misc tweaks (#16)

microsoft · Jan 5, 2020 · 9361329 · 9361329
1 parent d5de9d1
commit 9361329
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -28,6 +28,13 @@ etl2pcapng.exe in.etl out.pcapng
 After converting the file, the tool prints a table which shows mappings between Windows
 interface indices and pcapng interface IDs.
 
+The output pcapng file will have a comment on each packet indicating the PID
+of the current process when the packet was logged. WARNING: this is frequently
+not the same as the actual PID of the process which caused the packet to be
+sent or to which the packet was delivered, since the packet capture provider
+often runs in a DPC (which runs in an arbitrary process). The user should keep
+this in mind when using the PID information.
+
 # Building
 
 Run in the src directory in a Visual Studio Command Prompt:

diff --git a/src/main.c b/src/main.c
@@ -47,7 +47,7 @@ BOOLEAN Pass2 = FALSE;
 char AuxFragBuf[MAX_PACKET_SIZE] = {0};
 unsigned long AuxFragBufOffset = 0;
 
-const GUID NdisCapId = { // Microsoft-Windows-NDIS-PacketCapture {B8197C10-845F-40CA-82AB-9341E98CFC2B}
+const GUID NdisCapId = { // Microsoft-Windows-NDIS-PacketCapture {2ED6006E-4729-4609-B423-3EE7BCD678EF}
     0x2ed6006e, 0x4729, 0x4609, 0xb4, 0x23, 0x3e, 0xe7, 0xbc, 0xd6, 0x78, 0xef};
 
 struct INTERFACE {
@@ -222,13 +222,13 @@ void WINAPI EventCallback(PEVENT_RECORD ev)
             printf("WARNING: inconsistent media type in packet events!\n");
         }
         return;
-    } else {
-        if (Iface == NULL) {
-            // We generated the list of interfaces directly from the
-            // packet traces themselves, so there must be a bug.
-            printf("ERROR: packet with unrecognized IfIndex\n");
-            exit(1);
-        }
+    }
+
+    if (Iface == NULL) {
+        // We generated the list of interfaces directly from the
+        // packet traces themselves, so there must be a bug.
+        printf("ERROR: packet with unrecognized IfIndex\n");
+        exit(1);
     }
 
     // N.B.: Here we are querying the FragmentSize property to get the
@@ -306,7 +306,7 @@ int __cdecl wmain(int argc, wchar_t** argv)
     if (argc == 2 &&
         (!wcscmp(argv[1], L"-v") ||
          !wcscmp(argv[1], L"--version"))) {
-        printf("etl2pcapng version 1.2.0\n");
+        printf("etl2pcapng version 1.3.0\n");
         return 0;
     }
 

diff --git a/src/pcapng.h b/src/pcapng.h
@@ -159,7 +159,7 @@ PcapNgWriteEnhancedPacket(
     long IsSend,
     long TimeStampHigh, // usec (unless if_tsresol is used)
     long TimeStampLow,
-    unsigned long ProcessID
+    unsigned long ProcessId
     )
 {
     int Err = NO_ERROR;
@@ -178,12 +178,11 @@ PcapNgWriteEnhancedPacket(
     int TotalLength;
 
     memset(Comment, 0, COMMENT_MAX_SIZE);
-    if SUCCEEDED(StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d", ProcessID)) {
+    if SUCCEEDED(StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d", ProcessId)) {
         if FAILED(StringCchLengthA(Comment, COMMENT_MAX_SIZE, &CommentLength)) {
             CommentLength = 0;
         }
-    }
-    else {
+    } else {
         memset(Comment, 0, COMMENT_MAX_SIZE);
     }
     CommentOption.Code = PCAPNG_OPTIONCODE_COMMENT;