dissect.etl.headers.logfile

Module Contents
Classes
- ReservedFlags: Enum where members are also (and must be) ints
- LogfileHeader: The logfile header.
Attributes¶
- dissect.etl.headers.logfile.logfile_def (multiline string)

    """
    struct SYSTEMTIME {
        WORD wYear;
        WORD wMonth;
        WORD wDayOfWeek;
        WORD wDay;
        WORD wHour;
        WORD wMinute;
        WORD wSecond;
        WORD wMilliseconds;
    };

    struct TZInfo {
        LONG Bias;
        wchar StandardName[32];
        SYSTEMTIME StandardDate;
        LONG StandardBias;
        wchar DaylightName[32];
        SYSTEMTIME DaylightDate;
        LONG DaylightBias;
    };

    struct TraceLogfileHeader {
        uint32 BufferSize;
        union version_information {
            uint32 Version;
            struct VersionDetail {
                uchar MajorVersion;
                uchar MinorVersion;
                uchar SubVersion;
                uchar SubMinorVersion;
            };
        };
        uint32 ProviderVersion;
        uint32 NumberOfProcessors;
        uint64 EndTime;
        uint32 TimerResolution;
        uint32 MaximumFileSize;
        uint32 LogFileMode;
        uint32 BuffersWritten;
        union {
            char LogInstanceGuid[16];
            struct {
                uint32 StartBuffers;
                uint32 PointerSize;
                uint32 EventsLost;
                uint32 CpuSpeedInMHz;
            };
        };
        PWSTR LoggerName;
        PWSTR LogFileName;
        TZInfo TimeZone;
        uint32 padding; /* The timezone info is said to be 0xB0 bytes... no clue why */
        uint64 BootTime;
        uint64 PerfFreq;
        uint64 StartTime;
        uint32 ReservedFlags;
        uint32 BufferLost;
    };

    struct LogFileNames {
        wchar LoggerName[];
        wchar LogFileName[];
    };
    """
- class dissect.etl.headers.logfile.ReservedFlags
Bases: enum.IntEnum
Enum where members are also (and must be) ints
- PERFORMANCE_FREQ = 1
- FILETIME = 2
- CPU_FREQ = 3
- class dissect.etl.headers.logfile.LogfileHeader(calling_header: dissect.etl.headers.system.SystemHeader)
The logfile header.
It is the payload of the first event in an ETL file.
There is also a manifest file that parses this specific header. However, as it is a standard event that is inside every ETL file (and it requires some special handling for timestamp calculation), there is a dedicated parser for it.
- property header: dissect.cstruct.Structure
The parsed header of the event.
- property payload: memoryview
The payload data for the event.
- property is_64bit: bool
- property minimal_size: int
Minimum header size.
- property cpu_speed_in_MHz: int
The CPU speed that was recorded inside the logfile header.
- property perf_freq: int
The performance frequency used to record the ETL file.
- property start_time: int
When the ETL file started to record.
- property pointer_size: int
The size of string pointers.
- property end_time: int
The time the last event was written to the ETL file.
- property buffers_written: int
The number of buffers written to the file.
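The following is an added example, not code from dissect.etl: a stdlib-only parser for the fixed-offset fields of the TraceLogfileHeader definition above, together with the "special handling for timestamp calculation" the class description mentions, driven by the ReservedFlags values. Its assumptions, which the page does not state, are: the layout is packed little-endian with no alignment padding; the pointer width for the two PWSTR fields is supplied by the caller (the page's class derives it from the calling system header); the timezone block occupies 0xB0 bytes as the definition's comment says; and, for the tick-based clocks, event ticks are measured from a reference tick value taken when the header event was written, which is treated as coinciding with StartTime (the `reference_qpc` parameter). The header bytes are constructed, not taken from a real trace.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class ReservedFlags(IntEnum):
    """Clock type of the event timestamps, values as listed for this module."""
    PERFORMANCE_FREQ = 1   # QueryPerformanceCounter ticks, scaled by PerfFreq
    FILETIME = 2           # already FILETIME (100 ns units since 1601-01-01 UTC)
    CPU_FREQ = 3           # CPU cycle counts, scaled by CpuSpeedInMHz


# Leading fields BufferSize .. CpuSpeedInMHz; the 16-byte union is read as its four uint32 members.
# Assumption: packed little-endian layout, no alignment padding.
FIXED_FMT = "<IIIIQIIIIIIII"
FIXED_SIZE = struct.calcsize(FIXED_FMT)      # 56 bytes
TZINFO_SIZE = 0xB0                           # TZInfo (172 bytes) plus the 4-byte padding in the definition
# Trailing fields BootTime, PerfFreq, StartTime, ReservedFlags, BufferLost.
TAIL_FMT = "<QQQII"
TAIL_SIZE = struct.calcsize(TAIL_FMT)        # 32 bytes

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def minimal_size(is_64bit: bool) -> int:
    """Smallest valid header: the PWSTR fields are pointer-sized, so 280 bytes on 64-bit, 272 on 32-bit."""
    return FIXED_SIZE + 2 * (8 if is_64bit else 4) + TZINFO_SIZE + TAIL_SIZE


@dataclass
class LogfileHeader:
    buffer_size: int
    version: int
    provider_version: int
    number_of_processors: int
    end_time: int
    timer_resolution: int
    maximum_file_size: int
    log_file_mode: int
    buffers_written: int
    start_buffers: int
    pointer_size: int
    events_lost: int
    cpu_speed_in_mhz: int
    boot_time: int
    perf_freq: int
    start_time: int
    reserved_flags: int
    buffer_lost: int

    def version_detail(self) -> tuple:
        """The VersionDetail view of the union: Major, Minor, Sub, SubMinor are the little-endian bytes of Version."""
        v = self.version
        return (v & 0xFF, (v >> 8) & 0xFF, (v >> 16) & 0xFF, (v >> 24) & 0xFF)


def parse_logfile_header(data: bytes, is_64bit: bool) -> LogfileHeader:
    """Parse the fixed-offset fields; is_64bit selects the PWSTR width (assumed supplied by the caller)."""
    ptr = 8 if is_64bit else 4
    if len(data) < minimal_size(is_64bit):
        raise ValueError(f"header too short: {len(data)} < {minimal_size(is_64bit)}")
    leading = struct.unpack_from(FIXED_FMT, data, 0)
    trailing = struct.unpack_from(TAIL_FMT, data, FIXED_SIZE + 2 * ptr + TZINFO_SIZE)
    hdr = LogfileHeader(*leading, *trailing)
    # When the union carries the PointerSize view it must agree with the width used to locate the tail;
    # a mismatch means the trailing timestamps were read from the wrong offsets.
    if hdr.pointer_size in (4, 8) and hdr.pointer_size != ptr:
        raise ValueError(f"PointerSize {hdr.pointer_size} disagrees with assumed pointer width {ptr}")
    return hdr


def event_timestamp(hdr: LogfileHeader, raw: int, reference_qpc: int = 0) -> datetime:
    """Convert an event's raw timestamp according to ReservedFlags (tick reference is an assumption, see lead-in)."""
    try:
        clock = ReservedFlags(hdr.reserved_flags)
    except ValueError:
        raise ValueError(f"unknown clock type {hdr.reserved_flags} in ReservedFlags") from None
    if clock is ReservedFlags.FILETIME:
        return filetime_to_datetime(raw)
    ticks_per_second = hdr.perf_freq if clock is ReservedFlags.PERFORMANCE_FREQ else hdr.cpu_speed_in_mhz * 1_000_000
    if ticks_per_second == 0:
        raise ValueError("clock frequency recorded in header is zero")
    return filetime_to_datetime(hdr.start_time) + timedelta(seconds=(raw - reference_qpc) / ticks_per_second)


# Constructed sample: a trace started at 2024-01-01 00:00:00 UTC (FILETIME 133485408000000000).
START_TIME = 133_485_408_000_000_000


def build_sample_header(reserved_flags: int, is_64bit: bool = True) -> bytes:
    """Build a constructed header blob; every value is illustrative, none comes from a real trace."""
    ptr = 8 if is_64bit else 4
    leading = struct.pack(FIXED_FMT, 65536, 2, 0, 4, START_TIME + 600 * 10_000_000,
                          156_250, 0, 1, 12,       # TimerResolution, MaximumFileSize, LogFileMode, BuffersWritten
                          1, ptr, 0, 2400)         # StartBuffers, PointerSize, EventsLost, CpuSpeedInMHz
    pointers = b"\x00" * (2 * ptr)               # LoggerName / LogFileName pointers carry no meaning on disk
    tzinfo = b"\x00" * TZINFO_SIZE
    trailing = struct.pack(TAIL_FMT, START_TIME - 3600 * 10_000_000, 10_000_000, START_TIME, reserved_flags, 0)
    return leading + pointers + tzinfo + trailing


if __name__ == "__main__":
    hdr = parse_logfile_header(build_sample_header(ReservedFlags.PERFORMANCE_FREQ), is_64bit=True)
    print(hdr.version_detail(), hdr.pointer_size, hdr.perf_freq, filetime_to_datetime(hdr.start_time))
    print(event_timestamp(hdr, raw=30_000_000, reference_qpc=5_000_000))
```

The PointerSize consistency check is the part worth keeping in any real parser: the two PWSTR fields shift every timestamp field after them by four bytes, so reading a 64-bit header with a 32-bit layout silently yields wrong BootTime, PerfFreq and StartTime values rather than an error.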