search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-riemann.c
blob3c1a20e38434299669fbc6052ad9be1dfb21593c
1 /**
2 * packet-riemann.c
3 * Routines for Riemann dissection
4 * Copyright 2014, Sergey Avseyev <sergey.avseyev@gmail.com>
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 /* Riemann (http://riemann.io) aggregates events from servers and
14 * applications with a powerful stream processing language.
15 *
16 * Protobuf structures layout:
17 * https://github.com/riemann/riemann-java-client/blob/master/riemann-java-client/src/main/proto/riemann/proto.proto
18 *
19 * message State {
20 * optional int64 time = 1;
21 * optional string state = 2;
22 * optional string service = 3;
23 * optional string host = 4;
24 * optional string description = 5;
25 * optional bool once = 6;
26 * repeated string tags = 7;
27 * optional float ttl = 8;
28 * }
29 *
30 * message Event {
31 * optional int64 time = 1;
32 * optional string state = 2;
33 * optional string service = 3;
34 * optional string host = 4;
35 * optional string description = 5;
36 * repeated string tags = 7;
37 * optional float ttl = 8;
38 * repeated Attribute attributes = 9;
39 *
40 * optional int64 time_micros = 10;
41 * optional sint64 metric_sint64 = 13;
42 * optional double metric_d = 14;
43 * optional float metric_f = 15;
44 * }
45 *
46 * message Query {
47 * optional string string = 1;
48 * }
49 *
50 * message Msg {
51 * optional bool ok = 2;
52 * optional string error = 3;
53 * repeated State states = 4;
54 * optional Query query = 5;
55 * repeated Event events = 6;
56 * }
57 *
58 * message Attribute {
59 * required string key = 1;
60 * optional string value = 2;
61 * }
62 */
63
64 #include "config.h"
65
66 #include <epan/packet.h>
67 #include <epan/expert.h>
68 #include "packet-tcp.h"
69
70 void proto_reg_handoff_riemann(void);
71 void proto_register_riemann(void);
72
73 static dissector_handle_t riemann_udp_handle, riemann_tcp_handle;
74
75 static int proto_riemann;
76 static int hf_riemann_msg_ok;
77 static int hf_riemann_msg_error;
78 static int hf_riemann_attribute;
79 static int hf_riemann_attribute_key;
80 static int hf_riemann_attribute_value;
81 static int hf_riemann_query;
82 static int hf_riemann_query_string;
83 static int hf_riemann_event;
84 static int hf_riemann_event_state;
85 static int hf_riemann_event_service;
86 static int hf_riemann_event_host;
87 static int hf_riemann_event_description;
88 static int hf_riemann_event_tag;
89 static int hf_riemann_event_ttl;
90 static int hf_riemann_event_time;
91 static int hf_riemann_event_metric_d;
92 static int hf_riemann_event_metric_f;
93 static int hf_riemann_event_time_micros;
94 static int hf_riemann_event_metric_sint64;
95 static int hf_riemann_state;
96 static int hf_riemann_state_service;
97 static int hf_riemann_state_host;
98 static int hf_riemann_state_description;
99 static int hf_riemann_state_tag;
100 static int hf_riemann_state_ttl;
101 static int hf_riemann_state_time;
102 static int hf_riemann_state_state;
103 static int hf_riemann_state_once;
104
105 static int ett_riemann;
106 static int ett_query;
107 static int ett_event;
108 static int ett_attribute;
109 static int ett_state;
110
111 #define RIEMANN_MIN_LENGTH 16
112 #define RIEMANN_MIN_NEEDED_FOR_HEURISTICS 10
113
114 /* field numbers. see protocol definition above */
115 #define RIEMANN_FN_MSG_OK 2
116 #define RIEMANN_FN_MSG_ERROR 3
117 #define RIEMANN_FN_MSG_STATES 4
118 #define RIEMANN_FN_MSG_QUERY 5
119 #define RIEMANN_FN_MSG_EVENTS 6
120
121 #define RIEMANN_FN_EVENT_TIME 1
122 #define RIEMANN_FN_EVENT_STATE 2
123 #define RIEMANN_FN_EVENT_SERVICE 3
124 #define RIEMANN_FN_EVENT_HOST 4
125 #define RIEMANN_FN_EVENT_DESCRIPTION 5
126 #define RIEMANN_FN_EVENT_TAGS 7
127 #define RIEMANN_FN_EVENT_TTL 8
128 #define RIEMANN_FN_EVENT_ATTRIBUTES 9
129 #define RIEMANN_FN_EVENT_TIME_MICROS 10
130 #define RIEMANN_FN_EVENT_METRIC_SINT64 13
131 #define RIEMANN_FN_EVENT_METRIC_D 14
132 #define RIEMANN_FN_EVENT_METRIC_F 15
133
134 #define RIEMANN_FN_ATTRIBUTE_KEY 1
135 #define RIEMANN_FN_ATTRIBUTE_VALUE 2
136
137 #define RIEMANN_FN_STATE_TIME 1
138 #define RIEMANN_FN_STATE_STATE 2
139 #define RIEMANN_FN_STATE_SERVICE 3
140 #define RIEMANN_FN_STATE_HOST 4
141 #define RIEMANN_FN_STATE_DESCRIPTION 5
142 #define RIEMANN_FN_STATE_ONCE 6
143 #define RIEMANN_FN_STATE_TAGS 7
144 #define RIEMANN_FN_STATE_TTL 8
145
146 #define RIEMANN_FN_QUERY_STRING 1
147
148 /* type codes. see protocol definition above */
149 #define RIEMANN_WIRE_INTEGER 0
150 #define RIEMANN_WIRE_DOUBLE 1
151 #define RIEMANN_WIRE_BYTES 2
152 #define RIEMANN_WIRE_FLOAT 5
153
154 static expert_field ei_error_unknown_wire_tag;
155 static expert_field ei_error_unknown_field_number;
156 static expert_field ei_error_insufficient_data;
157
158 static void
159 riemann_verify_wire_format(uint64_t field_number, const char *field_name, int expected, int actual,
160 packet_info *pinfo, proto_item *pi)
161 {
162 if (expected != actual) {
163 const char *wire_name;
164
165 switch (expected) {
166 case RIEMANN_WIRE_INTEGER:
167 wire_name = "integer";
168 break;
169 case RIEMANN_WIRE_BYTES:
170 wire_name = "bytes/string";
171 break;
172 case RIEMANN_WIRE_FLOAT:
173 wire_name = "float";
174 break;
175 case RIEMANN_WIRE_DOUBLE:
176 wire_name = "double";
177 break;
178 default:
179 wire_name = "unknown (check packet-riemann.c)";
180 break;
181 }
182 expert_add_info_format(pinfo, pi, &ei_error_unknown_wire_tag,
183 "Expected %s (%d) field to be an %s (%d), but it is %d",
184 field_name, (int)field_number, wire_name, expected, actual);
185 }
186 }
187
188 #define VERIFY_WIRE_FORMAT(field_name, expected) \
189 riemann_verify_wire_format(fn, field_name, expected, wire, pinfo, pi)
190
191 #define UNKNOWN_FIELD_NUMBER_FOR(message_name) \
192 expert_add_info_format(pinfo, pi, &ei_error_unknown_field_number, \
193 "Unknown field number %d for " message_name " (wire format %d)", \
194 (int)fn, (int)wire);
195
196 #define VERIFY_SIZE_FOR(message_name) \
197 if (size < 0) { \
198 expert_add_info_format(pinfo, pi, &ei_error_insufficient_data, \
199 "Insufficient data for " message_name " (%d bytes needed)", \
200 (int)size * -1); \
201 }
202
203 static uint64_t
204 riemann_get_uint64(tvbuff_t *tvb, unsigned offset, unsigned *len)
205 {
206 uint64_t num = 0;
207 unsigned shift = 0;
208 *len = 0;
209 while (1) {
210 uint8_t b;
211 if (shift >= 64) {
212 return 0;
213 }
214 b = tvb_get_uint8(tvb, offset++);
215 num |= ((uint64_t)(b & 0x7f) << shift);
216 shift += 7;
217 (*len)++;
218 if ((b & 0x80) == 0) {
219 return num;
220 }
221 }
222 return 0;
223 }
224
225 static uint8_t *
226 riemann_get_string(wmem_allocator_t *scope, tvbuff_t *tvb, int offset)
227 {
228 uint64_t size;
229 unsigned len = 0;
230
231 size = riemann_get_uint64(tvb, offset, &len);
232 offset += len;
233 return tvb_get_string_enc(scope, tvb, offset, (int)size, ENC_ASCII);
234 }
235
236 static unsigned
237 riemann_dissect_int64(proto_tree *riemann_tree, tvbuff_t *tvb, unsigned offset, int hf_index)
238 {
239 uint64_t num;
240 unsigned len = 0;
241
242 num = riemann_get_uint64(tvb, offset, &len);
243 proto_tree_add_int64(riemann_tree, hf_index, tvb, offset, len, num);
244 return len;
245 }
246
247 static unsigned
248 riemann_dissect_sint64(proto_tree *riemann_tree, tvbuff_t *tvb, unsigned offset, int hf_index)
249 {
250 uint64_t num;
251 int64_t snum;
252 unsigned len = 0;
253
254 num = riemann_get_uint64(tvb, offset, &len);
255 /* zigzag decoding */
256 if (num & 1) {
257 snum = -((int64_t)(num >> 1)) - 1;
258 } else {
259 snum = (int64_t)(num >> 1);
260 }
261
262 proto_tree_add_int64(riemann_tree, hf_index, tvb, offset, len, snum);
263 return len;
264 }
265
266 static unsigned
267 riemann_dissect_string(proto_tree *riemann_tree, tvbuff_t *tvb, unsigned offset, int hf_index)
268 {
269 uint64_t size;
270 unsigned len = 0, orig_offset = offset;
271
272 size = riemann_get_uint64(tvb, offset, &len);
273 offset += len;
274 proto_tree_add_item(riemann_tree, hf_index, tvb, offset, (int)size, ENC_ASCII);
275 offset += (int)size;
276
277 return offset - orig_offset;
278 }
279
280 static unsigned
281 riemann_dissect_attribute(packet_info *pinfo, proto_tree *riemann_tree,
282 tvbuff_t *tvb, unsigned offset)
283 {
284 uint64_t tag, fn;
285 int64_t size;
286 uint8_t wire;
287 unsigned len = 0;
288 unsigned orig_offset = offset;
289 proto_item *pi;
290 proto_tree *attribute_tree;
291
292 size = (int64_t)riemann_get_uint64(tvb, offset, &len);
293 pi = proto_tree_add_item(riemann_tree, hf_riemann_attribute, tvb, (int)offset, (int)(size + len), ENC_NA);
294 attribute_tree = proto_item_add_subtree(pi, ett_attribute);
295 offset += len;
296
297 while (size > 0) {
298 tag = riemann_get_uint64(tvb, offset, &len);
299 fn = tag >> 3;
300 wire = tag & 0x7;
301 offset += len;
302 size -= len;
303 switch (fn) {
304 case RIEMANN_FN_ATTRIBUTE_KEY:
305 VERIFY_WIRE_FORMAT("Attribute.key", RIEMANN_WIRE_BYTES);
306 len = riemann_dissect_string(attribute_tree, tvb, offset, hf_riemann_attribute_key);
307 break;
308 case RIEMANN_FN_ATTRIBUTE_VALUE:
309 VERIFY_WIRE_FORMAT("Attribute.value", RIEMANN_WIRE_BYTES);
310 len = riemann_dissect_string(attribute_tree, tvb, offset, hf_riemann_attribute_value);
311 break;
312 default:
313 len = 0;
314 UNKNOWN_FIELD_NUMBER_FOR("Attribute");
315 }
316 offset += len;
317 size -= len;
318 }
319 VERIFY_SIZE_FOR("Attribute");
320
321 return offset - orig_offset;
322 }
323
324 static unsigned
325 riemann_dissect_query(packet_info *pinfo, proto_tree *riemann_tree,
326 tvbuff_t *tvb, unsigned offset)
327 {
328 uint64_t tag, fn;
329 int64_t size;
330 uint8_t wire;
331 unsigned orig_offset = offset, len = 0;
332 proto_item *pi;
333 proto_tree *query_tree;
334
335 size = (int64_t)riemann_get_uint64(tvb, offset, &len);
336 pi = proto_tree_add_item(riemann_tree, hf_riemann_query, tvb, (int)offset, (int)(size + len), ENC_NA);
337 query_tree = proto_item_add_subtree(pi, ett_query);
338 offset += len;
339
340 while (size > 0) {
341 tag = riemann_get_uint64(tvb, offset, &len);
342 fn = tag >> 3;
343 wire = tag & 0x7;
344 offset += len;
345 size -= len;
346 switch (fn) {
347 case RIEMANN_FN_QUERY_STRING:
348 VERIFY_WIRE_FORMAT("Query.string", RIEMANN_WIRE_BYTES);
349 col_append_str(pinfo->cinfo, COL_INFO, riemann_get_string(pinfo->pool, tvb, offset));
350 len = riemann_dissect_string(query_tree, tvb, offset, hf_riemann_query_string);
351 break;
352 default:
353 len = 0;
354 UNKNOWN_FIELD_NUMBER_FOR("Query");
355 }
356 offset += len;
357 size -= len;
358 }
359 VERIFY_SIZE_FOR("Query");
360
361 return offset - orig_offset;
362 }
363
364 static unsigned
365 riemann_dissect_event(packet_info *pinfo, proto_tree *riemann_tree,
366 tvbuff_t *tvb, unsigned offset)
367 {
368 unsigned orig_offset = offset, len = 0;
369 uint64_t tag, fn;
370 int64_t size;
371 uint8_t wire;
372 proto_item *pi;
373 proto_tree *event_tree;
374 bool need_comma = false;
375
376 size = riemann_get_uint64(tvb, offset, &len);
377 pi = proto_tree_add_item(riemann_tree, hf_riemann_event, tvb, (int)offset, (int)(size + len), ENC_NA);
378 event_tree = proto_item_add_subtree(pi, ett_event);
379 offset += len;
380
381 while (size > 0) {
382 const char *comma = need_comma ? ", " : "";
383 tag = riemann_get_uint64(tvb, offset, &len);
384 fn = tag >> 3;
385 wire = tag & 0x7;
386 offset += len;
387 size -= len;
388 switch (fn) {
389 case RIEMANN_FN_EVENT_TIME:
390 VERIFY_WIRE_FORMAT("Event.time", RIEMANN_WIRE_INTEGER);
391 len = riemann_dissect_int64(event_tree, tvb, offset, hf_riemann_event_time);
392 break;
393 case RIEMANN_FN_EVENT_STATE:
394 VERIFY_WIRE_FORMAT("Event.state", RIEMANN_WIRE_BYTES);
395 len = riemann_dissect_string(event_tree, tvb, offset, hf_riemann_event_state);
396 break;
397 case RIEMANN_FN_EVENT_SERVICE:
398 VERIFY_WIRE_FORMAT("Event.service", RIEMANN_WIRE_BYTES);
399 col_append_fstr(pinfo->cinfo, COL_INFO, "%s%s", comma, riemann_get_string(pinfo->pool, tvb, offset));
400 len = riemann_dissect_string(event_tree, tvb, offset, hf_riemann_event_service);
401 need_comma = true;
402 break;
403 case RIEMANN_FN_EVENT_HOST:
404 VERIFY_WIRE_FORMAT("Event.host", RIEMANN_WIRE_BYTES);
405 col_append_fstr(pinfo->cinfo, COL_INFO, "%s%s", comma, riemann_get_string(pinfo->pool, tvb, offset));
406 len = riemann_dissect_string(event_tree, tvb, offset, hf_riemann_event_host);
407 need_comma = true;
408 break;
409 case RIEMANN_FN_EVENT_DESCRIPTION:
410 VERIFY_WIRE_FORMAT("Event.description", RIEMANN_WIRE_BYTES);
411 len = riemann_dissect_string(event_tree, tvb, offset, hf_riemann_event_description);
412 break;
413 case RIEMANN_FN_EVENT_TAGS:
414 VERIFY_WIRE_FORMAT("Event.tags", RIEMANN_WIRE_BYTES);
415 len = riemann_dissect_string(event_tree, tvb, offset, hf_riemann_event_tag);
416 break;
417 case RIEMANN_FN_EVENT_TTL:
418 VERIFY_WIRE_FORMAT("Event.ttl", RIEMANN_WIRE_FLOAT);
419 proto_tree_add_item(event_tree, hf_riemann_event_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
420 len = 4;
421 break;
422 case RIEMANN_FN_EVENT_ATTRIBUTES:
423 VERIFY_WIRE_FORMAT("Event.attributes", RIEMANN_WIRE_BYTES);
424 len = riemann_dissect_attribute(pinfo, event_tree, tvb, offset);
425 break;
426 case RIEMANN_FN_EVENT_TIME_MICROS:
427 VERIFY_WIRE_FORMAT("Event.time_micros", RIEMANN_WIRE_INTEGER);
428 len = riemann_dissect_int64(event_tree, tvb, offset, hf_riemann_event_time_micros);
429 break;
430 case RIEMANN_FN_EVENT_METRIC_SINT64:
431 VERIFY_WIRE_FORMAT("Event.metric_sint64", RIEMANN_WIRE_INTEGER);
432 len = riemann_dissect_sint64(event_tree, tvb, offset, hf_riemann_event_metric_sint64);
433 break;
434 case RIEMANN_FN_EVENT_METRIC_D:
435 VERIFY_WIRE_FORMAT("Event.metric_d", RIEMANN_WIRE_DOUBLE);
436 proto_tree_add_item(event_tree, hf_riemann_event_metric_d, tvb, offset, 8, ENC_LITTLE_ENDIAN);
437 len = 8;
438 break;
439 case RIEMANN_FN_EVENT_METRIC_F:
440 VERIFY_WIRE_FORMAT("Event.metric_f", RIEMANN_WIRE_FLOAT);
441 proto_tree_add_item(event_tree, hf_riemann_event_metric_f, tvb, offset, 4, ENC_LITTLE_ENDIAN);
442 len = 4;
443 break;
444 default:
445 len = 0;
446 UNKNOWN_FIELD_NUMBER_FOR("Event");
447 }
448 offset += len;
449 size -= len;
450 }
451 col_append_str(pinfo->cinfo, COL_INFO, "; ");
452 VERIFY_SIZE_FOR("Event");
453
454 return offset - orig_offset;
455 }
456
457 static unsigned
458 riemann_dissect_state(packet_info *pinfo, proto_tree *riemann_tree,
459 tvbuff_t *tvb, unsigned offset)
460 {
461 unsigned orig_offset = offset, len = 0;
462 uint64_t tag, fn;
463 int64_t size;
464 uint8_t wire;
465 proto_item *pi;
466 proto_tree *state_tree;
467 bool need_comma = false;
468
469 size = riemann_get_uint64(tvb, offset, &len);
470 pi = proto_tree_add_item(riemann_tree, hf_riemann_state, tvb, offset, (int)(size + len), ENC_NA);
471 state_tree = proto_item_add_subtree(pi, ett_state);
472 offset += len;
473
474 while (size > 0) {
475 const char *comma = need_comma ? ", " : "";
476 tag = riemann_get_uint64(tvb, offset, &len);
477 fn = tag >> 3;
478 wire = tag & 0x7;
479 offset += len;
480 size -= len;
481 switch (fn) {
482 case RIEMANN_FN_STATE_TIME:
483 VERIFY_WIRE_FORMAT("State.time", RIEMANN_WIRE_INTEGER);
484 len = riemann_dissect_int64(state_tree, tvb, offset, hf_riemann_state_time);
485 break;
486 case RIEMANN_FN_STATE_SERVICE:
487 VERIFY_WIRE_FORMAT("State.service", RIEMANN_WIRE_BYTES);
488 col_append_fstr(pinfo->cinfo, COL_INFO, "%s%s", comma, riemann_get_string(pinfo->pool, tvb, offset));
489 len = riemann_dissect_string(state_tree, tvb, offset, hf_riemann_state_service);
490 need_comma = true;
491 break;
492 case RIEMANN_FN_STATE_HOST:
493 VERIFY_WIRE_FORMAT("State.host", RIEMANN_WIRE_BYTES);
494 col_append_fstr(pinfo->cinfo, COL_INFO, "%s%s", comma, riemann_get_string(pinfo->pool, tvb, offset));
495 len = riemann_dissect_string(state_tree, tvb, offset, hf_riemann_state_host);
496 need_comma = true;
497 break;
498 case RIEMANN_FN_STATE_DESCRIPTION:
499 VERIFY_WIRE_FORMAT("State.description", RIEMANN_WIRE_BYTES);
500 len = riemann_dissect_string(state_tree, tvb, offset, hf_riemann_state_description);
501 break;
502 case RIEMANN_FN_STATE_TAGS:
503 VERIFY_WIRE_FORMAT("State.tags", RIEMANN_WIRE_BYTES);
504 len = riemann_dissect_string(state_tree, tvb, offset, hf_riemann_state_tag);
505 break;
506 case RIEMANN_FN_STATE_TTL:
507 VERIFY_WIRE_FORMAT("State.ttl", RIEMANN_WIRE_FLOAT);
508 proto_tree_add_item(state_tree, hf_riemann_state_ttl, tvb, offset, 4, ENC_LITTLE_ENDIAN);
509 len = 4;
510 break;
511 case RIEMANN_FN_STATE_STATE:
512 VERIFY_WIRE_FORMAT("State.state", RIEMANN_WIRE_BYTES);
513 len = riemann_dissect_string(state_tree, tvb, offset, hf_riemann_state_state);
514 break;
515 case RIEMANN_FN_STATE_ONCE:
516 VERIFY_WIRE_FORMAT("State.once", RIEMANN_WIRE_INTEGER);
517 proto_tree_add_item(state_tree, hf_riemann_state_once, tvb, offset, 1, ENC_NA);
518 len = 1;
519 break;
520 default:
521 len = 0;
522 UNKNOWN_FIELD_NUMBER_FOR("State");
523 }
524 offset += len;
525 size -= len;
526 }
527 col_append_str(pinfo->cinfo, COL_INFO, "; ");
528 VERIFY_SIZE_FOR("State");
529
530 return offset - orig_offset;
531 }
532
533 static unsigned
534 riemann_dissect_msg(packet_info *pinfo, proto_item *pi, proto_tree *riemann_tree,
535 tvbuff_t *tvb, unsigned offset)
536 {
537 uint64_t tag, fn;
538 int64_t size = (int64_t)tvb_reported_length_remaining(tvb, offset);
539 uint8_t wire;
540 unsigned len, orig_offset = offset;
541 bool cinfo_set = false;
542
543 while (size > 0) {
544 tag = riemann_get_uint64(tvb, offset, &len);
545 fn = tag >> 3;
546 wire = tag & 0x7;
547 offset += len;
548 size -= len;
549
550 switch (fn) {
551 case RIEMANN_FN_MSG_OK:
552 VERIFY_WIRE_FORMAT("Msg.ok", RIEMANN_WIRE_INTEGER);
553 proto_tree_add_item(riemann_tree, hf_riemann_msg_ok, tvb, offset, 1, ENC_NA);
554 len = 1;
555 break;
556 case RIEMANN_FN_MSG_ERROR:
557 VERIFY_WIRE_FORMAT("Msg.error", RIEMANN_WIRE_BYTES);
558 len = riemann_dissect_string(riemann_tree, tvb, offset, hf_riemann_msg_error);
559 break;
560 case RIEMANN_FN_MSG_QUERY:
561 VERIFY_WIRE_FORMAT("Msg.query", RIEMANN_WIRE_BYTES);
562 if (!cinfo_set) {
563 col_set_str(pinfo->cinfo, COL_INFO, "Query: ");
564 cinfo_set = true;
565 }
566 len = riemann_dissect_query(pinfo, riemann_tree, tvb, offset);
567 break;
568 case RIEMANN_FN_MSG_EVENTS:
569 VERIFY_WIRE_FORMAT("Msg.events", RIEMANN_WIRE_BYTES);
570 if (!cinfo_set) {
571 col_set_str(pinfo->cinfo, COL_INFO, "Event: ");
572 cinfo_set = true;
573 }
574 len = riemann_dissect_event(pinfo, riemann_tree, tvb, offset);
575 break;
576 case RIEMANN_FN_MSG_STATES:
577 VERIFY_WIRE_FORMAT("Msg.states", RIEMANN_WIRE_BYTES);
578 if (!cinfo_set) {
579 col_set_str(pinfo->cinfo, COL_INFO, "State: ");
580 cinfo_set = true;
581 }
582 len = riemann_dissect_state(pinfo, riemann_tree, tvb, offset);
583 break;
584 default:
585 len = 0;
586 UNKNOWN_FIELD_NUMBER_FOR("Msg");
587 }
588 offset += len;
589 size -= len;
590 }
591 VERIFY_SIZE_FOR("Msg");
592
593 return offset - orig_offset;
594 }
595
596 static bool
597 is_riemann(tvbuff_t *tvb, unsigned offset)
598 {
599 uint32_t reported_length = tvb_reported_length_remaining(tvb, offset);
600 uint32_t captured_length = tvb_captured_length_remaining(tvb, offset);
601 uint64_t tag, field_number, wire_format;
602 unsigned len;
603
604 if ((reported_length < RIEMANN_MIN_LENGTH) ||
605 (captured_length < RIEMANN_MIN_NEEDED_FOR_HEURISTICS)) {
606 return false;
607 }
608 tag = riemann_get_uint64(tvb, offset, &len);
609 field_number = tag >> 3;
610 wire_format = tag & 0x7;
611 if ((field_number == RIEMANN_FN_MSG_OK && wire_format == RIEMANN_WIRE_INTEGER) ||
612 (field_number == RIEMANN_FN_MSG_ERROR && wire_format == RIEMANN_WIRE_BYTES) ||
613 (field_number == RIEMANN_FN_MSG_QUERY && wire_format == RIEMANN_WIRE_BYTES) ||
614 (field_number == RIEMANN_FN_MSG_EVENTS && wire_format == RIEMANN_WIRE_BYTES) ||
615 (field_number == RIEMANN_FN_MSG_STATES && wire_format == RIEMANN_WIRE_BYTES)) {
616 return true;
617 }
618 return false;
619 }
620
621 static int
622 dissect_riemann(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, unsigned offset)
623 {
624 proto_item *pi;
625 proto_tree *riemann_tree;
626
627 if (!is_riemann(tvb, offset))
628 return 0;
629
630 col_set_str(pinfo->cinfo, COL_PROTOCOL, "riemann");
631 col_clear(pinfo->cinfo, COL_INFO);
632
633 pi = proto_tree_add_item(tree, proto_riemann, tvb, offset, -1, ENC_NA);
634 riemann_tree = proto_item_add_subtree(pi, ett_riemann);
635
636 return riemann_dissect_msg(pinfo, pi, riemann_tree, tvb, offset);
637 }
638
639 static int
640 dissect_riemann_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
641 {
642 return dissect_riemann(tvb, pinfo, tree, 0);
643 }
644
645 static int
646 dissect_riemann_tcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
647 {
648 return dissect_riemann(tvb, pinfo, tree, 4);
649 }
650
651 static unsigned
652 get_riemann_tcp_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb,
653 int offset, void *data _U_)
654 {
655 return (tvb_get_ntohl(tvb, offset) + 4);
656 }
657
658 static int
659 dissect_riemann_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
660 {
661 tcp_dissect_pdus(tvb, pinfo, tree, true, 4, get_riemann_tcp_pdu_len, dissect_riemann_tcp_pdu, data);
662
663 return tvb_captured_length(tvb);
664 }
665
666 void
667 proto_register_riemann(void)
668 {
669 expert_module_t *riemann_expert_module;
670
671 static hf_register_info hf[] = {
672 { &hf_riemann_msg_ok,
673 { "ok", "riemann.msg.ok",
674 FT_BOOLEAN, BASE_NONE, NULL, 0, NULL, HFILL }
675 },
676 { &hf_riemann_msg_error,
677 { "error", "riemann.msg.error",
678 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
679 },
680 { &hf_riemann_attribute,
681 { "attribute", "riemann.attribute",
682 FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }
683 },
684 { &hf_riemann_attribute_key,
685 { "key", "riemann.attribute.key",
686 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
687 },
688 { &hf_riemann_attribute_value,
689 { "value", "riemann.attribute.value",
690 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
691 },
692 { &hf_riemann_query,
693 { "query", "riemann.query",
694 FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }
695 },
696 { &hf_riemann_query_string,
697 { "string", "riemann.query.string",
698 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
699 },
700 { &hf_riemann_event,
701 { "event", "riemann.event",
702 FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }
703 },
704 { &hf_riemann_event_state,
705 { "state", "riemann.event.state",
706 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
707 },
708 { &hf_riemann_event_service,
709 { "service", "riemann.event.service",
710 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
711 },
712 { &hf_riemann_event_host,
713 { "host", "riemann.event.host",
714 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
715 },
716 { &hf_riemann_event_description,
717 { "description", "riemann.event.description",
718 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
719 },
720 { &hf_riemann_event_tag,
721 { "tag", "riemann.event.tag",
722 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
723 },
724 { &hf_riemann_event_time,
725 { "time", "riemann.event.time",
726 FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL }
727 },
728 { &hf_riemann_event_ttl,
729 { "ttl", "riemann.event.ttl",
730 FT_FLOAT, BASE_NONE, NULL, 0, NULL, HFILL }
731 },
732 { &hf_riemann_event_metric_d,
733 { "metric_d", "riemann.event.metric_d",
734 FT_DOUBLE, BASE_NONE, NULL, 0, NULL, HFILL }
735 },
736 { &hf_riemann_event_metric_f,
737 { "metric_f", "riemann.event.metric_f",
738 FT_FLOAT, BASE_NONE, NULL, 0, NULL, HFILL }
739 },
740 { &hf_riemann_event_time_micros,
741 { "time_micros", "riemann.event.time_micros",
742 FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL }
743 },
744 { &hf_riemann_event_metric_sint64,
745 { "metric_sint64", "riemann.event.metric_sint64",
746 FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL }
747 },
748 { &hf_riemann_state,
749 { "state", "riemann.state",
750 FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }
751 },
752 { &hf_riemann_state_service,
753 { "service", "riemann.state.service",
754 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
755 },
756 { &hf_riemann_state_host,
757 { "host", "riemann.state.host",
758 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
759 },
760 { &hf_riemann_state_description,
761 { "description", "riemann.state.description",
762 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
763 },
764 { &hf_riemann_state_tag,
765 { "tag", "riemann.state.tag",
766 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
767 },
768 { &hf_riemann_state_time,
769 { "time", "riemann.state.time",
770 FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL }
771 },
772 { &hf_riemann_state_ttl,
773 { "ttl", "riemann.state.ttl",
774 FT_FLOAT, BASE_NONE, NULL, 0, NULL, HFILL }
775 },
776 { &hf_riemann_state_state,
777 { "state", "riemann.state.state",
778 FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }
779 },
780 { &hf_riemann_state_once,
781 { "once", "riemann.state.once",
782 FT_BOOLEAN, BASE_NONE, NULL, 0, NULL, HFILL }
783 }
784 };
785
786 static ei_register_info ei[] = {
787 { &ei_error_unknown_wire_tag,
788 { "riemann.unknown_wire_tag", PI_MALFORMED, PI_ERROR,
789 "Invalid format type", EXPFILL }},
790 { &ei_error_unknown_field_number,
791 { "riemann.unknown_field_number", PI_MALFORMED, PI_ERROR,
792 "Unknown field number", EXPFILL }},
793 { &ei_error_insufficient_data,
794 { "riemann.insufficient_data", PI_MALFORMED, PI_ERROR,
795 "Insufficient data", EXPFILL }}
796 };
797
798 static int *ett[] = {
799 &ett_riemann,
800 &ett_query,
801 &ett_event,
802 &ett_attribute,
803 &ett_state
804 };
805
806 proto_riemann = proto_register_protocol("Riemann", "Riemann", "riemann");
807 riemann_expert_module = expert_register_protocol(proto_riemann);
808 expert_register_field_array(riemann_expert_module, ei, array_length(ei));
809
810 proto_register_field_array(proto_riemann, hf, array_length(hf));
811 proto_register_subtree_array(ett, array_length(ett));
812
813 riemann_udp_handle = register_dissector("riemann.udp", dissect_riemann_udp, proto_riemann);
814 riemann_tcp_handle = register_dissector("riemann.tcp", dissect_riemann_tcp, proto_riemann);
815 }
816
817 void
818 proto_reg_handoff_riemann(void)
819 {
820 dissector_add_for_decode_as_with_preference("tcp.port", riemann_tcp_handle);
821 dissector_add_for_decode_as_with_preference("udp.port", riemann_udp_handle);
822 }
823
824 /*
825 * Editor modelines - https://www.wireshark.org/tools/modelines.html
826 *
827 * Local variables:
828 * c-basic-offset: 4
829 * tab-width: 8
830 * indent-tabs-mode: nil
831 * End:
832 *
833 * vi: set shiftwidth=4 tabstop=8 expandtab:
834 * :indentSize=4:tabSize=8:noTabs=true:
835 */
Metzes wireshark repo