[pcap-ng-format] Proposed addition of systemd Journal Export Blocks
Gerald Combs
gerald at wireshark.org
Thu Sep 20 18:33:28 UTC 2018
Hi,
I would like to propose the addition of a new block type that contains systemd Journal Export Format[1] entries. The entries themselves are easy to parse and generate, and including them in a pcapng capture should make it easier to correlate system-level events with network traffic.
Block description:
A systemd Journal Export Block contains a single systemd Journal Export Format entry. Each entry MUST contain a __REALTIME_TIMESTAMP= field as described in the systemd.journal-fields documentation. If a timestamp for the block is required it can be derived from this field. The length of the entry can be determined by finding the last non-zero byte in the Journal Entry data.
                          1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +---------------------------------------------------------------+
   0 |                    Block Type = 0x00000009                    |
     +---------------------------------------------------------------+
   4 |                      Block Total Length                       |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   8 /                                                               /
     /                         Journal Entry                         /
     /               variable length, padded to 32 bits              /
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                      Block Total Length                       |
     +---------------------------------------------------------------+
Support for the new block type in Wireshark is inbound at [2] and an update to the pcapng specification is inbound at [3]. Block type 0x00000009 appeared to be the next unused value, so that's the one I grabbed.
[1] https://www.freedesktop.org/wiki/Software/systemd/export/
[2] https://code.wireshark.org/review/c/29611/
[3] https://github.com/pcapng/pcapng/pull/53
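The following is an added example, not code from the post or from the Wireshark/pcapng projects. It builds the proposed block (type 0x00000009) around a constructed Journal Export Format entry, then parses it back: it checks both Block Total Length fields, recovers the entry length by locating the last non-zero byte as the description states, decodes both the text (FIELD=value) and binary (FIELD, 64-bit little-endian size, data) field encodings of the export format, and pulls the mandatory __REALTIME_TIMESTAMP= field out as the block's timestamp. It assumes little-endian byte order for the block header (in a real file the Section Header Block's byte-order magic decides this); the sample entry values are made up.

```python
import struct

# Block type proposed in the post for systemd Journal Export Blocks.
JOURNAL_EXPORT_BLOCK_TYPE = 0x00000009

# Constructed sample entry in systemd Journal Export Format. Field values are
# invented. The last field uses the binary encoding (name, newline, u64 LE size,
# data, newline) and deliberately contains newline and NUL bytes in its data.
SAMPLE_ENTRY = (
    b"__CURSOR=s=example\n"
    b"__REALTIME_TIMESTAMP=1537468408123456\n"
    b"PRIORITY=6\n"
    b"MESSAGE=Started Session 1.\n"
    b"BINARY_FIELD\n" + struct.pack("<Q", 5) + b"a\nb\x00c" + b"\n"
    b"\n"  # empty line terminates the entry
)


def build_journal_export_block(entry: bytes) -> bytes:
    """Wrap one export-format entry in a pcapng block (little-endian assumed)."""
    if b"__REALTIME_TIMESTAMP=" not in entry:
        raise ValueError("entry MUST contain a __REALTIME_TIMESTAMP= field")
    pad = (-len(entry)) % 4                      # pad entry to a 32-bit boundary
    body = entry + b"\x00" * pad
    total_len = 4 + 4 + len(body) + 4            # type + length + body + length
    return (struct.pack("<II", JOURNAL_EXPORT_BLOCK_TYPE, total_len)
            + body + struct.pack("<I", total_len))


def parse_journal_export_block(block: bytes) -> bytes:
    """Validate a block and return the unpadded Journal Export Format entry."""
    if len(block) < 12:
        raise ValueError("block too short")
    block_type, total_len = struct.unpack_from("<II", block, 0)
    if block_type != JOURNAL_EXPORT_BLOCK_TYPE:
        raise ValueError("not a systemd Journal Export Block")
    # Never trust a declared length: it must match the data we actually hold,
    # be 32-bit aligned, and agree with the trailing copy.
    if total_len != len(block) or total_len % 4 or total_len < 12:
        raise ValueError("bad Block Total Length")
    if struct.unpack_from("<I", block, total_len - 4)[0] != total_len:
        raise ValueError("leading and trailing Block Total Length differ")
    body = block[8:total_len - 4]
    # Entry length = position after the last non-zero byte. This is safe because
    # an export-format entry always ends with a newline (0x0a), never with NUL.
    end = len(body)
    while end > 0 and body[end - 1] == 0:
        end -= 1
    return body[:end]


def parse_export_entry(entry: bytes) -> dict:
    """Decode one export-format entry into {field_name: raw_value_bytes}."""
    fields = {}
    pos = 0
    while pos < len(entry):
        nl = entry.index(b"\n", pos)             # ValueError if a line is cut off
        line = entry[pos:nl]
        if line == b"":                          # empty line ends the entry
            break
        eq = line.find(b"=")
        if eq >= 0:                              # text encoding: FIELD=value
            fields[line[:eq].decode("ascii")] = line[eq + 1:]
            pos = nl + 1
        else:                                    # binary encoding: FIELD\n size data\n
            size = struct.unpack_from("<Q", entry, nl + 1)[0]
            start = nl + 1 + 8
            if start + size + 1 > len(entry):
                raise ValueError("binary field runs past end of entry")
            fields[line.decode("ascii")] = entry[start:start + size]
            pos = start + size + 1               # skip the data and its newline
    return fields


def block_timestamp(block: bytes) -> tuple:
    """Derive (seconds, microseconds) from the entry's __REALTIME_TIMESTAMP= field."""
    fields = parse_export_entry(parse_journal_export_block(block))
    usec_since_epoch = int(fields["__REALTIME_TIMESTAMP"])
    return divmod(usec_since_epoch, 1_000_000)


if __name__ == "__main__":
    blk = build_journal_export_block(SAMPLE_ENTRY)
    print("block length:", len(blk), "timestamp:", block_timestamp(blk))
    print(parse_export_entry(parse_journal_export_block(blk)))
```

The length checks in parse_journal_export_block are the part worth keeping in any real reader: a block whose declared length disagrees with the trailing copy or with the bytes available should be rejected rather than used to index into the buffer.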