/// <summary>
/// Reads one property of an ETW record according to its TDH in-type code.
/// </summary>
/// <param name="prop">Property descriptor; <c>Type</c> is compared against the <see cref="TDH_IN_TYPE"/> values.</param>
/// <param name="record">ETW event record the value is read from.</param>
/// <returns>
/// The decoded value, or the string <c>"&lt;Unknown type&gt;"</c> when the in-type is not one this
/// method handles (the field is still reported, just not decoded).
/// </returns>
private object ParseBasicProperty(Property prop, IEventRecord record)
{
    switch (prop.Type)
    {
        case (int)TDH_IN_TYPE.TDH_INTYPE_UNICODESTRING:
            return record.GetUnicodeString(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_ANSISTRING:
            return record.GetAnsiString(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_COUNTEDSTRING:
            return record.GetCountedString(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_BINARY:
            return record.GetBinary(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT8:
            return record.GetInt8(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT8:
            return record.GetUInt8(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT16:
            return record.GetInt16(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT16:
            return record.GetUInt16(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT32:
            return record.GetInt32(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT32:
            return record.GetUInt32(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_INT64:
            return record.GetInt64(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_UINT64:
            return record.GetUInt64(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_FILETIME:
            // FILETIME is surfaced as a DateTime rather than as its raw 64-bit tick count.
            return record.GetDateTime(prop.Name);
        case (int)TDH_IN_TYPE.TDH_INTYPE_POINTER:
            // Pointers are surfaced as their numeric value, read as 64-bit.
            return record.GetUInt64(prop.Name);
        default:
            // Unhandled in-type: report a marker so the field is not silently dropped.
            return "<Unknown type>";
    }
}
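/// <summary>
/// Parses a TraceLogging event: every self-describing property of the record is decoded by its
/// TDH in-type code and stored under its name in <paramref name="eventData"/>.
/// </summary>
/// <param name="record">ETW event record.</param>
/// <param name="eventData">Dictionary that will be filled with the event data.</param>
/// <remarks>
/// The numeric case labels are the TDH_IN_TYPE codes from tdh.h (1 = UNICODESTRING ... 21 = HEXINT64).
/// A field whose decoding throws is recorded as <c>ERROR_PARSING_FIELD</c> so that one bad field does not
/// lose the rest of the event, and a field whose in-type is not handled is recorded as
/// <c>"&lt;Unknown type&gt;"</c> (the same marker <c>ParseBasicProperty</c> uses) instead of being silently
/// omitted from the output.
/// </remarks>
public void Parse(IEventRecord record, Dictionary<String, dynamic> eventData)
{
    foreach (var property in record.Properties)
    {
        var name = property.Name;
        try
        {
            switch (property.Type)
            {
                case 1:  // TDH_INTYPE_UNICODESTRING
                    eventData[name] = record.GetUnicodeString(name);
                    break;
                case 2:  // TDH_INTYPE_ANSISTRING
                    eventData[name] = record.GetAnsiString(name);
                    break;
                case 3:  // TDH_INTYPE_INT8
                    eventData[name] = record.GetInt8(name);
                    break;
                case 4:  // TDH_INTYPE_UINT8
                    eventData[name] = record.GetUInt8(name);
                    break;
                case 5:  // TDH_INTYPE_INT16
                    eventData[name] = record.GetInt16(name);
                    break;
                case 6:  // TDH_INTYPE_UINT16
                    eventData[name] = record.GetUInt16(name);
                    break;
                case 7:  // TDH_INTYPE_INT32
                    eventData[name] = record.GetInt32(name);
                    break;
                case 8:  // TDH_INTYPE_UINT32
                    eventData[name] = record.GetUInt32(name);
                    break;
                case 9:  // TDH_INTYPE_INT64
                    eventData[name] = record.GetInt64(name);
                    break;
                case 10: // TDH_INTYPE_UINT64
                    eventData[name] = record.GetUInt64(name);
                    break;
                case 13: // TDH_INTYPE_BOOLEAN — a 4-byte value on the wire, kept as UInt32
                    eventData[name] = record.GetUInt32(name);
                    break;
                case 14: // TDH_INTYPE_BINARY
                    eventData[name] = record.GetBinary(name);
                    break;
                case 15: // TDH_INTYPE_GUID — kept as the raw 16 bytes
                    eventData[name] = record.GetBinary(name);
                    break;
                case 20: // TDH_INTYPE_HEXINT32
                    eventData[name] = record.GetUInt32(name);
                    break;
                case 21: // TDH_INTYPE_HEXINT64
                    eventData[name] = record.GetUInt64(name);
                    break;
                default:
                    // Previously unknown in-types were skipped silently, so a consumer could not tell
                    // a missing field from an undecoded one. Report it the way ParseBasicProperty does.
                    eventData[name] = "<Unknown type>";
                    break;
            }
        }
        catch (Exception)
        {
            // Best effort per field: a decoding failure must not abort the whole event.
            eventData[name] = ERROR_PARSING_FIELD;
        }
    }
}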
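/// <summary>
/// Parses a manifest-based event: finds the event definition whose id matches the record, then decodes
/// every data item of the event's template and stores it in <paramref name="eventData"/>.
/// </summary>
/// <param name="record">ETW event record.</param>
/// <param name="eventData">Dictionary that will be filled by the parser.</param>
/// <remarks>
/// Manifest event ids are 16-bit unsigned values, so the id lookup uses <see cref="UInt16.TryParse(string, out ushort)"/>;
/// the previous <c>Int16.Parse</c> overflowed for ids above 32767 and threw on a malformed manifest value.
/// A matching event whose template cannot be found leaves <paramref name="eventData"/> untouched instead of throwing.
/// Fields that fail to decode are stored as <c>ERROR_PARSING_FIELD</c>; fields whose in-type is not handled are
/// stored as <c>"&lt;Unknown type&gt;"</c>, matching <c>ParseBasicProperty</c>.
/// </remarks>
public void Parse(IEventRecord record, Dictionary<String, dynamic> eventData)
{
    var provider = this.Scheme.instrumentation.events.provider;
    foreach (var eventDefinition in provider.events)
    {
        ushort eventId;
        if (!UInt16.TryParse(eventDefinition.value, out eventId) || eventId != record.Id)
        {
            // Either not this event or an unparsable id in the manifest; skip it rather than abort.
            continue;
        }

        // NOTE(review): presumably an event can reference no template (payload-less event) or a
        // template id that is absent from the manifest; in both cases there is nothing to decode.
        // SingleOrDefault still throws if the manifest declares the same template id twice.
        var template = provider.templates.SingleOrDefault(x => x.tid == eventDefinition.template);
        if (template == null)
        {
            break;
        }

        foreach (var data in template.datas)
        {
            var name = data.name;
            try
            {
                switch (data.inType)
                {
                    case Manifest.Data.InType.UnicodeString:
                        eventData[name] = record.GetUnicodeString(name);
                        break;
                    case Manifest.Data.InType.AnsiString:
                        eventData[name] = record.GetAnsiString(name);
                        break;
                    case Manifest.Data.InType.GUID:
                        eventData[name] = record.GetBinary(name);
                        break;
                    case Manifest.Data.InType.UInt32:
                        eventData[name] = record.GetUInt32(name);
                        break;
                    case Manifest.Data.InType.HexInt32:
                        eventData[name] = record.GetInt32(name);
                        break;
                    case Manifest.Data.InType.HexInt64:
                        eventData[name] = record.GetInt64(name);
                        break;
                    case Manifest.Data.InType.Boolean:
                        // Manifest booleans are 4 bytes on the wire; kept as UInt32.
                        eventData[name] = record.GetUInt32(name);
                        break;
                    case Manifest.Data.InType.UInt16:
                        eventData[name] = record.GetUInt16(name);
                        break;
                    case Manifest.Data.InType.Binary:
                        eventData[name] = record.GetBinary(name);
                        break;
                    case Manifest.Data.InType.UInt64:
                        eventData[name] = record.GetUInt64(name);
                        break;
                    case Manifest.Data.InType.Double:
                        // No double accessor is available on IEventRecord here; the raw 64-bit pattern is kept.
                        eventData[name] = record.GetUInt64(name);
                        break;
                    case Manifest.Data.InType.UInt8:
                        eventData[name] = record.GetUInt8(name);
                        break;
                    case Manifest.Data.InType.Int8:
                        // Int8 is a single byte; the previous GetInt64 read eight bytes for this field.
                        eventData[name] = record.GetInt8(name);
                        break;
                    case Manifest.Data.InType.Int16:
                        eventData[name] = record.GetInt16(name);
                        break;
                    case Manifest.Data.InType.Int32:
                        eventData[name] = record.GetInt32(name);
                        break;
                    case Manifest.Data.InType.Int64:
                        eventData[name] = record.GetInt64(name);
                        break;
                    case Manifest.Data.InType.FILETIME:
                        // Decoded to a DateTime, consistent with ParseBasicProperty's FILETIME handling.
                        eventData[name] = record.GetDateTime(name);
                        break;
                    case Manifest.Data.InType.Pointer:
                        // Kept as raw bytes: the pointer width depends on the traced process.
                        eventData[name] = record.GetBinary(name);
                        break;
                    case Manifest.Data.InType.SYSTEMTIME:
                        eventData[name] = record.GetDateTime(name);
                        break;
                    case Manifest.Data.InType.SID:
                        eventData[name] = record.GetBinary(name);
                        break;
                    case Manifest.Data.InType.Float:
                        // No float accessor is available on IEventRecord here; the raw 32-bit pattern is kept.
                        eventData[name] = record.GetUInt32(name);
                        break;
                    default:
                        // Report unhandled in-types instead of silently dropping the field.
                        eventData[name] = "<Unknown type>";
                        break;
                }
            }
            catch (Exception)
            {
                // Best effort per field: a decoding failure must not abort the whole event.
                eventData[name] = ERROR_PARSING_FIELD;
            }
        }
        // Only one definition matches a given event id.
        break;
    }
}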