diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-10 20:34:10 +0000 |
| commit | e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc (patch) | |
| tree | 68cb5ef9081156392f1dd62a00c6ccc1451b93df /epan/dissectors/packet-netmon.c | |
| parent | Initial commit. (diff) | |
| download | wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.tar.xz wireshark-e4ba6dbc3f1e76890b22773807ea37fe8fa2b1bc.zip | |
Adding upstream version 4.2.2.upstream/4.2.2
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'epan/dissectors/packet-netmon.c')
| -rw-r--r-- | epan/dissectors/packet-netmon.c | 2907 |
1 files changed, 2907 insertions, 0 deletions
diff --git a/epan/dissectors/packet-netmon.c b/epan/dissectors/packet-netmon.c new file mode 100644 index 0000000..b4d7782 --- /dev/null +++ b/epan/dissectors/packet-netmon.c @@ -0,0 +1,2907 @@ +/* packet-netmon.c + * Routines for Network Monitor capture dissection + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + * + * Network Event Tracing event taken from: + * + * https://docs.microsoft.com/en-us/windows/win32/api/evntcons/ns-evntcons-event_header + */ + +#include "config.h" + +#include <epan/packet.h> +#include <epan/to_str.h> +#include <epan/expert.h> +#include <wiretap/wtap.h> +#include "packet-netmon.h" + +void proto_register_netmon(void); +void proto_reg_handoff_netmon(void); + +#define EVENT_HEADER_PROPERTY_XML 0x0001 +#define EVENT_HEADER_PROPERTY_FORWARDED_XML 0x0002 +#define EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG 0x0004 + +static const value_string event_level_vals[] = { + { 0, "Log Always"}, + { 1, "Critical"}, + { 2, "Error"}, + { 3, "Warning"}, + { 4, "Info"}, + { 5, "Verbose"}, + { 6, "Reserved"}, + { 7, "Reserved"}, + { 8, "Reserved"}, + { 9, "Reserved"}, + { 10, "Reserved"}, + { 11, "Reserved"}, + { 12, "Reserved"}, + { 13, "Reserved"}, + { 14, "Reserved"}, + { 15, "Reserved"}, + { 0, NULL } +}; + +static const value_string opcode_vals[] = { + { 0, "Info"}, + { 1, "Start"}, + { 2, "Stop"}, + { 3, "DC Start"}, + { 4, "DC Stop"}, + { 5, "Extension"}, + { 6, "Reply"}, + { 7, "Resume"}, + { 8, "Suspend"}, + { 9, "Transfer"}, + { 0, NULL } +}; + +static const range_string filter_types[] = { + { 0, 0, "Display Filter" }, + { 1, 1, "Capture Filter" }, + { 2, 0xFFFFFFFF, "Display Filter" }, + { 0, 0, NULL } +}; + +static dissector_table_t provider_id_table; + +/* Initialize the protocol and registered fields */ +static int proto_netmon_header = -1; +static int proto_netmon_event = -1; +static int proto_netmon_filter = -1; +static int proto_netmon_network_info = -1; +static int proto_netmon_system_trace = -1; +static int proto_netmon_system_config = -1; +static int proto_netmon_process = -1; + +static int hf_netmon_header_title_comment = -1; +static int hf_netmon_header_description_comment = -1; + +static int hf_netmon_event_size = -1; +static int hf_netmon_event_header_type = -1; +static int hf_netmon_event_flags = -1; +static int hf_netmon_event_flags_extended_info = -1; +static int hf_netmon_event_flags_private_session = -1; +static int hf_netmon_event_flags_string_only = -1; +static int hf_netmon_event_flags_trace_message = -1; +static int hf_netmon_event_flags_no_cputime = -1; +static int hf_netmon_event_flags_32bit_header = -1; +static int hf_netmon_event_flags_64bit_header = -1; +static int hf_netmon_event_flags_classic_header = -1; +static int hf_netmon_event_event_property = -1; +static int hf_netmon_event_event_property_xml = -1; +static int hf_netmon_event_event_property_forwarded_xml = -1; +static int hf_netmon_event_event_property_legacy_eventlog = -1; +static int hf_netmon_event_thread_id = -1; +static int hf_netmon_event_process_id = -1; +static int hf_netmon_event_timestamp = -1; +static int hf_netmon_event_provider_id = -1; +static int hf_netmon_event_event_desc_id = -1; +static int hf_netmon_event_event_desc_version = -1; +static int hf_netmon_event_event_desc_channel = -1; +static int hf_netmon_event_event_desc_level = -1; +static int hf_netmon_event_event_desc_opcode = -1; +static int hf_netmon_event_event_desc_task = -1; +static int hf_netmon_event_event_desc_keyword = -1; +static int hf_netmon_event_kernel_time = -1; +static int hf_netmon_event_user_time = -1; +static int hf_netmon_event_processor_time = -1; +static int hf_netmon_event_activity_id = -1; +static int hf_netmon_event_processor_number = -1; +static int hf_netmon_event_alignment = -1; +static int hf_netmon_event_logger_id = -1; +static int hf_netmon_event_extended_data_count = -1; +static int hf_netmon_event_user_data_length = -1; +static int hf_netmon_event_reassembled = -1; +static int hf_netmon_event_extended_data_reserved = -1; +static int hf_netmon_event_extended_data_type = -1; +static int hf_netmon_event_extended_data_linkage = -1; +static int hf_netmon_event_extended_data_reserved2 = -1; +static int hf_netmon_event_extended_data_size = -1; +static int hf_netmon_event_extended_data = -1; +static int hf_netmon_event_user_data = -1; + +static int hf_netmon_filter_version = -1; +static int hf_netmon_filter_type = -1; +static int hf_netmon_filter_app_major_version = -1; +static int hf_netmon_filter_app_minor_version = -1; +static int hf_netmon_filter_app_name = -1; +static int hf_netmon_filter_filter = -1; + +static int hf_netmon_network_info_version = -1; +static int hf_netmon_network_info_adapter_count = -1; +static int hf_netmon_network_info_computer_name = -1; +static int hf_netmon_network_info_friendly_name = -1; +static int hf_netmon_network_info_description = -1; +static int hf_netmon_network_info_miniport_guid = -1; +static int hf_netmon_network_info_media_type = -1; +static int hf_netmon_network_info_mtu = -1; +static int hf_netmon_network_info_link_speed = -1; +static int hf_netmon_network_info_mac_address = -1; +static int hf_netmon_network_info_ipv4_count = -1; +static int hf_netmon_network_info_ipv6_count = -1; +static int hf_netmon_network_info_gateway_count = -1; +static int hf_netmon_network_info_dhcp_server_count = -1; +static int hf_netmon_network_info_dns_ipv4_count = -1; +static int hf_netmon_network_info_dns_ipv6_count = -1; +static int hf_netmon_network_info_ipv4 = -1; +static int hf_netmon_network_info_subnet = -1; +static int hf_netmon_network_info_ipv6 = -1; +static int hf_netmon_network_info_gateway = -1; +static int hf_netmon_network_info_dhcp_server = -1; +static int hf_netmon_network_info_dns_ipv4 = -1; +static int hf_netmon_network_info_dns_ipv6 = -1; + +static int hf_netmon_system_trace_buffer_size = -1; +static int hf_netmon_system_trace_version = -1; +static int hf_netmon_system_trace_provider_version = -1; +static int hf_netmon_system_trace_num_processors = -1; +static int hf_netmon_system_trace_end_time = -1; +static int hf_netmon_system_trace_timer_resolution = -1; +static int hf_netmon_system_trace_max_file_size = -1; +static int hf_netmon_system_trace_log_file_mode = -1; +static int hf_netmon_system_trace_buffers_written = -1; +static int hf_netmon_system_trace_start_buffers = -1; +static int hf_netmon_system_trace_pointers_size = -1; +static int hf_netmon_system_trace_events_lost = -1; +static int hf_netmon_system_trace_cpu_speed = -1; +static int hf_netmon_system_trace_logger_name = -1; +static int hf_netmon_system_trace_log_file_name_ptr = -1; +static int hf_netmon_system_trace_time_zone_info = -1; +static int hf_netmon_system_trace_boot_time = -1; +static int hf_netmon_system_trace_perf_freq = -1; +static int hf_netmon_system_trace_start_time = -1; +static int hf_netmon_system_trace_reserved_flags = -1; +static int hf_netmon_system_trace_buffers_lost = -1; +static int hf_netmon_system_trace_session_name = -1; +static int hf_netmon_system_trace_log_file_name = -1; +static int hf_netmon_system_trace_group_mask1 = -1; +static int hf_netmon_system_trace_group_mask2 = -1; +static int hf_netmon_system_trace_group_mask3 = -1; +static int hf_netmon_system_trace_group_mask4 = -1; +static int hf_netmon_system_trace_group_mask5 = -1; +static int hf_netmon_system_trace_group_mask6 = -1; +static int hf_netmon_system_trace_group_mask7 = -1; +static int hf_netmon_system_trace_group_mask8 = -1; +static int hf_netmon_system_trace_kernel_event_version = -1; + +static int hf_netmon_system_config_mhz = -1; +static int hf_netmon_system_config_num_processors = -1; +static int hf_netmon_system_config_mem_size = -1; +static int hf_netmon_system_config_page_size = -1; +static int hf_netmon_system_config_allocation_granularity = -1; +static int hf_netmon_system_config_computer_name = -1; +static int hf_netmon_system_config_domain_name = -1; +static int hf_netmon_system_config_hyper_threading_flag = -1; +static int hf_netmon_system_config_disk_number = -1; +static int hf_netmon_system_config_bytes_per_sector = -1; +static int hf_netmon_system_config_sectors_per_track = -1; +static int hf_netmon_system_config_tracks_per_cylinder = -1; +static int hf_netmon_system_config_cylinders = -1; +static int hf_netmon_system_config_scsi_port = -1; +static int hf_netmon_system_config_scsi_path = -1; +static int hf_netmon_system_config_scsi_target = -1; +static int hf_netmon_system_config_scsi_lun = -1; +static int hf_netmon_system_config_manufacturer = -1; +static int hf_netmon_system_config_partition_count = -1; +static int hf_netmon_system_config_write_cache_enabled = -1; +static int hf_netmon_system_config_pad = -1; +static int hf_netmon_system_config_boot_drive_letter = -1; +static int hf_netmon_system_config_spare = -1; +static int hf_netmon_system_config_start_offset = -1; +static int hf_netmon_system_config_partition_size = -1; +static int hf_netmon_system_config_size = -1; +static int hf_netmon_system_config_drive_type = -1; +static int hf_netmon_system_config_drive_letter = -1; +static int hf_netmon_system_config_partition_number = -1; +static int hf_netmon_system_config_sectors_per_cluster = -1; +static int hf_netmon_system_config_num_free_clusters = -1; +static int hf_netmon_system_config_total_num_clusters = -1; +static int hf_netmon_system_config_file_system = -1; +static int hf_netmon_system_config_volume_ext = -1; +static int hf_netmon_system_config_physical_addr = -1; +static int hf_netmon_system_config_physical_addr_len = -1; +static int hf_netmon_system_config_ipv4_index = -1; +static int hf_netmon_system_config_ipv6_index = -1; +static int hf_netmon_system_config_nic_description = -1; +static int hf_netmon_system_config_ipaddresses = -1; +static int hf_netmon_system_config_dns_server_addresses = -1; +static int hf_netmon_system_config_memory_size = -1; +static int hf_netmon_system_config_x_resolution = -1; +static int hf_netmon_system_config_y_resolution = -1; +static int hf_netmon_system_config_bits_per_pixel = -1; +static int hf_netmon_system_config_vrefresh = -1; +static int hf_netmon_system_config_chip_type = -1; +static int hf_netmon_system_config_dac_type = -1; +static int hf_netmon_system_config_adapter_string = -1; +static int hf_netmon_system_config_bios_string = -1; +static int hf_netmon_system_config_device_id = -1; +static int hf_netmon_system_config_state_flags = -1; +static int hf_netmon_system_config_process_id = -1; +static int hf_netmon_system_config_service_state = -1; +static int hf_netmon_system_config_sub_process_tag = -1; +static int hf_netmon_system_config_service_name = -1; +static int hf_netmon_system_config_display_name = -1; +static int hf_netmon_system_config_process_name = -1; +static int hf_netmon_system_config_s1 = -1; +static int hf_netmon_system_config_s2 = -1; +static int hf_netmon_system_config_s3 = -1; +static int hf_netmon_system_config_s4 = -1; +static int hf_netmon_system_config_s5 = -1; +static int hf_netmon_system_config_tcb_table_partitions = -1; +static int hf_netmon_system_config_max_hash_table_size = -1; +static int hf_netmon_system_config_max_user_port = -1; +static int hf_netmon_system_config_tcp_timed_wait_delay = -1; +static int hf_netmon_system_config_irq_affinity = -1; +static int hf_netmon_system_config_irq_num = -1; +static int hf_netmon_system_config_device_desc_len = -1; +static int hf_netmon_system_config_device_desc = -1; +static int hf_netmon_system_config_device_id_len = -1; +static int hf_netmon_system_config_friendly_name_len = -1; +static int hf_netmon_system_config_friendly_name = -1; +static int hf_netmon_system_config_target_id = -1; +static int hf_netmon_system_config_device_type = -1; +static int hf_netmon_system_config_device_timing_mode = -1; +static int hf_netmon_system_config_location_information_len = -1; +static int hf_netmon_system_config_location_information = -1; +static int hf_netmon_system_config_system_manufacturer = -1; +static int hf_netmon_system_config_system_product_name = -1; +static int hf_netmon_system_config_bios_date = -1; +static int hf_netmon_system_config_bios_version = -1; +static int hf_netmon_system_config_load_order_group = -1; +static int hf_netmon_system_config_svc_host_group = -1; +static int hf_netmon_system_config_irq_group = -1; +static int hf_netmon_system_config_pdo_name = -1; +static int hf_netmon_system_config_nic_name = -1; +static int hf_netmon_system_config_index = -1; +static int hf_netmon_system_config_physical_addr_str = -1; +static int hf_netmon_system_config_ip_address = -1; +static int hf_netmon_system_config_subnet_mask = -1; +static int hf_netmon_system_config_dhcp_server = -1; +static int hf_netmon_system_config_gateway = -1; +static int hf_netmon_system_config_primary_wins_server = -1; +static int hf_netmon_system_config_secondary_wins_server = -1; +static int hf_netmon_system_config_dns_server1 = -1; +static int hf_netmon_system_config_dns_server2 = -1; +static int hf_netmon_system_config_dns_server3 = -1; +static int hf_netmon_system_config_dns_server4 = -1; +static int hf_netmon_system_config_data = -1; + + + +static int hf_netmon_process_unique_process_key = -1; +static int hf_netmon_process_process_id = -1; +static int hf_netmon_process_parent_id = -1; +static int hf_netmon_process_session_id = -1; +static int hf_netmon_process_exit_status = -1; +static int hf_netmon_process_directory_table_base = -1; +static int hf_netmon_process_unknown = -1; +static int hf_netmon_process_user_sid_revision = -1; +static int hf_netmon_process_user_sid_subauth_count = -1; +static int hf_netmon_process_user_sid_id = -1; +static int hf_netmon_process_user_sid_authority = -1; +static int hf_netmon_process_image_file_name = -1; +static int hf_netmon_process_command_line = -1; +static int hf_netmon_process_page_directory_base = -1; +static int hf_netmon_process_page_fault_count = -1; +static int hf_netmon_process_handle_count = -1; +static int hf_netmon_process_reserved = -1; +static int hf_netmon_process_peak_virtual_size = -1; +static int hf_netmon_process_peak_working_set_size = -1; +static int hf_netmon_process_peak_page_file_usage = -1; +static int hf_netmon_process_quota_peak_paged_pool_usage = -1; +static int hf_netmon_process_quota_peak_non_paged_pool_usage = -1; +static int hf_netmon_process_virtual_size = -1; +static int hf_netmon_process_workingset_size = -1; +static int hf_netmon_process_pagefile_usage = -1; +static int hf_netmon_process_quota_paged_pool_usage = -1; +static int hf_netmon_process_quota_non_paged_pool_usage = -1; +static int hf_netmon_process_private_page_count = -1; +static int hf_netmon_process_directory_table_base32 = -1; + + +static gint ett_netmon_header = -1; +static gint ett_netmon_event = -1; +static gint ett_netmon_event_desc = -1; +static gint ett_netmon_event_flags = -1; +static gint ett_netmon_event_property = -1; +static gint ett_netmon_event_extended_data = -1; +static gint ett_netmon_filter = -1; +static gint ett_netmon_network_info = -1; +static gint ett_netmon_network_info_list = -1; +static gint ett_netmon_network_info_adapter = -1; +static gint ett_netmon_system_trace = -1; +static gint ett_netmon_event_buffer_context = -1; +static gint ett_netmon_process = -1; +static gint ett_netmon_sid = -1; +static gint ett_netmon_system_config = -1; + +static expert_field ei_netmon_process_user_sid = EI_INIT; + +static dissector_table_t wtap_encap_table; + +void +netmon_etl_field(proto_tree *tree, tvbuff_t *tvb, int* offset, int hf, guint16 flags) +{ + if (flags & EVENT_HEADER_FLAG_64_BIT_HEADER) { + /* XXX - This seems to be how values are displayed in Network Monitor */ + guint64 value = tvb_get_letoh64(tvb, *offset) & 0xFFFFFFFF; + proto_tree_add_uint64(tree, hf, tvb, *offset, 8, value); + (*offset) += 8; + } else { + proto_tree_add_item(tree, hf, tvb, *offset, 4, ENC_LITTLE_ENDIAN); + (*offset) += 4; + } +} + +void +netmon_sid_field(proto_tree *tree, tvbuff_t *tvb, int* offset, packet_info *pinfo, + int hf_revision, int hf_subauthority_count, int hf_sid_id, int hf_sid_authority, expert_field* invalid_sid, gboolean conformant _U_) +{ + proto_item *ti, *sid_item; + proto_tree *sid_tree; + int start_offset = *offset; + guint32 i, revision, count; + + sid_tree = proto_tree_add_subtree(tree, tvb, *offset, 2, ett_netmon_sid, &sid_item, "SID"); + + ti = proto_tree_add_item_ret_uint(sid_tree, hf_revision, tvb, *offset, 1, ENC_LITTLE_ENDIAN, &revision); + (*offset) += 1; + if (revision != 1) + { + expert_add_info(pinfo, ti, invalid_sid); + } + proto_tree_add_item_ret_uint(sid_tree, hf_subauthority_count, tvb, *offset, 1, ENC_LITTLE_ENDIAN, &count); + (*offset) += 1; + if (count > 15) + { + expert_add_info(pinfo, ti, invalid_sid); + } + + proto_tree_add_item(sid_tree, hf_sid_id, tvb, *offset, 6, ENC_NA); + (*offset) += 6; + + for (i = 0; i < count; i++) + { + proto_tree_add_item(sid_tree, hf_sid_authority, tvb, *offset, 4, ENC_LITTLE_ENDIAN); + (*offset) += 4; + } + + proto_item_set_len(sid_item, (*offset)-start_offset); +} + +/* Code to actually dissect the packets */ +static int +dissect_netmon_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_item *ti; + proto_tree *header_tree; + union wtap_pseudo_header temp_header; + gchar *comment; + + ti = proto_tree_add_item(tree, proto_netmon_header, tvb, 0, 0, ENC_NA); + header_tree = proto_item_add_subtree(ti, ett_netmon_header); + + if (pinfo->pseudo_header->netmon.title != NULL) { + ti = proto_tree_add_string(header_tree, hf_netmon_header_title_comment, tvb, 0, 0, pinfo->pseudo_header->netmon.title); + proto_item_set_generated(ti); + } + + if (pinfo->pseudo_header->netmon.description != NULL) { + /* Description comment is only ASCII. However, it's + * RTF, not raw text. + */ + + /* Ensure string termination */ + comment = wmem_strndup(pinfo->pool, pinfo->pseudo_header->netmon.description, pinfo->pseudo_header->netmon.descLength); + + ti = proto_tree_add_string(header_tree, hf_netmon_header_description_comment, tvb, 0, 0, comment); + proto_item_set_generated(ti); + } + + /* Save the pseudo header data to a temp variable before it's copied to + * real pseudo header + */ + switch (pinfo->pseudo_header->netmon.sub_encap) + { + case WTAP_ENCAP_ATM_PDUS: + memcpy(&temp_header.atm, &pinfo->pseudo_header->netmon.subheader.atm, sizeof(temp_header.atm)); + memcpy(&pinfo->pseudo_header->atm, &temp_header.atm, sizeof(temp_header.atm)); + break; + case WTAP_ENCAP_ETHERNET: + memcpy(&temp_header.eth, &pinfo->pseudo_header->netmon.subheader.eth, sizeof(temp_header.eth)); + memcpy(&pinfo->pseudo_header->eth, &temp_header.eth, sizeof(temp_header.eth)); + break; + case WTAP_ENCAP_IEEE_802_11_NETMON: + memcpy(&temp_header.ieee_802_11, &pinfo->pseudo_header->netmon.subheader.ieee_802_11, sizeof(temp_header.ieee_802_11)); + memcpy(&pinfo->pseudo_header->ieee_802_11, &temp_header.ieee_802_11, sizeof(temp_header.ieee_802_11)); + break; + } + + if (!dissector_try_uint_new(wtap_encap_table, + pinfo->pseudo_header->netmon.sub_encap, tvb, pinfo, tree, TRUE, + (void *)pinfo->pseudo_header)) { + call_data_dissector(tvb, pinfo, tree); + } + + return tvb_captured_length(tvb); +} + +static int +dissect_netmon_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_item *ti, *extended_data_item; + proto_tree *event_tree, *event_desc_tree, *extended_data_tree, *buffer_context_tree; + int offset = 0, extended_data_count_offset; + guint32 i, thread_id, process_id, extended_data_count, extended_data_size, user_data_size; + nstime_t timestamp; + tvbuff_t *provider_id_tvb; + guid_key provider_guid; + struct netmon_provider_id_data provider_id_data; + static int * const event_flags[] = { + &hf_netmon_event_flags_extended_info, + &hf_netmon_event_flags_private_session, + &hf_netmon_event_flags_string_only, + &hf_netmon_event_flags_trace_message, + &hf_netmon_event_flags_no_cputime, + &hf_netmon_event_flags_32bit_header, + &hf_netmon_event_flags_64bit_header, + &hf_netmon_event_flags_classic_header, + NULL + }; + static int * const event_property[] = { + &hf_netmon_event_event_property_xml, + &hf_netmon_event_event_property_forwarded_xml, + &hf_netmon_event_event_property_legacy_eventlog, + NULL + }; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Event"); + /* Clear out stuff in the info column */ + col_clear(pinfo->cinfo, COL_INFO); + + memset(&provider_id_data, 0, sizeof(provider_id_data)); + + ti = proto_tree_add_item(tree, proto_netmon_event, tvb, offset, -1, ENC_NA); + event_tree = proto_item_add_subtree(ti, ett_netmon_event); + + proto_tree_add_item(event_tree, hf_netmon_event_size, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_item(event_tree, hf_netmon_event_header_type, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + provider_id_data.event_flags = tvb_get_letohs(tvb, offset); + proto_tree_add_bitmask(event_tree, tvb, offset, hf_netmon_event_flags, ett_netmon_event_flags, event_flags, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_bitmask(event_tree, tvb, offset, hf_netmon_event_event_property, ett_netmon_event_property, event_property, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &thread_id); + offset += 4; + proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &process_id); + offset += 4; + + timestamp.secs = 0; + timestamp.nsecs = 0; + filetime_to_nstime(×tamp, tvb_get_letoh64(tvb, offset)); + proto_tree_add_time(event_tree, hf_netmon_event_timestamp, tvb, offset, 8, ×tamp); + offset += 8; + + proto_tree_add_item(event_tree, hf_netmon_event_provider_id, tvb, offset, 16, ENC_LITTLE_ENDIAN); + /* Save the GUID to use in dissector table */ + tvb_memcpy(tvb, &provider_guid.guid, offset, 16); + provider_guid.ver = 0; //version field not used + offset += 16; + + col_add_fstr(pinfo->cinfo, COL_INFO, "Thread ID: %d, Process ID: %d, Provider ID: %s", + thread_id, process_id, guid_to_str(pinfo->pool, &provider_guid.guid)); + + event_desc_tree = proto_tree_add_subtree(event_tree, tvb, offset, 16, ett_netmon_event_desc, NULL, "Event Descriptor"); + proto_tree_add_item_ret_uint(event_desc_tree, hf_netmon_event_event_desc_id, tvb, offset, 2, ENC_LITTLE_ENDIAN, &provider_id_data.event_id); + offset += 2; + provider_id_data.event_version = tvb_get_guint8(tvb, offset); + proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_version, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_channel, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_level, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + provider_id_data.opcode = tvb_get_guint8(tvb, offset); + proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(event_desc_tree, hf_netmon_event_event_desc_task, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_item_ret_uint64(event_desc_tree, hf_netmon_event_event_desc_keyword, tvb, offset, 8, ENC_LITTLE_ENDIAN, &provider_id_data.keyword); + offset += 8; + + if (provider_id_data.event_flags & (EVENT_HEADER_FLAG_PRIVATE_SESSION | EVENT_HEADER_FLAG_NO_CPUTIME)) + { + /* Kernel and User time are a union with processor time */ + proto_tree_add_item(event_tree, hf_netmon_event_kernel_time, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(event_tree, hf_netmon_event_user_time, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + } + else + { + proto_tree_add_item(event_tree, hf_netmon_event_processor_time, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + } + + proto_tree_add_item(event_tree, hf_netmon_event_activity_id, tvb, offset, 16, ENC_LITTLE_ENDIAN); + offset += 16; + + buffer_context_tree = proto_tree_add_subtree(event_tree, tvb, offset, 4, ett_netmon_event_buffer_context, NULL, "BufferContext"); + proto_tree_add_item(buffer_context_tree, hf_netmon_event_processor_number, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(buffer_context_tree, hf_netmon_event_alignment, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(buffer_context_tree, hf_netmon_event_logger_id, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + + proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_extended_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN, &extended_data_count); + offset += 2; + proto_tree_add_item_ret_uint(event_tree, hf_netmon_event_user_data_length, tvb, offset, 2, ENC_LITTLE_ENDIAN, &user_data_size); + offset += 2; + proto_tree_add_item(event_tree, hf_netmon_event_reassembled, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + + for (i = 1; i <= extended_data_count; i++) + { + extended_data_count_offset = offset; + extended_data_tree = proto_tree_add_subtree_format(event_tree, tvb, offset, 4, ett_netmon_event_extended_data, &extended_data_item, "Extended Data Item #%d", i); + proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_reserved, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_type, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_linkage, tvb, offset, 2, ENC_LITTLE_ENDIAN); + proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data_reserved2, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_item_ret_uint(extended_data_tree, hf_netmon_event_extended_data_size, tvb, offset, 2, ENC_LITTLE_ENDIAN, &extended_data_size); + offset += 2; + proto_tree_add_item(extended_data_tree, hf_netmon_event_extended_data, tvb, offset, extended_data_size, ENC_NA); + offset += extended_data_size; + proto_item_set_len(extended_data_item, offset-extended_data_count_offset); + } + + provider_id_tvb = tvb_new_subset_remaining(tvb, offset); + if (!dissector_try_guid_new(provider_id_table, &provider_guid, provider_id_tvb, pinfo, tree, TRUE, &provider_id_data)) + { + proto_tree_add_item(event_tree, hf_netmon_event_user_data, tvb, offset, user_data_size, ENC_NA); + offset += user_data_size; + } + proto_item_set_len(ti, offset); + return tvb_captured_length(tvb); +} + + +static int +dissect_netmon_filter(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_item *ti; + proto_tree *filter_tree; + int offset = 0; + guint length; + const guint8* filter; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Filter"); + /* Clear out stuff in the info column */ + col_clear(pinfo->cinfo, COL_INFO); + + ti = proto_tree_add_item(tree, proto_netmon_filter, tvb, offset, -1, ENC_NA); + filter_tree = proto_item_add_subtree(ti, ett_netmon_filter); + + proto_tree_add_item(filter_tree, hf_netmon_filter_version, tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + proto_tree_add_item(filter_tree, hf_netmon_filter_type, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(filter_tree, hf_netmon_filter_app_major_version, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(filter_tree, hf_netmon_filter_app_minor_version, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(filter_tree, hf_netmon_filter_app_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(filter_tree, hf_netmon_filter_filter, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, + pinfo->pool, &filter); + col_add_fstr(pinfo->cinfo, COL_INFO, "Filter: %s", filter); + + return tvb_captured_length(tvb); +} + + +static int +dissect_netmon_network_info(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_item *ti, *list_item, *adapter_item; + proto_tree *network_info_tree, *list_tree, *adapter_tree; + int offset = 0, list_start_offset, adapter_start_offset; + guint adapter, adapter_count, length; + guint64 link_speed; + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Network Info"); + /* Clear out stuff in the info column */ + col_clear(pinfo->cinfo, COL_INFO); + + ti = proto_tree_add_item(tree, proto_netmon_network_info, tvb, offset, -1, ENC_NA); + network_info_tree = proto_item_add_subtree(ti, ett_netmon_network_info); + + proto_tree_add_item(network_info_tree, hf_netmon_network_info_version, tvb, offset, 2, ENC_BIG_ENDIAN); + offset += 2; + + proto_tree_add_item_ret_uint(network_info_tree, hf_netmon_network_info_adapter_count, tvb, offset, 2, ENC_BIG_ENDIAN, &adapter_count); + offset += 2; + col_add_fstr(pinfo->cinfo, COL_INFO, "Adapter count: %d", adapter_count); + + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(network_info_tree, hf_netmon_network_info_computer_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + if (adapter_count > 0) + { + list_start_offset = offset; + list_tree = proto_tree_add_subtree(network_info_tree, tvb, offset, 1, ett_netmon_network_info_list, &list_item, "NetworkInfo"); + for (adapter = 1; adapter <= adapter_count; adapter++) + { + guint32 loop, ipv4_count, ipv6_count, gateway_count, dhcp_server_count, dns_ipv4_count, dns_ipv6_count; + + adapter_start_offset = offset; + adapter_tree = proto_tree_add_subtree_format(list_tree, tvb, offset, 1, ett_netmon_network_info_adapter, &adapter_item, "Adapter #%d", adapter); + + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(adapter_tree, hf_netmon_network_info_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(adapter_tree, hf_netmon_network_info_description, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(adapter_tree, hf_netmon_network_info_miniport_guid, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + proto_tree_add_item(adapter_tree, hf_netmon_network_info_media_type, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(adapter_tree, hf_netmon_network_info_mtu, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + link_speed = tvb_get_ntoh64(tvb, offset); + if (link_speed == 0xFFFFFFFFFFFFFFFF) + { + proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "(Unknown)"); + } + else if (link_speed >= 1000 * 1000 * 1000) + { + proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " Gbps", link_speed/(1000*1000*1000)); + } + else if (link_speed >= 1000 * 1000) + { + proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " Mbps", link_speed/(1000*1000)); + } + else if (link_speed >= 1000) + { + proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " Kbps", link_speed/1000); + } + else + { + proto_tree_add_uint64_format_value(adapter_tree, hf_netmon_network_info_link_speed, tvb, offset, 8, link_speed, "%" PRIu64 " bps", link_speed); + } + offset += 8; + proto_tree_add_item(adapter_tree, hf_netmon_network_info_mac_address, tvb, offset, 6, ENC_NA); + offset += 6; + + proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_ipv4_count, tvb, offset, 2, ENC_BIG_ENDIAN, &ipv4_count); + offset += 2; + proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_ipv6_count, tvb, offset, 2, ENC_BIG_ENDIAN, &ipv6_count); + offset += 2; + proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_gateway_count, tvb, offset, 2, ENC_BIG_ENDIAN, &gateway_count); + offset += 2; + proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_dhcp_server_count, tvb, offset, 2, ENC_BIG_ENDIAN, &dhcp_server_count); + offset += 2; + proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_dns_ipv4_count, tvb, offset, 2, ENC_BIG_ENDIAN, &dns_ipv4_count); + offset += 2; + proto_tree_add_item_ret_uint(adapter_tree, hf_netmon_network_info_dns_ipv6_count, tvb, offset, 2, ENC_BIG_ENDIAN, &dns_ipv6_count); + offset += 2; + + for (loop = 0; loop < ipv4_count; loop++) + { + proto_tree_add_item(adapter_tree, hf_netmon_network_info_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + } + for (loop = 0; loop < ipv4_count; loop++) + { + proto_tree_add_item(adapter_tree, hf_netmon_network_info_subnet, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + } + for (loop = 0; loop < ipv6_count; loop++) + { + proto_tree_add_item(adapter_tree, hf_netmon_network_info_ipv6, tvb, offset, 16, ENC_NA); + offset += 16; + } + for (loop = 0; loop < gateway_count; loop++) + { + proto_tree_add_item(adapter_tree, hf_netmon_network_info_gateway, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + } + for (loop = 0; loop < dhcp_server_count; loop++) + { + proto_tree_add_item(adapter_tree, hf_netmon_network_info_dhcp_server, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + } + for (loop = 0; loop < dns_ipv4_count; loop++) + { + proto_tree_add_item(adapter_tree, hf_netmon_network_info_dns_ipv4, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + } + for (loop = 0; loop < dns_ipv6_count; loop++) + { + proto_tree_add_item(adapter_tree, hf_netmon_network_info_dns_ipv6, tvb, offset, 16, ENC_NA); + offset += 16; + } + + proto_item_set_len(adapter_item, offset-adapter_start_offset); + } + + proto_item_set_len(list_item, offset-list_start_offset); + } + + return tvb_captured_length(tvb); +} + +static int +dissect_netmon_system_trace(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_item *ti; + proto_tree *system_tree; + int offset = 0; + struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data; + guint length; + nstime_t timestamp; + guint64 raw_timestamp; + + DISSECTOR_ASSERT(provider_id_data != NULL); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon System Trace"); + col_clear(pinfo->cinfo, COL_INFO); + + ti = proto_tree_add_item(tree, proto_netmon_system_trace, tvb, 0, -1, ENC_NA); + system_tree = proto_item_add_subtree(ti, ett_netmon_system_trace); + + switch (provider_id_data->opcode) + { + case 0: + proto_tree_add_item(system_tree, hf_netmon_system_trace_buffer_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_version, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_provider_version, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + + raw_timestamp = tvb_get_letoh64(tvb, offset); + if (raw_timestamp != 0) + { + timestamp.secs = 0; + timestamp.nsecs = 0; + filetime_to_nstime(×tamp, raw_timestamp); + proto_tree_add_time(system_tree, hf_netmon_system_trace_end_time, tvb, offset, 8, ×tamp); + } + else + { + proto_tree_add_time_format_value(system_tree, hf_netmon_system_trace_end_time, tvb, offset, 8, ×tamp, "(None)"); + } + offset += 8; + + proto_tree_add_item(system_tree, hf_netmon_system_trace_timer_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_max_file_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_log_file_mode, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_buffers_written, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_start_buffers, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_pointers_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_events_lost, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_cpu_speed, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_trace_logger_name, provider_id_data->event_flags); + netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_trace_log_file_name_ptr, provider_id_data->event_flags); + proto_tree_add_item(system_tree, hf_netmon_system_trace_time_zone_info, tvb, offset, 176, ENC_NA); + offset += 176; + + timestamp.secs = 0; + timestamp.nsecs = 0; + filetime_to_nstime(×tamp, tvb_get_letoh64(tvb, offset)); + proto_tree_add_time(system_tree, hf_netmon_system_trace_boot_time, tvb, offset, 8, ×tamp); + offset += 8; + + proto_tree_add_item(system_tree, hf_netmon_system_trace_perf_freq, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + + timestamp.secs = 0; + timestamp.nsecs = 0; + filetime_to_nstime(×tamp, tvb_get_letoh64(tvb, offset)); + proto_tree_add_time(system_tree, hf_netmon_system_trace_start_time, tvb, offset, 8, ×tamp); + offset += 8; + + proto_tree_add_item(system_tree, hf_netmon_system_trace_reserved_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_buffers_lost, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_trace_session_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_trace_log_file_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + break; + case 5: + case 32: + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask1, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask2, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask3, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask4, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask5, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask6, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask7, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_group_mask8, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_trace_kernel_event_version, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 8: // EventTrace_RDComplete + break; + } + + return tvb_captured_length(tvb); +} + +static int +dissect_netmon_system_config(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_item *ti; + proto_tree *system_tree; + int offset = 0; + struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data; + guint length; + guint32 field1, field2; + const guint8 *str_field1, *str_field2, *str_field3, *str_field4; + + DISSECTOR_ASSERT(provider_id_data != NULL); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon System Config"); + col_clear(pinfo->cinfo, COL_INFO); + + ti = proto_tree_add_item(tree, proto_netmon_system_config, tvb, 0, -1, ENC_NA); + system_tree = proto_item_add_subtree(ti, ett_netmon_system_config); + + switch (provider_id_data->event_version) + { + // SystemConfig_V0 + case 0: + switch (provider_id_data->opcode) + { + case 10: + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_mhz, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field2); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "Processors: %u, (%u MHz)", field2, field1); + + proto_tree_add_item(system_tree, hf_netmon_system_config_mem_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_page_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_allocation_granularity, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_computer_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_domain_name, tvb, offset, 264, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 264; + netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_config_hyper_threading_flag, provider_id_data->event_flags); + break; + case 11: + proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_track, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_tracks_per_cylinder, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_cylinders, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_port, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_path, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_target, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_lun, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_manufacturer, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_count, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_write_cache_enabled, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 1, ENC_NA); + offset += 1; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_boot_drive_letter, tvb, offset, 6, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 6; + proto_tree_add_item(system_tree, hf_netmon_system_config_spare, tvb, offset, 4, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 4; + + col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, BootDriveLetter: %s", str_field1, str_field2); + break; + case 12: + proto_tree_add_item(system_tree, hf_netmon_system_config_start_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_size, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_drive_type, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_drive_letter, tvb, offset, 8, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_cluster, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_num_free_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_total_num_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_file_system, tvb, offset, 32, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 32; + col_add_fstr(pinfo->cinfo, COL_INFO, "Drive: %s, FileSystem: %s", str_field1, str_field2); + proto_tree_add_item(system_tree, hf_netmon_system_config_volume_ext, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 13: + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_nic_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_index, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_str, tvb, offset, 16, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 16; + proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_ip_address, tvb, offset, 4, ENC_BIG_ENDIAN); + col_add_fstr(pinfo->cinfo, COL_INFO, "NIC: %s, Address: %s", str_field1, tvb_ip_to_str(pinfo->pool, tvb, offset)); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_subnet_mask, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dhcp_server, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_gateway, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_primary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_secondary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server1, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server2, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server3, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server4, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_data, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 14: + proto_tree_add_item(system_tree, hf_netmon_system_config_memory_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_x_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_y_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bits_per_pixel, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_vrefresh, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_chip_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_dac_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_adapter_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3); + offset += 512; + col_add_fstr(pinfo->cinfo, COL_INFO, "Chip: %s, Adapter: %s, Bios: %s", str_field1, str_field2, str_field3); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_id, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_state_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 15: + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 68; + proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_process_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 68; + col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, Process: %s", str_field1, str_field2); + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + break; + case 16: + proto_tree_add_item(system_tree, hf_netmon_system_config_s1, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s2, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s3, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s4, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s5, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 3, ENC_NA); + offset += 3; + break; + case 21: + proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust size above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + case 22: + proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust sizes above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2); + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_pdo_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + } + break; + // SystemConfig_V1 + case 1: + switch (provider_id_data->opcode) + { + case 10: + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_mhz, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field2); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "Processors: %u, (%u MHz)", field2, field1); + + proto_tree_add_item(system_tree, hf_netmon_system_config_mem_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_page_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_allocation_granularity, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_computer_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_domain_name, tvb, offset, 264, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 264; + netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_config_hyper_threading_flag, provider_id_data->event_flags); + break; + case 11: + proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_track, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_tracks_per_cylinder, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_cylinders, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_port, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_path, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_target, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_lun, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_manufacturer, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_count, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_write_cache_enabled, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 1, ENC_NA); + offset += 1; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_boot_drive_letter, tvb, offset, 6, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 6; + proto_tree_add_item(system_tree, hf_netmon_system_config_spare, tvb, offset, 4, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 4; + + col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, BootDriveLetter: %s", str_field1, str_field2); + break; + case 12: + proto_tree_add_item(system_tree, hf_netmon_system_config_start_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_size, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_drive_type, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_drive_letter, tvb, offset, 8, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_cluster, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_num_free_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_total_num_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_file_system, tvb, offset, 32, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 32; + col_add_fstr(pinfo->cinfo, COL_INFO, "Drive: %s, FileSystem: %s", str_field1, str_field2); + proto_tree_add_item(system_tree, hf_netmon_system_config_volume_ext, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 13: + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_nic_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_index, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_str, tvb, offset, 16, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 16; + proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_ip_address, tvb, offset, 4, ENC_BIG_ENDIAN); + col_add_fstr(pinfo->cinfo, COL_INFO, "NIC: %s, Address: %s", str_field1, tvb_ip_to_str(pinfo->pool, tvb, offset)); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_subnet_mask, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dhcp_server, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_gateway, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_primary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_secondary_wins_server, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server1, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server2, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server3, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server4, tvb, offset, 4, ENC_BIG_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_data, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 14: + proto_tree_add_item(system_tree, hf_netmon_system_config_memory_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_x_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_y_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bits_per_pixel, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_vrefresh, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_chip_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_dac_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_adapter_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3); + offset += 512; + col_add_fstr(pinfo->cinfo, COL_INFO, "Chip: %s, Adapter: %s, Bios: %s", str_field1, str_field2, str_field3); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_id, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_state_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 15: + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 68; + proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_process_name, tvb, offset, 68, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 68; + col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, Process: %s", str_field1, str_field2); + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + break; + case 16: + proto_tree_add_item(system_tree, hf_netmon_system_config_s1, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s2, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s3, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s4, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s5, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 3, ENC_NA); + offset += 3; + break; + case 21: + proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust size above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + case 22: + proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust sizes above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2); + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_pdo_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + } + break; + // SystemConfig_V2 + case 2: + switch (provider_id_data->opcode) + { + case 10: + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_mhz, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_num_processors, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field2); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "Processors: %u, (%u MHz)", field2, field1); + + proto_tree_add_item(system_tree, hf_netmon_system_config_mem_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_page_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_allocation_granularity, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_computer_name, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_domain_name, tvb, offset, 268, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 268; + netmon_etl_field(system_tree, tvb, &offset, hf_netmon_system_config_hyper_threading_flag, provider_id_data->event_flags); + break; + case 11: + proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_track, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_tracks_per_cylinder, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_cylinders, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_port, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_path, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_target, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_scsi_lun, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_manufacturer, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_count, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_write_cache_enabled, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 1, ENC_NA); + offset += 1; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_boot_drive_letter, tvb, offset, 6, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 6; + proto_tree_add_item(system_tree, hf_netmon_system_config_spare, tvb, offset, 4, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 4; + + col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, BootDriveLetter: %s", str_field1, str_field2); + break; + case 12: + proto_tree_add_item(system_tree, hf_netmon_system_config_start_offset, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_size, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_disk_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_drive_type, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_drive_letter, tvb, offset, 8, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_partition_number, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sectors_per_cluster, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bytes_per_sector, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_num_free_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_total_num_clusters, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_file_system, tvb, offset, 32, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 32; + col_add_fstr(pinfo->cinfo, COL_INFO, "Drive: %s, FileSystem: %s", str_field1, str_field2); + proto_tree_add_item(system_tree, hf_netmon_system_config_volume_ext, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 4, ENC_NA); + offset += 4; + break; + case 13: + proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_physical_addr_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_ipv4_index, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_ipv6_index, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_nic_description, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_ipaddresses, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "IP Addresses: %s", str_field1); + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_dns_server_addresses, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + case 14: + proto_tree_add_item(system_tree, hf_netmon_system_config_memory_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_x_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_y_resolution, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_bits_per_pixel, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_vrefresh, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_chip_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_dac_type, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_adapter_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += 512; + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_string, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3); + offset += 512; + col_add_fstr(pinfo->cinfo, COL_INFO, "Chip: %s, Adapter: %s, Bios: %s", str_field1, str_field2, str_field3); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_id, tvb, offset, 512, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += 512; + proto_tree_add_item(system_tree, hf_netmon_system_config_state_flags, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 15: + proto_tree_add_item(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_service_state, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sub_process_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_process_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, Process: %s", str_field1, str_field2); + break; + case 16: + proto_tree_add_item(system_tree, hf_netmon_system_config_s1, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s2, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s3, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s4, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_s5, tvb, offset, 1, ENC_LITTLE_ENDIAN); + offset += 1; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 3, ENC_NA); + offset += 3; + break; + case 17: + proto_tree_add_item(system_tree, hf_netmon_system_config_tcb_table_partitions, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_max_hash_table_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_max_user_port, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_tcp_timed_wait_delay, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "MaxUserPort: %u", field1); + break; + case 21: + proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust size above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + case 22: + proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust sizes above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2); + break; + case 23: + proto_tree_add_item(system_tree, hf_netmon_system_config_target_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_device_type, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_device_timing_mode, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_location_information_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_location_information, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "Location: %s", str_field1); + break; + case 25: + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_system_manufacturer, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_system_product_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_date, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field3); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_bios_version, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field4); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "Manufacturer: %s, ProductName: %s, BiosDate: %s, BiosVersion: %s", str_field1, str_field2, str_field3, str_field4); + break; + } + break; + // SystemConfig_V3 + case 3: + switch (provider_id_data->opcode) + { + case 15: + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_service_state, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_sub_process_tag, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_service_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "Service: %s, (PID=%d)", str_field1, field1); + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_display_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_process_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_load_order_group, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_svc_host_group, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + case 21: + proto_tree_add_item(system_tree, hf_netmon_system_config_irq_affinity, tvb, offset, 8, ENC_LITTLE_ENDIAN); + offset += 8; + proto_tree_add_item(system_tree, hf_netmon_system_config_irq_group, tvb, offset, 2, ENC_LITTLE_ENDIAN); + offset += 2; + proto_tree_add_item(system_tree, hf_netmon_system_config_pad, tvb, offset, 2, ENC_NA); + offset += 2; + proto_tree_add_item_ret_uint(system_tree, hf_netmon_system_config_irq_num, tvb, offset, 4, ENC_LITTLE_ENDIAN, &field1); + offset += 4; + col_add_fstr(pinfo->cinfo, COL_INFO, "IRQ: %u", field1); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust size above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + case 22: + proto_tree_add_item(system_tree, hf_netmon_system_config_device_id_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(system_tree, hf_netmon_system_config_friendly_name_len, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + /* XXX - can we trust sizes above? */ + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_device_id, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field1); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_device_desc, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item_ret_string(system_tree, hf_netmon_system_config_friendly_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16, pinfo->pool, &str_field2); + offset += length; + col_add_fstr(pinfo->cinfo, COL_INFO, "ID: %s, Name: %s", str_field1, str_field2); + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(system_tree, hf_netmon_system_config_pdo_name, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + } + break; + } + + return offset; +} + +static int +dissect_netmon_process(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) +{ + proto_item *ti; + proto_tree *process_tree; + int offset = 0; + struct netmon_provider_id_data *provider_id_data = (struct netmon_provider_id_data*)data; + guint length; + const guint8 *filename; + + DISSECTOR_ASSERT(provider_id_data != NULL); + + col_set_str(pinfo->cinfo, COL_PROTOCOL, "NetMon Process"); + col_clear(pinfo->cinfo, COL_INFO); + + ti = proto_tree_add_item(tree, proto_netmon_process, tvb, 0, -1, ENC_NA); + process_tree = proto_item_add_subtree(ti, ett_netmon_process); + + switch (provider_id_data->event_version) + { + case 0: + switch (provider_id_data->opcode) + { + case 1: + case 2: + case 3: + case 4: + proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision, + hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority, + &ei_netmon_process_user_sid, FALSE); + length = tvb_strsize(tvb, offset); + proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII, + pinfo->pool, &filename); + col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename); + offset += length; + break; + + } + break; + case 1: + switch (provider_id_data->opcode) + { + case 1: + case 2: + case 3: + case 4: + netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_page_directory_base, provider_id_data->event_flags); + proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_session_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_exit_status, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision, + hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority, + &ei_netmon_process_user_sid, FALSE); + length = tvb_strsize(tvb, offset); + proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII, + pinfo->pool, &filename); + col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename); + offset += length; + break; + } + break; + case 2: + switch (provider_id_data->opcode) + { + case 1: + case 2: + case 3: + case 4: + case 39: + netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_unique_process_key, provider_id_data->event_flags); + proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_session_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_exit_status, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + if (provider_id_data->event_flags & EVENT_HEADER_FLAG_64_BIT_HEADER) + { + proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 16, ENC_NA); + offset += 16; + } + else + { + proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 8, ENC_NA); + offset += 8; + } + netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision, + hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority, + &ei_netmon_process_user_sid, FALSE); + length = tvb_strsize(tvb, offset); + proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII, + pinfo->pool, &filename); + col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename); + offset += length; + + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(process_tree, hf_netmon_process_command_line, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + + case 32: + case 33: + proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_page_fault_count, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_handle_count, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_reserved, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_peak_virtual_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_peak_working_set_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_peak_page_file_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_quota_peak_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_quota_peak_non_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_virtual_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_workingset_size, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_pagefile_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_quota_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_quota_non_paged_pool_usage, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_private_page_count, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + case 35: + proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_directory_table_base32, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + break; + } + break; + case 3: + switch (provider_id_data->opcode) + { + case 1: + case 2: + case 3: + case 4: + case 39: + netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_unique_process_key, provider_id_data->event_flags); + proto_tree_add_item(process_tree, hf_netmon_process_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_parent_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_session_id, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + proto_tree_add_item(process_tree, hf_netmon_process_exit_status, tvb, offset, 4, ENC_LITTLE_ENDIAN); + offset += 4; + netmon_etl_field(process_tree, tvb, &offset, hf_netmon_process_directory_table_base, provider_id_data->event_flags); + if (provider_id_data->event_flags & EVENT_HEADER_FLAG_64_BIT_HEADER) + { + proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 16, ENC_NA); + offset += 16; + } + else + { + proto_tree_add_item(process_tree, hf_netmon_process_unknown, tvb, offset, 8, ENC_NA); + offset += 8; + } + netmon_sid_field(process_tree, tvb, &offset, pinfo, hf_netmon_process_user_sid_revision, + hf_netmon_process_user_sid_subauth_count, hf_netmon_process_user_sid_id, hf_netmon_process_user_sid_authority, + &ei_netmon_process_user_sid, FALSE); + length = tvb_strsize(tvb, offset); + proto_tree_add_item_ret_string(process_tree, hf_netmon_process_image_file_name, tvb, offset, length, ENC_NA|ENC_ASCII, + pinfo->pool, &filename); + col_add_fstr(pinfo->cinfo, COL_INFO, "Filename: %s", filename); + offset += length; + + length = tvb_unicode_strsize(tvb, offset); + proto_tree_add_item(process_tree, hf_netmon_process_command_line, tvb, offset, length, ENC_LITTLE_ENDIAN|ENC_UTF_16); + offset += length; + break; + } + break; + } + + return tvb_captured_length(tvb); +} + +void proto_register_netmon(void) +{ + static hf_register_info hf_header[] = { + { &hf_netmon_header_title_comment, + { "Comment title", "netmon_header.title_comment", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_header_description_comment, + { "Comment description", "netmon_header.description_comment", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + }; + + + static hf_register_info hf_event[] = { + { &hf_netmon_event_size, + { "Size", "netmon_event.size", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_header_type, + { "Header type", "netmon_event.header_type", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_flags, + { "Flags", "netmon_event.flags", + FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_flags_extended_info, + { "Extended Info", "netmon_event.flags.extended_info", + FT_BOOLEAN, 16, TFS(&tfs_present_not_present), EVENT_HEADER_FLAG_EXTENDED_INFO, NULL, HFILL } + }, + { &hf_netmon_event_flags_private_session, + { "Private Sessions", "netmon_event.flags.private_session", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_PRIVATE_SESSION, NULL, HFILL } + }, + { &hf_netmon_event_flags_string_only, + { "Null-terminated Unicode string", "netmon_event.flags.string_only", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_STRING_ONLY, NULL, HFILL } + }, + { &hf_netmon_event_flags_trace_message, + { "TraceMessage logged", "netmon_event.flags.trace_message", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_TRACE_MESSAGE, NULL, HFILL } + }, + { &hf_netmon_event_flags_no_cputime, + { "Use ProcessorTime", "netmon_event.flags.no_cputime", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_NO_CPUTIME, NULL, HFILL } + }, + { &hf_netmon_event_flags_32bit_header, + { "Provider running on 32-bit computer", "netmon_event.flags.32bit_header", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_32_BIT_HEADER, NULL, HFILL } + }, + { &hf_netmon_event_flags_64bit_header, + { "Provider running on 64-bit computer", "netmon_event.flags.64bit_header", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_64_BIT_HEADER, NULL, HFILL } + }, + { &hf_netmon_event_flags_classic_header, + { "Use TraceEvent", "netmon_event.flags.classic_header", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_FLAG_CLASSIC_HEADER, NULL, HFILL } + }, + { &hf_netmon_event_event_property, + { "Event property", "netmon_event.event_property", + FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_property_xml, + { "Need manifest", "netmon_event.event_property.xml", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_PROPERTY_XML, NULL, HFILL } + }, + { &hf_netmon_event_event_property_forwarded_xml, + { "Event data contains fully-rendered XML", "netmon_event.event_property.forwarded_xml", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_PROPERTY_FORWARDED_XML, NULL, HFILL } + }, + { &hf_netmon_event_event_property_legacy_eventlog, + { "Need WMI MOF class", "netmon_event.event_property.legacy_eventlog", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), EVENT_HEADER_PROPERTY_LEGACY_EVENTLOG, NULL, HFILL } + }, + { &hf_netmon_event_thread_id, + { "Thread ID", "netmon_event.thread_id", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_process_id, + { "Process ID", "netmon_event.process_id", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_timestamp, + { "Timestamp", "netmon_event.timestamp", + FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_provider_id, + { "Provider ID", "netmon_event.provider_id", + FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_desc_id, + { "ID", "netmon_event.event_desc.id", + FT_UINT16, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_desc_version, + { "Version", "netmon_event.event_desc.version", + FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_desc_channel, + { "Channel", "netmon_event.event_desc.channel", + FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_desc_level, + { "Level", "netmon_event.event_desc.level", + FT_UINT8, BASE_DEC, VALS(event_level_vals), 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_desc_opcode, + { "Opcode", "netmon_event.event_desc.opcode", + FT_UINT8, BASE_HEX, VALS(opcode_vals), 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_desc_task, + { "Task", "netmon_event.event_desc.task", + FT_UINT16, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_event_desc_keyword, + { "Keyword", "netmon_event.event_desc.keyword", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_kernel_time, + { "Kernel time", "netmon_event.kernel_time", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_user_time, + { "User time", "netmon_event.user_time", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_processor_time, + { "Processor time", "netmon_event.processor_time", + FT_UINT64, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_activity_id, + { "Activity ID", "netmon_event.activity_id", + FT_GUID, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_processor_number, + { "Processor number", "netmon_event.processor_number", + FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_alignment, + { "Alignment", "netmon_event.alignment", + FT_UINT8, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_logger_id, + { "Logger ID", "netmon_event.logger_id", + FT_UINT16, BASE_DEC_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_extended_data_count, + { "Extended data count", "netmon_event.extended_data_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_user_data_length, + { "User data length", "netmon_event.user_data_length", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_reassembled, + { "Reassembled", "netmon_event.reassembled", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_extended_data_reserved, + { "Reserved", "netmon_event.extended_data.reserved", + FT_UINT16, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_extended_data_type, + { "Extended info type", "netmon_event.extended_data.type", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_extended_data_linkage, + { "Additional extended data", "netmon_event.extended_data.linkage", + FT_BOOLEAN, 16, TFS(&tfs_yes_no), 0x0001, NULL, HFILL } + }, + { &hf_netmon_event_extended_data_reserved2, + { "Reserved", "netmon_event.extended_data.reserved2", + FT_UINT16, BASE_HEX, NULL, 0xFFFE, NULL, HFILL } + }, + { &hf_netmon_event_extended_data_size, + { "Extended data size", "netmon_event.extended_data.size", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_extended_data, + { "Extended data", "netmon_event.extended_data", + FT_BYTES, BASE_NONE|BASE_ALLOW_ZERO, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_event_user_data, + { "User data", "netmon_event.user_data", + FT_BYTES, BASE_NONE|BASE_ALLOW_ZERO, NULL, 0x0, NULL, HFILL } + }, + }; + + static hf_register_info hf_filter[] = { + { &hf_netmon_filter_version, + { "Version", "netmon_filter.version", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_filter_type, + { "Filter type", "netmon_filter.type", + FT_UINT32, BASE_DEC|BASE_RANGE_STRING, RVALS(filter_types), 0x0, NULL, HFILL } + }, + { &hf_netmon_filter_app_major_version, + { "App Major Version", "netmon_filter.app_major_version", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_filter_app_minor_version, + { "App Minor Version", "netmon_filter.app_minor_version", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_filter_app_name, + { "Application Name", "netmon_filter.app_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_filter_filter, + { "Filter", "netmon_filter.filter", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + }; + + static hf_register_info hf_network_info[] = { + { &hf_netmon_network_info_version, + { "Version", "netmon_network_info.version", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_adapter_count, + { "Adapter count", "netmon_network_info.adapter_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_computer_name, + { "Computer name", "netmon_network_info.computer_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_friendly_name, + { "Friendly name", "netmon_network_info.friendly_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_description, + { "Description", "netmon_network_info.description", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_miniport_guid, + { "Miniport GUID", "netmon_network_info.miniport_guid", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_media_type, + { "Media type", "netmon_network_info.media_type", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_mtu, + { "MTU", "netmon_network_info.mtu", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_link_speed, + { "Link speed", "netmon_network_info.link_speed", + FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_mac_address, + { "MAC address", "netmon_network_info.mac_address", + FT_ETHER, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_ipv4_count, + { "IPv4 count", "netmon_network_info.ipv4_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_ipv6_count, + { "IPv6 count", "netmon_network_info.ipv6_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_gateway_count, + { "Gateway count", "netmon_network_info.gateway_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_dhcp_server_count, + { "DHCP server count", "netmon_network_info.dhcp_server_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_dns_ipv4_count, + { "DNS IPv4 count", "netmon_network_info.dns_ipv4_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_dns_ipv6_count, + { "DNS IPv6 count", "netmon_network_info.dns_ipv6_count", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_ipv4, + { "IPv4 address", "netmon_network_info.ipv4", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_subnet, + { "Subnet mask", "netmon_network_info.subnet", + FT_IPv4, BASE_NETMASK, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_ipv6, + { "IPv6 address", "netmon_network_info.ipv6", + FT_IPv6, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_gateway, + { "Gateway address", "netmon_network_info.gateway", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_dhcp_server, + { "DHCP Server", "netmon_network_info.dhcp_server", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_dns_ipv4, + { "DNS IPv4 address", "netmon_network_info.dns_ipv4", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_network_info_dns_ipv6, + { "DNS IPv6 address", "netmon_network_info.dns_ipv6", + FT_IPv6, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + }; + + static hf_register_info hf_system_trace[] = { + { &hf_netmon_system_trace_buffer_size, + { "Buffer size", "netmon_system_trace.buffer_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_version, + { "Version", "netmon_system_trace.version", + FT_UINT32, BASE_HEX_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_provider_version, + { "Provider version", "netmon_system_trace.provider_version", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_num_processors, + { "Number of processors", "netmon_system_trace.num_processors", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_end_time, + { "End time", "netmon_system_trace.end_time", + FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_timer_resolution, + { "Timer resolution", "netmon_system_trace.timer_resolution", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_max_file_size, + { "Max file size", "netmon_system_trace.max_file_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_log_file_mode, + { "Log file mode", "netmon_system_trace.log_file_mode", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_buffers_written, + { "Buffers written", "netmon_system_trace.buffers_written", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_start_buffers, + { "Start buffers", "netmon_system_trace.start_buffers", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_pointers_size, + { "Pointers size", "netmon_system_trace.pointers_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_events_lost, + { "Events lost", "netmon_system_trace.events_lost", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_cpu_speed, + { "CPU speed", "netmon_system_trace.cpu_speed", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_logger_name, + { "Logger name", "netmon_system_trace.logger_name", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_log_file_name_ptr, + { "Log file name", "netmon_system_trace.log_file_name_ptr", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_time_zone_info, + { "Time zone info", "netmon_system_trace.time_zone_info", + FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_boot_time, + { "Boot time", "netmon_system_trace.boot_time", + FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_perf_freq, + { "Perf freq", "netmon_system_trace.pref_freq", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_start_time, + { "Start time", "netmon_system_trace.start_time", + FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_reserved_flags, + { "Reserved Flags", "netmon_system_trace.reserved_flags", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_buffers_lost, + { "Buffers lost", "netmon_system_trace.buffers_lost", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_session_name, + { "Session name", "netmon_system_trace.session_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_log_file_name, + { "Log file name", "netmon_system_trace.log_file_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask1, + { "Group Mask1", "netmon_system_trace.group_mask1", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask2, + { "Group Mask2", "netmon_system_trace.group_mask2", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask3, + { "Group Mask3", "netmon_system_trace.group_mask3", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask4, + { "Group Mask4", "netmon_system_trace.group_mask4", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask5, + { "Group Mask5", "netmon_system_trace.group_mask5", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask6, + { "Group Mask6", "netmon_system_trace.group_mask6", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask7, + { "Group Mask7", "netmon_system_trace.group_mask7", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_group_mask8, + { "Group Mask8", "netmon_system_trace.group_mask8", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_trace_kernel_event_version, + { "Kernel event version", "netmon_system_trace.kernel_event_version", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + }; + + static hf_register_info hf_system_config[] = { + { &hf_netmon_system_config_mhz, + { "Mhz", "netmon_system_config.mhz", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_num_processors, + { "Number of processors", "netmon_system_config.num_processors", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_mem_size, + { "Memory size", "netmon_system_config.mem_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_page_size, + { "Page size", "netmon_system_config.page_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_allocation_granularity, + { "Allocation granularity", "netmon_system_config.allocation_granularity", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_computer_name, + { "Computer name", "netmon_system_config.computer_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_domain_name, + { "Domain name", "netmon_system_config.domain_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_hyper_threading_flag, + { "Hyper threading flag", "netmon_system_config.hyper_threading_flag", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_disk_number, + { "Disk number", "netmon_system_config.disk_number", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_bytes_per_sector, + { "Bytes per sector", "netmon_system_config.bytes_per_sector", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_sectors_per_track, + { "Sectors per track", "netmon_system_config.sectors_per_track", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_tracks_per_cylinder, + { "Tracks per cylinder", "netmon_system_config.tracks_per_cylinder", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_cylinders, + { "Cylinders", "netmon_system_config.cylinders", + FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_scsi_port, + { "SCSI port", "netmon_system_config.scsi_port", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_scsi_path, + { "SCSI path", "netmon_system_config.scsi_path", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_scsi_target, + { "SCSI target", "netmon_system_config.csi_target", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_scsi_lun, + { "SCSI lun", "netmon_system_config.scsi_lun", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_manufacturer, + { "Manufacturer", "netmon_system_config.manufacturer", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_partition_count, + { "Partition count", "netmon_system_config.partition_count", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_write_cache_enabled, + { "Write cache enabled", "netmon_system_config.write_cache_enabled", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_pad, + { "Pad", "netmon_system_config.pad", + FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_boot_drive_letter, + { "Boot drive letter", "netmon_system_config.boot_drive_letter", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_spare, + { "Spare", "netmon_system_config.spare", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_start_offset, + { "Start offset", "netmon_system_config.start_offset", + FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_partition_size, + { "Partition size", "netmon_system_config.partition_size", + FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_size, + { "Size", "netmon_system_config.size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_drive_type, + { "Drive type", "netmon_system_config.drive_type", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_drive_letter, + { "Drive letter", "netmon_system_config.drive_letter", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_partition_number, + { "Partition number", "netmon_system_config.partition_number", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_sectors_per_cluster, + { "Sectors per cluster", "netmon_system_config.sectors_per_cluster", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_num_free_clusters, + { "Number of free clusters", "netmon_system_config.num_free_clusters", + FT_INT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_total_num_clusters, + { "Total number of clusters", "netmon_system_config.total_num_clusters", + FT_INT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_file_system, + { "File system", "netmon_system_config.file_system", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_volume_ext, + { "Volume ext", "netmon_system_config.volume_ext", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_physical_addr, + { "Physical address", "netmon_system_config.physical_addr", + FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_physical_addr_len, + { "Physical address length", "netmon_system_config.physical_addr_len", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_ipv4_index, + { "IPv4 index", "netmon_system_config.ipv4_index", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_ipv6_index, + { "IPv6 index", "netmon_system_config.ipv6_index", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_nic_description, + { "File system", "netmon_system_config.file_system", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_ipaddresses, + { "IP addresses", "netmon_system_config.ipaddresses", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_dns_server_addresses, + { "DNS server addresses", "netmon_system_config.dns_server_addresses", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_memory_size, + { "Memory size", "netmon_system_config.memory_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_x_resolution, + { "X resolution", "netmon_system_config.x_resolution", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_y_resolution, + { "Y resolution", "netmon_system_config.y_resolution", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_bits_per_pixel, + { "Bits per pixel", "netmon_system_config.bits_per_pixel", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_vrefresh, + { "VRefresh", "netmon_system_config.vrefresh", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_chip_type, + { "Chip type", "netmon_system_config.chip_type", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_dac_type, + { "DAC type", "netmon_system_config.dac_type", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_adapter_string, + { "Adapter string", "netmon_system_config.adapter_string", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_bios_string, + { "BIOS string", "netmon_system_config.bios_string", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_device_id, + { "Device ID", "netmon_system_config.device_id", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_state_flags, + { "State flags", "netmon_system_config.state_flags", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_process_id, + { "Process ID", "netmon_system_config.process_id", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_service_state, + { "Service state", "netmon_system_config.service_state", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_sub_process_tag, + { "Subprocess tag", "netmon_system_config.sub_process_tag", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_service_name, + { "Service name", "netmon_system_config.service_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_display_name, + { "Display name", "netmon_system_config.display_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_process_name, + { "Process name", "netmon_system_config.process_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_s1, + { "S1", "netmon_system_config.s1", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_s2, + { "S2", "netmon_system_config.s2", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_s3, + { "S3", "netmon_system_config.s3", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_s4, + { "S4", "netmon_system_config.s4", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_s5, + { "S5", "netmon_system_config.s5", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_tcb_table_partitions, + { "Tcb table partitions", "netmon_system_config.tcb_table_partitions", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_max_hash_table_size, + { "Max hash table size", "netmon_system_config.max_hash_table_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_max_user_port, + { "Max user port", "netmon_system_config.max_user_port", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_tcp_timed_wait_delay, + { "TCP timed wait delay", "netmon_system_config.tcp_timed_wait_delay", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_irq_affinity, + { "IRQ affinity", "netmon_system_config.irq_affinity", + FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_irq_num, + { "IRQ", "netmon_system_config.irq_num", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_device_desc_len, + { "Device description length", "netmon_system_config.device_desc_len", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_device_desc, + { "Device description", "netmon_system_config.device_desc", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_friendly_name, + { "Friendly name", "netmon_system_config.friendly_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_device_id_len, + { "Device ID length", "netmon_system_config.device_id_len", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_friendly_name_len, + { "Friendly name length", "netmon_system_config.friendly_name_len", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_target_id, + { "Target ID", "netmon_system_config.target_id", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_device_type, + { "Device type", "netmon_system_config.device_type", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_device_timing_mode, + { "Device timing mode", "netmon_system_config.device_timing_mode", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_location_information_len, + { "Location information length", "netmon_system_config.location_information_len", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_location_information, + { "Location information", "netmon_system_config.location_information", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_system_manufacturer, + { "System manufacturer", "netmon_system_config.system_manufacturer", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_system_product_name, + { "System product name", "netmon_system_config.system_product_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_bios_date, + { "BIOS date", "netmon_system_config.bios_date", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_bios_version, + { "BIOS version", "netmon_system_config.bios_version", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_load_order_group, + { "Load order group", "netmon_system_config.load_order_group", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_svc_host_group, + { "svchost group", "netmon_system_config.svc_host_group", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_irq_group, + { "IRQ group", "netmon_system_config.irq_group", + FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_pdo_name, + { "PDO name", "netmon_system_config.pdo_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_nic_name, + { "NIC name", "netmon_system_config.nic_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_index, + { "Index", "netmon_system_config.index", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_physical_addr_str, + { "Physical address", "netmon_system_config.physical_addr_str", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_ip_address, + { "IP address", "netmon_system_config.ip_address", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_subnet_mask, + { "Subnet mask", "netmon_system_config.subnet_mask", + FT_IPv4, BASE_NETMASK, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_dhcp_server, + { "DHCP server", "netmon_system_config.dhcp_server", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_gateway, + { "Gateway", "netmon_system_config.gateway", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_primary_wins_server, + { "Primary WINS server", "netmon_system_config.primary_wins_server", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_secondary_wins_server, + { "Secondary WINS server", "netmon_system_config.secondary_wins_server", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_dns_server1, + { "DNS server1", "netmon_system_config.dns_server1", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_dns_server2, + { "DNS server2", "netmon_system_config.dns_server2", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_dns_server3, + { "DNS server3", "netmon_system_config.dns_server3", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_dns_server4, + { "DNS server4", "netmon_system_config.dns_server4", + FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_system_config_data, + { "Data", "netmon_system_config.data", + FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + }; + + static hf_register_info hf_process[] = { + { &hf_netmon_process_unique_process_key, + { "Unique process key", "netmon_process.unique_process_key", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_process_id, + { "Process ID", "netmon_process.process_id", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_parent_id, + { "Parent ID", "netmon_process.parent_id", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_session_id, + { "Session ID", "netmon_process.session_id", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_exit_status, + { "Exit status", "netmon_process.exit_status", + FT_INT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_directory_table_base, + { "Directory table base", "netmon_process.directory_table_base", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_unknown, + { "Unknown", "netmon_process.unknown", + FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_user_sid_revision, + { "User SID Revision", "netmon_process.user_sid.revision", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_user_sid_subauth_count, + { "User SID Subauth count", "netmon_process.user_sid.subauth_count", + FT_UINT8, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_user_sid_id, + { "User SID Identifier Authority", "netmon_process.user_sid.id", + FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_user_sid_authority, + { "User SID Authority", "netmon_process.user_sid.authority", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_image_file_name, + { "Image file name", "netmon_process.image_file_name", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_command_line, + { "Commandline", "netmon_process.command_line", + FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_page_directory_base, + { "Page directory base", "netmon_process.page_directory_base", + FT_UINT64, BASE_HEX, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_page_fault_count, + { "Page fault count", "netmon_process.page_fault_count", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_handle_count, + { "Handle count", "netmon_process.handle_count", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_reserved, + { "Reserved", "netmon_process.reserved", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_peak_virtual_size, + { "Peak virtual size", "netmon_process.peak_virtual_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_peak_working_set_size, + { "Peak working set size", "netmon_process.peak_working_set_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_peak_page_file_usage, + { "Peak page file usage", "netmon_process.peak_page_file_usage", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_quota_peak_paged_pool_usage, + { "Quota peak paged pool usage", "netmon_process.quota_peak_paged_pool_usage", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_quota_peak_non_paged_pool_usage, + { "Quota peak non-paged pool usage", "netmon_process.quota_peak_non_paged_pool_usage", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_virtual_size, + { "Virtual size", "netmon_process.virtual_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_workingset_size, + { "Working set size", "netmon_process.workingset_size", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_pagefile_usage, + { "Pagefile usage", "netmon_process.pagefile_usage", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_quota_paged_pool_usage, + { "Quota paged pool usage", "netmon_process.quota_paged_pool_usage", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_quota_non_paged_pool_usage, + { "Quota nonpaged pool usage", "netmon_process.quota_non_paged_pool_usage", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_private_page_count, + { "Private page count", "netmon_process.private_page_count", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + { &hf_netmon_process_directory_table_base32, + { "Directory table base", "netmon_process.directory_table_base32", + FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } + }, + }; + + static gint *ett[] = { + &ett_netmon_header, + &ett_netmon_event, + &ett_netmon_event_desc, + &ett_netmon_event_flags, + &ett_netmon_event_property, + &ett_netmon_event_extended_data, + &ett_netmon_filter, + &ett_netmon_network_info, + &ett_netmon_network_info_list, + &ett_netmon_network_info_adapter, + &ett_netmon_system_trace, + &ett_netmon_event_buffer_context, + &ett_netmon_process, + &ett_netmon_sid, + &ett_netmon_system_config, + }; + + static ei_register_info ei_process[] = { + { &ei_netmon_process_user_sid, { "netmon_process.process_user_sid.invalid", PI_MALFORMED, PI_WARN, "Invalid SID", EXPFILL }}, + }; + + expert_module_t *expert_process; + + proto_netmon_header = proto_register_protocol ("Network Monitor Header", "NetMon Header", "netmon_header" ); + proto_netmon_event = proto_register_protocol ("Network Monitor Event", "NetMon Event", "netmon_event" ); + proto_netmon_filter = proto_register_protocol ("Network Monitor Filter", "NetMon Filter", "netmon_filter" ); + proto_netmon_network_info = proto_register_protocol ("Network Monitor Network Info", "NetMon Network Info", "netmon_network_info" ); + proto_netmon_system_trace = proto_register_protocol ("Network Monitor System Trace", "NetMon System Trace", "netmon_system_trace" ); + proto_netmon_system_config = proto_register_protocol ("Network Monitor System Config", "NetMon System Config", "netmon_system_config" ); + proto_netmon_process = proto_register_protocol ("Network Monitor Process", "NetMon Process", "netmon_process" ); + + provider_id_table = register_dissector_table("netmon.provider_id", "NetMon Provider IDs", proto_netmon_event, FT_GUID, BASE_HEX); + + proto_register_field_array(proto_netmon_header, hf_header, array_length(hf_header)); + proto_register_field_array(proto_netmon_event, hf_event, array_length(hf_event)); + proto_register_field_array(proto_netmon_filter, hf_filter, array_length(hf_filter)); + proto_register_field_array(proto_netmon_network_info, hf_network_info, array_length(hf_network_info)); + proto_register_field_array(proto_netmon_system_trace, hf_system_trace, array_length(hf_system_trace)); + proto_register_field_array(proto_netmon_system_config, hf_system_config, array_length(hf_system_config)); + proto_register_field_array(proto_netmon_process, hf_process, array_length(hf_process)); + proto_register_subtree_array(ett, array_length(ett)); + + expert_process = expert_register_protocol(proto_netmon_process); + expert_register_field_array(expert_process, ei_process, array_length(ei_process)); +} + +void proto_reg_handoff_netmon(void) +{ + dissector_handle_t netmon_event_handle, netmon_filter_handle, + netmon_network_info_handle, netmon_header_handle, + system_trace_handle, system_config_handle, process_handle; + + static guid_key system_trace_guid = {{ 0x68fdd900, 0x4a3e, 0x11d1, { 0x84, 0xf4, 0x00, 0x00, 0xf8, 0x04, 0x64, 0xe3 }}, 0 }; + static guid_key system_config_guid = {{ 0x01853a65, 0x418f, 0x4f36, { 0xae, 0xfc, 0xdc, 0x0f, 0x1d, 0x2f, 0xd2, 0x35 }}, 0 }; + static guid_key process_guid = {{ 0x3d6fa8d0, 0xfe05, 0x11d0, { 0x9d, 0xda, 0x00, 0xc0, 0x4f, 0xd7, 0xba, 0x7c }}, 0 }; + + netmon_event_handle = create_dissector_handle(dissect_netmon_event, proto_netmon_event); + netmon_filter_handle = create_dissector_handle(dissect_netmon_filter, proto_netmon_filter); + netmon_network_info_handle = create_dissector_handle(dissect_netmon_network_info, proto_netmon_network_info); + netmon_header_handle = create_dissector_handle(dissect_netmon_header, proto_netmon_header); + system_trace_handle = create_dissector_handle(dissect_netmon_system_trace, proto_netmon_system_trace); + system_config_handle = create_dissector_handle(dissect_netmon_system_config, proto_netmon_system_config); + process_handle = create_dissector_handle(dissect_netmon_process, proto_netmon_process); + + dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_NET_NETEVENT, netmon_event_handle); + dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_NET_FILTER, netmon_filter_handle); + dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_NETWORK_INFO_EX, netmon_network_info_handle); + dissector_add_uint("wtap_encap", WTAP_ENCAP_NETMON_HEADER, netmon_header_handle); + + dissector_add_guid( "netmon.provider_id", &system_trace_guid, system_trace_handle); + dissector_add_guid( "netmon.provider_id", &system_config_guid, system_config_handle); + dissector_add_guid( "netmon.provider_id", &process_guid, process_handle); + + wtap_encap_table = find_dissector_table("wtap_encap"); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 8 + * tab-width: 8 + * indent-tabs-mode: t + * End: + * + * vi: set shiftwidth=8 tabstop=8 noexpandtab: + * :indentSize=8:tabSize=8:noTabs=false: + */ |