Wireshark dissector: format epoch time

I'm writing a Wireshark dissector (the C kind, not Lua).

I have a uint64 time field that represents nanoseconds since the Unix epoch.

I want to print the time in Wireshark in a human-readable format.

I looked around for documentation on how to do this, but the only time-related function I found was proto_tree_add_time, at https://anonsvn.wireshark.org/wireshark/trunk-1.6/doc/README.developer.

I ended up writing a helper function like this:

#include <epan/packet.h>   /* proto_tree_add_time, tvb_get_letoh64, nstime_t */

static void add_pretty_time(tvbuff_t* tvb, proto_tree* body, unsigned field_offset, int field_id)
{
    /* 8-byte little-endian count of nanoseconds since the Unix epoch */
    uint64_t raw_time = tvb_get_letoh64(tvb, field_offset);
    nstime_t time;
    /* nstime_t is { time_t secs; int nsecs; }: split the count accordingly */
    time.secs = (time_t)(raw_time / 1000000000);
    time.nsecs = (int)(raw_time % 1000000000);
    /* field_id must be registered as a time type (e.g. FT_ABSOLUTE_TIME) */
    proto_tree_add_time(body, field_id, tvb, field_offset, 8, &time);
}

Is there a more elegant way to do this that Wireshark provides? For example, FT_UINT64, BASE_DEC in the hf_register_info array says that the field is to be parsed as a uint64 and displayed in decimal. Something like FT_EPOCH64, ISO_FORMAT in the hf_register_info array would be ideal.

For FT_ABSOLUTE_TIME fields, the encoding specifies the form the timestamp takes and its byte order. The currently supported timestamp encodings are listed at: https://github.com/wireshark/wireshark/blob/master/doc/README.dissector#L1648

ENC_TIME_SECS_NSECS - 8, 12, or 16 bytes.  For 8 bytes, the first 4
    bytes are seconds and the next 4 bytes are nanoseconds; for 12
    bytes, the first 8 bytes are seconds and the next 4 bytes are
    nanoseconds; for 16 bytes, the first 8 bytes are seconds and
    the next 8 bytes are nanoseconds.  The seconds are seconds
    since the UN*X epoch (1970-01-01 00:00:00 UTC).  (I.e., a UN*X
    struct timespec with a 4-byte or 8-byte time_t or a structure
    with an 8-byte time_t and an 8-byte nanoseconds field.)

ENC_TIME_NTP - 8 bytes; the first 4 bytes are seconds since the NTP
    epoch (1900-01-01 00:00:00 GMT) and the next 4 bytes are 1/2^32's of
    a second since that second.  (I.e., a 64-bit count of 1/2^32's of a
    second since the NTP epoch, with the upper 32 bits first and the
    lower 32 bits second, even when little-endian.)

ENC_TIME_TOD - 8 bytes, as a count of microseconds since the System/3x0
    and z/Architecture epoch (1900-01-01 00:00:00 GMT).

ENC_TIME_RTPS - 8 bytes; the first 4 bytes are seconds since the UN*X
    epoch and the next 4 bytes are 1/2^32's of a second since that
    second.  (I.e., it's the offspring of a mating between UN*X time and
    NTP time.)  It's used by the Object Management Group's Real-Time
    Publish-Subscribe Wire Protocol for the Data Distribution Service.

ENC_TIME_SECS_USECS - 8 bytes; the first 4 bytes are seconds since the
    UN*X epoch and the next 4 bytes are microseconds since that
    second.  (I.e., a UN*X struct timeval with a 4-byte time_t.)

ENC_TIME_SECS - 4 to 8 bytes, representing a value in seconds since
    the UN*X epoch.

ENC_TIME_MSECS - 6 to 8 bytes, representing a value in milliseconds
    since the UN*X epoch.

ENC_TIME_SECS_NTP - 4 bytes, representing a count of seconds since
    the NTP epoch.  (I.e., seconds since the NTP epoch.)

ENC_TIME_RFC_3971 - 8 bytes, representing a count of 1/64ths of a
    second since the UN*X epoch; see section 5.3.1 "Timestamp Option"
    in RFC 3971.

ENC_TIME_MSEC_NTP - 4-8 bytes, representing a count of milliseconds since
    the NTP epoch.  (I.e., milliseconds since the NTP epoch.)

None of these corresponds to a uint64 of nanoseconds since the epoch.

The add_pretty_time helper written in the question is the correct approach, because we are forced to use proto_tree_add_time rather than the standard proto_tree_add_item with the help of a built-in encoding.

This still requires the hf_register_info array to have the right values: that is, we must use a time-based field type and a time-based display format. Example of the former: FT_ABSOLUTE_TIME. Example of the latter: ABSOLUTE_TIME_UTC. Where to find the list of each: https://github.com/boundary/wireshark/blob/master/epan/proto.c#L4742 and https://github.com/wireshark/wireshark/blob/master/doc/README.dissector#L147 respectively.
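The conversion the answer above endorses, shown end to end as an added example that is not part of the question, the answer, or Wireshark's own code. It reproduces what the question's helper does (little-endian read of 8 bytes, split into seconds and nanoseconds) without any Wireshark headers, so it compiles stand-alone; the `ns_time` struct is a stand-in for Wireshark's `nstime_t`, `read_le64` stands in for `tvb_get_letoh64`, and the frame bytes are constructed, not captured. It also adds the two checks a dissector author should have in mind: the field must actually be 8 bytes long at that offset, and the seconds must fit in `time_t`, which a uint64 of nanoseconds (good until the year 2554) does not guarantee on a platform with a 32-bit `time_t`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for Wireshark's nstime_t, which is { time_t secs; int nsecs; }.
 * Only the layout matters here; no Wireshark headers are used. */
typedef struct {
    time_t secs;
    int    nsecs;
} ns_time;

#define NS_PER_SEC 1000000000ULL

/* Little-endian 64-bit read: the same operation as tvb_get_letoh64(). */
static uint64_t read_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Split raw nanoseconds-since-epoch into seconds + nanoseconds, which is
 * exactly what the question's add_pretty_time() does before handing an
 * nstime_t to proto_tree_add_time(). Returns -1 if the seconds do not fit
 * in time_t (a real concern on platforms with a 32-bit time_t). */
static int split_epoch_ns(uint64_t raw_ns, ns_time *out)
{
    uint64_t secs  = raw_ns / NS_PER_SEC;
    uint64_t max_t = (sizeof(time_t) >= 8) ? (uint64_t)INT64_MAX : (uint64_t)INT32_MAX;
    if (secs > max_t)
        return -1;
    out->secs  = (time_t)secs;
    out->nsecs = (int)(raw_ns % NS_PER_SEC);   /* always 0..999999999 */
    return 0;
}

/* Render as ISO 8601 UTC with a nanosecond fraction, e.g.
 * 2024-03-15T12:34:56.123456789Z. Wireshark's own ABSOLUTE_TIME_UTC
 * rendering uses a different layout; this only shows the decoded value. */
static int format_utc(const ns_time *t, char *out, size_t outlen)
{
    struct tm *tm = gmtime(&t->secs);
    if (tm == NULL)
        return -1;
    char date[32];
    if (strftime(date, sizeof date, "%Y-%m-%dT%H:%M:%S", tm) == 0)
        return -1;
    int n = snprintf(out, outlen, "%s.%09dZ", date, t->nsecs);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Decode the 8-byte little-endian field at `offset` into an ISO string.
 * The bounds check mirrors what the tvb accessors enforce for you. */
static int pretty_time_from_bytes(const uint8_t *buf, size_t buflen, size_t offset,
                                  char *out, size_t outlen)
{
    if (offset > buflen || buflen - offset < 8)
        return -1;
    ns_time t;
    if (split_epoch_ns(read_le64(buf + offset), &t) != 0)
        return -1;
    return format_utc(&t, out, outlen);
}

/* Constructed sample frame (not a real capture): two header bytes, then the
 * timestamp 1710506096123456789 ns (2024-03-15T12:34:56.123456789Z) in
 * little-endian order, i.e. 0x17BCF03B55942D15 stored low byte first. */
static const uint8_t sample_frame[] = {
    0xAA, 0xBB,
    0x15, 0x2D, 0x94, 0x55, 0x3B, 0xF0, 0xBC, 0x17,
};

int main(void)
{
    char buf[64];
    if (pretty_time_from_bytes(sample_frame, sizeof sample_frame, 2, buf, sizeof buf) == 0)
        printf("timestamp: %s\n", buf);
    else
        printf("timestamp: <decode error>\n");
    return 0;
}
```

Inside a real dissector the split above feeds `proto_tree_add_time`, and the matching registration entry (with hypothetical field names) looks like `{ &hf_myproto_timestamp, { "Timestamp", "myproto.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0x0, NULL, HFILL } }`; registering the field with a non-time type and then calling `proto_tree_add_time` on it trips a dissector assertion rather than displaying anything. The README the answer links is a moving target, so check the current revision of that encoding list before hand-rolling a helper.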