Wireshark 4.7.0
The Wireshark network protocol analyzer
Loading...
Searching...
No Matches
sinsp-span.h
1/* sinsp-span.h
2 *
3 * By Gerald Combs
4 * Copyright (C) 2022 Sysdig, Inc.
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <[email protected]>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13#ifndef __SINSP_SPAN_H__
14#define __SINSP_SPAN_H__
15
16#include <stdint.h>
17
18#include <epan/ftypes/ftypes.h>
19#include <wsutil/wmem/wmem.h>
20
21#ifdef __cplusplus
22extern "C" {
23#endif // __cplusplus
24
25#define FALCO_FIELD_NAME_PREFIX "falco."
26
27#define N_PROC_LINEAGE_ENTRIES 16
28#define N_PROC_LINEAGE_ENTRY_FIELDS 4
29
30typedef struct sinsp_source_info_t sinsp_source_info_t;
31typedef struct sinsp_span_t sinsp_span_t;
32
36typedef enum sinsp_field_display_format_e {
37 SFDF_UNKNOWN,
38 SFDF_DECIMAL,
39 SFDF_HEXADECIMAL,
40 SFDF_OCTAL
41} sinsp_field_display_format_e;
42
43
49typedef enum sinsp_syscall_category_e {
50 SSC_EVENT,
51 SSC_EVTARGS,
52 SSC_PROCESS,
53 SSC_PROCLINEAGE,
54 SSC_USER,
55 SSC_GROUP,
56 SSC_CONTAINER,
57 SSC_FD,
58 SSC_FS,
59/* SSC_SYSLOG, */
60 SSC_FDLIST,
61 SSC_OTHER,
62 NUM_SINSP_SYSCALL_CATEGORIES
63} sinsp_syscall_category_e;
64
65
69typedef struct sinsp_field_info_t {
70 enum ftenum type;
71 sinsp_field_display_format_e display_format;
72 char abbrev[64];
73 char display[64];
74 char description[1024];
75 bool skip;
76 bool is_info;
77 bool is_conversation;
78 bool is_numeric_address;
79} sinsp_field_info_t;
80
81
83#define SFE_SMALL_BUF_SIZE 8
84
92typedef struct sinsp_field_extract_t {
94 union {
95 uint8_t *bytes;
96 const char *str;
97 int32_t i32;
98 int64_t i64;
99 uint32_t u32;
100 uint64_t u64;
101 double dbl;
102 bool boolean;
103 char small_str[SFE_SMALL_BUF_SIZE];
104 uint8_t small_bytes[SFE_SMALL_BUF_SIZE];
105 } res;
106 int res_len;
107 uint16_t field_idx;
108} sinsp_field_extract_t;
109
110
115#define PLUGIN_EVENT_HEADER_SIZE (26 + 4 + 4 + 4)
116
124typedef struct plugin_field_extract_t {
125 uint32_t field_id;
126 const char *field_name;
127 enum ftenum type;
128 bool is_present;
129 bool is_generated;
132 union {
133 uint8_t *bytes;
134 const char *str;
135 int32_t i32;
136 int64_t i64;
137 uint32_t u32;
138 uint64_t u64;
139 double dbl;
140 uint8_t ipv6[16];
141 bool boolean;
142 } res;
143 int data_start;
144 int data_length;
145} plugin_field_extract_t;
146
154sinsp_span_t *create_sinsp_span(void);
155
161void destroy_sinsp_span(sinsp_span_t *sinsp_span);
162
163// Common routines
170uint32_t get_sinsp_source_id(sinsp_source_info_t *ssi);
171
179const char *get_sinsp_source_last_error(sinsp_source_info_t *ssi);
180
187const char *get_sinsp_source_name(sinsp_source_info_t *ssi);
188
195const char *get_sinsp_source_description(sinsp_source_info_t *ssi);
196
205bool get_sinsp_source_field_info(sinsp_source_info_t *ssi, size_t field_num, sinsp_field_info_t *field);
206
207// libsinsp builtin syscall routines.
208
215void create_sinsp_syscall_source(sinsp_span_t *sinsp_span, sinsp_source_info_t **ssi_ptr);
216
225void open_sinsp_capture(sinsp_span_t *sinsp_span, const char *filepath);
226
227//uint32_t process_syscall_capture(sinsp_span_t * sinsp_span, sinsp_source_info_t *ssi, uint32_t to_event);
228
234void close_sinsp_capture(sinsp_span_t *sinsp_span);
235
247bool extract_syscall_source_fields(sinsp_span_t *sinsp_span, sinsp_source_info_t *ssi, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sisnp_evt_info);
248
256sinsp_syscall_category_e get_syscall_parent_category(sinsp_source_info_t *ssi, size_t field_check_idx);
257
277bool get_extracted_syscall_source_fields(sinsp_span_t *sinsp_span, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sinsp_evt_info);
278
286char* get_evt_arg_name(void* sinsp_evt_info, uint32_t arg_num);
287
294bool evt_creates_fd(void* sinsp_evt_info);
295
296// Extractor plugin routines.
297// These roughly match common_plugin_info
298
307char *create_sinsp_plugin_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_info_t **ssi_ptr);
308
315size_t get_sinsp_source_nfields(sinsp_source_info_t *ssi);
316
332bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num, const uint8_t *evt_data, uint32_t evt_datalen, wmem_allocator_t *pool, plugin_field_extract_t *sinsp_fields, uint32_t sinsp_field_len);
333
334
335#ifdef __cplusplus
336}
337#endif // __cplusplus
338
339#endif // __SINSP_SPAN_H__
ftenum
ftenum
Fundamental field value types used throughout the Wireshark dissector framework.
Definition ftypes.h:26
_wmem_allocator_t
Internal memory allocator interface used by the wmem subsystem.
Definition wmem_allocator.h:34
plugin_field_extract_t
Holds a single field extraction request/result for a plugin event.
Definition sinsp-span.h:124
plugin_field_extract_t::boolean
bool boolean
Definition sinsp-span.h:141
plugin_field_extract_t::str
const char * str
Definition sinsp-span.h:134
plugin_field_extract_t::ipv6
uint8_t ipv6[16]
Definition sinsp-span.h:140
plugin_field_extract_t::bytes
uint8_t * bytes
Definition sinsp-span.h:133
plugin_field_extract_t::field_name
const char * field_name
Definition sinsp-span.h:126
plugin_field_extract_t::type
enum ftenum type
Definition sinsp-span.h:127
plugin_field_extract_t::dbl
double dbl
Definition sinsp-span.h:139
plugin_field_extract_t::u32
uint32_t u32
Definition sinsp-span.h:137
plugin_field_extract_t::i32
int32_t i32
Definition sinsp-span.h:135
plugin_field_extract_t::field_id
uint32_t field_id
Definition sinsp-span.h:125
plugin_field_extract_t::res
union plugin_field_extract_t::@560 res
Extracted value; the active member is determined by type.
plugin_field_extract_t::is_generated
bool is_generated
Definition sinsp-span.h:129
plugin_field_extract_t::is_present
bool is_present
Definition sinsp-span.h:128
plugin_field_extract_t::u64
uint64_t u64
Definition sinsp-span.h:138
plugin_field_extract_t::i64
int64_t i64
Definition sinsp-span.h:136
plugin_field_extract_t::data_length
int data_length
Definition sinsp-span.h:144
plugin_field_extract_t::data_start
int data_start
Definition sinsp-span.h:143
sinsp_field_extract_t
Holds a single extracted field value from a sinsp syscall event.
Definition sinsp-span.h:92
sinsp_field_extract_t::small_str
char small_str[8]
Definition sinsp-span.h:103
sinsp_field_extract_t::boolean
bool boolean
Definition sinsp-span.h:102
sinsp_field_extract_t::res_len
int res_len
Definition sinsp-span.h:106
sinsp_field_extract_t::str
const char * str
Definition sinsp-span.h:96
sinsp_field_extract_t::u64
uint64_t u64
Definition sinsp-span.h:100
sinsp_field_extract_t::i32
int32_t i32
Definition sinsp-span.h:97
sinsp_field_extract_t::u32
uint32_t u32
Definition sinsp-span.h:99
sinsp_field_extract_t::bytes
uint8_t * bytes
Definition sinsp-span.h:95
sinsp_field_extract_t::dbl
double dbl
Definition sinsp-span.h:101
sinsp_field_extract_t::small_bytes
uint8_t small_bytes[8]
Definition sinsp-span.h:104
sinsp_field_extract_t::field_idx
uint16_t field_idx
Definition sinsp-span.h:107
sinsp_field_extract_t::res
union sinsp_field_extract_t::@559 res
Extracted value; the active member depends on the field type.
sinsp_field_extract_t::i64
int64_t i64
Definition sinsp-span.h:98
sinsp_field_info_t
Metadata describing a single sinsp filter/display field.
Definition sinsp-span.h:69
sinsp_field_info_t::type
enum ftenum type
Definition sinsp-span.h:70
sinsp_field_info_t::is_info
bool is_info
Definition sinsp-span.h:76
sinsp_field_info_t::is_conversation
bool is_conversation
Definition sinsp-span.h:77
sinsp_field_info_t::display
char display[64]
Definition sinsp-span.h:73
sinsp_field_info_t::display_format
sinsp_field_display_format_e display_format
Definition sinsp-span.h:71
sinsp_field_info_t::abbrev
char abbrev[64]
Definition sinsp-span.h:72
sinsp_field_info_t::description
char description[1024]
Definition sinsp-span.h:74
sinsp_field_info_t::skip
bool skip
Definition sinsp-span.h:75
sinsp_field_info_t::is_numeric_address
bool is_numeric_address
Definition sinsp-span.h:78
sinsp_source_info_t
Definition sinsp-span.cpp:52
sinsp_span_t
Definition sinsp-span.cpp:71
Generated by doxygen 1.9.8