`dissect.etl.headers.headers`#

Module Contents#

Classes#

`Marker`	Abstracts the marker calculation for headers.
`Header`	A baseclass for the different ETL headers.
`InvalidHeader`	An invalid header.
`UnimplementedHeader`	A header that isn't implemented yet.
`EventProperty`	Defines what the message trace header can additionally find in its payload.
`MessageTraceHeader`	A baseclass for the different ETL headers.
`EventTraceHeader`	A baseclass for the different ETL headers.
`EventInstanceHeader`	A baseclass for the different ETL headers.
`EventInstanceGUIDHeader`	A more expanded EventInstanceHeader.
`ErrorHeader`	When an error event was created. However, the structure of the header isn't clear.

Attributes#

BIT64_HEADERS

dissect.etl.headers.headers.BIT64_HEADERS#

class dissect.etl.headers.headers.Marker(marker: int)#

Abstracts the marker calculation for headers.

property flags#

property header_type#

property remainder#

MARKER_MASK = 4278190080#

HEADER_MASK = 16711680#

REMAINDER_MASK = 65535#

MESSAGE_FLAGS = 144#

HEADER_FLAGS = 192#

class dissect.etl.headers.headers.Header(marker: Marker, data: memoryview, etl)#

A baseclass for the different ETL headers.

abstract property minimal_size: int#: Minimum header size.

property provider_id: uuid.UUID#: Provider that generated this event.

property version: int#: The version of the event.

property timestamp: datetime.datetime#: The timestamp of the event.

property time_delta: int#: The change in time relative to the start of the logfile.

property marker: int#: The marker data for this event.

property is_64bit: bool#: A value to determine if the header is 64 or 32 bits.

property size: int#

The size of the event.

In most cases this is inside the remainder field of the marker.

property data_size: int#: The size of the payload.

property payload: memoryview#: Grab the payload data from the datastream.

property header: dissect.cstruct.types.structure.Structure#: Type of header that will get parsed.

abstract additional_header_fields() → Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

standard_header_fields() → Dict[str, Any]#: Some standard header information that can be retrieved for any header.

__repr__()#: Return repr(self).

class dissect.etl.headers.headers.InvalidHeader(marker, data, etl)#

Bases: Header

An invalid header.

class dissect.etl.headers.headers.UnimplementedHeader(marker: Marker, data: memoryview, etl)#

Bases: Header

A header that isn’t implemented yet.

class dissect.etl.headers.headers.EventProperty#

Bases: enum.IntEnum

Defines what the message trace header can additionally find in its payload.

SEQUENCE = 1#

GUID = 2#

COMPONENT_ID = 4#

TIMESTAMP = 8#

PERFORMANCE_TIMESTAMP = 16#

SYSTEMINFO = 32#

POINTER32 = 64#

POINTER64 = 128#

class dissect.etl.headers.headers.MessageTraceHeader(marker: Marker, data: memoryview, etl)#

Bases: Header

A baseclass for the different ETL headers.

property minimal_size: int#: Minimum header size.

property time_delta: int#: The change in time relative to the start of the logfile.

property version: int#: The version of the event.

property id: int#: The id of the message event.

property event_property: int#: What type of payload to expect.

property provider_id: uuid.UUID#: Provider that generated this event.

property thread_id: int#

property process_id: int#

property sequence_number: int#

additional_header_fields() → Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

class dissect.etl.headers.headers.EventTraceHeader(marker: Marker, data: memoryview, etl)#

Bases: Header

A baseclass for the different ETL headers.

property minimal_size: int#: Minimum header size.

property thread_id: int#: The thread id that created this event.

property process_id: int#: The process id that created this event.

additional_header_fields() → Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

class dissect.etl.headers.headers.EventInstanceHeader(marker: Marker, data: memoryview, etl)#

Bases: Header

A baseclass for the different ETL headers.

property minimal_size: int#: Minimum header size.

additional_header_fields() → Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

class dissect.etl.headers.headers.EventInstanceGUIDHeader(marker: Marker, data: memoryview, etl)#

Bases: Header

A more expanded EventInstanceHeader.

This is created from an EventInstanceHeader, but it’s not quite clear which one is specifically used. For now, this header is default.

property minimal_size: int#: Minimum header size.

property thread_id#: The thread id that created this event.

property process_id#: The process id that created this event.

property parent_guid#

additional_header_fields() → Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

class dissect.etl.headers.headers.ErrorHeader(marker: Marker, data: memoryview, etl)#

Bases: Header

When an error event was created. However, the structure of the header isn’t clear.

property minimal_size: int#: Minimum header size.

additional_header_fields() → Dict[str, Any]#

Additional fields that hold interesting information.

each header subclass defines what additional information it wants to return to a record.

dissect.etl.headers.headers#

Module Contents#

Classes#

Attributes#

`dissect.etl.headers.headers`#