Repository: airbus-cert/Winshark
Branch: master
Commit: d56586da8474
Files: 27
Total size: 2.7 MB
Directory structure:
gitextract_mp5iiu2j/
├── .gitignore
├── .gitmodules
├── CHANGELOG.md
├── CMakeLists.txt
├── LICENSE
├── README.md
├── dissector/
│ ├── 0winshark.lua
│ ├── CMakeLists.txt
│ ├── Microsoft_Windows_NDIS_PacketCapture.lua
│ ├── Microsoft_Windows_PktMon.lua
│ └── Tracelogging.lua
├── install/
│ └── patch.xml
└── transluator/
├── CMakeLists.txt
├── scripts/
│ └── WinsharkUpdate.bat
├── src/
│ ├── DissectorLua.cs
│ ├── DissectorPython.cs
│ ├── Manifest.cs
│ └── Transluator.cs
└── third_party/
└── Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/
├── .signature.p7s
├── Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36.nupkg
├── build/
│ └── Microsoft.Diagnostics.Tracing.TraceEvent.props
└── lib/
├── net45/
│ ├── Microsoft.Diagnostics.FastSerialization.xml
│ └── Microsoft.Diagnostics.Tracing.TraceEvent.xml
├── netstandard1.6/
│ ├── Microsoft.Diagnostics.FastSerialization.xml
│ └── Microsoft.Diagnostics.Tracing.TraceEvent.xml
└── netstandard2.0/
├── Microsoft.Diagnostics.FastSerialization.xml
└── Microsoft.Diagnostics.Tracing.TraceEvent.xml
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
CMakeCache.txt
CMakeFiles
CMakeScripts
Testing
Makefile
cmake_install.cmake
install_manifest.txt
compile_commands.json
CTestTestfile.cmake
================================================
FILE: .gitmodules
================================================
[submodule "libpcap"]
path = libpcap
url = https://github.com/airbus-cert/libpcap
branch = etw
================================================
FILE: CHANGELOG.md
================================================
# 1.1.0
* Fix issue #2 that did not allow installing Wireshark in a non-standard folder
* Fix issue #4 :warning: Rename protocol from ETW to `winshark` :warning: for DLT_USER0(147) link
* Add support for PktMon (thanks @Blondy314)
================================================
FILE: CMakeLists.txt
================================================
# Minimum CMake required
cmake_minimum_required(VERSION 3.11)

# Project: C/C++ for the libpcap ETW backend, C# for the transluator tool.
# Listing CSharp restricts the build to the Visual Studio generators.
project(Winshark LANGUAGES C CXX CSharp VERSION 1.1.0)

# Config: IDE folders for targets, and every built artifact under <build>/bin.
set_property(GLOBAL PROPERTY USE_FOLDERS ON)
set(EXECUTABLE_OUTPUT_PATH "${CMAKE_BINARY_DIR}/bin")
set(LIBRARY_OUTPUT_PATH "${CMAKE_BINARY_DIR}/bin")

# MSVC flags for every C++ target configured below (libpcap included, which
# is why they are appended to the global flags rather than set per target):
# static CRT (/MT, /MTd) and warnings treated as errors (/WX).
# NOTE(review): only the CXX flags are touched; libpcap itself is C, so its
# sources do not receive /MT or /WX from here -- confirm that is intended.
string(APPEND CMAKE_CXX_FLAGS_RELEASE " /MT /WX")
string(APPEND CMAKE_CXX_FLAGS_DEBUG " /MTd /WX")
# Include libpcap: the git submodule points at the airbus-cert fork, branch
# "etw" (see .gitmodules). LIBRARY_NAME is presumably read by libpcap's own
# CMakeLists so that the output is wpcap(.dll), the name dumpcap.exe expects.
set(LIBRARY_NAME wpcap CACHE STRING "Library name")
# FORCE is deliberate here: Winshark only works with the ETW capture backend
# of the fork, so a PCAP_TYPE cached by an earlier configure (or passed on
# the command line) must never select another backend.
set(PCAP_TYPE "etw" CACHE STRING "Packet capture type" FORCE)
add_subdirectory(libpcap)

# Group every target libpcap creates (library, test and fuzz programs,
# rpcapd, ...) under one IDE folder. set_property fails on a name that the
# submodule no longer defines, so keep this list in sync with the fork.
foreach(libpcap_target
    can_set_rfmon_test
    capturetest
    filtertest
    findalldevstest
    fuzz_both
    fuzz_filter
    fuzz_pcap
    opentest
    wpcap
    wpcap_static
    reactivatetest
    rpcapd
    SerializeTarget
    testprogs
    threadsignaltest
    uninstall)
  set_property(TARGET ${libpcap_target} PROPERTY FOLDER "libpcap")
endforeach()

# Only the capture library is installed by this file, at the root of the
# install prefix (presumably the Wireshark directory -- see install/patch.xml
# and the README). That is where dumpcap.exe finds its wpcap.dll, so this
# copy is the one that ends up doing the (elevated) capture: keep the target
# directory non-writable by standard users. Whatever libpcap's own install
# rules ship is not changed here.
install(TARGETS wpcap DESTINATION .)
# Hand-written Lua dissectors (dissector/CMakeLists.txt installs them under
# plugins/winshark).
add_subdirectory(dissector)
# C# tool that generates a Lua dissector per manifest-based ETW provider
# registered on the machine (run at install time, see README).
add_subdirectory(transluator)
# Summary
message(STATUS "Configuration summary")
message(STATUS "Project name : ${PROJECT_NAME}")
message(STATUS "Project version : ${PROJECT_VERSION}")
# CPack part: a WiX (MSI) installer. The upgrade GUID must stay stable across
# releases so that a newer MSI upgrades the previous one instead of installing
# side by side. patch.xml injects extra WiX fragments into the generated
# installer source. All CPACK_* variables have to be set before include(CPack),
# which snapshots them.
set(CPACK_GENERATOR "WIX")
set(CPACK_WIX_UPGRADE_GUID "c64ed0aa-c54a-4590-93fb-72e152edefb7")
set(CPACK_WIX_UNINSTALL "1")
set(CPACK_WIX_PATCH_FILE "${CMAKE_CURRENT_SOURCE_DIR}/install/patch.xml")
include(CPack)
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
================================================
FILE: README.md
================================================
# Winshark
`Wireshark` plugin to work with Event Tracing for Windows
`Microsoft Message Analyzer` is being retired and its download packages were removed from microsoft.com sites on November 25 2019.
Wireshark has built up a huge library of network protocol dissectors.
The best tool for Windows would be one that can gather and mix all type of logs...
Welcome `Winshark`!!!
`Winshark` is based on a `libpcap` backend to capture ETW (Event tracing for Windows), and a generator that will produce all dissectors for known ETW providers on your machine.
We've added Tracelogging support to cover almost all log techniques on the Windows Operating System.
With Winshark and the power of Windows, we can now capture Network and Event Logs in the same tool. Windows exposes a lot of ETW providers, in particular one for network capture ;-)
No more need for an external NDIS driver.
This is a huge improvement in terms of use:
* Enable to mix all kind of events (system and network)
* Enable to use Wireshark filtering on event log
* Enable to track network and system logs by Process ID!!!
* Enable to capture Windows log and network trace into an unique pcap file!!!
* Capture NamedPipe through [NpEtw](https://github.com/kobykahane/NpEtw) file system filter driver
If you want to:
* [Capture Network Traffic Using Winshark](#Capture-Network-traffic)
* [Filter on Process ID](#Filtering-on-process-id)
* [Capture NamedPipe Traffic](#Capturing-NamedPipe)
## Install
Please install [Wireshark](https://www.wireshark.org/download.html) before.
Then just install [Winshark](https://github.com/airbus-cert/Winshark/releases).
Currently, you have to tell `Wireshark` to interpret `DLT_USER0` (link type 147) as `winshark`. This is because `libpcap` does not yet have a dedicated DLT value for our new data link type.
We issued a pull request to have a dedicated DLT value; it is still pending.
To do that you have to open `Preferences` tab under the `Edit` panel. Select `DLT_USER` under `Protocols` and `Edit` the encapsulations table:

And set `winshark` for `DLT = 147` :

Enjoy!
## Build
Winshark is powered by `cmake`:
```
git clone https://github.com/airbus-cert/winshark --recursive
mkdir build_winshark
cd build_winshark
cmake ..\Winshark
cmake --build . --target package --config release
```
## How does it work
To better understand how Winshark works, we need to understand how ETW works first.
ETW is split into three parts:
* A Provider that emits events and is identified by a unique ID (a GUID)
* A Session that collects events from one or more providers
* A Consumer that reads the events emitted through a session
### Provider
There are many different kinds of providers. The most common, and the most usable, are registered providers. A registered provider, or manifest-based provider, is recorded under the registry key `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers`.
This links a provider ID to a DLL. The manifest is embedded in that DLL as a resource named `WEVT_TEMPLATE`.
You can list all providers registred on your machine using `logman`:
```
logman query providers
```
You can also list all providers bound by a particular process:
```
logman query providers -pid 1234
```
Some of them may appear without a name; these kinds of providers can produce [WPP](https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7) or [TraceLogging](https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7) logs.
### Session
Sessions are created to collect logs from more than one provider.
You can create your own session using `logman`:
```
logman start Mysession -p "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS" -ets -rt
logman update MySession -p "Microsoft-Windows-NDIS-PacketCapture" -ets -rt
```
You can list all active sessions from an admin command line:
```
logman query -ets
Data Collector Set Type Status
-------------------------------------------------------------------------------
...
EventLog-Application Trace Running
EventLog-Microsoft-Windows-Sysmon-Operational Trace Running
EventLog-System Trace Running
...
The command completed successfully.
```
You can see here some interesting sessions used by the Event Log service to collect the Application and System logs, as well as Sysmon's.
### Consumer
A consumer is a simple program that will read logs from a session. Well-known consumers are:
* Event Logger
* `logman`
* `netsh`
* `tracerpt`
And now `Winshark`!!! `Winshark` is a simple ETW consumer. The real underlying consumer is `libpcap` (`wpcap.dll` on Windows), which is used by `dumpcap.exe`, the process in charge of packet capture.
## Wireshark
`Wireshark` is split into three parts (yes, it too):
* `Wireshark.exe` which is in charge of parsing and dissecting protocols
* `dumpcap.exe` which is in charge of capturing packets
* `libpcap` (`wpcap.dll`) which is in charge of interfacing between `dumpcap.exe` and the Operating System
`Winshark` takes place in the first and last parts. It implements a backend for `libpcap` to capture ETW events.
`Winshark` works on ETW sessions, this is why you can select an ETW session in place of Network interface at the start of capture.
Then `Winshark` generates `lua` dissectors, during the installation step, for each manifest-based provider registered on your computer.
`Winshark` is also able to parse tracelogging-based providers.
## Capture network traffic
To capture network traffic using `Winshark`, you can use two simple ways:
#### pktmon (Packet Monitor)
pktmon is an in-box, cross-component network diagnostics tool for Windows. It can be used for packet capture, packet drop detection, packet filtering and counting (supported from RS5)
(https://docs.microsoft.com/en-us/windows-server/networking/technologies/pktmon/pktmon)
```
pktmon start -c -m real-mode
```
you can run pktmon -h for more options (as admin)
For instance:
Add a filter for packets
```
pktmon filter add -t icmp
pktmon filter add -t tcp -p 80
```
Then launch `Wireshark` with administrator privileges and select the `Pktmon` interface. Elevation is needed to attach to the ETW session, but keep in mind that it also runs the whole dissection engine, including the Lua dissectors generated at install time, with administrator rights on whatever the providers emit; when the traffic is untrusted, do this on a dedicated analysis machine or VM:

That will start the packet capture:

#### netsh trace
```
netsh.exe trace start capture=yes report=no correlation=no
```
And then create an ETW session associated with the `Microsoft-Windows-NDIS-PacketCapture` provider:
```
logman start Winshark-PacketCapture -p "Microsoft-Windows-NDIS-PacketCapture" -rt -ets
```
Then launch `Wireshark` with administrator privileges and select the `Winshark-PacketCapture` interface:

That will start the packet capture:

## Filtering on process ID
ETW prefixes each event with a header carrying metadata about the emitter.
One of these fields is the `Process ID` of the emitting process. This is a huge improvement over a classic packet capture from an NDIS driver.
Simply fill the filter field of Wireshark with the following expression:
```
winshark.header.ProcessId == 1234
```

## Capturing NamedPipe
@kobykahane provides a [file system filter driver](https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/about-file-system-filter-drivers) that emits an ETW event for every action performed on a named pipe.
### Install
* Enable test-signing mode so that the test-signed driver passes the kernel driver signature check. **Warning:** this switches off driver signature enforcement for *every* driver on the machine, not only NpEtw; do it only on a dedicated analysis machine or VM, and revert it with `bcdedit /set testsigning off` once you are done
```
bcdedit /set testsigning on
```
* Install [NpEtwSetup.msi](https://github.com/airbus-cert/Winshark/releases)
* Reboot
* Update the `Winshark` dissectors by running `C:\Program Files\Wireshark\WinsharkUpdate.bat` with administrator rights (right-click, *Run as administrator*)
### Capture
* Open a `cmd.exe` in `Admin mode`
* Start the driver
```
sc start NpEtw
```
* Create an ETW Session
```
logman start namedpipe -p NpEtw -ets -rt
```
* Start `Wireshark` and select the `namedpipe` session. Enjoy!

## SSTIC (Symposium sur la sécurité des technologies de l'information et des communications)
This project is part of a presentation made for [SSTIC](https://www.sstic.org/2020/presentation/quand_les_bleus_se_prennent_pour_des_chercheurs_de_vulnrabilites/)
================================================
FILE: dissector/0winshark.lua
================================================
-- This is the main dissector for all winshark based dissectors.
-- It parses the meta information of every ETW record captured through the
-- ETW backend of libpcap (the 80-byte EventHeader and the extended data)
-- and then hands the event payload (UserData) to a per-provider dissector.
winshark_proto = Proto("winshark","Event Trace for Windows");
-- EventHeader fields, declared in the order they are laid out in the record
-- (offsets 0..79; the dissector function below reads them at fixed offsets).
local header_size = ProtoField.uint16("winshark.header.Size", "Size", base.DEC);
local header_type = ProtoField.uint16("winshark.header.HeaderType", "HeaderType", base.DEC);
local header_flags = ProtoField.uint16("winshark.header.Flags", "Flags", base.DEC);
local header_eventproperty = ProtoField.uint16("winshark.header.EventProperty", "EventProperty", base.DEC);
-- Thread and process that emitted the event (ProcessId is the field the
-- README's filtering example keys on).
local header_threadid = ProtoField.uint32("winshark.header.ThreadId", "ThreadId", base.DEC);
local header_processid = ProtoField.uint32("winshark.header.ProcessId", "ProcessId", base.DEC);
local header_timestamp = ProtoField.uint64("winshark.header.TimeStamp", "TimeStamp", base.DEC);
-- Provider GUID; its lowercase text form is the key of the "winshark"
-- dissector table.
-- NOTE(review): ProtoField.guid takes a description string as its third
-- argument rather than a display base; base.DEC here presumably just ends
-- up as the field description and is harmless, but worth confirming.
local header_providerid = ProtoField.guid("winshark.header.ProviderId", "ProviderId", base.DEC);
local header_processtime = ProtoField.uint64("winshark.header.ProcessorTime", "ProcessorTime", base.DEC);
local header_activityid = ProtoField.guid("winshark.header.ActivityId", "ActivityId", base.DEC);
-- EventDescriptor (16 bytes inside the header). Id and Version are read back
-- by the per-provider dissectors to select the per-event sub dissector.
local header_eventdescriptor_id = ProtoField.uint16("winshark.header.EventDescriptor.Id", "Id", base.DEC);
local header_eventdescriptor_version = ProtoField.uint8("winshark.header.EventDescriptor.Version", "Version", base.DEC);
local header_eventdescriptor_channel = ProtoField.uint8("winshark.header.EventDescriptor.Channel", "Channel", base.DEC);
local header_eventdescriptor_level = ProtoField.uint8("winshark.header.EventDescriptor.Level", "Level", base.DEC);
local header_eventdescriptor_opcode = ProtoField.uint8("winshark.header.EventDescriptor.Opcode", "Opcode", base.DEC);
local header_eventdescriptor_task = ProtoField.uint16("winshark.header.EventDescriptor.Task", "Task", base.DEC);
local header_eventdescriptor_keyword = ProtoField.uint64("winshark.header.EventDescriptor.Keyword", "Keyword", base.HEX);
-- 16-bit length of the extended data block that directly follows the header.
local header_extendeddatalength = ProtoField.uint16("winshark.header.ExtendedDataLength", "ExtendedDataLength", base.DEC);
-- Extended data: a sequence of (Type, Size) items, each followed by Size
-- bytes of data.
local header_extendeddata = ProtoField.bytes("winshark.ExtendedData", "ExtendedData", base.NONE);
local header_extendeddatatype = ProtoField.uint16("winshark.ExtendedData.Type", "ExtType", base.DEC);
local header_extendeddatasize = ProtoField.uint16("winshark.ExtendedData.Size", "DataSize", base.DEC);
-- Register the fields with the protocol.
winshark_proto.fields = {
header_size,
header_type,
header_flags,
header_eventproperty,
header_threadid,
header_processid,
header_timestamp,
header_providerid,
header_processtime,
header_activityid,
header_eventdescriptor_id,
header_eventdescriptor_version,
header_eventdescriptor_channel,
header_eventdescriptor_level,
header_eventdescriptor_opcode,
header_eventdescriptor_task,
header_eventdescriptor_keyword,
header_extendeddatalength,
header_extendeddatasize,
header_extendeddatatype,
header_extendeddata
}
-- Dissector table keyed by the provider GUID in lowercase text form, or by
-- the literal "Tracelogging" for self-describing events. Per-provider
-- scripts register themselves with DissectorTable.get("winshark"):add(guid, proto).
winshark_dissector_table = DissectorTable.new("winshark", "Event Tracing for Windows", ftypes.STRING)
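-- Offsets the main dissector relies on. A record captured by the libpcap
-- ETW backend starts with the 80-byte EventHeader, immediately followed by
-- a 16-bit ExtendedDataLength, so the extended data items begin at offset
-- 82 and the UserData right after them.
local WINSHARK_EVENT_HEADER_SIZE = 80
local WINSHARK_EXTENDED_DATA_OFFSET = 82
-- Every extended data item is a 16-bit type and a 16-bit size, then `size`
-- bytes of data.
local WINSHARK_EXT_ITEM_HEADER_SIZE = 4
-- Extended data type that flags a TraceLogging event: such events carry
-- their own schema in the extended data instead of a registered manifest.
local WINSHARK_EXT_TYPE_TRACELOGGING = 11

-- Main winshark dissector (bound to DLT_USER0/147 through the Wireshark
-- preference described in the README).
--   buffer : Tvb holding one ETW record
--   pinfo  : packet info; only the protocol column is touched here
--   tree   : root tree item, also the tree handed to the sub dissector
-- Dissects the EventHeader and the extended data items, then looks the
-- provider GUID up in the "winshark" dissector table ("Tracelogging" for
-- self-describing events) and passes it the UserData payload.
-- Every length read from the record is checked against the captured length
-- before it is used as an offset: ETW events are written by arbitrary
-- processes on the traced machine and are untrusted input, and an
-- out-of-range Tvb access would otherwise abort dissection with a Lua error
-- instead of a readable "[Malformed ...]" item.
function winshark_proto.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    if length == 0 then return end

    pinfo.cols.protocol = winshark_proto.name
    local winshark = tree:add(winshark_proto, buffer())

    -- The fixed part (EventHeader + ExtendedDataLength) must be complete.
    if length < WINSHARK_EXTENDED_DATA_OFFSET then
        winshark:add(buffer(), string.format(
            "[Malformed: %d bytes captured, EventHeader needs %d]",
            length, WINSHARK_EXTENDED_DATA_OFFSET))
        return
    end

    local event_header = winshark:add(buffer(0, WINSHARK_EVENT_HEADER_SIZE), "EventHeader")
    event_header:add_le(header_size, buffer(0, 2))
    event_header:add_le(header_type, buffer(2, 2))
    event_header:add_le(header_flags, buffer(4, 2))
    event_header:add_le(header_eventproperty, buffer(6, 2))
    event_header:add_le(header_threadid, buffer(8, 4))
    event_header:add_le(header_processid, buffer(12, 4))
    event_header:add_le(header_timestamp, buffer(16, 8))
    event_header:add_le(header_providerid, buffer(24, 16))
    local event_descriptor = event_header:add(buffer(40, 16), "EventDescriptor")
    event_descriptor:add_le(header_eventdescriptor_id, buffer(40, 2))
    event_descriptor:add_le(header_eventdescriptor_version, buffer(42, 1))
    event_descriptor:add_le(header_eventdescriptor_channel, buffer(43, 1))
    event_descriptor:add_le(header_eventdescriptor_level, buffer(44, 1))
    event_descriptor:add_le(header_eventdescriptor_opcode, buffer(45, 1))
    event_descriptor:add_le(header_eventdescriptor_task, buffer(46, 2))
    event_descriptor:add_le(header_eventdescriptor_keyword, buffer(48, 8))
    event_header:add_le(header_processtime, buffer(56, 8))
    event_header:add_le(header_activityid, buffer(64, 16))
    event_header:add_le(header_extendeddatalength, buffer(80, 2))

    -- Provider GUID in the canonical lowercase text form used as key of the
    -- dissector table: Data1..Data3 are little endian, the eight Data4 bytes
    -- are printed in memory order (hence the big-endian 16-bit reads).
    local providerid = string.format("%08x-%04x-%04x-%04x-%04x%04x%04x",
        buffer(24, 4):le_uint(),
        buffer(28, 2):le_uint(),
        buffer(30, 2):le_uint(),
        buffer(32, 2):uint(), buffer(34, 2):uint(), buffer(36, 2):uint(), buffer(38, 2):uint()
    )

    -- Extended data block: bound the declared length by what was captured.
    local extended_data_length = buffer(80, 2):le_uint()
    local userdata_offset = WINSHARK_EXTENDED_DATA_OFFSET + extended_data_length
    if userdata_offset > length then
        winshark:add(buffer(80, 2), string.format(
            "[Malformed: ExtendedDataLength %d but only %d bytes follow the header]",
            extended_data_length, length - WINSHARK_EXTENDED_DATA_OFFSET))
        return
    end
    local extended_data = winshark:add_le(header_extendeddata,
        buffer(WINSHARK_EXTENDED_DATA_OFFSET, extended_data_length))

    local offset = 0
    local index = 0
    while offset < extended_data_length do
        local item_offset = WINSHARK_EXTENDED_DATA_OFFSET + offset
        local remaining = extended_data_length - offset
        -- The item header (type, size) must itself fit in the block.
        if remaining < WINSHARK_EXT_ITEM_HEADER_SIZE then
            extended_data:add(buffer(item_offset, remaining), string.format(
                "[%d] [Malformed: %d trailing bytes, item header needs %d]",
                index, remaining, WINSHARK_EXT_ITEM_HEADER_SIZE))
            return
        end
        local ext_type = buffer(item_offset, 2):le_uint()
        local size = buffer(item_offset + 2, 2):le_uint()
        local item_size = WINSHARK_EXT_ITEM_HEADER_SIZE + size
        -- And so must the item's data.
        if item_size > remaining then
            local data = extended_data:add(buffer(item_offset, remaining), string.format(
                "[%d] [Malformed: DataSize %d exceeds the %d bytes left in ExtendedData]",
                index, size, remaining - WINSHARK_EXT_ITEM_HEADER_SIZE))
            data:add_le(header_extendeddatatype, buffer(item_offset, 2))
            data:add_le(header_extendeddatasize, buffer(item_offset + 2, 2))
            return
        end
        local data = extended_data:add(buffer(item_offset, item_size), string.format("[%d]", index))
        data:add_le(header_extendeddatatype, buffer(item_offset, 2))
        data:add_le(header_extendeddatasize, buffer(item_offset + 2, 2))
        data:add(buffer(item_offset + WINSHARK_EXT_ITEM_HEADER_SIZE, size), "Data")
        -- A TraceLogging event embeds its schema in the extended data; route
        -- it to the Tracelogging dissector instead of a manifest-based one.
        if ext_type == WINSHARK_EXT_TYPE_TRACELOGGING then
            providerid = "Tracelogging"
        end
        index = index + 1
        offset = offset + item_size
    end

    -- Whatever follows the extended data is the provider-specific payload;
    -- hand it to the matching sub dissector (no-op when none is registered).
    local userdata_length = length - userdata_offset
    winshark:add(buffer(userdata_offset, userdata_length), "UserData")
    winshark_dissector_table:try(providerid, buffer(userdata_offset, userdata_length):tvb(), pinfo, tree)
end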
================================================
FILE: dissector/CMakeLists.txt
================================================
# Hand-written Lua dissectors. They go to plugins/winshark under the install
# prefix, presumably Wireshark's plugin directory, from where Wireshark loads
# them at start-up. Everything in that folder runs inside Wireshark, which the
# README tells users to launch as administrator, so the folder must not be
# writable by standard users.
install(
  FILES
    "${CMAKE_CURRENT_SOURCE_DIR}/0winshark.lua"
    "${CMAKE_CURRENT_SOURCE_DIR}/Tracelogging.lua"
    "${CMAKE_CURRENT_SOURCE_DIR}/Microsoft_Windows_NDIS_PacketCapture.lua"
    "${CMAKE_CURRENT_SOURCE_DIR}/Microsoft_Windows_PktMon.lua"
  DESTINATION plugins/winshark
)
================================================
FILE: dissector/Microsoft_Windows_NDIS_PacketCapture.lua
================================================
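-- Provider-level dissector for Microsoft-Windows-NDIS-PacketCapture
-- (GUID 2ed6006e-4729-4609-b423-3ee7bcd678ef). The provider emits several
-- event types; each one is dissected by its own Proto, registered in the
-- per-provider table below under the key "<EventId>.<Version>".
local proto = Proto("Microsoft-Windows-NDIS-PacketCapture", "Microsoft-Windows-NDIS-PacketCapture")
-- Id and Version are read back from the winshark EventHeader that the main
-- dissector (0winshark.lua) has already added to the tree. Field extractors
-- have to be created at load time, outside any dissector callback.
local event_id = Field.new("winshark.header.EventDescriptor.Id")
local event_version = Field.new("winshark.header.EventDescriptor.Version")
local dissector_table = DissectorTable.new("Microsoft-Windows-NDIS-PacketCapture", "Microsoft-Windows-NDIS-PacketCapture 2ed6006e-4729-4609-b423-3ee7bcd678ef", ftypes.STRING)

-- Dispatch the UserData payload on "EventId.Version".
--   buffer : Tvb holding the event's UserData
--   pinfo  : packet info, passed through
--   tree   : tree item the per-event dissector adds to
-- When the winshark header was not dissected the extractors return nil and
-- the resulting "nil.nil" key matches no entry; DissectorTable:try is a
-- no-op for unknown keys, so unknown events are simply left undissected.
function proto.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    if length == 0 then return end
    local id = event_id()
    local version = event_version()
    dissector_table:try(tostring(id) .. "." .. tostring(version), buffer, pinfo, tree)
end

-- Hook into the main winshark dissector under this provider's GUID.
local winshark_dissector_table = DissectorTable.get("winshark")
winshark_dissector_table:add("2ed6006e-4729-4609-b423-3ee7bcd678ef", proto)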
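-- Event 1001 version 0: one captured frame (an NDIS "fragment").
-- UserData layout, all little endian:
--   MiniportIfIndex u32 | LowerIfIndex u32 | FragmentSize u32 |
--   Fragment[FragmentSize] | GftFlowEntryId u64 | GftOffloadInformation u64
-- (field list as generated from the provider manifest; whether the two Gft
-- fields are present on every Windows build cannot be told from here).
event_proto_1001_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1001.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1001) Version(0)")
event_proto_1001_0.fields = { ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1001.MiniportIfIndex", "MiniportIfIndex", base.DEC), ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1001.LowerIfIndex", "LowerIfIndex", base.DEC), ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1001.FragmentSize", "FragmentSize", base.DEC), ProtoField.bytes("Microsoft-Windows-NDIS-PacketCapture.1001.Fragment", "Fragment", base.NONE), ProtoField.uint64("Microsoft-Windows-NDIS-PacketCapture.1001.GftFlowEntryId", "GftFlowEntryId", base.DEC), ProtoField.uint64("Microsoft-Windows-NDIS-PacketCapture.1001.GftOffloadInformation", "GftOffloadInformation", base.DEC) }

-- Size of the three u32 fields that precede the fragment.
local EVENT_1001_FIXED_HEADER = 12
-- Size of the two u64 fields that follow it.
local EVENT_1001_TRAILER = 16

-- Dissect one event 1001 payload and hand the embedded frame to Wireshark's
-- Ethernet dissector.
--   buffer : Tvb holding the event's UserData
--   pinfo  : packet info; the protocol column is set here and then usually
--            overwritten by the Ethernet stack
--   tree   : tree item to add to (also given to the Ethernet dissector)
function event_proto_1001_0.dissector(buffer, pinfo, tree)
    local length = buffer:len()
    if length == 0 then return end
    pinfo.cols.protocol = event_proto_1001_0.name
    local fields = tree:add(event_proto_1001_0, buffer())

    if length < EVENT_1001_FIXED_HEADER then
        fields:add(buffer(), string.format("[Malformed: %d bytes, fixed fields need %d]", length, EVENT_1001_FIXED_HEADER))
        return
    end
    fields:add_le(event_proto_1001_0.fields[1], buffer(0, 4))
    fields:add_le(event_proto_1001_0.fields[2], buffer(4, 4))
    local fragment_size = buffer(8, 4):le_uint()
    fields:add_le(event_proto_1001_0.fields[3], buffer(8, 4))

    -- FragmentSize comes from the event itself: bound it by the captured
    -- length before using it, so a short or corrupt event yields a
    -- "[Malformed ...]" item instead of a Lua out-of-range error.
    local fragment_offset = EVENT_1001_FIXED_HEADER
    local available = length - fragment_offset
    if fragment_size > available then
        fields:add(buffer(8, 4), string.format("[Malformed: FragmentSize %d exceeds the %d bytes remaining]", fragment_size, available))
        return
    end
    fields:add_le(event_proto_1001_0.fields[4], buffer(fragment_offset, fragment_size))
    local index = fragment_offset + fragment_size

    -- Gft fields: dissect them when present, otherwise flag the event as
    -- short rather than aborting (the frame itself can still be decoded).
    if length - index >= EVENT_1001_TRAILER then
        fields:add_le(event_proto_1001_0.fields[5], buffer(index, 8))
        fields:add_le(event_proto_1001_0.fields[6], buffer(index + 8, 8))
    else
        fields:add(buffer(index, length - index), string.format("[Truncated: %d bytes after Fragment, Gft fields need %d]", length - index, EVENT_1001_TRAILER))
    end

    -- The fragment carries no FCS (hence eth_withoutfcs); let the regular
    -- Ethernet stack decode it on top of the ETW record.
    local ethernet = Dissector.get("eth_withoutfcs")
    ethernet:call(buffer(fragment_offset, fragment_size):tvb(), pinfo, tree)
end
dissector_table:add("1001.0", event_proto_1001_0)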
event_proto_1002_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1002.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1002) Version(0)")
event_proto_1002_0.fields = { ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1002.MiniportIfIndex", "MiniportIfIndex", base.DEC), ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1002.LowerIfIndex", "LowerIfIndex", base.DEC), ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1002.MetadataSize", "MetadataSize", base.DEC), ProtoField.bytes("Microsoft-Windows-NDIS-PacketCapture.1002.Metadata", "Metadata", base.NONE) }
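function event_proto_1002_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1002 Version 0:
  -- two interface indexes followed by a length-prefixed Metadata blob.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1002_0.name
  local fields = tree:add(event_proto_1002_0, buffer())
  local index = 0
  fields:add_le(event_proto_1002_0.fields[1], buffer(index, 4)) -- MiniportIfIndex
  index = index + 4
  fields:add_le(event_proto_1002_0.fields[2], buffer(index, 4)) -- LowerIfIndex
  index = index + 4
  -- MetadataSize comes from the captured payload; an oversized value makes the
  -- buffer() call below raise, which Wireshark reports as a dissector error.
  local MetadataSize_value = buffer(index, 4):le_uint()
  fields:add_le(event_proto_1002_0.fields[3], buffer(index, 4))
  index = index + 4
  fields:add_le(event_proto_1002_0.fields[4], buffer(index, MetadataSize_value))
  index = index + MetadataSize_value
end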
dissector_table:add("1002.0", event_proto_1002_0)
event_proto_1003_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1003.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1003) Version(0)")
-- EventId 1003 Version 0: field definitions in payload order; the dissector indexes them 1-based.
event_proto_1003_0.fields = {
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1003.MiniportIfIndex", "MiniportIfIndex", base.DEC), -- [1]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1003.LowerIfIndex", "LowerIfIndex", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1003.SourcePortId", "SourcePortId", base.DEC), -- [3]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1003.SourcePortName", "SourcePortName", base.UNICODE), -- [4]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1003.SourceNicName", "SourceNicName", base.UNICODE), -- [5]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1003.SourceNicType", "SourceNicType", base.UNICODE), -- [6]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1003.DestinationCount", "DestinationCount", base.DEC), -- [7]
  ProtoField.double("Microsoft-Windows-NDIS-PacketCapture.1003.Destination", "Destination", base.DEC), -- [8]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1003.FragmentSize", "FragmentSize", base.DEC), -- [9]
  ProtoField.bytes("Microsoft-Windows-NDIS-PacketCapture.1003.Fragment", "Fragment", base.NONE), -- [10]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1003.OOBDataSize", "OOBDataSize", base.DEC), -- [11]
  ProtoField.bytes("Microsoft-Windows-NDIS-PacketCapture.1003.OOBData", "OOBData", base.NONE), -- [12]
}
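function event_proto_1003_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1003 Version 0.
  -- Decodes interface/port identifiers, three NUL-terminated UTF-16LE names, a
  -- destination record, a length-prefixed fragment and length-prefixed OOB data.
  -- Unlike event 1001, the fragment is only shown as bytes and is not handed to
  -- the Ethernet dissector.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1003_0.name
  local fields = tree:add(event_proto_1003_0, buffer())
  local index = 0

  -- Reads the NUL-terminated UTF-16LE string at `offset`; returns its text and the
  -- number of bytes to skip (characters plus terminator, two bytes each).
  -- NOTE(review): :len() is the byte length of the UTF-8 conversion, so the skip is
  -- only exact for ASCII text. That is the arithmetic the original used; kept as-is.
  local function utf16z_at(offset)
    local text = buffer(offset):le_ustringz()
    return text, (text:len() + 1) * 2
  end

  fields:add_le(event_proto_1003_0.fields[1], buffer(index, 4)) -- MiniportIfIndex
  index = index + 4
  fields:add_le(event_proto_1003_0.fields[2], buffer(index, 4)) -- LowerIfIndex
  index = index + 4
  fields:add_le(event_proto_1003_0.fields[3], buffer(index, 4)) -- SourcePortId
  index = index + 4
  for field_no = 4, 6 do -- SourcePortName, SourceNicName, SourceNicType
    local text, byte_len = utf16z_at(index)
    fields:add_le(event_proto_1003_0.fields[field_no], buffer(index, byte_len), tostring(text))
    index = index + byte_len
  end
  -- DestinationCount is read but a single 8-byte Destination follows; presumably
  -- an array in the provider manifest — verify before changing.
  fields:add_le(event_proto_1003_0.fields[7], buffer(index, 4)) -- DestinationCount
  index = index + 4
  fields:add_le(event_proto_1003_0.fields[8], buffer(index, 8)) -- Destination
  index = index + 8
  -- FragmentSize and OOBDataSize come from the captured payload; an oversized
  -- value makes the following buffer() call raise rather than over-read the Tvb.
  local FragmentSize_value = buffer(index, 4):le_uint()
  fields:add_le(event_proto_1003_0.fields[9], buffer(index, 4))
  index = index + 4
  fields:add_le(event_proto_1003_0.fields[10], buffer(index, FragmentSize_value))
  index = index + FragmentSize_value
  local OOBDataSize_value = buffer(index, 4):le_uint()
  fields:add_le(event_proto_1003_0.fields[11], buffer(index, 4))
  index = index + 4
  fields:add_le(event_proto_1003_0.fields[12], buffer(index, OOBDataSize_value))
  index = index + OOBDataSize_value
end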
dissector_table:add("1003.0", event_proto_1003_0)
event_proto_1011_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1011.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1011) Version(0)")
-- EventId 1011 Version 0: a single field.
event_proto_1011_0.fields = {
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1011.RulesCount", "RulesCount", base.DEC), -- [1]
}
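function event_proto_1011_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1011 Version 0:
  -- one 32-bit RulesCount.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1011_0.name
  local fields = tree:add(event_proto_1011_0, buffer())
  local index = 0
  fields:add_le(event_proto_1011_0.fields[1], buffer(index, 4)) -- RulesCount
  index = index + 4
end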
dissector_table:add("1011.0", event_proto_1011_0)
event_proto_1012_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1012.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1012) Version(0)")
-- EventId 1012 Version 0: four NUL-terminated UTF-16 strings, in payload order.
event_proto_1012_0.fields = {
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1012.FriendlyName", "FriendlyName", base.UNICODE), -- [1]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1012.UniqueName", "UniqueName", base.UNICODE), -- [2]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1012.ServiceName", "ServiceName", base.UNICODE), -- [3]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1012.Version", "Version", base.UNICODE), -- [4]
}
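function event_proto_1012_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1012 Version 0:
  -- four consecutive NUL-terminated UTF-16LE strings.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1012_0.name
  local fields = tree:add(event_proto_1012_0, buffer())
  local index = 0

  -- Reads the NUL-terminated UTF-16LE string at `offset`; returns its text and the
  -- number of bytes to skip (characters plus terminator, two bytes each).
  -- NOTE(review): :len() is the byte length of the UTF-8 conversion, so the skip is
  -- only exact for ASCII text. That is the arithmetic the original used; kept as-is.
  local function utf16z_at(offset)
    local text = buffer(offset):le_ustringz()
    return text, (text:len() + 1) * 2
  end

  for field_no = 1, 4 do -- FriendlyName, UniqueName, ServiceName, Version
    local text, byte_len = utf16z_at(index)
    fields:add_le(event_proto_1012_0.fields[field_no], buffer(index, byte_len), tostring(text))
    index = index + byte_len
  end
end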
dissector_table:add("1012.0", event_proto_1012_0)
event_proto_1013_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1013.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1013) Version(0)")
-- EventId 1013 Version 0: four NUL-terminated UTF-16 strings, in payload order.
event_proto_1013_0.fields = {
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1013.FriendlyName", "FriendlyName", base.UNICODE), -- [1]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1013.UniqueName", "UniqueName", base.UNICODE), -- [2]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1013.ServiceName", "ServiceName", base.UNICODE), -- [3]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.1013.Version", "Version", base.UNICODE), -- [4]
}
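function event_proto_1013_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1013 Version 0:
  -- four consecutive NUL-terminated UTF-16LE strings (same layout as event 1012).
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1013_0.name
  local fields = tree:add(event_proto_1013_0, buffer())
  local index = 0

  -- Reads the NUL-terminated UTF-16LE string at `offset`; returns its text and the
  -- number of bytes to skip (characters plus terminator, two bytes each).
  -- NOTE(review): :len() is the byte length of the UTF-8 conversion, so the skip is
  -- only exact for ASCII text. That is the arithmetic the original used; kept as-is.
  local function utf16z_at(offset)
    local text = buffer(offset):le_ustringz()
    return text, (text:len() + 1) * 2
  end

  for field_no = 1, 4 do -- FriendlyName, UniqueName, ServiceName, Version
    local text, byte_len = utf16z_at(index)
    fields:add_le(event_proto_1013_0.fields[field_no], buffer(index, byte_len), tostring(text))
    index = index + byte_len
  end
end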
dissector_table:add("1013.0", event_proto_1013_0)
event_proto_1014_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1014.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1014) Version(0)")
-- EventId 1014 Version 0: four 32-bit fields, in payload order.
event_proto_1014_0.fields = {
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1014.MiniportIfIndex", "MiniportIfIndex", base.DEC), -- [1]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1014.LowerIfIndex", "LowerIfIndex", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1014.MediaType", "MediaType", base.DEC), -- [3]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1014.ReferenceContext", "ReferenceContext", base.DEC), -- [4]
}
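function event_proto_1014_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1014 Version 0:
  -- four little-endian 32-bit values.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1014_0.name
  local fields = tree:add(event_proto_1014_0, buffer())
  local index = 0
  -- MiniportIfIndex, LowerIfIndex, MediaType, ReferenceContext
  for field_no = 1, 4 do
    fields:add_le(event_proto_1014_0.fields[field_no], buffer(index, 4))
    index = index + 4
  end
end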
dissector_table:add("1014.0", event_proto_1014_0)
event_proto_1015_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1015.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1015) Version(0)")
-- EventId 1015 Version 0: four 32-bit fields, in payload order.
event_proto_1015_0.fields = {
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1015.MiniportIfIndex", "MiniportIfIndex", base.DEC), -- [1]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1015.LowerIfIndex", "LowerIfIndex", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1015.MediaType", "MediaType", base.DEC), -- [3]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.1015.ReferenceContext", "ReferenceContext", base.DEC), -- [4]
}
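function event_proto_1015_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1015 Version 0:
  -- four little-endian 32-bit values (same layout as event 1014).
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1015_0.name
  local fields = tree:add(event_proto_1015_0, buffer())
  local index = 0
  -- MiniportIfIndex, LowerIfIndex, MediaType, ReferenceContext
  for field_no = 1, 4 do
    fields:add_le(event_proto_1015_0.fields[field_no], buffer(index, 4))
    index = index + 4
  end
end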
dissector_table:add("1015.0", event_proto_1015_0)
event_proto_1016_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.1016.0", "Microsoft-Windows-NDIS-PacketCapture EventId(1016) Version(0)")
-- EventId 1016 Version 0: a rule record (id, directive, length-prefixed value).
event_proto_1016_0.fields = {
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.1016.RuleId", "RuleId", base.DEC), -- [1]
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.1016.Directive", "Directive", base.DEC), -- [2]
  ProtoField.uint16("Microsoft-Windows-NDIS-PacketCapture.1016.Length", "Length", base.DEC), -- [3]
  ProtoField.bytes("Microsoft-Windows-NDIS-PacketCapture.1016.Value", "Value", base.NONE), -- [4]
}
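function event_proto_1016_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 1016 Version 0:
  -- RuleId (1 byte), Directive (1 byte), Length (2 bytes) and Value (Length bytes).
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_1016_0.name
  local fields = tree:add(event_proto_1016_0, buffer())
  local index = 0
  fields:add_le(event_proto_1016_0.fields[1], buffer(index, 1)) -- RuleId
  index = index + 1
  fields:add_le(event_proto_1016_0.fields[2], buffer(index, 1)) -- Directive
  index = index + 1
  -- Length comes from the captured payload; an oversized value makes the buffer()
  -- call below raise, which Wireshark reports as a dissector error.
  local Length_value = buffer(index, 2):le_uint()
  fields:add_le(event_proto_1016_0.fields[3], buffer(index, 2))
  index = index + 2
  fields:add_le(event_proto_1016_0.fields[4], buffer(index, Length_value))
  index = index + Length_value
end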
dissector_table:add("1016.0", event_proto_1016_0)
event_proto_2001_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.2001.0", "Microsoft-Windows-NDIS-PacketCapture EventId(2001) Version(0)")
-- EventId 2001 Version 0: three 32-bit fields, in payload order.
event_proto_2001_0.fields = {
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.2001.ErrorCode", "ErrorCode", base.DEC), -- [1]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.2001.Location", "Location", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.2001.Context", "Context", base.DEC), -- [3]
}
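function event_proto_2001_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 2001 Version 0:
  -- ErrorCode, Location and Context, each a little-endian 32-bit value.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_2001_0.name
  local fields = tree:add(event_proto_2001_0, buffer())
  local index = 0
  for field_no = 1, 3 do -- ErrorCode, Location, Context
    fields:add_le(event_proto_2001_0.fields[field_no], buffer(index, 4))
    index = index + 4
  end
end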
dissector_table:add("2001.0", event_proto_2001_0)
event_proto_2002_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.2002.0", "Microsoft-Windows-NDIS-PacketCapture EventId(2002) Version(0)")
-- EventId 2002 Version 0: three 32-bit fields, in payload order.
event_proto_2002_0.fields = {
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.2002.ErrorCode", "ErrorCode", base.DEC), -- [1]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.2002.Location", "Location", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.2002.Context", "Context", base.DEC), -- [3]
}
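function event_proto_2002_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 2002 Version 0:
  -- ErrorCode, Location and Context, each a little-endian 32-bit value
  -- (same layout as event 2001).
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_2002_0.name
  local fields = tree:add(event_proto_2002_0, buffer())
  local index = 0
  for field_no = 1, 3 do -- ErrorCode, Location, Context
    fields:add_le(event_proto_2002_0.fields[field_no], buffer(index, 4))
    index = index + 4
  end
end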
dissector_table:add("2002.0", event_proto_2002_0)
event_proto_2003_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.2003.0", "Microsoft-Windows-NDIS-PacketCapture EventId(2003) Version(0)")
-- EventId 2003 Version 0: a rule record (id, directive, length-prefixed value).
event_proto_2003_0.fields = {
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.2003.RuleId", "RuleId", base.DEC), -- [1]
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.2003.Directive", "Directive", base.DEC), -- [2]
  ProtoField.uint16("Microsoft-Windows-NDIS-PacketCapture.2003.Length", "Length", base.DEC), -- [3]
  ProtoField.bytes("Microsoft-Windows-NDIS-PacketCapture.2003.Value", "Value", base.NONE), -- [4]
}
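function event_proto_2003_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 2003 Version 0:
  -- RuleId (1 byte), Directive (1 byte), Length (2 bytes) and Value (Length bytes);
  -- same layout as event 1016.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_2003_0.name
  local fields = tree:add(event_proto_2003_0, buffer())
  local index = 0
  fields:add_le(event_proto_2003_0.fields[1], buffer(index, 1)) -- RuleId
  index = index + 1
  fields:add_le(event_proto_2003_0.fields[2], buffer(index, 1)) -- Directive
  index = index + 1
  -- Length comes from the captured payload; an oversized value makes the buffer()
  -- call below raise, which Wireshark reports as a dissector error.
  local Length_value = buffer(index, 2):le_uint()
  fields:add_le(event_proto_2003_0.fields[3], buffer(index, 2))
  index = index + 2
  fields:add_le(event_proto_2003_0.fields[4], buffer(index, Length_value))
  index = index + Length_value
end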
dissector_table:add("2003.0", event_proto_2003_0)
event_proto_3001_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.3001.0", "Microsoft-Windows-NDIS-PacketCapture EventId(3001) Version(0)")
-- EventId 3001 Version 0: state transition (two 8-bit states, two 32-bit values).
event_proto_3001_0.fields = {
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.3001.PreviousState", "PreviousState", base.DEC), -- [1]
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.3001.NextState", "NextState", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.3001.Location", "Location", base.DEC), -- [3]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.3001.Context", "Context", base.DEC), -- [4]
}
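function event_proto_3001_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 3001 Version 0:
  -- PreviousState and NextState (1 byte each), then Location and Context (4 bytes each).
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_3001_0.name
  local fields = tree:add(event_proto_3001_0, buffer())
  local index = 0
  local field_sizes = { 1, 1, 4, 4 } -- PreviousState, NextState, Location, Context
  for field_no, size in ipairs(field_sizes) do
    fields:add_le(event_proto_3001_0.fields[field_no], buffer(index, size))
    index = index + size
  end
end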
dissector_table:add("3001.0", event_proto_3001_0)
event_proto_3002_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.3002.0", "Microsoft-Windows-NDIS-PacketCapture EventId(3002) Version(0)")
-- EventId 3002 Version 0: state transition (two 8-bit states, two 32-bit values).
event_proto_3002_0.fields = {
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.3002.PreviousState", "PreviousState", base.DEC), -- [1]
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.3002.NextState", "NextState", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.3002.Location", "Location", base.DEC), -- [3]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.3002.Context", "Context", base.DEC), -- [4]
}
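function event_proto_3002_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 3002 Version 0:
  -- PreviousState and NextState (1 byte each), then Location and Context (4 bytes
  -- each); same layout as event 3001.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_3002_0.name
  local fields = tree:add(event_proto_3002_0, buffer())
  local index = 0
  local field_sizes = { 1, 1, 4, 4 } -- PreviousState, NextState, Location, Context
  for field_no, size in ipairs(field_sizes) do
    fields:add_le(event_proto_3002_0.fields[field_no], buffer(index, size))
    index = index + size
  end
end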
dissector_table:add("3002.0", event_proto_3002_0)
event_proto_5100_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.5100.0", "Microsoft-Windows-NDIS-PacketCapture EventId(5100) Version(0)")
-- EventId 5100 Version 0: rundown record; fixed-size fields followed by two UTF-16 strings.
event_proto_5100_0.fields = {
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.5100.SourceId", "SourceId", base.DEC), -- [1]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.5100.RundownId", "RundownId", base.DEC), -- [2]
  ProtoField.uint64("Microsoft-Windows-NDIS-PacketCapture.5100.Param1", "Param1", base.DEC), -- [3]
  ProtoField.uint64("Microsoft-Windows-NDIS-PacketCapture.5100.Param2", "Param2", base.DEC), -- [4]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.5100.ParamStr", "ParamStr", base.UNICODE), -- [5]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.5100.Description", "Description", base.UNICODE), -- [6]
}
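function event_proto_5100_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 5100 Version 0:
  -- SourceId (1), RundownId (4), Param1/Param2 (8 each), then two NUL-terminated
  -- UTF-16LE strings (ParamStr, Description).
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_5100_0.name
  local fields = tree:add(event_proto_5100_0, buffer())
  local index = 0

  -- Reads the NUL-terminated UTF-16LE string at `offset`; returns its text and the
  -- number of bytes to skip (characters plus terminator, two bytes each).
  -- NOTE(review): :len() is the byte length of the UTF-8 conversion, so the skip is
  -- only exact for ASCII text. That is the arithmetic the original used; kept as-is.
  local function utf16z_at(offset)
    local text = buffer(offset):le_ustringz()
    return text, (text:len() + 1) * 2
  end

  local fixed_sizes = { 1, 4, 8, 8 } -- SourceId, RundownId, Param1, Param2
  for field_no, size in ipairs(fixed_sizes) do
    fields:add_le(event_proto_5100_0.fields[field_no], buffer(index, size))
    index = index + size
  end
  for field_no = 5, 6 do -- ParamStr, Description
    local text, byte_len = utf16z_at(index)
    fields:add_le(event_proto_5100_0.fields[field_no], buffer(index, byte_len), tostring(text))
    index = index + byte_len
  end
end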
dissector_table:add("5100.0", event_proto_5100_0)
event_proto_5101_0 = Proto("Microsoft-Windows-NDIS-PacketCapture.5101.0", "Microsoft-Windows-NDIS-PacketCapture EventId(5101) Version(0)")
-- EventId 5101 Version 0: field definitions in payload order; the dissector indexes them 1-based.
event_proto_5101_0.fields = {
  ProtoField.uint8("Microsoft-Windows-NDIS-PacketCapture.5101.SourceId", "SourceId", base.DEC), -- [1]
  ProtoField.string("Microsoft-Windows-NDIS-PacketCapture.5101.SourceName", "SourceName", base.UNICODE), -- [2]
  ProtoField.uint32("Microsoft-Windows-NDIS-PacketCapture.5101.IfIndex", "IfIndex", base.DEC), -- [3]
  ProtoField.uint16("Microsoft-Windows-NDIS-PacketCapture.5101.LayerCount", "LayerCount", base.DEC), -- [4]
  ProtoField.int16("Microsoft-Windows-NDIS-PacketCapture.5101.LayerInfo", "LayerInfo", base.DEC), -- [5]
}
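function event_proto_5101_0.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-NDIS-PacketCapture EventId 5101 Version 0:
  -- SourceId (1 byte), a NUL-terminated UTF-16LE SourceName, IfIndex (4 bytes),
  -- LayerCount (2 bytes) and one signed 16-bit LayerInfo.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  pinfo.cols.protocol = event_proto_5101_0.name
  local fields = tree:add(event_proto_5101_0, buffer())
  local index = 0
  fields:add_le(event_proto_5101_0.fields[1], buffer(index, 1)) -- SourceId
  index = index + 1
  -- SourceName: characters plus NUL terminator, two bytes each.
  -- NOTE(review): :len() is the byte length of the UTF-8 conversion, so the skip is
  -- only exact for ASCII text. That is the arithmetic the original used; kept as-is.
  local source_name = buffer(index):le_ustringz()
  local source_name_len = (source_name:len() + 1) * 2
  fields:add_le(event_proto_5101_0.fields[2], buffer(index, source_name_len), tostring(source_name))
  index = index + source_name_len
  fields:add_le(event_proto_5101_0.fields[3], buffer(index, 4)) -- IfIndex
  index = index + 4
  -- LayerCount is read but only a single LayerInfo follows; presumably an array in
  -- the provider manifest — verify before changing.
  fields:add_le(event_proto_5101_0.fields[4], buffer(index, 2)) -- LayerCount
  index = index + 2
  fields:add_le(event_proto_5101_0.fields[5], buffer(index, 2)) -- LayerInfo
  index = index + 2
end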
-- Last NDIS-PacketCapture event registration: key is "<EventId>.<Version>".
dissector_table:add("5101.0", event_proto_5101_0)
================================================
FILE: dissector/Microsoft_Windows_PktMon.lua
================================================
-- Microsoft-Windows-PktMon provider dissector. The provider-level Proto is hooked
-- into the "winshark" table by provider GUID; every (EventId, Version) pair then
-- gets its own Proto in `dissector_table`, keyed by the string "<id>.<version>".
local proto = Proto("Microsoft-Windows-PktMon", "Microsoft-Windows-PktMon")
-- Presumably filled in by the winshark header dissector; read at dissection time.
local event_id = Field.new("winshark.header.EventDescriptor.Id")
local event_version = Field.new("winshark.header.EventDescriptor.Version")
local dissector_table = DissectorTable.new("Microsoft-Windows-PktMon", "Microsoft-Windows-PktMon 4d4f80d9-c8bd-4d73-bb5b-19c90402c5ac", ftypes.STRING)
-- `protocols` maps "<id>.<version>" to its Proto; `current_protocol` is the scratch
-- variable reused while each per-event Proto is built below.
local protocols, current_protocol = {}, nil
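function proto.dissector(buffer, pinfo, tree)
  -- Provider-level dissector for Microsoft-Windows-PktMon: routes the event user
  -- data to the per-event Proto registered under "<EventId>.<Version>".
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing. Unknown ids simply leave `try` without a match.
  local length = buffer:len()
  if length == 0 then return end
  local id = event_id()
  local version = event_version()
  -- tostring() of the FieldInfo yields the display value (or "nil" if the header
  -- field is absent, which then matches no entry).
  local key = tostring(id) .. "." .. tostring(version)
  dissector_table:try(key, buffer, pinfo, tree)
end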
local winshark_dissector_table = DissectorTable.get("winshark")
-- Register the provider by its GUID so the winshark layer dispatches PktMon events here.
winshark_dissector_table:add("4d4f80d9-c8bd-4d73-bb5b-19c90402c5ac", proto)
current_protocol = Proto("Microsoft-Windows-PktMon.10.0", "Microsoft-Windows-PktMon EventId(10) Version(0)")
-- EventId 10 Version 0: a single field.
current_protocol.fields = {
  ProtoField.uint32("Microsoft-Windows-PktMon.10.0.Status", "Status", base.DEC), -- [1]
}
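function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 10 Version 0: one 32-bit Status.
  -- The Proto is looked up in `protocols` rather than captured from
  -- `current_protocol`, because that variable is reassigned for every event below.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_10_0 = protocols["10.0"]
  pinfo.cols.protocol = event_proto_10_0.name
  pinfo.cols.info = event_proto_10_0.description
  local fields = tree:add(event_proto_10_0, buffer())
  local index = 0
  fields:add_le(event_proto_10_0.fields[1], buffer(index, 4)) -- Status
  index = index + 4
end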
protocols["10.0"] = current_protocol
dissector_table:add("10.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.20.0", "Microsoft-Windows-PktMon EventId(20) Version(0)")
-- EventId 20 Version 0: two 16-bit values followed by two UTF-16 strings.
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.20.0.Id", "Id", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.20.0.Type", "Type", base.DEC), -- [2]
  ProtoField.string("Microsoft-Windows-PktMon.20.0.Name", "Name", base.UNICODE), -- [3]
  ProtoField.string("Microsoft-Windows-PktMon.20.0.Description", "Description", base.UNICODE), -- [4]
}
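function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 20 Version 0: Id and Type
  -- (2 bytes each) followed by NUL-terminated UTF-16LE Name and Description.
  -- The Proto is looked up in `protocols` because `current_protocol` is reused.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_20_0 = protocols["20.0"]
  pinfo.cols.protocol = event_proto_20_0.name
  pinfo.cols.info = event_proto_20_0.description
  local fields = tree:add(event_proto_20_0, buffer())
  local index = 0

  -- Reads the NUL-terminated UTF-16LE string at `offset`; returns its text and the
  -- number of bytes to skip (characters plus terminator, two bytes each).
  -- NOTE(review): :len() is the byte length of the UTF-8 conversion, so the skip is
  -- only exact for ASCII text. That is the arithmetic the original used; kept as-is.
  local function utf16z_at(offset)
    local text = buffer(offset):le_ustringz()
    return text, (text:len() + 1) * 2
  end

  fields:add_le(event_proto_20_0.fields[1], buffer(index, 2)) -- Id
  index = index + 2
  fields:add_le(event_proto_20_0.fields[2], buffer(index, 2)) -- Type
  index = index + 2
  for field_no = 3, 4 do -- Name, Description
    local text, byte_len = utf16z_at(index)
    fields:add_le(event_proto_20_0.fields[field_no], buffer(index, byte_len), tostring(text))
    index = index + byte_len
  end
end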
protocols["20.0"] = current_protocol
dissector_table:add("20.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.30.0", "Microsoft-Windows-PktMon EventId(30) Version(0)")
-- EventId 30 Version 0: component id, type and a 32-bit value.
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.30.0.ComponentId", "ComponentId", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.30.0.Type", "Type", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-PktMon.30.0.Value", "Value", base.DEC), -- [3]
}
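function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 30 Version 0: ComponentId and
  -- Type (2 bytes each) followed by a 32-bit Value.
  -- The Proto is looked up in `protocols` because `current_protocol` is reused.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_30_0 = protocols["30.0"]
  pinfo.cols.protocol = event_proto_30_0.name
  pinfo.cols.info = event_proto_30_0.description
  local fields = tree:add(event_proto_30_0, buffer())
  local index = 0
  local field_sizes = { 2, 2, 4 } -- ComponentId, Type, Value
  for field_no, size in ipairs(field_sizes) do
    fields:add_le(event_proto_30_0.fields[field_no], buffer(index, size))
    index = index + size
  end
end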
protocols["30.0"] = current_protocol
dissector_table:add("30.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.40.0", "Microsoft-Windows-PktMon EventId(40) Version(0)")
-- EventId 40 Version 0: component id, type and a GUID value.
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.40.0.ComponentId", "ComponentId", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.40.0.Type", "Type", base.DEC), -- [2]
  ProtoField.guid("Microsoft-Windows-PktMon.40.0.Value", "Value", base.DEC), -- [3]
}
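function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 40 Version 0: ComponentId and
  -- Type (2 bytes each) followed by a 16-byte GUID Value.
  -- The Proto is looked up in `protocols` because `current_protocol` is reused.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_40_0 = protocols["40.0"]
  pinfo.cols.protocol = event_proto_40_0.name
  pinfo.cols.info = event_proto_40_0.description
  local fields = tree:add(event_proto_40_0, buffer())
  local index = 0
  local field_sizes = { 2, 2, 16 } -- ComponentId, Type, Value (GUID)
  for field_no, size in ipairs(field_sizes) do
    fields:add_le(event_proto_40_0.fields[field_no], buffer(index, size))
    index = index + size
  end
end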
protocols["40.0"] = current_protocol
dissector_table:add("40.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.50.0", "Microsoft-Windows-PktMon EventId(50) Version(0)")
-- EventId 50 Version 0: component id, type and a 32-bit value.
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.50.0.ComponentId", "ComponentId", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.50.0.Type", "Type", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-PktMon.50.0.Value", "Value", base.DEC), -- [3]
}
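function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 50 Version 0: ComponentId and
  -- Type (2 bytes each) followed by a 32-bit Value (same layout as event 30).
  -- The Proto is looked up in `protocols` because `current_protocol` is reused.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_50_0 = protocols["50.0"]
  pinfo.cols.protocol = event_proto_50_0.name
  pinfo.cols.info = event_proto_50_0.description
  local fields = tree:add(event_proto_50_0, buffer())
  local index = 0
  local field_sizes = { 2, 2, 4 } -- ComponentId, Type, Value
  for field_no, size in ipairs(field_sizes) do
    fields:add_le(event_proto_50_0.fields[field_no], buffer(index, size))
    index = index + size
  end
end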
protocols["50.0"] = current_protocol
dissector_table:add("50.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.60.0", "Microsoft-Windows-PktMon EventId(60) Version(0)")
-- EventId 60 Version 0: component id, type and a 16-bit value.
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.60.0.ComponentId", "ComponentId", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.60.0.Type", "Type", base.DEC), -- [2]
  ProtoField.uint16("Microsoft-Windows-PktMon.60.0.Value", "Value", base.DEC), -- [3]
}
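function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 60 Version 0: ComponentId,
  -- Type and Value, each a little-endian 16-bit value.
  -- The Proto is looked up in `protocols` because `current_protocol` is reused.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_60_0 = protocols["60.0"]
  pinfo.cols.protocol = event_proto_60_0.name
  pinfo.cols.info = event_proto_60_0.description
  local fields = tree:add(event_proto_60_0, buffer())
  local index = 0
  for field_no = 1, 3 do -- ComponentId, Type, Value
    fields:add_le(event_proto_60_0.fields[field_no], buffer(index, 2))
    index = index + 2
  end
end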
protocols["60.0"] = current_protocol
dissector_table:add("60.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.65.0", "Microsoft-Windows-PktMon EventId(65) Version(0)")
-- EventId 65 Version 0: component id, type and a 32-bit IpAddress (shown as a plain integer).
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.65.0.ComponentId", "ComponentId", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.65.0.Type", "Type", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-PktMon.65.0.IpAddress", "IpAddress", base.DEC), -- [3]
}
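function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 65 Version 0: ComponentId and
  -- Type (2 bytes each) followed by a 32-bit IpAddress, displayed as an integer
  -- because the field is declared uint32 rather than an address type.
  -- The Proto is looked up in `protocols` because `current_protocol` is reused.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_65_0 = protocols["65.0"]
  pinfo.cols.protocol = event_proto_65_0.name
  pinfo.cols.info = event_proto_65_0.description
  local fields = tree:add(event_proto_65_0, buffer())
  local index = 0
  local field_sizes = { 2, 2, 4 } -- ComponentId, Type, IpAddress
  for field_no, size in ipairs(field_sizes) do
    fields:add_le(event_proto_65_0.fields[field_no], buffer(index, size))
    index = index + size
  end
end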
protocols["65.0"] = current_protocol
dissector_table:add("65.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.66.0", "Microsoft-Windows-PktMon EventId(66) Version(0)")
-- EventId 66 Version 0: component id, type and a byte-array IpAddress.
-- Note that field [3] is declared here but the dissector for this event never attaches it.
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.66.0.ComponentId", "ComponentId", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.66.0.Type", "Type", base.DEC), -- [2]
  ProtoField.bytes("Microsoft-Windows-PktMon.66.0.IpAddress", "IpAddress", base.NONE), -- [3]
}
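function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId 66 Version 0: ComponentId and
  -- Type (2 bytes each). fields[3] (IpAddress, bytes) is declared but never added
  -- to the tree here; presumably the generator had no length for it — verify
  -- against the provider manifest before adding a read.
  -- The Proto is looked up in `protocols` because `current_protocol` is reused.
  -- buffer: Tvb with the event user data; pinfo: packet info; tree: parent TreeItem.
  -- Returns nothing.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_66_0 = protocols["66.0"]
  pinfo.cols.protocol = event_proto_66_0.name
  pinfo.cols.info = event_proto_66_0.description
  local fields = tree:add(event_proto_66_0, buffer())
  local index = 0
  for field_no = 1, 2 do -- ComponentId, Type
    fields:add_le(event_proto_66_0.fields[field_no], buffer(index, 2))
    index = index + 2
  end
end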
protocols["66.0"] = current_protocol
dissector_table:add("66.0", current_protocol)
current_protocol = Proto("Microsoft-Windows-PktMon.70.0", "Microsoft-Windows-PktMon EventId(70) Version(0)")
-- EventId 70 Version 0: component id, type and a length-prefixed byte Value.
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.70.0.ComponentId", "ComponentId", base.DEC), -- [1]
  ProtoField.uint16("Microsoft-Windows-PktMon.70.0.Type", "Type", base.DEC), -- [2]
  ProtoField.uint32("Microsoft-Windows-PktMon.70.0.Size", "Size", base.DEC), -- [3]
  ProtoField.bytes("Microsoft-Windows-PktMon.70.0.Value", "Value", base.NONE), -- [4]
}
function current_protocol.dissector(buffer, pinfo, tree)
length = buffer:len()
if length == 0 then return end
local event_proto_70_0 = protocols["70.0"]
pinfo.cols.protocol = event_proto_70_0.name
pinfo.cols.info = event_proto_70_0.description
local fields = tree:add(event_proto_70_0, buffer())
local index = 0
local ComponentId_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_70_0.fields[1], buffer(index, 2))
index = index + 2
local Type_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_70_0.fields[2], buffer(index, 2))
index = index + 2
local Size_value = buffer(index, 4):le_uint()
fields:add_le(event_proto_70_0.fields[3], buffer(index, 4))
index = index + 4
fields:add_le(event_proto_70_0.fields[4], buffer(index, Size_value))
index = index + Size_value
end
protocols["70.0"] = current_protocol
dissector_table:add("70.0", current_protocol)
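-- Microsoft-Windows-PktMon EventId(73) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.73.0", "Microsoft-Windows-PktMon EventId(73) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.73.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.73.0.Type", "Type", base.DEC),
  ProtoField.string("Microsoft-Windows-PktMon.73.0.Value", "Value", base.UNICODE)
}
-- Dissector for the user data of one 73.0 event.
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- Fixed-size fields are followed by a zero-terminated UTF-16LE string. Wireshark's TvbRange
-- rejects an out-of-range offset/length with a Lua error that is reported on the packet, so a
-- truncated payload is flagged rather than read past the buffer.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["73.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  -- Add a zero-terminated UTF-16LE string field at `offset`; return the next offset.
  -- The string is decoded once instead of three times as in the generated code.
  -- NOTE(review): the byte size is derived from `len()` of the decoded Lua string, which only
  -- matches the UTF-16 size (2 bytes per code unit + terminator) for ASCII text; non-ASCII
  -- strings would be mis-sized. Kept as generated -- confirm against the decoding API.
  local function add_ustringz(field_index, offset)
    local text = tostring(buffer(offset):le_ustringz())
    local size = (text:len() + 1) * 2
    fields:add_le(event_proto.fields[field_index], buffer(offset, size), text)
    return offset + size
  end
  local index = 0
  index = add_fixed(1, index, 2) -- ComponentId (uint16)
  index = add_fixed(2, index, 2) -- Type (uint16)
  index = add_ustringz(3, index) -- Value (UTF-16LE, zero-terminated)
end
protocols["73.0"] = current_protocol
dissector_table:add("73.0", current_protocol)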
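-- Microsoft-Windows-PktMon EventId(75) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.75.0", "Microsoft-Windows-PktMon EventId(75) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.75.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.75.0.Type", "Type", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.75.0.EtherType", "EtherType", base.DEC)
}
-- Dissector for the user data of one 75.0 event.
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- Field offsets are fixed and little-endian. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet, so a truncated payload is
-- flagged rather than read past the buffer.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["75.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  local index = 0
  index = add_fixed(1, index, 2) -- ComponentId (uint16)
  index = add_fixed(2, index, 2) -- Type (uint16)
  index = add_fixed(3, index, 2) -- EtherType (uint16)
end
protocols["75.0"] = current_protocol
dissector_table:add("75.0", current_protocol)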
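-- Microsoft-Windows-PktMon EventId(80) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.80.0", "Microsoft-Windows-PktMon EventId(80) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.80.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.80.0.DirTagIn", "DirTagIn", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.80.0.PacketsIn", "PacketsIn", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.80.0.BytesIn", "BytesIn", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.80.0.DirTagOut", "DirTagOut", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.80.0.PacketsOut", "PacketsOut", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.80.0.BytesOut", "BytesOut", base.DEC)
}
-- Dissector for the user data of one 80.0 event (per-component in/out counters).
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- Field offsets are fixed and little-endian. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet, so a truncated payload is
-- flagged rather than read past the buffer.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["80.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  local index = 0
  index = add_fixed(1, index, 2) -- ComponentId (uint16)
  index = add_fixed(2, index, 2) -- DirTagIn (uint16)
  index = add_fixed(3, index, 8) -- PacketsIn (uint64)
  index = add_fixed(4, index, 8) -- BytesIn (uint64)
  index = add_fixed(5, index, 2) -- DirTagOut (uint16)
  index = add_fixed(6, index, 8) -- PacketsOut (uint64)
  index = add_fixed(7, index, 8) -- BytesOut (uint64)
end
protocols["80.0"] = current_protocol
dissector_table:add("80.0", current_protocol)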
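-- Microsoft-Windows-PktMon EventId(90) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.90.0", "Microsoft-Windows-PktMon EventId(90) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.90.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.string("Microsoft-Windows-PktMon.90.0.EdgeName", "EdgeName", base.UNICODE),
  ProtoField.uint16("Microsoft-Windows-PktMon.90.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.90.0.DirTagIn", "DirTagIn", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.90.0.PacketsIn", "PacketsIn", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.90.0.BytesIn", "BytesIn", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.90.0.DirTagOut", "DirTagOut", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.90.0.PacketsOut", "PacketsOut", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.90.0.BytesOut", "BytesOut", base.DEC)
}
-- Dissector for the user data of one 90.0 event (per-edge in/out counters).
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- A zero-terminated UTF-16LE EdgeName sits between fixed-size little-endian fields, so every
-- offset after it depends on the string length. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["90.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  -- Add a zero-terminated UTF-16LE string field at `offset`; return the next offset.
  -- The string is decoded once instead of three times as in the generated code.
  -- NOTE(review): the byte size is derived from `len()` of the decoded Lua string, which only
  -- matches the UTF-16 size (2 bytes per code unit + terminator) for ASCII text; non-ASCII
  -- strings would be mis-sized. Kept as generated -- confirm against the decoding API.
  local function add_ustringz(field_index, offset)
    local text = tostring(buffer(offset):le_ustringz())
    local size = (text:len() + 1) * 2
    fields:add_le(event_proto.fields[field_index], buffer(offset, size), text)
    return offset + size
  end
  local index = 0
  index = add_fixed(1, index, 2)  -- ComponentId (uint16)
  index = add_ustringz(2, index)  -- EdgeName (UTF-16LE, zero-terminated)
  index = add_fixed(3, index, 2)  -- EdgeId (uint16)
  index = add_fixed(4, index, 2)  -- DirTagIn (uint16)
  index = add_fixed(5, index, 8)  -- PacketsIn (uint64)
  index = add_fixed(6, index, 8)  -- BytesIn (uint64)
  index = add_fixed(7, index, 2)  -- DirTagOut (uint16)
  index = add_fixed(8, index, 8)  -- PacketsOut (uint64)
  index = add_fixed(9, index, 8)  -- BytesOut (uint64)
end
protocols["90.0"] = current_protocol
dissector_table:add("90.0", current_protocol)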
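-- Microsoft-Windows-PktMon EventId(100) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.100.0", "Microsoft-Windows-PktMon EventId(100) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.100.0.FilterId", "FilterId", base.DEC),
  ProtoField.string("Microsoft-Windows-PktMon.100.0.FilterName", "FilterName", base.UNICODE),
  ProtoField.bytes("Microsoft-Windows-PktMon.100.0.MacAddress1", "MacAddress1", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.100.0.MacAddress2", "MacAddress2", base.NONE),
  ProtoField.uint16("Microsoft-Windows-PktMon.100.0.EtherType", "EtherType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.100.0.VlanId", "VlanId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.100.0.IpAddress1", "IpAddress1", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.100.0.IpAddress2", "IpAddress2", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.100.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.100.0.Port1", "Port1", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.100.0.Port2", "Port2", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.100.0.TCPFlags", "TCPFlags", base.DEC)
}
-- Dissector for the user data of one 100.0 event (filter definition).
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- A zero-terminated UTF-16LE FilterName sits between fixed-size little-endian fields, so every
-- offset after it depends on the string length. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["100.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  -- Add a zero-terminated UTF-16LE string field at `offset`; return the next offset.
  -- The string is decoded once instead of three times as in the generated code.
  -- NOTE(review): the byte size is derived from `len()` of the decoded Lua string, which only
  -- matches the UTF-16 size (2 bytes per code unit + terminator) for ASCII text; non-ASCII
  -- strings would be mis-sized. Kept as generated -- confirm against the decoding API.
  local function add_ustringz(field_index, offset)
    local text = tostring(buffer(offset):le_ustringz())
    local size = (text:len() + 1) * 2
    fields:add_le(event_proto.fields[field_index], buffer(offset, size), text)
    return offset + size
  end
  local index = 0
  index = add_fixed(1, index, 2)  -- FilterId (uint16)
  index = add_ustringz(2, index)  -- FilterName (UTF-16LE, zero-terminated)
  -- NOTE(review): fields[3] and fields[4] (MacAddress1, MacAddress2, bytes) are declared but
  -- never added, so no bytes are consumed for them between FilterName and EtherType. If the
  -- event carries them on the wire, every field from EtherType on is read at the wrong offset
  -- -- confirm against the provider manifest.
  index = add_fixed(5, index, 2)  -- EtherType (uint16)
  index = add_fixed(6, index, 2)  -- VlanId (uint16)
  index = add_fixed(7, index, 4)  -- IpAddress1 (uint32)
  index = add_fixed(8, index, 4)  -- IpAddress2 (uint32)
  index = add_fixed(9, index, 1)  -- Protocol (uint8)
  index = add_fixed(10, index, 2) -- Port1 (uint16)
  index = add_fixed(11, index, 2) -- Port2 (uint16)
  index = add_fixed(12, index, 1) -- TCPFlags (uint8)
end
protocols["100.0"] = current_protocol
dissector_table:add("100.0", current_protocol)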
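-- Microsoft-Windows-PktMon EventId(110) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.110.0", "Microsoft-Windows-PktMon EventId(110) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.110.0.FilterId", "FilterId", base.DEC),
  ProtoField.string("Microsoft-Windows-PktMon.110.0.FilterName", "FilterName", base.UNICODE),
  ProtoField.bytes("Microsoft-Windows-PktMon.110.0.MacAddress1", "MacAddress1", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.110.0.MacAddress2", "MacAddress2", base.NONE),
  ProtoField.uint16("Microsoft-Windows-PktMon.110.0.EtherType", "EtherType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.110.0.VlanId", "VlanId", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.110.0.IpAddress1", "IpAddress1", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.110.0.IpAddress2", "IpAddress2", base.NONE),
  ProtoField.uint8("Microsoft-Windows-PktMon.110.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.110.0.Port1", "Port1", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.110.0.Port2", "Port2", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.110.0.TCPFlags", "TCPFlags", base.DEC)
}
-- Dissector for the user data of one 110.0 event (filter definition, byte-array addresses).
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- A zero-terminated UTF-16LE FilterName sits between fixed-size little-endian fields, so every
-- offset after it depends on the string length. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["110.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  -- Add a zero-terminated UTF-16LE string field at `offset`; return the next offset.
  -- The string is decoded once instead of three times as in the generated code.
  -- NOTE(review): the byte size is derived from `len()` of the decoded Lua string, which only
  -- matches the UTF-16 size (2 bytes per code unit + terminator) for ASCII text; non-ASCII
  -- strings would be mis-sized. Kept as generated -- confirm against the decoding API.
  local function add_ustringz(field_index, offset)
    local text = tostring(buffer(offset):le_ustringz())
    local size = (text:len() + 1) * 2
    fields:add_le(event_proto.fields[field_index], buffer(offset, size), text)
    return offset + size
  end
  local index = 0
  index = add_fixed(1, index, 2)  -- FilterId (uint16)
  index = add_ustringz(2, index)  -- FilterName (UTF-16LE, zero-terminated)
  -- NOTE(review): fields[3]/[4] (MacAddress1/2) and fields[7]/[8] (IpAddress1/2), all bytes, are
  -- declared but never added, so no bytes are consumed for them. If the event carries them on
  -- the wire, every field from EtherType on is read at the wrong offset -- confirm against the
  -- provider manifest.
  index = add_fixed(5, index, 2)  -- EtherType (uint16)
  index = add_fixed(6, index, 2)  -- VlanId (uint16)
  index = add_fixed(9, index, 1)  -- Protocol (uint8)
  index = add_fixed(10, index, 2) -- Port1 (uint16)
  index = add_fixed(11, index, 2) -- Port2 (uint16)
  index = add_fixed(12, index, 1) -- TCPFlags (uint8)
end
protocols["110.0"] = current_protocol
dissector_table:add("110.0", current_protocol)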
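-- Microsoft-Windows-PktMon EventId(120) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.120.0", "Microsoft-Windows-PktMon EventId(120) Version(0)")
current_protocol.fields = {
  ProtoField.bytes("Microsoft-Windows-PktMon.120.0.DestinationMAC", "DestinationMAC", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.120.0.SourceMAC", "SourceMAC", base.NONE),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.EtherType", "EtherType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.VlanId", "VlanId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.120.0.DestinationIP", "DestinationIP", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.120.0.SourceIP", "SourceIP", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.120.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.120.0.TCPFlags", "TCPFlags", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.120.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.PktCount", "PktCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.120.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.120.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.120.0.DropLocation", "DropLocation", base.DEC)
}
-- Dissector for the user data of one 120.0 event.
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- Field offsets are fixed and little-endian. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet, so a truncated payload is
-- flagged rather than read past the buffer.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["120.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  local index = 0
  -- NOTE(review): fields[1] and fields[2] (DestinationMAC, SourceMAC, bytes) are declared but
  -- never added, so parsing starts at offset 0 with EtherType. If the event carries the MAC
  -- addresses first, every field is read at the wrong offset -- confirm against the provider
  -- manifest.
  index = add_fixed(3, index, 2)  -- EtherType (uint16)
  index = add_fixed(4, index, 2)  -- VlanId (uint16)
  index = add_fixed(5, index, 4)  -- DestinationIP (uint32)
  index = add_fixed(6, index, 4)  -- SourceIP (uint32)
  index = add_fixed(7, index, 1)  -- Protocol (uint8)
  index = add_fixed(8, index, 2)  -- DestinationPort (uint16)
  index = add_fixed(9, index, 2)  -- SourcePort (uint16)
  index = add_fixed(10, index, 1) -- TCPFlags (uint8)
  index = add_fixed(11, index, 8) -- PktGroupId (uint64)
  index = add_fixed(12, index, 2) -- PktCount (uint16)
  index = add_fixed(13, index, 2) -- AppearanceCount (uint16)
  index = add_fixed(14, index, 2) -- DirTag (uint16)
  index = add_fixed(15, index, 2) -- PacketType (uint16)
  index = add_fixed(16, index, 2) -- ComponentId (uint16)
  index = add_fixed(17, index, 2) -- EdgeId (uint16)
  index = add_fixed(18, index, 2) -- FilterId (uint16)
  index = add_fixed(19, index, 4) -- DropReason (uint32)
  index = add_fixed(20, index, 4) -- DropLocation (uint32)
end
protocols["120.0"] = current_protocol
dissector_table:add("120.0", current_protocol)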
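-- Microsoft-Windows-PktMon EventId(130) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.130.0", "Microsoft-Windows-PktMon EventId(130) Version(0)")
current_protocol.fields = {
  ProtoField.bytes("Microsoft-Windows-PktMon.130.0.DestinationMAC", "DestinationMAC", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.130.0.SourceMAC", "SourceMAC", base.NONE),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.EtherType", "EtherType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.VlanId", "VlanId", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.130.0.DestinationIP", "DestinationIP", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.130.0.SourceIP", "SourceIP", base.NONE),
  ProtoField.uint8("Microsoft-Windows-PktMon.130.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.130.0.TCPFlags", "TCPFlags", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.130.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.PktCount", "PktCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.130.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.130.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.130.0.DropLocation", "DropLocation", base.DEC)
}
-- Dissector for the user data of one 130.0 event (byte-array IP addresses).
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- Field offsets are fixed and little-endian. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet, so a truncated payload is
-- flagged rather than read past the buffer.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["130.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  local index = 0
  -- NOTE(review): fields[1]/[2] (DestinationMAC, SourceMAC) and fields[5]/[6] (DestinationIP,
  -- SourceIP), all bytes, are declared but never added, so no bytes are consumed for them. If
  -- the event carries them on the wire, the remaining fields are read at the wrong offset --
  -- confirm against the provider manifest.
  index = add_fixed(3, index, 2)  -- EtherType (uint16)
  index = add_fixed(4, index, 2)  -- VlanId (uint16)
  index = add_fixed(7, index, 1)  -- Protocol (uint8)
  index = add_fixed(8, index, 2)  -- DestinationPort (uint16)
  index = add_fixed(9, index, 2)  -- SourcePort (uint16)
  index = add_fixed(10, index, 1) -- TCPFlags (uint8)
  index = add_fixed(11, index, 8) -- PktGroupId (uint64)
  index = add_fixed(12, index, 2) -- PktCount (uint16)
  index = add_fixed(13, index, 2) -- AppearanceCount (uint16)
  index = add_fixed(14, index, 2) -- DirTag (uint16)
  index = add_fixed(15, index, 2) -- PacketType (uint16)
  index = add_fixed(16, index, 2) -- ComponentId (uint16)
  index = add_fixed(17, index, 2) -- EdgeId (uint16)
  index = add_fixed(18, index, 2) -- FilterId (uint16)
  index = add_fixed(19, index, 4) -- DropReason (uint32)
  index = add_fixed(20, index, 4) -- DropLocation (uint32)
end
protocols["130.0"] = current_protocol
dissector_table:add("130.0", current_protocol)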
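-- Microsoft-Windows-PktMon EventId(140) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.140.0", "Microsoft-Windows-PktMon EventId(140) Version(0)")
current_protocol.fields = {
  ProtoField.bytes("Microsoft-Windows-PktMon.140.0.DestinationMAC", "DestinationMAC", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.140.0.SourceMAC", "SourceMAC", base.NONE),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.EtherType", "EtherType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.VlanId", "VlanId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.140.0.DestinationIP", "DestinationIP", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.140.0.SourceIP", "SourceIP", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.140.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.140.0.TCPFlags", "TCPFlags", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.140.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.PktCount", "PktCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.140.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.140.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.140.0.DropLocation", "DropLocation", base.DEC)
}
-- Dissector for the user data of one 140.0 event.
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- Field offsets are fixed and little-endian. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet, so a truncated payload is
-- flagged rather than read past the buffer.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["140.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  local index = 0
  -- NOTE(review): fields[1] and fields[2] (DestinationMAC, SourceMAC, bytes) are declared but
  -- never added, so parsing starts at offset 0 with EtherType. If the event carries the MAC
  -- addresses first, every field is read at the wrong offset -- confirm against the provider
  -- manifest.
  index = add_fixed(3, index, 2)  -- EtherType (uint16)
  index = add_fixed(4, index, 2)  -- VlanId (uint16)
  index = add_fixed(5, index, 4)  -- DestinationIP (uint32)
  index = add_fixed(6, index, 4)  -- SourceIP (uint32)
  index = add_fixed(7, index, 1)  -- Protocol (uint8)
  index = add_fixed(8, index, 2)  -- DestinationPort (uint16)
  index = add_fixed(9, index, 2)  -- SourcePort (uint16)
  index = add_fixed(10, index, 1) -- TCPFlags (uint8)
  index = add_fixed(11, index, 8) -- PktGroupId (uint64)
  index = add_fixed(12, index, 2) -- PktCount (uint16)
  index = add_fixed(13, index, 2) -- AppearanceCount (uint16)
  index = add_fixed(14, index, 2) -- DirTag (uint16)
  index = add_fixed(15, index, 2) -- PacketType (uint16)
  index = add_fixed(16, index, 2) -- ComponentId (uint16)
  index = add_fixed(17, index, 2) -- EdgeId (uint16)
  index = add_fixed(18, index, 2) -- FilterId (uint16)
  index = add_fixed(19, index, 4) -- DropReason (uint32)
  index = add_fixed(20, index, 4) -- DropLocation (uint32)
end
protocols["140.0"] = current_protocol
dissector_table:add("140.0", current_protocol)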
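-- Microsoft-Windows-PktMon EventId(150) Version(0).
current_protocol = Proto("Microsoft-Windows-PktMon.150.0", "Microsoft-Windows-PktMon EventId(150) Version(0)")
current_protocol.fields = {
  ProtoField.bytes("Microsoft-Windows-PktMon.150.0.DestinationMAC", "DestinationMAC", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.150.0.SourceMAC", "SourceMAC", base.NONE),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.EtherType", "EtherType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.VlanId", "VlanId", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.150.0.DestinationIP", "DestinationIP", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.150.0.SourceIP", "SourceIP", base.NONE),
  ProtoField.uint8("Microsoft-Windows-PktMon.150.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.150.0.TCPFlags", "TCPFlags", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.150.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.PktCount", "PktCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.150.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.150.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.150.0.DropLocation", "DropLocation", base.DEC)
}
-- Dissector for the user data of one 150.0 event (byte-array IP addresses).
--   buffer: Tvb with the event payload (untrusted trace data)
--   pinfo:  packet info; the protocol and info columns are set from the Proto
--   tree:   parent TreeItem; a subtree for this event is added under it
-- Field offsets are fixed and little-endian. Wireshark's TvbRange rejects an out-of-range
-- offset/length with a Lua error that is reported on the packet, so a truncated payload is
-- flagged rather than read past the buffer.
function current_protocol.dissector(buffer, pinfo, tree)
  if buffer:len() == 0 then return end
  -- `current_protocol` is a global reassigned for every event definition, so the Proto for this
  -- event is looked up by its "<EventId>.<Version>" key instead of being captured.
  local event_proto = protocols["150.0"]
  pinfo.cols.protocol = event_proto.name
  pinfo.cols.info = event_proto.description
  local fields = tree:add(event_proto, buffer())
  -- Add fixed-size little-endian field `field_index` at `offset`; return the next offset.
  local function add_fixed(field_index, offset, size)
    fields:add_le(event_proto.fields[field_index], buffer(offset, size))
    return offset + size
  end
  local index = 0
  -- NOTE(review): fields[1]/[2] (DestinationMAC, SourceMAC) and fields[5]/[6] (DestinationIP,
  -- SourceIP), all bytes, are declared but never added, so no bytes are consumed for them. If
  -- the event carries them on the wire, the remaining fields are read at the wrong offset --
  -- confirm against the provider manifest.
  index = add_fixed(3, index, 2)  -- EtherType (uint16)
  index = add_fixed(4, index, 2)  -- VlanId (uint16)
  index = add_fixed(7, index, 1)  -- Protocol (uint8)
  index = add_fixed(8, index, 2)  -- DestinationPort (uint16)
  index = add_fixed(9, index, 2)  -- SourcePort (uint16)
  index = add_fixed(10, index, 1) -- TCPFlags (uint8)
  index = add_fixed(11, index, 8) -- PktGroupId (uint64)
  index = add_fixed(12, index, 2) -- PktCount (uint16)
  index = add_fixed(13, index, 2) -- AppearanceCount (uint16)
  index = add_fixed(14, index, 2) -- DirTag (uint16)
  index = add_fixed(15, index, 2) -- PacketType (uint16)
  index = add_fixed(16, index, 2) -- ComponentId (uint16)
  index = add_fixed(17, index, 2) -- EdgeId (uint16)
  index = add_fixed(18, index, 2) -- FilterId (uint16)
  index = add_fixed(19, index, 4) -- DropReason (uint32)
  index = add_fixed(20, index, 4) -- DropLocation (uint32)
end
protocols["150.0"] = current_protocol
dissector_table:add("150.0", current_protocol)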
-- Microsoft-Windows-PktMon EventId(160) Version(0): packet header fields followed by a
-- LoggedPayloadSize-prefixed Payload. The Proto is stored in the shared `current_protocol`
-- global, which the following dissector definition and registration lines operate on.
current_protocol = Proto("Microsoft-Windows-PktMon.160.0", "Microsoft-Windows-PktMon EventId(160) Version(0)")
current_protocol.fields = {
  ProtoField.uint64("Microsoft-Windows-PktMon.160.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.PktNumber", "PktNumber", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.160.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.160.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.OriginalPayloadSize", "OriginalPayloadSize", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.160.0.LoggedPayloadSize", "LoggedPayloadSize", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.160.0.Payload", "Payload", base.NONE)
}
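function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId(160) Version(0): packet
  -- metadata followed by a LoggedPayloadSize-byte payload that is handed to
  -- the Ethernet dissector.
  --   buffer: Tvb holding the event's user data
  --   pinfo:  packet info; the protocol/info columns are set from the Proto
  --   tree:   TreeItem the event subtree is attached to
  -- Returns nothing.
  local length = buffer:len()  -- local on purpose; the generated code leaked a global
  if length == 0 then return end
  local event_proto_160_0 = protocols["160.0"]
  pinfo.cols.protocol = event_proto_160_0.name
  pinfo.cols.info = event_proto_160_0.description
  local fields = tree:add(event_proto_160_0, buffer())
  local index = 0
  -- Adds fields[n] covering the next `size` bytes (little-endian), advances
  -- `index`, and returns the TvbRange for callers that need the value.
  -- LoggedPayloadSize comes from the trace itself, so a short or corrupt
  -- event makes buffer(index, size) raise a Lua error; Wireshark reports
  -- that in the tree rather than letting the dissector read out of range.
  local function add_field(n, size)
    local range = buffer(index, size)
    fields:add_le(event_proto_160_0.fields[n], range)
    index = index + size
    return range
  end
  -- Fixed-width header, in wire order: { field index, byte width }.
  local header = {
    {1, 8},   -- PktGroupId
    {2, 2},   -- PktNumber
    {3, 2},   -- AppearanceCount
    {4, 2},   -- DirTag
    {5, 2},   -- PacketType
    {6, 2},   -- ComponentId
    {7, 2},   -- EdgeId
    {8, 2},   -- FilterId
    {9, 4},   -- DropReason
    {10, 4},  -- DropLocation
    {11, 2},  -- OriginalPayloadSize
  }
  for _, entry in ipairs(header) do
    add_field(entry[1], entry[2])
  end
  local logged_payload_size = add_field(12, 2):le_uint()  -- LoggedPayloadSize
  -- The payload starts at the current offset (34 bytes for this layout).
  -- Deriving it from `index` instead of a literal keeps the hand-off below
  -- in sync with the header list above.
  local payload = add_field(13, logged_payload_size)      -- Payload
  -- Hand the captured frame to Wireshark's "eth_withoutfcs" dissector.
  local ethernet = Dissector.get("eth_withoutfcs")
  ethernet:call(payload:tvb(), pinfo, tree)
end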
protocols["160.0"] = current_protocol
dissector_table:add("160.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(170) Version(0): same layout as 160.0
-- (metadata plus a payload sized by fields[12], LoggedPayloadSize); field
-- order is the wire order consumed by the dissector below.
current_protocol = Proto("Microsoft-Windows-PktMon.170.0", "Microsoft-Windows-PktMon EventId(170) Version(0)")
current_protocol.fields = {
  ProtoField.uint64("Microsoft-Windows-PktMon.170.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.PktNumber", "PktNumber", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.170.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.170.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.OriginalPayloadSize", "OriginalPayloadSize", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.170.0.LoggedPayloadSize", "LoggedPayloadSize", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.170.0.Payload", "Payload", base.NONE),
}
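function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId(170) Version(0): packet
  -- metadata followed by a LoggedPayloadSize-byte payload (added as bytes,
  -- not handed to another dissector).
  --   buffer: Tvb holding the event's user data
  --   pinfo:  packet info; the protocol/info columns are set from the Proto
  --   tree:   TreeItem the event subtree is attached to
  -- Returns nothing.
  local length = buffer:len()  -- local on purpose; the generated code leaked a global
  if length == 0 then return end
  local event_proto_170_0 = protocols["170.0"]
  pinfo.cols.protocol = event_proto_170_0.name
  pinfo.cols.info = event_proto_170_0.description
  local fields = tree:add(event_proto_170_0, buffer())
  local index = 0
  -- Adds fields[n] covering the next `size` bytes (little-endian), advances
  -- `index`, and returns the TvbRange for callers that need the value.
  -- LoggedPayloadSize comes from the trace itself, so a short or corrupt
  -- event makes buffer(index, size) raise a Lua error; Wireshark reports
  -- that in the tree rather than letting the dissector read out of range.
  local function add_field(n, size)
    local range = buffer(index, size)
    fields:add_le(event_proto_170_0.fields[n], range)
    index = index + size
    return range
  end
  -- Fixed-width header, in wire order: { field index, byte width }.
  local header = {
    {1, 8},   -- PktGroupId
    {2, 2},   -- PktNumber
    {3, 2},   -- AppearanceCount
    {4, 2},   -- DirTag
    {5, 2},   -- PacketType
    {6, 2},   -- ComponentId
    {7, 2},   -- EdgeId
    {8, 2},   -- FilterId
    {9, 4},   -- DropReason
    {10, 4},  -- DropLocation
    {11, 2},  -- OriginalPayloadSize
  }
  for _, entry in ipairs(header) do
    add_field(entry[1], entry[2])
  end
  local logged_payload_size = add_field(12, 2):le_uint()  -- LoggedPayloadSize
  add_field(13, logged_payload_size)                      -- Payload
end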
protocols["170.0"] = current_protocol
dissector_table:add("170.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(180) Version(0): fixed-width metadata
-- record with no payload.  Field order is the wire order consumed by the
-- dissector below.
current_protocol = Proto("Microsoft-Windows-PktMon.180.0", "Microsoft-Windows-PktMon EventId(180) Version(0)")
current_protocol.fields = {
  ProtoField.uint64("Microsoft-Windows-PktMon.180.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.180.0.PktCount", "PktCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.180.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.180.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.180.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.180.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.180.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.180.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.180.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.180.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.TcpIpChecksum", "TcpIpChecksum", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.TcpLargeSend", "TcpLargeSend", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.Ieee8021Q", "Ieee8021Q", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.HashInfo", "HashInfo", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.HashValue", "HashValue", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.VirtualSubnetInfo", "VirtualSubnetInfo", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.TcpRecvSegCoalesceInfo", "TcpRecvSegCoalesceInfo", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.NrtNameResolutionId", "NrtNameResolutionId", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.180.0.TcpSendOffloadsSupplementalInfo", "TcpSendOffloadsSupplementalInfo", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.180.0.SwitchForwardingDetail", "SwitchForwardingDetail", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.180.0.GftOffloadInfo", "GftOffloadInfo", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.180.0.GftFlowEntryId", "GftFlowEntryId", base.DEC),
}
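function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId(180) Version(0): a
  -- fixed-width metadata record with no payload.
  --   buffer: Tvb holding the event's user data
  --   pinfo:  packet info; the protocol/info columns are set from the Proto
  --   tree:   TreeItem the event subtree is attached to
  -- Returns nothing.
  local length = buffer:len()  -- local on purpose; the generated code leaked a global
  if length == 0 then return end
  local event_proto_180_0 = protocols["180.0"]
  pinfo.cols.protocol = event_proto_180_0.name
  pinfo.cols.info = event_proto_180_0.description
  local fields = tree:add(event_proto_180_0, buffer())
  -- Byte width of fields[1..22], in wire order.  Every value is added to the
  -- tree little-endian; none is interpreted by this dissector.
  local widths = {
    8,  -- 1  PktGroupId
    2,  -- 2  PktCount
    2,  -- 3  AppearanceCount
    2,  -- 4  DirTag
    2,  -- 5  PacketType
    2,  -- 6  ComponentId
    2,  -- 7  EdgeId
    2,  -- 8  FilterId
    4,  -- 9  DropReason
    4,  -- 10 DropLocation
    8,  -- 11 TcpIpChecksum
    8,  -- 12 TcpLargeSend
    8,  -- 13 Ieee8021Q
    8,  -- 14 HashInfo
    8,  -- 15 HashValue
    8,  -- 16 VirtualSubnetInfo
    8,  -- 17 TcpRecvSegCoalesceInfo
    8,  -- 18 NrtNameResolutionId
    8,  -- 19 TcpSendOffloadsSupplementalInfo
    8,  -- 20 SwitchForwardingDetail
    8,  -- 21 GftOffloadInfo
    8,  -- 22 GftFlowEntryId
  }
  local index = 0
  for n, width in ipairs(widths) do
    -- A short or corrupt event makes buffer(index, width) raise a Lua error,
    -- which Wireshark reports in the tree instead of reading past the buffer.
    fields:add_le(event_proto_180_0.fields[n], buffer(index, width))
    index = index + width
  end
end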
protocols["180.0"] = current_protocol
dissector_table:add("180.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(190) Version(0): same fixed-width metadata
-- layout as 180.0.  Field order is the wire order consumed by the dissector
-- below.
current_protocol = Proto("Microsoft-Windows-PktMon.190.0", "Microsoft-Windows-PktMon EventId(190) Version(0)")
current_protocol.fields = {
  ProtoField.uint64("Microsoft-Windows-PktMon.190.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.190.0.PktCount", "PktCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.190.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.190.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.190.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.190.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.190.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.190.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.190.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.190.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.TcpIpChecksum", "TcpIpChecksum", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.TcpLargeSend", "TcpLargeSend", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.Ieee8021Q", "Ieee8021Q", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.HashInfo", "HashInfo", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.HashValue", "HashValue", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.VirtualSubnetInfo", "VirtualSubnetInfo", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.TcpRecvSegCoalesceInfo", "TcpRecvSegCoalesceInfo", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.NrtNameResolutionId", "NrtNameResolutionId", base.DEC),
  ProtoField.int64("Microsoft-Windows-PktMon.190.0.TcpSendOffloadsSupplementalInfo", "TcpSendOffloadsSupplementalInfo", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.190.0.SwitchForwardingDetail", "SwitchForwardingDetail", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.190.0.GftOffloadInfo", "GftOffloadInfo", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.190.0.GftFlowEntryId", "GftFlowEntryId", base.DEC),
}
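function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId(190) Version(0): a
  -- fixed-width metadata record with no payload.
  --   buffer: Tvb holding the event's user data
  --   pinfo:  packet info; the protocol/info columns are set from the Proto
  --   tree:   TreeItem the event subtree is attached to
  -- Returns nothing.
  local length = buffer:len()  -- local on purpose; the generated code leaked a global
  if length == 0 then return end
  local event_proto_190_0 = protocols["190.0"]
  pinfo.cols.protocol = event_proto_190_0.name
  pinfo.cols.info = event_proto_190_0.description
  local fields = tree:add(event_proto_190_0, buffer())
  -- Byte width of fields[1..22], in wire order.  Every value is added to the
  -- tree little-endian; none is interpreted by this dissector.
  local widths = {
    8,  -- 1  PktGroupId
    2,  -- 2  PktCount
    2,  -- 3  AppearanceCount
    2,  -- 4  DirTag
    2,  -- 5  PacketType
    2,  -- 6  ComponentId
    2,  -- 7  EdgeId
    2,  -- 8  FilterId
    4,  -- 9  DropReason
    4,  -- 10 DropLocation
    8,  -- 11 TcpIpChecksum
    8,  -- 12 TcpLargeSend
    8,  -- 13 Ieee8021Q
    8,  -- 14 HashInfo
    8,  -- 15 HashValue
    8,  -- 16 VirtualSubnetInfo
    8,  -- 17 TcpRecvSegCoalesceInfo
    8,  -- 18 NrtNameResolutionId
    8,  -- 19 TcpSendOffloadsSupplementalInfo
    8,  -- 20 SwitchForwardingDetail
    8,  -- 21 GftOffloadInfo
    8,  -- 22 GftFlowEntryId
  }
  local index = 0
  for n, width in ipairs(widths) do
    -- A short or corrupt event makes buffer(index, width) raise a Lua error,
    -- which Wireshark reports in the tree instead of reading past the buffer.
    fields:add_le(event_proto_190_0.fields[n], buffer(index, width))
    index = index + width
  end
end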
protocols["190.0"] = current_protocol
dissector_table:add("190.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(200) Version(0): drop metadata, a
-- 4-byte-address 5-tuple (DestinationIP/SourceIP/Protocol/ports) and a payload
-- sized by fields[14] (LoggedPayloadSize).  Field order is the wire order
-- consumed by the dissector below.
-- NOTE(review): DestinationIP/SourceIP are uint32 with base.DEC, so they
-- render as plain integers; ProtoField.ipv4 would render dotted-quad but also
-- changes the display-filter type of the field, so it is left as generated.
current_protocol = Proto("Microsoft-Windows-PktMon.200.0", "Microsoft-Windows-PktMon EventId(200) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.200.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.200.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.200.0.DestinationIP", "DestinationIP", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.200.0.SourceIP", "SourceIP", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.200.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.OriginalPayloadSize", "OriginalPayloadSize", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.200.0.LoggedPayloadSize", "LoggedPayloadSize", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.200.0.Payload", "Payload", base.NONE),
}
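function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId(200) Version(0): drop
  -- metadata, 4-byte addresses, protocol and ports, then a
  -- LoggedPayloadSize-byte payload added as bytes.
  --   buffer: Tvb holding the event's user data
  --   pinfo:  packet info; the protocol/info columns are set from the Proto
  --   tree:   TreeItem the event subtree is attached to
  -- Returns nothing.
  local length = buffer:len()  -- local on purpose; the generated code leaked a global
  if length == 0 then return end
  local event_proto_200_0 = protocols["200.0"]
  pinfo.cols.protocol = event_proto_200_0.name
  pinfo.cols.info = event_proto_200_0.description
  local fields = tree:add(event_proto_200_0, buffer())
  local index = 0
  -- Adds fields[n] covering the next `size` bytes (little-endian), advances
  -- `index`, and returns the TvbRange for callers that need the value.
  -- LoggedPayloadSize comes from the trace itself, so a short or corrupt
  -- event makes buffer(index, size) raise a Lua error; Wireshark reports
  -- that in the tree rather than letting the dissector read out of range.
  local function add_field(n, size)
    local range = buffer(index, size)
    fields:add_le(event_proto_200_0.fields[n], range)
    index = index + size
    return range
  end
  -- Fixed-width header, in wire order: { field index, byte width }.
  local header = {
    {1, 2},   -- DirTag
    {2, 2},   -- PacketType
    {3, 2},   -- ComponentId
    {4, 2},   -- EdgeId
    {5, 2},   -- FilterId
    {6, 4},   -- DropReason
    {7, 4},   -- DropLocation
    {8, 4},   -- DestinationIP
    {9, 4},   -- SourceIP
    {10, 1},  -- Protocol
    {11, 2},  -- DestinationPort
    {12, 2},  -- SourcePort
    {13, 2},  -- OriginalPayloadSize
  }
  for _, entry in ipairs(header) do
    add_field(entry[1], entry[2])
  end
  local logged_payload_size = add_field(14, 2):le_uint()  -- LoggedPayloadSize
  add_field(15, logged_payload_size)                      -- Payload
end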
protocols["200.0"] = current_protocol
dissector_table:add("200.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(210) Version(0): same layout as 200.0
-- (4-byte addresses, protocol, ports, payload sized by fields[14]).  Field
-- order is the wire order consumed by the dissector below.
-- NOTE(review): DestinationIP/SourceIP are uint32 with base.DEC, so they
-- render as plain integers; ProtoField.ipv4 would render dotted-quad but also
-- changes the display-filter type of the field, so it is left as generated.
current_protocol = Proto("Microsoft-Windows-PktMon.210.0", "Microsoft-Windows-PktMon EventId(210) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.210.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.210.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.210.0.DestinationIP", "DestinationIP", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.210.0.SourceIP", "SourceIP", base.DEC),
  ProtoField.uint8("Microsoft-Windows-PktMon.210.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.OriginalPayloadSize", "OriginalPayloadSize", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.210.0.LoggedPayloadSize", "LoggedPayloadSize", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.210.0.Payload", "Payload", base.NONE),
}
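function current_protocol.dissector(buffer, pinfo, tree)
  -- Dissector for Microsoft-Windows-PktMon EventId(210) Version(0): drop
  -- metadata, 4-byte addresses, protocol and ports, then a
  -- LoggedPayloadSize-byte payload added as bytes.
  --   buffer: Tvb holding the event's user data
  --   pinfo:  packet info; the protocol/info columns are set from the Proto
  --   tree:   TreeItem the event subtree is attached to
  -- Returns nothing.
  local length = buffer:len()  -- local on purpose; the generated code leaked a global
  if length == 0 then return end
  local event_proto_210_0 = protocols["210.0"]
  pinfo.cols.protocol = event_proto_210_0.name
  pinfo.cols.info = event_proto_210_0.description
  local fields = tree:add(event_proto_210_0, buffer())
  local index = 0
  -- Adds fields[n] covering the next `size` bytes (little-endian), advances
  -- `index`, and returns the TvbRange for callers that need the value.
  -- LoggedPayloadSize comes from the trace itself, so a short or corrupt
  -- event makes buffer(index, size) raise a Lua error; Wireshark reports
  -- that in the tree rather than letting the dissector read out of range.
  local function add_field(n, size)
    local range = buffer(index, size)
    fields:add_le(event_proto_210_0.fields[n], range)
    index = index + size
    return range
  end
  -- Fixed-width header, in wire order: { field index, byte width }.
  local header = {
    {1, 2},   -- DirTag
    {2, 2},   -- PacketType
    {3, 2},   -- ComponentId
    {4, 2},   -- EdgeId
    {5, 2},   -- FilterId
    {6, 4},   -- DropReason
    {7, 4},   -- DropLocation
    {8, 4},   -- DestinationIP
    {9, 4},   -- SourceIP
    {10, 1},  -- Protocol
    {11, 2},  -- DestinationPort
    {12, 2},  -- SourcePort
    {13, 2},  -- OriginalPayloadSize
  }
  for _, entry in ipairs(header) do
    add_field(entry[1], entry[2])
  end
  local logged_payload_size = add_field(14, 2):le_uint()  -- LoggedPayloadSize
  add_field(15, logged_payload_size)                      -- Payload
end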
protocols["210.0"] = current_protocol
dissector_table:add("210.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(220) Version(0): like 200.0 but with
-- DestinationIP/SourceIP declared as raw bytes instead of uint32.
-- NOTE(review): the dissector below never adds fields[8] or fields[9] to the
-- tree, so these two declarations are currently unused; the address width is
-- not visible in this file.
current_protocol = Proto("Microsoft-Windows-PktMon.220.0", "Microsoft-Windows-PktMon EventId(220) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.220.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.220.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.220.0.DestinationIP", "DestinationIP", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.220.0.SourceIP", "SourceIP", base.NONE),
  ProtoField.uint8("Microsoft-Windows-PktMon.220.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.OriginalPayloadSize", "OriginalPayloadSize", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.220.0.LoggedPayloadSize", "LoggedPayloadSize", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.220.0.Payload", "Payload", base.NONE),
}
function current_protocol.dissector(buffer, pinfo, tree)
-- Dissector for Microsoft-Windows-PktMon EventId(220) Version(0).
--   buffer: Tvb holding the event's user data
--   pinfo:  packet info; the protocol/info columns are set from the Proto
--   tree:   TreeItem the event subtree is attached to
-- Returns nothing.
-- NOTE(review): fields[8] (DestinationIP) and fields[9] (SourceIP) are
-- declared as ProtoField.bytes in the field table but are never added here,
-- and `index` is not advanced past them: after DropLocation (fields[7]) the
-- code goes straight to Protocol (fields[10]).  Unless the event really
-- carries no address bytes, Protocol, both ports, both sizes and the Payload
-- slice are read from the wrong offset, and the LoggedPayloadSize used for the
-- slice is then arbitrary data from the record.  The address width is not
-- visible in this file; confirm it against the provider manifest before
-- fixing.
-- NOTE(review): `length` is assigned as a global; `local length` would avoid
-- leaking it into the shared Lua state.
length = buffer:len()
if length == 0 then return end
local event_proto_220_0 = protocols["220.0"]
pinfo.cols.protocol = event_proto_220_0.name
pinfo.cols.info = event_proto_220_0.description
local fields = tree:add(event_proto_220_0, buffer())
local index = 0
-- Fixed-width fields, little-endian, in wire order.  A short or corrupt event
-- makes buffer(index, n) raise a Lua error, which Wireshark reports in the
-- tree instead of reading past the buffer.
local DirTag_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[1], buffer(index, 2))
index = index + 2
local PacketType_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[2], buffer(index, 2))
index = index + 2
local ComponentId_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[3], buffer(index, 2))
index = index + 2
local EdgeId_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[4], buffer(index, 2))
index = index + 2
local FilterId_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[5], buffer(index, 2))
index = index + 2
local DropReason_value = buffer(index, 4):le_uint()
fields:add_le(event_proto_220_0.fields[6], buffer(index, 4))
index = index + 4
local DropLocation_value = buffer(index, 4):le_uint()
fields:add_le(event_proto_220_0.fields[7], buffer(index, 4))
index = index + 4
-- fields[8] and fields[9] are skipped here (see the note above).
local Protocol_value = buffer(index, 1):le_uint()
fields:add_le(event_proto_220_0.fields[10], buffer(index, 1))
index = index + 1
local DestinationPort_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[11], buffer(index, 2))
index = index + 2
local SourcePort_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[12], buffer(index, 2))
index = index + 2
local OriginalPayloadSize_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[13], buffer(index, 2))
index = index + 2
local LoggedPayloadSize_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_220_0.fields[14], buffer(index, 2))
index = index + 2
-- Payload is variable-length, sized by the LoggedPayloadSize just read.
fields:add_le(event_proto_220_0.fields[15], buffer(index, LoggedPayloadSize_value))
index = index + LoggedPayloadSize_value
end
protocols["220.0"] = current_protocol
dissector_table:add("220.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(230) Version(0): same layout as 220.0,
-- with DestinationIP/SourceIP declared as raw bytes.
-- NOTE(review): the dissector below never adds fields[8] or fields[9] to the
-- tree, so these two declarations are currently unused; the address width is
-- not visible in this file.
current_protocol = Proto("Microsoft-Windows-PktMon.230.0", "Microsoft-Windows-PktMon EventId(230) Version(0)")
current_protocol.fields = {
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.230.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.230.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.230.0.DestinationIP", "DestinationIP", base.NONE),
  ProtoField.bytes("Microsoft-Windows-PktMon.230.0.SourceIP", "SourceIP", base.NONE),
  ProtoField.uint8("Microsoft-Windows-PktMon.230.0.Protocol", "Protocol", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.DestinationPort", "DestinationPort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.SourcePort", "SourcePort", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.OriginalPayloadSize", "OriginalPayloadSize", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.230.0.LoggedPayloadSize", "LoggedPayloadSize", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.230.0.Payload", "Payload", base.NONE),
}
function current_protocol.dissector(buffer, pinfo, tree)
-- Dissector for Microsoft-Windows-PktMon EventId(230) Version(0).
--   buffer: Tvb holding the event's user data
--   pinfo:  packet info; the protocol/info columns are set from the Proto
--   tree:   TreeItem the event subtree is attached to
-- Returns nothing.
-- NOTE(review): fields[8] (DestinationIP) and fields[9] (SourceIP) are
-- declared as ProtoField.bytes in the field table but are never added here,
-- and `index` is not advanced past them: after DropLocation (fields[7]) the
-- code goes straight to Protocol (fields[10]).  Unless the event really
-- carries no address bytes, Protocol, both ports, both sizes and the Payload
-- slice are read from the wrong offset, and the LoggedPayloadSize used for the
-- slice is then arbitrary data from the record.  The address width is not
-- visible in this file; confirm it against the provider manifest before
-- fixing.
-- NOTE(review): `length` is assigned as a global; `local length` would avoid
-- leaking it into the shared Lua state.
length = buffer:len()
if length == 0 then return end
local event_proto_230_0 = protocols["230.0"]
pinfo.cols.protocol = event_proto_230_0.name
pinfo.cols.info = event_proto_230_0.description
local fields = tree:add(event_proto_230_0, buffer())
local index = 0
-- Fixed-width fields, little-endian, in wire order.  A short or corrupt event
-- makes buffer(index, n) raise a Lua error, which Wireshark reports in the
-- tree instead of reading past the buffer.
local DirTag_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[1], buffer(index, 2))
index = index + 2
local PacketType_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[2], buffer(index, 2))
index = index + 2
local ComponentId_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[3], buffer(index, 2))
index = index + 2
local EdgeId_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[4], buffer(index, 2))
index = index + 2
local FilterId_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[5], buffer(index, 2))
index = index + 2
local DropReason_value = buffer(index, 4):le_uint()
fields:add_le(event_proto_230_0.fields[6], buffer(index, 4))
index = index + 4
local DropLocation_value = buffer(index, 4):le_uint()
fields:add_le(event_proto_230_0.fields[7], buffer(index, 4))
index = index + 4
-- fields[8] and fields[9] are skipped here (see the note above).
local Protocol_value = buffer(index, 1):le_uint()
fields:add_le(event_proto_230_0.fields[10], buffer(index, 1))
index = index + 1
local DestinationPort_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[11], buffer(index, 2))
index = index + 2
local SourcePort_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[12], buffer(index, 2))
index = index + 2
local OriginalPayloadSize_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[13], buffer(index, 2))
index = index + 2
local LoggedPayloadSize_value = buffer(index, 2):le_uint()
fields:add_le(event_proto_230_0.fields[14], buffer(index, 2))
index = index + 2
-- Payload is variable-length, sized by the LoggedPayloadSize just read.
fields:add_le(event_proto_230_0.fields[15], buffer(index, LoggedPayloadSize_value))
index = index + LoggedPayloadSize_value
end
protocols["230.0"] = current_protocol
dissector_table:add("230.0", current_protocol)
-- Microsoft-Windows-PktMon EventId(240) Version(0): same layout as 160.0
-- (metadata plus a payload sized by fields[12], LoggedPayloadSize).  Field
-- order is the wire order consumed by the dissector that follows.
current_protocol = Proto("Microsoft-Windows-PktMon.240.0", "Microsoft-Windows-PktMon EventId(240) Version(0)")
current_protocol.fields = {
  ProtoField.uint64("Microsoft-Windows-PktMon.240.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.PktNumber", "PktNumber", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.240.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.240.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.OriginalPayloadSize", "OriginalPayloadSize", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.240.0.LoggedPayloadSize", "LoggedPayloadSize", base.DEC),
  ProtoField.bytes("Microsoft-Windows-PktMon.240.0.Payload", "Payload", base.NONE),
}
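-- Dissector for Microsoft-Windows-PktMon EventId(240) Version(0).
-- This file is generated by Transluator (the EVENT_DECLARATION template); regenerating
-- overwrites hand edits, so keep any fix in sync with the generator template.
-- buffer: event payload tvb; pinfo: packet info; tree: parent tree node.
function current_protocol.dissector(buffer, pinfo, tree)
  -- `local`: the generated form assigned a global, which every Lua plugin in Wireshark shares.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_240_0 = protocols["240.0"]
  pinfo.cols.protocol = event_proto_240_0.name
  pinfo.cols.info = event_proto_240_0.description
  local fields = tree:add(event_proto_240_0, buffer())
  local index = 0
  -- Add field number `n` covering `size` bytes at the current offset, then advance.
  -- buffer(index, size) is a bounds-checked tvb range: a size that does not fit raises a
  -- Lua error instead of reading beyond the captured event data.
  local function add_fixed(n, size)
    fields:add_le(event_proto_240_0.fields[n], buffer(index, size))
    index = index + size
  end
  add_fixed(1, 8)   -- PktGroupId (uint64)
  add_fixed(2, 2)   -- PktNumber
  add_fixed(3, 2)   -- AppearanceCount
  add_fixed(4, 2)   -- DirTag
  add_fixed(5, 2)   -- PacketType
  add_fixed(6, 2)   -- ComponentId
  add_fixed(7, 2)   -- EdgeId
  add_fixed(8, 2)   -- FilterId
  add_fixed(9, 4)   -- DropReason (uint32)
  add_fixed(10, 4)  -- DropLocation (uint32)
  add_fixed(11, 2)  -- OriginalPayloadSize
  -- LoggedPayloadSize is read before it is consumed because it sizes the Payload field.
  local LoggedPayloadSize_value = buffer(index, 2):le_uint()
  add_fixed(12, 2)  -- LoggedPayloadSize
  -- Payload: length comes from the event itself (untrusted input); bounded by the tvb range check.
  add_fixed(13, LoggedPayloadSize_value)
end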
do
  -- Register the finished EventId(240)/Version(0) protocol under its "id.version" key.
  local event_key = "240.0"
  protocols[event_key] = current_protocol
  dissector_table:add(event_key, current_protocol)
end
-- EventId(250) Version(0): fixed-size fields only.
current_protocol = Proto("Microsoft-Windows-PktMon.250.0", "Microsoft-Windows-PktMon EventId(250) Version(0)")
current_protocol.fields = {
  ProtoField.uint64("Microsoft-Windows-PktMon.250.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.PktNumber", "PktNumber", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.250.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.250.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.250.0.Type", "Type", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.250.0.PktContext", "PktContext", base.DEC),
}
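-- Dissector for Microsoft-Windows-PktMon EventId(250) Version(0).
-- Generated by Transluator (EVENT_DECLARATION template); regenerating overwrites hand
-- edits, so keep any fix in sync with the generator template.
-- buffer: event payload tvb; pinfo: packet info; tree: parent tree node.
function current_protocol.dissector(buffer, pinfo, tree)
  -- `local`: the generated form assigned a global, which every Lua plugin in Wireshark shares.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_250_0 = protocols["250.0"]
  pinfo.cols.protocol = event_proto_250_0.name
  pinfo.cols.info = event_proto_250_0.description
  local fields = tree:add(event_proto_250_0, buffer())
  local index = 0
  -- Add field number `n` covering `size` bytes at the current offset, then advance.
  -- buffer(index, size) is bounds-checked: a short event raises a Lua error rather than
  -- reading beyond the captured data.
  local function add_fixed(n, size)
    fields:add_le(event_proto_250_0.fields[n], buffer(index, size))
    index = index + size
  end
  add_fixed(1, 8)   -- PktGroupId (uint64)
  add_fixed(2, 2)   -- PktNumber
  add_fixed(3, 2)   -- AppearanceCount
  add_fixed(4, 2)   -- DirTag
  add_fixed(5, 2)   -- PacketType
  add_fixed(6, 2)   -- ComponentId
  add_fixed(7, 2)   -- EdgeId
  add_fixed(8, 2)   -- FilterId
  add_fixed(9, 4)   -- DropReason (uint32)
  add_fixed(10, 4)  -- DropLocation (uint32)
  add_fixed(11, 2)  -- Type
  add_fixed(12, 8)  -- PktContext (uint64)
end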
do
  -- Register the finished EventId(250)/Version(0) protocol under its "id.version" key.
  local event_key = "250.0"
  protocols[event_key] = current_protocol
  dissector_table:add(event_key, current_protocol)
end
-- EventId(260) Version(0): same layout as 250.0, fixed-size fields only.
current_protocol = Proto("Microsoft-Windows-PktMon.260.0", "Microsoft-Windows-PktMon EventId(260) Version(0)")
current_protocol.fields = {
  ProtoField.uint64("Microsoft-Windows-PktMon.260.0.PktGroupId", "PktGroupId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.PktNumber", "PktNumber", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.AppearanceCount", "AppearanceCount", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.DirTag", "DirTag", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.PacketType", "PacketType", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.ComponentId", "ComponentId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.EdgeId", "EdgeId", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.FilterId", "FilterId", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.260.0.DropReason", "DropReason", base.DEC),
  ProtoField.uint32("Microsoft-Windows-PktMon.260.0.DropLocation", "DropLocation", base.DEC),
  ProtoField.uint16("Microsoft-Windows-PktMon.260.0.Type", "Type", base.DEC),
  ProtoField.uint64("Microsoft-Windows-PktMon.260.0.PktContext", "PktContext", base.DEC),
}
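-- Dissector for Microsoft-Windows-PktMon EventId(260) Version(0).
-- Generated by Transluator (EVENT_DECLARATION template); regenerating overwrites hand
-- edits, so keep any fix in sync with the generator template.
-- buffer: event payload tvb; pinfo: packet info; tree: parent tree node.
function current_protocol.dissector(buffer, pinfo, tree)
  -- `local`: the generated form assigned a global, which every Lua plugin in Wireshark shares.
  local length = buffer:len()
  if length == 0 then return end
  local event_proto_260_0 = protocols["260.0"]
  pinfo.cols.protocol = event_proto_260_0.name
  pinfo.cols.info = event_proto_260_0.description
  local fields = tree:add(event_proto_260_0, buffer())
  local index = 0
  -- Add field number `n` covering `size` bytes at the current offset, then advance.
  -- buffer(index, size) is bounds-checked: a short event raises a Lua error rather than
  -- reading beyond the captured data.
  local function add_fixed(n, size)
    fields:add_le(event_proto_260_0.fields[n], buffer(index, size))
    index = index + size
  end
  add_fixed(1, 8)   -- PktGroupId (uint64)
  add_fixed(2, 2)   -- PktNumber
  add_fixed(3, 2)   -- AppearanceCount
  add_fixed(4, 2)   -- DirTag
  add_fixed(5, 2)   -- PacketType
  add_fixed(6, 2)   -- ComponentId
  add_fixed(7, 2)   -- EdgeId
  add_fixed(8, 2)   -- FilterId
  add_fixed(9, 4)   -- DropReason (uint32)
  add_fixed(10, 4)  -- DropLocation (uint32)
  add_fixed(11, 2)  -- Type
  add_fixed(12, 8)  -- PktContext (uint64)
end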
do
  -- Register the finished EventId(260)/Version(0) protocol under its "id.version" key.
  local event_key = "260.0"
  protocols[event_key] = current_protocol
  dissector_table:add(event_key, current_protocol)
end
================================================
FILE: dissector/Tracelogging.lua
================================================
-- Main TraceLogging dissector.
-- TraceLogging events carry their own schema inside the ETW extended data, so
-- a Proto is built dynamically from the schema read through the etw dissector's
-- "winshark.ExtendedData" field (see tracelogging.dissector below).
local tracelogging = Proto("Tracelogging", "Tracelogging")
-- Field used to fetch the extended data (and the schema it contains) of the current event.
local extended_data_field = Field.new("winshark.ExtendedData")
-- One sub-dissector per TraceLogging event name, created on first sight and cached here.
local tl_dissector_table = DissectorTable.new("Tracelogging", "Tracelogging", ftypes.STRING)
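-- Parse one TraceLogging field of scalar type `tag_type` at the start of `buffer`,
-- add it to `tree` labelled `tag_name` and return the number of bytes consumed.
-- tree: tree node the value is added to
-- buffer: tvb starting at the field
-- tag_type: TraceLogging input type number (low 5 bits of the schema tag byte)
-- tag_name: field name taken from the schema
-- Raises a Lua error for a type number with no entry below. The previous version
-- returned nil there, which made the caller fail on `index + nil`; the outcome (the
-- dissector aborts) is unchanged, the message now names the type.
-- All reads go through bounded tvb ranges, so a field that does not fit the buffer
-- raises an error instead of reading outside the event payload.
function parse_field(tree, buffer, tag_type, tag_name)
  -- `local`: the previous version assigned a global shared by every Lua plugin.
  local tag_name_formated = string.format("%s:", tag_name)
  if tag_type == 1 then
    -- NUL-terminated UTF-16LE string. NOTE(review): value:len() is the byte length of the
    -- converted Lua string, so the consumed size is only exact for ASCII content.
    local value = buffer(0):le_ustringz()
    tree:add(tag_name_formated, value)
    return (value:len() + 1) * 2
  elseif tag_type == 2 then
    -- NUL-terminated ANSI string.
    local value = buffer(0):stringz()
    tree:add(tag_name_formated, value)
    return value:len() + 1
  elseif tag_type == 14 then
    -- Counted binary: a UINT16 byte count followed by that many bytes. The previous
    -- version recursed through parse_array_field with the same type and never terminated
    -- on its own. The shown range includes the 2-byte count so it is never empty.
    local count = buffer(0, 2):le_uint()
    tree:add(tag_name_formated, buffer(0, 2 + count))
    return 2 + count
  end
  -- Fixed-size types: { byte size, decoder } — a nil decoder displays the raw bytes.
  -- 9/10 follow the signed/unsigned pairing used by 3..8 (the previous version had
  -- them swapped), and 21 uses le_uint64 because le_uint() only handles 1..4 bytes.
  local fixed = {
    [3]  = {1,  function(r) return r:le_int() end},
    [4]  = {1,  function(r) return r:le_uint() end},
    [5]  = {2,  function(r) return r:le_int() end},
    [6]  = {2,  function(r) return r:le_uint() end},
    [7]  = {4,  function(r) return r:le_int() end},
    [8]  = {4,  function(r) return r:le_uint() end},
    [9]  = {8,  function(r) return r:le_int64() end},
    [10] = {8,  function(r) return r:le_uint64() end},
    [11] = {4,  function(r) return r:le_float() end},
    [12] = {8,  function(r) return r:le_float() end},
    [13] = {4,  function(r) return r:le_uint() end},
    [15] = {16, nil},
    [17] = {8,  nil},
    [18] = {16, nil},
    [20] = {4,  function(r) return r:le_uint() end},
    [21] = {8,  function(r) return r:le_uint64() end},
  }
  local spec = fixed[tag_type]
  if spec == nil then
    error(string.format("tracelogging: unsupported field type %d for %s", tag_type, tag_name))
  end
  local size, decode = spec[1], spec[2]
  local range = buffer(0, size)
  if decode == nil then
    tree:add(tag_name_formated, range)
  else
    tree:add(tag_name_formated, decode(range))
  end
  return size
end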
-- Parse a TraceLogging array: a UINT16 element count followed by that many consecutive
-- elements of type `tag_type`. Elements are listed as "[i]" under a node named `tag_name`.
-- tree: tree node the array node is added to
-- buffer: tvb starting at the element count
-- tag_type: element type (see parse_field)
-- tag_name: field name taken from the schema
-- Returns the number of bytes consumed (2 for the count plus all elements).
function parse_array_field(tree, buffer, tag_type, tag_name)
  local element_count = buffer(0, 2):le_uint()
  local consumed = 2
  local array_node = tree:add(tag_name)
  for position = 0, element_count - 1 do
    local label = string.format("[%d]", position)
    consumed = consumed + parse_field(array_node, buffer(consumed):tvb(), tag_type, label)
  end
  return consumed
end
-- Tracelogging dissector definition.
-- Extracts the schema that the etw dissector exposes as extended data
-- (winshark.ExtendedData) and builds a sub-Proto for it on first sight;
-- later events with the same name reuse the cached Proto.
-- WARNING: TraceLogging allows different schemas under one event name; the
-- first schema seen wins here and later variants are parsed with it.
-- The event name and every schema byte come from the capture, i.e. from
-- untrusted input. All reads go through bounded tvb ranges, so a truncated or
-- inconsistent schema raises a Lua error instead of reading outside the buffer.
function tracelogging.dissector(buffer, pinfo, tree)
-- NOTE(review): assigned without `local`, so this is a global shared by every Lua plugin.
length = buffer:len()
if length == 0 then return end
-- stays nil when no schema item is present; get_dissector(nil) below then errors
local name = nil
local scheme = {}
-- value of the first winshark.ExtendedData match, walked as
-- (type:uint16, size:uint16, data[size]) items
local extended_data = extended_data_field()():tvb()
local offset = 0
while offset < extended_data:len() do
local ext_type = extended_data(offset, 2):le_uint()
local size = extended_data(offset + 2, 2):le_uint()
local data = extended_data(offset + 4, size):tvb()
-- extended item type 11 carries the TraceLogging event schema
if ext_type == 11 then
-- shadows the outer `size`: this is the schema's own length prefix and is not used further
local size = data(0, 2):le_uint()
local tag = data(2, 1):le_uint()
local extended_tag = nil
local offset_name = 3
-- high bit set: one more tag byte precedes the event name (read but unused)
if bit32.band(tag, 0x80) == 0x80 then
extended_tag = data(3, 1):le_uint()
offset_name = 4
end
-- event name (NUL-terminated); spaces are replaced because the name becomes
-- both the Proto name and the dissector-table key
name = data(offset_name):stringz():gsub(" ", "_")
local scheme_data = data(offset_name + name:len() + 1):tvb()
local offset_scheme = 0
local index_tag = 1
-- field list: each entry is name\0 followed by an input-type tag byte
while offset_scheme < scheme_data:len() do
local field_name = scheme_data(offset_scheme):stringz():gsub(" ", "_")
local tag_in = scheme_data(offset_scheme + field_name:len() + 1, 1):le_uint()
offset_scheme = offset_scheme + field_name:len() + 1 + 1
-- input tag with the high bit set: an output-type byte follows; it is skipped, not stored
if bit32.band(tag_in, 0x80) == 0x80 then
-- debug trace left in place; printed to the Lua console for every such field
print("tag_out")
local tag_out = scheme_data(offset_scheme, 1):le_uint()
-- NOTE(review): the 5-byte skip presumably covers a 4-byte field tag after the
-- out-type byte — confirm against the TraceLogging metadata format
if bit32.band(tag_out, 0x80) == 0x80 then
offset_scheme = offset_scheme + 5
else
offset_scheme = offset_scheme + 1
end
end
scheme[index_tag] = {tag = tag_in, name = field_name}
index_tag = index_tag + 1
end
end
offset = offset + size + 4
end
-- NOTE(review): `tl_proto` here is a global; the `local tl_proto` below shadows it inside the branch
tl_proto = tl_dissector_table:get_dissector(name)
if tl_proto == nil then
local tl_proto = Proto(name, name)
-- the closure captures `scheme`, so the Proto stays tied to the schema seen at creation time
tl_proto.dissector = function(buffer, pinfo, tree)
pinfo.cols.protocol = tl_proto.name
local proto_tree = tree:add(tl_proto, buffer())
local index = 0
-- walk every schema entry: the low 5 bits of the tag are the type; 0x20 or 0x40 is
-- treated as "array with a UINT16 element count in the payload"
-- NOTE(review): in TraceLogging 0x40 presumably denotes a fixed count carried in the
-- metadata rather than in the payload — confirm
for i, element in ipairs(scheme) do
local tag_type = bit32.band(element.tag, 0x1F)
local is_array = bit32.band(element.tag, 0x20) == 0x20 or bit32.band(element.tag, 0x40) == 0x40
if is_array then
index = index + parse_array_field(proto_tree, buffer(index):tvb(), tag_type, element.name)
else
index = index + parse_field(proto_tree, buffer(index):tvb(), tag_type, element.name)
end
end
end
tl_dissector_table:add(name, tl_proto)
end
tl_dissector_table:try(name, buffer, pinfo, tree)
end
-- Hook this dissector into the etw dissector's "winshark" table under the "Tracelogging" key.
DissectorTable.get("winshark"):add("Tracelogging", tracelogging)
================================================
FILE: install/patch.xml
================================================
<!--
  CPack WiX patch for the Winshark installer: declares plugins\winshark under the
  Wireshark install root, empties it on uninstall and runs Transluator once the
  files are in place so the Lua dissectors are generated on the target machine.
-->
<CPackWiXPatch>
<CPackWiXFragment Id="#PRODUCT">
<DirectoryRef Id="INSTALL_ROOT">
<Directory Id="plugins" Name="plugins">
<Directory Id="winshark" Name="winshark">
</Directory>
</Directory>
</DirectoryRef>
<!-- Removes every file in plugins\winshark at uninstall, presumably because the
     dissectors generated by Transluator are not part of the MSI file table. -->
<Component Id="Clean" Guid="946e5348-7a9e-482f-b793-ff398813a8db" Directory="winshark" Feature="ProductFeature">
<RemoveFile Id="PurgePluginFolder" Name="*.*" On="uninstall" />
</Component>
<!-- Execute="deferred" with Impersonate='no' runs this in the installer's elevated
     system context after the files are laid down. Both paths are relative and resolve
     against Directory="INSTALL_ROOT", which is used as the working directory; the
     command line is a fixed literal, so nothing user-supplied reaches "cmd /c".
     Return="check" makes a non-zero exit code fail the installation. -->
<CustomAction Id="GenerateDissector" ExeCommand="cmd /c Transluator.exe .\plugins\winshark" Directory="INSTALL_ROOT" Execute="deferred" Impersonate='no' Return="check"/>
<InstallExecuteSequence>
<!-- "NOT Installed": first install only, not repair or uninstall. -->
<Custom Action="GenerateDissector" Before="InstallFinalize">
NOT Installed
</Custom>
</InstallExecuteSequence>
</CPackWiXFragment>
</CPackWiXPatch>
================================================
FILE: transluator/CMakeLists.txt
================================================
# Transluator: the C# tool that turns ETW manifests into Winshark dissectors.
# Sources are listed explicitly (no globbing) so additions show up in review.
add_executable(Transluator
  src/DissectorLua.cs
  src/DissectorPython.cs
  src/Manifest.cs
  src/Transluator.cs
)
set_property(TARGET Transluator PROPERTY VS_DOTNET_TARGET_FRAMEWORK_VERSION "v4.5")

# Vendored TraceEvent package. The net45 assemblies are referenced at build time and
# the same directory supplies the runtime DLLs shipped next to Transluator.exe.
set(TRANSLUATOR_TRACEEVENT_LIB_DIR
  "${CMAKE_CURRENT_SOURCE_DIR}/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45")
set_property(TARGET Transluator PROPERTY VS_DOTNET_REFERENCES
  "System"
  "System.Xml"
  "System.Runtime"
  "${TRANSLUATOR_TRACEEVENT_LIB_DIR}/Microsoft.Diagnostics.Tracing.TraceEvent.dll"
  "${TRANSLUATOR_TRACEEVENT_LIB_DIR}/Microsoft.Diagnostics.FastSerialization.dll"
)

install(TARGETS Transluator DESTINATION .)
# Runtime dependencies of Transluator.exe, installed beside it in the install root.
foreach(dll
    Microsoft.Diagnostics.Tracing.TraceEvent.dll
    Microsoft.Diagnostics.FastSerialization.dll
    Dia2Lib.dll
    OSExtensions.dll
    TraceReloggerLib.dll)
  install(FILES "${TRANSLUATOR_TRACEEVENT_LIB_DIR}/${dll}" DESTINATION .)
endforeach()
install(FILES "${CMAKE_CURRENT_SOURCE_DIR}/scripts/WinsharkUpdate.bat" DESTINATION .)
================================================
FILE: transluator/scripts/WinsharkUpdate.bat
================================================
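@REM Runs Transluator against the plugins\winshark folder next to this script (the same
@REM step the installer's GenerateDissector action performs), regenerating the dissectors.
@REM The quoted SET keeps the install path intact when it contains characters cmd
@REM treats specially (e.g. "&" or ")"); %~dp0 already ends with a backslash.
SET "DIR=%~dp0"
"%DIR%Transluator.exe" "%DIR%plugins\winshark"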
================================================
FILE: transluator/src/DissectorLua.cs
================================================
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Xml.Serialization;
using Microsoft.Diagnostics.Tracing.Parsers;
using System.Linq;
namespace Transluator
{
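/// <summary>
/// Lua source templates consumed by <see cref="DissectorLUA"/> through string.Format.
/// Placeholders are positional ({0}, {1}, ...) and braces that must survive into the Lua
/// output are doubled ({{ }}). The *_WITH_VALUE and *_SIMPLE templates are formatted twice
/// (byte size and reader first, then event id / version / field index), hence their
/// doubled placeholders.
/// </summary>
static class DissectorLUATemplate
{
/// <summary>
/// Per-provider preamble. {0} = provider name (spaces replaced by '_'), {1} = provider GUID.
/// Routes each event to the "id.version" sub-dissector registered by EVENT_DECLARATION.
/// `length` is declared local: Wireshark runs every Lua plugin in one shared global
/// environment, and the previous template leaked it as a global.
/// </summary>
public const string PROVIDER = @"
local proto = Proto(""{0}"", ""{0}"")
local event_id = Field.new(""winshark.header.EventDescriptor.Id"")
local event_version = Field.new(""winshark.header.EventDescriptor.Version"")
local dissector_table = DissectorTable.new(""{0}"", ""{0} {1}"", ftypes.STRING)
local protocols = {{}}
local current_protocol = nil
function proto.dissector(buffer, pinfo, tree)
local length = buffer:len()
if length == 0 then return end
local id = event_id()
local version = event_version()
dissector_table:try(tostring(id) .. ""."" .. tostring(version) , buffer, pinfo, tree)
end
local winshark_dissector_table = DissectorTable.get(""winshark"")
winshark_dissector_table:add(""{1}"", proto)
";
/// <summary>Proto for one event. {0} = provider name, {1} = event id, {2} = version.</summary>
public const string EVENT_HEADER = @"current_protocol = Proto(""{0}.{1}.{2}"", ""{0} EventId({1}) Version({2})"")";
/// <summary>Not referenced by the generator in this file; kept for compatibility.</summary>
public const string EVENT_FIELD_NAME = @"{0}_{1}";
/// <summary>One ProtoField. {0} = field name, {1} = ProtoField constructor, {2} = provider name, {3} = event id, {4} = version, {5} = base.</summary>
public const string EVENT_FIELD = @"{1}(""{2}.{3}.{4}.{0}"", ""{0}"", {5})";
/// <summary>Field list assignment; {0} is the comma-joined EVENT_FIELD entries (order = manifest order = 1-based Lua index).</summary>
public const string EVENT_PROTO_FIELD = @"current_protocol.fields = {{ {0} }}";
/// <summary>
/// Dissector body and registration for one event. {0} = event id, {1} = version,
/// {2} = the concatenated per-field parsing snippets. `length` is local for the same
/// reason as in PROVIDER.
/// </summary>
public const string EVENT_DECLARATION = @"
function current_protocol.dissector(buffer, pinfo, tree)
local length = buffer:len()
if length == 0 then return end
local event_proto_{0}_{1} = protocols[""{0}.{1}""]
pinfo.cols.protocol = event_proto_{0}_{1}.name
pinfo.cols.info = event_proto_{0}_{1}.description
local fields = tree:add(event_proto_{0}_{1}, buffer())
local index = 0
{2}
end
protocols[""{0}.{1}""] = current_protocol
dissector_table:add(""{0}.{1}"", current_protocol)
";
/// <summary>
/// Fixed-size field whose value is also kept in `&lt;name&gt;_value`, so a later field may use
/// it as its length (EVENT_FIELD_DECLARATION_WITH_LENGTH). First pass: {0} = size, {1} = reader;
/// second pass: {0} = event id, {1} = version, {2} = field index, {3} = field name.
/// </summary>
public const string EVENT_FIELD_DECLARATION_WITH_VALUE = @"
local {{3}}_value = buffer(index, {0}):{1}()
fields:add_le(event_proto_{{0}}_{{1}}.fields[{{2}}], buffer(index, {0}))
index = index + {0}
";
/// <summary>Fixed-size field shown as raw bytes. First pass: {0} = size; second pass: event id, version, field index.</summary>
public const string EVENT_FIELD_DECLARATION_SIMPLE = @"
fields:add_le(event_proto_{{0}}_{{1}}.fields[{{2}}], buffer(index, {0}))
index = index + {0}
";
/// <summary>NUL-terminated UTF-16LE string; size derived from the decoded string length (exact for ASCII content).</summary>
public const string EVENT_FIELD_DECLARATION_UZSTRING = @"
fields:add_le(event_proto_{0}_{1}.fields[{2}], buffer(index, (buffer(index):le_ustringz():len() + 1) * 2), tostring(buffer(index):le_ustringz()))
index = index + (buffer(index):le_ustringz():len() + 1) * 2
";
/// <summary>NUL-terminated ANSI string.</summary>
public const string EVENT_FIELD_DECLARATION_ANSISTRING = @"
fields:add_le(event_proto_{0}_{1}.fields[{2}], buffer(index, (buffer(index):stringz():len() + 1)), tostring(buffer(index):stringz()))
index = index + (buffer(index):stringz():len() + 1)
";
/// <summary>Field sized by an earlier field: {3} must be the name of a preceding field emitted with EVENT_FIELD_DECLARATION_WITH_VALUE.</summary>
public const string EVENT_FIELD_DECLARATION_WITH_LENGTH = @"
fields:add_le(event_proto_{0}_{1}.fields[{2}], buffer(index, {3}_value))
index = index + {3}_value
";
/// <summary>
/// Windows SID: 8-byte header (Revision, SubAuthorityCount at offset 1, 6-byte IdentifierAuthority)
/// followed by 4 bytes per sub-authority. The count is taken from the event data and bounded by the tvb range check.
/// </summary>
public const string EVENT_FIELD_DECLARATION_SID = @"
fields:add_le(event_proto_{0}_{1}.fields[{2}], buffer(index, 8 + buffer(index + 1, 1):le_int() * 4))
index = index + 8 + buffer(index + 1, 1):le_int() * 4
";
/// <summary>
/// Manifest inType -> (ProtoField constructor, display base, parsing snippet).
/// Binary and SID snippets are unformatted templates; the others are pre-formatted with size and reader.
/// Note: HexInt32/HexInt64, Pointer and FILETIME are displayed as signed decimal here.
/// </summary>
public static readonly Dictionary<Data.InType, Tuple<string, string, string>> EVENT_DATA_TYPE_CONVERT = new Dictionary<Data.InType, Tuple<string, string, string>>()
{
{ Data.InType.Binary, new Tuple<string, string, string>("ProtoField.bytes", "base.NONE", EVENT_FIELD_DECLARATION_WITH_LENGTH) },
{ Data.InType.Int8, new Tuple<string, string, string>("ProtoField.int8", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 1, "le_int")) },
{ Data.InType.Int16, new Tuple<string, string, string>("ProtoField.int16", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 2, "le_int")) },
{ Data.InType.Int32, new Tuple<string, string, string>("ProtoField.int32", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 4, "le_int")) },
{ Data.InType.Int64, new Tuple<string, string, string>("ProtoField.int64", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 8, "le_int64")) },
{ Data.InType.UInt16, new Tuple<string, string, string>("ProtoField.uint16", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 2, "le_uint")) },
{ Data.InType.UInt32, new Tuple<string, string, string>("ProtoField.uint32", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 4, "le_uint")) },
{ Data.InType.UInt64, new Tuple<string, string, string>("ProtoField.uint64", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 8, "le_uint64")) },
{ Data.InType.UInt8, new Tuple<string, string, string>("ProtoField.uint8", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 1, "le_uint")) },
{ Data.InType.GUID, new Tuple<string, string, string>("ProtoField.guid", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_SIMPLE, 16)) },
{ Data.InType.UnicodeString, new Tuple<string, string, string>("ProtoField.string", "base.UNICODE", EVENT_FIELD_DECLARATION_UZSTRING) },
{ Data.InType.AnsiString, new Tuple<string, string, string>("ProtoField.string", "base.ASCII", EVENT_FIELD_DECLARATION_ANSISTRING) },
{ Data.InType.Boolean, new Tuple<string, string, string>("ProtoField.int8", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 1,"le_uint")) },
{ Data.InType.Double, new Tuple<string, string, string>("ProtoField.double", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 8, "le_float")) },
{ Data.InType.HexInt32, new Tuple<string, string, string>("ProtoField.int32", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 4, "le_int")) },
{ Data.InType.HexInt64, new Tuple<string, string, string>("ProtoField.int64", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 8, "le_int64")) },
{ Data.InType.FILETIME, new Tuple<string, string, string>("ProtoField.int64", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 8, "le_int64")) },
{ Data.InType.Pointer, new Tuple<string, string, string>("ProtoField.int64", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 8, "le_int64")) },
{ Data.InType.SYSTEMTIME, new Tuple<string, string, string>("ProtoField.bytes", "base.NONE", string.Format(EVENT_FIELD_DECLARATION_SIMPLE, 16)) },
{ Data.InType.SID, new Tuple<string, string, string>("ProtoField.bytes", "base.NONE", EVENT_FIELD_DECLARATION_SID) },
{ Data.InType.Float, new Tuple<string, string, string>("ProtoField.float", "base.DEC", string.Format(EVENT_FIELD_DECLARATION_WITH_VALUE, 4, "le_float")) },
};
}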
/// <summary>Helpers on the manifest <see cref="Provider"/> element.</summary>
public static class ProviderExtensions
{
/// <summary>
/// Provider name with every space turned into an underscore, so it can serve as the
/// Lua Proto name and dissector-table key in the generated dissector.
/// </summary>
public static string FormatProviderName(this Provider provider)
{
var formatted = provider.name.Replace(' ', '_');
return formatted;
}
}
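/// <summary>
/// Emits a Wireshark Lua dissector for one ETW provider manifest: a provider-level Proto
/// plus one sub-Proto per (event id, version) that has a template.
/// </summary>
class DissectorLUA
{
/// <summary>Parsed manifest this generator reads from.</summary>
public Manifest Manifest { get; private set; }

/// <summary>Writes the provider preamble (Proto, dissector table, registration in the "winshark" table).</summary>
private static void GenerateProvider(Provider provider, StreamWriter writer)
{
writer.WriteLine(string.Format(DissectorLUATemplate.PROVIDER, provider.FormatProviderName(), provider.guid));
}

/// <summary>
/// Lua for a field whose size comes from the manifest `length` attribute.
/// A length naming a preceding field becomes `&lt;name&gt;_value`; a numeric length becomes a
/// constant byte count (the previous code emitted e.g. `16_value`, which is not valid Lua).
/// </summary>
private static string FormatLengthField(Data data, Event etwEvent, int index)
{
var length = data.length.Replace(" ", "");
int constantLength;
if (int.TryParse(length, out constantLength))
{
return string.Format(string.Format(DissectorLUATemplate.EVENT_FIELD_DECLARATION_SIMPLE, constantLength), etwEvent.value, etwEvent.version, index);
}
return string.Format(DissectorLUATemplate.EVENT_FIELD_DECLARATION_WITH_LENGTH, etwEvent.value, etwEvent.version, index, length);
}

/// <summary>
/// Lua that parses one field, or null for a win:Binary with neither a `length` attribute
/// nor one of the three names the generator special-cases with a fixed size. That null case
/// is a known limitation kept from the original: the field still gets a ProtoField but no
/// parsing code, so every field after it is read from the wrong offset.
/// </summary>
private static string FormatFieldDeclaration(Data data, Event etwEvent, int index)
{
if (data.length != null)
{
return FormatLengthField(data, etwEvent, index);
}
if (data.inType != Data.InType.Binary)
{
return string.Format(DissectorLUATemplate.EVENT_DATA_TYPE_CONVERT[data.inType].Item3, etwEvent.value, etwEvent.version, index, data.name);
}
int fixedSize;
switch (data.name)
{
case "hash": fixedSize = 16; break;
case "SHA1Hash": fixedSize = 20; break;
case "CredKeyIdentifier": fixedSize = 32; break;
default: return null;
}
return string.Format(string.Format(DissectorLUATemplate.EVENT_FIELD_DECLARATION_SIMPLE, fixedSize), etwEvent.value, etwEvent.version, index);
}

/// <summary>Writes the Proto, its ProtoField list and the dissector body for one event.</summary>
private static void GenerateEvent(Event etwEvent, Provider provider, StreamWriter writer)
{
var providerName = provider.FormatProviderName();
writer.WriteLine(string.Format(DissectorLUATemplate.EVENT_HEADER, providerName, etwEvent.value, etwEvent.version));
// Single() keeps the original contract: a missing or duplicated template id is an error.
var template = provider.templates.Where(x => x.tid == etwEvent.template).Single();
var fieldsDeclaration = template.datas.Select(
x => string.Format(
DissectorLUATemplate.EVENT_FIELD,
x.name,
DissectorLUATemplate.EVENT_DATA_TYPE_CONVERT[x.inType].Item1,
providerName,
etwEvent.value,
etwEvent.version,
DissectorLUATemplate.EVENT_DATA_TYPE_CONVERT[x.inType].Item2
)
);
writer.WriteLine("\n" +
string.Format(
DissectorLUATemplate.EVENT_PROTO_FIELD,
string.Join(", ", fieldsDeclaration)
) + "\n"
);
// Build the field-by-field parser; Lua field indices are 1-based and follow manifest order.
var result = "";
var index = 1;
foreach (var data in template.datas)
{
var declaration = FormatFieldDeclaration(data, etwEvent, index);
if (declaration != null)
{
result += declaration + "\n";
}
index++;
}
writer.WriteLine(string.Format(DissectorLUATemplate.EVENT_DECLARATION, etwEvent.value, etwEvent.version, result));
}

/// <summary>Creates a generator for the given parsed manifest.</summary>
public DissectorLUA(Manifest source)
{
this.Manifest = source;
}

/// <summary>
/// Writes the complete Lua dissector to <paramref name="output"/>, which is closed when done.
/// Events sharing an id and version are emitted once (see <see cref="EventComparer"/>);
/// events without a template have no payload layout and are skipped.
/// </summary>
public void create(Stream output)
{
using (var s = new StreamWriter(output))
{
GenerateProvider(this.Manifest.instrumentation.events.provider, s);
var eventSet = new HashSet<Event>(this.Manifest.instrumentation.events.provider.events, new EventComparer());
foreach (var etwEvent in eventSet)
{
if (etwEvent.template == null)
{
continue;
}
GenerateEvent(etwEvent, this.Manifest.instrumentation.events.provider, s);
}
}
}
}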
}
================================================
FILE: transluator/src/DissectorPython.cs
================================================
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Xml.Serialization;
using Microsoft.Diagnostics.Tracing.Parsers;
using System.Linq;
namespace Transluator
{
/// <summary>
/// Python source templates consumed by <see cref="DissectorPython"/> through string.Format;
/// the output is a python-etl module built on `construct`.
/// </summary>
static class DissectorPythonTemplate
{
/// <summary>Module header. {0} = provider name, {1} = provider GUID.</summary>
public const string PROVIDER = @"# -*- coding: utf-8 -*-
""""""
{0}
GUID : {1}
""""""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid
";
/// <summary>One event class. {0} = provider GUID, {1} = event id, {2} = version, {3} = class-name prefix, {4} = comma-joined Struct members.</summary>
public const string EVENT_TEMPLATE = @"
@declare(guid=guid(""{0}""), event_id={1}, version={2})
class {3}_{1}_{2}(Etw):
pattern = Struct(
{4}
)
";
/// <summary>Struct member with a fixed construct type. {0} = field name, {1} = type from EVENT_DATA_TYPE_CONVERT.</summary>
public const string EVENT_FIELD = @" ""{0}"" / {1}";
/// <summary>Struct member sized by a preceding field. {0} = field name, {1} = name of the length field (must be a valid attribute name).</summary>
public const string EVENT_FIELD_WITH_LENTH = @" ""{0}"" / Bytes(lambda this: this.{1})";
/// <summary>Struct member of constant size. {0} = field name, {1} = byte count.</summary>
public const string EVENT_FIELD_STATIC_LENGTH = @" ""{0}"" / Bytes({1})";
/// <summary>
/// Manifest inType -> construct type. Binary maps to the bare `Bytes` name, which is only
/// usable with an explicit size (see EVENT_FIELD_WITH_LENTH / EVENT_FIELD_STATIC_LENGTH).
/// </summary>
public static readonly Dictionary<Data.InType, string> EVENT_DATA_TYPE_CONVERT = new Dictionary<Data.InType, string>()
{
{ Data.InType.Binary, "Bytes" },
{ Data.InType.Int8, "Int8sl" },
{ Data.InType.Int16, "Int16sl" },
{ Data.InType.Int32, "Int32sl" },
{ Data.InType.Int64, "Int64sl" },
{ Data.InType.UInt16, "Int16ul" },
{ Data.InType.UInt32, "Int32ul" },
{ Data.InType.UInt64, "Int64ul" },
{ Data.InType.UInt8, "Int8ul" },
{ Data.InType.GUID, "Guid" },
{ Data.InType.UnicodeString, "WString" },
{ Data.InType.AnsiString, "CString" },
{ Data.InType.Boolean, "Int8ul" },
{ Data.InType.Double, "Double" },
{ Data.InType.HexInt32, "Int32ul" },
{ Data.InType.HexInt64, "Int64ul" },
{ Data.InType.FILETIME, "Int64ul" },
{ Data.InType.Pointer, "Int64ul" },
{ Data.InType.SYSTEMTIME, "SystemTime" },
{ Data.InType.SID, "Sid" },
{ Data.InType.Float, "Float32l" },
};
}
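/// <summary>
/// Emits a python-etl module for one ETW provider manifest: a header with the provider
/// name and GUID, then one construct Struct class per (event id, version) that has a template.
/// </summary>
class DissectorPython
{
/// <summary>Parsed manifest this generator reads from.</summary>
public Manifest Manifest { get; private set; }

/// <summary>Writes the module header (encoding line, docstring, imports).</summary>
private static void GenerateProvider(Provider provider, StreamWriter writer)
{
writer.WriteLine(string.Format(DissectorPythonTemplate.PROVIDER, provider.name, provider.guid));
}

/// <summary>Class-name prefix: provider name with '-' and ' ' replaced by '_' so it is a valid Python identifier.</summary>
private static string PythonProviderName(Provider provider)
{
return provider.name.Replace("-", "_").Replace(" ", "_");
}

/// <summary>
/// Struct member for a field sized by the manifest `length` attribute. A numeric length
/// becomes Bytes(N); a length naming a preceding field becomes Bytes(lambda this: this.name).
/// The numeric case previously produced `this.16`, which is not valid Python.
/// </summary>
private static string FormatLengthField(Data data)
{
var length = data.length.Replace(" ", "");
int constantLength;
if (int.TryParse(length, out constantLength))
{
return string.Format(DissectorPythonTemplate.EVENT_FIELD_STATIC_LENGTH, data.name, constantLength);
}
return string.Format(DissectorPythonTemplate.EVENT_FIELD_WITH_LENTH, data.name, length);
}

/// <summary>
/// Struct member for one field, or null for a win:Binary with neither a `length` attribute
/// nor one of the three names given a fixed size below. The null case is a limitation kept
/// from the original: the field is silently omitted, so every later field is misaligned.
/// </summary>
private static string FormatField(Data data)
{
if (data.length != null)
{
return FormatLengthField(data);
}
if (data.inType != Data.InType.Binary)
{
return string.Format(DissectorPythonTemplate.EVENT_FIELD, data.name, DissectorPythonTemplate.EVENT_DATA_TYPE_CONVERT[data.inType]);
}
switch (data.name)
{
case "hash":
return string.Format(DissectorPythonTemplate.EVENT_FIELD_STATIC_LENGTH, data.name, 16);
case "SHA1Hash":
return string.Format(DissectorPythonTemplate.EVENT_FIELD_STATIC_LENGTH, data.name, 20);
case "CredKeyIdentifier":
return string.Format(DissectorPythonTemplate.EVENT_FIELD_STATIC_LENGTH, data.name, 32);
default:
return null;
}
}

/// <summary>Writes the @declare'd class for one event.</summary>
private static void GenerateEvent(Event etwEvent, Provider provider, StreamWriter writer)
{
var className = PythonProviderName(provider);
// Progress output kept from the original generator (one line per event on stdout).
Console.WriteLine("{0}_{1}_{2}", className, etwEvent.value, etwEvent.version);
// Single() keeps the original contract: a missing or duplicated template id is an error.
var template = provider.templates.Where(x => x.tid == etwEvent.template).Single();
var fieldsDeclaration = new List<string>();
foreach (var data in template.datas)
{
var field = FormatField(data);
if (field != null)
{
fieldsDeclaration.Add(field);
}
}
writer.WriteLine(
string.Format(
DissectorPythonTemplate.EVENT_TEMPLATE, provider.guid, etwEvent.value, etwEvent.version, className,
string.Join(",\n", fieldsDeclaration)
)
);
}

/// <summary>Creates a generator for the given parsed manifest.</summary>
public DissectorPython(Manifest source)
{
this.Manifest = source;
}

/// <summary>
/// Writes the complete module to <paramref name="output"/>, which is closed when done.
/// Events sharing an id and version are emitted once (see <see cref="EventComparer"/>);
/// events without a template have no payload layout and are skipped.
/// </summary>
public void create(Stream output)
{
using (var s = new StreamWriter(output))
{
GenerateProvider(this.Manifest.instrumentation.events.provider, s);
var eventSet = new HashSet<Event>(this.Manifest.instrumentation.events.provider.events, new EventComparer());
foreach (var etwEvent in eventSet)
{
if(etwEvent.template == null)
{
continue;
}
GenerateEvent(etwEvent, this.Manifest.instrumentation.events.provider, s);
}
}
}
}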
}
================================================
FILE: transluator/src/Manifest.cs
================================================
using System;
using System.Xml;
using System.Xml.Serialization;
using System.IO;
using System.Collections.Generic;
namespace Transluator
{
/// <summary>A &lt;map&gt; entry of a valueMap: a numeric value and its display message.</summary>
[XmlType("map")]
public class Map
{
[XmlAttribute]
public string message;
[XmlAttribute]
public string value;
}
/// <summary>A named &lt;valueMap&gt; holding its &lt;map&gt; children.</summary>
[XmlType("valueMap")]
public class ValueMap
{
[XmlAttribute]
public string name;
[XmlElement("map")]
public List<Map> maps;
}
/// <summary>The &lt;maps&gt; container of a provider: its &lt;valueMap&gt; children.</summary>
public class Maps
{
[XmlElement("valueMap")]
public List<ValueMap> valueMaps;
}
/// <summary>An &lt;opcode&gt; definition; all attributes are kept as strings as written in the manifest.</summary>
[XmlType("opcode")]
public class Opcode
{
[XmlAttribute]
public string name;
[XmlAttribute]
public string message;
[XmlAttribute]
public string value;
}
/// <summary>A &lt;task&gt; definition with its task-scoped opcodes.</summary>
[XmlType("task")]
public class Task
{
[XmlAttribute]
public string name;
[XmlAttribute]
public string message;
[XmlAttribute]
public string value;
// NOTE(review): no [XmlElement] here, unlike the other list members; XmlSerializer presumably
// expects a wrapping <opcodes> element rather than direct <opcode> children — confirm against a manifest.
public List<Opcode> opcodes;
}
/// <summary>
/// An &lt;event&gt; definition. `value` (the event id) is kept as a string while `version` is an int;
/// both generators identify an event by this (value, version) pair and look up its payload
/// layout through `template`, which is null when the event carries no data.
/// </summary>
[XmlType("event")]
public class Event
{
/// <summary>Manifest severity levels, mapped from their "win:" names.</summary>
public enum Level
{
[XmlEnum(Name = "win:Informational")]
Informational,
[XmlEnum(Name = "win:Verbose")]
Verbose,
[XmlEnum(Name = "win:Warning")]
Warning,
[XmlEnum(Name = "win:Error")]
Error,
[XmlEnum(Name = "win:Critical")]
Critical,
[XmlEnum(Name = "win:Always")]
Always
}
[XmlAttribute]
public string value;
[XmlAttribute]
public string symbol;
[XmlAttribute]
public int version;
[XmlAttribute]
public string task;
[XmlAttribute]
public Level level;
// id of the <template> describing the payload; null when absent
[XmlAttribute]
public string template;
[XmlAttribute]
public string keywords;
[XmlAttribute]
public string opcode;
}
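/// <summary>
/// Equality on events by (value, version) only, so a HashSet of Event keeps a single entry per
/// event id/version pair regardless of differences in symbol, task or template.
/// </summary>
public class EventComparer : IEqualityComparer<Event>
{
    /// <summary>
    /// Two events are equal when both their value and version match.
    /// Null references are handled (equal only to each other) instead of dereferenced.
    /// </summary>
    public bool Equals(Event x, Event y)
    {
        if (ReferenceEquals(x, y))
        {
            return true;
        }
        if (x == null || y == null)
        {
            return false;
        }
        return x.value == y.value && x.version == y.version;
    }

    /// <summary>
    /// Hash consistent with Equals. When the manifest omits the value attribute the field stays
    /// null; it is hashed as 0 so that building the HashSet does not throw on such an event.
    /// </summary>
    public int GetHashCode(Event obj)
    {
        int valueHash = obj.value == null ? 0 : obj.value.GetHashCode();
        return valueHash ^ obj.version.GetHashCode();
    }
}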
/// <summary>
/// One data field of a template: its name, wire type and optional length/count/map attributes.
/// </summary>
[XmlType("data")]
public class Data
{
    /// <summary>Field name, used verbatim by the generators as the dissector field name.</summary>
    [XmlAttribute]
    public string name;
    /// <summary>
    /// Wire types understood by the generators, mapped from the win:* names used in manifests.
    /// NOTE(review): a manifest using an inType not listed here makes XmlSerializer fail on the
    /// whole manifest (InvalidOperationException) — presumably one of the cases caught in Transluator.
    /// </summary>
    public enum InType
    {
        [XmlEnum(Name = "win:UnicodeString")]
        UnicodeString,
        [XmlEnum(Name = "win:AnsiString")]
        AnsiString,
        [XmlEnum(Name = "win:GUID")]
        GUID,
        [XmlEnum(Name = "win:UInt32")]
        UInt32,
        [XmlEnum(Name = "win:HexInt32")]
        HexInt32,
        [XmlEnum(Name = "win:HexInt64")]
        HexInt64,
        [XmlEnum(Name = "win:Boolean")]
        Boolean,
        [XmlEnum(Name = "win:UInt16")]
        UInt16,
        [XmlEnum(Name = "win:Binary")]
        Binary,
        [XmlEnum(Name = "win:UInt64")]
        UInt64,
        [XmlEnum(Name = "win:Double")]
        Double,
        [XmlEnum(Name = "win:UInt8")]
        UInt8,
        [XmlEnum(Name = "win:Int8")]
        Int8,
        [XmlEnum(Name = "win:Int16")]
        Int16,
        [XmlEnum(Name = "win:Int32")]
        Int32,
        [XmlEnum(Name = "win:Int64")]
        Int64,
        [XmlEnum(Name = "win:FILETIME")]
        FILETIME,
        [XmlEnum(Name = "win:Pointer")]
        Pointer,
        [XmlEnum(Name = "win:SYSTEMTIME")]
        SYSTEMTIME,
        [XmlEnum(Name = "win:SID")]
        SID,
        [XmlEnum(Name = "win:Float")]
        Float
    }
    /// <summary>Wire type of the field.</summary>
    [XmlAttribute]
    public InType inType;
    /// <summary>
    /// Length attribute, kept as a string; the generators strip spaces from it before emitting it,
    /// which suggests it may be an expression rather than a plain number — confirm against the manifests.
    /// </summary>
    [XmlAttribute]
    public string length;
    /// <summary>Count attribute (array size), kept as the string written in the manifest.</summary>
    [XmlAttribute]
    public string count;
    /// <summary>Name of the ValueMap to display this field through, if any.</summary>
    [XmlAttribute]
    public string map;
}
/// <summary>
/// Payload layout of an event: an ordered list of data fields identified by tid.
/// </summary>
[XmlType("template")]
public class Template
{
    /// <summary>Template id; Event.template refers to it.</summary>
    [XmlAttribute]
    public string tid;
    /// <summary>The data child elements, in manifest order.</summary>
    [XmlElement("data")]
    public List<Data> datas;
}
/// <summary>
/// A keyword of the provider: a named bit of the event keyword mask.
/// </summary>
[XmlType("keyword")]
public class Keyword
{
    /// <summary>Symbolic name; Event.keywords lists these names.</summary>
    [XmlAttribute]
    public string name;
    /// <summary>Message (or message resource reference) for the keyword.</summary>
    [XmlAttribute]
    public string message;
    /// <summary>Bit mask, kept as the string written in the manifest.</summary>
    [XmlAttribute]
    public string mask;
}
/// <summary>
/// The provider element of the manifest: identity plus its keyword, task, event, template and
/// map tables. The list fields carry no XmlElement attribute, so XmlSerializer reads each one as a
/// wrapper element named after the field whose items are named by the XmlType of the item class.
/// </summary>
public class Provider
{
    /// <summary>Provider name, e.g. the value passed on the command line; used to name generated files.</summary>
    [XmlAttribute]
    public string name;
    /// <summary>Provider GUID.</summary>
    [XmlAttribute]
    public Guid guid;
    /// <summary>Path of the resource file declared in the manifest.</summary>
    [XmlAttribute]
    public string resourceFileName;
    /// <summary>Path of the message file declared in the manifest.</summary>
    [XmlAttribute]
    public string messageFileName;
    /// <summary>Symbolic name of the provider.</summary>
    [XmlAttribute]
    public string symbol;
    /// <summary>Source attribute of the provider element, as written in the manifest.</summary>
    [XmlAttribute]
    public string source;
    /// <summary>Keywords table.</summary>
    public List<Keyword> keywords;
    /// <summary>Tasks table (each task may nest opcodes).</summary>
    public List<Task> tasks;
    /// <summary>Events table; may contain several entries with the same value/version (see EventComparer).</summary>
    public List<Event> events;
    /// <summary>Templates table, referenced by Event.template.</summary>
    public List<Template> templates;
    /// <summary>Value maps, referenced by Data.map.</summary>
    public List<ValueMap> maps;
}
/// <summary>
/// The events element; only its single provider child is modelled.
/// </summary>
public class Events
{
    /// <summary>The provider described by this manifest.</summary>
    public Provider provider;
}
/// <summary>
/// The instrumentation element; only its events child is modelled.
/// </summary>
public class Instrumentation
{
    /// <summary>The events section of the manifest.</summary>
    public Events events;
}
/// <summary>
/// One localized string of the string table.
/// Being declared in the Transluator namespace, this type shadows System.String for code in the
/// same namespace that spells the type as "String"; the "string" keyword is unaffected.
/// </summary>
[XmlType("string")]
public class String
{
    /// <summary>Resource id the message attributes refer to.</summary>
    [XmlAttribute]
    public string id;
    /// <summary>Localized text.</summary>
    [XmlAttribute]
    public string value;
}
/// <summary>
/// The resources element of the localization section: one culture and its string table.
/// </summary>
public class Resources
{
    /// <summary>Culture name of this string table, as written in the manifest.</summary>
    [XmlAttribute]
    public string culture;
    /// <summary>String table entries; read as a "stringTable" wrapper whose items are "string" elements.</summary>
    public List<String> stringTable;
}
/// <summary>
/// The localization element; only its resources child is modelled.
/// </summary>
public class Localization
{
    /// <summary>Localized resources of the manifest.</summary>
    public Resources resources;
}
/// <summary>
/// Root of an ETW instrumentation manifest as returned for a registered provider.
/// Deserialised with XmlSerializer; the root element name and namespace must match the attribute below.
/// </summary>
[XmlRootAttribute("instrumentationManifest", Namespace = "http://schemas.microsoft.com/win/2004/08/events")]
public class Manifest
{
    /// <summary>Provider, events and templates.</summary>
    public Instrumentation instrumentation;
    /// <summary>Localized strings.</summary>
    public Localization localization;
}
}
================================================
FILE: transluator/src/Transluator.cs
================================================
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Xml.Serialization;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
using System.Linq;
namespace Transluator
{
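/// <summary>
/// Command-line entry point of transluator: turns the manifest of one, or of every registered,
/// ETW provider into a Wireshark Lua dissector.
/// </summary>
static class Transluator
{
    /// <summary>Prints the two supported invocations to the console.</summary>
    static void PrintUsage()
    {
        Console.WriteLine("Welcome Transluator");
        Console.WriteLine("\tCreate dissector for one provider");
        Console.WriteLine("\ttransluator.exe PROVIDER_NAME OUTPUT_FILE_PATH");
        Console.WriteLine("\tEx : Transluator.exe Microsoft-Windows-Sysmon c:\\temp\\Microsoft-Windows-Sysmon.lua");
        Console.WriteLine("");
        Console.WriteLine("\tCreate dissectors for all providers published on local machine");
        Console.WriteLine("\ttransluator.exe OUTPUT_FOLDER");
        Console.WriteLine("\tEx : Transluator.exe ");
    }

    /// <summary>
    /// Creates the Lua dissector for one provider: its manifest is fetched from the local machine
    /// through RegisteredTraceEventParser, deserialised into <see cref="Manifest"/> and handed to
    /// <see cref="DissectorLUA"/>. Failures are reported on the console and never propagated.
    /// </summary>
    /// <param name="providerName">Name of the registered ETW provider.</param>
    /// <param name="outputPath">Path of the .lua file to create or overwrite.</param>
    static void CreateDissectorFromProvider(string providerName, string outputPath)
    {
        try
        {
            var xml = RegisteredTraceEventParser.GetManifestForRegisteredProvider(providerName);
            var serializer = new XmlSerializer(typeof(Manifest));
            using (TextReader reader = new StringReader(xml))
            {
                var manifest = (Manifest)serializer.Deserialize(reader);
                using (var stream = new FileStream(outputPath, FileMode.Create))
                {
                    new DissectorLUA(manifest).create(stream);
                }
            }
        }
        catch (System.ApplicationException e)
        {
            Console.WriteLine(e.Message);
        }
        catch (System.InvalidOperationException e)
        {
            // Some manifests returned by RegisteredTraceEventParser cannot be deserialised by
            // XmlSerializer (which reports the real cause wrapped in InvalidOperationException).
            // Name the provider that was skipped rather than dropping it silently.
            Console.WriteLine("Skip provider " + providerName + ": " + e.Message);
        }
    }

    /// <summary>
    /// Decides whether batch mode skips a provider.
    /// </summary>
    /// <param name="providerName">Name of the published provider.</param>
    /// <param name="isWindows7">True when running on Windows 6.1.</param>
    /// <returns>True when no dissector must be generated for this provider.</returns>
    static bool ShouldSkipProvider(string providerName, bool isWindows7)
    {
        // TPM is skipped unconditionally; the reason is not recorded in this file.
        if (providerName == "TPM")
        {
            return true;
        }
        // The NDIS-PacketCapture dissector is written by hand to handle the upper layers, so
        // the generated one must not replace it during install.
        if (providerName == "Microsoft-Windows-NDIS-PacketCapture")
        {
            return true;
        }
        if (isWindows7 && providerName == "Microsoft-Windows-UIAutomationCore")
        {
            Console.WriteLine("Ignore provider " + providerName + " on Windows 7");
            return true;
        }
        return false;
    }

    /// <summary>
    /// Generates one dissector per provider published on this machine into
    /// <paramref name="outputFolder"/> (created if needed), named after the provider with
    /// '-' and ' ' replaced by '_'.
    /// </summary>
    /// <param name="outputFolder">Folder receiving the generated .lua files.</param>
    static void CreateAllDissectors(string outputFolder)
    {
        // Loop-invariant: create the folder once instead of once per provider.
        Directory.CreateDirectory(outputFolder);
        var osVersion = System.Environment.OSVersion.Version;
        bool isWindows7 = osVersion.Major == 6 && osVersion.Minor == 1;
        foreach (var providerName in TraceEventProviders.GetPublishedProviders().Select(x => TraceEventProviders.GetProviderName(x)))
        {
            Console.WriteLine("Create dissector for provider " + providerName);
            if (ShouldSkipProvider(providerName, isWindows7))
            {
                continue;
            }
            string fileName = providerName.Replace("-", "_").Replace(" ", "_") + ".lua";
            // Provider names are read from the local machine, not typed by the user, but a name
            // containing a directory separator would make Path.Combine resolve outside
            // outputFolder. Keep every generated file inside the folder.
            if (Path.GetFileName(fileName) != fileName)
            {
                Console.WriteLine("Ignore provider " + providerName + ": name is not a plain file name");
                continue;
            }
            CreateDissectorFromProvider(providerName, Path.Combine(outputFolder, fileName));
        }
    }

    /// <summary>
    /// Main function (entry point). One argument: output folder for all published providers.
    /// Two arguments: provider name and output file. Anything else prints the usage.
    /// </summary>
    /// <param name="args">Command line, see <see cref="PrintUsage"/>.</param>
    /// <returns>Always 0; per-provider failures are reported on the console, not in the exit code.</returns>
    static int Main(string[] args)
    {
        if (args.Length == 1)
        {
            CreateAllDissectors(args[0]);
        }
        else if (args.Length == 2)
        {
            CreateDissectorFromProvider(args[0], args[1]);
        }
        else
        {
            PrintUsage();
        }
        return 0;
    }
}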
}
================================================
FILE: transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/build/Microsoft.Diagnostics.Tracing.TraceEvent.props
================================================
<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<None Condition="Exists('$(MSBuildThisFileDirectory)..\lib\native\x86\KernelTraceControl.dll')" Include="$(MSBuildThisFileDirectory)..\lib\native\x86\KernelTraceControl.dll">
<Link>x86\KernelTraceControl.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<None Condition="Exists('$(MSBuildThisFileDirectory)..\lib\native\x86\KernelTraceControl.Win61.dll')" Include="$(MSBuildThisFileDirectory)..\lib\native\x86\KernelTraceControl.Win61.dll">
<Link>x86\KernelTraceControl.Win61.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<None Condition="Exists('$(MSBuildThisFileDirectory)..\lib\native\x86\msdia140.dll')" Include="$(MSBuildThisFileDirectory)..\lib\native\x86\msdia140.dll">
<Link>x86\msdia140.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<None Condition="Exists('$(MSBuildThisFileDirectory)..\lib\native\amd64\KernelTraceControl.dll')" Include="$(MSBuildThisFileDirectory)..\lib\native\amd64\KernelTraceControl.dll">
<Link>amd64\KernelTraceControl.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<None Condition="Exists('$(MSBuildThisFileDirectory)..\lib\native\amd64\msdia140.dll')" Include="$(MSBuildThisFileDirectory)..\lib\native\amd64\msdia140.dll">
<Link>amd64\msdia140.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<!-- There are no static references to these so I need to copy them explicitly.
The first two are COM interop assemblies, so they are the same for all targets; I pick netstandard1.6 pretty arbitrarily.
OSExtensions is also the same for all targets. It needs to be copied for the dev-time case since in that case it runs the DLLs from the .nuget cache
by default, and OSExtensions needs to be in the right relative location with respect to the native DLLs (since it loads them via relative path).
-->
<None Condition="Exists('$(MSBuildThisFileDirectory)..\lib\netstandard1.6\TraceReloggerLib.dll')" Include="$(MSBuildThisFileDirectory)..\lib\netstandard1.6\TraceReloggerLib.dll">
<Link>TraceReloggerLib.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<None Condition="Exists('$(MSBuildThisFileDirectory)..\lib\netstandard1.6\Dia2Lib.dll')" Include="$(MSBuildThisFileDirectory)..\lib\netstandard1.6\Dia2Lib.dll">
<Link>Dia2Lib.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<!-- you have to pick the right version of this DLL because it depends on things besides System.Runtime.dll -->
<None Condition="'$(TargetFrameworkIdentifier)' != '.NETFramework' AND Exists('$(MSBuildThisFileDirectory)..\lib\netstandard1.6\OSExtensions.dll')" Include="$(MSBuildThisFileDirectory)..\lib\netstandard1.6\OSExtensions.dll">
<Link>OSExtensions.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
<None Condition="'$(TargetFrameworkIdentifier)' == '.NETFramework' AND Exists('$(MSBuildThisFileDirectory)..\lib\net45\OSExtensions.dll')" Include="$(MSBuildThisFileDirectory)..\lib\net45\OSExtensions.dll">
<Link>OSExtensions.dll</Link>
<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
<Visible>False</Visible>
</None>
</ItemGroup>
</Project>
================================================
FILE: transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/Microsoft.Diagnostics.FastSerialization.xml
================================================
<?xml version="1.0"?>
<doc>
<assembly>
<name>Microsoft.Diagnostics.FastSerialization</name>
</assembly>
<members>
<member name="T:FastSerialization.StreamLabel">
<summary>
A StreamLabel is a 32 bit integer that represents a position in a IStreamReader or
IStreamWriter. During writing it is generated by the IStreamWriter.GetLabel method and
consumed by the IStreamWriter.WriteLabel method. On reading you can use
IStreamReader.Current and IStreamReader.
</summary>
</member>
<member name="F:FastSerialization.StreamLabel.Invalid">
<summary>
Represents a stream label that is not a valid value
</summary>
</member>
<member name="T:FastSerialization.IStreamWriter">
<summary>
IStreamWriter is meant to be a very simple streaming protocol. You can write integral types,
strings, and labels to the stream itself.
IStreamWrite can be thought of a simplified System.IO.BinaryWriter, or maybe the writer
part of a System.IO.Stream with a few helpers for primitive types.
See also IStreamReader
</summary>
</member>
<member name="M:FastSerialization.IStreamWriter.Write(System.Byte)">
<summary>
Write a byte to a stream
</summary>
</member>
<member name="M:FastSerialization.IStreamWriter.Write(System.Int16)">
<summary>
Write a short to a stream
</summary>
</member>
<member name="M:FastSerialization.IStreamWriter.Write(System.Int32)">
<summary>
Write an int to a stream
</summary>
</member>
<member name="M:FastSerialization.IStreamWriter.Write(System.Int64)">
<summary>
Write a long to a stream
</summary>
</member>
<member name="M:FastSerialization.IStreamWriter.Write(FastSerialization.StreamLabel)">
<summary>
Write a StreamLabel (a pointer to another part of the stream) to a stream
</summary>
</member>
<member name="M:FastSerialization.IStreamWriter.Write(System.String)">
<summary>
Write a string to a stream (supports null values).
</summary>
</member>
<member name="M:FastSerialization.IStreamWriter.GetLabel">
<summary>
Get the stream label for the current position (points at whatever is written next
</summary>
<returns></returns>
</member>
<member name="M:FastSerialization.IStreamWriter.WriteSuffixLabel(FastSerialization.StreamLabel)">
<summary>
Write a SuffixLabel it must be the last thing written to the stream. The stream
guarantees that this value can be efficiently read at any time (probably by seeking
back from the end of the stream)). The idea is that when you generate a 'tableOfContents'
you can only do this after processing the data (and probably writing it out), If you
remember where you write this table of contents and then write a suffix label to it
as the last thing in the stream using this API, you guarantee that the reader can
efficiently seek to the end, read the value, and then goto that position. (See
IStreamReader.GotoSuffixLabel for more)
</summary>
</member>
<member name="T:FastSerialization.IStreamReader">
<summary>
IStreamReader is meant to be a very simple streaming protocol. You can read integral types,
strings, and labels from the stream itself. You can also goto labels you have read from the stream.
IStreamReader can be thought of as a simplified System.IO.BinaryReader, or maybe the reader
part of a System.IO.Stream with a few helpers for primitive types.
See also IStreamWriter
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.ReadByte">
<summary>
Read a byte from the stream
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.ReadInt16">
<summary>
Read a short from the stream
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.ReadInt32">
<summary>
Read an int from the stream
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.ReadInt64">
<summary>
Read a long from the stream
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.ReadString">
<summary>
Read a string from the stream. Can represent null strings
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.Read(System.Span{System.Byte})">
<summary>
Read a span of bytes from the stream.
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.ReadLabel">
<summary>
Read a StreamLabel (pointer to some other part of the stream) from the stream
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.Goto(FastSerialization.StreamLabel)">
<summary>
Goto a location in the stream
</summary>
</member>
<member name="P:FastSerialization.IStreamReader.Current">
<summary>
Returns the current position in the stream.
</summary>
</member>
<member name="M:FastSerialization.IStreamReader.GotoSuffixLabel">
<summary>
Sometimes information is only known after writing the entire stream. This information can be put
on the end of the stream, but there needs to be a way of finding it relative to the end, rather
than from the beginning. A IStreamReader, however, does not actually let you go 'backwards' easily
because it does not guarantee the size what it writes out (it might compress).
The solution is the concept of a 'suffixLabel' which is location in the stream where you can always
efficiently get to.
It is written with a special API (WriteSuffixLabel that must be the last thing written. It is
expected that it simply write an uncompressed StreamLabel. It can then be used by using the
GotoSTreamLabel() method below. This goes to this well know position in the stream. We expect
this is implemented by seeking to the end of the stream, reading the uncompressed streamLabel,
and then seeking to that position.
</summary>
</member>
<member name="T:FastSerialization.IStreamWriterExentions">
<summary>
Support for higher level operations on IStreamWriter and IStreamReader
</summary>
</member>
<member name="M:FastSerialization.IStreamWriterExentions.Write(FastSerialization.IStreamWriter,System.Guid)">
<summary>
Writes a Guid to stream 'writer' as sequence of 8 bytes
</summary>
</member>
<member name="M:FastSerialization.IStreamWriterExentions.ReadGuid(FastSerialization.IStreamReader)">
<summary>
Reads a Guid to stream 'reader' as sequence of 8 bytes and returns it
</summary>
</member>
<member name="M:FastSerialization.IStreamWriterExentions.Add(FastSerialization.StreamLabel,System.Int32)">
<summary>
Returns a StreamLabel that is the sum of label + offset.
</summary>
</member>
<member name="M:FastSerialization.IStreamWriterExentions.Sub(FastSerialization.StreamLabel,FastSerialization.StreamLabel)">
<summary>
Returns the difference between two stream labels (currently guaranteed to fit in an int)
</summary>
</member>
<member name="M:FastSerialization.IStreamWriterExentions.Skip(FastSerialization.IStreamReader,System.Int32)">
<summary>
Convenience method for skipping a certain number of bytes in the stream.
</summary>
</member>
<member name="T:FastSerialization.ForwardReference">
<summary>
Like a StreamLabel, a ForwardReference represents a pointer to a location in the stream.
However unlike a StreamLabel, the exact value in the stream does not need to be known at the
time the forward references is written. Instead the ID is written, and later that ID is
associated with the target location (using DefineForwardReference).
</summary>
</member>
<member name="F:FastSerialization.ForwardReference.Invalid">
<summary>
Returned when no appropriate ForwardReference exists.
</summary>
</member>
<member name="T:FastSerialization.Serializer">
<summary>
#SerializerIntroduction see also #StreamLayout
The Serializer class is a general purpose object graph serializer helper. While it does not have
any knowledge of the serialization format of individual object, it does impose conventions on how to
serialize support information like the header (which holds versioning information), a trailer (which
holds deferred pointer information), and how types are versioned. However these conventions are
intended to be very generic and thus this class can be used for essentially any serialization need.
Goals:
* Allows full range of serialization, including subclassing and cyclic object graphs.
* Can be serialized and deserialized efficiently sequentially (no seeks MANDATED on read or
write). This allows the serializer to be used over pipes and other non-seekable devices).
* Pay for play (thus very efficient in simple cases (no subclassing or cyclic graphs)).
* Ideally self-describing, and debuggable (output as XML if desired?)
Versioning:
* We want the ability for new formats to accept old versions if objects wish to support old
formats
* Also wish to allow new formats to be read by OLD version if the new format is just an
'extension' (data added to end of objects). This makes making new versions almost pain-free.
Concepts:
* No-seek requirement
The serialized form should be such that it can be deserialized efficiently in a serial fashion
(no seeks). This means all information needed to deserialize has to be 'just in time' (can't
be some table at the end). Pragmatically this means that type information (needed to create
instances), has to be output on first use, so it is available for the deserializer.
* Laziness requirement
While it should be possible to read the serialized form sequentially, we should also not force
it. It should be possible to have a large file that represents a persisted structure that can
be lazily brought into memory on demand. This means that all information needed to
deserialize must also be 'randomly available' and not depend on reading from the beginning.
Pragmatically this means that type information, and for
gitextract_mp5iiu2j/
├── .gitignore
├── .gitmodules
├── CHANGELOG.md
├── CMakeLists.txt
├── LICENSE
├── README.md
├── dissector/
│ ├── 0winshark.lua
│ ├── CMakeLists.txt
│ ├── Microsoft_Windows_NDIS_PacketCapture.lua
│ ├── Microsoft_Windows_PktMon.lua
│ └── Tracelogging.lua
├── install/
│ └── patch.xml
└── transluator/
├── CMakeLists.txt
├── scripts/
│ └── WinsharkUpdate.bat
├── src/
│ ├── DissectorLua.cs
│ ├── DissectorPython.cs
│ ├── Manifest.cs
│ └── Transluator.cs
└── third_party/
└── Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/
├── .signature.p7s
├── Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36.nupkg
├── build/
│ └── Microsoft.Diagnostics.Tracing.TraceEvent.props
└── lib/
├── net45/
│ ├── Microsoft.Diagnostics.FastSerialization.xml
│ └── Microsoft.Diagnostics.Tracing.TraceEvent.xml
├── netstandard1.6/
│ ├── Microsoft.Diagnostics.FastSerialization.xml
│ └── Microsoft.Diagnostics.Tracing.TraceEvent.xml
└── netstandard2.0/
├── Microsoft.Diagnostics.FastSerialization.xml
└── Microsoft.Diagnostics.Tracing.TraceEvent.xml
SYMBOL INDEX (39 symbols across 4 files)
FILE: transluator/src/DissectorLua.cs
class DissectorLUATemplate (line 12) | static class DissectorLUATemplate
class ProviderExtensions (line 108) | public static class ProviderExtensions
method FormatProviderName (line 110) | public static string FormatProviderName(this Provider provider)
class DissectorLUA (line 116) | class DissectorLUA
method GenerateProvider (line 121) | private static void GenerateProvider(Provider provider, StreamWriter w...
method GenerateEvent (line 126) | private static void GenerateEvent(Event etwEvent, Provider provider, S...
method DissectorLUA (line 188) | public DissectorLUA(Manifest source)
method create (line 193) | public void create(Stream output)
FILE: transluator/src/DissectorPython.cs
class DissectorPythonTemplate (line 12) | static class DissectorPythonTemplate
class DissectorPython (line 64) | class DissectorPython
method GenerateProvider (line 69) | private static void GenerateProvider(Provider provider, StreamWriter w...
method GenerateEvent (line 74) | private static void GenerateEvent(Event etwEvent, Provider provider, S...
method DissectorPython (line 120) | public DissectorPython(Manifest source)
method create (line 125) | public void create(Stream output)
FILE: transluator/src/Manifest.cs
class Map (line 9) | [XmlType("map")]
class ValueMap (line 19) | [XmlType("valueMap")]
class Maps (line 29) | public class Maps
class Opcode (line 35) | [XmlType("opcode")]
class Task (line 48) | [XmlType("task")]
class Event (line 63) | [XmlType("event")]
type Level (line 66) | public enum Level
class EventComparer (line 107) | public class EventComparer : IEqualityComparer<Event>
method Equals (line 109) | public bool Equals(Event x, Event y)
method GetHashCode (line 114) | public int GetHashCode(Event obj)
class Data (line 121) | [XmlType("data")]
type InType (line 127) | public enum InType
class Template (line 186) | [XmlType("template")]
class Keyword (line 196) | [XmlType("keyword")]
class Provider (line 209) | public class Provider
class Events (line 240) | public class Events
class Instrumentation (line 245) | public class Instrumentation
class String (line 250) | [XmlType("string")]
class Resources (line 260) | public class Resources
class Localization (line 268) | public class Localization
class Manifest (line 273) | [XmlRootAttribute("instrumentationManifest", Namespace = "http://schemas...
FILE: transluator/src/Transluator.cs
class Transluator (line 16) | static class Transluator
method PrintUsage (line 18) | static void PrintUsage()
method CreateDissectorFromProvider (line 35) | static void CreateDissectorFromProvider(string providerName, string ou...
method Main (line 65) | static int Main(string[] args)
[
{
"path": ".gitignore",
"chars": 139,
"preview": "CMakeCache.txt\nCMakeFiles\nCMakeScripts\nTesting\nMakefile\ncmake_install.cmake\ninstall_manifest.txt\ncompile_commands.json\nC"
},
{
"path": ".gitmodules",
"chars": 98,
"preview": "[submodule \"libpcap\"]\n\tpath = libpcap\n\turl = https://github.com/airbus-cert/libpcap\n\tbranch = etw\n"
},
{
"path": "CHANGELOG.md",
"chars": 227,
"preview": "# 1.1.0\n* Fix issue #2 that don't allow to install wireshark in a non standard folder\n* Fix issue #4 :warning: Rename pr"
},
{
"path": "CMakeLists.txt",
"chars": 2121,
"preview": "# Minimum CMake required\ncmake_minimum_required(VERSION 3.11)\n\n# Project\nproject(Winshark LANGUAGES C CXX CSharp VERSION"
},
{
"path": "LICENSE",
"chars": 10173,
"preview": " Apache License\n Version 2.0, January 2004\n "
},
{
"path": "README.md",
"chars": 8596,
"preview": "# Winshark\n`Wireshark` plugin to work with Event Tracing for Windows\n\n`Microsoft Message Analyzer` is being retired and "
},
{
"path": "dissector/0winshark.lua",
"chars": 6084,
"preview": "-- This is the main dissector for all winshark based dissector\n-- This dissector will parse all meta infos for ETW packe"
},
{
"path": "dissector/CMakeLists.txt",
"chars": 397,
"preview": "install(FILES \"${CMAKE_CURRENT_SOURCE_DIR}/0winshark.lua\" DESTINATION plugins/winshark)\ninstall(FILES \"${CMAKE_CURRENT_S"
},
{
"path": "dissector/Microsoft_Windows_NDIS_PacketCapture.lua",
"chars": 26881,
"preview": "\nlocal proto = Proto(\"Microsoft-Windows-NDIS-PacketCapture\", \"Microsoft-Windows-NDIS-PacketCapture\")\nlocal event_id = Fi"
},
{
"path": "dissector/Microsoft_Windows_PktMon.lua",
"chars": 91266,
"preview": "\r\nlocal proto = Proto(\"Microsoft-Windows-PktMon\", \"Microsoft-Windows-PktMon\")\r\nlocal event_id = Field.new(\"winshark.head"
},
{
"path": "dissector/Tracelogging.lua",
"chars": 6020,
"preview": "-- This is the main tracelogging disector\n-- As tracelogging encompass its scheme directly into \n-- Extended data, we ne"
},
{
"path": "install/patch.xml",
"chars": 787,
"preview": "<CPackWiXPatch>\n\t<CPackWiXFragment Id=\"#PRODUCT\">\n\t\t<DirectoryRef Id=\"INSTALL_ROOT\">\n\t\t <Directory Id=\"plugins\" Name=\"p"
},
{
"path": "transluator/CMakeLists.txt",
"chars": 1546,
"preview": "set(TRANSLUATOR_SRC\n\tsrc/DissectorLua.cs\n\tsrc/DissectorPython.cs\n\tsrc/Manifest.cs\n\tsrc/Transluator.cs\n)\n\nadd_executable("
},
{
"path": "transluator/scripts/WinsharkUpdate.bat",
"chars": 62,
"preview": "SET DIR=%~dp0\n\"%DIR%\\Transluator.exe\" \"%DIR%\\plugins\\winshark\""
},
{
"path": "transluator/src/DissectorLua.cs",
"chars": 11252,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Reflection;\nusing System.Runtime.InteropS"
},
{
"path": "transluator/src/DissectorPython.cs",
"chars": 5648,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Reflection;\nusing System.Runtime.InteropS"
},
{
"path": "transluator/src/Manifest.cs",
"chars": 5777,
"preview": "using System;\nusing System.Xml;\nusing System.Xml.Serialization;\nusing System.IO;\nusing System.Collections.Generic;\n\nnam"
},
{
"path": "transluator/src/Transluator.cs",
"chars": 4206,
"preview": "using System;\nusing System.Collections.Generic;\nusing System.IO;\nusing System.Reflection;\nusing System.Runtime.InteropS"
},
{
"path": "transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/build/Microsoft.Diagnostics.Tracing.TraceEvent.props",
"chars": 3826,
"preview": "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<Project xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n <ItemGrou"
},
{
"path": "transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/Microsoft.Diagnostics.FastSerialization.xml",
"chars": 92934,
"preview": "<?xml version=\"1.0\"?>\n<doc>\n <assembly>\n <name>Microsoft.Diagnostics.FastSerialization</name>\n </assembly>\n"
},
{
"path": "transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/net45/Microsoft.Diagnostics.Tracing.TraceEvent.xml",
"chars": 777237,
"preview": "<?xml version=\"1.0\"?>\n<doc>\n <assembly>\n <name>Microsoft.Diagnostics.Tracing.TraceEvent</name>\n </assembly>"
},
{
"path": "transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/netstandard1.6/Microsoft.Diagnostics.FastSerialization.xml",
"chars": 92934,
"preview": "<?xml version=\"1.0\"?>\n<doc>\n <assembly>\n <name>Microsoft.Diagnostics.FastSerialization</name>\n </assembly>\n"
},
{
"path": "transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/netstandard1.6/Microsoft.Diagnostics.Tracing.TraceEvent.xml",
"chars": 777237,
"preview": "<?xml version=\"1.0\"?>\n<doc>\n <assembly>\n <name>Microsoft.Diagnostics.Tracing.TraceEvent</name>\n </assembly>"
},
{
"path": "transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/netstandard2.0/Microsoft.Diagnostics.FastSerialization.xml",
"chars": 92934,
"preview": "<?xml version=\"1.0\"?>\n<doc>\n <assembly>\n <name>Microsoft.Diagnostics.FastSerialization</name>\n </assembly>\n"
},
{
"path": "transluator/third_party/Microsoft.Diagnostics.Tracing.TraceEvent.2.0.36/lib/netstandard2.0/Microsoft.Diagnostics.Tracing.TraceEvent.xml",
"chars": 777237,
"preview": "<?xml version=\"1.0\"?>\n<doc>\n <assembly>\n <name>Microsoft.Diagnostics.Tracing.TraceEvent</name>\n </assembly>"
}
]