1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.80 2003/05/15 04:58:53 tpot Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
/* Registration handles for the NETLOGON dissector. Every handle in this run
 * starts at -1; presumably the real ids are assigned when the protocol and
 * its fields are registered, which is outside this listing - confirm.
 * The hf_ handles are the field ids handed to the dissect_ndr_ helpers and
 * to proto_tree_add_item further down in the file. */
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential_high = -1;
105 static int hf_netlogon_credential_low = -1;
106 static int hf_netlogon_acct_name = -1;
107 static int hf_netlogon_acct_desc = -1;
108 static int hf_netlogon_group_desc = -1;
109 static int hf_netlogon_full_name = -1;
110 static int hf_netlogon_comment = -1;
111 static int hf_netlogon_parameters = -1;
112 static int hf_netlogon_logon_script = -1;
113 static int hf_netlogon_profile_path = -1;
114 static int hf_netlogon_home_dir = -1;
115 static int hf_netlogon_dir_drive = -1;
116 static int hf_netlogon_logon_count = -1;
117 static int hf_netlogon_logon_count16 = -1;
118 static int hf_netlogon_bad_pw_count = -1;
119 static int hf_netlogon_bad_pw_count16 = -1;
120 static int hf_netlogon_user_rid = -1;
121 static int hf_netlogon_alias_rid = -1;
122 static int hf_netlogon_group_rid = -1;
123 static int hf_netlogon_logon_srv = -1;
124 static int hf_netlogon_principal = -1;
125 static int hf_netlogon_logon_dom = -1;
126 static int hf_netlogon_downlevel_domain_name = -1;
127 static int hf_netlogon_dns_domain_name = -1;
128 static int hf_netlogon_domain_name = -1;
129 static int hf_netlogon_domain_create_time = -1;
130 static int hf_netlogon_domain_modify_time = -1;
131 static int hf_netlogon_modify_count = -1;
132 static int hf_netlogon_db_modify_time = -1;
133 static int hf_netlogon_db_create_time = -1;
134 static int hf_netlogon_oem_info = -1;
135 static int hf_netlogon_serial_number = -1;
136 static int hf_netlogon_num_rids = -1;
137 static int hf_netlogon_num_trusts = -1;
138 static int hf_netlogon_num_controllers = -1;
139 static int hf_netlogon_num_other_groups = -1;
140 static int hf_netlogon_computer_name = -1;
141 static int hf_netlogon_site_name = -1;
142 static int hf_netlogon_trusted_dc_name = -1;
143 static int hf_netlogon_dc_name = -1;
144 static int hf_netlogon_dc_site_name = -1;
145 static int hf_netlogon_dns_forest_name = -1;
146 static int hf_netlogon_dc_address = -1;
147 static int hf_netlogon_dc_address_type = -1;
148 static int hf_netlogon_client_site_name = -1;
149 static int hf_netlogon_workstation = -1;
150 static int hf_netlogon_workstation_site_name = -1;
151 static int hf_netlogon_workstation_os = -1;
152 static int hf_netlogon_workstations = -1;
153 static int hf_netlogon_workstation_fqdn = -1;
154 static int hf_netlogon_group_name = -1;
155 static int hf_netlogon_alias_name = -1;
156 static int hf_netlogon_country = -1;
157 static int hf_netlogon_codepage = -1;
158 static int hf_netlogon_flags = -1;
159 static int hf_netlogon_trust_attribs = -1;
160 static int hf_netlogon_trust_type = -1;
161 static int hf_netlogon_trust_flags = -1;
162 static int hf_netlogon_trust_flags_inbound = -1;
163 static int hf_netlogon_trust_flags_outbound = -1;
164 static int hf_netlogon_trust_flags_in_forest = -1;
165 static int hf_netlogon_trust_flags_native_mode = -1;
166 static int hf_netlogon_trust_flags_primary = -1;
167 static int hf_netlogon_trust_flags_tree_root = -1;
168 static int hf_netlogon_trust_parent_index = -1;
169 static int hf_netlogon_user_flags = -1;
170 static int hf_netlogon_auth_flags = -1;
171 static int hf_netlogon_pwd_expired = -1;
172 static int hf_netlogon_nt_pwd_present = -1;
173 static int hf_netlogon_lm_pwd_present = -1;
174 static int hf_netlogon_code = -1;
175 static int hf_netlogon_database_id = -1;
176 static int hf_netlogon_sync_context = -1;
177 static int hf_netlogon_max_size = -1;
178 static int hf_netlogon_max_log_size = -1;
179 static int hf_netlogon_dns_host = -1;
180 static int hf_netlogon_acct_expiry_time = -1;
/* NOTE(review): the lm and nt owf_password handles and the user_session_key
 * handle below are used further down for 16-byte items read straight from
 * the packet. Going by the names these are password-derived and session-key
 * bytes, so capture files and exported dissections that contain them should
 * be handled as credential material. */
181 static int hf_netlogon_encrypted_lm_owf_password = -1;
182 static int hf_netlogon_lm_owf_password = -1;
183 static int hf_netlogon_nt_owf_password = -1;
184 static int hf_netlogon_param_ctrl = -1;
185 static int hf_netlogon_logon_id = -1;
186 static int hf_netlogon_num_deltas = -1;
187 static int hf_netlogon_user_session_key = -1;
188 static int hf_netlogon_blob_size = -1;
189 static int hf_netlogon_blob = -1;
190 static int hf_netlogon_logon_attempts = -1;
191 static int hf_netlogon_authoritative = -1;
192 static int hf_netlogon_secure_channel_type = -1;
193 static int hf_netlogon_logonsrv_handle = -1;
194 static int hf_netlogon_delta_type = -1;
195 static int hf_netlogon_get_dcname_request_flags = -1;
196 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
197 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
198 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
199 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
200 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
201 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
202 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
203 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
204 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
205 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
206 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
207 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
208 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
209 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
210 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
211 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
212 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
213 static int hf_netlogon_dc_flags = -1;
214 static int hf_netlogon_dc_flags_pdc_flag = -1;
215 static int hf_netlogon_dc_flags_gc_flag = -1;
216 static int hf_netlogon_dc_flags_ldap_flag = -1;
217 static int hf_netlogon_dc_flags_ds_flag = -1;
218 static int hf_netlogon_dc_flags_kdc_flag = -1;
219 static int hf_netlogon_dc_flags_timeserv_flag = -1;
220 static int hf_netlogon_dc_flags_closest_flag = -1;
221 static int hf_netlogon_dc_flags_writable_flag = -1;
222 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
223 static int hf_netlogon_dc_flags_ndnc_flag = -1;
224 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
225 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
226 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
/* Subtree handles, also starting at -1. Each one is passed to
 * proto_item_add_subtree when a dissector opens a nested tree for the
 * structure it is named after (for example ett_IDENTITY_INFO in
 * netlogon_dissect_LOGON_IDENTITY_INFO). */
228 static gint ett_dcerpc_netlogon = -1;
229 static gint ett_QUOTA_LIMITS = -1;
230 static gint ett_IDENTITY_INFO = -1;
231 static gint ett_DELTA_ENUM = -1;
232 static gint ett_CYPHER_VALUE = -1;
233 static gint ett_UNICODE_MULTI = -1;
234 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
235 static gint ett_UNICODE_STRING_512 = -1;
236 static gint ett_TYPE_50 = -1;
237 static gint ett_TYPE_52 = -1;
238 static gint ett_DELTA_ID_UNION = -1;
239 static gint ett_TYPE_44 = -1;
240 static gint ett_DELTA_UNION = -1;
241 static gint ett_LM_OWF_PASSWORD = -1;
242 static gint ett_NT_OWF_PASSWORD = -1;
243 static gint ett_GROUP_MEMBERSHIP = -1;
244 static gint ett_BLOB = -1;
245 static gint ett_DS_DOMAIN_TRUSTS = -1;
246 static gint ett_DOMAIN_TRUST_INFO = -1;
247 static gint ett_trust_flags = -1;
248 static gint ett_get_dcname_request_flags = -1;
249 static gint ett_dc_flags = -1;
/* DCE/RPC interface identity for NETLOGON: UUID
 * 12345678-1234-abcd-ef00-01234567cffb, interface version 1.
 * The closing brace of the initializer falls in a gap of this listing
 * (gutter lines 254-255 are missing). */
251 static e_uuid_t uuid_dcerpc_netlogon = {
252 0x12345678, 0x1234, 0xabcd,
253 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
256 static guint16 ver_dcerpc_netlogon = 1;
/* Dissects a LOGONSRV_HANDLE: one unique NDR pointer to a string, labelled
 * Server Handle and stored under hf_netlogon_logonsrv_handle. The new
 * offset is whatever dissect_ndr_str_pointer_item hands back.
 * NOTE(review): gutter lines 263-264 and 268 onward are missing from this
 * listing, so the drep parameter, the braces and the return are not shown. */
261 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
262 packet_info *pinfo, proto_tree *tree,
265 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
266 NDR_POINTER_UNIQUE, "Server Handle",
267 hf_netlogon_logonsrv_handle, 0);
273 * IDL typedef struct {
274 * IDL [unique][string] wchar_t *effective_name;
276 * IDL long auth_flags;
277 * IDL long logon_count;
278 * IDL long bad_pw_count;
279 * IDL long last_logon;
280 * IDL long last_logoff;
281 * IDL long logoff_time;
282 * IDL long kickoff_time;
283 * IDL long password_age;
284 * IDL long pw_can_change;
285 * IDL long pw_must_change;
286 * IDL [unique][string] wchar_t *computer;
287 * IDL [unique][string] wchar_t *domain;
288 * IDL [unique][string] wchar_t *script_path;
/* Dissects a VALIDATION_UAS_INFO structure. Visible steps, in order: the
 * conformant_run check on the per-call info taken from pinfo->private_data,
 * the effective account name (unique string pointer), four uint32 fields
 * (priv, auth_flags, logon_count, bad_pw_count), seven 4-byte time fields
 * that are only labelled, three unique string pointers (Computer, Domain,
 * Script) and one reserved uint32.
 * NOTE(review): several lines are missing from this listing (gaps in the
 * gutter numbers), including the body of the conformant_run branch. */
292 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
293 packet_info *pinfo, proto_tree *tree,
298 di=pinfo->private_data;
299 if(di->conformant_run){
300 /*just a run to handle conformant arrays, nothing to dissect */
304 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
305 NDR_POINTER_UNIQUE, "Effective Account",
306 hf_netlogon_acct_name, 0);
308 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
309 hf_netlogon_priv, NULL);
311 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
312 hf_netlogon_auth_flags, NULL);
314 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
315 hf_netlogon_logon_count, NULL);
317 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
318 hf_netlogon_bad_pw_count, NULL);
320 /* XXX - are these all UNIX "time_t"s, like the time stamps in
323 Or are they, as per some RAP-based operations, UTIMEs? */
/* Each of the next seven fields is added as a fixed 4-byte text item and
 * the value itself is not decoded. No line that advances offset between
 * them is visible here; one gutter number is skipped after each call, so
 * presumably the step is on the missing lines - confirm. */
324 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
327 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
330 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
333 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
336 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
339 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
342 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
345 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
346 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
348 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
349 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
351 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
352 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
354 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
355 hf_netlogon_reserved, NULL);
361 * IDL long NetLogonUasLogon(
362 * IDL [in][unique][string] wchar_t *ServerName,
363 * IDL [in][ref][string] wchar_t *UserName,
364 * IDL [in][ref][string] wchar_t *Workstation,
365 * IDL [out][unique] VALIDATION_UAS_INFO *info
/* Request half of NetLogonUasLogon: the server handle first, then ref
 * pointers to the Account and Workstation strings.
 * NOTE(review): the continuation line of the
 * netlogon_dissect_LOGONSRV_HANDLE call is missing from this listing. */
369 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
370 packet_info *pinfo, proto_tree *tree, char *drep)
372 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
375 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
376 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
378 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
379 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/* Reply half of NetLogonUasLogon: a unique (possibly null) pointer to a
 * VALIDATION_UAS_INFO, dissected by netlogon_dissect_VALIDATION_UAS_INFO,
 * followed by the NT status code shown under hf_netlogon_rc. */
386 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
387 packet_info *pinfo, proto_tree *tree, char *drep)
389 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
390 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
391 "VALIDATION_UAS_INFO", -1);
393 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
394 hf_netlogon_rc, NULL);
400 * IDL typedef struct {
402 * IDL short logon_count;
403 * IDL } LOGOFF_UAS_INFO;
/* Dissects LOGOFF_UAS_INFO. After the conformant_run check, 4 bytes are
 * labelled as a Duration of unknown format without decoding the value, and
 * a 16-bit logon count follows under hf_netlogon_logon_count16.
 * NOTE(review): no line stepping offset past the duration is visible;
 * gutter lines 419-420 are missing from this listing, so presumably it is
 * there - confirm. */
406 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
407 packet_info *pinfo, proto_tree *tree,
412 di=pinfo->private_data;
413 if(di->conformant_run){
414 /*just a run to handle conformant arrays, nothing to dissect */
418 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
421 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
422 hf_netlogon_logon_count16, NULL);
428 * IDL long NetLogonUasLogoff(
429 * IDL [in][unique][string] wchar_t *ServerName,
430 * IDL [in][ref][string] wchar_t *UserName,
431 * IDL [in][ref][string] wchar_t *Workstation,
432 * IDL [out][ref] LOGOFF_UAS_INFO *info
/* Request half of NetLogonUasLogoff: the server handle first, then ref
 * pointers to the Account and Workstation strings.
 * NOTE(review): the continuation line of the
 * netlogon_dissect_LOGONSRV_HANDLE call is missing from this listing. */
436 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
437 packet_info *pinfo, proto_tree *tree, char *drep)
439 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
442 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
443 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
445 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
446 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/* Reply half of NetLogonUasLogoff: a ref pointer to LOGOFF_UAS_INFO,
 * dissected by netlogon_dissect_LOGOFF_UAS_INFO, followed by the NT status
 * code shown under hf_netlogon_rc. */
453 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
454 packet_info *pinfo, proto_tree *tree, char *drep)
456 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
457 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
458 "LOGOFF_UAS_INFO", -1);
460 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
461 hf_netlogon_rc, NULL);
470 * IDL typedef struct {
471 * IDL UNICODESTRING LogonDomainName;
472 * IDL long ParameterControl;
473 * IDL uint64 LogonID;
474 * IDL UNICODESTRING UserName;
475 * IDL UNICODESTRING Workstation;
476 * IDL } LOGON_IDENTITY_INFO;
/* Dissects LOGON_IDENTITY_INFO inside its own subtree (ett_IDENTITY_INFO):
 * logon domain string, parameter control (uint32), logon id (uint64),
 * account name string and workstation string, in that order. old_offset
 * remembers where the structure began so that the subtree item can be
 * given its final length once the fields have been consumed. */
479 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
480 packet_info *pinfo, proto_tree *parent_tree,
483 proto_item *item=NULL;
484 proto_tree *tree=NULL;
485 int old_offset=offset;
488 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
490 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
493 /* XXX: It would be nice to get the domain and account name
494 displayed in COL_INFO. */
496 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
497 hf_netlogon_logon_dom, 0);
499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
500 hf_netlogon_param_ctrl, NULL);
502 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
503 hf_netlogon_logon_id, NULL);
505 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
506 hf_netlogon_acct_name, 0);
508 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
509 hf_netlogon_workstation, 0);
/* NOTE(review): several lines around the comments below are missing from
 * this listing (gaps in the gutter numbers), so it is not visible whether
 * the netlogon_dissect_8_unknown_bytes call is compiled in or disabled.
 * Confirm against the full file before relying on the field offsets that
 * follow this structure. */
512 /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
513 /* XXX 8 extra bytes here */
514 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
515 the idl file. Could be a bug in either the NETLOGON implementation or in the
518 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
521 proto_item_set_len(item, offset-old_offset);
527 * IDL typedef struct {
528 * IDL char password[16];
529 * IDL } LM_OWF_PASSWORD;
532 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
533 packet_info *pinfo, proto_tree *parent_tree,
536 proto_item *item=NULL;
537 proto_tree *tree=NULL;
540 di=pinfo->private_data;
541 if(di->conformant_run){
542 /*just a run to handle conformant arrays, nothing to dissect.*/
/* Past the conformant_run check the structure is shown as a 16-byte
 * subtree (ett_LM_OWF_PASSWORD) holding one 16-byte item under
 * hf_netlogon_lm_owf_password. The label line, the last argument of the
 * add_item call and the offset update are missing from this listing.
 * NOTE(review): the IDL calls this field password, so the 16 bytes are
 * presumably password-derived; they are added to the tree as read, and any
 * capture or exported dissection containing them should be handled as
 * credential material. */
547 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
549 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
552 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
560 * IDL typedef struct {
561 * IDL char password[16];
562 * IDL } NT_OWF_PASSWORD;
/* Dissects NT_OWF_PASSWORD: after the conformant_run check, a 16-byte
 * subtree (ett_NT_OWF_PASSWORD) holding one 16-byte item under
 * hf_netlogon_nt_owf_password. The label line, the last argument of the
 * add_item call and the offset update are missing from this listing.
 * NOTE(review): the IDL calls this field password, so the 16 bytes are
 * presumably password-derived; they are added to the tree as read, and any
 * capture or exported dissection containing them should be handled as
 * credential material. */
565 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
566 packet_info *pinfo, proto_tree *parent_tree,
569 proto_item *item=NULL;
570 proto_tree *tree=NULL;
573 di=pinfo->private_data;
574 if(di->conformant_run){
575 /*just a run to handle conformant arrays, nothing to dissect.*/
580 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
582 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
585 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
594 * IDL typedef struct {
595 * IDL LOGON_IDENTITY_INFO identity_info;
596 * IDL LM_OWF_PASSWORD lmpassword;
597 * IDL NT_OWF_PASSWORD ntpassword;
598 * IDL } INTERACTIVE_INFO;
/* Dissects INTERACTIVE_INFO by chaining three sub-dissectors in IDL order:
 * LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, then NT_OWF_PASSWORD, each one
 * returning the offset the next one starts from.
 * NOTE(review): the argument continuation lines of all three calls are
 * missing from this listing. */
601 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
602 packet_info *pinfo, proto_tree *tree,
605 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
608 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
611 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
618 * IDL typedef struct {
/* Dissects a CHALLENGE: after the conformant_run check, one 8-byte item
 * under hf_netlogon_challenge. The last argument of the add_item call and
 * the offset update are missing from this listing. */
623 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
624 packet_info *pinfo, proto_tree *tree,
629 di=pinfo->private_data;
630 if(di->conformant_run){
631 /*just a run to handle conformant arrays, nothing to dissect.*/
635 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
643 * IDL typedef struct {
644 * IDL LOGON_IDENTITY_INFO logon_info;
645 * IDL CHALLENGE chal;
646 * IDL STRING ntchallengeresponse;
647 * IDL STRING lmchallengeresponse;
648 * IDL } NETWORK_INFO;
/* Callback given to dissect_ndr_counted_byte_array_cb for the NT challenge
 * response (see netlogon_dissect_NETWORK_INFO). It receives the start and
 * end offsets of the array, rounds the start up to a multiple of 4 and
 * hands the remaining bytes to dissect_ntlmv2_response. pinfo, item and
 * callback_args are marked unused. */
651 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
652 proto_item *item _U_, tvbuff_t *tvb,
653 int start_offset, int end_offset,
654 void *callback_args _U_)
658 /* Skip over 3 guint32's in NDR format */
660 if (start_offset % 4)
661 start_offset += 4 - (start_offset % 4);
/* NOTE(review): the step that skips the three guint32 values is not
 * visible (gutter lines 662-663 are missing from this listing). len is the
 * distance from the adjusted start to end_offset, both derived from packet
 * data, so it can be zero or negative for a short array. */
664 len = end_offset - start_offset;
666 /* Call ntlmv2 response dissector */
/* NOTE(review): gutter lines 667-668 are missing too, so any guard on len
 * ahead of this call is not visible - confirm that one exists. */
669 dissect_ntlmv2_response(tvb, tree, start_offset, len);
/* Dissects NETWORK_INFO: identity info, the challenge, then the NT and LM
 * challenge responses as counted byte arrays. The NT response is also
 * passed to dissect_nt_chal_resp_cb for further decoding; the LM response
 * gets no callback.
 * NOTE(review): the continuation lines of the first two calls are missing
 * from this listing. */
673 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
674 packet_info *pinfo, proto_tree *tree,
677 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
680 offset = netlogon_dissect_CHALLENGE(tvb, offset,
683 offset = dissect_ndr_counted_byte_array_cb(
684 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
685 dissect_nt_chal_resp_cb, NULL);
687 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
688 hf_netlogon_lm_chal_resp);
694 * IDL typedef struct {
695 * IDL LOGON_IDENTITY_INFO logon_info;
696 * IDL LM_OWF_PASSWORD lmpassword;
697 * IDL NT_OWF_PASSWORD ntpassword;
698 * IDL } SERVICE_INFO;
/* Dissects SERVICE_INFO by chaining the same three sub-dissectors that
 * netlogon_dissect_INTERACTIVE_INFO uses: LOGON_IDENTITY_INFO,
 * LM_OWF_PASSWORD, then NT_OWF_PASSWORD.
 * NOTE(review): the argument continuation lines of all three calls are
 * missing from this listing. */
701 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
702 packet_info *pinfo, proto_tree *tree,
705 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
708 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
711 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
718 * IDL typedef [switch_type(short)] union {
719 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
720 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
721 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
/* Dissects the LEVEL union: reads a 16-bit discriminant into level (shown
 * under hf_netlogon_level16), then dissects a unique pointer to one of
 * INTERACTIVE_INFO, NETWORK_INFO or SERVICE_INFO.
 * NOTE(review): the switch and case lines are missing from this listing;
 * the IDL ahead of the function assigns cases 1, 2 and 3 to the three
 * structures in the order they appear here. What happens for any other
 * level value is not visible - confirm against the full file. */
725 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
726 packet_info *pinfo, proto_tree *tree,
731 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
732 hf_netlogon_level16, &level);
737 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
738 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
739 "INTERACTIVE_INFO:", -1);
742 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
743 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
744 "NETWORK_INFO:", -1);
747 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
748 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
749 "SERVICE_INFO:", -1);
757 * IDL typedef struct {
/* Dissects a CREDENTIAL: after the conformant_run check, two 4-byte items,
 * credential_low first and credential_high second.
 * NOTE(review): the lines naming the function called for each item and the
 * offset updates between them are missing from this listing; presumably
 * the calls are proto_tree_add_item with TRUE selecting little-endian -
 * confirm against the full file. */
762 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
763 packet_info *pinfo, proto_tree *tree,
768 di=pinfo->private_data;
769 if(di->conformant_run){
770 /*just a run to handle conformant arrays, nothing to dissect.*/
775 tree, hf_netlogon_credential_low, tvb, offset, 4, TRUE);
779 tree, hf_netlogon_credential_high, tvb, offset, 4, TRUE);
787 * IDL typedef struct {
788 * IDL CREDENTIAL cred;
789 * IDL long timestamp;
790 * IDL } AUTHENTICATOR;
/* Dissects an AUTHENTICATOR: after the conformant_run check, the
 * CREDENTIAL followed by a 4-byte timestamp shown under
 * hf_netlogon_timestamp.
 * NOTE(review): the opening and closing lines of the XXX comment and the
 * continuation of the netlogon_dissect_CREDENTIAL call are missing from
 * this listing, as is any assignment to other members of ts. */
793 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
794 packet_info *pinfo, proto_tree *tree,
800 di=pinfo->private_data;
801 if(di->conformant_run){
802 /*just a run to handle conformant arrays, nothing to dissect */
806 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
810 * XXX - this appears to be a UNIX time_t in some credentials, but
811 * appears to be random junk in other credentials.
812 * For example, it looks like a UNIX time_t in "credential"
813 * AUTHENTICATORs, but like random junk in "return_authenticator"
/* The seconds value is always read little-endian (tvb_get_letohl). Given
 * the caveat in the text above, the time displayed for this field should
 * not be treated as trustworthy when reading a capture. */
817 ts.secs = tvb_get_letohl(tvb, offset);
819 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
827 * IDL typedef struct {
829 * IDL long attributes;
830 * IDL } GROUP_MEMBERSHIP;
/* Dissects one GROUP_MEMBERSHIP entry in its own subtree
 * (ett_GROUP_MEMBERSHIP): a uint32 shown under hf_netlogon_user_rid
 * followed by a uint32 of attributes under hf_netlogon_attrs. The subtree
 * item is created with length 0; a later length fix-up, if any, is not
 * visible in this listing. */
833 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
834 packet_info *pinfo, proto_tree *parent_tree,
837 proto_item *item=NULL;
838 proto_tree *tree=NULL;
841 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
842 "GROUP_MEMBERSHIP:");
843 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
846 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
847 hf_netlogon_user_rid, NULL);
849 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
850 hf_netlogon_attrs, NULL);
/* Dissects an array of GROUP_MEMBERSHIP entries through
 * dissect_ndr_ucarray, with netlogon_dissect_GROUP_MEMBERSHIP as the
 * per-element dissector. The element count is handled inside
 * dissect_ndr_ucarray and is not read here. */
856 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
857 packet_info *pinfo, proto_tree *tree,
860 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
861 netlogon_dissect_GROUP_MEMBERSHIP);
867 * IDL typedef struct {
868 * IDL char user_session_key[16];
869 * IDL } USER_SESSION_KEY;
/* Dissects USER_SESSION_KEY: after the conformant_run check, one 16-byte
 * item under hf_netlogon_user_session_key. The last argument of the
 * add_item call and the offset update are missing from this listing.
 * NOTE(review): the 16 bytes are added to the tree as read from the
 * packet; captures and exported dissections that include this field should
 * be handled as key material. */
872 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
873 packet_info *pinfo, proto_tree *tree,
878 di=pinfo->private_data;
879 if(di->conformant_run){
880 /*just a run to handle conformant arrays, nothing to dissect.*/
884 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
892 * IDL typedef struct {
893 * IDL uint64 LogonTime;
894 * IDL uint64 LogoffTime;
895 * IDL uint64 KickOffTime;
896 * IDL uint64 PasswdLastSet;
897 * IDL uint64 PasswdCanChange;
898 * IDL uint64 PasswdMustChange;
899 * IDL unicodestring effectivename;
900 * IDL unicodestring fullname;
901 * IDL unicodestring logonscript;
902 * IDL unicodestring profilepath;
903 * IDL unicodestring homedirectory;
904 * IDL unicodestring homedirectorydrive;
905 * IDL short LogonCount;
906 * IDL short BadPasswdCount;
908 * IDL long primarygroup;
909 * IDL long groupcount;
910 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
911 * IDL long userflags;
912 * IDL USER_SESSION_KEY key;
913 * IDL unicodestring logonserver;
914 * IDL unicodestring domainname;
915 * IDL [unique] SID logondomainid;
916 * IDL long expansionroom[10];
917 * IDL } VALIDATION_SAM_INFO;
/* Dissects VALIDATION_SAM_INFO field by field in IDL order: six NTTIME
 * values, six counted strings, two uint16 counters, the user RID, the
 * primary group RID, the group count and group array, user flags, the user
 * session key, logon server and domain strings, the domain SID and the
 * reserved words. Every call returns the offset the next one starts from.
 * NOTE(review): several lines are missing from this listing (gaps in the
 * gutter numbers), including the continuation lines of the
 * USER_SESSION_KEY and PSID calls. */
920 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
921 packet_info *pinfo, proto_tree *tree,
926 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
927 hf_netlogon_logon_time);
929 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
930 hf_netlogon_logoff_time);
932 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
933 hf_netlogon_kickoff_time);
935 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
936 hf_netlogon_pwd_last_set_time);
938 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
939 hf_netlogon_pwd_can_change_time);
941 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
942 hf_netlogon_pwd_must_change_time);
944 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
945 hf_netlogon_acct_name, 0);
947 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
948 hf_netlogon_full_name, 0);
950 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
951 hf_netlogon_logon_script, 0);
953 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
954 hf_netlogon_profile_path, 0);
956 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
957 hf_netlogon_home_dir, 0);
959 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
960 hf_netlogon_dir_drive, 0);
962 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
963 hf_netlogon_logon_count16, NULL);
965 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
966 hf_netlogon_bad_pw_count16, NULL);
968 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
969 hf_netlogon_user_rid, NULL);
971 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
972 hf_netlogon_group_rid, NULL);
/* The group count is displayed but not captured (NULL out-pointer); the
 * array that follows is sized by the array dissector, not by this value. */
974 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
975 hf_netlogon_num_rids, NULL);
977 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
978 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
979 "GROUP_MEMBERSHIP_ARRAY", -1);
981 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
982 hf_netlogon_user_flags, NULL);
984 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
987 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
988 hf_netlogon_logon_srv, 0);
990 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
991 hf_netlogon_logon_dom, 0);
993 offset = dissect_ndr_nt_PSID(tvb, offset,
/* NOTE(review): the IDL lists expansionroom[10] but only one reserved
 * uint32 read is visible; presumably it sits in a loop whose lines are
 * missing from this listing - confirm. */
997 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
998 hf_netlogon_reserved, NULL);
1007 * IDL typedef struct {
1008 * IDL uint64 LogonTime;
1009 * IDL uint64 LogoffTime;
1010 * IDL uint64 KickOffTime;
1011 * IDL uint64 PasswdLastSet;
1012 * IDL uint64 PasswdCanChange;
1013 * IDL uint64 PasswdMustChange;
1014 * IDL unicodestring effectivename;
1015 * IDL unicodestring fullname;
1016 * IDL unicodestring logonscript;
1017 * IDL unicodestring profilepath;
1018 * IDL unicodestring homedirectory;
1019 * IDL unicodestring homedirectorydrive;
1020 * IDL short LogonCount;
1021 * IDL short BadPasswdCount;
1023 * IDL long primarygroup;
1024 * IDL long groupcount;
1025 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1026 * IDL long userflags;
1027 * IDL USER_SESSION_KEY key;
1028 * IDL unicodestring logonserver;
1029 * IDL unicodestring domainname;
1030 * IDL [unique] SID logondomainid;
1031 * IDL long expansionroom[10];
1032 * IDL long sidcount;
1033 * IDL [unique] SID_AND_ATTRIBS;
1034 * IDL } VALIDATION_SAM_INFO2;
/* Dissects VALIDATION_SAM_INFO2. The visible field sequence matches
 * netlogon_dissect_VALIDATION_SAM_INFO up to the domain SID, then reads
 * the expansion words under hf_netlogon_unknown_long, the count of other
 * groups and a unique pointer to a SID_AND_ATTRIBUTES array.
 * NOTE(review): several lines are missing from this listing (gaps in the
 * gutter numbers), including the continuation lines of the
 * USER_SESSION_KEY and PSID calls. */
1037 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1038 packet_info *pinfo, proto_tree *tree,
1043 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1044 hf_netlogon_logon_time);
1046 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1047 hf_netlogon_logoff_time);
1049 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1050 hf_netlogon_kickoff_time);
1052 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1053 hf_netlogon_pwd_last_set_time);
1055 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1056 hf_netlogon_pwd_can_change_time);
1058 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1059 hf_netlogon_pwd_must_change_time);
1061 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1062 hf_netlogon_acct_name, 0);
1064 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1065 hf_netlogon_full_name, 0);
1067 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1068 hf_netlogon_logon_script, 0);
1070 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1071 hf_netlogon_profile_path, 0);
1073 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1074 hf_netlogon_home_dir, 0);
1076 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1077 hf_netlogon_dir_drive, 0);
1079 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1080 hf_netlogon_logon_count16, NULL);
1082 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1083 hf_netlogon_bad_pw_count16, NULL);
1085 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1086 hf_netlogon_user_rid, NULL);
1088 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1089 hf_netlogon_group_rid, NULL);
/* The group count is displayed but not captured (NULL out-pointer); the
 * array that follows is sized by the array dissector, not by this value. */
1091 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1092 hf_netlogon_num_rids, NULL);
1094 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1095 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1096 "GROUP_MEMBERSHIP_ARRAY", -1);
1098 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1099 hf_netlogon_user_flags, NULL);
1101 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1104 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1105 hf_netlogon_logon_srv, 0);
1107 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1108 hf_netlogon_logon_dom, 0);
1110 offset = dissect_ndr_nt_PSID(tvb, offset,
/* NOTE(review): the IDL lists expansionroom[10] but only one
 * unknown_long read is visible; presumably it sits in a loop whose lines
 * are missing from this listing - confirm. */
1114 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1115 hf_netlogon_unknown_long, NULL);
1118 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1119 hf_netlogon_num_other_groups, NULL);
1121 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1122 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1123 "SID_AND_ATTRIBUTES_ARRAY:", -1);
/*
 * Callback for the "PAC:" pointer: reads a 32-bit size into pac_size and
 * adds that many bytes at the current offset as hf_netlogon_pac_data.
 * On the conformant run there is nothing to dissect.
 *
 * NOTE(review): pac_size comes straight from the packet and is used as the
 * item length without a visible range check; bounds enforcement presumably
 * rests on proto_tree_add_item()/the tvbuff layer -- confirm.
 */
1131 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1132 packet_info *pinfo, proto_tree *tree,
1138 di=pinfo->private_data;
1139 if(di->conformant_run){
1140 /*just a run to handle conformant arrays, nothing to dissect */
/* length of the PAC blob, taken from the wire */
1144 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1145 hf_netlogon_pac_size, &pac_size);
1147 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
/*
 * Callback for the "AUTH:" pointer: reads a 32-bit size into auth_size,
 * adds that many bytes as hf_netlogon_auth_data and then advances offset
 * by auth_size. On the conformant run there is nothing to dissect.
 *
 * NOTE(review): auth_size is packet-controlled and its declaration is not
 * visible in this listing. offset is a signed int, so if auth_size is a
 * 32-bit unsigned value a large size can push offset past INT_MAX or make
 * it negative -- confirm the add is preceded by a bounds check (the
 * proto_tree_add_item() call presumably fails first on an oversized
 * length; verify).
 */
1155 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1156 packet_info *pinfo, proto_tree *tree,
1162 di=pinfo->private_data;
1163 if(di->conformant_run){
1164 /*just a run to handle conformant arrays, nothing to dissect */
/* length of the auth blob, taken from the wire */
1168 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1169 hf_netlogon_auth_size, &auth_size);
1171 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
/* skip over the blob just added to the tree */
1173 offset += auth_size;
1180 * IDL typedef struct {
1182 * IDL [unique][size_is(pac_size)] char *pac;
1183 * IDL UNICODESTRING logondomain;
1184 * IDL UNICODESTRING logonserver;
1185 * IDL UNICODESTRING principalname;
1186 * IDL long auth_size;
1187 * IDL [unique][size_is(auth_size)] char *auth;
1188 * IDL USER_SESSION_KEY user_session_key;
1189 * IDL long expansionroom[10];
1190 * IDL UNICODESTRING dummy1;
1191 * IDL UNICODESTRING dummy2;
1192 * IDL UNICODESTRING dummy3;
1193 * IDL UNICODESTRING dummy4;
1194 * IDL } VALIDATION_PAC_INFO;
/*
 * Dissects a VALIDATION_PAC_INFO structure in the order visible below:
 * pac size, PAC pointer, logon domain, logon server, principal name,
 * auth size, AUTH pointer, user session key, an "unknown long" and four
 * dummy counted strings.
 *
 * NOTE(review): the IDL declares expansionroom[10] but only one
 * hf_netlogon_unknown_long read is visible in this listing; the lines
 * around it are not shown, so whether it is repeated cannot be confirmed
 * from here.
 */
1197 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1198 packet_info *pinfo, proto_tree *tree,
/* value is discarded here (NULL); netlogon_dissect_PAC reads its own size */
1203 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1204 hf_netlogon_pac_size, NULL);
1206 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1207 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1209 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1210 hf_netlogon_logon_dom, 0);
1212 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1213 hf_netlogon_logon_srv, 0);
1215 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1216 hf_netlogon_principal, 0);
/* value is discarded here (NULL); netlogon_dissect_AUTH reads its own size */
1218 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1219 hf_netlogon_auth_size, NULL);
1221 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1222 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1224 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1228 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1229 hf_netlogon_unknown_long, NULL);
/* dummy1..dummy4 of the IDL, all shown under hf_netlogon_dummy */
1232 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1233 hf_netlogon_dummy, 0);
1235 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1236 hf_netlogon_dummy, 0);
1238 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1239 hf_netlogon_dummy, 0);
1241 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1242 hf_netlogon_dummy, 0);
1249 * IDL typedef [switch_type(short)] union {
1250 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1251 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1252 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1253 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
/*
 * Dissects the VALIDATION union: reads the 16-bit validation level into
 * `level`, then one unique pointer to SAM_INFO, SAM_INFO2 or PAC_INFO.
 * The IDL maps levels 2, 3, 4 and 5 to those arms (4 and 5 both use
 * VALIDATION_PAC_INFO, matching the last two calls below).
 *
 * NOTE(review): the switch/case lines are not visible in this listing, so
 * the handling of a level outside 2..5 cannot be confirmed from here.
 */
1257 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1258 packet_info *pinfo, proto_tree *tree,
/* union discriminant, taken from the wire */
1263 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1264 hf_netlogon_validation_level, &level);
1269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1270 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1271 "VALIDATION_SAM_INFO:", -1);
1274 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1275 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1276 "VALIDATION_SAM_INFO2:", -1);
1279 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1280 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1281 "VALIDATION_PAC_INFO:", -1);
1284 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1285 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1286 "VALIDATION_PAC_INFO:", -1);
1295 * IDL long NetLogonSamLogon(
1296 * IDL [in][unique][string] wchar_t *ServerName,
1297 * IDL [in][unique][string] wchar_t *Workstation,
1298 * IDL [in][unique] AUTHENTICATOR *credential,
1299 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1300 * IDL [in] short LogonLevel,
1301 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1302 * IDL [in] short ValidationLevel,
1303 * IDL [out][ref] VALIDATION *validation,
1304 * IDL [out][ref] boolean Authorative
/*
 * Dissects the NetLogonSamLogon request: server handle, computer name,
 * the client credential and return authenticator (both unique pointers),
 * the 16-bit logon level, the LEVEL union behind a ref pointer, and the
 * 16-bit validation level the caller asks for.
 */
1308 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1309 packet_info *pinfo, proto_tree *tree, char *drep)
1311 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1314 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1315 NDR_POINTER_UNIQUE, "Computer Name",
1316 hf_netlogon_computer_name, 0);
1318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1319 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1320 "AUTHENTICATOR: credential", -1);
1322 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1323 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1324 "AUTHENTICATOR: return_authenticator", -1);
/* value not captured (NULL); netlogon_dissect_LEVEL is not given it here */
1326 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1327 hf_netlogon_level16, NULL);
1329 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1330 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1331 "LEVEL: LogonLevel", -1);
1333 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1334 hf_netlogon_validation_level, NULL);
/*
 * Dissects the NetLogonSamLogon reply: return authenticator (unique
 * pointer), the VALIDATION union behind a ref pointer, the 8-bit
 * authoritative flag and the NT status code.
 */
1340 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1341 packet_info *pinfo, proto_tree *tree, char *drep)
1343 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1344 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1345 "AUTHENTICATOR: return_authenticator", -1);
1347 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1348 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1351 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1352 hf_netlogon_authoritative, NULL);
1354 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1355 hf_netlogon_rc, NULL);
1362 * IDL long NetLogonSamLogoff(
1363 * IDL [in][unique][string] wchar_t *ServerName,
1364 * IDL [in][unique][string] wchar_t *ComputerName,
1365 * IDL [in][unique] AUTHENTICATOR credential,
1366 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1367 * IDL [in] short logon_level,
1368 * IDL [in][ref] LEVEL logoninformation
/*
 * Dissects the NetLogonSamLogoff request: server handle, computer name,
 * credential and return authenticator (both unique pointers), the 16-bit
 * logon level and the LEVEL union behind a ref pointer.
 */
1372 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1373 packet_info *pinfo, proto_tree *tree, char *drep)
1375 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1378 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1379 NDR_POINTER_UNIQUE, "Computer Name",
1380 hf_netlogon_computer_name, 0);
1382 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1383 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1384 "AUTHENTICATOR: credential", -1);
1386 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1387 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1388 "AUTHENTICATOR: return_authenticator", -1);
1390 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1391 hf_netlogon_level16, NULL);
1393 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1394 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1395 "LEVEL: logoninformation", -1);
/*
 * Dissects the NetLogonSamLogoff reply: return authenticator (unique
 * pointer) followed by the NT status code.
 */
1400 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1401 packet_info *pinfo, proto_tree *tree, char *drep)
1404 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1405 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1406 "AUTHENTICATOR: return_authenticator", -1);
1408 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1409 hf_netlogon_rc, NULL);
1416 * IDL long NetServerReqChallenge(
1417 * IDL [in][unique][string] wchar_t *ServerName,
1418 * IDL [in][ref][string] wchar_t *ComputerName,
1419 * IDL [in][ref] CREDENTIAL client_credential,
1420 * IDL [out][ref] CREDENTIAL server_credential
/*
 * Dissects the NetServerReqChallenge request: server handle, the computer
 * name as a ref pointer to a wide-character string, and the client
 * challenge CREDENTIAL behind a ref pointer.
 */
1424 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1425 packet_info *pinfo, proto_tree *tree, char *drep)
1427 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Unlike the other requests here, the name goes through
 * dissect_ndr_pointer_cb with cb_wstr_postprocess; presumably
 * CB_STR_COL_INFO makes the callback copy the string to the Info
 * column -- confirm against the callback's definition.
 */
1430 offset = dissect_ndr_pointer_cb(
1431 tvb, offset, pinfo, tree, drep,
1432 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1433 "Computer Name", hf_netlogon_computer_name,
1434 cb_wstr_postprocess,
1435 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1437 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1438 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1439 "CREDENTIAL: client challenge", -1);
/*
 * Dissects the NetServerReqChallenge reply: the server CREDENTIAL behind
 * a ref pointer followed by the NT status code.
 */
1444 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1445 packet_info *pinfo, proto_tree *tree, char *drep)
1447 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1448 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1449 "CREDENTIAL: server credential", -1);
1451 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1452 hf_netlogon_rc, NULL);
/*
 * Dissects the secure channel type as one 16-bit value shown under
 * hf_netlogon_secure_channel_type; the value itself is not captured (NULL).
 */
1459 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1460 packet_info *pinfo, proto_tree *tree,
1463 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1464 hf_netlogon_secure_channel_type, NULL);
1471 * IDL long NetServerAuthenticate(
1472 * IDL [in][unique][string] wchar_t *ServerName,
1473 * IDL [in][ref][string] wchar_t *UserName,
1474 * IDL [in] short secure_challenge_type,
1475 * IDL [in][ref][string] wchar_t *ComputerName,
1476 * IDL [in][ref] CREDENTIAL client_challenge,
1477 * IDL [out][ref] CREDENTIAL server_challenge
/*
 * Dissects the NetServerAuthenticate request: server handle, user name
 * (ref string, shown as the account name field), secure channel type,
 * computer name (ref string) and the client challenge CREDENTIAL.
 */
1481 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1482 packet_info *pinfo, proto_tree *tree, char *drep)
1484 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1487 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1488 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1490 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1493 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1494 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1496 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1497 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1498 "CREDENTIAL: client challenge", -1);
/*
 * Dissects the NetServerAuthenticate reply: the server challenge
 * CREDENTIAL behind a ref pointer followed by the NT status code.
 */
1503 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1504 packet_info *pinfo, proto_tree *tree, char *drep)
1506 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1507 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1508 "CREDENTIAL: server challenge", -1);
1510 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1511 hf_netlogon_rc, NULL);
1519 * IDL typedef struct {
1520 * IDL char encrypted_password[16];
1521 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Adds the 16-byte encrypted LM OWF password as a single item; the fixed
 * length matches encrypted_password[16] in the IDL. On the conformant run
 * there is nothing to dissect.
 *
 * The item exposes the raw 16 bytes in the tree; nothing in this function
 * decrypts or masks them.
 */
1524 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1525 packet_info *pinfo, proto_tree *tree,
1530 di=pinfo->private_data;
1531 if(di->conformant_run){
1532 /*just a run to handle conformant arrays, nothing to dissect.*/
1536 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1544 * IDL long NetServerPasswordSet(
1545 * IDL [in][unique][string] wchar_t *ServerName,
1546 * IDL [in][ref][string] wchar_t *UserName,
1547 * IDL [in] short secure_challenge_type,
1548 * IDL [in][ref][string] wchar_t *ComputerName,
1549 * IDL [in][ref] AUTHENTICATOR credential,
1550 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1551 * IDL [out][ref] AUTHENTICATOR return_authenticator
/*
 * Dissects the NetServerPasswordSet request: server handle, user name,
 * secure channel type, computer name, the AUTHENTICATOR credential and the
 * new password as an ENCRYPTED_LM_OWF_PASSWORD (both behind ref pointers).
 */
1555 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1556 packet_info *pinfo, proto_tree *tree, char *drep)
1558 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1561 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1562 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1564 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1567 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1568 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1570 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1571 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1572 "AUTHENTICATOR: credential", -1);
/* UasNewPassword in the IDL */
1574 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1575 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1576 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
/*
 * Dissects the NetServerPasswordSet reply: return authenticator behind a
 * ref pointer followed by the NT status code.
 */
1581 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1582 packet_info *pinfo, proto_tree *tree, char *drep)
1584 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1585 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1586 "AUTHENTICATOR: return_authenticator", -1);
1588 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1589 hf_netlogon_rc, NULL);
1596 * IDL typedef struct {
1597 * IDL [unique][string] wchar_t *UserName;
1598 * IDL UNICODESTRING dummy1;
1599 * IDL UNICODESTRING dummy2;
1600 * IDL UNICODESTRING dummy3;
1601 * IDL UNICODESTRING dummy4;
1606 * IDL } DELTA_DELETE_USER;
/*
 * Dissects a DELTA_DELETE_USER record: the account name (unique string
 * pointer), four dummy counted strings and four reserved 32-bit values.
 */
1609 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1610 packet_info *pinfo, proto_tree *tree,
1613 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1614 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
/* dummy1..dummy4 of the IDL */
1616 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1617 hf_netlogon_dummy, 0);
1619 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1620 hf_netlogon_dummy, 0);
1622 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1623 hf_netlogon_dummy, 0);
1625 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1626 hf_netlogon_dummy, 0);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
1628 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1629 hf_netlogon_reserved, NULL);
1631 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1632 hf_netlogon_reserved, NULL);
1634 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1635 hf_netlogon_reserved, NULL);
1637 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1638 hf_netlogon_reserved, NULL);
1645 * IDL typedef struct {
1646 * IDL bool SensitiveDataFlag;
1647 * IDL long DataLength;
1648 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1649 * IDL } USER_PRIVATE_INFO;
/*
 * Callback for the USER_PRIVATE_INFO "SensitiveData" pointer: reads a
 * 32-bit length into data_len and adds the data at the current offset as
 * hf_netlogon_sensitive_data. On the conformant run there is nothing to
 * dissect.
 *
 * NOTE(review): data_len is packet-controlled and no range check is
 * visible in this listing; the length argument of the
 * proto_tree_add_item() call is not shown either. Bounds enforcement
 * presumably rests on the tvbuff layer -- confirm.
 */
1652 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1653 packet_info *pinfo, proto_tree *tree,
1659 di=pinfo->private_data;
1660 if(di->conformant_run){
1661 /*just a run to handle conformant arrays, nothing to dissect */
/* length of the sensitive blob, taken from the wire */
1665 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1666 hf_netlogon_sensitive_data_len, &data_len);
1668 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
/*
 * Dissects USER_PRIVATE_INFO: the 8-bit sensitive-data flag, the 32-bit
 * data length and a unique pointer whose target is handled by
 * netlogon_dissect_SENSITIVE_DATA.
 */
1675 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1676 packet_info *pinfo, proto_tree *tree,
1679 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1680 hf_netlogon_sensitive_data_flag, NULL);
/* DataLength is only displayed here (NULL); the callback reads its own length */
1682 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1683 hf_netlogon_sensitive_data_len, NULL);
1685 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1686 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1687 "SENSITIVE_DATA", -1);
1693 * IDL typedef struct {
1694 * IDL UNICODESTRING UserName;
1695 * IDL UNICODESTRING FullName;
1697 * IDL long PrimaryGroupID;
1698 * IDL UNICODESTRING HomeDir;
1699 * IDL UNICODESTRING HomeDirDrive;
1700 * IDL UNICODESTRING LogonScript;
1701 * IDL UNICODESTRING Comment;
1702 * IDL UNICODESTRING Workstations;
1703 * IDL NTTIME LastLogon;
1704 * IDL NTTIME LastLogoff;
1705 * IDL LOGON_HOURS logonhours;
1706 * IDL short BadPwCount;
1707 * IDL short LogonCount;
1708 * IDL NTTIME PwLastSet;
1709 * IDL NTTIME AccountExpires;
1710 * IDL long AccountControl;
1711 * IDL LM_OWF_PASSWORD lmpw;
1712 * IDL NT_OWF_PASSWORD ntpw;
1713 * IDL bool NTPwPresent;
1714 * IDL bool LMPwPresent;
1715 * IDL bool PwExpired;
1716 * IDL UNICODESTRING UserComment;
1717 * IDL UNICODESTRING Parameters;
1718 * IDL short CountryCode;
1719 * IDL short CodePage;
1720 * IDL USER_PRIVATE_INFO user_private_info;
1721 * IDL long SecurityInformation;
1722 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1723 * IDL UNICODESTRING dummy1;
1724 * IDL UNICODESTRING dummy2;
1725 * IDL UNICODESTRING dummy3;
1726 * IDL UNICODESTRING dummy4;
/*
 * Dissects a DELTA_USER record field by field, in the order of the calls
 * below: names and RIDs, home directory and script strings, logon/logoff
 * times and logon hours, password counters and times, account control,
 * the LM and NT OWF passwords with their presence flags, comment and
 * parameter strings, country/code page, USER_PRIVATE_INFO, the security
 * information and descriptor, four dummy strings and four reserved values.
 *
 * The record carries password hashes and the private-info blob; both are
 * added to the tree by the helpers called here.
 */
1734 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1735 packet_info *pinfo, proto_tree *tree,
1738 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1739 hf_netlogon_acct_name, 0);
1741 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1742 hf_netlogon_full_name, 0);
1744 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1745 hf_netlogon_user_rid, NULL);
/* PrimaryGroupID in the IDL */
1747 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1748 hf_netlogon_group_rid, NULL);
1750 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1751 hf_netlogon_home_dir, 0);
1753 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1754 hf_netlogon_dir_drive, 0);
1756 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1757 hf_netlogon_logon_script, 0);
/* "Comment" in the IDL, shown as the account description */
1759 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1760 hf_netlogon_acct_desc, 0);
1762 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1763 hf_netlogon_workstations, 0);
1765 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1766 hf_netlogon_logon_time);
1768 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_logoff_time);
1771 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1773 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1774 hf_netlogon_bad_pw_count16, NULL);
1776 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1777 hf_netlogon_logon_count16, NULL);
1779 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1780 hf_netlogon_pwd_last_set_time);
1782 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1783 hf_netlogon_acct_expiry_time);
1785 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
/* lmpw and ntpw of the IDL: credential material */
1787 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1790 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1793 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1794 hf_netlogon_nt_pwd_present, NULL);
1796 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1797 hf_netlogon_lm_pwd_present, NULL);
1799 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1800 hf_netlogon_pwd_expired, NULL);
/* UserComment in the IDL */
1802 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1803 hf_netlogon_comment, 0);
1805 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1806 hf_netlogon_parameters, 0);
1808 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1809 hf_netlogon_country, NULL);
1811 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1812 hf_netlogon_codepage, NULL);
1814 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1817 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1818 hf_netlogon_security_information, NULL);
1820 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL */
1823 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1824 hf_netlogon_dummy, 0);
1826 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1827 hf_netlogon_dummy, 0);
1829 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1830 hf_netlogon_dummy, 0);
1832 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1833 hf_netlogon_dummy, 0);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
1835 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1836 hf_netlogon_reserved, NULL);
1838 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1839 hf_netlogon_reserved, NULL);
1841 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1842 hf_netlogon_reserved, NULL);
1844 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1845 hf_netlogon_reserved, NULL);
1852 * IDL typedef struct {
1853 * IDL UNICODESTRING DomainName;
1854 * IDL UNICODESTRING OEMInfo;
1855 * IDL NTTIME forcedlogoff;
1856 * IDL short minpasswdlen;
1857 * IDL short passwdhistorylen;
1858 * IDL NTTIME pwd_must_change_time;
1859 * IDL NTTIME pwd_can_change_time;
1860 * IDL NTTIME domain_modify_time;
1861 * IDL NTTIME domain_create_time;
1862 * IDL long SecurityInformation;
1863 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1864 * IDL UNICODESTRING dummy1;
1865 * IDL UNICODESTRING dummy2;
1866 * IDL UNICODESTRING dummy3;
1867 * IDL UNICODESTRING dummy4;
1872 * IDL } DELTA_DOMAIN;
/*
 * Dissects a DELTA_DOMAIN record: domain name, OEM info, forced-logoff
 * time, minimum password length, password history length, the
 * must-change / can-change password times, domain modify and create
 * times, security information and descriptor, four dummy strings and
 * four reserved values.
 */
1875 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1876 packet_info *pinfo, proto_tree *tree,
/*
 * NOTE(review): the final argument is 1 here and 0 for every other counted
 * string in this function; its meaning is not visible in this listing.
 */
1879 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1880 hf_netlogon_domain_name, 1);
1882 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1883 hf_netlogon_oem_info, 0);
/* "forcedlogoff" in the IDL */
1885 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1886 hf_netlogon_kickoff_time);
1888 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1889 hf_netlogon_minpasswdlen, NULL);
1891 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1892 hf_netlogon_passwdhistorylen, NULL);
1894 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1895 hf_netlogon_pwd_must_change_time);
1897 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1898 hf_netlogon_pwd_can_change_time);
1900 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1901 hf_netlogon_domain_modify_time);
1903 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1904 hf_netlogon_domain_create_time);
1906 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1907 hf_netlogon_security_information, NULL);
1909 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL */
1912 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1913 hf_netlogon_dummy, 0);
1915 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1916 hf_netlogon_dummy, 0);
1918 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1919 hf_netlogon_dummy, 0);
1921 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1922 hf_netlogon_dummy, 0);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
1924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1925 hf_netlogon_reserved, NULL);
1927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1928 hf_netlogon_reserved, NULL);
1930 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1931 hf_netlogon_reserved, NULL);
1933 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1934 hf_netlogon_reserved, NULL);
1941 * IDL typedef struct {
1942 * IDL UNICODESTRING groupname;
1943 * IDL GROUP_MEMBERSHIP group_membership;
1944 * IDL UNICODESTRING comment;
1945 * IDL long SecurityInformation;
1946 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1947 * IDL UNICODESTRING dummy1;
1948 * IDL UNICODESTRING dummy2;
1949 * IDL UNICODESTRING dummy3;
1950 * IDL UNICODESTRING dummy4;
1955 * IDL } DELTA_GROUP;
/*
 * Dissects a DELTA_GROUP record: group name, the embedded
 * GROUP_MEMBERSHIP, group description ("comment" in the IDL), security
 * information and descriptor, four dummy strings and four reserved values.
 */
1958 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1959 packet_info *pinfo, proto_tree *tree,
1962 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1963 hf_netlogon_group_name, 0);
1965 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1968 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1969 hf_netlogon_group_desc, 0);
1971 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1972 hf_netlogon_security_information, NULL);
1974 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL */
1977 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1978 hf_netlogon_dummy, 0);
1980 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1981 hf_netlogon_dummy, 0);
1983 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1984 hf_netlogon_dummy, 0);
1986 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1987 hf_netlogon_dummy, 0);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
1989 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1990 hf_netlogon_reserved, NULL);
1992 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1993 hf_netlogon_reserved, NULL);
1995 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1996 hf_netlogon_reserved, NULL);
1998 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1999 hf_netlogon_reserved, NULL);
2006 * IDL typedef struct {
2007 * IDL UNICODESTRING OldName;
2008 * IDL UNICODESTRING NewName;
2009 * IDL UNICODESTRING dummy1;
2010 * IDL UNICODESTRING dummy2;
2011 * IDL UNICODESTRING dummy3;
2012 * IDL UNICODESTRING dummy4;
2017 * IDL } DELTA_RENAME;
/*
 * Dissects a DELTA_RENAME record: two counted strings (OldName and
 * NewName in the IDL), four dummy strings and four reserved values.
 *
 * NOTE(review): the field arguments of the first two counted-string calls
 * are not visible in this listing; di is fetched from pinfo->private_data,
 * so they presumably come from it -- confirm.
 */
2020 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2021 packet_info *pinfo, proto_tree *tree,
2026 di=pinfo->private_data;
2028 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2031 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
/* dummy1..dummy4 of the IDL */
2034 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2035 hf_netlogon_dummy, 0);
2037 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2038 hf_netlogon_dummy, 0);
2040 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2041 hf_netlogon_dummy, 0);
2043 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2044 hf_netlogon_dummy, 0);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
2046 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2047 hf_netlogon_reserved, NULL);
2049 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2050 hf_netlogon_reserved, NULL);
2052 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2053 hf_netlogon_reserved, NULL);
2055 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2056 hf_netlogon_reserved, NULL);
/*
 * Element callback used by netlogon_dissect_RID_array: dissects one
 * 32-bit RID, shown under hf_netlogon_user_rid.
 */
2063 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2064 packet_info *pinfo, proto_tree *tree,
2067 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2068 hf_netlogon_user_rid, NULL);
/*
 * Dissects an array of RIDs by handing netlogon_dissect_RID to
 * dissect_ndr_ucarray as the per-element callback.
 *
 * NOTE(review): no element count is passed here, so the count presumably
 * comes from the packet inside dissect_ndr_ucarray -- confirm that helper
 * bounds it.
 */
2074 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2075 packet_info *pinfo, proto_tree *tree,
2078 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2079 netlogon_dissect_RID);
/*
 * Element callback used by netlogon_dissect_ATTRIB_array: dissects one
 * 32-bit attribute value, shown under hf_netlogon_attrs.
 */
2085 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2086 packet_info *pinfo, proto_tree *tree,
2089 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2090 hf_netlogon_attrs, NULL);
/*
 * Dissects an array of attribute values by handing netlogon_dissect_ATTRIB
 * to dissect_ndr_ucarray as the per-element callback.
 *
 * NOTE(review): no element count is passed here, so the count presumably
 * comes from the packet inside dissect_ndr_ucarray -- confirm that helper
 * bounds it.
 */
2096 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2097 packet_info *pinfo, proto_tree *tree,
2100 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2101 netlogon_dissect_ATTRIB);
2107 * IDL typedef struct {
2108 * IDL [unique][size_is(num_rids)] long *rids;
2109 * IDL [unique][size_is(num_rids)] long *attribs;
2110 * IDL long num_rids;
2115 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissects a DELTA_GROUP_MEMBER record: unique pointers to the RID array
 * and the attribute array, then num_rids and four reserved values.
 *
 * As in the IDL, num_rids follows the two array pointers; its value is
 * only displayed (NULL) and is not used to size the arrays in this
 * function.
 */
2118 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2119 packet_info *pinfo, proto_tree *tree,
2122 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2123 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2126 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2127 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2130 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2131 hf_netlogon_num_rids, NULL);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
2133 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2134 hf_netlogon_reserved, NULL);
2136 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2137 hf_netlogon_reserved, NULL);
2139 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2140 hf_netlogon_reserved, NULL);
2142 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2143 hf_netlogon_reserved, NULL);
2150 * IDL typedef struct {
2151 * IDL UNICODESTRING alias_name;
2153 * IDL long SecurityInformation;
2154 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2155 * IDL UNICODESTRING dummy1;
2156 * IDL UNICODESTRING dummy2;
2157 * IDL UNICODESTRING dummy3;
2158 * IDL UNICODESTRING dummy4;
2163 * IDL } DELTA_ALIAS;
/*
 * Dissects a DELTA_ALIAS record: alias name, alias RID, security
 * information and descriptor, four dummy strings and four reserved values.
 */
2166 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2167 packet_info *pinfo, proto_tree *tree,
2170 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2171 hf_netlogon_alias_name, 0);
2173 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2174 hf_netlogon_alias_rid, NULL);
2176 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2177 hf_netlogon_security_information, NULL);
2179 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL */
2182 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2183 hf_netlogon_dummy, 0);
2185 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2186 hf_netlogon_dummy, 0);
2188 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2189 hf_netlogon_dummy, 0);
2191 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2192 hf_netlogon_dummy, 0);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
2194 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2195 hf_netlogon_reserved, NULL);
2197 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2198 hf_netlogon_reserved, NULL);
2200 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2201 hf_netlogon_reserved, NULL);
2203 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2204 hf_netlogon_reserved, NULL);
2211 * IDL typedef struct {
2212 * IDL [unique] SID_ARRAY sids;
2217 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissects a DELTA_ALIAS_MEMBER record: the SID array (via
 * dissect_ndr_nt_PSID_ARRAY) followed by four reserved 32-bit values.
 */
2220 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2221 packet_info *pinfo, proto_tree *tree,
2224 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
/* four trailing 32-bit values, all shown as hf_netlogon_reserved */
2226 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2227 hf_netlogon_reserved, NULL);
2229 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2230 hf_netlogon_reserved, NULL);
2232 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2233 hf_netlogon_reserved, NULL);
2235 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2236 hf_netlogon_reserved, NULL);
/*
 * Element callback used by netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY:
 * dissects one 32-bit event audit option.
 */
2243 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2244 packet_info *pinfo, proto_tree *tree,
2247 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2248 hf_netlogon_event_audit_option, NULL);
/*
 * Dissects the event audit options array by handing
 * netlogon_dissect_EVENT_AUDIT_OPTION to dissect_ndr_ucarray as the
 * per-element callback.
 *
 * NOTE(review): no element count is passed here, so the count presumably
 * comes from the packet inside dissect_ndr_ucarray -- confirm that helper
 * bounds it.
 */
2254 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2255 packet_info *pinfo, proto_tree *tree,
2258 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2259 netlogon_dissect_EVENT_AUDIT_OPTION);
2266 * IDL typedef struct {
2267 * IDL long pagedpoollimit;
2268 * IDL long nonpagedpoollimit;
2269 * IDL long minimumworkingsetsize;
2270 * IDL long maximumworkingsetsize;
2271 * IDL long pagefilelimit;
2272 * IDL NTTIME timelimit;
2273 * IDL } QUOTA_LIMITS;
/*
 * Dissects QUOTA_LIMITS under its own subtree (ett_QUOTA_LIMITS): paged
 * and non-paged pool limits, minimum and maximum working set sizes, page
 * file limit (all 32-bit) and the time limit (NTTIME).
 *
 * The parent item is created with length 0 and resized at the end to the
 * number of bytes consumed (offset - old_offset).
 */
2276 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2277 packet_info *pinfo, proto_tree *parent_tree,
2280 proto_item *item=NULL;
2281 proto_tree *tree=NULL;
/* remember where the structure starts so its length can be set later */
2282 int old_offset=offset;
2285 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2287 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2290 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2291 hf_netlogon_pagedpoollimit, NULL);
2293 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2294 hf_netlogon_nonpagedpoollimit, NULL);
2296 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2297 hf_netlogon_minworkingsetsize, NULL);
2299 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2300 hf_netlogon_maxworkingsetsize, NULL);
2302 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2303 hf_netlogon_pagefilelimit, NULL);
2305 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2306 hf_netlogon_timelimit);
2308 proto_item_set_len(item, offset-old_offset);
2314 * IDL typedef struct {
2315 * IDL long maxlogsize;
2316 * IDL NTTIME auditretentionperiod;
2317 * IDL bool auditingmode;
2318 * IDL long maxauditeventcount;
2319 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2320 * IDL UNICODESTRING primarydomainname;
2321 * IDL [unique] SID *sid;
2322 * IDL QUOTA_LIMITS quota_limits;
2323 * IDL NTTIME db_modify_time;
2324 * IDL NTTIME db_create_time;
2325 * IDL long SecurityInformation;
2326 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2327 * IDL UNICODESTRING dummy1;
2328 * IDL UNICODESTRING dummy2;
2329 * IDL UNICODESTRING dummy3;
2330 * IDL UNICODESTRING dummy4;
2335 * IDL } DELTA_POLICY;
/*
 * Dissects a DELTA_POLICY record field by field, in the order of the IDL
 * above: log size, audit retention period, auditing mode, audit event
 * count, the optional event-audit-options array, primary domain name,
 * SID, quota limits, database modify/create times, security information,
 * security descriptor, four dummy strings and four reserved uint32s.
 * None of the values are kept; each call only adds to the tree and
 * advances offset.
 */
2338 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2339 packet_info *pinfo, proto_tree *tree,
2342 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2343 hf_netlogon_max_log_size, NULL);
2345 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2346 hf_netlogon_audit_retention_period);
/* the IDL "bool auditingmode" is read as a single byte */
2348 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2349 hf_netlogon_auditing_mode, NULL);
2351 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2352 hf_netlogon_max_audit_event_count, NULL);
/* [unique] pointer: the array dissector is handed to dissect_ndr_pointer */
2354 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2355 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2356 "Event Audit Options:", -1);
2358 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2359 hf_netlogon_domain_name, 0);
2361 offset = dissect_ndr_nt_PSID(tvb, offset,
2364 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2367 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2368 hf_netlogon_db_modify_time);
2370 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2371 hf_netlogon_db_create_time);
2373 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2374 hf_netlogon_security_information, NULL);
2376 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL: all four strings share hf_netlogon_dummy */
2379 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2380 hf_netlogon_dummy, 0);
2382 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2383 hf_netlogon_dummy, 0);
2385 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2386 hf_netlogon_dummy, 0);
2388 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2389 hf_netlogon_dummy, 0);
/* four trailing uint32s, all displayed as hf_netlogon_reserved */
2391 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2392 hf_netlogon_reserved, NULL);
2394 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2395 hf_netlogon_reserved, NULL);
2397 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2398 hf_netlogon_reserved, NULL);
2400 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2401 hf_netlogon_reserved, NULL);
/*
 * Dissects one domain controller name: a counted string displayed as
 * hf_netlogon_dc_name.
 */
2408 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2409 packet_info *pinfo, proto_tree *tree,
2412 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2413 hf_netlogon_dc_name, 0);
/*
 * Dissects the array of controller names by passing
 * netlogon_dissect_CONTROLLER to dissect_ndr_ucarray. The IDL sizes the
 * array with num_controllers, which comes from the packet.
 */
2419 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2420 packet_info *pinfo, proto_tree *tree,
2423 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2424 netlogon_dissect_CONTROLLER);
2431 * IDL typedef struct {
2432 * IDL UNICODESTRING DomainName;
2433 * IDL long num_controllers;
2434 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2435 * IDL long SecurityInformation;
2436 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2437 * IDL UNICODESTRING dummy1;
2438 * IDL UNICODESTRING dummy2;
2439 * IDL UNICODESTRING dummy3;
2440 * IDL UNICODESTRING dummy4;
2445 * IDL } DELTA_TRUSTED_DOMAINS;
/*
 * Dissects a DELTA_TRUSTED_DOMAINS record in the order of the IDL above:
 * domain name, controller count, the optional controller-name array,
 * security information, security descriptor, four dummy strings and four
 * reserved uint32s. The controller count is only displayed (NULL result
 * pointer); the array is dissected through its own [unique] pointer.
 */
2448 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2449 packet_info *pinfo, proto_tree *tree,
2452 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2453 hf_netlogon_domain_name, 0);
2455 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2456 hf_netlogon_num_controllers, NULL);
2458 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2459 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2460 "Domain Controllers:", -1);
2462 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2463 hf_netlogon_security_information, NULL);
2465 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL: all four strings share hf_netlogon_dummy */
2468 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2469 hf_netlogon_dummy, 0);
2471 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2472 hf_netlogon_dummy, 0);
2474 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2475 hf_netlogon_dummy, 0);
2477 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2478 hf_netlogon_dummy, 0);
/* four trailing uint32s, all displayed as hf_netlogon_reserved */
2480 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2481 hf_netlogon_reserved, NULL);
2483 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2484 hf_netlogon_reserved, NULL);
2486 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2487 hf_netlogon_reserved, NULL);
2489 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2490 hf_netlogon_reserved, NULL);
/*
 * Dissects one privilege attribute: a uint32 displayed as
 * hf_netlogon_attrs.
 */
2497 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2498 packet_info *pinfo, proto_tree *tree,
2501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2502 hf_netlogon_attrs, NULL);
/*
 * Dissects the privilege-attribute array by passing
 * netlogon_dissect_PRIV_ATTR to dissect_ndr_ucarray.
 */
2508 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2509 packet_info *pinfo, proto_tree *tree,
2512 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2513 netlogon_dissect_PRIV_ATTR);
/*
 * Dissects one privilege name: a counted string displayed as
 * hf_netlogon_privilege_name. The final argument is 1 here, where the
 * other counted strings in this file pass 0.
 * NOTE(review): presumably that argument is a display level for the
 * string -- confirm against dissect_ndr_counted_string.
 */
2519 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2520 packet_info *pinfo, proto_tree *tree,
2523 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2524 hf_netlogon_privilege_name, 1);
/*
 * Dissects the privilege-name array by passing
 * netlogon_dissect_PRIV_NAME to dissect_ndr_ucarray.
 */
2530 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2531 packet_info *pinfo, proto_tree *tree,
2534 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2535 netlogon_dissect_PRIV_NAME);
2543 * IDL typedef struct {
2544 * IDL long privilegeentries;
2545 * IDL long privilegecontrol;
2546 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2547 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2548 * IDL QUOTALIMITS quotalimits;
2549 * IDL long SecurityInformation;
2550 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2551 * IDL UNICODESTRING dummy1;
2552 * IDL UNICODESTRING dummy2;
2553 * IDL UNICODESTRING dummy3;
2554 * IDL UNICODESTRING dummy4;
2559 * IDL } DELTA_ACCOUNTS;
/*
 * Dissects a DELTA_ACCOUNTS record: privilege entry count, privilege
 * control, the optional privilege-attribute and privilege-name arrays,
 * quota limits, system flags, security information, security descriptor,
 * four dummy strings and four reserved uint32s.
 * NOTE(review): the hf_netlogon_systemflags uint32 read after the quota
 * limits has no counterpart in the IDL comment above -- confirm which of
 * the two reflects the wire format.
 */
2562 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2563 packet_info *pinfo, proto_tree *tree,
2566 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2567 hf_netlogon_privilege_entries, NULL);
2569 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2570 hf_netlogon_privilege_control, NULL);
/* both arrays are [unique] pointers sized by the entry count in the IDL */
2572 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2573 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2574 "PRIV_ATTR_ARRAY:", -1);
2576 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2577 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2578 "PRIV_NAME_ARRAY:", -1);
2580 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2583 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2584 hf_netlogon_systemflags, NULL);
2586 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2587 hf_netlogon_security_information, NULL);
2589 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL: all four strings share hf_netlogon_dummy */
2592 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2593 hf_netlogon_dummy, 0);
2595 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2596 hf_netlogon_dummy, 0);
2598 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2599 hf_netlogon_dummy, 0);
2601 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2602 hf_netlogon_dummy, 0);
/* four trailing uint32s, all displayed as hf_netlogon_reserved */
2604 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2605 hf_netlogon_reserved, NULL);
2607 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2608 hf_netlogon_reserved, NULL);
2610 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2611 hf_netlogon_reserved, NULL);
2613 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2614 hf_netlogon_reserved, NULL);
2620 * IDL typedef struct {
2623 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2624 * IDL } CIPHER_VALUE;
/*
 * Dissects the array behind CIPHER_VALUE.cipher_data. While
 * di->conformant_run is set nothing is dissected. Otherwise it reads a
 * uint32 shown as the maximum length and a uint32 shown as the actual
 * length, keeps the latter in data_len, and adds the cipher bytes to the
 * tree under the field index carried in di->hf_index.
 * NOTE(review): data_len comes straight from the packet. The length
 * argument of proto_tree_add_item and the statement that advances offset
 * afterwards are not visible here; confirm that the length is checked
 * against the data remaining in the tvb before offset is moved, so that
 * an oversized value cannot carry offset out of range.
 */
2627 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2628 packet_info *pinfo, proto_tree *tree,
2634 di=pinfo->private_data;
2635 if(di->conformant_run){
2636 /*just a run to handle conformant arrays, nothing to dissect */
2640 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2641 hf_netlogon_cipher_maxlen, NULL);
/* the only value in this function that is kept: the array's length */
2646 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2647 hf_netlogon_cipher_len, &data_len);
2649 proto_tree_add_item(tree, di->hf_index, tvb, offset,
/*
 * Dissects a CIPHER_VALUE structure into its own subtree
 * (ett_CYPHER_VALUE) below parent_tree: a uint32 length, a uint32
 * maximum length, then a [unique] pointer whose referent is dissected by
 * netlogon_dissect_CIPHER_VALUE_DATA.
 *
 * name and hf_index are supplied by the caller.
 * NOTE(review): presumably name labels the subtree and both are
 * forwarded through dissect_ndr_pointer so that the data dissector can
 * pick the field up from di->hf_index; the arguments that would show
 * this are not visible here -- confirm.
 */
2656 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2657 packet_info *pinfo, proto_tree *parent_tree,
2658 char *drep, char *name, int hf_index)
2660 proto_item *item=NULL;
2661 proto_tree *tree=NULL;
2662 int old_offset=offset;
2665 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2667 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
/* both lengths are only displayed here (NULL result pointers) */
2670 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2671 hf_netlogon_cipher_len, NULL);
2673 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2674 hf_netlogon_cipher_maxlen, NULL);
2676 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2677 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
/* stretch the subtree item over the bytes the fields consumed */
2680 proto_item_set_len(item, offset-old_offset);
2685 * IDL typedef struct {
2686 * IDL CIPHER_VALUE current_cipher;
2687 * IDL NTTIME current_cipher_set_time;
2688 * IDL CIPHER_VALUE old_cipher;
2689 * IDL NTTIME old_cipher_set_time;
2690 * IDL long SecurityInformation;
2691 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2692 * IDL UNICODESTRING dummy1;
2693 * IDL UNICODESTRING dummy2;
2694 * IDL UNICODESTRING dummy3;
2695 * IDL UNICODESTRING dummy4;
2700 * IDL } DELTA_SECRET;
/*
 * Dissects a DELTA_SECRET record in the order of the IDL above: current
 * cipher value and its set time, old cipher value and its set time,
 * security information, security descriptor, four dummy strings and four
 * reserved uint32s.
 * NOTE(review): the two cipher values are added to the protocol tree as
 * data fields (hf_netlogon_cipher_current_data and
 * hf_netlogon_cipher_old_data), so they also appear in anything exported
 * from the tree; a capture containing this delta presumably carries
 * replicated secret material and should be stored and shared
 * accordingly.
 */
2703 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2704 packet_info *pinfo, proto_tree *tree,
2707 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2709 "CIPHER_VALUE: current cipher value",
2710 hf_netlogon_cipher_current_data);
2712 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2713 hf_netlogon_cipher_current_set_time);
2715 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2717 "CIPHER_VALUE: old cipher value",
2718 hf_netlogon_cipher_old_data);
2720 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2721 hf_netlogon_cipher_old_set_time);
2723 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2724 hf_netlogon_security_information, NULL);
2726 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL: all four strings share hf_netlogon_dummy */
2729 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2730 hf_netlogon_dummy, 0);
2732 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2733 hf_netlogon_dummy, 0);
2735 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2736 hf_netlogon_dummy, 0);
2738 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2739 hf_netlogon_dummy, 0);
/* four trailing uint32s, all displayed as hf_netlogon_reserved */
2741 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2742 hf_netlogon_reserved, NULL);
2744 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2745 hf_netlogon_reserved, NULL);
2747 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2748 hf_netlogon_reserved, NULL);
2750 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2751 hf_netlogon_reserved, NULL);
2757 * IDL typedef struct {
2758 * IDL long low_value;
2759 * IDL long high_value;
/*
 * Dissects a MODIFIED_COUNT. The IDL above lists two longs (low_value,
 * high_value); here they are read as one NDR uint64 displayed as
 * hf_netlogon_modify_count.
 */
2763 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2764 packet_info *pinfo, proto_tree *tree,
2767 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2768 hf_netlogon_modify_count, NULL);
/*
 * Delta type codes. The numbers match the case labels of the DELTA_UNION
 * IDL below. 3, 6, 10, 15, 17 and 19 are not defined here, so a packet
 * carrying one of those values gets no name from delta_type_vals.
 */
2774 #define DT_DELTA_DOMAIN 1
2775 #define DT_DELTA_GROUP 2
2776 #define DT_DELTA_RENAME_GROUP 4
2777 #define DT_DELTA_USER 5
2778 #define DT_DELTA_RENAME_USER 7
2779 #define DT_DELTA_GROUP_MEMBER 8
2780 #define DT_DELTA_ALIAS 9
2781 #define DT_DELTA_RENAME_ALIAS 11
2782 #define DT_DELTA_ALIAS_MEMBER 12
2783 #define DT_DELTA_POLICY 13
2784 #define DT_DELTA_TRUSTED_DOMAINS 14
2785 #define DT_DELTA_ACCOUNTS 16
2786 #define DT_DELTA_SECRET 18
2787 #define DT_DELTA_DELETE_GROUP 20
2788 #define DT_DELTA_DELETE_USER 21
2789 #define DT_MODIFIED_COUNT 22
/*
 * Display names for the codes above.
 * NOTE(review): presumably attached to hf_netlogon_delta_type where the
 * field is registered -- confirm in the registration table.
 */
2790 static const value_string delta_type_vals[] = {
2791 { DT_DELTA_DOMAIN, "Domain" },
2792 { DT_DELTA_GROUP, "Group" },
2793 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2794 { DT_DELTA_USER, "User" },
2795 { DT_DELTA_RENAME_USER, "Rename User" },
2796 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2797 { DT_DELTA_ALIAS, "Alias" },
2798 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2799 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2800 { DT_DELTA_POLICY, "Policy" },
2801 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2802 { DT_DELTA_ACCOUNTS, "Accounts" },
2803 { DT_DELTA_SECRET, "Secret" },
2804 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2805 { DT_DELTA_DELETE_USER, "Delete User" },
2806 { DT_MODIFIED_COUNT, "Modified Count" },
2810 * IDL typedef [switch_type(short)] union {
2811 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2812 * IDL [case(2)][unique] DELTA_GROUP *group;
2813 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2814 * IDL [case(5)][unique] DELTA_USER *user;
2815 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2816 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2817 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2818 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2819 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2820 * IDL [case(13)][unique] DELTA_POLICY *policy;
2821 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2822 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2823 * IDL [case(18)][unique] DELTA_SECRET *secret;
2824 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2825 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2826 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2827 * IDL } DELTA_UNION;
/*
 * Dissects a DELTA_UNION into its own subtree (ett_DELTA_UNION) below
 * parent_tree. It reads the 16-bit delta type into level and then
 * dissects a [unique] pointer; the sixteen dissect_ndr_pointer calls
 * below appear in the same order as the cases of the IDL above, one
 * referent dissector per delta type.
 * NOTE(review): level is taken from the packet and the statements that
 * select among the calls are not visible here; confirm that a value
 * without a matching case dissects nothing further and still reaches the
 * proto_item_set_len call.
 */
2830 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2831 packet_info *pinfo, proto_tree *parent_tree,
2834 proto_item *item=NULL;
2835 proto_tree *tree=NULL;
2836 int old_offset=offset;
2840 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2842 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2845 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2846 hf_netlogon_delta_type, &level);
2851 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2852 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2853 "DELTA_DOMAIN:", -1);
2856 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2857 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2858 "DELTA_GROUP:", -1);
/*
 * The three rename deltas (group, user, alias) share
 * netlogon_dissect_DELTA_RENAME; they differ only in the field index
 * passed as the last argument.
 */
2861 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2862 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2863 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
2866 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2867 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2871 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2872 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2873 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
2876 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2877 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2878 "DELTA_GROUP_MEMBER:", -1);
2881 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2882 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2883 "DELTA_ALIAS:", -1);
2886 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2887 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2888 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
2891 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2892 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2893 "DELTA_ALIAS_MEMBER:", -1);
2896 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2897 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2898 "DELTA_POLICY:", -1);
2901 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2902 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2903 "DELTA_TRUSTED_DOMAINS:", -1);
2906 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2907 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2908 "DELTA_ACCOUNTS:", -1);
2911 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2912 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2913 "DELTA_SECRET:", -1);
/*
 * Delete-group reuses the delete-user dissector, as the IDL does
 * (both cases are typed DELTA_DELETE_USER); only the label differs.
 */
2916 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2917 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2918 "DELTA_DELETE_GROUP:", -1);
2921 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2922 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2923 "DELTA_DELETE_USER:", -1);
2926 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2927 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2928 "MODIFIED_COUNT:", -1);
/* stretch the subtree item over the bytes the union consumed */
2932 proto_item_set_len(item, offset-old_offset);
2938 /* IDL XXX must verify this one, especially 13-19
2939 * IDL typedef [switch_type(short)] union {
2940 * IDL [case(1)] long rid;
2941 * IDL [case(2)] long rid;
2942 * IDL [case(3)] long rid;
2943 * IDL [case(4)] long rid;
2944 * IDL [case(5)] long rid;
2945 * IDL [case(6)] long rid;
2946 * IDL [case(7)] long rid;
2947 * IDL [case(8)] long rid;
2948 * IDL [case(9)] long rid;
2949 * IDL [case(10)] long rid;
2950 * IDL [case(11)] long rid;
2951 * IDL [case(12)] long rid;
2952 * IDL [case(13)] [unique] SID *sid;
2953 * IDL [case(14)] [unique] SID *sid;
2954 * IDL [case(15)] [unique] SID *sid;
2955 * IDL [case(16)] [unique] SID *sid;
2956 * IDL [case(17)] [unique] SID *sid;
2957 * IDL [case(18)] [unique][string] wchar_t *Name ;
2958 * IDL [case(19)] [unique][string] wchar_t *Name ;
2959 * IDL [case(20)] long rid;
2960 * IDL [case(21)] long rid;
2961 * IDL } DELTA_ID_UNION;
/*
 * Dissects a DELTA_ID_UNION into its own subtree (ett_DELTA_ID_UNION)
 * below parent_tree. It reads a 16-bit discriminant into level; the
 * calls that follow line up with the IDL above: twelve uint32 RIDs
 * (cases 1-12), five SID pointers (13-17), two string pointers labelled
 * "unknown" (18-19) and two more RIDs (20-21).
 * The IDL comment itself is marked "must verify", so this layout should
 * be treated as provisional.
 * NOTE(review): level is taken from the packet and the statements that
 * select among the calls are not visible here; confirm that a value
 * outside 1-21 dissects nothing further.
 */
2964 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2965 packet_info *pinfo, proto_tree *parent_tree,
2968 proto_item *item=NULL;
2969 proto_tree *tree=NULL;
2970 int old_offset=offset;
2974 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2976 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2979 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2980 hf_netlogon_level16, &level);
/* RID arms: every one is displayed as hf_netlogon_user_rid */
2985 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2986 hf_netlogon_user_rid, NULL);
2989 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2990 hf_netlogon_user_rid, NULL);
2993 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2994 hf_netlogon_user_rid, NULL);
2997 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2998 hf_netlogon_user_rid, NULL);
3001 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3002 hf_netlogon_user_rid, NULL);
3005 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3006 hf_netlogon_user_rid, NULL);
3009 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3010 hf_netlogon_user_rid, NULL);
3013 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3014 hf_netlogon_user_rid, NULL);
3017 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3018 hf_netlogon_user_rid, NULL);
3021 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3022 hf_netlogon_user_rid, NULL);
3025 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3026 hf_netlogon_user_rid, NULL);
3029 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3030 hf_netlogon_user_rid, NULL);
/* SID arms */
3033 offset = dissect_ndr_nt_PSID(tvb, offset,
3037 offset = dissect_ndr_nt_PSID(tvb, offset,
3041 offset = dissect_ndr_nt_PSID(tvb, offset,
3045 offset = dissect_ndr_nt_PSID(tvb, offset,
3049 offset = dissect_ndr_nt_PSID(tvb, offset,
/* name arms: the string's meaning is not known, hence the label */
3053 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3054 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3055 hf_netlogon_unknown_string, 0);
3058 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3059 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3060 hf_netlogon_unknown_string, 0);
3063 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3064 hf_netlogon_user_rid, NULL);
3067 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3068 hf_netlogon_user_rid, NULL);
/* stretch the subtree item over the bytes the union consumed */
3072 proto_item_set_len(item, offset-old_offset);
3077 * IDL typedef struct {
3078 * IDL short delta_type;
3079 * IDL DELTA_ID_UNION delta_id_union;
3080 * IDL DELTA_UNION delta_union;
/*
 * Dissects one DELTA_ENUM entry into its own subtree (ett_DELTA_ENUM)
 * below parent_tree: the 16-bit delta type, then the DELTA_ID_UNION,
 * then the DELTA_UNION. The delta type read here is only displayed (NULL
 * result pointer); netlogon_dissect_DELTA_ID_UNION and
 * netlogon_dissect_DELTA_UNION each read their own 16-bit discriminant
 * from the packet.
 */
3084 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3085 packet_info *pinfo, proto_tree *parent_tree,
3088 proto_item *item=NULL;
3089 proto_tree *tree=NULL;
3090 int old_offset=offset;
3093 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3095 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3098 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3099 hf_netlogon_delta_type, NULL);
3101 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3104 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
/* stretch the subtree item over the bytes the entry consumed */
3107 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects the array of DELTA_ENUM entries by passing
 * netlogon_dissect_DELTA_ENUM to dissect_ndr_ucarray. Not to be confused
 * with netlogon_dissect_DELTA_ENUM_ARRAY (upper case), which dissects
 * the enclosing structure.
 */
3112 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3113 packet_info *pinfo, proto_tree *tree,
3116 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3117 netlogon_dissect_DELTA_ENUM);
3123 * IDL typedef struct {
3124 * IDL long num_deltas;
3125 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3126 * IDL } DELTA_ENUM_ARRAY;
/*
 * Dissects a DELTA_ENUM_ARRAY structure: the uint32 delta count followed
 * by a [unique] pointer to the array of DELTA_ENUM entries. The count is
 * only displayed (NULL result pointer); the array dissector does not
 * receive it from here.
 */
3129 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3130 packet_info *pinfo, proto_tree *tree,
3133 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3134 hf_netlogon_num_deltas, NULL);
3136 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3137 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3138 "DELTA_ENUM: deltas", -1);
3145 * IDL long NetDatabaseDeltas(
3146 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3147 * IDL [in][string][ref] wchar_t *computername,
3148 * IDL [in][ref] AUTHENTICATOR credential,
3149 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3150 * IDL [in] long database_id,
3151 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3152 * IDL [in] long preferredmaximumlength,
3153 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissects the request of NetDatabaseDeltas (IDL above): server handle
 * and computer name as [ref] string pointers, the credential and
 * return_authenticator AUTHENTICATORs, the database id, the domain
 * MODIFIED_COUNT and the preferred maximum length (displayed as
 * hf_netlogon_max_size).
 */
3157 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3158 packet_info *pinfo, proto_tree *tree, char *drep)
3160 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3161 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3163 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3164 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3166 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3167 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3168 "AUTHENTICATOR: credential", -1);
3170 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3171 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3172 "AUTHENTICATOR: return_authenticator", -1);
3174 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3175 hf_netlogon_database_id, NULL);
3177 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3178 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3179 "MODIFIED_COUNT: domain modified count", -1);
3181 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3182 hf_netlogon_max_size, NULL);
/*
 * Dissects the reply of NetDatabaseDeltas: the return authenticator, the
 * updated domain MODIFIED_COUNT, the optional DELTA_ENUM_ARRAY ([unique]
 * pointer) and the NT status return code.
 */
3187 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3188 packet_info *pinfo, proto_tree *tree, char *drep)
3190 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3191 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3192 "AUTHENTICATOR: return_authenticator", -1);
3194 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3195 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3196 "MODIFIED_COUNT: domain modified count", -1);
3198 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3199 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3200 "DELTA_ENUM_ARRAY: deltas", -1);
3202 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3203 hf_netlogon_rc, NULL);
3210 * IDL long NetDatabaseSync(
3211 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3212 * IDL [in][string][ref] wchar_t *computername,
3213 * IDL [in][ref] AUTHENTICATOR credential,
3214 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3215 * IDL [in] long database_id,
3216 * IDL [in][out][ref] long sync_context,
3217 * IDL [in] long preferredmaximumlength,
3218 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissects the request of NetDatabaseSync (IDL above): server handle and
 * computer name as [ref] string pointers, the credential and
 * return_authenticator AUTHENTICATORs, the database id, the sync context
 * and the preferred maximum length (displayed as hf_netlogon_max_size).
 * The IDL marks sync_context [ref], but it is read here as a plain
 * uint32 with no dissect_ndr_pointer call around it.
 */
3222 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3223 packet_info *pinfo, proto_tree *tree, char *drep)
3225 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3226 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3228 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3229 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3231 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3232 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3233 "AUTHENTICATOR: credential", -1);
3235 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3236 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3237 "AUTHENTICATOR: return_authenticator", -1);
3239 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3240 hf_netlogon_database_id, NULL);
3242 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3243 hf_netlogon_sync_context, NULL);
3245 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3246 hf_netlogon_max_size, NULL);
/*
 * Dissects the reply of NetDatabaseSync: the return authenticator, the
 * updated sync context, the optional DELTA_ENUM_ARRAY ([unique] pointer)
 * and the NT status return code.
 */
3253 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3254 packet_info *pinfo, proto_tree *tree, char *drep)
3256 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3257 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3258 "AUTHENTICATOR: return_authenticator", -1);
3260 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3261 hf_netlogon_sync_context, NULL);
3263 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3264 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3265 "DELTA_ENUM_ARRAY: deltas", -1);
3267 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3268 hf_netlogon_rc, NULL);
3274 * IDL typedef struct {
3275 * IDL char computer_name[16];
3276 * IDL long timecreated;
3277 * IDL long serial_number;
/*
 * Dissects a UAS_INFO_0 structure (IDL above). While di->conformant_run
 * is set nothing is dissected. Otherwise it adds the computer name as a
 * fixed 16-byte item, a 4-byte placeholder for the creation time (its
 * format is not decoded) and the serial number as a uint32.
 * The two raw items use constant lengths (16 and 4), so no length from
 * the packet is involved in this structure.
 * NOTE(review): the statements that advance offset past the two raw
 * items are not visible here -- confirm they match the 16 and 4 used in
 * the calls.
 */
3281 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3282 packet_info *pinfo, proto_tree *tree,
3287 di=pinfo->private_data;
3288 if(di->conformant_run){
3289 /*just a run to handle conformant arrays, nothing to dissect */
3293 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3296 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3299 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3300 hf_netlogon_serial_number, NULL);
/*
 * Dissects one byte of an opaque buffer: an NDR uint8 displayed as
 * hf_netlogon_unknown_char.
 */
3307 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3308 packet_info *pinfo, proto_tree *tree,
3311 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3312 hf_netlogon_unknown_char, NULL);
/*
 * Dissects an opaque byte buffer by passing netlogon_dissect_BYTE_byte
 * to dissect_ndr_ucarray.
 * NOTE(review): presumably this adds one tree item per byte, so a large
 * buffer produces a correspondingly large tree -- confirm whether that
 * matters for the captures this is used on.
 */
3318 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3319 packet_info *pinfo, proto_tree *tree,
3322 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3323 netlogon_dissect_BYTE_byte);
3329 * IDL long NetAccountDelta(
3330 * IDL [in][string][unique] wchar_t *logonserver,
3331 * IDL [in][string][ref] wchar_t *computername,
3332 * IDL [in][ref] AUTHENTICATOR credential,
3333 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3334 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3335 * IDL [out][ref] long count_returned,
3336 * IDL [out][ref] long total_entries,
3337 * IDL [in][out][ref] UAS_INFO_0 recordid,
3338 * IDL [in][long] count,
3339 * IDL [in][long] level,
3340 * IDL [in][long] buffersize,
/*
 * Dissects the request of NetAccountDelta (IDL above): the logon server
 * handle, the computer name, the credential and return_authenticator
 * AUTHENTICATORs, the UAS_INFO_0 record id, then count, level and buffer
 * size (the last displayed as hf_netlogon_max_size). Only the [in]
 * parameters of the IDL appear here.
 */
3344 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
3345 packet_info *pinfo, proto_tree *tree, char *drep)
3347 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3350 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3351 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3353 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3354 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3355 "AUTHENTICATOR: credential", -1);
3357 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3358 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3359 "AUTHENTICATOR: return_authenticator", -1);
3361 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3362 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3363 "UAS_INFO_0: RecordID", -1);
3365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3366 hf_netlogon_count, NULL);
3368 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3369 hf_netlogon_level, NULL);
3371 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3372 hf_netlogon_max_size, NULL);
/*
 * Dissects the reply of NetAccountDelta: the return authenticator, the
 * returned buffer as a byte array, the returned count, the total number
 * of entries, the UAS_INFO_0 record id and the NT status return code.
 * The IDL sizes Buffer with count_returned, which is dissected after the
 * buffer and only displayed.
 */
3377 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
3378 packet_info *pinfo, proto_tree *tree, char *drep)
3380 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3381 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3382 "AUTHENTICATOR: return_authenticator", -1);
3384 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3385 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3386 "BYTE_array: Buffer", -1);
3388 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3389 hf_netlogon_count, NULL);
3391 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3392 hf_netlogon_entries, NULL);
3394 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3395 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3396 "UAS_INFO_0: RecordID", -1);
3398 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3399 hf_netlogon_rc, NULL);
3406 * IDL long NetAccountDelta(
3407 * IDL [in][string][unique] wchar_t *logonserver,
3408 * IDL [in][string][ref] wchar_t *computername,
3409 * IDL [in][ref] AUTHENTICATOR credential,
3410 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3411 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3412 * IDL [out][ref] long count_returned,
3413 * IDL [out][ref] long total_entries,
3414 * IDL [out][ref] long next_reference,
3415 * IDL [in][long] reference,
3416 * IDL [in][long] level,
3417 * IDL [in][long] buffersize,
3418 * IDL [in][out][ref] UAS_INFO_0 recordid,
/*
 * Dissects the request of the account-sync call: the logon server
 * handle, the computer name, the credential and return_authenticator
 * AUTHENTICATORs, then reference, level and buffer size (the last
 * displayed as hf_netlogon_max_size).
 * NOTE(review): the IDL comment above is headed NetAccountDelta although
 * its parameters (reference, next_reference) are the ones dissected by
 * this request/reply pair; it looks like a copied heading -- confirm.
 * NOTE(review): that IDL also lists recordid as [in][out], yet no
 * UAS_INFO_0 is dissected in this request -- confirm against a capture.
 */
3422 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
3423 packet_info *pinfo, proto_tree *tree, char *drep)
3425 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3428 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3429 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3431 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3432 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3433 "AUTHENTICATOR: credential", -1);
3435 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3436 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3437 "AUTHENTICATOR: return_authenticator", -1);
3439 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3440 hf_netlogon_reference, NULL);
3442 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3443 hf_netlogon_level, NULL);
3445 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3446 hf_netlogon_max_size, NULL);
/*
 * Dissects the reply of the account-sync call: the return authenticator,
 * the returned buffer as a byte array, the returned count, the total
 * number of entries, the next reference, the UAS_INFO_0 record id and
 * the NT status return code.
 */
3451 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
3452 packet_info *pinfo, proto_tree *tree, char *drep)
3454 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3455 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3456 "AUTHENTICATOR: return_authenticator", -1);
3458 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3459 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3460 "BYTE_array: Buffer", -1);
3462 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3463 hf_netlogon_count, NULL);
3465 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3466 hf_netlogon_entries, NULL);
3468 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3469 hf_netlogon_next_reference, NULL);
3471 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3472 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3473 "UAS_INFO_0: RecordID", -1);
3475 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3476 hf_netlogon_rc, NULL);
3483 * IDL long NetGetDCName(
3484 * IDL [in][ref][string] wchar_t *logon_server,
3485 * IDL [in][unique][string] wchar_t *domainname,
3486 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect a NetGetDCName request: the logon server name (ref string)
 * followed by the optional domain name (unique string).
 *
 * Returns the offset after the domain name pointer.
 */
static int
netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF, "Server Handle",
		hf_netlogon_logonsrv_handle, 0);

	return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Domain",
		hf_netlogon_domain_name, 0);
}
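/*
 * Dissect a NetGetDCName reply: the returned domain controller name
 * (unique string) followed by the NT status code.
 *
 * The pointer is labelled "DC Name" to match the field it is stored
 * under (hf_netlogon_dc_name) and the label used for the same field in
 * DOMAIN_CONTROLLER_INFO; the previous "Domain" label described the
 * request parameter, not the value returned here.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}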
3517 * IDL typedef struct {
3519 * IDL long pdc_connection_status;
3520 * IDL } NETLOGON_INFO_1;
/*
 * Dissect a NETLOGON_INFO_1 structure: two 32-bit values, the flags
 * word and the PDC connection status.
 *
 * Returns the offset after the second value.
 */
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_flags, NULL);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_pdc_connection_status, NULL);
}
3538 * IDL typedef struct {
3540 * IDL long pdc_connection_status;
3541 * IDL [unique][string] wchar_t trusted_dc_name;
3542 * IDL long tc_connection_status;
3543 * IDL } NETLOGON_INFO_2;
/*
 * Dissect a NETLOGON_INFO_2 structure: flags, PDC connection status,
 * the trusted DC name (unique string) and the trusted-channel
 * connection status.
 *
 * Returns the offset after the last value.
 */
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_flags, NULL);
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_pdc_connection_status, NULL);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Trusted DC Name",
		hf_netlogon_trusted_dc_name, 0);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_tc_connection_status, NULL);
}
3568 * IDL typedef struct {
3570 * IDL long logon_attempts;
3571 * IDL long reserved;
3572 * IDL long reserved;
3573 * IDL long reserved;
3574 * IDL long reserved;
3575 * IDL long reserved;
3576 * IDL } NETLOGON_INFO_3;
/*
 * Dissect a NETLOGON_INFO_3 structure: flags, logon attempts, then five
 * reserved 32-bit values that are all displayed under the same
 * hf_netlogon_reserved field.
 *
 * Returns the offset after the last reserved value.
 */
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	int i;

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_flags, NULL);
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_logon_attempts, NULL);

	/* Five trailing reserved longs. */
	for (i = 0; i < 5; i++) {
		offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
			hf_netlogon_reserved, NULL);
	}

	return offset;
}
3609 * IDL typedef [switch_type(long)] union {
3610 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3611 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3612 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3613 * IDL } CONTROL_QUERY_INFORMATION;
/*
 * Dissect the CONTROL_QUERY_INFORMATION union.
 *
 * The 32-bit discriminant is read from the PDU and selects which
 * unique pointer follows: NETLOGON_INFO_1, _2 or _3 for levels 1 to 3.
 * The level is sender-controlled; a value outside 1..3 matches no arm,
 * so nothing further is dissected for the union and the offset stays
 * where the discriminant (plus alignment) left it.
 *
 * Returns the offset after the selected arm, if any.
 */
static int
netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	guint32 level;

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_level, &level);

	/* Union arms start on a 4-byte boundary. */
	ALIGN_TO_4_BYTES;

	switch (level) {
	case 1:
		offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
			netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
			"NETLOGON_INFO_1:", -1);
		break;
	case 2:
		offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
			netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
			"NETLOGON_INFO_2:", -1);
		break;
	case 3:
		offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
			netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
			"NETLOGON_INFO_3:", -1);
		break;
	}

	return offset;
}
3649 * IDL long NetLogonControl(
3650 * IDL [in][string][unique] wchar_t *logonserver,
3651 * IDL [in] long function_code,
3652 * IDL [in] long level,
3653 * IDL [out][ref] CONTROL_QUERY_INFORMATION
/*
 * Dissect a NetLogonControl request: logon server handle, function
 * code and information level.
 *
 * Returns the offset after the level.
 */
static int
netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_code, NULL);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_level, NULL);
}
/*
 * Dissect a NetLogonControl reply: the CONTROL_QUERY_INFORMATION union
 * (ref pointer) followed by the NT status code.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
		"CONTROL_QUERY_INFORMATION:", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);
}
3687 * IDL long NetGetDCName(
3688 * IDL [in][unique][string] wchar_t *logon_server,
3689 * IDL [in][unique][string] wchar_t *domainname,
3690 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect the get-any-DC-name request: logon server name and domain
 * name, both optional (unique) strings.
 *
 * Returns the offset after the domain name pointer.
 */
static int
netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Server Handle",
		hf_netlogon_logonsrv_handle, 0);

	return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Domain",
		hf_netlogon_domain_name, 0);
}
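/*
 * Dissect the get-any-DC-name reply: the returned domain controller
 * name (unique string) followed by the NT status code.
 *
 * The pointer is labelled "DC Name" so the label agrees with the field
 * the value is stored under (hf_netlogon_dc_name); the previous
 * "Domain" label was the request parameter's name.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}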
3721 * IDL typedef [switch_type(long)] union {
3722 * IDL [case(5)] [unique][string] wchar_t *unknown;
3723 * IDL [case(6)] [unique][string] wchar_t *unknown;
3724 * IDL [case(0xfffe)] long unknown;
3725 * IDL [case(7)] [unique][string] wchar_t *unknown;
3726 * IDL } CONTROL_DATA_INFORMATION;
3729 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3730 * to look like. However, NetMon does not recognize any such information levels.
3732 * I'll leave it as CONTROL_DATA_INFORMATION with no information levels
3733 * until someone has a source of better authority to call upon.
/*
 * Dissect the CONTROL_DATA_INFORMATION union.
 *
 * The 32-bit discriminant read from the PDU picks the arm: levels 5, 6
 * and 7 carry a unique string, level 0xfffe carries a 32-bit value.
 * None of the arms has a known meaning, so they are shown as "unknown".
 * Any other level matches no arm and nothing more is dissected here.
 *
 * Returns the offset after the selected arm, if any.
 */
static int
netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	guint32 level;

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_level, &level);

	/* Union arms start on a 4-byte boundary. */
	ALIGN_TO_4_BYTES;

	switch (level) {
	case 5:
		offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
			tree, drep, NDR_POINTER_UNIQUE, "unknown",
			hf_netlogon_unknown_string, 0);
		break;
	case 6:
		offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
			tree, drep, NDR_POINTER_UNIQUE, "unknown",
			hf_netlogon_unknown_string, 0);
		break;
	case 0xfffe:
		offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
			hf_netlogon_unknown_long, NULL);
		break;
	case 7:
		offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
			tree, drep, NDR_POINTER_UNIQUE, "unknown",
			hf_netlogon_unknown_string, 0);
		break;
	}

	return offset;
}
3773 * IDL long NetLogonControl2(
3774 * IDL [in][string][unique] wchar_t *logonserver,
3775 * IDL [in] long function_code,
3776 * IDL [in] long level,
3777 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3778 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Dissect a NetLogonControl2 request: logon server handle, function
 * code, information level and the CONTROL_DATA_INFORMATION union
 * (ref pointer).
 *
 * Returns the offset after the union.
 */
static int
netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_code, NULL);
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_level, NULL);

	return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
		"CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect a NetLogonControl2 reply: the CONTROL_QUERY_INFORMATION union
 * (ref pointer) followed by the NT status code.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
		"CONTROL_QUERY_INFORMATION:", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);
}
3817 * IDL long NetServerAuthenticate2(
3818 * IDL [in][string][unique] wchar_t *logonserver,
3819 * IDL [in][ref][string] wchar_t *username,
3820 * IDL [in] short secure_channel_type,
3821 * IDL [in][ref][string] wchar_t *computername,
3822 * IDL [in][ref] CREDENTIAL *client_chal,
3823 * IDL [out][ref] CREDENTIAL *server_chal,
3824 * IDL [in][out][ref] long *negotiate_flags,
/*
 * Dissect a NetServerAuthenticate2 request.
 *
 * Wire order: logon server handle, account name, secure channel type,
 * computer name, the client challenge CREDENTIAL and the 32-bit
 * negotiate flags. The account name is dissected through
 * cb_wstr_postprocess with CB_STR_COL_INFO set.
 *
 * Returns the offset after the negotiate flags.
 */
static int
netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
		dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
		"User Name", hf_netlogon_acct_name,
		cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));

	offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF, "Computer Name",
		hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
		"CREDENTIAL: client_chal", -1);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_neg_flags, NULL);
}
/*
 * Dissect a NetServerAuthenticate2 reply: the server challenge
 * CREDENTIAL, the negotiate flags the server answered with, and the NT
 * status code.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
		"CREDENTIAL: server_chal", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_neg_flags, NULL);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);
}
3875 * IDL long NetDatabaseSync2(
3876 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3877 * IDL [in][string][ref] wchar_t *computername,
3878 * IDL [in][ref] AUTHENTICATOR credential,
3879 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3880 * IDL [in] long database_id,
3881 * IDL [in] short restart_state,
3882 * IDL [in][out][ref] long *sync_context,
3883 * IDL [in] long preferredmaximumlength,
3884 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetDatabaseSync2 request.
 *
 * Wire order: logon server and computer name (both ref strings), the
 * credential and return AUTHENTICATORs, database id (32 bit), restart
 * state (16 bit), sync context (32 bit) and preferred maximum length
 * (32 bit).
 *
 * Returns the offset after the maximum length.
 */
static int
netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF, "Server Handle",
		hf_netlogon_logonsrv_handle, 0);
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF, "Computer Name",
		hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1);
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_database_id, NULL);

	/* restart_state is the only 16-bit field in this request */
	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
		hf_netlogon_restart_state, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_sync_context, NULL);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetDatabaseSync2 reply: return AUTHENTICATOR, updated sync
 * context, the optional DELTA_ENUM_ARRAY and the NT status code.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_sync_context, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
		"DELTA_ENUM_ARRAY: deltas", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);
}
3943 * IDL long NetDatabaseRedo(
3944 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3945 * IDL [in][string][ref] wchar_t *computername,
3946 * IDL [in][ref] AUTHENTICATOR credential,
3947 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3948 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3949 * IDL [in] long change_log_entry_size,
3950 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetDatabaseRedo request.
 *
 * Wire order: logon server and computer name (both ref strings), the
 * credential and return AUTHENTICATORs, the change log entry as a
 * BYTE_array, and its 32-bit size.
 *
 * Returns the offset after the size field.
 */
static int
netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF, "Server Handle",
		hf_netlogon_logonsrv_handle, 0);
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF, "Computer Name",
		hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1);
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array, NDR_POINTER_REF,
		"Change log entry: ", -1);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_max_log_size, NULL);
}
/*
 * Dissect a NetDatabaseRedo reply: return AUTHENTICATOR, the optional
 * DELTA_ENUM_ARRAY and the NT status code.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
		"DELTA_ENUM_ARRAY: deltas", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);
}
4000 /* XXX NetMon does not recognize this as a valid function. Muddle, however,
4001 * tells us what parameters it takes but not their names.
4002 * It looks similar to logoncontrol2. Perhaps it is logoncontrol3?
4005 * IDL long NetFunction_12(
4006 * IDL [in][string][unique] wchar_t *logonserver,
4007 * IDL [in] long function_code,
4008 * IDL [in] long level,
4009 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4010 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Dissect the request of the unnamed function 0x12. The layout is the
 * same as the NetLogonControl2 request: logon server handle, function
 * code, level and the CONTROL_DATA_INFORMATION union (ref pointer).
 *
 * Returns the offset after the union.
 */
static int
netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_code, NULL);
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_level, NULL);

	return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
		"CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect the reply of the unnamed function 0x12: the
 * CONTROL_QUERY_INFORMATION union (ref pointer) followed by the NT
 * status code.
 *
 * Returns the offset produced by the status dissector.
 */
static int
netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
		"CONTROL_QUERY_INFORMATION:", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);
}
4050 /* Updated above this line */
4052 static const value_string trust_type_vals[] = {
/* Kinds of address a domain controller can be reported under. */
#define DS_INET_ADDRESS		1
#define DS_NETBIOS_ADDRESS	2

/* Display names for the address type values above. */
static const value_string dc_address_types[] = {
	{ DS_INET_ADDRESS,	"IP/DNS name" },
	{ DS_NETBIOS_ADDRESS,	"NetBIOS name" },
	{ 0, NULL }
};
/* Bits of the domain trust flags word. */
#define DS_DOMAIN_IN_FOREST		0x0001
#define DS_DOMAIN_DIRECT_OUTBOUND	0x0002
#define DS_DOMAIN_TREE_ROOT		0x0004
#define DS_DOMAIN_PRIMARY		0x0008
#define DS_DOMAIN_NATIVE_MODE		0x0010
#define DS_DOMAIN_DIRECT_INBOUND	0x0020

/*
 * Display strings for the individual trust flag bits. In each pair the
 * first string is shown when the bit is set, the second when it is
 * clear.
 */
static const true_false_string trust_inbound = {
	"There is a DIRECT INBOUND trust for the servers domain",
	"There is NO direct inbound trust for the servers domain"
};

static const true_false_string trust_outbound = {
	"There is a DIRECT OUTBOUND trust for this domain",
	"There is NO direct outbound trust for this domain"
};

static const true_false_string trust_in_forest = {
	"The domain is a member IN the same FOREST as the queried server",
	"The domain is NOT a member of the queried servers domain"
};

static const true_false_string trust_native_mode = {
	"The primary domain is a NATIVE MODE w2k domain",
	"The primary is NOT a native mode w2k domain"
};

static const true_false_string trust_primary = {
	"The domain is the PRIMARY domain of the queried server",
	"The domain is NOT the primary domain of the queried server"
};

static const true_false_string trust_tree_root = {
	"The domain is the ROOT of a domain TREE",
	"The domain is NOT a root of a domain tree"
};
/*
 * Dissect the 32-bit domain trust flags word and break it out into one
 * boolean item per known flag.
 *
 * Nothing is done on a conformant run. Otherwise the word is fetched
 * with a NULL tree (so no item is added for it by the NDR helper), a
 * summary item and subtree are created under parent_tree when one is
 * given, and the flag bits are added beneath it.
 *
 * Returns the offset after the flags word.
 */
static int
netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *parent_tree, char *drep)
{
	guint32 mask;
	int flags_start;
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	dcerpc_info *di = pinfo->private_data;

	if (di->conformant_run) {
		/* pass that only sizes conformant arrays: nothing to show */
		return offset;
	}

	offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
		hf_netlogon_trust_flags, &mask);
	flags_start = offset - 4;	/* the word just consumed */

	if (parent_tree) {
		item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
			tvb, flags_start, 4, mask);
		tree = proto_item_add_subtree(item, ett_trust_flags);
	}

	proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
		tvb, flags_start, 4, mask);

	return offset;
}
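/* Bits of the flags word sent with a get-DC-name request. */
#define DS_FORCE_REDISCOVERY		0x00000001
#define DS_DIRECTORY_SERVICE_REQUIRED	0x00000010
#define DS_DIRECTORY_SERVICE_PREFERRED	0x00000020
#define DS_GC_SERVER_REQUIRED		0x00000040
#define DS_PDC_REQUIRED			0x00000080
#define DS_BACKGROUND_ONLY		0x00000100
#define DS_IP_REQUIRED			0x00000200
#define DS_KDC_REQUIRED			0x00000400
#define DS_TIMESERV_REQUIRED		0x00000800
#define DS_WRITABLE_REQUIRED		0x00001000
#define DS_GOOD_TIMESERV_PREFERRED	0x00002000
#define DS_AVOID_SELF			0x00004000
#define DS_ONLY_LDAP_NEEDED		0x00008000
#define DS_IS_FLAT_NAME			0x00010000
#define DS_IS_DNS_NAME			0x00020000
#define DS_RETURN_DNS_NAME		0x40000000
#define DS_RETURN_FLAT_NAME		0x80000000

/*
 * Display strings for the request flag bits; first string when the bit
 * is set, second when it is clear. Spelling mistakes in four of the
 * displayed strings ("DIRECRTORY", "cahced", "requrned", "ther") are
 * corrected here; the strings are display-only.
 */
static const true_false_string get_dcname_request_flags_force_rediscovery = {
	"FORCE REDISCOVERY of any cached data",
	"You may return cached data"
};
static const true_false_string get_dcname_request_flags_directory_service_required = {
	"DIRECTORY SERVICE is REQUIRED on the server",
	"We do NOT require directory service servers"
};
static const true_false_string get_dcname_request_flags_directory_service_preferred = {
	"DIRECTORY SERVICE servers are PREFERRED",
	"We do NOT have a preference for directory service servers"
};
static const true_false_string get_dcname_request_flags_gc_server_required = {
	"GC SERVER is REQUIRED",
	"gc server is NOT required"
};
static const true_false_string get_dcname_request_flags_pdc_required = {
	"PDC SERVER is REQUIRED",
	"pdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_background_only = {
	"Only return cached data, even if it has expired",
	"Return cached data unless it has expired"
};
static const true_false_string get_dcname_request_flags_ip_required = {
	"IP address is REQUIRED",
	"ip address is NOT required"
};
static const true_false_string get_dcname_request_flags_kdc_required = {
	"KDC server is REQUIRED",
	"kdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_timeserv_required = {
	"TIMESERV service is REQUIRED",
	"timeserv service is NOT required"
};
static const true_false_string get_dcname_request_flags_writable_required = {
	"the returned dc MUST be WRITEABLE",
	"a read-only dc may be returned"
};
static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
	"GOOD TIMESERV servers are PREFERRED",
	"we do NOT have a preference for good timeserv servers"
};
static const true_false_string get_dcname_request_flags_avoid_self = {
	"do NOT return self as dc, return someone else",
	"you may return yourSELF as the dc"
};
static const true_false_string get_dcname_request_flags_only_ldap_needed = {
	"we ONLY NEED LDAP, you dont have to return a dc",
	"we need a normal dc, an ldap only server will not do"
};
static const true_false_string get_dcname_request_flags_is_flat_name = {
	"the name we specify is a NetBIOS name",
	"the name we specify is NOT a NetBIOS name"
};
static const true_false_string get_dcname_request_flags_is_dns_name = {
	"the name we specify is a DNS name",
	"the name we specify is NOT a dns name"
};
static const true_false_string get_dcname_request_flags_return_dns_name = {
	"return a DNS name",
	"you may return a NON-dns name"
};
static const true_false_string get_dcname_request_flags_return_flat_name = {
	"return a NetBIOS name",
	"you may return a NON-NetBIOS name"
};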
/*
 * Dissect the 32-bit get-DC-name request flags word and break it out
 * into one boolean item per known flag, highest bit first.
 *
 * Nothing is done on a conformant run. Otherwise the word is fetched
 * with a NULL tree, a summary item and subtree are created under
 * parent_tree when one is given, and the flag bits are added beneath
 * it.
 *
 * Returns the offset after the flags word.
 */
static int
netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *parent_tree, char *drep)
{
	guint32 mask;
	int flags_start;
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	dcerpc_info *di = pinfo->private_data;

	if (di->conformant_run) {
		/* pass that only sizes conformant arrays: nothing to show */
		return offset;
	}

	offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
		hf_netlogon_get_dcname_request_flags, &mask);
	flags_start = offset - 4;	/* the word just consumed */

	if (parent_tree) {
		item = proto_tree_add_uint(parent_tree,
			hf_netlogon_get_dcname_request_flags,
			tvb, flags_start, 4, mask);
		tree = proto_item_add_subtree(item,
			ett_get_dcname_request_flags);
	}

	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_return_flat_name,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_return_dns_name,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_is_flat_name,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_is_dns_name,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_only_ldap_needed,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_avoid_self,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_writable_required,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_timeserv_required,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_kdc_required,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_ip_required,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_background_only,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_pdc_required,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_gc_server_required,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_directory_service_preferred,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_directory_service_required,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree,
		hf_netlogon_get_dcname_request_flags_force_rediscovery,
		tvb, flags_start, 4, mask);

	return offset;
}
/* Bits of the flags word describing a returned domain controller. */
#define DS_PDC_FLAG		0x00000001
#define DS_GC_FLAG		0x00000004
#define DS_LDAP_FLAG		0x00000008
#define DS_DS_FLAG		0x00000010
#define DS_KDC_FLAG		0x00000020
#define DS_TIMESERV_FLAG	0x00000040
#define DS_CLOSEST_FLAG		0x00000080
#define DS_WRITABLE_FLAG	0x00000100
#define DS_GOOD_TIMESERV_FLAG	0x00000200
#define DS_NDNC_FLAG		0x00000400
#define DS_DNS_CONTROLLER_FLAG	0x20000000
#define DS_DNS_DOMAIN_FLAG	0x40000000
#define DS_DNS_FOREST_FLAG	0x80000000

/*
 * Display strings for the domain controller flag bits; first string
 * when the bit is set, second when it is clear.
 */
static const true_false_string dc_flags_pdc_flag = {
	"this is the PDC of the domain",
	"this is NOT the pdc of the domain"
};
static const true_false_string dc_flags_gc_flag = {
	"this is the GC of the forest",
	"this is NOT the gc of the forest"
};
static const true_false_string dc_flags_ldap_flag = {
	"this is an LDAP server",
	"this is NOT an ldap server"
};
static const true_false_string dc_flags_ds_flag = {
	"this is a DS server",
	"this is NOT a ds server"
};
static const true_false_string dc_flags_kdc_flag = {
	"this is a KDC server",
	"this is NOT a kdc server"
};
static const true_false_string dc_flags_timeserv_flag = {
	"this is a TIMESERV server",
	"this is NOT a timeserv server"
};
static const true_false_string dc_flags_closest_flag = {
	"this is the CLOSEST server",
	"this is NOT the closest server"
};
static const true_false_string dc_flags_writable_flag = {
	"this server has a WRITABLE ds database",
	"this server has a READ-ONLY ds database"
};
static const true_false_string dc_flags_good_timeserv_flag = {
	"this server is a GOOD TIMESERV server",
	"this is NOT a good timeserv server"
};
4338 static const true_false_string dc_flags_ndnc_flag = {
/*
 * Display strings for the three name-format bits of the domain
 * controller flags; first string when the bit is set, second when it
 * is clear.
 */
static const true_false_string dc_flags_dns_controller_flag = {
	"DomainControllerName is a DNS name",
	"DomainControllerName is NOT a dns name"
};
static const true_false_string dc_flags_dns_domain_flag = {
	"DomainName is a DNS name",
	"DomainName is NOT a dns name"
};
static const true_false_string dc_flags_dns_forest_flag = {
	"DnsForestName is a DNS name",
	"DnsForestName is NOT a dns name"
};
/*
 * Dissect the 32-bit domain controller flags word and break it out
 * into one boolean item per known flag, highest bit first.
 *
 * Nothing is done on a conformant run. Otherwise the word is fetched
 * with a NULL tree and, when parent_tree is given, a summary item is
 * added whose text carries the raw value; the value 0x0000ffff is
 * additionally tagged as a PING in that text.
 *
 * Returns the offset after the flags word.
 */
static int
netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *parent_tree, char *drep)
{
	guint32 mask;
	int flags_start;
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	dcerpc_info *di = pinfo->private_data;

	if (di->conformant_run) {
		/* pass that only sizes conformant arrays: nothing to show */
		return offset;
	}

	offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
		hf_netlogon_dc_flags, &mask);
	flags_start = offset - 4;	/* the word just consumed */

	if (parent_tree) {
		item = proto_tree_add_uint_format(parent_tree,
			hf_netlogon_dc_flags, tvb, flags_start, 4, mask,
			"Domain Controller Flags: 0x%08x%s", mask,
			(mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
		tree = proto_item_add_subtree(item, ett_dc_flags);
	}

	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
		tvb, flags_start, 4, mask);
	proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
		tvb, flags_start, 4, mask);

	return offset;
}
/*
 * Pointer target callback for a single 32-bit value. The field to
 * display it under is not fixed: it is taken from hf_index in the
 * dcerpc_info hanging off pinfo->private_data.
 *
 * Returns the offset after the value.
 */
static int
netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	dcerpc_info *di = pinfo->private_data;

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		di->hf_index, NULL);
}
/*
 * Pointer target callback for a single 8-bit value. The field to
 * display it under is taken from hf_index in the dcerpc_info hanging
 * off pinfo->private_data.
 *
 * Returns the offset after the value.
 */
static int
netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	dcerpc_info *di = pinfo->private_data;

	return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
		di->hf_index, NULL);
}
/*
 * Dissect a pointer to a wide-character string and wrap it in its own
 * subtree.
 *
 * type      NDR pointer type passed through to dissect_ndr_pointer_cb()
 * hf_index  field the string is displayed under; its registered name
 *           is also used as the subtree label
 * callback  post-processing callback handed to dissect_ndr_pointer_cb()
 *
 * Nothing is done on a conformant run. The subtree item is created
 * with length -1 and resized once the pointer has been dissected.
 *
 * Returns the offset after the pointer.
 */
static int
netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *parent_tree,
	char *drep, int type, int hf_index, dcerpc_callback_fnct_t *callback)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int start = offset;
	dcerpc_info *di = pinfo->private_data;
	char *name;

	if (di->conformant_run) {
		/* pass that only sizes conformant arrays: nothing to show */
		return offset;
	}

	name = proto_registrar_get_name(hf_index);
	if (parent_tree) {
		/* name goes through "%s", never as the format itself */
		item = proto_tree_add_text(parent_tree, tvb, offset, -1,
			"%s", name);
		tree = proto_item_add_subtree(item, ett_nt_unicode_string);
	}

	offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
		dissect_ndr_wchar_cvstring, type,
		name, hf_index, callback, NULL);

	proto_item_set_len(item, offset - start);
	return offset;
}
/*
 * Element callback for the UNICODE_MULTI array: one byte, shown under
 * hf_netlogon_unknown_char.
 *
 * Returns the offset after the byte.
 */
static int
netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_char, NULL);
}
/*
 * Pointer target callback for UNICODE_MULTI: hands the array to
 * dissect_ndr_ucarray(), which calls
 * netlogon_dissect_UNICODE_MULTI_byte for the elements.
 *
 * Returns the offset after the array.
 */
static int
netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree,
	char *drep)
{
	return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_UNICODE_MULTI_byte);
}
/*
 * Dissects a UNICODE_MULTI structure into its own subtree under
 * parent_tree: a 32-bit length followed by a unique pointer to an
 * array dissected by netlogon_dissect_UNICODE_MULTI_array.
 *
 * The length value is displayed only (the out parameter is NULL); it
 * is not used here to bound the array that follows.
 */
4492 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4493 packet_info *pinfo, proto_tree *parent_tree,
4496 proto_item *item=NULL;
4497 proto_tree *tree=NULL;
/* start of the structure, used to size the subtree item afterwards */
4498 int old_offset=offset;
/* item is created with length 0 and resized by proto_item_set_len below */
4501 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4503 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4506 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4507 hf_netlogon_len, NULL);
4509 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4510 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4511 "unknown", hf_netlogon_unknown_string);
/* cover everything consumed since old_offset */
4513 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a GUID at offset by delegating to dissect_ndr_uuid_t(); the
 * value is displayed under hf_netlogon_guid and is not handed back to
 * the caller (the last argument is NULL).
 */
4518 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4519 packet_info *pinfo, proto_tree *tree,
4522 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
/*
 * Dissect a DOMAIN_CONTROLLER_INFO structure into its own subtree.
 *
 * Wire order: DC name, DC address, address type, GUID, logon domain,
 * DNS forest name, the DC flags word, DC site name and client site
 * name. All strings are unique pointers.
 *
 * The subtree item is created with length 0 and resized once the
 * structure has been consumed.
 *
 * Returns the offset after the client site name pointer.
 */
static int
netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *parent_tree,
	char *drep)
{
	proto_item *item = NULL;
	proto_tree *tree = NULL;
	int start = offset;

	if (parent_tree) {
		item = proto_tree_add_text(parent_tree, tvb, offset, 0,
			"DOMAIN_CONTROLLER_INFO:");
		tree = proto_item_add_subtree(item,
			ett_DOMAIN_CONTROLLER_INFO);
	}

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_dc_address_type, NULL);

	offset = dissect_nt_GUID(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "DNS Forest",
		hf_netlogon_dns_forest_name, 0);

	offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Client Site",
		hf_netlogon_client_site_name, 0);

	proto_item_set_len(item, offset - start);
	return offset;
}
/*
 * Decodes the body of a BLOB: a uint32 size (hf_netlogon_blob_size),
 * captured into len, then an hf_netlogon_blob item of len bytes at the
 * current offset. Does nothing useful during a conformant run.
 */
4574 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4575 packet_info *pinfo, proto_tree *tree,
4581 di=pinfo->private_data;
4582 if(di->conformant_run){
4583 /*just a run to handle conformant arrays, nothing to dissect.*/
/* len is read straight from the packet and is therefore untrusted. */
4587 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4588 hf_netlogon_blob_size, &len);
/*
 * NOTE(review): len is used as the item length with no explicit range
 * check in the lines shown. This presumably relies on the tvbuff layer
 * rejecting a length that runs past the captured data -- confirm, and
 * confirm that any later advance of the signed offset by len (not visible
 * here) cannot wrap or skip the check when tree is NULL.
 */
4590 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
/*
 * Dissects a BLOB header under its own subtree (ett_BLOB): a uint32 size
 * (hf_netlogon_blob_size) followed by a unique pointer whose referent is
 * decoded by netlogon_dissect_BLOB_array.
 */
4598 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4599 packet_info *pinfo, proto_tree *parent_tree,
4602 proto_item *item=NULL;
4603 proto_tree *tree=NULL;
4606 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4608 tree = proto_item_add_subtree(item, ett_BLOB);
/*
 * The size here is display-only (NULL out-pointer); the array callback
 * reads its own size field, and the two are not compared.
 */
4611 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4612 hf_netlogon_blob_size, NULL);
4614 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4615 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
/*
 * Dissects a DOMAIN_TRUST_INFO structure under its own subtree: an LSA
 * POLICY_DNS_DOMAIN_INFO, then four counted strings and four uint32s whose
 * meaning is not identified (all registered under the generic
 * hf_netlogon_unknown_string / hf_netlogon_unknown_long fields).
 */
4622 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4623 packet_info *pinfo, proto_tree *parent_tree,
4626 proto_item *item=NULL;
4627 proto_tree *tree=NULL;
4628 int old_offset=offset;
4631 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4632 "DOMAIN_TRUST_INFO:");
4633 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
4637 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4639 /* Guesses at best: the layout below is unverified, so do not rely on
 * these fields when interpreting a capture. */
4640 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4641 hf_netlogon_unknown_string, 0);
4643 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4644 hf_netlogon_unknown_string, 0);
4646 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4647 hf_netlogon_unknown_string, 0);
4649 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4650 hf_netlogon_unknown_string, 0);
4652 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4653 hf_netlogon_unknown_long, NULL);
4655 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4656 hf_netlogon_unknown_long, NULL);
4658 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4659 hf_netlogon_unknown_long, NULL);
4661 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4662 hf_netlogon_unknown_long, NULL);
/* Span the item over everything consumed since old_offset. */
4664 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects an array of DOMAIN_TRUST_INFO via dissect_ndr_ucarray, with
 * netlogon_dissect_DOMAIN_TRUST_INFO as the per-element callback. The
 * element count is taken from the NDR array header in the packet.
 */
4669 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
4670 packet_info *pinfo, proto_tree *tree,
4673 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4674 netlogon_dissect_DOMAIN_TRUST_INFO);
/*
 * Dissects a DOMAIN_QUERY_1 structure directly into the caller's tree:
 * a BLOB, the workstation FQDN and site, four unidentified string
 * pointers, four counted strings (only the second is identified, as the
 * workstation OS) and four unidentified uint32s.
 */
4680 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4681 packet_info *pinfo, proto_tree *tree,
4684 offset = netlogon_dissect_BLOB(tvb, offset,
4687 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4688 NDR_POINTER_UNIQUE, "Workstation FQDN",
4689 hf_netlogon_workstation_fqdn, 0);
4691 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4692 NDR_POINTER_UNIQUE, "Workstation Site",
4693 hf_netlogon_workstation_site_name, 0);
/* Four string pointers of unknown meaning. */
4695 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4696 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4698 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4699 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4701 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4702 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4704 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4705 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4707 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4708 hf_netlogon_unknown_string, 0);
/* The only identified counted string: the workstation OS. */
4710 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4711 hf_netlogon_workstation_os, 0);
4713 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4714 hf_netlogon_unknown_string, 0);
4716 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4717 hf_netlogon_unknown_string, 0);
/* Four trailing uint32s of unknown meaning. */
4719 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4720 hf_netlogon_unknown_long, NULL);
4722 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4723 hf_netlogon_unknown_long, NULL);
4725 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4726 hf_netlogon_unknown_long, NULL);
4728 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4729 hf_netlogon_unknown_long, NULL);
/*
 * Dissects a DOMAIN_INFO_1 structure: a DOMAIN_TRUST_INFO, two
 * (count, unique pointer to DOMAIN_TRUST_INFO array) pairs, the DNS domain
 * name, three unidentified counted strings and four unidentified uint32s.
 */
4735 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
4736 packet_info *pinfo, proto_tree *tree,
4739 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
/*
 * NOTE(review): both trust counts are display-only (NULL out-pointer);
 * the arrays are sized by their own NDR headers, so a count that
 * disagrees with the array that follows is not detected here.
 */
4741 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4742 hf_netlogon_num_trusts, NULL);
4744 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4745 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4746 "DOMAIN_TRUST_ARRAY: Trusts", -1);
4748 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4749 hf_netlogon_num_trusts, NULL);
4751 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4752 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4753 "DOMAIN_TRUST_ARRAY:", -1);
4755 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4756 hf_netlogon_dns_domain_name, 0);
4758 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4759 hf_netlogon_unknown_string, 0);
4761 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4762 hf_netlogon_unknown_string, 0);
4764 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4765 hf_netlogon_unknown_string, 0);
4767 /* These four integers appear to mirror the last four in the query. */
4768 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4769 hf_netlogon_unknown_long, NULL);
4771 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4772 hf_netlogon_unknown_long, NULL);
4774 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4775 hf_netlogon_unknown_long, NULL);
4777 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4778 hf_netlogon_unknown_long, NULL);
/*
 * Dissects a DOMAIN_INFO: reads the uint32 level (hf_netlogon_level) into
 * level, then a unique pointer to a DOMAIN_INFO_1.
 * NOTE(review): the test on level that selects this branch is not visible
 * in this listing -- confirm how an unexpected level value is handled.
 */
4785 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4786 packet_info *pinfo, proto_tree *tree,
4791 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4792 hf_netlogon_level, &level);
4797 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4798 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
4799 "DOMAIN_INFO_1:", -1);
/*
 * Dissects a UNICODE_STRING_512 under its own subtree: uint16 data
 * (hf_netlogon_unknown_short) followed by a uint32
 * (hf_netlogon_unknown_long).
 * NOTE(review): lines around the uint16 read are missing from this
 * listing, so whether it is repeated in a loop cannot be told from here.
 */
4807 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4808 packet_info *pinfo, proto_tree *parent_tree,
4811 proto_item *item=NULL;
4812 proto_tree *tree=NULL;
4813 int old_offset=offset;
4817 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4818 "UNICODE_STRING_512:");
4819 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4823 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4824 hf_netlogon_unknown_short, NULL);
4827 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4828 hf_netlogon_unknown_long, NULL);
/* Span the item over everything consumed since old_offset. */
4830 proto_item_set_len(item, offset-old_offset);
/*
 * Element helper for the element_844 array: decodes one uint8 and adds it
 * as hf_netlogon_unknown_char (value not captured).
 */
4835 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4836 packet_info *pinfo, proto_tree *tree,
4839 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4840 hf_netlogon_unknown_char, NULL);
/*
 * Dissects the element_844 byte array via dissect_ndr_ucarray, with
 * netlogon_dissect_element_844_byte as the per-element callback.
 */
4846 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4847 packet_info *pinfo, proto_tree *tree,
4850 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4851 netlogon_dissect_element_844_byte);
/*
 * Dissects the unidentified TYPE_50 structure under its own subtree
 * (ett_TYPE_50): an unknown uint32 followed by a unique pointer to a byte
 * array (netlogon_dissect_element_844_array).
 */
4857 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4858 packet_info *pinfo, proto_tree *parent_tree,
4861 proto_item *item=NULL;
4862 proto_tree *tree=NULL;
4863 int old_offset=offset;
4866 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4868 tree = proto_item_add_subtree(item, ett_TYPE_50);
4871 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4872 hf_netlogon_unknown_long, NULL);
4874 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4875 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4876 "unknown", hf_netlogon_unknown_string);
/* Span the item over everything consumed since old_offset. */
4878 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a unique pointer to a TYPE_50; used where the wire carries a
 * pointer to a pointer (callers wrap this in another dissect_ndr_pointer).
 */
4883 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4884 packet_info *pinfo, proto_tree *tree,
4887 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4888 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4889 "TYPE_50 pointer: unknown_TYPE_50", -1);
/*
 * Dissects one DS_DOMAIN_TRUSTS entry under its own subtree: NetBIOS name,
 * DNS domain name, trust flags, parent index, trust type, trust
 * attributes, a SID pointer and a GUID.
 */
4895 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
4896 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4899 proto_item *item=NULL;
4900 proto_tree *tree=NULL;
4901 int old_offset=offset;
4904 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4905 "DS_DOMAIN_TRUSTS");
4906 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
4910 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4911 NDR_POINTER_UNIQUE, "NetBIOS Name",
4912 hf_netlogon_downlevel_domain_name, 0);
4915 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4916 NDR_POINTER_UNIQUE, "DNS Domain Name",
4917 hf_netlogon_dns_domain_name, 0);
4919 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
/*
 * The next three values are each written to tmp; nothing in the lines
 * shown reads tmp afterwards, so they appear to be display-only.
 */
4921 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4922 hf_netlogon_trust_parent_index, &tmp);
4924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4925 hf_netlogon_trust_type, &tmp);
4927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4928 hf_netlogon_trust_attribs, &tmp);
4931 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4934 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
/* Span the item over everything consumed since old_offset. */
4936 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects an array of DS_DOMAIN_TRUSTS via dissect_ndr_ucarray, with
 * netlogon_dissect_DS_DOMAIN_TRUSTS as the per-element callback. The
 * element count is taken from the NDR array header in the packet.
 */
4941 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
4942 packet_info *pinfo, proto_tree *tree,
4945 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4946 netlogon_dissect_DS_DOMAIN_TRUSTS);
/*
 * Element helper for the element_865 array: decodes one uint8 and adds it
 * as hf_netlogon_unknown_char (value not captured).
 */
4952 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4953 packet_info *pinfo, proto_tree *tree,
4956 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4957 hf_netlogon_unknown_char, NULL);
/*
 * Dissects the element_865 byte array via dissect_ndr_ucarray, with
 * netlogon_dissect_element_865_byte as the per-element callback.
 */
4963 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4964 packet_info *pinfo, proto_tree *tree,
4967 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4968 netlogon_dissect_element_865_byte);
/*
 * Element helper for the element_866 array: decodes one uint8 and adds it
 * as hf_netlogon_unknown_char (value not captured).
 */
4974 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4975 packet_info *pinfo, proto_tree *tree,
4978 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4979 hf_netlogon_unknown_char, NULL);
/*
 * Dissects the element_866 byte array via dissect_ndr_ucarray, with
 * netlogon_dissect_element_866_byte as the per-element callback.
 */
4985 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4986 packet_info *pinfo, proto_tree *tree,
4989 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4990 netlogon_dissect_element_866_byte);
/*
 * Dissects the unidentified TYPE_52 structure under its own subtree
 * (ett_TYPE_52): an unknown uint32 followed by two unique pointers to byte
 * arrays (element_865 and element_866).
 */
4996 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4997 packet_info *pinfo, proto_tree *parent_tree,
5000 proto_item *item=NULL;
5001 proto_tree *tree=NULL;
5002 int old_offset=offset;
5005 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5007 tree = proto_item_add_subtree(item, ett_TYPE_52);
5010 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5011 hf_netlogon_unknown_long, NULL);
5013 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5014 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
5015 "unknown", hf_netlogon_unknown_string);
5017 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5018 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
5019 "unknown", hf_netlogon_unknown_string);
/* Span the item over everything consumed since old_offset. */
5021 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a unique pointer to a TYPE_52; used where the wire carries a
 * pointer to a pointer (callers wrap this in another dissect_ndr_pointer).
 */
5026 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
5027 packet_info *pinfo, proto_tree *tree,
5030 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5031 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5032 "TYPE_52 pointer: unknown_TYPE_52", -1);
/*
 * Dissects the unidentified TYPE_44 structure under its own subtree
 * (ett_TYPE_44): a uint32 level captured into level, then an unknown
 * uint32.
 * NOTE(review): the test on level that guards the second read is not
 * visible in this listing -- confirm how other level values are handled.
 */
5038 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5039 packet_info *pinfo, proto_tree *parent_tree,
5042 proto_item *item=NULL;
5043 proto_tree *tree=NULL;
5044 int old_offset=offset;
5048 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5050 tree = proto_item_add_subtree(item, ett_TYPE_44);
5053 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5054 hf_netlogon_level, &level);
5059 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5060 hf_netlogon_unknown_long, NULL);
/* Span the item over everything consumed since old_offset. */
5064 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a DOMAIN_QUERY: reads the uint32 level (hf_netlogon_level) into
 * level, then a unique pointer to a DOMAIN_QUERY_1.
 * NOTE(review): two identical pointer dissections are visible; presumably
 * each sits under a different level value, but the selecting code is not
 * in this listing -- confirm, including the behaviour for other levels.
 */
5069 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5070 packet_info *pinfo, proto_tree *tree,
5075 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5076 hf_netlogon_level, &level);
5081 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5082 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5083 "DOMAIN_QUERY_1:", -1);
5086 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5087 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5088 "DOMAIN_QUERY_1:", -1);
/*
 * Request side of the trusted-domain-list call: the only field decoded is
 * the server handle (netlogon_dissect_LOGONSRV_HANDLE).
 */
5096 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
5097 packet_info *pinfo, proto_tree *tree, char *drep)
5099 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply side of the trusted-domain-list call: a reference pointer to a
 * UNICODE_MULTI holding the trusted domain names, then the NTSTATUS return
 * code (hf_netlogon_rc).
 */
5107 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
5108 packet_info *pinfo, proto_tree *tree, char *drep)
5110 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5111 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5112 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5114 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5115 hf_netlogon_rc, NULL);
/*
 * Request side of DsrGetDcName2: server handle, domain name, domain GUID,
 * site GUID and a uint32 flags word. The name and both GUIDs are unique
 * pointers and may be absent.
 */
5121 netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
5122 packet_info *pinfo, proto_tree *tree, char *drep)
5124 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5127 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5128 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5130 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5131 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5132 "GUID pointer: domain_guid", -1);
5134 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5135 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5136 "GUID pointer: site_guid", -1);
/* Flags are shown as a raw uint32; individual bits are not broken out. */
5138 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5139 hf_netlogon_flags, NULL);
/*
 * Reply side of DsrGetDcName2: a unique pointer to a
 * DOMAIN_CONTROLLER_INFO, then the NTSTATUS return code (hf_netlogon_rc).
 */
5146 netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
5147 packet_info *pinfo, proto_tree *tree, char *drep)
5149 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5150 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5151 "DOMAIN_CONTROLLER_INFO:", -1);
5153 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5154 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_15 (not yet
 * identified): server handle, an unknown string, the client authenticator
 * (reference pointer), an optional return authenticator (unique pointer)
 * and an unknown uint32.
 */
5160 netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
5161 packet_info *pinfo, proto_tree *tree, char *drep)
5163 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5166 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5167 NDR_POINTER_UNIQUE, "unknown string",
5168 hf_netlogon_unknown_string, 0);
5170 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5171 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5172 "AUTHENTICATOR: credential", -1);
5174 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5175 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5176 "AUTHENTICATOR: return_authenticator", -1);
5178 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5179 hf_netlogon_unknown_long, NULL);
/*
 * Reply side of function_15: an optional return authenticator, an optional
 * TYPE_44 (both unique pointers), then the NTSTATUS return code.
 */
5186 netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
5187 packet_info *pinfo, proto_tree *tree, char *drep)
5189 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5190 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5191 "AUTHENTICATOR: return_authenticator", -1);
5193 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5194 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5195 "TYPE_44 pointer: unknown_TYPE_44", -1);
5197 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5198 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_16 (not yet
 * identified): server handle followed by two unknown uint32s.
 */
5204 netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
5205 packet_info *pinfo, proto_tree *tree, char *drep)
5207 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5210 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5211 hf_netlogon_unknown_long, NULL);
5213 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5214 hf_netlogon_unknown_long, NULL);
/*
 * Reply side of function_16: only the NTSTATUS return code
 * (hf_netlogon_rc) is decoded.
 */
5221 netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
5222 packet_info *pinfo, proto_tree *tree, char *drep)
5224 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5225 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_17 (not yet
 * identified): server handle followed by one unknown string pointer.
 */
5231 netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
5232 packet_info *pinfo, proto_tree *tree, char *drep)
5234 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5237 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5238 NDR_POINTER_UNIQUE, "unknown string",
5239 hf_netlogon_unknown_string, 0);
/*
 * Reply side of function_17: a unique pointer to an unknown uint32
 * (netlogon_dissect_pointer_long), then the NTSTATUS return code.
 */
5246 netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
5247 packet_info *pinfo, proto_tree *tree, char *drep)
5249 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5250 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5251 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5253 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5254 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_18 (not yet
 * identified): server handle, an unknown uint32, a unique pointer to a
 * byte array (netlogon_dissect_BYTE_array) and another unknown uint32.
 */
5260 netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
5261 packet_info *pinfo, proto_tree *tree, char *drep)
5263 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5266 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5267 hf_netlogon_unknown_long, NULL);
5269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5270 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5271 "BYTE pointer: unknown_BYTE", -1);
5273 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5274 hf_netlogon_unknown_long, NULL);
/*
 * Decodes uint8 data as hf_netlogon_unknown_char (values not captured).
 * NOTE(review): the lines between the signature and this read are missing
 * from the listing; presumably a fixed-count loop surrounds it, as the
 * name suggests 16 bytes -- confirm the bound is a constant and not a
 * value taken from the packet.
 */
5280 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5281 packet_info *pinfo, proto_tree *tree, char *drep)
5286 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5287 hf_netlogon_unknown_char, NULL);
/*
 * Reply side of function_18: a unique pointer decoded by
 * netlogon_dissect_BYTE_16_array, then the NTSTATUS return code.
 */
5294 netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
5295 packet_info *pinfo, proto_tree *tree, char *drep)
5297 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5298 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5299 "BYTE pointer: unknown_BYTE", -1);
5301 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5302 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_19 (not yet
 * identified): server handle, an unknown string, a unique pointer to a
 * byte array (netlogon_dissect_BYTE_array) and an unknown uint32.
 */
5308 netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
5309 packet_info *pinfo, proto_tree *tree, char *drep)
5311 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5314 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5315 NDR_POINTER_UNIQUE, "unknown string",
5316 hf_netlogon_unknown_string, 0);
5318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5319 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5320 "BYTE pointer: unknown_BYTE", -1);
5322 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5323 hf_netlogon_unknown_long, NULL);
/*
 * Reply side of function_19: a unique pointer decoded by
 * netlogon_dissect_BYTE_16_array, then the NTSTATUS return code.
 */
5330 netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
5331 packet_info *pinfo, proto_tree *tree, char *drep)
5333 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5334 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5335 "BYTE pointer: unknown_BYTE", -1);
5337 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5338 hf_netlogon_rc, NULL);
/*
 * Request side of NetServerAuthenticate3: server handle, account name,
 * secure channel type, computer name, the client credential and the
 * negotiate flags. Account name, computer name and credential are
 * reference pointers, i.e. always present on the wire.
 */
5344 netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5345 packet_info *pinfo, proto_tree *tree, char *drep)
5347 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5350 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5351 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5353 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5356 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5357 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5359 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5360 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5361 "CREDENTIAL: authenticator", -1);
/*
 * The negotiate flags are added as one raw uint32; the individual
 * capability bits requested by the client are not broken out here, so
 * the mask has to be decoded by hand when reviewing a capture.
 */
5363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5364 hf_netlogon_neg_flags, NULL);
/*
 * Reply side of NetServerAuthenticate3: the server credential, the
 * negotiate flags the server returns, a reference pointer to an unknown
 * uint32, and the NTSTATUS return code.
 */
5371 netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5372 packet_info *pinfo, proto_tree *tree, char *drep)
5374 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5375 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5376 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
/* Raw uint32, as in the request; compare the two to see what was agreed. */
5378 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5379 hf_netlogon_neg_flags, NULL);
5381 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5382 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5383 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5385 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5386 hf_netlogon_rc, NULL);
/*
 * Request side of DsrGetDcName: server handle, domain name, domain GUID,
 * site name and the request flags (decoded by
 * netlogon_dissect_GET_DCNAME_REQUEST_FLAGS). Names and GUID are unique
 * pointers and may be absent.
 */
5392 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5393 packet_info *pinfo, proto_tree *tree, char *drep)
5395 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5398 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5399 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5401 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5402 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5403 "GUID pointer: domain_guid", -1);
5405 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5406 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5408 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
/*
 * Reply side of DsrGetDcName: a unique pointer to a
 * DOMAIN_CONTROLLER_INFO, then the NTSTATUS return code (hf_netlogon_rc).
 */
5415 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5416 packet_info *pinfo, proto_tree *tree, char *drep)
5418 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5419 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5420 "DOMAIN_CONTROLLER_INFO:", -1);
5422 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5423 hf_netlogon_rc, NULL);
/*
 * Request side of DsrGetSiteName: the only field decoded is the server
 * handle (netlogon_dissect_LOGONSRV_HANDLE).
 */
5429 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5430 packet_info *pinfo, proto_tree *tree, char *drep)
5432 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply side of DsrGetSiteName: the site name, decoded by
 * netlogon_dissect_UNICODE_STRING as a reference pointer
 * (hf_netlogon_site_name), then the NTSTATUS return code.
 */
5440 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5441 packet_info *pinfo, proto_tree *tree, char *drep)
5444 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
5445 NDR_POINTER_REF, hf_netlogon_site_name, 0);
5447 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5448 hf_netlogon_rc, NULL);
/*
 * Request side of NetrLogonGetDomainInfo: server handle, computer name,
 * client authenticator, an unknown uint32, return authenticator and the
 * DOMAIN_QUERY. Everything except the computer name is a reference
 * pointer.
 */
5454 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5455 packet_info *pinfo, proto_tree *tree, char *drep)
5457 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
/*
 * NOTE(review): the server handle is registered under
 * hf_netlogon_computer_name, the same field as the computer name below,
 * so a display filter on that field matches both values.
 */
5458 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5459 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5461 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5462 NDR_POINTER_UNIQUE, "Computer Name",
5463 hf_netlogon_computer_name, 0);
5465 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5466 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5467 "AUTHENTICATOR: credential", -1);
5469 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5470 hf_netlogon_unknown_long, NULL);
5472 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5473 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5474 "AUTHENTICATOR: return_authenticator", -1);
5476 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5477 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5478 "DOMAIN_QUERY: ", -1);
/*
 * Reply side of NetrLogonGetDomainInfo: the return authenticator and the
 * DOMAIN_INFO (both reference pointers), then the NTSTATUS return code.
 */
5485 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5486 packet_info *pinfo, proto_tree *tree, char *drep)
5488 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5489 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5490 "AUTHENTICATOR: return_authenticator", -1);
5492 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5493 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5494 "DOMAIN_INFO: ", -1);
5496 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5497 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_1e (not yet
 * identified): server handle, an unknown string, an unknown uint16,
 * another unknown string, the client authenticator and a
 * UNICODE_STRING_512.
 */
5503 netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
5504 packet_info *pinfo, proto_tree *tree, char *drep)
5506 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5509 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5510 NDR_POINTER_UNIQUE, "unknown string",
5511 hf_netlogon_unknown_string, 0);
5513 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5514 hf_netlogon_unknown_short, NULL);
5516 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5517 NDR_POINTER_UNIQUE, "unknown string",
5518 hf_netlogon_unknown_string, 0);
5520 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5521 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5522 "AUTHENTICATOR: credential", -1);
5524 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
/*
 * Reply side of function_1e: an optional return authenticator (unique
 * pointer), then the NTSTATUS return code.
 */
5532 netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
5533 packet_info *pinfo, proto_tree *tree, char *drep)
5535 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5536 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5537 "AUTHENTICATOR: return_authenticator", -1);
5539 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5540 hf_netlogon_rc, NULL);
/*
 * Request side of NetServerPasswordSet2: server handle, account name,
 * secure channel type, computer name and the client authenticator.
 * NOTE(review): no password field is decoded after the authenticator in
 * the lines shown, while the reply dissector decodes an LM_OWF_PASSWORD --
 * verify the field placement against the protocol definition.
 */
5546 netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5547 packet_info *pinfo, proto_tree *tree, char *drep)
5549 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5552 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5553 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
5555 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5558 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5559 NDR_POINTER_UNIQUE, "Computer Name",
5560 hf_netlogon_computer_name, 0);
5562 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5563 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5564 "AUTHENTICATOR: credential", -1);
/*
 * Reply side of NetServerPasswordSet2: the return authenticator, an
 * LM_OWF_PASSWORD labelled server_pwd (both reference pointers), then the
 * NTSTATUS return code.
 */
5571 netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5572 packet_info *pinfo, proto_tree *tree, char *drep)
5574 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5575 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5576 "AUTHENTICATOR: return_authenticator", -1);
/*
 * Password-derived material ends up in the protocol tree here, so
 * captures and exported dissections of this call should be handled as
 * sensitive data.
 */
5578 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5579 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5580 "LM_OWF_PASSWORD pointer: server_pwd", -1);
5582 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5583 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_20 (not yet
 * identified): server handle, an unknown string, the client
 * authenticator, a unique pointer to a byte array and an unknown uint32.
 */
5589 netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
5590 packet_info *pinfo, proto_tree *tree, char *drep)
5592 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5595 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5596 NDR_POINTER_UNIQUE, "unknown string",
5597 hf_netlogon_unknown_string, 0);
5599 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5600 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5601 "AUTHENTICATOR: credential", -1);
5603 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5604 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5605 "BYTE pointer: unknown_BYTE", -1);
5607 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5608 hf_netlogon_unknown_long, NULL);
/*
 * Reply side of function_20: an optional return authenticator (unique
 * pointer), then the NTSTATUS return code.
 */
5615 netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
5616 packet_info *pinfo, proto_tree *tree, char *drep)
5618 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5619 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5620 "AUTHENTICATOR: return_authenticator", -1);
5622 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5623 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_21 (not yet
 * identified): server handle, an unknown uint32 and a unique pointer to a
 * byte array (netlogon_dissect_BYTE_array).
 */
5629 netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
5630 packet_info *pinfo, proto_tree *tree, char *drep)
5632 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5635 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5636 hf_netlogon_unknown_long, NULL);
5638 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5639 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5640 "BYTE pointer: unknown_BYTE", -1);
/*
 * Reply side of function_21: a unique pointer to a pointer to a TYPE_50
 * (via netlogon_dissect_TYPE_50_ptr), then the NTSTATUS return code.
 */
5647 netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
5648 packet_info *pinfo, proto_tree *tree, char *drep)
5650 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5651 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5652 "TYPE_50** pointer: unknown_TYPE_50", -1);
5654 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5655 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_22 (not yet
 * identified): server handle, an unknown string, an unknown uint32,
 * another unknown string, an optional GUID, a third unknown string and a
 * final unknown uint32.
 */
5661 netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
5662 packet_info *pinfo, proto_tree *tree, char *drep)
5664 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5667 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5668 NDR_POINTER_UNIQUE, "unknown string",
5669 hf_netlogon_unknown_string, 0);
5671 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5672 hf_netlogon_unknown_long, NULL);
5674 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5675 NDR_POINTER_UNIQUE, "unknown string",
5676 hf_netlogon_unknown_string, 0);
5678 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5679 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5680 "GUID pointer: unknown_GUID", -1);
5682 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5683 NDR_POINTER_UNIQUE, "unknown string",
5684 hf_netlogon_unknown_string, 0);
5686 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5687 hf_netlogon_unknown_long, NULL);
/*
 * Reply side of function_22: a unique pointer to a
 * DOMAIN_CONTROLLER_INFO, then the NTSTATUS return code.
 */
5694 netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
5695 packet_info *pinfo, proto_tree *tree, char *drep)
5697 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5698 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5699 "DOMAIN_CONTROLLER_INFO:", -1);
5701 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5702 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_23 (not yet
 * identified): the only field decoded is the server handle.
 */
5708 netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
5709 packet_info *pinfo, proto_tree *tree, char *drep)
5711 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply side of function_23: an unknown string, a unique pointer to an
 * unknown uint32 (netlogon_dissect_pointer_long), then the NTSTATUS
 * return code.
 */
5719 netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
5720 packet_info *pinfo, proto_tree *tree, char *drep)
5722 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5723 NDR_POINTER_UNIQUE, "unknown string",
5724 hf_netlogon_unknown_string, 0);
5726 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5727 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5728 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5730 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5731 hf_netlogon_rc, NULL);
/*
 * Request side of the call this file names function_24 (not yet
 * identified): the only field decoded is the server handle.
 */
5737 netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
5738 packet_info *pinfo, proto_tree *tree, char *drep)
5740 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply side of function_24: an entry count (hf_netlogon_entries), a
 * unique pointer to a DS_DOMAIN_TRUSTS array, then the NTSTATUS return
 * code.
 */
5747 netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
5748 packet_info *pinfo, proto_tree *tree, char *drep)
/*
 * NOTE(review): the count is display-only (NULL out-pointer); the array
 * is sized by its own NDR header, so a count that disagrees with the
 * array that follows is not detected here.
 */
5750 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5751 hf_netlogon_entries, NULL);
5753 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5754 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5755 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5757 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5758 hf_netlogon_rc, NULL);
/*
 * Request dissector listed for NETLOGON_FUNCTION_25 ("Function_0x25").
 *
 * Visible steps: the start of a LOGONSRV_HANDLE call, a 32-bit value of
 * unknown meaning, and a unique pointer to a BYTE array.
 *
 * NOTE(review): the listing skips original lines 5768-5769, so the end of
 * the LOGONSRV_HANDLE call is not shown. Braces and the return statement
 * are likewise missing.
 */
5764 netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
5765 packet_info *pinfo, proto_tree *tree, char *drep)
5767 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Field semantics are unknown; shown under hf_netlogon_unknown_long. */
5770 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5771 hf_netlogon_unknown_long, NULL);
/* The array contents are decoded by netlogon_dissect_BYTE_array. */
5773 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5774 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5775 "BYTE pointer: unknown_BYTE", -1);
/*
 * Reply dissector listed for NETLOGON_FUNCTION_25 ("Function_0x25").
 *
 * Visible steps: a unique pointer decoded by netlogon_dissect_TYPE_52_ptr,
 * then the NTSTATUS return code.
 *
 * NOTE(review): braces and the return statement fall on original lines the
 * listing does not show.
 */
5782 netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
5783 packet_info *pinfo, proto_tree *tree, char *drep)
5785 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5786 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5787 "TYPE_52 pointer: unknown_TYPE_52", -1);
/* Status code of the call. */
5789 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5790 hf_netlogon_rc, NULL);
/*
 * Request dissector listed for NETLOGON_FUNCTION_26 ("Function_0x26").
 *
 * The only visible step is a unique pointer to a string of unknown meaning.
 *
 * NOTE(review): braces and the return statement fall on original lines the
 * listing does not show.
 */
5797 netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
5798 packet_info *pinfo, proto_tree *tree, char *drep)
5800 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5801 NDR_POINTER_UNIQUE, "unknown string",
5802 hf_netlogon_unknown_string, 0);
/*
 * Reply dissector listed for NETLOGON_FUNCTION_26 ("Function_0x26").
 *
 * Visible steps: a unique pointer decoded by netlogon_dissect_TYPE_50_ptr
 * (labelled as a TYPE_50** in the tree text), then the NTSTATUS return code.
 *
 * NOTE(review): braces and the return statement fall on original lines the
 * listing does not show.
 */
5809 netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
5810 packet_info *pinfo, proto_tree *tree, char *drep)
5812 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5813 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5814 "TYPE_50** pointer: unknown_TYPE_50", -1);
/* Status code of the call. */
5816 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5817 hf_netlogon_rc, NULL);
/*
 * Request dissector listed for NETLOGON_LOGONSAMLOGONEX ("LogonSamLogonEx").
 *
 * Visible steps, in wire order:
 *   1. two unique string pointers (meaning not yet identified),
 *   2. a 16-bit value,
 *   3. a unique pointer to a LEVEL union (netlogon_dissect_LEVEL),
 *   4. a second 16-bit value,
 *   5. a unique pointer to a ULONG.
 * All scalar fields are shown under the generic "unknown" header fields.
 *
 * NOTE(review): the LEVEL union presumably carries the logon credentials
 * for this call, so captures containing it should be handled as sensitive.
 * Confirm against netlogon_dissect_LEVEL. Braces and the return statement
 * fall on original lines the listing does not show.
 */
5823 netlogon_dissect_logonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5824 packet_info *pinfo, proto_tree *tree, char *drep)
5826 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5827 NDR_POINTER_UNIQUE, "unknown string",
5828 hf_netlogon_unknown_string, 0);
5830 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5831 NDR_POINTER_UNIQUE, "unknown string",
5832 hf_netlogon_unknown_string, 0);
5834 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5835 hf_netlogon_unknown_short, NULL);
5837 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5838 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5839 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
5841 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5842 hf_netlogon_unknown_short, NULL);
5844 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5845 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5846 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
/*
 * Reply dissector listed for NETLOGON_LOGONSAMLOGONEX ("LogonSamLogonEx").
 *
 * Visible steps, in wire order: a unique pointer to a VALIDATION union, a
 * unique pointer to a BOOLEAN (dissected as a char), a unique pointer to a
 * ULONG, then the NTSTATUS return code.
 *
 * NOTE(review): braces and the return statement fall on original lines the
 * listing does not show.
 */
5852 netlogon_dissect_logonsamlogonex_reply(tvbuff_t *tvb, int offset,
5853 packet_info *pinfo, proto_tree *tree, char *drep)
5855 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5856 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5857 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
5859 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5860 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5861 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
5863 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5864 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5865 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
/* Status code of the call. */
5867 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5868 hf_netlogon_rc, NULL);
/*
 * Request dissector listed for NETLOGON_DSENUMERATETRUSTEDDOMAINS
 * ("DSEnumerateTrustedDomains").
 *
 * Visible steps: the start of a LOGONSRV_HANDLE call, then the
 * DOMAIN_TRUST_FLAGS value.
 *
 * NOTE(review): the listing skips original lines 5879-5880, so the end of
 * the LOGONSRV_HANDLE call is not shown. Braces and the return statement
 * are likewise missing.
 */
5875 netlogon_dissect_dsenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5876 packet_info *pinfo, proto_tree *tree, char *drep)
5878 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5881 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
/*
 * Reply dissector listed for NETLOGON_DSENUMERATETRUSTEDDOMAINS
 * ("DSEnumerateTrustedDomains").
 *
 * Visible steps: a 32-bit entry count, a unique pointer to a
 * DS_DOMAIN_TRUSTS_ARRAY, then the NTSTATUS return code.
 *
 * NOTE(review): the count is dissected with a NULL result pointer, so this
 * function does not itself use it to bound the array; presumably the array
 * callback handles sizing. Confirm against
 * netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY.
 */
5888 netlogon_dissect_dsenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5889 packet_info *pinfo, proto_tree *tree, char *drep)
5891 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5892 hf_netlogon_entries, NULL);
5894 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5895 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5896 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
/* Status code of the call. */
5898 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5899 hf_netlogon_rc, NULL);
/*
 * Request dissector listed for NETLOGON_DSRDEREGISTERDNSHOSTRECORDS
 * ("DsrDeregisterDNSHostRecords").
 *
 * Visible steps, in wire order: the start of a LOGONSRV_HANDLE call, a
 * unique pointer to the domain name string, unique pointers to two GUIDs
 * (labelled domain_guid and dsa_guid), and a unique pointer to the DNS host
 * name string.
 *
 * NOTE(review): the listing skips original lines 5909-5910, so the end of
 * the LOGONSRV_HANDLE call is not shown. Braces and the return statement
 * are likewise missing.
 */
5905 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5906 packet_info *pinfo, proto_tree *tree, char *drep)
5908 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5911 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5912 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5914 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5915 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5916 "GUID pointer: domain_guid", -1);
5918 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5919 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5920 "GUID pointer: dsa_guid", -1);
5922 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5923 NDR_POINTER_UNIQUE, "dns_host", hf_netlogon_dns_host, 0);
/*
 * Reply dissector listed for NETLOGON_DSRDEREGISTERDNSHOSTRECORDS
 * ("DsrDeregisterDNSHostRecords").
 *
 * The only visible step is the NTSTATUS return code.
 *
 * NOTE(review): braces and the return statement fall on original lines the
 * listing does not show.
 */
5930 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5931 packet_info *pinfo, proto_tree *tree, char *drep)
5933 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5934 hf_netlogon_rc, NULL);
5939 /* Dissect secure channel stuff */
/*
 * Header-field handles for the secure channel bind / bind-ack credentials,
 * all initialised to -1 here.
 * bind_unknown1/2, domain and host are used by
 * netlogon_dissect_secchan_bind_creds(); bind_ack_unknown1..3 are used by
 * netlogon_dissect_secchan_bind_ack_creds().
 */
5941 static int hf_netlogon_secchan_bind_unknown1 = -1;
5942 static int hf_netlogon_secchan_bind_unknown2 = -1;
5943 static int hf_netlogon_secchan_domain = -1;
5944 static int hf_netlogon_secchan_host = -1;
5945 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
5946 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
5947 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
/* Subtree handles for the verifier, bind and bind-ack subtrees. */
5949 static gint ett_secchan = -1;
5950 static gint ett_secchan_bind_creds = -1;
5951 static gint ett_secchan_bind_ack_creds = -1;
/*
 * Dissect the credentials carried in a secure channel bind.
 *
 * Visible steps: add a "Secure Channel Bind Credentials" text item and
 * subtree, dissect two 32-bit values of unknown meaning with the plain
 * DCERPC (non-NDR) integer routine, then add two strings (domain, host)
 * whose lengths come from tvb_strsize(), and finally set the item length
 * to the number of bytes consumed since start_offset.
 *
 * NOTE(review): both string lengths are derived from packet bytes and are
 * passed straight to proto_tree_add_item(); nothing in the visible lines
 * bounds len. Presumably tvb_strsize() refuses to scan past the end of the
 * captured data; confirm.
 * NOTE(review): item is initialised to NULL and the listing does not show
 * whether its assignment is conditional, so confirm that
 * proto_item_set_len() tolerates a NULL item.
 * NOTE(review): the listing skips several original lines (e.g. 5955-5956,
 * 5960-5962, 5986-5988, 5993-5995, 5997 onward), so the last parameter, the
 * declaration of len, any offset advance between the two strings and the
 * return statement are not shown.
 */
5953 int netlogon_dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
5954 packet_info *pinfo, proto_tree *tree,
5957 int start_offset = offset;
5958 proto_item *item = NULL;
5959 proto_tree *subtree = NULL;
5963 item = proto_tree_add_text(
5964 tree, tvb, offset, 0,
5965 "Secure Channel Bind Credentials");
5966 subtree = proto_item_add_subtree(
5967 item, ett_secchan_bind_creds);
5970 /* We can't use the NDR routines as the DCERPC call data hasn't
5971 been initialised since we haven't made a DCERPC call yet, just
5974 offset = dissect_dcerpc_uint32(
5975 tvb, offset, pinfo, subtree, drep,
5976 hf_netlogon_secchan_bind_unknown1, NULL);
5978 offset = dissect_dcerpc_uint32(
5979 tvb, offset, pinfo, subtree, drep,
5980 hf_netlogon_secchan_bind_unknown2, NULL);
5982 len = tvb_strsize(tvb, offset);
5984 proto_tree_add_item(
5985 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
5989 len = tvb_strsize(tvb, offset);
5991 proto_tree_add_item(
5992 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
5996 proto_item_set_len(item, offset - start_offset);
/*
 * Dissect the credentials carried in a secure channel bind ACK.
 *
 * Visible steps: add a "Secure Channel Bind ACK Credentials" text item and
 * subtree, then dissect three 32-bit values of unknown meaning with the
 * plain DCERPC (non-NDR) integer routine.
 *
 * NOTE(review): the listing skips original lines 6002, 6004, 6007-6008,
 * 6014-6015 and everything after 6028, so one parameter line, the braces
 * and the return statement are not shown.
 */
6001 int netlogon_dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
6003 proto_tree *tree, char *drep)
6005 proto_item *item = NULL;
6006 proto_tree *subtree = NULL;
6009 item = proto_tree_add_text(
6010 tree, tvb, offset, 0,
6011 "Secure Channel Bind ACK Credentials");
6012 subtree = proto_item_add_subtree(
6013 item, ett_secchan_bind_ack_creds);
6016 /* Don't use NDR routines here */
6018 offset = dissect_dcerpc_uint32(
6019 tvb, offset, pinfo, subtree, drep,
6020 hf_netlogon_secchan_bind_ack_unknown1, NULL);
6022 offset = dissect_dcerpc_uint32(
6023 tvb, offset, pinfo, subtree, drep,
6024 hf_netlogon_secchan_bind_ack_unknown2, NULL);
6026 offset = dissect_dcerpc_uint32(
6027 tvb, offset, pinfo, subtree, drep,
6028 hf_netlogon_secchan_bind_ack_unknown3, NULL);
/*
 * Header-field handles for the secure channel verifier, all initialised to
 * -1 here: the enclosing item plus its signature, unknown, sequence and
 * nonce components, as used by netlogon_dissect_secchan_verf().
 */
6033 static int hf_netlogon_secchan = -1;
6034 static int hf_netlogon_secchan_sig = -1;
6035 static int hf_netlogon_secchan_unk = -1;
6036 static int hf_netlogon_secchan_seq = -1;
6037 static int hf_netlogon_secchan_nonce = -1;
/*
 * Dissect the secure channel verifier into a subtree of four components.
 *
 * Visible steps: add the enclosing hf_netlogon_secchan item, open the
 * ett_secchan subtree under it, then add the signature, unknown, sequence
 * and nonce fields. The last three are 8 bytes each at offset + 8,
 * offset + 16 and offset + 24.
 *
 * NOTE(review): the fields are read at fixed offsets and no length check
 * is visible in this function. Presumably proto_tree_add_item() rejects
 * ranges beyond the captured data; confirm.
 * NOTE(review): the listing skips original lines 6041-6043, 6049, 6053-6054
 * and everything after 6062, so the last parameter, the declaration of vf,
 * the offset/length arguments of the first two items and the return
 * statement are not shown.
 */
6039 int netlogon_dissect_secchan_verf(tvbuff_t *tvb, int offset,
6040 packet_info *pinfo _U_, proto_tree *tree,
6044 proto_tree *sec_chan_tree;
6046 * Create a new tree, and split into 4 components ...
6048 vf = proto_tree_add_item(tree, hf_netlogon_secchan, tvb,
6050 sec_chan_tree = proto_item_add_subtree(vf, ett_secchan);
6052 proto_tree_add_item(sec_chan_tree, hf_netlogon_secchan_sig, tvb,
6055 proto_tree_add_item(sec_chan_tree, hf_netlogon_secchan_unk, tvb,
6056 offset + 8, 8, FALSE);
6058 proto_tree_add_item(sec_chan_tree, hf_netlogon_secchan_seq, tvb,
6059 offset + 16, 8, FALSE);
6061 proto_tree_add_item(sec_chan_tree, hf_netlogon_secchan_nonce, tvb,
6062 offset + 24, 8, FALSE);
/*
 * Dispatch table for the NETLOGON interface. Each entry holds an opnum
 * constant, a display name, the request dissector and the reply dissector.
 * The table ends with an all-zero/NULL sentinel entry.
 *
 * The names here are kept separately from netlogon_opnum_vals[], so the
 * two tables must be updated together.
 *
 * NOTE(review): the closing brace of the initialiser falls on an original
 * line (6197) that the listing does not show.
 */
6069 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
6070 { NETLOGON_UASLOGON, "UasLogon",
6071 netlogon_dissect_netlogonuaslogon_rqst,
6072 netlogon_dissect_netlogonuaslogon_reply },
6073 { NETLOGON_UASLOGOFF, "UasLogoff",
6074 netlogon_dissect_netlogonuaslogoff_rqst,
6075 netlogon_dissect_netlogonuaslogoff_reply },
6076 { NETLOGON_NETLOGONSAMLOGON, "SamLogon",
6077 netlogon_dissect_netlogonsamlogon_rqst,
6078 netlogon_dissect_netlogonsamlogon_reply },
6079 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
6080 netlogon_dissect_netlogonsamlogoff_rqst,
6081 netlogon_dissect_netlogonsamlogoff_reply },
6082 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
6083 netlogon_dissect_netserverreqchallenge_rqst,
6084 netlogon_dissect_netserverreqchallenge_reply },
6085 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
6086 netlogon_dissect_netserverauthenticate_rqst,
6087 netlogon_dissect_netserverauthenticate_reply },
6088 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
6089 netlogon_dissect_netserverpasswordset_rqst,
6090 netlogon_dissect_netserverpasswordset_reply },
6091 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
6092 netlogon_dissect_netsamdeltas_rqst,
6093 netlogon_dissect_netsamdeltas_reply },
6094 { NETLOGON_DATABASESYNC, "DatabaseSync",
6095 netlogon_dissect_netlogondatabasesync_rqst,
6096 netlogon_dissect_netlogondatabasesync_reply },
6097 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
6098 netlogon_dissect_netlogonaccountdeltas_rqst,
6099 netlogon_dissect_netlogonaccountdeltas_reply },
6100 { NETLOGON_ACCOUNTSYNC, "AccountSync",
6101 netlogon_dissect_netlogonaccountsync_rqst,
6102 netlogon_dissect_netlogonaccountsync_reply },
6103 { NETLOGON_GETDCNAME, "GetDCName",
6104 netlogon_dissect_netlogongetdcname_rqst,
6105 netlogon_dissect_netlogongetdcname_reply },
6106 { NETLOGON_NETLOGONCONTROL, "LogonControl",
6107 netlogon_dissect_netlogoncontrol_rqst,
6108 netlogon_dissect_netlogoncontrol_reply },
6109 { NETLOGON_GETANYDCNAME, "GetAnyDCName",
6110 netlogon_dissect_netlogongetanydcname_rqst,
6111 netlogon_dissect_netlogongetanydcname_reply },
6112 { NETLOGON_NETLOGONCONTROL2, "LogonControl2",
6113 netlogon_dissect_netlogoncontrol2_rqst,
6114 netlogon_dissect_netlogoncontrol2_reply },
6115 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
6116 netlogon_dissect_netserverauthenticate2_rqst,
6117 netlogon_dissect_netserverauthenticate2_reply },
6118 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
6119 netlogon_dissect_netdatabasesync2_rqst,
6120 netlogon_dissect_netdatabasesync2_reply },
6121 { NETLOGON_DATABASEREDO, "DatabaseRedo",
6122 netlogon_dissect_netlogondatabaseredo_rqst,
6123 netlogon_dissect_netlogondatabaseredo_reply },
6124 { NETLOGON_FUNCTION_12, "Function_0x12",
6125 netlogon_dissect_function_12_rqst,
6126 netlogon_dissect_function_12_reply },
6127 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList",
6128 netlogon_dissect_nettrusteddomainlist_rqst,
6129 netlogon_dissect_nettrusteddomainlist_reply },
6130 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2",
6131 netlogon_dissect_dsrgetdcname2_rqst,
6132 netlogon_dissect_dsrgetdcname2_reply },
/* NOTE(review): opnums 0x15-0x19 are named "Function 0x15".."Function 0x19"
   here (with a space) but "Function_0x15".."Function_0x19" (underscore) in
   netlogon_opnum_vals[]. Every other unnamed opnum uses the underscore form
   in both tables, so the same call is labelled differently depending on
   which table supplies the name. */
6133 { NETLOGON_FUNCTION_15, "Function 0x15",
6134 netlogon_dissect_function_15_rqst,
6135 netlogon_dissect_function_15_reply },
6136 { NETLOGON_FUNCTION_16, "Function 0x16",
6137 netlogon_dissect_function_16_rqst,
6138 netlogon_dissect_function_16_reply },
6139 { NETLOGON_FUNCTION_17, "Function 0x17",
6140 netlogon_dissect_function_17_rqst,
6141 netlogon_dissect_function_17_reply },
6142 { NETLOGON_FUNCTION_18, "Function 0x18",
6143 netlogon_dissect_function_18_rqst,
6144 netlogon_dissect_function_18_reply },
6145 { NETLOGON_FUNCTION_19, "Function 0x19",
6146 netlogon_dissect_function_19_rqst,
6147 netlogon_dissect_function_19_reply },
6148 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3",
6149 netlogon_dissect_netserverauthenticate3_rqst,
6150 netlogon_dissect_netserverauthenticate3_reply },
6151 { NETLOGON_DSRGETDCNAME, "DsrGetDCName",
6152 netlogon_dissect_dsrgetdcname_rqst,
6153 netlogon_dissect_dsrgetdcname_reply },
6154 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
6155 netlogon_dissect_dsrgetsitename_rqst,
6156 netlogon_dissect_dsrgetsitename_reply },
6157 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6158 netlogon_dissect_netrlogongetdomaininfo_rqst,
6159 netlogon_dissect_netrlogongetdomaininfo_reply },
6160 { NETLOGON_FUNCTION_1E, "Function_0x1E",
6161 netlogon_dissect_function_1e_rqst,
6162 netlogon_dissect_function_1e_reply },
6163 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2",
6164 netlogon_dissect_netserverpasswordset2_rqst,
6165 netlogon_dissect_netserverpasswordset2_reply },
6166 { NETLOGON_FUNCTION_20, "Function_0x20",
6167 netlogon_dissect_function_20_rqst,
6168 netlogon_dissect_function_20_reply },
6169 { NETLOGON_FUNCTION_21, "Function_0x21",
6170 netlogon_dissect_function_21_rqst,
6171 netlogon_dissect_function_21_reply },
6172 { NETLOGON_FUNCTION_22, "Function_0x22",
6173 netlogon_dissect_function_22_rqst,
6174 netlogon_dissect_function_22_reply },
6175 { NETLOGON_FUNCTION_23, "Function_0x23",
6176 netlogon_dissect_function_23_rqst,
6177 netlogon_dissect_function_23_reply },
6178 { NETLOGON_FUNCTION_24, "Function_0x24",
6179 netlogon_dissect_function_24_rqst,
6180 netlogon_dissect_function_24_reply },
6181 { NETLOGON_FUNCTION_25, "Function_0x25",
6182 netlogon_dissect_function_25_rqst,
6183 netlogon_dissect_function_25_reply },
6184 { NETLOGON_FUNCTION_26, "Function_0x26",
6185 netlogon_dissect_function_26_rqst,
6186 netlogon_dissect_function_26_reply },
6187 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx",
6188 netlogon_dissect_logonsamlogonex_rqst,
6189 netlogon_dissect_logonsamlogonex_reply },
6190 { NETLOGON_DSENUMERATETRUSTEDDOMAINS, "DSEnumerateTrustedDomains",
6191 netlogon_dissect_dsenumeratetrusteddomains_rqst,
6192 netlogon_dissect_dsenumeratetrusteddomains_reply },
6193 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords",
6194 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6195 netlogon_dissect_dsrderegisterdnshostrecords_reply },
/* Sentinel entry marking the end of the table. */
6196 {0, NULL, NULL, NULL }
/*
 * Opnum-to-name mapping used as the value_string for hf_netlogon_opnum
 * ("netlogon.opnum"). The names mirror dcerpc_netlogon_dissectors[], except
 * that opnums 0x15-0x19 use the underscore form "Function_0x15" here while
 * the dispatch table spells them with a space.
 *
 * NOTE(review): the terminating entry and closing brace fall on original
 * lines (6242-6243) that the listing does not show.
 */
6199 static const value_string netlogon_opnum_vals[] = {
6200 { NETLOGON_UASLOGON, "UasLogon" },
6201 { NETLOGON_UASLOGOFF, "UasLogoff" },
6202 { NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
6203 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
6204 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
6205 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
6206 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
6207 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
6208 { NETLOGON_DATABASESYNC, "DatabaseSync" },
6209 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
6210 { NETLOGON_ACCOUNTSYNC, "AccountSync" },
6211 { NETLOGON_GETDCNAME, "GetDCName" },
6212 { NETLOGON_NETLOGONCONTROL, "LogonControl" },
6213 { NETLOGON_GETANYDCNAME, "GetAnyDCName" },
6214 { NETLOGON_NETLOGONCONTROL2, "LogonControl2" },
6215 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2" },
6216 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2" },
6217 { NETLOGON_DATABASEREDO, "DatabaseRedo" },
6218 { NETLOGON_FUNCTION_12, "Function_0x12" },
6219 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList" },
6220 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2" },
6221 { NETLOGON_FUNCTION_15, "Function_0x15" },
6222 { NETLOGON_FUNCTION_16, "Function_0x16" },
6223 { NETLOGON_FUNCTION_17, "Function_0x17" },
6224 { NETLOGON_FUNCTION_18, "Function_0x18" },
6225 { NETLOGON_FUNCTION_19, "Function_0x19" },
6226 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3" },
6227 { NETLOGON_DSRGETDCNAME, "DsrGetDCName" },
6228 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName" },
6229 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo" },
6230 { NETLOGON_FUNCTION_1E, "Function_0x1E" },
6231 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2" },
6232 { NETLOGON_FUNCTION_20, "Function_0x20" },
6233 { NETLOGON_FUNCTION_21, "Function_0x21" },
6234 { NETLOGON_FUNCTION_22, "Function_0x22" },
6235 { NETLOGON_FUNCTION_23, "Function_0x23" },
6236 { NETLOGON_FUNCTION_24, "Function_0x24" },
6237 { NETLOGON_FUNCTION_25, "Function_0x25" },
6238 { NETLOGON_FUNCTION_26, "Function_0x26" },
6239 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx" },
6240 { NETLOGON_DSENUMERATETRUSTEDDOMAINS, "DSEnumerateTrustedDomains" },
6241 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords" },
6245 /* Secure channel types */
/*
 * Display names for the secure channel type, used as the value_string for
 * hf_netlogon_secure_channel_type ("netlogon.sec_chan_type").
 *
 * NOTE(review): the terminating entry and closing brace fall on original
 * lines the listing does not show.
 */
6247 static const value_string sec_chan_type_vals[] = {
6248 { SEC_CHAN_WKSTA, "Workstation" },
6249 { SEC_CHAN_DOMAIN, "Domain trust" },
6250 { SEC_CHAN_BDC, "Backup domain controller" },
6255 proto_register_dcerpc_netlogon(void)
6258 static hf_register_info hf[] = {
6259 { &hf_netlogon_opnum,
6260 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6261 VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
6263 { &hf_netlogon_rc, {
6264 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6265 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6267 { &hf_netlogon_param_ctrl, {
6268 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6269 NULL, 0x0, "Param ctrl", HFILL }},
6271 { &hf_netlogon_logon_id, {
6272 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6273 NULL, 0x0, "Logon ID", HFILL }},
6275 { &hf_netlogon_modify_count, {
6276 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6277 NULL, 0x0, "How many times the object has been modified", HFILL }},
6279 { &hf_netlogon_security_information, {
6280 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6281 NULL, 0x0, "Security Information", HFILL }},
6283 { &hf_netlogon_count, {
6284 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6285 NULL, 0x0, "", HFILL }},
6287 { &hf_netlogon_entries, {
6288 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6289 NULL, 0x0, "", HFILL }},
6291 { &hf_netlogon_credential_low, {
6292 "Credential low", "netlogon.credential.low", FT_UINT32,
6293 BASE_HEX, NULL, 0x0, "Netlogon credential (low)", HFILL }},
6295 { &hf_netlogon_credential_high, {
6296 "Credential high", "netlogon.credential.high", FT_UINT32,
6297 BASE_HEX, NULL, 0x0, "Netlogon credential (high)", HFILL }},
6299 { &hf_netlogon_challenge, {
6300 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6301 NULL, 0x0, "Netlogon challenge", HFILL }},
6303 { &hf_netlogon_lm_owf_password, {
6304 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6305 NULL, 0x0, "LanManager OWF Password", HFILL }},
6307 { &hf_netlogon_user_session_key, {
6308 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6309 NULL, 0x0, "User Session Key", HFILL }},
6311 { &hf_netlogon_encrypted_lm_owf_password, {
6312 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6313 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6315 { &hf_netlogon_nt_owf_password, {
6316 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6317 NULL, 0x0, "NT OWF Password", HFILL }},
6319 { &hf_netlogon_blob, {
6320 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6321 NULL, 0x0, "BLOB", HFILL }},
6323 { &hf_netlogon_len, {
6324 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6325 NULL, 0, "Length", HFILL }},
6327 { &hf_netlogon_priv, {
6328 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6329 NULL, 0, "", HFILL }},
6331 { &hf_netlogon_privilege_entries, {
6332 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6333 NULL, 0, "", HFILL }},
6335 { &hf_netlogon_privilege_control, {
6336 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6337 NULL, 0, "", HFILL }},
6339 { &hf_netlogon_privilege_name, {
6340 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6341 NULL, 0, "", HFILL }},
6343 { &hf_netlogon_pdc_connection_status, {
6344 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6345 NULL, 0, "PDC Connection Status", HFILL }},
6347 { &hf_netlogon_tc_connection_status, {
6348 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6349 NULL, 0, "TC Connection Status", HFILL }},
6351 { &hf_netlogon_attrs, {
6352 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6353 NULL, 0, "Attributes", HFILL }},
6355 { &hf_netlogon_unknown_string,
6356 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6357 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6358 { &hf_netlogon_unknown_long,
6359 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6360 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6361 { &hf_netlogon_reserved,
6362 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6363 NULL, 0x0, "Reserved", HFILL }},
6364 { &hf_netlogon_unknown_short,
6365 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6366 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6368 { &hf_netlogon_unknown_char,
6369 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6370 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6372 { &hf_netlogon_acct_expiry_time,
6373 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6374 NULL, 0x0, "When this account will expire", HFILL }},
6376 { &hf_netlogon_nt_pwd_present,
6377 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6378 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6380 { &hf_netlogon_lm_pwd_present,
6381 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6382 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6384 { &hf_netlogon_pwd_expired,
6385 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6386 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6388 { &hf_netlogon_authoritative,
6389 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6390 NULL, 0x0, "", HFILL }},
6392 { &hf_netlogon_sensitive_data_flag,
6393 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6394 NULL, 0x0, "Sensitive data flag", HFILL }},
6396 { &hf_netlogon_auditing_mode,
6397 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6398 NULL, 0x0, "Auditing Mode", HFILL }},
6400 { &hf_netlogon_max_audit_event_count,
6401 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6402 NULL, 0x0, "Max audit event count", HFILL }},
6404 { &hf_netlogon_event_audit_option,
6405 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6406 NULL, 0x0, "Event audit option", HFILL }},
6408 { &hf_netlogon_sensitive_data_len,
6409 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6410 NULL, 0x0, "Length of sensitive data", HFILL }},
6412 { &hf_netlogon_nt_chal_resp,
6413 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6414 NULL, 0, "Challenge response for NT authentication", HFILL }},
6416 { &hf_netlogon_lm_chal_resp,
6417 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6418 NULL, 0, "Challenge response for LM authentication", HFILL }},
6420 { &hf_netlogon_cipher_len,
6421 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6422 NULL, 0, "", HFILL }},
6424 { &hf_netlogon_cipher_maxlen,
6425 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6426 NULL, 0, "", HFILL }},
6428 { &hf_netlogon_pac_data,
6429 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6430 NULL, 0, "Pac Data", HFILL }},
6432 { &hf_netlogon_sensitive_data,
6433 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6434 NULL, 0, "Sensitive Data", HFILL }},
6436 { &hf_netlogon_auth_data,
6437 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6438 NULL, 0, "Auth Data", HFILL }},
6440 { &hf_netlogon_cipher_current_data,
6441 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6442 NULL, 0, "", HFILL }},
6444 { &hf_netlogon_cipher_old_data,
6445 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6446 NULL, 0, "", HFILL }},
6448 { &hf_netlogon_acct_name,
6449 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6450 NULL, 0, "Account Name", HFILL }},
6452 { &hf_netlogon_acct_desc,
6453 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6454 NULL, 0, "Account Description", HFILL }},
6456 { &hf_netlogon_group_desc,
6457 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6458 NULL, 0, "Group Description", HFILL }},
6460 { &hf_netlogon_full_name,
6461 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6462 NULL, 0, "Full Name", HFILL }},
6464 { &hf_netlogon_comment,
6465 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6466 NULL, 0, "Comment", HFILL }},
6468 { &hf_netlogon_parameters,
6469 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6470 NULL, 0, "Parameters", HFILL }},
6472 { &hf_netlogon_logon_script,
6473 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6474 NULL, 0, "Logon Script", HFILL }},
6476 { &hf_netlogon_profile_path,
6477 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6478 NULL, 0, "Profile Path", HFILL }},
6480 { &hf_netlogon_home_dir,
6481 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6482 NULL, 0, "Home Directory", HFILL }},
6484 { &hf_netlogon_dir_drive,
6485 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6486 NULL, 0, "Drive letter for home directory", HFILL }},
6488 { &hf_netlogon_logon_srv,
6489 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6490 NULL, 0, "Server", HFILL }},
6492 { &hf_netlogon_principal,
6493 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6494 NULL, 0, "Principal", HFILL }},
6496 { &hf_netlogon_logon_dom,
6497 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6498 NULL, 0, "Domain", HFILL }},
6500 { &hf_netlogon_computer_name,
6501 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6502 NULL, 0, "Computer Name", HFILL }},
6504 { &hf_netlogon_site_name,
6505 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6506 NULL, 0, "Site Name", HFILL }},
6508 { &hf_netlogon_dc_name,
6509 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6510 NULL, 0, "DC Name", HFILL }},
6512 { &hf_netlogon_dc_site_name,
6513 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6514 NULL, 0, "DC Site Name", HFILL }},
6516 { &hf_netlogon_dns_forest_name,
6517 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6518 NULL, 0, "DNS Forest Name", HFILL }},
6520 { &hf_netlogon_dc_address,
6521 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6522 NULL, 0, "DC Address", HFILL }},
6524 { &hf_netlogon_dc_address_type,
6525 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6526 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6528 { &hf_netlogon_client_site_name,
6529 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6530 NULL, 0, "Client Site Name", HFILL }},
6532 { &hf_netlogon_workstation_site_name,
6533 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6534 NULL, 0, "Workstation Site Name", HFILL }},
6536 { &hf_netlogon_workstation,
6537 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6538 NULL, 0, "Workstation Name", HFILL }},
6540 { &hf_netlogon_workstation_os,
6541 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6542 NULL, 0, "Workstation OS", HFILL }},
6544 { &hf_netlogon_workstations,
6545 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6546 NULL, 0, "Workstations", HFILL }},
6548 { &hf_netlogon_workstation_fqdn,
6549 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6550 NULL, 0, "Workstation FQDN", HFILL }},
6552 { &hf_netlogon_group_name,
6553 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6554 NULL, 0, "Group Name", HFILL }},
6556 { &hf_netlogon_alias_name,
6557 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6558 NULL, 0, "Alias Name", HFILL }},
6560 { &hf_netlogon_dns_host,
6561 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6562 NULL, 0, "DNS Host", HFILL }},
6564 { &hf_netlogon_downlevel_domain_name,
6565 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6566 NULL, 0, "Downlevel Domain Name", HFILL }},
6568 { &hf_netlogon_dns_domain_name,
6569 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6570 NULL, 0, "DNS Domain Name", HFILL }},
6572 { &hf_netlogon_domain_name,
6573 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6574 NULL, 0, "Domain Name", HFILL }},
6576 { &hf_netlogon_oem_info,
6577 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6578 NULL, 0, "OEM Info", HFILL }},
6580 { &hf_netlogon_trusted_dc_name,
6581 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6582 NULL, 0, "Trusted DC", HFILL }},
6584 { &hf_netlogon_logonsrv_handle,
6585 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6586 NULL, 0, "Logon Srv Handle", HFILL }},
6588 { &hf_netlogon_dummy,
6589 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6590 NULL, 0, "Dummy string", HFILL }},
6592 { &hf_netlogon_logon_count16,
6593 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6594 NULL, 0x0, "Number of successful logins", HFILL }},
6596 { &hf_netlogon_logon_count,
6597 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6598 NULL, 0x0, "Number of successful logins", HFILL }},
6600 { &hf_netlogon_bad_pw_count16,
6601 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6602 NULL, 0x0, "Number of failed logins", HFILL }},
6604 { &hf_netlogon_bad_pw_count,
6605 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6606 NULL, 0x0, "Number of failed logins", HFILL }},
6608 { &hf_netlogon_country,
6609 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6610 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6612 { &hf_netlogon_codepage,
6613 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6614 NULL, 0x0, "Codepage setting for this account", HFILL }},
6616 { &hf_netlogon_level16,
6617 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6618 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6620 { &hf_netlogon_validation_level,
6621 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6622 NULL, 0x0, "Requested level of validation", HFILL }},
6624 { &hf_netlogon_minpasswdlen,
6625 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6626 NULL, 0x0, "Minimum length of password", HFILL }},
6628 { &hf_netlogon_passwdhistorylen,
6629 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6630 NULL, 0x0, "Length of password history", HFILL }},
6632 { &hf_netlogon_secure_channel_type,
6633 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
6634 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
6636 { &hf_netlogon_restart_state,
6637 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6638 NULL, 0x0, "Restart State", HFILL }},
6640 { &hf_netlogon_delta_type,
6641 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6642 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6644 { &hf_netlogon_blob_size,
6645 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6646 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6648 { &hf_netlogon_code,
6649 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6650 NULL, 0x0, "Code", HFILL }},
6652 { &hf_netlogon_level,
6653 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6654 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6656 { &hf_netlogon_reference,
6657 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6658 NULL, 0x0, "", HFILL }},
6660 { &hf_netlogon_next_reference,
6661 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6662 NULL, 0x0, "", HFILL }},
6664 { &hf_netlogon_timestamp,
6665 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6666 NULL, 0, "", HFILL }},
6668 { &hf_netlogon_user_rid,
6669 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6670 NULL, 0x0, "", HFILL }},
6672 { &hf_netlogon_alias_rid,
6673 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6674 NULL, 0x0, "", HFILL }},
6676 { &hf_netlogon_group_rid,
6677 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6678 NULL, 0x0, "", HFILL }},
6680 { &hf_netlogon_num_rids,
6681 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6682 NULL, 0x0, "Number of RIDs", HFILL }},
6684 { &hf_netlogon_num_controllers,
6685 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6686 NULL, 0x0, "Number of domain controllers", HFILL }},
6688 { &hf_netlogon_num_other_groups,
6689 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6690 NULL, 0x0, "", HFILL }},
6692 { &hf_netlogon_flags,
6693 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6694 NULL, 0x0, "", HFILL }},
6696 { &hf_netlogon_user_flags,
6697 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6698 NULL, 0x0, "", HFILL }},
6700 { &hf_netlogon_auth_flags,
6701 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6702 NULL, 0x0, "", HFILL }},
6704 { &hf_netlogon_systemflags,
6705 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6706 NULL, 0x0, "", HFILL }},
6708 { &hf_netlogon_database_id,
6709 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6710 NULL, 0x0, "Database Id", HFILL }},
6712 { &hf_netlogon_sync_context,
6713 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6714 NULL, 0x0, "Sync Context", HFILL }},
6716 { &hf_netlogon_max_size,
6717 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6718 NULL, 0x0, "Max Size of database", HFILL }},
6720 { &hf_netlogon_max_log_size,
6721 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6722 NULL, 0x0, "Max Size of log", HFILL }},
6724 { &hf_netlogon_pac_size,
6725 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6726 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6728 { &hf_netlogon_auth_size,
6729 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6730 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6732 { &hf_netlogon_num_deltas,
6733 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6734 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6736 { &hf_netlogon_num_trusts,
6737 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
6738 NULL, 0x0, "", HFILL }},
6740 { &hf_netlogon_logon_attempts,
6741 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6742 NULL, 0x0, "Number of logon attempts", HFILL }},
6744 { &hf_netlogon_pagefilelimit,
6745 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6746 NULL, 0x0, "", HFILL }},
6748 { &hf_netlogon_pagedpoollimit,
6749 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6750 NULL, 0x0, "", HFILL }},
6752 { &hf_netlogon_nonpagedpoollimit,
6753 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6754 NULL, 0x0, "", HFILL }},
6756 { &hf_netlogon_minworkingsetsize,
6757 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6758 NULL, 0x0, "", HFILL }},
6760 { &hf_netlogon_maxworkingsetsize,
6761 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6762 NULL, 0x0, "", HFILL }},
6764 { &hf_netlogon_serial_number,
6765 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6766 NULL, 0x0, "", HFILL }},
6768 { &hf_netlogon_neg_flags,
6769 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6770 NULL, 0x0, "Negotiation Flags", HFILL }},
6772 { &hf_netlogon_dc_flags,
6773 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
6774 NULL, 0x0, "Domain Controller Flags", HFILL }},
6776 { &hf_netlogon_dc_flags_pdc_flag,
6777 { "PDC", "netlogon.dc.flags.pdc",
6778 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
6779 "If this server is a PDC", HFILL }},
6781 { &hf_netlogon_dc_flags_gc_flag,
6782 { "GC", "netlogon.dc.flags.gc",
6783 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
6784 "If this server is a GC", HFILL }},
6786 { &hf_netlogon_dc_flags_ldap_flag,
6787 { "LDAP", "netlogon.dc.flags.ldap",
6788 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
6789 "If this is an LDAP server", HFILL }},
6791 { &hf_netlogon_dc_flags_ds_flag,
6792 { "DS", "netlogon.dc.flags.ds",
6793 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
6794 "If this server is a DS", HFILL }},
6796 { &hf_netlogon_dc_flags_kdc_flag,
6797 { "KDC", "netlogon.dc.flags.kdc",
6798 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
6799 "If this is a KDC", HFILL }},
6801 { &hf_netlogon_dc_flags_timeserv_flag,
6802 { "Timeserv", "netlogon.dc.flags.timeserv",
6803 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
6804 "If this server is a TimeServer", HFILL }},
6806 { &hf_netlogon_dc_flags_closest_flag,
6807 { "Closest", "netlogon.dc.flags.closest",
6808 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
6809 "If this is the closest server", HFILL }},
6811 { &hf_netlogon_dc_flags_writable_flag,
6812 { "Writable", "netlogon.dc.flags.writable",
6813 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
6814 "If this server can do updates to the database", HFILL }},
6816 { &hf_netlogon_dc_flags_good_timeserv_flag,
6817 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
6818 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
6819 "If this is a Good TimeServer", HFILL }},
6821 { &hf_netlogon_dc_flags_ndnc_flag,
6822 { "NDNC", "netlogon.dc.flags.ndnc",
6823 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
6824 "If this is an NDNC server", HFILL }},
6826 { &hf_netlogon_dc_flags_dns_controller_flag,
6827 { "DNS Controller", "netlogon.dc.flags.dns_controller",
6828 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
6829 "If this server is a DNS Controller", HFILL }},
6831 { &hf_netlogon_dc_flags_dns_domain_flag,
6832 { "DNS Domain", "netlogon.dc.flags.dns_domain",
6833 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
6836 { &hf_netlogon_dc_flags_dns_forest_flag,
6837 { "DNS Forest", "netlogon.dc.flags.dns_forest",
6838 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
6841 { &hf_netlogon_get_dcname_request_flags,
6842 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
6843 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
6845 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
6846 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
6847 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
6848 "Whether to allow the server to returned cached information or not", HFILL }},
6850 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
6851 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
6852 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
6853 "Whether we require that the returned DC supports w2k or not", HFILL }},
6855 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
6856 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
6857 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
6858 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
6860 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
6861 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
6862 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
6863 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
6865 { &hf_netlogon_get_dcname_request_flags_pdc_required,
6866 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
6867 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
6868 "Whether we require the returned DC to be the PDC", HFILL }},
6870 { &hf_netlogon_get_dcname_request_flags_background_only,
6871 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
6872 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
6873 "If we want cached data, even if it may have expired", HFILL }},
6875 { &hf_netlogon_get_dcname_request_flags_ip_required,
6876 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
6877 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
6878 "If we requre the IP of the DC in the reply", HFILL }},
6880 { &hf_netlogon_get_dcname_request_flags_kdc_required,
6881 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
6882 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
6883 "If we require that the returned server is a KDC", HFILL }},
6885 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
6886 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
6887 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
6888 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
6890 { &hf_netlogon_get_dcname_request_flags_writable_required,
6891 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
6892 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
6893 "If we require that the return server is writable", HFILL }},
6895 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
6896 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
6897 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
6898 "If we prefer Windows Time Servers", HFILL }},
6900 { &hf_netlogon_get_dcname_request_flags_avoid_self,
6901 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
6902 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
6903 "Return another DC than the one we ask", HFILL }},
6905 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
6906 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
6907 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
6908 "We just want an LDAP server, it does not have to be a DC", HFILL }},
6910 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
6911 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
6912 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
6913 "If the specified domain name is a NetBIOS name", HFILL }},
6915 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
6916 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
6917 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
6918 "If the specified domain name is a DNS name", HFILL }},
6920 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
6921 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
6922 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
6923 "Only return a DNS name (or an error)", HFILL }},
6925 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
6926 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
6927 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
6928 "Only return a NetBIOS name (or an error)", HFILL }},
6930 { &hf_netlogon_trust_attribs,
6931 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
6932 NULL, 0x0, "Trust Attributes", HFILL }},
6934 { &hf_netlogon_trust_type,
6935 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
6936 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
6938 { &hf_netlogon_trust_flags,
6939 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
6940 NULL, 0x0, "Trust Flags", HFILL }},
6942 { &hf_netlogon_trust_flags_inbound,
6943 { "Inbound Trust", "netlogon.trust.flags.inbound",
6944 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
6945 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
6947 { &hf_netlogon_trust_flags_outbound,
6948 { "Outbound Trust", "netlogon.trust.flags.outbound",
6949 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
6950 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
6952 { &hf_netlogon_trust_flags_in_forest,
6953 { "In Forest", "netlogon.trust.flags.in_forest",
6954 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
6955 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
6957 { &hf_netlogon_trust_flags_native_mode,
6958 { "Native Mode", "netlogon.trust.flags.native_mode",
6959 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
6960 "Whether the domain is a w2k native mode domain or not", HFILL }},
6962 { &hf_netlogon_trust_flags_primary,
6963 { "Primary", "netlogon.trust.flags.primary",
6964 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
6965 "Whether the domain is the primary domain for the queried server or not", HFILL }},
6967 { &hf_netlogon_trust_flags_tree_root,
6968 { "Tree Root", "netlogon.trust.flags.tree_root",
6969 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
6970 "Whether the domain is the root of the tree for the queried server", HFILL }},
6972 { &hf_netlogon_trust_parent_index,
6973 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
6974 NULL, 0x0, "Parent Index", HFILL }},
6976 { &hf_netlogon_logon_time,
6977 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6978 NULL, 0, "Time for last time this user logged on", HFILL }},
6980 { &hf_netlogon_kickoff_time,
6981 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6982 NULL, 0, "Time when this user will be kicked off", HFILL }},
6984 { &hf_netlogon_logoff_time,
6985 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6986 NULL, 0, "Time for last time this user logged off", HFILL }},
6988 { &hf_netlogon_pwd_last_set_time,
6989 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6990 NULL, 0, "Last time this users password was changed", HFILL }},
6992 { &hf_netlogon_pwd_can_change_time,
6993 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6994 NULL, 0, "When this users password may be changed", HFILL }},
6996 { &hf_netlogon_pwd_must_change_time,
6997 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6998 NULL, 0, "When this users password must be changed", HFILL }},
7000 { &hf_netlogon_domain_create_time,
7001 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7002 NULL, 0, "Time when this domain was created", HFILL }},
7004 { &hf_netlogon_domain_modify_time,
7005 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7006 NULL, 0, "Time when this domain was last modified", HFILL }},
7008 { &hf_netlogon_db_modify_time,
7009 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7010 NULL, 0, "Time when last modified", HFILL }},
7012 { &hf_netlogon_db_create_time,
7013 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7014 NULL, 0, "Time when created", HFILL }},
7016 { &hf_netlogon_cipher_current_set_time,
7017 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7018 NULL, 0, "Time when current cipher was initiated", HFILL }},
7020 { &hf_netlogon_cipher_old_set_time,
7021 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7022 NULL, 0, "Time when previous cipher was initiated", HFILL }},
7024 { &hf_netlogon_audit_retention_period,
7025 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
7026 NULL, 0, "Audit retention period", HFILL }},
7028 { &hf_netlogon_guid,
7029 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
7030 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
7032 { &hf_netlogon_timelimit,
7033 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
7034 NULL, 0, "", HFILL }},
7036 /* Secure channel dissection */
7038 { &hf_netlogon_secchan_bind_unknown1,
7039 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7040 NULL, 0x0, "", HFILL }},
7042 { &hf_netlogon_secchan_bind_unknown2,
7043 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7044 NULL, 0x0, "", HFILL }},
7046 { &hf_netlogon_secchan_domain,
7047 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7048 NULL, 0, "", HFILL }},
7050 { &hf_netlogon_secchan_host,
7051 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7052 NULL, 0, "", HFILL }},
7054 { &hf_netlogon_secchan_bind_ack_unknown1,
7055 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
7056 BASE_HEX, NULL, 0x0, "", HFILL }},
7058 { &hf_netlogon_secchan_bind_ack_unknown2,
7059 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
7060 BASE_HEX, NULL, 0x0, "", HFILL }},
7062 { &hf_netlogon_secchan_bind_ack_unknown3,
7063 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
7064 BASE_HEX, NULL, 0x0, "", HFILL }},
7066 { &hf_netlogon_secchan,
7067 { "Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
7068 NULL, 0x0, "Verifier", HFILL }},
7070 { &hf_netlogon_secchan_sig,
7071 { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL,
7072 0x0, "Signature", HFILL }},
7074 { &hf_netlogon_secchan_unk,
7075 { "Unknown", "netlogon.secchan.unk", FT_BYTES, BASE_HEX, NULL,
7076 0x0, "Unknown", HFILL }},
7078 { &hf_netlogon_secchan_seq,
7079 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL,
7080 0x0, "Sequence No", HFILL }},
7082 { &hf_netlogon_secchan_nonce,
7083 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL,
7084 0x0, "Nonce", HFILL }},
7088 static gint *ett[] = {
7089 &ett_dcerpc_netlogon,
7095 &ett_DOMAIN_CONTROLLER_INFO,
7096 &ett_UNICODE_STRING_512,
7099 &ett_DELTA_ID_UNION,
7102 &ett_LM_OWF_PASSWORD,
7103 &ett_NT_OWF_PASSWORD,
7104 &ett_GROUP_MEMBERSHIP,
7105 &ett_DS_DOMAIN_TRUSTS,
7107 &ett_DOMAIN_TRUST_INFO,
7109 &ett_get_dcname_request_flags,
7111 &ett_secchan_bind_creds,
7112 &ett_secchan_bind_ack_creds,
7116 proto_dcerpc_netlogon = proto_register_protocol(
7117 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7119 proto_register_field_array(proto_dcerpc_netlogon, hf,
7121 proto_register_subtree_array(ett, array_length(ett));
7125 proto_reg_handoff_dcerpc_netlogon(void)
7127 /* Register protocol as dcerpc */
7129 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7130 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7131 dcerpc_netlogon_dissectors, hf_netlogon_opnum);