diff --git a/README.md b/README.md
index 2a288e5..1eaa0ad 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,8 @@ msbuild -t:rebuild -p:configuration=release -p:platform=x64
 # History
+1.3.0 - Add a comment to each packet containing the process id (PID).
+
 1.2.0 - Write direction info of each packet (epb_flags)
 1.1.0 - Added support for multi-event packets found in traces from Win8 and older
diff --git a/src/main.c b/src/main.c
index 4a5e18e..3028f54 100644
--- a/src/main.c
+++ b/src/main.c
@@ -24,6 +24,7 @@ in Windows that produces packet capture events) to pcapng format
 #include
 #include
 #include
+#include
 #include
 #define USAGE \
@@ -285,7 +286,8 @@ void WINAPI EventCallback(PEVENT_RECORD ev)
 Iface->PcapNgIfIndex,
 !!(ev->EventHeader.EventDescriptor.Keyword & KW_SEND),
 TimeStamp.HighPart,
- TimeStamp.LowPart);
+ TimeStamp.LowPart,
+ ev->EventHeader.ProcessId);
 AuxFragBufOffset = 0;
 NumFramesConverted++;
 } else {
diff --git a/src/pcapng.h b/src/pcapng.h
index a2ac37f..1243a7e 100644
--- a/src/pcapng.h
+++ b/src/pcapng.h
@@ -16,6 +16,7 @@ Helpers for working with .pcapng files.
 #define PCAPNG_BLOCKTYPE_ENHANCED_PACKET 0x00000006
 #define PCAPNG_OPTIONCODE_ENDOFOPT 0
+#define PCAPNG_OPTIONCODE_COMMENT 1
 #define PCAPNG_OPTIONCODE_EPB_FLAGS 2
 #define PCAPNG_LINKTYPE_ETHERNET 1
@@ -57,6 +58,10 @@ struct PCAPNG_BLOCK_OPTION_EPB_FLAGS {
 short Length; // 4
 long Value;
 };
+struct PCAPNG_BLOCK_OPTION_COMMENT {
+ unsigned short Code; // PCAPNG_OPTIONCODE_COMMENT
+ unsigned short Length;
+};
 struct PCAPNG_BLOCK_TAIL {
 long Length; // Same as PCAPNG_BLOCK_HEAD.Length, for easier backward processing.
 };
@@ -153,7 +158,8 @@ PcapNgWriteEnhancedPacket(
 long InterfaceId,
 long IsSend,
 long TimeStampHigh, // usec (unless if_tsresol is used)
- long TimeStampLow
+ long TimeStampLow,
+ unsigned long ProcessID
 )
 {
 int Err = NO_ERROR;
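Review bot: PCAPNG_BLOCK_OPTION_COMMENT declares Code and Length as `unsigned short`, while the neighbouring PCAPNG_BLOCK_OPTION_EPB_FLAGS in the same hunk declares its Length as `short`; both option headers describe the same 16-bit code/length pair, so they should share one type, or the reason for the difference should be stated. The new struct also lacks the field comment its siblings carry on Length, and its layout is not obvious because the comment text is not a member of the struct: `unsigned short Length; // byte length of the comment text written directly after this header`.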
@@ -161,12 +167,32 @@ PcapNgWriteEnhancedPacket(
 struct PCAPNG_ENHANCED_PACKET_BODY Body;
 struct PCAPNG_BLOCK_OPTION_ENDOFOPT EndOption;
 struct PCAPNG_BLOCK_OPTION_EPB_FLAGS EpbFlagsOption;
+ struct PCAPNG_BLOCK_OPTION_COMMENT CommentOption;
 struct PCAPNG_BLOCK_TAIL Tail;
 char Pad[4] = {0};
+// COMMENT_MAX_SIZE must be multiple of 4
+#define COMMENT_MAX_SIZE 16
+ char Comment[COMMENT_MAX_SIZE];
+ size_t CommentLength = 0;
 int FragPadLength = (4 - ((sizeof(Body) + FragLength) & 3)) & 3; // pad to 4 bytes per the spec.
- int TotalLength =
+ int TotalLength;
+
+ memset(Comment, 0, COMMENT_MAX_SIZE);
+ if SUCCEEDED(StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%d", ProcessID)) {
+ if FAILED(StringCchLengthA(Comment, COMMENT_MAX_SIZE, &CommentLength)) {
+ CommentLength = 0;
+ }
+ }
+ else {
+ memset(Comment, 0, COMMENT_MAX_SIZE);
+ }
+ CommentOption.Code = PCAPNG_OPTIONCODE_COMMENT;
+ CommentOption.Length = (unsigned short) CommentLength;
+ if (CommentOption.Length % 4 != 0)
+ CommentOption.Length += (4 - CommentOption.Length % 4);
+ TotalLength =
 sizeof(Head) + sizeof(Body) + FragLength + FragPadLength +
- sizeof(EpbFlagsOption) + sizeof(EndOption) + sizeof(Tail);
+ sizeof(EpbFlagsOption) + sizeof(CommentOption) + CommentOption.Length + sizeof(EndOption) + sizeof(Tail);
 Head.Type = PCAPNG_BLOCKTYPE_ENHANCED_PACKET;
 Head.Length = TotalLength;
@@ -208,6 +234,17 @@ PcapNgWriteEnhancedPacket(
 goto Done;
 }
+ if (!WriteFile(File, &CommentOption, sizeof(CommentOption), NULL, NULL)) {
+ Err = GetLastError();
+ printf("WriteFile failed with %u\n", Err);
+ goto Done;
+ }
+ if (!WriteFile(File, &Comment, CommentOption.Length, NULL, NULL)) {
+ Err = GetLastError();
+ printf("WriteFile failed with %u\n", Err);
+ goto Done;
+ }
+
 EndOption.Code = PCAPNG_OPTIONCODE_ENDOFOPT;
 EndOption.Length = 0;
 if (!WriteFile(File, &EndOption, sizeof(EndOption), NULL, NULL)) {
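Review bot: The option length written to the file is the padded length: `CommentOption.Length` is rounded up to a multiple of 4 before it goes into the option header and into TotalLength, so the comment option's value claims to be up to three bytes longer than the text and carries trailing NUL bytes as part of the comment. The pcapng option header stores the unpadded value length and the padding is added after the value, which is how the enclosing function already treats the packet data with FragPadLength; keep `CommentOption.Length = (unsigned short) CommentLength;` unpadded, compute a `CommentPadLength` the same way and add it to TotalLength, and have the second WriteFile in the following hunk (-208) write `CommentLength + CommentPadLength` bytes (Comment is zero-filled, so the pad bytes are already zeros). While here, `"PID=%d"` is given an `unsigned long`; `"PID=%lu"` matches the argument. PcapNgWriteEnhancedPacket begins and ends outside this hunk.
```c
    int TotalLength;
    size_t CommentPadLength;

    memset(Comment, 0, COMMENT_MAX_SIZE);
    if (SUCCEEDED(StringCchPrintfA(Comment, COMMENT_MAX_SIZE, "PID=%lu", ProcessID))) {
        if (FAILED(StringCchLengthA(Comment, COMMENT_MAX_SIZE, &CommentLength))) {
            CommentLength = 0;
        }
    }
    else {
        memset(Comment, 0, COMMENT_MAX_SIZE);
    }
    CommentOption.Code = PCAPNG_OPTIONCODE_COMMENT;
    CommentOption.Length = (unsigned short) CommentLength; // unpadded value length, as the option header requires
    CommentPadLength = (4 - (CommentLength & 3)) & 3;      // pad the value to 4 bytes, like FragPadLength
    TotalLength =
        sizeof(Head) + sizeof(Body) + FragLength + FragPadLength +
        sizeof(EpbFlagsOption) + sizeof(CommentOption) + CommentLength + CommentPadLength +
        sizeof(EndOption) + sizeof(Tail);
    // … unchanged: Head.Type / Head.Length …
```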