Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-etw.c
Warning:line 638, column 13
Value stored to 'offset' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-etw.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-05-10-100320-3641-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-etw.c
1/* packet-etw.c
2 * Routines for ETW Dissection
3 *
4 * Copyright 2020, Odysseus Yang
5 * 2026, Gabriel Potter
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
13
14/* Dissector based on ETW Trace
15* https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
16*/
17
18#include "config.h"
19
20#include <epan/packet.h>
21#include <wiretap/wtap.h>
22
23#include "packet-windows-common.h"
24
25#define MAX_SMALL_BUFFER4 4
26
27void proto_register_etw(void);
28void proto_reg_handoff_etw(void);
29
30static dissector_handle_t etw_handle;
31
32// ETW fields
33static int proto_etw;
34static int hf_etw_size;
35static int hf_etw_header_type;
36static int hf_etw_header_flag_extended_info;
37static int hf_etw_header_flag_private_session;
38static int hf_etw_header_flag_string_only;
39static int hf_etw_header_flag_trace_message;
40static int hf_etw_header_flag_no_cputime;
41static int hf_etw_header_flag_32_bit_header;
42static int hf_etw_header_flag_64_bit_header;
43static int hf_etw_header_flag_decode_guid;
44static int hf_etw_header_flag_classic_header;
45static int hf_etw_header_flag_processor_index;
46static int hf_etw_flags;
47static int hf_etw_event_property;
48static int hf_etw_event_property_xml;
49static int hf_etw_event_property_forwarded_xml;
50static int hf_etw_event_property_legacy_eventlog;
51static int hf_etw_event_property_legacy_reloggable;
52static int hf_etw_thread_id;
53static int hf_etw_process_id;
54static int hf_etw_time_stamp;
55static int hf_etw_provider_id;
56static int hf_etw_buffer_context_processor_number;
57static int hf_etw_buffer_context_alignment;
58static int hf_etw_buffer_context_logger_id;
59static int hf_etw_properties_count;
60static int hf_etw_provider_name;
61static int hf_etw_message;
62static int hf_etw_extended_data_count;
63static int hf_etw_extended_data;
64static int hf_etw_edata;
65static int hf_etw_edata_reserved1;
66static int hf_etw_edata_exttype;
67static int hf_etw_edata_linkage;
68static int hf_etw_edata_datasize;
69static int hf_etw_edata_dataptr;
70static int hf_etw_edata_data;
71static int hf_etw_edata_stacktrace_matchid;
72static int hf_etw_edata_stacktrace_address;
73static int hf_etw_edata_schematl_size;
74static int hf_etw_edata_schematl_reserved1;
75static int hf_etw_edata_schematl_name;
76static int hf_etw_edata_schematl_field;
77static int hf_etw_edata_schematl_field_key;
78static int hf_etw_edata_schematl_field_flags;
79static int hf_etw_edata_schematl_field_type;
80static int hf_etw_edata_schematl_field_ccount;
81static int hf_etw_edata_schematl_field_vcount;
82static int hf_etw_edata_schematl_field_chain;
83static int hf_etw_edata_traits_traitssize;
84static int hf_etw_edata_traits_providername;
85static int hf_etw_property;
86static int hf_etw_property_offset;
87static int hf_etw_property_keylen;
88static int hf_etw_property_valuelen;
89static int hf_etw_property_key;
90static int hf_etw_property_value;
91static int hf_etw_tlv_count;
92static int hf_etw_tlv_length;
93static int hf_etw_tlv_offset;
94static int hf_etw_tlv_type;
95static int hf_etw_user_data;
96static int hf_etw_descriptor_id;
97static int hf_etw_descriptor_version;
98static int hf_etw_descriptor_channel;
99static int hf_etw_descriptor_level;
100static int hf_etw_descriptor_opcode;
101static int hf_etw_descriptor_task;
102static int hf_etw_descriptor_keywords;
103static int hf_etw_processor_time;
104static int hf_etw_activity_id;
105
106// Generated fields
107static int hf_etw_type;
108static int hf_etw_message_formatted;
109
110static int ett_etw_header;
111static int ett_etw_data;
112static int ett_etw_descriptor;
113static int ett_etw_buffer_context;
114static int ett_etw_extended_data;
115static int ett_etw_property;
116static int ett_etw_edata;
117static int ett_etw_edata_data;
118static int ett_etw_edata_schematl_schema;
119static int ett_etw_schematl_flags;
120static int ett_etw_header_flags;
121static int ett_etw_event_property_types;
122static int ett_etw_tlvs;
123static int ett_etw_tlv;
124
125static dissector_handle_t mbim_dissector;
126
127static e_guid_t mbim_net_providerid = { 0xA42FE227, 0xA7BF, 0x4483, {0xA5, 0x02, 0x6B, 0xCD, 0xA4, 0x28, 0xCD, 0x96} };
128
129static const value_string etw_edata_types[] = {
130 { 0x0001, "RELATED_ACTIVITYID" },
131 { 0x0002, "SID" },
132 { 0x0003, "TS_ID" },
133 { 0x0004, "INSTANCE_INFO" },
134 { 0x0005, "STACK_TRACE32" },
135 { 0x0006, "STACK_TRACE64" },
136 { 0x0007, "PEBS_INDEX" },
137 { 0x0008, "PMC_COUNTERS" },
138 { 0x0009, "PSM_KEY" },
139 { 0x000A, "EVENT_KEY" },
140 { 0x000B, "EVENT_SCHEMA_TL" },
141 { 0x000C, "PROV_TRAITS" },
142 { 0x000D, "PROCESS_START_KEY" },
143 { 0x000E, "CONTROL_GUID" },
144 { 0x000F, "QPC_DELTA" },
145 { 0x0010, "CONTAINER_ID" },
146 { 0x0011, "STACK_KEY32" },
147 { 0x0012, "STACK_KEY64" },
148 { 0, NULL((void*)0) }
149};
150
151static const value_string etw_tlv_types[] = {
152 { 0x0000, "USER_DATA" },
153 { 0x0001, "MESSAGE" },
154 { 0x0002, "PROVIDER_NAME" },
155 { 0, NULL((void*)0) }
156};
157
158static const value_string etw_schematl_types[] = {
159 { 0x01, "UNICODESTRING" },
160 { 0x02, "ANSISTRING" },
161 { 0x03, "INT8" },
162 { 0x04, "UINT8" },
163 { 0x05, "INT16" },
164 { 0x06, "UINT16" },
165 { 0x07, "INT32" },
166 { 0x08, "UINT32" },
167 { 0x09, "INT64" },
168 { 0x0A, "UINT64" },
169 { 0x0B, "FLOAT" },
170 { 0x0C, "DOUBLE" },
171 { 0x0D, "BOOL32" },
172 { 0x0E, "BINARY" },
173 { 0x0F, "GUID" },
174 { 0x11, "FILETIME" },
175 { 0x12, "SYSTEMTIME" },
176 { 0x13, "SID" },
177 { 0x14, "HEXINT32" },
178 { 0x15, "HEXINT64" },
179 { 0x16, "COUNTEDSTRING" },
180 { 0x17, "COUNTEDANSISTRING" },
181 { 0x18, "STRUCT" },
182 { 0x19, "COUNTEDBINARY" },
183 { 0, NULL((void*)0) }
184};
185
186static int* const etw_schematl_flags[] = {
187 &hf_etw_edata_schematl_field_type,
188 &hf_etw_edata_schematl_field_ccount,
189 &hf_etw_edata_schematl_field_vcount,
190 &hf_etw_edata_schematl_field_chain,
191 NULL((void*)0)
192};
193
194#define ETW_HEADER_SIZE0x5C 0x5C
195
196static int etw_counter;
197
198typedef struct Property_Key_Value
199{
200 const unsigned char *key;
201 const unsigned char *value;
202} PROPERTY_KEY_VALUE;
203
204
205/// <summary>
206/// Function to format the properties into the eventlog message
207/// </summary>
208/// <param name="lpszMessage"></param>
209/// <param name="propArray"></param>
210/// <param name="dwPropertyCount"></param>
211/// <param name="lpszOutBuffer"></param>
212/// <param name="dwOutBufferCount"></param>
213static int
214format_message(char* lpszMessage, wmem_array_t* propArray, wmem_allocator_t* allocator, wmem_strbuf_t** out_buffer)
215{
216 uint16_t startLoc = 0;
217 int percent_loc = 0;
218 PROPERTY_KEY_VALUE key_value;
219 *out_buffer = wmem_strbuf_new(allocator, NULL((void*)0));
220
221 for (int i = 0; lpszMessage[i] != '\0';)
222 {
223 if (lpszMessage[i] != '%')
224 {
225 i++;
226 continue;
227 }
228
229 percent_loc = i;
230 i++;
231
232 if (g_ascii_isdigit(lpszMessage[i])((g_ascii_table[(guchar) (lpszMessage[i])] & G_ASCII_DIGIT
) != 0))
233 {
234 uint16_t dwDigitalCount = 0;
235 char smallBuffer[MAX_SMALL_BUFFER4] = { 0 };
236 while (g_ascii_isdigit(lpszMessage[i])((g_ascii_table[(guchar) (lpszMessage[i])] & G_ASCII_DIGIT
) != 0))
237 {
238 if (dwDigitalCount < (MAX_SMALL_BUFFER4 - 1))
239 {
240 smallBuffer[dwDigitalCount] = lpszMessage[i];
241 }
242 dwDigitalCount++;
243 i++;
244 }
245
246 /* We are not parsing this */
247 if (dwDigitalCount >= (MAX_SMALL_BUFFER4 - 1))
248 {
249 continue;
250 }
251
252 gint64 num = g_ascii_strtoll(smallBuffer, NULL((void*)0), 10);
253 /* We are not parsing this */
254 if (num <= 0 || num >= G_MAXUSHORT(32767 * 2 + 1) || wmem_array_try_index(propArray, (unsigned int) num - 1, &key_value) != 0 || key_value.value == NULL((void*)0))
255 {
256 continue;
257 }
258
259 if (lpszMessage[i] == '!' && lpszMessage[i + 1] == 'S' && lpszMessage[i + 2] == '!')
260 {
261 i += 3;
262 }
263
264 /* We have everything */
265 lpszMessage[percent_loc] = '\0';
266 wmem_strbuf_append(*out_buffer, lpszMessage + startLoc);
267 wmem_strbuf_append(*out_buffer, (char*) key_value.value);
268 startLoc = i;
269 continue; // for
270 }
271 }
272 wmem_strbuf_append(*out_buffer, lpszMessage + startLoc);
273
274 return 0;
275}
276
277static int
278dissect_properties(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint32_t count, wmem_allocator_t* allocator, wmem_array_t** propArray)
279{
280 uint32_t i;
281 proto_item* ti;
282 proto_tree* prop_tree;
283 uint32_t item_offset = offset;
284 uint16_t item_key_length = 0, item_value_length = 0;
285
286 PROPERTY_KEY_VALUE prop;
287 *propArray = wmem_array_new(allocator, sizeof(PROPERTY_KEY_VALUE));
288
289 for (i = 0; i < count; i++)
290 {
291 ti = proto_tree_add_item(edata_tree, hf_etw_property, tvb, offset, 8, ENC_NA0x00000000);
292 prop_tree = proto_item_add_subtree(ti, ett_etw_property);
293
294 proto_tree_add_item_ret_uint32(prop_tree, hf_etw_property_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &item_offset);
295 offset += 4;
296 proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_keylen, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &item_key_length);
297 offset += 2;
298 proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_valuelen, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &item_value_length);
299 offset += 2;
300
301 proto_tree_add_item_ret_string(prop_tree, hf_etw_property_key, tvb, item_offset, item_key_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, &prop.key);
302 proto_tree_add_item_ret_string(prop_tree, hf_etw_property_value, tvb, item_offset + item_key_length, item_value_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, &prop.value);
303
304 proto_item_set_text(prop_tree, "%s=%s", prop.key, prop.value);
305 wmem_array_append(*propArray, &prop, 1);
306 }
307 offset = item_offset + item_key_length + item_value_length;
308
309 return offset;
310}
311
312/// <summary>
313/// Dissect the "Extended Data" blobs
314/// </summary>
315static int
316dissect_edata_tlvs(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint16_t extended_data_count, bool_Bool* is_tl)
317{
318 uint16_t i;
319 proto_item* ti;
320 proto_tree* edata_item_tree, *edata_item_data_tree, *edata_schematl_schema;
321 uint64_t edata_off64;
322 uint32_t edata_off = offset, edata_off_int;
323 uint16_t edata_sz = 0, edata_type = 0;
324
325 for (i = 0; i < extended_data_count; i++)
326 {
327 ti = proto_tree_add_item(edata_tree, hf_etw_edata, tvb, offset, 16, ENC_NA0x00000000);
328 edata_item_tree = proto_item_add_subtree(ti, ett_etw_edata);
329
330 proto_tree_add_item(edata_item_tree, hf_etw_edata_reserved1, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
331 offset += 2;
332 proto_tree_add_item_ret_uint16(edata_item_tree, hf_etw_edata_exttype, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &edata_type);
333 offset += 2;
334 proto_tree_add_item(edata_item_tree, hf_etw_edata_linkage, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
335 offset += 2;
336 proto_tree_add_item_ret_uint16(edata_item_tree, hf_etw_edata_datasize, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &edata_sz);
337 offset += 2;
338 proto_tree_add_item_ret_uint64(edata_item_tree, hf_etw_edata_dataptr, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000, &edata_off64);
339 offset += 8;
340
341 if (edata_off64 > UINT32_MAX(4294967295U))
342 continue; // should never happen, but to be safe
343
344 edata_off = (uint32_t) edata_off64;
345
346 ti = proto_tree_add_item(edata_item_tree, hf_etw_edata_data, tvb, edata_off, edata_sz, ENC_NA0x00000000);
347 edata_item_data_tree = proto_item_add_subtree(ti, ett_etw_edata_data);
348
349 edata_off_int = edata_off;
350 switch (edata_type)
351 {
352 case 0x0002: // SID
353 proto_item_set_text(ti, "Data (SID)");
354 dissect_nt_sid(tvb, pinfo, edata_off_int, edata_item_data_tree, "SID", NULL((void*)0), -1);
355
356 break;
357 case 0x0006: // EVENT_STACK_TRACE64
358 proto_item_set_text(ti, "Data (EVENT_STACK_TRACE64)");
359
360 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_stacktrace_matchid, tvb, edata_off_int, 8, ENC_LITTLE_ENDIAN0x80000000);
361 edata_off_int += 8;
362
363 while (edata_off_int < edata_off + edata_sz)
364 {
365 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_stacktrace_address, tvb, edata_off_int, 8, ENC_LITTLE_ENDIAN0x80000000);
366 edata_off_int += 8;
367 }
368 break;
369
370 case 0x000B: // EVENT_SCHEMA_TL
371 {
372 uint8_t schema_size = 0;
373 int item_size = 0;
374
375 *is_tl = true1;
376 proto_item_set_text(ti, "Data (EVENT_SCHEMA_TL)");
377
378 proto_tree_add_item_ret_uint8(edata_item_data_tree, hf_etw_edata_schematl_size, tvb, edata_off_int, 1, ENC_LITTLE_ENDIAN0x80000000, &schema_size);
379 edata_off_int += 1;
380 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_schematl_reserved1, tvb, edata_off_int, 2, ENC_LITTLE_ENDIAN0x80000000);
381 edata_off_int += 2;
382 proto_tree_add_item_ret_length(edata_item_data_tree, hf_etw_edata_schematl_name, tvb, edata_off_int, -1, ENC_LITTLE_ENDIAN0x80000000, &item_size);
383 edata_off_int += item_size;
384
385 while (edata_off_int < edata_off + schema_size)
386 {
387 ti = proto_tree_add_item(edata_item_data_tree, hf_etw_edata_schematl_field, tvb, edata_off_int, 0, ENC_NA0x00000000);
388 edata_schematl_schema = proto_item_add_subtree(ti, ett_etw_edata_schematl_schema);
389
390 proto_tree_add_item_ret_length(edata_schematl_schema, hf_etw_edata_schematl_field_key, tvb, edata_off_int, -1, ENC_LITTLE_ENDIAN0x80000000, &item_size);
391 edata_off_int += item_size;
392 proto_tree_add_bitmask(edata_schematl_schema, tvb, edata_off_int, hf_etw_edata_schematl_field_flags,
393 ett_etw_schematl_flags, etw_schematl_flags, ENC_LITTLE_ENDIAN0x80000000);
394 edata_off_int += 1;
395 }
396 break;
397 }
398 case 0x000C: // PROV_TRAITS
399 {
400 // https://learn.microsoft.com/en-us/windows/win32/etw/provider-traits
401 uint16_t traits_size = 0;
402
403 proto_item_set_text(ti, "Data (PROV_TRAITS)");
404
405 proto_tree_add_item_ret_uint16(edata_item_data_tree, hf_etw_edata_traits_traitssize, tvb, edata_off_int, 2, ENC_LITTLE_ENDIAN0x80000000, &traits_size);
406 edata_off_int += 2;
407 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_traits_providername, tvb, edata_off_int, traits_size - 2, ENC_NA0x00000000 | ENC_UTF_80x00000002);
408 edata_off_int += traits_size;
409 break;
410 }
411
412 default:
413 break;
414 }
415
416
417 }
418
419 return offset;
420}
421
422static int
423dissect_etw(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree _U___attribute__((unused)), void* data _U___attribute__((unused)))
424{
425 // We parse an "ETL->Wireshark encapsulation" format, which is defined in etl.c. This format
426 // includes the actual ETW header, in addition to formatted structures which we added during
427 // the dump process.
428
429 proto_tree* etw_header, * etw_descriptor, * etw_buffer_context, * edata_tree, * etw_data, * etw_tlvs;
430 proto_item* ti;
431 tvbuff_t* mbim_tvb;
432 char* provider_name;
433 uint32_t message_offset = 0, message_length = 0, provider_name_offset = 0, provider_name_length = 0, user_data_offset = 0, user_data_length = 0;
434 uint32_t properties_offset, properties_count;
435 uint16_t extended_data_count, tlv_count;
436 uint64_t flags;
437 wmem_array_t* propArray = NULL((void*)0);
438 bool_Bool is_tl = false0;
439 e_guid_t provider_id;
440 nstime_t timestamp;
441 uint64_t ts;
442 int offset = 0;
443 static int * const etw_header_flags[] = {
444 &hf_etw_header_flag_extended_info,
445 &hf_etw_header_flag_private_session,
446 &hf_etw_header_flag_string_only,
447 &hf_etw_header_flag_trace_message,
448 &hf_etw_header_flag_no_cputime,
449 &hf_etw_header_flag_32_bit_header,
450 &hf_etw_header_flag_64_bit_header,
451 &hf_etw_header_flag_decode_guid,
452 &hf_etw_header_flag_classic_header,
453 &hf_etw_header_flag_processor_index,
454 NULL((void*)0)
455 };
456
457 static int * const etw_event_property_opt[] = {
458 &hf_etw_event_property_xml,
459 &hf_etw_event_property_forwarded_xml,
460 &hf_etw_event_property_legacy_eventlog,
461 &hf_etw_event_property_legacy_reloggable,
462 NULL((void*)0)
463 };
464
465 // Header
466
467 etw_header = proto_tree_add_subtree(tree, tvb, 0, ETW_HEADER_SIZE0x5C, ett_etw_header, NULL((void*)0), "ETW Header");
468 proto_tree_add_item(etw_header, hf_etw_size, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
469 offset += 2;
470 proto_tree_add_item(etw_header, hf_etw_header_type, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
471 offset += 2;
472 proto_tree_add_bitmask_ret_uint64(etw_header, tvb, offset, hf_etw_flags,
473 ett_etw_header_flags, etw_header_flags, ENC_LITTLE_ENDIAN0x80000000, &flags);
474 offset += 2;
475 proto_tree_add_bitmask(etw_header, tvb, offset, hf_etw_event_property,
476 ett_etw_event_property_types, etw_event_property_opt, ENC_LITTLE_ENDIAN0x80000000);
477 offset += 2;
478 proto_tree_add_item(etw_header, hf_etw_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
479 offset += 4;
480 proto_tree_add_item(etw_header, hf_etw_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
481 offset += 4;
482 ts = tvb_get_letoh64(tvb, offset) - INT64_C(0x019DB1DED53E8000)0x019DB1DED53E8000L;
483 timestamp.secs = (unsigned)(ts / 10000000);
484 timestamp.nsecs = (unsigned)((ts % 10000000) * 100);
485 proto_tree_add_time(etw_header, hf_etw_time_stamp, tvb, offset, 8, &timestamp);
486 offset += 8;
487 tvb_get_letohguid(tvb, offset, &provider_id);
488 proto_tree_add_item(etw_header, hf_etw_provider_id, tvb, offset, 16, ENC_LITTLE_ENDIAN0x80000000);
489 offset += 16;
490
491 etw_descriptor = proto_tree_add_subtree(etw_header, tvb, 40, 16, ett_etw_descriptor, NULL((void*)0), "Descriptor");
492 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_id, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
493 offset += 2;
494 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
495 offset += 1;
496 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_channel, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
497 offset += 1;
498 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_level, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
499 offset += 1;
500 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
501 offset += 1;
502 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_task, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
503 offset += 2;
504 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_keywords, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
505 offset += 8;
506
507 proto_tree_add_item(etw_header, hf_etw_processor_time, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
508 offset += 8;
509 proto_tree_add_item(etw_header, hf_etw_activity_id, tvb, offset, 16, ENC_LITTLE_ENDIAN0x80000000);
510 offset += 16;
511
512 etw_buffer_context = proto_tree_add_subtree(etw_header, tvb, 80, 4, ett_etw_descriptor, NULL((void*)0), "Buffer Context");
513 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_processor_number, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
514 offset += 1;
515 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_alignment, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
516 offset += 1;
517 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_logger_id, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
518 offset += 2;
519 proto_tree_add_item_ret_uint16(etw_header, hf_etw_extended_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &extended_data_count);
520 offset += 2;
521 proto_tree_add_item_ret_uint16(etw_header, hf_etw_tlv_count, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &tlv_count);
522 offset += 2;
523 proto_tree_add_item_ret_uint(etw_header, hf_etw_properties_count, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &properties_count);
524 offset += 4;
525
526 // Extended data
527
528 ti = proto_tree_add_item(etw_header, hf_etw_extended_data, tvb, offset, extended_data_count * 16, ENC_NA0x00000000); // sizeof(EVENT_HEADER_EXTENDED_DATA_ITEM) = 16
529 edata_tree = proto_item_add_subtree(ti, ett_etw_extended_data);
530 offset = dissect_edata_tlvs(tvb, pinfo, edata_tree, offset, extended_data_count, &is_tl);
531
532 // Expert info
533
534 if (flags & 0x0008) // EVENT_HEADER_FLAG_TRACE_MESSAGE
535 {
536 // WPP
537 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "WPP");
538 }
539 else if (flags & 0x0100) // EVENT_HEADER_FLAG_CLASSIC_HEADER
540 {
541 // MOF (CLASSIC)
542 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "MOF (classic)");
543 }
544 else if (is_tl)
545 {
546 // TRACELOGGING
547 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "TraceLogging");
548 }
549 else
550 {
551 // MANIFEST
552 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "Manifest-based");
553 }
554 proto_item_set_generated(ti);
555
556 // Now is the bunch of TLVs that include formatted stuff
557 if (tlv_count > 0)
558 {
559 etw_tlvs = proto_tree_add_subtree(etw_header, tvb, offset, tlv_count * 12, ett_etw_tlvs, NULL((void*)0), "Extra Information");
560
561 for (uint16_t i = 0; i < tlv_count; i++)
562 {
563 uint32_t tlv_type, tlv_offset, tlv_length;
564
565 proto_tree* etw_tlv = proto_tree_add_subtree(etw_tlvs, tvb, offset, 12, ett_etw_tlv, NULL((void*)0), "Extra Information Item");
566
567 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_type, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_type);
568 offset += 4;
569 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_offset);
570 offset += 4;
571 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_length);
572 offset += 4;
573
574 if (tlv_type == 0)
575 {
576 // TLV_USER_DATA
577 proto_item_set_text(etw_tlv, "Extra Information Item (USER_DATA)");
578 user_data_offset = tlv_offset;
579 user_data_length = tlv_length;
580 }
581 else if (tlv_type == 1)
582 {
583 // TLV_MESSAGE
584 proto_item_set_text(etw_tlv, "Extra Information Item (MESSAGE)");
585 message_offset = tlv_offset;
586 message_length = tlv_length;
587 }
588 else if (tlv_type == 2)
589 {
590 // TLV_PROVIDER_NAME
591 proto_item_set_text(etw_tlv, "Extra Information Item (PROVIDER_NAME)");
592 provider_name_offset = tlv_offset;
593 provider_name_length = tlv_length;
594 }
595 }
596 }
597
598 // Now it's the properties (we parse them later)
599
600 properties_offset = offset;
601
602 // We're done with the header. Starting adding "Data" elements.
603
604 if (provider_name_length) {
605 // Specifically for the provider name, we keep it in the "Data" header to handle the MBIM case
606 proto_tree_add_item_ret_string(etw_header, hf_etw_provider_name, tvb, provider_name_offset, provider_name_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, (const uint8_t **) & provider_name);
607 }
608
609 // User data + set columns
610
611 col_set_str(pinfo->cinfo, COL_DEF_SRC, "windows");
612 col_set_str(pinfo->cinfo, COL_DEF_DST, "windows");
613 if (memcmp(&mbim_net_providerid, &provider_id, sizeof(e_guid_t)) == 0) {
614 // Special case for MBIM
615 uint32_t pack_flags;
616
617 if (WTAP_OPTTYPE_SUCCESS == wtap_block_get_uint32_option_value(pinfo->rec->block, OPT_PKT_FLAGS2, &pack_flags)) {
618 switch(PACK_FLAGS_DIRECTION(pack_flags)(((pack_flags) & 0x00000003) >> 0)) {
619 case PACK_FLAGS_DIRECTION_INBOUND1:
620 col_set_str(pinfo->cinfo, COL_DEF_SRC, "device");
621 col_set_str(pinfo->cinfo, COL_DEF_DST, "host");
622 break;
623 case PACK_FLAGS_DIRECTION_OUTBOUND2:
624 col_set_str(pinfo->cinfo, COL_DEF_SRC, "host");
625 col_set_str(pinfo->cinfo, COL_DEF_DST, "device");
626 break;
627 }
628 }
629 mbim_tvb = tvb_new_subset_remaining(tvb, user_data_offset);
630 call_dissector_only(mbim_dissector, mbim_tvb, pinfo, tree, data);
631 }
632 else
633 {
634 // Other provider: add "Data" header
635
636 etw_data = proto_tree_add_subtree(tree, tvb, offset, 0, ett_etw_data, NULL((void*)0), "ETW Data");
637 if (properties_count) {
638 offset = dissect_properties(tvb, pinfo, etw_data, properties_offset, properties_count, pinfo->pool, &propArray);
Value stored to 'offset' is never read
639 }
640 if (user_data_length) {
641 proto_tree_add_item(etw_data, hf_etw_user_data, tvb, user_data_offset, user_data_length, ENC_NA0x00000000);
642 }
643
644 if (provider_name_length) {
645 col_set_str(pinfo->cinfo, COL_PROTOCOL, provider_name);
646 }
647
648 if (message_length) {
649 char* message;
650
651 proto_tree_add_item_ret_string(etw_data, hf_etw_message, tvb, message_offset, message_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, (const uint8_t**)& message);
652 if (propArray != NULL((void*)0))
653 {
654 wmem_strbuf_t* out_buffer;
655 format_message(message, propArray, pinfo->pool, &out_buffer);
656 message = out_buffer->str;
657 ti = proto_tree_add_string(etw_data, hf_etw_message_formatted, tvb, 0, -1, message);
658 proto_item_set_generated(ti);
659 }
660 col_set_str(pinfo->cinfo, COL_INFO, message);
661 }
662 else
663 {
664 col_set_str(pinfo->cinfo, COL_INFO, guids_resolve_guid_to_str(&provider_id, pinfo->pool));
665 }
666 }
667
668 etw_counter += 1;
669 return tvb_captured_length(tvb);
670}
671
672void
673proto_register_etw(void)
674{
675 static hf_register_info hf[] = {
676 { &hf_etw_size,
677 { "Size", "etw.size",
678 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
679 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
680 },
681 { &hf_etw_header_type,
682 { "Header Type", "etw.header_type",
683 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
684 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
685 },
686 { &hf_etw_flags,
687 { "Flags", "etw.flags",
688 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
689 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
690 },
691 { &hf_etw_header_flag_extended_info,
692 { "Extended Info", "etw.header.flag.extended_info",
693 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
694 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
695 },
696 { &hf_etw_header_flag_private_session,
697 { "Private Session", "etw.header.flag.private_session",
698 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
699 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
700 },
701 { &hf_etw_header_flag_string_only,
702 { "String Only", "etw.header.flag.string_only",
703 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
704 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
705 },
706 { &hf_etw_header_flag_trace_message,
707 { "Trace Message", "etw.header.flag.trace_message",
708 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
709 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
710 },
711 { &hf_etw_header_flag_no_cputime,
712 { "No CPU time", "etw.header.flag.no_cputime",
713 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0010,
714 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
715 },
716 { &hf_etw_header_flag_32_bit_header,
717 { "32-bit Header", "etw.header.flag.32_bit_header",
718 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0020,
719 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
720 },
721 { &hf_etw_header_flag_64_bit_header,
722 { "64-bit Header", "etw.header.flag.64_bit_header",
723 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0040,
724 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
725 },
726 { &hf_etw_header_flag_decode_guid,
727 { "Decode GUID", "etw.header.flag.decode_guid",
728 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0080,
729 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
730 },
731 { &hf_etw_header_flag_classic_header,
732 { "Classic Header", "etw.header.flag.classic_header",
733 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0100,
734 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
735 },
736 { &hf_etw_header_flag_processor_index,
737 { "Processor Index", "etw.header.flag.processor_index",
738 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0200,
739 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
740 },
741 { &hf_etw_event_property,
742 { "Event Property", "etw.event_property",
743 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
744 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
745 },
746 { &hf_etw_event_property_xml,
747 { "XML", "etw.property.xml",
748 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
749 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
750 },
751 { &hf_etw_event_property_forwarded_xml,
752 { "Forwarded XML", "etw.property.forwarded_xml",
753 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
754 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
755 },
756 { &hf_etw_event_property_legacy_eventlog,
757 { "Legacy Event Log", "etw.property.legacy_event",
758 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
759 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
760 },
761 { &hf_etw_event_property_legacy_reloggable,
762 { "Legacy Reloggable", "etw.property.legacy_reloggable",
763 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
764 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
765 },
766 { &hf_etw_thread_id,
767 { "Thread ID", "etw.thread_id",
768 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
769 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
770 },
771 { &hf_etw_process_id,
772 { "Process ID", "etw.process_id",
773 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
774 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
775 },
776 { &hf_etw_time_stamp,
777 { "Time Stamp", "etw.time_stamp",
778 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL((void*)0), 0,
779 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
780 },
781 { &hf_etw_provider_id,
782 { "Provider ID", "etw.provider_id",
783 FT_GUID, BASE_NONE, NULL((void*)0), 0,
784 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
785 },
786 { &hf_etw_buffer_context_processor_number,
787 { "Processor Number", "etw.buffer_context.processor_number",
788 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
789 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
790 },
791 { &hf_etw_buffer_context_alignment,
792 { "Alignment", "etw.buffer_context.alignment",
793 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
794 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
795 },
796 { &hf_etw_buffer_context_logger_id,
797 { "ID", "etw.buffer_context.logger_id",
798 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
799 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
800 },
801 { &hf_etw_tlv_count,
802 { "Extra Information Count", "etw.tlv_count",
803 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
804 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
805 },
806 { &hf_etw_tlv_offset,
807 { "Offset", "etw.tlv.offset",
808 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
809 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
810 },
811 { &hf_etw_tlv_length,
812 { "Length", "etw.tlv.length",
813 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
814 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
815 },
816 { &hf_etw_tlv_type,
817 { "Type", "etw.tlv.type",
818 FT_UINT32, BASE_DEC, VALS(etw_tlv_types)((0 ? (const struct _value_string*)0 : ((etw_tlv_types)))), 0,
819 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
820 },
821 { &hf_etw_properties_count,
822 { "Properties count", "etw.props_count",
823 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
824 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
825 },
826 { &hf_etw_provider_name,
827 { "Provider Name", "etw.provider_name",
828 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
829 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
830 },
831 { &hf_etw_message,
832 { "Event Message", "etw.message",
833 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
834 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
835 },
836 { &hf_etw_extended_data_count,
837 { "Extended Data Count", "etw.extended_data_count",
838 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
839 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
840 },
841 { &hf_etw_extended_data,
842 { "Extended Data", "etw.extended_data",
843 FT_NONE, BASE_NONE, NULL((void*)0), 0,
844 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
845 },
846 { &hf_etw_edata,
847 { "Extended Data Item", "etw.edata",
848 FT_NONE, BASE_NONE, NULL((void*)0), 0,
849 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
850 },
851 { &hf_etw_edata_reserved1,
852 { "Reserved1", "etw.edata.reserved1",
853 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
854 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
855 },
856 { &hf_etw_edata_exttype,
857 { "ExtType", "etw.edata.exttype",
858 FT_UINT16, BASE_DEC, VALS(etw_edata_types)((0 ? (const struct _value_string*)0 : ((etw_edata_types)))), 0,
859 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
860 },
861 { &hf_etw_edata_linkage,
862 { "Linkage", "etw.edata.linkage",
863 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
864 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
865 },
866 { &hf_etw_edata_datasize,
867 { "DataSize", "etw.edata.datasize",
868 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
869 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
870 },
871 { &hf_etw_edata_dataptr,
872 { "DataPtr", "etw.edata.dataptr",
873 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
874 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
875 },
876 { &hf_etw_edata_data,
877 { "Data", "etw.edata.data",
878 FT_NONE, BASE_NONE, NULL((void*)0), 0,
879 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
880 },
881 { &hf_etw_edata_stacktrace_matchid,
882 { "MatchId", "etw.edata.stacktrace.matchid",
883 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
884 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
885 },
886 { &hf_etw_edata_stacktrace_address,
887 { "Address", "etw.edata.stacktrace.address",
888 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
889 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
890 },
891 { &hf_etw_edata_schematl_size,
892 { "Size", "etw.edata.schematl.size",
893 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
894 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
895 },
896 { &hf_etw_edata_schematl_reserved1,
897 { "Unknown", "etw.edata.schematl.reserved1",
898 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
899 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
900 },
901 { &hf_etw_edata_schematl_name,
902 { "Event Name", "etw.edata.schematl.name",
903 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
904 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
905 },
906 { &hf_etw_edata_schematl_field,
907 { "Schema Field", "etw.edata.schematl.field",
908 FT_NONE, BASE_NONE, NULL((void*)0), 0,
909 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
910 },
911 { &hf_etw_edata_schematl_field_key,
912 { "Key", "etw.edata.schematl.field.key",
913 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
914 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
915 },
916 { &hf_etw_edata_schematl_field_flags,
917 { "Flags", "etw.edata.schematl.field.flags",
918 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
919 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
920 },
921 { &hf_etw_edata_schematl_field_type,
922 { "Type", "etw.edata.schematl.field.type",
923 FT_UINT8, BASE_DEC, VALS(etw_schematl_types)((0 ? (const struct _value_string*)0 : ((etw_schematl_types))
)), 0x1F,
924 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
925 },
926 { &hf_etw_edata_schematl_field_ccount,
927 { "Constant array count", "etw.edata.schematl.field.ccount",
928 FT_UINT8, BASE_DEC, NULL((void*)0), 0x20,
929 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
930 },
931 { &hf_etw_edata_schematl_field_vcount,
932 { "Variable array count", "etw.edata.schematl.field.vcount",
933 FT_UINT8, BASE_DEC, NULL((void*)0), 0x40,
934 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
935 },
936 { &hf_etw_edata_schematl_field_chain,
937 { "Chain", "etw.edata.schematl.field.chain",
938 FT_UINT8, BASE_DEC, NULL((void*)0), 0x80,
939 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
940 },
941 { &hf_etw_edata_traits_traitssize,
942 { "Trait size", "etw.edata.traits.traitssize",
943 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
944 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
945 },
946 { &hf_etw_edata_traits_providername,
947 { "Trait provider name", "etw.edata.traits.providername",
948 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
949 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
950 },
951 { &hf_etw_property,
952 { "Property", "etw.prop",
953 FT_NONE, BASE_NONE, NULL((void*)0), 0,
954 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
955 },
956 { &hf_etw_property_offset,
957 { "Offset", "etw.prop.offset",
958 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
959 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
960 },
961 { &hf_etw_property_keylen,
962 { "Key Length", "etw.prop.keylen",
963 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
964 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
965 },
966 { &hf_etw_property_valuelen,
967 { "Value Length", "etw.prop.valuelen",
968 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
969 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
970 },
971 { &hf_etw_property_key,
972 { "Key", "etw.prop.key",
973 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
974 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
975 },
976 { &hf_etw_property_value,
977 { "Value", "etw.prop.value",
978 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
979 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
980 },
981 { &hf_etw_user_data,
982 { "Raw User Data", "etw.user_data",
983 FT_NONE, BASE_NONE, NULL((void*)0), 0,
984 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
985 },
986 { &hf_etw_descriptor_id,
987 { "ID", "etw.descriptor.id",
988 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
989 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
990 },
991 { &hf_etw_descriptor_version,
992 { "Version", "etw.descriptor.version",
993 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
994 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
995 },
996 { &hf_etw_descriptor_channel,
997 { "Channel", "etw.descriptor.channel",
998 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
999 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1000 },
1001 { &hf_etw_descriptor_level,
1002 { "Level", "etw.descriptor.level",
1003 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1004 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1005 },
1006 { &hf_etw_descriptor_opcode,
1007 { "Opcode", "etw.descriptor.opcode",
1008 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1009 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1010 },
1011 { &hf_etw_descriptor_task,
1012 { "Task", "etw.descriptor.task",
1013 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1014 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1015 },
1016 { &hf_etw_descriptor_keywords,
1017 { "Keywords", "etw.descriptor.keywords",
1018 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
1019 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1020 },
1021 { &hf_etw_processor_time,
1022 { "Processor Time", "etw.processor_time",
1023 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
1024 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1025 },
1026 { &hf_etw_activity_id,
1027 { "Activity ID", "etw.activity_id",
1028 FT_GUID, BASE_NONE, NULL((void*)0), 0,
1029 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1030 },
1031 // Generated fields
1032 { &hf_etw_type,
1033 { "Event Type", "etw.type",
1034 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1035 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1036 },
1037 { &hf_etw_message_formatted,
1038 { "Message (formatted)", "etw.message_formatted",
1039 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1040 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1041 },
1042 };
1043
1044 static int *ett[] = {
1045 &ett_etw_header,
1046 &ett_etw_data,
1047 &ett_etw_descriptor,
1048 &ett_etw_buffer_context,
1049 &ett_etw_extended_data,
1050 &ett_etw_property,
1051 &ett_etw_edata,
1052 &ett_etw_edata_data,
1053 &ett_etw_edata_schematl_schema,
1054 &ett_etw_schematl_flags,
1055 &ett_etw_header_flags,
1056 &ett_etw_event_property_types,
1057 &ett_etw_tlvs,
1058 &ett_etw_tlv,
1059 };
1060
1061 proto_etw = proto_register_protocol("Event Tracing for Windows", "ETW", "etw");
1062 proto_register_field_array(proto_etw, hf, array_length(hf)(sizeof (hf) / sizeof (hf)[0]));
1063 proto_register_subtree_array(ett, array_length(ett)(sizeof (ett) / sizeof (ett)[0]));
1064
1065 etw_handle = register_dissector("etw", dissect_etw, proto_etw);
1066}
1067
1068void
1069proto_reg_handoff_etw(void)
1070{
1071 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETW212, etw_handle);
1072
1073 mbim_dissector = find_dissector("mbim.control");
1074}
1075
1076/*
1077 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1078 *
1079 * Local variables:
1080 * c-basic-offset: 4
1081 * tab-width: 8
1082 * indent-tabs-mode: nil
1083 * End:
1084 *
1085 * vi: set shiftwidth=4 tabstop=8 expandtab:
1086 * :indentSize=4:tabSize=8:noTabs=true:
1087 */