From d3c58f6b541e20e7b763e5661934b31e1d518d5c Mon Sep 17 00:00:00 2001
From: Paul Rosswurm <49661430+paul-rosswurm-1@users.noreply.github.com>
Date: Thu, 24 Feb 2022 16:54:33 -0800
Subject: [PATCH] Adding RSS Hash Value to packet comments for vmswitch fragments (#55)
* Adding RSS Hash Value to packet comments for vmswitch fragments
* Increasing version to 1.8.0 and updating readme.
---
README.md | 2 ++
src/main.c | 19 +++++++++++++------
2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 5718bbf..a1f270f 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,8 @@ The binary will be at `build/Release/etl2pcapng.exe` # History +1.8.0 - Adding RSS Hash value to packet comments for VMSwitch packets. + 1.7.0 - Include VMSwitch packet info in packet comments. 1.6.0 - Enable ControlFlowGuard.
diff --git a/src/main.c b/src/main.c
index 30c1c50..b765b8b 100644
--- a/src/main.c
+++ b/src/main.c
@@ -22,6 +22,7 @@ in Windows that produces packet capture events) to pcapng format #define WIN32_LEAN_AND_MEAN 1 #include +#include #include #include #include
@@ -37,7 +38,7 @@ in Windows that produces packet capture events) to pcapng format "Converts a packet capture from etl to pcapng format.\n" // Increment when adding features -#define VERSION "1.7.0" +#define VERSION "1.8.0" #define MAX_PACKET_SIZE 65535
@@ -126,6 +127,7 @@ typedef struct _NDIS_NET_BUFFER_LIST_8021Q_INFO { // From: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/nblinfo/ne-nblinfo-ndis_net_buffer_list_info #define MaxNetBufferListInfo 200 #define Ieee8021QNetBufferListInfo 4 +#define NetBufferListHashValue 8 PBYTE OobData[MaxNetBufferListInfo]; typedef struct _VMSWITCH_SOURCE_INFO {
@@ -139,6 +141,7 @@ typedef struct _VMSWITCH_PACKET_FRAGMENT { unsigned long SourcePortId; unsigned long DestinationCount; short VlanId; + unsigned long RssHashValue; } VMSWITCH_PACKET_FRAGMENT, *PVMSWITCH_PACKET_FRAGMENT; BOOLEAN CurrentPacketIsVMSwitchPacketFragment = FALSE;
@@ -466,6 +469,8 @@ void ParseVmSwitchPacketFragment(PEVENT_RECORD ev) pNblVlanInfo = (PNDIS_NET_BUFFER_LIST_8021Q_INFO)&OobData[Ieee8021QNetBufferListInfo]; VMSwitchPacketFragment.VlanId = (short)pNblVlanInfo->TagHeader.VlanId; + VMSwitchPacketFragment.RssHashValue = PtrToUlong((PVOID)OobData[NetBufferListHashValue]); + // SourcePortId Desc.PropertyName = (unsigned long long)L"SourcePortId"; Desc.ArrayIndex = ULONG_MAX;
@@ -669,24 +674,26 @@ void WINAPI EventCallback(PEVENT_RECORD ev) memset(&PacketMetadata, 0, sizeof(DOT11_EXTSTA_RECV_CONTEXT)); } else if (CurrentPacketIsVMSwitchPacketFragment) { if (VMSwitchPacketFragment.DestinationCount > 0) { - Err = StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d VlanId=%d SrcPortId=%d SrcNicType=%s SrcNicName=%s SrcPortName=%s DstNicCount=%d", + Err = StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d VlanId=%d SrcPortId=%d SrcNicType=%s SrcNicName=%s SrcPortName=%s DstNicCount=%d HashValue=%08lx", ev->EventHeader.ProcessId, Iface->VlanId, Iface->VMNic.SourcePortId, Iface->VMNic.SourceNicType, Iface->VMNic.SourceNicName, Iface->VMNic.SourcePortName, - VMSwitchPacketFragment.DestinationCount + VMSwitchPacketFragment.DestinationCount, + VMSwitchPacketFragment.RssHashValue ); } else { - Err = StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d VlanId=%d SrcPortId=%d SrcNicType=%s SrcNicName=%s SrcPortName=%s", + Err = StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d VlanId=%d SrcPortId=%d SrcNicType=%s SrcNicName=%s SrcPortName=%s HashValue=%08lx", ev->EventHeader.ProcessId, Iface->VlanId, Iface->VMNic.SourcePortId, Iface->VMNic.SourceNicType, Iface->VMNic.SourceNicName, Iface->VMNic.SourcePortName - ); + Iface->VMNic.SourcePortName, + VMSwitchPacketFragment.RssHashValue + ); } } else { Err = StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d", ev->EventHeader.ProcessId);
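Review bot: The added assignment in ParseVmSwitchPacketFragment reads `OobData[NetBufferListHashValue]` with no check visible in this hunk that the OOB property fetch for the current event succeeded and filled at least nine pointer-sized slots. `OobData` is a file-scope array (declared in the -126 hunk), so on a truncated or malformed .etl a short or failed fetch would presumably leave slot 8 holding a previous event's value, and that stale hash would be written into this packet's comment. The fetch itself is outside the hunk; if it returns a status or a size, gate the read on it and otherwise store zero, along the lines of `VMSwitchPacketFragment.RssHashValue = oob_ok ? PtrToUlong((PVOID)OobData[NetBufferListHashValue]) : 0;`, where `oob_ok` is a placeholder for whatever that fetch reports. The indexing also assumes the trace's slot width equals `sizeof(PBYTE)` in this build, which is worth a one-line comment next to the read.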
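Review bot: `HashValue=%08lx` in both format strings in EventCallback prints bare hex next to fields that are all decimal (`PID=%d`, `VlanId=%d`, `SrcPortId=%d`), so a hash made only of digits 0-9 is indistinguishable from a decimal number to anyone reading or parsing the packet comment. Prefixing it removes the ambiguity: `HashValue=0x%08lx`. A hash of zero is also printed as if it were a real value; if zero means "no hash present" in the OOB data, consider omitting the field in that case. EventCallback starts and ends outside this hunk, so how `Err` is handled after the call is not visible here.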