Diffstat (limited to 'epan/dissectors/packet-sysdig-event.c')
-rw-r--r--epan/dissectors/packet-sysdig-event.c736
1 files changed, 420 insertions, 316 deletions
diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c
index c0fdc7e3..a95bf0c1 100644
--- a/epan/dissectors/packet-sysdig-event.c
+++ b/epan/dissectors/packet-sysdig-event.c
@@ -33,17 +33,17 @@
#include <config.h>
+#include <epan/exceptions.h>
#include <epan/packet.h>
#include <epan/strutil.h>
+#include <packet-sysdig-event.h>
+
#include <wiretap/wtap.h>
+#include <wiretap/pcapng_module.h>
/* #include <epan/expert.h> */
/* #include <epan/prefs.h> */
-#define BLOCK_TYPE_SYSDIG_EVENT 0x00000204
-#define BLOCK_TYPE_SYSDIG_EVENT_V2 0x00000216
-#define BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE 0x00000221
-
#define SYSDIG_PARAM_SIZE 2
#define SYSDIG_PARAM_SIZE_V2 2
#define SYSDIG_PARAM_SIZE_V2_LARGE 4
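Review bot: The new `#include <packet-sysdig-event.h>` uses angle brackets for a header that lives beside this file, unlike the `<epan/...>` and `<wiretap/...>` tree-relative includes around it; Wireshark dissectors write local headers as `#include "packet-sysdig-event.h"` so the lookup does not depend on the include path. Dropping the three local BLOCK_TYPE_SYSDIG_EVENT* defines in favour of `<wiretap/pcapng_module.h>` is the right direction, but a one-line comment at the former define site would save the next reader a search, e.g. `/* BLOCK_TYPE_SYSDIG_EVENT* block type numbers now come from wiretap/pcapng_module.h */`. The added `<epan/exceptions.h>` presumably backs a THROW or CATCH elsewhere in the file; that use is outside this hunk, so I cannot tell whether it is for a length check or a DissectorError.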
@@ -55,249 +55,253 @@ void proto_register_sysdig_event(void);
static dissector_handle_t sysdig_event_handle;
/* Initialize the protocol and registered fields */
-static int proto_sysdig_event = -1;
+static int proto_sysdig_event;
/* Add byte order? */
-static int hf_se_cpu_id = -1;
-static int hf_se_thread_id = -1;
-static int hf_se_event_length = -1;
-static int hf_se_nparams = -1;
-static int hf_se_event_type = -1;
-static int hf_se_event_name = -1;
+static int hf_se_cpu_id;
+static int hf_se_thread_id;
+static int hf_se_event_length;
+static int hf_se_nparams;
+static int hf_se_event_type;
+static int hf_se_event_name;
-static int hf_se_param_lens = -1;
-static int hf_se_param_len = -1;
+static int hf_se_param_lens;
+static int hf_se_param_len;
/* Name+type */
/* Header fields. Automatically generated by tools/generate-sysdig-event.py */
-static int hf_param_ID_uint16 = -1;
-static int hf_param_action_uint32 = -1;
-static int hf_param_addr_bytes = -1;
-static int hf_param_addr_uint64 = -1;
-static int hf_param_arg2_int_int64 = -1;
-static int hf_param_arg2_str_string = -1;
-static int hf_param_arg_uint64 = -1;
-static int hf_param_args_string = -1;
-static int hf_param_argument_uint64 = -1;
-static int hf_param_aux_int32 = -1;
-static int hf_param_backlog_int32 = -1;
-static int hf_param_cap_effective_uint64 = -1;
-static int hf_param_cap_inheritable_uint64 = -1;
-static int hf_param_cap_permitted_uint64 = -1;
-static int hf_param_cgroups_bytes = -1;
-static int hf_param_clockid_uint8 = -1;
-static int hf_param_cmd_bytes = -1;
-static int hf_param_cmd_int16 = -1;
-static int hf_param_cmd_int64 = -1;
-static int hf_param_comm_string = -1;
-static int hf_param_container_id_string = -1;
-static int hf_param_core_uint8 = -1;
-static int hf_param_cpu_sys_uint64 = -1;
-static int hf_param_cpu_uint32 = -1;
-static int hf_param_cpu_usr_uint64 = -1;
-static int hf_param_cq_entries_uint32 = -1;
-static int hf_param_cur_int64 = -1;
-static int hf_param_cwd_string = -1;
-static int hf_param_data_bytes = -1;
-static int hf_param_desc_string = -1;
-static int hf_param_description_string = -1;
-static int hf_param_dev_string = -1;
-static int hf_param_dev_uint32 = -1;
-static int hf_param_dir_string = -1;
-static int hf_param_dirfd_int64 = -1;
-static int hf_param_domain_bytes = -1;
-static int hf_param_dpid_int64 = -1;
-static int hf_param_dqb_bhardlimit_uint64 = -1;
-static int hf_param_dqb_bsoftlimit_uint64 = -1;
-static int hf_param_dqb_btime_bytes = -1;
-static int hf_param_dqb_curspace_uint64 = -1;
-static int hf_param_dqb_ihardlimit_uint64 = -1;
-static int hf_param_dqb_isoftlimit_uint64 = -1;
-static int hf_param_dqb_itime_bytes = -1;
-static int hf_param_dqi_bgrace_bytes = -1;
-static int hf_param_dqi_flags_int8 = -1;
-static int hf_param_dqi_igrace_bytes = -1;
-static int hf_param_egid_int32 = -1;
-static int hf_param_entries_uint32 = -1;
-static int hf_param_env_string = -1;
-static int hf_param_error_int32 = -1;
-static int hf_param_euid_int32 = -1;
-static int hf_param_event_data_bytes = -1;
-static int hf_param_event_data_uint64 = -1;
-static int hf_param_event_type_uint32 = -1;
-static int hf_param_exe_ino_ctime_bytes = -1;
-static int hf_param_exe_ino_mtime_bytes = -1;
-static int hf_param_exe_ino_uint64 = -1;
-static int hf_param_exe_string = -1;
-static int hf_param_fd1_int64 = -1;
-static int hf_param_fd2_int64 = -1;
-static int hf_param_fd_in_int64 = -1;
-static int hf_param_fd_int64 = -1;
-static int hf_param_fd_out_int64 = -1;
-static int hf_param_fdin_int64 = -1;
-static int hf_param_fdlimit_int64 = -1;
-static int hf_param_fdlimit_uint64 = -1;
-static int hf_param_fdout_int64 = -1;
-static int hf_param_fds_bytes = -1;
-static int hf_param_features_int32 = -1;
-static int hf_param_filename_string = -1;
-static int hf_param_flags_int16 = -1;
-static int hf_param_flags_int32 = -1;
-static int hf_param_flags_int8 = -1;
-static int hf_param_flags_uint32 = -1;
-static int hf_param_gid_int32 = -1;
-static int hf_param_gid_uint32 = -1;
-static int hf_param_home_string = -1;
-static int hf_param_how_bytes = -1;
-static int hf_param_id_int64 = -1;
-static int hf_param_id_string = -1;
-static int hf_param_id_uint32 = -1;
-static int hf_param_image_string = -1;
-static int hf_param_img_bytes = -1;
-static int hf_param_in_fd_int64 = -1;
-static int hf_param_initval_uint64 = -1;
-static int hf_param_ino_uint64 = -1;
-static int hf_param_interval_bytes = -1;
-static int hf_param_ip_uint64 = -1;
-static int hf_param_json_string = -1;
-static int hf_param_key_int32 = -1;
-static int hf_param_key_string = -1;
-static int hf_param_len_uint64 = -1;
-static int hf_param_length_uint64 = -1;
-static int hf_param_level_bytes = -1;
-static int hf_param_linkdirfd_int64 = -1;
-static int hf_param_linkpath_string = -1;
-static int hf_param_loginuid_int32 = -1;
-static int hf_param_mask_uint32 = -1;
-static int hf_param_max_int64 = -1;
-static int hf_param_maxevents_int64 = -1;
-static int hf_param_min_complete_uint32 = -1;
-static int hf_param_mode_int32 = -1;
-static int hf_param_mode_uint32 = -1;
-static int hf_param_mountfd_int64 = -1;
-static int hf_param_name_string = -1;
-static int hf_param_nativeID_uint16 = -1;
-static int hf_param_newcur_int64 = -1;
-static int hf_param_newdir_int64 = -1;
-static int hf_param_newdirfd_int64 = -1;
-static int hf_param_newfd_int64 = -1;
-static int hf_param_newmax_int64 = -1;
-static int hf_param_newpath_string = -1;
-static int hf_param_next_int64 = -1;
-static int hf_param_nr_args_uint32 = -1;
-static int hf_param_nsems_int32 = -1;
-static int hf_param_nsops_uint32 = -1;
-static int hf_param_nstype_int32 = -1;
-static int hf_param_offin_uint64 = -1;
-static int hf_param_offout_uint64 = -1;
-static int hf_param_offset_uint64 = -1;
-static int hf_param_oldcur_int64 = -1;
-static int hf_param_olddir_int64 = -1;
-static int hf_param_olddirfd_int64 = -1;
-static int hf_param_oldfd_int64 = -1;
-static int hf_param_oldmax_int64 = -1;
-static int hf_param_oldpath_string = -1;
-static int hf_param_op_bytes = -1;
-static int hf_param_op_uint64 = -1;
-static int hf_param_opcode_bytes = -1;
-static int hf_param_operation_int32 = -1;
-static int hf_param_option_bytes = -1;
-static int hf_param_optlen_uint32 = -1;
-static int hf_param_optname_bytes = -1;
-static int hf_param_out_fd_int64 = -1;
-static int hf_param_path_string = -1;
-static int hf_param_pathname_string = -1;
-static int hf_param_peer_uint64 = -1;
-static int hf_param_pgft_maj_uint64 = -1;
-static int hf_param_pgft_min_uint64 = -1;
-static int hf_param_pgid_int64 = -1;
-static int hf_param_pgoffset_uint64 = -1;
-static int hf_param_pid_fd_int64 = -1;
-static int hf_param_pid_int64 = -1;
-static int hf_param_pidns_init_start_ts_uint64 = -1;
-static int hf_param_plugin_id_uint32 = -1;
-static int hf_param_pos_uint64 = -1;
-static int hf_param_prot_int32 = -1;
-static int hf_param_proto_uint32 = -1;
-static int hf_param_ptid_int64 = -1;
-static int hf_param_queuelen_uint32 = -1;
-static int hf_param_queuemax_uint32 = -1;
-static int hf_param_queuepct_uint8 = -1;
-static int hf_param_quota_fmt_int8 = -1;
-static int hf_param_quota_fmt_out_int8 = -1;
-static int hf_param_quotafilepath_string = -1;
-static int hf_param_ratio_uint32 = -1;
-static int hf_param_reaper_tid_int64 = -1;
-static int hf_param_request_bytes = -1;
-static int hf_param_request_uint64 = -1;
-static int hf_param_res_int64 = -1;
-static int hf_param_res_or_fd_bytes = -1;
-static int hf_param_res_uint64 = -1;
-static int hf_param_resolve_int32 = -1;
-static int hf_param_resource_bytes = -1;
-static int hf_param_ret_int64 = -1;
-static int hf_param_rgid_int32 = -1;
-static int hf_param_ruid_int32 = -1;
-static int hf_param_scope_string = -1;
-static int hf_param_sem_flg_0_int16 = -1;
-static int hf_param_sem_flg_1_int16 = -1;
-static int hf_param_sem_num_0_uint16 = -1;
-static int hf_param_sem_num_1_uint16 = -1;
-static int hf_param_sem_op_0_int16 = -1;
-static int hf_param_sem_op_1_int16 = -1;
-static int hf_param_semflg_int32 = -1;
-static int hf_param_semid_int32 = -1;
-static int hf_param_semnum_int32 = -1;
-static int hf_param_sgid_int32 = -1;
-static int hf_param_shell_string = -1;
-static int hf_param_sig_bytes = -1;
-static int hf_param_sigmask_bytes = -1;
-static int hf_param_size_int32 = -1;
-static int hf_param_size_uint32 = -1;
-static int hf_param_size_uint64 = -1;
-static int hf_param_source_string = -1;
-static int hf_param_source_uint64 = -1;
-static int hf_param_special_string = -1;
-static int hf_param_spid_int64 = -1;
-static int hf_param_sq_entries_uint32 = -1;
-static int hf_param_sq_thread_cpu_uint32 = -1;
-static int hf_param_sq_thread_idle_uint32 = -1;
-static int hf_param_status_int64 = -1;
-static int hf_param_suid_int32 = -1;
-static int hf_param_tags_bytes = -1;
-static int hf_param_target_fd_int64 = -1;
-static int hf_param_target_string = -1;
-static int hf_param_tid_int64 = -1;
-static int hf_param_timeout_bytes = -1;
-static int hf_param_timeout_int64 = -1;
-static int hf_param_to_submit_uint32 = -1;
-static int hf_param_tty_int32 = -1;
-static int hf_param_tty_uint32 = -1;
-static int hf_param_tuple_bytes = -1;
-static int hf_param_type_int8 = -1;
-static int hf_param_type_string = -1;
-static int hf_param_type_uint32 = -1;
-static int hf_param_uargs_string = -1;
-static int hf_param_uid_int32 = -1;
-static int hf_param_uid_uint32 = -1;
-static int hf_param_val_bytes = -1;
-static int hf_param_val_int32 = -1;
-static int hf_param_val_uint64 = -1;
-static int hf_param_value_bytebuf_bytes = -1;
-static int hf_param_value_charbuf_string = -1;
-static int hf_param_vm_rss_uint32 = -1;
-static int hf_param_vm_size_uint32 = -1;
-static int hf_param_vm_swap_uint32 = -1;
-static int hf_param_vpid_int64 = -1;
-static int hf_param_vtid_int64 = -1;
-static int hf_param_whence_bytes = -1;
+static int hf_param_ID_uint16;
+static int hf_param_action_uint32;
+static int hf_param_addr_bytes;
+static int hf_param_addr_uint64;
+static int hf_param_arg2_int_int64;
+static int hf_param_arg2_str_string;
+static int hf_param_arg_uint64;
+static int hf_param_args_string;
+static int hf_param_argument_uint64;
+static int hf_param_aux_int32;
+static int hf_param_backlog_int32;
+static int hf_param_cap_effective_uint64;
+static int hf_param_cap_inheritable_uint64;
+static int hf_param_cap_permitted_uint64;
+static int hf_param_cgroups_bytes;
+static int hf_param_clockid_uint8;
+static int hf_param_cmd_bytes;
+static int hf_param_cmd_int16;
+static int hf_param_cmd_int64;
+static int hf_param_comm_string;
+static int hf_param_container_id_string;
+static int hf_param_core_uint8;
+static int hf_param_cpu_sys_uint64;
+static int hf_param_cpu_uint32;
+static int hf_param_cpu_usr_uint64;
+static int hf_param_cq_entries_uint32;
+static int hf_param_cur_int64;
+static int hf_param_cwd_string;
+static int hf_param_data_bytes;
+static int hf_param_desc_string;
+static int hf_param_description_string;
+static int hf_param_dev_string;
+static int hf_param_dev_uint32;
+static int hf_param_dir_string;
+static int hf_param_dirfd_int64;
+static int hf_param_domain_bytes;
+static int hf_param_dpid_int64;
+static int hf_param_dqb_bhardlimit_uint64;
+static int hf_param_dqb_bsoftlimit_uint64;
+static int hf_param_dqb_btime_bytes;
+static int hf_param_dqb_curspace_uint64;
+static int hf_param_dqb_ihardlimit_uint64;
+static int hf_param_dqb_isoftlimit_uint64;
+static int hf_param_dqb_itime_bytes;
+static int hf_param_dqi_bgrace_bytes;
+static int hf_param_dqi_flags_int8;
+static int hf_param_dqi_igrace_bytes;
+static int hf_param_egid_int32;
+static int hf_param_entries_uint32;
+static int hf_param_env_string;
+static int hf_param_error_int32;
+static int hf_param_euid_int32;
+static int hf_param_event_data_bytes;
+static int hf_param_event_data_uint64;
+static int hf_param_event_type_uint32;
+static int hf_param_exe_ino_ctime_bytes;
+static int hf_param_exe_ino_mtime_bytes;
+static int hf_param_exe_ino_uint64;
+static int hf_param_exe_string;
+static int hf_param_fd1_int64;
+static int hf_param_fd2_int64;
+static int hf_param_fd_in_int64;
+static int hf_param_fd_int64;
+static int hf_param_fd_out_int64;
+static int hf_param_fdin_int64;
+static int hf_param_fdlimit_int64;
+static int hf_param_fdlimit_uint64;
+static int hf_param_fdout_int64;
+static int hf_param_fds_bytes;
+static int hf_param_features_int32;
+static int hf_param_filename_string;
+static int hf_param_flags_int16;
+static int hf_param_flags_int32;
+static int hf_param_flags_uint32;
+static int hf_param_flags_uint64;
+static int hf_param_flags_uint8;
+static int hf_param_gid_int32;
+static int hf_param_gid_uint32;
+static int hf_param_home_string;
+static int hf_param_how_bytes;
+static int hf_param_id_int64;
+static int hf_param_id_string;
+static int hf_param_id_uint32;
+static int hf_param_image_string;
+static int hf_param_img_bytes;
+static int hf_param_in_fd_int64;
+static int hf_param_initval_uint64;
+static int hf_param_ino_uint64;
+static int hf_param_interval_bytes;
+static int hf_param_ip_uint64;
+static int hf_param_json_string;
+static int hf_param_key_int32;
+static int hf_param_key_string;
+static int hf_param_len_uint64;
+static int hf_param_length_uint64;
+static int hf_param_level_bytes;
+static int hf_param_linkdirfd_int64;
+static int hf_param_linkpath_string;
+static int hf_param_loginuid_int32;
+static int hf_param_mask_uint32;
+static int hf_param_max_int64;
+static int hf_param_maxevents_int64;
+static int hf_param_min_complete_uint32;
+static int hf_param_mode_int32;
+static int hf_param_mode_uint32;
+static int hf_param_mountfd_int64;
+static int hf_param_msgcontrol_bytes;
+static int hf_param_name_string;
+static int hf_param_nativeID_uint16;
+static int hf_param_newcur_int64;
+static int hf_param_newdir_int64;
+static int hf_param_newdirfd_int64;
+static int hf_param_newfd_int64;
+static int hf_param_newmax_int64;
+static int hf_param_newpath_string;
+static int hf_param_next_int64;
+static int hf_param_nr_args_uint32;
+static int hf_param_nsems_int32;
+static int hf_param_nsops_uint32;
+static int hf_param_nstype_int32;
+static int hf_param_offin_uint64;
+static int hf_param_offout_uint64;
+static int hf_param_offset_uint64;
+static int hf_param_oldcur_int64;
+static int hf_param_olddir_int64;
+static int hf_param_olddirfd_int64;
+static int hf_param_oldfd_int64;
+static int hf_param_oldmax_int64;
+static int hf_param_oldpath_string;
+static int hf_param_op_bytes;
+static int hf_param_op_uint64;
+static int hf_param_opcode_bytes;
+static int hf_param_operation_int32;
+static int hf_param_option_bytes;
+static int hf_param_optlen_uint32;
+static int hf_param_optname_bytes;
+static int hf_param_out_fd_int64;
+static int hf_param_path_string;
+static int hf_param_pathname_string;
+static int hf_param_peer_uint64;
+static int hf_param_pgft_maj_uint64;
+static int hf_param_pgft_min_uint64;
+static int hf_param_pgid_int64;
+static int hf_param_pgoffset_uint64;
+static int hf_param_pid_fd_int64;
+static int hf_param_pid_int64;
+static int hf_param_pidns_init_start_ts_uint64;
+static int hf_param_plugin_id_uint32;
+static int hf_param_pos_uint64;
+static int hf_param_prot_int32;
+static int hf_param_proto_uint32;
+static int hf_param_ptid_int64;
+static int hf_param_queuelen_uint32;
+static int hf_param_queuemax_uint32;
+static int hf_param_queuepct_uint8;
+static int hf_param_quota_fmt_int8;
+static int hf_param_quota_fmt_out_int8;
+static int hf_param_quotafilepath_string;
+static int hf_param_ratio_uint32;
+static int hf_param_reaper_tid_int64;
+static int hf_param_request_bytes;
+static int hf_param_request_uint64;
+static int hf_param_res_int64;
+static int hf_param_res_or_fd_bytes;
+static int hf_param_res_uint64;
+static int hf_param_resolve_int32;
+static int hf_param_resource_bytes;
+static int hf_param_ret_int64;
+static int hf_param_rgid_int32;
+static int hf_param_ruid_int32;
+static int hf_param_scope_string;
+static int hf_param_sem_flg_0_int16;
+static int hf_param_sem_flg_1_int16;
+static int hf_param_sem_num_0_uint16;
+static int hf_param_sem_num_1_uint16;
+static int hf_param_sem_op_0_int16;
+static int hf_param_sem_op_1_int16;
+static int hf_param_semflg_int32;
+static int hf_param_semid_int32;
+static int hf_param_semnum_int32;
+static int hf_param_sgid_int32;
+static int hf_param_shell_string;
+static int hf_param_sig_bytes;
+static int hf_param_sigmask_bytes;
+static int hf_param_size_int32;
+static int hf_param_size_uint32;
+static int hf_param_size_uint64;
+static int hf_param_source_string;
+static int hf_param_source_uint64;
+static int hf_param_special_string;
+static int hf_param_spid_int64;
+static int hf_param_sq_entries_uint32;
+static int hf_param_sq_thread_cpu_uint32;
+static int hf_param_sq_thread_idle_uint32;
+static int hf_param_status_int64;
+static int hf_param_suid_int32;
+static int hf_param_tags_bytes;
+static int hf_param_target_fd_int64;
+static int hf_param_target_string;
+static int hf_param_tid_int64;
+static int hf_param_timeout_bytes;
+static int hf_param_timeout_int64;
+static int hf_param_to_submit_uint32;
+static int hf_param_trusted_exepath_string;
+static int hf_param_tty_int32;
+static int hf_param_tty_uint32;
+static int hf_param_tuple_bytes;
+static int hf_param_type_int8;
+static int hf_param_type_string;
+static int hf_param_type_uint32;
+static int hf_param_uargs_string;
+static int hf_param_uid_int32;
+static int hf_param_uid_uint32;
+static int hf_param_val_bytes;
+static int hf_param_val_int32;
+static int hf_param_val_uint64;
+static int hf_param_value_bytebuf_bytes;
+static int hf_param_value_charbuf_string;
+static int hf_param_vm_rss_uint32;
+static int hf_param_vm_size_uint32;
+static int hf_param_vm_swap_uint32;
+static int hf_param_vpid_int64;
+static int hf_param_vtid_int64;
+static int hf_param_whence_bytes;
/* Initialize the subtree pointers */
-static gint ett_sysdig_event = -1;
-static gint ett_sysdig_parm_lens = -1;
-static gint ett_sysdig_syscall = -1;
+static int ett_sysdig_event;
+static int ett_sysdig_parm_lens;
+static int ett_sysdig_syscall;
/* Initialize the pointer to the child plugin dissector */
-static dissector_handle_t plugin_dissector_handle = NULL;
+static dissector_handle_t sinsp_dissector_handle;
+static dissector_handle_t elf_dissector_handle;
#define SYSDIG_EVENT_MIN_LENGTH 8 /* XXX Fix */
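Review bot: `sinsp_dissector_handle` and `elf_dissector_handle` replace the single NULL-initialised plugin handle and now rely on static zero-initialisation, which is equivalent; but whatever fills them (a find_dissector lookup outside this hunk) can return NULL when the sinsp or ELF dissector is not built in, so each call through these handles should be guarded, e.g. `if (elf_dissector_handle) { call_dissector(elf_dissector_handle, next_tvb, pinfo, tree); }`. The removal of `hf_param_flags_int8` in favour of `hf_param_flags_uint8` and `hf_param_flags_uint64` is a generated change, so the matching hf_register_info entries (not shown) need to come from the same generator run rather than a hand patch, otherwise a registration would point at a variable that no longer exists. The untouched `SYSDIG_EVENT_MIN_LENGTH 8 /* XXX Fix */` context line is the one value in this block that actually bounds input; since the surrounding table is being regenerated anyway, this would be the moment to either replace the placeholder with the real fixed header size or document what the 8 is meant to cover.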
@@ -324,6 +328,7 @@ static dissector_handle_t plugin_dissector_handle = NULL;
#define EVT_STR_COPY_FILE_RANGE "copy_file_range"
#define EVT_STR_CPU_HOTPLUG "cpu_hotplug"
#define EVT_STR_CREAT "creat"
+#define EVT_STR_DELETE_MODULE "delete_module"
#define EVT_STR_DROP "drop"
#define EVT_STR_DUP "dup"
#define EVT_STR_DUP2 "dup2"
@@ -398,6 +403,7 @@ static dissector_handle_t plugin_dissector_handle = NULL;
#define EVT_STR_MUNLOCKALL "munlockall"
#define EVT_STR_MUNMAP "munmap"
#define EVT_STR_NANOSLEEP "nanosleep"
+#define EVT_STR_NEWFSTATAT "newfstatat"
#define EVT_STR_NOTIFICATION "notification"
#define EVT_STR_OPEN "open"
#define EVT_STR_OPEN_BY_HANDLE_AT "open_by_handle_at"
@@ -415,6 +421,8 @@ static dissector_handle_t plugin_dissector_handle = NULL;
#define EVT_STR_PREAD "pread"
#define EVT_STR_PREADV "preadv"
#define EVT_STR_PRLIMIT "prlimit"
+#define EVT_STR_PROCESS_VM_READV "process_vm_readv"
+#define EVT_STR_PROCESS_VM_WRITEV "process_vm_writev"
#define EVT_STR_PROCEXIT "procexit"
#define EVT_STR_PROCINFO "procinfo"
#define EVT_STR_PTRACE "ptrace"
@@ -445,8 +453,10 @@ static dissector_handle_t plugin_dissector_handle = NULL;
#define EVT_STR_SETGID "setgid"
#define EVT_STR_SETNS "setns"
#define EVT_STR_SETPGID "setpgid"
+#define EVT_STR_SETREGID "setregid"
#define EVT_STR_SETRESGID "setresgid"
#define EVT_STR_SETRESUID "setresuid"
+#define EVT_STR_SETREUID "setreuid"
#define EVT_STR_SETRLIMIT "setrlimit"
#define EVT_STR_SETSID "setsid"
#define EVT_STR_SETSOCKOPT "setsockopt"
@@ -900,6 +910,18 @@ static dissector_handle_t plugin_dissector_handle = NULL;
#define EVT_SYSCALL_MKNOD_X 415
#define EVT_SYSCALL_MKNODAT_E 416
#define EVT_SYSCALL_MKNODAT_X 417
+#define EVT_SYSCALL_NEWFSTATAT_E 418
+#define EVT_SYSCALL_NEWFSTATAT_X 419
+#define EVT_SYSCALL_PROCESS_VM_READV_E 420
+#define EVT_SYSCALL_PROCESS_VM_READV_X 421
+#define EVT_SYSCALL_PROCESS_VM_WRITEV_E 422
+#define EVT_SYSCALL_PROCESS_VM_WRITEV_X 423
+#define EVT_SYSCALL_DELETE_MODULE_E 424
+#define EVT_SYSCALL_DELETE_MODULE_X 425
+#define EVT_SYSCALL_SETREUID_E 426
+#define EVT_SYSCALL_SETREUID_X 427
+#define EVT_SYSCALL_SETREGID_E 428
+#define EVT_SYSCALL_SETREGID_X 429
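Review bot: The twelve new EVT_SYSCALL_*_E/_X constants (418-429) only take effect if the generator also emitted matching `*_e_indexes`/`*_x_indexes` arrays and `event_tree_info` rows, none of which are in this hunk; a missing row would leave, say, `delete_module` named in the Info column with no parameter subtree, and the dissector would not fail loudly. From the generated-table comments elsewhere in the file I infer these are the libscap event ordinals, which is worth stating above the block so nobody renumbers them: `/* Event numbers mirror the driver's event type enum; keep contiguous and regenerate, do not hand-edit. */`. From a detection standpoint the additions (process_vm_readv/writev, delete_module, setreuid/setregid) are exactly the syscalls an analyst filters on, so completeness of their parameter tables matters more than for most entries.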
static const value_string event_type_vals[] = {
/* Value strings. Automatically generated by tools/generate-sysdig-event.py */
@@ -1321,6 +1343,18 @@ static const value_string event_type_vals[] = {
{ EVT_SYSCALL_MKNOD_X, EVT_STR_MKNOD },
{ EVT_SYSCALL_MKNODAT_E, EVT_STR_MKNODAT },
{ EVT_SYSCALL_MKNODAT_X, EVT_STR_MKNODAT },
+ { EVT_SYSCALL_NEWFSTATAT_E, EVT_STR_NEWFSTATAT },
+ { EVT_SYSCALL_NEWFSTATAT_X, EVT_STR_NEWFSTATAT },
+ { EVT_SYSCALL_PROCESS_VM_READV_E, EVT_STR_PROCESS_VM_READV },
+ { EVT_SYSCALL_PROCESS_VM_READV_X, EVT_STR_PROCESS_VM_READV },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_E, EVT_STR_PROCESS_VM_WRITEV },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_X, EVT_STR_PROCESS_VM_WRITEV },
+ { EVT_SYSCALL_DELETE_MODULE_E, EVT_STR_DELETE_MODULE },
+ { EVT_SYSCALL_DELETE_MODULE_X, EVT_STR_DELETE_MODULE },
+ { EVT_SYSCALL_SETREUID_E, EVT_STR_SETREUID },
+ { EVT_SYSCALL_SETREUID_X, EVT_STR_SETREUID },
+ { EVT_SYSCALL_SETREGID_E, EVT_STR_SETREGID },
+ { EVT_SYSCALL_SETREGID_X, EVT_STR_SETREGID },
{0, NULL }
};
@@ -1363,7 +1397,7 @@ static const struct _event_col_info_param execve_15_x_params[] = {
};
struct _event_col_info {
- const guint event_type;
+ const unsigned event_type;
const int num_len_fields;
const struct _event_col_info_param *params;
};
@@ -1379,7 +1413,7 @@ static const struct _event_col_info event_col_info[] = {
};
struct _event_tree_info {
- const guint event_type;
+ const unsigned event_type;
/* int num_params; */
int * const *hf_indexes;
};
@@ -1440,7 +1474,7 @@ static int * const socket_setsockopt_x_indexes[] = { &hf_param_res_int64, &hf_pa
#define socket_sendmmsg_e_indexes no_indexes
#define socket_sendmmsg_x_indexes no_indexes
#define socket_recvmsg_e_indexes syscall_close_e_indexes
-static int * const socket_recvmsg_x_indexes[] = { &hf_param_res_int64, &hf_param_size_uint32, &hf_param_data_bytes, &hf_param_tuple_bytes, NULL };
+static int * const socket_recvmsg_x_indexes[] = { &hf_param_res_int64, &hf_param_size_uint32, &hf_param_data_bytes, &hf_param_tuple_bytes, &hf_param_msgcontrol_bytes, NULL };
#define socket_recvmmsg_e_indexes no_indexes
#define socket_recvmmsg_x_indexes no_indexes
static int * const socket_accept4_e_indexes[] = { &hf_param_flags_uint32, NULL };
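Review bot: `hf_param_msgcontrol_bytes` is appended to `socket_recvmsg_x_indexes` with nothing saying what it carries; if it is the msghdr control buffer (cmsg data such as SCM_RIGHTS file-descriptor passing or SCM_CREDENTIALS), it is the one recvmsg field an incident responder will actually care about, and its declaration should say so, e.g. `/* msgcontrol: raw msghdr ancillary (cmsg) data, e.g. SCM_RIGHTS fd passing -- TODO confirm against driver docs */`. It is typed as opaque bytes here, so the field is shown undecoded; decoding the cmsg headers would be a reasonable follow-up but is outside this change.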
@@ -1449,7 +1483,7 @@ static int * const syscall_creat_e_indexes[] = { &hf_param_name_string, &hf_para
static int * const syscall_creat_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_mode_uint32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
#define syscall_pipe_e_indexes no_indexes
static int * const syscall_pipe_x_indexes[] = { &hf_param_res_int64, &hf_param_fd1_int64, &hf_param_fd2_int64, &hf_param_ino_uint64, NULL };
-static int * const syscall_eventfd_e_indexes[] = { &hf_param_initval_uint64, &hf_param_flags_int32, NULL };
+static int * const syscall_eventfd_e_indexes[] = { &hf_param_initval_uint64, &hf_param_flags_uint32, NULL };
#define syscall_eventfd_x_indexes syscall_close_x_indexes
static int * const syscall_futex_e_indexes[] = { &hf_param_addr_uint64, &hf_param_op_bytes, &hf_param_val_uint64, NULL };
#define syscall_futex_x_indexes syscall_close_x_indexes
@@ -1513,7 +1547,7 @@ static int * const syscall_preadv_e_indexes[] = { &hf_param_fd_int64, &hf_param_
#define syscall_pwritev_x_indexes syscall_read_x_indexes
#define syscall_dup_e_indexes syscall_close_e_indexes
#define syscall_dup_x_indexes syscall_close_x_indexes
-static int * const syscall_signalfd_e_indexes[] = { &hf_param_fd_int64, &hf_param_mask_uint32, &hf_param_flags_int8, NULL };
+static int * const syscall_signalfd_e_indexes[] = { &hf_param_fd_int64, &hf_param_mask_uint32, &hf_param_flags_uint8, NULL };
#define syscall_signalfd_x_indexes syscall_close_x_indexes
static int * const syscall_kill_e_indexes[] = { &hf_param_pid_int64, &hf_param_sig_bytes, NULL };
#define syscall_kill_x_indexes syscall_close_x_indexes
@@ -1523,22 +1557,22 @@ static int * const syscall_tgkill_e_indexes[] = { &hf_param_pid_int64, &hf_param
#define syscall_tgkill_x_indexes syscall_close_x_indexes
static int * const syscall_nanosleep_e_indexes[] = { &hf_param_interval_bytes, NULL };
#define syscall_nanosleep_x_indexes syscall_close_x_indexes
-static int * const syscall_timerfd_create_e_indexes[] = { &hf_param_clockid_uint8, &hf_param_flags_int8, NULL };
+static int * const syscall_timerfd_create_e_indexes[] = { &hf_param_clockid_uint8, &hf_param_flags_uint8, NULL };
#define syscall_timerfd_create_x_indexes syscall_close_x_indexes
-static int * const syscall_inotify_init_e_indexes[] = { &hf_param_flags_int8, NULL };
+static int * const syscall_inotify_init_e_indexes[] = { &hf_param_flags_uint8, NULL };
#define syscall_inotify_init_x_indexes syscall_close_x_indexes
static int * const syscall_getrlimit_e_indexes[] = { &hf_param_resource_bytes, NULL };
static int * const syscall_getrlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_cur_int64, &hf_param_max_int64, NULL };
#define syscall_setrlimit_e_indexes syscall_getrlimit_e_indexes
-#define syscall_setrlimit_x_indexes syscall_getrlimit_x_indexes
+static int * const syscall_setrlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_cur_int64, &hf_param_max_int64, &hf_param_resource_bytes, NULL };
static int * const syscall_prlimit_e_indexes[] = { &hf_param_pid_int64, &hf_param_resource_bytes, NULL };
-static int * const syscall_prlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_newcur_int64, &hf_param_newmax_int64, &hf_param_oldcur_int64, &hf_param_oldmax_int64, NULL };
+static int * const syscall_prlimit_x_indexes[] = { &hf_param_res_int64, &hf_param_newcur_int64, &hf_param_newmax_int64, &hf_param_oldcur_int64, &hf_param_oldmax_int64, &hf_param_pid_int64, &hf_param_resource_bytes, NULL };
static int * const schedswitch_1_e_indexes[] = { &hf_param_next_int64, NULL };
#define schedswitch_1_x_indexes no_indexes
static int * const drop_e_indexes[] = { &hf_param_ratio_uint32, NULL };
#define drop_x_indexes drop_e_indexes
static int * const syscall_fcntl_e_indexes[] = { &hf_param_fd_int64, &hf_param_cmd_bytes, NULL };
-#define syscall_fcntl_x_indexes syscall_close_x_indexes
+static int * const syscall_fcntl_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_cmd_bytes, NULL };
static int * const schedswitch_6_e_indexes[] = { &hf_param_next_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL };
#define schedswitch_6_x_indexes no_indexes
#define syscall_execve_13_e_indexes no_indexes
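Review bot: `syscall_prlimit_x_indexes` and `syscall_setrlimit_x_indexes` now append the enter-side parameters (`pid`, `resource`) after the result and limit values, and `syscall_fcntl_x_indexes` adds `fd`/`cmd` after `res`; because parameter lengths are consumed positionally, the order of these arrays must match the driver's exit-event layout exactly, and a mismatch would silently misattribute bytes to the wrong field rather than error out. The diff does not say which driver schema version these arrays were generated from; pinning that (generator input or libscap version) in the `/* Automatically generated ... */` comment would let a reviewer check the order against the source instead of trusting it. Replacing the `syscall_setrlimit_x_indexes` alias with its own array is correct now that it differs from getrlimit, but the remaining `#define syscall_setrlimit_e_indexes syscall_getrlimit_e_indexes` is the same kind of silent coupling and deserves a comment noting the two enter layouts are intentionally identical.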
@@ -1680,12 +1714,12 @@ static int * const syscall_execve_18_e_indexes[] = { &hf_param_filename_string,
static int * const page_fault_e_indexes[] = { &hf_param_addr_uint64, &hf_param_ip_uint64, &hf_param_error_int32, NULL };
#define page_fault_x_indexes no_indexes
#define syscall_execve_19_e_indexes syscall_execve_18_e_indexes
-static int * const syscall_execve_19_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, &hf_param_tty_uint32, &hf_param_pgid_int64, &hf_param_loginuid_int32, &hf_param_flags_int32, &hf_param_cap_inheritable_uint64, &hf_param_cap_permitted_uint64, &hf_param_cap_effective_uint64, &hf_param_exe_ino_uint64, &hf_param_exe_ino_ctime_bytes, &hf_param_exe_ino_mtime_bytes, &hf_param_uid_int32, NULL };
+static int * const syscall_execve_19_x_indexes[] = { &hf_param_res_int64, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_int64, &hf_param_pid_int64, &hf_param_ptid_int64, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, &hf_param_tty_uint32, &hf_param_pgid_int64, &hf_param_loginuid_int32, &hf_param_flags_int32, &hf_param_cap_inheritable_uint64, &hf_param_cap_permitted_uint64, &hf_param_cap_effective_uint64, &hf_param_exe_ino_uint64, &hf_param_exe_ino_ctime_bytes, &hf_param_exe_ino_mtime_bytes, &hf_param_uid_int32, &hf_param_trusted_exepath_string, NULL };
static int * const syscall_setpgid_e_indexes[] = { &hf_param_pid_int64, &hf_param_pgid_int64, NULL };
#define syscall_setpgid_x_indexes syscall_close_x_indexes
static int * const syscall_bpf_e_indexes[] = { &hf_param_cmd_int64, NULL };
static int * const syscall_bpf_x_indexes[] = { &hf_param_res_or_fd_bytes, NULL };
-static int * const syscall_seccomp_e_indexes[] = { &hf_param_op_uint64, NULL };
+static int * const syscall_seccomp_e_indexes[] = { &hf_param_op_uint64, &hf_param_flags_uint64, NULL };
#define syscall_seccomp_x_indexes syscall_close_x_indexes
#define syscall_unlink_2_e_indexes no_indexes
#define syscall_unlink_2_x_indexes syscall_stat_x_indexes
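Review bot: `hf_param_trusted_exepath_string` is appended to `syscall_execve_19_x_indexes` with no comment distinguishing it from the existing `hf_param_exe_string`; as I read the driver naming, `exe` is what the process reports (and can rewrite), while `trusted_exepath` is the kernel-resolved path of the executed file, which is the field to use when hunting process masquerading, so it deserves a why-comment at its declaration: `/* trusted_exepath: kernel-resolved path of the executed file; exe/comm are process-reported and spoofable -- TODO confirm against libscap docs */`. `syscall_seccomp_e_indexes` gains `hf_param_flags_uint64`, the only 64-bit flags field in the table while every other flags parameter is int32/uint32; if that mirrors the driver's type for seccomp it is fine, but a short note would stop a future hand edit from "normalising" it.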
@@ -1714,7 +1748,7 @@ static int * const pluginevent_e_indexes[] = { &hf_param_plugin_id_uint32, &hf_p
#define container_json_2_e_indexes k8s_e_indexes
#define container_json_2_x_indexes no_indexes
static int * const syscall_openat2_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, NULL };
-static int * const syscall_openat2_x_indexes[] = { &hf_param_fd_int64, &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, NULL };
+static int * const syscall_openat2_x_indexes[] = { &hf_param_fd_int64, &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_int32, &hf_param_mode_uint32, &hf_param_resolve_int32, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
static int * const syscall_mprotect_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, &hf_param_prot_int32, NULL };
#define syscall_mprotect_x_indexes syscall_close_x_indexes
static int * const syscall_execveat_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_pathname_string, &hf_param_flags_int32, NULL };
@@ -1724,7 +1758,7 @@ static int * const syscall_copy_file_range_x_indexes[] = { &hf_param_res_int64,
#define syscall_clone3_e_indexes no_indexes
#define syscall_clone3_x_indexes syscall_clone_20_x_indexes
#define syscall_open_by_handle_at_e_indexes no_indexes
-static int * const syscall_open_by_handle_at_x_indexes[] = { &hf_param_fd_int64, &hf_param_mountfd_int64, &hf_param_flags_int32, &hf_param_path_string, NULL };
+static int * const syscall_open_by_handle_at_x_indexes[] = { &hf_param_fd_int64, &hf_param_mountfd_int64, &hf_param_flags_int32, &hf_param_path_string, &hf_param_dev_uint32, &hf_param_ino_uint64, NULL };
#define syscall_io_uring_setup_e_indexes no_indexes
static int * const syscall_io_uring_setup_x_indexes[] = { &hf_param_res_int64, &hf_param_entries_uint32, &hf_param_sq_entries_uint32, &hf_param_cq_entries_uint32, &hf_param_flags_int32, &hf_param_sq_thread_cpu_uint32, &hf_param_sq_thread_idle_uint32, &hf_param_features_int32, NULL };
#define syscall_io_uring_enter_e_indexes no_indexes
@@ -1756,9 +1790,9 @@ static int * const syscall_dup3_x_indexes[] = { &hf_param_res_int64, &hf_param_o
#define syscall_dup_1_e_indexes syscall_close_e_indexes
static int * const syscall_dup_1_x_indexes[] = { &hf_param_res_int64, &hf_param_oldfd_int64, NULL };
#define syscall_bpf_2_e_indexes syscall_bpf_e_indexes
-#define syscall_bpf_2_x_indexes syscall_close_e_indexes
+#define syscall_bpf_2_x_indexes syscall_fcntl_e_indexes
#define syscall_mlock2_e_indexes no_indexes
-static int * const syscall_mlock2_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_uint64, &hf_param_len_uint64, &hf_param_flags_uint32, NULL };
+static int * const syscall_mlock2_x_indexes[] = { &hf_param_res_int64, &hf_param_addr_uint64, &hf_param_len_uint64, &hf_param_flags_int32, NULL };
#define syscall_fsconfig_e_indexes no_indexes
static int * const syscall_fsconfig_x_indexes[] = { &hf_param_res_int64, &hf_param_fd_int64, &hf_param_cmd_bytes, &hf_param_key_string, &hf_param_value_bytebuf_bytes, &hf_param_value_charbuf_string, &hf_param_aux_int32, NULL };
static int * const syscall_epoll_create_e_indexes[] = { &hf_param_size_int32, NULL };
@@ -1794,7 +1828,7 @@ static int * const asyncevent_e_indexes[] = { &hf_param_plugin_id_uint32, &hf_pa
#define syscall_memfd_create_e_indexes no_indexes
static int * const syscall_memfd_create_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_flags_int32, NULL };
#define syscall_pidfd_getfd_e_indexes no_indexes
-static int * const syscall_pidfd_getfd_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_fd_int64, &hf_param_target_fd_int64, &hf_param_flags_int32, NULL };
+static int * const syscall_pidfd_getfd_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_fd_int64, &hf_param_target_fd_int64, &hf_param_flags_uint32, NULL };
#define syscall_pidfd_open_e_indexes no_indexes
static int * const syscall_pidfd_open_x_indexes[] = { &hf_param_fd_int64, &hf_param_pid_int64, &hf_param_flags_int32, NULL };
#define syscall_init_module_e_indexes no_indexes
@@ -1805,6 +1839,18 @@ static int * const syscall_finit_module_x_indexes[] = { &hf_param_res_int64, &hf
static int * const syscall_mknod_x_indexes[] = { &hf_param_res_int64, &hf_param_path_string, &hf_param_mode_int32, &hf_param_dev_uint32, NULL };
#define syscall_mknodat_e_indexes no_indexes
static int * const syscall_mknodat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_path_string, &hf_param_mode_int32, &hf_param_dev_uint32, NULL };
+#define syscall_newfstatat_e_indexes no_indexes
+static int * const syscall_newfstatat_x_indexes[] = { &hf_param_res_int64, &hf_param_dirfd_int64, &hf_param_path_string, &hf_param_flags_int32, NULL };
+#define syscall_process_vm_readv_e_indexes no_indexes
+static int * const syscall_process_vm_readv_x_indexes[] = { &hf_param_res_int64, &hf_param_pid_int64, &hf_param_data_bytes, NULL };
+#define syscall_process_vm_writev_e_indexes no_indexes
+#define syscall_process_vm_writev_x_indexes syscall_process_vm_readv_x_indexes
+#define syscall_delete_module_e_indexes no_indexes
+static int * const syscall_delete_module_x_indexes[] = { &hf_param_res_int64, &hf_param_name_string, &hf_param_flags_int32, NULL };
+#define syscall_setreuid_e_indexes no_indexes
+static int * const syscall_setreuid_x_indexes[] = { &hf_param_res_int64, &hf_param_ruid_int32, &hf_param_euid_int32, NULL };
+#define syscall_setregid_e_indexes no_indexes
+static int * const syscall_setregid_x_indexes[] = { &hf_param_res_int64, &hf_param_rgid_int32, &hf_param_egid_int32, NULL };
static const struct _event_tree_info event_tree_info[] = {
/* Event tree. Automatically generated by tools/generate-sysdig-event.py */
@@ -2226,6 +2272,18 @@ static const struct _event_tree_info event_tree_info[] = {
{ EVT_SYSCALL_MKNOD_X, syscall_mknod_x_indexes },
{ EVT_SYSCALL_MKNODAT_E, syscall_mknodat_e_indexes },
{ EVT_SYSCALL_MKNODAT_X, syscall_mknodat_x_indexes },
+ { EVT_SYSCALL_NEWFSTATAT_E, syscall_newfstatat_e_indexes },
+ { EVT_SYSCALL_NEWFSTATAT_X, syscall_newfstatat_x_indexes },
+ { EVT_SYSCALL_PROCESS_VM_READV_E, syscall_process_vm_readv_e_indexes },
+ { EVT_SYSCALL_PROCESS_VM_READV_X, syscall_process_vm_readv_x_indexes },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_E, syscall_process_vm_writev_e_indexes },
+ { EVT_SYSCALL_PROCESS_VM_WRITEV_X, syscall_process_vm_writev_x_indexes },
+ { EVT_SYSCALL_DELETE_MODULE_E, syscall_delete_module_e_indexes },
+ { EVT_SYSCALL_DELETE_MODULE_X, syscall_delete_module_x_indexes },
+ { EVT_SYSCALL_SETREUID_E, syscall_setreuid_e_indexes },
+ { EVT_SYSCALL_SETREUID_X, syscall_setreuid_x_indexes },
+ { EVT_SYSCALL_SETREGID_E, syscall_setregid_e_indexes },
+ { EVT_SYSCALL_SETREGID_X, syscall_setregid_x_indexes },
{ 0, NULL }
};
@@ -2650,6 +2708,36 @@ static const value_string ID_uint16_vals[] = {
{ 410, "sigreturn" }, // PPM_SC_SIGRETURN
{ 411, "s390_guarded_storage" }, // PPM_SC_S390_GUARDED_STORAGE
{ 412, "cachestat" }, // PPM_SC_CACHESTAT
+ { 413, "fchmodat2" }, // PPM_SC_FCHMODAT2
+ { 414, "map_shadow_stack" }, // PPM_SC_MAP_SHADOW_STACK
+ { 415, "riscv_flush_icache" }, // PPM_SC_RISCV_FLUSH_ICACHE
+ { 416, "riscv_hwprobe" }, // PPM_SC_RISCV_HWPROBE
+ { 417, "futex_wake" }, // PPM_SC_FUTEX_WAKE
+ { 418, "futex_requeue" }, // PPM_SC_FUTEX_REQUEUE
+ { 419, "futex_wait" }, // PPM_SC_FUTEX_WAIT
+ { 420, "oldstat" }, // PPM_SC_OLDSTAT
+ { 421, "switch_endian" }, // PPM_SC_SWITCH_ENDIAN
+ { 422, "multiplexer" }, // PPM_SC_MULTIPLEXER
+ { 423, "oldlstat" }, // PPM_SC_OLDLSTAT
+ { 424, "spu_create" }, // PPM_SC_SPU_CREATE
+ { 425, "sync_file_range2" }, // PPM_SC_SYNC_FILE_RANGE2
+ { 426, "oldfstat" }, // PPM_SC_OLDFSTAT
+ { 427, "spu_run" }, // PPM_SC_SPU_RUN
+ { 428, "swapcontext" }, // PPM_SC_SWAPCONTEXT
+ { 429, "pciconfig_write" }, // PPM_SC_PCICONFIG_WRITE
+ { 430, "rtas" }, // PPM_SC_RTAS
+ { 431, "pciconfig_read" }, // PPM_SC_PCICONFIG_READ
+ { 432, "sys_debug_setcontext" }, // PPM_SC_SYS_DEBUG_SETCONTEXT
+ { 433, "vm86" }, // PPM_SC_VM86
+ { 434, "oldolduname" }, // PPM_SC_OLDOLDUNAME
+ { 435, "subpage_prot" }, // PPM_SC_SUBPAGE_PROT
+ { 436, "pciconfig_iobase" }, // PPM_SC_PCICONFIG_IOBASE
+ { 437, "listmount" }, // PPM_SC_LISTMOUNT
+ { 438, "statmount" }, // PPM_SC_STATMOUNT
+ { 439, "lsm_get_self_attr" }, // PPM_SC_LSM_GET_SELF_ATTR
+ { 440, "lsm_set_self_attr" }, // PPM_SC_LSM_SET_SELF_ATTR
+ { 441, "lsm_list_modules" }, // PPM_SC_LSM_LIST_MODULES
+ { 442, "mseal" }, // PPM_SC_MSEAL
{ 0, NULL }
};
@@ -2707,7 +2795,7 @@ static const value_string param_subcategory_vals[] = {
};
*/
-static inline const gchar *format_param_str(tvbuff_t *tvb, int offset, int len) {
+static inline const char *format_param_str(tvbuff_t *tvb, int offset, int len) {
char *param_str;
param_str = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_UTF_8|ENC_NA);
@@ -2721,7 +2809,7 @@ static inline const gchar *format_param_str(tvbuff_t *tvb, int offset, int len)
/* Code to actually dissect the packets */
static int
-dissect_header_lens_v1(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding, int * const *hf_indexes)
+dissect_header_lens_v1(tvbuff_t *tvb, proto_tree *tree, int encoding, int * const *hf_indexes)
{
int param_count;
proto_item *ti;
@@ -2729,11 +2817,11 @@ dissect_header_lens_v1(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding
for (param_count = 0; hf_indexes[param_count]; param_count++);
- ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, offset, param_count * SYSDIG_PARAM_SIZE, ENC_NA);
+ ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, param_count * SYSDIG_PARAM_SIZE, ENC_NA);
len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
for (param_count = 0; hf_indexes[param_count]; param_count++) {
- proto_tree_add_item(len_tree, hf_se_param_len, tvb, offset + (param_count * SYSDIG_PARAM_SIZE), SYSDIG_PARAM_SIZE, encoding);
+ proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE, SYSDIG_PARAM_SIZE, encoding);
}
proto_item_set_len(ti, param_count * SYSDIG_PARAM_SIZE);
@@ -2741,17 +2829,17 @@ dissect_header_lens_v1(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding
}
static int
-dissect_header_lens_v2(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int offset, proto_tree *tree, int encoding)
+dissect_header_lens_v2(tvbuff_t *tvb, wtap_syscall_header* syscall_header, proto_tree *tree, int encoding)
{
- guint32 param_count;
+ uint32_t param_count;
proto_item *ti;
proto_tree *len_tree;
- ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, offset, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2, ENC_NA);
+ ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2, ENC_NA);
len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
for (param_count = 0; param_count < syscall_header->nparams; param_count++) {
- proto_tree_add_item(len_tree, hf_se_param_len, tvb, offset + (param_count * SYSDIG_PARAM_SIZE_V2), SYSDIG_PARAM_SIZE_V2, encoding);
+ proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE_V2, SYSDIG_PARAM_SIZE_V2, encoding);
}
proto_item_set_len(ti, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2);
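Review bot: After dropping the `offset` parameter, `dissect_header_lens_v2` and `dissect_header_lens_v2_large` (next hunk) are now identical except for the `SYSDIG_PARAM_SIZE_V2` / `SYSDIG_PARAM_SIZE_V2_LARGE` constant; a single helper taking the length-field width (`static int dissect_header_lens_v2_common(tvbuff_t *tvb, uint32_t nparams, int len_size, proto_tree *tree, int encoding)`) would remove the duplication and make the two switch cases in `dissect_event_params` symmetric. While consolidating, note that `syscall_header->nparams` is a `uint32_t` taken from the capture file and `nparams * SYSDIG_PARAM_SIZE_V2` is passed as an `int` length, so very large values wrap; `proto_tree_add_item` will reject an out-of-range length, but a wrapped negative value may be reported as a dissector bug rather than as a malformed record, so clamping or rejecting `nparams` up front would be cleaner. Both functions' `return` statements lie outside the visible hunks.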
@@ -2759,17 +2847,17 @@ dissect_header_lens_v2(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int o
}
static int
-dissect_header_lens_v2_large(tvbuff_t *tvb, wtap_syscall_header* syscall_header, int offset, proto_tree *tree, int encoding)
+dissect_header_lens_v2_large(tvbuff_t *tvb, wtap_syscall_header* syscall_header, proto_tree *tree, int encoding)
{
- guint32 param_count;
+ uint32_t param_count;
proto_item *ti;
proto_tree *len_tree;
- ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, offset, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE, ENC_NA);
+ ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, 0, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE, ENC_NA);
len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
for (param_count = 0; param_count < syscall_header->nparams; param_count++) {
- proto_tree_add_item(len_tree, hf_se_param_len, tvb, offset + (param_count * SYSDIG_PARAM_SIZE_V2_LARGE), SYSDIG_PARAM_SIZE_V2_LARGE, encoding);
+ proto_tree_add_item(len_tree, hf_se_param_len, tvb, param_count * SYSDIG_PARAM_SIZE_V2_LARGE, SYSDIG_PARAM_SIZE_V2_LARGE, encoding);
}
proto_item_set_len(ti, syscall_header->nparams * SYSDIG_PARAM_SIZE_V2_LARGE);
@@ -2779,24 +2867,24 @@ dissect_header_lens_v2_large(tvbuff_t *tvb, wtap_syscall_header* syscall_header,
/* Dissect events */
static int
-dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name, wtap_syscall_header* syscall_header, int offset, proto_tree *tree, int encoding, int * const *hf_indexes)
+dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name, wtap_syscall_header* syscall_header, proto_tree *tree, int encoding, int * const *hf_indexes, sysdig_event_param_data *event_param_data)
{
- int len_offset = offset;
+ int len_offset = 0;
int param_offset;
int len_size;
- guint32 cur_param;
+ uint32_t cur_param;
switch (syscall_header->record_type) {
case BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE:
- param_offset = offset + dissect_header_lens_v2_large(tvb, syscall_header, offset, tree, encoding);
+ param_offset = dissect_header_lens_v2_large(tvb, syscall_header, tree, encoding);
len_size = SYSDIG_PARAM_SIZE_V2_LARGE;
break;
case BLOCK_TYPE_SYSDIG_EVENT_V2:
- param_offset = offset + dissect_header_lens_v2(tvb, syscall_header, offset, tree, encoding);
+ param_offset = dissect_header_lens_v2(tvb, syscall_header, tree, encoding);
len_size = SYSDIG_PARAM_SIZE_V2;
break;
default:
- param_offset = offset + dissect_header_lens_v1(tvb, offset, tree, encoding, hf_indexes);
+ param_offset = dissect_header_lens_v1(tvb, tree, encoding, hf_indexes);
len_size = SYSDIG_PARAM_SIZE;
break;
}
@@ -2809,11 +2897,11 @@ dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name,
break;
}
- guint32 param_len;
+ uint32_t param_len;
if (syscall_header->record_type == BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE) {
- param_len = tvb_get_guint32(tvb, len_offset, encoding);
+ param_len = tvb_get_uint32(tvb, len_offset, encoding);
} else {
- param_len = tvb_get_guint16(tvb, len_offset, encoding);
+ param_len = tvb_get_uint16(tvb, len_offset, encoding);
}
const int hf_index = *hf_indexes[cur_param];
if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
@@ -2821,33 +2909,26 @@ dissect_event_params(tvbuff_t *tvb, packet_info *pinfo, const char **event_name,
format_param_str(tvb, param_offset, param_len));
} else {
proto_tree_add_item(tree, hf_index, tvb, param_offset, param_len, encoding);
+ if (hf_index == hf_param_data_bytes) {
+ event_param_data->data_bytes_offset = param_offset;
+ event_param_data->data_bytes_length = param_len;
+ }
}
if (hf_index == hf_param_ID_uint16) {
- uint16_t id = tvb_get_guint16(tvb, param_offset, encoding);
+ uint16_t id = tvb_get_uint16(tvb, param_offset, encoding);
*event_name = val_to_str(id, ID_uint16_vals, "Unknown ID %u");
col_add_str(pinfo->cinfo, COL_INFO, *event_name);
}
param_offset += param_len;
len_offset += len_size;
}
- return param_offset - offset;
-}
-
-
-static int
-dissect_plugin_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
-{
- if (!plugin_dissector_handle) {
- return 0;
- }
- return call_dissector_with_data(plugin_dissector_handle, tvb, pinfo, tree, data);
+ return param_offset;
}
-
static int
dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
- void *data)
+ void *data _U_)
{
proto_item *ti;
proto_tree *se_tree, *syscall_tree;
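Review bot: The new `if (hf_index == hf_param_data_bytes)` block records the offset/length of whichever parameter is registered under `hf_param_data_bytes`, and the registration table later in this diff shows that header field is shared across events (its abbreviation moves from `sysdig.param.asyncevent.data` to `sysdig.param.process_vm_writev.data`), so the ELF sniffing that the caller performs on `data_bytes_offset` appears to fire on asyncevent payloads as well as on process_vm_readv/writev ones; if only the latter is intended, key on `syscall_header->event_type` here as well, or document the broader behaviour with a comment such as `/* Remember the last "data" parameter so the caller can hand it to a sub-dissector. */`. If several parameters of one event use this field, only the last one is kept, which is also worth a comment. `dissect_event_params` begins outside this hunk and `dissect_sysdig_event`, whose signature starts here, continues past it.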
@@ -2867,11 +2948,12 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
/*
* If this is a plugin event, handle it appropriately and return
*/
- if (event_type == EVT_PLUGINEVENT_E) {
- return dissect_plugin_event(tvb, pinfo, tree, data);
+ if (event_type == EVT_PLUGINEVENT_E && sinsp_dissector_handle) {
+ return call_dissector(sinsp_dissector_handle, tvb, pinfo, tree);
}
const char *event_name = val_to_str(event_type, event_type_vals, "Unknown syscall %u");
+ sysdig_event_param_data event_param_data = {0};
/*
* Sysdig uses the term "event" internally. So far every event has been
@@ -2895,7 +2977,7 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
for (cur_len_field = 0;
cur_len_field < cur_col_info->num_len_fields && cur_param->param_name;
cur_len_field++) {
- unsigned param_len = tvb_get_guint16(tvb, cur_len_field * 2, encoding);
+ unsigned param_len = tvb_get_uint16(tvb, cur_len_field * 2, encoding);
if (cur_param->param_num == cur_len_field) {
col_append_fstr(pinfo->cinfo, COL_INFO, ", %s=", cur_param->param_name);
switch (cur_param->param_ftype) {
@@ -2903,7 +2985,7 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
col_append_str(pinfo->cinfo, COL_INFO, format_param_str(tvb, param_offset, param_len));
break;
case FT_UINT64:
- col_append_fstr(pinfo->cinfo, COL_INFO, "%" PRIu64, tvb_get_guint64(tvb, param_offset, encoding));
+ col_append_fstr(pinfo->cinfo, COL_INFO, "%" PRIu64, tvb_get_uint64(tvb, param_offset, encoding));
default:
break;
}
@@ -2931,18 +3013,36 @@ dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
syscall_tree = proto_item_add_subtree(ti, ett_sysdig_syscall);
- for (cur_tree_info = event_tree_info; cur_tree_info->hf_indexes; cur_tree_info++) {
- if (cur_tree_info->event_type == event_type) {
- dissect_event_params(tvb, pinfo, &event_name, &pinfo->rec->rec_header.syscall_header, 0, syscall_tree, encoding, cur_tree_info->hf_indexes);
- break;
+ if (pinfo->rec->rec_header.syscall_header.nparams > 0) {
+ for (cur_tree_info = event_tree_info; cur_tree_info->hf_indexes; cur_tree_info++) {
+ if (cur_tree_info->event_type == event_type) {
+ dissect_event_params(tvb, pinfo, &event_name, &pinfo->rec->rec_header.syscall_header, syscall_tree, encoding, cur_tree_info->hf_indexes, &event_param_data);
+ break;
+ }
}
}
proto_tree_add_string(se_tree, hf_se_event_name, tvb, 0, 0, event_name);
- /* XXX */
- /* return offset; */
- return pinfo->rec->rec_header.syscall_header.event_len;
+ if (!sinsp_dissector_handle) {
+ return tvb_reported_length(tvb);
+ }
+
+ int ret = call_dissector_with_data(sinsp_dissector_handle, tvb, pinfo, tree, &event_param_data);
+
+ if (event_param_data.data_bytes_offset > 0 && event_param_data.data_bytes_length > 0) {
+#define ELF_MAGIC 0x7f454c46 // 7f 'E' 'L' 'F'
+ if (tvb_get_uint32(tvb, event_param_data.data_bytes_offset, ENC_BIG_ENDIAN) == ELF_MAGIC) {
+ tvbuff_t *elf_tvb = tvb_new_subset_length(tvb, event_param_data.data_bytes_offset, event_param_data.data_bytes_length);
+ TRY {
+ call_dissector(elf_dissector_handle, elf_tvb, pinfo, tree);
+ } CATCH_NONFATAL_ERRORS {
+ // Partial dissection is OK.
+ } ENDTRY;
+ }
+ }
+
+ return ret;
}
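Review bot: `tvb_get_uint32(tvb, event_param_data.data_bytes_offset, ENC_BIG_ENDIAN)` is executed whenever `data_bytes_length > 0`, so a `data` parameter of one to three bytes is compared using bytes that belong to the following parameter, and if it is the last parameter in the record the read runs past the tvb and throws outside the `TRY` block; the condition should be `if (event_param_data.data_bytes_offset > 0 && event_param_data.data_bytes_length >= 4)` (or `>= sizeof(uint32_t)`). `elf_dissector_handle` is also passed to `call_dissector` without the NULL guard that `sinsp_dissector_handle` receives a few lines above, and `call_dissector` does not accept a NULL handle, so `if (elf_dissector_handle && ...)` belongs in the same condition. Defining `ELF_MAGIC` inside the function body is unusual for this file; a file-scope `#define` or `static const uint32_t` next to the other constants would read better. The enclosing `dissect_sysdig_event` starts outside this hunk.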
/* Register the protocol with Wireshark.
@@ -3017,13 +3117,13 @@ proto_register_sysdig_event(void)
{ &hf_param_cq_entries_uint32, { "cq_entries", "sysdig.param.io_uring_setup.cq_entries", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_cur_int64, { "cur", "sysdig.param.setrlimit.cur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_cwd_string, { "cwd", "sysdig.param.clone3.cwd", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
- { &hf_param_data_bytes, { "data", "sysdig.param.asyncevent.data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_data_bytes, { "data", "sysdig.param.process_vm_writev.data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_desc_string, { "desc", "sysdig.param.notification.desc", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_description_string, { "description", "sysdig.param.infra.description", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_dev_string, { "dev", "sysdig.param.mount.dev", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_dev_uint32, { "dev", "sysdig.param.mknodat.dev", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_dir_string, { "dir", "sysdig.param.mount.dir", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
- { &hf_param_dirfd_int64, { "dirfd", "sysdig.param.mknodat.dirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_dirfd_int64, { "dirfd", "sysdig.param.newfstatat.dirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_domain_bytes, { "domain", "sysdig.param.socketpair.domain", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_dpid_int64, { "dpid", "sysdig.param.signaldeliver.dpid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_dqb_bhardlimit_uint64, { "dqb_bhardlimit", "sysdig.param.quotactl.dqb_bhardlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3036,11 +3136,11 @@ proto_register_sysdig_event(void)
{ &hf_param_dqi_bgrace_bytes, { "dqi_bgrace", "sysdig.param.quotactl.dqi_bgrace", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_dqi_flags_int8, { "dqi_flags", "sysdig.param.quotactl.dqi_flags", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_dqi_igrace_bytes, { "dqi_igrace", "sysdig.param.quotactl.dqi_igrace", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
- { &hf_param_egid_int32, { "egid", "sysdig.param.getresgid.egid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_egid_int32, { "egid", "sysdig.param.setregid.egid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_entries_uint32, { "entries", "sysdig.param.io_uring_setup.entries", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_env_string, { "env", "sysdig.param.execveat.env", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_error_int32, { "error", "sysdig.param.page_fault.error", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_euid_int32, { "euid", "sysdig.param.getresuid.euid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_euid_int32, { "euid", "sysdig.param.setreuid.euid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_event_data_bytes, { "event_data", "sysdig.param.pluginevent.event_data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_event_data_uint64, { "event_data", "sysdig.param.scapevent.event_data", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_event_type_uint32, { "event_type", "sysdig.param.scapevent.event_type", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3061,9 +3161,10 @@ proto_register_sysdig_event(void)
{ &hf_param_features_int32, { "features", "sysdig.param.io_uring_setup.features", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_filename_string, { "filename", "sysdig.param.chmod.filename", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_flags_int16, { "flags", "sysdig.param.signalfd4.flags", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_flags_int32, { "flags", "sysdig.param.finit_module.flags", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_flags_int8, { "flags", "sysdig.param.inotify_init.flags", FT_INT8, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_flags_uint32, { "flags", "sysdig.param.accept4.flags", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_int32, { "flags", "sysdig.param.delete_module.flags", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_uint32, { "flags", "sysdig.param.pidfd_getfd.flags", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_uint64, { "flags", "sysdig.param.seccomp.flags", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
+ { &hf_param_flags_uint8, { "flags", "sysdig.param.inotify_init.flags", FT_UINT8, BASE_HEX, NULL, 0, NULL, HFILL } },
{ &hf_param_gid_int32, { "gid", "sysdig.param.getgid.gid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_gid_uint32, { "gid", "sysdig.param.fchownat.gid", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_home_string, { "home", "sysdig.param.userdeleted.home", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
@@ -3094,7 +3195,8 @@ proto_register_sysdig_event(void)
{ &hf_param_mode_int32, { "mode", "sysdig.param.mknodat.mode", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_mode_uint32, { "mode", "sysdig.param.openat2.mode", FT_UINT32, BASE_OCT, NULL, 0, NULL, HFILL } },
{ &hf_param_mountfd_int64, { "mountfd", "sysdig.param.open_by_handle_at.mountfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_name_string, { "name", "sysdig.param.memfd_create.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_msgcontrol_bytes, { "msgcontrol", "sysdig.param.recvmsg.msgcontrol", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_name_string, { "name", "sysdig.param.delete_module.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_nativeID_uint16, { "nativeID", "sysdig.param.syscall.nativeID", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_newcur_int64, { "newcur", "sysdig.param.prlimit.newcur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_newdir_int64, { "newdir", "sysdig.param.linkat.newdir", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3124,7 +3226,7 @@ proto_register_sysdig_event(void)
{ &hf_param_optlen_uint32, { "optlen", "sysdig.param.getsockopt.optlen", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_optname_bytes, { "optname", "sysdig.param.getsockopt.optname", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_out_fd_int64, { "out_fd", "sysdig.param.sendfile.out_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_path_string, { "path", "sysdig.param.mknodat.path", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
+ { &hf_param_path_string, { "path", "sysdig.param.newfstatat.path", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_pathname_string, { "pathname", "sysdig.param.fchownat.pathname", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_peer_uint64, { "peer", "sysdig.param.socketpair.peer", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
{ &hf_param_pgft_maj_uint64, { "pgft_maj", "sysdig.param.clone3.pgft_maj", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3132,7 +3234,7 @@ proto_register_sysdig_event(void)
{ &hf_param_pgid_int64, { "pgid", "sysdig.param.execveat.pgid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_pgoffset_uint64, { "pgoffset", "sysdig.param.mmap2.pgoffset", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_pid_fd_int64, { "pid_fd", "sysdig.param.pidfd_getfd.pid_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_pid_int64, { "pid", "sysdig.param.pidfd_open.pid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_pid_int64, { "pid", "sysdig.param.process_vm_writev.pid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_pidns_init_start_ts_uint64, { "pidns_init_start_ts", "sysdig.param.clone3.pidns_init_start_ts", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_plugin_id_uint32, { "plugin_id", "sysdig.param.asyncevent.plugin_id", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_pos_uint64, { "pos", "sysdig.param.pwritev.pos", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3149,14 +3251,14 @@ proto_register_sysdig_event(void)
{ &hf_param_reaper_tid_int64, { "reaper_tid", "sysdig.param.procexit.reaper_tid", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_request_bytes, { "request", "sysdig.param.ptrace.request", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_request_uint64, { "I/O control: request", "sysdig.param.ioctl.request", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
- { &hf_param_res_int64, { "res", "sysdig.param.mknodat.res", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_res_int64, { "res", "sysdig.param.setregid.res", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_res_or_fd_bytes, { "res_or_fd", "sysdig.param.bpf.res_or_fd", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_res_uint64, { "res", "sysdig.param.brk.res", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } },
{ &hf_param_resolve_int32, { "resolve", "sysdig.param.openat2.resolve", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_resource_bytes, { "resource", "sysdig.param.prlimit.resource", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_ret_int64, { "ret", "sysdig.param.procexit.ret", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_rgid_int32, { "rgid", "sysdig.param.getresgid.rgid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
- { &hf_param_ruid_int32, { "ruid", "sysdig.param.getresuid.ruid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_rgid_int32, { "rgid", "sysdig.param.setregid.rgid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_ruid_int32, { "ruid", "sysdig.param.setreuid.ruid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_scope_string, { "scope", "sysdig.param.infra.scope", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_sem_flg_0_int16, { "sem_flg_0", "sysdig.param.semop.sem_flg_0", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_sem_flg_1_int16, { "sem_flg_1", "sysdig.param.semop.sem_flg_1", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } },
@@ -3190,6 +3292,7 @@ proto_register_sysdig_event(void)
{ &hf_param_timeout_bytes, { "timeout", "sysdig.param.ppoll.timeout", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_timeout_int64, { "timeout", "sysdig.param.poll.timeout", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_to_submit_uint32, { "to_submit", "sysdig.param.io_uring_enter.to_submit", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
+ { &hf_param_trusted_exepath_string, { "trusted_exepath", "sysdig.param.execveat.trusted_exepath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } },
{ &hf_param_tty_int32, { "tty", "sysdig.param.execve.tty", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_tty_uint32, { "tty", "sysdig.param.execveat.tty", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } },
{ &hf_param_tuple_bytes, { "tuple", "sysdig.param.accept4.tuple", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } },
@@ -3213,7 +3316,7 @@ proto_register_sysdig_event(void)
};
/* Setup protocol subtree array */
- static gint *ett[] = {
+ static int *ett[] = {
&ett_sysdig_event,
&ett_sysdig_parm_lens,
&ett_sysdig_syscall
@@ -3236,7 +3339,8 @@ proto_reg_handoff_sysdig_event(void)
dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2, sysdig_event_handle);
dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT_V2_LARGE, sysdig_event_handle);
- plugin_dissector_handle = find_dissector("falcobridge");
+ sinsp_dissector_handle = find_dissector("falcobridge");
+ elf_dissector_handle = find_dissector("elf");
}
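Review bot: `elf_dissector_handle = find_dissector("elf");` stores a handle that `dissect_sysdig_event` later calls unconditionally, so the lookup result is never checked anywhere; using `find_dissector_add_dependency("elf", proto_sysdig_event)` here would at least record the dependency so the registration order is tracked, and the call site should still guard against a NULL handle. The same applies to the `falcobridge` lookup, although that handle is checked before use in the dissector.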
/*