Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-etw.c
Warning:line 637, column 13
Value stored to 'offset' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-etw.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2026-05-05-100422-3641-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-etw.c
1/* packet-etw.c
2 * Routines for ETW Dissection
3 *
4 * Copyright 2020, Odysseus Yang
5 * 2026, Gabriel Potter
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <[email protected]>
9 * Copyright 1998 Gerald Combs
10 *
11 * SPDX-License-Identifier: GPL-2.0-or-later
12 */
13
14/* Dissector based on ETW Trace
15* https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
16*/
17
18#include "config.h"
19
20#include <epan/packet.h>
21#include <wiretap/wtap.h>
22
23#include "packet-windows-common.h"
24
25#define MAX_SMALL_BUFFER4 4
26
27void proto_register_etw(void);
28void proto_reg_handoff_etw(void);
29
30static dissector_handle_t etw_handle;
31
32// ETW fields
33static int proto_etw;
34static int hf_etw_size;
35static int hf_etw_header_type;
36static int hf_etw_header_flag_extended_info;
37static int hf_etw_header_flag_private_session;
38static int hf_etw_header_flag_string_only;
39static int hf_etw_header_flag_trace_message;
40static int hf_etw_header_flag_no_cputime;
41static int hf_etw_header_flag_32_bit_header;
42static int hf_etw_header_flag_64_bit_header;
43static int hf_etw_header_flag_decode_guid;
44static int hf_etw_header_flag_classic_header;
45static int hf_etw_header_flag_processor_index;
46static int hf_etw_flags;
47static int hf_etw_event_property;
48static int hf_etw_event_property_xml;
49static int hf_etw_event_property_forwarded_xml;
50static int hf_etw_event_property_legacy_eventlog;
51static int hf_etw_event_property_legacy_reloggable;
52static int hf_etw_thread_id;
53static int hf_etw_process_id;
54static int hf_etw_time_stamp;
55static int hf_etw_provider_id;
56static int hf_etw_buffer_context_processor_number;
57static int hf_etw_buffer_context_alignment;
58static int hf_etw_buffer_context_logger_id;
59static int hf_etw_properties_count;
60static int hf_etw_provider_name;
61static int hf_etw_message;
62static int hf_etw_extended_data_count;
63static int hf_etw_extended_data;
64static int hf_etw_edata;
65static int hf_etw_edata_reserved1;
66static int hf_etw_edata_exttype;
67static int hf_etw_edata_linkage;
68static int hf_etw_edata_datasize;
69static int hf_etw_edata_dataptr;
70static int hf_etw_edata_data;
71static int hf_etw_edata_stacktrace_matchid;
72static int hf_etw_edata_stacktrace_address;
73static int hf_etw_edata_schematl_size;
74static int hf_etw_edata_schematl_reserved1;
75static int hf_etw_edata_schematl_name;
76static int hf_etw_edata_schematl_field;
77static int hf_etw_edata_schematl_field_key;
78static int hf_etw_edata_schematl_field_flags;
79static int hf_etw_edata_schematl_field_type;
80static int hf_etw_edata_schematl_field_ccount;
81static int hf_etw_edata_schematl_field_vcount;
82static int hf_etw_edata_schematl_field_chain;
83static int hf_etw_edata_traits_traitssize;
84static int hf_etw_edata_traits_providername;
85static int hf_etw_property;
86static int hf_etw_property_offset;
87static int hf_etw_property_keylen;
88static int hf_etw_property_valuelen;
89static int hf_etw_property_key;
90static int hf_etw_property_value;
91static int hf_etw_tlv_count;
92static int hf_etw_tlv_length;
93static int hf_etw_tlv_offset;
94static int hf_etw_tlv_type;
95static int hf_etw_user_data;
96static int hf_etw_descriptor_id;
97static int hf_etw_descriptor_version;
98static int hf_etw_descriptor_channel;
99static int hf_etw_descriptor_level;
100static int hf_etw_descriptor_opcode;
101static int hf_etw_descriptor_task;
102static int hf_etw_descriptor_keywords;
103static int hf_etw_processor_time;
104static int hf_etw_activity_id;
105
106// Generated fields
107static int hf_etw_type;
108static int hf_etw_message_formatted;
109
110static int ett_etw_header;
111static int ett_etw_data;
112static int ett_etw_descriptor;
113static int ett_etw_buffer_context;
114static int ett_etw_extended_data;
115static int ett_etw_property;
116static int ett_etw_edata;
117static int ett_etw_edata_data;
118static int ett_etw_edata_schematl_schema;
119static int ett_etw_schematl_flags;
120static int ett_etw_header_flags;
121static int ett_etw_event_property_types;
122static int ett_etw_tlvs;
123static int ett_etw_tlv;
124
125static dissector_handle_t mbim_dissector;
126
127static e_guid_t mbim_net_providerid = { 0xA42FE227, 0xA7BF, 0x4483, {0xA5, 0x02, 0x6B, 0xCD, 0xA4, 0x28, 0xCD, 0x96} };
128
129static const value_string etw_edata_types[] = {
130 { 0x0001, "RELATED_ACTIVITYID" },
131 { 0x0002, "SID" },
132 { 0x0003, "TS_ID" },
133 { 0x0004, "INSTANCE_INFO" },
134 { 0x0005, "STACK_TRACE32" },
135 { 0x0006, "STACK_TRACE64" },
136 { 0x0007, "PEBS_INDEX" },
137 { 0x0008, "PMC_COUNTERS" },
138 { 0x0009, "PSM_KEY" },
139 { 0x000A, "EVENT_KEY" },
140 { 0x000B, "EVENT_SCHEMA_TL" },
141 { 0x000C, "PROV_TRAITS" },
142 { 0x000D, "PROCESS_START_KEY" },
143 { 0x000E, "CONTROL_GUID" },
144 { 0x000F, "QPC_DELTA" },
145 { 0x0010, "CONTAINER_ID" },
146 { 0x0011, "STACK_KEY32" },
147 { 0x0012, "STACK_KEY64" },
148 { 0, NULL((void*)0) }
149};
150
151static const value_string etw_tlv_types[] = {
152 { 0x0000, "USER_DATA" },
153 { 0x0001, "MESSAGE" },
154 { 0x0002, "PROVIDER_NAME" },
155 { 0, NULL((void*)0) }
156};
157
158static const value_string etw_schematl_types[] = {
159 { 0x01, "UNICODESTRING" },
160 { 0x02, "ANSISTRING" },
161 { 0x03, "INT8" },
162 { 0x04, "UINT8" },
163 { 0x05, "INT16" },
164 { 0x06, "UINT16" },
165 { 0x07, "INT32" },
166 { 0x08, "UINT32" },
167 { 0x09, "INT64" },
168 { 0x0A, "UINT64" },
169 { 0x0B, "FLOAT" },
170 { 0x0C, "DOUBLE" },
171 { 0x0D, "BOOL32" },
172 { 0x0E, "BINARY" },
173 { 0x0F, "GUID" },
174 { 0x11, "FILETIME" },
175 { 0x12, "SYSTEMTIME" },
176 { 0x13, "SID" },
177 { 0x14, "HEXINT32" },
178 { 0x15, "HEXINT64" },
179 { 0x16, "COUNTEDSTRING" },
180 { 0x17, "COUNTEDANSISTRING" },
181 { 0x18, "STRUCT" },
182 { 0x19, "COUNTEDBINARY" },
183 { 0, NULL((void*)0) }
184};
185
186static int* const etw_schematl_flags[] = {
187 &hf_etw_edata_schematl_field_type,
188 &hf_etw_edata_schematl_field_ccount,
189 &hf_etw_edata_schematl_field_vcount,
190 &hf_etw_edata_schematl_field_chain,
191 NULL((void*)0)
192};
193
194#define ETW_HEADER_SIZE0x5C 0x5C
195
196static int etw_counter;
197
198typedef struct Property_Key_Value
199{
200 const unsigned char *key;
201 const unsigned char *value;
202} PROPERTY_KEY_VALUE;
203
204
205/// <summary>
206/// Function to format the properties into the eventlog message
207/// </summary>
208/// <param name="lpszMessage"></param>
209/// <param name="propArray"></param>
210/// <param name="dwPropertyCount"></param>
211/// <param name="lpszOutBuffer"></param>
212/// <param name="dwOutBufferCount"></param>
213static int
214format_message(char* lpszMessage, wmem_array_t* propArray, wmem_allocator_t* allocator, wmem_strbuf_t** out_buffer)
215{
216 uint16_t startLoc = 0;
217 int percent_loc = 0;
218 PROPERTY_KEY_VALUE key_value;
219 *out_buffer = wmem_strbuf_new(allocator, NULL((void*)0));
220
221 for (int i = 0; lpszMessage[i] != '\0';)
222 {
223 if (lpszMessage[i] != '%')
224 {
225 i++;
226 continue;
227 }
228
229 percent_loc = i;
230 i++;
231
232 if (g_ascii_isdigit(lpszMessage[i])((g_ascii_table[(guchar) (lpszMessage[i])] & G_ASCII_DIGIT
) != 0))
233 {
234 uint16_t dwDigitalCount = 0;
235 char smallBuffer[MAX_SMALL_BUFFER4] = { 0 };
236 while (g_ascii_isdigit(lpszMessage[i])((g_ascii_table[(guchar) (lpszMessage[i])] & G_ASCII_DIGIT
) != 0))
237 {
238 if (dwDigitalCount < (MAX_SMALL_BUFFER4 - 1))
239 {
240 smallBuffer[dwDigitalCount] = lpszMessage[i];
241 }
242 dwDigitalCount++;
243 i++;
244 }
245
246 /* We are not parsing this */
247 if (dwDigitalCount >= (MAX_SMALL_BUFFER4 - 1))
248 {
249 continue;
250 }
251
252 gint64 num = g_ascii_strtoll(smallBuffer, NULL((void*)0), 10);
253 /* We are not parsing this */
254 if (num <= 0 || num >= G_MAXUSHORT(32767 * 2 + 1) || wmem_array_try_index(propArray, (unsigned int) num - 1, &key_value) != 0 || key_value.value == NULL((void*)0))
255 {
256 continue;
257 }
258
259 if (lpszMessage[i] == '!' && lpszMessage[i + 1] == 'S' && lpszMessage[i + 2] == '!')
260 {
261 i += 3;
262 }
263
264 /* We have everything */
265 lpszMessage[percent_loc] = '\0';
266 wmem_strbuf_append(*out_buffer, lpszMessage + startLoc);
267 wmem_strbuf_append(*out_buffer, (char*) key_value.value);
268 startLoc = i;
269 continue; // for
270 }
271 }
272 wmem_strbuf_append(*out_buffer, lpszMessage + startLoc);
273
274 return 0;
275}
276
277static int
278dissect_properties(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint32_t count, wmem_allocator_t* allocator, wmem_array_t** propArray)
279{
280 uint32_t i;
281 proto_item* ti;
282 proto_tree* prop_tree;
283 uint32_t item_offset = offset;
284 uint16_t item_key_length = 0, item_value_length = 0;
285
286 PROPERTY_KEY_VALUE prop;
287 *propArray = wmem_array_sized_new(allocator, sizeof(PROPERTY_KEY_VALUE), count);
288
289 for (i = 0; i < count; i++)
290 {
291 ti = proto_tree_add_item(edata_tree, hf_etw_property, tvb, offset, 8, ENC_NA0x00000000);
292 prop_tree = proto_item_add_subtree(ti, ett_etw_property);
293
294 proto_tree_add_item_ret_uint32(prop_tree, hf_etw_property_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &item_offset);
295 offset += 4;
296 proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_keylen, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &item_key_length);
297 offset += 2;
298 proto_tree_add_item_ret_uint16(prop_tree, hf_etw_property_valuelen, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &item_value_length);
299 offset += 2;
300
301 proto_tree_add_item_ret_string(prop_tree, hf_etw_property_key, tvb, item_offset, item_key_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, &prop.key);
302 proto_tree_add_item_ret_string(prop_tree, hf_etw_property_value, tvb, item_offset + item_key_length, item_value_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, &prop.value);
303
304 proto_item_set_text(prop_tree, "%s=%s", prop.key, prop.value);
305 wmem_array_append(*propArray, &prop, 1);
306 }
307 offset = item_offset + item_key_length + item_value_length;
308
309 return offset;
310}
311
312/// <summary>
313/// Dissect the "Extended Data" blobs
314/// </summary>
315static int
316dissect_edata_tlvs(tvbuff_t* tvb, packet_info* pinfo, proto_tree* edata_tree, uint32_t offset, uint16_t extended_data_count, bool_Bool* is_tl)
317{
318 uint16_t i;
319 proto_item* ti;
320 proto_tree* edata_item_tree, *edata_item_data_tree, *edata_schematl_schema;
321 uint64_t edata_off64;
322 uint32_t edata_off = offset, edata_off_int;
323 uint16_t edata_sz = 0, edata_type = 0;
324
325 for (i = 0; i < extended_data_count; i++)
326 {
327 ti = proto_tree_add_item(edata_tree, hf_etw_edata, tvb, offset, 16, ENC_NA0x00000000);
328 edata_item_tree = proto_item_add_subtree(ti, ett_etw_edata);
329
330 proto_tree_add_item(edata_item_tree, hf_etw_edata_reserved1, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
331 offset += 2;
332 proto_tree_add_item_ret_uint16(edata_item_tree, hf_etw_edata_exttype, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &edata_type);
333 offset += 2;
334 proto_tree_add_item(edata_item_tree, hf_etw_edata_linkage, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
335 offset += 2;
336 proto_tree_add_item_ret_uint16(edata_item_tree, hf_etw_edata_datasize, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &edata_sz);
337 offset += 2;
338 proto_tree_add_item_ret_uint64(edata_item_tree, hf_etw_edata_dataptr, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000, &edata_off64);
339 offset += 8;
340
341 if (edata_off64 > UINT32_MAX(4294967295U))
342 continue; // should never happen, but to be safe
343
344 edata_off = (uint32_t) edata_off64;
345
346 ti = proto_tree_add_item(edata_item_tree, hf_etw_edata_data, tvb, edata_off, edata_sz, ENC_NA0x00000000);
347 edata_item_data_tree = proto_item_add_subtree(ti, ett_etw_edata_data);
348
349 edata_off_int = edata_off;
350 switch (edata_type)
351 {
352 case 0x0002: // SID
353 proto_item_set_text(ti, "Data (SID)");
354 dissect_nt_sid(tvb, pinfo, edata_off_int, edata_item_data_tree, "SID", NULL((void*)0), -1);
355
356 break;
357 case 0x0006: // EVENT_STACK_TRACE64
358 proto_item_set_text(ti, "Data (EVENT_STACK_TRACE64)");
359
360 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_stacktrace_matchid, tvb, edata_off_int, 8, ENC_LITTLE_ENDIAN0x80000000);
361 edata_off_int += 8;
362
363 while (edata_off_int < edata_off + edata_sz)
364 {
365 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_stacktrace_address, tvb, edata_off_int, 8, ENC_LITTLE_ENDIAN0x80000000);
366 edata_off_int += 8;
367 }
368 break;
369
370 case 0x000B: // EVENT_SCHEMA_TL
371 {
372 uint8_t schema_size = 0, item_size = 0;
373
374 *is_tl = true1;
375 proto_item_set_text(ti, "Data (EVENT_SCHEMA_TL)");
376
377 proto_tree_add_item_ret_uint8(edata_item_data_tree, hf_etw_edata_schematl_size, tvb, edata_off_int, 1, ENC_LITTLE_ENDIAN0x80000000, &schema_size);
378 edata_off_int += 1;
379 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_schematl_reserved1, tvb, edata_off_int, 2, ENC_LITTLE_ENDIAN0x80000000);
380 edata_off_int += 2;
381 proto_tree_add_item_ret_length(edata_item_data_tree, hf_etw_edata_schematl_name, tvb, edata_off_int, -1, ENC_LITTLE_ENDIAN0x80000000, (int*)&item_size);
382 edata_off_int += item_size;
383
384 while (edata_off_int < edata_off + schema_size)
385 {
386 ti = proto_tree_add_item(edata_item_data_tree, hf_etw_edata_schematl_field, tvb, edata_off_int, 0, ENC_NA0x00000000);
387 edata_schematl_schema = proto_item_add_subtree(ti, ett_etw_edata_schematl_schema);
388
389 proto_tree_add_item_ret_length(edata_schematl_schema, hf_etw_edata_schematl_field_key, tvb, edata_off_int, -1, ENC_LITTLE_ENDIAN0x80000000, (int*)&item_size);
390 edata_off_int += item_size;
391 proto_tree_add_bitmask(edata_schematl_schema, tvb, edata_off_int, hf_etw_edata_schematl_field_flags,
392 ett_etw_schematl_flags, etw_schematl_flags, ENC_LITTLE_ENDIAN0x80000000);
393 edata_off_int += 1;
394 }
395 break;
396 }
397 case 0x000C: // PROV_TRAITS
398 {
399 // https://learn.microsoft.com/en-us/windows/win32/etw/provider-traits
400 uint16_t traits_size = 0;
401
402 proto_item_set_text(ti, "Data (PROV_TRAITS)");
403
404 proto_tree_add_item_ret_uint16(edata_item_data_tree, hf_etw_edata_traits_traitssize, tvb, edata_off_int, 2, ENC_LITTLE_ENDIAN0x80000000, &traits_size);
405 edata_off_int += 2;
406 proto_tree_add_item(edata_item_data_tree, hf_etw_edata_traits_providername, tvb, edata_off_int, traits_size - 2, ENC_NA0x00000000 | ENC_UTF_80x00000002);
407 edata_off_int += traits_size;
408 break;
409 }
410
411 default:
412 break;
413 }
414
415
416 }
417
418 return offset;
419}
420
421static int
422dissect_etw(tvbuff_t* tvb, packet_info* pinfo, proto_tree* tree _U___attribute__((unused)), void* data _U___attribute__((unused)))
423{
424 // We parse an "ETL->Wireshark encapsulation" format, which is defined in etl.c. This format
425 // includes the actual ETW header, in addition to formatted structures which we added during
426 // the dump process.
427
428 proto_tree* etw_header, * etw_descriptor, * etw_buffer_context, * edata_tree, * etw_data, * etw_tlvs;
429 proto_item* ti;
430 tvbuff_t* mbim_tvb;
431 char* provider_name;
432 uint32_t message_offset = 0, message_length = 0, provider_name_offset = 0, provider_name_length = 0, user_data_offset = 0, user_data_length = 0;
433 uint32_t properties_offset, properties_count;
434 uint16_t extended_data_count, tlv_count;
435 uint64_t flags;
436 wmem_array_t* propArray = NULL((void*)0);
437 bool_Bool is_tl = false0;
438 e_guid_t provider_id;
439 nstime_t timestamp;
440 uint64_t ts;
441 int offset = 0;
442 static int * const etw_header_flags[] = {
443 &hf_etw_header_flag_extended_info,
444 &hf_etw_header_flag_private_session,
445 &hf_etw_header_flag_string_only,
446 &hf_etw_header_flag_trace_message,
447 &hf_etw_header_flag_no_cputime,
448 &hf_etw_header_flag_32_bit_header,
449 &hf_etw_header_flag_64_bit_header,
450 &hf_etw_header_flag_decode_guid,
451 &hf_etw_header_flag_classic_header,
452 &hf_etw_header_flag_processor_index,
453 NULL((void*)0)
454 };
455
456 static int * const etw_event_property_opt[] = {
457 &hf_etw_event_property_xml,
458 &hf_etw_event_property_forwarded_xml,
459 &hf_etw_event_property_legacy_eventlog,
460 &hf_etw_event_property_legacy_reloggable,
461 NULL((void*)0)
462 };
463
464 // Header
465
466 etw_header = proto_tree_add_subtree(tree, tvb, 0, ETW_HEADER_SIZE0x5C, ett_etw_header, NULL((void*)0), "ETW Header");
467 proto_tree_add_item(etw_header, hf_etw_size, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
468 offset += 2;
469 proto_tree_add_item(etw_header, hf_etw_header_type, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
470 offset += 2;
471 proto_tree_add_bitmask_ret_uint64(etw_header, tvb, offset, hf_etw_flags,
472 ett_etw_header_flags, etw_header_flags, ENC_LITTLE_ENDIAN0x80000000, &flags);
473 offset += 2;
474 proto_tree_add_bitmask(etw_header, tvb, offset, hf_etw_event_property,
475 ett_etw_event_property_types, etw_event_property_opt, ENC_LITTLE_ENDIAN0x80000000);
476 offset += 2;
477 proto_tree_add_item(etw_header, hf_etw_thread_id, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
478 offset += 4;
479 proto_tree_add_item(etw_header, hf_etw_process_id, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000);
480 offset += 4;
481 ts = tvb_get_letoh64(tvb, offset) - INT64_C(0x019DB1DED53E8000)0x019DB1DED53E8000L;
482 timestamp.secs = (unsigned)(ts / 10000000);
483 timestamp.nsecs = (unsigned)((ts % 10000000) * 100);
484 proto_tree_add_time(etw_header, hf_etw_time_stamp, tvb, offset, 8, &timestamp);
485 offset += 8;
486 tvb_get_letohguid(tvb, offset, &provider_id);
487 proto_tree_add_item(etw_header, hf_etw_provider_id, tvb, offset, 16, ENC_LITTLE_ENDIAN0x80000000);
488 offset += 16;
489
490 etw_descriptor = proto_tree_add_subtree(etw_header, tvb, 40, 16, ett_etw_descriptor, NULL((void*)0), "Descriptor");
491 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_id, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
492 offset += 2;
493 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
494 offset += 1;
495 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_channel, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
496 offset += 1;
497 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_level, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
498 offset += 1;
499 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_opcode, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
500 offset += 1;
501 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_task, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
502 offset += 2;
503 proto_tree_add_item(etw_descriptor, hf_etw_descriptor_keywords, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
504 offset += 8;
505
506 proto_tree_add_item(etw_header, hf_etw_processor_time, tvb, offset, 8, ENC_LITTLE_ENDIAN0x80000000);
507 offset += 8;
508 proto_tree_add_item(etw_header, hf_etw_activity_id, tvb, offset, 16, ENC_LITTLE_ENDIAN0x80000000);
509 offset += 16;
510
511 etw_buffer_context = proto_tree_add_subtree(etw_header, tvb, 80, 4, ett_etw_descriptor, NULL((void*)0), "Buffer Context");
512 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_processor_number, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
513 offset += 1;
514 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_alignment, tvb, offset, 1, ENC_LITTLE_ENDIAN0x80000000);
515 offset += 1;
516 proto_tree_add_item(etw_buffer_context, hf_etw_buffer_context_logger_id, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000);
517 offset += 2;
518 proto_tree_add_item_ret_uint16(etw_header, hf_etw_extended_data_count, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &extended_data_count);
519 offset += 2;
520 proto_tree_add_item_ret_uint16(etw_header, hf_etw_tlv_count, tvb, offset, 2, ENC_LITTLE_ENDIAN0x80000000, &tlv_count);
521 offset += 2;
522 proto_tree_add_item_ret_uint(etw_header, hf_etw_properties_count, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &properties_count);
523 offset += 4;
524
525 // Extended data
526
527 ti = proto_tree_add_item(etw_header, hf_etw_extended_data, tvb, offset, extended_data_count * 16, ENC_NA0x00000000); // sizeof(EVENT_HEADER_EXTENDED_DATA_ITEM) = 16
528 edata_tree = proto_item_add_subtree(ti, ett_etw_extended_data);
529 offset = dissect_edata_tlvs(tvb, pinfo, edata_tree, offset, extended_data_count, &is_tl);
530
531 // Expert info
532
533 if (flags & 0x0008) // EVENT_HEADER_FLAG_TRACE_MESSAGE
534 {
535 // WPP
536 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "WPP");
537 }
538 else if (flags & 0x0100) // EVENT_HEADER_FLAG_CLASSIC_HEADER
539 {
540 // MOF (CLASSIC)
541 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "MOF (classic)");
542 }
543 else if (is_tl)
544 {
545 // TRACELOGGING
546 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "TraceLogging");
547 }
548 else
549 {
550 // MANIFEST
551 ti = proto_tree_add_string(etw_header, hf_etw_type, tvb, 0, -1, "Manifest-based");
552 }
553 proto_item_set_generated(ti);
554
555 // Now is the bunch of TLVs that include formatted stuff
556 if (tlv_count > 0)
557 {
558 etw_tlvs = proto_tree_add_subtree(etw_header, tvb, offset, tlv_count * 12, ett_etw_tlvs, NULL((void*)0), "Extra Information");
559
560 for (uint16_t i = 0; i < tlv_count; i++)
561 {
562 uint32_t tlv_type, tlv_offset, tlv_length;
563
564 proto_tree* etw_tlv = proto_tree_add_subtree(etw_tlvs, tvb, offset, 12, ett_etw_tlv, NULL((void*)0), "Extra Information Item");
565
566 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_type, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_type);
567 offset += 4;
568 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_offset, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_offset);
569 offset += 4;
570 proto_tree_add_item_ret_uint(etw_tlv, hf_etw_tlv_length, tvb, offset, 4, ENC_LITTLE_ENDIAN0x80000000, &tlv_length);
571 offset += 4;
572
573 if (tlv_type == 0)
574 {
575 // TLV_USER_DATA
576 proto_item_set_text(etw_tlv, "Extra Information Item (USER_DATA)");
577 user_data_offset = tlv_offset;
578 user_data_length = tlv_length;
579 }
580 else if (tlv_type == 1)
581 {
582 // TLV_MESSAGE
583 proto_item_set_text(etw_tlv, "Extra Information Item (MESSAGE)");
584 message_offset = tlv_offset;
585 message_length = tlv_length;
586 }
587 else if (tlv_type == 2)
588 {
589 // TLV_PROVIDER_NAME
590 proto_item_set_text(etw_tlv, "Extra Information Item (PROVIDER_NAME)");
591 provider_name_offset = tlv_offset;
592 provider_name_length = tlv_length;
593 }
594 }
595 }
596
597 // Now it's the properties (we parse them later)
598
599 properties_offset = offset;
600
601 // We're done with the header. Starting adding "Data" elements.
602
603 if (provider_name_length) {
604 // Specifically for the provider name, we keep it in the "Data" header to handle the MBIM case
605 proto_tree_add_item_ret_string(etw_header, hf_etw_provider_name, tvb, provider_name_offset, provider_name_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, (const uint8_t **) & provider_name);
606 }
607
608 // User data + set columns
609
610 col_set_str(pinfo->cinfo, COL_DEF_SRC, "windows");
611 col_set_str(pinfo->cinfo, COL_DEF_DST, "windows");
612 if (memcmp(&mbim_net_providerid, &provider_id, sizeof(e_guid_t)) == 0) {
613 // Special case for MBIM
614 uint32_t pack_flags;
615
616 if (WTAP_OPTTYPE_SUCCESS == wtap_block_get_uint32_option_value(pinfo->rec->block, OPT_PKT_FLAGS2, &pack_flags)) {
617 switch(PACK_FLAGS_DIRECTION(pack_flags)(((pack_flags) & 0x00000003) >> 0)) {
618 case PACK_FLAGS_DIRECTION_INBOUND1:
619 col_set_str(pinfo->cinfo, COL_DEF_SRC, "device");
620 col_set_str(pinfo->cinfo, COL_DEF_DST, "host");
621 break;
622 case PACK_FLAGS_DIRECTION_OUTBOUND2:
623 col_set_str(pinfo->cinfo, COL_DEF_SRC, "host");
624 col_set_str(pinfo->cinfo, COL_DEF_DST, "device");
625 break;
626 }
627 }
628 mbim_tvb = tvb_new_subset_remaining(tvb, user_data_offset);
629 call_dissector_only(mbim_dissector, mbim_tvb, pinfo, tree, data);
630 }
631 else
632 {
633 // Other provider: add "Data" header
634
635 etw_data = proto_tree_add_subtree(tree, tvb, offset, 0, ett_etw_data, NULL((void*)0), "ETW Data");
636 if (properties_count) {
637 offset = dissect_properties(tvb, pinfo, etw_data, properties_offset, properties_count, pinfo->pool, &propArray);
Value stored to 'offset' is never read
638 }
639 if (user_data_length) {
640 proto_tree_add_item(etw_data, hf_etw_user_data, tvb, user_data_offset, user_data_length, ENC_NA0x00000000);
641 }
642
643 if (provider_name_length) {
644 col_set_str(pinfo->cinfo, COL_PROTOCOL, provider_name);
645 }
646
647 if (message_length) {
648 char* message;
649
650 proto_tree_add_item_ret_string(etw_data, hf_etw_message, tvb, message_offset, message_length, ENC_LITTLE_ENDIAN0x80000000 | ENC_UTF_160x00000004, pinfo->pool, (const uint8_t**)& message);
651 if (propArray != NULL((void*)0))
652 {
653 wmem_strbuf_t* out_buffer;
654 format_message(message, propArray, pinfo->pool, &out_buffer);
655 message = out_buffer->str;
656 ti = proto_tree_add_string(etw_data, hf_etw_message_formatted, tvb, 0, -1, message);
657 proto_item_set_generated(ti);
658 }
659 col_set_str(pinfo->cinfo, COL_INFO, message);
660 }
661 else
662 {
663 col_set_str(pinfo->cinfo, COL_INFO, guids_resolve_guid_to_str(&provider_id, pinfo->pool));
664 }
665 }
666
667 etw_counter += 1;
668 return tvb_captured_length(tvb);
669}
670
671void
672proto_register_etw(void)
673{
674 static hf_register_info hf[] = {
675 { &hf_etw_size,
676 { "Size", "etw.size",
677 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
678 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
679 },
680 { &hf_etw_header_type,
681 { "Header Type", "etw.header_type",
682 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
683 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
684 },
685 { &hf_etw_flags,
686 { "Flags", "etw.flags",
687 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
688 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
689 },
690 { &hf_etw_header_flag_extended_info,
691 { "Extended Info", "etw.header.flag.extended_info",
692 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
693 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
694 },
695 { &hf_etw_header_flag_private_session,
696 { "Private Session", "etw.header.flag.private_session",
697 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
698 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
699 },
700 { &hf_etw_header_flag_string_only,
701 { "String Only", "etw.header.flag.string_only",
702 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
703 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
704 },
705 { &hf_etw_header_flag_trace_message,
706 { "Trace Message", "etw.header.flag.trace_message",
707 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
708 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
709 },
710 { &hf_etw_header_flag_no_cputime,
711 { "No CPU time", "etw.header.flag.no_cputime",
712 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0010,
713 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
714 },
715 { &hf_etw_header_flag_32_bit_header,
716 { "32-bit Header", "etw.header.flag.32_bit_header",
717 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0020,
718 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
719 },
720 { &hf_etw_header_flag_64_bit_header,
721 { "64-bit Header", "etw.header.flag.64_bit_header",
722 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0040,
723 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
724 },
725 { &hf_etw_header_flag_decode_guid,
726 { "Decode GUID", "etw.header.flag.decode_guid",
727 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0080,
728 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
729 },
730 { &hf_etw_header_flag_classic_header,
731 { "Classic Header", "etw.header.flag.classic_header",
732 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0100,
733 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
734 },
735 { &hf_etw_header_flag_processor_index,
736 { "Processor Index", "etw.header.flag.processor_index",
737 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0200,
738 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
739 },
740 { &hf_etw_event_property,
741 { "Event Property", "etw.event_property",
742 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
743 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
744 },
745 { &hf_etw_event_property_xml,
746 { "XML", "etw.property.xml",
747 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0001,
748 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
749 },
750 { &hf_etw_event_property_forwarded_xml,
751 { "Forwarded XML", "etw.property.forwarded_xml",
752 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0002,
753 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
754 },
755 { &hf_etw_event_property_legacy_eventlog,
756 { "Legacy Event Log", "etw.property.legacy_event",
757 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0004,
758 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
759 },
760 { &hf_etw_event_property_legacy_reloggable,
761 { "Legacy Reloggable", "etw.property.legacy_reloggable",
762 FT_UINT32, BASE_DEC, NULL((void*)0), 0x0008,
763 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
764 },
765 { &hf_etw_thread_id,
766 { "Thread ID", "etw.thread_id",
767 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
768 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
769 },
770 { &hf_etw_process_id,
771 { "Process ID", "etw.process_id",
772 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
773 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
774 },
775 { &hf_etw_time_stamp,
776 { "Time Stamp", "etw.time_stamp",
777 FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL((void*)0), 0,
778 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
779 },
780 { &hf_etw_provider_id,
781 { "Provider ID", "etw.provider_id",
782 FT_GUID, BASE_NONE, NULL((void*)0), 0,
783 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
784 },
785 { &hf_etw_buffer_context_processor_number,
786 { "Processor Number", "etw.buffer_context.processor_number",
787 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
788 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
789 },
790 { &hf_etw_buffer_context_alignment,
791 { "Alignment", "etw.buffer_context.alignment",
792 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
793 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
794 },
795 { &hf_etw_buffer_context_logger_id,
796 { "ID", "etw.buffer_context.logger_id",
797 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
798 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
799 },
800 { &hf_etw_tlv_count,
801 { "Extra Information Count", "etw.tlv_count",
802 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
803 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
804 },
805 { &hf_etw_tlv_offset,
806 { "Offset", "etw.tlv.offset",
807 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
808 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
809 },
810 { &hf_etw_tlv_length,
811 { "Length", "etw.tlv.length",
812 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
813 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
814 },
815 { &hf_etw_tlv_type,
816 { "Type", "etw.tlv.type",
817 FT_UINT32, BASE_DEC, VALS(etw_tlv_types)((0 ? (const struct _value_string*)0 : ((etw_tlv_types)))), 0,
818 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
819 },
820 { &hf_etw_properties_count,
821 { "Properties count", "etw.props_count",
822 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
823 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
824 },
825 { &hf_etw_provider_name,
826 { "Provider Name", "etw.provider_name",
827 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
828 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
829 },
830 { &hf_etw_message,
831 { "Event Message", "etw.message",
832 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
833 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
834 },
835 { &hf_etw_extended_data_count,
836 { "Extended Data Count", "etw.extended_data_count",
837 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
838 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
839 },
840 { &hf_etw_extended_data,
841 { "Extended Data", "etw.extended_data",
842 FT_NONE, BASE_NONE, NULL((void*)0), 0,
843 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
844 },
845 { &hf_etw_edata,
846 { "Extended Data Item", "etw.edata",
847 FT_NONE, BASE_NONE, NULL((void*)0), 0,
848 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
849 },
850 { &hf_etw_edata_reserved1,
851 { "Reserved1", "etw.edata.reserved1",
852 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
853 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
854 },
855 { &hf_etw_edata_exttype,
856 { "ExtType", "etw.edata.exttype",
857 FT_UINT16, BASE_DEC, VALS(etw_edata_types)((0 ? (const struct _value_string*)0 : ((etw_edata_types)))), 0,
858 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
859 },
860 { &hf_etw_edata_linkage,
861 { "Linkage", "etw.edata.linkage",
862 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
863 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
864 },
865 { &hf_etw_edata_datasize,
866 { "DataSize", "etw.edata.datasize",
867 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
868 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
869 },
870 { &hf_etw_edata_dataptr,
871 { "DataPtr", "etw.edata.dataptr",
872 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
873 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
874 },
875 { &hf_etw_edata_data,
876 { "Data", "etw.edata.data",
877 FT_NONE, BASE_NONE, NULL((void*)0), 0,
878 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
879 },
880 { &hf_etw_edata_stacktrace_matchid,
881 { "MatchId", "etw.edata.stacktrace.matchid",
882 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
883 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
884 },
885 { &hf_etw_edata_stacktrace_address,
886 { "Address", "etw.edata.stacktrace.address",
887 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
888 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
889 },
890 { &hf_etw_edata_schematl_size,
891 { "Size", "etw.edata.schematl.size",
892 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
893 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
894 },
895 { &hf_etw_edata_schematl_reserved1,
896 { "Unknown", "etw.edata.schematl.reserved1",
897 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
898 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
899 },
900 { &hf_etw_edata_schematl_name,
901 { "Event Name", "etw.edata.schematl.name",
902 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
903 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
904 },
905 { &hf_etw_edata_schematl_field,
906 { "Schema Field", "etw.edata.schematl.field",
907 FT_NONE, BASE_NONE, NULL((void*)0), 0,
908 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
909 },
910 { &hf_etw_edata_schematl_field_key,
911 { "Key", "etw.edata.schematl.field.key",
912 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
913 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
914 },
915 { &hf_etw_edata_schematl_field_flags,
916 { "Flags", "etw.edata.schematl.field.flags",
917 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
918 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
919 },
920 { &hf_etw_edata_schematl_field_type,
921 { "Type", "etw.edata.schematl.field.type",
922 FT_UINT8, BASE_DEC, VALS(etw_schematl_types)((0 ? (const struct _value_string*)0 : ((etw_schematl_types))
)), 0x1F,
923 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
924 },
925 { &hf_etw_edata_schematl_field_ccount,
926 { "Constant array count", "etw.edata.schematl.field.ccount",
927 FT_UINT8, BASE_DEC, NULL((void*)0), 0x20,
928 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
929 },
930 { &hf_etw_edata_schematl_field_vcount,
931 { "Variable array count", "etw.edata.schematl.field.vcount",
932 FT_UINT8, BASE_DEC, NULL((void*)0), 0x40,
933 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
934 },
935 { &hf_etw_edata_schematl_field_chain,
936 { "Chain", "etw.edata.schematl.field.chain",
937 FT_UINT8, BASE_DEC, NULL((void*)0), 0x80,
938 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
939 },
940 { &hf_etw_edata_traits_traitssize,
941 { "Trait size", "etw.edata.traits.traitssize",
942 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
943 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
944 },
945 { &hf_etw_edata_traits_providername,
946 { "Trait provider name", "etw.edata.traits.providername",
947 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
948 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
949 },
950 { &hf_etw_property,
951 { "Property", "etw.prop",
952 FT_NONE, BASE_NONE, NULL((void*)0), 0,
953 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
954 },
955 { &hf_etw_property_offset,
956 { "Offset", "etw.prop.offset",
957 FT_UINT32, BASE_DEC, NULL((void*)0), 0,
958 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
959 },
960 { &hf_etw_property_keylen,
961 { "Key Length", "etw.prop.keylen",
962 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
963 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
964 },
965 { &hf_etw_property_valuelen,
966 { "Value Length", "etw.prop.valuelen",
967 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
968 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
969 },
970 { &hf_etw_property_key,
971 { "Key", "etw.prop.key",
972 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
973 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
974 },
975 { &hf_etw_property_value,
976 { "Value", "etw.prop.value",
977 FT_STRINGZ, BASE_NONE, NULL((void*)0), 0,
978 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
979 },
980 { &hf_etw_user_data,
981 { "Raw User Data", "etw.user_data",
982 FT_NONE, BASE_NONE, NULL((void*)0), 0,
983 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
984 },
985 { &hf_etw_descriptor_id,
986 { "ID", "etw.descriptor.id",
987 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
988 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
989 },
990 { &hf_etw_descriptor_version,
991 { "Version", "etw.descriptor.version",
992 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
993 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
994 },
995 { &hf_etw_descriptor_channel,
996 { "Channel", "etw.descriptor.channel",
997 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
998 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
999 },
1000 { &hf_etw_descriptor_level,
1001 { "Level", "etw.descriptor.level",
1002 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1003 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1004 },
1005 { &hf_etw_descriptor_opcode,
1006 { "Opcode", "etw.descriptor.opcode",
1007 FT_UINT8, BASE_DEC, NULL((void*)0), 0,
1008 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1009 },
1010 { &hf_etw_descriptor_task,
1011 { "Task", "etw.descriptor.task",
1012 FT_UINT16, BASE_DEC, NULL((void*)0), 0,
1013 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1014 },
1015 { &hf_etw_descriptor_keywords,
1016 { "Keywords", "etw.descriptor.keywords",
1017 FT_UINT64, BASE_HEX, NULL((void*)0), 0,
1018 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1019 },
1020 { &hf_etw_processor_time,
1021 { "Processor Time", "etw.processor_time",
1022 FT_UINT64, BASE_DEC, NULL((void*)0), 0,
1023 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1024 },
1025 { &hf_etw_activity_id,
1026 { "Activity ID", "etw.activity_id",
1027 FT_GUID, BASE_NONE, NULL((void*)0), 0,
1028 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1029 },
1030 // Generated fields
1031 { &hf_etw_type,
1032 { "Event Type", "etw.type",
1033 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1034 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1035 },
1036 { &hf_etw_message_formatted,
1037 { "Message (formatted)", "etw.message_formatted",
1038 FT_STRING, BASE_NONE, NULL((void*)0), 0,
1039 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }
1040 },
1041 };
1042
1043 static int *ett[] = {
1044 &ett_etw_header,
1045 &ett_etw_data,
1046 &ett_etw_descriptor,
1047 &ett_etw_buffer_context,
1048 &ett_etw_extended_data,
1049 &ett_etw_property,
1050 &ett_etw_edata,
1051 &ett_etw_edata_data,
1052 &ett_etw_edata_schematl_schema,
1053 &ett_etw_schematl_flags,
1054 &ett_etw_header_flags,
1055 &ett_etw_event_property_types,
1056 &ett_etw_tlvs,
1057 &ett_etw_tlv,
1058 };
1059
1060 proto_etw = proto_register_protocol("Event Tracing for Windows", "ETW", "etw");
1061 proto_register_field_array(proto_etw, hf, array_length(hf)(sizeof (hf) / sizeof (hf)[0]));
1062 proto_register_subtree_array(ett, array_length(ett)(sizeof (ett) / sizeof (ett)[0]));
1063
1064 etw_handle = register_dissector("etw", dissect_etw, proto_etw);
1065}
1066
1067void
1068proto_reg_handoff_etw(void)
1069{
1070 dissector_add_uint("wtap_encap", WTAP_ENCAP_ETW212, etw_handle);
1071
1072 mbim_dissector = find_dissector("mbim.control");
1073}
1074
1075/*
1076 * Editor modelines - https://www.wireshark.org/tools/modelines.html
1077 *
1078 * Local variables:
1079 * c-basic-offset: 4
1080 * tab-width: 8
1081 * indent-tabs-mode: nil
1082 * End:
1083 *
1084 * vi: set shiftwidth=4 tabstop=8 expandtab:
1085 * :indentSize=4:tabSize=8:noTabs=true:
1086 */