Wireshark 4.7.0
The Wireshark network protocol analyzer
Loading...
Searching...
No Matches
sinsp-span.h
1/* sinsp-span.h
2 *
3 * By Gerald Combs
4 * Copyright (C) 2022 Sysdig, Inc.
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <[email protected]>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13#ifndef __SINSP_SPAN_H__
14#define __SINSP_SPAN_H__
15
16#include <stdint.h>
17
18#include <epan/ftypes/ftypes.h>
19#include <wsutil/wmem/wmem.h>
20
21#ifdef __cplusplus
22extern "C" {
23#endif // __cplusplus
24
25#define FALCO_FIELD_NAME_PREFIX "falco."
26
27#define N_PROC_LINEAGE_ENTRIES 16
28#define N_PROC_LINEAGE_ENTRY_FIELDS 4
29
30typedef struct sinsp_source_info_t sinsp_source_info_t;
31typedef struct sinsp_span_t sinsp_span_t;
32
33typedef enum sinsp_field_display_format_e {
34 SFDF_UNKNOWN,
35 SFDF_DECIMAL,
36 SFDF_HEXADECIMAL,
37 SFDF_OCTAL
38} sinsp_field_display_format_e;
39
40// Should match sinsp_filter_check_list in libsinsp as closely as possible.
41
42typedef enum sinsp_syscall_category_e {
43 SSC_EVENT, // gen_event, event
44 SSC_EVTARGS, // event arguments
45 SSC_PROCESS, // thread
46 SSC_PROCLINEAGE, // process lineage
47 SSC_USER, // user
48 SSC_GROUP, // group
49 SSC_CONTAINER, // container
50 SSC_FD, // fd
51 SSC_FS, // fs.path
52// SSC_SYSLOG, // syslog. Collides with syslog dissector so skip for now.
53 SSC_FDLIST, // fdlist
54 SSC_OTHER, // "falco.", catch-all
55 NUM_SINSP_SYSCALL_CATEGORIES
56} sinsp_syscall_category_e;
57
58typedef struct sinsp_field_info_t {
59 enum ftenum type;
60 sinsp_field_display_format_e display_format;
61 char abbrev[64]; // filter name
62 char display[64]; // display name
63 char description[1024];
64 bool skip; // Fields that we don't handle, e.g. lists and tables
65 bool is_info;
66 bool is_conversation;
67 bool is_numeric_address;
68} sinsp_field_info_t;
69
70#define SFE_SMALL_BUF_SIZE 8
71typedef struct sinsp_field_extract_t {
72 union {
73 uint8_t *bytes;
74 const char *str;
75 int32_t i32;
76 int64_t i64;
77 uint32_t u32;
78 uint64_t u64;
79 double dbl;
80 bool boolean;
81 char small_str[SFE_SMALL_BUF_SIZE];
82 uint8_t small_bytes[SFE_SMALL_BUF_SIZE];
83 } res;
84 int res_len; // out
85 uint16_t field_idx; // out for syscalls
86} sinsp_field_extract_t;
87
88#define PLUGIN_EVENT_HEADER_SIZE (26 + 4 + 4 + 4) // sizeof(ss_plugin_event) + plugin ID length + data length + plugin ID
89typedef struct plugin_field_extract_t {
90 uint32_t field_id; // out for syscalls, in for plugins
91 const char *field_name; // in
92 enum ftenum type; // in, out
93 bool is_present; // out
94 bool is_generated; // out
95 union {
96 uint8_t *bytes;
97 const char *str;
98 int32_t i32;
99 int64_t i64;
100 uint32_t u32;
101 uint64_t u64;
102 double dbl;
103 uint8_t ipv6[16];
104 bool boolean;
105 } res;
106 int res_len; // out
107 int data_start; // out
108 int data_length; // out
109// sinsp_syscall_category_e parent_category; // out
110} plugin_field_extract_t;
111
112sinsp_span_t *create_sinsp_span(void);
113void destroy_sinsp_span(sinsp_span_t *sinsp_span);
114
115// Common routines
116uint32_t get_sinsp_source_id(sinsp_source_info_t *ssi);
117const char *get_sinsp_source_last_error(sinsp_source_info_t *ssi);
118const char *get_sinsp_source_name(sinsp_source_info_t *ssi);
119const char* get_sinsp_source_description(sinsp_source_info_t *ssi);
120bool get_sinsp_source_field_info(sinsp_source_info_t *ssi, size_t field_num, sinsp_field_info_t *field);
121
122// libsinsp builtin syscall routines.
123void create_sinsp_syscall_source(sinsp_span_t *sinsp_span, sinsp_source_info_t **ssi_ptr);
124void open_sinsp_capture(sinsp_span_t *sinsp_span, const char *filepath);
125//uint32_t process_syscall_capture(sinsp_span_t * sinsp_span, sinsp_source_info_t *ssi, uint32_t to_event);
126void close_sinsp_capture(sinsp_span_t *sinsp_span);
127bool extract_syscall_source_fields(sinsp_span_t *sinsp_span, sinsp_source_info_t *ssi, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sisnp_evt_info);
128sinsp_syscall_category_e get_syscall_parent_category(sinsp_source_info_t *ssi, size_t field_check_idx);
129bool get_extracted_syscall_source_fields(sinsp_span_t *sinsp_span, uint32_t frame_num, sinsp_field_extract_t **sinsp_fields, uint32_t *sinsp_field_len, void** sinsp_evt_info);
130char* get_evt_arg_name(void* sinsp_evt_info, uint32_t arg_num);
131bool evt_creates_fd(void* sinsp_evt_info);
132
133// Extractor plugin routines.
134// These roughly match common_plugin_info
135char *create_sinsp_plugin_source(sinsp_span_t *sinsp_span, const char* libname, sinsp_source_info_t **ssi_ptr);
136size_t get_sinsp_source_nfields(sinsp_source_info_t *ssi);
137bool extract_plugin_source_fields(sinsp_source_info_t *ssi, uint32_t event_num, uint8_t *evt_data, uint32_t evt_datalen, wmem_allocator_t *pool, plugin_field_extract_t *sinsp_fields, uint32_t sinsp_field_len);
138
139
140#ifdef __cplusplus
141}
142#endif // __cplusplus
143
144#endif // __SINSP_SPAN_H__
_wmem_allocator_t
Definition wmem_allocator.h:27
plugin_field_extract_t
Definition sinsp-span.h:89
sinsp_field_extract_t
Definition sinsp-span.h:71
sinsp_field_info_t
Definition sinsp-span.h:58
sinsp_source_info_t
Definition sinsp-span.cpp:52
sinsp_span_t
Definition sinsp-span.cpp:71
Generated by doxygen 1.9.8