author | Gerald Combs <gerald@zing.org> | 2015-06-01 19:48:23 -0700 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2015-11-10 20:59:53 +0000 |
commit | 0d497e812508b3d71716618e39647a107c206b1d (patch) | |
tree | 79976b05e07aa180f7b50f4f0ec7d6348b04c3fe /wiretap/wtap.h | |
parent | 6a56224c18ec0ed19ad1a6e2b9172d330eeb14f0 (diff) | |
download | wireshark-0d497e812508b3d71716618e39647a107c206b1d.tar.gz |
Initial Sysdig syscall (event) support.
Add a dissector for reading Sysdig event blocks. It only handles plain
events but it's usable for reading trace files on hand here.
Use a script to generate various parts of the dissector. As an experiment,
update parts in-place instead of using a template.
Ultimately there should probably be a top-level "Syscall" or "Event"
dissector alongside the "Frame" dissector, which could then call this.
You could then directly compare an executable's system calls alongside
its network traffic.
For now leverage the pcapng_block dissector and keep everything under
"Frame".
Next steps:
- Items listed at the top of packet-sysdig-event.c.
Change-Id: I17077e8d7f40d10a946d61189ebc077d81c4da37
Reviewed-on: https://code.wireshark.org/review/11103
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Reviewed-by: Alexis La Goutte <alexis.lagoutte@gmail.com>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'wiretap/wtap.h')
-rw-r--r-- | wiretap/wtap.h | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/wiretap/wtap.h b/wiretap/wtap.h index 37dfce7918..ccbc598c5e 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -1119,6 +1119,20 @@ struct logcat_phdr { gint version; }; +/* Packet "pseudo-header" information for Sysdig events. */ + +struct sysdig_event_phdr { + guint record_type; /* XXX match ft_specific_record_phdr so that we chain off of packet-pcapng_block for now. */ + int byte_order; + guint16 cpu_id; + /* guint32 sentinel; */ + guint64 timestamp; /* ns since epoch */ + guint64 thread_id; + guint32 event_len; /* XXX dup of wtap_pkthdr.len */ + guint16 event_type; + /* ... Event ... */ +}; + /* Pseudo-header for file-type-specific records */ struct ft_specific_record_phdr { guint record_type; /* the type of record this is */ @@ -1150,6 +1164,7 @@ union wtap_pseudo_header { struct nokia_phdr nokia; struct llcp_phdr llcp; struct logcat_phdr logcat; + struct sysdig_event_phdr sysdig_event; struct ft_specific_record_phdr ftsrec; }; |
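Review bot: In the first hunk, `struct sysdig_event_phdr` carries two fields that the comments themselves flag as duplicates of data held elsewhere (`record_type` mirroring `ft_specific_record_phdr` so the block can be chained through packet-pcapng_block, and `event_len` mirroring `wtap_pkthdr.len`), but the header does not say which copy is authoritative or that the two may disagree once read from an untrusted capture file. Please document at the struct that the file reader is responsible for checking the per-event `event_len` against the record length it reports in `wtap_pkthdr` before any dissector consumes the event payload, and what values `int byte_order` is expected to take; a plain `int` with no comment gives the dissector no contract to validate against. The commented-out `/* guint32 sentinel; */` and `/* ... Event ... */` lines also deserve a one-line note on whether they are deliberately omitted from the pseudo-header or still to be added, since the "Next steps" in the commit message point to packet-sysdig-event.c rather than to this header.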
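Review bot: In the second hunk, adding `struct sysdig_event_phdr sysdig_event;` to `union wtap_pseudo_header` makes the approach described in the first hunk work only because `record_type` is the first member of both `sysdig_event` and `ftsrec`, so code reading `pseudo_header->ftsrec.record_type` sees the Sysdig value through the other union member. That layout invariant is stated only in an XXX comment on the struct; a future reorder of either struct would silently break the chaining. Suggest guarding it next to the union with a compile-time check, for example a static assertion that `offsetof(struct sysdig_event_phdr, record_type) == offsetof(struct ft_specific_record_phdr, record_type)` (GLib's `G_STATIC_ASSERT` is available in this code base), and a comment on the union member explaining why the two pseudo-headers must stay aligned.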