Documentation
Rendered for windows/amd64
Index
- Constants
- func GetEventInformation(evt *etw.EventRecord, buffer []byte, size uint32) error
- func GetProperty(evt *etw.EventRecord, descriptor *PropertyDataDescriptor, size uint32, ...) error
- func GetPropertySize(evt *etw.EventRecord, descriptor *PropertyDataDescriptor) (uint32, error)
- type EventPropertyInfo
- type NonStructType
- type PropertyDataDescriptor
- type TraceEventInfo
Constants
const (
	// IntypeNull represents the null property type
	IntypeNull = iota
	// IntypeUnicodeString represents a string of 16-bit characters. By default, assumed to have been encoded using UTF-16LE
	IntypeUnicodeString
	// IntypeAnsiString represents a string of 8-bit characters
	IntypeAnsiString
	// IntypeInt8 represents a signed 8-bit integer
	IntypeInt8
	// IntypeUint8 represents an unsigned 8-bit integer
	IntypeUint8
	// IntypeInt16 represents a signed 16-bit integer
	IntypeInt16
	// IntypeUint16 represents an unsigned 16-bit integer
	IntypeUint16
	// IntypeInt32 represents a signed 32-bit integer
	IntypeInt32
	// IntypeUint32 represents an unsigned 32-bit integer
	IntypeUint32
	// IntypeInt64 represents a signed 64-bit integer
	IntypeInt64
	// IntypeUint64 represents an unsigned 64-bit integer
	IntypeUint64
	// IntypeFloat represents an IEEE 4-byte floating-point number
	IntypeFloat
	// IntypeDouble represents an IEEE 8-byte floating-point number
	IntypeDouble
	// IntypeBoolean represents a 32-bit value where 0 is false and 1 is true
	IntypeBoolean
	// IntypeBinary represents binary data of variable size
	IntypeBinary
	// IntypeGUID is a GUID structure. On output, the GUID is rendered in the registry string form, {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
	IntypeGUID
	// IntypePointer represents an unsigned 32-bit or 64-bit pointer value. The size depends on the architecture of the computer logging the event
	IntypePointer
	// IntypeFiletime represents the file timestamp
	IntypeFiletime
	// IntypeSystime represents the system timestamp
	IntypeSystime
	// IntypeSID represents a security identifier (SID) structure that uniquely identifies a user or group
	IntypeSID
	// IntypeHexInt32 represents the hexadecimal representation of a 32-bit integer
	IntypeHexInt32
	// IntypeHexInt64 represents the hexadecimal representation of a 64-bit integer
	IntypeHexInt64
	// IntypeUnicodeChar represents the Unicode codepoint
	IntypeUnicodeChar = 306
	// IntypeAnsiChar represents the ASCII character
	IntypeAnsiChar = 307
	// IntypeSizet represents the architecture-variable size
	IntypeSizet = 308
	// IntypeHexdump represents the hexadecimal dump
	IntypeHexdump = 309
	// IntypeWbemSID represents the Web-Based Enterprise Management security identifier
	IntypeWbemSID = 310
)
const (
	// OutypeNull represents the null property type
	OutypeNull = iota
	// OutypeString represents a string value
	OutypeString
	// OutypeDatetime represents the timestamp value
	OutypeDatetime
	// OutypeByte represents a signed 8-bit value
	OutypeByte
	// OutypeUnsignedByte represents an unsigned 8-bit value
	OutypeUnsignedByte
	// OutypeShort represents a signed 16-bit value
	OutypeShort
	// OutypeUnsignedShort represents an unsigned 16-bit value
	OutypeUnsignedShort
	// OutypeInt represents a signed 32-bit value
	OutypeInt
	// OutypeUnsignedInt represents an unsigned 32-bit value
	OutypeUnsignedInt
	// OutypeLong represents a signed 64-bit value
	OutypeLong
	// OutypeUnsignedLong represents an unsigned 64-bit value
	OutypeUnsignedLong
	// OutypeFloat represents an IEEE 4-byte floating-point number
	OutypeFloat
	// OutypeDouble represents an IEEE 8-byte floating-point number
	OutypeDouble
	// OutypeBoolean represents a 32-bit value where 0 is false and 1 is true
	OutypeBoolean
	// OutypeGUID represents a GUID value
	OutypeGUID
	// OutypeHexBinary represents binary data of variable size in hexadecimal format
	OutypeHexBinary
	// OutypeHexInt8 represents the hexadecimal representation of an 8-bit integer
	OutypeHexInt8
	// OutypeHexInt16 represents the hexadecimal representation of a 16-bit integer
	OutypeHexInt16
	// OutypeHexInt32 represents the hexadecimal representation of a 32-bit integer
	OutypeHexInt32
	// OutypeHexInt64 represents the hexadecimal representation of a 64-bit integer
	OutypeHexInt64
	// OutypePID represents the process identifier
	OutypePID
	// OutypeTID represents the thread identifier
	OutypeTID
	// OutypePort represents the port
	OutypePort
	// OutypeIPv4 represents the IPv4 address
	OutypeIPv4
	// OutypeIPv6 represents the IPv6 address
	OutypeIPv6
)
Variables
This section is empty.
Functions
func GetEventInformation
func GetEventInformation(evt *etw.EventRecord, buffer []byte, size uint32) error
GetEventInformation retrieves metadata about an event. It receives a buffer in which the `TraceEventInfo` structure is allocated.
func GetProperty
func GetProperty(evt *etw.EventRecord, descriptor *PropertyDataDescriptor, size uint32, buffer []byte) error
GetProperty retrieves a property value from the event data.
func GetPropertySize
func GetPropertySize(evt *etw.EventRecord, descriptor *PropertyDataDescriptor) (uint32, error)
GetPropertySize retrieves the size of one or more property values in the event data.
Types
type EventPropertyInfo
type EventPropertyInfo struct {
	Flags      int32
	NameOffset uint32
	Types      [8]byte
	Count      [2]byte
	Length     [2]byte
	Reserved   [4]byte
}
EventPropertyInfo provides information about a single property of the event or filter.
type NonStructType
NonStructType defines if the property is contained in a structure or array.
type PropertyDataDescriptor
type PropertyDataDescriptor struct {
	PropertyName unsafe.Pointer
	ArrayIndex   uint32
	Reserved     uint32
}
PropertyDataDescriptor defines the property to retrieve.
type TraceEventInfo
type TraceEventInfo struct {
	ProviderGUID           sc.GUID
	EventGUID              sc.GUID
	EventDescriptor        etw.EventDescriptor
	DecodingSource         int32
	ProviderNameOffset     uint32
	LevelNameOffset        uint32
	ChannelNameOffset      uint32
	KeywordsNameOffset     uint32
	TaskNameOffset         uint32
	OpcodeNameOffset       uint32
	EventMessageOffset     uint32
	ProviderMessageOffset  uint32
	BinaryXMLOffset        uint32
	BinaryXMLSize          uint32
	EventNameOffset        [4]byte
	EventAttributeOffset   [4]byte
	PropertyCount          uint32
	TopLevelPropertyCount  uint32
	Flags                  [4]byte
	EventPropertyInfoArray [1]EventPropertyInfo
}
TraceEventInfo defines the information about the event.
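An added example, not part of this package's code: the buffer filled by GetEventInformation holds a TraceEventInfo whose EventPropertyInfoArray is declared with length 1 but is followed by PropertyCount entries, each locating its name through NameOffset, measured from the start of the buffer. Because the count and the offsets are read from the buffer itself, the code checks each one against the buffer length before using it. The byte offsets assume sc.GUID and etw.EventDescriptor are 16 bytes each and that names are NUL-terminated UTF-16LE; PropertyNames, utf16At and sampleBuffer are hypothetical helpers.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)

// Offsets follow the structs above, assuming sc.GUID and etw.EventDescriptor are 16 bytes each.
const countOff, arrayOff, entrySize, nameOff = 100, 112, 24, 4
var errBounds = fmt.Errorf("offset outside TraceEventInfo buffer")

// utf16At reads the NUL-terminated UTF-16LE string at off without leaving buf.
func utf16At(buf []byte, off uint32) (string, error) {
	var units []uint16
	for i := uint64(off); i+2 <= uint64(len(buf)); i += 2 {
		u := binary.LittleEndian.Uint16(buf[i:])
		if u == 0 {
			return string(utf16.Decode(units)), nil
		}
		units = append(units, u)
	}
	return "", errBounds // no terminator before the end of the buffer
}

// PropertyNames resolves NameOffset for every EventPropertyInfoArray entry.
func PropertyNames(buf []byte) (names []string, err error) {
	if len(buf) < arrayOff {
		return nil, errBounds
	}
	count := uint64(binary.LittleEndian.Uint32(buf[countOff:]))
	if arrayOff+count*entrySize > uint64(len(buf)) {
		return nil, errBounds // PropertyCount claims more entries than fit
	}
	names = make([]string, count)
	for i := range names {
		off := binary.LittleEndian.Uint32(buf[arrayOff+i*entrySize+nameOff:])
		if names[i], err = utf16At(buf, off); err != nil {
			return nil, err
		}
	}
	return names, nil
}

func sampleBuffer() []byte { // constructed input, not captured data: two names at 160 and 168
	buf := make([]byte, arrayOff+2*entrySize)
	buf[countOff], buf[arrayOff+nameOff], buf[arrayOff+entrySize+nameOff] = 2, 160, 168
	return append(buf, "P\x00i\x00d\x00\x00\x00I\x00m\x00a\x00g\x00e\x00\x00\x00"...)
}
func main() { fmt.Println(PropertyNames(sampleBuffer())) }
```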