Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-etw.c
Warning:line 426, column 13
Value stored to 'edata_off_int' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-etw.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-05-12-100340-3641-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-etw.c
1/* packet-etw.c
2 * Routines for ETW Dissection
3 *
4 * Copyright 2020, Odysseus Yang
5 * 2026, Gabriel Potter
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
13
14/* Dissector based on ETW Trace
15* https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
16*/
17
18#include "config.h"
19
20#include <epan/conversation.h>
21#include <epan/packet.h>
22#include <wiretap/wtap.h>
23
24#include "packet-windows-common.h"
25#include "packet-tcp.h"
26
27#define MAX_SMALL_BUFFER4 4
28
29void proto_register_etw(void);
30void proto_reg_handoff_etw(void);
31
32static dissector_handle_t etw_handle;
33
34// ETW fields
35static int proto_etw;
36static int hf_etw_size;
37static int hf_etw_header_type;
38static int hf_etw_header_flag_extended_info;
39static int hf_etw_header_flag_private_session;
40static int hf_etw_header_flag_string_only;
41static int hf_etw_header_flag_trace_message;
42static int hf_etw_header_flag_no_cputime;
43static int hf_etw_header_flag_32_bit_header;
44static int hf_etw_header_flag_64_bit_header;
45static int hf_etw_header_flag_decode_guid;
46static int hf_etw_header_flag_classic_header;
47static int hf_etw_header_flag_processor_index;
48static int hf_etw_flags;
49static int hf_etw_event_property;
50static int hf_etw_event_property_xml;
51static int hf_etw_event_property_forwarded_xml;
52static int hf_etw_event_property_legacy_eventlog;
53static int hf_etw_event_property_legacy_reloggable;
54static int hf_etw_thread_id;
55static int hf_etw_process_id;
56static int hf_etw_time_stamp;
57static int hf_etw_provider_id;
58static int hf_etw_buffer_context_processor_number;
59static int hf_etw_buffer_context_alignment;
60static int hf_etw_buffer_context_logger_id;
61static int hf_etw_src;
62static int hf_etw_dst;
63static int hf_etw_sessid;
64static int hf_etw_properties_count;
65static int hf_etw_provider_name;
66static int hf_etw_message;
67static int hf_etw_extended_data_count;
68static int hf_etw_extended_data;
69static int hf_etw_edata;
70static int hf_etw_edata_reserved1;
71static int hf_etw_edata_exttype;
72static int hf_etw_edata_linkage;
73static int hf_etw_edata_datasize;
74static int hf_etw_edata_dataptr;
75static int hf_etw_edata_data;
76static int hf_etw_edata_stacktrace_matchid;
77static int hf_etw_edata_stacktrace_address;
78static int hf_etw_edata_schematl_size;
79static int hf_etw_edata_schematl_reserved1;
80static int hf_etw_edata_schematl_name;
81static int hf_etw_edata_schematl_field;
82static int hf_etw_edata_schematl_field_key;
83static int hf_etw_edata_schematl_field_flags;
84static int hf_etw_edata_schematl_field_type;
85static int hf_etw_edata_schematl_field_ccount;
86static int hf_etw_edata_schematl_field_vcount;
87static int hf_etw_edata_schematl_field_chain;
88static int hf_etw_edata_traits_traitssize;
89static int hf_etw_edata_traits_providername;
90static int hf_etw_property;
91static int hf_etw_property_offset;
92static int hf_etw_property_keylen;
93static int hf_etw_property_valuelen;
94static int hf_etw_property_key;
95static int hf_etw_property_value;
96static int hf_etw_tlv_count;
97static int hf_etw_tlv_length;
98static int hf_etw_tlv_offset;
99static int hf_etw_tlv_type;
100static int hf_etw_user_data;
101static int hf_etw_descriptor_id;
102static int hf_etw_descriptor_version;
103static int hf_etw_descriptor_channel;
104static int hf_etw_descriptor_level;
105static int hf_etw_descriptor_opcode;
106static int hf_etw_descriptor_task;
107static int hf_etw_descriptor_keywords;
108static int hf_etw_processor_time;
109static int hf_etw_activity_id;
110
111// Generated fields
112static int hf_etw_type;
113static int hf_etw_message_formatted;
114
115static int ett_etw_header;
116static int ett_etw_data;
117static int ett_etw_descriptor;
118static int ett_etw_buffer_context;
119static int ett_etw_extended_data;
120static int ett_etw_property;
121static int ett_etw_edata;
122static int ett_etw_edata_data;
123static int ett_etw_edata_schematl_schema;
124static int ett_etw_schematl_flags;
125static int ett_etw_header_flags;
126static int ett_etw_event_property_types;
127static int ett_etw_tlvs;
128static int ett_etw_tlv;
129
130static dissector_handle_t mbim_dissector;
131static e_guid_t mbim_net_providerid = { 0xA42FE227, 0xA7BF, 0x4483, {0xA5, 0x02, 0x6B, 0xCD, 0xA4, 0x28, 0xCD, 0x96} };
132
133static dissector_handle_t nbss_dissector;
134static e_guid_t smbclient_providerid = { 0x988C59C5, 0x0A1C, 0x45B6, {0xA5, 0x55, 0x0C, 0x62, 0x27, 0x6E, 0x32, 0x7D} };
135static e_guid_t smbserver_providerid = { 0xD48CE617, 0x33A2, 0x4BC3, {0xA5, 0xC7, 0x11, 0xAA, 0x4F, 0x29, 0x61, 0x9E} };
136
137static dissector_handle_t http_dissector;
138static e_guid_t wininet_providerid = { 0xA70FF94F, 0x570B, 0x4979, { 0xBA, 0x5C, 0xE5, 0x9C, 0x9F, 0xEA, 0xB6, 0x1B} };
139static e_guid_t webio_providerid = { 0x50B3E73C, 0x9370, 0x461D, { 0xBB, 0x9F, 0x26, 0xF3, 0x2D, 0x68, 0x88, 0x7D} };
140
141static dissector_handle_t ldap_dissector;
142static e_guid_t ldapclient_providerid = { 0x099614A5, 0x5DD7, 0x4788, { 0x8B, 0xC9, 0xE2, 0x9F, 0x43, 0xDB, 0x28, 0xFC } };
143
144static const value_string etw_edata_types[] = {
145 { 0x0001, "RELATED_ACTIVITYID" },
146 { 0x0002, "SID" },
147 { 0x0003, "TS_ID" },
148 { 0x0004, "INSTANCE_INFO" },
149 { 0x0005, "STACK_TRACE32" },
150 { 0x0006, "STACK_TRACE64" },
151 { 0x0007, "PEBS_INDEX" },
152 { 0x0008, "PMC_COUNTERS" },
153 { 0x0009, "PSM_KEY" },
154 { 0x000A, "EVENT_KEY" },
155 { 0x000B, "EVENT_SCHEMA_TL" },
156 { 0x000C, "PROV_TRAITS" },
157 { 0x000D, "PROCESS_START_KEY" },
158 { 0x000E, "CONTROL_GUID" },
159 { 0x000F, "QPC_DELTA" },
160 { 0x0010, "CONTAINER_ID" },
161 { 0x0011, "STACK_KEY32" },
162 { 0x0012, "STACK_KEY64" },
163 { 0, NULL((void*)0) }
164};
165
166static const value_string etw_tlv_types[] = {
167 { 0x0000, "USER_DATA" },
168 { 0x0001, "MESSAGE" },
169 { 0x0002, "PROVIDER_NAME" },
170 { 0x0003, "SRC_ADDR" },
171 { 0x0004, "DST_ADDR" },
172 { 0x0005, "SESSION_ID" },
173 { 0, NULL((void*)0) }
174};
175
176static const value_string etw_schematl_types[] = {
177 { 0x01, "UNICODESTRING" },
178 { 0x02, "ANSISTRING" },
179 { 0x03, "INT8" },
180 { 0x04, "UINT8" },
181 { 0x05, "INT16" },
182 { 0x06, "UINT16" },
183 { 0x07, "INT32" },
184 { 0x08, "UINT32" },
185 { 0x09, "INT64" },
186 { 0x0A, "UINT64" },
187 { 0x0B, "FLOAT" },
188 { 0x0C, "DOUBLE" },
189 { 0x0D, "BOOL32" },
190 { 0x0E, "BINARY" },
191 { 0x0F, "GUID" },
192 { 0x11, "FILETIME" },
193 { 0x12, "SYSTEMTIME" },
194 { 0x13, "SID" },
195 { 0x14, "HEXINT32" },
196 { 0x15, "HEXINT64" },
197 { 0x16, "COUNTEDSTRING" },
198 { 0x17, "COUNTEDANSISTRING" },
199 { 0x18, "STRUCT" },
200 { 0x19, "COUNTEDBINARY" },
201 { 0, NULL((void*)0) }
202};
203
204static int* const etw_schematl_flags[] = {
205 &hf_etw_edata_schematl_field_type,
206 &hf_etw_edata_schematl_field_ccount,
207 &hf_etw_edata_schematl_field_vcount,
208 &hf_etw_edata_schematl_field_chain,
209 NULL((void*)0)
210};
211
212#define ETW_HEADER_SIZE0x5C 0x5C
213
214static int etw_counter;
215
216typedef struct Property_Key_Value
217{
218 const unsigned char *key;
219 const unsigned char *value;
220} PROPERTY_KEY_VALUE;
221
222
223/// <summary>
224/// Function to format the properties into the eventlog message
225/// </summary>
226/// <param name="lpszMessage"></param>
227/// <param name="propArray"></param>
228/// <param name="dwPropertyCount"></param>
229/// <param name="lpszOutBuffer"></param>
230/// <param name="dwOutBufferCount"></param>
231static int
232format_message(char* lpszMessage, wmem_array_t* propArray, wmem_allocator_t* allocator, wmem_strbuf_t** out_buffer)
233{
234 uint16_t startLoc = 0;
235 int percent_loc = 0;
236 PROPERTY_KEY_VALUE key_value;
237 *out_buffer = wmem_strbuf_new(allocator, NULL((void*)0));
238
239 for (int i = 0; lpszMessage[i] != '\0';)
240 {
241 if (lpszMessage[i] != '%')
242 {
243 i++;
244 continue;
245 }
246
247 percent_loc = i;
248 i++;
249
250 if (g_ascii_isdigit(lpszMessage[i])((g_ascii_table[(guchar) (lpszMessage[i])] & G_ASCII_DIGIT
) != 0))
251 {
252 uint16_t dwDigitalCount = 0;
253 char smallBuffer[MAX_SMALL_BUFFER4] = { 0 };
254 while (g_ascii_isdigit(lpszMessage[i])((g_ascii_table[(guchar) (lpszMessage[i])] & G_ASCII_DIGIT
) != 0))
255 {
256 if (dwDigitalCount < (MAX_SMALL_BUFFER4 - 1))
257 {
258 smallBuffer[dwDigitalCount] = lpszMessage[i];
259 }
260 dwDigitalCount++;
261 i++;
262 }
263
264 /* We are not parsing this */
265 if (dwDigitalCount >= (MAX_SMALL_BUFFER4 - 1))
266 {
267 continue;
268 }
269
270 gint64 num = g_ascii_strtoll(smallBuffer, NULL((void*)0), 10);
271 /* We are not parsing this */
272 if (num <= 0 || num >= G_MAXUSHORT(32767 * 2 + 1) || wmem_array_try_index(propArray, (unsigned int) num - 1, &key_value) != 0 || key_value.value == NULL((void*)0))
273 {
274 continue;
275 }
276
277 if (lpszMessage[i] == '!' && lpszMessage[i + 1] == 'S' && lpszMessage[i + 2] == '!')
278 {
279 i += 3;
280 }
281
282 /* We have everything */
283 lpszMessage[percent_loc] = '\0';
284 wmem_strbuf_append(*out_buffer, lpszMessage + startLoc);
285 wmem_strbuf_append(*out_buffer, (char*) key_value.value);
286 startLoc = i;
287 continue; // for
288 }
289 }
290 wmem_strbuf_append(*out_buffer, lpszMessage + startLoc);
291
292 return 0;
293}
294
295static int
296dissect_properties(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint32_t count, wmem_allocator_t* allocator, wmem_array_t** propArray)
297{
298 uint32_t i;
299 proto_item* ti;
300 proto_tree* prop_tree;
301 uint32_t item_offset = offset;
302 uint16_t item_key_length = 0, item_value_length = 0;
303
304 PROPERTY_KEY_VALUE prop;
305 *propArray = wmem_array_new(allocator, sizeof(PROPERTY_KEY_VALUE));
306
307 for (i = 0; i < count; i++)
308 {
309 ti = proto_tree_add_item(edata_tree, hf_etw_property, tvb, offset, 8, ENC_NA0x00000000);
310 prop_tree = proto_item_add_subtree(ti, ett_etw_property);
311
312 proto_tree_add_item_ret_uint32(prop_tree, hf_etw_property_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &item_offset);
313 offset += 4;
314 proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_keylen, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &item_key_length);
315 offset += 2;
316 proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_valuelen, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &item_value_length);
317 offset += 2;
318
319 proto_tree_add_item_ret_string(prop_tree, hf_etw_property_key, tvb, item_offset, item_key_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, &prop.key);
320 proto_tree_add_item_ret_string(prop_tree, hf_etw_property_value, tvb, item_offset + item_key_length, item_value_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, &prop.value);
321
322 proto_item_set_text(prop_tree, "%s=%s", prop.key, prop.value);
323 wmem_array_append(*propArray, &prop, 1);
324 }
325 offset = item_offset + item_key_length + item_value_length;
326
327 return offset;
328}
329
330/// <summary>
331/// Dissect the "Extended Data" blobs
332/// </summary>
333static int
334dissect_edata_tlvs(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint16_t extended_data_count, bool_Bool* is_tl)
335{
336 uint16_t i;
337 proto_item* ti;
338 proto_tree* edata_item_tree, *edata_item_data_tree, *edata_schematl_schema;
339 uint64_t edata_off64;
340 uint32_t edata_off = offset, edata_off_int;
341 uint16_t edata_sz = 0, edata_type = 0;
342
343 for (i = 0; i < extended_data_count; i++)
344 {
345 ti = proto_tree_add_item(edata_tree, hf_etw_edata, tvb, offset, 16, ENC_NA0x00000000);
346 edata_item_tree = proto_item_add_subtree(ti, ett_etw_edata);
347
348 proto_tree_add_item(edata_item_tree, hf_etw_edata_reserved1, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
349 offset += 2;
350 proto_tree_add_item_ret_uint16(edata_item_tree, hf_etw_edata_exttype, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &edata_type);
351 offset += 2;
352 proto_tree_add_item(edata_item_tree, hf_etw_edata_linkage, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
353 offset += 2;
354 proto_tree_add_item_ret_uint16(edata_item_tree, hf_etw_edata_datasize, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &edata_sz);
355 offset += 2;
356 proto_tree_add_item_ret_uint64(edata_item_tree, hf_etw_edata_dataptr, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000, &edata_off64);
357 offset += 8;
358
359 if (edata_off64 > UINT32_MAX(4294967295U))
360 continue; // should never happen, but to be safe
361
362 edata_off = (uint32_t) edata_off64;
363
364 ti = proto_tree_add_item(edata_item_tree, hf_etw_edata_data, tvb, edata_off, edata_sz, ENC_NA0x00000000);
365 edata_item_data_tree = proto_item_add_subtree(ti, ett_etw_edata_data);
366
367 edata_off_int = edata_off;
368 switch (edata_type)
369 {
370 case 0x0002: // SID
371 proto_item_set_text(ti, "Data (SID)");
372 dissect_nt_sid(tvb, pinfo, edata_off_int, edata_item_data_tree, "SID", NULL((void*)0), -1);
373
374 break;
375 case 0x0006: // EVENT_STACK_TRACE64
376 proto_item_set_text(ti, "Data (EVENT_STACK_TRACE64)");
377
378 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_stacktrace_matchid, tvb, edata_off_int, 8, ENC_LITTLE_ENDIAN0x80000000);
379 edata_off_int += 8;
380
381 while (edata_off_int < edata_off + edata_sz)
382 {
383 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_stacktrace_address, tvb, edata_off_int, 8, ENC_LITTLE_ENDIAN0x80000000);
384 edata_off_int += 8;
385 }
386 break;
387
388 case 0x000B: // EVENT_SCHEMA_TL
389 {
390 uint8_t schema_size = 0;
391 int item_size = 0;
392
393 *is_tl = true1;
394 proto_item_set_text(ti, "Data (EVENT_SCHEMA_TL)");
395
396 proto_tree_add_item_ret_uint8(edata_item_data_tree, hf_etw_edata_schematl_size, tvb, edata_off_int, 1, ENC_LITTLE_ENDIAN0x80000000, &schema_size);
397 edata_off_int += 1;
398 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_schematl_reserved1, tvb, edata_off_int, 2, ENC_LITTLE_ENDIAN0x80000000);
399 edata_off_int += 2;
400 proto_tree_add_item_ret_length(edata_item_data_tree, hf_etw_edata_schematl_name, tvb, edata_off_int, -1, ENC_LITTLE_ENDIAN0x80000000, &item_size);
401 edata_off_int += item_size;
402
403 while (edata_off_int < edata_off + schema_size)
404 {
405 ti = proto_tree_add_item(edata_item_data_tree, hf_etw_edata_schematl_field, tvb, edata_off_int, 0, ENC_NA0x00000000);
406 edata_schematl_schema = proto_item_add_subtree(ti, ett_etw_edata_schematl_schema);
407
408 proto_tree_add_item_ret_length(edata_schematl_schema, hf_etw_edata_schematl_field_key, tvb, edata_off_int, -1, ENC_LITTLE_ENDIAN0x80000000, &item_size);
409 edata_off_int += item_size;
410 proto_tree_add_bitmask(edata_schematl_schema, tvb, edata_off_int, hf_etw_edata_schematl_field_flags,
411 ett_etw_schematl_flags, etw_schematl_flags, ENC_LITTLE_ENDIAN0x80000000);
412 edata_off_int += 1;
413 }
414 break;
415 }
416 case 0x000C: // PROV_TRAITS
417 {
418 // https://learn.microsoft.com/en-us/windows/win32/etw/provider-traits
419 uint16_t traits_size = 0;
420
421 proto_item_set_text(ti, "Data (PROV_TRAITS)");
422
423 proto_tree_add_item_ret_uint16(edata_item_data_tree, hf_etw_edata_traits_traitssize, tvb, edata_off_int, 2, ENC_LITTLE_ENDIAN0x80000000, &traits_size);
424 edata_off_int += 2;
425 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_traits_providername, tvb, edata_off_int, traits_size - 2, ENC_NA0x00000000 | ENC_UTF_80x00000002);
426 edata_off_int += traits_size;
Value stored to 'edata_off_int' is never read
427 break;
428 }
429
430 default:
431 break;
432 }
433
434
435 }
436
437 return offset;
438}
439
440static int
441dissect_etw(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree _U___attribute__((unused)), void* data _U___attribute__((unused)))
442{
443 // We parse an "ETL->Wireshark encapsulation" format, which is defined in etl.c. This format
444 // includes the actual ETW header, in addition to formatted structures which we added during
445 // the dump process.
446
447 proto_tree* etw_header, * etw_descriptor, * etw_buffer_context, * edata_tree, * etw_data, * etw_tlvs;
448 proto_item* ti;
449 tvbuff_t* subproto_tvb;
450 char* provider_name;
451 uint32_t message_offset = 0, message_length = 0, provider_name_offset = 0, provider_name_length = 0, user_data_offset = 0, user_data_length = 0;
452 uint32_t properties_offset, properties_count;
453 uint16_t extended_data_count, tlv_count;
454 uint64_t flags;
455 wmem_array_t* propArray = NULL((void*)0);
456 bool_Bool is_tl = false0;
457 e_guid_t provider_id;
458 uint16_t event_id;
459 nstime_t timestamp;
460 uint64_t ts;
461 int offset = 0;
462 static int* const etw_header_flags[] = {
463 &hf_etw_header_flag_extended_info,
464 &hf_etw_header_flag_private_session,
465 &hf_etw_header_flag_string_only,
466 &hf_etw_header_flag_trace_message,
467 &hf_etw_header_flag_no_cputime,
468 &hf_etw_header_flag_32_bit_header,
469 &hf_etw_header_flag_64_bit_header,
470 &hf_etw_header_flag_decode_guid,
471 &hf_etw_header_flag_classic_header,
472 &hf_etw_header_flag_processor_index,
473 NULL((void*)0)
474 };
475
476 static int* const etw_event_property_opt[] = {
477 &hf_etw_event_property_xml,
478 &hf_etw_event_property_forwarded_xml,
479 &hf_etw_event_property_legacy_eventlog,
480 &hf_etw_event_property_legacy_reloggable,
481 NULL((void*)0)
482 };
483
484 col_set_str(pinfo->cinfo, COL_DEF_SRC, "windows");
485 col_set_str(pinfo->cinfo, COL_DEF_DST, "windows");
486
487 // Header
488
489 etw_header = proto_tree_add_subtree(tree, tvb, 0, ETW_HEADER_SIZE0x5C, ett_etw_header, NULL((void*)0), "ETW Header");
490 proto_tree_add_item(etw_header, hf_etw_size, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
491 offset += 2;
492 proto_tree_add_item(etw_header, hf_etw_header_type, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
493 offset += 2;
494 proto_tree_add_bitmask_ret_uint64(etw_header, tvb, offset, hf_etw_flags,
495 ett_etw_header_flags, etw_header_flags, ENC_LITTLE_ENDIAN0x80000000, &flags);
496 offset += 2;
497 proto_tree_add_bitmask(etw_header, tvb, offset, hf_etw_event_property,
498 ett_etw_event_property_types, etw_event_property_opt, ENC_LITTLE_ENDIAN0x80000000);
499 offset += 2;
500 proto_tree_add_item(etw_header, hf_etw_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
501 offset += 4;
502 proto_tree_add_item(etw_header, hf_etw_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
503 offset += 4;
504 ts = tvb_get_letoh64(tvb, offset) - INT64_C(0x019DB1DED53E8000)0x019DB1DED53E8000L;
505 timestamp.secs = (unsigned)(ts / 10000000);
506 timestamp.nsecs = (unsigned)((ts % 10000000) * 100);
507 proto_tree_add_time(etw_header, hf_etw_time_stamp, tvb, offset, 8, &timestamp);
508 offset += 8;
509 tvb_get_letohguid(tvb, offset, &provider_id);
510 proto_tree_add_item(etw_header, hf_etw_provider_id, tvb, offset, 16, ENC_LITTLE_ENDIAN0x80000000);
511 offset += 16;
512
513 etw_descriptor = proto_tree_add_subtree(etw_header, tvb, 40, 16, ett_etw_descriptor, NULL((void*)0), "Descriptor");
514 proto_tree_add_item_ret_uint16(etw_descriptor, hf_etw_descriptor_id, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &event_id);
515 offset += 2;
516 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
517 offset += 1;
518 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_channel, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
519 offset += 1;
520 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_level, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
521 offset += 1;
522 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
523 offset += 1;
524 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_task, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
525 offset += 2;
526 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_keywords, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
527 offset += 8;
528
529 proto_tree_add_item(etw_header, hf_etw_processor_time, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
530 offset += 8;
531 proto_tree_add_item(etw_header, hf_etw_activity_id, tvb, offset, 16, ENC_LITTLE_ENDIAN0x80000000);
532 offset += 16;
533
534 etw_buffer_context = proto_tree_add_subtree(etw_header, tvb, 80, 4, ett_etw_descriptor, NULL((void*)0), "Buffer Context");
535 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_processor_number, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
536 offset += 1;
537 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_alignment, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
538 offset += 1;
539 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_logger_id, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
540 offset += 2;
541 proto_tree_add_item_ret_uint16(etw_header, hf_etw_extended_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &extended_data_count);
542 offset += 2;
543 proto_tree_add_item_ret_uint16(etw_header, hf_etw_tlv_count, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &tlv_count);
544 offset += 2;
545 proto_tree_add_item_ret_uint(etw_header, hf_etw_properties_count, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &properties_count);
546 offset += 4;
547
548 // Extended data
549
550 ti = proto_tree_add_item(etw_header, hf_etw_extended_data, tvb, offset, extended_data_count * 16, ENC_NA0x00000000); // sizeof(EVENT_HEADER_EXTENDED_DATA_ITEM) = 16
551 edata_tree = proto_item_add_subtree(ti, ett_etw_extended_data);
552 offset = dissect_edata_tlvs(tvb, pinfo, edata_tree, offset, extended_data_count, &is_tl);
553
554 // Expert info
555
556 if (flags & 0x0008) // EVENT_HEADER_FLAG_TRACE_MESSAGE
557 {
558 // WPP
559 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "WPP");
560 }
561 else if (flags & 0x0100) // EVENT_HEADER_FLAG_CLASSIC_HEADER
562 {
563 // MOF (CLASSIC)
564 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "MOF (classic)");
565 }
566 else if (is_tl)
567 {
568 // TRACELOGGING
569 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "TraceLogging");
570 }
571 else
572 {
573 // MANIFEST
574 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "Manifest-based");
575 }
576 proto_item_set_generated(ti);
577
578 // Now is the bunch of TLVs that include formatted stuff
579 if (tlv_count > 0)
580 {
581 etw_tlvs = proto_tree_add_subtree(etw_header, tvb, offset, tlv_count * 12, ett_etw_tlvs, NULL((void*)0), "Extra Information");
582
583 for (uint16_t i = 0; i < tlv_count; i++)
584 {
585 uint32_t tlv_type, tlv_offset, tlv_length;
586
587 proto_tree* etw_tlv = proto_tree_add_subtree(etw_tlvs, tvb, offset, 12, ett_etw_tlv, NULL((void*)0), "Extra Information Item");
588
589 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_type, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_type);
590 offset += 4;
591 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_offset);
592 offset += 4;
593 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_length);
594 offset += 4;
595
596 if (tlv_type == 0)
597 {
598 // TLV_USER_DATA
599 proto_item_set_text(etw_tlv, "Extra Information Item (USER_DATA)");
600 user_data_offset = tlv_offset;
601 user_data_length = tlv_length;
602 }
603 else if (tlv_type == 1)
604 {
605 // TLV_MESSAGE
606 proto_item_set_text(etw_tlv, "Extra Information Item (MESSAGE)");
607 message_offset = tlv_offset;
608 message_length = tlv_length;
609 }
610 else if (tlv_type == 2)
611 {
612 // TLV_PROVIDER_NAME
613 proto_item_set_text(etw_tlv, "Extra Information Item (PROVIDER_NAME)");
614 provider_name_offset = tlv_offset;
615 provider_name_length = tlv_length;
616 }
617 else if (tlv_type == 3)
618 {
619 // TLV_SRC_ADDR
620 char* src_addr;
621 proto_item_set_text(etw_tlv, "Extra Information Item (SRC_ADDR)");
622 proto_tree_add_item_ret_string(etw_tlv, hf_etw_src, tvb, tlv_offset, tlv_length, ENC_NA0x00000000 | ENC_ASCII0x00000000, pinfo->pool, (const uint8_t**)&src_addr);
623 col_set_str(pinfo->cinfo, COL_DEF_SRC, src_addr);
624 }
625 else if (tlv_type == 4)
626 {
627 // TLV_DST_ADDR
628 char* dst_addr;
629 proto_item_set_text(etw_tlv, "Extra Information Item (DST_ADDR)");
630 proto_tree_add_item_ret_string(etw_tlv, hf_etw_dst, tvb, tlv_offset, tlv_length, ENC_NA0x00000000 | ENC_ASCII0x00000000, pinfo->pool, (const uint8_t**)&dst_addr);
631 col_set_str(pinfo->cinfo, COL_DEF_DST, dst_addr);
632 }
633 else if (tlv_type == 5)
634 {
635 // TLV_SESSION_ID
636 uint64_t session_id;
637 proto_item_set_text(etw_tlv, "Extra Information Item (SESSION_ID)");
638 proto_tree_add_item_ret_uint64(etw_tlv, hf_etw_sessid, tvb, tlv_offset, tlv_length, ENC_LITTLE_ENDIAN0x80000000, &session_id);
639
640 pinfo->use_conv_addr_port_endpoints = false0;
641 conversation_set_elements_by_id(pinfo, CONVERSATION_TCP, session_id & 0xFFFFFFFF);
642 }
643 }
644 }
645
646 // Now it's the properties (we parse them later)
647
648 properties_offset = offset;
649
650 // We're done with the header. Starting adding "Data" elements.
651
652 if (provider_name_length) {
653 // Specifically for the provider name, we keep it in the "Data" header to handle the MBIM case
654 proto_tree_add_item_ret_string(etw_header, hf_etw_provider_name, tvb, provider_name_offset, provider_name_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, (const uint8_t**)&provider_name);
655 }
656
657 // Depending on the provider ID, we might have special dissections available
658
659 if (user_data_length && memcmp(&mbim_net_providerid, &provider_id, sizeof(e_guid_t)) == 0)
660 {
661 // MBIM
662
663 uint32_t pack_flags;
664
665 if (WTAP_OPTTYPE_SUCCESS == wtap_block_get_uint32_option_value(pinfo->rec->block, OPT_PKT_FLAGS2, &pack_flags)) {
666 switch (PACK_FLAGS_DIRECTION(pack_flags)(((pack_flags) & 0x00000003) >> 0)) {
667 case PACK_FLAGS_DIRECTION_INBOUND1:
668 col_set_str(pinfo->cinfo, COL_DEF_SRC, "device");
669 col_set_str(pinfo->cinfo, COL_DEF_DST, "host");
670 break;
671 case PACK_FLAGS_DIRECTION_OUTBOUND2:
672 col_set_str(pinfo->cinfo, COL_DEF_SRC, "host");
673 col_set_str(pinfo->cinfo, COL_DEF_DST, "device");
674 break;
675 }
676 }
677 subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
678 call_dissector_only(mbim_dissector, subproto_tvb, pinfo, tree, data);
679 }
680 else if (user_data_length &&
681 (memcmp(&smbclient_providerid, &provider_id, sizeof(e_guid_t)) == 0 ||
682 memcmp(&smbserver_providerid, &provider_id, sizeof(e_guid_t)) == 0) &&
683 (event_id == 40000 || event_id == 2000))
684 {
685 // SMB "Packet" event
686
687 subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
688 call_dissector_only(nbss_dissector, subproto_tvb, pinfo, tree, data);
689 }
690 else if (user_data_length &&
691 memcmp(&wininet_providerid, &provider_id, sizeof(e_guid_t)) == 0 &&
692 (event_id == 2001 || event_id == 2002 || event_id == 2003 || event_id == 2004))
693 {
694 // WinInet "HTTP" event
695
696 // Emulate direction
697 if (event_id == 2001 || event_id == 2002)
698 {
699 pinfo->srcport = 50000;
700 pinfo->destport = 80;
701 }
702 else
703 {
704 pinfo->srcport = 80;
705 pinfo->destport = 50000;
706 }
707
708 // TODO: figure out how to make reassembly work :(
709 subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
710 call_dissector_only(http_dissector, subproto_tvb, pinfo, tree, NULL((void*)0));
711 }
712 else if (user_data_length &&
713 memcmp(&webio_providerid, &provider_id, sizeof(e_guid_t)) == 0 &&
714 (event_id == 100 || event_id == 101 || event_id == 111 || event_id == 129))
715 {
716 // WebIO (WinHTTP) "HTTP" event
717
718 // TODO: figure out how to make reassembly work :(
719 subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
720 call_dissector_only(http_dissector, subproto_tvb, pinfo, tree, NULL((void*)0));
721 }
722 else if (user_data_length &&
723 memcmp(&ldapclient_providerid, &provider_id, sizeof(e_guid_t)) == 0 &&
724 (event_id == 12 || event_id == 17))
725 {
726 // LDAP events
727
728 // TODO: figure out how to make reassembly work :(
729 subproto_tvb = tvb_new_subset_length(tvb, user_data_offset, user_data_length);
730 call_dissector_only(ldap_dissector, subproto_tvb, pinfo, tree, NULL((void*)0));
731 }
732 else
733 {
734 // Other provider: add "Data" header
735
736 etw_data = proto_tree_add_subtree(tree, tvb, offset, 0, ett_etw_data, NULL((void*)0), "ETW Data");
737 if (properties_count) {
738 offset = dissect_properties(tvb, pinfo, etw_data, properties_offset, properties_count, pinfo->pool, &propArray);
739 }
740 if (user_data_length) {
741 proto_tree_add_item(etw_data, hf_etw_user_data, tvb, user_data_offset, user_data_length, ENC_NA0x00000000);
742 }
743
744 if (provider_name_length) {
745 col_set_str(pinfo->cinfo, COL_PROTOCOL, provider_name);
746 }
747
748 if (message_length) {
749 char* message;
750
751 proto_tree_add_item_ret_string(etw_data, hf_etw_message, tvb, message_offset, message_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, (const uint8_t**)& message);
752 if (propArray != NULL((void*)0))
753 {
754 wmem_strbuf_t* out_buffer;
755 format_message(message, propArray, pinfo->pool, &out_buffer);
756 message = out_buffer->str;
757 ti = proto_tree_add_string(etw_data, hf_etw_message_formatted, tvb, 0, -1, message);
758 proto_item_set_generated(ti);
759 }
760 col_set_str(pinfo->cinfo, COL_INFO, message);
761 }
762 else
763 {
764 col_set_str(pinfo->cinfo, COL_INFO, guids_resolve_guid_to_str(&provider_id, pinfo->pool));
765 }
766 }
767
768 etw_counter += 1;
769 return tvb_captured_length(tvb);
770}
771
772void
773proto_register_etw(void)
774{
775 static hf_register_info hf[] = {
776 { &hf_etw_size,
777 { "Size", "etw.size",
778 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
779 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
780 },
781 { &hf_etw_header_type,
782 { "Header Type", "etw.header_type",
783 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
784 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
785 },
786 { &hf_etw_flags,
787 { "Flags", "etw.flags",
788 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
789 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
790 },
791 { &hf_etw_header_flag_extended_info,
792 { "Extended Info", "etw.header.flag.extended_info",
793 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
794 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
795 },
796 { &hf_etw_header_flag_private_session,
797 { "Private Session", "etw.header.flag.private_session",
798 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
799 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
800 },
801 { &hf_etw_header_flag_string_only,
802 { "String Only", "etw.header.flag.string_only",
803 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
804 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
805 },
806 { &hf_etw_header_flag_trace_message,
807 { "Trace Message", "etw.header.flag.trace_message",
808 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
809 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
810 },
811 { &hf_etw_header_flag_no_cputime,
812 { "No CPU time", "etw.header.flag.no_cputime",
813 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0010,
814 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
815 },
816 { &hf_etw_header_flag_32_bit_header,
817 { "32-bit Header", "etw.header.flag.32_bit_header",
818 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0020,
819 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
820 },
821 { &hf_etw_header_flag_64_bit_header,
822 { "64-bit Header", "etw.header.flag.64_bit_header",
823 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0040,
824 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
825 },
826 { &hf_etw_header_flag_decode_guid,
827 { "Decode GUID", "etw.header.flag.decode_guid",
828 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0080,
829 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
830 },
831 { &hf_etw_header_flag_classic_header,
832 { "Classic Header", "etw.header.flag.classic_header",
833 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0100,
834 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
835 },
836 { &hf_etw_header_flag_processor_index,
837 { "Processor Index", "etw.header.flag.processor_index",
838 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0200,
839 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
840 },
841 { &hf_etw_event_property,
842 { "Event Property", "etw.event_property",
843 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
844 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
845 },
846 { &hf_etw_event_property_xml,
847 { "XML", "etw.property.xml",
848 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
849 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
850 },
851 { &hf_etw_event_property_forwarded_xml,
852 { "Forwarded XML", "etw.property.forwarded_xml",
853 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
854 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
855 },
856 { &hf_etw_event_property_legacy_eventlog,
857 { "Legacy Event Log", "etw.property.legacy_event",
858 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
859 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
860 },
861 { &hf_etw_event_property_legacy_reloggable,
862 { "Legacy Reloggable", "etw.property.legacy_reloggable",
863 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
864 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
865 },
866 { &hf_etw_thread_id,
867 { "Thread ID", "etw.thread_id",
868 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
869 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
870 },
871 { &hf_etw_process_id,
872 { "Process ID", "etw.process_id",
873 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
874 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
875 },
876 { &hf_etw_time_stamp,
877 { "Time Stamp", "etw.time_stamp",
878 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL((void*)0), 0,
879 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
880 },
881 { &hf_etw_provider_id,
882 { "Provider ID", "etw.provider_id",
883 FT_GUID, BASE_NONE, NULL((void*)0), 0,
884 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
885 },
886 { &hf_etw_buffer_context_processor_number,
887 { "Processor Number", "etw.buffer_context.processor_number",
888 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
889 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
890 },
891 { &hf_etw_buffer_context_alignment,
892 { "Alignment", "etw.buffer_context.alignment",
893 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
894 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
895 },
896 { &hf_etw_buffer_context_logger_id,
897 { "ID", "etw.buffer_context.logger_id",
898 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
899 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
900 },
901 { &hf_etw_tlv_count,
902 { "Extra Information Count", "etw.tlv_count",
903 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
904 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
905 },
906 { &hf_etw_tlv_offset,
907 { "Offset", "etw.tlv.offset",
908 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
909 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
910 },
911 { &hf_etw_tlv_length,
912 { "Length", "etw.tlv.length",
913 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
914 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
915 },
916 { &hf_etw_tlv_type,
917 { "Type", "etw.tlv.type",
918 FT_UINT32, BASE_DEC, VALS(etw_tlv_types)((0 ? (const struct _value_string*)0 : ((etw_tlv_types)))), 0,
919 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
920 },
921 { &hf_etw_src,
922 { "Source Address", "etw.src",
923 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
924 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
925 },
926 { &hf_etw_dst,
927 { "Destination Address", "etw.dst",
928 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
929 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
930 },
931 { &hf_etw_sessid,
932 { "Session Id", "etw.sessid",
933 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
934 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
935 },
936 { &hf_etw_properties_count,
937 { "Properties count", "etw.props_count",
938 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
939 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
940 },
941 { &hf_etw_provider_name,
942 { "Provider Name", "etw.provider_name",
943 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
944 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
945 },
946 { &hf_etw_message,
947 { "Event Message", "etw.message",
948 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
949 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
950 },
951 { &hf_etw_extended_data_count,
952 { "Extended Data Count", "etw.extended_data_count",
953 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
954 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
955 },
956 { &hf_etw_extended_data,
957 { "Extended Data", "etw.extended_data",
958 FT_NONE, BASE_NONE, NULL((void*)0), 0,
959 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
960 },
961 { &hf_etw_edata,
962 { "Extended Data Item", "etw.edata",
963 FT_NONE, BASE_NONE, NULL((void*)0), 0,
964 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
965 },
966 { &hf_etw_edata_reserved1,
967 { "Reserved1", "etw.edata.reserved1",
968 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
969 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
970 },
971 { &hf_etw_edata_exttype,
972 { "ExtType", "etw.edata.exttype",
973 FT_UINT16, BASE_DEC, VALS(etw_edata_types)((0 ? (const struct _value_string*)0 : ((etw_edata_types)))), 0,
974 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
975 },
976 { &hf_etw_edata_linkage,
977 { "Linkage", "etw.edata.linkage",
978 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
979 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
980 },
981 { &hf_etw_edata_datasize,
982 { "DataSize", "etw.edata.datasize",
983 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
984 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
985 },
986 { &hf_etw_edata_dataptr,
987 { "DataPtr", "etw.edata.dataptr",
988 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
989 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
990 },
991 { &hf_etw_edata_data,
992 { "Data", "etw.edata.data",
993 FT_NONE, BASE_NONE, NULL((void*)0), 0,
994 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
995 },
996 { &hf_etw_edata_stacktrace_matchid,
997 { "MatchId", "etw.edata.stacktrace.matchid",
998 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
999 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1000 },
1001 { &hf_etw_edata_stacktrace_address,
1002 { "Address", "etw.edata.stacktrace.address",
1003 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
1004 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1005 },
1006 { &hf_etw_edata_schematl_size,
1007 { "Size", "etw.edata.schematl.size",
1008 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1009 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1010 },
1011 { &hf_etw_edata_schematl_reserved1,
1012 { "Unknown", "etw.edata.schematl.reserved1",
1013 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1014 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1015 },
1016 { &hf_etw_edata_schematl_name,
1017 { "Event Name", "etw.edata.schematl.name",
1018 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1019 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1020 },
1021 { &hf_etw_edata_schematl_field,
1022 { "Schema Field", "etw.edata.schematl.field",
1023 FT_NONE, BASE_NONE, NULL((void*)0), 0,
1024 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1025 },
1026 { &hf_etw_edata_schematl_field_key,
1027 { "Key", "etw.edata.schematl.field.key",
1028 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1029 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1030 },
1031 { &hf_etw_edata_schematl_field_flags,
1032 { "Flags", "etw.edata.schematl.field.flags",
1033 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1034 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1035 },
1036 { &hf_etw_edata_schematl_field_type,
1037 { "Type", "etw.edata.schematl.field.type",
1038 FT_UINT8, BASE_DEC, VALS(etw_schematl_types)((0 ? (const struct _value_string*)0 : ((etw_schematl_types))
)), 0x1F,
1039 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1040 },
1041 { &hf_etw_edata_schematl_field_ccount,
1042 { "Constant array count", "etw.edata.schematl.field.ccount",
1043 FT_UINT8, BASE_DEC, NULL((void*)0), 0x20,
1044 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1045 },
1046 { &hf_etw_edata_schematl_field_vcount,
1047 { "Variable array count", "etw.edata.schematl.field.vcount",
1048 FT_UINT8, BASE_DEC, NULL((void*)0), 0x40,
1049 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1050 },
1051 { &hf_etw_edata_schematl_field_chain,
1052 { "Chain", "etw.edata.schematl.field.chain",
1053 FT_UINT8, BASE_DEC, NULL((void*)0), 0x80,
1054 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1055 },
1056 { &hf_etw_edata_traits_traitssize,
1057 { "Trait size", "etw.edata.traits.traitssize",
1058 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1059 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1060 },
1061 { &hf_etw_edata_traits_providername,
1062 { "Trait provider name", "etw.edata.traits.providername",
1063 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1064 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1065 },
1066 { &hf_etw_property,
1067 { "Property", "etw.prop",
1068 FT_NONE, BASE_NONE, NULL((void*)0), 0,
1069 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1070 },
1071 { &hf_etw_property_offset,
1072 { "Offset", "etw.prop.offset",
1073 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
1074 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1075 },
1076 { &hf_etw_property_keylen,
1077 { "Key Length", "etw.prop.keylen",
1078 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1079 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1080 },
1081 { &hf_etw_property_valuelen,
1082 { "Value Length", "etw.prop.valuelen",
1083 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1084 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1085 },
1086 { &hf_etw_property_key,
1087 { "Key", "etw.prop.key",
1088 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1089 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1090 },
1091 { &hf_etw_property_value,
1092 { "Value", "etw.prop.value",
1093 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
1094 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1095 },
1096 { &hf_etw_user_data,
1097 { "Raw User Data", "etw.user_data",
1098 FT_NONE, BASE_NONE, NULL((void*)0), 0,
1099 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1100 },
1101 { &hf_etw_descriptor_id,
1102 { "ID", "etw.descriptor.id",
1103 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1104 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1105 },
1106 { &hf_etw_descriptor_version,
1107 { "Version", "etw.descriptor.version",
1108 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1109 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1110 },
1111 { &hf_etw_descriptor_channel,
1112 { "Channel", "etw.descriptor.channel",
1113 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1114 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1115 },
1116 { &hf_etw_descriptor_level,
1117 { "Level", "etw.descriptor.level",
1118 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1119 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1120 },
1121 { &hf_etw_descriptor_opcode,
1122 { "Opcode", "etw.descriptor.opcode",
1123 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1124 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1125 },
1126 { &hf_etw_descriptor_task,
1127 { "Task", "etw.descriptor.task",
1128 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1129 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1130 },
1131 { &hf_etw_descriptor_keywords,
1132 { "Keywords", "etw.descriptor.keywords",
1133 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
1134 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1135 },
1136 { &hf_etw_processor_time,
1137 { "Processor Time", "etw.processor_time",
1138 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
1139 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1140 },
1141 { &hf_etw_activity_id,
1142 { "Activity ID", "etw.activity_id",
1143 FT_GUID, BASE_NONE, NULL((void*)0), 0,
1144 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1145 },
1146 // Generated fields
1147 { &hf_etw_type,
1148 { "Event Type", "etw.type",
1149 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1150 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1151 },
1152 { &hf_etw_message_formatted,
1153 { "Message (formatted)", "etw.message_formatted",
1154 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1155 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1156 },
1157 };
1158
1159 static int *ett[] = {
1160 &ett_etw_header,
1161 &ett_etw_data,
1162 &ett_etw_descriptor,
1163 &ett_etw_buffer_context,
1164 &ett_etw_extended_data,
1165 &ett_etw_property,
1166 &ett_etw_edata,
1167 &ett_etw_edata_data,
1168 &ett_etw_edata_schematl_schema,
1169 &ett_etw_schematl_flags,
1170 &ett_etw_header_flags,
1171 &ett_etw_event_property_types,
1172 &ett_etw_tlvs,
1173 &ett_etw_tlv,
1174 };
1175
1176 proto_etw = proto_register_protocol("Event Tracing for Windows", "ETW", "etw");
1177 proto_register_field_array(proto_etw, hf, array_length(hf)(sizeof (hf) / sizeof (hf)[0]));
1178 proto_register_subtree_array(ett, array_length(ett)(sizeof (ett) / sizeof (ett)[0]));
1179
1180 etw_handle = register_dissector("etw", dissect_etw, proto_etw);
1181}
1182
1183void
1184proto_reg_handoff_etw(void)
1185{
1186 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETW212, etw_handle);
1187
1188 mbim_dissector = find_dissector("mbim.control");
1189 nbss_dissector = find_dissector("nbss");
1190 http_dissector = find_dissector("http-over-tcp");
1191 ldap_dissector = find_dissector("ldap");
1192}
1193
1194/*
1195 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1196 *
1197 * Local variables:
1198 * c-basic-offset: 4
1199 * tab-width: 8
1200 * indent-tabs-mode: nil
1201 * End:
1202 *
1203 * vi: set shiftwidth=4 tabstop=8 expandtab:
1204 * :indentSize=4:tabSize=8:noTabs=true:
1205 */