search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-netmon.c
blob6178d48299aaec2ceb29176002226885c8a3bd95
1 /* packet-netmon.c
2 * Routines for Network Monitor capture dissection
3 *
4 * Wireshark - Network traffic analyzer
5 * By Gerald Combs <gerald@wireshark.org>
6 * Copyright 1998 Gerald Combs
7 *
8 * SPDX-License-Identifier: GPL-2.0-or-later
9 *
10 * Network Event Tracing event taken from:
11 *
12 * https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header
13 */
14
15 #include "config.h"
16
17 #include <epan/packet.h>
18 #include <epan/to_str.h>
19 #include <epan/expert.h>
20 #include <epan/tfs.h>
21 #include <wsutil/array.h>
22 #include <wiretap/wtap.h>
23 #include "packet-netmon.h"
24
25 void proto_register_netmon(void);
26 void proto_reg_handoff_netmon(void);
27
28 #define EVENT_HEADER_PROPERTY_XML 0x0001
29 #define EVENT_HEADER_PROPERTY_FORWARDED_XML 0x0002
30 #define EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG 0x0004
31
32 static const value_string event_level_vals[] = {
33 { 0, "Log Always"},
34 { 1, "Critical"},
35 { 2, "Error"},
36 { 3, "Warning"},
37 { 4, "Info"},
38 { 5, "Verbose"},
39 { 6, "Reserved"},
40 { 7, "Reserved"},
41 { 8, "Reserved"},
42 { 9, "Reserved"},
43 { 10, "Reserved"},
44 { 11, "Reserved"},
45 { 12, "Reserved"},
46 { 13, "Reserved"},
47 { 14, "Reserved"},
48 { 15, "Reserved"},
49 { 0, NULL }
50 };
51
52 static const value_string opcode_vals[] = {
53 { 0, "Info"},
54 { 1, "Start"},
55 { 2, "Stop"},
56 { 3, "DC Start"},
57 { 4, "DC Stop"},
58 { 5, "Extension"},
59 { 6, "Reply"},
60 { 7, "Resume"},
61 { 8, "Suspend"},
62 { 9, "Transfer"},
63 { 0, NULL }
64 };
65
66 static const range_string filter_types[] = {
67 { 0, 0, "Display Filter" },
68 { 1, 1, "Capture Filter" },
69 { 2, 0xFFFFFFFF, "Display Filter" },
70 { 0, 0, NULL }
71 };
72
73 static dissector_table_t provider_id_table;
74
75 /* Initialize the protocol and registered fields */
76 static int proto_netmon_header;
77 static int proto_netmon_event;
78 static int proto_netmon_filter;
79 static int proto_netmon_network_info;
80 static int proto_netmon_system_trace;
81 static int proto_netmon_system_config;
82 static int proto_netmon_process;
83
84 static int hf_netmon_header_title_comment;
85 static int hf_netmon_header_description_comment;
86
87 static int hf_netmon_event_size;
88 static int hf_netmon_event_header_type;
89 static int hf_netmon_event_flags;
90 static int hf_netmon_event_flags_extended_info;
91 static int hf_netmon_event_flags_private_session;
92 static int hf_netmon_event_flags_string_only;
93 static int hf_netmon_event_flags_trace_message;
94 static int hf_netmon_event_flags_no_cputime;
95 static int hf_netmon_event_flags_32bit_header;
96 static int hf_netmon_event_flags_64bit_header;
97 static int hf_netmon_event_flags_classic_header;
98 static int hf_netmon_event_event_property;
99 static int hf_netmon_event_event_property_xml;
100 static int hf_netmon_event_event_property_forwarded_xml;
101 static int hf_netmon_event_event_property_legacy_eventlog;
102 static int hf_netmon_event_thread_id;
103 static int hf_netmon_event_process_id;
104 static int hf_netmon_event_timestamp;
105 static int hf_netmon_event_provider_id;
106 static int hf_netmon_event_event_desc_id;
107 static int hf_netmon_event_event_desc_version;
108 static int hf_netmon_event_event_desc_channel;
109 static int hf_netmon_event_event_desc_level;
110 static int hf_netmon_event_event_desc_opcode;
111 static int hf_netmon_event_event_desc_task;
112 static int hf_netmon_event_event_desc_keyword;
113 static int hf_netmon_event_kernel_time;
114 static int hf_netmon_event_user_time;
115 static int hf_netmon_event_processor_time;
116 static int hf_netmon_event_activity_id;
117 static int hf_netmon_event_processor_number;
118 static int hf_netmon_event_alignment;
119 static int hf_netmon_event_logger_id;
120 static int hf_netmon_event_extended_data_count;
121 static int hf_netmon_event_user_data_length;
122 static int hf_netmon_event_reassembled;
123 static int hf_netmon_event_extended_data_reserved;
124 static int hf_netmon_event_extended_data_type;
125 static int hf_netmon_event_extended_data_linkage;
126 static int hf_netmon_event_extended_data_reserved2;
127 static int hf_netmon_event_extended_data_size;
128 static int hf_netmon_event_extended_data;
129 static int hf_netmon_event_user_data;
130
131 static int hf_netmon_filter_version;
132 static int hf_netmon_filter_type;
133 static int hf_netmon_filter_app_major_version;
134 static int hf_netmon_filter_app_minor_version;
135 static int hf_netmon_filter_app_name;
136 static int hf_netmon_filter_filter;
137
138 static int hf_netmon_network_info_version;
139 static int hf_netmon_network_info_adapter_count;
140 static int hf_netmon_network_info_computer_name;
141 static int hf_netmon_network_info_friendly_name;
142 static int hf_netmon_network_info_description;
143 static int hf_netmon_network_info_miniport_guid;
144 static int hf_netmon_network_info_media_type;
145 static int hf_netmon_network_info_mtu;
146 static int hf_netmon_network_info_link_speed;
147 static int hf_netmon_network_info_mac_address;
148 static int hf_netmon_network_info_ipv4_count;
149 static int hf_netmon_network_info_ipv6_count;
150 static int hf_netmon_network_info_gateway_count;
151 static int hf_netmon_network_info_dhcp_server_count;
152 static int hf_netmon_network_info_dns_ipv4_count;
153 static int hf_netmon_network_info_dns_ipv6_count;
154 static int hf_netmon_network_info_ipv4;
155 static int hf_netmon_network_info_subnet;
156 static int hf_netmon_network_info_ipv6;
157 static int hf_netmon_network_info_gateway;
158 static int hf_netmon_network_info_dhcp_server;
159 static int hf_netmon_network_info_dns_ipv4;
160 static int hf_netmon_network_info_dns_ipv6;
161
162 static int hf_netmon_system_trace_buffer_size;
163 static int hf_netmon_system_trace_version;
164 static int hf_netmon_system_trace_provider_version;
165 static int hf_netmon_system_trace_num_processors;
166 static int hf_netmon_system_trace_end_time;
167 static int hf_netmon_system_trace_timer_resolution;
168 static int hf_netmon_system_trace_max_file_size;
169 static int hf_netmon_system_trace_log_file_mode;
170 static int hf_netmon_system_trace_buffers_written;
171 static int hf_netmon_system_trace_start_buffers;
172 static int hf_netmon_system_trace_pointers_size;
173 static int hf_netmon_system_trace_events_lost;
174 static int hf_netmon_system_trace_cpu_speed;
175 static int hf_netmon_system_trace_logger_name;
176 static int hf_netmon_system_trace_log_file_name_ptr;
177 static int hf_netmon_system_trace_time_zone_info;
178 static int hf_netmon_system_trace_boot_time;
179 static int hf_netmon_system_trace_perf_freq;
180 static int hf_netmon_system_trace_start_time;
181 static int hf_netmon_system_trace_reserved_flags;
182 static int hf_netmon_system_trace_buffers_lost;
183 static int hf_netmon_system_trace_session_name;
184 static int hf_netmon_system_trace_log_file_name;
185 static int hf_netmon_system_trace_group_mask1;
186 static int hf_netmon_system_trace_group_mask2;
187 static int hf_netmon_system_trace_group_mask3;
188 static int hf_netmon_system_trace_group_mask4;
189 static int hf_netmon_system_trace_group_mask5;
190 static int hf_netmon_system_trace_group_mask6;
191 static int hf_netmon_system_trace_group_mask7;
192 static int hf_netmon_system_trace_group_mask8;
193 static int hf_netmon_system_trace_kernel_event_version;
194
195 static int hf_netmon_system_config_mhz;
196 static int hf_netmon_system_config_num_processors;
197 static int hf_netmon_system_config_mem_size;
198 static int hf_netmon_system_config_page_size;
199 static int hf_netmon_system_config_allocation_granularity;
200 static int hf_netmon_system_config_computer_name;
201 static int hf_netmon_system_config_domain_name;
202 static int hf_netmon_system_config_hyper_threading_flag;
203 static int hf_netmon_system_config_disk_number;
204 static int hf_netmon_system_config_bytes_per_sector;
205 static int hf_netmon_system_config_sectors_per_track;
206 static int hf_netmon_system_config_tracks_per_cylinder;
207 static int hf_netmon_system_config_cylinders;
208 static int hf_netmon_system_config_scsi_port;
209 static int hf_netmon_system_config_scsi_path;
210 static int hf_netmon_system_config_scsi_target;
211 static int hf_netmon_system_config_scsi_lun;
212 static int hf_netmon_system_config_manufacturer;
213 static int hf_netmon_system_config_partition_count;
214 static int hf_netmon_system_config_write_cache_enabled;
215 static int hf_netmon_system_config_pad;
216 static int hf_netmon_system_config_boot_drive_letter;
217 static int hf_netmon_system_config_spare;
218 static int hf_netmon_system_config_start_offset;
219 static int hf_netmon_system_config_partition_size;
220 static int hf_netmon_system_config_size;
221 static int hf_netmon_system_config_drive_type;
222 static int hf_netmon_system_config_drive_letter;
223 static int hf_netmon_system_config_partition_number;
224 static int hf_netmon_system_config_sectors_per_cluster;
225 static int hf_netmon_system_config_num_free_clusters;
226 static int hf_netmon_system_config_total_num_clusters;
227 static int hf_netmon_system_config_file_system;
228 static int hf_netmon_system_config_volume_ext;
229 static int hf_netmon_system_config_physical_addr;
230 static int hf_netmon_system_config_physical_addr_len;
231 static int hf_netmon_system_config_ipv4_index;
232 static int hf_netmon_system_config_ipv6_index;
233 static int hf_netmon_system_config_nic_description;
234 static int hf_netmon_system_config_ipaddresses;
235 static int hf_netmon_system_config_dns_server_addresses;
236 static int hf_netmon_system_config_memory_size;
237 static int hf_netmon_system_config_x_resolution;
238 static int hf_netmon_system_config_y_resolution;
239 static int hf_netmon_system_config_bits_per_pixel;
240 static int hf_netmon_system_config_vrefresh;
241 static int hf_netmon_system_config_chip_type;
242 static int hf_netmon_system_config_dac_type;
243 static int hf_netmon_system_config_adapter_string;
244 static int hf_netmon_system_config_bios_string;
245 static int hf_netmon_system_config_device_id;
246 static int hf_netmon_system_config_state_flags;
247 static int hf_netmon_system_config_process_id;
248 static int hf_netmon_system_config_service_state;
249 static int hf_netmon_system_config_sub_process_tag;
250 static int hf_netmon_system_config_service_name;
251 static int hf_netmon_system_config_display_name;
252 static int hf_netmon_system_config_process_name;
253 static int hf_netmon_system_config_s1;
254 static int hf_netmon_system_config_s2;
255 static int hf_netmon_system_config_s3;
256 static int hf_netmon_system_config_s4;
257 static int hf_netmon_system_config_s5;
258 static int hf_netmon_system_config_tcb_table_partitions;
259 static int hf_netmon_system_config_max_hash_table_size;
260 static int hf_netmon_system_config_max_user_port;
261 static int hf_netmon_system_config_tcp_timed_wait_delay;
262 static int hf_netmon_system_config_irq_affinity;
263 static int hf_netmon_system_config_irq_num;
264 static int hf_netmon_system_config_device_desc_len;
265 static int hf_netmon_system_config_device_desc;
266 static int hf_netmon_system_config_device_id_len;
267 static int hf_netmon_system_config_friendly_name_len;
268 static int hf_netmon_system_config_friendly_name;
269 static int hf_netmon_system_config_target_id;
270 static int hf_netmon_system_config_device_type;
271 static int hf_netmon_system_config_device_timing_mode;
272 static int hf_netmon_system_config_location_information_len;
273 static int hf_netmon_system_config_location_information;
274 static int hf_netmon_system_config_system_manufacturer;
275 static int hf_netmon_system_config_system_product_name;
276 static int hf_netmon_system_config_bios_date;
277 static int hf_netmon_system_config_bios_version;
278 static int hf_netmon_system_config_load_order_group;
279 static int hf_netmon_system_config_svc_host_group;
280 static int hf_netmon_system_config_irq_group;
281 static int hf_netmon_system_config_pdo_name;
282 static int hf_netmon_system_config_nic_name;
283 static int hf_netmon_system_config_index;
284 static int hf_netmon_system_config_physical_addr_str;
285 static int hf_netmon_system_config_ip_address;
286 static int hf_netmon_system_config_subnet_mask;
287 static int hf_netmon_system_config_dhcp_server;
288 static int hf_netmon_system_config_gateway;
289 static int hf_netmon_system_config_primary_wins_server;
290 static int hf_netmon_system_config_secondary_wins_server;
291 static int hf_netmon_system_config_dns_server1;
292 static int hf_netmon_system_config_dns_server2;
293 static int hf_netmon_system_config_dns_server3;
294 static int hf_netmon_system_config_dns_server4;
295 static int hf_netmon_system_config_data;
296
297
298
299 static int hf_netmon_process_unique_process_key;
300 static int hf_netmon_process_process_id;
301 static int hf_netmon_process_parent_id;
302 static int hf_netmon_process_session_id;
303 static int hf_netmon_process_exit_status;
304 static int hf_netmon_process_directory_table_base;
305 static int hf_netmon_process_unknown;
306 static int hf_netmon_process_user_sid_revision;
307 static int hf_netmon_process_user_sid_subauth_count;
308 static int hf_netmon_process_user_sid_id;
309 static int hf_netmon_process_user_sid_authority;
310 static int hf_netmon_process_image_file_name;
311 static int hf_netmon_process_command_line;
312 static int hf_netmon_process_page_directory_base;
313 static int hf_netmon_process_page_fault_count;
314 static int hf_netmon_process_handle_count;
315 static int hf_netmon_process_reserved;
316 static int hf_netmon_process_peak_virtual_size;
317 static int hf_netmon_process_peak_working_set_size;
318 static int hf_netmon_process_peak_page_file_usage;
319 static int hf_netmon_process_quota_peak_paged_pool_usage;
320 static int hf_netmon_process_quota_peak_non_paged_pool_usage;
321 static int hf_netmon_process_virtual_size;
322 static int hf_netmon_process_workingset_size;
323 static int hf_netmon_process_pagefile_usage;
324 static int hf_netmon_process_quota_paged_pool_usage;
325 static int hf_netmon_process_quota_non_paged_pool_usage;
326 static int hf_netmon_process_private_page_count;
327 static int hf_netmon_process_directory_table_base32;
328
329
330 static int ett_netmon_header;
331 static int ett_netmon_event;
332 static int ett_netmon_event_desc;
333 static int ett_netmon_event_flags;
334 static int ett_netmon_event_property;
335 static int ett_netmon_event_extended_data;
336 static int ett_netmon_filter;
337 static int ett_netmon_network_info;
338 static int ett_netmon_network_info_list;
339 static int ett_netmon_network_info_adapter;
340 static int ett_netmon_system_trace;
341 static int ett_netmon_event_buffer_context;
342 static int ett_netmon_process;
343 static int ett_netmon_sid;
344 static int ett_netmon_system_config;
345
346 static expert_field ei_netmon_process_user_sid;
347
348 static dissector_table_t wtap_encap_table;
349
350 void
351 netmon_etl_field(proto_tree *tree, tvbuff_t *tvb, int* offset, int hf, uint16_t flags)
352 {
353 if (flags & EVENT_HEADER_FLAG_64_BIT_HEADER) {
354 /* XXX - This seems to be how values are displayed in Network Monitor */
355 uint64_t value = tvb_get_letoh64(tvb, *offset) & 0xFFFFFFFF;
356 proto_tree_add_uint64(tree, hf, tvb, *offset, 8, value);
357 (*offset) += 8;
358 } else {
359 proto_tree_add_item(tree, hf, tvb, *offset, 4, ENC_LITTLE_ENDIAN);
360 (*offset) += 4;
361 }
362 }
363
364 void
365 netmon_sid_field(proto_tree *tree, tvbuff_t *tvb, int* offset, packet_info *pinfo,
366 int hf_revision, int hf_subauthority_count, int hf_sid_id, int hf_sid_authority, expert_field* invalid_sid, bool conformant _U_)
367 {
368 proto_item *ti, *sid_item;
369 proto_tree *sid_tree;
370 int start_offset = *offset;
371 uint32_t i, revision, count;
372
373 sid_tree = proto_tree_add_subtree(tree, tvb, *offset, 2, ett_netmon_sid, &sid_item, "SID");
374
375 ti = proto_tree_add_item_ret_uint(sid_tree, hf_revision, tvb, *offset, 1, ENC_LITTLE_ENDIAN, &revision);
376 (*offset) += 1;
377 if (revision != 1)
378 {
379 expert_add_info(pinfo, ti, invalid_sid);
380 }
381 proto_tree_add_item_ret_uint(sid_tree, hf_subauthority_count, tvb, *offset, 1, ENC_LITTLE_ENDIAN, &count);
382 (*offset) += 1;
383 if (count > 15)
384 {
385 expert_add_info(pinfo, ti, invalid_sid);
386 }
387
388 proto_tree_add_item(sid_tree, hf_sid_id, tvb, *offset, 6, ENC_NA);
389 (*offset) += 6;
390
391 for (i = 0; i < count; i++)
392 {
393 proto_tree_add_item(sid_tree, hf_sid_authority, tvb, *offset, 4, ENC_LITTLE_ENDIAN);
394 (*offset) += 4;
395 }
396
397 proto_item_set_len(sid_item, (*offset)-start_offset);
398 }
399
400 /* Code to actually dissect the packets */
401 static int
402 dissect_netmon_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
403 {
404 proto_item *ti;
405 proto_tree *header_tree;
406 union wtap_pseudo_header temp_header;
407 char *comment;
408
409 ti = proto_tree_add_item(tree, proto_netmon_header, tvb, 0, 0, ENC_NA);
410 header_tree = proto_item_add_subtree(ti, ett_netmon_header);
411
412 if (pinfo->pseudo_header->netmon.title != NULL) {
413 ti = proto_tree_add_string(header_tree, hf_netmon_header_title_comment, tvb, 0, 0, pinfo->pseudo_header->netmon.title);
414 proto_item_set_generated(ti);
415 }
416
417 if (pinfo->pseudo_header->netmon.description != NULL) {
418 /* Description comment is only ASCII. However, it's
419 * RTF, not raw text.
420 */
421
422 /* Ensure string termination */
423 comment = wmem_strndup(pinfo->pool, pinfo->pseudo_header->netmon.description, pinfo->pseudo_header->netmon.descLength);
424
425 ti = proto_tree_add_string(header_tree, hf_netmon_header_description_comment, tvb, 0, 0, comment);
426 proto_item_set_generated(ti);
427 }
428
429 /* Save the pseudo header data to a temp variable before it's copied to
430 * real pseudo header
431 */
432 switch (pinfo->pseudo_header->netmon.sub_encap)
433 {
434 case WTAP_ENCAP_ATM_PDUS:
435 memcpy(&temp_header.atm, &pinfo->pseudo_header->netmon.subheader.atm, sizeof(temp_header.atm));
436 memcpy(&pinfo->pseudo_header->atm, &temp_header.atm, sizeof(temp_header.atm));
437 break;
438 case WTAP_ENCAP_ETHERNET:
439 memcpy(&temp_header.eth, &pinfo->pseudo_header->netmon.subheader.eth, sizeof(temp_header.eth));
440 memcpy(&pinfo->pseudo_header->eth, &temp_header.eth, sizeof(temp_header.eth));
441 break;
442 case WTAP_ENCAP_IEEE_802_11_NETMON:
443 memcpy(&temp_header.ieee_802_11, &pinfo->pseudo_header->netmon.subheader.ieee_802_11, sizeof(temp_header.ieee_802_11));
444 memcpy(&pinfo->pseudo_header->ieee_802_11, &temp_header.ieee_802_11, sizeof(temp_header.ieee_802_11));
445 break;
446 }
447
448 if (!dissector_try_uint_with_data(wtap_encap_table,
449 pinfo->pseudo_header->netmon.sub_encap, tvb, pinfo, tree, true,
450 (void *)pinfo->pseudo_header)) {
451 call_data_dissector(tvb, pinfo, tree);
452 }
453
454 return tvb_captured_length(tvb);
455 }
456
457 static int
458 dissect_netmon_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
459 {
460 proto_item *ti, *extended_data_item;
461 proto_tree *event_tree, *event_desc_tree, *extended_data_tree, *buffer_context_tree;
462 int offset = 0, extended_data_count_offset;
463 uint32_t i, thread_id, process_id, extended_data_count, extended_data_size, user_data_size;
464 nstime_t timestamp;
465 tvbuff_t *provider_id_tvb;
466 guid_key provider_guid;
467 bool is_etl;
468 uint32_t event_size;
469 struct netmon_provider_id_data provider_id_data;
470 static int * const event_flags[] = {
471 &hf_netmon_event_flags_extended_info,
472 &hf_netmon_event_flags_private_session,
473 &hf_netmon_event_flags_string_only,
474 &hf_netmon_event_flags_trace_message,
475 &hf_netmon_event_flags_no_cputime,
476 &hf_netmon_event_flags_32bit_header,
477 &hf_netmon_event_flags_64bit_header,
478 &hf_netmon_event_flags_classic_header,
479 NULL
480 };
481 static int * const event_property[] = {
482 &hf_netmon_event_event_property_xml,
483 &hf_netmon_event_event_property_forwarded_xml,
484 &hf_netmon_event_event_property_legacy_eventlog,
485 NULL
486 };
487
488 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Event");
489 /* Clear out stuff in the info column */
490 col_clear(pinfo->cinfo, COL_INFO);
491
492 memset(&provider_id_data, 0, sizeof(provider_id_data));
493
494 is_etl = pinfo->rec->rec_header.packet_header.pkt_encap == WTAP_ENCAP_ETL;
495 ti = proto_tree_add_item(tree, proto_netmon_event, tvb, offset, -1, ENC_NA);
496 event_tree = proto_item_add_subtree(ti, ett_netmon_event);
497
498
499 proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_size, tvb, offset, 2, ENC_LITTLE_ENDIAN, &event_size);
500 offset += 2;
501 proto_tree_add_item(event_tree, hf_netmon_event_header_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
502 offset += 2;
503 provider_id_data.event_flags = tvb_get_letohs(tvb, offset);
504 proto_tree_add_bitmask(event_tree, tvb, offset, hf_netmon_event_flags, ett_netmon_event_flags, event_flags, ENC_LITTLE_ENDIAN);
505 offset += 2;
506 proto_tree_add_bitmask(event_tree, tvb, offset, hf_netmon_event_event_property, ett_netmon_event_property, event_property, ENC_LITTLE_ENDIAN);
507 offset += 2;
508 proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &thread_id);
509 offset += 4;
510 proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &process_id);
511 offset += 4;
512
513 timestamp.secs = 0;
514 timestamp.nsecs = 0;
515 filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
516 proto_tree_add_time(event_tree, hf_netmon_event_timestamp, tvb, offset, 8, &timestamp);
517 offset += 8;
518
519 proto_tree_add_item(event_tree, hf_netmon_event_provider_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
520 /* Save the GUID to use in dissector table */
521 if (is_etl)
522 tvb_get_letohguid(tvb, offset, &provider_guid.guid);
523 else
524 tvb_memcpy(tvb, &provider_guid.guid, offset, 16);
525
526 provider_guid.ver = 0; //version field not used
527 offset += 16;
528
529 col_add_fstr(pinfo->cinfo, COL_INFO, "Thread ID: %d, Process ID: %d, Provider ID: %s",
530 thread_id, process_id, guid_to_str(pinfo->pool, &provider_guid.guid));
531
532 event_desc_tree = proto_tree_add_subtree(event_tree, tvb, offset, 16, ett_netmon_event_desc, NULL, "Event Descriptor");
533 proto_tree_add_item_ret_uint(event_desc_tree, hf_netmon_event_event_desc_id, tvb, offset, 2, ENC_LITTLE_ENDIAN, &provider_id_data.event_id);
534 offset += 2;
535 provider_id_data.event_version = tvb_get_uint8(tvb, offset);
536 proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
537 offset += 1;
538 proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_channel, tvb, offset, 1, ENC_LITTLE_ENDIAN);
539 offset += 1;
540 proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_level, tvb, offset, 1, ENC_LITTLE_ENDIAN);
541 offset += 1;
542 provider_id_data.opcode = tvb_get_uint8(tvb, offset);
543 proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
544 offset += 1;
545 proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_task, tvb, offset, 2, ENC_LITTLE_ENDIAN);
546 offset += 2;
547 proto_tree_add_item_ret_uint64(event_desc_tree, hf_netmon_event_event_desc_keyword, tvb, offset, 8, ENC_LITTLE_ENDIAN, &provider_id_data.keyword);
548 offset += 8;
549
550 if (provider_id_data.event_flags & (EVENT_HEADER_FLAG_PRIVATE_SESSION | EVENT_HEADER_FLAG_NO_CPUTIME))
551 {
552 /* Kernel and User time are a union with processor time */
553 proto_tree_add_item(event_tree, hf_netmon_event_kernel_time, tvb, offset, 4, ENC_LITTLE_ENDIAN);
554 offset += 4;
555 proto_tree_add_item(event_tree, hf_netmon_event_user_time, tvb, offset, 4, ENC_LITTLE_ENDIAN);
556 offset += 4;
557 }
558 else
559 {
560 proto_tree_add_item(event_tree, hf_netmon_event_processor_time, tvb, offset, 8, ENC_LITTLE_ENDIAN);
561 offset += 8;
562 }
563
564 proto_tree_add_item(event_tree, hf_netmon_event_activity_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
565 offset += 16;
566
567 if (is_etl) {
568 user_data_size = event_size - offset;
569 } else {
570 buffer_context_tree = proto_tree_add_subtree(event_tree, tvb, offset, 4, ett_netmon_event_buffer_context, NULL, "BufferContext");
571 proto_tree_add_item(buffer_context_tree, hf_netmon_event_processor_number, tvb, offset, 1, ENC_LITTLE_ENDIAN);
572 offset += 1;
573 proto_tree_add_item(buffer_context_tree, hf_netmon_event_alignment, tvb, offset, 1, ENC_LITTLE_ENDIAN);
574 offset += 1;
575 proto_tree_add_item(buffer_context_tree, hf_netmon_event_logger_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
576 offset += 2;
577
578 proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_extended_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &extended_data_count);
579 offset += 2;
580 proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_user_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &user_data_size);
581 offset += 2;
582 proto_tree_add_item(event_tree, hf_netmon_event_reassembled, tvb, offset, 1, ENC_LITTLE_ENDIAN);
583 offset += 1;
584
585 for (i = 1; i <= extended_data_count; i++)
586 {
587 extended_data_count_offset = offset;
588 extended_data_tree = proto_tree_add_subtree_format(event_tree, tvb, offset, 4, ett_netmon_event_extended_data, &extended_data_item, "Extended Data Item #%d", i);
589 proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN);
590 offset += 2;
591 proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
592 offset += 2;
593 proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_linkage, tvb, offset, 2, ENC_LITTLE_ENDIAN);
594 proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_reserved2, tvb, offset, 2, ENC_LITTLE_ENDIAN);
595 offset += 2;
596 proto_tree_add_item_ret_uint(extended_data_tree, hf_netmon_event_extended_data_size, tvb, offset, 2, ENC_LITTLE_ENDIAN, &extended_data_size);
597 offset += 2;
598 proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data, tvb, offset, extended_data_size, ENC_NA);
599 offset += extended_data_size;
600 proto_item_set_len(extended_data_item, offset-extended_data_count_offset);
601 }
602 }
603 provider_id_tvb = tvb_new_subset_remaining(tvb, offset);
604 if (!dissector_try_guid_with_data(provider_id_table, &provider_guid, provider_id_tvb, pinfo, tree, true, &provider_id_data))
605 {
606 proto_tree_add_item(event_tree, hf_netmon_event_user_data, tvb, offset, user_data_size, ENC_NA);
607 offset += user_data_size;
608 }
609 proto_item_set_len(ti, offset);
610 return tvb_captured_length(tvb);
611 }
612
613
614 static int
615 dissect_netmon_filter(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
616 {
617 proto_item *ti;
618 proto_tree *filter_tree;
619 int offset = 0;
620 unsigned length;
621 const uint8_t* filter;
622
623 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Filter");
624 /* Clear out stuff in the info column */
625 col_clear(pinfo->cinfo, COL_INFO);
626
627 ti = proto_tree_add_item(tree, proto_netmon_filter, tvb, offset, -1, ENC_NA);
628 filter_tree = proto_item_add_subtree(ti, ett_netmon_filter);
629
630 proto_tree_add_item(filter_tree, hf_netmon_filter_version, tvb, offset, 2, ENC_BIG_ENDIAN);
631 offset += 2;
632 proto_tree_add_item(filter_tree, hf_netmon_filter_type, tvb, offset, 4, ENC_BIG_ENDIAN);
633 offset += 4;
634 proto_tree_add_item(filter_tree, hf_netmon_filter_app_major_version, tvb, offset, 4, ENC_BIG_ENDIAN);
635 offset += 4;
636 proto_tree_add_item(filter_tree, hf_netmon_filter_app_minor_version, tvb, offset, 4, ENC_BIG_ENDIAN);
637 offset += 4;
638 length = tvb_unicode_strsize(tvb, offset);
639 proto_tree_add_item(filter_tree, hf_netmon_filter_app_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
640 offset += length;
641 length = tvb_unicode_strsize(tvb, offset);
642 proto_tree_add_item_ret_string(filter_tree, hf_netmon_filter_filter, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16,
643 pinfo->pool, &filter);
644 col_add_fstr(pinfo->cinfo, COL_INFO, "Filter: %s", filter);
645
646 return tvb_captured_length(tvb);
647 }
648
649
650 static int
651 dissect_netmon_network_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
652 {
653 proto_item *ti, *list_item, *adapter_item;
654 proto_tree *network_info_tree, *list_tree, *adapter_tree;
655 int offset = 0, list_start_offset, adapter_start_offset;
656 unsigned adapter, adapter_count, length;
657 uint64_t link_speed;
658
659 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Network Info");
660 /* Clear out stuff in the info column */
661 col_clear(pinfo->cinfo, COL_INFO);
662
663 ti = proto_tree_add_item(tree, proto_netmon_network_info, tvb, offset, -1, ENC_NA);
664 network_info_tree = proto_item_add_subtree(ti, ett_netmon_network_info);
665
666 proto_tree_add_item(network_info_tree, hf_netmon_network_info_version, tvb, offset, 2, ENC_BIG_ENDIAN);
667 offset += 2;
668
669 proto_tree_add_item_ret_uint(network_info_tree, hf_netmon_network_info_adapter_count, tvb, offset, 2, ENC_BIG_ENDIAN, &adapter_count);
670 offset += 2;
671 col_add_fstr(pinfo->cinfo, COL_INFO, "Adapter count: %d", adapter_count);
672
673 length = tvb_unicode_strsize(tvb, offset);
674 proto_tree_add_item(network_info_tree, hf_netmon_network_info_computer_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
675 offset += length;
676 if (adapter_count > 0)
677 {
678 list_start_offset = offset;
679 list_tree = proto_tree_add_subtree(network_info_tree, tvb, offset, 1, ett_netmon_network_info_list, &list_item, "NetworkInfo");
680 for (adapter = 1; adapter <= adapter_count; adapter++)
681 {
682 uint32_t loop, ipv4_count, ipv6_count, gateway_count, dhcp_server_count, dns_ipv4_count, dns_ipv6_count;
683
684 adapter_start_offset = offset;
685 adapter_tree = proto_tree_add_subtree_format(list_tree, tvb, offset, 1, ett_netmon_network_info_adapter, &adapter_item, "Adapter #%d", adapter);
686
687 length = tvb_unicode_strsize(tvb, offset);
688 proto_tree_add_item(adapter_tree, hf_netmon_network_info_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
689 offset += length;
690 length = tvb_unicode_strsize(tvb, offset);
691 proto_tree_add_item(adapter_tree, hf_netmon_network_info_description, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
692 offset += length;
693 length = tvb_unicode_strsize(tvb, offset);
694 proto_tree_add_item(adapter_tree, hf_netmon_network_info_miniport_guid, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
695 offset += length;
696 proto_tree_add_item(adapter_tree, hf_netmon_network_info_media_type, tvb, offset, 4, ENC_BIG_ENDIAN);
697 offset += 4;
698 proto_tree_add_item(adapter_tree, hf_netmon_network_info_mtu, tvb, offset, 4, ENC_BIG_ENDIAN);
699 offset += 4;
700 link_speed = tvb_get_ntoh64(tvb, offset);
701 if (link_speed == 0xFFFFFFFFFFFFFFFF)
702 {
703 proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "(Unknown)");
704 }
705 else if (link_speed >= 1000 * 1000 * 1000)
706 {
707 proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " Gbps", link_speed/(1000*1000*1000));
708 }
709 else if (link_speed >= 1000 * 1000)
710 {
711 proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " Mbps", link_speed/(1000*1000));
712 }
713 else if (link_speed >= 1000)
714 {
715 proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " Kbps", link_speed/1000);
716 }
717 else
718 {
719 proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " bps", link_speed);
720 }
721 offset += 8;
722 proto_tree_add_item(adapter_tree, hf_netmon_network_info_mac_address, tvb, offset, 6, ENC_NA);
723 offset += 6;
724
725 proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_ipv4_count, tvb, offset, 2, ENC_BIG_ENDIAN, &ipv4_count);
726 offset += 2;
727 proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_ipv6_count, tvb, offset, 2, ENC_BIG_ENDIAN, &ipv6_count);
728 offset += 2;
729 proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_gateway_count, tvb, offset, 2, ENC_BIG_ENDIAN, &gateway_count);
730 offset += 2;
731 proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_dhcp_server_count, tvb, offset, 2, ENC_BIG_ENDIAN, &dhcp_server_count);
732 offset += 2;
733 proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_dns_ipv4_count, tvb, offset, 2, ENC_BIG_ENDIAN, &dns_ipv4_count);
734 offset += 2;
735 proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_dns_ipv6_count, tvb, offset, 2, ENC_BIG_ENDIAN, &dns_ipv6_count);
736 offset += 2;
737
738 for (loop = 0; loop < ipv4_count; loop++)
739 {
740 proto_tree_add_item(adapter_tree, hf_netmon_network_info_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
741 offset += 4;
742 }
743 for (loop = 0; loop < ipv4_count; loop++)
744 {
745 proto_tree_add_item(adapter_tree, hf_netmon_network_info_subnet, tvb, offset, 4, ENC_BIG_ENDIAN);
746 offset += 4;
747 }
748 for (loop = 0; loop < ipv6_count; loop++)
749 {
750 proto_tree_add_item(adapter_tree, hf_netmon_network_info_ipv6, tvb, offset, 16, ENC_NA);
751 offset += 16;
752 }
753 for (loop = 0; loop < gateway_count; loop++)
754 {
755 proto_tree_add_item(adapter_tree, hf_netmon_network_info_gateway, tvb, offset, 4, ENC_BIG_ENDIAN);
756 offset += 4;
757 }
758 for (loop = 0; loop < dhcp_server_count; loop++)
759 {
760 proto_tree_add_item(adapter_tree, hf_netmon_network_info_dhcp_server, tvb, offset, 4, ENC_BIG_ENDIAN);
761 offset += 4;
762 }
763 for (loop = 0; loop < dns_ipv4_count; loop++)
764 {
765 proto_tree_add_item(adapter_tree, hf_netmon_network_info_dns_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN);
766 offset += 4;
767 }
768 for (loop = 0; loop < dns_ipv6_count; loop++)
769 {
770 proto_tree_add_item(adapter_tree, hf_netmon_network_info_dns_ipv6, tvb, offset, 16, ENC_NA);
771 offset += 16;
772 }
773
774 proto_item_set_len(adapter_item, offset-adapter_start_offset);
775 }
776
777 proto_item_set_len(list_item, offset-list_start_offset);
778 }
779
780 return tvb_captured_length(tvb);
781 }
782
783 static int
784 dissect_netmon_system_trace(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
785 {
786 proto_item *ti;
787 proto_tree *system_tree;
788 int offset = 0;
789 struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data;
790 unsigned length;
791 nstime_t timestamp;
792 uint64_t raw_timestamp;
793
794 DISSECTOR_ASSERT(provider_id_data != NULL);
795
796 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon System Trace");
797 col_clear(pinfo->cinfo, COL_INFO);
798
799 ti = proto_tree_add_item(tree, proto_netmon_system_trace, tvb, 0, -1, ENC_NA);
800 system_tree = proto_item_add_subtree(ti, ett_netmon_system_trace);
801
802 switch (provider_id_data->opcode)
803 {
804 case 0:
805 proto_tree_add_item(system_tree, hf_netmon_system_trace_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
806 offset += 4;
807 proto_tree_add_item(system_tree, hf_netmon_system_trace_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
808 offset += 4;
809 proto_tree_add_item(system_tree, hf_netmon_system_trace_provider_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
810 offset += 4;
811 proto_tree_add_item(system_tree, hf_netmon_system_trace_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN);
812 offset += 4;
813
814 raw_timestamp = tvb_get_letoh64(tvb, offset);
815 if (raw_timestamp != 0)
816 {
817 timestamp.secs = 0;
818 timestamp.nsecs = 0;
819 filetime_to_nstime(&timestamp, raw_timestamp);
820 proto_tree_add_time(system_tree, hf_netmon_system_trace_end_time, tvb, offset, 8, &timestamp);
821 }
822 else
823 {
824 proto_tree_add_time_format_value(system_tree, hf_netmon_system_trace_end_time, tvb, offset, 8, &timestamp, "(None)");
825 }
826 offset += 8;
827
828 proto_tree_add_item(system_tree, hf_netmon_system_trace_timer_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN);
829 offset += 4;
830 proto_tree_add_item(system_tree, hf_netmon_system_trace_max_file_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
831 offset += 4;
832 proto_tree_add_item(system_tree, hf_netmon_system_trace_log_file_mode, tvb, offset, 4, ENC_LITTLE_ENDIAN);
833 offset += 4;
834 proto_tree_add_item(system_tree, hf_netmon_system_trace_buffers_written, tvb, offset, 4, ENC_LITTLE_ENDIAN);
835 offset += 4;
836 proto_tree_add_item(system_tree, hf_netmon_system_trace_start_buffers, tvb, offset, 4, ENC_LITTLE_ENDIAN);
837 offset += 4;
838 proto_tree_add_item(system_tree, hf_netmon_system_trace_pointers_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
839 offset += 4;
840 proto_tree_add_item(system_tree, hf_netmon_system_trace_events_lost, tvb, offset, 4, ENC_LITTLE_ENDIAN);
841 offset += 4;
842 proto_tree_add_item(system_tree, hf_netmon_system_trace_cpu_speed, tvb, offset, 4, ENC_LITTLE_ENDIAN);
843 offset += 4;
844 netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_trace_logger_name, provider_id_data->event_flags);
845 netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_trace_log_file_name_ptr, provider_id_data->event_flags);
846 proto_tree_add_item(system_tree, hf_netmon_system_trace_time_zone_info, tvb, offset, 176, ENC_NA);
847 offset += 176;
848
849 timestamp.secs = 0;
850 timestamp.nsecs = 0;
851 filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
852 proto_tree_add_time(system_tree, hf_netmon_system_trace_boot_time, tvb, offset, 8, &timestamp);
853 offset += 8;
854
855 proto_tree_add_item(system_tree, hf_netmon_system_trace_perf_freq, tvb, offset, 8, ENC_LITTLE_ENDIAN);
856 offset += 8;
857
858 timestamp.secs = 0;
859 timestamp.nsecs = 0;
860 filetime_to_nstime(&timestamp, tvb_get_letoh64(tvb, offset));
861 proto_tree_add_time(system_tree, hf_netmon_system_trace_start_time, tvb, offset, 8, &timestamp);
862 offset += 8;
863
864 proto_tree_add_item(system_tree, hf_netmon_system_trace_reserved_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
865 offset += 4;
866 proto_tree_add_item(system_tree, hf_netmon_system_trace_buffers_lost, tvb, offset, 4, ENC_LITTLE_ENDIAN);
867 offset += 4;
868 length = tvb_unicode_strsize(tvb, offset);
869 proto_tree_add_item(system_tree, hf_netmon_system_trace_session_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
870 offset += length;
871 length = tvb_unicode_strsize(tvb, offset);
872 proto_tree_add_item(system_tree, hf_netmon_system_trace_log_file_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
873 break;
874 case 5:
875 case 32:
876 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask1, tvb, offset, 4, ENC_LITTLE_ENDIAN);
877 offset += 4;
878 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask2, tvb, offset, 4, ENC_LITTLE_ENDIAN);
879 offset += 4;
880 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask3, tvb, offset, 4, ENC_LITTLE_ENDIAN);
881 offset += 4;
882 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask4, tvb, offset, 4, ENC_LITTLE_ENDIAN);
883 offset += 4;
884 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask5, tvb, offset, 4, ENC_LITTLE_ENDIAN);
885 offset += 4;
886 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask6, tvb, offset, 4, ENC_LITTLE_ENDIAN);
887 offset += 4;
888 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask7, tvb, offset, 4, ENC_LITTLE_ENDIAN);
889 offset += 4;
890 proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask8, tvb, offset, 4, ENC_LITTLE_ENDIAN);
891 offset += 4;
892 proto_tree_add_item(system_tree, hf_netmon_system_trace_kernel_event_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
893 offset += 4;
894 break;
895 case 8: // EventTrace_RDComplete
896 break;
897 }
898
899 return tvb_captured_length(tvb);
900 }
901
902 static int
903 dissect_netmon_system_config(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
904 {
905 proto_item *ti;
906 proto_tree *system_tree;
907 int offset = 0;
908 struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data;
909 unsigned length;
910 uint32_t field1, field2;
911 const uint8_t *str_field1, *str_field2, *str_field3, *str_field4;
912
913 DISSECTOR_ASSERT(provider_id_data != NULL);
914
915 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon System Config");
916 col_clear(pinfo->cinfo, COL_INFO);
917
918 ti = proto_tree_add_item(tree, proto_netmon_system_config, tvb, 0, -1, ENC_NA);
919 system_tree = proto_item_add_subtree(ti, ett_netmon_system_config);
920
921 switch (provider_id_data->event_version)
922 {
923 // SystemConfig_V0
924 case 0:
925 switch (provider_id_data->opcode)
926 {
927 case 10:
928 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_mhz, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
929 offset += 4;
930 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field2);
931 offset += 4;
932 col_add_fstr(pinfo->cinfo, COL_INFO, "Processors: %u, (%u MHz)", field2, field1);
933
934 proto_tree_add_item(system_tree, hf_netmon_system_config_mem_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
935 offset += 4;
936 proto_tree_add_item(system_tree, hf_netmon_system_config_page_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
937 offset += 4;
938 proto_tree_add_item(system_tree, hf_netmon_system_config_allocation_granularity, tvb, offset, 4, ENC_LITTLE_ENDIAN);
939 offset += 4;
940 proto_tree_add_item(system_tree, hf_netmon_system_config_computer_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
941 offset += 512;
942 proto_tree_add_item(system_tree, hf_netmon_system_config_domain_name, tvb, offset, 264, ENC_LITTLE_ENDIAN|ENC_UTF_16);
943 offset += 264;
944 netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_config_hyper_threading_flag, provider_id_data->event_flags);
945 break;
946 case 11:
947 proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
948 offset += 4;
949 proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
950 offset += 4;
951 proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_track, tvb, offset, 4, ENC_LITTLE_ENDIAN);
952 offset += 4;
953 proto_tree_add_item(system_tree, hf_netmon_system_config_tracks_per_cylinder, tvb, offset, 4, ENC_LITTLE_ENDIAN);
954 offset += 4;
955 proto_tree_add_item(system_tree, hf_netmon_system_config_cylinders, tvb, offset, 8, ENC_LITTLE_ENDIAN);
956 offset += 8;
957 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_port, tvb, offset, 4, ENC_LITTLE_ENDIAN);
958 offset += 4;
959 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_path, tvb, offset, 4, ENC_LITTLE_ENDIAN);
960 offset += 4;
961 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_target, tvb, offset, 4, ENC_LITTLE_ENDIAN);
962 offset += 4;
963 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_lun, tvb, offset, 4, ENC_LITTLE_ENDIAN);
964 offset += 4;
965 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_manufacturer, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
966 offset += 512;
967 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
968 offset += 4;
969 proto_tree_add_item(system_tree, hf_netmon_system_config_write_cache_enabled, tvb, offset, 1, ENC_LITTLE_ENDIAN);
970 offset += 1;
971 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 1, ENC_NA);
972 offset += 1;
973 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_boot_drive_letter, tvb, offset, 6, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
974 offset += 6;
975 proto_tree_add_item(system_tree, hf_netmon_system_config_spare, tvb, offset, 4, ENC_LITTLE_ENDIAN|ENC_UTF_16);
976 offset += 4;
977
978 col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, BootDriveLetter: %s", str_field1, str_field2);
979 break;
980 case 12:
981 proto_tree_add_item(system_tree, hf_netmon_system_config_start_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
982 offset += 8;
983 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
984 offset += 8;
985 proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
986 offset += 4;
987 proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
988 offset += 4;
989 proto_tree_add_item(system_tree, hf_netmon_system_config_drive_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
990 offset += 4;
991 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_drive_letter, tvb, offset, 8, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
992 offset += 8;
993 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA);
994 offset += 4;
995 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
996 offset += 4;
997 proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_cluster, tvb, offset, 4, ENC_LITTLE_ENDIAN);
998 offset += 4;
999 proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1000 offset += 4;
1001 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA);
1002 offset += 4;
1003 proto_tree_add_item(system_tree, hf_netmon_system_config_num_free_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1004 offset += 8;
1005 proto_tree_add_item(system_tree, hf_netmon_system_config_total_num_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1006 offset += 8;
1007 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_file_system, tvb, offset, 32, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1008 offset += 32;
1009 col_add_fstr(pinfo->cinfo, COL_INFO, "Drive: %s, FileSystem: %s", str_field1, str_field2);
1010 proto_tree_add_item(system_tree, hf_netmon_system_config_volume_ext, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1011 offset += 4;
1012 break;
1013 case 13:
1014 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_nic_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1015 offset += 512;
1016 proto_tree_add_item(system_tree, hf_netmon_system_config_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1017 offset += 4;
1018 proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1019 offset += 4;
1020 proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_str, tvb, offset, 16, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1021 offset += 16;
1022 proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1023 offset += 4;
1024 proto_tree_add_item(system_tree, hf_netmon_system_config_ip_address, tvb, offset, 4, ENC_BIG_ENDIAN);
1025 col_add_fstr(pinfo->cinfo, COL_INFO, "NIC: %s, Address: %s", str_field1, tvb_ip_to_str(pinfo->pool, tvb, offset));
1026 offset += 4;
1027 proto_tree_add_item(system_tree, hf_netmon_system_config_subnet_mask, tvb, offset, 4, ENC_BIG_ENDIAN);
1028 offset += 4;
1029 proto_tree_add_item(system_tree, hf_netmon_system_config_dhcp_server, tvb, offset, 4, ENC_BIG_ENDIAN);
1030 offset += 4;
1031 proto_tree_add_item(system_tree, hf_netmon_system_config_gateway, tvb, offset, 4, ENC_BIG_ENDIAN);
1032 offset += 4;
1033 proto_tree_add_item(system_tree, hf_netmon_system_config_primary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN);
1034 offset += 4;
1035 proto_tree_add_item(system_tree, hf_netmon_system_config_secondary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN);
1036 offset += 4;
1037 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server1, tvb, offset, 4, ENC_BIG_ENDIAN);
1038 offset += 4;
1039 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server2, tvb, offset, 4, ENC_BIG_ENDIAN);
1040 offset += 4;
1041 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server3, tvb, offset, 4, ENC_BIG_ENDIAN);
1042 offset += 4;
1043 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server4, tvb, offset, 4, ENC_BIG_ENDIAN);
1044 offset += 4;
1045 proto_tree_add_item(system_tree, hf_netmon_system_config_data, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1046 offset += 4;
1047 break;
1048 case 14:
1049 proto_tree_add_item(system_tree, hf_netmon_system_config_memory_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1050 offset += 4;
1051 proto_tree_add_item(system_tree, hf_netmon_system_config_x_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1052 offset += 4;
1053 proto_tree_add_item(system_tree, hf_netmon_system_config_y_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1054 offset += 4;
1055 proto_tree_add_item(system_tree, hf_netmon_system_config_bits_per_pixel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1056 offset += 4;
1057 proto_tree_add_item(system_tree, hf_netmon_system_config_vrefresh, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1058 offset += 4;
1059 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_chip_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1060 offset += 512;
1061 proto_tree_add_item(system_tree, hf_netmon_system_config_dac_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1062 offset += 512;
1063 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_adapter_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1064 offset += 512;
1065 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3);
1066 offset += 512;
1067 col_add_fstr(pinfo->cinfo, COL_INFO, "Chip: %s, Adapter: %s, Bios: %s", str_field1, str_field2, str_field3);
1068 proto_tree_add_item(system_tree, hf_netmon_system_config_device_id, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1069 offset += 512;
1070 proto_tree_add_item(system_tree, hf_netmon_system_config_state_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1071 offset += 4;
1072 break;
1073 case 15:
1074 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1075 offset += 68;
1076 proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1077 offset += 512;
1078 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_process_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1079 offset += 68;
1080 col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, Process: %s", str_field1, str_field2);
1081 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1082 offset += 4;
1083 break;
1084 case 16:
1085 proto_tree_add_item(system_tree, hf_netmon_system_config_s1, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1086 offset += 1;
1087 proto_tree_add_item(system_tree, hf_netmon_system_config_s2, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1088 offset += 1;
1089 proto_tree_add_item(system_tree, hf_netmon_system_config_s3, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1090 offset += 1;
1091 proto_tree_add_item(system_tree, hf_netmon_system_config_s4, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1092 offset += 1;
1093 proto_tree_add_item(system_tree, hf_netmon_system_config_s5, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1094 offset += 1;
1095 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 3, ENC_NA);
1096 offset += 3;
1097 break;
1098 case 21:
1099 proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1100 offset += 8;
1101 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1102 offset += 4;
1103 col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1);
1104 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1105 offset += 4;
1106 /* XXX - can we trust size above? */
1107 length = tvb_unicode_strsize(tvb, offset);
1108 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1109 offset += length;
1110 break;
1111 case 22:
1112 proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1113 offset += 4;
1114 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1115 offset += 4;
1116 proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1117 offset += 4;
1118 /* XXX - can we trust sizes above? */
1119 length = tvb_unicode_strsize(tvb, offset);
1120 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1121 offset += length;
1122 length = tvb_unicode_strsize(tvb, offset);
1123 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1124 offset += length;
1125 length = tvb_unicode_strsize(tvb, offset);
1126 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1127 offset += length;
1128 col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2);
1129 length = tvb_unicode_strsize(tvb, offset);
1130 proto_tree_add_item(system_tree, hf_netmon_system_config_pdo_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1131 offset += length;
1132 break;
1133 }
1134 break;
1135 // SystemConfig_V1
1136 case 1:
1137 switch (provider_id_data->opcode)
1138 {
1139 case 10:
1140 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_mhz, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1141 offset += 4;
1142 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field2);
1143 offset += 4;
1144 col_add_fstr(pinfo->cinfo, COL_INFO, "Processors: %u, (%u MHz)", field2, field1);
1145
1146 proto_tree_add_item(system_tree, hf_netmon_system_config_mem_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1147 offset += 4;
1148 proto_tree_add_item(system_tree, hf_netmon_system_config_page_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1149 offset += 4;
1150 proto_tree_add_item(system_tree, hf_netmon_system_config_allocation_granularity, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1151 offset += 4;
1152 proto_tree_add_item(system_tree, hf_netmon_system_config_computer_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1153 offset += 512;
1154 proto_tree_add_item(system_tree, hf_netmon_system_config_domain_name, tvb, offset, 264, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1155 offset += 264;
1156 netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_config_hyper_threading_flag, provider_id_data->event_flags);
1157 break;
1158 case 11:
1159 proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1160 offset += 4;
1161 proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1162 offset += 4;
1163 proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_track, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1164 offset += 4;
1165 proto_tree_add_item(system_tree, hf_netmon_system_config_tracks_per_cylinder, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1166 offset += 4;
1167 proto_tree_add_item(system_tree, hf_netmon_system_config_cylinders, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1168 offset += 8;
1169 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_port, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1170 offset += 4;
1171 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_path, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1172 offset += 4;
1173 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_target, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1174 offset += 4;
1175 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_lun, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1176 offset += 4;
1177 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_manufacturer, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1178 offset += 512;
1179 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1180 offset += 4;
1181 proto_tree_add_item(system_tree, hf_netmon_system_config_write_cache_enabled, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1182 offset += 1;
1183 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 1, ENC_NA);
1184 offset += 1;
1185 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_boot_drive_letter, tvb, offset, 6, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1186 offset += 6;
1187 proto_tree_add_item(system_tree, hf_netmon_system_config_spare, tvb, offset, 4, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1188 offset += 4;
1189
1190 col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, BootDriveLetter: %s", str_field1, str_field2);
1191 break;
1192 case 12:
1193 proto_tree_add_item(system_tree, hf_netmon_system_config_start_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1194 offset += 8;
1195 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1196 offset += 8;
1197 proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1198 offset += 4;
1199 proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1200 offset += 4;
1201 proto_tree_add_item(system_tree, hf_netmon_system_config_drive_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1202 offset += 4;
1203 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_drive_letter, tvb, offset, 8, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1204 offset += 8;
1205 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA);
1206 offset += 4;
1207 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1208 offset += 4;
1209 proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_cluster, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1210 offset += 4;
1211 proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1212 offset += 4;
1213 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA);
1214 offset += 4;
1215 proto_tree_add_item(system_tree, hf_netmon_system_config_num_free_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1216 offset += 8;
1217 proto_tree_add_item(system_tree, hf_netmon_system_config_total_num_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1218 offset += 8;
1219 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_file_system, tvb, offset, 32, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1220 offset += 32;
1221 col_add_fstr(pinfo->cinfo, COL_INFO, "Drive: %s, FileSystem: %s", str_field1, str_field2);
1222 proto_tree_add_item(system_tree, hf_netmon_system_config_volume_ext, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1223 offset += 4;
1224 break;
1225 case 13:
1226 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_nic_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1227 offset += 512;
1228 proto_tree_add_item(system_tree, hf_netmon_system_config_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1229 offset += 4;
1230 proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1231 offset += 4;
1232 proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_str, tvb, offset, 16, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1233 offset += 16;
1234 proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1235 offset += 4;
1236 proto_tree_add_item(system_tree, hf_netmon_system_config_ip_address, tvb, offset, 4, ENC_BIG_ENDIAN);
1237 col_add_fstr(pinfo->cinfo, COL_INFO, "NIC: %s, Address: %s", str_field1, tvb_ip_to_str(pinfo->pool, tvb, offset));
1238 offset += 4;
1239 proto_tree_add_item(system_tree, hf_netmon_system_config_subnet_mask, tvb, offset, 4, ENC_BIG_ENDIAN);
1240 offset += 4;
1241 proto_tree_add_item(system_tree, hf_netmon_system_config_dhcp_server, tvb, offset, 4, ENC_BIG_ENDIAN);
1242 offset += 4;
1243 proto_tree_add_item(system_tree, hf_netmon_system_config_gateway, tvb, offset, 4, ENC_BIG_ENDIAN);
1244 offset += 4;
1245 proto_tree_add_item(system_tree, hf_netmon_system_config_primary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN);
1246 offset += 4;
1247 proto_tree_add_item(system_tree, hf_netmon_system_config_secondary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN);
1248 offset += 4;
1249 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server1, tvb, offset, 4, ENC_BIG_ENDIAN);
1250 offset += 4;
1251 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server2, tvb, offset, 4, ENC_BIG_ENDIAN);
1252 offset += 4;
1253 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server3, tvb, offset, 4, ENC_BIG_ENDIAN);
1254 offset += 4;
1255 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server4, tvb, offset, 4, ENC_BIG_ENDIAN);
1256 offset += 4;
1257 proto_tree_add_item(system_tree, hf_netmon_system_config_data, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1258 offset += 4;
1259 break;
1260 case 14:
1261 proto_tree_add_item(system_tree, hf_netmon_system_config_memory_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1262 offset += 4;
1263 proto_tree_add_item(system_tree, hf_netmon_system_config_x_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1264 offset += 4;
1265 proto_tree_add_item(system_tree, hf_netmon_system_config_y_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1266 offset += 4;
1267 proto_tree_add_item(system_tree, hf_netmon_system_config_bits_per_pixel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1268 offset += 4;
1269 proto_tree_add_item(system_tree, hf_netmon_system_config_vrefresh, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1270 offset += 4;
1271 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_chip_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1272 offset += 512;
1273 proto_tree_add_item(system_tree, hf_netmon_system_config_dac_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1274 offset += 512;
1275 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_adapter_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1276 offset += 512;
1277 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3);
1278 offset += 512;
1279 col_add_fstr(pinfo->cinfo, COL_INFO, "Chip: %s, Adapter: %s, Bios: %s", str_field1, str_field2, str_field3);
1280 proto_tree_add_item(system_tree, hf_netmon_system_config_device_id, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1281 offset += 512;
1282 proto_tree_add_item(system_tree, hf_netmon_system_config_state_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1283 offset += 4;
1284 break;
1285 case 15:
1286 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1287 offset += 68;
1288 proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1289 offset += 512;
1290 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_process_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1291 offset += 68;
1292 col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, Process: %s", str_field1, str_field2);
1293 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1294 offset += 4;
1295 break;
1296 case 16:
1297 proto_tree_add_item(system_tree, hf_netmon_system_config_s1, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1298 offset += 1;
1299 proto_tree_add_item(system_tree, hf_netmon_system_config_s2, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1300 offset += 1;
1301 proto_tree_add_item(system_tree, hf_netmon_system_config_s3, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1302 offset += 1;
1303 proto_tree_add_item(system_tree, hf_netmon_system_config_s4, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1304 offset += 1;
1305 proto_tree_add_item(system_tree, hf_netmon_system_config_s5, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1306 offset += 1;
1307 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 3, ENC_NA);
1308 offset += 3;
1309 break;
1310 case 21:
1311 proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1312 offset += 8;
1313 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1314 offset += 4;
1315 col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1);
1316 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1317 offset += 4;
1318 /* XXX - can we trust size above? */
1319 length = tvb_unicode_strsize(tvb, offset);
1320 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1321 offset += length;
1322 break;
1323 case 22:
1324 proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1325 offset += 4;
1326 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1327 offset += 4;
1328 proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1329 offset += 4;
1330 /* XXX - can we trust sizes above? */
1331 length = tvb_unicode_strsize(tvb, offset);
1332 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1333 offset += length;
1334 length = tvb_unicode_strsize(tvb, offset);
1335 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1336 offset += length;
1337 length = tvb_unicode_strsize(tvb, offset);
1338 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1339 offset += length;
1340 col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2);
1341 length = tvb_unicode_strsize(tvb, offset);
1342 proto_tree_add_item(system_tree, hf_netmon_system_config_pdo_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1343 offset += length;
1344 break;
1345 }
1346 break;
1347 // SystemConfig_V2
1348 case 2:
1349 switch (provider_id_data->opcode)
1350 {
1351 case 10:
1352 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_mhz, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1353 offset += 4;
1354 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field2);
1355 offset += 4;
1356 col_add_fstr(pinfo->cinfo, COL_INFO, "Processors: %u, (%u MHz)", field2, field1);
1357
1358 proto_tree_add_item(system_tree, hf_netmon_system_config_mem_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1359 offset += 4;
1360 proto_tree_add_item(system_tree, hf_netmon_system_config_page_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1361 offset += 4;
1362 proto_tree_add_item(system_tree, hf_netmon_system_config_allocation_granularity, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1363 offset += 4;
1364 proto_tree_add_item(system_tree, hf_netmon_system_config_computer_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1365 offset += 512;
1366 proto_tree_add_item(system_tree, hf_netmon_system_config_domain_name, tvb, offset, 268, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1367 offset += 268;
1368 netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_config_hyper_threading_flag, provider_id_data->event_flags);
1369 break;
1370 case 11:
1371 proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1372 offset += 4;
1373 proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1374 offset += 4;
1375 proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_track, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1376 offset += 4;
1377 proto_tree_add_item(system_tree, hf_netmon_system_config_tracks_per_cylinder, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1378 offset += 4;
1379 proto_tree_add_item(system_tree, hf_netmon_system_config_cylinders, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1380 offset += 8;
1381 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_port, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1382 offset += 4;
1383 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_path, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1384 offset += 4;
1385 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_target, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1386 offset += 4;
1387 proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_lun, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1388 offset += 4;
1389 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_manufacturer, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1390 offset += 512;
1391 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1392 offset += 4;
1393 proto_tree_add_item(system_tree, hf_netmon_system_config_write_cache_enabled, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1394 offset += 1;
1395 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 1, ENC_NA);
1396 offset += 1;
1397 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_boot_drive_letter, tvb, offset, 6, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1398 offset += 6;
1399 proto_tree_add_item(system_tree, hf_netmon_system_config_spare, tvb, offset, 4, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1400 offset += 4;
1401
1402 col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, BootDriveLetter: %s", str_field1, str_field2);
1403 break;
1404 case 12:
1405 proto_tree_add_item(system_tree, hf_netmon_system_config_start_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1406 offset += 8;
1407 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_size, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1408 offset += 8;
1409 proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1410 offset += 4;
1411 proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1412 offset += 4;
1413 proto_tree_add_item(system_tree, hf_netmon_system_config_drive_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1414 offset += 4;
1415 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_drive_letter, tvb, offset, 8, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1416 offset += 8;
1417 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA);
1418 offset += 4;
1419 proto_tree_add_item(system_tree, hf_netmon_system_config_partition_number, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1420 offset += 4;
1421 proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_cluster, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1422 offset += 4;
1423 proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1424 offset += 4;
1425 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA);
1426 offset += 4;
1427 proto_tree_add_item(system_tree, hf_netmon_system_config_num_free_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1428 offset += 8;
1429 proto_tree_add_item(system_tree, hf_netmon_system_config_total_num_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1430 offset += 8;
1431 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_file_system, tvb, offset, 32, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1432 offset += 32;
1433 col_add_fstr(pinfo->cinfo, COL_INFO, "Drive: %s, FileSystem: %s", str_field1, str_field2);
1434 proto_tree_add_item(system_tree, hf_netmon_system_config_volume_ext, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1435 offset += 4;
1436 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA);
1437 offset += 4;
1438 break;
1439 case 13:
1440 proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1441 offset += 8;
1442 proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1443 offset += 4;
1444 proto_tree_add_item(system_tree, hf_netmon_system_config_ipv4_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1445 offset += 4;
1446 proto_tree_add_item(system_tree, hf_netmon_system_config_ipv6_index, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1447 offset += 4;
1448 length = tvb_unicode_strsize(tvb, offset);
1449 proto_tree_add_item(system_tree, hf_netmon_system_config_nic_description, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1450 offset += length;
1451 length = tvb_unicode_strsize(tvb, offset);
1452 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_ipaddresses, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1453 offset += length;
1454 col_add_fstr(pinfo->cinfo, COL_INFO, "IP Addresses: %s", str_field1);
1455 length = tvb_unicode_strsize(tvb, offset);
1456 proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server_addresses, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1457 offset += length;
1458 break;
1459 case 14:
1460 proto_tree_add_item(system_tree, hf_netmon_system_config_memory_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1461 offset += 4;
1462 proto_tree_add_item(system_tree, hf_netmon_system_config_x_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1463 offset += 4;
1464 proto_tree_add_item(system_tree, hf_netmon_system_config_y_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1465 offset += 4;
1466 proto_tree_add_item(system_tree, hf_netmon_system_config_bits_per_pixel, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1467 offset += 4;
1468 proto_tree_add_item(system_tree, hf_netmon_system_config_vrefresh, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1469 offset += 4;
1470 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_chip_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1471 offset += 512;
1472 proto_tree_add_item(system_tree, hf_netmon_system_config_dac_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1473 offset += 512;
1474 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_adapter_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1475 offset += 512;
1476 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3);
1477 offset += 512;
1478 col_add_fstr(pinfo->cinfo, COL_INFO, "Chip: %s, Adapter: %s, Bios: %s", str_field1, str_field2, str_field3);
1479 proto_tree_add_item(system_tree, hf_netmon_system_config_device_id, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1480 offset += 512;
1481 proto_tree_add_item(system_tree, hf_netmon_system_config_state_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1482 offset += 4;
1483 break;
1484 case 15:
1485 proto_tree_add_item(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1486 offset += 4;
1487 proto_tree_add_item(system_tree, hf_netmon_system_config_service_state, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1488 offset += 4;
1489 proto_tree_add_item(system_tree, hf_netmon_system_config_sub_process_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1490 offset += 4;
1491 length = tvb_unicode_strsize(tvb, offset);
1492 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1493 offset += length;
1494 length = tvb_unicode_strsize(tvb, offset);
1495 proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1496 offset += length;
1497 length = tvb_unicode_strsize(tvb, offset);
1498 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_process_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1499 offset += length;
1500 col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, Process: %s", str_field1, str_field2);
1501 break;
1502 case 16:
1503 proto_tree_add_item(system_tree, hf_netmon_system_config_s1, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1504 offset += 1;
1505 proto_tree_add_item(system_tree, hf_netmon_system_config_s2, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1506 offset += 1;
1507 proto_tree_add_item(system_tree, hf_netmon_system_config_s3, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1508 offset += 1;
1509 proto_tree_add_item(system_tree, hf_netmon_system_config_s4, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1510 offset += 1;
1511 proto_tree_add_item(system_tree, hf_netmon_system_config_s5, tvb, offset, 1, ENC_LITTLE_ENDIAN);
1512 offset += 1;
1513 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 3, ENC_NA);
1514 offset += 3;
1515 break;
1516 case 17:
1517 proto_tree_add_item(system_tree, hf_netmon_system_config_tcb_table_partitions, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1518 offset += 4;
1519 proto_tree_add_item(system_tree, hf_netmon_system_config_max_hash_table_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1520 offset += 4;
1521 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_max_user_port, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1522 offset += 4;
1523 proto_tree_add_item(system_tree, hf_netmon_system_config_tcp_timed_wait_delay, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1524 offset += 4;
1525 col_add_fstr(pinfo->cinfo, COL_INFO, "MaxUserPort: %u", field1);
1526 break;
1527 case 21:
1528 proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1529 offset += 8;
1530 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1531 offset += 4;
1532 col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1);
1533 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1534 offset += 4;
1535 /* XXX - can we trust size above? */
1536 length = tvb_unicode_strsize(tvb, offset);
1537 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1538 offset += length;
1539 break;
1540 case 22:
1541 proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1542 offset += 4;
1543 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1544 offset += 4;
1545 proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1546 offset += 4;
1547 /* XXX - can we trust sizes above? */
1548 length = tvb_unicode_strsize(tvb, offset);
1549 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1550 offset += length;
1551 length = tvb_unicode_strsize(tvb, offset);
1552 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1553 offset += length;
1554 length = tvb_unicode_strsize(tvb, offset);
1555 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1556 offset += length;
1557 col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2);
1558 break;
1559 case 23:
1560 proto_tree_add_item(system_tree, hf_netmon_system_config_target_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1561 offset += 4;
1562 proto_tree_add_item(system_tree, hf_netmon_system_config_device_type, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1563 offset += 4;
1564 proto_tree_add_item(system_tree, hf_netmon_system_config_device_timing_mode, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1565 offset += 4;
1566 proto_tree_add_item(system_tree, hf_netmon_system_config_location_information_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1567 offset += 4;
1568 length = tvb_unicode_strsize(tvb, offset);
1569 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_location_information, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1570 offset += length;
1571 col_add_fstr(pinfo->cinfo, COL_INFO, "Location: %s", str_field1);
1572 break;
1573 case 25:
1574 length = tvb_unicode_strsize(tvb, offset);
1575 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_system_manufacturer, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1576 offset += length;
1577 length = tvb_unicode_strsize(tvb, offset);
1578 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_system_product_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1579 offset += length;
1580 length = tvb_unicode_strsize(tvb, offset);
1581 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_date, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3);
1582 offset += length;
1583 length = tvb_unicode_strsize(tvb, offset);
1584 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_version, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field4);
1585 offset += length;
1586 col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, ProductName: %s, BiosDate: %s, BiosVersion: %s", str_field1, str_field2, str_field3, str_field4);
1587 break;
1588 }
1589 break;
1590 // SystemConfig_V3
1591 case 3:
1592 switch (provider_id_data->opcode)
1593 {
1594 case 15:
1595 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1596 offset += 4;
1597 proto_tree_add_item(system_tree, hf_netmon_system_config_service_state, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1598 offset += 4;
1599 proto_tree_add_item(system_tree, hf_netmon_system_config_sub_process_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1600 offset += 4;
1601 length = tvb_unicode_strsize(tvb, offset);
1602 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1603 offset += length;
1604 col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, (PID=%d)", str_field1, field1);
1605 length = tvb_unicode_strsize(tvb, offset);
1606 proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1607 offset += length;
1608 length = tvb_unicode_strsize(tvb, offset);
1609 proto_tree_add_item(system_tree, hf_netmon_system_config_process_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1610 offset += length;
1611 length = tvb_unicode_strsize(tvb, offset);
1612 proto_tree_add_item(system_tree, hf_netmon_system_config_load_order_group, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1613 offset += length;
1614 length = tvb_unicode_strsize(tvb, offset);
1615 proto_tree_add_item(system_tree, hf_netmon_system_config_svc_host_group, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1616 offset += length;
1617 break;
1618 case 21:
1619 proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN);
1620 offset += 8;
1621 proto_tree_add_item(system_tree, hf_netmon_system_config_irq_group, tvb, offset, 2, ENC_LITTLE_ENDIAN);
1622 offset += 2;
1623 proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 2, ENC_NA);
1624 offset += 2;
1625 proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1);
1626 offset += 4;
1627 col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1);
1628 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1629 offset += 4;
1630 /* XXX - can we trust size above? */
1631 length = tvb_unicode_strsize(tvb, offset);
1632 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1633 offset += length;
1634 break;
1635 case 22:
1636 proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1637 offset += 4;
1638 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1639 offset += 4;
1640 proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1641 offset += 4;
1642 /* XXX - can we trust sizes above? */
1643 length = tvb_unicode_strsize(tvb, offset);
1644 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1);
1645 offset += length;
1646 length = tvb_unicode_strsize(tvb, offset);
1647 proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1648 offset += length;
1649 length = tvb_unicode_strsize(tvb, offset);
1650 proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2);
1651 offset += length;
1652 col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2);
1653 length = tvb_unicode_strsize(tvb, offset);
1654 proto_tree_add_item(system_tree, hf_netmon_system_config_pdo_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1655 offset += length;
1656 break;
1657 }
1658 break;
1659 }
1660
1661 return offset;
1662 }
1663
1664 static int
1665 dissect_netmon_process(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
1666 {
1667 proto_item *ti;
1668 proto_tree *process_tree;
1669 int offset = 0;
1670 struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data;
1671 unsigned length;
1672 const uint8_t *filename;
1673
1674 DISSECTOR_ASSERT(provider_id_data != NULL);
1675
1676 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Process");
1677 col_clear(pinfo->cinfo, COL_INFO);
1678
1679 ti = proto_tree_add_item(tree, proto_netmon_process, tvb, 0, -1, ENC_NA);
1680 process_tree = proto_item_add_subtree(ti, ett_netmon_process);
1681
1682 switch (provider_id_data->event_version)
1683 {
1684 case 0:
1685 switch (provider_id_data->opcode)
1686 {
1687 case 1:
1688 case 2:
1689 case 3:
1690 case 4:
1691 proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1692 offset += 4;
1693 proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1694 offset += 4;
1695 netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision,
1696 hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority,
1697 &ei_netmon_process_user_sid, false);
1698 length = tvb_strsize(tvb, offset);
1699 proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII,
1700 pinfo->pool, &filename);
1701 col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename);
1702 offset += length;
1703 break;
1704
1705 }
1706 break;
1707 case 1:
1708 switch (provider_id_data->opcode)
1709 {
1710 case 1:
1711 case 2:
1712 case 3:
1713 case 4:
1714 netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_page_directory_base, provider_id_data->event_flags);
1715 proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1716 offset += 4;
1717 proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1718 offset += 4;
1719 proto_tree_add_item(process_tree, hf_netmon_process_session_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1720 offset += 4;
1721 proto_tree_add_item(process_tree, hf_netmon_process_exit_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1722 offset += 4;
1723 netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision,
1724 hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority,
1725 &ei_netmon_process_user_sid, false);
1726 length = tvb_strsize(tvb, offset);
1727 proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII,
1728 pinfo->pool, &filename);
1729 col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename);
1730 offset += length;
1731 break;
1732 }
1733 break;
1734 case 2:
1735 switch (provider_id_data->opcode)
1736 {
1737 case 1:
1738 case 2:
1739 case 3:
1740 case 4:
1741 case 39:
1742 netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_unique_process_key, provider_id_data->event_flags);
1743 proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1744 offset += 4;
1745 proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1746 offset += 4;
1747 proto_tree_add_item(process_tree, hf_netmon_process_session_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1748 offset += 4;
1749 proto_tree_add_item(process_tree, hf_netmon_process_exit_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1750 offset += 4;
1751 if (provider_id_data->event_flags & EVENT_HEADER_FLAG_64_BIT_HEADER)
1752 {
1753 proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 16, ENC_NA);
1754 offset += 16;
1755 }
1756 else
1757 {
1758 proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 8, ENC_NA);
1759 offset += 8;
1760 }
1761 netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision,
1762 hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority,
1763 &ei_netmon_process_user_sid, false);
1764 length = tvb_strsize(tvb, offset);
1765 proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII,
1766 pinfo->pool, &filename);
1767 col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename);
1768 offset += length;
1769
1770 length = tvb_unicode_strsize(tvb, offset);
1771 proto_tree_add_item(process_tree, hf_netmon_process_command_line, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1772 offset += length;
1773 break;
1774
1775 case 32:
1776 case 33:
1777 proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1778 offset += 4;
1779 proto_tree_add_item(process_tree, hf_netmon_process_page_fault_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1780 offset += 4;
1781 proto_tree_add_item(process_tree, hf_netmon_process_handle_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1782 offset += 4;
1783 proto_tree_add_item(process_tree, hf_netmon_process_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1784 offset += 4;
1785 proto_tree_add_item(process_tree, hf_netmon_process_peak_virtual_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1786 offset += 4;
1787 proto_tree_add_item(process_tree, hf_netmon_process_peak_working_set_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1788 offset += 4;
1789 proto_tree_add_item(process_tree, hf_netmon_process_peak_page_file_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1790 offset += 4;
1791 proto_tree_add_item(process_tree, hf_netmon_process_quota_peak_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1792 offset += 4;
1793 proto_tree_add_item(process_tree, hf_netmon_process_quota_peak_non_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1794 offset += 4;
1795 proto_tree_add_item(process_tree, hf_netmon_process_virtual_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1796 offset += 4;
1797 proto_tree_add_item(process_tree, hf_netmon_process_workingset_size, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1798 offset += 4;
1799 proto_tree_add_item(process_tree, hf_netmon_process_pagefile_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1800 offset += 4;
1801 proto_tree_add_item(process_tree, hf_netmon_process_quota_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1802 offset += 4;
1803 proto_tree_add_item(process_tree, hf_netmon_process_quota_non_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1804 offset += 4;
1805 proto_tree_add_item(process_tree, hf_netmon_process_private_page_count, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1806 offset += 4;
1807 break;
1808 case 35:
1809 proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1810 offset += 4;
1811 proto_tree_add_item(process_tree, hf_netmon_process_directory_table_base32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1812 offset += 4;
1813 break;
1814 }
1815 break;
1816 case 3:
1817 switch (provider_id_data->opcode)
1818 {
1819 case 1:
1820 case 2:
1821 case 3:
1822 case 4:
1823 case 39:
1824 netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_unique_process_key, provider_id_data->event_flags);
1825 proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1826 offset += 4;
1827 proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1828 offset += 4;
1829 proto_tree_add_item(process_tree, hf_netmon_process_session_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1830 offset += 4;
1831 proto_tree_add_item(process_tree, hf_netmon_process_exit_status, tvb, offset, 4, ENC_LITTLE_ENDIAN);
1832 offset += 4;
1833 netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_directory_table_base, provider_id_data->event_flags);
1834 if (provider_id_data->event_flags & EVENT_HEADER_FLAG_64_BIT_HEADER)
1835 {
1836 proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 16, ENC_NA);
1837 offset += 16;
1838 }
1839 else
1840 {
1841 proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 8, ENC_NA);
1842 offset += 8;
1843 }
1844 netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision,
1845 hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority,
1846 &ei_netmon_process_user_sid, false);
1847 length = tvb_strsize(tvb, offset);
1848 proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII,
1849 pinfo->pool, &filename);
1850 col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename);
1851 offset += length;
1852
1853 length = tvb_unicode_strsize(tvb, offset);
1854 proto_tree_add_item(process_tree, hf_netmon_process_command_line, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16);
1855 offset += length;
1856 break;
1857 }
1858 break;
1859 }
1860
1861 return tvb_captured_length(tvb);
1862 }
1863
1864 void proto_register_netmon(void)
1865 {
1866 static hf_register_info hf_header[] = {
1867 { &hf_netmon_header_title_comment,
1868 { "Comment title", "netmon_header.title_comment",
1869 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1870 },
1871 { &hf_netmon_header_description_comment,
1872 { "Comment description", "netmon_header.description_comment",
1873 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
1874 },
1875 };
1876
1877
1878 static hf_register_info hf_event[] = {
1879 { &hf_netmon_event_size,
1880 { "Size", "netmon_event.size",
1881 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1882 },
1883 { &hf_netmon_event_header_type,
1884 { "Header type", "netmon_event.header_type",
1885 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
1886 },
1887 { &hf_netmon_event_flags,
1888 { "Flags", "netmon_event.flags",
1889 FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }
1890 },
1891 { &hf_netmon_event_flags_extended_info,
1892 { "Extended Info", "netmon_event.flags.extended_info",
1893 FT_BOOLEAN, 16, TFS(&tfs_present_not_present), EVENT_HEADER_FLAG_EXTENDED_INFO, NULL, HFILL }
1894 },
1895 { &hf_netmon_event_flags_private_session,
1896 { "Private Sessions", "netmon_event.flags.private_session",
1897 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_PRIVATE_SESSION, NULL, HFILL }
1898 },
1899 { &hf_netmon_event_flags_string_only,
1900 { "Null-terminated Unicode string", "netmon_event.flags.string_only",
1901 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_STRING_ONLY, NULL, HFILL }
1902 },
1903 { &hf_netmon_event_flags_trace_message,
1904 { "TraceMessage logged", "netmon_event.flags.trace_message",
1905 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_TRACE_MESSAGE, NULL, HFILL }
1906 },
1907 { &hf_netmon_event_flags_no_cputime,
1908 { "Use ProcessorTime", "netmon_event.flags.no_cputime",
1909 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_NO_CPUTIME, NULL, HFILL }
1910 },
1911 { &hf_netmon_event_flags_32bit_header,
1912 { "Provider running on 32-bit computer", "netmon_event.flags.32bit_header",
1913 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_32_BIT_HEADER, NULL, HFILL }
1914 },
1915 { &hf_netmon_event_flags_64bit_header,
1916 { "Provider running on 64-bit computer", "netmon_event.flags.64bit_header",
1917 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_64_BIT_HEADER, NULL, HFILL }
1918 },
1919 { &hf_netmon_event_flags_classic_header,
1920 { "Use TraceEvent", "netmon_event.flags.classic_header",
1921 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_CLASSIC_HEADER, NULL, HFILL }
1922 },
1923 { &hf_netmon_event_event_property,
1924 { "Event property", "netmon_event.event_property",
1925 FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }
1926 },
1927 { &hf_netmon_event_event_property_xml,
1928 { "Need manifest", "netmon_event.event_property.xml",
1929 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_PROPERTY_XML, NULL, HFILL }
1930 },
1931 { &hf_netmon_event_event_property_forwarded_xml,
1932 { "Event data contains fully-rendered XML", "netmon_event.event_property.forwarded_xml",
1933 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_PROPERTY_FORWARDED_XML, NULL, HFILL }
1934 },
1935 { &hf_netmon_event_event_property_legacy_eventlog,
1936 { "Need WMI MOF class", "netmon_event.event_property.legacy_eventlog",
1937 FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG, NULL, HFILL }
1938 },
1939 { &hf_netmon_event_thread_id,
1940 { "Thread ID", "netmon_event.thread_id",
1941 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1942 },
1943 { &hf_netmon_event_process_id,
1944 { "Process ID", "netmon_event.process_id",
1945 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1946 },
1947 { &hf_netmon_event_timestamp,
1948 { "Timestamp", "netmon_event.timestamp",
1949 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }
1950 },
1951 { &hf_netmon_event_provider_id,
1952 { "Provider ID", "netmon_event.provider_id",
1953 FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }
1954 },
1955 { &hf_netmon_event_event_desc_id,
1956 { "ID", "netmon_event.event_desc.id",
1957 FT_UINT16, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
1958 },
1959 { &hf_netmon_event_event_desc_version,
1960 { "Version", "netmon_event.event_desc.version",
1961 FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
1962 },
1963 { &hf_netmon_event_event_desc_channel,
1964 { "Channel", "netmon_event.event_desc.channel",
1965 FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
1966 },
1967 { &hf_netmon_event_event_desc_level,
1968 { "Level", "netmon_event.event_desc.level",
1969 FT_UINT8, BASE_DEC, VALS(event_level_vals), 0x0, NULL, HFILL }
1970 },
1971 { &hf_netmon_event_event_desc_opcode,
1972 { "Opcode", "netmon_event.event_desc.opcode",
1973 FT_UINT8, BASE_HEX, VALS(opcode_vals), 0x0, NULL, HFILL }
1974 },
1975 { &hf_netmon_event_event_desc_task,
1976 { "Task", "netmon_event.event_desc.task",
1977 FT_UINT16, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
1978 },
1979 { &hf_netmon_event_event_desc_keyword,
1980 { "Keyword", "netmon_event.event_desc.keyword",
1981 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
1982 },
1983 { &hf_netmon_event_kernel_time,
1984 { "Kernel time", "netmon_event.kernel_time",
1985 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1986 },
1987 { &hf_netmon_event_user_time,
1988 { "User time", "netmon_event.user_time",
1989 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
1990 },
1991 { &hf_netmon_event_processor_time,
1992 { "Processor time", "netmon_event.processor_time",
1993 FT_UINT64, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
1994 },
1995 { &hf_netmon_event_activity_id,
1996 { "Activity ID", "netmon_event.activity_id",
1997 FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL }
1998 },
1999 { &hf_netmon_event_processor_number,
2000 { "Processor number", "netmon_event.processor_number",
2001 FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
2002 },
2003 { &hf_netmon_event_alignment,
2004 { "Alignment", "netmon_event.alignment",
2005 FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
2006 },
2007 { &hf_netmon_event_logger_id,
2008 { "Logger ID", "netmon_event.logger_id",
2009 FT_UINT16, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL }
2010 },
2011 { &hf_netmon_event_extended_data_count,
2012 { "Extended data count", "netmon_event.extended_data_count",
2013 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2014 },
2015 { &hf_netmon_event_user_data_length,
2016 { "User data length", "netmon_event.user_data_length",
2017 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2018 },
2019 { &hf_netmon_event_reassembled,
2020 { "Reassembled", "netmon_event.reassembled",
2021 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2022 },
2023 { &hf_netmon_event_extended_data_reserved,
2024 { "Reserved", "netmon_event.extended_data.reserved",
2025 FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL }
2026 },
2027 { &hf_netmon_event_extended_data_type,
2028 { "Extended info type", "netmon_event.extended_data.type",
2029 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2030 },
2031 { &hf_netmon_event_extended_data_linkage,
2032 { "Additional extended data", "netmon_event.extended_data.linkage",
2033 FT_BOOLEAN, 16, TFS(&tfs_yes_no), 0x0001, NULL, HFILL }
2034 },
2035 { &hf_netmon_event_extended_data_reserved2,
2036 { "Reserved", "netmon_event.extended_data.reserved2",
2037 FT_UINT16, BASE_HEX, NULL, 0xFFFE, NULL, HFILL }
2038 },
2039 { &hf_netmon_event_extended_data_size,
2040 { "Extended data size", "netmon_event.extended_data.size",
2041 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2042 },
2043 { &hf_netmon_event_extended_data,
2044 { "Extended data", "netmon_event.extended_data",
2045 FT_BYTES, BASE_NONE|BASE_ALLOW_ZERO, NULL, 0x0, NULL, HFILL }
2046 },
2047 { &hf_netmon_event_user_data,
2048 { "User data", "netmon_event.user_data",
2049 FT_BYTES, BASE_NONE|BASE_ALLOW_ZERO, NULL, 0x0, NULL, HFILL }
2050 },
2051 };
2052
2053 static hf_register_info hf_filter[] = {
2054 { &hf_netmon_filter_version,
2055 { "Version", "netmon_filter.version",
2056 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2057 },
2058 { &hf_netmon_filter_type,
2059 { "Filter type", "netmon_filter.type",
2060 FT_UINT32, BASE_DEC|BASE_RANGE_STRING, RVALS(filter_types), 0x0, NULL, HFILL }
2061 },
2062 { &hf_netmon_filter_app_major_version,
2063 { "App Major Version", "netmon_filter.app_major_version",
2064 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2065 },
2066 { &hf_netmon_filter_app_minor_version,
2067 { "App Minor Version", "netmon_filter.app_minor_version",
2068 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2069 },
2070 { &hf_netmon_filter_app_name,
2071 { "Application Name", "netmon_filter.app_name",
2072 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2073 },
2074 { &hf_netmon_filter_filter,
2075 { "Filter", "netmon_filter.filter",
2076 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2077 },
2078 };
2079
2080 static hf_register_info hf_network_info[] = {
2081 { &hf_netmon_network_info_version,
2082 { "Version", "netmon_network_info.version",
2083 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2084 },
2085 { &hf_netmon_network_info_adapter_count,
2086 { "Adapter count", "netmon_network_info.adapter_count",
2087 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2088 },
2089 { &hf_netmon_network_info_computer_name,
2090 { "Computer name", "netmon_network_info.computer_name",
2091 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2092 },
2093 { &hf_netmon_network_info_friendly_name,
2094 { "Friendly name", "netmon_network_info.friendly_name",
2095 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2096 },
2097 { &hf_netmon_network_info_description,
2098 { "Description", "netmon_network_info.description",
2099 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2100 },
2101 { &hf_netmon_network_info_miniport_guid,
2102 { "Miniport GUID", "netmon_network_info.miniport_guid",
2103 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2104 },
2105 { &hf_netmon_network_info_media_type,
2106 { "Media type", "netmon_network_info.media_type",
2107 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2108 },
2109 { &hf_netmon_network_info_mtu,
2110 { "MTU", "netmon_network_info.mtu",
2111 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2112 },
2113 { &hf_netmon_network_info_link_speed,
2114 { "Link speed", "netmon_network_info.link_speed",
2115 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2116 },
2117 { &hf_netmon_network_info_mac_address,
2118 { "MAC address", "netmon_network_info.mac_address",
2119 FT_ETHER, BASE_NONE, NULL, 0x0, NULL, HFILL }
2120 },
2121 { &hf_netmon_network_info_ipv4_count,
2122 { "IPv4 count", "netmon_network_info.ipv4_count",
2123 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2124 },
2125 { &hf_netmon_network_info_ipv6_count,
2126 { "IPv6 count", "netmon_network_info.ipv6_count",
2127 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2128 },
2129 { &hf_netmon_network_info_gateway_count,
2130 { "Gateway count", "netmon_network_info.gateway_count",
2131 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2132 },
2133 { &hf_netmon_network_info_dhcp_server_count,
2134 { "DHCP server count", "netmon_network_info.dhcp_server_count",
2135 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2136 },
2137 { &hf_netmon_network_info_dns_ipv4_count,
2138 { "DNS IPv4 count", "netmon_network_info.dns_ipv4_count",
2139 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2140 },
2141 { &hf_netmon_network_info_dns_ipv6_count,
2142 { "DNS IPv6 count", "netmon_network_info.dns_ipv6_count",
2143 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2144 },
2145 { &hf_netmon_network_info_ipv4,
2146 { "IPv4 address", "netmon_network_info.ipv4",
2147 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2148 },
2149 { &hf_netmon_network_info_subnet,
2150 { "Subnet mask", "netmon_network_info.subnet",
2151 FT_IPv4, BASE_NETMASK, NULL, 0x0, NULL, HFILL }
2152 },
2153 { &hf_netmon_network_info_ipv6,
2154 { "IPv6 address", "netmon_network_info.ipv6",
2155 FT_IPv6, BASE_NONE, NULL, 0x0, NULL, HFILL }
2156 },
2157 { &hf_netmon_network_info_gateway,
2158 { "Gateway address", "netmon_network_info.gateway",
2159 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2160 },
2161 { &hf_netmon_network_info_dhcp_server,
2162 { "DHCP Server", "netmon_network_info.dhcp_server",
2163 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2164 },
2165 { &hf_netmon_network_info_dns_ipv4,
2166 { "DNS IPv4 address", "netmon_network_info.dns_ipv4",
2167 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2168 },
2169 { &hf_netmon_network_info_dns_ipv6,
2170 { "DNS IPv6 address", "netmon_network_info.dns_ipv6",
2171 FT_IPv6, BASE_NONE, NULL, 0x0, NULL, HFILL }
2172 },
2173 };
2174
2175 static hf_register_info hf_system_trace[] = {
2176 { &hf_netmon_system_trace_buffer_size,
2177 { "Buffer size", "netmon_system_trace.buffer_size",
2178 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2179 },
2180 { &hf_netmon_system_trace_version,
2181 { "Version", "netmon_system_trace.version",
2182 FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL }
2183 },
2184 { &hf_netmon_system_trace_provider_version,
2185 { "Provider version", "netmon_system_trace.provider_version",
2186 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2187 },
2188 { &hf_netmon_system_trace_num_processors,
2189 { "Number of processors", "netmon_system_trace.num_processors",
2190 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2191 },
2192 { &hf_netmon_system_trace_end_time,
2193 { "End time", "netmon_system_trace.end_time",
2194 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }
2195 },
2196 { &hf_netmon_system_trace_timer_resolution,
2197 { "Timer resolution", "netmon_system_trace.timer_resolution",
2198 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2199 },
2200 { &hf_netmon_system_trace_max_file_size,
2201 { "Max file size", "netmon_system_trace.max_file_size",
2202 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2203 },
2204 { &hf_netmon_system_trace_log_file_mode,
2205 { "Log file mode", "netmon_system_trace.log_file_mode",
2206 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2207 },
2208 { &hf_netmon_system_trace_buffers_written,
2209 { "Buffers written", "netmon_system_trace.buffers_written",
2210 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2211 },
2212 { &hf_netmon_system_trace_start_buffers,
2213 { "Start buffers", "netmon_system_trace.start_buffers",
2214 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2215 },
2216 { &hf_netmon_system_trace_pointers_size,
2217 { "Pointers size", "netmon_system_trace.pointers_size",
2218 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2219 },
2220 { &hf_netmon_system_trace_events_lost,
2221 { "Events lost", "netmon_system_trace.events_lost",
2222 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2223 },
2224 { &hf_netmon_system_trace_cpu_speed,
2225 { "CPU speed", "netmon_system_trace.cpu_speed",
2226 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2227 },
2228 { &hf_netmon_system_trace_logger_name,
2229 { "Logger name", "netmon_system_trace.logger_name",
2230 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
2231 },
2232 { &hf_netmon_system_trace_log_file_name_ptr,
2233 { "Log file name", "netmon_system_trace.log_file_name_ptr",
2234 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
2235 },
2236 { &hf_netmon_system_trace_time_zone_info,
2237 { "Time zone info", "netmon_system_trace.time_zone_info",
2238 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
2239 },
2240 { &hf_netmon_system_trace_boot_time,
2241 { "Boot time", "netmon_system_trace.boot_time",
2242 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }
2243 },
2244 { &hf_netmon_system_trace_perf_freq,
2245 { "Perf freq", "netmon_system_trace.pref_freq",
2246 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
2247 },
2248 { &hf_netmon_system_trace_start_time,
2249 { "Start time", "netmon_system_trace.start_time",
2250 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL }
2251 },
2252 { &hf_netmon_system_trace_reserved_flags,
2253 { "Reserved Flags", "netmon_system_trace.reserved_flags",
2254 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2255 },
2256 { &hf_netmon_system_trace_buffers_lost,
2257 { "Buffers lost", "netmon_system_trace.buffers_lost",
2258 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2259 },
2260 { &hf_netmon_system_trace_session_name,
2261 { "Session name", "netmon_system_trace.session_name",
2262 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2263 },
2264 { &hf_netmon_system_trace_log_file_name,
2265 { "Log file name", "netmon_system_trace.log_file_name",
2266 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2267 },
2268 { &hf_netmon_system_trace_group_mask1,
2269 { "Group Mask1", "netmon_system_trace.group_mask1",
2270 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2271 },
2272 { &hf_netmon_system_trace_group_mask2,
2273 { "Group Mask2", "netmon_system_trace.group_mask2",
2274 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2275 },
2276 { &hf_netmon_system_trace_group_mask3,
2277 { "Group Mask3", "netmon_system_trace.group_mask3",
2278 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2279 },
2280 { &hf_netmon_system_trace_group_mask4,
2281 { "Group Mask4", "netmon_system_trace.group_mask4",
2282 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2283 },
2284 { &hf_netmon_system_trace_group_mask5,
2285 { "Group Mask5", "netmon_system_trace.group_mask5",
2286 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2287 },
2288 { &hf_netmon_system_trace_group_mask6,
2289 { "Group Mask6", "netmon_system_trace.group_mask6",
2290 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2291 },
2292 { &hf_netmon_system_trace_group_mask7,
2293 { "Group Mask7", "netmon_system_trace.group_mask7",
2294 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2295 },
2296 { &hf_netmon_system_trace_group_mask8,
2297 { "Group Mask8", "netmon_system_trace.group_mask8",
2298 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2299 },
2300 { &hf_netmon_system_trace_kernel_event_version,
2301 { "Kernel event version", "netmon_system_trace.kernel_event_version",
2302 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2303 },
2304 };
2305
2306 static hf_register_info hf_system_config[] = {
2307 { &hf_netmon_system_config_mhz,
2308 { "Mhz", "netmon_system_config.mhz",
2309 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2310 },
2311 { &hf_netmon_system_config_num_processors,
2312 { "Number of processors", "netmon_system_config.num_processors",
2313 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2314 },
2315 { &hf_netmon_system_config_mem_size,
2316 { "Memory size", "netmon_system_config.mem_size",
2317 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2318 },
2319 { &hf_netmon_system_config_page_size,
2320 { "Page size", "netmon_system_config.page_size",
2321 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2322 },
2323 { &hf_netmon_system_config_allocation_granularity,
2324 { "Allocation granularity", "netmon_system_config.allocation_granularity",
2325 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2326 },
2327 { &hf_netmon_system_config_computer_name,
2328 { "Computer name", "netmon_system_config.computer_name",
2329 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2330 },
2331 { &hf_netmon_system_config_domain_name,
2332 { "Domain name", "netmon_system_config.domain_name",
2333 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2334 },
2335 { &hf_netmon_system_config_hyper_threading_flag,
2336 { "Hyper threading flag", "netmon_system_config.hyper_threading_flag",
2337 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
2338 },
2339 { &hf_netmon_system_config_disk_number,
2340 { "Disk number", "netmon_system_config.disk_number",
2341 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2342 },
2343 { &hf_netmon_system_config_bytes_per_sector,
2344 { "Bytes per sector", "netmon_system_config.bytes_per_sector",
2345 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2346 },
2347 { &hf_netmon_system_config_sectors_per_track,
2348 { "Sectors per track", "netmon_system_config.sectors_per_track",
2349 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2350 },
2351 { &hf_netmon_system_config_tracks_per_cylinder,
2352 { "Tracks per cylinder", "netmon_system_config.tracks_per_cylinder",
2353 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2354 },
2355 { &hf_netmon_system_config_cylinders,
2356 { "Cylinders", "netmon_system_config.cylinders",
2357 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2358 },
2359 { &hf_netmon_system_config_scsi_port,
2360 { "SCSI port", "netmon_system_config.scsi_port",
2361 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2362 },
2363 { &hf_netmon_system_config_scsi_path,
2364 { "SCSI path", "netmon_system_config.scsi_path",
2365 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2366 },
2367 { &hf_netmon_system_config_scsi_target,
2368 { "SCSI target", "netmon_system_config.csi_target",
2369 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2370 },
2371 { &hf_netmon_system_config_scsi_lun,
2372 { "SCSI lun", "netmon_system_config.scsi_lun",
2373 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2374 },
2375 { &hf_netmon_system_config_manufacturer,
2376 { "Manufacturer", "netmon_system_config.manufacturer",
2377 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2378 },
2379 { &hf_netmon_system_config_partition_count,
2380 { "Partition count", "netmon_system_config.partition_count",
2381 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2382 },
2383 { &hf_netmon_system_config_write_cache_enabled,
2384 { "Write cache enabled", "netmon_system_config.write_cache_enabled",
2385 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2386 },
2387 { &hf_netmon_system_config_pad,
2388 { "Pad", "netmon_system_config.pad",
2389 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
2390 },
2391 { &hf_netmon_system_config_boot_drive_letter,
2392 { "Boot drive letter", "netmon_system_config.boot_drive_letter",
2393 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2394 },
2395 { &hf_netmon_system_config_spare,
2396 { "Spare", "netmon_system_config.spare",
2397 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2398 },
2399 { &hf_netmon_system_config_start_offset,
2400 { "Start offset", "netmon_system_config.start_offset",
2401 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2402 },
2403 { &hf_netmon_system_config_partition_size,
2404 { "Partition size", "netmon_system_config.partition_size",
2405 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2406 },
2407 { &hf_netmon_system_config_size,
2408 { "Size", "netmon_system_config.size",
2409 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2410 },
2411 { &hf_netmon_system_config_drive_type,
2412 { "Drive type", "netmon_system_config.drive_type",
2413 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2414 },
2415 { &hf_netmon_system_config_drive_letter,
2416 { "Drive letter", "netmon_system_config.drive_letter",
2417 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2418 },
2419 { &hf_netmon_system_config_partition_number,
2420 { "Partition number", "netmon_system_config.partition_number",
2421 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2422 },
2423 { &hf_netmon_system_config_sectors_per_cluster,
2424 { "Sectors per cluster", "netmon_system_config.sectors_per_cluster",
2425 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2426 },
2427 { &hf_netmon_system_config_num_free_clusters,
2428 { "Number of free clusters", "netmon_system_config.num_free_clusters",
2429 FT_INT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2430 },
2431 { &hf_netmon_system_config_total_num_clusters,
2432 { "Total number of clusters", "netmon_system_config.total_num_clusters",
2433 FT_INT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2434 },
2435 { &hf_netmon_system_config_file_system,
2436 { "File system", "netmon_system_config.file_system",
2437 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2438 },
2439 { &hf_netmon_system_config_volume_ext,
2440 { "Volume ext", "netmon_system_config.volume_ext",
2441 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2442 },
2443 { &hf_netmon_system_config_physical_addr,
2444 { "Physical address", "netmon_system_config.physical_addr",
2445 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2446 },
2447 { &hf_netmon_system_config_physical_addr_len,
2448 { "Physical address length", "netmon_system_config.physical_addr_len",
2449 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2450 },
2451 { &hf_netmon_system_config_ipv4_index,
2452 { "IPv4 index", "netmon_system_config.ipv4_index",
2453 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2454 },
2455 { &hf_netmon_system_config_ipv6_index,
2456 { "IPv6 index", "netmon_system_config.ipv6_index",
2457 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2458 },
2459 { &hf_netmon_system_config_nic_description,
2460 { "File system", "netmon_system_config.file_system",
2461 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2462 },
2463 { &hf_netmon_system_config_ipaddresses,
2464 { "IP addresses", "netmon_system_config.ipaddresses",
2465 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2466 },
2467 { &hf_netmon_system_config_dns_server_addresses,
2468 { "DNS server addresses", "netmon_system_config.dns_server_addresses",
2469 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2470 },
2471 { &hf_netmon_system_config_memory_size,
2472 { "Memory size", "netmon_system_config.memory_size",
2473 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2474 },
2475 { &hf_netmon_system_config_x_resolution,
2476 { "X resolution", "netmon_system_config.x_resolution",
2477 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2478 },
2479 { &hf_netmon_system_config_y_resolution,
2480 { "Y resolution", "netmon_system_config.y_resolution",
2481 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2482 },
2483 { &hf_netmon_system_config_bits_per_pixel,
2484 { "Bits per pixel", "netmon_system_config.bits_per_pixel",
2485 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2486 },
2487 { &hf_netmon_system_config_vrefresh,
2488 { "VRefresh", "netmon_system_config.vrefresh",
2489 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2490 },
2491 { &hf_netmon_system_config_chip_type,
2492 { "Chip type", "netmon_system_config.chip_type",
2493 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2494 },
2495 { &hf_netmon_system_config_dac_type,
2496 { "DAC type", "netmon_system_config.dac_type",
2497 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2498 },
2499 { &hf_netmon_system_config_adapter_string,
2500 { "Adapter string", "netmon_system_config.adapter_string",
2501 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2502 },
2503 { &hf_netmon_system_config_bios_string,
2504 { "BIOS string", "netmon_system_config.bios_string",
2505 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2506 },
2507 { &hf_netmon_system_config_device_id,
2508 { "Device ID", "netmon_system_config.device_id",
2509 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2510 },
2511 { &hf_netmon_system_config_state_flags,
2512 { "State flags", "netmon_system_config.state_flags",
2513 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2514 },
2515 { &hf_netmon_system_config_process_id,
2516 { "Process ID", "netmon_system_config.process_id",
2517 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2518 },
2519 { &hf_netmon_system_config_service_state,
2520 { "Service state", "netmon_system_config.service_state",
2521 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2522 },
2523 { &hf_netmon_system_config_sub_process_tag,
2524 { "Subprocess tag", "netmon_system_config.sub_process_tag",
2525 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2526 },
2527 { &hf_netmon_system_config_service_name,
2528 { "Service name", "netmon_system_config.service_name",
2529 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2530 },
2531 { &hf_netmon_system_config_display_name,
2532 { "Display name", "netmon_system_config.display_name",
2533 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2534 },
2535 { &hf_netmon_system_config_process_name,
2536 { "Process name", "netmon_system_config.process_name",
2537 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2538 },
2539 { &hf_netmon_system_config_s1,
2540 { "S1", "netmon_system_config.s1",
2541 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2542 },
2543 { &hf_netmon_system_config_s2,
2544 { "S2", "netmon_system_config.s2",
2545 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2546 },
2547 { &hf_netmon_system_config_s3,
2548 { "S3", "netmon_system_config.s3",
2549 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2550 },
2551 { &hf_netmon_system_config_s4,
2552 { "S4", "netmon_system_config.s4",
2553 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2554 },
2555 { &hf_netmon_system_config_s5,
2556 { "S5", "netmon_system_config.s5",
2557 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2558 },
2559 { &hf_netmon_system_config_tcb_table_partitions,
2560 { "Tcb table partitions", "netmon_system_config.tcb_table_partitions",
2561 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2562 },
2563 { &hf_netmon_system_config_max_hash_table_size,
2564 { "Max hash table size", "netmon_system_config.max_hash_table_size",
2565 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2566 },
2567 { &hf_netmon_system_config_max_user_port,
2568 { "Max user port", "netmon_system_config.max_user_port",
2569 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2570 },
2571 { &hf_netmon_system_config_tcp_timed_wait_delay,
2572 { "TCP timed wait delay", "netmon_system_config.tcp_timed_wait_delay",
2573 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2574 },
2575 { &hf_netmon_system_config_irq_affinity,
2576 { "IRQ affinity", "netmon_system_config.irq_affinity",
2577 FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL }
2578 },
2579 { &hf_netmon_system_config_irq_num,
2580 { "IRQ", "netmon_system_config.irq_num",
2581 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2582 },
2583 { &hf_netmon_system_config_device_desc_len,
2584 { "Device description length", "netmon_system_config.device_desc_len",
2585 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2586 },
2587 { &hf_netmon_system_config_device_desc,
2588 { "Device description", "netmon_system_config.device_desc",
2589 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2590 },
2591 { &hf_netmon_system_config_friendly_name,
2592 { "Friendly name", "netmon_system_config.friendly_name",
2593 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2594 },
2595 { &hf_netmon_system_config_device_id_len,
2596 { "Device ID length", "netmon_system_config.device_id_len",
2597 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2598 },
2599 { &hf_netmon_system_config_friendly_name_len,
2600 { "Friendly name length", "netmon_system_config.friendly_name_len",
2601 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2602 },
2603 { &hf_netmon_system_config_target_id,
2604 { "Target ID", "netmon_system_config.target_id",
2605 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2606 },
2607 { &hf_netmon_system_config_device_type,
2608 { "Device type", "netmon_system_config.device_type",
2609 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2610 },
2611 { &hf_netmon_system_config_device_timing_mode,
2612 { "Device timing mode", "netmon_system_config.device_timing_mode",
2613 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2614 },
2615 { &hf_netmon_system_config_location_information_len,
2616 { "Location information length", "netmon_system_config.location_information_len",
2617 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2618 },
2619 { &hf_netmon_system_config_location_information,
2620 { "Location information", "netmon_system_config.location_information",
2621 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2622 },
2623 { &hf_netmon_system_config_system_manufacturer,
2624 { "System manufacturer", "netmon_system_config.system_manufacturer",
2625 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2626 },
2627 { &hf_netmon_system_config_system_product_name,
2628 { "System product name", "netmon_system_config.system_product_name",
2629 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2630 },
2631 { &hf_netmon_system_config_bios_date,
2632 { "BIOS date", "netmon_system_config.bios_date",
2633 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2634 },
2635 { &hf_netmon_system_config_bios_version,
2636 { "BIOS version", "netmon_system_config.bios_version",
2637 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2638 },
2639 { &hf_netmon_system_config_load_order_group,
2640 { "Load order group", "netmon_system_config.load_order_group",
2641 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2642 },
2643 { &hf_netmon_system_config_svc_host_group,
2644 { "svchost group", "netmon_system_config.svc_host_group",
2645 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2646 },
2647 { &hf_netmon_system_config_irq_group,
2648 { "IRQ group", "netmon_system_config.irq_group",
2649 FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
2650 },
2651 { &hf_netmon_system_config_pdo_name,
2652 { "PDO name", "netmon_system_config.pdo_name",
2653 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2654 },
2655 { &hf_netmon_system_config_nic_name,
2656 { "NIC name", "netmon_system_config.nic_name",
2657 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2658 },
2659 { &hf_netmon_system_config_index,
2660 { "Index", "netmon_system_config.index",
2661 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2662 },
2663 { &hf_netmon_system_config_physical_addr_str,
2664 { "Physical address", "netmon_system_config.physical_addr_str",
2665 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2666 },
2667 { &hf_netmon_system_config_ip_address,
2668 { "IP address", "netmon_system_config.ip_address",
2669 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2670 },
2671 { &hf_netmon_system_config_subnet_mask,
2672 { "Subnet mask", "netmon_system_config.subnet_mask",
2673 FT_IPv4, BASE_NETMASK, NULL, 0x0, NULL, HFILL }
2674 },
2675 { &hf_netmon_system_config_dhcp_server,
2676 { "DHCP server", "netmon_system_config.dhcp_server",
2677 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2678 },
2679 { &hf_netmon_system_config_gateway,
2680 { "Gateway", "netmon_system_config.gateway",
2681 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2682 },
2683 { &hf_netmon_system_config_primary_wins_server,
2684 { "Primary WINS server", "netmon_system_config.primary_wins_server",
2685 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2686 },
2687 { &hf_netmon_system_config_secondary_wins_server,
2688 { "Secondary WINS server", "netmon_system_config.secondary_wins_server",
2689 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2690 },
2691 { &hf_netmon_system_config_dns_server1,
2692 { "DNS server1", "netmon_system_config.dns_server1",
2693 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2694 },
2695 { &hf_netmon_system_config_dns_server2,
2696 { "DNS server2", "netmon_system_config.dns_server2",
2697 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2698 },
2699 { &hf_netmon_system_config_dns_server3,
2700 { "DNS server3", "netmon_system_config.dns_server3",
2701 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2702 },
2703 { &hf_netmon_system_config_dns_server4,
2704 { "DNS server4", "netmon_system_config.dns_server4",
2705 FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL }
2706 },
2707 { &hf_netmon_system_config_data,
2708 { "Data", "netmon_system_config.data",
2709 FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
2710 },
2711 };
2712
2713 static hf_register_info hf_process[] = {
2714 { &hf_netmon_process_unique_process_key,
2715 { "Unique process key", "netmon_process.unique_process_key",
2716 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
2717 },
2718 { &hf_netmon_process_process_id,
2719 { "Process ID", "netmon_process.process_id",
2720 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2721 },
2722 { &hf_netmon_process_parent_id,
2723 { "Parent ID", "netmon_process.parent_id",
2724 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2725 },
2726 { &hf_netmon_process_session_id,
2727 { "Session ID", "netmon_process.session_id",
2728 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2729 },
2730 { &hf_netmon_process_exit_status,
2731 { "Exit status", "netmon_process.exit_status",
2732 FT_INT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2733 },
2734 { &hf_netmon_process_directory_table_base,
2735 { "Directory table base", "netmon_process.directory_table_base",
2736 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
2737 },
2738 { &hf_netmon_process_unknown,
2739 { "Unknown", "netmon_process.unknown",
2740 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
2741 },
2742 { &hf_netmon_process_user_sid_revision,
2743 { "User SID Revision", "netmon_process.user_sid.revision",
2744 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2745 },
2746 { &hf_netmon_process_user_sid_subauth_count,
2747 { "User SID Subauth count", "netmon_process.user_sid.subauth_count",
2748 FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL }
2749 },
2750 { &hf_netmon_process_user_sid_id,
2751 { "User SID Identifier Authority", "netmon_process.user_sid.id",
2752 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
2753 },
2754 { &hf_netmon_process_user_sid_authority,
2755 { "User SID Authority", "netmon_process.user_sid.authority",
2756 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2757 },
2758 { &hf_netmon_process_image_file_name,
2759 { "Image file name", "netmon_process.image_file_name",
2760 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2761 },
2762 { &hf_netmon_process_command_line,
2763 { "Commandline", "netmon_process.command_line",
2764 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }
2765 },
2766 { &hf_netmon_process_page_directory_base,
2767 { "Page directory base", "netmon_process.page_directory_base",
2768 FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL }
2769 },
2770 { &hf_netmon_process_page_fault_count,
2771 { "Page fault count", "netmon_process.page_fault_count",
2772 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2773 },
2774 { &hf_netmon_process_handle_count,
2775 { "Handle count", "netmon_process.handle_count",
2776 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2777 },
2778 { &hf_netmon_process_reserved,
2779 { "Reserved", "netmon_process.reserved",
2780 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2781 },
2782 { &hf_netmon_process_peak_virtual_size,
2783 { "Peak virtual size", "netmon_process.peak_virtual_size",
2784 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2785 },
2786 { &hf_netmon_process_peak_working_set_size,
2787 { "Peak working set size", "netmon_process.peak_working_set_size",
2788 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2789 },
2790 { &hf_netmon_process_peak_page_file_usage,
2791 { "Peak page file usage", "netmon_process.peak_page_file_usage",
2792 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2793 },
2794 { &hf_netmon_process_quota_peak_paged_pool_usage,
2795 { "Quota peak paged pool usage", "netmon_process.quota_peak_paged_pool_usage",
2796 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2797 },
2798 { &hf_netmon_process_quota_peak_non_paged_pool_usage,
2799 { "Quota peak non-paged pool usage", "netmon_process.quota_peak_non_paged_pool_usage",
2800 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2801 },
2802 { &hf_netmon_process_virtual_size,
2803 { "Virtual size", "netmon_process.virtual_size",
2804 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2805 },
2806 { &hf_netmon_process_workingset_size,
2807 { "Working set size", "netmon_process.workingset_size",
2808 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2809 },
2810 { &hf_netmon_process_pagefile_usage,
2811 { "Pagefile usage", "netmon_process.pagefile_usage",
2812 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2813 },
2814 { &hf_netmon_process_quota_paged_pool_usage,
2815 { "Quota paged pool usage", "netmon_process.quota_paged_pool_usage",
2816 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2817 },
2818 { &hf_netmon_process_quota_non_paged_pool_usage,
2819 { "Quota nonpaged pool usage", "netmon_process.quota_non_paged_pool_usage",
2820 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2821 },
2822 { &hf_netmon_process_private_page_count,
2823 { "Private page count", "netmon_process.private_page_count",
2824 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2825 },
2826 { &hf_netmon_process_directory_table_base32,
2827 { "Directory table base", "netmon_process.directory_table_base32",
2828 FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }
2829 },
2830 };
2831
2832 static int *ett[] = {
2833 &ett_netmon_header,
2834 &ett_netmon_event,
2835 &ett_netmon_event_desc,
2836 &ett_netmon_event_flags,
2837 &ett_netmon_event_property,
2838 &ett_netmon_event_extended_data,
2839 &ett_netmon_filter,
2840 &ett_netmon_network_info,
2841 &ett_netmon_network_info_list,
2842 &ett_netmon_network_info_adapter,
2843 &ett_netmon_system_trace,
2844 &ett_netmon_event_buffer_context,
2845 &ett_netmon_process,
2846 &ett_netmon_sid,
2847 &ett_netmon_system_config,
2848 };
2849
2850 static ei_register_info ei_process[] = {
2851 { &ei_netmon_process_user_sid, { "netmon_process.process_user_sid.invalid", PI_MALFORMED, PI_WARN, "Invalid SID", EXPFILL }},
2852 };
2853
2854 expert_module_t *expert_process;
2855
2856 proto_netmon_header = proto_register_protocol ("Network Monitor Header", "NetMon Header", "netmon_header" );
2857 proto_netmon_event = proto_register_protocol ("Network Monitor Event", "NetMon Event", "netmon_event" );
2858 proto_netmon_filter = proto_register_protocol ("Network Monitor Filter", "NetMon Filter", "netmon_filter" );
2859 proto_netmon_network_info = proto_register_protocol ("Network Monitor Network Info", "NetMon Network Info", "netmon_network_info" );
2860 proto_netmon_system_trace = proto_register_protocol ("Network Monitor System Trace", "NetMon System Trace", "netmon_system_trace" );
2861 proto_netmon_system_config = proto_register_protocol ("Network Monitor System Config", "NetMon System Config", "netmon_system_config" );
2862 proto_netmon_process = proto_register_protocol ("Network Monitor Process", "NetMon Process", "netmon_process" );
2863
2864 provider_id_table = register_dissector_table("netmon.provider_id", "NetMon Provider IDs", proto_netmon_event, FT_GUID, BASE_HEX);
2865
2866 proto_register_field_array(proto_netmon_header, hf_header, array_length(hf_header));
2867 proto_register_field_array(proto_netmon_event, hf_event, array_length(hf_event));
2868 proto_register_field_array(proto_netmon_filter, hf_filter, array_length(hf_filter));
2869 proto_register_field_array(proto_netmon_network_info, hf_network_info, array_length(hf_network_info));
2870 proto_register_field_array(proto_netmon_system_trace, hf_system_trace, array_length(hf_system_trace));
2871 proto_register_field_array(proto_netmon_system_config, hf_system_config, array_length(hf_system_config));
2872 proto_register_field_array(proto_netmon_process, hf_process, array_length(hf_process));
2873 proto_register_subtree_array(ett, array_length(ett));
2874
2875 expert_process = expert_register_protocol(proto_netmon_process);
2876 expert_register_field_array(expert_process, ei_process, array_length(ei_process));
2877 }
2878
2879 void proto_reg_handoff_netmon(void)
2880 {
2881 dissector_handle_t netmon_event_handle, netmon_filter_handle,
2882 netmon_network_info_handle, netmon_header_handle,
2883 system_trace_handle, system_config_handle, process_handle;
2884
2885 static guid_key system_trace_guid = {{ 0x68fdd900, 0x4a3e, 0x11d1, { 0x84, 0xf4, 0x00, 0x00, 0xf8, 0x04, 0x64, 0xe3 }}, 0 };
2886 static guid_key system_config_guid = {{ 0x01853a65, 0x418f, 0x4f36, { 0xae, 0xfc, 0xdc, 0x0f, 0x1d, 0x2f, 0xd2, 0x35 }}, 0 };
2887 static guid_key process_guid = {{ 0x3d6fa8d0, 0xfe05, 0x11d0, { 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c }}, 0 };
2888
2889 netmon_event_handle = create_dissector_handle(dissect_netmon_event, proto_netmon_event);
2890 netmon_filter_handle = create_dissector_handle(dissect_netmon_filter, proto_netmon_filter);
2891 netmon_network_info_handle = create_dissector_handle(dissect_netmon_network_info, proto_netmon_network_info);
2892 netmon_header_handle = create_dissector_handle(dissect_netmon_header, proto_netmon_header);
2893 system_trace_handle = create_dissector_handle(dissect_netmon_system_trace, proto_netmon_system_trace);
2894 system_config_handle = create_dissector_handle(dissect_netmon_system_config, proto_netmon_system_config);
2895 process_handle = create_dissector_handle(dissect_netmon_process, proto_netmon_process);
2896
2897 dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_NET_NETEVENT, netmon_event_handle);
2898 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETL, netmon_event_handle);
2899 dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_NET_FILTER, netmon_filter_handle);
2900 dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_NETWORK_INFO_EX, netmon_network_info_handle);
2901 dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_HEADER, netmon_header_handle);
2902
2903 dissector_add_guid( "netmon.provider_id", &system_trace_guid, system_trace_handle);
2904 dissector_add_guid( "netmon.provider_id", &system_config_guid, system_config_handle);
2905 dissector_add_guid( "netmon.provider_id", &process_guid, process_handle);
2906
2907 wtap_encap_table = find_dissector_table("wtap_encap");
2908 }
2909
2910 /*
2911 * Editor modelines - https://www.wireshark.org/tools/modelines.html
2912 *
2913 * Local variables:
2914 * c-basic-offset: 8
2915 * tab-width: 8
2916 * indent-tabs-mode: t
2917 * End:
2918 *
2919 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
2920 * :indentSize=8:tabSize=8:noTabs=false:
2921 */
Metzes wireshark repo