:py:mod:`dissect.etl.headers.headers`
=====================================

.. py:module:: dissect.etl.headers.headers


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.etl.headers.headers.Marker
   dissect.etl.headers.headers.Header
   dissect.etl.headers.headers.InvalidHeader
   dissect.etl.headers.headers.UnimplementedHeader
   dissect.etl.headers.headers.EventProperty
   dissect.etl.headers.headers.MessageTraceHeader
   dissect.etl.headers.headers.EventTraceHeader
   dissect.etl.headers.headers.EventInstanceHeader
   dissect.etl.headers.headers.EventInstanceGUIDHeader
   dissect.etl.headers.headers.ErrorHeader


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.etl.headers.headers.BIT64_HEADERS


.. py:data:: BIT64_HEADERS


.. py:class:: Marker(marker: int)

   Abstracts the marker calculation for headers.

   .. py:property:: flags

   .. py:property:: header_type

   .. py:property:: remainder

   .. py:attribute:: MARKER_MASK
      :value: 4278190080

   .. py:attribute:: HEADER_MASK
      :value: 16711680

   .. py:attribute:: REMAINDER_MASK
      :value: 65535

   .. py:attribute:: MESSAGE_FLAGS
      :value: 144

   .. py:attribute:: HEADER_FLAGS
      :value: 192


.. py:class:: Header(marker: Marker, data: memoryview, etl)

   A baseclass for the different ETL headers.

   .. py:property:: minimal_size
      :type: int
      :abstractmethod:

      Minimum header size.

   .. py:property:: provider_id
      :type: uuid.UUID

      Provider that generated this event.

   .. py:property:: version
      :type: int

      The version of the event.

   .. py:property:: timestamp
      :type: datetime.datetime

      The timestamp of the event.

   .. py:property:: time_delta
      :type: int

      The change in time relative to the start of the logfile.

   .. py:property:: marker
      :type: int

      The marker data for this event.

   .. py:property:: is_64bit
      :type: bool

      A value to determine if the header is 64 or 32 bits.

   .. py:property:: size
      :type: int

      The size of the event.

      In most cases this is inside the remainder field of the marker.

   .. py:property:: data_size
      :type: int

      The size of the payload.

   .. py:property:: payload
      :type: memoryview

      Grab the payload data from the datastream.

   .. py:property:: header
      :type: dissect.cstruct.types.structure.Structure

      Type of header that will get parsed.

   .. py:method:: additional_header_fields() -> dict[str, Any]
      :abstractmethod:

      Additional fields that hold interesting information.

      Each header subclass defines what additional information it wants to return to a record.

   .. py:method:: standard_header_fields() -> dict[str, Any]

      Some standard header information that can be retrieved for any header.

   .. py:method:: __repr__()

      Return repr(self).


.. py:class:: InvalidHeader(marker, data, etl)

   Bases: :py:obj:`Header`

   An invalid header.


.. py:class:: UnimplementedHeader(marker: Marker, data: memoryview, etl)

   Bases: :py:obj:`Header`

   A header that isn't implemented yet.


.. py:class:: EventProperty

   Bases: :py:obj:`enum.IntEnum`

   Defines what the message trace header can additionally find in its payload.

   .. py:attribute:: SEQUENCE
      :value: 1

   .. py:attribute:: GUID
      :value: 2

   .. py:attribute:: COMPONENT_ID
      :value: 4

   .. py:attribute:: TIMESTAMP
      :value: 8

   .. py:attribute:: PERFORMANCE_TIMESTAMP
      :value: 16

   .. py:attribute:: SYSTEMINFO
      :value: 32

   .. py:attribute:: POINTER32
      :value: 64

   .. py:attribute:: POINTER64
      :value: 128


.. py:class:: MessageTraceHeader(marker: Marker, data: memoryview, etl)

   Bases: :py:obj:`Header`

   A baseclass for the different ETL headers.

   .. py:property:: minimal_size
      :type: int

      Minimum header size.

   .. py:property:: time_delta
      :type: int

      The change in time relative to the start of the logfile.

   .. py:property:: version
      :type: int

      The version of the event.

   .. py:property:: id
      :type: int

      The id of the message event.

   .. py:property:: event_property
      :type: int

      What type of payload to expect.

   .. py:property:: provider_id
      :type: uuid.UUID

      Provider that generated this event.

   .. py:property:: thread_id
      :type: int

   .. py:property:: process_id
      :type: int

   .. py:property:: sequence_number
      :type: int

   .. py:method:: additional_header_fields() -> dict[str, Any]

      Additional fields that hold interesting information.

      Each header subclass defines what additional information it wants to return to a record.


.. py:class:: EventTraceHeader(marker: Marker, data: memoryview, etl)

   Bases: :py:obj:`Header`

   A baseclass for the different ETL headers.

   .. py:property:: minimal_size
      :type: int

      Minimum header size.

   .. py:property:: thread_id
      :type: int

      The thread id that created this event.

   .. py:property:: process_id
      :type: int

      The process id that created this event.

   .. py:method:: additional_header_fields() -> dict[str, Any]

      Additional fields that hold interesting information.

      Each header subclass defines what additional information it wants to return to a record.


.. py:class:: EventInstanceHeader(marker: Marker, data: memoryview, etl)

   Bases: :py:obj:`Header`

   A baseclass for the different ETL headers.

   .. py:property:: minimal_size
      :type: int

      Minimum header size.

   .. py:method:: additional_header_fields() -> dict[str, Any]

      Additional fields that hold interesting information.

      Each header subclass defines what additional information it wants to return to a record.


.. py:class:: EventInstanceGUIDHeader(marker: Marker, data: memoryview, etl)

   Bases: :py:obj:`Header`

   A more expanded EventInstanceHeader.

   This is created from an EventInstanceHeader, but it's not quite clear which one is specifically used.
   For now, this header is default.

   .. py:property:: minimal_size
      :type: int

      Minimum header size.

   .. py:property:: thread_id

      The thread id that created this event.

   .. py:property:: process_id

      The process id that created this event.

   .. py:property:: parent_guid

   .. py:method:: additional_header_fields() -> dict[str, Any]

      Additional fields that hold interesting information.

      Each header subclass defines what additional information it wants to return to a record.


.. py:class:: ErrorHeader(marker: Marker, data: memoryview, etl)

   Bases: :py:obj:`Header`

   When an error event was created.

   However, the structure of the header isn't clear.

   .. py:property:: minimal_size
      :type: int

      Minimum header size.

   .. py:method:: additional_header_fields() -> dict[str, Any]

      Additional fields that hold interesting information.

      Each header subclass defines what additional information it wants to return to a record.
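
Added example (not part of the dissect.etl code base): how the ``Marker`` masks and ``EventProperty`` bits documented above decompose a raw value, with a bounds check suited to parsing untrusted trace data. The shift amounts, the little-endian 32-bit layout, the equality test on the flag byte and the helper names are assumptions made for illustration.

```python
import struct
from enum import IntFlag

# Mask and flag values as documented for Marker on this page.
MARKER_MASK = 0xFF000000     # 4278190080
HEADER_MASK = 0x00FF0000     # 16711680
REMAINDER_MASK = 0x0000FFFF  # 65535
MESSAGE_FLAGS = 0x90         # 144
HEADER_FLAGS = 0xC0          # 192


class EventProperty(IntFlag):
    # Documented values; IntFlag is used here (the page lists IntEnum)
    # so that a combined bitmask can be decomposed.
    SEQUENCE = 1
    GUID = 2
    COMPONENT_ID = 4
    TIMESTAMP = 8
    PERFORMANCE_TIMESTAMP = 16
    SYSTEMINFO = 32
    POINTER32 = 64
    POINTER64 = 128


def split_marker(marker: int) -> dict:
    # Assumption: each field is the masked value shifted down to bit 0.
    flags = (marker & MARKER_MASK) >> 24
    kind = {MESSAGE_FLAGS: "message", HEADER_FLAGS: "header"}.get(flags, "unknown")
    return {"flags": flags, "kind": kind,
            "header_type": (marker & HEADER_MASK) >> 16,
            "remainder": marker & REMAINDER_MASK}


def read_marker(buf: bytes, offset: int = 0) -> dict:
    # Assumptions: little-endian uint32 marker; remainder is the event
    # size counted from the marker's own offset.
    if offset < 0 or offset + 4 > len(buf):
        raise ValueError("truncated marker")
    fields = split_marker(struct.unpack_from("<I", buf, offset)[0])
    known = fields["kind"] != "unknown"
    if known and not 4 <= fields["remainder"] <= len(buf) - offset:
        raise ValueError("event size exceeds available data")
    return fields


def property_names(value: int) -> list:
    # Names of the EventProperty bits set in a message-trace property value.
    return [p.name for p in EventProperty if value & p]
```

Rejecting a claimed size that runs past the buffer before slicing a payload keeps a corrupted or tampered trace from yielding records built from unrelated bytes.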