-rw-r--r-- | epan/CMakeLists.txt | 1 | ||||
-rw-r--r-- | epan/dissectors/Makefile.common | 1 | ||||
-rw-r--r-- | epan/dissectors/packet-sysdig-event.c | 2207 | ||||
-rw-r--r-- | tools/Makefile.am | 1 | ||||
-rwxr-xr-x | tools/generate-sysdig-event.py | 345 | ||||
-rw-r--r-- | wiretap/pcapng.c | 118 | ||||
-rw-r--r-- | wiretap/pcapng_module.h | 2 | ||||
-rw-r--r-- | wiretap/wtap.h | 15 |
8 files changed, 2685 insertions, 5 deletions
diff --git a/epan/CMakeLists.txt b/epan/CMakeLists.txt
index 0bc9478e35..467d73ed50 100644
--- a/epan/CMakeLists.txt
+++ b/epan/CMakeLists.txt
@@ -1321,6 +1321,7 @@ set(DISSECTOR_SRC
 dissectors/packet-sync.c
 dissectors/packet-synergy.c
 dissectors/packet-synphasor.c
+ dissectors/packet-sysdig-event.c
 dissectors/packet-sysex.c
 dissectors/packet-syslog.c
 dissectors/packet-t30.c
diff --git a/epan/dissectors/Makefile.common b/epan/dissectors/Makefile.common
index 491613fc58..008122ae74 100644
--- a/epan/dissectors/Makefile.common
+++ b/epan/dissectors/Makefile.common
@@ -187,6 +187,7 @@ ASN1_DISSECTOR_SRC = \
 packet-smrse.c \
 packet-spnego.c \
 packet-sv.c \
+ packet-sysdig-event.c \
 packet-sysex.c \
 packet-t124.c \
 packet-t125.c \
diff --git a/epan/dissectors/packet-sysdig-event.c b/epan/dissectors/packet-sysdig-event.c
new file mode 100644
index 0000000000..8c0d454c87
--- /dev/null
+++ b/epan/dissectors/packet-sysdig-event.c
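Review bot: The Makefile.common entry appears to land in the ASN.1 dissector list while the CMake entry lands in DISSECTOR_SRC: the hunk context line `ASN1_DISSECTOR_SRC = \` together with the neighbours packet-smrse.c, packet-spnego.c and packet-sv.c suggests the added `packet-sysdig-event.c \` line sits inside ASN1_DISSECTOR_SRC, whereas the CMakeLists.txt hunk adds the same file to DISSECTOR_SRC between packet-synphasor.c and packet-sysex.c. packet-sysdig-event.c is a hand-written dissector with sections produced by tools/generate-sysdig-event.py, not an asn2wrs-generated one, so the two build systems disagree about where it belongs, and any rule or check that is specific to the ASN.1 list would presumably treat it incorrectly. If the hunk header's context is accurate, move the line into DISSECTOR_SRC in Makefile.common at the same alphabetical position as in CMake, i.e. after `packet-synphasor.c \` and before `packet-sysex.c \`.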
@@ -0,0 +1,2207 @@
+/* EDIT WITH CARE.
+ * Many sections of this file were automatically generated.
+ */
+
+/* packet-sysdig-event.c
+ * Routines for Sysdig event dissection
+ * http://www.sysdig.org/
+ * Copyright 2015, Gerald Combs <gerald@wireshark.org>
+ *
+ * Wireshark - Network traffic analyzer
+ * By Gerald Combs <gerald@wireshark.org>
+ * Copyright 1998 Gerald Combs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+/*
+ * Sysdig is a tool that captures and analyzes system state.
+ * This dissects pcap-ng Sysdig Event Blocks (0x00000204), which contains
+ * a system call entry or exit along with its associated parameters.
+ */
+
+/*
+ * To do:
+ * - Event with flags (0x00000208).
+ * - Enter/exit delay.
+ * - Most of this could be automatically generated from the Sysdig sources.
+ * - Alternatively we could modify Sysdig to dump its internal tables and
+ * generate a dissector from that output.
+ * - Generate the column info table.
+ * - Pull metainformation (processes, users, etc) into hash tables.
+ */ + +#include <config.h> + +#include <epan/packet.h> +#include <epan/strutil.h> + +#include <wiretap/wtap.h> +/* #include <epan/expert.h> */ +/* #include <epan/prefs.h> */ + +/* Prototypes */ +void proto_reg_handoff_sysdig_event(void); +void proto_register_sysdig_event(void); + +/* Initialize the protocol and registered fields */ +static int proto_sysdig_event = -1; +/* Add byte order? */ +static int hf_se_cpu_id = -1; +static int hf_se_thread_id = -1; +static int hf_se_event_length = -1; +static int hf_se_event_type = -1; + +static int hf_se_param_lens = -1; +static int hf_se_param_len = -1; + +/* Name+type */ +/* Header fields. Automatically generated by tools/generate-sysdig-event.py */ +static int hf_param_ID_bytes = -1; +static int hf_param_action_uint32 = -1; +static int hf_param_addr_bytes = -1; +static int hf_param_addr_uint64 = -1; +static int hf_param_args_string = -1; +static int hf_param_argument_uint64 = -1; +static int hf_param_backlog_uint32 = -1; +static int hf_param_cgroups_bytes = -1; +static int hf_param_clockid_uint8 = -1; +static int hf_param_cmd_bytes = -1; +static int hf_param_comm_string = -1; +static int hf_param_cpu_sys_uint64 = -1; +static int hf_param_cpu_uint32 = -1; +static int hf_param_cpu_usr_uint64 = -1; +static int hf_param_cur_int64 = -1; +static int hf_param_cwd_string = -1; +static int hf_param_data_bytes = -1; +static int hf_param_dev_string = -1; +static int hf_param_dir_string = -1; +static int hf_param_dirfd_int64 = -1; +static int hf_param_domain_bytes = -1; +static int hf_param_dpid_bytes = -1; +static int hf_param_dqb_bhardlimit_uint64 = -1; +static int hf_param_dqb_bsoftlimit_uint64 = -1; +static int hf_param_dqb_btime_bytes = -1; +static int hf_param_dqb_curspace_uint64 = -1; +static int hf_param_dqb_ihardlimit_uint64 = -1; +static int hf_param_dqb_isoftlimit_uint64 = -1; +static int hf_param_dqb_itime_bytes = -1; +static int hf_param_dqi_bgrace_bytes = -1; +static int hf_param_dqi_flags_bytes = -1; +static int 
hf_param_dqi_igrace_bytes = -1; +static int hf_param_egid_bytes = -1; +static int hf_param_env_string = -1; +static int hf_param_euid_bytes = -1; +static int hf_param_event_data_uint64 = -1; +static int hf_param_event_type_uint32 = -1; +static int hf_param_exe_string = -1; +static int hf_param_fd1_int64 = -1; +static int hf_param_fd2_int64 = -1; +static int hf_param_fd_in_int64 = -1; +static int hf_param_fd_int64 = -1; +static int hf_param_fd_out_int64 = -1; +static int hf_param_fdlimit_int64 = -1; +static int hf_param_fdlimit_uint64 = -1; +static int hf_param_fds_bytes = -1; +static int hf_param_flags_bytes = -1; +static int hf_param_flags_uint32 = -1; +static int hf_param_gid_bytes = -1; +static int hf_param_gid_uint32 = -1; +static int hf_param_how_bytes = -1; +static int hf_param_id_string = -1; +static int hf_param_id_uint32 = -1; +static int hf_param_image_string = -1; +static int hf_param_in_fd_int64 = -1; +static int hf_param_initval_uint64 = -1; +static int hf_param_ino_uint64 = -1; +static int hf_param_interval_bytes = -1; +static int hf_param_length_uint64 = -1; +static int hf_param_linkdirfd_int64 = -1; +static int hf_param_linkpath_string = -1; +static int hf_param_mask_uint32 = -1; +static int hf_param_max_int64 = -1; +static int hf_param_maxevents_bytes = -1; +static int hf_param_mode_uint32 = -1; +static int hf_param_name_string = -1; +static int hf_param_nativeID_uint16 = -1; +static int hf_param_newcur_int64 = -1; +static int hf_param_newdir_int64 = -1; +static int hf_param_newdirfd_int64 = -1; +static int hf_param_newmax_int64 = -1; +static int hf_param_newpath_string = -1; +static int hf_param_next_bytes = -1; +static int hf_param_nsops_uint32 = -1; +static int hf_param_nstype_bytes = -1; +static int hf_param_offset_uint64 = -1; +static int hf_param_oldcur_int64 = -1; +static int hf_param_olddir_int64 = -1; +static int hf_param_olddirfd_int64 = -1; +static int hf_param_oldmax_int64 = -1; +static int hf_param_oldpath_string = -1; +static int 
hf_param_op_bytes = -1; +static int hf_param_operation_bytes = -1; +static int hf_param_out_fd_int64 = -1; +static int hf_param_path_string = -1; +static int hf_param_peer_uint64 = -1; +static int hf_param_pgft_maj_uint64 = -1; +static int hf_param_pgft_min_uint64 = -1; +static int hf_param_pgoffset_uint64 = -1; +static int hf_param_pid_bytes = -1; +static int hf_param_pos_uint64 = -1; +static int hf_param_prot_bytes = -1; +static int hf_param_proto_uint32 = -1; +static int hf_param_ptid_bytes = -1; +static int hf_param_queuelen_uint32 = -1; +static int hf_param_queuemax_uint32 = -1; +static int hf_param_queuepct_uint8 = -1; +static int hf_param_quota_fmt_bytes = -1; +static int hf_param_quota_fmt_out_bytes = -1; +static int hf_param_quotafilepath_string = -1; +static int hf_param_ratio_uint32 = -1; +static int hf_param_request_bytes = -1; +static int hf_param_request_uint64 = -1; +static int hf_param_res_bytes = -1; +static int hf_param_res_int64 = -1; +static int hf_param_res_uint64 = -1; +static int hf_param_resource_bytes = -1; +static int hf_param_rgid_bytes = -1; +static int hf_param_ruid_bytes = -1; +static int hf_param_sem_flg_0_bytes = -1; +static int hf_param_sem_flg_1_bytes = -1; +static int hf_param_sem_num_0_uint16 = -1; +static int hf_param_sem_num_1_uint16 = -1; +static int hf_param_sem_op_0_int16 = -1; +static int hf_param_sem_op_1_int16 = -1; +static int hf_param_semid_int32 = -1; +static int hf_param_semnum_int32 = -1; +static int hf_param_sgid_bytes = -1; +static int hf_param_sig_bytes = -1; +static int hf_param_sigmask_bytes = -1; +static int hf_param_size_uint32 = -1; +static int hf_param_size_uint64 = -1; +static int hf_param_source_uint64 = -1; +static int hf_param_special_string = -1; +static int hf_param_spid_bytes = -1; +static int hf_param_status_bytes = -1; +static int hf_param_suid_bytes = -1; +static int hf_param_target_string = -1; +static int hf_param_tid_bytes = -1; +static int hf_param_timeout_bytes = -1; +static int 
hf_param_timeout_int64 = -1; +static int hf_param_tuple_bytes = -1; +static int hf_param_type_bytes = -1; +static int hf_param_type_string = -1; +static int hf_param_type_uint32 = -1; +static int hf_param_uid_bytes = -1; +static int hf_param_uid_uint32 = -1; +static int hf_param_val_int32 = -1; +static int hf_param_val_uint64 = -1; +static int hf_param_vm_rss_uint32 = -1; +static int hf_param_vm_size_uint32 = -1; +static int hf_param_vm_swap_uint32 = -1; +static int hf_param_vpid_bytes = -1; +static int hf_param_vtid_bytes = -1; +static int hf_param_whence_bytes = -1; + +/* Initialize the subtree pointers */ +static gint ett_sysdig_event = -1; +static gint ett_sysdig_parm_lens = -1; +static gint ett_sysdig_syscall = -1; + +#define SYSDIG_EVENT_MIN_LENGTH 8 /* XXX Fix */ + +/* Event names. Automatically generated by tools/generate-sysdig-event.py */ +#define EVT_STR_NA1 "NA1" +#define EVT_STR_NA2 "NA2" +#define EVT_STR_ACCEPT "accept" +#define EVT_STR_BIND "bind" +#define EVT_STR_BRK "brk" +#define EVT_STR_CHDIR "chdir" +#define EVT_STR_CLONE "clone" +#define EVT_STR_CLOSE "close" +#define EVT_STR_CONNECT "connect" +#define EVT_STR_CONTAINER "container" +#define EVT_STR_CPU_HOTPLUG "cpu_hotplug" +#define EVT_STR_CREAT "creat" +#define EVT_STR_DROP "drop" +#define EVT_STR_DUP "dup" +#define EVT_STR_EPOLL_WAIT "epoll_wait" +#define EVT_STR_EVENTFD "eventfd" +#define EVT_STR_EXECVE "execve" +#define EVT_STR_FCHDIR "fchdir" +#define EVT_STR_FCNTL "fcntl" +#define EVT_STR_FLOCK "flock" +#define EVT_STR_FORK "fork" +#define EVT_STR_FSTAT "fstat" +#define EVT_STR_FSTAT64 "fstat64" +#define EVT_STR_FUTEX "futex" +#define EVT_STR_GETCWD "getcwd" +#define EVT_STR_GETDENTS "getdents" +#define EVT_STR_GETDENTS64 "getdents64" +#define EVT_STR_GETEGID "getegid" +#define EVT_STR_GETEUID "geteuid" +#define EVT_STR_GETGID "getgid" +#define EVT_STR_GETPEERNAME "getpeername" +#define EVT_STR_GETRESGID "getresgid" +#define EVT_STR_GETRESUID "getresuid" +#define EVT_STR_GETRLIMIT 
"getrlimit" +#define EVT_STR_GETSOCKNAME "getsockname" +#define EVT_STR_GETSOCKOPT "getsockopt" +#define EVT_STR_GETUID "getuid" +#define EVT_STR_INOTIFY_INIT "inotify_init" +#define EVT_STR_IOCTL "ioctl" +#define EVT_STR_KILL "kill" +#define EVT_STR_LINK "link" +#define EVT_STR_LINKAT "linkat" +#define EVT_STR_LISTEN "listen" +#define EVT_STR_LLSEEK "llseek" +#define EVT_STR_LSEEK "lseek" +#define EVT_STR_LSTAT "lstat" +#define EVT_STR_LSTAT64 "lstat64" +#define EVT_STR_MKDIR "mkdir" +#define EVT_STR_MMAP "mmap" +#define EVT_STR_MMAP2 "mmap2" +#define EVT_STR_MOUNT "mount" +#define EVT_STR_MUNMAP "munmap" +#define EVT_STR_NANOSLEEP "nanosleep" +#define EVT_STR_OPEN "open" +#define EVT_STR_OPENAT "openat" +#define EVT_STR_PIPE "pipe" +#define EVT_STR_POLL "poll" +#define EVT_STR_PPOLL "ppoll" +#define EVT_STR_PREAD "pread" +#define EVT_STR_PREADV "preadv" +#define EVT_STR_PRLIMIT "prlimit" +#define EVT_STR_PROCEXIT "procexit" +#define EVT_STR_PROCINFO "procinfo" +#define EVT_STR_PTRACE "ptrace" +#define EVT_STR_PWRITE "pwrite" +#define EVT_STR_PWRITEV "pwritev" +#define EVT_STR_QUOTACTL "quotactl" +#define EVT_STR_READ "read" +#define EVT_STR_READV "readv" +#define EVT_STR_RECV "recv" +#define EVT_STR_RECVFROM "recvfrom" +#define EVT_STR_RECVMMSG "recvmmsg" +#define EVT_STR_RECVMSG "recvmsg" +#define EVT_STR_RENAME "rename" +#define EVT_STR_RENAMEAT "renameat" +#define EVT_STR_RMDIR "rmdir" +#define EVT_STR_SELECT "select" +#define EVT_STR_SEMCTL "semctl" +#define EVT_STR_SEMOP "semop" +#define EVT_STR_SEND "send" +#define EVT_STR_SENDFILE "sendfile" +#define EVT_STR_SENDMMSG "sendmmsg" +#define EVT_STR_SENDMSG "sendmsg" +#define EVT_STR_SENDTO "sendto" +#define EVT_STR_SETGID "setgid" +#define EVT_STR_SETNS "setns" +#define EVT_STR_SETRESGID "setresgid" +#define EVT_STR_SETRESUID "setresuid" +#define EVT_STR_SETRLIMIT "setrlimit" +#define EVT_STR_SETSOCKOPT "setsockopt" +#define EVT_STR_SETUID "setuid" +#define EVT_STR_SHUTDOWN "shutdown" +#define 
EVT_STR_SIGNALDELIVER "signaldeliver" +#define EVT_STR_SIGNALFD "signalfd" +#define EVT_STR_SOCKET "socket" +#define EVT_STR_SOCKETPAIR "socketpair" +#define EVT_STR_SPLICE "splice" +#define EVT_STR_STAT "stat" +#define EVT_STR_STAT64 "stat64" +#define EVT_STR_SWITCH "switch" +#define EVT_STR_SYMLINK "symlink" +#define EVT_STR_SYMLINKAT "symlinkat" +#define EVT_STR_SYSCALL "syscall" +#define EVT_STR_SYSDIGEVENT "sysdigevent" +#define EVT_STR_TGKILL "tgkill" +#define EVT_STR_TIMERFD_CREATE "timerfd_create" +#define EVT_STR_TKILL "tkill" +#define EVT_STR_UMOUNT "umount" +#define EVT_STR_UNLINK "unlink" +#define EVT_STR_UNLINKAT "unlinkat" +#define EVT_STR_VFORK "vfork" +#define EVT_STR_WRITE "write" +#define EVT_STR_WRITEV "writev" + +/* EVT_... = PPME_... */ +/* Event definitions. Automatically generated by tools/generate-sysdig-event.py */ +#define EVT_GENERIC_E 0 +#define EVT_GENERIC_X 1 +#define EVT_SYSCALL_OPEN_E 2 +#define EVT_SYSCALL_OPEN_X 3 +#define EVT_SYSCALL_CLOSE_E 4 +#define EVT_SYSCALL_CLOSE_X 5 +#define EVT_SYSCALL_READ_E 6 +#define EVT_SYSCALL_READ_X 7 +#define EVT_SYSCALL_WRITE_E 8 +#define EVT_SYSCALL_WRITE_X 9 +#define EVT_SYSCALL_BRK_1_E 10 +#define EVT_SYSCALL_BRK_1_X 11 +#define EVT_SYSCALL_EXECVE_8_E 12 +#define EVT_SYSCALL_EXECVE_8_X 13 +#define EVT_SYSCALL_CLONE_11_E 14 +#define EVT_SYSCALL_CLONE_11_X 15 +#define EVT_PROCEXIT_E 16 +#define EVT_PROCEXIT_X 17 +#define EVT_SOCKET_SOCKET_E 18 +#define EVT_SOCKET_SOCKET_X 19 +#define EVT_SOCKET_BIND_E 20 +#define EVT_SOCKET_BIND_X 21 +#define EVT_SOCKET_CONNECT_E 22 +#define EVT_SOCKET_CONNECT_X 23 +#define EVT_SOCKET_LISTEN_E 24 +#define EVT_SOCKET_LISTEN_X 25 +#define EVT_SOCKET_ACCEPT_E 26 +#define EVT_SOCKET_ACCEPT_X 27 +#define EVT_SOCKET_SEND_E 28 +#define EVT_SOCKET_SEND_X 29 +#define EVT_SOCKET_SENDTO_E 30 +#define EVT_SOCKET_SENDTO_X 31 +#define EVT_SOCKET_RECV_E 32 +#define EVT_SOCKET_RECV_X 33 +#define EVT_SOCKET_RECVFROM_E 34 +#define EVT_SOCKET_RECVFROM_X 35 +#define 
EVT_SOCKET_SHUTDOWN_E 36 +#define EVT_SOCKET_SHUTDOWN_X 37 +#define EVT_SOCKET_GETSOCKNAME_E 38 +#define EVT_SOCKET_GETSOCKNAME_X 39 +#define EVT_SOCKET_GETPEERNAME_E 40 +#define EVT_SOCKET_GETPEERNAME_X 41 +#define EVT_SOCKET_SOCKETPAIR_E 42 +#define EVT_SOCKET_SOCKETPAIR_X 43 +#define EVT_SOCKET_SETSOCKOPT_E 44 +#define EVT_SOCKET_SETSOCKOPT_X 45 +#define EVT_SOCKET_GETSOCKOPT_E 46 +#define EVT_SOCKET_GETSOCKOPT_X 47 +#define EVT_SOCKET_SENDMSG_E 48 +#define EVT_SOCKET_SENDMSG_X 49 +#define EVT_SOCKET_SENDMMSG_E 50 +#define EVT_SOCKET_SENDMMSG_X 51 +#define EVT_SOCKET_RECVMSG_E 52 +#define EVT_SOCKET_RECVMSG_X 53 +#define EVT_SOCKET_RECVMMSG_E 54 +#define EVT_SOCKET_RECVMMSG_X 55 +#define EVT_SOCKET_ACCEPT4_E 56 +#define EVT_SOCKET_ACCEPT4_X 57 +#define EVT_SYSCALL_CREAT_E 58 +#define EVT_SYSCALL_CREAT_X 59 +#define EVT_SYSCALL_PIPE_E 60 +#define EVT_SYSCALL_PIPE_X 61 +#define EVT_SYSCALL_EVENTFD_E 62 +#define EVT_SYSCALL_EVENTFD_X 63 +#define EVT_SYSCALL_FUTEX_E 64 +#define EVT_SYSCALL_FUTEX_X 65 +#define EVT_SYSCALL_STAT_E 66 +#define EVT_SYSCALL_STAT_X 67 +#define EVT_SYSCALL_LSTAT_E 68 +#define EVT_SYSCALL_LSTAT_X 69 +#define EVT_SYSCALL_FSTAT_E 70 +#define EVT_SYSCALL_FSTAT_X 71 +#define EVT_SYSCALL_STAT64_E 72 +#define EVT_SYSCALL_STAT64_X 73 +#define EVT_SYSCALL_LSTAT64_E 74 +#define EVT_SYSCALL_LSTAT64_X 75 +#define EVT_SYSCALL_FSTAT64_E 76 +#define EVT_SYSCALL_FSTAT64_X 77 +#define EVT_SYSCALL_EPOLLWAIT_E 78 +#define EVT_SYSCALL_EPOLLWAIT_X 79 +#define EVT_SYSCALL_POLL_E 80 +#define EVT_SYSCALL_POLL_X 81 +#define EVT_SYSCALL_SELECT_E 82 +#define EVT_SYSCALL_SELECT_X 83 +#define EVT_SYSCALL_NEWSELECT_E 84 +#define EVT_SYSCALL_NEWSELECT_X 85 +#define EVT_SYSCALL_LSEEK_E 86 +#define EVT_SYSCALL_LSEEK_X 87 +#define EVT_SYSCALL_LLSEEK_E 88 +#define EVT_SYSCALL_LLSEEK_X 89 +#define EVT_SYSCALL_IOCTL_2_E 90 +#define EVT_SYSCALL_IOCTL_2_X 91 +#define EVT_SYSCALL_GETCWD_E 92 +#define EVT_SYSCALL_GETCWD_X 93 +#define EVT_SYSCALL_CHDIR_E 94 +#define 
EVT_SYSCALL_CHDIR_X 95 +#define EVT_SYSCALL_FCHDIR_E 96 +#define EVT_SYSCALL_FCHDIR_X 97 +#define EVT_SYSCALL_MKDIR_E 98 +#define EVT_SYSCALL_MKDIR_X 99 +#define EVT_SYSCALL_RMDIR_E 100 +#define EVT_SYSCALL_RMDIR_X 101 +#define EVT_SYSCALL_OPENAT_E 102 +#define EVT_SYSCALL_OPENAT_X 103 +#define EVT_SYSCALL_LINK_E 104 +#define EVT_SYSCALL_LINK_X 105 +#define EVT_SYSCALL_LINKAT_E 106 +#define EVT_SYSCALL_LINKAT_X 107 +#define EVT_SYSCALL_UNLINK_E 108 +#define EVT_SYSCALL_UNLINK_X 109 +#define EVT_SYSCALL_UNLINKAT_E 110 +#define EVT_SYSCALL_UNLINKAT_X 111 +#define EVT_SYSCALL_PREAD_E 112 +#define EVT_SYSCALL_PREAD_X 113 +#define EVT_SYSCALL_PWRITE_E 114 +#define EVT_SYSCALL_PWRITE_X 115 +#define EVT_SYSCALL_READV_E 116 +#define EVT_SYSCALL_READV_X 117 +#define EVT_SYSCALL_WRITEV_E 118 +#define EVT_SYSCALL_WRITEV_X 119 +#define EVT_SYSCALL_PREADV_E 120 +#define EVT_SYSCALL_PREADV_X 121 +#define EVT_SYSCALL_PWRITEV_E 122 +#define EVT_SYSCALL_PWRITEV_X 123 +#define EVT_SYSCALL_DUP_E 124 +#define EVT_SYSCALL_DUP_X 125 +#define EVT_SYSCALL_SIGNALFD_E 126 +#define EVT_SYSCALL_SIGNALFD_X 127 +#define EVT_SYSCALL_KILL_E 128 +#define EVT_SYSCALL_KILL_X 129 +#define EVT_SYSCALL_TKILL_E 130 +#define EVT_SYSCALL_TKILL_X 131 +#define EVT_SYSCALL_TGKILL_E 132 +#define EVT_SYSCALL_TGKILL_X 133 +#define EVT_SYSCALL_NANOSLEEP_E 134 +#define EVT_SYSCALL_NANOSLEEP_X 135 +#define EVT_SYSCALL_TIMERFD_CREATE_E 136 +#define EVT_SYSCALL_TIMERFD_CREATE_X 137 +#define EVT_SYSCALL_INOTIFY_INIT_E 138 +#define EVT_SYSCALL_INOTIFY_INIT_X 139 +#define EVT_SYSCALL_GETRLIMIT_E 140 +#define EVT_SYSCALL_GETRLIMIT_X 141 +#define EVT_SYSCALL_SETRLIMIT_E 142 +#define EVT_SYSCALL_SETRLIMIT_X 143 +#define EVT_SYSCALL_PRLIMIT_E 144 +#define EVT_SYSCALL_PRLIMIT_X 145 +#define EVT_SCHEDSWITCH_1_E 146 +#define EVT_SCHEDSWITCH_1_X 147 +#define EVT_DROP_E 148 +#define EVT_DROP_X 149 +#define EVT_SYSCALL_FCNTL_E 150 +#define EVT_SYSCALL_FCNTL_X 151 +#define EVT_SCHEDSWITCH_6_E 152 +#define EVT_SCHEDSWITCH_6_X 153 
+#define EVT_SYSCALL_EXECVE_13_E 154 +#define EVT_SYSCALL_EXECVE_13_X 155 +#define EVT_SYSCALL_CLONE_16_E 156 +#define EVT_SYSCALL_CLONE_16_X 157 +#define EVT_SYSCALL_BRK_4_E 158 +#define EVT_SYSCALL_BRK_4_X 159 +#define EVT_SYSCALL_MMAP_E 160 +#define EVT_SYSCALL_MMAP_X 161 +#define EVT_SYSCALL_MMAP2_E 162 +#define EVT_SYSCALL_MMAP2_X 163 +#define EVT_SYSCALL_MUNMAP_E 164 +#define EVT_SYSCALL_MUNMAP_X 165 +#define EVT_SYSCALL_SPLICE_E 166 +#define EVT_SYSCALL_SPLICE_X 167 +#define EVT_SYSCALL_PTRACE_E 168 +#define EVT_SYSCALL_PTRACE_X 169 +#define EVT_SYSCALL_IOCTL_3_E 170 +#define EVT_SYSCALL_IOCTL_3_X 171 +#define EVT_SYSCALL_EXECVE_14_E 172 +#define EVT_SYSCALL_EXECVE_14_X 173 +#define EVT_SYSCALL_RENAME_E 174 +#define EVT_SYSCALL_RENAME_X 175 +#define EVT_SYSCALL_RENAMEAT_E 176 +#define EVT_SYSCALL_RENAMEAT_X 177 +#define EVT_SYSCALL_SYMLINK_E 178 +#define EVT_SYSCALL_SYMLINK_X 179 +#define EVT_SYSCALL_SYMLINKAT_E 180 +#define EVT_SYSCALL_SYMLINKAT_X 181 +#define EVT_SYSCALL_FORK_E 182 +#define EVT_SYSCALL_FORK_X 183 +#define EVT_SYSCALL_VFORK_E 184 +#define EVT_SYSCALL_VFORK_X 185 +#define EVT_PROCEXIT_1_E 186 +#define EVT_PROCEXIT_1_X 187 +#define EVT_SYSCALL_SENDFILE_E 188 +#define EVT_SYSCALL_SENDFILE_X 189 +#define EVT_SYSCALL_QUOTACTL_E 190 +#define EVT_SYSCALL_QUOTACTL_X 191 +#define EVT_SYSCALL_SETRESUID_E 192 +#define EVT_SYSCALL_SETRESUID_X 193 +#define EVT_SYSCALL_SETRESGID_E 194 +#define EVT_SYSCALL_SETRESGID_X 195 +#define EVT_SYSDIGEVENT_E 196 +#define EVT_SYSDIGEVENT_X 197 +#define EVT_SYSCALL_SETUID_E 198 +#define EVT_SYSCALL_SETUID_X 199 +#define EVT_SYSCALL_SETGID_E 200 +#define EVT_SYSCALL_SETGID_X 201 +#define EVT_SYSCALL_GETUID_E 202 +#define EVT_SYSCALL_GETUID_X 203 +#define EVT_SYSCALL_GETEUID_E 204 +#define EVT_SYSCALL_GETEUID_X 205 +#define EVT_SYSCALL_GETGID_E 206 +#define EVT_SYSCALL_GETGID_X 207 +#define EVT_SYSCALL_GETEGID_E 208 +#define EVT_SYSCALL_GETEGID_X 209 +#define EVT_SYSCALL_GETRESUID_E 210 +#define EVT_SYSCALL_GETRESUID_X 
211 +#define EVT_SYSCALL_GETRESGID_E 212 +#define EVT_SYSCALL_GETRESGID_X 213 +#define EVT_SYSCALL_EXECVE_15_E 214 +#define EVT_SYSCALL_EXECVE_15_X 215 +#define EVT_SYSCALL_CLONE_17_E 216 +#define EVT_SYSCALL_CLONE_17_X 217 +#define EVT_SYSCALL_FORK_17_E 218 +#define EVT_SYSCALL_FORK_17_X 219 +#define EVT_SYSCALL_VFORK_17_E 220 +#define EVT_SYSCALL_VFORK_17_X 221 +#define EVT_SYSCALL_CLONE_20_E 222 +#define EVT_SYSCALL_CLONE_20_X 223 +#define EVT_SYSCALL_FORK_20_E 224 +#define EVT_SYSCALL_FORK_20_X 225 +#define EVT_SYSCALL_VFORK_20_E 226 +#define EVT_SYSCALL_VFORK_20_X 227 +#define EVT_CONTAINER_E 228 +#define EVT_CONTAINER_X 229 +#define EVT_SYSCALL_EXECVE_16_E 230 +#define EVT_SYSCALL_EXECVE_16_X 231 +#define EVT_SIGNALDELIVER_E 232 +#define EVT_SIGNALDELIVER_X 233 +#define EVT_PROCINFO_E 234 +#define EVT_PROCINFO_X 235 +#define EVT_SYSCALL_GETDENTS_E 236 +#define EVT_SYSCALL_GETDENTS_X 237 +#define EVT_SYSCALL_GETDENTS64_E 238 +#define EVT_SYSCALL_GETDENTS64_X 239 +#define EVT_SYSCALL_SETNS_E 240 +#define EVT_SYSCALL_SETNS_X 241 +#define EVT_SYSCALL_FLOCK_E 242 +#define EVT_SYSCALL_FLOCK_X 243 +#define EVT_CPU_HOTPLUG_E 244 +#define EVT_CPU_HOTPLUG_X 245 +#define EVT_SOCKET_ACCEPT_5_E 246 +#define EVT_SOCKET_ACCEPT_5_X 247 +#define EVT_SOCKET_ACCEPT4_5_E 248 +#define EVT_SOCKET_ACCEPT4_5_X 249 +#define EVT_SYSCALL_SEMOP_E 250 +#define EVT_SYSCALL_SEMOP_X 251 +#define EVT_SYSCALL_SEMCTL_E 252 +#define EVT_SYSCALL_SEMCTL_X 253 +#define EVT_SYSCALL_PPOLL_E 254 +#define EVT_SYSCALL_PPOLL_X 255 +#define EVT_SYSCALL_MOUNT_E 256 +#define EVT_SYSCALL_MOUNT_X 257 +#define EVT_SYSCALL_UMOUNT_E 258 +#define EVT_SYSCALL_UMOUNT_X 259 + +static const value_string event_type_vals[] = { +/* Value strings. 
Automatically generated by tools/generate-sysdig-event.py */ + { EVT_GENERIC_E, EVT_STR_SYSCALL }, + { EVT_GENERIC_X, EVT_STR_SYSCALL }, + { EVT_SYSCALL_OPEN_E, EVT_STR_OPEN }, + { EVT_SYSCALL_OPEN_X, EVT_STR_OPEN }, + { EVT_SYSCALL_CLOSE_E, EVT_STR_CLOSE }, + { EVT_SYSCALL_CLOSE_X, EVT_STR_CLOSE }, + { EVT_SYSCALL_READ_E, EVT_STR_READ }, + { EVT_SYSCALL_READ_X, EVT_STR_READ }, + { EVT_SYSCALL_WRITE_E, EVT_STR_WRITE }, + { EVT_SYSCALL_WRITE_X, EVT_STR_WRITE }, + { EVT_SYSCALL_BRK_1_E, EVT_STR_BRK }, + { EVT_SYSCALL_BRK_1_X, EVT_STR_BRK }, + { EVT_SYSCALL_EXECVE_8_E, EVT_STR_EXECVE }, + { EVT_SYSCALL_EXECVE_8_X, EVT_STR_EXECVE }, + { EVT_SYSCALL_CLONE_11_E, EVT_STR_CLONE }, + { EVT_SYSCALL_CLONE_11_X, EVT_STR_CLONE }, + { EVT_PROCEXIT_E, EVT_STR_PROCEXIT }, + { EVT_PROCEXIT_X, EVT_STR_NA1 }, + { EVT_SOCKET_SOCKET_E, EVT_STR_SOCKET }, + { EVT_SOCKET_SOCKET_X, EVT_STR_SOCKET }, + { EVT_SOCKET_BIND_E, EVT_STR_BIND }, + { EVT_SOCKET_BIND_X, EVT_STR_BIND }, + { EVT_SOCKET_CONNECT_E, EVT_STR_CONNECT }, + { EVT_SOCKET_CONNECT_X, EVT_STR_CONNECT }, + { EVT_SOCKET_LISTEN_E, EVT_STR_LISTEN }, + { EVT_SOCKET_LISTEN_X, EVT_STR_LISTEN }, + { EVT_SOCKET_ACCEPT_E, EVT_STR_ACCEPT }, + { EVT_SOCKET_ACCEPT_X, EVT_STR_ACCEPT }, + { EVT_SOCKET_SEND_E, EVT_STR_SEND }, + { EVT_SOCKET_SEND_X, EVT_STR_SEND }, + { EVT_SOCKET_SENDTO_E, EVT_STR_SENDTO }, + { EVT_SOCKET_SENDTO_X, EVT_STR_SENDTO }, + { EVT_SOCKET_RECV_E, EVT_STR_RECV }, + { EVT_SOCKET_RECV_X, EVT_STR_RECV }, + { EVT_SOCKET_RECVFROM_E, EVT_STR_RECVFROM }, + { EVT_SOCKET_RECVFROM_X, EVT_STR_RECVFROM }, + { EVT_SOCKET_SHUTDOWN_E, EVT_STR_SHUTDOWN }, + { EVT_SOCKET_SHUTDOWN_X, EVT_STR_SHUTDOWN }, + { EVT_SOCKET_GETSOCKNAME_E, EVT_STR_GETSOCKNAME }, + { EVT_SOCKET_GETSOCKNAME_X, EVT_STR_GETSOCKNAME }, + { EVT_SOCKET_GETPEERNAME_E, EVT_STR_GETPEERNAME }, + { EVT_SOCKET_GETPEERNAME_X, EVT_STR_GETPEERNAME }, + { EVT_SOCKET_SOCKETPAIR_E, EVT_STR_SOCKETPAIR }, + { EVT_SOCKET_SOCKETPAIR_X, EVT_STR_SOCKETPAIR }, + { 
EVT_SOCKET_SETSOCKOPT_E, EVT_STR_SETSOCKOPT }, + { EVT_SOCKET_SETSOCKOPT_X, EVT_STR_SETSOCKOPT }, + { EVT_SOCKET_GETSOCKOPT_E, EVT_STR_GETSOCKOPT }, + { EVT_SOCKET_GETSOCKOPT_X, EVT_STR_GETSOCKOPT }, + { EVT_SOCKET_SENDMSG_E, EVT_STR_SENDMSG }, + { EVT_SOCKET_SENDMSG_X, EVT_STR_SENDMSG }, + { EVT_SOCKET_SENDMMSG_E, EVT_STR_SENDMMSG }, + { EVT_SOCKET_SENDMMSG_X, EVT_STR_SENDMMSG }, + { EVT_SOCKET_RECVMSG_E, EVT_STR_RECVMSG }, + { EVT_SOCKET_RECVMSG_X, EVT_STR_RECVMSG }, + { EVT_SOCKET_RECVMMSG_E, EVT_STR_RECVMMSG }, + { EVT_SOCKET_RECVMMSG_X, EVT_STR_RECVMMSG }, + { EVT_SOCKET_ACCEPT4_E, EVT_STR_ACCEPT }, + { EVT_SOCKET_ACCEPT4_X, EVT_STR_ACCEPT }, + { EVT_SYSCALL_CREAT_E, EVT_STR_CREAT }, + { EVT_SYSCALL_CREAT_X, EVT_STR_CREAT }, + { EVT_SYSCALL_PIPE_E, EVT_STR_PIPE }, + { EVT_SYSCALL_PIPE_X, EVT_STR_PIPE }, + { EVT_SYSCALL_EVENTFD_E, EVT_STR_EVENTFD }, + { EVT_SYSCALL_EVENTFD_X, EVT_STR_EVENTFD }, + { EVT_SYSCALL_FUTEX_E, EVT_STR_FUTEX }, + { EVT_SYSCALL_FUTEX_X, EVT_STR_FUTEX }, + { EVT_SYSCALL_STAT_E, EVT_STR_STAT }, + { EVT_SYSCALL_STAT_X, EVT_STR_STAT }, + { EVT_SYSCALL_LSTAT_E, EVT_STR_LSTAT }, + { EVT_SYSCALL_LSTAT_X, EVT_STR_LSTAT }, + { EVT_SYSCALL_FSTAT_E, EVT_STR_FSTAT }, + { EVT_SYSCALL_FSTAT_X, EVT_STR_FSTAT }, + { EVT_SYSCALL_STAT64_E, EVT_STR_STAT64 }, + { EVT_SYSCALL_STAT64_X, EVT_STR_STAT64 }, + { EVT_SYSCALL_LSTAT64_E, EVT_STR_LSTAT64 }, + { EVT_SYSCALL_LSTAT64_X, EVT_STR_LSTAT64 }, + { EVT_SYSCALL_FSTAT64_E, EVT_STR_FSTAT64 }, + { EVT_SYSCALL_FSTAT64_X, EVT_STR_FSTAT64 }, + { EVT_SYSCALL_EPOLLWAIT_E, EVT_STR_EPOLL_WAIT }, + { EVT_SYSCALL_EPOLLWAIT_X, EVT_STR_EPOLL_WAIT }, + { EVT_SYSCALL_POLL_E, EVT_STR_POLL }, + { EVT_SYSCALL_POLL_X, EVT_STR_POLL }, + { EVT_SYSCALL_SELECT_E, EVT_STR_SELECT }, + { EVT_SYSCALL_SELECT_X, EVT_STR_SELECT }, + { EVT_SYSCALL_NEWSELECT_E, EVT_STR_SELECT }, + { EVT_SYSCALL_NEWSELECT_X, EVT_STR_SELECT }, + { EVT_SYSCALL_LSEEK_E, EVT_STR_LSEEK }, + { EVT_SYSCALL_LSEEK_X, EVT_STR_LSEEK }, + { EVT_SYSCALL_LLSEEK_E, 
EVT_STR_LLSEEK }, + { EVT_SYSCALL_LLSEEK_X, EVT_STR_LLSEEK }, + { EVT_SYSCALL_IOCTL_2_E, EVT_STR_IOCTL }, + { EVT_SYSCALL_IOCTL_2_X, EVT_STR_IOCTL }, + { EVT_SYSCALL_GETCWD_E, EVT_STR_GETCWD }, + { EVT_SYSCALL_GETCWD_X, EVT_STR_GETCWD }, + { EVT_SYSCALL_CHDIR_E, EVT_STR_CHDIR }, + { EVT_SYSCALL_CHDIR_X, EVT_STR_CHDIR }, + { EVT_SYSCALL_FCHDIR_E, EVT_STR_FCHDIR }, + { EVT_SYSCALL_FCHDIR_X, EVT_STR_FCHDIR }, + { EVT_SYSCALL_MKDIR_E, EVT_STR_MKDIR }, + { EVT_SYSCALL_MKDIR_X, EVT_STR_MKDIR }, + { EVT_SYSCALL_RMDIR_E, EVT_STR_RMDIR }, + { EVT_SYSCALL_RMDIR_X, EVT_STR_RMDIR }, + { EVT_SYSCALL_OPENAT_E, EVT_STR_OPENAT }, + { EVT_SYSCALL_OPENAT_X, EVT_STR_OPENAT }, + { EVT_SYSCALL_LINK_E, EVT_STR_LINK }, + { EVT_SYSCALL_LINK_X, EVT_STR_LINK }, + { EVT_SYSCALL_LINKAT_E, EVT_STR_LINKAT }, + { EVT_SYSCALL_LINKAT_X, EVT_STR_LINKAT }, + { EVT_SYSCALL_UNLINK_E, EVT_STR_UNLINK }, + { EVT_SYSCALL_UNLINK_X, EVT_STR_UNLINK }, + { EVT_SYSCALL_UNLINKAT_E, EVT_STR_UNLINKAT }, + { EVT_SYSCALL_UNLINKAT_X, EVT_STR_UNLINKAT }, + { EVT_SYSCALL_PREAD_E, EVT_STR_PREAD }, + { EVT_SYSCALL_PREAD_X, EVT_STR_PREAD }, + { EVT_SYSCALL_PWRITE_E, EVT_STR_PWRITE }, + { EVT_SYSCALL_PWRITE_X, EVT_STR_PWRITE }, + { EVT_SYSCALL_READV_E, EVT_STR_READV }, + { EVT_SYSCALL_READV_X, EVT_STR_READV }, + { EVT_SYSCALL_WRITEV_E, EVT_STR_WRITEV }, + { EVT_SYSCALL_WRITEV_X, EVT_STR_WRITEV }, + { EVT_SYSCALL_PREADV_E, EVT_STR_PREADV }, + { EVT_SYSCALL_PREADV_X, EVT_STR_PREADV }, + { EVT_SYSCALL_PWRITEV_E, EVT_STR_PWRITEV }, + { EVT_SYSCALL_PWRITEV_X, EVT_STR_PWRITEV }, + { EVT_SYSCALL_DUP_E, EVT_STR_DUP }, + { EVT_SYSCALL_DUP_X, EVT_STR_DUP }, + { EVT_SYSCALL_SIGNALFD_E, EVT_STR_SIGNALFD }, + { EVT_SYSCALL_SIGNALFD_X, EVT_STR_SIGNALFD }, + { EVT_SYSCALL_KILL_E, EVT_STR_KILL }, + { EVT_SYSCALL_KILL_X, EVT_STR_KILL }, + { EVT_SYSCALL_TKILL_E, EVT_STR_TKILL }, + { EVT_SYSCALL_TKILL_X, EVT_STR_TKILL }, + { EVT_SYSCALL_TGKILL_E, EVT_STR_TGKILL }, + { EVT_SYSCALL_TGKILL_X, EVT_STR_TGKILL }, + { EVT_SYSCALL_NANOSLEEP_E, 
EVT_STR_NANOSLEEP }, + { EVT_SYSCALL_NANOSLEEP_X, EVT_STR_NANOSLEEP }, + { EVT_SYSCALL_TIMERFD_CREATE_E, EVT_STR_TIMERFD_CREATE }, + { EVT_SYSCALL_TIMERFD_CREATE_X, EVT_STR_TIMERFD_CREATE }, + { EVT_SYSCALL_INOTIFY_INIT_E, EVT_STR_INOTIFY_INIT }, + { EVT_SYSCALL_INOTIFY_INIT_X, EVT_STR_INOTIFY_INIT }, + { EVT_SYSCALL_GETRLIMIT_E, EVT_STR_GETRLIMIT }, + { EVT_SYSCALL_GETRLIMIT_X, EVT_STR_GETRLIMIT }, + { EVT_SYSCALL_SETRLIMIT_E, EVT_STR_SETRLIMIT }, + { EVT_SYSCALL_SETRLIMIT_X, EVT_STR_SETRLIMIT }, + { EVT_SYSCALL_PRLIMIT_E, EVT_STR_PRLIMIT }, + { EVT_SYSCALL_PRLIMIT_X, EVT_STR_PRLIMIT }, + { EVT_SCHEDSWITCH_1_E, EVT_STR_SWITCH }, + { EVT_SCHEDSWITCH_1_X, EVT_STR_NA2 }, + { EVT_DROP_E, EVT_STR_DROP }, + { EVT_DROP_X, EVT_STR_DROP }, + { EVT_SYSCALL_FCNTL_E, EVT_STR_FCNTL }, + { EVT_SYSCALL_FCNTL_X, EVT_STR_FCNTL }, + { EVT_SCHEDSWITCH_6_E, EVT_STR_SWITCH }, + { EVT_SCHEDSWITCH_6_X, EVT_STR_NA2 }, + { EVT_SYSCALL_EXECVE_13_E, EVT_STR_EXECVE }, + { EVT_SYSCALL_EXECVE_13_X, EVT_STR_EXECVE }, + { EVT_SYSCALL_CLONE_16_E, EVT_STR_CLONE }, + { EVT_SYSCALL_CLONE_16_X, EVT_STR_CLONE }, + { EVT_SYSCALL_BRK_4_E, EVT_STR_BRK }, + { EVT_SYSCALL_BRK_4_X, EVT_STR_BRK }, + { EVT_SYSCALL_MMAP_E, EVT_STR_MMAP }, + { EVT_SYSCALL_MMAP_X, EVT_STR_MMAP }, + { EVT_SYSCALL_MMAP2_E, EVT_STR_MMAP2 }, + { EVT_SYSCALL_MMAP2_X, EVT_STR_MMAP2 }, + { EVT_SYSCALL_MUNMAP_E, EVT_STR_MUNMAP }, + { EVT_SYSCALL_MUNMAP_X, EVT_STR_MUNMAP }, + { EVT_SYSCALL_SPLICE_E, EVT_STR_SPLICE }, + { EVT_SYSCALL_SPLICE_X, EVT_STR_SPLICE }, + { EVT_SYSCALL_PTRACE_E, EVT_STR_PTRACE }, + { EVT_SYSCALL_PTRACE_X, EVT_STR_PTRACE }, + { EVT_SYSCALL_IOCTL_3_E, EVT_STR_IOCTL }, + { EVT_SYSCALL_IOCTL_3_X, EVT_STR_IOCTL }, + { EVT_SYSCALL_EXECVE_14_E, EVT_STR_EXECVE }, + { EVT_SYSCALL_EXECVE_14_X, EVT_STR_EXECVE }, + { EVT_SYSCALL_RENAME_E, EVT_STR_RENAME }, + { EVT_SYSCALL_RENAME_X, EVT_STR_RENAME }, + { EVT_SYSCALL_RENAMEAT_E, EVT_STR_RENAMEAT }, + { EVT_SYSCALL_RENAMEAT_X, EVT_STR_RENAMEAT }, + { EVT_SYSCALL_SYMLINK_E, 
EVT_STR_SYMLINK }, + { EVT_SYSCALL_SYMLINK_X, EVT_STR_SYMLINK }, + { EVT_SYSCALL_SYMLINKAT_E, EVT_STR_SYMLINKAT }, + { EVT_SYSCALL_SYMLINKAT_X, EVT_STR_SYMLINKAT }, + { EVT_SYSCALL_FORK_E, EVT_STR_FORK }, + { EVT_SYSCALL_FORK_X, EVT_STR_FORK }, + { EVT_SYSCALL_VFORK_E, EVT_STR_VFORK }, + { EVT_SYSCALL_VFORK_X, EVT_STR_VFORK }, + { EVT_PROCEXIT_1_E, EVT_STR_PROCEXIT }, + { EVT_PROCEXIT_1_X, EVT_STR_NA1 }, + { EVT_SYSCALL_SENDFILE_E, EVT_STR_SENDFILE }, + { EVT_SYSCALL_SENDFILE_X, EVT_STR_SENDFILE }, + { EVT_SYSCALL_QUOTACTL_E, EVT_STR_QUOTACTL }, + { EVT_SYSCALL_QUOTACTL_X, EVT_STR_QUOTACTL }, + { EVT_SYSCALL_SETRESUID_E, EVT_STR_SETRESUID }, + { EVT_SYSCALL_SETRESUID_X, EVT_STR_SETRESUID }, + { EVT_SYSCALL_SETRESGID_E, EVT_STR_SETRESGID }, + { EVT_SYSCALL_SETRESGID_X, EVT_STR_SETRESGID }, + { EVT_SYSDIGEVENT_E, EVT_STR_SYSDIGEVENT }, + { EVT_SYSDIGEVENT_X, EVT_STR_SYSDIGEVENT }, + { EVT_SYSCALL_SETUID_E, EVT_STR_SETUID }, + { EVT_SYSCALL_SETUID_X, EVT_STR_SETUID }, + { EVT_SYSCALL_SETGID_E, EVT_STR_SETGID }, + { EVT_SYSCALL_SETGID_X, EVT_STR_SETGID }, + { EVT_SYSCALL_GETUID_E, EVT_STR_GETUID }, + { EVT_SYSCALL_GETUID_X, EVT_STR_GETUID }, + { EVT_SYSCALL_GETEUID_E, EVT_STR_GETEUID }, + { EVT_SYSCALL_GETEUID_X, EVT_STR_GETEUID }, + { EVT_SYSCALL_GETGID_E, EVT_STR_GETGID }, + { EVT_SYSCALL_GETGID_X, EVT_STR_GETGID }, + { EVT_SYSCALL_GETEGID_E, EVT_STR_GETEGID }, + { EVT_SYSCALL_GETEGID_X, EVT_STR_GETEGID }, + { EVT_SYSCALL_GETRESUID_E, EVT_STR_GETRESUID }, + { EVT_SYSCALL_GETRESUID_X, EVT_STR_GETRESUID }, + { EVT_SYSCALL_GETRESGID_E, EVT_STR_GETRESGID }, + { EVT_SYSCALL_GETRESGID_X, EVT_STR_GETRESGID }, + { EVT_SYSCALL_EXECVE_15_E, EVT_STR_EXECVE }, + { EVT_SYSCALL_EXECVE_15_X, EVT_STR_EXECVE }, + { EVT_SYSCALL_CLONE_17_E, EVT_STR_CLONE }, + { EVT_SYSCALL_CLONE_17_X, EVT_STR_CLONE }, + { EVT_SYSCALL_FORK_17_E, EVT_STR_FORK }, + { EVT_SYSCALL_FORK_17_X, EVT_STR_FORK }, + { EVT_SYSCALL_VFORK_17_E, EVT_STR_VFORK }, + { EVT_SYSCALL_VFORK_17_X, EVT_STR_VFORK }, + { 
EVT_SYSCALL_CLONE_20_E, EVT_STR_CLONE }, + { EVT_SYSCALL_CLONE_20_X, EVT_STR_CLONE }, + { EVT_SYSCALL_FORK_20_E, EVT_STR_FORK }, + { EVT_SYSCALL_FORK_20_X, EVT_STR_FORK }, + { EVT_SYSCALL_VFORK_20_E, EVT_STR_VFORK }, + { EVT_SYSCALL_VFORK_20_X, EVT_STR_VFORK }, + { EVT_CONTAINER_E, EVT_STR_CONTAINER }, + { EVT_CONTAINER_X, EVT_STR_CONTAINER }, + { EVT_SYSCALL_EXECVE_16_E, EVT_STR_EXECVE }, + { EVT_SYSCALL_EXECVE_16_X, EVT_STR_EXECVE }, + { EVT_SIGNALDELIVER_E, EVT_STR_SIGNALDELIVER }, + { EVT_SIGNALDELIVER_X, EVT_STR_SIGNALDELIVER }, + { EVT_PROCINFO_E, EVT_STR_PROCINFO }, + { EVT_PROCINFO_X, EVT_STR_NA2 }, + { EVT_SYSCALL_GETDENTS_E, EVT_STR_GETDENTS }, + { EVT_SYSCALL_GETDENTS_X, EVT_STR_GETDENTS }, + { EVT_SYSCALL_GETDENTS64_E, EVT_STR_GETDENTS64 }, + { EVT_SYSCALL_GETDENTS64_X, EVT_STR_GETDENTS64 }, + { EVT_SYSCALL_SETNS_E, EVT_STR_SETNS }, + { EVT_SYSCALL_SETNS_X, EVT_STR_SETNS }, + { EVT_SYSCALL_FLOCK_E, EVT_STR_FLOCK }, + { EVT_SYSCALL_FLOCK_X, EVT_STR_FLOCK }, + { EVT_CPU_HOTPLUG_E, EVT_STR_CPU_HOTPLUG }, + { EVT_CPU_HOTPLUG_X, EVT_STR_NA2 }, + { EVT_SOCKET_ACCEPT_5_E, EVT_STR_ACCEPT }, + { EVT_SOCKET_ACCEPT_5_X, EVT_STR_ACCEPT }, + { EVT_SOCKET_ACCEPT4_5_E, EVT_STR_ACCEPT }, + { EVT_SOCKET_ACCEPT4_5_X, EVT_STR_ACCEPT }, + { EVT_SYSCALL_SEMOP_E, EVT_STR_SEMOP }, + { EVT_SYSCALL_SEMOP_X, EVT_STR_SEMOP }, + { EVT_SYSCALL_SEMCTL_E, EVT_STR_SEMCTL }, + { EVT_SYSCALL_SEMCTL_X, EVT_STR_SEMCTL }, + { EVT_SYSCALL_PPOLL_E, EVT_STR_PPOLL }, + { EVT_SYSCALL_PPOLL_X, EVT_STR_PPOLL }, + { EVT_SYSCALL_MOUNT_E, EVT_STR_MOUNT }, + { EVT_SYSCALL_MOUNT_X, EVT_STR_MOUNT }, + { EVT_SYSCALL_UMOUNT_E, EVT_STR_UMOUNT }, + { EVT_SYSCALL_UMOUNT_X, EVT_STR_UMOUNT }, + + {0, NULL } +}; + +/* + * "Interesting" parameters, which are appended to COL_INFO. + * Manually generated for now. 
+ */ +struct _event_col_info_param { + const int param_num; + const char *param_name; + enum ftenum param_ftype; +}; + +static const struct _event_col_info_param open_x_params[] = { + { 0, "fd", FT_UINT64 }, + { 1, "name", FT_STRING }, + { 0, NULL, FT_NONE } +}; + +static const struct _event_col_info_param close_e_params[] = { + { 0, "fd", FT_UINT64 }, + { 0, NULL, FT_NONE } +}; + +static const struct _event_col_info_param read_e_params[] = { + { 0, "fd", FT_UINT64 }, + { 0, NULL, FT_NONE } +}; + +static const struct _event_col_info_param write_e_params[] = { + { 0, "fd", FT_UINT64 }, + { 0, NULL, FT_NONE } +}; + +static const struct _event_col_info_param execve_15_x_params[] = { + { 1, "exe", FT_STRING }, + { 2, "args", FT_STRING }, + { 0, NULL, FT_NONE } +}; + +struct _event_col_info { + const guint event_type; + const int num_len_fields; + const struct _event_col_info_param *params; +}; + +/* Info column parameters */ +static const struct _event_col_info event_col_info[] = { + { EVT_SYSCALL_OPEN_X, 4, open_x_params }, + { EVT_SYSCALL_CLOSE_E, 1, close_e_params }, + { EVT_SYSCALL_READ_E, 2, read_e_params }, + { EVT_SYSCALL_WRITE_E, 2, write_e_params }, + { EVT_SYSCALL_EXECVE_15_X, 15, execve_15_x_params }, + { 0, 0, NULL } +}; + +struct _event_tree_info { + const guint event_type; + /* int num_params; */ + const int **hf_indexes; +}; + +static const int *no_indexes[] = { NULL }; + +/* Parameter indexes. 
Automatically generated by tools/generate-sysdig-event.py */ +static const int *generic_e_indexes[] = { &hf_param_ID_bytes, &hf_param_nativeID_uint16, NULL }; +static const int *generic_x_indexes[] = { &hf_param_ID_bytes, NULL }; +#define syscall_open_e_indexes no_indexes +static const int *syscall_open_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_flags_bytes, &hf_param_mode_uint32, NULL }; +static const int *syscall_close_e_indexes[] = { &hf_param_fd_int64, NULL }; +static const int *syscall_close_x_indexes[] = { &hf_param_res_bytes, NULL }; +static const int *syscall_read_e_indexes[] = { &hf_param_fd_int64, &hf_param_size_uint32, NULL }; +static const int *syscall_read_x_indexes[] = { &hf_param_res_bytes, &hf_param_data_bytes, NULL }; +#define syscall_write_e_indexes syscall_read_e_indexes +#define syscall_write_x_indexes syscall_read_x_indexes +static const int *syscall_brk_1_e_indexes[] = { &hf_param_size_uint32, NULL }; +static const int *syscall_brk_1_x_indexes[] = { &hf_param_res_uint64, NULL }; +#define syscall_execve_8_e_indexes no_indexes +static const int *syscall_execve_8_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_uint64, NULL }; +#define syscall_clone_11_e_indexes no_indexes +static const int *syscall_clone_11_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_flags_bytes, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL }; +#define procexit_e_indexes no_indexes +#define procexit_x_indexes no_indexes +static const int *socket_socket_e_indexes[] = { &hf_param_domain_bytes, &hf_param_type_uint32, &hf_param_proto_uint32, NULL }; +#define socket_socket_x_indexes syscall_close_e_indexes +#define socket_bind_e_indexes syscall_close_e_indexes 
+static const int *socket_bind_x_indexes[] = { &hf_param_res_bytes, &hf_param_addr_bytes, NULL }; +#define socket_connect_e_indexes syscall_close_e_indexes +static const int *socket_connect_x_indexes[] = { &hf_param_res_bytes, &hf_param_tuple_bytes, NULL }; +static const int *socket_listen_e_indexes[] = { &hf_param_fd_int64, &hf_param_backlog_uint32, NULL }; +#define socket_listen_x_indexes syscall_close_x_indexes +#define socket_accept_e_indexes no_indexes +static const int *socket_accept_x_indexes[] = { &hf_param_fd_int64, &hf_param_tuple_bytes, &hf_param_queuepct_uint8, NULL }; +#define socket_send_e_indexes syscall_read_e_indexes +#define socket_send_x_indexes syscall_read_x_indexes +static const int *socket_sendto_e_indexes[] = { &hf_param_fd_int64, &hf_param_size_uint32, &hf_param_tuple_bytes, NULL }; +#define socket_sendto_x_indexes syscall_read_x_indexes +#define socket_recv_e_indexes syscall_read_e_indexes +#define socket_recv_x_indexes syscall_read_x_indexes +#define socket_recvfrom_e_indexes syscall_read_e_indexes +static const int *socket_recvfrom_x_indexes[] = { &hf_param_res_bytes, &hf_param_data_bytes, &hf_param_tuple_bytes, NULL }; +static const int *socket_shutdown_e_indexes[] = { &hf_param_fd_int64, &hf_param_how_bytes, NULL }; +#define socket_shutdown_x_indexes syscall_close_x_indexes +#define socket_getsockname_e_indexes no_indexes +#define socket_getsockname_x_indexes no_indexes +#define socket_getpeername_e_indexes no_indexes +#define socket_getpeername_x_indexes no_indexes +#define socket_socketpair_e_indexes socket_socket_e_indexes +static const int *socket_socketpair_x_indexes[] = { &hf_param_res_bytes, &hf_param_fd1_int64, &hf_param_fd2_int64, &hf_param_source_uint64, &hf_param_peer_uint64, NULL }; +#define socket_setsockopt_e_indexes no_indexes +#define socket_setsockopt_x_indexes no_indexes +#define socket_getsockopt_e_indexes no_indexes +#define socket_getsockopt_x_indexes no_indexes +#define socket_sendmsg_e_indexes 
socket_sendto_e_indexes +#define socket_sendmsg_x_indexes syscall_read_x_indexes +#define socket_sendmmsg_e_indexes no_indexes +#define socket_sendmmsg_x_indexes no_indexes +#define socket_recvmsg_e_indexes syscall_close_e_indexes +static const int *socket_recvmsg_x_indexes[] = { &hf_param_res_bytes, &hf_param_size_uint32, &hf_param_data_bytes, &hf_param_tuple_bytes, NULL }; +#define socket_recvmmsg_e_indexes no_indexes +#define socket_recvmmsg_x_indexes no_indexes +static const int *socket_accept4_e_indexes[] = { &hf_param_flags_uint32, NULL }; +#define socket_accept4_x_indexes socket_accept_x_indexes +#define syscall_creat_e_indexes no_indexes +static const int *syscall_creat_x_indexes[] = { &hf_param_fd_int64, &hf_param_name_string, &hf_param_mode_uint32, NULL }; +#define syscall_pipe_e_indexes no_indexes +static const int *syscall_pipe_x_indexes[] = { &hf_param_res_bytes, &hf_param_fd1_int64, &hf_param_fd2_int64, &hf_param_ino_uint64, NULL }; +static const int *syscall_eventfd_e_indexes[] = { &hf_param_initval_uint64, &hf_param_flags_bytes, NULL }; +static const int *syscall_eventfd_x_indexes[] = { &hf_param_res_int64, NULL }; +static const int *syscall_futex_e_indexes[] = { &hf_param_addr_uint64, &hf_param_op_bytes, &hf_param_val_uint64, NULL }; +#define syscall_futex_x_indexes syscall_close_x_indexes +#define syscall_stat_e_indexes no_indexes +static const int *syscall_stat_x_indexes[] = { &hf_param_res_bytes, &hf_param_path_string, NULL }; +#define syscall_lstat_e_indexes no_indexes +#define syscall_lstat_x_indexes syscall_stat_x_indexes +#define syscall_fstat_e_indexes syscall_close_e_indexes +#define syscall_fstat_x_indexes syscall_close_x_indexes +#define syscall_stat64_e_indexes no_indexes +#define syscall_stat64_x_indexes syscall_stat_x_indexes +#define syscall_lstat64_e_indexes no_indexes +#define syscall_lstat64_x_indexes syscall_stat_x_indexes +#define syscall_fstat64_e_indexes syscall_close_e_indexes +#define syscall_fstat64_x_indexes 
syscall_close_x_indexes +static const int *syscall_epollwait_e_indexes[] = { &hf_param_maxevents_bytes, NULL }; +#define syscall_epollwait_x_indexes syscall_close_x_indexes +static const int *syscall_poll_e_indexes[] = { &hf_param_fds_bytes, &hf_param_timeout_int64, NULL }; +static const int *syscall_poll_x_indexes[] = { &hf_param_res_bytes, &hf_param_fds_bytes, NULL }; +#define syscall_select_e_indexes no_indexes +#define syscall_select_x_indexes syscall_close_x_indexes +#define syscall_newselect_e_indexes no_indexes +#define syscall_newselect_x_indexes syscall_close_x_indexes +static const int *syscall_lseek_e_indexes[] = { &hf_param_fd_int64, &hf_param_offset_uint64, &hf_param_whence_bytes, NULL }; +#define syscall_lseek_x_indexes syscall_close_x_indexes +#define syscall_llseek_e_indexes syscall_lseek_e_indexes +#define syscall_llseek_x_indexes syscall_close_x_indexes +static const int *syscall_ioctl_2_e_indexes[] = { &hf_param_fd_int64, &hf_param_request_uint64, NULL }; +#define syscall_ioctl_2_x_indexes syscall_close_x_indexes +#define syscall_getcwd_e_indexes no_indexes +#define syscall_getcwd_x_indexes syscall_stat_x_indexes +#define syscall_chdir_e_indexes no_indexes +#define syscall_chdir_x_indexes syscall_stat_x_indexes +#define syscall_fchdir_e_indexes syscall_close_e_indexes +#define syscall_fchdir_x_indexes syscall_close_x_indexes +static const int *syscall_mkdir_e_indexes[] = { &hf_param_path_string, &hf_param_mode_uint32, NULL }; +#define syscall_mkdir_x_indexes syscall_close_x_indexes +static const int *syscall_rmdir_e_indexes[] = { &hf_param_path_string, NULL }; +#define syscall_rmdir_x_indexes syscall_close_x_indexes +static const int *syscall_openat_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_name_string, &hf_param_flags_bytes, &hf_param_mode_uint32, NULL }; +#define syscall_openat_x_indexes syscall_close_e_indexes +static const int *syscall_link_e_indexes[] = { &hf_param_oldpath_string, &hf_param_newpath_string, NULL }; +#define 
syscall_link_x_indexes syscall_close_x_indexes +static const int *syscall_linkat_e_indexes[] = { &hf_param_olddir_int64, &hf_param_oldpath_string, &hf_param_newdir_int64, &hf_param_newpath_string, NULL }; +#define syscall_linkat_x_indexes syscall_close_x_indexes +#define syscall_unlink_e_indexes syscall_rmdir_e_indexes +#define syscall_unlink_x_indexes syscall_close_x_indexes +static const int *syscall_unlinkat_e_indexes[] = { &hf_param_dirfd_int64, &hf_param_name_string, NULL }; +#define syscall_unlinkat_x_indexes syscall_close_x_indexes +static const int *syscall_pread_e_indexes[] = { &hf_param_fd_int64, &hf_param_size_uint32, &hf_param_pos_uint64, NULL }; +#define syscall_pread_x_indexes syscall_read_x_indexes +#define syscall_pwrite_e_indexes syscall_pread_e_indexes +#define syscall_pwrite_x_indexes syscall_read_x_indexes +#define syscall_readv_e_indexes syscall_close_e_indexes +static const int *syscall_readv_x_indexes[] = { &hf_param_res_bytes, &hf_param_size_uint32, &hf_param_data_bytes, NULL }; +#define syscall_writev_e_indexes syscall_read_e_indexes +#define syscall_writev_x_indexes syscall_read_x_indexes +static const int *syscall_preadv_e_indexes[] = { &hf_param_fd_int64, &hf_param_pos_uint64, NULL }; +#define syscall_preadv_x_indexes syscall_readv_x_indexes +#define syscall_pwritev_e_indexes syscall_pread_e_indexes +#define syscall_pwritev_x_indexes syscall_read_x_indexes +#define syscall_dup_e_indexes syscall_close_e_indexes +#define syscall_dup_x_indexes syscall_eventfd_x_indexes +static const int *syscall_signalfd_e_indexes[] = { &hf_param_fd_int64, &hf_param_mask_uint32, &hf_param_flags_bytes, NULL }; +#define syscall_signalfd_x_indexes syscall_eventfd_x_indexes +static const int *syscall_kill_e_indexes[] = { &hf_param_pid_bytes, &hf_param_sig_bytes, NULL }; +#define syscall_kill_x_indexes syscall_close_x_indexes +static const int *syscall_tkill_e_indexes[] = { &hf_param_tid_bytes, &hf_param_sig_bytes, NULL }; +#define syscall_tkill_x_indexes 
syscall_close_x_indexes +static const int *syscall_tgkill_e_indexes[] = { &hf_param_pid_bytes, &hf_param_tid_bytes, &hf_param_sig_bytes, NULL }; +#define syscall_tgkill_x_indexes syscall_close_x_indexes +static const int *syscall_nanosleep_e_indexes[] = { &hf_param_interval_bytes, NULL }; +#define syscall_nanosleep_x_indexes syscall_close_x_indexes +static const int *syscall_timerfd_create_e_indexes[] = { &hf_param_clockid_uint8, &hf_param_flags_bytes, NULL }; +#define syscall_timerfd_create_x_indexes syscall_eventfd_x_indexes +static const int *syscall_inotify_init_e_indexes[] = { &hf_param_flags_bytes, NULL }; +#define syscall_inotify_init_x_indexes syscall_eventfd_x_indexes +static const int *syscall_getrlimit_e_indexes[] = { &hf_param_resource_bytes, NULL }; +static const int *syscall_getrlimit_x_indexes[] = { &hf_param_res_bytes, &hf_param_cur_int64, &hf_param_max_int64, NULL }; +#define syscall_setrlimit_e_indexes syscall_getrlimit_e_indexes +#define syscall_setrlimit_x_indexes syscall_getrlimit_x_indexes +static const int *syscall_prlimit_e_indexes[] = { &hf_param_pid_bytes, &hf_param_resource_bytes, NULL }; +static const int *syscall_prlimit_x_indexes[] = { &hf_param_res_bytes, &hf_param_newcur_int64, &hf_param_newmax_int64, &hf_param_oldcur_int64, &hf_param_oldmax_int64, NULL }; +static const int *schedswitch_1_e_indexes[] = { &hf_param_next_bytes, NULL }; +#define schedswitch_1_x_indexes no_indexes +static const int *drop_e_indexes[] = { &hf_param_ratio_uint32, NULL }; +#define drop_x_indexes drop_e_indexes +static const int *syscall_fcntl_e_indexes[] = { &hf_param_fd_int64, &hf_param_cmd_bytes, NULL }; +#define syscall_fcntl_x_indexes syscall_eventfd_x_indexes +static const int *schedswitch_6_e_indexes[] = { &hf_param_next_bytes, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL }; +#define schedswitch_6_x_indexes no_indexes +#define syscall_execve_13_e_indexes 
no_indexes +static const int *syscall_execve_13_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL }; +#define syscall_clone_16_e_indexes no_indexes +static const int *syscall_clone_16_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_flags_bytes, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL }; +static const int *syscall_brk_4_e_indexes[] = { &hf_param_addr_uint64, NULL }; +static const int *syscall_brk_4_x_indexes[] = { &hf_param_res_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL }; +static const int *syscall_mmap_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, &hf_param_prot_bytes, &hf_param_flags_bytes, &hf_param_fd_int64, &hf_param_offset_uint64, NULL }; +#define syscall_mmap_x_indexes syscall_brk_4_x_indexes +static const int *syscall_mmap2_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, &hf_param_prot_bytes, &hf_param_flags_bytes, &hf_param_fd_int64, &hf_param_pgoffset_uint64, NULL }; +#define syscall_mmap2_x_indexes syscall_brk_4_x_indexes +static const int *syscall_munmap_e_indexes[] = { &hf_param_addr_uint64, &hf_param_length_uint64, NULL }; +static const int *syscall_munmap_x_indexes[] = { &hf_param_res_bytes, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, NULL }; +static const int *syscall_splice_e_indexes[] = { &hf_param_fd_in_int64, &hf_param_fd_out_int64, &hf_param_size_uint64, 
&hf_param_flags_bytes, NULL }; +#define syscall_splice_x_indexes syscall_close_x_indexes +static const int *syscall_ptrace_e_indexes[] = { &hf_param_request_bytes, &hf_param_pid_bytes, NULL }; +static const int *syscall_ptrace_x_indexes[] = { &hf_param_res_bytes, &hf_param_addr_bytes, &hf_param_data_bytes, NULL }; +static const int *syscall_ioctl_3_e_indexes[] = { &hf_param_fd_int64, &hf_param_request_uint64, &hf_param_argument_uint64, NULL }; +#define syscall_ioctl_3_x_indexes syscall_close_x_indexes +#define syscall_execve_14_e_indexes no_indexes +static const int *syscall_execve_14_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_env_string, NULL }; +#define syscall_rename_e_indexes no_indexes +static const int *syscall_rename_x_indexes[] = { &hf_param_res_bytes, &hf_param_oldpath_string, &hf_param_newpath_string, NULL }; +#define syscall_renameat_e_indexes no_indexes +static const int *syscall_renameat_x_indexes[] = { &hf_param_res_bytes, &hf_param_olddirfd_int64, &hf_param_oldpath_string, &hf_param_newdirfd_int64, &hf_param_newpath_string, NULL }; +#define syscall_symlink_e_indexes no_indexes +static const int *syscall_symlink_x_indexes[] = { &hf_param_res_bytes, &hf_param_target_string, &hf_param_linkpath_string, NULL }; +#define syscall_symlinkat_e_indexes no_indexes +static const int *syscall_symlinkat_x_indexes[] = { &hf_param_res_bytes, &hf_param_target_string, &hf_param_linkdirfd_int64, &hf_param_linkpath_string, NULL }; +#define syscall_fork_e_indexes no_indexes +#define syscall_fork_x_indexes syscall_clone_16_x_indexes +#define syscall_vfork_e_indexes no_indexes +#define syscall_vfork_x_indexes syscall_clone_16_x_indexes +static const int *procexit_1_e_indexes[] = { 
&hf_param_status_bytes, NULL }; +#define procexit_1_x_indexes no_indexes +static const int *syscall_sendfile_e_indexes[] = { &hf_param_out_fd_int64, &hf_param_in_fd_int64, &hf_param_offset_uint64, &hf_param_size_uint64, NULL }; +static const int *syscall_sendfile_x_indexes[] = { &hf_param_res_bytes, &hf_param_offset_uint64, NULL }; +static const int *syscall_quotactl_e_indexes[] = { &hf_param_cmd_bytes, &hf_param_type_bytes, &hf_param_id_uint32, &hf_param_quota_fmt_bytes, NULL }; +static const int *syscall_quotactl_x_indexes[] = { &hf_param_res_bytes, &hf_param_special_string, &hf_param_quotafilepath_string, &hf_param_dqb_bhardlimit_uint64, &hf_param_dqb_bsoftlimit_uint64, &hf_param_dqb_curspace_uint64, &hf_param_dqb_ihardlimit_uint64, &hf_param_dqb_isoftlimit_uint64, &hf_param_dqb_btime_bytes, &hf_param_dqb_itime_bytes, &hf_param_dqi_bgrace_bytes, &hf_param_dqi_igrace_bytes, &hf_param_dqi_flags_bytes, &hf_param_quota_fmt_out_bytes, NULL }; +static const int *syscall_setresuid_e_indexes[] = { &hf_param_ruid_bytes, &hf_param_euid_bytes, &hf_param_suid_bytes, NULL }; +#define syscall_setresuid_x_indexes syscall_close_x_indexes +static const int *syscall_setresgid_e_indexes[] = { &hf_param_rgid_bytes, &hf_param_egid_bytes, &hf_param_sgid_bytes, NULL }; +#define syscall_setresgid_x_indexes syscall_close_x_indexes +static const int *sysdigevent_e_indexes[] = { &hf_param_event_type_uint32, &hf_param_event_data_uint64, NULL }; +#define sysdigevent_x_indexes no_indexes +static const int *syscall_setuid_e_indexes[] = { &hf_param_uid_bytes, NULL }; +#define syscall_setuid_x_indexes syscall_close_x_indexes +static const int *syscall_setgid_e_indexes[] = { &hf_param_gid_bytes, NULL }; +#define syscall_setgid_x_indexes syscall_close_x_indexes +#define syscall_getuid_e_indexes no_indexes +#define syscall_getuid_x_indexes syscall_setuid_e_indexes +#define syscall_geteuid_e_indexes no_indexes +static const int *syscall_geteuid_x_indexes[] = { &hf_param_euid_bytes, NULL }; +#define 
syscall_getgid_e_indexes no_indexes +#define syscall_getgid_x_indexes syscall_setgid_e_indexes +#define syscall_getegid_e_indexes no_indexes +static const int *syscall_getegid_x_indexes[] = { &hf_param_egid_bytes, NULL }; +#define syscall_getresuid_e_indexes no_indexes +static const int *syscall_getresuid_x_indexes[] = { &hf_param_res_bytes, &hf_param_ruid_bytes, &hf_param_euid_bytes, &hf_param_suid_bytes, NULL }; +#define syscall_getresgid_e_indexes no_indexes +static const int *syscall_getresgid_x_indexes[] = { &hf_param_res_bytes, &hf_param_rgid_bytes, &hf_param_egid_bytes, &hf_param_sgid_bytes, NULL }; +#define syscall_execve_15_e_indexes no_indexes +static const int *syscall_execve_15_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_env_string, NULL }; +#define syscall_clone_17_e_indexes no_indexes +static const int *syscall_clone_17_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_flags_bytes, &hf_param_uid_uint32, &hf_param_gid_uint32, NULL }; +#define syscall_fork_17_e_indexes no_indexes +#define syscall_fork_17_x_indexes syscall_clone_17_x_indexes +#define syscall_vfork_17_e_indexes no_indexes +#define syscall_vfork_17_x_indexes syscall_clone_17_x_indexes +#define syscall_clone_20_e_indexes no_indexes +static const int *syscall_clone_20_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, 
&hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_int64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_flags_bytes, &hf_param_uid_uint32, &hf_param_gid_uint32, &hf_param_vtid_bytes, &hf_param_vpid_bytes, NULL }; +#define syscall_fork_20_e_indexes no_indexes +#define syscall_fork_20_x_indexes syscall_clone_20_x_indexes +#define syscall_vfork_20_e_indexes no_indexes +#define syscall_vfork_20_x_indexes syscall_clone_20_x_indexes +static const int *container_e_indexes[] = { &hf_param_id_string, &hf_param_type_uint32, &hf_param_name_string, &hf_param_image_string, NULL }; +#define container_x_indexes no_indexes +#define syscall_execve_16_e_indexes no_indexes +static const int *syscall_execve_16_x_indexes[] = { &hf_param_res_bytes, &hf_param_exe_string, &hf_param_args_string, &hf_param_tid_bytes, &hf_param_pid_bytes, &hf_param_ptid_bytes, &hf_param_cwd_string, &hf_param_fdlimit_uint64, &hf_param_pgft_maj_uint64, &hf_param_pgft_min_uint64, &hf_param_vm_size_uint32, &hf_param_vm_rss_uint32, &hf_param_vm_swap_uint32, &hf_param_comm_string, &hf_param_cgroups_bytes, &hf_param_env_string, NULL }; +static const int *signaldeliver_e_indexes[] = { &hf_param_spid_bytes, &hf_param_dpid_bytes, &hf_param_sig_bytes, NULL }; +#define signaldeliver_x_indexes no_indexes +static const int *procinfo_e_indexes[] = { &hf_param_cpu_usr_uint64, &hf_param_cpu_sys_uint64, NULL }; +#define procinfo_x_indexes no_indexes +#define syscall_getdents_e_indexes syscall_close_e_indexes +#define syscall_getdents_x_indexes syscall_close_x_indexes +#define syscall_getdents64_e_indexes syscall_close_e_indexes +#define syscall_getdents64_x_indexes syscall_close_x_indexes +static const int *syscall_setns_e_indexes[] = { &hf_param_fd_int64, &hf_param_nstype_bytes, NULL }; +#define syscall_setns_x_indexes syscall_close_x_indexes +static 
const int *syscall_flock_e_indexes[] = { &hf_param_fd_int64, &hf_param_operation_bytes, NULL }; +#define syscall_flock_x_indexes syscall_close_x_indexes +static const int *cpu_hotplug_e_indexes[] = { &hf_param_cpu_uint32, &hf_param_action_uint32, NULL }; +#define cpu_hotplug_x_indexes no_indexes +#define socket_accept_5_e_indexes no_indexes +static const int *socket_accept_5_x_indexes[] = { &hf_param_fd_int64, &hf_param_tuple_bytes, &hf_param_queuepct_uint8, &hf_param_queuelen_uint32, &hf_param_queuemax_uint32, NULL }; +#define socket_accept4_5_e_indexes socket_accept4_e_indexes +#define socket_accept4_5_x_indexes socket_accept_5_x_indexes +static const int *syscall_semop_e_indexes[] = { &hf_param_semid_int32, NULL }; +static const int *syscall_semop_x_indexes[] = { &hf_param_res_bytes, &hf_param_nsops_uint32, &hf_param_sem_num_0_uint16, &hf_param_sem_op_0_int16, &hf_param_sem_flg_0_bytes, &hf_param_sem_num_1_uint16, &hf_param_sem_op_1_int16, &hf_param_sem_flg_1_bytes, NULL }; +static const int *syscall_semctl_e_indexes[] = { &hf_param_semid_int32, &hf_param_semnum_int32, &hf_param_cmd_bytes, &hf_param_val_int32, NULL }; +#define syscall_semctl_x_indexes syscall_close_x_indexes +static const int *syscall_ppoll_e_indexes[] = { &hf_param_fds_bytes, &hf_param_timeout_bytes, &hf_param_sigmask_bytes, NULL }; +#define syscall_ppoll_x_indexes syscall_poll_x_indexes +#define syscall_mount_e_indexes syscall_inotify_init_e_indexes +static const int *syscall_mount_x_indexes[] = { &hf_param_res_bytes, &hf_param_dev_string, &hf_param_dir_string, &hf_param_type_string, NULL }; +#define syscall_umount_e_indexes syscall_inotify_init_e_indexes +static const int *syscall_umount_x_indexes[] = { &hf_param_res_bytes, &hf_param_name_string, NULL }; + +static const struct _event_tree_info event_tree_info[] = { +/* Event tree. 
Automatically generated by tools/generate-sysdig-event.py */ + { EVT_GENERIC_E, generic_e_indexes }, + { EVT_GENERIC_X, generic_x_indexes }, + { EVT_SYSCALL_OPEN_E, syscall_open_e_indexes }, + { EVT_SYSCALL_OPEN_X, syscall_open_x_indexes }, + { EVT_SYSCALL_CLOSE_E, syscall_close_e_indexes }, + { EVT_SYSCALL_CLOSE_X, syscall_close_x_indexes }, + { EVT_SYSCALL_READ_E, syscall_read_e_indexes }, + { EVT_SYSCALL_READ_X, syscall_read_x_indexes }, + { EVT_SYSCALL_WRITE_E, syscall_write_e_indexes }, + { EVT_SYSCALL_WRITE_X, syscall_write_x_indexes }, + { EVT_SYSCALL_BRK_1_E, syscall_brk_1_e_indexes }, + { EVT_SYSCALL_BRK_1_X, syscall_brk_1_x_indexes }, + { EVT_SYSCALL_EXECVE_8_E, syscall_execve_8_e_indexes }, + { EVT_SYSCALL_EXECVE_8_X, syscall_execve_8_x_indexes }, + { EVT_SYSCALL_CLONE_11_E, syscall_clone_11_e_indexes }, + { EVT_SYSCALL_CLONE_11_X, syscall_clone_11_x_indexes }, + { EVT_PROCEXIT_E, procexit_e_indexes }, + { EVT_PROCEXIT_X, procexit_x_indexes }, + { EVT_SOCKET_SOCKET_E, socket_socket_e_indexes }, + { EVT_SOCKET_SOCKET_X, socket_socket_x_indexes }, + { EVT_SOCKET_BIND_E, socket_bind_e_indexes }, + { EVT_SOCKET_BIND_X, socket_bind_x_indexes }, + { EVT_SOCKET_CONNECT_E, socket_connect_e_indexes }, + { EVT_SOCKET_CONNECT_X, socket_connect_x_indexes }, + { EVT_SOCKET_LISTEN_E, socket_listen_e_indexes }, + { EVT_SOCKET_LISTEN_X, socket_listen_x_indexes }, + { EVT_SOCKET_ACCEPT_E, socket_accept_e_indexes }, + { EVT_SOCKET_ACCEPT_X, socket_accept_x_indexes }, + { EVT_SOCKET_SEND_E, socket_send_e_indexes }, + { EVT_SOCKET_SEND_X, socket_send_x_indexes }, + { EVT_SOCKET_SENDTO_E, socket_sendto_e_indexes }, + { EVT_SOCKET_SENDTO_X, socket_sendto_x_indexes }, + { EVT_SOCKET_RECV_E, socket_recv_e_indexes }, + { EVT_SOCKET_RECV_X, socket_recv_x_indexes }, + { EVT_SOCKET_RECVFROM_E, socket_recvfrom_e_indexes }, + { EVT_SOCKET_RECVFROM_X, socket_recvfrom_x_indexes }, + { EVT_SOCKET_SHUTDOWN_E, socket_shutdown_e_indexes }, + { EVT_SOCKET_SHUTDOWN_X, 
socket_shutdown_x_indexes }, + { EVT_SOCKET_GETSOCKNAME_E, socket_getsockname_e_indexes }, + { EVT_SOCKET_GETSOCKNAME_X, socket_getsockname_x_indexes }, + { EVT_SOCKET_GETPEERNAME_E, socket_getpeername_e_indexes }, + { EVT_SOCKET_GETPEERNAME_X, socket_getpeername_x_indexes }, + { EVT_SOCKET_SOCKETPAIR_E, socket_socketpair_e_indexes }, + { EVT_SOCKET_SOCKETPAIR_X, socket_socketpair_x_indexes }, + { EVT_SOCKET_SETSOCKOPT_E, socket_setsockopt_e_indexes }, + { EVT_SOCKET_SETSOCKOPT_X, socket_setsockopt_x_indexes }, + { EVT_SOCKET_GETSOCKOPT_E, socket_getsockopt_e_indexes }, + { EVT_SOCKET_GETSOCKOPT_X, socket_getsockopt_x_indexes }, + { EVT_SOCKET_SENDMSG_E, socket_sendmsg_e_indexes }, + { EVT_SOCKET_SENDMSG_X, socket_sendmsg_x_indexes }, + { EVT_SOCKET_SENDMMSG_E, socket_sendmmsg_e_indexes }, + { EVT_SOCKET_SENDMMSG_X, socket_sendmmsg_x_indexes }, + { EVT_SOCKET_RECVMSG_E, socket_recvmsg_e_indexes }, + { EVT_SOCKET_RECVMSG_X, socket_recvmsg_x_indexes }, + { EVT_SOCKET_RECVMMSG_E, socket_recvmmsg_e_indexes }, + { EVT_SOCKET_RECVMMSG_X, socket_recvmmsg_x_indexes }, + { EVT_SOCKET_ACCEPT4_E, socket_accept4_e_indexes }, + { EVT_SOCKET_ACCEPT4_X, socket_accept4_x_indexes }, + { EVT_SYSCALL_CREAT_E, syscall_creat_e_indexes }, + { EVT_SYSCALL_CREAT_X, syscall_creat_x_indexes }, + { EVT_SYSCALL_PIPE_E, syscall_pipe_e_indexes }, + { EVT_SYSCALL_PIPE_X, syscall_pipe_x_indexes }, + { EVT_SYSCALL_EVENTFD_E, syscall_eventfd_e_indexes }, + { EVT_SYSCALL_EVENTFD_X, syscall_eventfd_x_indexes }, + { EVT_SYSCALL_FUTEX_E, syscall_futex_e_indexes }, + { EVT_SYSCALL_FUTEX_X, syscall_futex_x_indexes }, + { EVT_SYSCALL_STAT_E, syscall_stat_e_indexes }, + { EVT_SYSCALL_STAT_X, syscall_stat_x_indexes }, + { EVT_SYSCALL_LSTAT_E, syscall_lstat_e_indexes }, + { EVT_SYSCALL_LSTAT_X, syscall_lstat_x_indexes }, + { EVT_SYSCALL_FSTAT_E, syscall_fstat_e_indexes }, + { EVT_SYSCALL_FSTAT_X, syscall_fstat_x_indexes }, + { EVT_SYSCALL_STAT64_E, syscall_stat64_e_indexes }, + { EVT_SYSCALL_STAT64_X, 
syscall_stat64_x_indexes }, + { EVT_SYSCALL_LSTAT64_E, syscall_lstat64_e_indexes }, + { EVT_SYSCALL_LSTAT64_X, syscall_lstat64_x_indexes }, + { EVT_SYSCALL_FSTAT64_E, syscall_fstat64_e_indexes }, + { EVT_SYSCALL_FSTAT64_X, syscall_fstat64_x_indexes }, + { EVT_SYSCALL_EPOLLWAIT_E, syscall_epollwait_e_indexes }, + { EVT_SYSCALL_EPOLLWAIT_X, syscall_epollwait_x_indexes }, + { EVT_SYSCALL_POLL_E, syscall_poll_e_indexes }, + { EVT_SYSCALL_POLL_X, syscall_poll_x_indexes }, + { EVT_SYSCALL_SELECT_E, syscall_select_e_indexes }, + { EVT_SYSCALL_SELECT_X, syscall_select_x_indexes }, + { EVT_SYSCALL_NEWSELECT_E, syscall_newselect_e_indexes }, + { EVT_SYSCALL_NEWSELECT_X, syscall_newselect_x_indexes }, + { EVT_SYSCALL_LSEEK_E, syscall_lseek_e_indexes }, + { EVT_SYSCALL_LSEEK_X, syscall_lseek_x_indexes }, + { EVT_SYSCALL_LLSEEK_E, syscall_llseek_e_indexes }, + { EVT_SYSCALL_LLSEEK_X, syscall_llseek_x_indexes }, + { EVT_SYSCALL_IOCTL_2_E, syscall_ioctl_2_e_indexes }, + { EVT_SYSCALL_IOCTL_2_X, syscall_ioctl_2_x_indexes }, + { EVT_SYSCALL_GETCWD_E, syscall_getcwd_e_indexes }, + { EVT_SYSCALL_GETCWD_X, syscall_getcwd_x_indexes }, + { EVT_SYSCALL_CHDIR_E, syscall_chdir_e_indexes }, + { EVT_SYSCALL_CHDIR_X, syscall_chdir_x_indexes }, + { EVT_SYSCALL_FCHDIR_E, syscall_fchdir_e_indexes }, + { EVT_SYSCALL_FCHDIR_X, syscall_fchdir_x_indexes }, + { EVT_SYSCALL_MKDIR_E, syscall_mkdir_e_indexes }, + { EVT_SYSCALL_MKDIR_X, syscall_mkdir_x_indexes }, + { EVT_SYSCALL_RMDIR_E, syscall_rmdir_e_indexes }, + { EVT_SYSCALL_RMDIR_X, syscall_rmdir_x_indexes }, + { EVT_SYSCALL_OPENAT_E, syscall_openat_e_indexes }, + { EVT_SYSCALL_OPENAT_X, syscall_openat_x_indexes }, + { EVT_SYSCALL_LINK_E, syscall_link_e_indexes }, + { EVT_SYSCALL_LINK_X, syscall_link_x_indexes }, + { EVT_SYSCALL_LINKAT_E, syscall_linkat_e_indexes }, + { EVT_SYSCALL_LINKAT_X, syscall_linkat_x_indexes }, + { EVT_SYSCALL_UNLINK_E, syscall_unlink_e_indexes }, + { EVT_SYSCALL_UNLINK_X, syscall_unlink_x_indexes }, + { 
EVT_SYSCALL_UNLINKAT_E, syscall_unlinkat_e_indexes }, + { EVT_SYSCALL_UNLINKAT_X, syscall_unlinkat_x_indexes }, + { EVT_SYSCALL_PREAD_E, syscall_pread_e_indexes }, + { EVT_SYSCALL_PREAD_X, syscall_pread_x_indexes }, + { EVT_SYSCALL_PWRITE_E, syscall_pwrite_e_indexes }, + { EVT_SYSCALL_PWRITE_X, syscall_pwrite_x_indexes }, + { EVT_SYSCALL_READV_E, syscall_readv_e_indexes }, + { EVT_SYSCALL_READV_X, syscall_readv_x_indexes }, + { EVT_SYSCALL_WRITEV_E, syscall_writev_e_indexes }, + { EVT_SYSCALL_WRITEV_X, syscall_writev_x_indexes }, + { EVT_SYSCALL_PREADV_E, syscall_preadv_e_indexes }, + { EVT_SYSCALL_PREADV_X, syscall_preadv_x_indexes }, + { EVT_SYSCALL_PWRITEV_E, syscall_pwritev_e_indexes }, + { EVT_SYSCALL_PWRITEV_X, syscall_pwritev_x_indexes }, + { EVT_SYSCALL_DUP_E, syscall_dup_e_indexes }, + { EVT_SYSCALL_DUP_X, syscall_dup_x_indexes }, + { EVT_SYSCALL_SIGNALFD_E, syscall_signalfd_e_indexes }, + { EVT_SYSCALL_SIGNALFD_X, syscall_signalfd_x_indexes }, + { EVT_SYSCALL_KILL_E, syscall_kill_e_indexes }, + { EVT_SYSCALL_KILL_X, syscall_kill_x_indexes }, + { EVT_SYSCALL_TKILL_E, syscall_tkill_e_indexes }, + { EVT_SYSCALL_TKILL_X, syscall_tkill_x_indexes }, + { EVT_SYSCALL_TGKILL_E, syscall_tgkill_e_indexes }, + { EVT_SYSCALL_TGKILL_X, syscall_tgkill_x_indexes }, + { EVT_SYSCALL_NANOSLEEP_E, syscall_nanosleep_e_indexes }, + { EVT_SYSCALL_NANOSLEEP_X, syscall_nanosleep_x_indexes }, + { EVT_SYSCALL_TIMERFD_CREATE_E, syscall_timerfd_create_e_indexes }, + { EVT_SYSCALL_TIMERFD_CREATE_X, syscall_timerfd_create_x_indexes }, + { EVT_SYSCALL_INOTIFY_INIT_E, syscall_inotify_init_e_indexes }, + { EVT_SYSCALL_INOTIFY_INIT_X, syscall_inotify_init_x_indexes }, + { EVT_SYSCALL_GETRLIMIT_E, syscall_getrlimit_e_indexes }, + { EVT_SYSCALL_GETRLIMIT_X, syscall_getrlimit_x_indexes }, + { EVT_SYSCALL_SETRLIMIT_E, syscall_setrlimit_e_indexes }, + { EVT_SYSCALL_SETRLIMIT_X, syscall_setrlimit_x_indexes }, + { EVT_SYSCALL_PRLIMIT_E, syscall_prlimit_e_indexes }, + { EVT_SYSCALL_PRLIMIT_X, 
syscall_prlimit_x_indexes }, + { EVT_SCHEDSWITCH_1_E, schedswitch_1_e_indexes }, + { EVT_SCHEDSWITCH_1_X, schedswitch_1_x_indexes }, + { EVT_DROP_E, drop_e_indexes }, + { EVT_DROP_X, drop_x_indexes }, + { EVT_SYSCALL_FCNTL_E, syscall_fcntl_e_indexes }, + { EVT_SYSCALL_FCNTL_X, syscall_fcntl_x_indexes }, + { EVT_SCHEDSWITCH_6_E, schedswitch_6_e_indexes }, + { EVT_SCHEDSWITCH_6_X, schedswitch_6_x_indexes }, + { EVT_SYSCALL_EXECVE_13_E, syscall_execve_13_e_indexes }, + { EVT_SYSCALL_EXECVE_13_X, syscall_execve_13_x_indexes }, + { EVT_SYSCALL_CLONE_16_E, syscall_clone_16_e_indexes }, + { EVT_SYSCALL_CLONE_16_X, syscall_clone_16_x_indexes }, + { EVT_SYSCALL_BRK_4_E, syscall_brk_4_e_indexes }, + { EVT_SYSCALL_BRK_4_X, syscall_brk_4_x_indexes }, + { EVT_SYSCALL_MMAP_E, syscall_mmap_e_indexes }, + { EVT_SYSCALL_MMAP_X, syscall_mmap_x_indexes }, + { EVT_SYSCALL_MMAP2_E, syscall_mmap2_e_indexes }, + { EVT_SYSCALL_MMAP2_X, syscall_mmap2_x_indexes }, + { EVT_SYSCALL_MUNMAP_E, syscall_munmap_e_indexes }, + { EVT_SYSCALL_MUNMAP_X, syscall_munmap_x_indexes }, + { EVT_SYSCALL_SPLICE_E, syscall_splice_e_indexes }, + { EVT_SYSCALL_SPLICE_X, syscall_splice_x_indexes }, + { EVT_SYSCALL_PTRACE_E, syscall_ptrace_e_indexes }, + { EVT_SYSCALL_PTRACE_X, syscall_ptrace_x_indexes }, + { EVT_SYSCALL_IOCTL_3_E, syscall_ioctl_3_e_indexes }, + { EVT_SYSCALL_IOCTL_3_X, syscall_ioctl_3_x_indexes }, + { EVT_SYSCALL_EXECVE_14_E, syscall_execve_14_e_indexes }, + { EVT_SYSCALL_EXECVE_14_X, syscall_execve_14_x_indexes }, + { EVT_SYSCALL_RENAME_E, syscall_rename_e_indexes }, + { EVT_SYSCALL_RENAME_X, syscall_rename_x_indexes }, + { EVT_SYSCALL_RENAMEAT_E, syscall_renameat_e_indexes }, + { EVT_SYSCALL_RENAMEAT_X, syscall_renameat_x_indexes }, + { EVT_SYSCALL_SYMLINK_E, syscall_symlink_e_indexes }, + { EVT_SYSCALL_SYMLINK_X, syscall_symlink_x_indexes }, + { EVT_SYSCALL_SYMLINKAT_E, syscall_symlinkat_e_indexes }, + { EVT_SYSCALL_SYMLINKAT_X, syscall_symlinkat_x_indexes }, + { EVT_SYSCALL_FORK_E, 
syscall_fork_e_indexes }, + { EVT_SYSCALL_FORK_X, syscall_fork_x_indexes }, + { EVT_SYSCALL_VFORK_E, syscall_vfork_e_indexes }, + { EVT_SYSCALL_VFORK_X, syscall_vfork_x_indexes }, + { EVT_PROCEXIT_1_E, procexit_1_e_indexes }, + { EVT_PROCEXIT_1_X, procexit_1_x_indexes }, + { EVT_SYSCALL_SENDFILE_E, syscall_sendfile_e_indexes }, + { EVT_SYSCALL_SENDFILE_X, syscall_sendfile_x_indexes }, + { EVT_SYSCALL_QUOTACTL_E, syscall_quotactl_e_indexes }, + { EVT_SYSCALL_QUOTACTL_X, syscall_quotactl_x_indexes }, + { EVT_SYSCALL_SETRESUID_E, syscall_setresuid_e_indexes }, + { EVT_SYSCALL_SETRESUID_X, syscall_setresuid_x_indexes }, + { EVT_SYSCALL_SETRESGID_E, syscall_setresgid_e_indexes }, + { EVT_SYSCALL_SETRESGID_X, syscall_setresgid_x_indexes }, + { EVT_SYSDIGEVENT_E, sysdigevent_e_indexes }, + { EVT_SYSDIGEVENT_X, sysdigevent_x_indexes }, + { EVT_SYSCALL_SETUID_E, syscall_setuid_e_indexes }, + { EVT_SYSCALL_SETUID_X, syscall_setuid_x_indexes }, + { EVT_SYSCALL_SETGID_E, syscall_setgid_e_indexes }, + { EVT_SYSCALL_SETGID_X, syscall_setgid_x_indexes }, + { EVT_SYSCALL_GETUID_E, syscall_getuid_e_indexes }, + { EVT_SYSCALL_GETUID_X, syscall_getuid_x_indexes }, + { EVT_SYSCALL_GETEUID_E, syscall_geteuid_e_indexes }, + { EVT_SYSCALL_GETEUID_X, syscall_geteuid_x_indexes }, + { EVT_SYSCALL_GETGID_E, syscall_getgid_e_indexes }, + { EVT_SYSCALL_GETGID_X, syscall_getgid_x_indexes }, + { EVT_SYSCALL_GETEGID_E, syscall_getegid_e_indexes }, + { EVT_SYSCALL_GETEGID_X, syscall_getegid_x_indexes }, + { EVT_SYSCALL_GETRESUID_E, syscall_getresuid_e_indexes }, + { EVT_SYSCALL_GETRESUID_X, syscall_getresuid_x_indexes }, + { EVT_SYSCALL_GETRESGID_E, syscall_getresgid_e_indexes }, + { EVT_SYSCALL_GETRESGID_X, syscall_getresgid_x_indexes }, + { EVT_SYSCALL_EXECVE_15_E, syscall_execve_15_e_indexes }, + { EVT_SYSCALL_EXECVE_15_X, syscall_execve_15_x_indexes }, + { EVT_SYSCALL_CLONE_17_E, syscall_clone_17_e_indexes }, + { EVT_SYSCALL_CLONE_17_X, syscall_clone_17_x_indexes }, + { EVT_SYSCALL_FORK_17_E, 
syscall_fork_17_e_indexes }, + { EVT_SYSCALL_FORK_17_X, syscall_fork_17_x_indexes }, + { EVT_SYSCALL_VFORK_17_E, syscall_vfork_17_e_indexes }, + { EVT_SYSCALL_VFORK_17_X, syscall_vfork_17_x_indexes }, + { EVT_SYSCALL_CLONE_20_E, syscall_clone_20_e_indexes }, + { EVT_SYSCALL_CLONE_20_X, syscall_clone_20_x_indexes }, + { EVT_SYSCALL_FORK_20_E, syscall_fork_20_e_indexes }, + { EVT_SYSCALL_FORK_20_X, syscall_fork_20_x_indexes }, + { EVT_SYSCALL_VFORK_20_E, syscall_vfork_20_e_indexes }, + { EVT_SYSCALL_VFORK_20_X, syscall_vfork_20_x_indexes }, + { EVT_CONTAINER_E, container_e_indexes }, + { EVT_CONTAINER_X, container_x_indexes }, + { EVT_SYSCALL_EXECVE_16_E, syscall_execve_16_e_indexes }, + { EVT_SYSCALL_EXECVE_16_X, syscall_execve_16_x_indexes }, + { EVT_SIGNALDELIVER_E, signaldeliver_e_indexes }, + { EVT_SIGNALDELIVER_X, signaldeliver_x_indexes }, + { EVT_PROCINFO_E, procinfo_e_indexes }, + { EVT_PROCINFO_X, procinfo_x_indexes }, + { EVT_SYSCALL_GETDENTS_E, syscall_getdents_e_indexes }, + { EVT_SYSCALL_GETDENTS_X, syscall_getdents_x_indexes }, + { EVT_SYSCALL_GETDENTS64_E, syscall_getdents64_e_indexes }, + { EVT_SYSCALL_GETDENTS64_X, syscall_getdents64_x_indexes }, + { EVT_SYSCALL_SETNS_E, syscall_setns_e_indexes }, + { EVT_SYSCALL_SETNS_X, syscall_setns_x_indexes }, + { EVT_SYSCALL_FLOCK_E, syscall_flock_e_indexes }, + { EVT_SYSCALL_FLOCK_X, syscall_flock_x_indexes }, + { EVT_CPU_HOTPLUG_E, cpu_hotplug_e_indexes }, + { EVT_CPU_HOTPLUG_X, cpu_hotplug_x_indexes }, + { EVT_SOCKET_ACCEPT_5_E, socket_accept_5_e_indexes }, + { EVT_SOCKET_ACCEPT_5_X, socket_accept_5_x_indexes }, + { EVT_SOCKET_ACCEPT4_5_E, socket_accept4_5_e_indexes }, + { EVT_SOCKET_ACCEPT4_5_X, socket_accept4_5_x_indexes }, + { EVT_SYSCALL_SEMOP_E, syscall_semop_e_indexes }, + { EVT_SYSCALL_SEMOP_X, syscall_semop_x_indexes }, + { EVT_SYSCALL_SEMCTL_E, syscall_semctl_e_indexes }, + { EVT_SYSCALL_SEMCTL_X, syscall_semctl_x_indexes }, + { EVT_SYSCALL_PPOLL_E, syscall_ppoll_e_indexes }, + { 
EVT_SYSCALL_PPOLL_X, syscall_ppoll_x_indexes }, + { EVT_SYSCALL_MOUNT_E, syscall_mount_e_indexes }, + { EVT_SYSCALL_MOUNT_X, syscall_mount_x_indexes }, + { EVT_SYSCALL_UMOUNT_E, syscall_umount_e_indexes }, + { EVT_SYSCALL_UMOUNT_X, syscall_umount_x_indexes }, + + { 0, NULL } +}; + +/* + * Value strings. + * If the X_Y_vals has a matching hf_param_X_Y it will be added as a + * VALS field conversion below. + */ + +static const value_string nativeID_uint16_vals[] = { + { 1, "restart_syscall" }, + { 2, "exit" }, + { 3, "read" }, + { 4, "write" }, + { 5, "open" }, + { 6, "close" }, + { 7, "creat" }, + { 8, "link" }, + { 9, "unlink" }, + { 10, "chdir" }, + { 11, "time" }, + { 12, "mknod" }, + { 13, "chmod" }, + { 14, "stat" }, + { 15, "lseek" }, + { 16, "getpid" }, + { 17, "mount" }, + { 18, "ptrace" }, + { 19, "alarm" }, + { 20, "fstat" }, + { 21, "pause" }, + { 22, "utime" }, + { 23, "access" }, + { 24, "sync" }, + { 25, "kill" }, + { 26, "rename" }, + { 27, "mkdir" }, + { 28, "rmdir" }, + { 29, "dup" }, + { 30, "pipe" }, + { 31, "times" }, + { 32, "brk" }, + { 33, "acct" }, + { 34, "ioctl" }, + { 35, "fcntl" }, + { 36, "setpgid" }, + { 37, "umask" }, + { 38, "chroot" }, + { 39, "ustat" }, + { 40, "dup2" }, + { 41, "getppid" }, + { 42, "getpgrp" }, + { 43, "setsid" }, + { 44, "sethostname" }, + { 45, "setrlimit" }, + { 46, "getrusage" }, + { 47, "gettimeofday" }, + { 48, "settimeofday" }, + { 49, "symlink" }, + { 50, "lstat" }, + { 51, "readlink" }, + { 52, "uselib" }, + { 53, "swapon" }, + { 54, "reboot" }, + { 55, "mmap" }, + { 56, "munmap" }, + { 57, "truncate" }, + { 58, "ftruncate" }, + { 59, "fchmod" }, + { 60, "getpriority" }, + { 61, "setpriority" }, + { 62, "statfs" }, + { 63, "fstatfs" }, + { 64, "syslog" }, + { 65, "setitimer" }, + { 66, "getitimer" }, + { 67, "uname" }, + { 68, "clean" }, + { 69, "wait4" }, + { 70, "swapoff" }, + { 71, "sysinfo" }, + { 72, "fsync" }, + { 73, "setdomainname" }, + { 74, "adjtimex" }, + { 75, "mprotect" }, + { 76, 
"init_module" }, + { 77, "delete_module" }, + { 78, "quotactl" }, + { 79, "getpgid" }, + { 80, "fchdir" }, + { 81, "sysfs" }, + { 82, "personality" }, + { 83, "getdents" }, + { 84, "select" }, + { 85, "flock" }, + { 86, "msync" }, + { 87, "readv" }, + { 88, "writev" }, + { 89, "getsid" }, + { 90, "fdatasync" }, + { 91, "mlock" }, + { 92, "munlock" }, + { 93, "mlockall" }, + { 94, "munlockall" }, + { 95, "sched_setparam" }, + { 96, "sched_getparam" }, + { 97, "sched_setscheduler" }, + { 98, "sched_getscheduler" }, + { 99, "sched_yield" }, + { 100, "sched_get_priority_max" }, + { 101, "sched_get_priority_min" }, + { 102, "sched_rr_get_interval" }, + { 103, "nanosleep" }, + { 104, "mremap" }, + { 105, "poll" }, + { 106, "prctl" }, + { 107, "rt_sigaction" }, + { 108, "rt_sigprocmask" }, + { 109, "rt_sigpending" }, + { 110, "rt_sigtimedwait" }, + { 111, "rt_sigqueueinfo" }, + { 112, "rt_sigsuspend" }, + { 113, "getcwd" }, + { 114, "capget" }, + { 115, "capset" }, + { 116, "sendfile" }, + { 117, "getrlimit" }, + { 118, "lchown" }, + { 119, "getuid" }, + { 120, "getgid" }, + { 121, "geteuid" }, + { 122, "getegid" }, + { 123, "setreuid" }, + { 124, "setregid" }, + { 125, "getgroups" }, + { 126, "setgroups" }, + { 127, "fchown" }, + { 128, "setresuid" }, + { 129, "getresuid" }, + { 130, "setresgid" }, + { 131, "getresgid" }, + { 132, "chown" }, + { 133, "setuid" }, + { 134, "setgid" }, + { 135, "setfsuid" }, + { 136, "setfsgid" }, + { 137, "pivot_root" }, + { 138, "mincore" }, + { 139, "madvise" }, + { 140, "gettid" }, + { 141, "setxattr" }, + { 142, "lsetxattr" }, + { 143, "fsetxattr" }, + { 144, "getxattr" }, + { 145, "lgetxattr" }, + { 146, "fgetxattr" }, + { 147, "listxattr" }, + { 148, "llistxattr" }, + { 149, "flistxattr" }, + { 150, "removexattr" }, + { 151, "lremovexattr" }, + { 152, "fremovexattr" }, + { 153, "tkill" }, + { 154, "futex" }, + { 155, "sched_setaffinity" }, + { 156, "sched_getaffinity" }, + { 157, "set_thread_area" }, + { 158, "get_thread_area" }, + { 
159, "io_setup" }, + { 160, "io_destroy" }, + { 161, "io_getevents" }, + { 162, "io_submit" }, + { 163, "io_cancel" }, + { 164, "exit_group" }, + { 165, "epoll_create" }, + { 166, "epoll_ctl" }, + { 167, "epoll_wait" }, + { 168, "remap_file_pages" }, + { 169, "set_tid_address" }, + { 170, "timer_create" }, + { 171, "timer_settime" }, + { 172, "timer_gettime" }, + { 173, "timer_getoverrun" }, + { 174, "timer_delete" }, + { 175, "clock_settime" }, + { 176, "clock_gettime" }, + { 177, "clock_getres" }, + { 178, "clock_nanosleep" }, + { 179, "tgkill" }, + { 180, "utimes" }, + { 181, "mq_open" }, + { 182, "mq_unlink" }, + { 183, "mq_timedsend" }, + { 184, "mq_timedreceive" }, + { 185, "mq_notify" }, + { 186, "mq_getsetattr" }, + { 187, "kexec_load" }, + { 188, "waitid" }, + { 189, "add_key" }, + { 190, "request_key" }, + { 191, "keyctl" }, + { 192, "ioprio_set" }, + { 193, "ioprio_get" }, + { 194, "inotify_init" }, + { 195, "inotify_add_watch" }, + { 196, "inotify_rm_watch" }, + { 197, "openat" }, + { 198, "mkdirat" }, + { 199, "mknodat" }, + { 200, "fchownat" }, + { 201, "futimesat" }, + { 202, "unlinkat" }, + { 203, "renameat" }, + { 204, "linkat" }, + { 205, "symlinkat" }, + { 206, "readlinkat" }, + { 207, "fchmodat" }, + { 208, "faccessat" }, + { 209, "pselect6" }, + { 210, "ppoll" }, + { 211, "unshare" }, + { 212, "set_robust_list" }, + { 213, "get_robust_list" }, + { 214, "splice" }, + { 215, "tee" }, + { 216, "vmsplice" }, + { 217, "getcpu" }, + { 218, "epoll_pwait" }, + { 219, "utimensat" }, + { 220, "signalfd" }, + { 221, "timerfd_create" }, + { 222, "eventfd" }, + { 223, "timerfd_settime" }, + { 224, "timerfd_gettime" }, + { 225, "signalfd4" }, + { 226, "eventfd2" }, + { 227, "epoll_create1" }, + { 228, "dup3" }, + { 229, "pipe2" }, + { 230, "inotify_init1" }, + { 231, "preadv" }, + { 232, "pwritev" }, + { 233, "rt_tgsigqueueinfo" }, + { 234, "perf_event_open" }, + { 235, "fanotify_init" }, + { 236, "prlimit64" }, + { 237, "clock_adjtime" }, + { 238, "syncfs" 
}, + { 239, "setns" }, + { 240, "getdents64" }, + { 241, "socket" }, + { 242, "bind" }, + { 243, "connect" }, + { 244, "listen" }, + { 245, "accept" }, + { 246, "getsockname" }, + { 247, "getpeername" }, + { 248, "socketpair" }, + { 249, "sendto" }, + { 250, "recvfrom" }, + { 251, "shutdown" }, + { 252, "setsockopt" }, + { 253, "getsockopt" }, + { 254, "sendmsg" }, + { 255, "sendmmsg" }, + { 256, "recvmsg" }, + { 257, "recvmmsg" }, + { 258, "accept4" }, + { 259, "semop" }, + { 260, "semget" }, + { 261, "semctl" }, + { 262, "msgsnd" }, + { 263, "msgrcv" }, + { 264, "msgget" }, + { 265, "msgctl" }, + { 266, "shmdt" }, + { 267, "shmget" }, + { 268, "shmctl" }, + { 269, "statfs64" }, + { 270, "fstatfs64" }, + { 271, "fstatat64" }, + { 272, "sendfile64" }, + { 273, "ugetrlimit" }, + { 274, "bdflush" }, + { 275, "sigprocmask" }, + { 276, "ipc" }, + { 277, "socketcall" }, + { 278, "stat64" }, + { 279, "lstat64" }, + { 280, "fstat64" }, + { 281, "fcntl64" }, + { 282, "mmap2" }, + { 283, "newselect" }, + { 284, "sgetmask" }, + { 285, "ssetmask" }, + { 286, "sigpending" }, + { 287, "olduname" }, + { 288, "umount" }, + { 289, "signal" }, + { 290, "nice" }, + { 291, "stime" }, + { 292, "llseek" }, + { 293, "waitpid" }, + { 294, "pread64" }, + { 295, "pwrite64" }, + { 296, "arch_prctl" }, + { 297, "shmat" }, + { 298, "sigreturn" }, + { 299, "fallocate" }, + { 300, "newfstatat" }, + { 301, "process_vm_readv" }, + { 302, "process_vm_writev" }, + { 303, "fork" }, + { 304, "vfork" }, + { 305, "setuid" }, + { 306, "getuid" }, + { 307, "setgid" }, + { 308, "geteuid" }, + { 309, "getgid" }, + { 310, "setresuid" }, + { 311, "setresgid" }, + { 312, "getresuid" }, + { 313, "getresgid" }, + { 0, NULL } +}; + +/* +static const value_string param_category_vals[] = { + { 1, "Other"}, + { 2, "File"}, + { 3, "Network operation"}, + { 4, "IPC operation"}, + { 5, "Memory operation"}, + { 6, "Process operation"}, + { 7, "Plain sleep"}, + { 8, "System operation"}, + { 9, "Signal operation"}, + { 
10, "User operation"},
+ { 11, "Time"},
+ { 12, "User-level processing"},
+ { 32, "I/O read"},
+ { 33, "I/O write"},
+ { 34, "I/O other"},
+ { 64, "General wait"},
+ {128, "Scheduler event"},
+ {256, "Internal event"},
+ {0, NULL}
+};
+*/
+
+/*
+static const value_string param_flag_vals[] = {
+ { 0, "None"},
+ {1 << 0, "Creates FD"},
+ {1 << 1, "Destroys FD"},
+ {1 << 2, "Uses FD"},
+ {1 << 3, "Reads from FD"},
+ {1 << 4, "Writes to FD"},
+ {1 << 5, "Modifies state"},
+ {1 << 6, "Unused"},
+ {1 << 7, "Waits"},
+ {1 << 8, "Skip parse reset"},
+ {1 << 9, "Old version"},
+ {0, NULL}
+};
+*/
+
+/*
+static const value_string param_subcategory_vals[] = {
+ { 0, "Unknown"},
+ { 1, "None"},
+ { 2, "Other"},
+ { 3, "File"},
+ { 4, "Net"},
+ { 5, "IPC"},
+ {0, NULL}
+};
+*/
+
+static inline const gchar *format_param_str(tvbuff_t *tvb, int offset, int len) {
+ char *param_str;
+
+ param_str = tvb_get_string_enc(wmem_packet_scope(), tvb, offset, len, ENC_UTF_8|ENC_NA);
+
+ if (len < 2) {
+ return param_str;
+ }
+ return format_text_chr(param_str, len - 1, ' '); /* Leave terminating NULLs alone. 
*/
+}
+
+/* Code to actually dissect the packets */
+
+static int
+dissect_header_lens(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding, const int **hf_indexes)
+{
+ int param_count;
+ proto_item *ti;
+ proto_tree *len_tree;
+
+ for (param_count = 0; hf_indexes[param_count]; param_count++);
+
+ ti = proto_tree_add_item(tree, hf_se_param_lens, tvb, offset, param_count * 2, ENC_NA);
+ len_tree = proto_item_add_subtree(ti, ett_sysdig_parm_lens);
+
+ for (param_count = 0; hf_indexes[param_count]; param_count++) {
+ proto_tree_add_item(len_tree, hf_se_param_len, tvb, offset + (param_count * 2), 2, encoding);
+ }
+
+ proto_item_set_len(ti, param_count * 2);
+ return param_count * 2;
+}
+
+/* Dissect events */
+
+static int
+dissect_event_params(tvbuff_t *tvb, int offset, proto_tree *tree, int encoding, const int **hf_indexes)
+{
+ int len_offset = offset;
+ int param_offset;
+ int cur_param;
+
+ param_offset = offset + dissect_header_lens(tvb, offset, tree, encoding, hf_indexes);
+
+ for (cur_param = 0; hf_indexes[cur_param]; cur_param++) {
+ int param_len = tvb_get_guint16(tvb, len_offset, encoding);
+ const int hf_index = *hf_indexes[cur_param];
+ if (proto_registrar_get_ftype(hf_index) == FT_STRING) {
+ proto_tree_add_string(tree, hf_index, tvb, param_offset, param_len,
+ format_param_str(tvb, param_offset, param_len));
+ } else {
+ proto_tree_add_item(tree, hf_index, tvb, param_offset, param_len, encoding);
+ }
+
+ param_offset += param_len;
+ len_offset += 2;
+ }
+ return param_offset - offset;
+}
+
+
+static int
+dissect_sysdig_event(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
+ void *data _U_)
+{
+ proto_item *ti;
+ proto_tree *se_tree, *syscall_tree;
+ guint event_type = pinfo->phdr->pseudo_header.sysdig_event.event_type;
+ int encoding = pinfo->phdr->pseudo_header.sysdig_event.byte_order == G_BIG_ENDIAN ? 
ENC_BIG_ENDIAN : ENC_LITTLE_ENDIAN;
+ const struct _event_col_info *cur_col_info;
+ const struct _event_tree_info *cur_tree_info;
+
+ /*** HEURISTICS ***/
+
+ /* Check that the packet is long enough for it to belong to us. */
+ if (tvb_reported_length(tvb) < SYSDIG_EVENT_MIN_LENGTH)
+ return 0;
+
+ /*** COLUMN DATA ***/
+
+ /*
+ * Sysdig uses the term "event" internally. So far every event has been
+ * a syscall.
+ */
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "System Call");
+
+ col_clear(pinfo->cinfo, COL_INFO);
+ col_add_str(pinfo->cinfo, COL_INFO, val_to_str(event_type, event_type_vals, "Unknown syscall %u"));
+ /*
+ * XXX We can ditch this in favor of a simple index when event_col_info
+ * is contiguous and in the correct order.
+ */
+ for (cur_col_info = event_col_info; cur_col_info->params; cur_col_info++) {
+ if (cur_col_info->event_type == event_type) {
+ const struct _event_col_info_param *cur_param = cur_col_info->params;
+ int param_offset = cur_col_info->num_len_fields * 2;
+
+ /* Find the data offset */
+ int cur_len_field;
+ for (cur_len_field = 0;
+ cur_len_field < cur_col_info->num_len_fields && cur_param->param_name;
+ cur_len_field++) {
+ unsigned param_len = tvb_get_guint16(tvb, cur_len_field * 2, encoding);
+ if (cur_param->param_num == cur_len_field) {
+ col_append_fstr(pinfo->cinfo, COL_INFO, ", %s=", cur_param->param_name);
+ switch (cur_param->param_ftype) {
+ case FT_STRING:
+ col_append_str(pinfo->cinfo, COL_INFO, format_param_str(tvb, param_offset, param_len));
+ break;
+ case FT_UINT64:
+ col_append_fstr(pinfo->cinfo, COL_INFO, "%" G_GUINT64_FORMAT, tvb_get_guint64(tvb, param_offset, encoding));
+ default:
+ break;
+ }
+ cur_param++;
+ }
+ param_offset += param_len;
+ }
+ }
+ }
+
+ /*** PROTOCOL TREE ***/
+
+ /* create display subtree for the protocol */
+ ti = proto_tree_add_item(tree, proto_sysdig_event, tvb, 0, -1, ENC_NA);
+
+ se_tree = proto_item_add_subtree(ti, ett_sysdig_event);
+
+ proto_tree_add_uint(se_tree, hf_se_cpu_id, tvb, 
0, 0, pinfo->phdr->pseudo_header.sysdig_event.cpu_id);
+ proto_tree_add_uint64(se_tree, hf_se_thread_id, tvb, 0, 0, pinfo->phdr->pseudo_header.sysdig_event.thread_id);
+ proto_tree_add_uint(se_tree, hf_se_event_length, tvb, 0, 0, pinfo->phdr->pseudo_header.sysdig_event.event_len);
+ ti = proto_tree_add_uint(se_tree, hf_se_event_type, tvb, 0, 0, event_type);
+
+ syscall_tree = proto_item_add_subtree(ti, ett_sysdig_syscall);
+
+ for (cur_tree_info = event_tree_info; cur_tree_info->hf_indexes; cur_tree_info++) {
+ if (cur_tree_info->event_type == event_type) {
+ dissect_event_params(tvb, 0, syscall_tree, encoding, cur_tree_info->hf_indexes);
+ break;
+ }
+ }
+
+ /* XXX */
+ /* return offset; */
+ return pinfo->phdr->pseudo_header.sysdig_event.event_len;
+}
+
+/* Register the protocol with Wireshark.
+ *
+ * This format is require because a script is used to build the C function that
+ * calls all the protocol registration.
+ */
+void
+proto_register_sysdig_event(void)
+{
+ /* XXX Match up with Sysdig's names. */
+ static hf_register_info hf[] = {
+ { &hf_se_cpu_id,
+ { "CPU ID", "sysdig.cpu_id",
+ FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }
+ },
+ { &hf_se_thread_id,
+ { "Thread ID", "sysdig.thread_id",
+ FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL }
+ },
+ { &hf_se_event_length,
+ { "Event length", "sysdig.event_len",
+ FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }
+ },
+ { &hf_se_event_type,
+ { "Event type", "sysdig.event_type",
+ FT_UINT16, BASE_DEC, VALS(event_type_vals), 0, NULL, HFILL }
+ },
+ { &hf_se_param_lens,
+ { "Parameter lengths", "sysdig.param.lens",
+ FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }
+ },
+ { &hf_se_param_len,
+ { "Parameter length", "sysdig.param.len",
+ FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }
+ },
+
+/* Header field registration. 
Automatically generated by tools/generate-sysdig-event.py */ + { &hf_param_ID_bytes, { "ID", "sysdig.param.syscall.ID", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_action_uint32, { "action", "sysdig.param.cpu_hotplug.action", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_addr_bytes, { "addr", "sysdig.param.ptrace.addr", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_addr_uint64, { "addr", "sysdig.param.munmap.addr", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_args_string, { "Program arguments", "sysdig.param.execve.args", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_argument_uint64, { "I/O control: argument", "sysdig.param.ioctl.argument", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_backlog_uint32, { "backlog", "sysdig.param.listen.backlog", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_cgroups_bytes, { "cgroups", "sysdig.param.execve.cgroups", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_clockid_uint8, { "clockid", "sysdig.param.timerfd_create.clockid", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_cmd_bytes, { "cmd", "sysdig.param.semctl.cmd", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_comm_string, { "Command", "sysdig.param.execve.comm", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_cpu_sys_uint64, { "cpu_sys", "sysdig.param.procinfo.cpu_sys", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_cpu_uint32, { "cpu", "sysdig.param.cpu_hotplug.cpu", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_cpu_usr_uint64, { "cpu_usr", "sysdig.param.procinfo.cpu_usr", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_cur_int64, { "cur", "sysdig.param.setrlimit.cur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_cwd_string, { "Current working directory", "sysdig.param.execve.cwd", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_data_bytes, { 
"data", "sysdig.param.ptrace.data", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dev_string, { "dev", "sysdig.param.mount.dev", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dir_string, { "dir", "sysdig.param.mount.dir", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dirfd_int64, { "dirfd", "sysdig.param.unlinkat.dirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_domain_bytes, { "domain", "sysdig.param.socketpair.domain", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dpid_bytes, { "dpid", "sysdig.param.signaldeliver.dpid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dqb_bhardlimit_uint64, { "dqb_bhardlimit", "sysdig.param.quotactl.dqb_bhardlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_dqb_bsoftlimit_uint64, { "dqb_bsoftlimit", "sysdig.param.quotactl.dqb_bsoftlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_dqb_btime_bytes, { "dqb_btime", "sysdig.param.quotactl.dqb_btime", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dqb_curspace_uint64, { "dqb_curspace", "sysdig.param.quotactl.dqb_curspace", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_dqb_ihardlimit_uint64, { "dqb_ihardlimit", "sysdig.param.quotactl.dqb_ihardlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_dqb_isoftlimit_uint64, { "dqb_isoftlimit", "sysdig.param.quotactl.dqb_isoftlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_dqb_itime_bytes, { "dqb_itime", "sysdig.param.quotactl.dqb_itime", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dqi_bgrace_bytes, { "dqi_bgrace", "sysdig.param.quotactl.dqi_bgrace", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dqi_flags_bytes, { "dqi_flags", "sysdig.param.quotactl.dqi_flags", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_dqi_igrace_bytes, { "dqi_igrace", "sysdig.param.quotactl.dqi_igrace", FT_BYTES, BASE_NONE, NULL, 0, 
NULL, HFILL } }, + { &hf_param_egid_bytes, { "egid", "sysdig.param.getresgid.egid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_env_string, { "env", "sysdig.param.execve.env", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_euid_bytes, { "euid", "sysdig.param.getresuid.euid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_event_data_uint64, { "event_data", "sysdig.param.sysdigevent.event_data", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_event_type_uint32, { "event_type", "sysdig.param.sysdigevent.event_type", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_exe_string, { "exe", "sysdig.param.execve.exe", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_fd1_int64, { "fd1", "sysdig.param.pipe.fd1", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_fd2_int64, { "fd2", "sysdig.param.pipe.fd2", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_fd_in_int64, { "fd_in", "sysdig.param.splice.fd_in", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_fd_int64, { "fd", "sysdig.param.accept.fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_fd_out_int64, { "fd_out", "sysdig.param.splice.fd_out", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_fdlimit_int64, { "fdlimit", "sysdig.param.vfork.fdlimit", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_fdlimit_uint64, { "fdlimit", "sysdig.param.execve.fdlimit", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_fds_bytes, { "fds", "sysdig.param.ppoll.fds", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_flags_bytes, { "flags", "sysdig.param.umount.flags", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_flags_uint32, { "flags", "sysdig.param.accept.flags", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_gid_bytes, { "gid", "sysdig.param.getgid.gid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_gid_uint32, { "gid", 
"sysdig.param.vfork.gid", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_how_bytes, { "how", "sysdig.param.shutdown.how", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_id_string, { "id", "sysdig.param.container.id", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_id_uint32, { "id", "sysdig.param.quotactl.id", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_image_string, { "image", "sysdig.param.container.image", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_in_fd_int64, { "in_fd", "sysdig.param.sendfile.in_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_initval_uint64, { "initval", "sysdig.param.eventfd.initval", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_ino_uint64, { "ino", "sysdig.param.pipe.ino", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_interval_bytes, { "interval", "sysdig.param.nanosleep.interval", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_length_uint64, { "length", "sysdig.param.munmap.length", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_linkdirfd_int64, { "linkdirfd", "sysdig.param.symlinkat.linkdirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_linkpath_string, { "linkpath", "sysdig.param.symlinkat.linkpath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_mask_uint32, { "mask", "sysdig.param.signalfd.mask", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_max_int64, { "max", "sysdig.param.setrlimit.max", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_maxevents_bytes, { "maxevents", "sysdig.param.epoll_wait.maxevents", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_mode_uint32, { "mode", "sysdig.param.openat.mode", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_name_string, { "name", "sysdig.param.umount.name", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_nativeID_uint16, { "nativeID", 
"sysdig.param.syscall.nativeID", FT_UINT16, BASE_DEC, VALS(nativeID_uint16_vals), 0, NULL, HFILL } }, + { &hf_param_newcur_int64, { "newcur", "sysdig.param.prlimit.newcur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_newdir_int64, { "newdir", "sysdig.param.linkat.newdir", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_newdirfd_int64, { "newdirfd", "sysdig.param.renameat.newdirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_newmax_int64, { "newmax", "sysdig.param.prlimit.newmax", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_newpath_string, { "newpath", "sysdig.param.renameat.newpath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_next_bytes, { "next", "sysdig.param.switch.next", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_nsops_uint32, { "nsops", "sysdig.param.semop.nsops", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_nstype_bytes, { "nstype", "sysdig.param.setns.nstype", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_offset_uint64, { "offset", "sysdig.param.sendfile.offset", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_oldcur_int64, { "oldcur", "sysdig.param.prlimit.oldcur", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_olddir_int64, { "olddir", "sysdig.param.linkat.olddir", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_olddirfd_int64, { "olddirfd", "sysdig.param.renameat.olddirfd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_oldmax_int64, { "oldmax", "sysdig.param.prlimit.oldmax", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_oldpath_string, { "oldpath", "sysdig.param.renameat.oldpath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_op_bytes, { "op", "sysdig.param.futex.op", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_operation_bytes, { "operation", "sysdig.param.flock.operation", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { 
&hf_param_out_fd_int64, { "out_fd", "sysdig.param.sendfile.out_fd", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_path_string, { "path", "sysdig.param.unlink.path", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_peer_uint64, { "peer", "sysdig.param.socketpair.peer", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_pgft_maj_uint64, { "pgft_maj", "sysdig.param.execve.pgft_maj", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_pgft_min_uint64, { "pgft_min", "sysdig.param.execve.pgft_min", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_pgoffset_uint64, { "pgoffset", "sysdig.param.mmap2.pgoffset", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_pid_bytes, { "pid", "sysdig.param.execve.pid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_pos_uint64, { "pos", "sysdig.param.pwritev.pos", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_prot_bytes, { "prot", "sysdig.param.mmap2.prot", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_proto_uint32, { "proto", "sysdig.param.socketpair.proto", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_ptid_bytes, { "ptid", "sysdig.param.execve.ptid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_queuelen_uint32, { "queuelen", "sysdig.param.accept.queuelen", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_queuemax_uint32, { "queuemax", "sysdig.param.accept.queuemax", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_queuepct_uint8, { "Accept queue per connection", "sysdig.param.accept.queuepct", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_quota_fmt_bytes, { "quota_fmt", "sysdig.param.quotactl.quota_fmt", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_quota_fmt_out_bytes, { "quota_fmt_out", "sysdig.param.quotactl.quota_fmt_out", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_quotafilepath_string, { "quotafilepath", 
"sysdig.param.quotactl.quotafilepath", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_ratio_uint32, { "ratio", "sysdig.param.drop.ratio", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_request_bytes, { "request", "sysdig.param.ptrace.request", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_request_uint64, { "I/O control: request", "sysdig.param.ioctl.request", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_res_bytes, { "res", "sysdig.param.umount.res", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_res_int64, { "res", "sysdig.param.fcntl.res", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_res_uint64, { "res", "sysdig.param.mmap2.res", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_resource_bytes, { "resource", "sysdig.param.prlimit.resource", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_rgid_bytes, { "rgid", "sysdig.param.getresgid.rgid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_ruid_bytes, { "ruid", "sysdig.param.getresuid.ruid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_sem_flg_0_bytes, { "sem_flg_0", "sysdig.param.semop.sem_flg_0", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_sem_flg_1_bytes, { "sem_flg_1", "sysdig.param.semop.sem_flg_1", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_sem_num_0_uint16, { "sem_num_0", "sysdig.param.semop.sem_num_0", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_sem_num_1_uint16, { "sem_num_1", "sysdig.param.semop.sem_num_1", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_sem_op_0_int16, { "sem_op_0", "sysdig.param.semop.sem_op_0", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_sem_op_1_int16, { "sem_op_1", "sysdig.param.semop.sem_op_1", FT_INT16, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_semid_int32, { "semid", "sysdig.param.semctl.semid", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { 
&hf_param_semnum_int32, { "semnum", "sysdig.param.semctl.semnum", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_sgid_bytes, { "sgid", "sysdig.param.getresgid.sgid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_sig_bytes, { "sig", "sysdig.param.signaldeliver.sig", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_sigmask_bytes, { "sigmask", "sysdig.param.ppoll.sigmask", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_size_uint32, { "size", "sysdig.param.pwritev.size", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_size_uint64, { "size", "sysdig.param.sendfile.size", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_source_uint64, { "source", "sysdig.param.socketpair.source", FT_UINT64, BASE_HEX, NULL, 0, NULL, HFILL } }, + { &hf_param_special_string, { "special", "sysdig.param.quotactl.special", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_spid_bytes, { "spid", "sysdig.param.signaldeliver.spid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_status_bytes, { "status", "sysdig.param.procexit.status", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_suid_bytes, { "suid", "sysdig.param.getresuid.suid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_target_string, { "target", "sysdig.param.symlinkat.target", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_tid_bytes, { "tid", "sysdig.param.execve.tid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_timeout_bytes, { "timeout", "sysdig.param.ppoll.timeout", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_timeout_int64, { "timeout", "sysdig.param.poll.timeout", FT_INT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_tuple_bytes, { "tuple", "sysdig.param.accept.tuple", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_type_bytes, { "type", "sysdig.param.quotactl.type", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { 
&hf_param_type_string, { "type", "sysdig.param.mount.type", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_type_uint32, { "type", "sysdig.param.container.type", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_uid_bytes, { "uid", "sysdig.param.getuid.uid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_uid_uint32, { "uid", "sysdig.param.vfork.uid", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_val_int32, { "val", "sysdig.param.semctl.val", FT_INT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_val_uint64, { "val", "sysdig.param.futex.val", FT_UINT64, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_vm_rss_uint32, { "vm_rss", "sysdig.param.execve.vm_rss", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_vm_size_uint32, { "vm_size", "sysdig.param.execve.vm_size", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_vm_swap_uint32, { "vm_swap", "sysdig.param.execve.vm_swap", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL } }, + { &hf_param_vpid_bytes, { "vpid", "sysdig.param.vfork.vpid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_vtid_bytes, { "vtid", "sysdig.param.vfork.vtid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + { &hf_param_whence_bytes, { "whence", "sysdig.param.llseek.whence", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL } }, + + }; + + /* Setup protocol subtree array */ + static gint *ett[] = { + &ett_sysdig_event, + &ett_sysdig_parm_lens, + &ett_sysdig_syscall + }; + + /* Register the protocol name and description */ + proto_sysdig_event = proto_register_protocol("Sysdig System Call", + "Sysdig Event", "sysdig"); + + /* Required function calls to register the header fields and subtrees */ + proto_register_field_array(proto_sysdig_event, hf, array_length(hf)); + proto_register_subtree_array(ett, array_length(ett)); +} + +#define BLOCK_TYPE_SYSDIG_EVENT 0x00000204 +void +proto_reg_handoff_sysdig_event(void) +{ + dissector_handle_t sysdig_event_handle; + + /* Use 
new_create_dissector_handle() to indicate that dissect_sysdig_event() + * returns the number of bytes it dissected (or 0 if it thinks the packet + * does not belong to PROTONAME). + */ + sysdig_event_handle = new_create_dissector_handle(dissect_sysdig_event, + proto_sysdig_event); + dissector_add_uint("pcapng.block_type", BLOCK_TYPE_SYSDIG_EVENT, sysdig_event_handle); +} + +/* + * Editor modelines - https://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 4 + * tab-width: 8 + * indent-tabs-mode: nil + * End: + * + * vi: set shiftwidth=4 tabstop=8 expandtab: + * :indentSize=4:tabSize=8:noTabs=true: + */ diff --git a/tools/Makefile.am b/tools/Makefile.am index 658cb2a1e3..2b582c8cbc 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -137,6 +137,7 @@ EXTRA_DIST = \ fuzz-test.sh \ gen-bugnote \ generate-bacnet-vendors.py \ + generate-sysdig-event.py \ Get-HardenFlags.ps1 \ git-compare-abis.sh \ git-export-release.sh \ diff --git a/tools/generate-sysdig-event.py b/tools/generate-sysdig-event.py new file mode 100755 index 0000000000..659bcb38f1 --- /dev/null +++ b/tools/generate-sysdig-event.py 
@@ -0,0 +1,345 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +# +# Wireshark - Network traffic analyzer +# By Gerald Combs <gerald@wireshark.org> +# Copyright 1998 Gerald Combs +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +'''\ +Generate Sysdig event dissector sections from the sysdig sources. + +Reads driver/event_table.c and driver/ppm_events_public.h and generates +corresponding dissection code in packet-sysdig-event.c. Updates are +performed in-place in the dissector code. + +Requires an Internet connection. Assets are loaded from GitHub over HTTPS. 
+''' + +import os +import os.path +import re +import urllib2 +import sys + +sysdig_repo_pfx = 'https://raw.githubusercontent.com/draios/sysdig/0.5.0/' + +ppm_ev_pub = urllib2.urlopen(sysdig_repo_pfx + 'driver/ppm_events_public.h') +ppm_ev_pub_lines = ppm_ev_pub.readlines() +ppm_ev_pub.close() + +ppme_re = re.compile('^\s+PPME_([A-Z0-9_]+_[EX])\s*=\s*([0-9]+)\s*,') + +event_info_d = {} + +def get_event_defines(): + event_d = {} + for line in ppm_ev_pub_lines: + m = ppme_re.match(line) + if m: + event_d[int(m.group(2))] = m.group(1) + return event_d + +ppm_ev_table = urllib2.urlopen(sysdig_repo_pfx + 'driver/event_table.c') +ppm_ev_table_lines = ppm_ev_table.readlines() +ppm_ev_table.close() + +hf_d = {} + +event_info_re = re.compile('^\s+/\*\s*PPME_.*\*\/\s*{\s*"([A-Za-z0-9_]+)"\s*,[^,]+,[^,]+,\s*([0-9]+)\s*[,{}]') +event_param_re = re.compile('{\s*"([A-Za-z0-9_]+)"\s*,\s*PT_([A-Z0-9_]+)\s*,\s*PF_([A-Z0-9_]+)\s*[,}]') + +def get_event_names(): + '''Return a contiguous list of event names. Names are lower case.''' + event_name_l = [] + for line in ppm_ev_table_lines: + ei = event_info_re.match(line) + if ei: + event_name_l.append(ei.group(1)) + return event_name_l + +# PT_xxx to FT_xxx +pt_to_ft = { + 'BYTEBUF': 'BYTES', + 'CHARBUF': 'STRING', + 'FD': 'INT64', + 'FSPATH': 'STRING', +} + +def get_event_params(): + '''Return a list of dictionaries containing event names and parameter info.''' + event_param_l = [] + event_num = 0 + force_string_l = ['args', 'env'] + for line in ppm_ev_table_lines: + ei = event_info_re.match(line) + ep = event_param_re.findall(line) + if ei and ep: + src_param_count = int(ei.group(2)) + if len(ep) != src_param_count: + err_msg = '{}: found {} parameters. Expected {}. 
Params: {}'.format( + ei.group(1), len(ep), src_param_count, repr(ep)) + raise NameError(err_msg) + for p in ep: + if p[0] in force_string_l: + param_type = 'STRING' + elif p[1] in pt_to_ft: + param_type = pt_to_ft[p[1]] + elif p[0] == 'flags' and p[1].startswith('INT') and 'HEX' in p[2]: + param_type = 'U' + p[1] + elif 'INT' in p[1]: + # Ints + param_type = p[1] + else: + # Fall back to bytes + param_type = 'BYTES' + + if p[2] == 'NA': + if 'INT' in param_type: + param_format = 'DEC' + else: + param_format = 'NONE' + elif param_type == 'BYTES': + param_format = 'NONE' + else: + param_format = p[2] + param_d = { + 'event_name': ei.group(1), + 'event_num': event_num, + 'param_name': p[0], + 'param_type': param_type, + 'param_format': param_format, + } + event_param_l.append(param_d) + if ei: + event_num += 1 + return event_param_l + +def param_to_hf_name(param): + return 'hf_param_{}_{}'.format(param['param_name'], param['param_type'].lower()) + +def param_to_value_string_name(param): + return '{}_{}_vals'.format(param['param_name'], param['param_type'].lower()) + +def get_param_desc(param): + # Try to coerce event names and parameters into human-friendly + # strings. + # XXX This could use some work. + + # Specific descriptions. Event name + parameter name. + param_descs = { + 'accept.queuepct': 'Accept queue per connection', + 'execve.args': 'Program arguments', + 'execve.comm': 'Command', + 'execve.cwd': 'Current working directory', + } + # General descriptions. Event name only. 
+ event_descs = { + 'ioctl': 'I/O control', + } + + event_name = param['event_name'] + param_id = '{}.{}'.format(event_name, param['param_name']) + if param_id in param_descs: + param_desc = param_descs[param_id] + elif event_name in event_descs: + param_desc = '{}: {}'.format(event_descs[event_name], param['param_name']) + else: + param_desc = param['param_name'] + return param_desc + +def main(): + # Event list + event_d = get_event_defines() + event_nums = event_d.keys() + event_nums.sort() + + event_name_l = get_event_names() + event_param_l = get_event_params() + + hf_d = {} + for param in event_param_l: + hf_name = param_to_hf_name(param) + hf_d[hf_name] = param + + idx_id_to_name = { '': 'no' } + parameter_index_l = [] + + for en in range (0, len(event_nums)): + param_id = '' + param_l = [] + event_var = event_d[en].lower() + for param in event_param_l: + if param['event_num'] == en: + hf_name = param_to_hf_name(param) + param_l.append(hf_name) + param_id += ':' + param['param_name'] + '_' + param['param_type'] + + ei_str = '' + if param_id not in idx_id_to_name: + idx_id_to_name[param_id] = event_var + ei_str = 'static const int *{}_indexes[] = {{ &{}, NULL }};'.format( + event_var, + ', &'.join(param_l) + ) + else: + ei_str = '#define {}_indexes {}_indexes'.format(event_var, idx_id_to_name[param_id]) + + parameter_index_l.append(ei_str) + + dissector_path = os.path.join(os.path.dirname(__file__), + '..', 'epan', 'dissectors', 'packet-sysdig-event.c') + dissector_f = open(dissector_path, 'r') + dissector_lines = list(dissector_f) + dissector_f = open(dissector_path, 'w+') + + # Strip out old content + strip_re_l = [] + strip_re_l.append(re.compile('^static\s+int\s+hf_param_.*;')) + strip_re_l.append(re.compile('^#define\s+EVT_STR_[A-Z0-9_]+\s+"[A-Za-z0-9_]+"')) + strip_re_l.append(re.compile('^#define\s+EVT_[A-Z0-9_]+\s+[0-9]+')) + strip_re_l.append(re.compile('^\s*{\s*EVT_[A-Z0-9_]+\s*,\s*EVT_STR_[A-Z0-9_]+\s*}')) + 
strip_re_l.append(re.compile('^static\s+const\s+int\s+\*\s*[a-z0-9_]+_[ex]_indexes\[\]\s*=\s*\{\s*&hf_param_.*NULL\s*\}\s*;')) + strip_re_l.append(re.compile('^\s*#define\s+[a-z0-9_]+_[ex]_indexes\s+[a-z0-9_]+_indexes')) + strip_re_l.append(re.compile('^\s*\{\s*EVT_[A-Z0-9_]+_[EX]\s*,\s*[a-z0-9_]+_[ex]_indexes\s*}\s*,')) + strip_re_l.append(re.compile('^\s*{\s*&hf_param_.*},')) # Must all be on one line + + for strip_re in strip_re_l: + dissector_lines = [l for l in dissector_lines if not strip_re.search(l)] + + # Find our value strings + value_string_re = re.compile('static\s+const\s+value_string\s+([A-Za-z0-9_]+_vals)') + value_string_l = [] + for line in dissector_lines: + vs = value_string_re.match(line) + if vs: + value_string_l.append(vs.group(1)) + + # Add in new content after comments. + + header_fields_c = 'Header fields' + header_fields_re = re.compile('/\*\s+' + header_fields_c, flags = re.IGNORECASE) + header_fields_l = [] + for hf_name in sorted(hf_d.keys()): + header_fields_l.append('static int {} = -1;'.format(hf_name)) + + event_names_c = 'Event names' + event_names_re = re.compile('/\*\s+' + event_names_c, flags = re.IGNORECASE) + event_names_l = [] + event_str_l = list(set(event_name_l)) + event_str_l.sort() + for evt_str in event_str_l: + event_names_l.append('#define EVT_STR_{0:24s} "{1:s}"'.format(evt_str.upper(), evt_str)) + + event_definitions_c = 'Event definitions' + event_definitions_re = re.compile('/\*\s+' + event_definitions_c, flags = re.IGNORECASE) + event_definitions_l = [] + for evt in event_nums: + event_definitions_l.append('#define EVT_{0:24s} {1:3d}'.format(event_d[evt], evt)) + + value_strings_c = 'Value strings' + value_strings_re = re.compile('/\*\s+' + value_strings_c, flags = re.IGNORECASE) + value_strings_l = [] + for evt in event_nums: + evt_num = 'EVT_{},'.format(event_d[evt]) + evt_str = 'EVT_STR_' + event_name_l[evt].upper() + value_strings_l.append(' {{ {0:<32s} {1:s} }},'.format(evt_num, evt_str)) + + 
parameter_index_c = 'Parameter indexes' + parameter_index_re = re.compile('/\*\s+' + parameter_index_c, flags = re.IGNORECASE) + # parameter_index_l defined above. + + event_tree_c = 'Event tree' + event_tree_re = re.compile('/\*\s+' + event_tree_c, flags = re.IGNORECASE) + event_tree_l = [] + for evt in event_nums: + evt_num = 'EVT_{}'.format(event_d[evt]) + evt_idx = '{}_indexes'.format(event_d[evt].lower()) + event_tree_l.append(' {{ {}, {} }},'.format(evt_num, evt_idx)) + + header_field_reg_c = 'Header field registration' + header_field_reg_re = re.compile('/\*\s+' + header_field_reg_c, flags = re.IGNORECASE) + header_field_reg_l = [] + for hf_name in sorted(hf_d.keys()): + param = hf_d[hf_name] + event_name = param['event_name'] + param_desc = get_param_desc(param) + param_name = param['param_name'] + param_type = param['param_type'] + param_format = param['param_format'] + fieldconvert = 'NULL' + vs_name = param_to_value_string_name(param) + if vs_name in value_string_l and 'INT' in param_type: + fieldconvert = 'VALS({})'.format(vs_name) + header_field_reg_l.append(' {{ &{}, {{ "{}", "sysdig.param.{}.{}", FT_{}, BASE_{}, {}, 0, NULL, HFILL }} }},'.format( + hf_name, + param_desc, + event_name, + param_name, + param_type, + param_format, + fieldconvert + )) + + for line in dissector_lines: + fill_comment = None + fill_l = [] + + if header_fields_re.match(line): + fill_comment = header_fields_c + fill_l = header_fields_l + elif event_names_re.match(line): + fill_comment = event_names_c + fill_l = event_names_l + elif event_definitions_re.match(line): + fill_comment = event_definitions_c + fill_l = event_definitions_l + elif value_strings_re.match(line): + fill_comment = value_strings_c + fill_l = value_strings_l + elif parameter_index_re.match(line): + fill_comment = parameter_index_c + fill_l = parameter_index_l + elif event_tree_re.match(line): + fill_comment = event_tree_c + fill_l = event_tree_l + elif header_field_reg_re.match(line): + fill_comment = 
header_field_reg_c + fill_l = header_field_reg_l + + if fill_comment is not None: + # Write our comment followed by the content + print('Generating {}, {:d} lines'.format(fill_comment, len(fill_l))) + dissector_f.write('/* {}. Automatically generated by tools/{} */\n'.format( + fill_comment, + os.path.basename(__file__) + )) + for line in fill_l: + dissector_f.write('{}\n'.format(line)) + # Fill each section only once + del fill_l[:] + else: + # Existing content + dissector_f.write(line) + + dissector_f.close() + +# +# On with the show +# + +if __name__ == "__main__": + sys.exit(main()) diff --git a/wiretap/pcapng.c b/wiretap/pcapng.c index a9cad5fc4f..fbd51d3d07 100644 --- a/wiretap/pcapng.c +++ b/wiretap/pcapng.c @@ -183,6 +183,11 @@ typedef struct pcapng_interface_statistics_block_s { */ #define MIN_ISB_SIZE ((guint32)(MIN_BLOCK_SIZE + sizeof(pcapng_interface_statistics_block_t))) +/* + * Minimum Sysdig size = minimum block size + packed size of sysdig_event_phdr. + */ +#define MIN_SYSDIG_EVENT_SIZE ((guint32)(MIN_BLOCK_SIZE)) + ((16 + 64 + 64 + 32 + 16) / 8) + /* pcapng: common option header file encoding for every option type */ typedef struct pcapng_option_header_s { guint16 option_code; @@ -196,7 +201,6 @@ struct option { guint16 value_length; }; - /* Option codes: 16-bit field */ #define OPT_EOFOPT 0x0000 #define OPT_COMMENT 0x0001 @@ -378,8 +382,9 @@ register_pcapng_block_type_handler(guint block_type, block_reader reader, #define BT_INDEX_PBS 2 /* all packet blocks */ #define BT_INDEX_NRB 3 #define BT_INDEX_ISB 4 +#define BT_INDEX_EVT 5 -#define NUM_BT_INDICES 5 +#define NUM_BT_INDICES 6 static GHashTable *option_handlers[NUM_BT_INDICES]; @@ -412,6 +417,11 @@ get_block_type_index(guint block_type, guint *bt_index) *bt_index = BT_INDEX_ISB; break; + case BLOCK_TYPE_SYSDIG_EVENT: + /* case BLOCK_TYPE_SYSDIG_EVF: */ + *bt_index = BT_INDEX_EVT; + break; + default: /* * This is a block type we don't process; either we ignore it, 
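Review bot: The generator fetches `driver/event_table.c` and `driver/ppm_events_public.h` from a tag reference (`sysdig_repo_pfx = 'https://raw.githubusercontent.com/draios/sysdig/0.5.0/'`), and a git tag can be moved, so the C that gets compiled into the dissector depends on whatever the remote serves at generation time; pinning the prefix to a commit hash (`'https://raw.githubusercontent.com/draios/sysdig/<commit-sha>/'`, value to be filled in) or comparing the fetched files against a recorded digest makes the output reproducible and reviewable. In `main()` the read handle from `dissector_f = open(dissector_path, 'r')` is never closed before the name is rebound to the `'w+'` handle, and `'w+'` truncates the dissector before any output is written, so an exception inside the fill loop leaves an empty `packet-sysdig-event.c`; writing to a temporary file and renaming it over the original on success avoids both. The `urllib2` import and `event_d.keys()` followed by `.sort()` tie the script to Python 2, which the module docstring should state.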
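Review bot: `MIN_SYSDIG_EVENT_SIZE` is not parenthesised as a whole: the cast covers only `MIN_BLOCK_SIZE`, and the trailing `+ ((16 + 64 + 64 + 32 + 16) / 8)` is exposed to whatever operator surrounds the macro at a use site, unlike `MIN_ISB_SIZE` directly above it. The uses in this commit (`<`, `-=`, a `g_strdup_printf` argument) happen to bind correctly, but `MIN_SYSDIG_EVENT_SIZE * 2` or `-MIN_SYSDIG_EVENT_SIZE` would not. Wrapping the whole expression, `#define MIN_SYSDIG_EVENT_SIZE ((guint32)(MIN_BLOCK_SIZE + ((16 + 64 + 64 + 32 + 16) / 8)))`, and saying in the comment that the bit sum is the 24-byte packed event header removes the hazard.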
@@ -2155,6 +2165,96 @@ pcapng_read_interface_statistics_block(FILE_T fh, pcapng_block_header_t *bh, pca
 return TRUE;
 }
+static gboolean
+pcapng_read_sysdig_event_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn _U_, wtapng_block_t *wblock, int *err, gchar **err_info)
+{
+ unsigned block_read;
+ guint32 block_total_length;
+ guint16 cpu_id;
+ guint64 wire_ts;
+ guint64 ts;
+ guint64 thread_id;
+ guint32 event_len;
+ guint16 event_type;
+
+ if (bh->block_total_length < MIN_SYSDIG_EVENT_SIZE) {
+ *err = WTAP_ERR_BAD_FILE;
+ *err_info = g_strdup_printf("%s: total block length %u is too small (< %u)", G_STRFUNC,
+ bh->block_total_length, MIN_SYSDIG_EVENT_SIZE);
+ return FALSE;
+ }
+
+ /* add padding bytes to "block total length" */
+ /* (the "block total length" of some example files don't contain any padding bytes!) */
+ if (bh->block_total_length % 4) {
+ block_total_length = bh->block_total_length + 4 - (bh->block_total_length % 4);
+ } else {
+ block_total_length = bh->block_total_length;
+ }
+
+ pcapng_debug("pcapng_read_sysdig_event_block: block_total_length %u",
+ bh->block_total_length);
+
+ wblock->packet_header->rec_type = REC_TYPE_FT_SPECIFIC_EVENT;
+ wblock->packet_header->pseudo_header.sysdig_event.record_type = BLOCK_TYPE_SYSDIG_EVENT;
+ wblock->packet_header->presence_flags = WTAP_HAS_TS|WTAP_HAS_CAP_LEN /*|WTAP_HAS_INTERFACE_ID */;
+ wblock->packet_header->pkt_tsprec = WTAP_TSPREC_NSEC;
+
+ block_read = block_total_length;
+
+ if (!wtap_read_bytes(fh, &cpu_id, sizeof cpu_id, err, err_info)) {
+ pcapng_debug("pcapng_read_packet_block: failed to read sysdig event cpu id");
+ return FALSE;
+ }
+ if (!wtap_read_bytes(fh, &wire_ts, sizeof wire_ts, err, err_info)) {
+ pcapng_debug("pcapng_read_packet_block: failed to read sysdig event timestamp");
+ return FALSE;
+ }
+ if (!wtap_read_bytes(fh, &thread_id, sizeof thread_id, err, err_info)) {
+ pcapng_debug("pcapng_read_packet_block: failed to read sysdig event thread id");
+ return FALSE;
+ }
+ if (!wtap_read_bytes(fh, &event_len, sizeof event_len, err, err_info)) {
+ pcapng_debug("pcapng_read_packet_block: failed to read sysdig event length");
+ return FALSE;
+ }
+ if (!wtap_read_bytes(fh, &event_type, sizeof event_type, err, err_info)) {
+ pcapng_debug("pcapng_read_packet_block: failed to read sysdig event type");
+ return FALSE;
+ }
+
+ block_read -= MIN_SYSDIG_EVENT_SIZE;
+ wblock->packet_header->pseudo_header.sysdig_event.byte_order = G_BYTE_ORDER;
+
+ if (pn->byte_swapped) {
+ wblock->packet_header->pseudo_header.sysdig_event.byte_order =
+ G_BYTE_ORDER == G_LITTLE_ENDIAN ? G_BIG_ENDIAN : G_LITTLE_ENDIAN;
+ wblock->packet_header->pseudo_header.sysdig_event.cpu_id = GUINT16_SWAP_LE_BE(cpu_id);
+ ts = GUINT64_SWAP_LE_BE(wire_ts);
+ wblock->packet_header->pseudo_header.sysdig_event.thread_id = GUINT64_SWAP_LE_BE(thread_id);
+ wblock->packet_header->pseudo_header.sysdig_event.event_len = GUINT32_SWAP_LE_BE(event_len);
+ wblock->packet_header->pseudo_header.sysdig_event.event_type = GUINT16_SWAP_LE_BE(event_type);
+ } else {
+ wblock->packet_header->pseudo_header.sysdig_event.cpu_id = cpu_id;
+ ts = wire_ts;
+ wblock->packet_header->pseudo_header.sysdig_event.thread_id = thread_id;
+ wblock->packet_header->pseudo_header.sysdig_event.event_len = event_len;
+ wblock->packet_header->pseudo_header.sysdig_event.event_type = event_type;
+ }
+
+ wblock->packet_header->ts.secs = (time_t) (ts / 1000000000);
+ wblock->packet_header->ts.nsecs = (int) (ts % 1000000000);
+
+ wblock->packet_header->caplen = block_read;
+ wblock->packet_header->len = wblock->packet_header->pseudo_header.sysdig_event.event_len;
+
+ /* "Sysdig Event Block" read event data */
+ if (!wtap_read_packet_bytes(fh, wblock->frame_buffer,
+ block_read, err, err_info))
+ return FALSE;
+
+ return TRUE;
+}
 static gboolean
 pcapng_read_unknown_block(FILE_T fh, pcapng_block_header_t *bh, pcapng_t *pn _U_, wtapng_block_t *wblock _U_, int *err, gchar **err_info)
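Review bot: `block_read`, derived from the file-supplied `block_total_length`, is handed to `wtap_read_packet_bytes` as the capture length with no upper bound inside this function, so unless `pcapng_read_block` already rejects oversized blocks before dispatching (not visible in this hunk) a crafted 32-bit length drives a buffer allocation of up to 4 GiB from a tiny file; I believe the packet-block readers in this file cap against `WTAP_MAX_PACKET_SIZE`, and `if (block_read > WTAP_MAX_PACKET_SIZE) { *err = WTAP_ERR_BAD_FILE; *err_info = g_strdup_printf("%s: event data length %u is too large", G_STRFUNC, block_read); return FALSE; }` right after `block_read -= MIN_SYSDIG_EVENT_SIZE;` would make this reader self-contained. `caplen` is also taken from the length after it has been rounded up to a multiple of 4, so up to three alignment bytes reach the dissector as event data; computing `caplen` from `bh->block_total_length` and skipping the padding separately keeps them apart. Smaller points: the five `pcapng_debug` failure strings still carry the `pcapng_read_packet_block:` prefix, `pn` is marked `_U_` although `pn->byte_swapped` is read, and `pseudo_header.sysdig_event.timestamp` (declared in this commit's `wtap.h` hunk) is never assigned here, so a consumer reading it would see whatever the field previously held rather than `ts`.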
@@ -2290,6 +2390,11 @@ pcapng_read_block(wtap *wth, FILE_T fh, pcapng_t *pn, wtapng_block_t *wblock, in
 if (!pcapng_read_interface_statistics_block(fh, &bh, pn, wblock, err, err_info))
 return PCAPNG_BLOCK_ERROR;
 break;
+ case(BLOCK_TYPE_SYSDIG_EVENT):
+ /* case(BLOCK_TYPE_SYSDIG_EVF): */
+ if (!pcapng_read_sysdig_event_block(fh, &bh, pn, wblock, err, err_info))
+ return PCAPNG_BLOCK_ERROR;
+ break;
 default:
 pcapng_debug("pcapng_read_block: Unknown block_type: 0x%x (block ignored), block total length %d", bh.block_type, bh.block_total_length);
 if (!pcapng_read_unknown_block(fh, &bh, pn, wblock, err, err_info))
@@ -2523,6 +2628,8 @@ pcapng_read(wtap *wth, int *err, gchar **err_info, gint64 *data_offset)
 case(BLOCK_TYPE_PB):
 case(BLOCK_TYPE_SPB):
 case(BLOCK_TYPE_EPB):
+ case(BLOCK_TYPE_SYSDIG_EVENT):
+ case(BLOCK_TYPE_SYSDIG_EVF):
 /* packet block - we've found a packet */
 goto got_packet;
@@ -2615,10 +2722,11 @@ pcapng_seek_read(wtap *wth, gint64 seek_off,
 }
 /* block must be a "Packet Block", an "Enhanced Packet Block",
- or a "Simple Packet Block" */
+ a "Simple Packet Block", or an event */
 if (wblock.type != BLOCK_TYPE_PB && wblock.type != BLOCK_TYPE_EPB &&
- wblock.type != BLOCK_TYPE_SPB) {
- pcapng_debug("pcapng_seek_read: block type %u not PB/EPB/SPB", wblock.type);
+ wblock.type != BLOCK_TYPE_SPB &&
+ wblock.type != BLOCK_TYPE_SYSDIG_EVENT && wblock.type != BLOCK_TYPE_SYSDIG_EVF) {
+ pcapng_debug("pcapng_seek_read: block type %u not PB/EPB/SPB", wblock.type);
 return FALSE;
 }
diff --git a/wiretap/pcapng_module.h b/wiretap/pcapng_module.h
index c735380ab6..aa7f9c40c9 100644
--- a/wiretap/pcapng_module.h
+++ b/wiretap/pcapng_module.h
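Review bot: `pcapng_read` now jumps to `got_packet` for `BLOCK_TYPE_SYSDIG_EVF`, while the dispatch switch in `pcapng_read_block` leaves `case(BLOCK_TYPE_SYSDIG_EVF):` commented out, so an EVF block falls into `default:`, is consumed by `pcapng_read_unknown_block` (whose `wblock` parameter is `_U_`, so nothing is filled in), and — presuming that path returns success — is then returned to the caller as a packet whose `packet_header` was never populated for this block. Either drop the two EVF cases (here and in `pcapng_seek_read`) until a reader exists, or route `case(BLOCK_TYPE_SYSDIG_EVF):` to `pcapng_read_sysdig_event_block` in the same switch, so the three places agree. The `pcapng_seek_read` debug string also still says `not PB/EPB/SPB` after its condition was widened to admit the two event block types.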
@@ -28,6 +28,8 @@ #define BLOCK_TYPE_NRB 0x00000004 /* Name Resolution Block */ #define BLOCK_TYPE_ISB 0x00000005 /* Interface Statistics Block */ #define BLOCK_TYPE_EPB 0x00000006 /* Enhanced Packet Block */ +#define BLOCK_TYPE_SYSDIG_EVENT 0x00000204 /* Sysdig Event Block */ +#define BLOCK_TYPE_SYSDIG_EVF 0x00000208 /* Sysdig Event Block with flags */ #define BLOCK_TYPE_SHB 0x0A0D0D0A /* Section Header Block */ /* TODO: the following are not yet well defined in the draft spec: * Compression Block diff --git a/wiretap/wtap.h b/wiretap/wtap.h index 37dfce7918..ccbc598c5e 100644 --- a/wiretap/wtap.h +++ b/wiretap/wtap.h @@ -1119,6 +1119,20 @@ struct logcat_phdr { gint version; }; +/* Packet "pseudo-header" information for Sysdig events. */ + +struct sysdig_event_phdr { + guint record_type; /* XXX match ft_specific_record_phdr so that we chain off of packet-pcapng_block for now. */ + int byte_order; + guint16 cpu_id; + /* guint32 sentinel; */ + guint64 timestamp; /* ns since epoch */ + guint64 thread_id; + guint32 event_len; /* XXX dup of wtap_pkthdr.len */ + guint16 event_type; + /* ... Event ... */ +}; + /* Pseudo-header for file-type-specific records */ struct ft_specific_record_phdr { guint record_type; /* the type of record this is */ @@ -1150,6 +1164,7 @@ union wtap_pseudo_header { struct nokia_phdr nokia; struct llcp_phdr llcp; struct logcat_phdr logcat; + struct sysdig_event_phdr sysdig_event; struct ft_specific_record_phdr ftsrec; }; |