1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \\PIPE\\NETLOGON packet disassembly
3 * Copyright 2001, Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.47 2002/08/11 14:08:08 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
/* Protocol handle and header-field (hf_*) indices used by the NETLOGON
 * dissector. Every index starts at -1; the code that assigns real values is
 * not in this part of the listing (presumably the registration routine). */
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_rc = -1;
43 static int hf_netlogon_len = -1;
44 static int hf_netlogon_sensitive_data_flag = -1;
45 static int hf_netlogon_sensitive_data_len = -1;
46 static int hf_netlogon_sensitive_data = -1;
47 static int hf_netlogon_security_information = -1;
48 static int hf_netlogon_dummy = -1;
49 static int hf_netlogon_neg_flags = -1;
50 static int hf_netlogon_minworkingsetsize = -1;
51 static int hf_netlogon_maxworkingsetsize = -1;
52 static int hf_netlogon_pagedpoollimit = -1;
53 static int hf_netlogon_pagefilelimit = -1;
54 static int hf_netlogon_timelimit = -1;
55 static int hf_netlogon_nonpagedpoollimit = -1;
56 static int hf_netlogon_pac_size = -1;
57 static int hf_netlogon_pac_data = -1;
58 static int hf_netlogon_auth_size = -1;
59 static int hf_netlogon_auth_data = -1;
60 static int hf_netlogon_cipher_len = -1;
61 static int hf_netlogon_cipher_maxlen = -1;
62 static int hf_netlogon_cipher_current_data = -1;
63 static int hf_netlogon_cipher_current_set_time = -1;
64 static int hf_netlogon_cipher_old_data = -1;
65 static int hf_netlogon_cipher_old_set_time = -1;
66 static int hf_netlogon_priv = -1;
67 static int hf_netlogon_privilege_entries = -1;
68 static int hf_netlogon_privilege_control = -1;
69 static int hf_netlogon_privilege_name = -1;
70 static int hf_netlogon_systemflags = -1;
71 static int hf_netlogon_pdc_connection_status = -1;
72 static int hf_netlogon_tc_connection_status = -1;
73 static int hf_netlogon_restart_state = -1;
74 static int hf_netlogon_attrs = -1;
75 static int hf_netlogon_count = -1;
76 static int hf_netlogon_entries = -1;
77 static int hf_netlogon_minpasswdlen = -1;
78 static int hf_netlogon_passwdhistorylen = -1;
79 static int hf_netlogon_level16 = -1;
80 static int hf_netlogon_validation_level = -1;
81 static int hf_netlogon_reference = -1;
82 static int hf_netlogon_next_reference = -1;
83 static int hf_netlogon_timestamp = -1;
84 static int hf_netlogon_level = -1;
85 static int hf_netlogon_challenge = -1;
86 static int hf_netlogon_reserved = -1;
87 static int hf_netlogon_audit_retention_period = -1;
88 static int hf_netlogon_auditing_mode = -1;
89 static int hf_netlogon_max_audit_event_count = -1;
90 static int hf_netlogon_event_audit_option = -1;
91 static int hf_netlogon_unknown_time = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_last_logon = -1;
116 static int hf_netlogon_last_logoff = -1;
117 static int hf_netlogon_logon_count = -1;
118 static int hf_netlogon_logon_count16 = -1;
119 static int hf_netlogon_bad_pw_count = -1;
120 static int hf_netlogon_bad_pw_count16 = -1;
121 static int hf_netlogon_user_rid = -1;
122 static int hf_netlogon_alias_rid = -1;
123 static int hf_netlogon_group_rid = -1;
124 static int hf_netlogon_logon_srv = -1;
125 static int hf_netlogon_principal = -1;
126 static int hf_netlogon_logon_dom = -1;
127 static int hf_netlogon_domain_name = -1;
128 static int hf_netlogon_domain_create_time = -1;
129 static int hf_netlogon_domain_modify_time = -1;
130 static int hf_netlogon_modify_count = -1;
131 static int hf_netlogon_db_modify_time = -1;
132 static int hf_netlogon_db_create_time = -1;
133 static int hf_netlogon_oem_info = -1;
134 static int hf_netlogon_serial_number = -1;
135 static int hf_netlogon_trusted_domain_name = -1;
136 static int hf_netlogon_num_rids = -1;
137 static int hf_netlogon_num_controllers = -1;
138 static int hf_netlogon_num_other_groups = -1;
139 static int hf_netlogon_computer_name = -1;
140 static int hf_netlogon_site_name = -1;
141 static int hf_netlogon_trusted_dc_name = -1;
142 static int hf_netlogon_dc_name = -1;
143 static int hf_netlogon_dc_site_name = -1;
144 static int hf_netlogon_dns_forest_name = -1;
145 static int hf_netlogon_dc_address = -1;
146 static int hf_netlogon_dc_address_type = -1;
147 static int hf_netlogon_client_name = -1;
148 static int hf_netlogon_client_site_name = -1;
149 static int hf_netlogon_workstation = -1;
150 static int hf_netlogon_workstation_site_name = -1;
151 static int hf_netlogon_workstation_os = -1;
152 static int hf_netlogon_workstations = -1;
153 static int hf_netlogon_workstation_fqdn = -1;
154 static int hf_netlogon_group_name = -1;
155 static int hf_netlogon_alias_name = -1;
156 static int hf_netlogon_country = -1;
157 static int hf_netlogon_codepage = -1;
158 static int hf_netlogon_flags = -1;
159 static int hf_netlogon_user_flags = -1;
160 static int hf_netlogon_auth_flags = -1;
161 static int hf_netlogon_pwd_expired = -1;
162 static int hf_netlogon_nt_pwd_present = -1;
163 static int hf_netlogon_lm_pwd_present = -1;
164 static int hf_netlogon_code = -1;
165 static int hf_netlogon_database_id = -1;
166 static int hf_netlogon_sync_context = -1;
167 static int hf_netlogon_max_size = -1;
168 static int hf_netlogon_max_log_size = -1;
169 static int hf_netlogon_change_log_size = -1;
170 static int hf_netlogon_dns_host = -1;
171 static int hf_netlogon_num_pwd_pairs = -1;
172 static int hf_netlogon_acct_expiry_time = -1;
/* By name, the *_owf_password fields here and hf_netlogon_user_session_key
 * below label password-derived bytes and key material in the protocol tree. */
173 static int hf_netlogon_encrypted_lm_owf_password = -1;
174 static int hf_netlogon_lm_owf_password = -1;
175 static int hf_netlogon_nt_owf_password = -1;
176 static int hf_netlogon_param_ctrl = -1;
177 static int hf_netlogon_logon_id = -1;
178 static int hf_netlogon_num_deltas = -1;
179 static int hf_netlogon_user_session_key = -1;
180 static int hf_netlogon_blob_size = -1;
181 static int hf_netlogon_blob = -1;
182 static int hf_netlogon_logon_attempts = -1;
183 static int hf_netlogon_authoritative = -1;
184 static int hf_netlogon_secure_channel_type = -1;
185 static int hf_netlogon_logonsrv_handle = -1;
186 static int hf_netlogon_delta_type = -1;
/* Subtree (ett_*) indices passed to proto_item_add_subtree by the structure
 * dissectors; also initialised to -1. */
188 static gint ett_dcerpc_netlogon = -1;
189 static gint ett_QUOTA_LIMITS = -1;
190 static gint ett_IDENTITY_INFO = -1;
191 static gint ett_DELTA_ENUM = -1;
192 static gint ett_CYPHER_VALUE = -1;
193 static gint ett_UNICODE_MULTI = -1;
194 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
195 static gint ett_TYPE_46 = -1;
196 static gint ett_TYPE_48 = -1;
197 static gint ett_UNICODE_STRING_512 = -1;
198 static gint ett_TYPE_50 = -1;
199 static gint ett_TYPE_51 = -1;
200 static gint ett_TYPE_52 = -1;
201 static gint ett_DELTA_ID_UNION = -1;
202 static gint ett_TYPE_44 = -1;
203 static gint ett_DELTA_UNION = -1;
204 static gint ett_TYPE_45 = -1;
205 static gint ett_TYPE_47 = -1;
206 static gint ett_GUID = -1;
207 static gint ett_LM_OWF_PASSWORD = -1;
208 static gint ett_NT_OWF_PASSWORD = -1;
209 static gint ett_GROUP_MEMBERSHIP = -1;
210 static gint ett_BLOB = -1;
/* DCE/RPC interface identity: UUID 12345678-1234-abcd-ef00-01234567cffb and
 * interface version 1.
 * NOTE(review): the closing line of the UUID initializer is missing from
 * this listing (gutter jumps from 214 to 217). */
212 static e_uuid_t uuid_dcerpc_netlogon = {
213 0x12345678, 0x1234, 0xabcd,
214 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
217 static guint16 ver_dcerpc_netlogon = 1;
/* Dissects the LOGONSRV_HANDLE argument: a unique NDR pointer whose referent
 * is handed to dissect_ndr_nt_UNICODE_STRING_str and shown as "Server Handle"
 * under hf_netlogon_logonsrv_handle.
 * NOTE(review): gutter gaps show source lines missing before and after this
 * call, so the rest of the definition is not visible in this listing. */
222 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
223 packet_info *pinfo, proto_tree *tree,
226 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
227 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
228 "Server Handle", hf_netlogon_logonsrv_handle, 0);
234 * IDL typedef struct {
235 * IDL [unique][string] wchar_t *effective_name;
237 * IDL long auth_flags;
238 * IDL long logon_count;
239 * IDL long bad_pw_count;
240 * IDL long last_logon;
241 * IDL long last_logoff;
242 * IDL long logoff_time;
243 * IDL long kickoff_time;
244 * IDL long password_age;
245 * IDL long pw_can_change;
246 * IDL long pw_must_change;
247 * IDL [unique][string] wchar_t *computer;
248 * IDL [unique][string] wchar_t *domain;
249 * IDL [unique][string] wchar_t *script_path;
/* Dissects a VALIDATION_UAS_INFO structure (the [out] info of
 * NetLogonUasLogon). Visible order: effective account name pointer, priv,
 * auth_flags, logon_count, bad_pw_count, seven 4-byte time values shown only
 * as text, then computer, domain and script string pointers and one reserved
 * uint32. */
253 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
254 packet_info *pinfo, proto_tree *tree,
/* di comes from pinfo->private_data; its declaration and the early return
 * taken during a conformant run are on lines this listing omits. */
259 di=pinfo->private_data;
260 if(di->conformant_run){
261 /*just a run to handle conformant arrays, nothing to dissect */
265 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
266 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
267 "Effective Account", hf_netlogon_acct_name, 0);
269 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
270 hf_netlogon_priv, NULL);
272 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
273 hf_netlogon_auth_flags, NULL);
275 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
276 hf_netlogon_logon_count, NULL);
278 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
279 hf_netlogon_bad_pw_count, NULL);
/* The seven time fields are not decoded: each is added as a 4-byte text item
 * labelled "unknown time format".
 * NOTE(review): no statement advancing offset between these items is visible;
 * the gutter gaps after each one suggest it sits on omitted lines - confirm
 * against the full file, otherwise all seven would highlight the same bytes. */
281 /* XXX - are these all UNIX "time_t"s, like the time stamps in
284 Or are they, as per some RAP-based operations, UTIMEs? */
285 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
288 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
291 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
294 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
297 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
300 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
303 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
306 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
307 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
308 "Computer", hf_netlogon_computer_name, 0);
310 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
311 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
312 "Domain", hf_netlogon_domain_name, 0);
314 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
315 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
316 "Script", hf_netlogon_logon_script, 0);
318 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
319 hf_netlogon_reserved, NULL);
325 * IDL long NetLogonUasLogon(
326 * IDL [in][unique][string] wchar_t *ServerName,
327 * IDL [in][ref][string] wchar_t *UserName,
328 * IDL [in][ref][string] wchar_t *Workstation,
329 * IDL [out][unique] VALIDATION_UAS_INFO *info
/* Request side of NetLogonUasLogon: the server handle, then the account and
 * workstation names, each a ref pointer to a Unicode string.
 * NOTE(review): the argument line completing the LOGONSRV_HANDLE call is
 * missing from this listing (gutter 337). */
333 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
334 packet_info *pinfo, proto_tree *tree, char *drep)
336 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
339 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
340 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
341 "Account", hf_netlogon_acct_name, 0);
343 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
344 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
345 "Workstation", hf_netlogon_workstation, 0);
/* Reply side of NetLogonUasLogon: a unique pointer to VALIDATION_UAS_INFO
 * followed by the NTSTATUS return code shown under hf_netlogon_rc. */
352 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
353 packet_info *pinfo, proto_tree *tree, char *drep)
355 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
356 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
357 "VALIDATION_UAS_INFO", -1, 0);
359 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
360 hf_netlogon_rc, NULL);
366 * IDL typedef struct {
368 * IDL short logon_count;
369 * IDL } LOGOFF_UAS_INFO;
/* Dissects LOGOFF_UAS_INFO: a 4-byte duration added as undecoded text
 * ("unknown time format"), then the 16-bit logon count.
 * NOTE(review): the conformant-run early return and the statement that steps
 * offset past the duration are not visible; gutter gaps (381-383, 385-386)
 * suggest they are on omitted lines. */
372 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
373 packet_info *pinfo, proto_tree *tree,
378 di=pinfo->private_data;
379 if(di->conformant_run){
380 /*just a run to handle conformant arrays, nothing to dissect */
384 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
387 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
388 hf_netlogon_logon_count16, NULL);
394 * IDL long NetLogonUasLogoff(
395 * IDL [in][unique][string] wchar_t *ServerName,
396 * IDL [in][ref][string] wchar_t *UserName,
397 * IDL [in][ref][string] wchar_t *Workstation,
398 * IDL [out][ref] LOGOFF_UAS_INFO *info
/* Request side of NetLogonUasLogoff: the server handle, then the account and
 * workstation names, each a ref pointer to a Unicode string. The field order
 * matches the NetLogonUasLogon request.
 * NOTE(review): the argument line completing the LOGONSRV_HANDLE call is
 * missing from this listing (gutter 406). */
402 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
403 packet_info *pinfo, proto_tree *tree, char *drep)
405 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
408 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
409 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
410 "Account", hf_netlogon_acct_name, 0);
412 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
413 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
414 "Workstation", hf_netlogon_workstation, 0);
/* Reply side of NetLogonUasLogoff: a ref pointer to LOGOFF_UAS_INFO followed
 * by the NTSTATUS return code shown under hf_netlogon_rc. */
421 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
422 packet_info *pinfo, proto_tree *tree, char *drep)
424 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
425 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
426 "LOGOFF_UAS_INFO", -1, 0);
428 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
429 hf_netlogon_rc, NULL);
438 * IDL typedef struct {
439 * IDL UNICODESTRING LogonDomainName;
440 * IDL long ParameterControl;
441 * IDL uint64 LogonID;
442 * IDL UNICODESTRING UserName;
443 * IDL UNICODESTRING Workstation;
444 * IDL } LOGON_IDENTITY_INFO;
/* Dissects LOGON_IDENTITY_INFO into its own subtree (ett_IDENTITY_INFO):
 * logon domain, parameter control, 64-bit logon id, account name and
 * workstation. The subtree item is created with length 0 and sized at the
 * end from the bytes consumed (offset - old_offset).
 * NOTE(review): the listing omits lines around the trailing
 * netlogon_dissect_8_unknown_bytes call, so it cannot be told from here
 * whether that call is compiled in; the neighbouring comments say the bytes
 * were meant to be commented out. Confirm against the full file, because it
 * moves where every later field of the enclosing structure is read. */
447 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
448 packet_info *pinfo, proto_tree *parent_tree,
451 proto_item *item=NULL;
452 proto_tree *tree=NULL;
453 int old_offset=offset;
456 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
458 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
461 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
462 hf_netlogon_logon_dom, 0);
464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
465 hf_netlogon_param_ctrl, NULL);
467 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
468 hf_netlogon_logon_id, NULL);
470 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
471 hf_netlogon_acct_name, 0);
473 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
474 hf_netlogon_workstation, 0);
477 /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
478 /* XXX 8 extra bytes here */
479 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
480 the idl file. Could be a bug in either the NETLOGON implementation or in the
483 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
486 proto_item_set_len(item, offset-old_offset);
492 * IDL typedef struct {
493 * IDL char password[16];
494 * IDL } LM_OWF_PASSWORD;
/* Dissects LM_OWF_PASSWORD: a 16-byte item under hf_netlogon_lm_owf_password
 * inside an ett_LM_OWF_PASSWORD subtree; nothing is dissected during a
 * conformant run.
 * These 16 bytes are password-derived (whether they are still encrypted on
 * the wire cannot be told from this code), so captures and exported
 * dissections that show them should be handled as credential material.
 * NOTE(review): the subtree label, the last proto_tree_add_item argument and
 * the offset advance are on lines this listing omits. */
497 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
498 packet_info *pinfo, proto_tree *parent_tree,
501 proto_item *item=NULL;
502 proto_tree *tree=NULL;
505 di=pinfo->private_data;
506 if(di->conformant_run){
507 /*just a run to handle conformant arrays, nothing to dissect.*/
512 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
514 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
517 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
525 * IDL typedef struct {
526 * IDL char password[16];
527 * IDL } NT_OWF_PASSWORD;
/* Dissects NT_OWF_PASSWORD: a 16-byte item under hf_netlogon_nt_owf_password
 * inside an ett_NT_OWF_PASSWORD subtree; nothing is dissected during a
 * conformant run. Same shape as the LM_OWF_PASSWORD dissector.
 * These 16 bytes are password-derived (whether they are still encrypted on
 * the wire cannot be told from this code), so captures and exported
 * dissections that show them should be handled as credential material.
 * NOTE(review): the subtree label, the last proto_tree_add_item argument and
 * the offset advance are on lines this listing omits. */
530 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
531 packet_info *pinfo, proto_tree *parent_tree,
534 proto_item *item=NULL;
535 proto_tree *tree=NULL;
538 di=pinfo->private_data;
539 if(di->conformant_run){
540 /*just a run to handle conformant arrays, nothing to dissect.*/
545 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
547 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
550 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
559 * IDL typedef struct {
560 * IDL LOGON_IDENTITY_INFO identity_info;
561 * IDL LM_OWF_PASSWORD lmpassword;
562 * IDL NT_OWF_PASSWORD ntpassword;
563 * IDL } INTERACTIVE_INFO;
/* Dissects INTERACTIVE_INFO by chaining the LOGON_IDENTITY_INFO,
 * LM_OWF_PASSWORD and NT_OWF_PASSWORD dissectors in IDL order, each starting
 * at the offset returned by the previous one.
 * NOTE(review): the argument lines completing the three calls are missing
 * from this listing. */
566 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
567 packet_info *pinfo, proto_tree *tree,
570 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
573 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
576 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
583 * IDL typedef struct {
/* Dissects a CHALLENGE: one 8-byte item under hf_netlogon_challenge; nothing
 * is dissected during a conformant run.
 * NOTE(review): the last proto_tree_add_item argument and the offset advance
 * are on lines this listing omits. */
588 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
589 packet_info *pinfo, proto_tree *tree,
594 di=pinfo->private_data;
595 if(di->conformant_run){
596 /*just a run to handle conformant arrays, nothing to dissect.*/
600 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
608 * IDL typedef struct {
609 * IDL LOGON_IDENTITY_INFO logon_info;
610 * IDL CHALLENGE chal;
611 * IDL STRING ntchallengeresponse;
612 * IDL STRING lmchallengeresponse;
613 * IDL } NETWORK_INFO;
/* Dissects NETWORK_INFO: LOGON_IDENTITY_INFO, the 8-byte CHALLENGE, then the
 * NT and LM challenge responses as counted STRINGs (dissect_ndr_nt_STRING).
 * A capture showing the challenge together with both responses holds what an
 * offline password-guessing check needs, so treat it as sensitive.
 * NOTE(review): the argument lines completing the first two calls are
 * missing from this listing. */
616 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
617 packet_info *pinfo, proto_tree *tree,
620 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
623 offset = netlogon_dissect_CHALLENGE(tvb, offset,
626 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
627 hf_netlogon_nt_chal_resp, 0);
629 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
630 hf_netlogon_lm_chal_resp, 0);
636 * IDL typedef struct {
637 * IDL LOGON_IDENTITY_INFO logon_info;
638 * IDL LM_OWF_PASSWORD lmpassword;
639 * IDL NT_OWF_PASSWORD ntpassword;
640 * IDL } SERVICE_INFO;
/* Dissects SERVICE_INFO by chaining the LOGON_IDENTITY_INFO, LM_OWF_PASSWORD
 * and NT_OWF_PASSWORD dissectors; the visible call sequence is the same as
 * in the INTERACTIVE_INFO dissector.
 * NOTE(review): the argument lines completing the three calls are missing
 * from this listing. */
643 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
644 packet_info *pinfo, proto_tree *tree,
647 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
650 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
653 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
660 * IDL typedef [switch_type(short)] union {
661 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
662 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
663 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
/* Dissects the logon-level union: reads the 16-bit discriminant into `level`
 * (hf_netlogon_level16) and dissects a unique pointer to INTERACTIVE_INFO,
 * NETWORK_INFO or SERVICE_INFO.
 * NOTE(review): the switch/case lines that select the arm are omitted from
 * this listing; the IDL comment before the function gives cases 1, 2 and 3.
 * What happens for any other discriminant value is not visible here. */
667 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
668 packet_info *pinfo, proto_tree *tree,
673 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
674 hf_netlogon_level16, &level);
679 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
680 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
681 "INTERACTIVE_INFO:", -1, 0);
684 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
685 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
686 "NETWORK_INFO:", -1, 0);
689 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
690 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
691 "SERVICE_INFO:", -1, 0);
699 * IDL typedef struct {
/* Dissects a CREDENTIAL: one 8-byte item under hf_netlogon_credential;
 * nothing is dissected during a conformant run.
 * NOTE(review): the last proto_tree_add_item argument and the offset advance
 * are on lines this listing omits. */
704 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
705 packet_info *pinfo, proto_tree *tree,
710 di=pinfo->private_data;
711 if(di->conformant_run){
712 /*just a run to handle conformant arrays, nothing to dissect.*/
716 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
725 * IDL typedef struct {
726 * IDL CREDENTIAL cred;
727 * IDL long timestamp;
728 * IDL } AUTHENTICATOR;
/* Dissects an AUTHENTICATOR: the 8-byte CREDENTIAL followed by a 4-byte
 * timestamp shown with proto_tree_add_time under hf_netlogon_timestamp.
 * NOTE(review): the timestamp is read with tvb_get_letohl, i.e. always as
 * little-endian, whereas the other fields in this file go through
 * dissect_ndr_* helpers that receive drep - confirm that is intended.
 * Only ts.secs is set on a visible line; any ts.nsecs initialisation and the
 * offset advance are on lines this listing omits (gutter 756, 758+). */
731 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
732 packet_info *pinfo, proto_tree *tree,
738 di=pinfo->private_data;
739 if(di->conformant_run){
740 /*just a run to handle conformant arrays, nothing to dissect */
744 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
748 * XXX - this appears to be a UNIX time_t in some credentials, but
749 * appears to be random junk in other credentials.
750 * For example, it looks like a UNIX time_t in "credential"
751 * AUTHENTICATORs, but like random junk in "return_authenticator"
755 ts.secs = tvb_get_letohl(tvb, offset);
757 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
765 * IDL typedef struct {
767 * IDL long attributes;
768 * IDL } GROUP_MEMBERSHIP;
/* Dissects one GROUP_MEMBERSHIP entry in a "GROUP_MEMBERSHIP:" subtree
 * (ett_GROUP_MEMBERSHIP): a uint32 shown under hf_netlogon_user_rid followed
 * by the uint32 attributes (hf_netlogon_attrs). The subtree item is created
 * with length 0.
 * NOTE(review): whether the item length is fixed up afterwards is not
 * visible; the lines after the last call are omitted from this listing. */
771 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
772 packet_info *pinfo, proto_tree *parent_tree,
775 proto_item *item=NULL;
776 proto_tree *tree=NULL;
779 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
780 "GROUP_MEMBERSHIP:");
781 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
784 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
785 hf_netlogon_user_rid, NULL);
787 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
788 hf_netlogon_attrs, NULL);
/* Dissects the array of GROUP_MEMBERSHIP entries by handing
 * netlogon_dissect_GROUP_MEMBERSHIP to dissect_ndr_ucarray as the per-element
 * callback. The element count is handled inside dissect_ndr_ucarray
 * (presumably taken from the NDR conformance data on the wire, not from the
 * structure's own count field - confirm in packet-dcerpc). */
794 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
795 packet_info *pinfo, proto_tree *tree,
798 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
799 netlogon_dissect_GROUP_MEMBERSHIP);
805 * IDL typedef struct {
806 * IDL char user_session_key[16];
807 * IDL } USER_SESSION_KEY;
/* Dissects USER_SESSION_KEY: one 16-byte item under
 * hf_netlogon_user_session_key; nothing is dissected during a conformant run.
 * The item is key material, so captures and exported dissections that show
 * it should be handled accordingly.
 * NOTE(review): the last proto_tree_add_item argument and the offset advance
 * are on lines this listing omits. */
810 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
811 packet_info *pinfo, proto_tree *tree,
816 di=pinfo->private_data;
817 if(di->conformant_run){
818 /*just a run to handle conformant arrays, nothing to dissect.*/
822 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
830 * IDL typedef struct {
831 * IDL uint64 LogonTime;
832 * IDL uint64 LogoffTime;
833 * IDL uint64 KickOffTime;
834 * IDL uint64 PasswdLastSet;
835 * IDL uint64 PasswdCanChange;
836 * IDL uint64 PasswdMustChange;
837 * IDL unicodestring effectivename;
838 * IDL unicodestring fullname;
839 * IDL unicodestring logonscript;
840 * IDL unicodestring profilepath;
841 * IDL unicodestring homedirectory;
842 * IDL unicodestring homedirectorydrive;
843 * IDL short LogonCount;
844 * IDL short BadPasswdCount;
846 * IDL long primarygroup;
847 * IDL long groupcount;
848 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
849 * IDL long userflags;
850 * IDL USER_SESSION_KEY key;
851 * IDL unicodestring logonserver;
852 * IDL unicodestring domainname;
853 * IDL [unique] SID logondomainid;
854 * IDL long expansionroom[10];
855 * IDL } VALIDATION_SAM_INFO;
/* Dissects VALIDATION_SAM_INFO in IDL order: six NTTIME values, six Unicode
 * strings, two 16-bit counters, user RID, primary group RID, group count,
 * the group-membership array pointer, user flags, the user session key,
 * logon server and logon domain strings, the domain SID pointer and the
 * reserved expansion room. */
858 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
859 packet_info *pinfo, proto_tree *tree,
/* Logon, logoff, kickoff and the three password times. */
864 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
865 hf_netlogon_logon_time);
867 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
868 hf_netlogon_logoff_time);
870 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
871 hf_netlogon_kickoff_time);
873 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
874 hf_netlogon_pwd_last_set_time);
876 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
877 hf_netlogon_pwd_can_change_time);
879 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
880 hf_netlogon_pwd_must_change_time);
/* Account name, full name, logon script, profile path, home directory and
 * home directory drive. */
882 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
883 hf_netlogon_acct_name, 0);
885 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
886 hf_netlogon_full_name, 0);
888 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
889 hf_netlogon_logon_script, 0);
891 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
892 hf_netlogon_profile_path, 0);
894 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
895 hf_netlogon_home_dir, 0);
897 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
898 hf_netlogon_dir_drive, 0);
900 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
901 hf_netlogon_logon_count16, NULL);
903 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
904 hf_netlogon_bad_pw_count16, NULL);
906 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
907 hf_netlogon_user_rid, NULL);
909 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
910 hf_netlogon_group_rid, NULL);
/* The group count is displayed but not captured (NULL out-parameter); the
 * array dissector below does not receive it. */
912 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
913 hf_netlogon_num_rids, NULL);
915 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
916 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
917 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
919 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
920 hf_netlogon_user_flags, NULL);
922 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
925 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
926 hf_netlogon_logon_srv, 0);
928 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
929 hf_netlogon_logon_dom, 0);
931 offset = dissect_ndr_nt_PSID(tvb, offset,
/* NOTE(review): the IDL declares expansionroom[10] but only one reserved
 * uint32 is dissected on a visible line; a surrounding loop is presumably on
 * the omitted lines (gutter 933-934, 937+) - confirm against the full file. */
935 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
936 hf_netlogon_reserved, NULL);
945 * IDL typedef struct {
946 * IDL uint64 LogonTime;
947 * IDL uint64 LogoffTime;
948 * IDL uint64 KickOffTime;
949 * IDL uint64 PasswdLastSet;
950 * IDL uint64 PasswdCanChange;
951 * IDL uint64 PasswdMustChange;
952 * IDL unicodestring effectivename;
953 * IDL unicodestring fullname;
954 * IDL unicodestring logonscript;
955 * IDL unicodestring profilepath;
956 * IDL unicodestring homedirectory;
957 * IDL unicodestring homedirectorydrive;
958 * IDL short LogonCount;
959 * IDL short BadPasswdCount;
961 * IDL long primarygroup;
962 * IDL long groupcount;
963 * IDL [unique] GROUP_MEMBERSHIP *groupids;
964 * IDL long userflags;
965 * IDL USER_SESSION_KEY key;
966 * IDL unicodestring logonserver;
967 * IDL unicodestring domainname;
968 * IDL [unique] SID logondomainid;
969 * IDL long expansionroom[10];
971 * IDL [unique] SID_AND_ATTRIBS;
972 * IDL } VALIDATION_SAM_INFO2;
/* Dissects VALIDATION_SAM_INFO2: the same field sequence as
 * VALIDATION_SAM_INFO (times, strings, counters, RIDs, group array, user
 * flags, session key, server/domain strings, domain SID, expansion room),
 * followed by the count of other groups and a unique pointer to a
 * SID_AND_ATTRIBUTES array. */
975 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
976 packet_info *pinfo, proto_tree *tree,
/* Logon, logoff, kickoff and the three password times. */
981 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
982 hf_netlogon_logon_time);
984 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
985 hf_netlogon_logoff_time);
987 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
988 hf_netlogon_kickoff_time);
990 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
991 hf_netlogon_pwd_last_set_time);
993 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
994 hf_netlogon_pwd_can_change_time);
996 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
997 hf_netlogon_pwd_must_change_time);
/* Account name, full name, logon script, profile path, home directory and
 * home directory drive. */
999 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1000 hf_netlogon_acct_name, 0);
1002 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1003 hf_netlogon_full_name, 0);
1005 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1006 hf_netlogon_logon_script, 0);
1008 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1009 hf_netlogon_profile_path, 0);
1011 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1012 hf_netlogon_home_dir, 0);
1014 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1015 hf_netlogon_dir_drive, 0);
1017 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1018 hf_netlogon_logon_count16, NULL);
1020 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1021 hf_netlogon_bad_pw_count16, NULL);
1023 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1024 hf_netlogon_user_rid, NULL);
1026 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1027 hf_netlogon_group_rid, NULL);
/* The group count is displayed but not captured (NULL out-parameter); the
 * array dissector below does not receive it. */
1029 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1030 hf_netlogon_num_rids, NULL);
1032 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1033 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1034 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
1036 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1037 hf_netlogon_user_flags, NULL);
1039 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1042 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1043 hf_netlogon_logon_srv, 0);
1045 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1046 hf_netlogon_logon_dom, 0);
1048 offset = dissect_ndr_nt_PSID(tvb, offset,
/* NOTE(review): the IDL declares expansionroom[10] but only one uint32
 * (shown here as hf_netlogon_unknown_long, where VALIDATION_SAM_INFO uses
 * hf_netlogon_reserved) is dissected on a visible line; a surrounding loop is
 * presumably on the omitted lines - confirm against the full file. */
1052 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1053 hf_netlogon_unknown_long, NULL);
1056 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1057 hf_netlogon_num_other_groups, NULL);
1059 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1060 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1061 "SID_AND_ATTRIBUTES_ARRAY:", -1, 0);
/* Dissects the PAC referent: a uint32 size read into pac_size, then pac_size
 * bytes added as one hf_netlogon_pac_data item; nothing is dissected during
 * a conformant run.
 * NOTE(review): pac_size comes from the packet and is used as the item
 * length with no range check visible here. Any protection has to come from
 * bounds checking inside proto_tree_add_item/tvbuff, which may not run when
 * tree is NULL - confirm, and confirm that the offset advance on the omitted
 * lines (gutter 1086+) cannot push the signed offset out of range. */
1069 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1070 packet_info *pinfo, proto_tree *tree,
1076 di=pinfo->private_data;
1077 if(di->conformant_run){
1078 /*just a run to handle conformant arrays, nothing to dissect */
1082 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1083 hf_netlogon_pac_size, &pac_size);
1085 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
/* Dissects the AUTH referent: a uint32 size read into auth_size, then
 * auth_size bytes added as one hf_netlogon_auth_data item, after which
 * offset is advanced by auth_size; nothing is dissected during a conformant
 * run.
 * NOTE(review): auth_size comes from the packet and is added to the signed
 * int offset with no range check visible here. A large value could move
 * offset past the buffer or wrap it negative unless the preceding
 * proto_tree_add_item call rejects the length first, which may not happen
 * when tree is NULL - confirm against the epan bounds-checking behaviour. */
1093 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1094 packet_info *pinfo, proto_tree *tree,
1100 di=pinfo->private_data;
1101 if(di->conformant_run){
1102 /*just a run to handle conformant arrays, nothing to dissect */
1106 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1107 hf_netlogon_auth_size, &auth_size);
1109 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1111 offset += auth_size;
1118 * IDL typedef struct {
1120 * IDL [unique][size_is(pac_size)] char *pac;
1121 * IDL UNICODESTRING logondomain;
1122 * IDL UNICODESTRING logonserver;
1123 * IDL UNICODESTRING principalname;
1124 * IDL long auth_size;
1125 * IDL [unique][size_is(auth_size)] char *auth;
1126 * IDL USER_SESSION_KEY user_session_key;
1127 * IDL long expansionroom[10];
1128 * IDL UNICODESTRING dummy1;
1129 * IDL UNICODESTRING dummy2;
1130 * IDL UNICODESTRING dummy3;
1131 * IDL UNICODESTRING dummy4;
1132 * IDL } VALIDATION_PAC_INFO;
/* Dissects VALIDATION_PAC_INFO: PAC size and PAC pointer, logon domain,
 * logon server and principal name strings, auth size and auth pointer, the
 * user session key, the expansion room and four dummy Unicode strings.
 * NOTE(review): the pac_size and auth_size fields of this structure are only
 * displayed (NULL out-parameter). netlogon_dissect_PAC and
 * netlogon_dissect_AUTH each read a uint32 of their own at the referent and
 * use that as the data length, so the two values are never compared. */
1135 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1136 packet_info *pinfo, proto_tree *tree,
1141 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1142 hf_netlogon_pac_size, NULL);
1144 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1145 netlogon_dissect_PAC, NDR_POINTER_UNIQUE,
1148 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1149 hf_netlogon_logon_dom, 0);
1151 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1152 hf_netlogon_logon_srv, 0);
1154 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1155 hf_netlogon_principal, 0);
1157 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1158 hf_netlogon_auth_size, NULL);
1160 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1161 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE,
1164 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
/* NOTE(review): the IDL declares expansionroom[10] but only one uint32 is
 * dissected on a visible line; a surrounding loop is presumably on the
 * omitted lines (gutter 1166-1167, 1170-1171) - confirm. */
1168 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1169 hf_netlogon_unknown_long, NULL);
/* dummy1..dummy4 from the IDL, all shown under hf_netlogon_dummy. */
1172 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1173 hf_netlogon_dummy, 0);
1175 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1176 hf_netlogon_dummy, 0);
1178 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1179 hf_netlogon_dummy, 0);
1181 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1182 hf_netlogon_dummy, 0);
1189 * IDL typedef [switch_type(short)] union {
1190 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1191 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1192 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1193 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
/*
 * Dissect the VALIDATION union.  The 16-bit switch value is read from the
 * packet into level, and one [unique] pointer is then followed with the
 * referent dissector for the selected arm.
 * NOTE(review): the switch/case lines are not visible in this listing.  The
 * pairing of level values with the four calls below (2 SAM_INFO,
 * 3 SAM_INFO2, 4 and 5 PAC_INFO) is taken from the IDL comment, and what
 * happens for any other level is not shown - confirm against the full file.
 */
1197 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1198 packet_info *pinfo, proto_tree *tree,
/* level is sender-controlled; it is captured here so it can pick the arm. */
1203 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1204 hf_netlogon_validation_level, &level);
1209 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1210 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1211 "VALIDATION_SAM_INFO:", -1, 0);
1214 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1215 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1216 "VALIDATION_SAM_INFO2:", -1, 0);
1219 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1220 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1221 "VALIDATION_PAC_INFO:", -1, 0);
/* Same referent dissector and label as the previous call: the IDL gives
 * both pac and pac2 the type VALIDATION_PAC_INFO. */
1224 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1225 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1226 "VALIDATION_PAC_INFO:", -1, 0);
1235 * IDL long NetLogonSamLogon(
1236 * IDL [in][unique][string] wchar_t *ServerName,
1237 * IDL [in][unique][string] wchar_t *Workstation,
1238 * IDL [in][unique] AUTHENTICATOR *credential,
1239 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1240 * IDL [in] short LogonLevel,
1241 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1242 * IDL [in] short ValidationLevel,
1243 * IDL [out][ref] VALIDATION *validation,
1244 * IDL [out][ref] boolean Authoritative
/*
 * Dissect the NetLogonSamLogon request.  Visible calls, in order: the
 * LOGONSRV_HANDLE, the computer name, the credential authenticator, the
 * return authenticator, the 16-bit logon level, the LEVEL union and the
 * 16-bit validation level.
 * NOTE(review): the end of the function is not visible in this listing.
 */
1248 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1249 packet_info *pinfo, proto_tree *tree, char *drep)
1251 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* [unique] pointers: the referent may be absent on the wire. */
1254 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1255 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1256 "Computer Name", hf_netlogon_computer_name, 0);
1258 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1259 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1260 "AUTHENTICATOR: credential", -1, 0);
1262 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1263 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1264 "AUTHENTICATOR: return_authenticator", -1, 0);
/* The logon level is displayed but not captured (NULL out-pointer). */
1266 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1267 hf_netlogon_level16, NULL);
/* IDL marks logonlevel as [ref], hence NDR_POINTER_REF. */
1269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1270 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1271 "LEVEL: LogonLevel", -1, 0);
1273 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1274 hf_netlogon_validation_level, NULL);
/*
 * Dissect the NetLogonSamLogon reply: the return authenticator, the
 * VALIDATION union, the 8-bit authoritative flag and the NT status.
 * The status is shown as hf_netlogon_rc, the field to look at when checking
 * a capture for logons the server rejected.
 */
1280 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1281 packet_info *pinfo, proto_tree *tree, char *drep)
1283 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1284 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1285 "AUTHENTICATOR: return_authenticator", -1, 0);
/* IDL: [out][ref] VALIDATION *validation */
1287 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1288 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1289 "VALIDATION:", -1, 0);
1291 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1292 hf_netlogon_authoritative, NULL);
1294 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1295 hf_netlogon_rc, NULL);
1302 * IDL long NetLogonSamLogoff(
1303 * IDL [in][unique][string] wchar_t *ServerName,
1304 * IDL [in][unique][string] wchar_t *ComputerName,
1305 * IDL [in][unique] AUTHENTICATOR credential,
1306 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1307 * IDL [in] short logon_level,
1308 * IDL [in][ref] LEVEL logoninformation
/*
 * Dissect the NetLogonSamLogoff request: the LOGONSRV_HANDLE, the computer
 * name, the credential and return authenticators, the 16-bit logon level
 * and the LEVEL union holding the logon information.
 * NOTE(review): the end of the function is not visible in this listing.
 */
1312 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1313 packet_info *pinfo, proto_tree *tree, char *drep)
1315 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1319 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1320 "Computer Name", hf_netlogon_computer_name, 0);
1322 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1323 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1324 "AUTHENTICATOR: credential", -1, 0);
1326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1327 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1328 "AUTHENTICATOR: return_authenticator", -1, 0);
1330 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1331 hf_netlogon_level16, NULL);
/* IDL marks logoninformation as [ref], hence NDR_POINTER_REF. */
1333 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1334 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1335 "LEVEL: logoninformation", -1, 0);
/*
 * Dissect the NetLogonSamLogoff reply: the return authenticator followed
 * by the NT status, shown as hf_netlogon_rc.
 */
1340 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1341 packet_info *pinfo, proto_tree *tree, char *drep)
1344 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1345 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1346 "AUTHENTICATOR: return_authenticator", -1, 0);
1348 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1349 hf_netlogon_rc, NULL);
1356 * IDL long NetServerReqChallenge(
1357 * IDL [in][unique][string] wchar_t *ServerName,
1358 * IDL [in][ref][string] wchar_t *ComputerName,
1359 * IDL [in][ref] CREDENTIAL client_credential,
1360 * IDL [out][ref] CREDENTIAL server_credential
/*
 * Dissect the NetServerReqChallenge request: the LOGONSRV_HANDLE, the
 * computer name and the client's CREDENTIAL (labelled "client challenge").
 * Both pointers are [ref] in the IDL, so NDR_POINTER_REF is used.
 * NOTE(review): the end of the function is not visible in this listing.
 */
1364 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1365 packet_info *pinfo, proto_tree *tree, char *drep)
1367 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1370 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1371 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1372 "Computer Name", hf_netlogon_computer_name, 0);
1374 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1375 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1376 "CREDENTIAL: client challenge", -1, 0);
/*
 * Dissect the NetServerReqChallenge reply: the server's CREDENTIAL followed
 * by the NT status, shown as hf_netlogon_rc.
 */
1381 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1382 packet_info *pinfo, proto_tree *tree, char *drep)
1384 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1385 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1386 "CREDENTIAL: server credential", -1, 0);
1388 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1389 hf_netlogon_rc, NULL);
/*
 * Dissect the secure channel type as one 16-bit value, shown as
 * hf_netlogon_secure_channel_type.  The value is displayed only; it is not
 * captured (NULL out-pointer).
 */
1396 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1397 packet_info *pinfo, proto_tree *tree,
1400 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1401 hf_netlogon_secure_channel_type, NULL);
1408 * IDL long NetServerAuthenticate(
1409 * IDL [in][unique][string] wchar_t *ServerName,
1410 * IDL [in][ref][string] wchar_t *UserName,
1411 * IDL [in] short secure_challenge_type,
1412 * IDL [in][ref][string] wchar_t *ComputerName,
1413 * IDL [in][ref] CREDENTIAL client_challenge,
1414 * IDL [out][ref] CREDENTIAL server_challenge
/*
 * Dissect the NetServerAuthenticate request: the LOGONSRV_HANDLE, the user
 * (account) name, the secure channel type, the computer name and the
 * client's CREDENTIAL.  The IDL's "short secure_challenge_type" is handled
 * by netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE.
 * NOTE(review): the end of the function is not visible in this listing.
 */
1418 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1419 packet_info *pinfo, proto_tree *tree, char *drep)
1421 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1424 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1425 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1426 "User Name", hf_netlogon_acct_name, 0);
1428 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1431 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1432 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1433 "Computer Name", hf_netlogon_computer_name, 0);
1435 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1436 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1437 "CREDENTIAL: client challenge", -1, 0);
/*
 * Dissect the NetServerAuthenticate reply: the server's CREDENTIAL followed
 * by the NT status.  The status is shown as hf_netlogon_rc, which makes
 * rejected secure-channel authentications visible in a capture.
 */
1442 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1443 packet_info *pinfo, proto_tree *tree, char *drep)
1445 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1446 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1447 "CREDENTIAL: server challenge", -1, 0);
1449 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1450 hf_netlogon_rc, NULL);
1458 * IDL typedef struct {
1459 * IDL char encrypted_password[16];
1460 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Dissect an ENCRYPTED_LM_OWF_PASSWORD.  Nothing is dissected during a
 * conformant run; otherwise a 16-byte item is added at offset as
 * hf_netlogon_encrypted_lm_owf_password, matching encrypted_password[16]
 * in the IDL.
 * NOTE(review): the remaining arguments of proto_tree_add_item and the
 * advance of offset past the 16 bytes are on lines not visible in this
 * listing.
 */
1463 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1464 packet_info *pinfo, proto_tree *tree,
1469 di=pinfo->private_data;
1470 if(di->conformant_run){
1471 /*just a run to handle conformant arrays, nothing to dissect.*/
/* Fixed length taken from the IDL, not from the packet. */
1475 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1483 * IDL long NetServerPasswordSet(
1484 * IDL [in][unique][string] wchar_t *ServerName,
1485 * IDL [in][ref][string] wchar_t *UserName,
1486 * IDL [in] short secure_challenge_type,
1487 * IDL [in][ref][string] wchar_t *ComputerName,
1488 * IDL [in][ref] AUTHENTICATOR credential,
1489 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1490 * IDL [out][ref] AUTHENTICATOR return_authenticator
/*
 * Dissect the NetServerPasswordSet request: the LOGONSRV_HANDLE, the user
 * (account) name, the secure channel type, the computer name, the
 * credential authenticator and the new password.
 * The IDL comment names the last parameter LM_OWF_PASSWORD UasNewPassword;
 * the code dissects it with netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD and
 * labels it "hashed_pwd".
 * NOTE(review): the end of the function is not visible in this listing.
 */
1494 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1495 packet_info *pinfo, proto_tree *tree, char *drep)
1497 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1500 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1501 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1502 "User Name", hf_netlogon_acct_name, 0);
1504 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1507 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1508 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1509 "Computer Name", hf_netlogon_computer_name, 0);
1511 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1512 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1513 "AUTHENTICATOR: credential", -1, 0);
1515 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1516 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1517 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1, 0);
/*
 * Dissect the NetServerPasswordSet reply: the return authenticator followed
 * by the NT status, shown as hf_netlogon_rc.
 */
1522 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1523 packet_info *pinfo, proto_tree *tree, char *drep)
1525 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1526 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1527 "AUTHENTICATOR: return_authenticator", -1, 0);
1529 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1530 hf_netlogon_rc, NULL);
1537 * IDL typedef struct {
1538 * IDL [unique][string] wchar_t *UserName;
1539 * IDL UNICODESTRING dummy1;
1540 * IDL UNICODESTRING dummy2;
1541 * IDL UNICODESTRING dummy3;
1542 * IDL UNICODESTRING dummy4;
1547 * IDL } DELTA_DELETE_USER;
/*
 * Dissect a DELTA_DELETE_USER structure: the [unique] account name pointer,
 * four dummy UNICODE_STRINGs and four reserved 32-bit values.
 */
1550 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1551 packet_info *pinfo, proto_tree *tree,
/* NOTE(review): the last argument is -1 here, while the other
 * dissect_ndr_pointer calls for name strings in this file pass 0.  Its
 * meaning is defined by the helper, not shown here - confirm it is
 * intended. */
1554 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1555 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1556 "Account Name", hf_netlogon_acct_name, -1);
/* dummy1 .. dummy4 */
1558 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1559 hf_netlogon_dummy, 0);
1561 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1562 hf_netlogon_dummy, 0);
1564 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1565 hf_netlogon_dummy, 0);
1567 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1568 hf_netlogon_dummy, 0);
/* four reserved 32-bit values */
1570 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1571 hf_netlogon_reserved, NULL);
1573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1574 hf_netlogon_reserved, NULL);
1576 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1577 hf_netlogon_reserved, NULL);
1579 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1580 hf_netlogon_reserved, NULL);
1587 * IDL typedef struct {
1588 * IDL bool SensitiveDataFlag;
1589 * IDL long DataLength;
1590 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1591 * IDL } USER_PRIVATE_INFO;
/*
 * Dissect the byte array behind USER_PRIVATE_INFO.SensitiveData.  Nothing
 * is dissected during a conformant run; otherwise a 32-bit length is read
 * from the packet into data_len and the data is added to the tree as
 * hf_netlogon_sensitive_data, starting at offset.
 * NOTE(review): data_len comes from the packet and is therefore
 * sender-controlled.  The length argument of proto_tree_add_item and the
 * update of offset are on lines this listing does not show; confirm that
 * the length is checked against the bytes remaining in tvb even when tree
 * is NULL, and that adding it to the int offset cannot wrap.
 */
1594 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1595 packet_info *pinfo, proto_tree *tree,
1601 di=pinfo->private_data;
1602 if(di->conformant_run){
1603 /*just a run to handle conformant arrays, nothing to dissect */
/* Unlike most length fields in this file, the value is captured here. */
1607 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1608 hf_netlogon_sensitive_data_len, &data_len);
1610 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
/*
 * Dissect a USER_PRIVATE_INFO structure: the 8-bit SensitiveDataFlag, the
 * 32-bit DataLength and the [unique] pointer to the data, whose referent is
 * handled by netlogon_dissect_SENSITIVE_DATA.
 */
1617 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1618 packet_info *pinfo, proto_tree *tree,
1621 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1622 hf_netlogon_sensitive_data_flag, NULL);
/* DataLength is only displayed here (NULL out-pointer); the referent
 * dissector reads its own length when the pointer is followed. */
1624 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1625 hf_netlogon_sensitive_data_len, NULL);
1627 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1628 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1629 "SENSITIVE_DATA", -1, 0);
1635 * IDL typedef struct {
1636 * IDL UNICODESTRING UserName;
1637 * IDL UNICODESTRING FullName;
1639 * IDL long PrimaryGroupID;
1640 * IDL UNICODESTRING HomeDir;
1641 * IDL UNICODESTRING HomeDirDrive;
1642 * IDL UNICODESTRING LogonScript;
1643 * IDL UNICODESTRING Comment;
1644 * IDL UNICODESTRING Workstations;
1645 * IDL NTTIME LastLogon;
1646 * IDL NTTIME LastLogoff;
1647 * IDL LOGON_HOURS logonhours;
1648 * IDL short BadPwCount;
1649 * IDL short LogonCount;
1650 * IDL NTTIME PwLastSet;
1651 * IDL NTTIME AccountExpires;
1652 * IDL long AccountControl;
1653 * IDL LM_OWF_PASSWORD lmpw;
1654 * IDL NT_OWF_PASSWORD ntpw;
1655 * IDL bool NTPwPresent;
1656 * IDL bool LMPwPresent;
1657 * IDL bool PwExpired;
1658 * IDL UNICODESTRING UserComment;
1659 * IDL UNICODESTRING Parameters;
1660 * IDL short CountryCode;
1661 * IDL short CodePage;
1662 * IDL USER_PRIVATE_INFO user_private_info;
1663 * IDL long SecurityInformation;
1664 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1665 * IDL UNICODESTRING dummy1;
1666 * IDL UNICODESTRING dummy2;
1667 * IDL UNICODESTRING dummy3;
1668 * IDL UNICODESTRING dummy4;
/*
 * Dissect a DELTA_USER structure, one call per IDL field and in IDL order:
 * names and RIDs, home directory and script strings, logon/logoff times,
 * logon hours, counters, password timestamps, account control, the LM and
 * NT OWF passwords with their presence flags, comment and parameter
 * strings, locale codes, the USER_PRIVATE_INFO, the security information
 * and descriptor, four dummy strings and four reserved 32-bit values.
 * The value each helper returns is stored back into offset for the next
 * call.
 * NOTE(review): some continuation lines and the end of the function are not
 * visible in this listing.
 */
1676 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1677 packet_info *pinfo, proto_tree *tree,
1680 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1681 hf_netlogon_acct_name, 0);
1683 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1684 hf_netlogon_full_name, 0);
1686 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1687 hf_netlogon_user_rid, NULL);
/* IDL: long PrimaryGroupID */
1689 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1690 hf_netlogon_group_rid, NULL);
1692 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1693 hf_netlogon_home_dir, 0);
1695 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1696 hf_netlogon_dir_drive, 0);
1698 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1699 hf_netlogon_logon_script, 0);
/* IDL: UNICODESTRING Comment */
1701 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1702 hf_netlogon_acct_desc, 0);
1704 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1705 hf_netlogon_workstations, 0);
1707 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1708 hf_netlogon_logon_time);
1710 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1711 hf_netlogon_logoff_time);
1713 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1715 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1716 hf_netlogon_bad_pw_count16, NULL);
1718 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1719 hf_netlogon_logon_count16, NULL);
1721 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1722 hf_netlogon_pwd_last_set_time);
1724 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1725 hf_netlogon_acct_expiry_time);
1727 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
/* IDL: lmpw and ntpw.  This delta carries the account's LM and NT OWF
 * password fields (whether they are further protected on the wire is not
 * shown here), so a capture file holding it should be handled as
 * credential material. */
1729 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1732 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1735 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1736 hf_netlogon_nt_pwd_present, NULL);
1738 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1739 hf_netlogon_lm_pwd_present, NULL);
1741 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1742 hf_netlogon_pwd_expired, NULL);
/* IDL: UNICODESTRING UserComment */
1744 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1745 hf_netlogon_comment, 0);
1747 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1748 hf_netlogon_parameters, 0);
1750 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1751 hf_netlogon_country, NULL);
1753 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1754 hf_netlogon_codepage, NULL);
1756 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1759 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1760 hf_netlogon_security_information, NULL);
1762 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1 .. dummy4 */
1765 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1766 hf_netlogon_dummy, 0);
1768 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_dummy, 0);
1771 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1772 hf_netlogon_dummy, 0);
1774 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1775 hf_netlogon_dummy, 0);
/* four reserved 32-bit values */
1777 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1778 hf_netlogon_reserved, NULL);
1780 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1781 hf_netlogon_reserved, NULL);
1783 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1784 hf_netlogon_reserved, NULL);
1786 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1787 hf_netlogon_reserved, NULL);
1794 * IDL typedef struct {
1795 * IDL UNICODESTRING DomainName;
1796 * IDL UNICODESTRING OEMInfo;
1797 * IDL NTTIME forcedlogoff;
1798 * IDL short minpasswdlen;
1799 * IDL short passwdhistorylen;
1800 * IDL NTTIME pwd_must_change_time;
1801 * IDL NTTIME pwd_can_change_time;
1802 * IDL NTTIME domain_modify_time;
1803 * IDL NTTIME domain_create_time;
1804 * IDL long SecurityInformation;
1805 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1806 * IDL UNICODESTRING dummy1;
1807 * IDL UNICODESTRING dummy2;
1808 * IDL UNICODESTRING dummy3;
1809 * IDL UNICODESTRING dummy4;
1814 * IDL } DELTA_DOMAIN;
/*
 * Dissect a DELTA_DOMAIN structure in IDL order: domain name, OEM info,
 * forced-logoff time, minimum password length, password history length,
 * four NTTIME values, the security information and descriptor, four dummy
 * strings and four reserved 32-bit values.
 * NOTE(review): the continuation of the security descriptor call and the
 * end of the function are not visible in this listing.
 */
1817 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1818 packet_info *pinfo, proto_tree *tree,
/* Last argument is 1 for the name, 0 for the other strings; its meaning is
 * defined by dissect_ndr_nt_UNICODE_STRING, not shown here. */
1821 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1822 hf_netlogon_domain_name, 1);
1824 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1825 hf_netlogon_oem_info, 0);
/* IDL: NTTIME forcedlogoff */
1827 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1828 hf_netlogon_kickoff_time);
1830 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1831 hf_netlogon_minpasswdlen, NULL);
1833 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1834 hf_netlogon_passwdhistorylen, NULL);
1836 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1837 hf_netlogon_pwd_must_change_time);
1839 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1840 hf_netlogon_pwd_can_change_time);
1842 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1843 hf_netlogon_domain_modify_time);
1845 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1846 hf_netlogon_domain_create_time);
1848 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1849 hf_netlogon_security_information, NULL);
1851 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1 .. dummy4 */
1854 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1855 hf_netlogon_dummy, 0);
1857 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1858 hf_netlogon_dummy, 0);
1860 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1861 hf_netlogon_dummy, 0);
1863 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1864 hf_netlogon_dummy, 0);
/* four reserved 32-bit values */
1866 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1867 hf_netlogon_reserved, NULL);
1869 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1870 hf_netlogon_reserved, NULL);
1872 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1873 hf_netlogon_reserved, NULL);
1875 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1876 hf_netlogon_reserved, NULL);
1883 * IDL typedef struct {
1884 * IDL UNICODESTRING groupname;
1885 * IDL GROUP_MEMBERSHIP group_membership;
1886 * IDL UNICODESTRING comment;
1887 * IDL long SecurityInformation;
1888 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1889 * IDL UNICODESTRING dummy1;
1890 * IDL UNICODESTRING dummy2;
1891 * IDL UNICODESTRING dummy3;
1892 * IDL UNICODESTRING dummy4;
1897 * IDL } DELTA_GROUP;
/*
 * Dissect a DELTA_GROUP structure in IDL order: group name, the
 * GROUP_MEMBERSHIP, the group description, the security information and
 * descriptor, four dummy strings and four reserved 32-bit values.
 * NOTE(review): the continuation lines of two calls and the end of the
 * function are not visible in this listing.
 */
1900 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1901 packet_info *pinfo, proto_tree *tree,
1904 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1905 hf_netlogon_group_name, 1);
1907 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
/* IDL: UNICODESTRING comment */
1910 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1911 hf_netlogon_group_desc, 0);
1913 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1914 hf_netlogon_security_information, NULL);
1916 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1 .. dummy4 */
1919 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1920 hf_netlogon_dummy, 0);
1922 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1923 hf_netlogon_dummy, 0);
1925 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1926 hf_netlogon_dummy, 0);
1928 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1929 hf_netlogon_dummy, 0);
/* four reserved 32-bit values */
1931 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1932 hf_netlogon_reserved, NULL);
1934 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1935 hf_netlogon_reserved, NULL);
1937 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1938 hf_netlogon_reserved, NULL);
1940 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1941 hf_netlogon_reserved, NULL);
1948 * IDL typedef struct {
1949 * IDL UNICODESTRING OldName;
1950 * IDL UNICODESTRING NewName;
1951 * IDL UNICODESTRING dummy1;
1952 * IDL UNICODESTRING dummy2;
1953 * IDL UNICODESTRING dummy3;
1954 * IDL UNICODESTRING dummy4;
1959 * IDL } DELTA_RENAME;
/*
 * Dissect a DELTA_RENAME structure: the old and new names, four dummy
 * strings and four reserved 32-bit values.
 * NOTE(review): the hf index passed for the two name strings is on lines
 * not visible in this listing; di is fetched from pinfo->private_data just
 * before them and is presumably used there - TODO confirm.
 */
1962 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
1963 packet_info *pinfo, proto_tree *tree,
1968 di=pinfo->private_data;
/* IDL: OldName, then NewName */
1970 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1973 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
/* dummy1 .. dummy4 */
1976 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1977 hf_netlogon_dummy, 0);
1979 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1980 hf_netlogon_dummy, 0);
1982 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1983 hf_netlogon_dummy, 0);
1985 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1986 hf_netlogon_dummy, 0);
/* four reserved 32-bit values */
1988 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1989 hf_netlogon_reserved, NULL);
1991 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1992 hf_netlogon_reserved, NULL);
1994 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1995 hf_netlogon_reserved, NULL);
1997 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1998 hf_netlogon_reserved, NULL);
/*
 * Dissect one 32-bit RID, shown as hf_netlogon_user_rid.  It is the
 * callback netlogon_dissect_RID_array hands to dissect_ndr_ucarray.
 */
2005 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2006 packet_info *pinfo, proto_tree *tree,
2009 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2010 hf_netlogon_user_rid, NULL);
/*
 * Dissect an array of RIDs by passing netlogon_dissect_RID to
 * dissect_ndr_ucarray.
 * NOTE(review): the element count is whatever dissect_ndr_ucarray reads
 * from the packet; how it bounds that count is not shown in this file.
 */
2016 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2017 packet_info *pinfo, proto_tree *tree,
2020 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2021 netlogon_dissect_RID);
/*
 * Dissect one 32-bit attribute value, shown as hf_netlogon_attrs.  It is
 * the callback netlogon_dissect_ATTRIB_array hands to dissect_ndr_ucarray.
 */
2027 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2028 packet_info *pinfo, proto_tree *tree,
2031 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2032 hf_netlogon_attrs, NULL);
/*
 * Dissect an array of attribute values by passing netlogon_dissect_ATTRIB
 * to dissect_ndr_ucarray.
 */
2038 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2039 packet_info *pinfo, proto_tree *tree,
2042 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2043 netlogon_dissect_ATTRIB);
2049 * IDL typedef struct {
2050 * IDL [unique][size_is(num_rids)] long *rids;
2051 * IDL [unique][size_is(num_rids)] long *attribs;
2052 * IDL long num_rids;
2057 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissect a DELTA_GROUP_MEMBER structure: the [unique] pointers to the RID
 * and attribute arrays, num_rids and four reserved 32-bit values.
 * NOTE(review): the labels passed with the two pointers and the end of the
 * function are on lines not visible in this listing.
 */
2060 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2061 packet_info *pinfo, proto_tree *tree,
2064 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2065 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2068 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2069 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
/* num_rids follows the pointers on the wire and is only displayed (NULL
 * out-pointer); it is not used here to size the two arrays. */
2072 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2073 hf_netlogon_num_rids, NULL);
/* four reserved 32-bit values */
2075 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2076 hf_netlogon_reserved, NULL);
2078 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2079 hf_netlogon_reserved, NULL);
2081 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2082 hf_netlogon_reserved, NULL);
2084 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2085 hf_netlogon_reserved, NULL);
2092 * IDL typedef struct {
2093 * IDL UNICODESTRING alias_name;
2095 * IDL long SecurityInformation;
2096 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2097 * IDL UNICODESTRING dummy1;
2098 * IDL UNICODESTRING dummy2;
2099 * IDL UNICODESTRING dummy3;
2100 * IDL UNICODESTRING dummy4;
2105 * IDL } DELTA_ALIAS;
/*
 * Dissect a DELTA_ALIAS structure: alias name, alias RID, the security
 * information and descriptor, four dummy strings and four reserved 32-bit
 * values.
 * NOTE(review): the continuation of the security descriptor call and the
 * end of the function are not visible in this listing.
 */
2108 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2109 packet_info *pinfo, proto_tree *tree,
2112 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2113 hf_netlogon_alias_name, 1);
2115 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2116 hf_netlogon_alias_rid, NULL);
2118 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2119 hf_netlogon_security_information, NULL);
2121 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1 .. dummy4 */
2124 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2125 hf_netlogon_dummy, 0);
2127 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2128 hf_netlogon_dummy, 0);
2130 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2131 hf_netlogon_dummy, 0);
2133 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2134 hf_netlogon_dummy, 0);
/* four reserved 32-bit values */
2136 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2137 hf_netlogon_reserved, NULL);
2139 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2140 hf_netlogon_reserved, NULL);
2142 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2143 hf_netlogon_reserved, NULL);
2145 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2146 hf_netlogon_reserved, NULL);
2153 * IDL typedef struct {
2154 * IDL [unique] SID_ARRAY sids;
2159 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissect a DELTA_ALIAS_MEMBER structure: the SID array (via
 * dissect_ndr_nt_PSID_ARRAY) followed by four reserved 32-bit values.
 */
2162 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2163 packet_info *pinfo, proto_tree *tree,
2166 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
/* four reserved 32-bit values */
2168 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2169 hf_netlogon_reserved, NULL);
2171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2172 hf_netlogon_reserved, NULL);
2174 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2175 hf_netlogon_reserved, NULL);
2177 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2178 hf_netlogon_reserved, NULL);
/*
 * Dissect one 32-bit event audit option, shown as
 * hf_netlogon_event_audit_option.  It is the callback
 * netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY hands to dissect_ndr_ucarray.
 */
2185 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2186 packet_info *pinfo, proto_tree *tree,
2189 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2190 hf_netlogon_event_audit_option, NULL);
/*
 * Dissect the array of event audit options by passing
 * netlogon_dissect_EVENT_AUDIT_OPTION to dissect_ndr_ucarray.
 */
2196 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2197 packet_info *pinfo, proto_tree *tree,
2200 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2201 netlogon_dissect_EVENT_AUDIT_OPTION);
2208 * IDL typedef struct {
2209 * IDL long pagedpoollimit;
2210 * IDL long nonpagedpoollimit;
2211 * IDL long minimumworkingsetsize;
2212 * IDL long maximumworkingsetsize;
2213 * IDL long pagefilelimit;
2214 * IDL NTTIME timelimit;
2215 * IDL } QUOTA_LIMITS;
/*
 * Dissect a QUOTA_LIMITS structure under its own subtree (ett_QUOTA_LIMITS):
 * five 32-bit limits followed by an NTTIME time limit, in IDL order.  The
 * subtree item is created with length 0 and sized at the end from the
 * number of bytes consumed.
 * NOTE(review): any guard around the item/subtree creation and the end of
 * the function are on lines not visible in this listing.
 */
2218 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2219 packet_info *pinfo, proto_tree *parent_tree,
2222 proto_item *item=NULL;
2223 proto_tree *tree=NULL;
/* remember where the structure starts so its length can be set later */
2224 int old_offset=offset;
2227 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2229 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2232 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2233 hf_netlogon_pagedpoollimit, NULL);
2235 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2236 hf_netlogon_nonpagedpoollimit, NULL);
2238 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2239 hf_netlogon_minworkingsetsize, NULL);
2241 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2242 hf_netlogon_maxworkingsetsize, NULL);
2244 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2245 hf_netlogon_pagefilelimit, NULL);
2247 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2248 hf_netlogon_timelimit);
/* stretch the item over everything dissected since old_offset */
2250 proto_item_set_len(item, offset-old_offset);
2256 * IDL typedef struct {
2257 * IDL long maxlogsize;
2258 * IDL NTTIME auditretentionperiod;
2259 * IDL bool auditingmode;
2260 * IDL long maxauditeventcount;
2261 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2262 * IDL UNICODESTRING primarydomainname;
2263 * IDL [unique] SID *sid;
2264 * IDL QUOTA_LIMITS quota_limits;
2265 * IDL NTTIME db_modify_time;
2266 * IDL NTTIME db_create_time;
2267 * IDL long SecurityInformation;
2268 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2269 * IDL UNICODESTRING dummy1;
2270 * IDL UNICODESTRING dummy2;
2271 * IDL UNICODESTRING dummy3;
2272 * IDL UNICODESTRING dummy4;
2277 * IDL } DELTA_POLICY;
/*
 * Dissect a DELTA_POLICY structure in IDL order: maximum log size, audit
 * retention period, auditing mode, maximum audit event count, the [unique]
 * pointer to the event audit options, the primary domain name, the SID,
 * the QUOTA_LIMITS, the database modify and create times, the security
 * information and descriptor, four dummy strings and four reserved 32-bit
 * values.
 * NOTE(review): the continuation lines of three calls and the end of the
 * function are not visible in this listing.
 */
2280 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2281 packet_info *pinfo, proto_tree *tree,
2284 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2285 hf_netlogon_max_log_size, NULL);
2287 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2288 hf_netlogon_audit_retention_period);
2290 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2291 hf_netlogon_auditing_mode, NULL);
/* The count is only displayed (NULL out-pointer); the array behind the
 * pointer below is dissected through dissect_ndr_ucarray. */
2293 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2294 hf_netlogon_max_audit_event_count, NULL);
2296 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2297 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2298 "Event Audit Options:", -1, 0);
/* IDL: UNICODESTRING primarydomainname */
2300 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2301 hf_netlogon_domain_name, 0);
2303 offset = dissect_ndr_nt_PSID(tvb, offset,
2306 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2309 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2310 hf_netlogon_db_modify_time);
2312 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2313 hf_netlogon_db_create_time);
2315 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2316 hf_netlogon_security_information, NULL);
2318 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1 .. dummy4 */
2321 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2322 hf_netlogon_dummy, 0);
2324 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2325 hf_netlogon_dummy, 0);
2327 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2328 hf_netlogon_dummy, 0);
2330 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2331 hf_netlogon_dummy, 0);
/* four reserved 32-bit values */
2333 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2334 hf_netlogon_reserved, NULL);
2336 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2337 hf_netlogon_reserved, NULL);
2339 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2340 hf_netlogon_reserved, NULL);
2342 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2343 hf_netlogon_reserved, NULL);
/*
 * Dissect one domain controller name as a UNICODE_STRING, shown as
 * hf_netlogon_dc_name.  It is the callback
 * netlogon_dissect_CONTROLLER_ARRAY hands to dissect_ndr_ucarray.
 */
2350 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2351 packet_info *pinfo, proto_tree *tree,
2354 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2355 hf_netlogon_dc_name, 1);
/* Dissect the controller_names array by handing netlogon_dissect_CONTROLLER
 * to dissect_ndr_ucarray as the per-element callback.
 * NOTE(review): the element count is whatever dissect_ndr_ucarray takes from
 * the packet (presumably the NDR conformance count) - it is untrusted input;
 * confirm the helper stops at the end of the tvb rather than trusting it. */
2361 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2362 packet_info *pinfo, proto_tree *tree,
2365 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2366 netlogon_dissect_CONTROLLER);
2373 * IDL typedef struct {
2374 * IDL UNICODESTRING DomainName;
2375 * IDL long num_controllers;
2376 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2377 * IDL long SecurityInformation;
2378 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2379 * IDL UNICODESTRING dummy1;
2380 * IDL UNICODESTRING dummy2;
2381 * IDL UNICODESTRING dummy3;
2382 * IDL UNICODESTRING dummy4;
2387 * IDL } DELTA_TRUSTED_DOMAINS;
/* Dissect a DELTA_TRUSTED_DOMAINS structure field by field, in the order
 * given by the IDL comment above: domain name, controller count, controller
 * name array, security information, security descriptor, four dummy strings
 * and four reserved longs.  Each helper's return value becomes the new
 * offset. */
2390 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2391 packet_info *pinfo, proto_tree *tree,
2394 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2395 hf_netlogon_domain_name, 0);
/* Display only: NULL is passed for the output value, so num_controllers is
 * not captured and does not bound the array dissected next. */
2397 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2398 hf_netlogon_num_controllers, NULL);
/* Unique pointer: the array is dissected through the callback. */
2400 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2401 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2402 "Domain Controllers:", -1, 0);
2404 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2405 hf_netlogon_security_information, NULL);
/* The remaining arguments of this call are on a line not shown here. */
2407 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL, all shown with the generic dummy field. */
2410 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2411 hf_netlogon_dummy, 0);
2413 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2414 hf_netlogon_dummy, 0);
2416 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2417 hf_netlogon_dummy, 0);
2419 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2420 hf_netlogon_dummy, 0);
/* Four trailing 32-bit values shown as reserved. */
2422 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2423 hf_netlogon_reserved, NULL);
2425 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2426 hf_netlogon_reserved, NULL);
2428 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2429 hf_netlogon_reserved, NULL);
2431 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2432 hf_netlogon_reserved, NULL);
/* Dissect one privilege attribute: a 32-bit value shown as
 * hf_netlogon_attrs.  Per-element callback of
 * netlogon_dissect_PRIV_ATTR_ARRAY. */
2439 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2440 packet_info *pinfo, proto_tree *tree,
2443 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2444 hf_netlogon_attrs, NULL);
/* Dissect the privilege_attrib array, one netlogon_dissect_PRIV_ATTR call
 * per element, via dissect_ndr_ucarray.
 * NOTE(review): the element count is read by dissect_ndr_ucarray, not here;
 * presumably it comes from the packet and must be treated as untrusted. */
2450 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2451 packet_info *pinfo, proto_tree *tree,
2454 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2455 netlogon_dissect_PRIV_ATTR);
/* Dissect one privilege name: a UNICODE_STRING shown as
 * hf_netlogon_privilege_name.  Per-element callback of
 * netlogon_dissect_PRIV_NAME_ARRAY. */
2461 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2462 packet_info *pinfo, proto_tree *tree,
2465 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2466 hf_netlogon_privilege_name, 1);
/* Dissect the privilege_name array, one netlogon_dissect_PRIV_NAME call per
 * element, via dissect_ndr_ucarray.
 * NOTE(review): the element count is read by dissect_ndr_ucarray, not here;
 * presumably it comes from the packet and must be treated as untrusted. */
2472 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2473 packet_info *pinfo, proto_tree *tree,
2476 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2477 netlogon_dissect_PRIV_NAME);
2485 * IDL typedef struct {
2486 * IDL long privilegeentries;
2487 * IDL long privilegecontrol;
2488 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2489 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2490 * IDL QUOTALIMITS quotalimits;
2491 * IDL long SecurityInformation;
2492 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2493 * IDL UNICODESTRING dummy1;
2494 * IDL UNICODESTRING dummy2;
2495 * IDL UNICODESTRING dummy3;
2496 * IDL UNICODESTRING dummy4;
2501 * IDL } DELTA_ACCOUNTS;
/* Dissect a DELTA_ACCOUNTS structure: privilege entry count and control,
 * the two privilege arrays, quota limits, system flags, security
 * information, security descriptor, four dummy strings and four reserved
 * longs.  Each helper's return value becomes the new offset. */
2504 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2505 packet_info *pinfo, proto_tree *tree,
/* Display only: NULL is passed, so the entry count is not captured and does
 * not bound either privilege array below. */
2508 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2509 hf_netlogon_privilege_entries, NULL);
2511 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2512 hf_netlogon_privilege_control, NULL);
/* Both arrays sit behind unique pointers. */
2514 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2515 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2516 "PRIV_ATTR_ARRAY:", -1, 0);
2518 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2519 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2520 "PRIV_NAME_ARRAY:", -1, 0);
/* The remaining arguments of this call are on a line not shown here. */
2522 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
/* NOTE(review): no systemflags member appears in the IDL lines visible above
 * this function - confirm the structure layout against the full IDL. */
2525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2526 hf_netlogon_systemflags, NULL);
2528 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2529 hf_netlogon_security_information, NULL);
/* The remaining arguments of this call are on a line not shown here. */
2531 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL, all shown with the generic dummy field. */
2534 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2535 hf_netlogon_dummy, 0);
2537 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2538 hf_netlogon_dummy, 0);
2540 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2541 hf_netlogon_dummy, 0);
2543 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2544 hf_netlogon_dummy, 0);
/* Four trailing 32-bit values shown as reserved. */
2546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2547 hf_netlogon_reserved, NULL);
2549 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2550 hf_netlogon_reserved, NULL);
2552 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2553 hf_netlogon_reserved, NULL);
2555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2556 hf_netlogon_reserved, NULL);
2562 * IDL typedef struct {
2565 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2566 * IDL } CIPHER_VALUE;
/* Dissect the cipher_data buffer that a CIPHER_VALUE points to: a maximum
 * length, a length, and then the data itself, which is added under the
 * field index carried in di->hf_index.  Called through dissect_ndr_pointer
 * from netlogon_dissect_CIPHER_VALUE. */
2569 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2570 packet_info *pinfo, proto_tree *tree,
/* Per-call dissection state is taken from pinfo->private_data. */
2576 di=pinfo->private_data;
2577 if(di->conformant_run){
2578 /*just a run to handle conformant arrays, nothing to dissect */
2582 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2583 hf_netlogon_cipher_maxlen, NULL);
/* data_len is filled in from the packet, i.e. it is attacker-controlled. */
2588 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2589 hf_netlogon_cipher_len, &data_len);
/* NOTE(review): the length argument of this call and any later adjustment
 * of offset are on lines not shown in this listing.  If data_len is used
 * there, confirm it is checked against the bytes remaining in the tvb (and
 * ideally against cipher_maxlen, which is discarded above via NULL), and
 * that adding it to the signed int offset cannot wrap. */
2591 proto_tree_add_item(tree, di->hf_index, tvb, offset,
/* Dissect a CIPHER_VALUE structure under its own subtree
 * (ett_CYPHER_VALUE): length, maximum length, then a unique pointer to the
 * data handled by netlogon_dissect_CIPHER_VALUE_DATA.
 *
 * name     - label for the subtree item (presumably passed to
 *            proto_tree_add_text on a line not shown - verify)
 * hf_index - field used for the cipher bytes; presumably forwarded through
 *            dissect_ndr_pointer so the callback sees it as di->hf_index
 *            (the trailing arguments of that call are not shown - verify)
 */
2598 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2599 packet_info *pinfo, proto_tree *parent_tree,
2600 char *drep, char *name, int hf_index)
2602 proto_item *item=NULL;
2603 proto_tree *tree=NULL;
/* Remember where the structure starts so the item length can be fixed up
 * once everything has been dissected. */
2604 int old_offset=offset;
/* The item is created with length 0 and resized at the end. */
2607 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2609 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
/* Both counters are display only here (NULL output); the data callback
 * reads its own length fields. */
2612 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2613 hf_netlogon_cipher_len, NULL);
2615 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2616 hf_netlogon_cipher_maxlen, NULL);
2618 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2619 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
/* Item now spans everything consumed since old_offset. */
2622 proto_item_set_len(item, offset-old_offset);
2627 * IDL typedef struct {
2628 * IDL CIPHER_VALUE current_cipher;
2629 * IDL NTTIME current_cipher_set_time;
2630 * IDL CIPHER_VALUE old_cipher;
2631 * IDL NTTIME old_cipher_set_time;
2632 * IDL long SecurityInformation;
2633 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2634 * IDL UNICODESTRING dummy1;
2635 * IDL UNICODESTRING dummy2;
2636 * IDL UNICODESTRING dummy3;
2637 * IDL UNICODESTRING dummy4;
2642 * IDL } DELTA_SECRET;
/* Dissect a DELTA_SECRET structure in IDL order: current cipher value and
 * its set time, old cipher value and its set time, security information,
 * security descriptor, four dummy strings and four reserved longs.
 * NOTE(review): the two cipher values put the replicated secret's cipher
 * bytes into the protocol tree; captures and exported dissections holding
 * them should be handled as sensitive material. */
2645 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2646 packet_info *pinfo, proto_tree *tree,
/* A line of arguments between the two shown here is missing from the
 * listing; the visible ones are the subtree label and the data field. */
2649 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2651 "CIPHER_VALUE: current cipher value",
2652 hf_netlogon_cipher_current_data);
2654 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2655 hf_netlogon_cipher_current_set_time);
2657 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2659 "CIPHER_VALUE: old cipher value",
2660 hf_netlogon_cipher_old_data);
2662 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2663 hf_netlogon_cipher_old_set_time);
2665 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2666 hf_netlogon_security_information, NULL);
/* The remaining arguments of this call are on a line not shown here. */
2668 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL, all shown with the generic dummy field. */
2671 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2672 hf_netlogon_dummy, 0);
2674 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2675 hf_netlogon_dummy, 0);
2677 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2678 hf_netlogon_dummy, 0);
2680 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2681 hf_netlogon_dummy, 0);
/* Four trailing 32-bit values shown as reserved. */
2683 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2684 hf_netlogon_reserved, NULL);
2686 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2687 hf_netlogon_reserved, NULL);
2689 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2690 hf_netlogon_reserved, NULL);
2692 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2693 hf_netlogon_reserved, NULL);
2699 * IDL typedef struct {
2700 * IDL long low_value;
2701 * IDL long high_value;
/* Dissect a MODIFIED_COUNT.  The IDL comment above describes it as two
 * longs (low_value, high_value); here it is read as one 64-bit value and
 * shown as hf_netlogon_modify_count. */
2705 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2706 packet_info *pinfo, proto_tree *tree,
2709 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2710 hf_netlogon_modify_count, NULL);
/* Delta type codes.  The numbering is not contiguous (3, 6, 10, 15, 17 and
 * 19 are not defined here); the values match the case labels listed in the
 * DELTA_UNION IDL comment below. */
2716 #define DT_DELTA_DOMAIN 1
2717 #define DT_DELTA_GROUP 2
2718 #define DT_DELTA_RENAME_GROUP 4
2719 #define DT_DELTA_USER 5
2720 #define DT_DELTA_RENAME_USER 7
2721 #define DT_DELTA_GROUP_MEMBER 8
2722 #define DT_DELTA_ALIAS 9
2723 #define DT_DELTA_RENAME_ALIAS 11
2724 #define DT_DELTA_ALIAS_MEMBER 12
2725 #define DT_DELTA_POLICY 13
2726 #define DT_DELTA_TRUSTED_DOMAINS 14
2727 #define DT_DELTA_ACCOUNTS 16
2728 #define DT_DELTA_SECRET 18
2729 #define DT_DELTA_DELETE_GROUP 20
2730 #define DT_DELTA_DELETE_USER 21
2731 #define DT_MODIFIED_COUNT 22
/* Display names for the delta type codes.
 * NOTE(review): the end of this table is not visible in this listing.  A
 * value_string table is walked until its { 0, NULL } terminator, so confirm
 * the terminator is present; without it a lookup of an unknown code taken
 * from the wire would read past the array. */
2732 static const value_string delta_type_vals[] = {
2733 { DT_DELTA_DOMAIN, "Domain" },
2734 { DT_DELTA_GROUP, "Group" },
2735 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2736 { DT_DELTA_USER, "User" },
2737 { DT_DELTA_RENAME_USER, "Rename User" },
2738 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2739 { DT_DELTA_ALIAS, "Alias" },
2740 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2741 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2742 { DT_DELTA_POLICY, "Policy" },
2743 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2744 { DT_DELTA_ACCOUNTS, "Accounts" },
2745 { DT_DELTA_SECRET, "Secret" },
2746 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2747 { DT_DELTA_DELETE_USER, "Delete User" },
2748 { DT_MODIFIED_COUNT, "Modified Count" },
2752 * IDL typedef [switch_type(short)] union {
2753 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2754 * IDL [case(2)][unique] DELTA_GROUP *group;
2755 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2756 * IDL [case(5)][unique] DELTA_USER *user;
2757 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2758 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2759 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2760 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2761 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2762 * IDL [case(13)][unique] DELTA_POLICY *policy;
2763 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2764 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2765 * IDL [case(18)][unique] DELTA_SECRET *secret;
2766 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2767 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2768 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2769 * IDL } DELTA_UNION;
/* Dissect a DELTA_UNION under its own subtree (ett_DELTA_UNION): a 16-bit
 * discriminant shown as hf_netlogon_delta_type, followed by one unique
 * pointer whose target dissector depends on that discriminant.
 * NOTE(review): the switch statement and its case labels are on lines this
 * listing does not show; the arms below appear in the same order as the
 * cases in the IDL comment above.  level comes from the packet, so confirm
 * that values without an arm consume nothing further. */
2772 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2773 packet_info *pinfo, proto_tree *parent_tree,
2776 proto_item *item=NULL;
2777 proto_tree *tree=NULL;
/* Start of the union, used to size the item at the end. */
2778 int old_offset=offset;
/* The item is created with length 0 and resized at the end. */
2782 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2784 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
/* Union discriminant, captured in level. */
2787 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2788 hf_netlogon_delta_type, &level);
2793 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2794 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2795 "DELTA_DOMAIN:", -1, 0);
2798 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2799 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2800 "DELTA_GROUP:", -1, 0);
/* The three rename arms share netlogon_dissect_DELTA_RENAME and differ only
 * in the field index passed along (group, account or alias name). */
2803 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2804 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2805 "DELTA_RENAME_GROUP:", hf_netlogon_group_name, 0);
2808 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2809 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2810 "DELTA_USER:", -1, 0);
2813 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2814 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2815 "DELTA_RENAME_USER:", hf_netlogon_acct_name, 0);
2818 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2819 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2820 "DELTA_GROUP_MEMBER:", -1, 0);
2823 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2824 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2825 "DELTA_ALIAS:", -1, 0);
2828 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2829 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2830 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name, 0);
2833 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2834 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2835 "DELTA_ALIAS_MEMBER:", -1, 0);
2838 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2839 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2840 "DELTA_POLICY:", -1, 0);
2843 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2844 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2845 "DELTA_TRUSTED_DOMAINS:", -1, 0);
2848 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2849 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2850 "DELTA_ACCOUNTS:", -1, 0);
2853 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2854 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2855 "DELTA_SECRET:", -1, 0);
/* The delete-group arm reuses the delete-user dissector, as the IDL comment
 * also types both members DELTA_DELETE_USER. */
2858 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2859 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2860 "DELTA_DELETE_GROUP:", -1, 0);
2863 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2864 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2865 "DELTA_DELETE_USER:", -1, 0);
2868 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2869 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2870 "MODIFIED_COUNT:", -1, 0);
/* Item now spans everything consumed since old_offset. */
2874 proto_item_set_len(item, offset-old_offset);
2880 /* IDL XXX must verify this one, especially 13-19
2881 * IDL typedef [switch_type(short)] union {
2882 * IDL [case(1)] long rid;
2883 * IDL [case(2)] long rid;
2884 * IDL [case(3)] long rid;
2885 * IDL [case(4)] long rid;
2886 * IDL [case(5)] long rid;
2887 * IDL [case(6)] long rid;
2888 * IDL [case(7)] long rid;
2889 * IDL [case(8)] long rid;
2890 * IDL [case(9)] long rid;
2891 * IDL [case(10)] long rid;
2892 * IDL [case(11)] long rid;
2893 * IDL [case(12)] long rid;
2894 * IDL [case(13)] [unique] SID *sid;
2895 * IDL [case(14)] [unique] SID *sid;
2896 * IDL [case(15)] [unique] SID *sid;
2897 * IDL [case(16)] [unique] SID *sid;
2898 * IDL [case(17)] [unique] SID *sid;
2899 * IDL [case(18)] [unique][string] wchar_t *Name ;
2900 * IDL [case(19)] [unique][string] wchar_t *Name ;
2901 * IDL [case(20)] long rid;
2902 * IDL [case(21)] long rid;
2903 * IDL } DELTA_ID_UNION;
/* Dissect a DELTA_ID_UNION under its own subtree (ett_DELTA_ID_UNION): a
 * 16-bit discriminant shown as hf_netlogon_level16, then the identifier
 * selected by it - a RID, a SID pointer or a name string.
 * NOTE(review): the switch statement and its case labels are on lines this
 * listing does not show; the arms below follow the order of the IDL comment
 * above (twelve RIDs, five SIDs, two names, two RIDs), which the original
 * author already marks as unverified.  level comes from the packet, so
 * confirm that values without an arm consume nothing further. */
2906 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2907 packet_info *pinfo, proto_tree *parent_tree,
2910 proto_item *item=NULL;
2911 proto_tree *tree=NULL;
/* Start of the union, used to size the item at the end. */
2912 int old_offset=offset;
/* The item is created with length 0 and resized at the end. */
2916 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2918 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
/* Union discriminant, captured in level. */
2921 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2922 hf_netlogon_level16, &level);
/* RID arms: a 32-bit value shown as hf_netlogon_user_rid. */
2927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2928 hf_netlogon_user_rid, NULL);
2931 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2932 hf_netlogon_user_rid, NULL);
2935 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2936 hf_netlogon_user_rid, NULL);
2939 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2940 hf_netlogon_user_rid, NULL);
2943 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2944 hf_netlogon_user_rid, NULL);
2947 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2948 hf_netlogon_user_rid, NULL);
2951 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2952 hf_netlogon_user_rid, NULL);
2955 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2956 hf_netlogon_user_rid, NULL);
2959 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2960 hf_netlogon_user_rid, NULL);
2963 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2964 hf_netlogon_user_rid, NULL);
2967 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2968 hf_netlogon_user_rid, NULL);
2971 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2972 hf_netlogon_user_rid, NULL);
/* SID arms; the remaining arguments of each call are on lines not shown. */
2975 offset = dissect_ndr_nt_PSID(tvb, offset,
2979 offset = dissect_ndr_nt_PSID(tvb, offset,
2983 offset = dissect_ndr_nt_PSID(tvb, offset,
2987 offset = dissect_ndr_nt_PSID(tvb, offset,
2991 offset = dissect_ndr_nt_PSID(tvb, offset,
/* Name arms: a unique pointer to a string, labelled "unknown". */
2995 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2996 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
2997 "unknown", hf_netlogon_unknown_string, -1);
3000 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3001 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3002 "unknown", hf_netlogon_unknown_string, -1);
/* Final two RID arms. */
3005 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3006 hf_netlogon_user_rid, NULL);
3009 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3010 hf_netlogon_user_rid, NULL);
/* Item now spans everything consumed since old_offset. */
3014 proto_item_set_len(item, offset-old_offset);
3019 * IDL typedef struct {
3020 * IDL short delta_type;
3021 * IDL DELTA_ID_UNION delta_id_union;
3022 * IDL DELTA_UNION delta_union;
/* Dissect one DELTA_ENUM entry under its own subtree (ett_DELTA_ENUM): the
 * delta type, then the DELTA_ID_UNION and the DELTA_UNION.
 * NOTE(review): delta_type is display only (NULL output) and each union
 * reads its own discriminant, so nothing visible here checks that the three
 * values agree.  A mismatch would be worth flagging in the tree, since all
 * three come from the packet. */
3026 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3027 packet_info *pinfo, proto_tree *parent_tree,
3030 proto_item *item=NULL;
3031 proto_tree *tree=NULL;
/* Start of the entry, used to size the item at the end. */
3032 int old_offset=offset;
/* The item is created with length 0 and resized at the end. */
3035 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3037 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3040 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3041 hf_netlogon_delta_type, NULL);
/* The remaining arguments of the next two calls are on lines not shown. */
3043 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3046 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
/* Item now spans everything consumed since old_offset. */
3049 proto_item_set_len(item, offset-old_offset);
/* Dissect the array of DELTA_ENUM entries, one netlogon_dissect_DELTA_ENUM
 * call per element, via dissect_ndr_ucarray.
 * NOTE(review): the element count is read by dissect_ndr_ucarray, not here;
 * presumably it comes from the packet.  Every element builds a subtree with
 * nested unions, so a large count means a correspondingly large tree. */
3054 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3055 packet_info *pinfo, proto_tree *tree,
3058 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3059 netlogon_dissect_DELTA_ENUM);
3065 * IDL typedef struct {
3066 * IDL long num_deltas;
3067 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3068 * IDL } DELTA_ENUM_ARRAY;
/* Dissect a DELTA_ENUM_ARRAY structure: the num_deltas count followed by a
 * unique pointer to the array of DELTA_ENUM entries. */
3071 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3072 packet_info *pinfo, proto_tree *tree,
/* Display only: NULL is passed, so num_deltas is not captured and does not
 * bound the array dissected through the pointer below. */
3075 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3076 hf_netlogon_num_deltas, NULL);
3078 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3079 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3080 "DELTA_ENUM: deltas", -1, 0);
3087 * IDL long NetDatabaseDeltas(
3088 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3089 * IDL [in][string][ref] wchar_t *computername,
3090 * IDL [in][ref] AUTHENTICATOR credential,
3091 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3092 * IDL [in] long database_id,
3093 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3094 * IDL [in] long preferredmaximumlength,
3095 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* Request dissector for the call the IDL comment above names
 * NetDatabaseDeltas.  Dissects, in order: server handle, computer name,
 * credential, return authenticator, database id, domain modified count and
 * preferred maximum length (shown as hf_netlogon_max_size).  All pointers
 * are dissected as reference pointers. */
3099 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3100 packet_info *pinfo, proto_tree *tree, char *drep)
3102 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3103 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3104 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3106 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3107 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3108 "Computer Name", hf_netlogon_computer_name, 0);
3110 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3111 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3112 "AUTHENTICATOR: credential", -1, 0);
3114 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3115 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3116 "AUTHENTICATOR: return_authenticator", -1, 0);
3118 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3119 hf_netlogon_database_id, NULL);
3121 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3122 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3123 "MODIFIED_COUNT: domain modified count", -1, 0);
3125 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3126 hf_netlogon_max_size, NULL);
/* Reply dissector for the call the IDL comment above names
 * NetDatabaseDeltas.  Dissects the return authenticator, the domain
 * modified count, the unique pointer to the DELTA_ENUM_ARRAY and finally
 * the NT status return code. */
3131 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3132 packet_info *pinfo, proto_tree *tree, char *drep)
3134 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3135 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3136 "AUTHENTICATOR: return_authenticator", -1, 0);
3138 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3139 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3140 "MODIFIED_COUNT: domain modified count", -1, 0);
3142 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3143 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3144 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3146 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3147 hf_netlogon_rc, NULL);
3154 * IDL long NetDatabaseSync(
3155 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3156 * IDL [in][string][ref] wchar_t *computername,
3157 * IDL [in][ref] AUTHENTICATOR credential,
3158 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3159 * IDL [in] long database_id,
3160 * IDL [in][out][ref] long sync_context,
3161 * IDL [in] long preferredmaximumlength,
3162 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* Request dissector for the call the IDL comment above names
 * NetDatabaseSync.  Dissects, in order: server handle, computer name,
 * credential, return authenticator, database id, sync context and
 * preferred maximum length (shown as hf_netlogon_max_size). */
3166 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3167 packet_info *pinfo, proto_tree *tree, char *drep)
3169 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3170 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3171 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3173 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3174 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3175 "Computer Name", hf_netlogon_computer_name, 0);
3177 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3178 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3179 "AUTHENTICATOR: credential", -1, 0);
3181 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3182 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3183 "AUTHENTICATOR: return_authenticator", -1, 0);
3185 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3186 hf_netlogon_database_id, NULL);
/* The IDL marks sync_context as a [ref] long; it is read here as a plain
 * 32-bit value. */
3188 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3189 hf_netlogon_sync_context, NULL);
3191 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3192 hf_netlogon_max_size, NULL);
/* Reply dissector for the call the IDL comment above names NetDatabaseSync.
 * Dissects the return authenticator, the sync context, the unique pointer
 * to the DELTA_ENUM_ARRAY and finally the NT status return code. */
3199 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3200 packet_info *pinfo, proto_tree *tree, char *drep)
3202 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3203 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3204 "AUTHENTICATOR: return_authenticator", -1, 0);
3206 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3207 hf_netlogon_sync_context, NULL);
3209 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3210 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3211 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3213 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3214 hf_netlogon_rc, NULL);
3220 * IDL typedef struct {
3221 * IDL char computer_name[16];
3222 * IDL long timecreated;
3223 * IDL long serial_number;
/* Dissect a UAS_INFO_0 record: a fixed 16-byte computer name, a 4-byte
 * creation time that is only labelled (its format is not decoded), and a
 * 32-bit serial number. */
3227 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3228 packet_info *pinfo, proto_tree *tree,
/* Per-call dissection state is taken from pinfo->private_data. */
3233 di=pinfo->private_data;
3234 if(di->conformant_run){
3235 /*just a run to handle conformant arrays, nothing to dissect */
/* Fixed-size fields: the lengths 16 and 4 are constants, not values from
 * the packet.
 * NOTE(review): the statements that advance offset past these two fields
 * are not visible in this listing - confirm they match the 16 and 4 used
 * here. */
3239 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3242 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3245 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3246 hf_netlogon_serial_number, NULL);
/* Dissect a single byte, shown as hf_netlogon_unknown_char.  Per-element
 * callback of netlogon_dissect_BYTE_array. */
3253 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3254 packet_info *pinfo, proto_tree *tree,
3257 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3258 hf_netlogon_unknown_char, NULL);
/* Dissect a byte buffer one element at a time, calling
 * netlogon_dissect_BYTE_byte for each byte via dissect_ndr_ucarray.
 * NOTE(review): this adds one tree item per byte, and the element count is
 * read by dissect_ndr_ucarray (presumably from the packet), so a large
 * buffer produces a correspondingly large tree; a single bytes item would
 * scale better. */
3264 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3265 packet_info *pinfo, proto_tree *tree,
3268 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3269 netlogon_dissect_BYTE_byte);
3275 * IDL long NetAccountDelta(
3276 * IDL [in][string][unique] wchar_t *logonserver,
3277 * IDL [in][string][ref] wchar_t *computername,
3278 * IDL [in][ref] AUTHENTICATOR credential,
3279 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3280 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3281 * IDL [out][ref] long count_returned,
3282 * IDL [out][ref] long total_entries,
3283 * IDL [in][out][ref] UAS_INFO_0 recordid,
3284 * IDL [in][long] count,
3285 * IDL [in][long] level,
3286 * IDL [in][long] buffersize,
/* Request dissector for the call the IDL comment above names
 * NetAccountDelta.  Dissects, in order: logon server handle, computer name,
 * credential, return authenticator, the UAS_INFO_0 record id, count, level
 * and buffer size (shown as hf_netlogon_max_size). */
3290 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
3291 packet_info *pinfo, proto_tree *tree, char *drep)
/* The remaining arguments of this call are on a line not shown here. */
3293 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3296 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3297 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3298 "Computer Name", hf_netlogon_computer_name, 0);
3300 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3301 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3302 "AUTHENTICATOR: credential", -1, 0);
3304 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3305 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3306 "AUTHENTICATOR: return_authenticator", -1, 0);
3308 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3309 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3310 "UAS_INFO_0: RecordID", -1, 0);
3312 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3313 hf_netlogon_count, NULL);
3315 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3316 hf_netlogon_level, NULL);
3318 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3319 hf_netlogon_max_size, NULL);
/* Reply dissector for the call the IDL comment above names NetAccountDelta.
 * Dissects the return authenticator, the returned buffer (byte by byte),
 * the returned count, the total entries, the UAS_INFO_0 record id and
 * finally the NT status return code. */
3324 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
3325 packet_info *pinfo, proto_tree *tree, char *drep)
3327 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3328 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3329 "AUTHENTICATOR: return_authenticator", -1, 0);
/* The buffer precedes the count that the IDL uses as its size_is(); the
 * count below is display only and does not bound the buffer. */
3331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3332 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3333 "BYTE_array: Buffer", -1, 0);
3335 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3336 hf_netlogon_count, NULL);
3338 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3339 hf_netlogon_entries, NULL);
3341 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3342 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3343 "UAS_INFO_0: RecordID", -1, 0);
3345 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3346 hf_netlogon_rc, NULL);
3353 * IDL long NetAccountSync(
3354 * IDL [in][string][unique] wchar_t *logonserver,
3355 * IDL [in][string][ref] wchar_t *computername,
3356 * IDL [in][ref] AUTHENTICATOR credential,
3357 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3358 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3359 * IDL [out][ref] long count_returned,
3360 * IDL [out][ref] long total_entries,
3361 * IDL [out][ref] long next_reference,
3362 * IDL [in][long] reference,
3363 * IDL [in][long] level,
3364 * IDL [in][long] buffersize,
3365 * IDL [in][out][ref] UAS_INFO_0 recordid,
/* Request dissector for the account sync call.  Dissects, in order: logon
 * server handle, computer name, credential, return authenticator,
 * reference, level and buffer size (shown as hf_netlogon_max_size).
 * NOTE(review): the IDL comment above marks recordid as [in][out], but no
 * UAS_INFO_0 is dissected in this request - confirm against a capture. */
3369 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
3370 packet_info *pinfo, proto_tree *tree, char *drep)
/* The remaining arguments of this call are on a line not shown here. */
3372 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3375 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3376 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3377 "Computer Name", hf_netlogon_computer_name, 0);
3379 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3380 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3381 "AUTHENTICATOR: credential", -1, 0);
3383 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3384 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3385 "AUTHENTICATOR: return_authenticator", -1, 0);
3387 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3388 hf_netlogon_reference, NULL);
3390 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3391 hf_netlogon_level, NULL);
3393 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3394 hf_netlogon_max_size, NULL);
/* Reply dissector for the account sync call.  Dissects the return
 * authenticator, the returned buffer (byte by byte), the returned count,
 * the total entries, the next reference, the UAS_INFO_0 record id and
 * finally the NT status return code. */
3399 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
3400 packet_info *pinfo, proto_tree *tree, char *drep)
3402 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3403 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3404 "AUTHENTICATOR: return_authenticator", -1, 0);
/* The buffer precedes the count that the IDL uses as its size_is(); the
 * count below is display only and does not bound the buffer. */
3406 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3407 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3408 "BYTE_array: Buffer", -1, 0);
3410 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3411 hf_netlogon_count, NULL);
3413 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3414 hf_netlogon_entries, NULL);
3416 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3417 hf_netlogon_next_reference, NULL);
3419 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3420 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3421 "UAS_INFO_0: RecordID", -1, 0);
3423 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3424 hf_netlogon_rc, NULL);
3431 * IDL long NetGetDCName(
3432 * IDL [in][ref][string] wchar_t *logon_server,
3433 * IDL [in][unique][string] wchar_t *domainname,
3434 * IDL [out][unique][string] wchar_t *dcname,
/* Request dissector for the call the IDL comment above names NetGetDCName.
 * Dissects the logon server name (reference pointer) and the domain name
 * (unique pointer, so it may be absent). */
3438 netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
3439 packet_info *pinfo, proto_tree *tree, char *drep)
3441 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3442 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3443 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3445 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3446 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3447 "Domain", hf_netlogon_domain_name, 0);
/* Reply dissector for the call the IDL comment above names NetGetDCName.
 * Dissects the returned name (unique pointer) and the NT status return
 * code. */
3452 netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
3453 packet_info *pinfo, proto_tree *tree, char *drep)
/* NOTE(review): the pointer label reads "Domain" although the field is
 * hf_netlogon_dc_name and the IDL calls the parameter dcname; the label
 * looks copied from the request and may mislead whoever reads the tree. */
3455 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3456 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3457 "Domain", hf_netlogon_dc_name, 0);
3459 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3460 hf_netlogon_rc, NULL);
3468 * IDL typedef struct {
3470 * IDL long pdc_connection_status;
3471 * IDL } NETLOGON_INFO_1;
/* Dissect a NETLOGON_INFO_1 structure: a 32-bit flags value followed by the
 * PDC connection status. */
3474 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3475 packet_info *pinfo, proto_tree *tree,
3478 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3479 hf_netlogon_flags, NULL);
3481 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3482 hf_netlogon_pdc_connection_status, NULL);
3489 * IDL typedef struct {
3491 * IDL long pdc_connection_status;
3492 * IDL [unique][string] wchar_t trusted_dc_name;
3493 * IDL long tc_connection_status;
3494 * IDL } NETLOGON_INFO_2;
/* Dissect a NETLOGON_INFO_2 structure: flags, PDC connection status, a
 * unique pointer to the trusted DC name string, and the trusted-connection
 * status. */
3497 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3498 packet_info *pinfo, proto_tree *tree,
3501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3502 hf_netlogon_flags, NULL);
3504 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3505 hf_netlogon_pdc_connection_status, NULL);
3507 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3508 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3509 "Trusted DC Name", hf_netlogon_trusted_dc_name, 0);
3511 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3512 hf_netlogon_tc_connection_status, NULL);
3519 * IDL typedef struct {
3521 * IDL long logon_attempts;
3522 * IDL long reserved;
3523 * IDL long reserved;
3524 * IDL long reserved;
3525 * IDL long reserved;
3526 * IDL long reserved;
3527 * IDL } NETLOGON_INFO_3;
/* NETLOGON_INFO_3: flags, logon_attempts, then five reserved 32-bit words
 * (matching the five "reserved" members in the IDL above), all shown under
 * the same hf_netlogon_reserved field. */
3530 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3531 packet_info *pinfo, proto_tree *tree,
3534 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3535 hf_netlogon_flags, NULL);
3537 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3538 hf_netlogon_logon_attempts, NULL);
3540 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3541 hf_netlogon_reserved, NULL);
3543 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3544 hf_netlogon_reserved, NULL);
3546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3547 hf_netlogon_reserved, NULL);
3549 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3550 hf_netlogon_reserved, NULL);
3552 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3553 hf_netlogon_reserved, NULL);
3560 * IDL typedef [switch_type(long)] union {
3561 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3562 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3563 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3564 * IDL } CONTROL_QUERY_INFORMATION;
/* CONTROL_QUERY_INFORMATION union: reads the 32-bit discriminant into
 * level, then dissects one of three UNIQUE pointers (NETLOGON_INFO_1/2/3). */
3567 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3568 packet_info *pinfo, proto_tree *tree,
3573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3574 hf_netlogon_level, &level);
/* level is taken straight from the packet.  The lines that select between
 * the arms below are not visible in this listing; the IDL above gives
 * cases 1, 2 and 3.
 * NOTE(review): confirm that an unrecognised level consumes no further
 * bytes rather than falling into one of the arms. */
3579 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3580 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3581 "NETLOGON_INFO_1:", -1, 0);
3584 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3585 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3586 "NETLOGON_INFO_2:", -1, 0);
3589 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3590 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3591 "NETLOGON_INFO_3:", -1, 0);
3600 * IDL long NetLogonControl(
3601 * IDL [in][string][unique] wchar_t *logonserver,
3602 * IDL [in] long function_code,
3603 * IDL [in] long level,
3604 * IDL [out][ref] CONTROL_QUERY_INFORMATION
/* NetLogonControl request: the logon server handle (via
 * netlogon_dissect_LOGONSRV_HANDLE), then function_code and level as plain
 * 32-bit values.  level is displayed but not captured here (NULL
 * out-parameter). */
3608 netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3609 packet_info *pinfo, proto_tree *tree, char *drep)
3611 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3614 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3615 hf_netlogon_code, NULL);
3617 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3618 hf_netlogon_level, NULL);
/* NetLogonControl reply: a REF pointer to CONTROL_QUERY_INFORMATION (which
 * carries its own level discriminant), followed by the NTSTATUS return
 * code. */
3623 netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
3624 packet_info *pinfo, proto_tree *tree, char *drep)
3626 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3627 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3628 "CONTROL_QUERY_INFORMATION:", -1, 0);
3630 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3631 hf_netlogon_rc, NULL);
3638 * IDL long NetGetDCName(
3639 * IDL [in][unique][string] wchar_t *logon_server,
3640 * IDL [in][unique][string] wchar_t *domainname,
3641 * IDL [out][unique][string] wchar_t *dcname,
/* Request side: server handle string and domain name, both as UNIQUE
 * string pointers (the getdcname request above uses REF for the first).
 * NOTE(review): the IDL comment above names the call NetGetDCName while
 * this function is ...getanydcname...; the comment may have been copied
 * from the earlier call - confirm. */
3645 netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
3646 packet_info *pinfo, proto_tree *tree, char *drep)
3648 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3649 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3650 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3652 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3653 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3654 "Domain", hf_netlogon_domain_name, 0);
/* Reply side: one UNIQUE string pointer registered against
 * hf_netlogon_dc_name, then the NTSTATUS return code.
 * NOTE(review): as in the getdcname reply, the tree label reads "Domain"
 * for what the IDL calls dcname - confirm the intended label. */
3659 netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
3660 packet_info *pinfo, proto_tree *tree, char *drep)
3662 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3663 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3664 "Domain", hf_netlogon_dc_name, 0);
3666 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3667 hf_netlogon_rc, NULL);
3674 * IDL typedef [switch_type(long)] union {
3675 * IDL [case(5)] [unique][string] wchar_t *unknown;
3676 * IDL [case(6)] [unique][string] wchar_t *unknown;
3677 * IDL [case(0xfffe)] long unknown;
3678 * IDL [case(7)] [unique][string] wchar_t *unknown;
3679 * IDL } CONTROL_DATA_INFORMATION;
3682 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3683 * to look like. However, NetMon does not recognize any such information levels.
3685 * I'll leave it as CONTROL_DATA_INFORMATION with no information levels
3686 * until someone has a more authoritative source to call upon.
/* CONTROL_DATA_INFORMATION union: reads the 32-bit discriminant into level,
 * then dissects one arm.  Four arms are visible: three UNIQUE string
 * pointers and one 32-bit value, in the same order as the IDL cases above
 * (5, 6, 0xfffe, 7).  The layout itself is unconfirmed; see the author's
 * note above. */
3689 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3690 packet_info *pinfo, proto_tree *tree,
3695 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3696 hf_netlogon_level, &level);
/* level is attacker-influenced wire data.  The case labels are not visible
 * in this listing.
 * NOTE(review): confirm that levels outside the listed set are ignored
 * without consuming data. */
3701 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3702 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3703 "unknown", hf_netlogon_unknown_string, -1);
3706 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3707 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3708 "unknown", hf_netlogon_unknown_string, -1);
3711 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3712 hf_netlogon_unknown_long, NULL);
3715 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3716 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3717 "unknown", hf_netlogon_unknown_string, -1);
3726 * IDL long NetLogonControl2(
3727 * IDL [in][string][unique] wchar_t *logonserver,
3728 * IDL [in] long function_code,
3729 * IDL [in] long level,
3730 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3731 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/* NetLogonControl2 request: logon server handle, function_code, level,
 * then a REF pointer to CONTROL_DATA_INFORMATION.  The level shown here is
 * not passed on; the union dissector reads its own discriminant from the
 * wire. */
3735 netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3736 packet_info *pinfo, proto_tree *tree, char *drep)
3738 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3741 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3742 hf_netlogon_code, NULL);
3744 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3745 hf_netlogon_level, NULL);
3747 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3748 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3749 "CONTROL_DATA_INFORMATION: ", -1, 0);
/* NetLogonControl2 reply: REF pointer to CONTROL_QUERY_INFORMATION, then
 * the NTSTATUS return code.  Same shape as the NetLogonControl reply. */
3755 netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3756 packet_info *pinfo, proto_tree *tree, char *drep)
3758 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3759 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3760 "CONTROL_QUERY_INFORMATION:", -1, 0);
3762 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3763 hf_netlogon_rc, NULL);
3770 * IDL long NetServerAuthenticate2(
3771 * IDL [in][string][unique] wchar_t *logonserver,
3772 * IDL [in][ref][string] wchar_t *username,
3773 * IDL [in] short secure_channel_type,
3774 * IDL [in][ref][string] wchar_t *computername,
3775 * IDL [in][ref] CREDENTIAL *client_chal,
3776 * IDL [out][ref] CREDENTIAL *server_chal,
3777 * IDL [in][out][ref] long *negotiate_flags,
/* NetServerAuthenticate2 request: logon server handle, account name (REF
 * string), secure channel type, computer name (REF string), the client
 * challenge CREDENTIAL (REF), and the negotiate flags.
 * The negotiate flags are added as one 32-bit value under
 * hf_netlogon_neg_flags; no per-bit breakdown is done in this function, so
 * anyone checking which capabilities a client offered has to decode the
 * value by hand unless the field registration supplies a bitmask display
 * (not visible here). */
3781 netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3782 packet_info *pinfo, proto_tree *tree, char *drep)
3784 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3787 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3788 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3789 "User Name", hf_netlogon_acct_name, 0);
3791 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3794 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3795 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3796 "Computer Name", hf_netlogon_computer_name, 0);
3798 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3799 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3800 "CREDENTIAL: client_chal", -1, 0);
3802 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3803 hf_netlogon_neg_flags, NULL);
/* NetServerAuthenticate2 reply: the server challenge CREDENTIAL (REF), the
 * negotiate flags as returned by the server (one 32-bit value, same field
 * as in the request), then the NTSTATUS return code.  Comparing the flags
 * value here with the one in the request shows what was actually agreed. */
3809 netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3810 packet_info *pinfo, proto_tree *tree, char *drep)
3812 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3813 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3814 "CREDENTIAL: server_chal", -1, 0);
3816 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3817 hf_netlogon_neg_flags, NULL);
3819 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3820 hf_netlogon_rc, NULL);
3827 * IDL long NetDatabaseSync2(
3828 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3829 * IDL [in][string][ref] wchar_t *computername,
3830 * IDL [in][ref] AUTHENTICATOR credential,
3831 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3832 * IDL [in] long database_id,
3833 * IDL [in] short restart_state,
3834 * IDL [in][out][ref] long *sync_context,
3835 * IDL [in] long preferredmaximumlength,
3836 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* NetDatabaseSync2 request, in IDL order: server handle and computer name
 * (both REF strings; the IDL comment flags the REF server name as unusual),
 * the two AUTHENTICATOR structures (REF), database_id (32 bit),
 * restart_state (16 bit), sync_context and the preferred maximum length
 * (both 32 bit). */
3840 netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
3841 packet_info *pinfo, proto_tree *tree, char *drep)
3843 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3844 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3845 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3847 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3848 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3849 "Computer Name", hf_netlogon_computer_name, 0);
3851 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3852 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3853 "AUTHENTICATOR: credential", -1, 0);
3855 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3856 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3857 "AUTHENTICATOR: return_authenticator", -1, 0);
3859 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3860 hf_netlogon_database_id, NULL);
3862 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3863 hf_netlogon_restart_state, NULL);
3865 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3866 hf_netlogon_sync_context, NULL);
3868 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3869 hf_netlogon_max_size, NULL);
/* NetDatabaseSync2 reply: return_authenticator (REF), the updated
 * sync_context, a UNIQUE pointer to the DELTA_ENUM_ARRAY, then the NTSTATUS
 * return code. */
3875 netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
3876 packet_info *pinfo, proto_tree *tree, char *drep)
3878 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3879 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3880 "AUTHENTICATOR: return_authenticator", -1, 0);
3882 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3883 hf_netlogon_sync_context, NULL);
3885 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3886 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3887 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3889 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3890 hf_netlogon_rc, NULL);
3897 * IDL long NetDatabaseRedo(
3898 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3899 * IDL [in][string][ref] wchar_t *computername,
3900 * IDL [in][ref] AUTHENTICATOR credential,
3901 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3902 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3903 * IDL [in] long change_log_entry_size,
3904 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* NetDatabaseRedo request: server handle and computer name (REF strings),
 * the two AUTHENTICATOR structures (REF), the change log entry as a byte
 * array behind a REF pointer, then a 32-bit size shown under
 * hf_netlogon_max_log_size (change_log_entry_size in the IDL above).
 * The byte array is dissected before the size field that the IDL's size_is
 * refers to, so its extent comes from whatever
 * netlogon_dissect_BYTE_array reads on the wire, not from this trailing
 * value. */
3908 netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
3909 packet_info *pinfo, proto_tree *tree, char *drep)
3911 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3912 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3913 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3915 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3916 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3917 "Computer Name", hf_netlogon_computer_name, 0);
3919 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3920 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3921 "AUTHENTICATOR: credential", -1, 0);
3923 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3924 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3925 "AUTHENTICATOR: return_authenticator", -1, 0);
3927 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3928 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3929 "Change log entry: ", -1, 0);
3931 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3932 hf_netlogon_max_log_size, NULL);
/* NetDatabaseRedo reply: return_authenticator (REF), a UNIQUE pointer to
 * the DELTA_ENUM_ARRAY, then the NTSTATUS return code. */
3938 netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
3939 packet_info *pinfo, proto_tree *tree, char *drep)
3941 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3942 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3943 "AUTHENTICATOR: return_authenticator", -1, 0);
3945 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3946 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3947 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3949 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3950 hf_netlogon_rc, NULL);
3956 /* XXX NetMon does not recognize this as a valid function. Muddle, however,
3957 * tells us what parameters it takes but not their names.
3958 * It looks similar to logoncontrol2; perhaps it is logoncontrol3?
3961 * IDL long NetFunction_12(
3962 * IDL [in][string][unique] wchar_t *logonserver,
3963 * IDL [in] long function_code,
3964 * IDL [in] long level,
3965 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3966 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/* Request for the unnamed function 0x12.  The field sequence is identical
 * to the NetLogonControl2 request above: logon server handle,
 * function_code, level, REF pointer to CONTROL_DATA_INFORMATION.  The
 * layout is a guess according to the author's note above. */
3970 netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
3971 packet_info *pinfo, proto_tree *tree, char *drep)
3973 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3976 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3977 hf_netlogon_code, NULL);
3979 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3980 hf_netlogon_level, NULL);
3982 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3983 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3984 "CONTROL_DATA_INFORMATION: ", -1, 0);
/* Reply for the unnamed function 0x12: REF pointer to
 * CONTROL_QUERY_INFORMATION, then the NTSTATUS return code. */
3989 netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
3990 packet_info *pinfo, proto_tree *tree, char *drep)
3992 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3993 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3994 "CONTROL_QUERY_INFORMATION:", -1, 0);
3996 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3997 hf_netlogon_rc, NULL);
4006 /* Updated above this line */
/* Pointer callback that dissects one 32-bit value under whatever header
 * field the caller stored in the per-call DCE-RPC info (di->hf_index). */
4014 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4015 packet_info *pinfo, proto_tree *tree,
/* di is taken from pinfo->private_data and dereferenced without a check in
 * the visible lines.
 * NOTE(review): assumes the DCE-RPC layer always sets private_data before
 * calling in - confirm. */
4020 di=pinfo->private_data;
4021 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4022 di->hf_index, NULL);
/* Pointer callback that dissects one 8-bit value under di->hf_index; the
 * byte-sized counterpart of netlogon_dissect_pointer_long. */
4027 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4028 packet_info *pinfo, proto_tree *tree,
/* NOTE(review): di is dereferenced without a check in the visible lines;
 * assumes pinfo->private_data is always set by the caller - confirm. */
4033 di=pinfo->private_data;
4034 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4035 di->hf_index, NULL);
/* Adds a subtree named after the registered field hf_index and dissects a
 * string pointer of the given NDR pointer type inside it.
 *   type     - NDR pointer type passed through to dissect_ndr_pointer()
 *   hf_index - header field used for both the subtree label and the string
 *   levels   - passed through unchanged to dissect_ndr_pointer()
 * The item is created with length -1 and resized to the bytes actually
 * consumed once the pointer has been dissected. */
4040 netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
4041 packet_info *pinfo, proto_tree *parent_tree,
4042 char *drep, int type, int hf_index, int levels)
4044 proto_item *item=NULL;
4045 proto_tree *tree=NULL;
4046 int old_offset=offset;
4050 di=pinfo->private_data;
4051 if(di->conformant_run){
4052 /*just a run to handle conformant arrays, nothing to dissect */
4056 name = proto_registrar_get_name(hf_index);
4058 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4060 tree = proto_item_add_subtree(item, ett_nt_unicode_string);
4063 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4064 dissect_ndr_nt_UNICODE_STRING_str, type,
4065 name, hf_index, levels);
4067 proto_item_set_len(item, offset-old_offset);
/* Per-element callback for the UNICODE_MULTI array: one byte, shown as
 * hf_netlogon_unknown_char. */
4073 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4074 packet_info *pinfo, proto_tree *tree,
4077 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4078 hf_netlogon_unknown_char, NULL);
/* Dissects the UNICODE_MULTI payload as an NDR array of bytes; element
 * counting and iteration are left to dissect_ndr_ucarray(). */
4084 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4085 packet_info *pinfo, proto_tree *tree,
4088 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4089 netlogon_dissect_UNICODE_MULTI_byte);
/* UNICODE_MULTI: a 32-bit length followed by a UNIQUE pointer to a byte
 * array, shown in their own subtree.  The length is displayed only (NULL
 * out-parameter); the array dissector does not receive it. */
4095 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4096 packet_info *pinfo, proto_tree *parent_tree,
4099 proto_item *item=NULL;
4100 proto_tree *tree=NULL;
4101 int old_offset=offset;
4104 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4106 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4109 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4110 hf_netlogon_len, NULL);
4112 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4113 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4114 "unknown", hf_netlogon_unknown_string, 0);
/* Resize the subtree item to the bytes consumed above. */
4116 proto_item_set_len(item, offset-old_offset);
/* Dissects a GUID field by field in its own subtree: one 32-bit value, two
 * 16-bit values, then byte-sized values, all under the generic
 * hf_netlogon_unknown_* fields.
 * NOTE(review): only one dissect_ndr_uint8 call is visible; the
 * surrounding lines are missing from this listing, so presumably it sits
 * in a loop over the remaining bytes - confirm against the full file. */
4121 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4122 packet_info *pinfo, proto_tree *parent_tree,
4125 proto_item *item=NULL;
4126 proto_tree *tree=NULL;
4127 int old_offset=offset;
4131 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4133 tree = proto_item_add_subtree(item, ett_GUID);
4136 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4137 hf_netlogon_unknown_long, NULL);
4139 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4140 hf_netlogon_unknown_short, NULL);
4142 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4143 hf_netlogon_unknown_short, NULL);
4146 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4147 hf_netlogon_unknown_char, NULL);
4150 proto_item_set_len(item, offset-old_offset);
/* DOMAIN_CONTROLLER_INFO: DC name, DC address, address type, a GUID, the
 * logon domain, DNS forest name, flags, DC site name and client site name,
 * dissected in that order inside a "DOMAIN_CONTROLLER_INFO:" subtree.
 * Every string pointer carries the tree label "unknown" even though each
 * is registered against a specific header field (hf_netlogon_dc_name,
 * hf_netlogon_dc_address, ...). */
4155 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4156 packet_info *pinfo, proto_tree *parent_tree,
4159 proto_item *item=NULL;
4160 proto_tree *tree=NULL;
4161 int old_offset=offset;
4164 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4165 "DOMAIN_CONTROLLER_INFO:");
4166 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4169 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4170 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4171 "unknown", hf_netlogon_dc_name, -1);
4173 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4174 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4175 "unknown", hf_netlogon_dc_address, -1);
4177 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4178 hf_netlogon_dc_address_type, NULL);
4180 offset = dissect_nt_GUID(tvb, offset,
4183 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4184 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4185 "unknown", hf_netlogon_logon_dom, -1);
4187 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4188 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4189 "unknown", hf_netlogon_dns_forest_name, -1);
4191 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4192 hf_netlogon_flags, NULL);
4194 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4195 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4196 "unknown", hf_netlogon_dc_site_name, -1);
4198 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4199 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4200 "unknown", hf_netlogon_client_site_name, -1);
/* Resize the subtree item to the bytes consumed above. */
4202 proto_item_set_len(item, offset-old_offset);
/* One level of indirection: a UNIQUE pointer to DOMAIN_CONTROLLER_INFO. */
4207 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr(tvbuff_t *tvb, int offset,
4208 packet_info *pinfo, proto_tree *tree,
4211 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4212 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
4213 "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
/* Two levels of indirection: a UNIQUE pointer to the _ptr dissector above,
 * i.e. a pointer to a pointer to DOMAIN_CONTROLLER_INFO.  The tree label
 * is the same string as in the single-pointer variant. */
4219 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr(tvbuff_t *tvb, int offset,
4220 packet_info *pinfo, proto_tree *tree,
4223 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4224 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_UNIQUE,
4225 "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
/* Dissects the payload of a BLOB: a 32-bit size read into len, then len
 * bytes added to the tree as hf_netlogon_blob.  Nothing is dissected
 * during a conformant run. */
4231 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4232 packet_info *pinfo, proto_tree *tree,
4238 di=pinfo->private_data;
4239 if(di->conformant_run){
4240 /*just a run to handle conformant arrays, nothing to dissect.*/
4244 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4245 hf_netlogon_blob_size, &len);
/* len comes straight from the packet and is used as the item length with
 * no bound against the remaining buffer in the visible lines.
 * NOTE(review): the lines after this call are missing from the listing.
 * If offset is advanced by len afterwards, confirm that a len larger than
 * the data left in tvb (or large enough to wrap the signed int offset) is
 * rejected first; proto_tree_add_item() is the only visible call that
 * could reject it, and it may not validate when no tree is being built. */
4247 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
/* BLOB: a 32-bit size followed by a UNIQUE pointer to the data, shown in
 * their own subtree.  The size read here is displayed only (NULL
 * out-parameter); netlogon_dissect_BLOB_array reads its own size field
 * from the wire.
 * NOTE(review): no old_offset local or proto_item_set_len() call is
 * visible for this item, unlike the sibling struct dissectors; the item
 * may keep its initial length of 0 - confirm against the full file. */
4255 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4256 packet_info *pinfo, proto_tree *parent_tree,
4259 proto_item *item=NULL;
4260 proto_tree *tree=NULL;
4263 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4265 tree = proto_item_add_subtree(item, ett_BLOB);
4268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4269 hf_netlogon_blob_size, NULL);
4271 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4272 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
/* TYPE_46 (structure name unknown to the author): a BLOB, six UNIQUE
 * string pointers (workstation FQDN, site name and OS, then three
 * unidentified), four inline UNICODE_STRINGs and four 32-bit values, all
 * in one subtree.  The string pointers all use the tree label "unknown";
 * the first three are registered against workstation-specific fields. */
4279 netlogon_dissect_TYPE_46(tvbuff_t *tvb, int offset,
4280 packet_info *pinfo, proto_tree *parent_tree,
4283 proto_item *item=NULL;
4284 proto_tree *tree=NULL;
4285 int old_offset=offset;
4288 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4290 tree = proto_item_add_subtree(item, ett_TYPE_46);
4293 offset = netlogon_dissect_BLOB(tvb, offset,
4296 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4297 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4298 "unknown", hf_netlogon_workstation_fqdn, -1);
4300 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4301 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4302 "unknown", hf_netlogon_workstation_site_name, -1);
4304 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4305 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4306 "unknown", hf_netlogon_workstation_os, -1);
4308 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4309 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4310 "unknown", hf_netlogon_unknown_string, -1);
4312 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4313 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4314 "unknown", hf_netlogon_unknown_string, -1);
4316 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4317 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4318 "unknown", hf_netlogon_unknown_string, -1);
4320 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4321 hf_netlogon_unknown_string, 0);
4323 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4324 hf_netlogon_unknown_string, 0);
4326 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4327 hf_netlogon_unknown_string, 0);
4329 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4330 hf_netlogon_unknown_string, 0);
4332 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4333 hf_netlogon_unknown_long, NULL);
4335 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4336 hf_netlogon_unknown_long, NULL);
4338 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4339 hf_netlogon_unknown_long, NULL);
4341 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4342 hf_netlogon_unknown_long, NULL);
/* Resize the subtree item to the bytes consumed above. */
4344 proto_item_set_len(item, offset-old_offset);
/* TYPE_48 (structure name unknown to the author), dissected in one
 * subtree: three inline UNICODE_STRINGs, a GUID, a SID pointer
 * (dissect_ndr_nt_PSID), four more UNICODE_STRINGs, four 32-bit values,
 * two BLOBs, four more UNICODE_STRINGs and a final four 32-bit values.
 * Apart from the GUID, SID and BLOBs every member is shown under the
 * generic hf_netlogon_unknown_* fields. */
4349 netlogon_dissect_TYPE_48(tvbuff_t *tvb, int offset,
4350 packet_info *pinfo, proto_tree *parent_tree,
4353 proto_item *item=NULL;
4354 proto_tree *tree=NULL;
4355 int old_offset=offset;
4358 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4360 tree = proto_item_add_subtree(item, ett_TYPE_48);
4363 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4364 hf_netlogon_unknown_string, 0);
4366 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4367 hf_netlogon_unknown_string, 0);
4369 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4370 hf_netlogon_unknown_string, 0);
4372 offset = dissect_nt_GUID(tvb, offset,
4375 offset = dissect_ndr_nt_PSID(tvb, offset,
4378 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4379 hf_netlogon_unknown_string, 0);
4381 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4382 hf_netlogon_unknown_string, 0);
4384 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4385 hf_netlogon_unknown_string, 0);
4387 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4388 hf_netlogon_unknown_string, 0);
4390 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4391 hf_netlogon_unknown_long, NULL);
4393 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4394 hf_netlogon_unknown_long, NULL);
4396 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4397 hf_netlogon_unknown_long, NULL);
4399 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4400 hf_netlogon_unknown_long, NULL);
4402 offset = netlogon_dissect_BLOB(tvb, offset,
4405 offset = netlogon_dissect_BLOB(tvb, offset,
4408 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4409 hf_netlogon_unknown_string, 0);
4411 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4412 hf_netlogon_unknown_string, 0);
4414 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4415 hf_netlogon_unknown_string, 0);
4417 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4418 hf_netlogon_unknown_string, 0);
4420 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4421 hf_netlogon_unknown_long, NULL);
4423 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4424 hf_netlogon_unknown_long, NULL);
4426 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4427 hf_netlogon_unknown_long, NULL);
4429 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4430 hf_netlogon_unknown_long, NULL);
/* Resize the subtree item to the bytes consumed above. */
4432 proto_item_set_len(item, offset-old_offset);
/* UNICODE_STRING_512: 16-bit values followed by 32-bit value(s), shown in
 * a "UNICODE_STRING_512:" subtree under the generic unknown fields.
 * NOTE(review): only one call of each width is visible, and the lines
 * around them are missing from this listing; presumably the 16-bit read
 * sits in a loop (the name suggests a fixed 512-byte buffer) - confirm
 * the iteration count against the full file. */
4437 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4438 packet_info *pinfo, proto_tree *parent_tree,
4441 proto_item *item=NULL;
4442 proto_tree *tree=NULL;
4443 int old_offset=offset;
4447 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4448 "UNICODE_STRING_512:");
4449 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4453 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4454 hf_netlogon_unknown_short, NULL);
4457 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4458 hf_netlogon_unknown_long, NULL);
4460 proto_item_set_len(item, offset-old_offset);
/* Per-element callback for the TYPE_50 byte array: one byte, shown as
 * hf_netlogon_unknown_char. */
4465 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4466 packet_info *pinfo, proto_tree *tree,
4469 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4470 hf_netlogon_unknown_char, NULL);
/* Dissects the TYPE_50 payload as an NDR array of bytes; element counting
 * and iteration are left to dissect_ndr_ucarray(). */
4476 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4477 packet_info *pinfo, proto_tree *tree,
4480 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4481 netlogon_dissect_element_844_byte);
/* TYPE_50 (structure name unknown to the author): a 32-bit value followed
 * by a UNIQUE pointer to a byte array, in one subtree.  The 32-bit value
 * is displayed only; it is not handed to the array dissector. */
4487 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4488 packet_info *pinfo, proto_tree *parent_tree,
4491 proto_item *item=NULL;
4492 proto_tree *tree=NULL;
4493 int old_offset=offset;
4496 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4498 tree = proto_item_add_subtree(item, ett_TYPE_50);
4501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4502 hf_netlogon_unknown_long, NULL);
4504 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4505 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4506 "unknown", hf_netlogon_unknown_string, 0);
/* Resize the subtree item to the bytes consumed above. */
4508 proto_item_set_len(item, offset-old_offset);
/* One level of indirection: a UNIQUE pointer to TYPE_50. */
4513 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4514 packet_info *pinfo, proto_tree *tree,
4517 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4518 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4519 "TYPE_50 pointer: unknown_TYPE_50", -1, 0);
/* Two levels of indirection: a UNIQUE pointer to the TYPE_50_ptr dissector
 * above, i.e. a pointer to a pointer to TYPE_50. */
4525 netlogon_dissect_TYPE_50_ptr_ptr(tvbuff_t *tvb, int offset,
4526 packet_info *pinfo, proto_tree *tree,
4529 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4530 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
4531 "TYPE_50* pointer: unknown_TYPE_50", -1, 0);
/* Per-element callback for the TYPE_51 byte array: one byte, shown as
 * hf_netlogon_unknown_char. */
4537 netlogon_dissect_element_861_byte(tvbuff_t *tvb, int offset,
4538 packet_info *pinfo, proto_tree *tree,
4541 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4542 hf_netlogon_unknown_char, NULL);
/* Dissects the TYPE_51 payload as an NDR array of bytes; element counting
 * and iteration are left to dissect_ndr_ucarray(). */
4548 netlogon_dissect_element_861_array(tvbuff_t *tvb, int offset,
4549 packet_info *pinfo, proto_tree *tree,
4552 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4553 netlogon_dissect_element_861_byte);
/* TYPE_51 (structure name unknown to the author): a 32-bit value followed
 * by a UNIQUE pointer to a byte array, in one subtree.  Same shape as
 * TYPE_50 with its own array callback. */
4559 netlogon_dissect_TYPE_51(tvbuff_t *tvb, int offset,
4560 packet_info *pinfo, proto_tree *parent_tree,
4563 proto_item *item=NULL;
4564 proto_tree *tree=NULL;
4565 int old_offset=offset;
4568 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4570 tree = proto_item_add_subtree(item, ett_TYPE_51);
4573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4574 hf_netlogon_unknown_long, NULL);
4576 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4577 netlogon_dissect_element_861_array, NDR_POINTER_UNIQUE,
4578 "unknown", hf_netlogon_unknown_string, 0);
/* Resize the subtree item to the bytes consumed above. */
4580 proto_item_set_len(item, offset-old_offset);
/* Per-element callback for the first TYPE_52 byte array: one byte, shown
 * as hf_netlogon_unknown_char. */
4585 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4586 packet_info *pinfo, proto_tree *tree,
4589 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4590 hf_netlogon_unknown_char, NULL);
/* Dissects the first TYPE_52 payload as an NDR array of bytes; element
 * counting and iteration are left to dissect_ndr_ucarray(). */
4596 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4597 packet_info *pinfo, proto_tree *tree,
4600 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4601 netlogon_dissect_element_865_byte);
/* Per-element callback for the second TYPE_52 byte array: one byte, shown
 * as hf_netlogon_unknown_char. */
4607 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4608 packet_info *pinfo, proto_tree *tree,
4611 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4612 hf_netlogon_unknown_char, NULL);
/* Dissects the second TYPE_52 payload as an NDR array of bytes; element
 * counting and iteration are left to dissect_ndr_ucarray(). */
4618 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4619 packet_info *pinfo, proto_tree *tree,
4622 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4623 netlogon_dissect_element_866_byte);
/* TYPE_52 (structure name unknown to the author): a 32-bit value followed
 * by two UNIQUE pointers to byte arrays, in one subtree. */
4629 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4630 packet_info *pinfo, proto_tree *parent_tree,
4633 proto_item *item=NULL;
4634 proto_tree *tree=NULL;
4635 int old_offset=offset;
4638 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4640 tree = proto_item_add_subtree(item, ett_TYPE_52);
4643 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4644 hf_netlogon_unknown_long, NULL);
4646 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4647 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
4648 "unknown", hf_netlogon_unknown_string, 0);
4650 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4651 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
4652 "unknown", hf_netlogon_unknown_string, 0);
/* Resize the subtree item to the bytes consumed above. */
4654 proto_item_set_len(item, offset-old_offset);
/* One level of indirection: a UNIQUE pointer to TYPE_52. */
4659 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
4660 packet_info *pinfo, proto_tree *tree,
4663 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4664 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
4665 "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
/* Two levels of indirection: a UNIQUE pointer to the TYPE_52_ptr dissector
 * above, i.e. a pointer to a pointer to TYPE_52. */
4670 netlogon_dissect_TYPE_52_ptr_ptr(tvbuff_t *tvb, int offset,
4671 packet_info *pinfo, proto_tree *tree,
4674 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4675 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
4676 "TYPE_52* pointer: unknown_TYPE_52", -1, 0);
/* TYPE_44 (union name unknown to the author): reads a 32-bit level
 * discriminant into level, then one 32-bit value, inside its own subtree.
 * NOTE(review): the lines selecting on level are missing from this
 * listing, so which level value(s) lead to the 32-bit read cannot be told
 * from here; level is wire data, so confirm other values consume
 * nothing. */
4682 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
4683 packet_info *pinfo, proto_tree *parent_tree,
4686 proto_item *item=NULL;
4687 proto_tree *tree=NULL;
4688 int old_offset=offset;
4692 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4694 tree = proto_item_add_subtree(item, ett_TYPE_44);
4697 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4698 hf_netlogon_level, &level);
4703 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4704 hf_netlogon_unknown_long, NULL);
4708 proto_item_set_len(item, offset-old_offset);
/* TYPE_45 (union name unknown to the author): reads a 32-bit level
 * discriminant into level, then a UNIQUE pointer to TYPE_46.  Two
 * identical TYPE_46 pointer dissections are visible; presumably they are
 * separate arms for two level values, but the selecting lines are missing
 * from this listing - confirm against the full file. */
4713 netlogon_dissect_TYPE_45(tvbuff_t *tvb, int offset,
4714 packet_info *pinfo, proto_tree *parent_tree,
4717 proto_item *item=NULL;
4718 proto_tree *tree=NULL;
4719 int old_offset=offset;
4723 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4725 tree = proto_item_add_subtree(item, ett_TYPE_45);
4728 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4729 hf_netlogon_level, &level);
4734 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4735 netlogon_dissect_TYPE_46, NDR_POINTER_UNIQUE,
4736 "TYPE_46 pointer:", -1, 0);
4739 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4740 netlogon_dissect_TYPE_46, NDR_POINTER_UNIQUE,
4741 "TYPE_46 pointer:", -1, 0);
4745 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a TYPE_47 structure into its own subtree (ett_TYPE_47): a 32-bit
 * level stored into `level`, then a unique pointer to TYPE_48 and a unique
 * pointer to UNICODE_MULTI.
 * NOTE(review): level is read from the packet; the branch that picks
 * between the two pointer forms is not visible here -- confirm unknown
 * levels are handled.
 */
4750 netlogon_dissect_TYPE_47(tvbuff_t *tvb, int offset,
4751 packet_info *pinfo, proto_tree *parent_tree,
4754 proto_item *item=NULL;
4755 proto_tree *tree=NULL;
4756 int old_offset=offset;
4760 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4762 tree = proto_item_add_subtree(item, ett_TYPE_47);
4765 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4766 hf_netlogon_level, &level);
4771 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4772 netlogon_dissect_TYPE_48, NDR_POINTER_UNIQUE,
4773 "TYPE_48 pointer:", -1, 0);
4776 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4777 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_UNIQUE,
4778 "UNICODE_MULTI pointer:", -1, 0);
/* The item was created with length 0; fix it up to the bytes consumed. */
4782 proto_item_set_len(item, offset-old_offset);
/*
 * NETTRUSTEDDOMAINLIST request: the only field dissected is the
 * LOGONSRV_HANDLE.
 */
4787 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
4788 packet_info *pinfo, proto_tree *tree, char *drep)
4790 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * NETTRUSTEDDOMAINLIST reply: a ref pointer to a UNICODE_MULTI labelled
 * trust_dom_name_list, then the NTSTATUS return code (hf_netlogon_rc).
 */
4798 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
4799 packet_info *pinfo, proto_tree *tree, char *drep)
4801 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4802 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
4803 "UNICODE_MULTI pointer: trust_dom_name_list", -1, 0);
4805 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4806 hf_netlogon_rc, NULL);
/*
 * DSRGETDCNAME2 request: LOGONSRV_HANDLE, unique pointer to the domain name
 * string (hf_netlogon_logon_dom), unique pointers to a domain GUID and a
 * site GUID, then a 32-bit flags value (hf_netlogon_flags).
 */
4812 netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
4813 packet_info *pinfo, proto_tree *tree, char *drep)
4815 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4818 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4819 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4820 "Domain", hf_netlogon_logon_dom, 0);
4822 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4823 dissect_nt_GUID, NDR_POINTER_UNIQUE,
4824 "GUID pointer: domain_guid", -1, 0);
4826 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4827 dissect_nt_GUID, NDR_POINTER_UNIQUE,
4828 "GUID pointer: site_guid", -1, 0);
4830 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4831 hf_netlogon_flags, NULL);
/*
 * DSRGETDCNAME2 reply: a ref pointer handled by
 * netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, then the NTSTATUS return
 * code (hf_netlogon_rc).
 */
4838 netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
4839 packet_info *pinfo, proto_tree *tree, char *drep)
4841 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4842 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_REF,
4843 "DOMAIN_CONTROLLER_INFO* pointer: info", -1, 0);
4845 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4846 hf_netlogon_rc, NULL);
/*
 * FUNCTION_15 request: LOGONSRV_HANDLE, a unique pointer to an unnamed
 * string, the client AUTHENTICATOR (ref pointer, "credential"), a unique
 * pointer to the return AUTHENTICATOR, then an unnamed 32-bit value.
 */
4852 netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
4853 packet_info *pinfo, proto_tree *tree, char *drep)
4855 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4858 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4859 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4860 "unknown string", hf_netlogon_unknown_string, 0);
4862 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4863 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4864 "AUTHENTICATOR: credential", -1, 0);
4866 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4867 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
4868 "AUTHENTICATOR: return_authenticator", -1, 0);
4870 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4871 hf_netlogon_unknown_long, NULL);
/*
 * FUNCTION_15 reply: unique pointer to the return AUTHENTICATOR, unique
 * pointer to a TYPE_44 structure, then the NTSTATUS return code
 * (hf_netlogon_rc).
 */
4878 netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
4879 packet_info *pinfo, proto_tree *tree, char *drep)
4881 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4882 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
4883 "AUTHENTICATOR: return_authenticator", -1, 0);
4885 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4886 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
4887 "TYPE_44 pointer: unknown_TYPE_44", -1, 0);
4889 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4890 hf_netlogon_rc, NULL);
/*
 * FUNCTION_16 request: LOGONSRV_HANDLE followed by two unnamed 32-bit
 * values, both shown as hf_netlogon_unknown_long.
 */
4896 netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
4897 packet_info *pinfo, proto_tree *tree, char *drep)
4899 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4902 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4903 hf_netlogon_unknown_long, NULL);
4905 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4906 hf_netlogon_unknown_long, NULL);
/* FUNCTION_16 reply: only the NTSTATUS return code (hf_netlogon_rc). */
4913 netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
4914 packet_info *pinfo, proto_tree *tree, char *drep)
4916 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4917 hf_netlogon_rc, NULL);
/*
 * FUNCTION_17 request: LOGONSRV_HANDLE and a unique pointer to an unnamed
 * string (hf_netlogon_unknown_string).
 */
4923 netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
4924 packet_info *pinfo, proto_tree *tree, char *drep)
4926 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4929 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4930 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4931 "unknown string", hf_netlogon_unknown_string, 0);
/*
 * FUNCTION_17 reply: unique pointer to an unnamed ULONG
 * (netlogon_dissect_pointer_long), then the NTSTATUS return code.
 */
4938 netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
4939 packet_info *pinfo, proto_tree *tree, char *drep)
4941 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4942 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
4943 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4945 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4946 hf_netlogon_rc, NULL);
/*
 * FUNCTION_18 request: LOGONSRV_HANDLE, an unnamed 32-bit value, a unique
 * pointer to a byte array (netlogon_dissect_BYTE_array), then another
 * unnamed 32-bit value.
 * NOTE(review): the trailing 32-bit value may be the byte array's length;
 * nothing visible here ties the two together -- confirm.
 */
4952 netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
4953 packet_info *pinfo, proto_tree *tree, char *drep)
4955 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4958 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4959 hf_netlogon_unknown_long, NULL);
4961 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4962 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
4963 "BYTE pointer: unknown_BYTE", -1, 0);
4965 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4966 hf_netlogon_unknown_long, NULL);
/*
 * Dissects byte elements with dissect_ndr_uint8, each shown as
 * hf_netlogon_unknown_char.
 * NOTE(review): the name implies a fixed 16-byte array; the loop and its
 * bound are not visible here -- confirm the count is a constant and is not
 * taken from the packet.
 */
4972 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
4973 packet_info *pinfo, proto_tree *tree, char *drep)
4978 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4979 hf_netlogon_unknown_char, NULL);
/*
 * FUNCTION_18 reply: unique pointer to a byte block handled by
 * netlogon_dissect_BYTE_16_array, then the NTSTATUS return code.
 */
4986 netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
4987 packet_info *pinfo, proto_tree *tree, char *drep)
4989 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4990 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
4991 "BYTE pointer: unknown_BYTE", -1, 0);
4993 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4994 hf_netlogon_rc, NULL);
/*
 * FUNCTION_19 request: LOGONSRV_HANDLE, unique pointer to an unnamed
 * string, unique pointer to a byte array (netlogon_dissect_BYTE_array),
 * then an unnamed 32-bit value.
 */
5000 netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
5001 packet_info *pinfo, proto_tree *tree, char *drep)
5003 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5006 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5007 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5008 "unknown string", hf_netlogon_unknown_string, 0);
5010 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5011 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5012 "BYTE pointer: unknown_BYTE", -1, 0);
5014 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5015 hf_netlogon_unknown_long, NULL);
/*
 * FUNCTION_19 reply: unique pointer to a byte block handled by
 * netlogon_dissect_BYTE_16_array, then the NTSTATUS return code.
 */
5022 netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
5023 packet_info *pinfo, proto_tree *tree, char *drep)
5025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5026 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5027 "BYTE pointer: unknown_BYTE", -1, 0);
5029 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5030 hf_netlogon_rc, NULL);
/*
 * NETSERVERAUTHENTICATE3 request: LOGONSRV_HANDLE, account name, secure
 * channel type, computer name, the client CREDENTIAL (ref pointer labelled
 * "authenticator") and a unique pointer to the negotiate flags.
 * NOTE(review): the negotiate_flags item is registered under
 * hf_netlogon_unknown_long although the file declares hf_netlogon_neg_flags;
 * as written the flags share a field with every other "unknown long" --
 * confirm whether the dedicated field was intended.
 */
5036 netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5037 packet_info *pinfo, proto_tree *tree, char *drep)
5039 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5042 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5043 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5044 "Acct Name", hf_netlogon_acct_name, 0);
5046 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5049 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5050 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5051 "Computer Name", hf_netlogon_computer_name, 0);
5053 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5054 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5055 "CREDENTIAL pointer: authenticator", -1, 0);
5057 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5058 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5059 "ULONG pointer: negotiate_flags", hf_netlogon_unknown_long, 0);
/*
 * NETSERVERAUTHENTICATE3 reply: the server CREDENTIAL (ref pointer), a
 * unique pointer to the negotiate flags, a unique pointer to an unnamed
 * ULONG, then the NTSTATUS return code.
 * NOTE(review): negotiate_flags is registered under
 * hf_netlogon_unknown_long although the file declares hf_netlogon_neg_flags
 * -- confirm whether the dedicated field was intended.
 */
5066 netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5067 packet_info *pinfo, proto_tree *tree, char *drep)
5069 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5070 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5071 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1, 0);
5073 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5074 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5075 "ULONG pointer: negotiate_flags", hf_netlogon_unknown_long, 0);
5077 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5078 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5079 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5081 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5082 hf_netlogon_rc, NULL);
/*
 * DSRGETDCNAME request: LOGONSRV_HANDLE, unique pointers to the domain name
 * string, a domain GUID and the site name string, then a 32-bit flags value
 * (hf_netlogon_flags). Unlike DSRGETDCNAME2, the site is given here as a
 * name string rather than a GUID.
 */
5088 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5089 packet_info *pinfo, proto_tree *tree, char *drep)
5091 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5094 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5095 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5096 "Domain", hf_netlogon_logon_dom, 0);
5098 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5099 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5100 "GUID pointer: domain_guid", -1, 0);
5102 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5103 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5104 "Site Name", hf_netlogon_site_name, 0);
5106 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5107 hf_netlogon_flags, NULL);
/*
 * DSRGETDCNAME reply: a ref pointer handled by
 * netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, then the NTSTATUS return
 * code (hf_netlogon_rc).
 */
5114 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5115 packet_info *pinfo, proto_tree *tree, char *drep)
5117 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5118 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_REF,
5119 "DOMAIN_CONTROLLER_INFO* pointer: info", -1, 0);
5121 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5122 hf_netlogon_rc, NULL);
/* DSRGETSITENAME request: the only field dissected is the LOGONSRV_HANDLE. */
5128 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5129 packet_info *pinfo, proto_tree *tree, char *drep)
5131 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * DSRGETSITENAME reply: the site name, dissected by
 * netlogon_dissect_UNICODE_STRING as a ref pointer (hf_netlogon_site_name),
 * then the NTSTATUS return code.
 */
5139 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5140 packet_info *pinfo, proto_tree *tree, char *drep)
5143 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
5144 NDR_POINTER_REF, hf_netlogon_site_name, 0);
5146 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5147 hf_netlogon_rc, NULL);
/*
 * FUNCTION_1D request: LOGONSRV_HANDLE, computer name, the client
 * AUTHENTICATOR (ref pointer), a unique pointer to the return
 * AUTHENTICATOR, an unnamed 32-bit value, then an inline TYPE_45 structure.
 * NOTE(review): the 32-bit value immediately before TYPE_45 may be its
 * level selector -- not established by the visible code; confirm.
 */
5153 netlogon_dissect_function_1d_rqst(tvbuff_t *tvb, int offset,
5154 packet_info *pinfo, proto_tree *tree, char *drep)
5156 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5159 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5160 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5161 "Computer Name", hf_netlogon_computer_name, 0);
5163 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5164 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5165 "AUTHENTICATOR: credential", -1, 0);
5167 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5168 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5169 "AUTHENTICATOR: return_authenticator", -1, 0);
5171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5172 hf_netlogon_unknown_long, NULL);
5174 offset = netlogon_dissect_TYPE_45(tvb, offset,
/*
 * FUNCTION_1D reply: unique pointer to the return AUTHENTICATOR, unique
 * pointer to a TYPE_47 structure, then the NTSTATUS return code.
 */
5182 netlogon_dissect_function_1d_reply(tvbuff_t *tvb, int offset,
5183 packet_info *pinfo, proto_tree *tree, char *drep)
5185 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5186 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5187 "AUTHENTICATOR: return_authenticator", -1, 0);
5189 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5190 netlogon_dissect_TYPE_47, NDR_POINTER_UNIQUE,
5191 "TYPE_47 pointer: unknown_TYPE_47", -1, 0);
5193 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5194 hf_netlogon_rc, NULL);
/*
 * FUNCTION_1E request: LOGONSRV_HANDLE, an unnamed string, an unnamed
 * 16-bit value, a second unnamed string, the client AUTHENTICATOR (ref
 * pointer), then a field handled by netlogon_dissect_UNICODE_STRING_512.
 */
5200 netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
5201 packet_info *pinfo, proto_tree *tree, char *drep)
5203 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5206 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5207 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5208 "unknown string", hf_netlogon_unknown_string, 0);
5210 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5211 hf_netlogon_unknown_short, NULL);
5213 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5214 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5215 "unknown string", hf_netlogon_unknown_string, 0);
5217 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5218 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5219 "AUTHENTICATOR: credential", -1, 0);
5221 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
/*
 * FUNCTION_1E reply: unique pointer to the return AUTHENTICATOR, then the
 * NTSTATUS return code.
 */
5229 netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
5230 packet_info *pinfo, proto_tree *tree, char *drep)
5232 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5233 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5234 "AUTHENTICATOR: return_authenticator", -1, 0);
5236 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5237 hf_netlogon_rc, NULL);
/*
 * NETSERVERPASSWORDSET2 request: LOGONSRV_HANDLE, account name, secure
 * channel type, computer name and the client AUTHENTICATOR (ref pointer).
 * NOTE(review): no password field is dissected among the visible request
 * fields; the reply dissector is where an LM_OWF_PASSWORD is decoded --
 * confirm the request/reply split against the protocol specification.
 */
5243 netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5244 packet_info *pinfo, proto_tree *tree, char *drep)
5246 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5249 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5250 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5251 "Acct Name", hf_netlogon_acct_name, 0);
5253 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5256 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5257 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5258 "Computer Name", hf_netlogon_computer_name, 0);
5260 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5261 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5262 "AUTHENTICATOR: credential", -1, 0);
/*
 * NETSERVERPASSWORDSET2 reply: the return AUTHENTICATOR (ref pointer), an
 * LM_OWF_PASSWORD (ref pointer labelled server_pwd), then the NTSTATUS
 * return code.
 * NOTE(review): this decodes password-derived material into the protocol
 * tree, so exported dissections of such traffic carry it too. Whether a
 * password blob really belongs in the reply rather than the request is not
 * established here -- confirm against the protocol specification.
 */
5269 netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5270 packet_info *pinfo, proto_tree *tree, char *drep)
5272 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5273 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5274 "AUTHENTICATOR: return_authenticator", -1, 0);
5276 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5277 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5278 "LM_OWF_PASSWORD pointer: server_pwd", -1, 0);
5280 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5281 hf_netlogon_rc, NULL);
/*
 * FUNCTION_20 request: LOGONSRV_HANDLE, an unnamed string, the client
 * AUTHENTICATOR (ref pointer), a unique pointer to a byte array, then an
 * unnamed 32-bit value.
 * NOTE(review): the string pointer passes -1 as the last argument where
 * most sibling calls pass 0; the meaning of that argument is not visible
 * here -- confirm the difference is intended.
 */
5287 netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
5288 packet_info *pinfo, proto_tree *tree, char *drep)
5290 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5293 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5294 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5295 "unknown string", hf_netlogon_unknown_string, -1);
5297 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5298 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5299 "AUTHENTICATOR: credential", -1, 0);
5301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5302 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5303 "BYTE pointer: unknown_BYTE", -1, 0);
5305 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5306 hf_netlogon_unknown_long, NULL);
/*
 * FUNCTION_20 reply: unique pointer to the return AUTHENTICATOR, then the
 * NTSTATUS return code.
 */
5313 netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
5314 packet_info *pinfo, proto_tree *tree, char *drep)
5316 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5317 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5318 "AUTHENTICATOR: return_authenticator", -1, 0);
5320 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5321 hf_netlogon_rc, NULL);
/*
 * FUNCTION_21 request: LOGONSRV_HANDLE, an unnamed 32-bit value, then a
 * unique pointer to a byte array (netlogon_dissect_BYTE_array).
 */
5327 netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
5328 packet_info *pinfo, proto_tree *tree, char *drep)
5330 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5333 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5334 hf_netlogon_unknown_long, NULL);
5336 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5337 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5338 "BYTE pointer: unknown_BYTE", -1, 0);
/*
 * FUNCTION_21 reply: a ref pointer handled by
 * netlogon_dissect_TYPE_50_ptr_ptr (TYPE_50**), then the NTSTATUS return
 * code.
 */
5345 netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
5346 packet_info *pinfo, proto_tree *tree, char *drep)
5348 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5349 netlogon_dissect_TYPE_50_ptr_ptr, NDR_POINTER_REF,
5350 "TYPE_50** pointer: unknown_TYPE_50", -1, 0);
5352 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5353 hf_netlogon_rc, NULL);
/*
 * FUNCTION_22 request: LOGONSRV_HANDLE, an unnamed string, an unnamed
 * 32-bit value, a second unnamed string, a unique pointer to a GUID, a
 * third unnamed string, then a final unnamed 32-bit value.
 */
5359 netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
5360 packet_info *pinfo, proto_tree *tree, char *drep)
5362 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5365 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5366 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5367 "unknown string", hf_netlogon_unknown_string, 0);
5369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5370 hf_netlogon_unknown_long, NULL);
5372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5373 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5374 "unknown string", hf_netlogon_unknown_string, 0);
5376 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5377 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5378 "GUID pointer: unknown_GUID", -1, 0);
5380 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5381 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5382 "unknown string", hf_netlogon_unknown_string, 0);
5384 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5385 hf_netlogon_unknown_long, NULL);
/*
 * FUNCTION_22 reply: a ref pointer handled by
 * netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr
 * (DOMAIN_CONTROLLER_INFO**), then the NTSTATUS return code.
 */
5392 netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
5393 packet_info *pinfo, proto_tree *tree, char *drep)
5395 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5396 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr, NDR_POINTER_REF,
5397 "DOMAIN_CONTROLLER_INFO** pointer: unknown_DOMAIN_CONTROLLER_INFO", -1, 0);
5399 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5400 hf_netlogon_rc, NULL);
/* FUNCTION_23 request: the only field dissected is the LOGONSRV_HANDLE. */
5406 netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
5407 packet_info *pinfo, proto_tree *tree, char *drep)
5409 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * FUNCTION_23 reply: unique pointer to an unnamed string, unique pointer to
 * an unnamed ULONG, then the NTSTATUS return code.
 * NOTE(review): the string pointer passes -1 as the last argument where
 * most sibling calls pass 0; the meaning of that argument is not visible
 * here -- confirm the difference is intended.
 */
5417 netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
5418 packet_info *pinfo, proto_tree *tree, char *drep)
5420 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5421 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5422 "unknown string", hf_netlogon_unknown_string, -1);
5424 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5425 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5426 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5428 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5429 hf_netlogon_rc, NULL);
/* FUNCTION_24 request: the only field dissected is the LOGONSRV_HANDLE. */
5435 netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
5436 packet_info *pinfo, proto_tree *tree, char *drep)
5438 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * FUNCTION_24 reply: unique pointer to a TYPE_51 structure, then the
 * NTSTATUS return code.
 */
5446 netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
5447 packet_info *pinfo, proto_tree *tree, char *drep)
5449 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5450 netlogon_dissect_TYPE_51, NDR_POINTER_UNIQUE,
5451 "TYPE_51 pointer: unknown_TYPE_51", -1, 0);
5453 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5454 hf_netlogon_rc, NULL);
/*
 * FUNCTION_25 request: LOGONSRV_HANDLE, an unnamed 32-bit value, then a
 * unique pointer to a byte array (netlogon_dissect_BYTE_array).
 */
5460 netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
5461 packet_info *pinfo, proto_tree *tree, char *drep)
5463 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5466 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5467 hf_netlogon_unknown_long, NULL);
5469 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5470 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5471 "BYTE pointer: unknown_BYTE", -1, 0);
/*
 * FUNCTION_25 reply: a ref pointer handled by
 * netlogon_dissect_TYPE_52_ptr_ptr (TYPE_52**), then the NTSTATUS return
 * code.
 */
5478 netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
5479 packet_info *pinfo, proto_tree *tree, char *drep)
5481 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5482 netlogon_dissect_TYPE_52_ptr_ptr, NDR_POINTER_REF,
5483 "TYPE_52** pointer: unknown_TYPE_52", -1, 0);
5485 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5486 hf_netlogon_rc, NULL);
/*
 * FUNCTION_26 request: a unique pointer to an unnamed string. No
 * LOGONSRV_HANDLE call appears before it, unlike most request dissectors
 * in this file.
 */
5493 netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
5494 packet_info *pinfo, proto_tree *tree, char *drep)
5496 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5497 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5498 "unknown string", hf_netlogon_unknown_string, 0);
/*
 * FUNCTION_26 reply: a ref pointer handled by
 * netlogon_dissect_TYPE_50_ptr_ptr (TYPE_50**), then the NTSTATUS return
 * code.
 */
5505 netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
5506 packet_info *pinfo, proto_tree *tree, char *drep)
5508 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5509 netlogon_dissect_TYPE_50_ptr_ptr, NDR_POINTER_REF,
5510 "TYPE_50** pointer: unknown_TYPE_50", -1, 0);
5512 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5513 hf_netlogon_rc, NULL);
/*
 * FUNCTION_27 request: two unnamed strings, an unnamed 16-bit value, a
 * unique pointer to a LEVEL structure (netlogon_dissect_LEVEL), a second
 * unnamed 16-bit value, then a unique pointer to an unnamed ULONG.
 * NOTE(review): the 16-bit values next to the LEVEL pointer may be level
 * selectors -- not established by the visible code; confirm.
 */
5519 netlogon_dissect_function_27_rqst(tvbuff_t *tvb, int offset,
5520 packet_info *pinfo, proto_tree *tree, char *drep)
5522 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5523 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5524 "unknown string", hf_netlogon_unknown_string, 0);
5526 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5527 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5528 "unknown string", hf_netlogon_unknown_string, 0);
5530 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5531 hf_netlogon_unknown_short, NULL);
5533 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5534 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5535 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1, 0);
5537 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5538 hf_netlogon_unknown_short, NULL);
5540 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5541 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5542 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
/*
 * FUNCTION_27 reply: unique pointers to a VALIDATION structure, an unnamed
 * BOOLEAN (netlogon_dissect_pointer_char) and an unnamed ULONG, then the
 * NTSTATUS return code.
 */
5548 netlogon_dissect_function_27_reply(tvbuff_t *tvb, int offset,
5549 packet_info *pinfo, proto_tree *tree, char *drep)
5551 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5552 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5553 "VALIDATION: unknown_NETLOGON_VALIDATION", -1, 0);
5555 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5556 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5557 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char, 0);
5559 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5560 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5561 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5563 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5564 hf_netlogon_rc, NULL);
/*
 * DSRROLEGETPRIMARYDOMAININFORMATION request: LOGONSRV_HANDLE followed by
 * an unnamed 32-bit value (hf_netlogon_unknown_long).
 */
5570 netlogon_dissect_dsrrolegetprimarydomaininformation_rqst(tvbuff_t *tvb, int offset,
5571 packet_info *pinfo, proto_tree *tree, char *drep)
5573 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5576 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5577 hf_netlogon_unknown_long, NULL);
/*
 * DSRROLEGETPRIMARYDOMAININFORMATION reply: unique pointer to a TYPE_51
 * structure, then the NTSTATUS return code.
 */
5584 netlogon_dissect_dsrrolegetprimarydomaininformation_reply(tvbuff_t *tvb, int offset,
5585 packet_info *pinfo, proto_tree *tree, char *drep)
5587 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5588 netlogon_dissect_TYPE_51, NDR_POINTER_UNIQUE,
5589 "TYPE_51 pointer: unknown_TYPE_51", -1, 0);
5591 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5592 hf_netlogon_rc, NULL);
/*
 * DSRDEREGISTERDNSHOSTRECORDS request: LOGONSRV_HANDLE, unique pointers to
 * the domain name string, a domain GUID, a DSA GUID and the DNS host name
 * string (hf_netlogon_dns_host).
 * NOTE(review): the dns_host pointer passes -1 as the last argument where
 * the Domain pointer passes 0; the meaning of that argument is not visible
 * here -- confirm the difference is intended.
 */
5598 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5599 packet_info *pinfo, proto_tree *tree, char *drep)
5601 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5604 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5605 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5606 "Domain", hf_netlogon_logon_dom, 0);
5608 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5609 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5610 "GUID pointer: domain_guid", -1, 0);
5612 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5613 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5614 "GUID pointer: dsa_guid", -1, 0);
5616 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5617 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5618 "dns_host", hf_netlogon_dns_host, -1);
/*
 * DSRDEREGISTERDNSHOSTRECORDS reply: only the NTSTATUS return code
 * (hf_netlogon_rc).
 */
5625 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5626 packet_info *pinfo, proto_tree *tree, char *drep)
5628 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5629 hf_netlogon_rc, NULL);
/*
 * Opnum dispatch table for the NETLOGON interface. Each entry holds an
 * opnum constant, a display name, and the request and reply dissectors for
 * that call; the list ends with a {0, NULL, NULL, NULL} entry.
 * The display names are repeated in netlogon_opnum_vals, so a rename has to
 * be made in both tables. Entries named FUNCTION_xx / UNKNOWN_FUNCTION_12
 * appear to be placeholders for calls whose real names were not known.
 */
5636 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
5637 { NETLOGON_UASLOGON, "UasLogon",
5638 netlogon_dissect_netlogonuaslogon_rqst,
5639 netlogon_dissect_netlogonuaslogon_reply },
5640 { NETLOGON_UASLOGOFF, "UasLogoff",
5641 netlogon_dissect_netlogonuaslogoff_rqst,
5642 netlogon_dissect_netlogonuaslogoff_reply },
5643 { NETLOGON_NETLOGONSAMLOGON, "SamLogon",
5644 netlogon_dissect_netlogonsamlogon_rqst,
5645 netlogon_dissect_netlogonsamlogon_reply },
5646 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
5647 netlogon_dissect_netlogonsamlogoff_rqst,
5648 netlogon_dissect_netlogonsamlogoff_reply },
5649 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
5650 netlogon_dissect_netserverreqchallenge_rqst,
5651 netlogon_dissect_netserverreqchallenge_reply },
5652 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
5653 netlogon_dissect_netserverauthenticate_rqst,
5654 netlogon_dissect_netserverauthenticate_reply },
5655 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
5656 netlogon_dissect_netserverpasswordset_rqst,
5657 netlogon_dissect_netserverpasswordset_reply },
5658 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
5659 netlogon_dissect_netsamdeltas_rqst,
5660 netlogon_dissect_netsamdeltas_reply },
5661 { NETLOGON_DATABASESYNC, "DatabaseSync",
5662 netlogon_dissect_netlogondatabasesync_rqst,
5663 netlogon_dissect_netlogondatabasesync_reply },
5664 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
5665 netlogon_dissect_netlogonaccountdeltas_rqst,
5666 netlogon_dissect_netlogonaccountdeltas_reply },
5667 { NETLOGON_ACCOUNTSYNC, "AccountSync",
5668 netlogon_dissect_netlogonaccountsync_rqst,
5669 netlogon_dissect_netlogonaccountsync_reply },
5670 { NETLOGON_GETDCNAME, "GetDCName",
5671 netlogon_dissect_netlogongetdcname_rqst,
5672 netlogon_dissect_netlogongetdcname_reply },
5673 { NETLOGON_NETLOGONCONTROL, "LogonControl",
5674 netlogon_dissect_netlogoncontrol_rqst,
5675 netlogon_dissect_netlogoncontrol_reply },
5676 { NETLOGON_GETANYDCNAME, "GetAnyDCName",
5677 netlogon_dissect_netlogongetanydcname_rqst,
5678 netlogon_dissect_netlogongetanydcname_reply },
5679 { NETLOGON_NETLOGONCONTROL2, "LogonControl2",
5680 netlogon_dissect_netlogoncontrol2_rqst,
5681 netlogon_dissect_netlogoncontrol2_reply },
5682 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
5683 netlogon_dissect_netserverauthenticate2_rqst,
5684 netlogon_dissect_netserverauthenticate2_reply },
5685 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
5686 netlogon_dissect_netdatabasesync2_rqst,
5687 netlogon_dissect_netdatabasesync2_reply },
5688 { NETLOGON_DATABASEREDO, "DatabaseRedo",
5689 netlogon_dissect_netlogondatabaseredo_rqst,
5690 netlogon_dissect_netlogondatabaseredo_reply },
5691 { NETLOGON_FUNCTION_12, "UNKNOWN_FUNCTION_12",
5692 netlogon_dissect_function_12_rqst,
5693 netlogon_dissect_function_12_reply },
5694 { NETLOGON_NETTRUSTEDDOMAINLIST, "NETTRUSTEDDOMAINLIST",
5695 netlogon_dissect_nettrusteddomainlist_rqst,
5696 netlogon_dissect_nettrusteddomainlist_reply },
5697 { NETLOGON_DSRGETDCNAME2, "DSRGETDCNAME2",
5698 netlogon_dissect_dsrgetdcname2_rqst,
5699 netlogon_dissect_dsrgetdcname2_reply },
5700 { NETLOGON_FUNCTION_15, "FUNCTION_15",
5701 netlogon_dissect_function_15_rqst,
5702 netlogon_dissect_function_15_reply },
5703 { NETLOGON_FUNCTION_16, "FUNCTION_16",
5704 netlogon_dissect_function_16_rqst,
5705 netlogon_dissect_function_16_reply },
5706 { NETLOGON_FUNCTION_17, "FUNCTION_17",
5707 netlogon_dissect_function_17_rqst,
5708 netlogon_dissect_function_17_reply },
5709 { NETLOGON_FUNCTION_18, "FUNCTION_18",
5710 netlogon_dissect_function_18_rqst,
5711 netlogon_dissect_function_18_reply },
5712 { NETLOGON_FUNCTION_19, "FUNCTION_19",
5713 netlogon_dissect_function_19_rqst,
5714 netlogon_dissect_function_19_reply },
5715 { NETLOGON_NETSERVERAUTHENTICATE3, "NETSERVERAUTHENTICATE3",
5716 netlogon_dissect_netserverauthenticate3_rqst,
5717 netlogon_dissect_netserverauthenticate3_reply },
5718 { NETLOGON_DSRGETDCNAME, "DSRGETDCNAME",
5719 netlogon_dissect_dsrgetdcname_rqst,
5720 netlogon_dissect_dsrgetdcname_reply },
5721 { NETLOGON_DSRGETSITENAME, "DSRGETSITENAME",
5722 netlogon_dissect_dsrgetsitename_rqst,
5723 netlogon_dissect_dsrgetsitename_reply },
5724 { NETLOGON_FUNCTION_1D, "FUNCTION_1D",
5725 netlogon_dissect_function_1d_rqst,
5726 netlogon_dissect_function_1d_reply },
5727 { NETLOGON_FUNCTION_1E, "FUNCTION_1E",
5728 netlogon_dissect_function_1e_rqst,
5729 netlogon_dissect_function_1e_reply },
5730 { NETLOGON_NETSERVERPASSWORDSET2, "NETSERVERPASSWORDSET2",
5731 netlogon_dissect_netserverpasswordset2_rqst,
5732 netlogon_dissect_netserverpasswordset2_reply },
5733 { NETLOGON_FUNCTION_20, "FUNCTION_20",
5734 netlogon_dissect_function_20_rqst,
5735 netlogon_dissect_function_20_reply },
5736 { NETLOGON_FUNCTION_21, "FUNCTION_21",
5737 netlogon_dissect_function_21_rqst,
5738 netlogon_dissect_function_21_reply },
5739 { NETLOGON_FUNCTION_22, "FUNCTION_22",
5740 netlogon_dissect_function_22_rqst,
5741 netlogon_dissect_function_22_reply },
5742 { NETLOGON_FUNCTION_23, "FUNCTION_23",
5743 netlogon_dissect_function_23_rqst,
5744 netlogon_dissect_function_23_reply },
5745 { NETLOGON_FUNCTION_24, "FUNCTION_24",
5746 netlogon_dissect_function_24_rqst,
5747 netlogon_dissect_function_24_reply },
5748 { NETLOGON_FUNCTION_25, "FUNCTION_25",
5749 netlogon_dissect_function_25_rqst,
5750 netlogon_dissect_function_25_reply },
5751 { NETLOGON_FUNCTION_26, "FUNCTION_26",
5752 netlogon_dissect_function_26_rqst,
5753 netlogon_dissect_function_26_reply },
5754 { NETLOGON_FUNCTION_27, "FUNCTION_27",
5755 netlogon_dissect_function_27_rqst,
5756 netlogon_dissect_function_27_reply },
5757 { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DSRROLEGETPRIMARYDOMAININFORMATION",
5758 netlogon_dissect_dsrrolegetprimarydomaininformation_rqst,
5759 netlogon_dissect_dsrrolegetprimarydomaininformation_reply },
5760 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DSRDEREGISTERDNSHOSTRECORDS",
5761 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
5762 netlogon_dissect_dsrderegisterdnshostrecords_reply },
5763 {0, NULL, NULL, NULL }
/*
 * Opnum-to-name strings for the hf_netlogon_opnum field, which
 * proto_register_dcerpc_netlogon registers with VALS(netlogon_opnum_vals).
 * The names duplicate those in dcerpc_netlogon_dissectors; keep the two
 * tables in step when an entry is added or renamed.
 * NOTE(review): no terminating entry is visible at the end of the list
 * here -- confirm the array is terminated before the closing brace.
 */
5766 static const value_string netlogon_opnum_vals[] = {
5767 { NETLOGON_UASLOGON, "UasLogon" },
5768 { NETLOGON_UASLOGOFF, "UasLogoff" },
5769 { NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
5770 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
5771 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
5772 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
5773 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
5774 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
5775 { NETLOGON_DATABASESYNC, "DatabaseSync" },
5776 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
5777 { NETLOGON_ACCOUNTSYNC, "AccountSync" },
5778 { NETLOGON_GETDCNAME, "GetDCName" },
5779 { NETLOGON_NETLOGONCONTROL, "LogonControl" },
5780 { NETLOGON_GETANYDCNAME, "GetAnyDCName" },
5781 { NETLOGON_NETLOGONCONTROL2, "LogonControl2" },
5782 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2" },
5783 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2" },
5784 { NETLOGON_DATABASEREDO, "DatabaseRedo" },
5785 { NETLOGON_FUNCTION_12, "UNKNOWN_FUNCTION_12" },
5786 { NETLOGON_NETTRUSTEDDOMAINLIST, "NETTRUSTEDDOMAINLIST" },
5787 { NETLOGON_DSRGETDCNAME2, "DSRGETDCNAME2" },
5788 { NETLOGON_FUNCTION_15, "FUNCTION_15" },
5789 { NETLOGON_FUNCTION_16, "FUNCTION_16" },
5790 { NETLOGON_FUNCTION_17, "FUNCTION_17" },
5791 { NETLOGON_FUNCTION_18, "FUNCTION_18" },
5792 { NETLOGON_FUNCTION_19, "FUNCTION_19" },
5793 { NETLOGON_NETSERVERAUTHENTICATE3, "NETSERVERAUTHENTICATE3" },
5794 { NETLOGON_DSRGETDCNAME, "DSRGETDCNAME" },
5795 { NETLOGON_DSRGETSITENAME, "DSRGETSITENAME" },
5796 { NETLOGON_FUNCTION_1D, "FUNCTION_1D" },
5797 { NETLOGON_FUNCTION_1E, "FUNCTION_1E" },
5798 { NETLOGON_NETSERVERPASSWORDSET2, "NETSERVERPASSWORDSET2" },
5799 { NETLOGON_FUNCTION_20, "FUNCTION_20" },
5800 { NETLOGON_FUNCTION_21, "FUNCTION_21" },
5801 { NETLOGON_FUNCTION_22, "FUNCTION_22" },
5802 { NETLOGON_FUNCTION_23, "FUNCTION_23" },
5803 { NETLOGON_FUNCTION_24, "FUNCTION_24" },
5804 { NETLOGON_FUNCTION_25, "FUNCTION_25" },
5805 { NETLOGON_FUNCTION_26, "FUNCTION_26" },
5806 { NETLOGON_FUNCTION_27, "FUNCTION_27" },
5807 { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DSRROLEGETPRIMARYDOMAININFORMATION" },
5808 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DSRDEREGISTERDNSHOSTRECORDS" },
/*
 * Registers the NETLOGON protocol with the dissection core: the hf[] table of
 * header fields, the ett[] table of subtree indices, and the protocol itself.
 *
 * Each hf[] entry pairs a field-id variable with, in order: display label,
 * display-filter name, field type, display base, optional value table (VALS),
 * bit mask, blurb, and HFILL.
 *
 * Several fields registered here display authentication material carried in
 * NETLOGON traffic: LM/NT OWF passwords, credentials, challenges and challenge
 * responses, user session keys, and cipher data. Capture files and exported
 * dissections that contain these fields should be stored and shared as
 * sensitive data.
 *
 * NOTE(review): this listing has the page's gutter line numbers fused into
 * each line and skips some source lines (apparently brace-only lines, most of
 * ett[], and the final argument of proto_register_field_array). Consult the
 * original file before relying on the exact text.
 */
5813 proto_register_dcerpc_netlogon(void)
5816 static hf_register_info hf[] = {
/* Operation number, rendered by name through netlogon_opnum_vals. */
5817 { &hf_netlogon_opnum,
5818 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
5819 VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
/* Return code, rendered through the NT_errors table (smb.h is included
 * for it, per the include comment at the top of the file). */
5821 { &hf_netlogon_rc, {
5822 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
5823 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
5825 { &hf_netlogon_param_ctrl, {
5826 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
5827 NULL, 0x0, "Param ctrl", HFILL }},
5829 { &hf_netlogon_logon_id, {
5830 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
5831 NULL, 0x0, "Logon ID", HFILL }},
5833 { &hf_netlogon_modify_count, {
5834 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
5835 NULL, 0x0, "How many times the object has been modified", HFILL }},
5837 { &hf_netlogon_security_information, {
5838 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
5839 NULL, 0x0, "Security Information", HFILL }},
5841 { &hf_netlogon_count, {
5842 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
5843 NULL, 0x0, "", HFILL }},
5845 { &hf_netlogon_entries, {
5846 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
5847 NULL, 0x0, "", HFILL }},
/*
 * Authentication material. The next entries are registered as raw byte
 * fields, so the credential, challenge, OWF password and session key values
 * appear in hex in the protocol tree and can be matched with display filters.
 * Anyone who can read the capture can read these values.
 */
5849 { &hf_netlogon_credential, {
5850 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
5851 NULL, 0x0, "Netlogon credential", HFILL }},
5853 { &hf_netlogon_challenge, {
5854 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
5855 NULL, 0x0, "Netlogon challenge", HFILL }},
5857 { &hf_netlogon_lm_owf_password, {
5858 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
5859 NULL, 0x0, "LanManager OWF Password", HFILL }},
5861 { &hf_netlogon_user_session_key, {
5862 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
5863 NULL, 0x0, "User Session Key", HFILL }},
5865 { &hf_netlogon_encrypted_lm_owf_password, {
5866 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
5867 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
5869 { &hf_netlogon_nt_owf_password, {
5870 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
5871 NULL, 0x0, "NT OWF Password", HFILL }},
5873 { &hf_netlogon_blob, {
5874 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
5875 NULL, 0x0, "BLOB", HFILL }},
5877 { &hf_netlogon_len, {
5878 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
5879 NULL, 0, "Length", HFILL }},
5881 { &hf_netlogon_priv, {
5882 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
5883 NULL, 0, "", HFILL }},
5885 { &hf_netlogon_privilege_entries, {
5886 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
5887 NULL, 0, "", HFILL }},
5889 { &hf_netlogon_privilege_control, {
5890 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
5891 NULL, 0, "", HFILL }},
/* NOTE(review): FT_STRING paired with BASE_HEX; every other FT_STRING entry
 * in this table uses BASE_NONE, so this one looks like an oversight. */
5893 { &hf_netlogon_privilege_name, {
5894 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
5895 NULL, 0, "", HFILL }},
5897 { &hf_netlogon_pdc_connection_status, {
5898 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
5899 NULL, 0, "PDC Connection Status", HFILL }},
5901 { &hf_netlogon_tc_connection_status, {
5902 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
5903 NULL, 0, "TC Connection Status", HFILL }},
5905 { &hf_netlogon_attrs, {
5906 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
5907 NULL, 0, "Attributes", HFILL }},
/*
 * Placeholder fields for data whose meaning the authors did not know (see
 * the blurbs). NOTE(review): the string variant is named
 * "netlogon.unknown_string" while the others use "netlogon.unknown.<type>".
 */
5909 { &hf_netlogon_unknown_string,
5910 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
5911 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
5912 { &hf_netlogon_unknown_long,
5913 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
5914 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
5915 { &hf_netlogon_reserved,
5916 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
5917 NULL, 0x0, "Reserved", HFILL }},
5918 { &hf_netlogon_unknown_short,
5919 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
5920 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
5922 { &hf_netlogon_unknown_char,
5923 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
5924 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
5926 { &hf_netlogon_unknown_time,
5927 { "Unknown time", "netlogon.unknown.time", FT_ABSOLUTE_TIME, BASE_NONE,
5928 NULL, 0x0, "Unknown time. If you know what this is, contact ethereal developers.", HFILL }},
/* Account state: expiry, which password hashes exist, password history. */
5930 { &hf_netlogon_acct_expiry_time,
5931 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
5932 NULL, 0x0, "When this account will expire", HFILL }},
5934 { &hf_netlogon_nt_pwd_present,
5935 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
5936 NULL, 0x0, "Is NT password present for this account?", HFILL }},
5938 { &hf_netlogon_lm_pwd_present,
5939 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
5940 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
5942 { &hf_netlogon_pwd_expired,
5943 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
5944 NULL, 0x0, "Whether this password has expired or not", HFILL }},
5946 { &hf_netlogon_num_pwd_pairs,
5947 { "Num PWD Pairs", "netlogon.num_pwd_pairs", FT_UINT8, BASE_DEC,
5948 NULL, 0x0, "Number of password pairs. Password history length?", HFILL }},
5950 { &hf_netlogon_authoritative,
5951 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
5952 NULL, 0x0, "", HFILL }},
/* Flag for the "sensitive data" payload; its length and bytes are
 * registered separately below as netlogon.sensitive_data_len and
 * netlogon.sensitive_data. */
5954 { &hf_netlogon_sensitive_data_flag,
5955 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
5956 NULL, 0x0, "Sensitive data flag", HFILL }},
5958 { &hf_netlogon_auditing_mode,
5959 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
5960 NULL, 0x0, "Auditing Mode", HFILL }},
5962 { &hf_netlogon_max_audit_event_count,
5963 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
5964 NULL, 0x0, "Max audit event count", HFILL }},
5966 { &hf_netlogon_event_audit_option,
5967 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
5968 NULL, 0x0, "Event audit option", HFILL }},
5970 { &hf_netlogon_sensitive_data_len,
5971 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
5972 NULL, 0x0, "Length of sensitive data", HFILL }},
/*
 * NT and LM challenge responses, shown as raw bytes. A recorded response is
 * authentication material in its own right; captures holding these fields
 * need the same protection as the OWF password fields above.
 */
5974 { &hf_netlogon_nt_chal_resp,
5975 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
5976 NULL, 0, "Challenge response for NT authentication", HFILL }},
5978 { &hf_netlogon_lm_chal_resp,
5979 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
5980 NULL, 0, "Challenge response for LM authentication", HFILL }},
5982 { &hf_netlogon_cipher_len,
5983 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
5984 NULL, 0, "", HFILL }},
5986 { &hf_netlogon_cipher_maxlen,
5987 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
5988 NULL, 0, "", HFILL }},
/* Opaque payloads (PAC, sensitive data, auth data, current/old cipher
 * values), all registered as raw byte fields. */
5990 { &hf_netlogon_pac_data,
5991 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
5992 NULL, 0, "Pac Data", HFILL }},
5994 { &hf_netlogon_sensitive_data,
5995 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
5996 NULL, 0, "Sensitive Data", HFILL }},
5998 { &hf_netlogon_auth_data,
5999 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6000 NULL, 0, "Auth Data", HFILL }},
6002 { &hf_netlogon_cipher_current_data,
6003 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6004 NULL, 0, "", HFILL }},
6006 { &hf_netlogon_cipher_old_data,
6007 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6008 NULL, 0, "", HFILL }},
/* Account, host and domain naming strings. */
6010 { &hf_netlogon_acct_name,
6011 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6012 NULL, 0, "Account Name", HFILL }},
6014 { &hf_netlogon_acct_desc,
6015 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6016 NULL, 0, "Account Description", HFILL }},
6018 { &hf_netlogon_group_desc,
6019 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6020 NULL, 0, "Group Description", HFILL }},
6022 { &hf_netlogon_full_name,
6023 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6024 NULL, 0, "Full Name", HFILL }},
6026 { &hf_netlogon_comment,
6027 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6028 NULL, 0, "Comment", HFILL }},
6030 { &hf_netlogon_parameters,
6031 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6032 NULL, 0, "Parameters", HFILL }},
6034 { &hf_netlogon_logon_script,
6035 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6036 NULL, 0, "Logon Script", HFILL }},
6038 { &hf_netlogon_profile_path,
6039 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6040 NULL, 0, "Profile Path", HFILL }},
6042 { &hf_netlogon_home_dir,
6043 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6044 NULL, 0, "Home Directory", HFILL }},
6046 { &hf_netlogon_dir_drive,
6047 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6048 NULL, 0, "Drive letter for home directory", HFILL }},
6050 { &hf_netlogon_logon_srv,
6051 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6052 NULL, 0, "Server", HFILL }},
6054 { &hf_netlogon_principal,
6055 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6056 NULL, 0, "Principal", HFILL }},
/* NOTE(review): the filter name "netlogon.domain" is registered a second
 * time for hf_netlogon_domain_name further down. Both are FT_STRING, so a
 * display filter on netlogon.domain matches either field. */
6058 { &hf_netlogon_logon_dom,
6059 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6060 NULL, 0, "Domain", HFILL }},
6062 { &hf_netlogon_computer_name,
6063 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6064 NULL, 0, "Computer Name", HFILL }},
6066 { &hf_netlogon_site_name,
6067 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6068 NULL, 0, "Site Name", HFILL }},
6070 { &hf_netlogon_dc_name,
6071 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6072 NULL, 0, "DC Name", HFILL }},
6074 { &hf_netlogon_dc_site_name,
6075 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6076 NULL, 0, "DC Site Name", HFILL }},
6078 { &hf_netlogon_dns_forest_name,
6079 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6080 NULL, 0, "DNS Forest Name", HFILL }},
6082 { &hf_netlogon_dc_address,
6083 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6084 NULL, 0, "DC Address", HFILL }},
6086 { &hf_netlogon_dc_address_type,
6087 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6088 NULL, 0, "DC Address Type", HFILL }},
6090 { &hf_netlogon_client_name,
6091 { "Client Name", "netlogon.client.name", FT_STRING, BASE_NONE,
6092 NULL, 0, "Client Name", HFILL }},
6094 { &hf_netlogon_client_site_name,
6095 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6096 NULL, 0, "Client Site Name", HFILL }},
6098 { &hf_netlogon_workstation_site_name,
6099 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6100 NULL, 0, "Workstation Site Name", HFILL }},
6102 { &hf_netlogon_workstation,
6103 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6104 NULL, 0, "Workstation Name", HFILL }},
6106 { &hf_netlogon_workstation_os,
6107 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6108 NULL, 0, "Workstation OS", HFILL }},
6110 { &hf_netlogon_workstations,
6111 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6112 NULL, 0, "Workstations", HFILL }},
6114 { &hf_netlogon_workstation_fqdn,
6115 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6116 NULL, 0, "Workstation FQDN", HFILL }},
6118 { &hf_netlogon_group_name,
6119 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6120 NULL, 0, "Group Name", HFILL }},
6122 { &hf_netlogon_alias_name,
6123 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6124 NULL, 0, "Alias Name", HFILL }},
6126 { &hf_netlogon_dns_host,
6127 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6128 NULL, 0, "DNS Host", HFILL }},
6130 { &hf_netlogon_trusted_domain_name,
6131 { "Trusted Domain", "netlogon.trusted_domain", FT_STRING, BASE_NONE,
6132 NULL, 0, "Trusted Domain Name", HFILL }},
/* Second registration of the "netlogon.domain" filter name; the first is
 * hf_netlogon_logon_dom above. */
6134 { &hf_netlogon_domain_name,
6135 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6136 NULL, 0, "Domain Name", HFILL }},
6138 { &hf_netlogon_oem_info,
6139 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6140 NULL, 0, "OEM Info", HFILL }},
6142 { &hf_netlogon_trusted_dc_name,
6143 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6144 NULL, 0, "Trusted DC", HFILL }},
6146 { &hf_netlogon_logonsrv_handle,
6147 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6148 NULL, 0, "Logon Srv Handle", HFILL }},
6150 { &hf_netlogon_dummy,
6151 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6152 NULL, 0, "Dummy string", HFILL }},
/* Logon and failed-logon counters, each registered in a 16-bit and a
 * 32-bit form under distinct filter names. */
6154 { &hf_netlogon_logon_count16,
6155 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6156 NULL, 0x0, "Number of successful logins", HFILL }},
6158 { &hf_netlogon_logon_count,
6159 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6160 NULL, 0x0, "Number of successful logins", HFILL }},
6162 { &hf_netlogon_last_logon,
6163 { "Last Logon", "netlogon.last_logon", FT_UINT32, BASE_DEC,
6164 NULL, 0x0, "Last Logon", HFILL }},
6166 { &hf_netlogon_last_logoff,
6167 { "Last Logoff", "netlogon.last_logoff", FT_UINT32, BASE_DEC,
6168 NULL, 0x0, "Last Logoff", HFILL }},
6170 { &hf_netlogon_bad_pw_count16,
6171 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6172 NULL, 0x0, "Number of failed logins", HFILL }},
6174 { &hf_netlogon_bad_pw_count,
6175 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6176 NULL, 0x0, "Number of failed logins", HFILL }},
/* Country code is rendered by name through ms_country_codes. */
6178 { &hf_netlogon_country,
6179 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6180 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6182 { &hf_netlogon_codepage,
6183 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6184 NULL, 0x0, "Codepage setting for this account", HFILL }},
/* Union discriminant, 16-bit form; the 32-bit form is netlogon.level. */
6186 { &hf_netlogon_level16,
6187 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6188 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6190 { &hf_netlogon_validation_level,
6191 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6192 NULL, 0x0, "Requested level of validation", HFILL }},
/* Password policy values. */
6194 { &hf_netlogon_minpasswdlen,
6195 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6196 NULL, 0x0, "Minimum length of password", HFILL }},
6198 { &hf_netlogon_passwdhistorylen,
6199 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6200 NULL, 0x0, "Length of password history", HFILL }},
6202 { &hf_netlogon_secure_channel_type,
6203 { "Sec Chn Type", "netlogon.sec_chn_type", FT_UINT16, BASE_DEC,
6204 NULL, 0x0, "Secure Channel Type", HFILL }},
6206 { &hf_netlogon_restart_state,
6207 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6208 NULL, 0x0, "Restart State", HFILL }},
/* Delta type is rendered by name through delta_type_vals. */
6210 { &hf_netlogon_delta_type,
6211 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6212 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6214 { &hf_netlogon_blob_size,
6215 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6216 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6218 { &hf_netlogon_code,
6219 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6220 NULL, 0x0, "Code", HFILL }},
6222 { &hf_netlogon_level,
6223 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6224 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6226 { &hf_netlogon_reference,
6227 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6228 NULL, 0x0, "", HFILL }},
6230 { &hf_netlogon_next_reference,
6231 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6232 NULL, 0x0, "", HFILL }},
6234 { &hf_netlogon_timestamp,
6235 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6236 NULL, 0, "", HFILL }},
/* Relative identifiers. The user RID is filtered as "netlogon.rid". */
6238 { &hf_netlogon_user_rid,
6239 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6240 NULL, 0x0, "", HFILL }},
6242 { &hf_netlogon_alias_rid,
6243 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6244 NULL, 0x0, "", HFILL }},
6246 { &hf_netlogon_group_rid,
6247 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6248 NULL, 0x0, "", HFILL }},
6250 { &hf_netlogon_num_rids,
6251 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6252 NULL, 0x0, "Number of RIDs", HFILL }},
6254 { &hf_netlogon_num_controllers,
6255 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6256 NULL, 0x0, "Number of domain controllers", HFILL }},
6258 { &hf_netlogon_num_other_groups,
6259 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6260 NULL, 0x0, "", HFILL }},
/* Flag words are registered as plain hex values; no per-bit fields or
 * value tables are attached to them in this table. */
6262 { &hf_netlogon_flags,
6263 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6264 NULL, 0x0, "", HFILL }},
6266 { &hf_netlogon_user_flags,
6267 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6268 NULL, 0x0, "", HFILL }},
6270 { &hf_netlogon_auth_flags,
6271 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6272 NULL, 0x0, "", HFILL }},
6274 { &hf_netlogon_systemflags,
6275 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6276 NULL, 0x0, "", HFILL }},
6278 { &hf_netlogon_database_id,
6279 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6280 NULL, 0x0, "Database Id", HFILL }},
6282 { &hf_netlogon_sync_context,
6283 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6284 NULL, 0x0, "Sync Context", HFILL }},
6286 { &hf_netlogon_max_size,
6287 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6288 NULL, 0x0, "Max Size of database", HFILL }},
6290 { &hf_netlogon_max_log_size,
6291 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6292 NULL, 0x0, "Max Size of log", HFILL }},
6294 { &hf_netlogon_change_log_size,
6295 { "Change Log Entry Size", "netlogon.change_log_size", FT_UINT32, BASE_DEC,
6296 NULL, 0x0, "Size of log entry change", HFILL }},
6298 { &hf_netlogon_pac_size,
6299 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6300 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6302 { &hf_netlogon_auth_size,
6303 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6304 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6306 { &hf_netlogon_num_deltas,
6307 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6308 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6310 { &hf_netlogon_logon_attempts,
6311 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6312 NULL, 0x0, "Number of logon attempts", HFILL }},
/* Resource limit values. */
6314 { &hf_netlogon_pagefilelimit,
6315 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6316 NULL, 0x0, "", HFILL }},
6318 { &hf_netlogon_pagedpoollimit,
6319 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6320 NULL, 0x0, "", HFILL }},
6322 { &hf_netlogon_nonpagedpoollimit,
6323 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6324 NULL, 0x0, "", HFILL }},
6326 { &hf_netlogon_minworkingsetsize,
6327 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6328 NULL, 0x0, "", HFILL }},
6330 { &hf_netlogon_maxworkingsetsize,
6331 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6332 NULL, 0x0, "", HFILL }},
6334 { &hf_netlogon_serial_number,
6335 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6336 NULL, 0x0, "", HFILL }},
/* Negotiation flags are shown as one hex word; individual bits are not
 * broken out by this table. */
6338 { &hf_netlogon_neg_flags,
6339 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6340 NULL, 0x0, "Negotiation Flags", HFILL }},
/* Absolute timestamps for logon, password and database events. */
6342 { &hf_netlogon_logon_time,
6343 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6344 NULL, 0, "Time for last time this user logged on", HFILL }},
6346 { &hf_netlogon_kickoff_time,
6347 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6348 NULL, 0, "Time when this user will be kicked off", HFILL }},
6350 { &hf_netlogon_logoff_time,
6351 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6352 NULL, 0, "Time for last time this user logged off", HFILL }},
6354 { &hf_netlogon_pwd_last_set_time,
6355 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6356 NULL, 0, "Last time this users password was changed", HFILL }},
6358 { &hf_netlogon_pwd_can_change_time,
6359 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6360 NULL, 0, "When this users password may be changed", HFILL }},
6362 { &hf_netlogon_pwd_must_change_time,
6363 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6364 NULL, 0, "When this users password must be changed", HFILL }},
6366 { &hf_netlogon_domain_create_time,
6367 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6368 NULL, 0, "Time when this domain was created", HFILL }},
6370 { &hf_netlogon_domain_modify_time,
6371 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6372 NULL, 0, "Time when this domain was last modified", HFILL }},
6374 { &hf_netlogon_db_modify_time,
6375 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6376 NULL, 0, "Time when last modified", HFILL }},
6378 { &hf_netlogon_db_create_time,
6379 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6380 NULL, 0, "Time when created", HFILL }},
6382 { &hf_netlogon_cipher_current_set_time,
6383 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6384 NULL, 0, "Time when current cipher was initiated", HFILL }},
6386 { &hf_netlogon_cipher_old_set_time,
6387 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6388 NULL, 0, "Time when previous cipher was initiated", HFILL }},
/* Durations, registered as relative times. */
6390 { &hf_netlogon_audit_retention_period,
6391 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6392 NULL, 0, "Audit retention period", HFILL }},
6394 { &hf_netlogon_timelimit,
6395 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6396 NULL, 0, "", HFILL }}
/*
 * Subtree indices handed to proto_register_subtree_array() below.
 * NOTE(review): the gutter numbers jump (6401, 6407, 6410, ...), so most of
 * the array's entries are missing from this listing.
 */
6400 static gint *ett[] = {
6401 &ett_dcerpc_netlogon,
6407 &ett_DOMAIN_CONTROLLER_INFO,
6410 &ett_UNICODE_STRING_512,
6414 &ett_DELTA_ID_UNION,
6420 &ett_LM_OWF_PASSWORD,
6421 &ett_NT_OWF_PASSWORD,
6422 &ett_GROUP_MEMBERSHIP,
/* Register the protocol under its long name, short name and filter
 * prefix; the returned id is stored in proto_dcerpc_netlogon and used for
 * the two registrations that follow. */
6426 proto_dcerpc_netlogon = proto_register_protocol(
6427 "Microsoft Network Logon", "NETLOGON", "rpc_netlogon");
/* NOTE(review): the rest of this call (source line 6430) is not shown in
 * the listing; presumably it passes the length of hf[]. */
6429 proto_register_field_array(proto_dcerpc_netlogon, hf,
6431 proto_register_subtree_array(ett, array_length(ett));
/*
 * Handoff step for the NETLOGON dissector: passes the protocol id, the
 * top-level subtree index, the interface UUID and version, the per-operation
 * dissector table (dcerpc_netlogon_dissectors) and the opnum header field to
 * dcerpc_init_uuid().
 *
 * NOTE(review): presumably this is what lets the DCE RPC layer route calls
 * for this interface to the request/reply functions in that table -- confirm
 * against dcerpc_init_uuid() in packet-dcerpc.c. The return type and braces
 * are not visible in this listing.
 */
6435 proto_reg_handoff_dcerpc_netlogon(void)
6437 /* Register protocol as dcerpc */
6439 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
6440 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
6441 dcerpc_netlogon_dissectors, hf_netlogon_opnum);