search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
epan/dissectors/pidl/ C99 drsuapi
[wireshark-sm.git] / extcap / etwdump.c
blob2031ba7d240c146f40a1c914d2d8f4ddd3e2fc7c
1 /* etwdump.c
2 * etwdump is an extcap tool used to dump etw to pcapng
3 *
4 * Copyright 2020, Odysseus Yang
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13 #include "config.h"
14 #define WS_LOG_DOMAIN "etwdump"
15
16 #include "extcap-base.h"
17
18 #include <wsutil/strtoi.h>
19 #include <wsutil/filesystem.h>
20 #include <wsutil/privileges.h>
21 #include <wsutil/please_report_bug.h>
22 #include <wsutil/wslog.h>
23
24 #include <cli_main.h>
25 #include <wsutil/cmdarg_err.h>
26 #include "etl.h"
27
28 #include <signal.h>
29
30 /* extcap-interface has to be unique, or it may use wrong option output by a different extcapbin */
31 #define ETW_EXTCAP_INTERFACE "etwdump"
32 #define ETWDUMP_VERSION_MAJOR "1"
33 #define ETWDUMP_VERSION_MINOR "0"
34 #define ETWDUMP_VERSION_RELEASE "0"
35
36 enum {
37 EXTCAP_BASE_OPTIONS_ENUM,
38 OPT_HELP,
39 OPT_VERSION,
40 OPT_INCLUDE_UNDECIDABLE_EVENT,
41 OPT_ETLFILE,
42 OPT_PARAMS
43 };
44
45 static const struct ws_option longopts[] = {
46 EXTCAP_BASE_OPTIONS,
47 { "help", ws_no_argument, NULL, OPT_HELP},
48 { "version", ws_no_argument, NULL, OPT_VERSION},
49 { "iue", ws_optional_argument, NULL, OPT_INCLUDE_UNDECIDABLE_EVENT},
50 { "etlfile", ws_required_argument, NULL, OPT_ETLFILE},
51 { "params", ws_required_argument, NULL, OPT_PARAMS},
52 { 0, 0, 0, 0 }
53 };
54
55 int g_include_undecidable_event;
56
57 void SignalHandler(_U_ int signal)
58 {
59 SUPER_EVENT_TRACE_PROPERTIES super_trace_properties = { 0 };
60 super_trace_properties.prop.Wnode.BufferSize = sizeof(SUPER_EVENT_TRACE_PROPERTIES);
61 super_trace_properties.prop.Wnode.ClientContext = 2;
62 super_trace_properties.prop.Wnode.Flags = WNODE_FLAG_TRACED_GUID;
63 super_trace_properties.prop.LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
64 super_trace_properties.prop.LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
65 /* Close trace when press CONTROL+C when running this console alone */
66 ControlTrace((TRACEHANDLE)NULL, LOGGER_NAME, &super_trace_properties.prop, EVENT_TRACE_CONTROL_STOP);
67 }
68
69 static void help(extcap_parameters* extcap_conf)
70 {
71 extcap_help_print(extcap_conf);
72 }
73
74 static int list_config(char* interface)
75 {
76 unsigned inc = 0;
77
78 if (!interface) {
79 ws_warning("No interface specified.");
80 return EXIT_FAILURE;
81 }
82
83 if (g_strcmp0(interface, ETW_EXTCAP_INTERFACE)) {
84 ws_warning("Interface must be %s", ETW_EXTCAP_INTERFACE);
85 return EXIT_FAILURE;
86 }
87 /*
88 * required=true agu will be displayed before required=false on UI
89 *
90 * Empty etlfile and unempty params, read etw events from a live session with the params as the filter
91 * Unempty etlfile and empty params, read etw events from the etl file without filter
92 * Unempty etlfile and unemtpy params, read etw events from the etl file with the params as the filter
93 * Empty eltfile and empty params, invalid
94 */
95 printf("arg {number=%u}{call=--etlfile}{display=etl file}"
96 "{type=fileselect}{tooltip=Select etl file to display in Wireshark}{required=false}{group=Capture}\n",
97 inc++);
98 printf("arg {number=%u}{call=--params}{display=filter parameters}"
99 "{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}\n",
100 inc++);
101 /*
102 * The undecidable events are those that either don't have sub-dissector or don't have anthing meaningful to display except for the EVENT_HEADER.
103 */
104 printf("arg {number=%u}{call=--iue}{display=Should undecidable events be included}"
105 "{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}\n",
106 inc++);
107
108 extcap_config_debug(&inc);
109 return EXIT_SUCCESS;
110 }
111
112 int main(int argc, char* argv[])
113 {
114 char* err_msg;
115 int option_idx = 0;
116 int result;
117 int ret = EXIT_FAILURE;
118
119 char* etlfile = NULL;
120 char* params = NULL;
121
122 extcap_parameters* extcap_conf = g_new0(extcap_parameters, 1);
123 char* help_url;
124 char* help_header = NULL;
125
126 /* Set the program name. */
127 g_set_prgname("etwdump");
128
129 /* Initialize log handler early so we can have proper logging during startup. */
130 extcap_log_init();
131
132 /*
133 * Get credential information for later use.
134 */
135 init_process_policies();
136
137 /*
138 * Attempt to get the pathname of the directory containing the
139 * executable file.
140 */
141 err_msg = configuration_init(argv[0]);
142 if (err_msg != NULL) {
143 ws_warning("Can't get pathname of directory containing the extcap program: %s.",
144 err_msg);
145 g_free(err_msg);
146 }
147
148 help_url = data_file_url("etwdump.html");
149 extcap_base_set_util_info(extcap_conf, argv[0], ETWDUMP_VERSION_MAJOR, ETWDUMP_VERSION_MINOR,
150 ETWDUMP_VERSION_RELEASE, help_url);
151 g_free(help_url);
152 extcap_base_register_interface(extcap_conf, ETW_EXTCAP_INTERFACE, "Event Tracing for Windows (ETW) reader", 290, "DLT_ETW");
153
154 help_header = ws_strdup_printf(
155 " %s --extcap-interfaces\n"
156 " %s --extcap-interface=%s --extcap-dlts\n"
157 " %s --extcap-interface=%s --extcap-config\n"
158 " %s --extcap-interface=%s --etlfile c:\\wwansvc.etl \n"
159 "--fifo=FILENAME --capture\n", argv[0], argv[0], ETW_EXTCAP_INTERFACE, argv[0], ETW_EXTCAP_INTERFACE,
160 argv[0], ETW_EXTCAP_INTERFACE);
161 extcap_help_add_header(extcap_conf, help_header);
162 g_free(help_header);
163
164 extcap_help_add_option(extcap_conf, "--help", "print this help");
165 extcap_help_add_option(extcap_conf, "--version", "print the version");
166 extcap_help_add_option(extcap_conf, "--etlfile <filename>", "A etl filename");
167 extcap_help_add_option(extcap_conf, "--iue", "Choose if undecidable event is included");
168
169 if (argc == 1) {
170 help(extcap_conf);
171 goto end;
172 }
173
174 while ((result = ws_getopt_long(argc, argv, ":", longopts, &option_idx)) != -1) {
175 switch (result) {
176 case OPT_VERSION:
177 extcap_version_print(extcap_conf);
178 ret = EXIT_SUCCESS;
179 goto end;
180
181 case OPT_HELP:
182 help(extcap_conf);
183 ret = EXIT_SUCCESS;
184 goto end;
185
186 case OPT_ETLFILE:
187 etlfile = g_strdup(ws_optarg);
188 break;
189
190 case OPT_PARAMS:
191 /* Add params as the prefix since getopt_long will ignore the first argument always */
192 params = ws_strdup_printf("params %s", ws_optarg);
193 break;
194
195 case OPT_INCLUDE_UNDECIDABLE_EVENT:
196 g_include_undecidable_event = true;
197 break;
198
199 case ':':
200 /* missing option argument */
201 ws_warning("Option '%s' requires an argument", argv[ws_optind - 1]);
202 break;
203
204 default:
205 /* Handle extcap specific options */
206 if (!extcap_base_parse_options(extcap_conf, result - EXTCAP_OPT_LIST_INTERFACES, ws_optarg))
207 {
208 ws_warning("Invalid option: %s", argv[ws_optind - 1]);
209 goto end;
210 }
211 }
212 }
213
214 extcap_cmdline_debug(argv, argc);
215
216 if (extcap_base_handle_interface(extcap_conf)) {
217 ret = EXIT_SUCCESS;
218 goto end;
219 }
220
221 if (extcap_conf->show_config) {
222 ret = list_config(extcap_conf->interface);
223 goto end;
224 }
225
226 if (extcap_conf->capture) {
227
228 if (g_strcmp0(extcap_conf->interface, ETW_EXTCAP_INTERFACE)) {
229 ws_warning("ERROR: invalid interface");
230 goto end;
231 }
232
233 if (etlfile == NULL && params == NULL)
234 {
235 ws_warning("ERROR: Both --etlfile and --params arguments are empty");
236 goto end;
237 }
238
239 wtap_init(false);
240
241 signal(SIGINT, SignalHandler);
242
243 switch(etw_dump(etlfile, extcap_conf->fifo, params, &ret, &err_msg))
244 {
245 case WTAP_OPEN_ERROR:
246 if (err_msg != NULL) {
247 ws_warning("etw_dump failed: %s.",
248 err_msg);
249 g_free(err_msg);
250 }
251 else
252 {
253 ws_warning("etw_dump failed");
254 }
255 break;
256 case WTAP_OPEN_NOT_MINE:
257 if (etlfile == NULL)
258 {
259 if (err_msg != NULL) {
260 ws_warning("The live session didn't capture any event. Error message: %s.",
261 err_msg);
262 g_free(err_msg);
263 }
264 else
265 {
266 ws_warning("The live session didn't capture any event");
267 }
268 }
269 else
270 {
271 if (err_msg != NULL) {
272 ws_warning("The file %s is not etl format. Error message: %s.",
273 etlfile, err_msg);
274 g_free(err_msg);
275 }
276 else
277 {
278 ws_warning("The file %s is not etl format", etlfile);
279 }
280 }
281 break;
282 case WTAP_OPEN_MINE:
283 ret = EXIT_SUCCESS;
284 break;
285 }
286 }
287
288 end:
289 /* clean up stuff */
290 extcap_base_cleanup(&extcap_conf);
291
292 if (etlfile != NULL)
293 {
294 g_free(etlfile);
295 }
296 if (params != NULL)
297 {
298 g_free(params);
299 }
300
301 return ret;
302 }
303
304 /*
305 * Editor modelines - https://www.wireshark.org/tools/modelines.html
306 *
307 * Local variables:
308 * c-basic-offset: 4
309 * tab-width: 8
310 * indent-tabs-mode: nil
311 * End:
312 *
313 * vi: set shiftwidth=4 tabstop=8 expandtab:
314 * :indentSize=4:tabSize=8:noTabs=true:
315 */
Metzes wireshark repo