Diffstat (limited to 'epan/dissectors/packet-sysdig-event.c')
-rw-r--r-- | epan/dissectors/packet-sysdig-event.c | 736 |
1 files changed, 420 insertions, 316 deletions
diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c
index c0fdc7e3..a95bf0c1 100644
--- a/epan/dissectors/packet-sysdig-event.c
+++ b/epan/dissectors/packet-sysdig-event.c
@@ -33,17 +33,17 @@
 #include <config.h>
+#include <epan/exceptions.h>
 #include <epan/packet.h>
 #include <epan/strutil.h>
+#include <packet-sysdig-event.h>
+
 #include <wiretap/wtap.h>
+#include <wiretap/pcapng_module.h>
 /* #include <epan/expert.h> */
 /* #include <epan/prefs.h> */
-#define BLOCK_TYPE_SYSDIG_EVENT 0x00000204
-#define BLOCK_TYPE_SYSDIG_EVENT_V2 0x00000216
-#define BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE 0x00000221
-
 #define SYSDIG_PARAM_SIZE 2
 #define SYSDIG_PARAM_SIZE_V2 2
 #define SYSDIG_PARAM_SIZE_V2_LARGE 4
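Review bot: The new `#include <packet-sysdig-event.h>` uses angle brackets for what appears to be the dissector's own header in epan/dissectors; sibling headers are conventionally included as `#include "packet-sysdig-event.h"`, which searches the including file's directory first instead of relying on the build's -I paths. The three BLOCK_TYPE_SYSDIG_EVENT* macros removed here are presumably now provided by the added `<wiretap/pcapng_module.h>`; every remaining use of those names lives outside this hunk, so that should be confirmed against the rest of the file. A short comment on the pcapng_module.h include, such as `/* BLOCK_TYPE_SYSDIG_EVENT* block-type constants come from here */`, would record why the local definitions went away.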
@@ -55,249 +55,253 @@ void proto_register_sysdig_event(void);
 static dissector_handle_t sysdig_event_handle;
 /* Initialize the protocol and registered fields */
-static int proto_sysdig_event = -1;
+static int proto_sysdig_event;
 /* Add byte order? */
-static int hf_se_cpu_id = -1;
-static int hf_se_thread_id = -1;
-static int hf_se_event_length = -1;
-static int hf_se_nparams = -1;
-static int hf_se_event_type = -1;
-static int hf_se_event_name = -1;
+static int hf_se_cpu_id;
+static int hf_se_thread_id;
+static int hf_se_event_length;
+static int hf_se_nparams;
+static int hf_se_event_type;
+static int hf_se_event_name;
-static int hf_se_param_lens = -1;
-static int hf_se_param_len = -1;
+static int hf_se_param_lens;
+static int hf_se_param_len;
 /* Name+type */
 /* Header fields. Automatically generated by tools/generate-sysdig-event.py */
-static int hf_param_ID_uint16 = -1;
-static int hf_param_action_uint32 = -1;
-static int hf_param_addr_bytes = -1;
-static int hf_param_addr_uint64 = -1;
-static int hf_param_arg2_int_int64 = -1;
-static int hf_param_arg2_str_string = -1;
-static int hf_param_arg_uint64 = -1;
-static int hf_param_args_string = -1;
-static int hf_param_argument_uint64 = -1;
-static int hf_param_aux_int32 = -1;
-static int hf_param_backlog_int32 = -1;
-static int hf_param_cap_effective_uint64 = -1;
-static int hf_param_cap_inheritable_uint64 = -1;
-static int hf_param_cap_permitted_uint64 = -1;
-static int hf_param_cgroups_bytes = -1;
-static int hf_param_clockid_uint8 = -1;
-static int hf_param_cmd_bytes = -1;
-static int hf_param_cmd_int16 = -1;
-static int hf_param_cmd_int64 = -1;
-static int hf_param_comm_string = -1;
-static int hf_param_container_id_string = -1;
-static int hf_param_core_uint8 = -1;
-static int hf_param_cpu_sys_uint64 = -1;
-static int hf_param_cpu_uint32 = -1;
-static int hf_param_cpu_usr_uint64 = -1;
-static int hf_param_cq_entries_uint32 = -1;
-static int hf_param_cur_int64 = -1;
-static int hf_param_cwd_string = -1;
-static int hf_param_data_bytes = -1;
-static int hf_param_desc_string = -1;
-static int hf_param_description_string = -1;
-static int hf_param_dev_string = -1;
-static int hf_param_dev_uint32 = -1;
-static int hf_param_dir_string = -1;
-static int hf_param_dirfd_int64 = -1;
-static int hf_param_domain_bytes = -1;
-static int hf_param_dpid_int64 = -1;
-static int hf_param_dqb_bhardlimit_uint64 = -1;
-static int hf_param_dqb_bsoftlimit_uint64 = -1;
-static int hf_param_dqb_btime_bytes = -1;
-static int hf_param_dqb_curspace_uint64 = -1;
-static int hf_param_dqb_ihardlimit_uint64 = -1;
-static int hf_param_dqb_isoftlimit_uint64 = -1;
-static int hf_param_dqb_itime_bytes = -1;
-static int hf_param_dqi_bgrace_bytes = -1;
-static int hf_param_dqi_flags_int8 = -1;
-static int hf_param_dqi_igrace_bytes = -1;
-static int hf_param_egid_int32 = -1;
-static int hf_param_entries_uint32 = -1;
-static int hf_param_env_string = -1;
-static int hf_param_error_int32 = -1;
-static int hf_param_euid_int32 = -1;
-static int hf_param_event_data_bytes = -1;
-static int hf_param_event_data_uint64 = -1;
-static int hf_param_event_type_uint32 = -1;
-static int hf_param_exe_ino_ctime_bytes = -1;
-static int hf_param_exe_ino_mtime_bytes = -1;
-static int hf_param_exe_ino_uint64 = -1;
-static int hf_param_exe_string = -1;
-static int hf_param_fd1_int64 = -1;
-static int hf_param_fd2_int64 = -1;
-static int hf_param_fd_in_int64 = -1;
-static int hf_param_fd_int64 = -1;
-static int hf_param_fd_out_int64 = -1;
-static int hf_param_fdin_int64 = -1;
-static int hf_param_fdlimit_int64 = -1;
-static int hf_param_fdlimit_uint64 = -1;
-static int hf_param_fdout_int64 = -1;
-static int hf_param_fds_bytes = -1;
-static int hf_param_features_int32 = -1;
-static int hf_param_filename_string = -1;
-static int hf_param_flags_int16 = -1;
-static int hf_param_flags_int32 = -1;
-static int hf_param_flags_int8 = -1;
-static int hf_param_flags_uint32 = -1;
-static int hf_param_gid_int32 = -1;
-static int hf_param_gid_uint32 = -1;
-static int hf_param_home_string = -1;
-static int hf_param_how_bytes = -1;
-static int hf_param_id_int64 = -1;
-static int hf_param_id_string = -1;
-static int hf_param_id_uint32 = -1;
-static int hf_param_image_string = -1;
-static int hf_param_img_bytes = -1;
-static int hf_param_in_fd_int64 = -1;
-static int hf_param_initval_uint64 = -1;
-static int hf_param_ino_uint64 = -1;
-static int hf_param_interval_bytes = -1;
-static int hf_param_ip_uint64 = -1;
-static int hf_param_json_string = -1;
-static int hf_param_key_int32 = -1;
-static int hf_param_key_string = -1;
-static int hf_param_len_uint64 = -1;
-static int hf_param_length_uint64 = -1;
-static int hf_param_level_bytes = -1;
-static int hf_param_linkdirfd_int64 = -1;
-static int hf_param_linkpath_string = -1;
-static int hf_param_loginuid_int32 = -1;
-static int hf_param_mask_uint32 = -1;
-static int hf_param_max_int64 = -1;
-static int hf_param_maxevents_int64 = -1;
-static int hf_param_min_complete_uint32 = -1;
-static int hf_param_mode_int32 = -1;
-static int hf_param_mode_uint32 = -1;
-static int hf_param_mountfd_int64 = -1;
-static int hf_param_name_string = -1;
-static int hf_param_nativeID_uint16 = -1;
-static int hf_param_newcur_int64 = -1;
-static int hf_param_newdir_int64 = -1;
-static int hf_param_newdirfd_int64 = -1;
-static int hf_param_newfd_int64 = -1;
-static int hf_param_newmax_int64 = -1;
-static int hf_param_newpath_string = -1;
-static int hf_param_next_int64 = -1;
-static int hf_param_nr_args_uint32 = -1;
-static int hf_param_nsems_int32 = -1;
-static int hf_param_nsops_uint32 = -1;
-static int hf_param_nstype_int32 = -1;
-static int hf_param_offin_uint64 = -1;
-static int hf_param_offout_uint64 = -1;
-static int hf_param_offset_uint64 = -1;
-static int hf_param_oldcur_int64 = -1;
-static int hf_param_olddir_int64 = -1;
-static int hf_param_olddirfd_int64 = -1;
-static int hf_param_oldfd_int64 = -1;
-static int hf_param_oldmax_int64 = -1;
-static int hf_param_oldpath_string = -1;
-static int hf_param_op_bytes = -1;
-static int hf_param_op_uint64 = -1;
-static int hf_param_opcode_bytes = -1;
-static int hf_param_operation_int32 = -1;
-static int hf_param_option_bytes = -1;
-static int hf_param_optlen_uint32 = -1;
-static int hf_param_optname_bytes = -1;
-static int hf_param_out_fd_int64 = -1;
-static int hf_param_path_string = -1;
-static int hf_param_pathname_string = -1;
-static int hf_param_peer_uint64 = -1;
-static int hf_param_pgft_maj_uint64 = -1;
-static int hf_param_pgft_min_uint64 = -1;
-static int hf_param_pgid_int64 = -1;
-static int hf_param_pgoffset_uint64 = -1;
-static int hf_param_pid_fd_int64 = -1;
-static int hf_param_pid_int64 = -1;
-static int hf_param_pidns_init_start_ts_uint64 = -1;
-static int hf_param_plugin_id_uint32 = -1;
-static int hf_param_pos_uint64 = -1;
-static int hf_param_prot_int32 = -1;
-static int hf_param_proto_uint32 = -1;
-static int hf_param_ptid_int64 = -1;
-static int hf_param_queuelen_uint32 = -1;
-static int hf_param_queuemax_uint32 = -1;
-static int hf_param_queuepct_uint8 = -1;
-static int hf_param_quota_fmt_int8 = -1;
-static int hf_param_quota_fmt_out_int8 = -1;
-static int hf_param_quotafilepath_string = -1;
-static int hf_param_ratio_uint32 = -1;
-static int hf_param_reaper_tid_int64 = -1;
-static int hf_param_request_bytes = -1;
-static int hf_param_request_uint64 = -1;
-static int hf_param_res_int64 = -1;
-static int hf_param_res_or_fd_bytes = -1;
-static int hf_param_res_uint64 = -1;
-static int hf_param_resolve_int32 = -1;
-static int hf_param_resource_bytes = -1;
-static int hf_param_ret_int64 = -1;
-static int hf_param_rgid_int32 = -1;
-static int hf_param_ruid_int32 = -1;
-static int hf_param_scope_string = -1;
-static int hf_param_sem_flg_0_int16 = -1;
-static int hf_param_sem_flg_1_int16 = -1;
-static int hf_param_sem_num_0_uint16 = -1;
-static int hf_param_sem_num_1_uint16 = -1;
-static int hf_param_sem_op_0_int16 = -1;
-static int hf_param_sem_op_1_int16 = -1;
-static int hf_param_semflg_int32 = -1;
-static int hf_param_semid_int32 = -1;
-static int hf_param_semnum_int32 = -1;
-static int hf_param_sgid_int32 = -1;
-static int hf_param_shell_string = -1;
-static int hf_param_sig_bytes = -1;
-static int hf_param_sigmask_bytes = -1;
-static int hf_param_size_int32 = -1;
-static int hf_param_size_uint32 = -1;
-static int hf_param_size_uint64 = -1;
-static int hf_param_source_string = -1;
-static int hf_param_source_uint64 = -1;
-static int hf_param_special_string = -1;
-static int hf_param_spid_int64 = -1;
-static int hf_param_sq_entries_uint32 = -1;
-static int hf_param_sq_thread_cpu_uint32 = -1;
-static int hf_param_sq_thread_idle_uint32 = -1;
-static int hf_param_status_int64 = -1;
-static int hf_param_suid_int32 = -1;
-static int hf_param_tags_bytes = -1;
-static int hf_param_target_fd_int64 = -1;
-static int hf_param_target_string = -1;
-static int hf_param_tid_int64 = -1;
-static int hf_param_timeout_bytes = -1;
-static int hf_param_timeout_int64 = -1;
-static int hf_param_to_submit_uint32 = -1;
-static int hf_param_tty_int32 = -1;
-static int hf_param_tty_uint32 = -1;
-static int hf_param_tuple_bytes = -1;
-static int hf_param_type_int8 = -1;
-static int hf_param_type_string = -1;
-static int hf_param_type_uint32 = -1;
-static int hf_param_uargs_string = -1;
-static int hf_param_uid_int32 = -1;
-static int hf_param_uid_uint32 = -1;
-static int hf_param_val_bytes = -1;
-static int hf_param_val_int32 = -1;
-static int hf_param_val_uint64 = -1;
-static int hf_param_value_bytebuf_bytes = -1;
-static int hf_param_value_charbuf_string = -1;
-static int hf_param_vm_rss_uint32 = -1;
-static int hf_param_vm_size_uint32 = -1;
-static int hf_param_vm_swap_uint32 = -1;
-static int hf_param_vpid_int64 = -1;
-static int hf_param_vtid_int64 = -1;
-static int hf_param_whence_bytes = -1;
+static int hf_param_ID_uint16;
+static int hf_param_action_uint32;
+static int hf_param_addr_bytes;
+static int hf_param_addr_uint64;
+static int hf_param_arg2_int_int64;
+static int hf_param_arg2_str_string;
+static int hf_param_arg_uint64;
+static int hf_param_args_string;
+static int hf_param_argument_uint64;
+static int hf_param_aux_int32;
+static int hf_param_backlog_int32;
+static int hf_param_cap_effective_uint64;
+static int hf_param_cap_inheritable_uint64;
+static int hf_param_cap_permitted_uint64;
+static int hf_param_cgroups_bytes;
+static int hf_param_clockid_uint8;
+static int hf_param_cmd_bytes;
+static int hf_param_cmd_int16;
+static int hf_param_cmd_int64;
+static int hf_param_comm_string;
+static int hf_param_container_id_string;
+static int hf_param_core_uint8;
+static int hf_param_cpu_sys_uint64;
+static int hf_param_cpu_uint32;
+static int hf_param_cpu_usr_uint64;
+static int hf_param_cq_entries_uint32;
+static int hf_param_cur_int64;
+static int hf_param_cwd_string;
+static int hf_param_data_bytes;
+static int hf_param_desc_string;
+static int hf_param_description_string;
+static int hf_param_dev_string;
+static int hf_param_dev_uint32;
+static int hf_param_dir_string;
+static int hf_param_dirfd_int64;
+static int hf_param_domain_bytes;
+static int hf_param_dpid_int64;
+static int hf_param_dqb_bhardlimit_uint64;
+static int hf_param_dqb_bsoftlimit_uint64;
+static int hf_param_dqb_btime_bytes;
+static int hf_param_dqb_curspace_uint64;
+static int hf_param_dqb_ihardlimit_uint64;
+static int hf_param_dqb_isoftlimit_uint64;
+static int hf_param_dqb_itime_bytes;
+static int hf_param_dqi_bgrace_bytes;
+static int hf_param_dqi_flags_int8;
+static int hf_param_dqi_igrace_bytes;
+static int hf_param_egid_int32;
+static int hf_param_entries_uint32;
+static int hf_param_env_string;
+static int hf_param_error_int32;
+static int hf_param_euid_int32;
+static int hf_param_event_data_bytes;
+static int hf_param_event_data_uint64;
+static int hf_param_event_type_uint32;
+static int hf_param_exe_ino_ctime_bytes;
+static int hf_param_exe_ino_mtime_bytes;
+static int hf_param_exe_ino_uint64;
+static int hf_param_exe_string;
+static int hf_param_fd1_int64;
+static int hf_param_fd2_int64;
+static int hf_param_fd_in_int64;
+static int hf_param_fd_int64;
+static int hf_param_fd_out_int64;
+static int hf_param_fdin_int64;
+static int hf_param_fdlimit_int64;
+static int hf_param_fdlimit_uint64;
+static int hf_param_fdout_int64;
+static int hf_param_fds_bytes;
+static int hf_param_features_int32;
+static int hf_param_filename_string;
+static int hf_param_flags_int16;
+static int hf_param_flags_int32;
+static int hf_param_flags_uint32;
+static int hf_param_flags_uint64;
+static int hf_param_flags_uint8;
+static int hf_param_gid_int32;
+static int hf_param_gid_uint32;
+static int hf_param_home_string;
+static int hf_param_how_bytes;
+static int hf_param_id_int64;
+static int hf_param_id_string;
+static int hf_param_id_uint32;
+static int hf_param_image_string;
+static int hf_param_img_bytes;
+static int hf_param_in_fd_int64;
+static int hf_param_initval_uint64;
+static int hf_param_ino_uint64;
+static int hf_param_interval_bytes;
+static int hf_param_ip_uint64;
+static int hf_param_json_string;
+static int hf_param_key_int32;
+static int hf_param_key_string;
+static int hf_param_len_uint64;
+static int hf_param_length_uint64;
+static int hf_param_level_bytes;
+static int hf_param_linkdirfd_int64;
+static int hf_param_linkpath_string;
+static int hf_param_loginuid_int32;
+static int hf_param_mask_uint32;
+static int hf_param_max_int64;
+static int hf_param_maxevents_int64;
+static int hf_param_min_complete_uint32;
+static int hf_param_mode_int32;
+static int hf_param_mode_uint32;
+static int hf_param_mountfd_int64;
+static int hf_param_msgcontrol_bytes;
+static int hf_param_name_string;
+static int hf_param_nativeID_uint16;
+static int hf_param_newcur_int64;
+static int hf_param_newdir_int64;
+static int hf_param_newdirfd_int64;
+static int hf_param_newfd_int64;
+static int hf_param_newmax_int64;
+static int hf_param_newpath_string;
+static int hf_param_next_int64;
+static int hf_param_nr_args_uint32;
+static int hf_param_nsems_int32;
+static int hf_param_nsops_uint32;
+static int hf_param_nstype_int32;
+static int hf_param_offin_uint64;
+static int hf_param_offout_uint64;
+static int hf_param_offset_uint64;
+static int hf_param_oldcur_int64;
+static int hf_param_olddir_int64;
+static int hf_param_olddirfd_int64;
+static int hf_param_oldfd_int64;
+static int hf_param_oldmax_int64;
+static int hf_param_oldpath_string;
+static int hf_param_op_bytes;
+static int hf_param_op_uint64;
+static int hf_param_opcode_bytes;
+static int hf_param_operation_int32;
+static int hf_param_option_bytes;
+static int hf_param_optlen_uint32;
+static int hf_param_optname_bytes;
+static int hf_param_out_fd_int64;
+static int hf_param_path_string;
+static int hf_param_pathname_string;
+static int hf_param_peer_uint64;
+static int hf_param_pgft_maj_uint64;
+static int hf_param_pgft_min_uint64;
+static int hf_param_pgid_int64;
+static int hf_param_pgoffset_uint64;
+static int hf_param_pid_fd_int64;
+static int hf_param_pid_int64;
+static int hf_param_pidns_init_start_ts_uint64;
+static int hf_param_plugin_id_uint32;
+static int hf_param_pos_uint64;
+static int hf_param_prot_int32;
+static int hf_param_proto_uint32;
+static int hf_param_ptid_int64;
+static int hf_param_queuelen_uint32;
+static int hf_param_queuemax_uint32;
+static int hf_param_queuepct_uint8;
+static int hf_param_quota_fmt_int8;
+static int hf_param_quota_fmt_out_int8;
+static int hf_param_quotafilepath_string;
+static int hf_param_ratio_uint32;
+static int hf_param_reaper_tid_int64;
+static int hf_param_request_bytes;
+static int hf_param_request_uint64;
+static int hf_param_res_int64;
+static int hf_param_res_or_fd_bytes;
+static int hf_param_res_uint64;
+static int hf_param_resolve_int32;
+static int hf_param_resource_bytes;
+static int hf_param_ret_int64;
+static int hf_param_rgid_int32;
+static int hf_param_ruid_int32;
+static int hf_param_scope_string;
+static int hf_param_sem_flg_0_int16;
+static int hf_param_sem_flg_1_int16;
+static int hf_param_sem_num_0_uint16;
+static int hf_param_sem_num_1_uint16;
+static int hf_param_sem_op_0_int16;
+static int hf_param_sem_op_1_int16;
+static int hf_param_semflg_int32;
+static int hf_param_semid_int32;
+static int hf_param_semnum_int32;
+static int hf_param_sgid_int32;
+static int hf_param_shell_string;
+static int hf_param_sig_bytes;
+static int hf_param_sigmask_bytes;
+static int hf_param_size_int32;
+static int hf_param_size_uint32;
+static int hf_param_size_uint64;
+static int hf_param_source_string;
+static int hf_param_source_uint64;
+static int hf_param_special_string;
+static int hf_param_spid_int64;
+static int hf_param_sq_entries_uint32;
+static int hf_param_sq_thread_cpu_uint32;
+static int hf_param_sq_thread_idle_uint32;
+static int hf_param_status_int64;
+static int hf_param_suid_int32;
+static int hf_param_tags_bytes;
+static int hf_param_target_fd_int64;
+static int hf_param_target_string;
+static int hf_param_tid_int64;
+static int hf_param_timeout_bytes;
+static int hf_param_timeout_int64;
+static int hf_param_to_submit_uint32;
+static int hf_param_trusted_exepath_string;
+static int hf_param_tty_int32;
+static int hf_param_tty_uint32;
+static int hf_param_tuple_bytes;
+static int hf_param_type_int8;
+static int hf_param_type_string;
+static int hf_param_type_uint32;
+static int hf_param_uargs_string;
+static int hf_param_uid_int32;
+static int hf_param_uid_uint32;
+static int hf_param_val_bytes;
+static int hf_param_val_int32;
+static int hf_param_val_uint64;
+static int hf_param_value_bytebuf_bytes;
+static int hf_param_value_charbuf_string;
+static int hf_param_vm_rss_uint32;
+static int hf_param_vm_size_uint32;
+static int hf_param_vm_swap_uint32;
+static int hf_param_vpid_int64;
+static int hf_param_vtid_int64;
+static int hf_param_whence_bytes;
 /* Initialize the subtree pointers */
-static gint ett_sysdig_event = -1;
-static gint ett_sysdig_parm_lens = -1;
-static gint ett_sysdig_syscall = -1;
+static int ett_sysdig_event;
+static int ett_sysdig_parm_lens;
+static int ett_sysdig_syscall;
 /* Initialize the pointer to the child plugin dissector */
-static dissector_handle_t plugin_dissector_handle = NULL;
+static dissector_handle_t sinsp_dissector_handle;
+static dissector_handle_t elf_dissector_handle;
 #define SYSDIG_EVENT_MIN_LENGTH 8 /* XXX Fix */
@@ -324,6 +328,7 @@ static dissector_handle_t plugin_dissector_handle = NULL;
 #define EVT_STR_COPY_FILE_RANGE "copy_file_range"
 #define EVT_STR_CPU_HOTPLUG "cpu_hotplug"
 #define EVT_STR_CREAT "creat"
+#define EVT_STR_DELETE_MODULE "delete_module"
 #define EVT_STR_DROP "drop"
 #define EVT_STR_DUP "dup"
 #define EVT_STR_DUP2 "dup2"
@@ -398,6 +403,7 @@ static dissector_handle_t plugin_dissector_handle = NULL;
 #define EVT_STR_MUNLOCKALL "munlockall"
 #define EVT_STR_MUNMAP "munmap"
 #define EVT_STR_NANOSLEEP "nanosleep"
+#define EVT_STR_NEWFSTATAT "newfstatat"
 #define EVT_STR_NOTIFICATION "notification"
 #define EVT_STR_OPEN "open"
 #define EVT_STR_OPEN_BY_HANDLE_AT "open_by_handle_at"
@@ -415,6 +421,8 @@ static dissector_handle_t plugin_dissector_handle = NULL;
 #define EVT_STR_PREAD "pread"
 #define EVT_STR_PREADV "preadv"
 #define EVT_STR_PRLIMIT "prlimit"
+#define EVT_STR_PROCESS_VM_READV "process_vm_readv"
+#define EVT_STR_PROCESS_VM_WRITEV "process_vm_writev"
 #define EVT_STR_PROCEXIT "procexit"
 #define EVT_STR_PROCINFO "procinfo"
 #define EVT_STR_PTRACE "ptrace"
@@ -445,8 +453,10 @@ static dissector_handle_t plugin_dissector_handle = NULL;
 #define EVT_STR_SETGID "setgid"
 #define EVT_STR_SETNS "setns"
 #define EVT_STR_SETPGID "setpgid"
+#define EVT_STR_SETREGID "setregid"
 #define EVT_STR_SETRESGID "setresgid"
 #define EVT_STR_SETRESUID "setresuid"
+#define EVT_STR_SETREUID "setreuid"
 #define EVT_STR_SETRLIMIT "setrlimit"
 #define EVT_STR_SETSID "setsid"
 #define EVT_STR_SETSOCKOPT "setsockopt"
@@ -900,6 +910,18 @@ static dissector_handle_t plugin_dissector_handle = NULL;
 #define EVT_SYSCALL_MKNOD_X 415
 #define EVT_SYSCALL_MKNODAT_E 416
 #define EVT_SYSCALL_MKNODAT_X 417
+#define EVT_SYSCALL_NEWFSTATAT_E 418
+#define EVT_SYSCALL_NEWFSTATAT_X 419
+#define EVT_SYSCALL_PROCESS_VM_READV_E 420
+#define EVT_SYSCALL_PROCESS_VM_READV_X 421
+#define EVT_SYSCALL_PROCESS_VM_WRITEV_E 422
+#define EVT_SYSCALL_PROCESS_VM_WRITEV_X 423
+#define EVT_SYSCALL_DELETE_MODULE_E 424
+#define EVT_SYSCALL_DELETE_MODULE_X 425
+#define EVT_SYSCALL_SETREUID_E 426
+#define EVT_SYSCALL_SETREUID_X 427
+#define EVT_SYSCALL_SETREGID_E 428
+#define EVT_SYSCALL_SETREGID_X 429
 static const value_string event_type_vals[] = {
 /* Value strings. Automatically generated by tools/generate-sysdig-event.py */
@@ -1321,6 +1343,18 @@ static const value_string event_type_vals[] = {
 { EVT_SYSCALL_MKNOD_X, EVT_STR_MKNOD },
 { EVT_SYSCALL_MKNODAT_E, EVT_STR_MKNODAT },
 { EVT_SYSCALL_MKNODAT_X, EVT_STR_MKNODAT },
+ { EVT_SYSCALL_NEWFSTATAT_E, EVT_STR_NEWFSTATAT },
+ { EVT_SYSCALL_NEWFSTATAT_X, EVT_STR_NEWFSTATAT },
+ { EVT_SYSCALL_PROCESS_VM_READV_E, EVT_STR_PROCESS_VM_READV },
+ { EVT_SYSCALL_PROCESS_VM_READV_X, EVT_STR_PROCESS_VM_READV },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_E, EVT_STR_PROCESS_VM_WRITEV },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_X, EVT_STR_PROCESS_VM_WRITEV },
+ { EVT_SYSCALL_DELETE_MODULE_E, EVT_STR_DELETE_MODULE },
+ { EVT_SYSCALL_DELETE_MODULE_X, EVT_STR_DELETE_MODULE },
+ { EVT_SYSCALL_SETREUID_E, EVT_STR_SETREUID },
+ { EVT_SYSCALL_SETREUID_X, EVT_STR_SETREUID },
+ { EVT_SYSCALL_SETREGID_E, EVT_STR_SETREGID },
+ { EVT_SYSCALL_SETREGID_X, EVT_STR_SETREGID },
 {0, NULL }
 };
@@ -1363,7 +1397,7 @@ static const struct _event_col_info_param execve_15_x_params[] = {
 };
 struct _event_col_info {
- const guint event_type;
+ const unsigned event_type;
 const int num_len_fields;
 const struct _event_col_info_param *params;
 };
@@ -1379,7 +1413,7 @@ static const struct _event_col_info event_col_info[] = {
 };
 struct _event_tree_info {
- const guint event_type;
+ const unsigned event_type;
 /* int num_params; */
 int * const *hf_indexes;
 };
@@ -1440,7 +1474,7 @@ static int * const socket_setsockopt_x_indexes[] = { &hf_param_res_int64, &hf_pa
 #define socket_sendmmsg_e_indexes no_indexes
 #define socket_sendmmsg_x_indexes no_indexes
 #define socket_recvmsg_e_indexes syscall_close_e_indexes
-static int * const socket_recvmsg_x_indexes[] = { &hf_param_res_int64, &hf_param_size_uint32, &hf_param_data_bytes, &hf_param_tuple_bytes, NULL };
+static int * const socket_recvmsg_x_indexes[] = { &hf_param_res_int64, &hf_param_size_uint32, &hf_param_data_bytes, &hf_param_tuple_bytes, &hf_param_msgcontrol_bytes, NULL };
 #define socket_recvmmsg_e_indexes no_indexes
 #define socket_recvmmsg_x_indexes no_indexes
 static int * const socket_accept4_e_indexes[] = { &hf_param_flags_uint32, NULL };
@@ -1449,7 +1483,7 @@ static int * const syscall_creat_e_indexes[] = { &hf_param_name_string, &hf_para
 static int * const syscall_creat_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_mode_uint32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
 #define syscall_pipe_e_indexes no_indexes
 static int * const syscall_pipe_x_indexes[] = { &hf_param_res_int64, &hf_param_fd1_int64, &hf_param_fd2_int64, &hf_param_ino_uint64, NULL };
-static int * const syscall_eventfd_e_indexes[] = { &hf_param_initval_uint64, &hf_param_flags_int32, NULL };
+static int * const syscall_eventfd_e_indexes[] = { &hf_param_initval_uint64, &hf_param_flags_uint32, NULL };
 #define syscall_eventfd_x_indexes syscall_close_x_indexes
 static int * const syscall_futex_e_indexes[] = { &hf_param_addr_uint64, &hf_param_op_bytes, &hf_param_val_uint64, NULL };
 #define syscall_futex_x_indexes syscall_close_x_indexes
@@ -1513,7 +1547,7 @@ static int * const syscall_preadv_e_indexes[] = { &hf_param_fd_int64, &hf_param_
 #define syscall_pwritev_x_indexes syscall_read_x_indexes
 #define syscall_dup_e_indexes syscall_close_e_indexes
 #define syscall_dup_x_indexes syscall_close_x_indexes
-static int * const syscall_signalfd_e_indexes[] = { &hf_param_fd_int64, &hf_param_mask_uint32, &hf_param_flags_int8, NULL };
+static int * const syscall_signalfd_e_indexes[] = { &hf_param_fd_int64, &hf_param_mask_uint32, &hf_param_flags_uint8, NULL };
 #define syscall_signalfd_x_indexes syscall_close_x_indexes
 static int * const syscall_kill_e_indexes[] = { &hf_param_pid_int64, &hf_param_sig_bytes, NULL };
 #define syscall_kill_x_indexes syscall_close_x_indexes
@@ -1523,22 +1557,22 @@ static int * const syscall_tgkill_e_indexes[] = { &hf_param_pid_int64, &hf_param
 #define syscall_tgkill_x_indexes syscall_close_x_indexes
 static int * const syscall_nanosleep_e_indexes[] = { &hf_param_interval_bytes, NULL };
 #define syscall_nanosleep_x_indexes syscall_close_x_indexes
-static int * const syscall_timerfd_create_e_indexes[] = { &hf_param_clockid_uint8, &hf_param_flags_int8, NULL };
+static int * const syscall_timerfd_create_e_indexes[] = { &hf_param_clockid_uint8, &hf_param_flags_uint8, NULL };
 #define syscall_timerfd_create_x_indexes syscall_close_x_indexes
-static int * const syscall_inotify_init_e_indexes[] = { &hf_param_flags_int8, NULL };
+static int * const syscall_inotify_init_e_indexes[] = { &hf_param_flags_uint8, NULL };
 #define syscall_inotify_init_x_indexes syscall_close_x_indexes
 static int * const syscall_getrlimit_e_indexes[] = { &hf_param_resource_bytes, NULL };
 static int * const syscall_getrlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_cur_int64, &hf_param_max_int64, NULL };
 #define syscall_setrlimit_e_indexes syscall_getrlimit_e_indexes
-#define syscall_setrlimit_x_indexes syscall_getrlimit_x_indexes
+static int * const syscall_setrlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_cur_int64, &hf_param_max_int64, &hf_param_resource_bytes, NULL };
 static int * const syscall_prlimit_e_indexes[] = { &hf_param_pid_int64, &hf_param_resource_bytes, NULL };
-static int * const syscall_prlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_newcur_int64, &hf_param_newmax_int64, &hf_param_oldcur_int64, &hf_param_oldmax_int64, NULL };
+static int * const syscall_prlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_newcur_int64, &hf_param_newmax_int64, &hf_param_oldcur_int64, &hf_param_oldmax_int64, &hf_param_pid_int64, &hf_param_resource_bytes, NULL };
 static int * const schedswitch_1_e_indexes[] = { &hf_param_next_int64, NULL };
 #define schedswitch_1_x_indexes no_indexes
 static int * const drop_e_indexes[] = { &hf_param_ratio_uint32, NULL };
 #define drop_x_indexes drop_e_indexes
 static int * const syscall_fcntl_e_indexes[] = { &hf_param_fd_int64, &hf_param_cmd_bytes, NULL };
-#define syscall_fcntl_x_indexes syscall_close_x_indexes
+static int * const syscall_fcntl_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_cmd_bytes, NULL };
 static int * const schedswitch_6_e_indexes[] = { &hf_param_next_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL };
 #define schedswitch_6_x_indexes no_indexes
 #define syscall_execve_13_e_indexes no_indexes
@@ -1680,12 +1714,12 @@ static int * const syscall_execve_18_e_indexes[] = { &hf_param_filename_string,
 static int * const page_fault_e_indexes[] = { &hf_param_addr_uint64, &hf_param_ip_uint64, &hf_param_error_int32, NULL };
 #define page_fault_x_indexes no_indexes
 #define syscall_execve_19_e_indexes syscall_execve_18_e_indexes
-static int * const syscall_execve_19_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, &hf_param_tty_uint32, &hf_param_pgid_int64, &hf_param_loginuid_int32, &hf_param_flags_int32, &hf_param_cap_inheritable_uint64, &hf_param_cap_permitted_uint64, &hf_param_cap_effective_uint64, &hf_param_exe_ino_uint64, &hf_param_exe_ino_ctime_bytes, &hf_param_exe_ino_mtime_bytes, &hf_param_uid_int32, NULL };
+static int * const syscall_execve_19_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, &hf_param_tty_uint32, &hf_param_pgid_int64, &hf_param_loginuid_int32, &hf_param_flags_int32, &hf_param_cap_inheritable_uint64, &hf_param_cap_permitted_uint64, &hf_param_cap_effective_uint64, &hf_param_exe_ino_uint64, &hf_param_exe_ino_ctime_bytes, &hf_param_exe_ino_mtime_bytes, &hf_param_uid_int32, &hf_param_trusted_exepath_string, NULL };
 static int * const syscall_setpgid_e_indexes[] = { &hf_param_pid_int64, &hf_param_pgid_int64, NULL };
 #define syscall_setpgid_x_indexes syscall_close_x_indexes
 static int * const syscall_bpf_e_indexes[] = { &hf_param_cmd_int64, NULL };
 static int * const syscall_bpf_x_indexes[] = { &hf_param_res_or_fd_bytes, NULL };
-static int * const syscall_seccomp_e_indexes[] = { &hf_param_op_uint64, NULL };
+static int * const syscall_seccomp_e_indexes[] = { &hf_param_op_uint64, &hf_param_flags_uint64, NULL };
 #define syscall_seccomp_x_indexes syscall_close_x_indexes
 #define syscall_unlink_2_e_indexes no_indexes
 #define syscall_unlink_2_x_indexes syscall_stat_x_indexes
@@ -1714,7 +1748,7 @@ static int * const pluginevent_e_indexes[] = { &hf_param_plugin_id_uint32, &hf_pa
 #define container_json_2_e_indexes k8s_e_indexes
 #define container_json_2_x_indexes no_indexes
 static int * const syscall_openat2_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, NULL };
-static int * const syscall_openat2_x_indexes[] = { &hf_param_fd_int64, &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, NULL };
+static int * const syscall_openat2_x_indexes[] = { &hf_param_fd_int64, &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
 static int * const syscall_mprotect_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, &hf_param_prot_int32, NULL };
 #define syscall_mprotect_x_indexes syscall_close_x_indexes
 static int * const syscall_execveat_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_pathname_string, &hf_param_flags_int32, NULL };
@@ -1724,7 +1758,7 @@ static int * const syscall_copy_file_range_x_indexes[] = { &hf_param_res_int64,
 #define syscall_clone3_e_indexes no_indexes
 #define syscall_clone3_x_indexes syscall_clone_20_x_indexes
 #define syscall_open_by_handle_at_e_indexes no_indexes
-static int * const syscall_open_by_handle_at_x_indexes[] = { &hf_param_fd_int64, &hf_param_mountfd_int64, &hf_param_flags_int32, &hf_param_path_string, NULL };
+static int * const syscall_open_by_handle_at_x_indexes[] = { &hf_param_fd_int64, &hf_param_mountfd_int64, &hf_param_flags_int32, &hf_param_path_string, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
 #define syscall_io_uring_setup_e_indexes no_indexes
 static int * const syscall_io_uring_setup_x_indexes[] = { &hf_param_res_int64, &hf_param_entries_uint32, &hf_param_sq_entries_uint32, &hf_param_cq_entries_uint32, &hf_param_flags_int32, &hf_param_sq_thread_cpu_uint32, &hf_param_sq_thread_idle_uint32, &hf_param_features_int32, NULL };
 #define syscall_io_uring_enter_e_indexes no_indexes
@@ -1756,9 +1790,9 @@ static int * const syscall_dup3_x_indexes[] = { &hf_param_res_int64, &hf_param_o
 #define syscall_dup_1_e_indexes syscall_close_e_indexes
 static int * const syscall_dup_1_x_indexes[] = { &hf_param_res_int64, &hf_param_oldfd_int64, NULL };
 #define syscall_bpf_2_e_indexes syscall_bpf_e_indexes
-#define syscall_bpf_2_x_indexes syscall_close_e_indexes
+#define syscall_bpf_2_x_indexes syscall_fcntl_e_indexes
 #define syscall_mlock2_e_indexes no_indexes
-static int * const syscall_mlock2_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_uint64, &hf_param_len_uint64, &hf_param_flags_uint32, NULL };
+static int * const syscall_mlock2_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_uint64, &hf_param_len_uint64, &hf_param_flags_int32, NULL };
 #define syscall_fsconfig_e_indexes no_indexes
 static int * const syscall_fsconfig_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_cmd_bytes, &hf_param_key_string, &hf_param_value_bytebuf_bytes, &hf_param_value_charbuf_string, &hf_param_aux_int32, NULL };
 static int * const syscall_epoll_create_e_indexes[] = { &hf_param_size_int32, NULL };
@@ -1794,7 +1828,7 @@ static int * const asyncevent_e_indexes[] = { &hf_param_plugin_id_uint32, &hf_pa
 #define syscall_memfd_create_e_indexes no_indexes
 static int * const syscall_memfd_create_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_flags_int32, NULL };
 #define syscall_pidfd_getfd_e_indexes no_indexes
-static int * const syscall_pidfd_getfd_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_fd_int64, &hf_param_target_fd_int64, &hf_param_flags_int32, NULL };
+static int * const syscall_pidfd_getfd_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_fd_int64, &hf_param_target_fd_int64, &hf_param_flags_uint32, NULL };
 #define syscall_pidfd_open_e_indexes no_indexes
 static int * const syscall_pidfd_open_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_int64, &hf_param_flags_int32, NULL };
 #define syscall_init_module_e_indexes no_indexes
@@ -1805,6 +1839,18 @@ static int * const syscall_finit_module_x_indexes[] = { &hf_param_res_int64, &hf
 static int * const syscall_mknod_x_indexes[] = { &hf_param_res_int64, &hf_param_path_string, &hf_param_mode_int32, &hf_param_dev_uint32, NULL };
 #define syscall_mknodat_e_indexes no_indexes
 static int * const syscall_mknodat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_path_string, &hf_param_mode_int32, &hf_param_dev_uint32, NULL };
+#define syscall_newfstatat_e_indexes no_indexes
+static int * const syscall_newfstatat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_path_string, &hf_param_flags_int32, NULL };
+#define syscall_process_vm_readv_e_indexes no_indexes
+static int * const syscall_process_vm_readv_x_indexes[] = { &hf_param_res_int64, &hf_param_pid_int64, &hf_param_data_bytes, NULL };
+#define syscall_process_vm_writev_e_indexes no_indexes
+#define syscall_process_vm_writev_x_indexes syscall_process_vm_readv_x_indexes
+#define syscall_delete_module_e_indexes no_indexes
+static int * const syscall_delete_module_x_indexes[] = { &hf_param_res_int64, &hf_param_name_string, &hf_param_flags_int32, NULL };
+#define syscall_setreuid_e_indexes no_indexes
+static int * const syscall_setreuid_x_indexes[] = { &hf_param_res_int64, &hf_param_ruid_int32, &hf_param_euid_int32, NULL };
+#define syscall_setregid_e_indexes no_indexes
+static int * const syscall_setregid_x_indexes[] = { &hf_param_res_int64, &hf_param_rgid_int32, &hf_param_egid_int32, NULL };
 static const struct _event_tree_info event_tree_info[] = {
 /* Event tree. Automatically generated by tools/generate-sysdig-event.py */
@@ -2226,6 +2272,18 @@ static const struct _event_tree_info event_tree_info[] = {
 { EVT_SYSCALL_MKNOD_X, syscall_mknod_x_indexes },
 { EVT_SYSCALL_MKNODAT_E, syscall_mknodat_e_indexes },
 { EVT_SYSCALL_MKNODAT_X, syscall_mknodat_x_indexes },
+ { EVT_SYSCALL_NEWFSTATAT_E, syscall_newfstatat_e_indexes },
+ { EVT_SYSCALL_NEWFSTATAT_X, syscall_newfstatat_x_indexes },
+ { EVT_SYSCALL_PROCESS_VM_READV_E, syscall_process_vm_readv_e_indexes },
+ { EVT_SYSCALL_PROCESS_VM_READV_X, syscall_process_vm_readv_x_indexes },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_E, syscall_process_vm_writev_e_indexes },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_X, syscall_process_vm_writev_x_indexes },
+ { EVT_SYSCALL_DELETE_MODULE_E, syscall_delete_module_e_indexes },
+ { EVT_SYSCALL_DELETE_MODULE_X, syscall_delete_module_x_indexes },
+ { EVT_SYSCALL_SETREUID_E, syscall_setreuid_e_indexes },
+ { EVT_SYSCALL_SETREUID_X, syscall_setreuid_x_indexes },
+ { EVT_SYSCALL_SETREGID_E, syscall_setregid_e_indexes },
+ { EVT_SYSCALL_SETREGID_X, syscall_setregid_x_indexes },
 { 0, NULL }
 };
@@ -2650,6 +2708,36 @@ static const value_string ID_uint16_vals[] = {
 { 410, "sigreturn" }, // PPM_SC_SIGRETURN
 { 411, "s390_guarded_storage" }, // PPM_SC_S390_GUARDED_STORAGE
 { 412, "cachestat" }, // PPM_SC_CACHESTAT
+ { 413, "fchmodat2" }, // PPM_SC_FCHMODAT2
+ { 414, "map_shadow_stack" }, // PPM_SC_MAP_SHADOW_STACK
+ { 415, "riscv_flush_icache" }, // PPM_SC_RISCV_FLUSH_ICACHE
+ { 416, "riscv_hwprobe" }, // PPM_SC_RISCV_HWPROBE
+ { 417, "futex_wake" }, // PPM_SC_FUTEX_WAKE
+ { 418, "futex_requeue" }, // PPM_SC_FUTEX_REQUEUE
+ { 419, "futex_wait" }, // PPM_SC_FUTEX_WAIT
+ { 420, "oldstat" }, // PPM_SC_OLDSTAT
+ { 421, "switch_endian" }, // PPM_SC_SWITCH_ENDIAN
+ { 422, "multiplexer" }, // PPM_SC_MULTIPLEXER
+ { 423, "oldlstat" }, // PPM_SC_OLDLSTAT
+ { 424, "spu_create" }, // PPM_SC_SPU_CREATE
+ { 425, "sync_file_range2" }, // PPM_SC_SYNC_FILE_RANGE2
+ { 426, "oldfstat" }, // PPM_SC_OLDFSTAT
+ { 427, "spu_run" }, // PPM_SC_SPU_RUN
+ { 428, "swapcontext" }, // PPM_SC_SWAPCONTEXT
+ { 429, "pciconfig_write" }, // PPM_SC_PCICONFIG_WRITE
+ { 430, "rtas" }, // PPM_SC_RTAS
+ { 431, "pciconfig_read" }, // PPM_SC_PCICONFIG_READ
+ { 432, "sys_debug_setcontext" }, // PPM_SC_SYS_DEBUG_SETCONTEXT
+ { 433, "vm86" }, // PPM_SC_VM86
+ { 434, "oldolduname" }, // PPM_SC_OLDOLDUNAME
+ { 435, "subpage_prot" }, // PPM_SC_SUBPAGE_PROT
+ { 436, "pciconfig_iobase" }, // PPM_SC_PCICONFIG_IOBASE
+ { 437, "listmount" }, // PPM_SC_LISTMOUNT
+ { 438, "statmount" }, // PPM_SC_STATMOUNT
+ { 439, "lsm_get_self_attr" }, // PPM_SC_LSM_GET_SELF_ATTR
+ { 440, "lsm_set_self_attr" }, // PPM_SC_LSM_SET_SELF_ATTR
+ { 441, "lsm_list_modules" }, // PPM_SC_LSM_LIST_MODULES
+ { 442, "mseal" }, // PPM_SC_MSEAL
 { 0, NULL }
 };
@@ -2707,7 +2795,7 @@ static const value_string param_subcategory_vals[] = {
 };
 */
-static inline const gchar *format_param_str(tvbuff_t *tvb, int offset, int len) {
+static inline const char *format_param_str(tvbuff_t *tvb, int offset, int len) {
 char *param_str;
 param_str = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_UTF_8|ENC_NA);
@@ -2721,7 +2809,7 @@ static inline const gchar *format_param_str(tvbuff_t *tvb, int offset, int len)
 /* Code to actually dissect the packets */
 static int
-dissect_header_lens_v1(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding, int * const *hf_indexes)
+dissect_header_lens_v1(tvbuff_t *tvb, proto_tree *tree, int encoding, int * const *hf_indexes)
 {
 int param_count;
 proto_item *ti;
@@ -2729,11 +2817,11 @@ dissect_header_lens_v1(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding
 for (param_count = 0; hf_indexes[param_count]; param_count++);
- ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, offset, param_count * SYSDIG_PARAM_SIZE, ENC_NA);
+ ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, param_count * SYSDIG_PARAM_SIZE, ENC_NA);
 len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
 for (param_count = 0; hf_indexes[param_count]; param_count++) {
- proto_tree_add_item(len_tree, hf_se_param_len, tvb, offset + (param_count * SYSDIG_PARAM_SIZE), SYSDIG_PARAM_SIZE, encoding);
+ proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE, SYSDIG_PARAM_SIZE, encoding);
 }
 proto_item_set_len(ti, param_count * SYSDIG_PARAM_SIZE);
@@ -2741,17 +2829,17 @@ dissect_header_lens_v1(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding
 }
 static int
-dissect_header_lens_v2(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int offset, proto_tree *tree, int encoding)
+dissect_header_lens_v2(tvbuff_t *tvb, wtap_syscall_header* syscall_header, proto_tree *tree, int encoding)
 {
- guint32 param_count;
+ uint32_t param_count;
 proto_item *ti;
 proto_tree *len_tree;
- ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, offset, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2, ENC_NA);
+ ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2, ENC_NA);
 len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
 for (param_count = 0; param_count < syscall_header->nparams; param_count++) {
- proto_tree_add_item(len_tree, hf_se_param_len, tvb, offset + (param_count * SYSDIG_PARAM_SIZE_V2), SYSDIG_PARAM_SIZE_V2, encoding);
+ proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE_V2, SYSDIG_PARAM_SIZE_V2, encoding);
 }
 proto_item_set_len(ti, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2);
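Review bot: The length handed to proto_tree_add_item on the `ti = ...` line, `syscall_header->nparams * SYSDIG_PARAM_SIZE_V2`, is computed from a count read out of the capture file and then narrowed to the int length parameter; if nparams is a 32-bit unsigned field (as the other wiretap counts are), a large value wraps or goes negative before the bounds check, which may surface as a dissector-bug assertion rather than a malformed-record exception. The same expression appears with a factor of 4 in the dissect_header_lens_v2_large hunk right below. Checking the count against the buffer first keeps the arithmetic in range: `if (syscall_header->nparams > tvb_reported_length(tvb) / SYSDIG_PARAM_SIZE_V2) { THROW(ReportedBoundsError); }`. Since the commit also removes the `offset` parameter, a one-line comment such as `/* The parameter length table starts at offset 0 of the event tvb. */` would record the new contract for both functions.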
@@ -2759,17 +2847,17 @@ dissect_header_lens_v2(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int o
 }
 static int
-dissect_header_lens_v2_large(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int offset, proto_tree *tree, int encoding)
+dissect_header_lens_v2_large(tvbuff_t *tvb, wtap_syscall_header* syscall_header, proto_tree *tree, int encoding)
 {
- guint32 param_count;
+ uint32_t param_count;
 proto_item *ti;
 proto_tree *len_tree;
- ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, offset, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE, ENC_NA);
+ ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE, ENC_NA);
 len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
 for (param_count = 0; param_count < syscall_header->nparams; param_count++) {
- proto_tree_add_item(len_tree, hf_se_param_len, tvb, offset + (param_count * SYSDIG_PARAM_SIZE_V2_LARGE), SYSDIG_PARAM_SIZE_V2_LARGE, encoding);
+ proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE_V2_LARGE, SYSDIG_PARAM_SIZE_V2_LARGE, encoding);
 }
 proto_item_set_len(ti, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE);
@@ -2779,24 +2867,24 @@ dissect_header_lens_v2_large(tvbuff_t *tvb, wtap_syscall_header* syscall_header,
 /* Dissect events */
 static int
-dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name, wtap_syscall_header* syscall_header, int offset, proto_tree *tree, int encoding, int * const *hf_indexes)
+dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name, wtap_syscall_header* syscall_header, proto_tree *tree, int encoding, int * const *hf_indexes, sysdig_event_param_data *event_param_data)
 {
- int len_offset = offset;
+ int len_offset = 0;
 int param_offset;
 int len_size;
- guint32 cur_param;
+ uint32_t cur_param;
 switch (syscall_header->record_type) {
 case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
- param_offset = offset + dissect_header_lens_v2_large(tvb, syscall_header, offset, tree, encoding);
+ param_offset = dissect_header_lens_v2_large(tvb, syscall_header, tree, encoding);
 len_size = SYSDIG_PARAM_SIZE_V2_LARGE;
 break;
 case BLOCK_TYPE_SYSDIG_EVENT_V2:
- param_offset = offset + dissect_header_lens_v2(tvb, syscall_header, offset, tree, encoding);
+ param_offset = dissect_header_lens_v2(tvb, syscall_header, tree, encoding);
 len_size = SYSDIG_PARAM_SIZE_V2;
 break;
 default:
- param_offset = offset + dissect_header_lens_v1(tvb, offset, tree, encoding, hf_indexes);
+ param_offset = dissect_header_lens_v1(tvb, tree, encoding, hf_indexes);
 len_size = SYSDIG_PARAM_SIZE;
 break;
 }
@@ -2809,11 +2897,11 @@ dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name,
 break;
 }
- guint32 param_len;
+ uint32_t param_len;
 if (syscall_header->record_type == BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE) {
- param_len = tvb_get_guint32(tvb, len_offset, encoding);
+ param_len = tvb_get_uint32(tvb, len_offset, encoding);
 } else {
- param_len = tvb_get_guint16(tvb, len_offset, encoding);
+ param_len = tvb_get_uint16(tvb, len_offset, encoding);
 }
 const int hf_index = *hf_indexes[cur_param];
 if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
@@ -2821,33 +2909,26 @@ dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name,
 format_param_str(tvb, param_offset, param_len));
 } else {
 proto_tree_add_item(tree, hf_index, tvb, param_offset, param_len, encoding);
+ if (hf_index == hf_param_data_bytes) {
+ event_param_data->data_bytes_offset = param_offset;
+ event_param_data->data_bytes_length = param_len;
+ }
 }
 if (hf_index == hf_param_ID_uint16) {
- uint16_t id = tvb_get_guint16(tvb, param_offset, encoding);
+ uint16_t id = tvb_get_uint16(tvb, param_offset, encoding);
 *event_name = val_to_str(id, ID_uint16_vals, "Unknown ID %u");
 col_add_str(pinfo->cinfo, COL_INFO, *event_name);
 }
 param_offset += param_len;
 len_offset += len_size;
 }
- return param_offset - offset;
-}
-
-
-static int
-dissect_plugin_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
-{
- if (!plugin_dissector_handle) {
- return 0;
- }
- return call_dissector_with_data(plugin_dissector_handle, tvb, pinfo, tree, data);
+ return param_offset;
 }
-
 static int
 dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
- void *data)
+ void *data _U_)
 {
 proto_item *ti;
 proto_tree *se_tree, *syscall_tree;
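Review bot: `param_len` is a uint32_t read straight from the record, but `format_param_str(tvb, param_offset, param_len)` and `proto_tree_add_item(tree, hf_index, tvb, param_offset, param_len, encoding)` take an int length, so in the V2_LARGE branch a value at or above 0x80000000 becomes negative and 0xFFFFFFFF in particular becomes -1, the length Wireshark reads as "to end of buffer", instead of being rejected; `param_offset += param_len` then moves backwards as well. A check right after the length is read closes this: `if (param_len > INT_MAX) { THROW(ReportedBoundsError); }` (INT_MAX from <limits.h>). The new `event_param_data->data_bytes_length = param_len;` store inherits whatever type the header declares for that member; if it is int, the same narrowing applies there and is worth the same guard. The enclosing loop begins outside this hunk.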
@@ -2867,11 +2948,12 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 /*
 * If this is a plugin event, handle it appropriately and return
 */
- if (event_type == EVT_PLUGINEVENT_E) {
- return dissect_plugin_event(tvb, pinfo, tree, data);
+ if (event_type == EVT_PLUGINEVENT_E && sinsp_dissector_handle) {
+ return call_dissector(sinsp_dissector_handle, tvb, pinfo, tree);
 }
 const char *event_name = val_to_str(event_type, event_type_vals, "Unknown syscall %u");
+ sysdig_event_param_data event_param_data = {0};
 /*
 * Sysdig uses the term "event" internally. So far every event has been
@@ -2895,7 +2977,7 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 for (cur_len_field = 0; cur_len_field < cur_col_info->num_len_fields && cur_param->param_name; cur_len_field++) {
- unsigned param_len = tvb_get_guint16(tvb, cur_len_field * 2, encoding);
+ unsigned param_len = tvb_get_uint16(tvb, cur_len_field * 2, encoding);
 if (cur_param->param_num == cur_len_field) {
 col_append_fstr(pinfo->cinfo, COL_INFO, ", %s=", cur_param->param_name);
 switch (cur_param->param_ftype) {
@@ -2903,7 +2985,7 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 col_append_str(pinfo->cinfo, COL_INFO, format_param_str(tvb, param_offset, param_len));
 break;
 case FT_UINT64:
- col_append_fstr(pinfo->cinfo, COL_INFO, "%" PRIu64, tvb_get_guint64(tvb, param_offset, encoding));
+ col_append_fstr(pinfo->cinfo, COL_INFO, "%" PRIu64, tvb_get_uint64(tvb, param_offset, encoding));
 default:
 break;
 }
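Review bot: The COL_INFO loop in the `@@ -2895` hunk still reads every parameter length with `tvb_get_uint16(tvb, cur_len_field * 2, encoding)`, while dissect_event_params in this same commit reads 4-byte length fields for BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE records, so for those records the column summary reads the wrong bytes and the parameter offsets it derives drift; the rename from tvb_get_guint16 kept the 2-byte assumption intact. Selecting the width from `pinfo->rec->rec_header.syscall_header.record_type`, as dissect_event_params already does, would keep the two paths in step, and `param_offset` (computed outside this hunk) needs the same treatment. In the `@@ -2903` hunk the `case FT_UINT64:` arm has no `break` before `default:`; the fallthrough is harmless today but deserves a `break;` or a `/* FALLTHROUGH */` so it reads as intended. The enclosing function starts and ends outside these hunks.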
@@ -2931,18 +3013,36 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
 syscall_tree = proto_item_add_subtree(ti, ett_sysdig_syscall);
- for (cur_tree_info = event_tree_info; cur_tree_info->hf_indexes; cur_tree_info++) {
- if (cur_tree_info->event_type == event_type) {
- dissect_event_params(tvb, pinfo, &event_name, &pinfo->rec->rec_header.syscall_header, 0, syscall_tree, encoding, cur_tree_info->hf_indexes);
- break;
+ if (pinfo->rec->rec_header.syscall_header.nparams > 0) {
+ for (cur_tree_info = event_tree_info; cur_tree_info->hf_indexes; cur_tree_info++) {
+ if (cur_tree_info->event_type == event_type) {
+ dissect_event_params(tvb, pinfo, &event_name, &pinfo->rec->rec_header.syscall_header, syscall_tree, encoding, cur_tree_info->hf_indexes, &event_param_data);
+ break;
+ }
 }
 }
 proto_tree_add_string(se_tree, hf_se_event_name, tvb, 0, 0, event_name);
- /* XXX */
- /* return offset; */
- return pinfo->rec->rec_header.syscall_header.event_len;
+ if (!sinsp_dissector_handle) {
+ return tvb_reported_length(tvb);
+ }
+
+ int ret = call_dissector_with_data(sinsp_dissector_handle, tvb, pinfo, tree, &event_param_data);
+
+ if (event_param_data.data_bytes_offset > 0 && event_param_data.data_bytes_length > 0) {
+#define ELF_MAGIC 0x7f454c46 // 7f 'E' 'L' 'F'
+ if (tvb_get_uint32(tvb, event_param_data.data_bytes_offset, ENC_BIG_ENDIAN) == ELF_MAGIC) {
+ tvbuff_t *elf_tvb = tvb_new_subset_length(tvb, event_param_data.data_bytes_offset, event_param_data.data_bytes_length);
+ TRY {
+ call_dissector(elf_dissector_handle, elf_tvb, pinfo, tree);
+ } CATCH_NONFATAL_ERRORS {
+ // Partial dissection is OK.
+ } ENDTRY;
+ }
+ }
+
+ return ret;
 }
 /* Register the protocol with Wireshark.
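Review bot: The ELF magic probe `tvb_get_uint32(tvb, event_param_data.data_bytes_offset, ENC_BIG_ENDIAN)` runs whenever `data_bytes_length > 0`, so a data parameter of one to three bytes either reads past the parameter into whatever follows it or throws at the end of the buffer, and that read sits outside the TRY block; the guard should require `event_param_data.data_bytes_length >= 4`. The probe is also unreachable when `sinsp_dissector_handle` is NULL because of the early `return tvb_reported_length(tvb);` above it, and `call_dissector(elf_dissector_handle, ...)` is made without the NULL check the sinsp handle gets even though find_dissector can return NULL; if ELF detection is meant to work without the falcobridge plugin, the tail wants the shape below. `#define ELF_MAGIC` inside the function body would read better next to the other constants at the top of the file. The function starts outside this hunk.
```c
    int ret = tvb_reported_length(tvb);
    if (sinsp_dissector_handle) {
        ret = call_dissector_with_data(sinsp_dissector_handle, tvb, pinfo, tree, &event_param_data);
    }

    if (elf_dissector_handle && event_param_data.data_bytes_offset > 0 && event_param_data.data_bytes_length >= 4) {
        /* … unchanged: ELF magic check, subset tvb and TRY/CATCH_NONFATAL_ERRORS … */
    }

    return ret;
```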
@@ -3017,13 +3117,13 @@ proto_register_sysdig_event(void)
 { &hf_param_cq_entries_uint32, { "cq_entries", "sysdig.param.io_uring_setup.cq_entries", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_cur_int64, { "cur", "sysdig.param.setrlimit.cur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_cwd_string, { "cwd", "sysdig.param.clone3.cwd", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
- { &hf_param_data_bytes, { "data", "sysdig.param.asyncevent.data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_data_bytes, { "data", "sysdig.param.process_vm_writev.data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_desc_string, { "desc", "sysdig.param.notification.desc", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_description_string, { "description", "sysdig.param.infra.description", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_dev_string, { "dev", "sysdig.param.mount.dev", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_dev_uint32, { "dev", "sysdig.param.mknodat.dev", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_dir_string, { "dir", "sysdig.param.mount.dir", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
- { &hf_param_dirfd_int64, { "dirfd", "sysdig.param.mknodat.dirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_dirfd_int64, { "dirfd", "sysdig.param.newfstatat.dirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_domain_bytes, { "domain", "sysdig.param.socketpair.domain", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_dpid_int64, { "dpid", "sysdig.param.signaldeliver.dpid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_dqb_bhardlimit_uint64, { "dqb_bhardlimit", "sysdig.param.quotactl.dqb_bhardlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
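Review bot: The abbreviation of `hf_param_data_bytes` changes from `sysdig.param.asyncevent.data` to `sysdig.param.process_vm_writev.data` although the field is shared by every event that carries a `data` parameter, so display filters, coloring rules and profiles written against the old name silently stop matching; the same churn hits `dirfd` here and `egid`/`euid`, `path`, `pid`, `res` and `rgid`/`ruid` in the later hunks of this section. The new names look like whichever event the generator visited last rather than a deliberate choice. A stable, event-independent abbreviation for shared parameters (e.g. `sysdig.param.data`) in tools/generate-sysdig-event.py would stop the renames between releases; failing that, the release notes should list the renamed fields.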
@@ -3036,11 +3136,11 @@ proto_register_sysdig_event(void)
 { &hf_param_dqi_bgrace_bytes, { "dqi_bgrace", "sysdig.param.quotactl.dqi_bgrace", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_dqi_flags_int8, { "dqi_flags", "sysdig.param.quotactl.dqi_flags", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_dqi_igrace_bytes, { "dqi_igrace", "sysdig.param.quotactl.dqi_igrace", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
- { &hf_param_egid_int32, { "egid", "sysdig.param.getresgid.egid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_egid_int32, { "egid", "sysdig.param.setregid.egid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_entries_uint32, { "entries", "sysdig.param.io_uring_setup.entries", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_env_string, { "env", "sysdig.param.execveat.env", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_error_int32, { "error", "sysdig.param.page_fault.error", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_euid_int32, { "euid", "sysdig.param.getresuid.euid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_euid_int32, { "euid", "sysdig.param.setreuid.euid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_event_data_bytes, { "event_data", "sysdig.param.pluginevent.event_data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_event_data_uint64, { "event_data", "sysdig.param.scapevent.event_data", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_event_type_uint32, { "event_type", "sysdig.param.scapevent.event_type", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3061,9 +3161,10 @@ proto_register_sysdig_event(void)
 { &hf_param_features_int32, { "features", "sysdig.param.io_uring_setup.features", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_filename_string, { "filename", "sysdig.param.chmod.filename", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_flags_int16, { "flags", "sysdig.param.signalfd4.flags", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_flags_int32, { "flags", "sysdig.param.finit_module.flags", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_flags_int8, { "flags", "sysdig.param.inotify_init.flags", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_flags_uint32, { "flags", "sysdig.param.accept4.flags", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_int32, { "flags", "sysdig.param.delete_module.flags", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_uint32, { "flags", "sysdig.param.pidfd_getfd.flags", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_uint64, { "flags", "sysdig.param.seccomp.flags", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_uint8, { "flags", "sysdig.param.inotify_init.flags", FT_UINT8, BASE_HEX, NULL, 0, NULL, HFILL } },
 { &hf_param_gid_int32, { "gid", "sysdig.param.getgid.gid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_gid_uint32, { "gid", "sysdig.param.fchownat.gid", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_home_string, { "home", "sysdig.param.userdeleted.home", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
@@ -3094,7 +3195,8 @@ proto_register_sysdig_event(void)
 { &hf_param_mode_int32, { "mode", "sysdig.param.mknodat.mode", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_mode_uint32, { "mode", "sysdig.param.openat2.mode", FT_UINT32, BASE_OCT, NULL, 0, NULL, HFILL } },
 { &hf_param_mountfd_int64, { "mountfd", "sysdig.param.open_by_handle_at.mountfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_name_string, { "name", "sysdig.param.memfd_create.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_msgcontrol_bytes, { "msgcontrol", "sysdig.param.recvmsg.msgcontrol", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_name_string, { "name", "sysdig.param.delete_module.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_nativeID_uint16, { "nativeID", "sysdig.param.syscall.nativeID", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_newcur_int64, { "newcur", "sysdig.param.prlimit.newcur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_newdir_int64, { "newdir", "sysdig.param.linkat.newdir", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3124,7 +3226,7 @@ proto_register_sysdig_event(void)
 { &hf_param_optlen_uint32, { "optlen", "sysdig.param.getsockopt.optlen", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_optname_bytes, { "optname", "sysdig.param.getsockopt.optname", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_out_fd_int64, { "out_fd", "sysdig.param.sendfile.out_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_path_string, { "path", "sysdig.param.mknodat.path", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_path_string, { "path", "sysdig.param.newfstatat.path", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_pathname_string, { "pathname", "sysdig.param.fchownat.pathname", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_peer_uint64, { "peer", "sysdig.param.socketpair.peer", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
 { &hf_param_pgft_maj_uint64, { "pgft_maj", "sysdig.param.clone3.pgft_maj", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3132,7 +3234,7 @@ proto_register_sysdig_event(void)
 { &hf_param_pgid_int64, { "pgid", "sysdig.param.execveat.pgid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_pgoffset_uint64, { "pgoffset", "sysdig.param.mmap2.pgoffset", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_pid_fd_int64, { "pid_fd", "sysdig.param.pidfd_getfd.pid_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_pid_int64, { "pid", "sysdig.param.pidfd_open.pid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_pid_int64, { "pid", "sysdig.param.process_vm_writev.pid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_pidns_init_start_ts_uint64, { "pidns_init_start_ts", "sysdig.param.clone3.pidns_init_start_ts", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_plugin_id_uint32, { "plugin_id", "sysdig.param.asyncevent.plugin_id", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_pos_uint64, { "pos", "sysdig.param.pwritev.pos", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3149,14 +3251,14 @@ proto_register_sysdig_event(void)
 { &hf_param_reaper_tid_int64, { "reaper_tid", "sysdig.param.procexit.reaper_tid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_request_bytes, { "request", "sysdig.param.ptrace.request", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_request_uint64, { "I/O control: request", "sysdig.param.ioctl.request", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
- { &hf_param_res_int64, { "res", "sysdig.param.mknodat.res", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_res_int64, { "res", "sysdig.param.setregid.res", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_res_or_fd_bytes, { "res_or_fd", "sysdig.param.bpf.res_or_fd", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_res_uint64, { "res", "sysdig.param.brk.res", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
 { &hf_param_resolve_int32, { "resolve", "sysdig.param.openat2.resolve", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_resource_bytes, { "resource", "sysdig.param.prlimit.resource", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_ret_int64, { "ret", "sysdig.param.procexit.ret", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_rgid_int32, { "rgid", "sysdig.param.getresgid.rgid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_ruid_int32, { "ruid", "sysdig.param.getresuid.ruid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_rgid_int32, { "rgid", "sysdig.param.setregid.rgid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_ruid_int32, { "ruid", "sysdig.param.setreuid.ruid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_scope_string, { "scope", "sysdig.param.infra.scope", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_sem_flg_0_int16, { "sem_flg_0", "sysdig.param.semop.sem_flg_0", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_sem_flg_1_int16, { "sem_flg_1", "sysdig.param.semop.sem_flg_1", FT_INT16,
BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3190,6 +3292,7 @@ proto_register_sysdig_event(void)
 { &hf_param_timeout_bytes, { "timeout", "sysdig.param.ppoll.timeout", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_timeout_int64, { "timeout", "sysdig.param.poll.timeout", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_to_submit_uint32, { "to_submit", "sysdig.param.io_uring_enter.to_submit", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_trusted_exepath_string, { "trusted_exepath", "sysdig.param.execveat.trusted_exepath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
 { &hf_param_tty_int32, { "tty", "sysdig.param.execve.tty", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_tty_uint32, { "tty", "sysdig.param.execveat.tty", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
 { &hf_param_tuple_bytes, { "tuple", "sysdig.param.accept4.tuple", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
@@ -3213,7 +3316,7 @@ proto_register_sysdig_event(void)
 };
 /* Setup protocol subtree array */
- static gint *ett[] = {
+ static int *ett[] = {
 &ett_sysdig_event,
 &ett_sysdig_parm_lens,
 &ett_sysdig_syscall
@@ -3236,7 +3339,8 @@ proto_reg_handoff_sysdig_event(void)
 dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2, sysdig_event_handle);
 dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, sysdig_event_handle);
- plugin_dissector_handle = find_dissector("falcobridge");
+ sinsp_dissector_handle = find_dissector("falcobridge");
+ elf_dissector_handle = find_dissector("elf");
 }
 /* |
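Review bot: `elf_dissector_handle = find_dissector("elf");` in the `@@ -3236` hunk returns NULL if the ELF dissector is not registered and records no dependency between the two protocols, yet dissect_sysdig_event later passes the handle to call_dissector without a NULL check, which expects a valid handle. For a built-in dissector the usual form is `elf_dissector_handle = find_dissector_add_dependency("elf", proto_sysdig_event);`, which makes the relationship visible to the protocol machinery; the falcobridge lookup is for an optional plugin and can keep the plain find_dissector, provided every use stays guarded as the `EVT_PLUGINEVENT_E` path already is. A short comment on the two lines saying which handle is optional and which is expected to exist would make that distinction explicit.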