Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-etw.c
Warning:line 425, column 13
Value stored to 'edata_off_int' is never read

Annotated Source Code


1/* packet-etw.c
2 * Routines for ETW Dissection
3 *
4 * Copyright 2020, Odysseus Yang
5 * 2026, Gabriel Potter
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
13
14/* Dissector based on ETW Trace
15* https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
16*/
17
18#include "config.h"
19
20#include <epan/conversation.h>
21#include <epan/packet.h>
22#include <wiretap/wtap.h>
23
24#include "packet-windows-common.h"
25#include "packet-tcp.h"
26
/* Size of the scratch buffer format_message() uses to collect the digits of a
 * "%N" placeholder; at most MAX_SMALL_BUFFER - 2 digits are accepted. */
#define MAX_SMALL_BUFFER 4

void proto_register_etw(void);
void proto_reg_handoff_etw(void);

/* Handle for this dissector; assigned during registration (not visible here). */
static dissector_handle_t etw_handle;
33
// ETW fields
// Header-field ids, filled in by proto_register_etw() (the hf[] table below is
// only partially visible in this view).
static int proto_etw;
static int hf_etw_size;
static int hf_etw_header_type;
static int hf_etw_header_flag_extended_info;
static int hf_etw_header_flag_private_session;
static int hf_etw_header_flag_string_only;
static int hf_etw_header_flag_trace_message;
static int hf_etw_header_flag_no_cputime;
static int hf_etw_header_flag_32_bit_header;
static int hf_etw_header_flag_64_bit_header;
static int hf_etw_header_flag_decode_guid;
static int hf_etw_header_flag_classic_header;
static int hf_etw_header_flag_processor_index;
static int hf_etw_flags;
static int hf_etw_event_property;
static int hf_etw_event_property_xml;
static int hf_etw_event_property_forwarded_xml;
static int hf_etw_event_property_legacy_eventlog;
static int hf_etw_event_property_legacy_reloggable;
static int hf_etw_thread_id;
static int hf_etw_process_id;
static int hf_etw_time_stamp;
static int hf_etw_provider_id;
static int hf_etw_buffer_context_processor_number;
static int hf_etw_buffer_context_alignment;
static int hf_etw_buffer_context_logger_id;
// "Extra information" TLVs appended by the ETL->Wireshark encapsulation (see dissect_etw()).
static int hf_etw_src;
static int hf_etw_dst;
static int hf_etw_sessid;
static int hf_etw_properties_count;
static int hf_etw_provider_name;
static int hf_etw_message;
// EVENT_HEADER_EXTENDED_DATA_ITEM entries (see dissect_edata_tlvs()).
static int hf_etw_extended_data_count;
static int hf_etw_extended_data;
static int hf_etw_edata;
static int hf_etw_edata_reserved1;
static int hf_etw_edata_exttype;
static int hf_etw_edata_linkage;
static int hf_etw_edata_datasize;
static int hf_etw_edata_dataptr;
static int hf_etw_edata_data;
static int hf_etw_edata_stacktrace_matchid;
static int hf_etw_edata_stacktrace_address;
static int hf_etw_edata_schematl_size;
static int hf_etw_edata_schematl_reserved1;
static int hf_etw_edata_schematl_name;
static int hf_etw_edata_schematl_field;
static int hf_etw_edata_schematl_field_key;
static int hf_etw_edata_schematl_field_flags;
static int hf_etw_edata_schematl_field_type;
static int hf_etw_edata_schematl_field_ccount;
static int hf_etw_edata_schematl_field_vcount;
static int hf_etw_edata_schematl_field_chain;
static int hf_etw_edata_traits_traitssize;
static int hf_etw_edata_traits_providername;
// Key/value properties table (see dissect_properties()).
static int hf_etw_property;
static int hf_etw_property_offset;
static int hf_etw_property_keylen;
static int hf_etw_property_valuelen;
static int hf_etw_property_key;
static int hf_etw_property_value;
static int hf_etw_tlv_count;
static int hf_etw_tlv_length;
static int hf_etw_tlv_offset;
static int hf_etw_tlv_type;
static int hf_etw_user_data;
static int hf_etw_descriptor_id;
static int hf_etw_descriptor_version;
static int hf_etw_descriptor_channel;
static int hf_etw_descriptor_level;
static int hf_etw_descriptor_opcode;
static int hf_etw_descriptor_task;
static int hf_etw_descriptor_keywords;
static int hf_etw_processor_time;
static int hf_etw_activity_id;

// Generated fields
// Not present on the wire: derived by dissect_etw() and marked with proto_item_set_generated().
static int hf_etw_type;
static int hf_etw_message_formatted;

// Subtree (expand/collapse) ids.
static int ett_etw_header;
static int ett_etw_data;
static int ett_etw_descriptor;
static int ett_etw_buffer_context;
static int ett_etw_extended_data;
static int ett_etw_property;
static int ett_etw_edata;
static int ett_etw_edata_data;
static int ett_etw_edata_schematl_schema;
static int ett_etw_schematl_flags;
static int ett_etw_header_flags;
static int ett_etw_event_property_types;
static int ett_etw_tlvs;
static int ett_etw_tlv;
129
/* Sub-dissectors invoked on the USER_DATA payload when the event's provider GUID
 * (and, for some, the event id) matches; see the dispatch in dissect_etw(). The
 * handles are looked up in proto_reg_handoff_etw() (not visible here). */
static dissector_handle_t mbim_dissector;
static e_guid_t mbim_net_providerid = { 0xA42FE227, 0xA7BF, 0x4483, {0xA5, 0x02, 0x6B, 0xCD, 0xA4, 0x28, 0xCD, 0x96} };

/* SMB client/server "Packet" events are handed to the NBSS dissector. */
static dissector_handle_t nbss_dissector;
static e_guid_t smbclient_providerid = { 0x988C59C5, 0x0A1C, 0x45B6, {0xA5, 0x55, 0x0C, 0x62, 0x27, 0x6E, 0x32, 0x7D} };
static e_guid_t smbserver_providerid = { 0xD48CE617, 0x33A2, 0x4BC3, {0xA5, 0xC7, 0x11, 0xAA, 0x4F, 0x29, 0x61, 0x9E} };

/* WinInet HTTP request/response events. */
static dissector_handle_t http_dissector;
static e_guid_t wininet_providerid = { 0xA70FF94F, 0x570B, 0x4979, { 0xBA, 0x5C, 0xE5, 0x9C, 0x9F, 0xEA, 0xB6, 0x1B} };

/* LDAP client events. */
static dissector_handle_t ldap_dissector;
static e_guid_t ldapclient_providerid = { 0x099614A5, 0x5DD7, 0x4788, { 0x8B, 0xC9, 0xE2, 0x9F, 0x43, 0xDB, 0x28, 0xFC } };
142
/* ExtType values of an EVENT_HEADER_EXTENDED_DATA_ITEM (the "exttype" field read by
 * dissect_edata_tlvs()). Only SID (2), STACK_TRACE64 (6), EVENT_SCHEMA_TL (0x0B) and
 * PROV_TRAITS (0x0C) get a structured sub-dissection there; the others are shown raw.
 * Names presumably mirror the EVENT_HEADER_EXT_TYPE_* constants — confirm against evntcons.h. */
static const value_string etw_edata_types[] = {
    { 0x0001, "RELATED_ACTIVITYID" },
    { 0x0002, "SID" },
    { 0x0003, "TS_ID" },
    { 0x0004, "INSTANCE_INFO" },
    { 0x0005, "STACK_TRACE32" },
    { 0x0006, "STACK_TRACE64" },
    { 0x0007, "PEBS_INDEX" },
    { 0x0008, "PMC_COUNTERS" },
    { 0x0009, "PSM_KEY" },
    { 0x000A, "EVENT_KEY" },
    { 0x000B, "EVENT_SCHEMA_TL" },
    { 0x000C, "PROV_TRAITS" },
    { 0x000D, "PROCESS_START_KEY" },
    { 0x000E, "CONTROL_GUID" },
    { 0x000F, "QPC_DELTA" },
    { 0x0010, "CONTAINER_ID" },
    { 0x0011, "STACK_KEY32" },
    { 0x0012, "STACK_KEY64" },
    { 0, NULL }
};
164
/* Types of the "Extra Information" TLVs that the ETL->Wireshark encapsulation appends
 * after the ETW header. The same numeric values are dispatched on in dissect_etw()
 * (USER_DATA=0 ... SESSION_ID=5); keep the two in sync. */
static const value_string etw_tlv_types[] = {
    { 0x0000, "USER_DATA" },
    { 0x0001, "MESSAGE" },
    { 0x0002, "PROVIDER_NAME" },
    { 0x0003, "SRC_ADDR" },
    { 0x0004, "DST_ADDR" },
    { 0x0005, "SESSION_ID" },
    { 0, NULL }
};
174
/* Field "in-type" codes of a TraceLogging (EVENT_SCHEMA_TL) field descriptor.
 * Used by the hf_etw_edata_schematl_field_type bitmask sub-field (registration not
 * visible here). 0x10 has no entry — presumably the unsupported pointer type; confirm
 * against TraceLoggingProvider.h before adding it. */
static const value_string etw_schematl_types[] = {
    { 0x01, "UNICODESTRING" },
    { 0x02, "ANSISTRING" },
    { 0x03, "INT8" },
    { 0x04, "UINT8" },
    { 0x05, "INT16" },
    { 0x06, "UINT16" },
    { 0x07, "INT32" },
    { 0x08, "UINT32" },
    { 0x09, "INT64" },
    { 0x0A, "UINT64" },
    { 0x0B, "FLOAT" },
    { 0x0C, "DOUBLE" },
    { 0x0D, "BOOL32" },
    { 0x0E, "BINARY" },
    { 0x0F, "GUID" },
    { 0x11, "FILETIME" },
    { 0x12, "SYSTEMTIME" },
    { 0x13, "SID" },
    { 0x14, "HEXINT32" },
    { 0x15, "HEXINT64" },
    { 0x16, "COUNTEDSTRING" },
    { 0x17, "COUNTEDANSISTRING" },
    { 0x18, "STRUCT" },
    { 0x19, "COUNTEDBINARY" },
    { 0, NULL }
};
202
/* Sub-fields of the one-byte flags word that follows each field name in an
 * EVENT_SCHEMA_TL entry; handed to proto_tree_add_bitmask() in dissect_edata_tlvs().
 * The bit masks themselves live in the hf registrations (outside this view). */
static int* const etw_schematl_flags[] = {
    &hf_etw_edata_schematl_field_type,
    &hf_etw_edata_schematl_field_ccount,
    &hf_etw_edata_schematl_field_vcount,
    &hf_etw_edata_schematl_field_chain,
    NULL
};
210
/* Size of the fixed part of the encapsulated header dissected by dissect_etw():
 * 80 bytes of EVENT_HEADER, 4 of buffer context, then the extended-data, TLV and
 * property counts (2 + 2 + 4). */
#define ETW_HEADER_SIZE 0x5C

/* Incremented once per dissect_etw() call (including re-dissections); not read here. */
static int etw_counter;

/* One "key=value" property as collected by dissect_properties(). Both strings are
 * allocated from pinfo->pool there, so they live only as long as the current packet.
 * value may be NULL for an entry that could not be dissected; format_message() skips those. */
typedef struct Property_Key_Value
{
    const unsigned char *key;
    const unsigned char *value;
} PROPERTY_KEY_VALUE;
220
221
222/// <summary>
223/// Function to format the properties into the eventlog message
224/// </summary>
225/// <param name="lpszMessage"></param>
226/// <param name="propArray"></param>
227/// <param name="dwPropertyCount"></param>
228/// <param name="lpszOutBuffer"></param>
229/// <param name="dwOutBufferCount"></param>
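/// <summary>
/// Expand "%N" (optionally "%N!S!") placeholders in an event-log message with the
/// value of property N (1-based index into propArray).
/// </summary>
/// <param name="lpszMessage">NUL-terminated message template. MODIFIED IN PLACE: a NUL
/// is written over every '%' that gets substituted.</param>
/// <param name="propArray">Array of PROPERTY_KEY_VALUE produced by dissect_properties().</param>
/// <param name="allocator">Scope the output buffer is allocated from.</param>
/// <param name="out_buffer">Receives the newly allocated expanded string.</param>
/// <returns>Always 0.</returns>
///
/// Placeholders that are not substituted are copied through verbatim: more than
/// MAX_SMALL_BUFFER - 2 digits, index 0 / out of range, or a property whose value is NULL.
static int
format_message(char* lpszMessage, wmem_array_t* propArray, wmem_allocator_t* allocator, wmem_strbuf_t** out_buffer)
{
    /* Start of the not-yet-copied tail of lpszMessage. This must be as wide as the
     * index 'i' — the original uint16_t silently wrapped on messages longer than 64 KiB. */
    int copy_from = 0;
    PROPERTY_KEY_VALUE key_value;

    *out_buffer = wmem_strbuf_new(allocator, NULL);

    for (int i = 0; lpszMessage[i] != '\0';)
    {
        if (lpszMessage[i] != '%')
        {
            i++;
            continue;
        }

        int percent_loc = i++;

        if (!g_ascii_isdigit(lpszMessage[i]))
        {
            continue;
        }

        /* Collect the digits; only MAX_SMALL_BUFFER - 2 of them are kept, and a longer
         * run disqualifies the placeholder altogether. */
        char digits[MAX_SMALL_BUFFER] = { 0 };
        unsigned digit_count = 0;
        while (g_ascii_isdigit(lpszMessage[i]))
        {
            if (digit_count < (MAX_SMALL_BUFFER - 1))
            {
                digits[digit_count] = lpszMessage[i];
            }
            digit_count++;
            i++;
        }

        /* We are not parsing this */
        if (digit_count >= (MAX_SMALL_BUFFER - 1))
        {
            continue;
        }

        int64_t num = g_ascii_strtoll(digits, NULL, 10);
        /* We are not parsing this: bad index, no such property, or property without a value */
        if (num <= 0 || num >= G_MAXUSHORT
            || wmem_array_try_index(propArray, (unsigned int) num - 1, &key_value) != 0
            || key_value.value == NULL)
        {
            continue;
        }

        /* Optional "!S!" format modifier directly after the index; swallowed. Safe to
         * look ahead: the && chain stops at the first NUL. */
        if (lpszMessage[i] == '!' && lpszMessage[i + 1] == 'S' && lpszMessage[i + 2] == '!')
        {
            i += 3;
        }

        /* We have everything: emit the literal text before the '%', then the value */
        lpszMessage[percent_loc] = '\0';
        wmem_strbuf_append(*out_buffer, lpszMessage + copy_from);
        wmem_strbuf_append(*out_buffer, (const char*) key_value.value);
        copy_from = i;
    }
    wmem_strbuf_append(*out_buffer, lpszMessage + copy_from);

    return 0;
}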
293
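/// <summary>
/// Dissect the property table: 'count' fixed 8-byte entries (offset:4, keylen:2, valuelen:2)
/// starting at 'offset', each pointing at a UTF-16LE key immediately followed by a
/// UTF-16LE value somewhere else in the packet.
/// </summary>
/// <param name="propArray">Receives a new wmem array of PROPERTY_KEY_VALUE with exactly
/// 'count' entries (an entry whose location is invalid has NULL key/value so that the
/// 1-based indexes used by format_message() stay aligned).</param>
/// <returns>Offset just past the value of the last valid property, or 'offset' when
/// there is none.</returns>
///
/// Out-of-packet offsets/lengths are caught by the tvb layer (bounds exception).
static int
dissect_properties(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint32_t count, wmem_allocator_t* allocator, wmem_array_t** propArray)
{
    uint32_t end_offset = offset;

    *propArray = wmem_array_new(allocator, sizeof(PROPERTY_KEY_VALUE));

    for (uint32_t i = 0; i < count; i++)
    {
        PROPERTY_KEY_VALUE prop = { NULL, NULL };
        uint32_t item_offset = 0;
        uint16_t key_len = 0, value_len = 0;

        proto_item* ti = proto_tree_add_item(edata_tree, hf_etw_property, tvb, offset, 8, ENC_NA);
        proto_tree* prop_tree = proto_item_add_subtree(ti, ett_etw_property);

        proto_tree_add_item_ret_uint32(prop_tree, hf_etw_property_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &item_offset);
        offset += 4;
        proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_keylen, tvb, offset, 2, ENC_LITTLE_ENDIAN, &key_len);
        offset += 2;
        proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_valuelen, tvb, offset, 2, ENC_LITTLE_ENDIAN, &value_len);
        offset += 2;

        /* tvb offsets are (non-negative) ints: a uint32 at or above 2^31 would turn into a
         * negative, count-from-the-end offset instead of being rejected. Compute the end in
         * 64 bits so the check also covers offset + key_len + value_len. */
        uint64_t value_end = (uint64_t) item_offset + key_len + value_len;
        if (value_end > INT32_MAX)
        {
            proto_item_set_text(prop_tree, "<property offset out of range>");
            wmem_array_append(*propArray, &prop, 1);
            continue;
        }

        proto_tree_add_item_ret_string(prop_tree, hf_etw_property_key, tvb, item_offset, key_len, ENC_LITTLE_ENDIAN | ENC_UTF_16, pinfo->pool, &prop.key);
        proto_tree_add_item_ret_string(prop_tree, hf_etw_property_value, tvb, item_offset + key_len, value_len, ENC_LITTLE_ENDIAN | ENC_UTF_16, pinfo->pool, &prop.value);

        /* Both strings come from the packet; they are only ever format *arguments*. */
        proto_item_set_text(prop_tree, "%s=%s", prop.key, prop.value);
        wmem_array_append(*propArray, &prop, 1);
        end_offset = (uint32_t) value_end;
    }

    return end_offset;
}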
328
329/// <summary>
330/// Dissect the "Extended Data" blobs
331/// </summary>
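/// <summary>
/// Dissect the "Extended Data" blobs: 'extended_data_count' EVENT_HEADER_EXTENDED_DATA_ITEM
/// descriptors (16 bytes each) at 'offset'. DataPtr is an offset into this packet
/// (presumably rewritten by the ETL->Wireshark encapsulation) of 'DataSize' bytes;
/// SID, STACK_TRACE64, EVENT_SCHEMA_TL and PROV_TRAITS get a structured sub-dissection.
/// </summary>
/// <param name="is_tl">Set to true if an EVENT_SCHEMA_TL item is seen (TraceLogging event);
/// left untouched otherwise.</param>
/// <returns>Offset just past the descriptor array.</returns>
///
/// All DataPtr/DataSize values are bounds-checked by the tvb layer; a pointer outside
/// the packet raises the usual bounds exception.
static int
dissect_edata_tlvs(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint16_t extended_data_count, bool* is_tl)
{
    for (uint16_t i = 0; i < extended_data_count; i++)
    {
        uint16_t edata_type = 0, edata_sz = 0;
        uint64_t data_ptr = 0;
        uint32_t data_off, data_end, cur;
        proto_item *item_ti, *data_ti;
        proto_tree *item_tree, *data_tree;

        // Fixed 16-byte descriptor: Reserved1, ExtType, Linkage, DataSize, DataPtr
        item_ti = proto_tree_add_item(edata_tree, hf_etw_edata, tvb, offset, 16, ENC_NA);
        item_tree = proto_item_add_subtree(item_ti, ett_etw_edata);

        proto_tree_add_item(item_tree, hf_etw_edata_reserved1, tvb, offset, 2, ENC_LITTLE_ENDIAN);
        offset += 2;
        proto_tree_add_item_ret_uint16(item_tree, hf_etw_edata_exttype, tvb, offset, 2, ENC_LITTLE_ENDIAN, &edata_type);
        offset += 2;
        proto_tree_add_item(item_tree, hf_etw_edata_linkage, tvb, offset, 2, ENC_LITTLE_ENDIAN);
        offset += 2;
        proto_tree_add_item_ret_uint16(item_tree, hf_etw_edata_datasize, tvb, offset, 2, ENC_LITTLE_ENDIAN, &edata_sz);
        offset += 2;
        proto_tree_add_item_ret_uint64(item_tree, hf_etw_edata_dataptr, tvb, offset, 8, ENC_LITTLE_ENDIAN, &data_ptr);
        offset += 8;

        // DataPtr is handed to the tvb API as an int offset; anything that does not fit a
        // non-negative int cannot be a valid location in this packet (the original accepted
        // up to UINT32_MAX, which would have become a negative "from the end" offset).
        if (data_ptr > INT32_MAX)
        {
            proto_item_append_text(item_ti, " [data pointer out of range]");
            continue;
        }
        data_off = (uint32_t) data_ptr;
        data_end = data_off + edata_sz;   // cannot wrap: data_off <= INT32_MAX, edata_sz <= 0xFFFF
        cur = data_off;

        data_ti = proto_tree_add_item(item_tree, hf_etw_edata_data, tvb, data_off, edata_sz, ENC_NA);
        data_tree = proto_item_add_subtree(data_ti, ett_etw_edata_data);

        switch (edata_type)
        {
        case 0x0002: // SID
            proto_item_set_text(data_ti, "Data (SID)");
            dissect_nt_sid(tvb, pinfo, cur, data_tree, "SID", NULL, -1);
            break;

        case 0x0006: // EVENT_STACK_TRACE64: uint64 MatchId followed by uint64 addresses
            proto_item_set_text(data_ti, "Data (EVENT_STACK_TRACE64)");

            if (edata_sz < 8)
            {
                proto_item_append_text(data_ti, " [truncated]");
                break;
            }
            proto_tree_add_item(data_tree, hf_etw_edata_stacktrace_matchid, tvb, cur, 8, ENC_LITTLE_ENDIAN);
            cur += 8;

            // Only whole addresses that lie inside the declared DataSize; a trailing
            // partial word is not read past the item.
            while (cur + 8 <= data_end)
            {
                proto_tree_add_item(data_tree, hf_etw_edata_stacktrace_address, tvb, cur, 8, ENC_LITTLE_ENDIAN);
                cur += 8;
            }
            break;

        case 0x000B: // EVENT_SCHEMA_TL
        {
            uint8_t schema_size = 0;
            int item_size = 0;

            *is_tl = true;
            proto_item_set_text(data_ti, "Data (EVENT_SCHEMA_TL)");

            // schema_size counts from the start of the blob (size byte included).
            proto_tree_add_item_ret_uint8(data_tree, hf_etw_edata_schematl_size, tvb, cur, 1, ENC_LITTLE_ENDIAN, &schema_size);
            cur += 1;
            proto_tree_add_item(data_tree, hf_etw_edata_schematl_reserved1, tvb, cur, 2, ENC_LITTLE_ENDIAN);
            cur += 2;
            proto_tree_add_item_ret_length(data_tree, hf_etw_edata_schematl_name, tvb, cur, -1, ENC_LITTLE_ENDIAN, &item_size);
            cur += item_size;

            // Each field: NUL-terminated name, then one flags byte. Every NUL-terminated
            // string is at least one byte, so the loop always makes progress.
            while (cur < data_off + schema_size)
            {
                uint32_t field_start = cur;
                proto_item* field_ti = proto_tree_add_item(data_tree, hf_etw_edata_schematl_field, tvb, cur, 0, ENC_NA);
                proto_tree* field_tree = proto_item_add_subtree(field_ti, ett_etw_edata_schematl_schema);

                proto_tree_add_item_ret_length(field_tree, hf_etw_edata_schematl_field_key, tvb, cur, -1, ENC_LITTLE_ENDIAN, &item_size);
                cur += item_size;
                proto_tree_add_bitmask(field_tree, tvb, cur, hf_etw_edata_schematl_field_flags,
                    ett_etw_schematl_flags, etw_schematl_flags, ENC_LITTLE_ENDIAN);
                cur += 1;
                // The field item was added with length 0; give it its real extent.
                proto_item_set_len(field_ti, cur - field_start);
            }
            break;
        }

        case 0x000C: // PROV_TRAITS
        {
            // https://learn.microsoft.com/en-us/windows/win32/etw/provider-traits
            uint16_t traits_size = 0;

            proto_item_set_text(data_ti, "Data (PROV_TRAITS)");

            proto_tree_add_item_ret_uint16(data_tree, hf_etw_edata_traits_traitssize, tvb, cur, 2, ENC_LITTLE_ENDIAN, &traits_size);
            cur += 2;

            // TraitsSize covers the size field itself. Below 2 the name length would go
            // negative: -1 means "to the end of the buffer" for proto_tree_add_item and
            // anything smaller is a malformed-length error, so reject it explicitly.
            if (traits_size < 2)
            {
                proto_item_append_text(data_ti, " [invalid traits size]");
                break;
            }
            proto_tree_add_item(data_tree, hf_etw_edata_traits_providername, tvb, cur, traits_size - 2, ENC_NA | ENC_UTF_8);
            break;
        }

        default:
            break;
        }
    }

    return offset;
}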
438
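/// <summary>
/// Entry point for one encapsulated ETW event.
/// </summary>
/// <returns>Number of captured bytes (the whole tvb is claimed).</returns>
///
/// Layout dissected here (see etl.c for the encapsulation): a fixed ETW_HEADER_SIZE
/// header (EVENT_HEADER + buffer context + three counts), the extended-data descriptor
/// array, then 'tlv_count' 12-byte "Extra Information" TLVs (type, offset, length) whose
/// offsets point elsewhere in the packet, and finally the property table. Depending on
/// the provider GUID (and event id) the USER_DATA payload is handed to a sub-dissector;
/// otherwise a generic "ETW Data" tree with properties and the formatted message is built.
/// Every offset/length taken from the packet goes through the tvb API, which throws on
/// out-of-packet values.
static int
dissect_etw(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree, void* data)
{
    // We parse an "ETL->Wireshark encapsulation" format, which is defined in etl.c. This format
    // includes the actual ETW header, in addition to formatted structures which we added during
    // the dump process.

    static int* const etw_header_flags[] = {
        &hf_etw_header_flag_extended_info,
        &hf_etw_header_flag_private_session,
        &hf_etw_header_flag_string_only,
        &hf_etw_header_flag_trace_message,
        &hf_etw_header_flag_no_cputime,
        &hf_etw_header_flag_32_bit_header,
        &hf_etw_header_flag_64_bit_header,
        &hf_etw_header_flag_decode_guid,
        &hf_etw_header_flag_classic_header,
        &hf_etw_header_flag_processor_index,
        NULL
    };

    static int* const etw_event_property_opt[] = {
        &hf_etw_event_property_xml,
        &hf_etw_event_property_forwarded_xml,
        &hf_etw_event_property_legacy_eventlog,
        &hf_etw_event_property_legacy_reloggable,
        NULL
    };

    proto_tree *etw_header, *etw_descriptor, *etw_buffer_context, *edata_tree;
    proto_item* ti;
    tvbuff_t* subproto_tvb;
    nstime_t timestamp;
    e_guid_t provider_id;
    uint64_t flags = 0;
    uint16_t event_id = 0, extended_data_count = 0, tlv_count = 0;
    uint32_t properties_count = 0, properties_offset;
    uint32_t user_data_offset = 0, user_data_length = 0;
    uint32_t message_offset = 0, message_length = 0;
    uint32_t provider_name_offset = 0, provider_name_length = 0;
    const uint8_t* provider_name = NULL;   // only valid when provider_name_length != 0
    wmem_array_t* propArray = NULL;
    bool is_tl = false;
    int offset = 0;

    // Defaults; overwritten by SRC_ADDR/DST_ADDR TLVs or the MBIM direction below.
    col_set_str(pinfo->cinfo, COL_DEF_SRC, "windows");
    col_set_str(pinfo->cinfo, COL_DEF_DST, "windows");

    // Header (EVENT_HEADER, 80 bytes)

    etw_header = proto_tree_add_subtree(tree, tvb, 0, ETW_HEADER_SIZE, ett_etw_header, NULL, "ETW Header");
    proto_tree_add_item(etw_header, hf_etw_size, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;
    proto_tree_add_item(etw_header, hf_etw_header_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;
    proto_tree_add_bitmask_ret_uint64(etw_header, tvb, offset, hf_etw_flags,
        ett_etw_header_flags, etw_header_flags, ENC_LITTLE_ENDIAN, &flags);
    offset += 2;
    proto_tree_add_bitmask(etw_header, tvb, offset, hf_etw_event_property,
        ett_etw_event_property_types, etw_event_property_opt, ENC_LITTLE_ENDIAN);
    offset += 2;
    proto_tree_add_item(etw_header, hf_etw_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;
    proto_tree_add_item(etw_header, hf_etw_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN);
    offset += 4;

    // FILETIME (100 ns ticks since 1601-01-01) -> Unix epoch. The subtraction is unsigned:
    // a raw value before 1970 wraps and yields a nonsense (far-future) time, not an error.
    uint64_t ts = tvb_get_letoh64(tvb, offset) - INT64_C(0x019DB1DED53E8000);
    timestamp.secs = (unsigned)(ts / 10000000);
    timestamp.nsecs = (unsigned)((ts % 10000000) * 100);
    proto_tree_add_time(etw_header, hf_etw_time_stamp, tvb, offset, 8, &timestamp);
    offset += 8;

    tvb_get_letohguid(tvb, offset, &provider_id);
    proto_tree_add_item(etw_header, hf_etw_provider_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
    offset += 16;

    // EVENT_DESCRIPTOR (16 bytes, at offset 40)
    etw_descriptor = proto_tree_add_subtree(etw_header, tvb, offset, 16, ett_etw_descriptor, NULL, "Descriptor");
    proto_tree_add_item_ret_uint16(etw_descriptor, hf_etw_descriptor_id, tvb, offset, 2, ENC_LITTLE_ENDIAN, &event_id);
    offset += 2;
    proto_tree_add_item(etw_descriptor, hf_etw_descriptor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
    offset += 1;
    proto_tree_add_item(etw_descriptor, hf_etw_descriptor_channel, tvb, offset, 1, ENC_LITTLE_ENDIAN);
    offset += 1;
    proto_tree_add_item(etw_descriptor, hf_etw_descriptor_level, tvb, offset, 1, ENC_LITTLE_ENDIAN);
    offset += 1;
    proto_tree_add_item(etw_descriptor, hf_etw_descriptor_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
    offset += 1;
    proto_tree_add_item(etw_descriptor, hf_etw_descriptor_task, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;
    proto_tree_add_item(etw_descriptor, hf_etw_descriptor_keywords, tvb, offset, 8, ENC_LITTLE_ENDIAN);
    offset += 8;

    proto_tree_add_item(etw_header, hf_etw_processor_time, tvb, offset, 8, ENC_LITTLE_ENDIAN);
    offset += 8;
    proto_tree_add_item(etw_header, hf_etw_activity_id, tvb, offset, 16, ENC_LITTLE_ENDIAN);
    offset += 16;

    // ETW_BUFFER_CONTEXT (4 bytes, at offset 80). Uses its own ett: the original reused
    // ett_etw_descriptor here, so expanding one subtree toggled the other. Assumes
    // ett_etw_buffer_context is registered in proto_register_etw()'s ett[] (not visible here).
    etw_buffer_context = proto_tree_add_subtree(etw_header, tvb, offset, 4, ett_etw_buffer_context, NULL, "Buffer Context");
    proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_processor_number, tvb, offset, 1, ENC_LITTLE_ENDIAN);
    offset += 1;
    proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_alignment, tvb, offset, 1, ENC_LITTLE_ENDIAN);
    offset += 1;
    proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_logger_id, tvb, offset, 2, ENC_LITTLE_ENDIAN);
    offset += 2;

    // Counts added by the encapsulation
    proto_tree_add_item_ret_uint16(etw_header, hf_etw_extended_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &extended_data_count);
    offset += 2;
    proto_tree_add_item_ret_uint16(etw_header, hf_etw_tlv_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &tlv_count);
    offset += 2;
    proto_tree_add_item_ret_uint(etw_header, hf_etw_properties_count, tvb, offset, 4, ENC_LITTLE_ENDIAN, &properties_count);
    offset += 4;

    // Extended data (sizeof(EVENT_HEADER_EXTENDED_DATA_ITEM) = 16)

    ti = proto_tree_add_item(etw_header, hf_etw_extended_data, tvb, offset, extended_data_count * 16, ENC_NA);
    edata_tree = proto_item_add_subtree(ti, ett_etw_extended_data);
    offset = dissect_edata_tlvs(tvb, pinfo, edata_tree, offset, extended_data_count, &is_tl);

    // Generated "event type" field, derived from the header flags and the presence of
    // a TraceLogging schema item.

    if (flags & 0x0008) // EVENT_HEADER_FLAG_TRACE_MESSAGE
    {
        ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "WPP");
    }
    else if (flags & 0x0100) // EVENT_HEADER_FLAG_CLASSIC_HEADER
    {
        ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "MOF (classic)");
    }
    else if (is_tl)
    {
        ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "TraceLogging");
    }
    else
    {
        ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "Manifest-based");
    }
    proto_item_set_generated(ti);

    // "Extra Information" TLVs: 12 bytes each, locating formatted data elsewhere in the packet.
    // Types match etw_tlv_types[].
    if (tlv_count > 0)
    {
        proto_tree* etw_tlvs = proto_tree_add_subtree(etw_header, tvb, offset, tlv_count * 12, ett_etw_tlvs, NULL, "Extra Information");

        for (uint16_t i = 0; i < tlv_count; i++)
        {
            uint32_t tlv_type = 0, tlv_offset = 0, tlv_length = 0;

            proto_tree* etw_tlv = proto_tree_add_subtree(etw_tlvs, tvb, offset, 12, ett_etw_tlv, NULL, "Extra Information Item");

            proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_type, tvb, offset, 4, ENC_LITTLE_ENDIAN, &tlv_type);
            offset += 4;
            proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN, &tlv_offset);
            offset += 4;
            proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_length, tvb, offset, 4, ENC_LITTLE_ENDIAN, &tlv_length);
            offset += 4;

            switch (tlv_type)
            {
            case 0: // TLV_USER_DATA (dissected later, once the provider is known)
                proto_item_set_text(etw_tlv, "Extra Information Item (USER_DATA)");
                user_data_offset = tlv_offset;
                user_data_length = tlv_length;
                break;

            case 1: // TLV_MESSAGE
                proto_item_set_text(etw_tlv, "Extra Information Item (MESSAGE)");
                message_offset = tlv_offset;
                message_length = tlv_length;
                break;

            case 2: // TLV_PROVIDER_NAME
                proto_item_set_text(etw_tlv, "Extra Information Item (PROVIDER_NAME)");
                provider_name_offset = tlv_offset;
                provider_name_length = tlv_length;
                break;

            case 3: // TLV_SRC_ADDR
            {
                const uint8_t* src_addr = NULL;
                proto_item_set_text(etw_tlv, "Extra Information Item (SRC_ADDR)");
                proto_tree_add_item_ret_string(etw_tlv, hf_etw_src, tvb, tlv_offset, tlv_length, ENC_NA | ENC_ASCII, pinfo->pool, &src_addr);
                col_set_str(pinfo->cinfo, COL_DEF_SRC, (const char*) src_addr);
                break;
            }

            case 4: // TLV_DST_ADDR
            {
                const uint8_t* dst_addr = NULL;
                proto_item_set_text(etw_tlv, "Extra Information Item (DST_ADDR)");
                proto_tree_add_item_ret_string(etw_tlv, hf_etw_dst, tvb, tlv_offset, tlv_length, ENC_NA | ENC_ASCII, pinfo->pool, &dst_addr);
                col_set_str(pinfo->cinfo, COL_DEF_DST, (const char*) dst_addr);
                break;
            }

            case 5: // TLV_SESSION_ID: keys the conversation so sub-dissectors can reassemble
            {
                uint64_t session_id = 0;
                proto_item_set_text(etw_tlv, "Extra Information Item (SESSION_ID)");
                proto_tree_add_item_ret_uint64(etw_tlv, hf_etw_sessid, tvb, tlv_offset, tlv_length, ENC_LITTLE_ENDIAN, &session_id);

                pinfo->use_conv_addr_port_endpoints = false;
                conversation_set_elements_by_id(pinfo, CONVERSATION_TCP, session_id & 0xFFFFFFFF);
                break;
            }

            default:
                break;
            }
        }
    }

    // The property table follows the TLVs; it is only dissected in the generic branch below.
    properties_offset = offset;

    // We're done with the header. Starting adding "Data" elements.

    if (provider_name_length) {
        // Specifically for the provider name, we keep it in the "Data" header to handle the MBIM case
        proto_tree_add_item_ret_string(etw_header, hf_etw_provider_name, tvb, provider_name_offset, provider_name_length, ENC_LITTLE_ENDIAN | ENC_UTF_16, pinfo->pool, &provider_name);
    }

    // Depending on the provider ID, we might have special dissections available

    if (user_data_length && memcmp(&mbim_net_providerid, &provider_id, sizeof(e_guid_t)) == 0)
    {
        // MBIM: direction comes from the packet-block flags, if the capture recorded them.

        uint32_t pack_flags;

        if (WTAP_OPTTYPE_SUCCESS == wtap_block_get_uint32_option_value(pinfo->rec->block, OPT_PKT_FLAGS, &pack_flags)) {
            switch (PACK_FLAGS_DIRECTION(pack_flags)) {
            case PACK_FLAGS_DIRECTION_INBOUND:
                col_set_str(pinfo->cinfo, COL_DEF_SRC, "device");
                col_set_str(pinfo->cinfo, COL_DEF_DST, "host");
                break;
            case PACK_FLAGS_DIRECTION_OUTBOUND:
                col_set_str(pinfo->cinfo, COL_DEF_SRC, "host");
                col_set_str(pinfo->cinfo, COL_DEF_DST, "device");
                break;
            default:
                break;
            }
        }
        subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
        call_dissector_only(mbim_dissector, subproto_tvb, pinfo, tree, data);
    }
    else if (user_data_length &&
        (memcmp(&smbclient_providerid, &provider_id, sizeof(e_guid_t)) == 0 ||
         memcmp(&smbserver_providerid, &provider_id, sizeof(e_guid_t)) == 0) &&
        (event_id == 40000 || event_id == 2000))
    {
        // SMB "Packet" event

        subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
        call_dissector_only(nbss_dissector, subproto_tvb, pinfo, tree, data);
    }
    else if (user_data_length &&
        memcmp(&wininet_providerid, &provider_id, sizeof(e_guid_t)) == 0 &&
        (event_id == 2001 || event_id == 2002 || event_id == 2003 || event_id == 2004))
    {
        // WinInet "HTTP" event

        // Emulate direction with synthetic ports so the HTTP dissector sees a request
        // (2001/2002) or a response (2003/2004).
        if (event_id == 2001 || event_id == 2002)
        {
            pinfo->srcport = 50000;
            pinfo->destport = 80;
        }
        else
        {
            pinfo->srcport = 80;
            pinfo->destport = 50000;
        }

        // TODO: figure out how to make reassembly work :(
        subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
        call_dissector_only(http_dissector, subproto_tvb, pinfo, tree, NULL);
    }
    else if (user_data_length &&
        memcmp(&ldapclient_providerid, &provider_id, sizeof(e_guid_t)) == 0 &&
        (event_id == 12 || event_id == 17))
    {
        // LDAP events

        // TODO: figure out how to make reassembly work :(
        subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
        call_dissector_only(ldap_dissector, subproto_tvb, pinfo, tree, NULL);
    }
    else
    {
        // Other provider: add "Data" header

        proto_tree* etw_data = proto_tree_add_subtree(tree, tvb, offset, 0, ett_etw_data, NULL, "ETW Data");
        if (properties_count) {
            dissect_properties(tvb, pinfo, etw_data, properties_offset, properties_count, pinfo->pool, &propArray);
        }
        if (user_data_length) {
            proto_tree_add_item(etw_data, hf_etw_user_data, tvb, user_data_offset, user_data_length, ENC_NA);
        }

        if (provider_name_length) {
            col_set_str(pinfo->cinfo, COL_PROTOCOL, (const char*) provider_name);
        }

        if (message_length) {
            char* message = NULL;

            proto_tree_add_item_ret_string(etw_data, hf_etw_message, tvb, message_offset, message_length, ENC_LITTLE_ENDIAN | ENC_UTF_16, pinfo->pool, (const uint8_t**) &message);
            if (propArray != NULL)
            {
                // format_message() rewrites 'message' in place and returns the expanded copy.
                wmem_strbuf_t* out_buffer = NULL;
                format_message(message, propArray, pinfo->pool, &out_buffer);
                message = out_buffer->str;
                ti = proto_tree_add_string(etw_data, hf_etw_message_formatted, tvb, 0, -1, message);
                proto_item_set_generated(ti);
            }
            col_set_str(pinfo->cinfo, COL_INFO, message);
        }
        else
        {
            col_set_str(pinfo->cinfo, COL_INFO, guids_resolve_guid_to_str(&provider_id, pinfo->pool));
        }
    }

    etw_counter += 1;
    return tvb_captured_length(tvb);
}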
760
/**
 * Protocol registration for the ETW dissector.
 *
 * Registers the "Event Tracing for Windows" protocol (short name "ETW",
 * filter name "etw"), its header-field table hf[] and subtree array ett[],
 * and registers the named dissector "etw" whose handle (etw_handle) is
 * later bound to the ETW encapsulation type in proto_reg_handoff_etw().
 *
 * Each hf[] entry points at a file-scope hf_etw_* int, and each ett[]
 * entry at a file-scope ett_etw_* int; proto_register_field_array() and
 * proto_register_subtree_array() assign the registered ids through those
 * pointers. Called once at startup; no parameters, no return value.
 */
761void
762proto_register_etw(void)
763{
764 static hf_register_info hf[] = {
 // Fixed event-header fields.
765 { &hf_etw_size,
766 { "Size", "etw.size",
767 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
768 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
769 },
770 { &hf_etw_header_type,
771 { "Header Type", "etw.header_type",
772 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
773 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
774 },
775 { &hf_etw_flags,
776 { "Flags", "etw.flags",
777 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
778 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
779 },
 // Single-bit sub-fields of "etw.flags" (masks 0x0001..0x0200).
 // NOTE(review): the parent field is FT_UINT16 while these are FT_UINT32;
 // confirm this matches the width used where they are added in dissect_etw()
 // (that code is outside this view).
780 { &hf_etw_header_flag_extended_info,
781 { "Extended Info", "etw.header.flag.extended_info",
782 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
783 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
784 },
785 { &hf_etw_header_flag_private_session,
786 { "Private Session", "etw.header.flag.private_session",
787 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
788 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
789 },
790 { &hf_etw_header_flag_string_only,
791 { "String Only", "etw.header.flag.string_only",
792 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
793 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
794 },
795 { &hf_etw_header_flag_trace_message,
796 { "Trace Message", "etw.header.flag.trace_message",
797 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
798 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
799 },
800 { &hf_etw_header_flag_no_cputime,
801 { "No CPU time", "etw.header.flag.no_cputime",
802 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0010,
803 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
804 },
805 { &hf_etw_header_flag_32_bit_header,
806 { "32-bit Header", "etw.header.flag.32_bit_header",
807 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0020,
808 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
809 },
810 { &hf_etw_header_flag_64_bit_header,
811 { "64-bit Header", "etw.header.flag.64_bit_header",
812 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0040,
813 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
814 },
815 { &hf_etw_header_flag_decode_guid,
816 { "Decode GUID", "etw.header.flag.decode_guid",
817 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0080,
818 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
819 },
820 { &hf_etw_header_flag_classic_header,
821 { "Classic Header", "etw.header.flag.classic_header",
822 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0100,
823 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
824 },
825 { &hf_etw_header_flag_processor_index,
826 { "Processor Index", "etw.header.flag.processor_index",
827 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0200,
828 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
829 },
 // "etw.event_property" and its single-bit sub-fields (masks 0x0001..0x0008);
 // same FT_UINT16 parent / FT_UINT32 sub-field width caveat as above.
830 { &hf_etw_event_property,
831 { "Event Property", "etw.event_property",
832 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
833 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
834 },
835 { &hf_etw_event_property_xml,
836 { "XML", "etw.property.xml",
837 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
838 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
839 },
840 { &hf_etw_event_property_forwarded_xml,
841 { "Forwarded XML", "etw.property.forwarded_xml",
842 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
843 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
844 },
845 { &hf_etw_event_property_legacy_eventlog,
846 { "Legacy Event Log", "etw.property.legacy_event",
847 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
848 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
849 },
850 { &hf_etw_event_property_legacy_reloggable,
851 { "Legacy Reloggable", "etw.property.legacy_reloggable",
852 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
853 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
854 },
 // Process/thread/time/provider identity of the event.
855 { &hf_etw_thread_id,
856 { "Thread ID", "etw.thread_id",
857 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
858 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
859 },
860 { &hf_etw_process_id,
861 { "Process ID", "etw.process_id",
862 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
863 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
864 },
865 { &hf_etw_time_stamp,
866 { "Time Stamp", "etw.time_stamp",
867 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL((void*)0), 0,
868 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
869 },
870 { &hf_etw_provider_id,
871 { "Provider ID", "etw.provider_id",
872 FT_GUID, BASE_NONE, NULL((void*)0), 0,
873 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
874 },
 // Buffer context.
875 { &hf_etw_buffer_context_processor_number,
876 { "Processor Number", "etw.buffer_context.processor_number",
877 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
878 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
879 },
880 { &hf_etw_buffer_context_alignment,
881 { "Alignment", "etw.buffer_context.alignment",
882 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
883 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
884 },
885 { &hf_etw_buffer_context_logger_id,
886 { "ID", "etw.buffer_context.logger_id",
887 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
888 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
889 },
 // TLV "extra information" entries; the type is rendered via etw_tlv_types.
890 { &hf_etw_tlv_count,
891 { "Extra Information Count", "etw.tlv_count",
892 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
893 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
894 },
895 { &hf_etw_tlv_offset,
896 { "Offset", "etw.tlv.offset",
897 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
898 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
899 },
900 { &hf_etw_tlv_length,
901 { "Length", "etw.tlv.length",
902 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
903 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
904 },
905 { &hf_etw_tlv_type,
906 { "Type", "etw.tlv.type",
907 FT_UINT32, BASE_DEC, VALS(etw_tlv_types)((0 ? (const struct _value_string*)0 : ((etw_tlv_types)))), 0,
908 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
909 },
 // Address / session / property-count / name / message fields.
910 { &hf_etw_src,
911 { "Source Address", "etw.src",
912 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
913 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
914 },
915 { &hf_etw_dst,
916 { "Destination Address", "etw.dst",
917 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
918 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
919 },
920 { &hf_etw_sessid,
921 { "Session Id", "etw.sessid",
922 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
923 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
924 },
925 { &hf_etw_properties_count,
926 { "Properties count", "etw.props_count",
927 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
928 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
929 },
930 { &hf_etw_provider_name,
931 { "Provider Name", "etw.provider_name",
932 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
933 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
934 },
935 { &hf_etw_message,
936 { "Event Message", "etw.message",
937 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
938 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
939 },
 // Extended data items (EVENT_HEADER_EXTENDED_DATA_ITEM-style records);
 // the item type is rendered via etw_edata_types.
940 { &hf_etw_extended_data_count,
941 { "Extended Data Count", "etw.extended_data_count",
942 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
943 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
944 },
945 { &hf_etw_extended_data,
946 { "Extended Data", "etw.extended_data",
947 FT_NONE, BASE_NONE, NULL((void*)0), 0,
948 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
949 },
950 { &hf_etw_edata,
951 { "Extended Data Item", "etw.edata",
952 FT_NONE, BASE_NONE, NULL((void*)0), 0,
953 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
954 },
955 { &hf_etw_edata_reserved1,
956 { "Reserved1", "etw.edata.reserved1",
957 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
958 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
959 },
960 { &hf_etw_edata_exttype,
961 { "ExtType", "etw.edata.exttype",
962 FT_UINT16, BASE_DEC, VALS(etw_edata_types)((0 ? (const struct _value_string*)0 : ((etw_edata_types)))), 0,
963 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
964 },
965 { &hf_etw_edata_linkage,
966 { "Linkage", "etw.edata.linkage",
967 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
968 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
969 },
970 { &hf_etw_edata_datasize,
971 { "DataSize", "etw.edata.datasize",
972 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
973 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
974 },
975 { &hf_etw_edata_dataptr,
976 { "DataPtr", "etw.edata.dataptr",
977 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
978 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
979 },
980 { &hf_etw_edata_data,
981 { "Data", "etw.edata.data",
982 FT_NONE, BASE_NONE, NULL((void*)0), 0,
983 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
984 },
 // Stack-trace extended data.
985 { &hf_etw_edata_stacktrace_matchid,
986 { "MatchId", "etw.edata.stacktrace.matchid",
987 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
988 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
989 },
990 { &hf_etw_edata_stacktrace_address,
991 { "Address", "etw.edata.stacktrace.address",
992 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
993 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
994 },
 // Schema (TraceLogging-style) extended data: event name plus per-field
 // key and a flags byte.
995 { &hf_etw_edata_schematl_size,
996 { "Size", "etw.edata.schematl.size",
997 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
998 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
999 },
1000 { &hf_etw_edata_schematl_reserved1,
1001 { "Unknown", "etw.edata.schematl.reserved1",
1002 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1003 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1004 },
1005 { &hf_etw_edata_schematl_name,
1006 { "Event Name", "etw.edata.schematl.name",
1007 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1008 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1009 },
1010 { &hf_etw_edata_schematl_field,
1011 { "Schema Field", "etw.edata.schematl.field",
1012 FT_NONE, BASE_NONE, NULL((void*)0), 0,
1013 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1014 },
1015 { &hf_etw_edata_schematl_field_key,
1016 { "Key", "etw.edata.schematl.field.key",
1017 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1018 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1019 },
 // Schema field flags byte: low 5 bits (0x1F) are the type, rendered via
 // etw_schematl_types; 0x20 / 0x40 / 0x80 are single-bit flags.
1020 { &hf_etw_edata_schematl_field_flags,
1021 { "Flags", "etw.edata.schematl.field.flags",
1022 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1023 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1024 },
1025 { &hf_etw_edata_schematl_field_type,
1026 { "Type", "etw.edata.schematl.field.type",
1027 FT_UINT8, BASE_DEC, VALS(etw_schematl_types)((0 ? (const struct _value_string*)0 : ((etw_schematl_types)))), 0x1F,
1028 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1029 },
1030 { &hf_etw_edata_schematl_field_ccount,
1031 { "Constant array count", "etw.edata.schematl.field.ccount",
1032 FT_UINT8, BASE_DEC, NULL((void*)0), 0x20,
1033 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1034 },
1035 { &hf_etw_edata_schematl_field_vcount,
1036 { "Variable array count", "etw.edata.schematl.field.vcount",
1037 FT_UINT8, BASE_DEC, NULL((void*)0), 0x40,
1038 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1039 },
1040 { &hf_etw_edata_schematl_field_chain,
1041 { "Chain", "etw.edata.schematl.field.chain",
1042 FT_UINT8, BASE_DEC, NULL((void*)0), 0x80,
1043 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1044 },
 // Provider traits extended data.
1045 { &hf_etw_edata_traits_traitssize,
1046 { "Trait size", "etw.edata.traits.traitssize",
1047 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1048 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1049 },
1050 { &hf_etw_edata_traits_providername,
1051 { "Trait provider name", "etw.edata.traits.providername",
1052 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1053 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1054 },
 // Key/value properties (see dissect_properties()).
1055 { &hf_etw_property,
1056 { "Property", "etw.prop",
1057 FT_NONE, BASE_NONE, NULL((void*)0), 0,
1058 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1059 },
1060 { &hf_etw_property_offset,
1061 { "Offset", "etw.prop.offset",
1062 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
1063 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1064 },
1065 { &hf_etw_property_keylen,
1066 { "Key Length", "etw.prop.keylen",
1067 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1068 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1069 },
1070 { &hf_etw_property_valuelen,
1071 { "Value Length", "etw.prop.valuelen",
1072 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1073 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1074 },
1075 { &hf_etw_property_key,
1076 { "Key", "etw.prop.key",
1077 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1078 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1079 },
1080 { &hf_etw_property_value,
1081 { "Value", "etw.prop.value",
1082 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1083 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1084 },
 // Raw payload for providers with no dedicated sub-dissector.
1085 { &hf_etw_user_data,
1086 { "Raw User Data", "etw.user_data",
1087 FT_NONE, BASE_NONE, NULL((void*)0), 0,
1088 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1089 },
 // Event descriptor.
1090 { &hf_etw_descriptor_id,
1091 { "ID", "etw.descriptor.id",
1092 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1093 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1094 },
1095 { &hf_etw_descriptor_version,
1096 { "Version", "etw.descriptor.version",
1097 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1098 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1099 },
1100 { &hf_etw_descriptor_channel,
1101 { "Channel", "etw.descriptor.channel",
1102 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1103 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1104 },
1105 { &hf_etw_descriptor_level,
1106 { "Level", "etw.descriptor.level",
1107 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1108 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1109 },
1110 { &hf_etw_descriptor_opcode,
1111 { "Opcode", "etw.descriptor.opcode",
1112 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1113 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1114 },
1115 { &hf_etw_descriptor_task,
1116 { "Task", "etw.descriptor.task",
1117 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1118 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1119 },
1120 { &hf_etw_descriptor_keywords,
1121 { "Keywords", "etw.descriptor.keywords",
1122 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
1123 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1124 },
1125 { &hf_etw_processor_time,
1126 { "Processor Time", "etw.processor_time",
1127 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
1128 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1129 },
1130 { &hf_etw_activity_id,
1131 { "Activity ID", "etw.activity_id",
1132 FT_GUID, BASE_NONE, NULL((void*)0), 0,
1133 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1134 },
1135 // Generated fields (not read from the packet; added with
 // proto_item_set_generated(), e.g. the formatted message in dissect_etw()).
1136 { &hf_etw_type,
1137 { "Event Type", "etw.type",
1138 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1139 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1140 },
1141 { &hf_etw_message_formatted,
1142 { "Message (formatted)", "etw.message_formatted",
1143 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1144 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1145 },
1146 };
1147
 // Subtree (expansion-state) indices, one per expandable node in the tree;
 // proto_register_subtree_array() assigns them through these pointers.
1148 static int *ett[] = {
1149 &ett_etw_header,
1150 &ett_etw_data,
1151 &ett_etw_descriptor,
1152 &ett_etw_buffer_context,
1153 &ett_etw_extended_data,
1154 &ett_etw_property,
1155 &ett_etw_edata,
1156 &ett_etw_edata_data,
1157 &ett_etw_edata_schematl_schema,
1158 &ett_etw_schematl_flags,
1159 &ett_etw_header_flags,
1160 &ett_etw_event_property_types,
1161 &ett_etw_tlvs,
1162 &ett_etw_tlv,
1163 };
1164
 // Register the protocol, then its fields and subtrees under that id.
1165 proto_etw = proto_register_protocol("Event Tracing for Windows", "ETW", "etw");
1166 proto_register_field_array(proto_etw, hf, array_length(hf)(sizeof (hf) / sizeof (hf)[0]));
1167 proto_register_subtree_array(ett, array_length(ett)(sizeof (ett) / sizeof (ett)[0]));
1168
 // Named handle; proto_reg_handoff_etw() binds it to the ETW encapsulation.
1169 etw_handle = register_dissector("etw", dissect_etw, proto_etw);
1170}
1171
/**
 * Handoff registration for the ETW dissector.
 *
 * Resolves, by registered name, the sub-dissector handles that dissect_etw()
 * hands provider payloads to (the HTTP and LDAP hand-offs are visible in that
 * function; MBIM control and NBSS are resolved the same way), then binds
 * etw_handle to the ETW wiretap encapsulation so ETW records reach
 * dissect_etw(). No parameters, no return value.
 */
void
proto_reg_handoff_etw(void)
{
    /* Sub-dissector handles used by dissect_etw(). */
    mbim_dissector = find_dissector("mbim.control");
    nbss_dissector = find_dissector("nbss");
    http_dissector = find_dissector("http-over-tcp");
    ldap_dissector = find_dissector("ldap");

    /* Route the ETW encapsulation type to this dissector. */
    dissector_add_uint("wtap_encap", WTAP_ENCAP_ETW212, etw_handle);
}
1182
1183/*
1184 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1185 *
1186 * Local variables:
1187 * c-basic-offset: 4
1188 * tab-width: 8
1189 * indent-tabs-mode: nil
1190 * End:
1191 *
1192 * vi: set shiftwidth=4 tabstop=8 expandtab:
1193 * :indentSize=4:tabSize=8:noTabs=true:
1194 */