aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAnthony Coddington <anthony.coddington@endace.com>2018-02-26 11:21:25 +1300
committerAnders Broman <a.broman58@gmail.com>2018-02-27 09:06:01 +0000
commit15c261e94b888b0ae4e6122fb11fba2219c932fa (patch)
tree582ff8535af33f6ab71d737d524ee0a1bfe85cda
parent21b4d6ecf1e287658565092720870f0b6aba1c15 (diff)
ERF: Add support for new extension header and Provenance tags
Add support for Entropy Extension header, currently with one field. Uses a conversion function to convert representation to bits. Add various entropy and tap mode Provenance (ERF_TYPE_META) tags. The only complex tag is ext_hdrs_added/removed. This tag consist of up to 4 big endian uint32 bitfields, with each bit representing an extension header number. ehdr_type_vals and a new ehdr_type_vals_short are used to generate the tags. Custom printing is used for the header line to display unknown values as integer and support the special case of <All>: all supplied bits 1 meaning all extension headers removed. Storage for the up to 4 subtree header_field id entries is in the first 4 extra hf_values[] for now, the ett value is reused. Increase erfmeta_tag_info_ext_t ERF_HF_VALUES_PER_TAG to 32. A better solution is needed sooner rather than later but the structure is only allocated for tags that need it. Change-Id: I9e359f044131bce2afc189bebc21239eed429b21 Reviewed-on: https://code.wireshark.org/review/26111 Petri-Dish: Alexis La Goutte <alexis.lagoutte@gmail.com> Tested-by: Petri Dish Buildbot Reviewed-by: Anders Broman <a.broman58@gmail.com>
-rw-r--r--epan/dissectors/packet-erf.c298
-rw-r--r--wiretap/erf.h27
2 files changed, 320 insertions, 5 deletions
diff --git a/epan/dissectors/packet-erf.c b/epan/dissectors/packet-erf.c
index 2ccf699634..3ba3703d4c 100644
--- a/epan/dissectors/packet-erf.c
+++ b/epan/dissectors/packet-erf.c
@@ -136,6 +136,11 @@ static int hf_erf_source_current = -1;
static int hf_erf_source_next = -1;
static int hf_erf_source_prev = -1;
+/* Entropy extension header */
+static int hf_erf_ehdr_entropy_entropy = -1;
+static int hf_erf_ehdr_entropy_entropy_raw = -1;
+static int hf_erf_ehdr_entropy_reserved = -1;
+
/* Unknown extension header */
static int hf_erf_ehdr_unk = -1;
@@ -247,6 +252,7 @@ static gint ett_erf_meta_tag = -1;
static gint ett_erf_source = -1;
static gint ett_erf_anchor = -1;
static gint ett_erf_anchor_flags = -1;
+static gint ett_erf_entropy_value = -1;
static expert_field ei_erf_extension_headers_not_shown = EI_INIT;
static expert_field ei_erf_packet_loss = EI_INIT;
@@ -434,12 +440,32 @@ static const value_string ehdr_type_vals[] = {
{ ERF_EXT_HDR_TYPE_BFS , "BFS Filter/Hash"},
{ ERF_EXT_HDR_TYPE_CHANNELISED , "Channelised"},
{ ERF_EXT_HDR_TYPE_SIGNATURE , "Signature"},
+ { ERF_EXT_HDR_TYPE_PKT_ID , "Packet ID"},
{ ERF_EXT_HDR_TYPE_FLOW_ID , "Flow ID"},
{ ERF_EXT_HDR_TYPE_HOST_ID , "Host ID"},
{ ERF_EXT_HDR_TYPE_ANCHOR_ID , "Anchor ID"},
+ { ERF_EXT_HDR_TYPE_ENTROPY , "Entropy"},
+ { 0, NULL }
+};
+
+/* Used for Provenance ext_hdrs_added/remvoed, should match the field abbreviation */
+static const value_string ehdr_type_vals_short[] = {
+ { ERF_EXT_HDR_TYPE_CLASSIFICATION , "class"},
+ { ERF_EXT_HDR_TYPE_INTERCEPTID , "int"},
+ { ERF_EXT_HDR_TYPE_RAW_LINK , "raw"},
+ { ERF_EXT_HDR_TYPE_BFS , "bfs"},
+ { ERF_EXT_HDR_TYPE_CHANNELISED , "chan"},
+ { ERF_EXT_HDR_TYPE_SIGNATURE , "signature"},
+ { ERF_EXT_HDR_TYPE_PKT_ID , "packetid"},
+ { ERF_EXT_HDR_TYPE_FLOW_ID , "flowid"},
+ { ERF_EXT_HDR_TYPE_HOST_ID , "hostid"},
+ { ERF_EXT_HDR_TYPE_ANCHOR_ID , "anchorid"},
+ { ERF_EXT_HDR_TYPE_ENTROPY , "entropy"},
{ 0, NULL }
};
+/* XXX: Must be at least array_length(ehdr_type_vals). */
+#define ERF_HF_VALUES_PER_TAG 32
static const value_string raw_link_types[] = {
{ 0x00, "raw SONET"},
@@ -576,6 +602,39 @@ static const value_string erf_clk_port_proto[] = {
{ 0, NULL }
};
+static const value_string erf_tap_mode[] = {
+ { 0x00, "Invalid" },
+ { 0x01, "Off" },
+ { 0x02, "Active" },
+ { 0x03, "Monitor" },
+ { 0x04, "Bypass" },
+ { 0x05, "Blocking" },
+ { 0, NULL }
+};
+
+static const value_string erf_tap_fail_mode[] = {
+ { 0x00, "Invalid" },
+ { 0x01, "Off" },
+ { 0x02, "Open" },
+ { 0x03, "Closed" },
+ { 0, NULL }
+};
+
+static const value_string erf_dpi_state[] = {
+ { 0x00, "Terminated"},
+ { 0x01, "Inspecting"},
+ { 0x02, "Monitoring"},
+ { 0x03, "Classified"},
+ { 0, NULL}
+};
+
+static const value_string erf_flow_state[] = {
+ { 0x00, "Active"},
+ { 0x01, "Terminated"},
+ { 0x02, "Expired"},
+ { 0, NULL}
+};
+
/* Used as templates for ERF_META_TAG_tunneling_mode */
static const header_field_info erf_tunneling_modes[] = {
{ "IP-in-IP", "ip_in_ip", FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL },
@@ -619,8 +678,24 @@ static const header_field_info erf_parent_section[] = {
{ "Section ID", "section_id", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }
};
-/* XXX: Must be at least array_length(erf_tunneling_modes). */
-#define ERF_HF_VALUES_PER_TAG 8
+/* Used as templates for ERF_META_TAG_stream_flags */
+static const header_field_info erf_stream_flags[] = {
+ { "Relative Snapping", "relative_snap", FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL },
+ { "Entropy Snapping", "entropy_snap", FT_BOOLEAN, 32, NULL, 0x2, NULL, HFILL }
+};
+
+/* Used as templates for ERF_META_TAG_ext_hdrs_added/removed subtrees */
+static const header_field_info erf_ext_hdr_items[] = {
+ { "Extension Headers 0 to 31", "0_31", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL },
+ { "Extension Headers 32 to 63", "32_63", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL },
+ { "Extension Headers 64 to 95", "64_95", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL },
+ { "Extension Headers 96 to 127", "96_127", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL }
+};
+
+/* Used as templates for ERF_META_TAG_smart_trunc_default */
+static const header_field_info erf_smart_trunc_default_flags[] = {
+ { "Truncation Candidate", "trunc_candidate", FT_BOOLEAN, 32, &tfs_yes_no, 0x1, NULL, HFILL }
+};
typedef struct {
guint16 code;
@@ -630,9 +705,12 @@ typedef struct {
typedef struct {
gint ett_value;
/*
- * XXX: Must be at least array_length(erf_tunneling_modes). Should change to
+ * XXX: Must be at least array_length(ehdr_type_vals). Should change to
* dynamic (possibly using new proto tree API) if many more fields defined.
+ * Non-trivial as bitmask functions take an array of pointers not values.
* Either that or add a value-string-like automatic bitmask flags proto_item.
+ *
+ * Note that this struct is only added for tags that need it.
*/
int hf_values[ERF_HF_VALUES_PER_TAG];
} erf_meta_tag_info_ex_t;
@@ -749,6 +827,12 @@ static const erf_meta_hf_template_t erf_meta_tags[] = {
{ ERF_META_TAG_cpu_numa_nodes, { "CPU NUMA Nodes", "cpu_numa_nodes", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_dag_attribute, { "DAG Attribute", "dag_attribute", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_dag_version, { "DAG Software Version", "dag_version", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_stream_flags, { "Stream Flags", "stream_flags", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_entropy_threshold, { "Entropy Threshold", "entropy_threshold", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_smart_trunc_default, { "Smart Truncation Default", "smart_trunc_default",FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_ext_hdrs_added, { "Extension Headers Added", "ext_hdrs_added", FT_BYTES, BASE_NO_DISPLAY_VALUE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_ext_hdrs_removed, { "Extension Headers Removed", "ext_hdrs_removed", FT_BYTES, BASE_NO_DISPLAY_VALUE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_relative_snaplen, { "Relative Snap Length", "relative_snaplen", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_if_num, { "Interface Number", "if_num", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_if_vc, { "Interface Virtual Circuit", "if_vc", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
@@ -771,6 +855,10 @@ static const erf_meta_hf_template_t erf_meta_tags[] = {
{ ERF_META_TAG_if_phy_mode, { "Interface Endace PHY Mode", "if_phy_mode", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_if_port_type, { "Interface Port Type", "if_port_type", FT_UINT32, BASE_DEC, VALS(erf_port_type), 0x0, NULL, HFILL } },
{ ERF_META_TAG_if_rx_latency, { "Interface Uncorrected RX Latency", "if_rx_latency", FT_RELATIVE_TIME, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_tap_mode, { "Tap Mode", "tap_mode", FT_UINT32, BASE_DEC, VALS(erf_tap_mode), 0x0, NULL, HFILL } },
+ { ERF_META_TAG_tap_fail_mode, { "Tap Failover Mode", "tap_fail_mode", FT_UINT32, BASE_DEC, VALS(erf_tap_fail_mode), 0x0, NULL, HFILL } },
+ { ERF_META_TAG_watchdog_expired, { "Watchdog Expired", "watchdog_expired", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_watchdog_interval, { "Watchdog Interval (ms)", "watchdog_interval", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_src_ipv4, { "Source IPv4 address", "src_ipv4", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_dest_ipv4, { "Destination IPv4 address", "dest_ipv4", FT_IPv4, BASE_NONE, NULL, 0x0, NULL, HFILL } },
@@ -791,10 +879,25 @@ static const erf_meta_hf_template_t erf_meta_tags[] = {
{ ERF_META_TAG_src_port, { "Source Port", "src_port", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_dest_port, { "Destination Port", "dest_port", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_ip_proto, { "IP Protocol", "ip_proto", FT_UINT32, BASE_DEC|BASE_EXT_STRING, &ipproto_val_ext, 0x0, NULL, HFILL } },
- { ERF_META_TAG_flow_hash, { "Flow Hash", "flow_hash", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_flow_hash, { "Flow Hash", "flow_hash", FT_UINT32, BASE_HEX, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_filter_match, { "Filter Match", "filter_match", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_filter_match_name, { "Filter Match Name", "filter_match_name", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_error_flags, { "Error Flags", "error_flags", FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_initiator_pkts, { "Initiator Packets", "initiator_pkts", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_responder_pkts, { "Responder Packets", "responder_pkts", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_initiator_bytes, { "Initiator Bytes", "initiator_bytes", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_responder_bytes, { "Responder Bytes", "responder_bytes", FT_UINT64, BASE_DEC, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_initiator_min_entropy, { "Initiator Minimum Entropy", "initiator_min_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_responder_min_entropy, { "Responder Minimum Entropy", "responder_min_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_initiator_avg_entropy, { "Initiator Average Entropy", "initiator_avg_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_responder_avg_entropy, { "Responder Average Entropy", "responder_avg_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_initiator_max_entropy, { "Initiator Maximum Entropy", "initiator_max_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_responder_max_entropy, { "Responder Maximum Entropy", "responder_max_entropy", FT_FLOAT, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_dpi_application, { "DPI Application", "dpi_application", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_dpi_confidence, { "DPI Confidence", "dpi_confidence", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_dpi_state, { "DPI State", "dpi_state", FT_UINT32, BASE_NONE, VALS(erf_dpi_state), 0x0, NULL, HFILL } },
+ { ERF_META_TAG_dpi_protocol_stack, { "DPI Protocol Stack", "dpi_protocol_stack", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL } },
+ { ERF_META_TAG_flow_state, { "Flow State", "flow_state", FT_UINT32, BASE_NONE, VALS(erf_flow_state), 0x0, NULL, HFILL } },
{ ERF_META_TAG_start_time, { "Start Time", "start_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0, NULL, HFILL } },
{ ERF_META_TAG_end_time, { "End Time", "end_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0, NULL, HFILL } },
@@ -1010,6 +1113,34 @@ init_tag_value_subfields(wmem_array_t *hfri_table, erf_meta_tag_info_t *tag_info
}
static erf_meta_tag_info_t*
+init_ext_hdrs_tag_value_subfields(wmem_array_t *hfri_table, erf_meta_tag_info_t *tag_info)
+{
+ gsize i = 0;
+ gsize num_known_ext_hdrs = array_length(ehdr_type_vals) -1 /*null terminated*/;
+ hf_register_info hfri_tmp = { NULL, { NULL, NULL, FT_BOOLEAN, 32, NULL, 0x1, NULL, HFILL } }; /* Value, will be filled from template */
+
+ DISSECTOR_ASSERT(array_length(ehdr_type_vals_short) > num_known_ext_hdrs);
+ /* XXX: this currently supports only up to 27 known extension headers */
+ DISSECTOR_ASSERT(ERF_HF_VALUES_PER_TAG > num_known_ext_hdrs - 4); /* -1 sentinel terminated */
+ /* Use the first 4 hf_values for 32-bit subtree */
+ init_tag_value_subfields(hfri_table, tag_info, erf_ext_hdr_items, array_length(erf_ext_hdr_items));
+ DISSECTOR_ASSERT(tag_info->extra);
+
+ /*Fill in the rest of the remaining 27 entries with any known tag entries values */
+ for (i = 0; i < num_known_ext_hdrs; i++) {
+ /* Add value subfield */
+ hfri_tmp.p_id = &tag_info->extra->hf_values[4+i];
+ hfri_tmp.hfinfo.bitmask = (guint64)1 << ehdr_type_vals[i].value;
+ hfri_tmp.hfinfo.name = ehdr_type_vals[i].strptr;
+ hfri_tmp.hfinfo.abbrev = wmem_strconcat(wmem_epan_scope(),
+ "erf.meta.", tag_info->section_template->hfinfo.abbrev, ".", tag_info->tag_template->hfinfo.abbrev, ".", ehdr_type_vals_short[i].strptr, NULL);
+ wmem_array_append_one(hfri_table, hfri_tmp);
+ }
+
+ return tag_info;
+}
+
+static erf_meta_tag_info_t*
init_ns_addr_tag_value_fields(wmem_array_t *hfri_table, erf_meta_tag_info_t *tag_info)
{
header_field_info ns_addr_extra_fields[] = {
@@ -1085,6 +1216,17 @@ init_tag_fields(wmem_array_t *hfri_table, wmem_array_t *ett_table, const erf_met
break;
case ERF_META_TAG_ptp_gm_clock_quality:
init_tag_value_subfields(hfri_table, tag_info, erf_ptp_clock_quality, array_length(erf_ptp_clock_quality));
+ break;
+ case ERF_META_TAG_stream_flags:
+ init_tag_value_subfields(hfri_table, tag_info, erf_stream_flags, array_length(erf_stream_flags));
+ break;
+ case ERF_META_TAG_smart_trunc_default:
+ init_tag_value_subfields(hfri_table, tag_info, erf_smart_trunc_default_flags, array_length(erf_smart_trunc_default_flags));
+ break;
+ case ERF_META_TAG_ext_hdrs_added:
+ case ERF_META_TAG_ext_hdrs_removed:
+ init_ext_hdrs_tag_value_subfields(hfri_table, tag_info);
+ break;
}
/* Add ett entries */
@@ -1632,6 +1774,36 @@ dissect_flow_id_ex_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, i
}
}
+float entropy_from_entropy_header_value(guint8 entropy_hdr_value)
+{
+ /* mapping 1-255 to 0.0-8.0 */
+ /* 255 is 8.0 */
+ /* 1 represent any value less than 2/32 */
+ /* 0 represents not calculated */
+ return (float)((entropy_hdr_value == 0)?0.0: (((float)entropy_hdr_value+1) / 32.0));
+}
+
+static void
+dissect_entropy_ex_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int idx)
+{
+ if(tree) {
+ guint64 hdr = pinfo->pseudo_header->erf.ehdr_list[idx].ehdr;
+ guint8 entropy_hdr_value = (guint8)((hdr >> 48) & 0xFF);
+ float entropy;
+ proto_item *pi;
+ proto_tree *entropy_value_tree;
+
+ entropy = entropy_from_entropy_header_value(entropy_hdr_value);
+
+ pi = proto_tree_add_float_format_value(tree, hf_erf_ehdr_entropy_entropy, tvb, 0, 0, entropy,
+ "%.2f %s", entropy, entropy == 0.0 ? "(not calculated)":"bits");
+ entropy_value_tree = proto_item_add_subtree(pi, ett_erf_entropy_value);
+ proto_tree_add_uint(entropy_value_tree, hf_erf_ehdr_entropy_entropy_raw, tvb, 0, 0, entropy_hdr_value);
+
+ proto_tree_add_uint64(tree, hf_erf_ehdr_entropy_reserved, tvb, 0, 0, (hdr & 0xFFFFFFFFFFFF));
+ }
+}
+
static guint64
find_host_id(packet_info *pinfo, gboolean *has_anchor_definition) {
guint64 hdr;
@@ -2153,6 +2325,9 @@ dissect_erf_pseudo_extension_header(tvbuff_t *tvb, packet_info *pinfo, proto_tre
}
dissect_host_anchor_id(tvb, pinfo, tree, host_id, hdr & ERF_EHDR_ANCHOR_ID_MASK, (guint8)(hdr >> 48));
break;
+ case ERF_EXT_HDR_TYPE_ENTROPY:
+ dissect_entropy_ex_header(tvb, pinfo, ehdr_tree, i);
+ break;
default:
dissect_unknown_ex_header(tvb, pinfo, ehdr_tree, i);
break;
@@ -2250,6 +2425,77 @@ dissect_meta_tag_bitfield(proto_item *section_tree, tvbuff_t *tvb, int offset, e
return tag_pi;
}
+static proto_item*
+dissect_meta_tag_ext_hdrs(proto_item *section_tree, tvbuff_t *tvb, int offset, gint taglength, erf_meta_tag_info_t *tag_info, proto_item **out_tag_tree, expert_field **out_truncated_expert)
+{
+ proto_item *tag_pi = NULL;
+ proto_tree *subtree = NULL;
+ proto_item *subtree_pi = NULL;
+ int i;
+ guint32 ext_hdrs[4] = {0, 0, 0, 0};
+ int int_offset = 0;
+ int int_avail = MIN(taglength / 4, 4);;
+ int bit_offset = 0;
+ int ext_hdr_num = 0;
+ gboolean first = TRUE;
+ gboolean all_set = TRUE;
+
+ DISSECTOR_ASSERT(tag_info->extra);
+
+ tag_pi = proto_tree_add_item(section_tree, tag_info->hf_value, tvb, offset + 4, taglength, ENC_BIG_ENDIAN);
+ *out_tag_tree = proto_item_add_subtree(tag_pi, tag_info->ett);
+
+ for (int_offset = 0; int_offset < int_avail; int_offset++) {
+ ext_hdrs[int_offset] = tvb_get_guint32(tvb, offset + 4 + int_offset*4, ENC_BIG_ENDIAN);
+ if (ext_hdrs[int_offset] != G_MAXUINT32)
+ all_set = FALSE;
+ }
+
+ /* Special case: all specified bits are 1 means all extension headers */
+ if (all_set)
+ proto_item_append_text(tag_pi, ": <All>");
+
+ /* Add 4 subtrees, one for each uint32 representing 32 extension header numbers */
+ for (int_offset = 0; int_offset < int_avail; int_offset++) {
+ /* TODO: Put subtree hf values somewhere better than first 4 hf_values */
+ subtree_pi = proto_tree_add_item(*out_tag_tree, tag_info->extra->hf_values[int_offset], tvb, offset + 4 + int_offset*4, 4, ENC_BIG_ENDIAN);
+
+ /* Add the individual bit dissections */
+ /* XXX: This currently assumes we only know up to the first 32 */
+ if (int_offset == 0) {
+ subtree = proto_item_add_subtree(subtree_pi, tag_info->ett);
+ for (i = 4; tag_info->extra->hf_values[i] != -1; i++) {
+ proto_tree_add_boolean(subtree, tag_info->extra->hf_values[i], tvb, offset + 4 + int_offset*4, 4, ext_hdrs[int_offset]);
+ }
+ }
+
+ /* Add all set bits to the header, including the ones we don't understand */
+ for (bit_offset = 0; bit_offset < 32; bit_offset++) {
+ if (ext_hdrs[int_offset] & (1 << bit_offset)) {
+ proto_item_append_text(subtree_pi, ", %s", val_to_str(ext_hdr_num, ehdr_type_vals, "%d"));
+
+ /* Also add to the top level */
+ if (!all_set)
+ proto_item_append_text(tag_pi, "%s %s", first ? ":" : ",", val_to_str(ext_hdr_num, ehdr_type_vals, "%d"));
+
+ first = FALSE;
+ }
+
+ ext_hdr_num++;
+ }
+ }
+
+ if (first)
+ proto_item_append_text(tag_pi, ": <None>");
+
+ /* Check for truncated tag (i.e. last uint32 is partial) */
+ if (int_avail < 4 && taglength % 4 != 0) {
+ *out_truncated_expert = &ei_erf_meta_truncated_tag;
+ }
+
+ return tag_pi;
+}
+
static void erf_ts_to_nstime(guint64 timestamp, nstime_t* t, gboolean is_relative) {
guint64 ts = timestamp;
@@ -2355,6 +2601,12 @@ meta_tag_expected_length(erf_meta_tag_info_t *tag_info) {
/* 16-byte WWNs */
expected_length = 16;
break;
+
+ case ERF_META_TAG_ext_hdrs_added:
+ case ERF_META_TAG_ext_hdrs_removed:
+ /* 1 to 4 uint32 fields */
+ expected_length = 4;
+ break;
}
return expected_length;
@@ -2572,6 +2824,8 @@ dissect_meta_record_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
case ERF_META_TAG_tunneling_mode:
case ERF_META_TAG_ptp_time_properties:
case ERF_META_TAG_ptp_gm_clock_quality:
+ case ERF_META_TAG_stream_flags:
+ case ERF_META_TAG_smart_trunc_default:
tag_pi = dissect_meta_tag_bitfield(section_tree, tvb, offset, tag_info, &tag_tree);
break;
@@ -2626,6 +2880,28 @@ dissect_meta_record_tags(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree) {
break;
}
+ case ERF_META_TAG_entropy_threshold:
+ case ERF_META_TAG_initiator_min_entropy:
+ case ERF_META_TAG_responder_min_entropy:
+ case ERF_META_TAG_initiator_avg_entropy:
+ case ERF_META_TAG_responder_avg_entropy:
+ case ERF_META_TAG_initiator_max_entropy:
+ case ERF_META_TAG_responder_max_entropy:
+ {
+ float entropy;
+ value32 = tvb_get_ntohl(tvb, offset + 4);
+ entropy = entropy_from_entropy_header_value(value32);
+
+ tag_pi = proto_tree_add_float_format_value(section_tree, tag_info->hf_value, tvb, 0, 0, entropy,
+ "%.2f %s", entropy, entropy == 0.0 ? "(not calculated)":"bits");
+ break;
+ }
+
+ case ERF_META_TAG_ext_hdrs_added:
+ case ERF_META_TAG_ext_hdrs_removed:
+ tag_pi = dissect_meta_tag_ext_hdrs(section_tree, tvb, offset, taglength, tag_info, &tag_tree, &truncated_expert);
+ break;
+
default:
dissected = FALSE;
break;
@@ -3228,6 +3504,17 @@ proto_register_erf(void)
{ "Previous Metadata in Source", "erf.source_meta_frame_prev",
FT_FRAMENUM, BASE_NONE, NULL, 0, NULL, HFILL } },
+ /* Entropy Extension Header */
+ { &hf_erf_ehdr_entropy_entropy,
+ { "Entropy", "erf.ehdr.entropy.entropy",
+ FT_FLOAT, BASE_NONE, NULL, 0, NULL, HFILL} },
+ { &hf_erf_ehdr_entropy_entropy_raw,
+ { "Raw Entropy", "erf.ehdr.entropy.entropy.raw",
+ FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL} },
+ { &hf_erf_ehdr_entropy_reserved,
+ { "Reserved", "erf.ehdr.entropy.rsvd",
+ FT_UINT48, BASE_HEX, NULL, 0, NULL, HFILL} },
+
/* Unknown Extension Header */
{ &hf_erf_ehdr_unk,
{ "Data", "erf.ehdr.unknown.data",
@@ -3485,7 +3772,8 @@ proto_register_erf(void)
&ett_erf_meta_tag,
&ett_erf_source,
&ett_erf_anchor,
- &ett_erf_anchor_flags
+ &ett_erf_anchor_flags,
+ &ett_erf_entropy_value
};
static const enum_val_t erf_hdlc_options[] = {
diff --git a/wiretap/erf.h b/wiretap/erf.h
index 271e2156d4..8da7d00d08 100644
--- a/wiretap/erf.h
+++ b/wiretap/erf.h
@@ -101,9 +101,11 @@
#define ERF_EXT_HDR_TYPE_BFS 6
#define ERF_EXT_HDR_TYPE_CHANNELISED 12
#define ERF_EXT_HDR_TYPE_SIGNATURE 14
+#define ERF_EXT_HDR_TYPE_PKT_ID 15
#define ERF_EXT_HDR_TYPE_FLOW_ID 16
#define ERF_EXT_HDR_TYPE_HOST_ID 17
#define ERF_EXT_HDR_TYPE_ANCHOR_ID 18
+#define ERF_EXT_HDR_TYPE_ENTROPY 19
/* Host ID and Anchor ID*/
#define ERF_EHDR_HOST_ID_MASK G_GUINT64_CONSTANT(0xffffffffffff)
@@ -188,6 +190,12 @@
#define ERF_META_TAG_cpu_numa_nodes 51
#define ERF_META_TAG_dag_attribute 52
#define ERF_META_TAG_dag_version 53
+#define ERF_META_TAG_stream_flags 54
+#define ERF_META_TAG_entropy_threshold 55
+#define ERF_META_TAG_smart_trunc_default 56
+#define ERF_META_TAG_ext_hdrs_added 57
+#define ERF_META_TAG_ext_hdrs_removed 58
+#define ERF_META_TAG_relative_snaplen 59
#define ERF_META_TAG_if_num 64
#define ERF_META_TAG_if_vc 65
@@ -210,6 +218,10 @@
#define ERF_META_TAG_if_phy_mode 82
#define ERF_META_TAG_if_port_type 83
#define ERF_META_TAG_if_rx_latency 84
+#define ERF_META_TAG_tap_mode 85
+#define ERF_META_TAG_tap_fail_mode 86
+#define ERF_META_TAG_watchdog_expired 87
+#define ERF_META_TAG_watchdog_interval 88
#define ERF_META_TAG_src_ipv4 128
#define ERF_META_TAG_dest_ipv4 129
@@ -234,6 +246,21 @@
#define ERF_META_TAG_filter_match 148
#define ERF_META_TAG_filter_match_name 149
#define ERF_META_TAG_error_flags 150
+#define ERF_META_TAG_initiator_pkts 151
+#define ERF_META_TAG_responder_pkts 152
+#define ERF_META_TAG_initiator_bytes 153
+#define ERF_META_TAG_responder_bytes 154
+#define ERF_META_TAG_initiator_min_entropy 155
+#define ERF_META_TAG_responder_min_entropy 156
+#define ERF_META_TAG_initiator_avg_entropy 157
+#define ERF_META_TAG_responder_avg_entropy 158
+#define ERF_META_TAG_initiator_max_entropy 159
+#define ERF_META_TAG_responder_max_entropy 160
+#define ERF_META_TAG_dpi_application 161
+#define ERF_META_TAG_dpi_confidence 162
+#define ERF_META_TAG_dpi_state 163
+#define ERF_META_TAG_dpi_protocol_stack 164
+#define ERF_META_TAG_flow_state 165
#define ERF_META_TAG_start_time 193
#define ERF_META_TAG_end_time 194