Add a comment to each packet containing the process id (PID) (#15)

* Add comment to each packet containing the process id (PID) * Add a comment to each packet containing the process id (PID) * Add a comment to each packet containing the process id (PID) * Update README.md * Add a comment to each packet containing the process id - review changes * Add a comment to each packet containing the process id - tabs
microsoft · Jan 5, 2020 · d5de9d1 · d5de9d1
1 parent ac547e1
commit d5de9d1
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -38,6 +38,8 @@ msbuild -t:rebuild -p:configuration=release -p:platform=x64
 
 # History
 
+1.3.0 - Add a comment to each packet containing the process id (PID).
+
 1.2.0 - Write direction info of each packet (epb_flags)
 
 1.1.0 - Added support for multi-event packets found in traces from Win8 and older

diff --git a/src/main.c b/src/main.c
@@ -24,6 +24,7 @@ in Windows that produces packet capture events) to pcapng format
 #include <evntrace.h>
 #include <evntcons.h>
 #include <tdh.h>
+#include <strsafe.h>
 #include <pcapng.h>
 
 #define USAGE \
@@ -285,7 +286,8 @@ void WINAPI EventCallback(PEVENT_RECORD ev)
             Iface->PcapNgIfIndex,
             !!(ev->EventHeader.EventDescriptor.Keyword & KW_SEND),
             TimeStamp.HighPart,
-            TimeStamp.LowPart);
+            TimeStamp.LowPart,
+            ev->EventHeader.ProcessId);
         AuxFragBufOffset = 0;
         NumFramesConverted++;
     } else {

diff --git a/src/pcapng.h b/src/pcapng.h
@@ -16,6 +16,7 @@ Helpers for working with .pcapng files.
 #define PCAPNG_BLOCKTYPE_ENHANCED_PACKET 0x00000006
 
 #define PCAPNG_OPTIONCODE_ENDOFOPT  0
+#define PCAPNG_OPTIONCODE_COMMENT   1
 #define PCAPNG_OPTIONCODE_EPB_FLAGS 2
 
 #define PCAPNG_LINKTYPE_ETHERNET    1
@@ -57,6 +58,10 @@ struct PCAPNG_BLOCK_OPTION_EPB_FLAGS {
     short Length; // 4
     long Value;
 };
+struct PCAPNG_BLOCK_OPTION_COMMENT {
+    unsigned short Code; // PCAPNG_OPTIONCODE_COMMENT
+    unsigned short Length;
+};
 struct PCAPNG_BLOCK_TAIL {
     long Length; // Same as PCAPNG_BLOCK_HEAD.Length, for easier backward processing.
 };
@@ -153,20 +158,41 @@ PcapNgWriteEnhancedPacket(
     long InterfaceId,
     long IsSend,
     long TimeStampHigh, // usec (unless if_tsresol is used)
-    long TimeStampLow
+    long TimeStampLow,
+    unsigned long ProcessID
     )
 {
     int Err = NO_ERROR;
     struct PCAPNG_BLOCK_HEAD Head;
     struct PCAPNG_ENHANCED_PACKET_BODY Body;
     struct PCAPNG_BLOCK_OPTION_ENDOFOPT EndOption;
     struct PCAPNG_BLOCK_OPTION_EPB_FLAGS EpbFlagsOption;
+    struct PCAPNG_BLOCK_OPTION_COMMENT CommentOption;
     struct PCAPNG_BLOCK_TAIL Tail;
     char Pad[4] = {0};
+// COMMENT_MAX_SIZE must be multiple of 4
+#define COMMENT_MAX_SIZE 16
+    char Comment[COMMENT_MAX_SIZE];
+    size_t CommentLength = 0;
     int FragPadLength = (4 - ((sizeof(Body) + FragLength) & 3)) & 3; // pad to 4 bytes per the spec.
-    int TotalLength =
+    int TotalLength;
+
+    memset(Comment, 0, COMMENT_MAX_SIZE);
+    if SUCCEEDED(StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d", ProcessID)) {
+        if FAILED(StringCchLengthA(Comment, COMMENT_MAX_SIZE, &CommentLength)) {
+            CommentLength = 0;
+        }
+    }
+    else {
+        memset(Comment, 0, COMMENT_MAX_SIZE);
+    }
+    CommentOption.Code = PCAPNG_OPTIONCODE_COMMENT;
+    CommentOption.Length = (unsigned short) CommentLength;
+    if (CommentOption.Length % 4 != 0)
+        CommentOption.Length += (4 - CommentOption.Length % 4);
+    TotalLength =
         sizeof(Head) + sizeof(Body) + FragLength + FragPadLength +
-        sizeof(EpbFlagsOption) + sizeof(EndOption) + sizeof(Tail);
+        sizeof(EpbFlagsOption) + sizeof(CommentOption) + CommentOption.Length + sizeof(EndOption) + sizeof(Tail);
 
     Head.Type = PCAPNG_BLOCKTYPE_ENHANCED_PACKET;
     Head.Length = TotalLength;
@@ -208,6 +234,17 @@ PcapNgWriteEnhancedPacket(
         goto Done;
     }
 
+    if (!WriteFile(File, &CommentOption, sizeof(CommentOption), NULL, NULL)) {
+        Err = GetLastError();
+        printf("WriteFile failed with %u\n", Err);
+        goto Done;
+    }
+    if (!WriteFile(File, &Comment, CommentOption.Length, NULL, NULL)) {
+        Err = GetLastError();
+        printf("WriteFile failed with %u\n", Err);
+        goto Done;
+    }
+
     EndOption.Code = PCAPNG_OPTIONCODE_ENDOFOPT;
     EndOption.Length = 0;
     if (!WriteFile(File, &EndOption, sizeof(EndOption), NULL, NULL)) {