extcap/etwdump.c

   1 /* etwdump.c
   2  * etwdump is an extcap tool used to dump etw to pcapng
   3  *
   4  * Copyright 2020, Odysseus Yang
   5  *
   6  * Wireshark - Network traffic analyzer
   7  * By Gerald Combs <gerald@wireshark.org>
   8  * Copyright 1998 Gerald Combs
   9  *
  10  * SPDX-License-Identifier: GPL-2.0-or-later
  11  */
  12
  13 #include "config.h"
  14 #define WS_LOG_DOMAIN "etwdump"
  15
  16 #include "extcap-base.h"
  17
  18 #include <wsutil/strtoi.h>
  19 #include <wsutil/filesystem.h>
  20 #include <wsutil/privileges.h>
  21 #include <wsutil/please_report_bug.h>
  22 #include <wsutil/wslog.h>
  23
  24 #include <cli_main.h>
  25 #include <wsutil/cmdarg_err.h>
  26 #include "etl.h"
  27
  28 #include <signal.h>
  29
  30 /* extcap-interface has to be unique, or it may use wrong option output by a different extcapbin */
  31 #define ETW_EXTCAP_INTERFACE "etwdump"
  32 #define ETWDUMP_VERSION_MAJOR "1"
  33 #define ETWDUMP_VERSION_MINOR "0"
  34 #define ETWDUMP_VERSION_RELEASE "0"
  35
  36 enum {
  37     EXTCAP_BASE_OPTIONS_ENUM,
  38     OPT_HELP,
  39     OPT_VERSION,
  40     OPT_INCLUDE_UNDECIDABLE_EVENT,
  41     OPT_ETLFILE,
  42     OPT_PARAMS
  43 };
  44
  45 static struct ws_option longopts[] = {
  46     EXTCAP_BASE_OPTIONS,
  47     { "help",    ws_no_argument,       NULL, OPT_HELP},
  48     { "version", ws_no_argument,       NULL, OPT_VERSION},
  49     { "iue",     ws_optional_argument, NULL, OPT_INCLUDE_UNDECIDABLE_EVENT},
  50     { "etlfile", ws_required_argument, NULL, OPT_ETLFILE},
  51     { "params",  ws_required_argument, NULL, OPT_PARAMS},
  52     { 0, 0, 0, 0 }
  53 };
  54
  55 int g_include_undecidable_event = false;
  56
  57 void SignalHandler(_U_ int signal)
  58 {
  59     SUPER_EVENT_TRACE_PROPERTIES super_trace_properties = { 0 };
  60     super_trace_properties.prop.Wnode.BufferSize = sizeof(SUPER_EVENT_TRACE_PROPERTIES);
  61     super_trace_properties.prop.Wnode.ClientContext = 2;
  62     super_trace_properties.prop.Wnode.Flags = WNODE_FLAG_TRACED_GUID;
  63     super_trace_properties.prop.LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
  64     super_trace_properties.prop.LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
  65     /* Close trace when press CONTROL+C when running this console alone */
  66     ControlTrace((TRACEHANDLE)NULL, LOGGER_NAME, &super_trace_properties.prop, EVENT_TRACE_CONTROL_STOP);
  67 }
  68
  69 static void help(extcap_parameters* extcap_conf)
  70 {
  71     extcap_help_print(extcap_conf);
  72 }
  73
  74 static int list_config(char* interface)
  75 {
  76     unsigned inc = 0;
  77
  78     if (!interface) {
  79         ws_warning("No interface specified.");
  80         return EXIT_FAILURE;
  81     }
  82
  83     if (g_strcmp0(interface, ETW_EXTCAP_INTERFACE)) {
  84         ws_warning("Interface must be %s", ETW_EXTCAP_INTERFACE);
  85         return EXIT_FAILURE;
  86     }
  87     /*
  88      * required=true agu will be displayed before required=false on UI
  89      *
  90      * Empty etlfile and unempty params, read etw events from a live session with the params as the filter
  91      * Unempty etlfile and empty params, read etw events from the etl file without filter
  92      * Unempty etlfile and unemtpy params, read etw events from the etl file with the params as the filter
  93      * Empty eltfile and empty params, invalid
  94      */
  95     printf("arg {number=%u}{call=--etlfile}{display=etl file}"
  96         "{type=fileselect}{tooltip=Select etl file to display in Wireshark}{required=false}{group=Capture}\n",
  97         inc++);
  98     printf("arg {number=%u}{call=--params}{display=filter parameters}"
  99         "{type=string}{tooltip=Input providers, keyword and level filters for the etl file and live session}{group=Capture}\n",
 100         inc++);
 101     /*
 102     * The undecidable events are those that either don't have sub-dissector or don't have anthing meaningful to display except for the EVENT_HEADER.
 103     */
 104     printf("arg {number=%u}{call=--iue}{display=Should undecidable events be included}"
 105         "{type=boolflag}{default=false}{tooltip=Choose if the undecidable event is included}{group=Capture}\n",
 106         inc++);
 107
 108     extcap_config_debug(&inc);
 109     return EXIT_SUCCESS;
 110 }
 111
 112 int main(int argc, char* argv[])
 113 {
 114     char* err_msg;
 115     int option_idx = 0;
 116     int result;
 117     int ret = EXIT_FAILURE;
 118
 119     char* etlfile = NULL;
 120     char* params = NULL;
 121
 122     extcap_parameters* extcap_conf = g_new0(extcap_parameters, 1);
 123     char* help_url;
 124     char* help_header = NULL;
 125
 126     /* Initialize log handler early so we can have proper logging during startup. */
 127     extcap_log_init("etwdump");
 128
 129     /*
 130      * Get credential information for later use.
 131      */
 132     init_process_policies();
 133
 134     /*
 135      * Attempt to get the pathname of the directory containing the
 136      * executable file.
 137      */
 138     err_msg = configuration_init(argv[0], NULL);
 139     if (err_msg != NULL) {
 140         ws_warning("Can't get pathname of directory containing the extcap program: %s.",
 141             err_msg);
 142         g_free(err_msg);
 143     }
 144
 145     help_url = data_file_url("etwdump.html");
 146     extcap_base_set_util_info(extcap_conf, argv[0], ETWDUMP_VERSION_MAJOR, ETWDUMP_VERSION_MINOR,
 147         ETWDUMP_VERSION_RELEASE, help_url);
 148     g_free(help_url);
 149     extcap_base_register_interface(extcap_conf, ETW_EXTCAP_INTERFACE, "Event Tracing for Windows (ETW) reader", 290, "DLT_ETW");
 150
 151     help_header = ws_strdup_printf(
 152         " %s --extcap-interfaces\n"
 153         " %s --extcap-interface=%s --extcap-dlts\n"
 154         " %s --extcap-interface=%s --extcap-config\n"
 155         " %s --extcap-interface=%s --etlfile c:\\wwansvc.etl \n"
 156         "--fifo=FILENAME --capture\n", argv[0], argv[0], ETW_EXTCAP_INTERFACE, argv[0], ETW_EXTCAP_INTERFACE,
 157         argv[0], ETW_EXTCAP_INTERFACE);
 158     extcap_help_add_header(extcap_conf, help_header);
 159     g_free(help_header);
 160
 161     extcap_help_add_option(extcap_conf, "--help", "print this help");
 162     extcap_help_add_option(extcap_conf, "--version", "print the version");
 163     extcap_help_add_option(extcap_conf, "--etlfile <filename>", "A etl filename");
 164     extcap_help_add_option(extcap_conf, "--iue", "Choose if undecidable event is included");
 165
 166     if (argc == 1) {
 167         help(extcap_conf);
 168         goto end;
 169     }
 170
 171     while ((result = ws_getopt_long(argc, argv, ":", longopts, &option_idx)) != -1) {
 172         switch (result) {
 173         case OPT_VERSION:
 174             extcap_version_print(extcap_conf);
 175             ret = EXIT_SUCCESS;
 176             goto end;
 177
 178         case OPT_HELP:
 179             help(extcap_conf);
 180             ret = EXIT_SUCCESS;
 181             goto end;
 182
 183         case OPT_ETLFILE:
 184             etlfile = g_strdup(ws_optarg);
 185             break;
 186
 187         case OPT_PARAMS:
 188             /* Add params as the prefix since getopt_long will ignore the first argument always */
 189             params = ws_strdup_printf("params %s", ws_optarg);
 190             break;
 191
 192         case OPT_INCLUDE_UNDECIDABLE_EVENT:
 193             g_include_undecidable_event = true;
 194             break;
 195
 196         case ':':
 197             /* missing option argument */
 198             ws_warning("Option '%s' requires an argument", argv[ws_optind - 1]);
 199             break;
 200
 201         default:
 202             /* Handle extcap specific options */
 203             if (!extcap_base_parse_options(extcap_conf, result - EXTCAP_OPT_LIST_INTERFACES, ws_optarg))
 204             {
 205                 ws_warning("Invalid option: %s", argv[ws_optind - 1]);
 206                 goto end;
 207             }
 208         }
 209     }
 210
 211     extcap_cmdline_debug(argv, argc);
 212
 213     if (extcap_base_handle_interface(extcap_conf)) {
 214         ret = EXIT_SUCCESS;
 215         goto end;
 216     }
 217
 218     if (extcap_conf->show_config) {
 219         ret = list_config(extcap_conf->interface);
 220         goto end;
 221     }
 222
 223     if (extcap_conf->capture) {
 224
 225         if (g_strcmp0(extcap_conf->interface, ETW_EXTCAP_INTERFACE)) {
 226             ws_warning("ERROR: invalid interface");
 227             goto end;
 228         }
 229
 230         if (etlfile == NULL && params == NULL)
 231         {
 232             ws_warning("ERROR: Both --etlfile and --params arguments are empty");
 233             goto end;
 234         }
 235
 236         wtap_init(false);
 237
 238         signal(SIGINT, SignalHandler);
 239
 240         switch(etw_dump(etlfile, extcap_conf->fifo, params, &ret, &err_msg))
 241         {
 242         case WTAP_OPEN_ERROR:
 243             if (err_msg != NULL) {
 244                 ws_warning("etw_dump failed: %s.",
 245                     err_msg);
 246                 g_free(err_msg);
 247             }
 248             else
 249             {
 250                 ws_warning("etw_dump failed");
 251             }
 252             break;
 253         case WTAP_OPEN_NOT_MINE:
 254             if (etlfile == NULL)
 255             {
 256                 if (err_msg != NULL) {
 257                     ws_warning("The live session didn't capture any event. Error message: %s.",
 258                         err_msg);
 259                     g_free(err_msg);
 260                 }
 261                 else
 262                 {
 263                     ws_warning("The live session didn't capture any event");
 264                 }
 265             }
 266             else
 267             {
 268                 if (err_msg != NULL) {
 269                     ws_warning("The file %s is not etl format. Error message: %s.",
 270                         etlfile, err_msg);
 271                     g_free(err_msg);
 272                 }
 273                 else
 274                 {
 275                     ws_warning("The file %s is not etl format", etlfile);
 276                 }
 277             }
 278             break;
 279         case WTAP_OPEN_MINE:
 280             ret = EXIT_SUCCESS;
 281             break;
 282         }
 283     }
 284
 285 end:
 286     /* clean up stuff */
 287     extcap_base_cleanup(&extcap_conf);
 288
 289     if (etlfile != NULL)
 290     {
 291         g_free(etlfile);
 292     }
 293     if (params != NULL)
 294     {
 295         g_free(params);
 296     }
 297
 298     return ret;
 299 }
 300
 301 /*
 302  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 303  *
 304  * Local variables:
 305  * c-basic-offset: 4
 306  * tab-width: 8
 307  * indent-tabs-mode: nil
 308  * End:
 309  *
 310  * vi: set shiftwidth=4 tabstop=8 expandtab:
 311  * :indentSize=4:tabSize=8:noTabs=true:
 312  */