dissect.etl.headers.logfile
Module Contents#
Classes#
ReservedFlags | Enum where members are also (and must be) ints
LogfileHeader | The logfile header.
Attributes#
- dissect.etl.headers.logfile.logfile_def = Multiline-String#
"""
struct SYSTEMTIME {
    WORD wYear;
    WORD wMonth;
    WORD wDayOfWeek;
    WORD wDay;
    WORD wHour;
    WORD wMinute;
    WORD wSecond;
    WORD wMilliseconds;
};

struct TZInfo {
    LONG Bias;
    wchar StandardName[32];
    SYSTEMTIME StandardDate;
    LONG StandardBias;
    wchar DaylightName[32];
    SYSTEMTIME DaylightDate;
    LONG DaylightBias;
};

struct TraceLogfileHeader {
    uint32 BufferSize;
    union version_information {
        uint32 Version;
        struct VersionDetail {
            uchar MajorVersion;
            uchar MinorVersion;
            uchar SubVersion;
            uchar SubMinorVersion;
        };
    };
    uint32 ProviderVersion;
    uint32 NumberOfProcessors;
    uint64 EndTime;
    uint32 TimerResolution;
    uint32 MaximumFileSize;
    uint32 LogFileMode;
    uint32 BuffersWritten;
    union {
        char LogInstanceGuid[16];
        struct {
            uint32 StartBuffers;
            uint32 PointerSize;
            uint32 EventsLost;
            uint32 CpuSpeedInMHz;
        };
    };
    PWSTR LoggerName;
    PWSTR LogFileName;
    TZInfo TimeZone;
    uint32 padding;     /* TZInfo is 0xAC bytes; this pads the time zone region to 0xB0 so that the 8-byte BootTime is aligned */
    uint64 BootTime;
    uint64 PerfFreq;
    uint64 StartTime;
    uint32 ReservedFlags;
    uint32 BufferLost;
};

struct LogFileNames {
    wchar LoggerName[];
    wchar LogFileName[];
};
"""
- class dissect.etl.headers.logfile.ReservedFlags#
Bases:
enum.IntEnum
Enum where members are also (and must be) ints
- PERFORMANCE_FREQ = 1#
- FILETIME = 2#
- CPU_FREQ = 3#
- class dissect.etl.headers.logfile.LogfileHeader(calling_header: dissect.etl.headers.system.SystemHeader)#
The logfile header.
It is the payload of the first event in an ETL file.
A manifest also describes this header. However, because it is a standard event present in every ETL file, and because it needs special handling for the timestamp calculation, it has a dedicated parser.
- property header: dissect.cstruct.Structure#
The parsed header of the event.
- property payload: memoryview#
The payload data for the event.
- property is_64bit: bool#
- property minimal_size: int#
Minimum header size.
- property cpu_speed_in_MHz: int#
The CPU speed that was recorded inside the logfile header.
- property perf_freq: int#
The performance counter frequency (PerfFreq) in use when the ETL file was recorded.
- property start_time: int#
When the ETL file started recording (StartTime).
- property pointer_size: int#
The size in bytes of the string pointers (the PWSTR fields): 4 for a 32-bit logger, 8 for a 64-bit one.
- property end_time: int#
The time the last event was written to the ETL file.
- property buffers_written: int#
The number of buffers written to the file.
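Added example, not dissect.etl's own code (which parses this header through dissect.cstruct): a stand-alone parser for the TraceLogfileHeader layout defined in logfile_def above, using only the Python standard library. It reads PointerSize out of the union to size the two PWSTR fields, skips the 0xB0-byte time zone region, decodes StartTime and BootTime as FILETIMEs, maps ReservedFlags onto the clock-type enum documented above, and then reads the trailing LoggerName and LogFileName strings. The header bytes come from build_sample_header and are constructed for this example, not taken from a real trace; the logger name, file name, time zone and frequencies in it are made up.

```python
"""Added example, not dissect.etl's own code: parse the TraceLogfileHeader
layout above with only the standard library. Sample bytes are constructed."""
import struct
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class ReservedFlags(IntEnum):
    """Clock type of the event timestamps (values as documented above)."""
    PERFORMANCE_FREQ = 1
    FILETIME = 2
    CPU_FREQ = 3


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ZERO_SYSTEMTIME = (0,) * 8
# Fixed prefix through the 16-byte union: 56 bytes, little-endian.
PREFIX = struct.Struct("<IIIIQIIIIIIII")
# TZInfo: Bias, StandardName[32], SYSTEMTIME, StandardBias, DaylightName[32], SYSTEMTIME, DaylightBias (0xAC bytes).
TZINFO = struct.Struct("<l64s8Hl64s8Hl")
# padding, BootTime, PerfFreq, StartTime, ReservedFlags, BufferLost.
TAIL = struct.Struct("<IQQQII")


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def read_wchar_z(data: bytes, off: int) -> tuple[str, int]:
    """NUL-terminated UTF-16LE string at off; returns (text, offset past the terminator)."""
    end = off
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[off:end].decode("utf-16-le"), end + 2


def wchar32(text: str) -> bytes:
    """Fixed wchar[32] field, NUL padded (builder helper)."""
    return text.encode("utf-16-le").ljust(64, b"\x00")


def parse_logfile_header(data: bytes) -> dict:
    if len(data) < PREFIX.size:
        raise ValueError("truncated: the fixed prefix alone is 56 bytes")
    (buffer_size, version, provider_version, num_cpus, end_time, timer_res,
     max_file_size, log_file_mode, buffers_written,
     start_buffers, pointer_size, events_lost, cpu_mhz) = PREFIX.unpack_from(data)
    if pointer_size not in (4, 8):
        raise ValueError(f"PointerSize {pointer_size} is neither 4 nor 8")
    # Two PWSTR placeholders follow the union; their width is the logger's pointer size.
    off = PREFIX.size + 2 * pointer_size
    need = off + TZINFO.size + TAIL.size
    if len(data) < need:
        raise ValueError(f"truncated: need {need} bytes, got {len(data)}")
    tz = TZINFO.unpack_from(data, off)
    off += TZINFO.size
    _pad, boot_time, perf_freq, start_time, flags, buffer_lost = TAIL.unpack_from(data, off)
    off += TAIL.size
    fixed_size = off  # 272 (0x110) for 32-bit loggers, 280 (0x118) for 64-bit ones
    logger_name, off = read_wchar_z(data, off)
    log_file_name, off = read_wchar_z(data, off)
    try:
        clock = ReservedFlags(flags)
    except ValueError:
        clock = flags  # unknown clock type: keep the raw value instead of guessing
    return {
        "buffer_size": buffer_size,
        "version": tuple(version.to_bytes(4, "little")),  # (Major, Minor, Sub, SubMinor)
        "provider_version": provider_version, "number_of_processors": num_cpus,
        "end_time": end_time, "timer_resolution": timer_res,
        "maximum_file_size": max_file_size, "log_file_mode": log_file_mode,
        "buffers_written": buffers_written, "start_buffers": start_buffers,
        "pointer_size": pointer_size, "events_lost": events_lost, "cpu_speed_in_mhz": cpu_mhz,
        "timezone": {"bias_minutes": tz[0],
                     "standard_name": tz[1].decode("utf-16-le").rstrip("\x00"),
                     "daylight_name": tz[11].decode("utf-16-le").rstrip("\x00")},
        "boot_time": filetime_to_datetime(boot_time), "perf_freq": perf_freq,
        "start_time": filetime_to_datetime(start_time), "reserved_flags": clock,
        "buffer_lost": buffer_lost, "fixed_size": fixed_size,
        "logger_name": logger_name, "log_file_name": log_file_name,
    }


def build_sample_header(pointer_size: int = 8) -> bytes:
    """Constructed sample (not from a real trace): version 2.0.1.0, QPC clock."""
    start = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    prefix = PREFIX.pack(0x10000, int.from_bytes(bytes([2, 0, 1, 0]), "little"), 9200, 8, 0,
                         156250, 0, 0x1, 42, 1, pointer_size, 3, 2400)
    tz = TZINFO.pack(-60, wchar32("W. Europe Standard Time"), *ZERO_SYSTEMTIME, 0,
                     wchar32("W. Europe Daylight Time"), *ZERO_SYSTEMTIME, -60)
    tail = TAIL.pack(0, datetime_to_filetime(start - timedelta(days=1)), 10_000_000,
                     datetime_to_filetime(start), ReservedFlags.PERFORMANCE_FREQ, 0)
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00"
                     for s in ("NT Kernel Logger", "C:\\Temp\\sample.etl"))
    return prefix + b"\x00" * (2 * pointer_size) + tz + tail + names


if __name__ == "__main__":
    hdr = parse_logfile_header(build_sample_header(8))
    print(f"v{'.'.join(map(str, hdr['version']))}, {hdr['pointer_size'] * 8}-bit logger, "
          f"clock={hdr['reserved_flags'].name}, start={hdr['start_time'].isoformat()}")
    print(f"{hdr['logger_name']!r} -> {hdr['log_file_name']!r}")
```

The same bytes parse to a 280-byte fixed header when PointerSize is 8 and to 272 bytes when it is 4, which is why the pointer size must be read before the time zone and timestamp fields can be located. An unknown ReservedFlags value is returned raw rather than mapped, so a caller can refuse to convert timestamps it does not understand instead of silently producing wrong times.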