tvb, offset);
961 proto_tree_add_item(etw_tree, hf_etw_ndis_source_nic_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
962 offset += length;
963 length = tvb_unicode_strsize(tvb, offset);
964 proto_tree_add_item(etw_tree, hf_etw_ndis_source_nic_type, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
965 offset += length;
966 proto_tree_add_item_ret_uint(etw_tree, hf_etw_ndis_destination_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
967 offset += 4;
968 for (i = 1; i <= length; i++)
969 {
970 dest_start = offset;
971 dest_tree = proto_tree_add_subtree_format(etw_tree, tvb, offset, 4, ett_etw_ndis_dest, &dest_item, "Destination #%d", i);
972
973 proto_tree_add_item(dest_tree, hf_etw_ndis_destination_port_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
974 offset += 4;
975 length = tvb_unicode_strsize(tvb, offset);
976 proto_tree_add_item(dest_tree, hf_etw_ndis_destination_port_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
977 offset += length;
978 length = tvb_unicode_strsize(tvb, offset);
979 proto_tree_add_item(dest_tree, hf_etw_ndis_destination_nic_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
980 offset += length;
981 length = tvb_unicode_strsize(tvb, offset);
982 proto_tree_add_item(dest_tree, hf_etw_ndis_destination_nic_type, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
983 offset += length;
984
985 proto_item_set_len(dest_item, offset-dest_start);
986 }
987
988 proto_tree_add_item_ret_uint(etw_tree, hf_etw_ndis_fragment_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
989 offset += 4;
990 if (provider_id_data->keyword & ETW_NDIS_KEYWORD_PACKET_START)
991 {
992 /* This is a complete packet */
993 next_tvb = tvb_new_subset_length(tvb, offset, length);
994
995 if (provider_id_data->keyword & ETW_NDIS_KEYWORD_ETHERNET8023)
996 {
997 call_dissector(eth_handle, next_tvb, pinfo, tree);
998 }
999 else if (provider_id_data->keyword & ETW_NDIS_KEYWORD_NATIVE_80211)
1000 {
1001 call_dissector(ieee80211_handle, next_tvb, pinfo, tree);
1002 }
1003 else if (provider_id_data->keyword & ETW_NDIS_KEYWORD_WIRELESS_WAN)
1004 {
1005 call_dissector(ip_handle, next_tvb, pinfo, tree);
1006 }
1007 }
1008 else
1009 {
1010 proto_tree_add_item(etw_tree, hf_etw_ndis_fragment, tvb, offset, length, ENC_NA);
1011 offset += length;
1012 }
1013 proto_tree_add_item_ret_uint(etw_tree, hf_etw_ndis_oob_data_size, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
1014 offset += 4;
1015
1016 if ((int)length == tvb_reported_length_remaining(tvb, offset))
1017 {
1018 oob_tree = proto_tree_add_subtree(etw_tree, tvb, offset, length, ett_etw_ndis_oob_data, NULL, "OOB Data");
1019
1020 /* XXX - Need Provider ID version information here */
1021 if (provider_id_data->event_flags & EVENT_HEADER_FLAG_64_BIT_HEADER)
1022 {
1023 proto_tree_add_item(oob_tree, hf_etw_ndis_tcp_ip_checksum_net_buffer_list, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1024 offset += 8;
1025 proto_tree_add_item(oob_tree, hf_etw_ndis_ipsec_offload_v1_net_buffer_list_info, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1026 offset += 8;
1027 proto_tree_add_item(oob_tree, hf_etw_ndis_tcp_large_send_net_buffer_list_info, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1028 offset += 8;
1029 proto_tree_add_item(oob_tree, hf_etw_ndis_classification_handle_net_buffer_list_info, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1030 offset += 8;
1031 proto_tree_add_item(oob_tree, hf_etw_ndis_ieee8021q_net_buffer_list_info, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1032 offset += 8;
1033 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_cancel_id, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1034 offset += 8;
1035 proto_tree_add_item(oob_tree, hf_etw_ndis_media_specific_information, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1036 offset += 8;
1037 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_list_frame_type, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1038 offset += 8;
1039 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_list_hash_value, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1040 offset += 8;
1041 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_list_hash_info, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1042 offset += 8;
1043 proto_tree_add_item(oob_tree, hf_etw_ndis_wpf_net_buffer_list_info, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1044 offset += 8;
1045 proto_tree_add_item(oob_tree, hf_etw_ndis_max_net_buffer_list_info, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1046 offset += 8;
1047 }
1048 else
1049 {
1050 proto_tree_add_item(oob_tree, hf_etw_ndis_tcp_ip_checksum_net_buffer_list, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1051 offset += 4;
1052 proto_tree_add_item(oob_tree, hf_etw_ndis_ipsec_offload_v1_net_buffer_list_info, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1053 offset += 4;
1054 proto_tree_add_item(oob_tree, hf_etw_ndis_tcp_large_send_net_buffer_list_info, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1055 offset += 4;
1056 proto_tree_add_item(oob_tree, hf_etw_ndis_classification_handle_net_buffer_list_info, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1057 offset += 4;
1058 proto_tree_add_item(oob_tree, hf_etw_ndis_ieee8021q_net_buffer_list_info, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1059 offset += 4;
1060 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_cancel_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1061 offset += 4;
1062 proto_tree_add_item(oob_tree, hf_etw_ndis_media_specific_information, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1063 offset += 4;
1064 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_list_frame_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1065 offset += 4;
1066 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_list_hash_value, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1067 offset += 4;
1068 proto_tree_add_item(oob_tree, hf_etw_ndis_net_buffer_list_hash_info, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1069 offset += 4;
1070 proto_tree_add_item(oob_tree, hf_etw_ndis_wpf_net_buffer_list_info, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1071 offset += 4;
1072 proto_tree_add_item(oob_tree, hf_etw_ndis_max_net_buffer_list_info, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1073 offset += 4;
1074 }
1075 }
1076 else
1077 {
1078 proto_tree_add_item(etw_tree, hf_etw_ndis_oob_data, tvb, offset, length, ENC_NA);
1079 offset += length;
1080 }
1081 break;
1082
1083 case 1011: // EventCaptureRules
1084 proto_tree_add_item(etw_tree, hf_etw_ndis_rules_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1085 offset += 4;
1086 break;
1087
1088 case 1012: // EventDriverLoad
1089 case 1013: // EventDriverUnload
1090 length = tvb_unicode_strsize(tvb, offset);
1091 proto_tree_add_item(etw_tree, hf_etw_ndis_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1092 offset += length;
1093 length = tvb_unicode_strsize(tvb, offset);
1094 proto_tree_add_item(etw_tree, hf_etw_ndis_unique_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1095 offset += length;
1096 length = tvb_unicode_strsize(tvb, offset);
1097 proto_tree_add_item(etw_tree, hf_etw_ndis_service_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1098 offset += length;
1099 length = tvb_unicode_strsize(tvb, offset);
1100 proto_tree_add_item(etw_tree, hf_etw_ndis_version, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1101 offset += length;
1102 break;
1103
1104 case 1014: // EventLayerLoad
1105 case 1015: // EventLayerUnload
1106 proto_tree_add_item(etw_tree, hf_etw_ndis_miniport_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1107 offset += 4;
1108 proto_tree_add_item(etw_tree, hf_etw_ndis_lower_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1109 offset += 4;
1110 proto_tree_add_item(etw_tree, hf_etw_ndis_media_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1111 offset += 4;
1112 proto_tree_add_item(etw_tree, hf_etw_ndis_reference_context, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1113 offset += 4;
1114 break;
1115
1116 case 1016: // EventCaptureRule
1117 case 2003: // EventRuleLoadError
1118 proto_tree_add_item(etw_tree, hf_etw_ndis_rule_id, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1119 offset += 1;
1120 proto_tree_add_item(etw_tree, hf_etw_ndis_directive, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1121 offset += 1;
1122 proto_tree_add_item_ret_uint(etw_tree, hf_etw_ndis_value_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &length);
1123 offset += 4;
1124 proto_tree_add_item(etw_tree, hf_etw_ndis_value, tvb, offset, length, ENC_NA);
1125 offset += length;
1126 break;
1127
1128 case 2001: // EventDriverLoadError
1129 case 2002: // EventLayerLoadError
1130 proto_tree_add_item(etw_tree, hf_etw_ndis_error_code, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1131 offset += 4;
1132 proto_tree_add_item(etw_tree, hf_etw_ndis_location, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1133 offset += 4;
1134 proto_tree_add_item(etw_tree, hf_etw_ndis_context, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1135 offset += 4;
1136 break;
1137
1138 case 3001: // EventStartLayerLoad
1139 case 3002: // EventEndLayerLoad
1140 proto_tree_add_item(etw_tree, hf_etw_ndis_previous_state, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1141 offset += 1;
1142 proto_tree_add_item(etw_tree, hf_etw_ndis_next_state, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1143 offset += 1;
1144 proto_tree_add_item(etw_tree, hf_etw_ndis_location, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1145 offset += 4;
1146 proto_tree_add_item(etw_tree, hf_etw_ndis_context, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1147 offset += 4;
1148 break;
1149
1150 case 5000: // EventRxPacketStart
1151 case 5001: // EventRxPacketComplete
1152 case 5002: // EventTxPacketStart
1153 case 5003: // EventTxPacketComplete
1154 break;
1155
1156 case 5100: // EventStateRundown
1157 proto_tree_add_item(etw_tree, hf_etw_ndis_source_id, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1158 offset += 1;
1159 proto_tree_add_item(etw_tree, hf_etw_ndis_rundown_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1160 offset += 4;
1161 proto_tree_add_item(etw_tree, hf_etw_ndis_param1, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1162 offset += 4;
1163 proto_tree_add_item(etw_tree, hf_etw_ndis_param2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1164 offset += 4;
1165 length = tvb_unicode_strsize(tvb, offset);
1166 proto_tree_add_item(etw_tree, hf_etw_ndis_param_str, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1167 offset += length;
1168 length = tvb_unicode_strsize(tvb, offset);
1169 proto_tree_add_item(etw_tree, hf_etw_ndis_description, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1170 offset += length;
1171 break;
1172
1173 case 5101: // EventPktSourceInfo
1174 proto_tree_add_item(etw_tree, hf_etw_ndis_source_id, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1175 offset += 1;
1176 length = tvb_unicode_strsize(tvb, offset);
1177 proto_tree_add_item(etw_tree, hf_etw_ndis_source_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1178 offset += length;
1179 proto_tree_add_item(etw_tree, hf_etw_ndis_if_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1180 offset += 4;
1181 proto_tree_add_item_ret_uint(etw_tree, hf_etw_ndis_layer_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &length);
1182 offset += 2;
1183 for (i = 1; i <= length; i++)
1184 {
1185 layer_start = offset;
1186 layer_tree = proto_tree_add_subtree_format(etw_tree, tvb, offset, 4, ett_etw_ndis_layer, &layer_item, "Layer #%d", i);
1187 proto_tree_add_item(layer_tree, hf_etw_ndis_layer_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1188 offset += 4;
1189 length = tvb_unicode_strsize(tvb, offset);
1190 proto_tree_add_item(layer_tree, hf_etw_ndis_layer_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1191 offset += length;
1192
1193 proto_item_set_len(layer_item, offset-layer_start);
1194 }
1195 break;
1196 }
1197
1198 proto_item_set_len(ti, offset);
1199 return offset;
1200 }
1201
1202 void proto_register_message_analyzer(void)
1203 {
1204 static hf_register_info hf_wfp_capture[] = {
1205 { &hf_ma_wfp_capture_flow_context,
1206 { "Flow Context", "message_analyzer.wfp_capture.flow_context",
1207 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
1208 },
1209 { &hf_ma_wfp_capture_payload_length,
1210 { "Payload Length", "message_analyzer.wfp_capture.payload_length",
1211 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1212 },
1213 };
1214
1215 static hf_register_info hf_wfp_capture_auth[] = {
1216 { &hf_ma_wfp_capture_auth_src_port,
1217 { "Source Port", "message_analyzer.wfp_capture.auth.src_port",
1218 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1219 },
1220 { &hf_ma_wfp_capture_auth_dst_port,
1221 { "Destination Port", "message_analyzer.wfp_capture.auth.dst_port",
1222 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1223 },
1224 { &hf_ma_wfp_capture_auth_interface_id,
1225 { "Interface ID", "message_analyzer.wfp_capture.auth.interface_id",
1226 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
1227 },
1228 { &hf_ma_wfp_capture_auth_direction,
1229 { "Direction", "message_analyzer.wfp_capture.auth.direction",
1230 FT_UINT8, BASE_HEX, NULL, 0x0, NULL, HFILL }
1231 },
1232 { &hf_ma_wfp_capture_auth_process_id,
1233 { "Process ID", "message_analyzer.wfp_capture.auth.process_id",
1234 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
1235 },
1236 { &hf_ma_wfp_capture_auth_process_path,
1237 { "Payload Length", "message_analyzer.wfp_capture.auth.process_path",
1238 FT_UINT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1239 },
1240 };
1241
1242 static hf_register_info hf_etw_wfp_capture[] = {
1243 { &hf_etw_wfp_capture_event_id,
1244 { "Event ID", "etw.wfp_capture.event_id",
1245 FT_UINT32, BASE_DEC_HEX, VALS(etw_wfp_capture_event_vals), 0x0, NULL, HFILL }
1246 },
1247 { &hf_etw_wfp_capture_driver_name,
1248 { "Driver Name", "etw.wfp_capture.driver_name",
1249 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1250 },
1251 { &hf_etw_wfp_capture_major_version,
1252 { "Major Version", "etw.wfp_capture.major_version",
1253 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1254 },
1255 { &hf_etw_wfp_capture_minor_version,
1256 { "Minor Version", "etw.wfp_capture.minor_version",
1257 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1258 },
1259 { &hf_etw_wfp_capture_callout,
1260 { "Callout", "etw.wfp_capture.callout",
1261 FT_UINT32, BASE_DEC, VALS(etw_wfp_capture_callout_vals), 0x0, NULL, HFILL }
1262 },
1263 { &hf_etw_wfp_capture_filter_id,
1264 { "Filter ID", "etw.wfp_capture.filter_id",
1265 FT_UINT64, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
1266 },
1267 { &hf_etw_wfp_capture_filter_weight,
1268 { "Filter Weight", "etw.wfp_capture.filter_weight",
1269 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1270 },
1271 { &hf_etw_wfp_capture_driver_error_message,
1272 { "Driver Name", "etw.wfp_capture.driver_error_message",
1273 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1274 },
1275 { &hf_etw_wfp_capture_callout_error_message,
1276 { "Driver Name", "etw.wfp_capture.callout_error_message",
1277 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1278 },
1279 { &hf_etw_wfp_capture_nt_status,
1280 { "NT Status", "etw.wfp_capture.nt_status",
1281 FT_UINT32, BASE_HEX|BASE_EXT_STRING, &HRES_errors_ext, 0x0, NULL, HFILL }
1282 },
1283 };
1284
1285 static hf_register_info hf_etw_ndis[] = {
1286 { &hf_etw_ndis_event_id,
1287 { "Event ID", "etw.ndis.event_id",
1288 FT_UINT32, BASE_DEC_HEX, VALS(etw_ndis_event_vals), 0x0, NULL, HFILL }
1289 },
1290 { &hf_etw_ndis_miniport_if_index,
1291 { "MiniportIfIndex", "etw.ndis.miniport_if_index",
1292 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1293 },
1294 { &hf_etw_ndis_lower_if_index,
1295 { "LowerIfIndex", "etw.ndis.lower_if_index",
1296 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1297 },
1298 { &hf_etw_ndis_fragment_size,
1299 { "Fragment size", "etw.ndis.fragment_size",
1300 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1301 },
1302 { &hf_etw_ndis_fragment,
1303 { "Fragment", "etw.ndis.fragment",
1304 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
1305 },
1306 { &hf_etw_ndis_metadata_size,
1307 { "Metadata size", "etw.ndis.metadata_size",
1308 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1309 },
1310 { &hf_etw_ndis_metadata,
1311 { "Metadata", "etw.ndis.metadata",
1312 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
1313 },
1314 { &hf_etw_ndis_source_port_id,
1315 { "Source port ID", "etw.ndis.source_port_id",
1316 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1317 },
1318 { &hf_etw_ndis_source_port_name,
1319 { "Source port name", "etw.ndis.source_port_name",
1320 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1321 },
1322 { &hf_etw_ndis_source_nic_name,
1323 { "Source NIC name", "etw.ndis.source_nic_name",
1324 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1325 },
1326 { &hf_etw_ndis_source_nic_type,
1327 { "Source NIC type", "etw.ndis.source_nic_type",
1328 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1329 },
1330 { &hf_etw_ndis_destination_count,
1331 { "Destination count", "etw.ndis.destination_count",
1332 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1333 },
1334 { &hf_etw_ndis_destination_port_id,
1335 { "Destination port ID", "etw.ndis.destination_port_id",
1336 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1337 },
1338 { &hf_etw_ndis_destination_port_name,
1339 { "Destination port name", "etw.ndis.destination_port_name",
1340 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1341 },
1342 { &hf_etw_ndis_destination_nic_name,
1343 { "Destination NIC name", "etw.ndis.destination_nic_name",
1344 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1345 },
1346 { &hf_etw_ndis_destination_nic_type,
1347 { "Destination NIC type", "etw.ndis.destination_nic_type",
1348 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1349 },
1350 { &hf_etw_ndis_oob_data_size,
1351 { "OOB data size", "etw.ndis.oob_data_size",
1352 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1353 },
1354 { &hf_etw_ndis_oob_data,
1355 { "OOB data", "etw.ndis.oob_data",
1356 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
1357 },
1358 { &hf_etw_ndis_rules_count,
1359 { "Rules count", "etw.ndis.rules_count",
1360 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1361 },
1362 { &hf_etw_ndis_friendly_name,
1363 { "Friendly name", "etw.ndis.friendly_name",
1364 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1365 },
1366 { &hf_etw_ndis_unique_name,
1367 { "Unique name", "etw.ndis.unique_name",
1368 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1369 },
1370 { &hf_etw_ndis_service_name,
1371 { "Service name", "etw.ndis.service_name",
1372 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1373 },
1374 { &hf_etw_ndis_version,
1375 { "Version", "etw.ndis.version",
1376 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1377 },
1378 { &hf_etw_ndis_media_type,
1379 { "Media types", "etw.ndis.media_type",
1380 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1381 },
1382 { &hf_etw_ndis_reference_context,
1383 { "Reference context", "etw.ndis.reference_context",
1384 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1385 },
1386 { &hf_etw_ndis_rule_id,
1387 { "Rule ID", "etw.ndis.rule_id",
1388 FT_UINT8, BASE_DEC, VALS(etw_ndis_rule_vals), 0x0, NULL, HFILL }
1389 },
1390 { &hf_etw_ndis_directive,
1391 { "Directive", "etw.ndis.directive",
1392 FT_UINT8, BASE_DEC, VALS(etw_ndis_directive_vals), 0x0, NULL, HFILL }
1393 },
1394 { &hf_etw_ndis_value_length,
1395 { "Value length", "etw.ndis.value_length",
1396 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1397 },
1398 { &hf_etw_ndis_value,
1399 { "Value", "etw.ndis.value",
1400 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
1401 },
1402 { &hf_etw_ndis_previous_state,
1403 { "Previous state", "etw.ndis.previous_state",
1404 FT_UINT8, BASE_DEC, VALS(etw_ndis_opcode_vals), 0x0, NULL, HFILL }
1405 },
1406 { &hf_etw_ndis_next_state,
1407 { "Next state", "etw.ndis.next_state",
1408 FT_UINT8, BASE_DEC, VALS(etw_ndis_opcode_vals), 0x0, NULL, HFILL }
1409 },
1410 { &hf_etw_ndis_error_code,
1411 { "Error code", "etw.ndis.error_code",
1412 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
1413 },
1414 { &hf_etw_ndis_location,
1415 { "Location", "etw.ndis.location",
1416 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
1417 },
1418 { &hf_etw_ndis_context,
1419 { "Context", "etw.ndis.context",
1420 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
1421 },
1422 { &hf_etw_ndis_source_id,
1423 { "Source ID", "etw.ndis.source_id",
1424 FT_UINT8, BASE_DEC, VALS(etw_ndis_map_capture_vals), 0x0, NULL, HFILL }
1425 },
1426 { &hf_etw_ndis_rundown_id,
1427 { "Rundown ID", "etw.ndis.rundown_id",
1428 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1429 },
1430 { &hf_etw_ndis_param1,
1431 { "Param1", "etw.ndis.param1",
1432 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
1433 },
1434 { &hf_etw_ndis_param2,
1435 { "Param2", "etw.ndis.param2",
1436 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
1437 },
1438 { &hf_etw_ndis_param_str,
1439 { "Param String", "etw.ndis.param_str",
1440 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1441 },
1442 { &hf_etw_ndis_description,
1443 { "Description", "etw.ndis.description",
1444 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1445 },
1446 { &hf_etw_ndis_source_name,
1447 { "Source name", "etw.ndis.source_name",
1448 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1449 },
1450 { &hf_etw_ndis_if_index,
1451 { "IfIndex", "etw.ndis.if_index",
1452 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1453 },
1454 { &hf_etw_ndis_layer_count,
1455 { "Layer count", "etw.ndis.layer_count",
1456 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1457 },
1458 { &hf_etw_ndis_layer_id,
1459 { "Layer ID", "etw.ndis.layer_id",
1460 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1461 },
1462 { &hf_etw_ndis_layer_name,
1463 { "Layer name", "etw.ndis.layer_name",
1464 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1465 },
1466 { &hf_etw_ndis_keyword,
1467 { "Keyword", "etw.ndis.keyword",
1468 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
1469 },
1470 { &hf_etw_ndis_keyword_ethernet8023,
1471 { "KW_MEDIA_802_3", "etw.ndis.keyword.ethernet8023",
1472 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_ETHERNET8023, NULL, HFILL }
1473 },
1474 { &hf_etw_ndis_keyword_reserved1,
1475 { "Reserved1", "etw.ndis.keyword.reserved1",
1476 FT_UINT64, BASE_HEX, NULL, ETW_NDIS_KEYWORD_RESERVED1, NULL, HFILL }
1477 },
1478 { &hf_etw_ndis_keyword_wireless_wan,
1479 { "KW_MEDIA_WIRELESS_WAN", "etw.ndis.keyword.wireless_wan",
1480 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_WIRELESS_WAN, NULL, HFILL }
1481 },
1482 { &hf_etw_ndis_keyword_reserved2,
1483 { "Reserved2", "etw.ndis.keyword.reserved2",
1484 FT_UINT64, BASE_HEX, NULL, ETW_NDIS_KEYWORD_RESERVED2, NULL, HFILL }
1485 },
1486 { &hf_etw_ndis_keyword_tunnel,
1487 { "KW_MEDIA_TUNNEL", "etw.ndis.keyword.tunnel",
1488 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_TUNNEL, NULL, HFILL }
1489 },
1490 { &hf_etw_ndis_keyword_native80211,
1491 { "KW_MEDIA_NATIVE_802_11", "etw.ndis.keyword.native80211",
1492 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_NATIVE_80211, NULL, HFILL }
1493 },
1494 { &hf_etw_ndis_keyword_reserved3,
1495 { "Reserved3", "etw.ndis.keyword.reserved3",
1496 FT_UINT64, BASE_HEX, NULL, ETW_NDIS_KEYWORD_RESERVED3, NULL, HFILL }
1497 },
1498 { &hf_etw_ndis_keyword_vmswitch,
1499 { "KW_VMSWITCH", "etw.ndis.keyword.vmswitch",
1500 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_VM_SWITCH, NULL, HFILL }
1501 },
1502 { &hf_etw_ndis_keyword_reserved4,
1503 { "Reserved4", "etw.ndis.keyword.reserved4",
1504 FT_UINT64, BASE_HEX, NULL, ETW_NDIS_KEYWORD_RESERVED4, NULL, HFILL }
1505 },
1506 { &hf_etw_ndis_keyword_packet_start,
1507 { "KW_PACKET_START", "etw.ndis.keyword.packet_start",
1508 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_PACKET_START, NULL, HFILL }
1509 },
1510 { &hf_etw_ndis_keyword_packet_end,
1511 { "KW_PACKET_END", "etw.ndis.keyword.packet_end",
1512 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_PACKET_END, NULL, HFILL }
1513 },
1514 { &hf_etw_ndis_keyword_send_path,
1515 { "KW_SEND", "etw.ndis.keyword.send_path",
1516 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_SEND_PATH, NULL, HFILL }
1517 },
1518 { &hf_etw_ndis_keyword_receive_path,
1519 { "KW_RECEIVE", "etw.ndis.keyword.receive_path",
1520 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_RECV_PATH, NULL, HFILL }
1521 },
1522 { &hf_etw_ndis_keyword_l3_connect_path,
1523 { "KW_L3_CONNECT", "etw.ndis.keyword.l3_connect_path",
1524 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_L3_CONN_PATH, NULL, HFILL }
1525 },
1526 { &hf_etw_ndis_keyword_l2_connect_path,
1527 { "KW_L2_CONNECT", "etw.ndis.keyword.connect_path",
1528 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_L2_CONN_PATH, NULL, HFILL }
1529 },
1530 { &hf_etw_ndis_keyword_close_path,
1531 { "KW_CLOSE", "etw.ndis.keyword.close_path",
1532 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_CLOSE_PATH, NULL, HFILL }
1533 },
1534 { &hf_etw_ndis_keyword_authentication,
1535 { "KW_AUTHENTICATION", "etw.ndis.keyword.authentication",
1536 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_AUTHENTICATION, NULL, HFILL }
1537 },
1538 { &hf_etw_ndis_keyword_configuration,
1539 { "KW_CONFIGURATION", "etw.ndis.keyword.configuration",
1540 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_CONFIGURATION, NULL, HFILL }
1541 },
1542 { &hf_etw_ndis_keyword_global,
1543 { "KW_GLOBAL", "etw.ndis.keyword.global",
1544 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_GLOBAL, NULL, HFILL }
1545 },
1546 { &hf_etw_ndis_keyword_dropped,
1547 { "KW_DROPPED", "etw.ndis.keyword.dropped",
1548 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_DROPPED, NULL, HFILL }
1549 },
1550 { &hf_etw_ndis_keyword_pii_present,
1551 { "KW_PII_PRESENT", "etw.ndis.keyword.pii_present",
1552 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_PII_PRESENT, NULL, HFILL }
1553 },
1554 { &hf_etw_ndis_keyword_packet,
1555 { "KW_PACKET", "etw.ndis.keyword.packet",
1556 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_PACKET, NULL, HFILL }
1557 },
1558 { &hf_etw_ndis_keyword_address,
1559 { "KW_ADDRESS", "etw.ndis.keyword.address",
1560 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_ADDRESS, NULL, HFILL }
1561 },
1562 { &hf_etw_ndis_keyword_std_template_hint,
1563 { "KW_STD_TEMPLATE_HINT", "etw.ndis.keyword.std_template_hint",
1564 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_STD_TEMPLATE_HINT, NULL, HFILL }
1565 },
1566 { &hf_etw_ndis_keyword_state_transition,
1567 { "KW_STATE_TRANSITION", "etw.ndis.keyword.state_transition",
1568 FT_BOOLEAN, 64, NULL, ETW_NDIS_KEYWORD_STATE_TRANSITION, NULL, HFILL }
1569 },
1570 { &hf_etw_ndis_keyword_reserved5,
1571 { "Reserved5", "etw.ndis.keyword.reserved5",
1572 FT_UINT64, BASE_HEX, NULL, ETW_NDIS_KEYWORD_RESERVED5, NULL, HFILL }
1573 },
1574 { &hf_etw_ndis_packet_metadata_type,
1575 { "Type", "etw.ndis.packet_metadata.type",
1576 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
1577 },
1578 { &hf_etw_ndis_packet_metadata_revision,
1579 { "Revision", "etw.ndis.packet_metadata.revision",
1580 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
1581 },
1582 { &hf_etw_ndis_packet_metadata_size,
1583 { "Size", "etw.ndis.packet_metadata.size",
1584 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1585 },
1586 { &hf_etw_ndis_packet_metadata_wifi_flags,
1587 { "Flags", "etw.ndis.packet_metadata.wifi_flags",
1588 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
1589 },
1590 { &hf_etw_ndis_packet_metadata_wifi_phytype,
1591 { "PHY type", "etw.ndis.packet_metadata.wifi_phytype",
1592 FT_UINT32, BASE_DEC, VALS(etw_ndis_wifi_phytype_vals), 0x0, NULL, HFILL }
1593 },
1594 { &hf_etw_ndis_packet_metadata_wifi_channel,
1595 { "Channel", "etw.ndis.packet_metadata.wifi_channel",
1596 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1597 },
1598 { &hf_etw_ndis_packet_metadata_wifi_mpdus_received,
1599 { "MPDUs received", "etw.ndis.packet_metadata.wifi_mpdus_received",
1600 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1601 },
1602 { &hf_etw_ndis_packet_metadata_wifi_mpdu_padding,
1603 { "MPDU padding", "etw.ndis.packet_metadata.wifi_mpdu_padding",
1604 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
1605 },
1606 { &hf_etw_ndis_packet_metadata_wifi_rssi,
1607 { "RSSI", "etw.ndis.packet_metadata.wifi_rssi",
1608 FT_INT32, BASE_DEC|BASE_UNIT_STRING, UNS(&units_dbm), 0x0, NULL, HFILL }
1609 },
1610 { &hf_etw_ndis_packet_metadata_wifi_datarate,
1611 { "Datarate", "etw.ndis.packet_metadata.wifi_datarate",
1612 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
1613 },
1614 { &hf_etw_ndis_packet_metadata_data,
1615 { "MPDU padding", "etw.ndis.packet_metadata.data",
1616 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
1617 },
1618 { &hf_etw_ndis_tcp_ip_checksum_net_buffer_list,
1619 { "TcpIpChecksumNetBufferListInfoOrTcpOffloadBytesTransferred", "etw.ndis.tcp_ip_checksum_net_buffer_list",
1620 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1621 },
1622 { &hf_etw_ndis_ipsec_offload_v1_net_buffer_list_info,
1623 { "IPsecOffloadV1NetBufferListInfo", "etw.ndis.ipsec_offload_v1_net_buffer_list_info",
1624 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1625 },
1626 { &hf_etw_ndis_tcp_large_send_net_buffer_list_info,
1627 { "TcpLargeSendNetBufferListInfoOrTcpReceiveNoPush", "etw.ndis.tcp_large_send_net_buffer_list_info",
1628 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1629 },
1630 { &hf_etw_ndis_classification_handle_net_buffer_list_info,
1631 { "ClassificationHandleNetBufferListInfo", "etw.ndis.classification_handle_net_buffer_list_info",
1632 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1633 },
1634 { &hf_etw_ndis_ieee8021q_net_buffer_list_info,
1635 { "Ieee8021QNetBufferListInfo", "etw.ndis.ieee8021q_net_buffer_list_info",
1636 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1637 },
1638 { &hf_etw_ndis_net_buffer_cancel_id,
1639 { "NetBufferListCancelId", "etw.ndis.net_buffer_cancel_id",
1640 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1641 },
1642 { &hf_etw_ndis_media_specific_information,
1643 { "MediaSpecificInformation", "etw.ndis.media_specific_information",
1644 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1645 },
1646 { &hf_etw_ndis_net_buffer_list_frame_type,
1647 { "NetBufferListFrameTypeOrNetBufferListProtocolId", "etw.ndis.net_buffer_list_frame_type",
1648 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1649 },
1650 { &hf_etw_ndis_net_buffer_list_hash_value,
1651 { "NetBufferListHashValue", "etw.ndis.net_buffer_list_hash_value",
1652 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1653 },
1654 { &hf_etw_ndis_net_buffer_list_hash_info,
1655 { "NetBufferListHashInfo", "etw.ndis.net_buffer_list_hash_info",
1656 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1657 },
1658 { &hf_etw_ndis_wpf_net_buffer_list_info,
1659 { "WfpNetBufferListInfo", "etw.ndis.wpf_net_buffer_list_info",
1660 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1661 },
1662 { &hf_etw_ndis_max_net_buffer_list_info,
1663 { "MaxNetBufferListInfo", "etw.ndis.max_net_buffer_list_info",
1664 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
1665 },
1666 };
1667
1668 static int *ett[] = {
1669 &ett_ma_wfp_capture_v4,
1670 &ett_ma_wfp_capture_v6,
1671 &ett_ma_wfp_capture_auth,
1672 &ett_etw_wfp_capture,
1673 &ett_etw_ndis,
1674 &ett_etw_ndis_dest,
1675 &ett_etw_ndis_layer,
1676 &ett_etw_ndis_keyword,
1677 &ett_etw_ndis_packet_metadata,
1678 &ett_etw_ndis_oob_data,
1679 };
1680
1681 proto_ma_wfp_capture_v4 = proto_register_protocol ("Message Analyzer WFP Capture v4", "MA WFP Capture v4", "message_analyzer.wfp_capture.v4" );
1682 proto_ma_wfp_capture2_v4 = proto_register_protocol ("Message Analyzer WFP Capture2 v4", "MA WFP Capture2 v4", "message_analyzer.wfp_capture2.v4" );
1683 proto_ma_wfp_capture_v6 = proto_register_protocol ("Message Analyzer WFP Capture v6", "MA WFP Capture v6", "message_analyzer.wfp_capture.v6" );
1684 proto_ma_wfp_capture2_v6 = proto_register_protocol ("Message Analyzer WFP Capture2 v6", "MA WFP Capture2 v6", "message_analyzer.wfp_capture2.v6" );
1685 proto_ma_wfp_capture_auth_v4 = proto_register_protocol ("Message Analyzer WFP Capture AUTH v4", "MA WFP Capture AUTH v4", "message_analyzer.wfp_capture.auth.v4" );
1686 proto_ma_wfp_capture_auth_v6 = proto_register_protocol ("Message Analyzer WFP Capture AUTH v6", "MA WFP Capture AUTH v6", "message_analyzer.wfp_capture.auth.v6" );
1687 proto_etw_wfp_capture = proto_register_protocol ("ETW WFP Capture", "ETW WFP Capture", "etw.wfp_capture" );
1688 proto_etw_ndis = proto_register_protocol ("ETW Ndis", "ETW Ndis", "etw.ndis" );
1689
1690 proto_register_field_array(proto_ma_wfp_capture_v4, hf_wfp_capture, array_length(hf_wfp_capture));
1691 proto_register_field_array(proto_ma_wfp_capture_auth_v4, hf_wfp_capture_auth, array_length(hf_wfp_capture_auth));
1692 proto_register_field_array(proto_etw_wfp_capture, hf_etw_wfp_capture, array_length(hf_etw_wfp_capture));
1693 proto_register_field_array(proto_etw_ndis, hf_etw_ndis, array_length(hf_etw_ndis));
1694 proto_register_subtree_array(ett, array_length(ett));
1695 }
1696
1697 void proto_reg_handoff_message_analyzer(void)
1698 {
1699 dissector_handle_t etw_wfp_capture_handle, etw_ndis_handle;
1700 static guid_key etw_wfp_capture_guid = {{ 0xc22d1b14, 0xc242, 0x49de, { 0x9f, 0x17, 0x1d, 0x76, 0xb8, 0xb9, 0xc4, 0x58 }}, 0 };
1701 static guid_key etw_ndis_guid = {{ 0x2ed6006e, 0x4729, 0x4609, { 0xb4, 0x23, 0x3e, 0xe7, 0xbc, 0xd6, 0x78, 0xef }}, 0 };
1702
1703 ma_wfp_capture_v4_handle = create_dissector_handle(dissect_ma_wfp_capture_v4, proto_ma_wfp_capture_v4);
1704 ma_wfp_capture2_v4_handle = create_dissector_handle(dissect_ma_wfp_capture2_v4, proto_ma_wfp_capture2_v4);
1705 ma_wfp_capture_v6_handle = create_dissector_handle(dissect_ma_wfp_capture_v6, proto_ma_wfp_capture_v6);
1706 ma_wfp_capture2_v6_handle = create_dissector_handle(dissect_ma_wfp_capture2_v6, proto_ma_wfp_capture2_v6);
1707 ma_wfp_capture_auth_v4_handle = create_dissector_handle(dissect_ma_wfp_capture_auth_v4, proto_ma_wfp_capture_auth_v4);
1708 ma_wfp_capture_auth_v6_handle = create_dissector_handle(dissect_ma_wfp_capture_auth_v6, proto_ma_wfp_capture_auth_v6);
1709
1710 dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_V4, ma_wfp_capture_v4_handle);
1711 dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_2V4, ma_wfp_capture2_v4_handle);
1712 dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_V6, ma_wfp_capture_v6_handle);
1713 dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_2V6, ma_wfp_capture2_v6_handle);
1714 dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V4, ma_wfp_capture_auth_v4_handle);
1715 dissector_add_uint("wtap_encap", WTAP_ENCAP_MA_WFP_CAPTURE_AUTH_V6, ma_wfp_capture_auth_v6_handle);
1716
1717 etw_wfp_capture_handle = create_dissector_handle( dissect_etw_wfp_capture, proto_etw_wfp_capture);
1718 dissector_add_guid( "netmon.provider_id", &etw_wfp_capture_guid, etw_wfp_capture_handle);
1719 etw_ndis_handle = create_dissector_handle( dissect_etw_ndis, proto_etw_ndis);
1720 dissector_add_guid( "netmon.provider_id", &etw_ndis_guid, etw_ndis_handle);
1721
1722 ip_dissector_table = find_dissector_table("ip.proto");
1723 ip_handle = find_dissector_add_dependency("ip", proto_etw_ndis);
1724 eth_handle = find_dissector_add_dependency("eth_withoutfcs", proto_etw_ndis);
1725 ieee80211_handle = find_dissector_add_dependency("wlan", proto_etw_ndis);
1726
1727 /* Find all of the fields used from other common dissectors */
1728 hf_ip_src = proto_registrar_get_id_byname("ip.src");
1729 hf_ip_addr = proto_registrar_get_id_byname("ip.addr");
1730 hf_ip_src_host = proto_registrar_get_id_byname("ip.src_host");
1731 hf_ip_dst = proto_registrar_get_id_byname("ip.dst");
1732 hf_ip_dst_host = proto_registrar_get_id_byname("ip.dst_host");
1733 hf_ip_host = proto_registrar_get_id_byname("ip.host");
1734 hf_ip_proto = proto_registrar_get_id_byname("ip.proto");
1735 hf_ipv6_src = proto_registrar_get_id_byname("ipv6.src");
1736 hf_ipv6_addr = proto_registrar_get_id_byname("ipv6.addr");
1737 hf_ipv6_src_host = proto_registrar_get_id_byname("ipv6.src_host");
1738 hf_ipv6_host = proto_registrar_get_id_byname("ipv6.host");
1739 hf_ipv6_dst = proto_registrar_get_id_byname("ipv6.dst");
1740 hf_ipv6_dst_host = proto_registrar_get_id_byname("ipv6.dst_host");
1741
1742 }
1743
1744 /*
1745 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1746 *
1747 * Local variables:
1748 * c-basic-offset: 8
1749 * tab-width: 8
1750 * indent-tabs-mode: t
1751 * End:
1752 *
1753 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
1754 * :indentSize=8:tabSize=8:noTabs=false:
1755 */
Metzes wireshark repo