1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 #include <wsutil/rc4.h>
32 #include <wsutil/md4.h>
33 #include <wsutil/md5.h>
34 #include <wsutil/des.h>
36 #include <epan/packet.h>
37 #include <epan/wmem/wmem.h>
38 /* for dissect_mscldap_string */
39 #include "packet-ldap.h"
40 #include "packet-dcerpc.h"
41 #include "packet-dcerpc-nt.h"
42 #include "packet-dcerpc-netlogon.h"
43 #include "packet-windows-common.h"
44 #include "packet-ntlmssp.h"
45 #include "packet-dcerpc-lsa.h"
46 /* for keytab format */
47 #include <epan/asn1.h>
48 #include "packet-kerberos.h"
51 void proto_register_dcerpc_netlogon(void);
52 void proto_reg_handoff_dcerpc_netlogon(void);
54 extern const char *gbl_nt_password;
58 #define debugprintf(...) fprintf(stderr,__VA_ARGS__)
59 static void printnbyte(const guint8* tab,int nb,const char* txt,const char* txt2)
62 debugprintf("%s ",txt);
65 debugprintf("%02X ",*(tab+i));
67 debugprintf("%s",txt2);
70 #define debugprintf(...)
71 static void printnbyte(const guint8* tab _U_,int nb _U_,const char* txt _U_,const char* txt2 _U_) {}
74 #define NETLOGON_FLAG_80000000 0x80000000
75 #define NETLOGON_FLAG_40000000 0x40000000
76 #define NETLOGON_FLAG_20000000 0x20000000
77 #define NETLOGON_FLAG_10000000 0x10000000
78 #define NETLOGON_FLAG_8000000 0x8000000
79 #define NETLOGON_FLAG_4000000 0x4000000
80 #define NETLOGON_FLAG_2000000 0x2000000
81 #define NETLOGON_FLAG_1000000 0x1000000
82 #define NETLOGON_FLAG_800000 0x800000
83 #define NETLOGON_FLAG_USEAES 0x400000
84 #define NETLOGON_FLAG_200000 0x200000
85 #define NETLOGON_FLAG_100000 0x100000
86 #define NETLOGON_FLAG_80000 0x80000
87 #define NETLOGON_FLAG_40000 0x40000
88 #define NETLOGON_FLAG_20000 0x20000
89 #define NETLOGON_FLAG_10000 0x10000
90 #define NETLOGON_FLAG_8000 0x8000
91 #define NETLOGON_FLAG_STRONGKEY 0x4000
92 #define NETLOGON_FLAG_2000 0x2000
93 #define NETLOGON_FLAG_1000 0x1000
94 #define NETLOGON_FLAG_800 0x800
95 #define NETLOGON_FLAG_400 0x400
96 #define NETLOGON_FLAG_200 0x200
97 #define NETLOGON_FLAG_100 0x100
98 #define NETLOGON_FLAG_80 0x80
99 #define NETLOGON_FLAG_40 0x40
100 #define NETLOGON_FLAG_20 0x20
101 #define NETLOGON_FLAG_10 0x10
102 #define NETLOGON_FLAG_8 0x8
103 #define NETLOGON_FLAG_4 0x4
104 #define NETLOGON_FLAG_2 0x2
105 #define NETLOGON_FLAG_1 0x1
107 static GHashTable *netlogon_auths=NULL;
108 static GHashTable *schannel_auths;
109 static gint hf_netlogon_TrustedDomainName_string = -1;
110 static gint hf_netlogon_UserName_string = -1;
111 static gint DomainInfo_sid = -1;
112 static gint DnsDomainInfo_sid = -1;
113 static gint DnsDomainInfo_domain_guid = -1;
114 static gint DnsDomainInfo_dns_domain = -1;
115 static gint DnsDomainInfo_dns_forest = -1;
116 static gint DnsDomainInfo_name = -1;
117 static int hf_client_challenge = -1;
118 static int hf_server_rid = -1;
119 static int hf_server_challenge = -1;
120 static int hf_client_credential = -1;
121 static int hf_server_credential = -1;
122 static int proto_dcerpc_netlogon = -1;
123 static int hf_netlogon_logon_dnslogondomainname = -1;
124 static int hf_netlogon_logon_upn = -1;
125 static int hf_netlogon_group_attrs_mandatory = -1;
126 static int hf_netlogon_group_attrs_enabled_by_default = -1;
127 static int hf_netlogon_group_attrs_enabled = -1;
128 static int hf_netlogon_opnum = -1;
129 static int hf_netlogon_data_length = -1;
130 static int hf_netlogon_extraflags = -1;
131 static int hf_netlogon_extra_flags_root_forest = -1;
132 static int hf_netlogon_trust_flags_dc_firsthop = -1;
133 static int hf_netlogon_trust_flags_rodc_to_dc = -1;
134 static int hf_netlogon_trust_flags_rodc_ntlm = -1;
135 static int hf_netlogon_package_name = -1;
136 static int hf_netlogon_rc = -1;
137 static int hf_netlogon_dos_rc = -1;
138 static int hf_netlogon_werr_rc = -1;
139 static int hf_netlogon_len = -1;
140 static int hf_netlogon_sensitive_data_flag = -1;
141 static int hf_netlogon_sensitive_data_len = -1;
142 static int hf_netlogon_sensitive_data = -1;
143 static int hf_netlogon_security_information = -1;
144 static int hf_netlogon_dummy = -1;
145 static int hf_netlogon_neg_flags = -1;
146 /* static int hf_netlogon_neg_flags_80000000 = -1; */
147 static int hf_netlogon_neg_flags_40000000 = -1;
148 static int hf_netlogon_neg_flags_20000000 = -1;
149 /* static int hf_netlogon_neg_flags_10000000 = -1; */
150 /* static int hf_netlogon_neg_flags_8000000 = -1; */
151 /* static int hf_netlogon_neg_flags_4000000 = -1; */
152 /* static int hf_netlogon_neg_flags_2000000 = -1; */
153 static int hf_netlogon_neg_flags_1000000 = -1;
154 /* static int hf_netlogon_neg_flags_800000 = -1; */
155 static int hf_netlogon_neg_flags_400000 = -1;
156 static int hf_netlogon_neg_flags_200000 = -1;
157 static int hf_netlogon_neg_flags_100000 = -1;
158 static int hf_netlogon_neg_flags_80000 = -1;
159 static int hf_netlogon_neg_flags_40000 = -1;
160 static int hf_netlogon_neg_flags_20000 = -1;
161 static int hf_netlogon_neg_flags_10000 = -1;
162 static int hf_netlogon_neg_flags_8000 = -1;
163 static int hf_netlogon_neg_flags_4000 = -1;
164 static int hf_netlogon_neg_flags_2000 = -1;
165 static int hf_netlogon_neg_flags_1000 = -1;
166 static int hf_netlogon_neg_flags_800 = -1;
167 static int hf_netlogon_neg_flags_400 = -1;
168 static int hf_netlogon_neg_flags_200 = -1;
169 static int hf_netlogon_neg_flags_100 = -1;
170 static int hf_netlogon_neg_flags_80 = -1;
171 static int hf_netlogon_neg_flags_40 = -1;
172 static int hf_netlogon_neg_flags_20 = -1;
173 static int hf_netlogon_neg_flags_10 = -1;
174 static int hf_netlogon_neg_flags_8 = -1;
175 static int hf_netlogon_neg_flags_4 = -1;
176 static int hf_netlogon_neg_flags_2 = -1;
177 static int hf_netlogon_neg_flags_1 = -1;
178 static int hf_netlogon_minworkingsetsize = -1;
179 static int hf_netlogon_maxworkingsetsize = -1;
180 static int hf_netlogon_pagedpoollimit = -1;
181 static int hf_netlogon_pagefilelimit = -1;
182 static int hf_netlogon_timelimit = -1;
183 static int hf_netlogon_nonpagedpoollimit = -1;
184 /* static int hf_netlogon_pac_size = -1; */
185 /* static int hf_netlogon_pac_data = -1; */
186 /* static int hf_netlogon_auth_size = -1; */
187 /* static int hf_netlogon_auth_data = -1; */
188 static int hf_netlogon_cipher_len = -1;
189 static int hf_netlogon_cipher_maxlen = -1;
190 static int hf_netlogon_cipher_current_data = -1;
191 static int hf_netlogon_cipher_current_set_time = -1;
192 static int hf_netlogon_cipher_old_data = -1;
193 static int hf_netlogon_cipher_old_set_time = -1;
194 static int hf_netlogon_priv = -1;
195 static int hf_netlogon_privilege_entries = -1;
196 static int hf_netlogon_privilege_control = -1;
197 static int hf_netlogon_privilege_name = -1;
198 static int hf_netlogon_systemflags = -1;
199 static int hf_netlogon_pdc_connection_status = -1;
200 static int hf_netlogon_tc_connection_status = -1;
201 static int hf_netlogon_restart_state = -1;
202 static int hf_netlogon_attrs = -1;
203 static int hf_netlogon_lsapolicy_len = -1;
204 /* static int hf_netlogon_lsapolicy_referentid = -1; */
205 /* static int hf_netlogon_lsapolicy_pointer = -1; */
206 static int hf_netlogon_count = -1;
207 static int hf_netlogon_entries = -1;
208 static int hf_netlogon_minpasswdlen = -1;
209 static int hf_netlogon_passwdhistorylen = -1;
210 static int hf_netlogon_level16 = -1;
211 static int hf_netlogon_validation_level = -1;
212 static int hf_netlogon_reference = -1;
213 static int hf_netlogon_next_reference = -1;
214 static int hf_netlogon_timestamp = -1;
215 static int hf_netlogon_level = -1;
216 static int hf_netlogon_challenge = -1;
217 static int hf_netlogon_reserved = -1;
218 static int hf_netlogon_audit_retention_period = -1;
219 static int hf_netlogon_auditing_mode = -1;
220 static int hf_netlogon_max_audit_event_count = -1;
221 static int hf_netlogon_event_audit_option = -1;
222 static int hf_netlogon_unknown_string = -1;
223 static int hf_netlogon_trust_extention = -1;
224 static int hf_netlogon_trust_max = -1;
225 static int hf_netlogon_trust_offset = -1;
226 static int hf_netlogon_trust_len = -1;
227 static int hf_netlogon_dummy_string = -1;
228 static int hf_netlogon_dummy_string2 = -1;
229 static int hf_netlogon_dummy_string3 = -1;
230 static int hf_netlogon_dummy_string4 = -1;
231 static int hf_netlogon_dummy_string5 = -1;
232 static int hf_netlogon_dummy_string6 = -1;
233 static int hf_netlogon_dummy_string7 = -1;
234 static int hf_netlogon_dummy_string8 = -1;
235 static int hf_netlogon_dummy_string9 = -1;
236 static int hf_netlogon_dummy_string10 = -1;
237 static int hf_netlogon_unknown_short = -1;
238 static int hf_netlogon_unknown_long = -1;
239 static int hf_netlogon_dummy1_long = -1;
240 static int hf_netlogon_dummy2_long = -1;
241 static int hf_netlogon_dummy3_long = -1;
242 static int hf_netlogon_dummy4_long = -1;
243 static int hf_netlogon_dummy5_long = -1;
244 static int hf_netlogon_dummy6_long = -1;
245 static int hf_netlogon_dummy7_long = -1;
246 static int hf_netlogon_dummy8_long = -1;
247 static int hf_netlogon_dummy9_long = -1;
248 static int hf_netlogon_dummy10_long = -1;
249 static int hf_netlogon_unknown_char = -1;
250 static int hf_netlogon_logon_time = -1;
251 static int hf_netlogon_logoff_time = -1;
252 static int hf_netlogon_last_logoff_time = -1;
253 static int hf_netlogon_kickoff_time = -1;
254 static int hf_netlogon_pwd_age = -1;
255 static int hf_netlogon_pwd_last_set_time = -1;
256 static int hf_netlogon_pwd_can_change_time = -1;
257 static int hf_netlogon_pwd_must_change_time = -1;
258 /* static int hf_netlogon_nt_chal_resp = -1; */
259 static int hf_netlogon_lm_chal_resp = -1;
260 static int hf_netlogon_credential = -1;
261 static int hf_netlogon_acct_name = -1;
262 static int hf_netlogon_acct_desc = -1;
263 static int hf_netlogon_group_desc = -1;
264 static int hf_netlogon_full_name = -1;
265 static int hf_netlogon_comment = -1;
266 static int hf_netlogon_parameters = -1;
267 static int hf_netlogon_logon_script = -1;
268 static int hf_netlogon_profile_path = -1;
269 static int hf_netlogon_home_dir = -1;
270 static int hf_netlogon_dir_drive = -1;
271 static int hf_netlogon_logon_count = -1;
272 static int hf_netlogon_logon_count16 = -1;
273 static int hf_netlogon_bad_pw_count = -1;
274 static int hf_netlogon_bad_pw_count16 = -1;
275 static int hf_netlogon_user_rid = -1;
276 static int hf_netlogon_alias_rid = -1;
277 static int hf_netlogon_group_rid = -1;
278 static int hf_netlogon_logon_srv = -1;
279 /* static int hf_netlogon_principal = -1; */
280 static int hf_netlogon_logon_dom = -1;
281 static int hf_netlogon_resourcegroupcount = -1;
282 static int hf_netlogon_downlevel_domain_name = -1;
283 static int hf_netlogon_dns_domain_name = -1;
284 static int hf_netlogon_ad_client_dns_name = -1;
285 static int hf_netlogon_domain_name = -1;
286 static int hf_netlogon_domain_create_time = -1;
287 static int hf_netlogon_domain_modify_time = -1;
288 static int hf_netlogon_modify_count = -1;
289 static int hf_netlogon_db_modify_time = -1;
290 static int hf_netlogon_db_create_time = -1;
291 static int hf_netlogon_oem_info = -1;
292 static int hf_netlogon_serial_number = -1;
293 static int hf_netlogon_num_rids = -1;
294 static int hf_netlogon_num_trusts = -1;
295 static int hf_netlogon_num_controllers = -1;
296 static int hf_netlogon_num_sid = -1;
297 static int hf_netlogon_computer_name = -1;
298 static int hf_netlogon_site_name = -1;
299 static int hf_netlogon_trusted_dc_name = -1;
300 static int hf_netlogon_dc_name = -1;
301 static int hf_netlogon_dc_site_name = -1;
302 static int hf_netlogon_dns_forest_name = -1;
303 static int hf_netlogon_dc_address = -1;
304 static int hf_netlogon_dc_address_type = -1;
305 static int hf_netlogon_client_site_name = -1;
306 static int hf_netlogon_workstation = -1;
307 static int hf_netlogon_workstation_site_name = -1;
308 static int hf_netlogon_os_version = -1;
309 static int hf_netlogon_workstation_os = -1;
310 static int hf_netlogon_workstation_flags = -1;
311 static int hf_netlogon_supportedenctypes = -1;
313 static int hf_netlogon_workstations = -1;
314 static int hf_netlogon_workstation_fqdn = -1;
315 static int hf_netlogon_group_name = -1;
316 static int hf_netlogon_alias_name = -1;
317 static int hf_netlogon_country = -1;
318 static int hf_netlogon_codepage = -1;
319 static int hf_netlogon_flags = -1;
320 static int hf_netlogon_trust_attribs = -1;
321 static int hf_netlogon_trust_attribs_non_transitive = -1;
322 static int hf_netlogon_trust_attribs_uplevel_only = -1;
323 static int hf_netlogon_trust_attribs_quarantined_domain = -1;
324 static int hf_netlogon_trust_attribs_forest_transitive = -1;
325 static int hf_netlogon_trust_attribs_cross_organization = -1;
326 static int hf_netlogon_trust_attribs_within_forest = -1;
327 static int hf_netlogon_trust_attribs_treat_as_external = -1;
328 static int hf_netlogon_trust_type = -1;
329 static int hf_netlogon_trust_flags = -1;
330 static int hf_netlogon_trust_flags_inbound = -1;
331 static int hf_netlogon_trust_flags_outbound = -1;
332 static int hf_netlogon_trust_flags_in_forest = -1;
333 static int hf_netlogon_trust_flags_native_mode = -1;
334 static int hf_netlogon_trust_flags_primary = -1;
335 static int hf_netlogon_trust_flags_tree_root = -1;
336 static int hf_netlogon_trust_parent_index = -1;
337 static int hf_netlogon_user_account_control = -1;
338 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
339 static int hf_netlogon_user_account_control_use_des_key_only = -1;
340 static int hf_netlogon_user_account_control_not_delegated = -1;
341 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
342 static int hf_netlogon_user_account_control_smartcard_required = -1;
343 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
344 static int hf_netlogon_user_account_control_account_auto_locked = -1;
345 static int hf_netlogon_user_account_control_dont_expire_password = -1;
346 static int hf_netlogon_user_account_control_server_trust_account = -1;
347 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
348 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
349 static int hf_netlogon_user_account_control_mns_logon_account = -1;
350 static int hf_netlogon_user_account_control_normal_account = -1;
351 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
352 static int hf_netlogon_user_account_control_password_not_required = -1;
353 static int hf_netlogon_user_account_control_home_directory_required = -1;
354 static int hf_netlogon_user_account_control_account_disabled = -1;
355 static int hf_netlogon_user_flags = -1;
356 static int hf_netlogon_user_flags_extra_sids = -1;
357 static int hf_netlogon_user_flags_resource_groups = -1;
358 static int hf_netlogon_auth_flags = -1;
359 static int hf_netlogon_pwd_expired = -1;
360 static int hf_netlogon_nt_pwd_present = -1;
361 static int hf_netlogon_lm_pwd_present = -1;
362 static int hf_netlogon_code = -1;
363 static int hf_netlogon_database_id = -1;
364 static int hf_netlogon_sync_context = -1;
365 static int hf_netlogon_max_size = -1;
366 static int hf_netlogon_max_log_size = -1;
367 static int hf_netlogon_dns_host = -1;
368 static int hf_netlogon_acct_expiry_time = -1;
369 static int hf_netlogon_encrypted_lm_owf_password = -1;
370 static int hf_netlogon_lm_owf_password = -1;
371 static int hf_netlogon_nt_owf_password = -1;
372 static int hf_netlogon_param_ctrl = -1;
373 static int hf_netlogon_logon_id = -1;
374 static int hf_netlogon_num_deltas = -1;
375 static int hf_netlogon_user_session_key = -1;
376 static int hf_netlogon_blob_size = -1;
377 static int hf_netlogon_blob = -1;
378 static int hf_netlogon_logon_attempts = -1;
379 static int hf_netlogon_authoritative = -1;
380 static int hf_netlogon_secure_channel_type = -1;
381 static int hf_netlogon_logonsrv_handle = -1;
382 static int hf_netlogon_delta_type = -1;
383 static int hf_netlogon_get_dcname_request_flags = -1;
384 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
385 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
386 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
387 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
388 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
389 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
390 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
391 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
392 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
393 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
394 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
395 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
396 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
397 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
398 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
399 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
400 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
401 static int hf_netlogon_dc_flags = -1;
402 static int hf_netlogon_dc_flags_pdc_flag = -1;
403 static int hf_netlogon_dc_flags_gc_flag = -1;
404 static int hf_netlogon_dc_flags_ldap_flag = -1;
405 static int hf_netlogon_dc_flags_ds_flag = -1;
406 static int hf_netlogon_dc_flags_kdc_flag = -1;
407 static int hf_netlogon_dc_flags_timeserv_flag = -1;
408 static int hf_netlogon_dc_flags_closest_flag = -1;
409 static int hf_netlogon_dc_flags_writable_flag = -1;
410 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
411 static int hf_netlogon_dc_flags_ndnc_flag = -1;
412 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
413 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
414 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
415 /* static int hf_netlogon_dnsdomaininfo = -1; */
416 static int hf_netlogon_s4u2proxytarget = -1;
417 static int hf_netlogon_transitedlistsize = -1;
418 static int hf_netlogon_transited_service = -1;
420 static gint ett_nt_counted_longs_as_string = -1;
421 static gint ett_dcerpc_netlogon = -1;
422 static gint ett_group_attrs = -1;
423 static gint ett_user_flags = -1;
424 static gint ett_user_account_control = -1;
425 static gint ett_QUOTA_LIMITS = -1;
426 static gint ett_IDENTITY_INFO = -1;
427 static gint ett_DELTA_ENUM = -1;
428 static gint ett_authenticate_flags = -1;
429 static gint ett_CYPHER_VALUE = -1;
430 static gint ett_UNICODE_MULTI = -1;
431 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
432 static gint ett_UNICODE_STRING_512 = -1;
433 static gint ett_TYPE_50 = -1;
434 static gint ett_TYPE_52 = -1;
435 static gint ett_DELTA_ID_UNION = -1;
436 static gint ett_TYPE_44 = -1;
437 static gint ett_DELTA_UNION = -1;
438 static gint ett_LM_OWF_PASSWORD = -1;
439 static gint ett_NT_OWF_PASSWORD = -1;
440 static gint ett_GROUP_MEMBERSHIP = -1;
441 static gint ett_BLOB = -1;
442 static gint ett_DS_DOMAIN_TRUSTS = -1;
443 static gint ett_LSA_POLICY_INFO = -1;
444 static gint ett_DOMAIN_TRUST_INFO = -1;
445 static gint ett_trust_flags = -1;
446 static gint ett_trust_attribs = -1;
447 static gint ett_get_dcname_request_flags = -1;
448 static gint ett_dc_flags = -1;
450 typedef struct _netlogon_auth_vars {
451 guint64 client_challenge;
452 guint64 server_challenge;
453 guint8 session_key[16];
454 guint8 encryption_key[16];
460 gboolean can_decrypt;
464 struct _netlogon_auth_vars *next;
465 } netlogon_auth_vars;
467 typedef struct _md4_pass {
471 typedef struct _seen_packet {
476 static seen_packet seen;
478 static e_uuid_t uuid_dcerpc_netlogon = {
479 0x12345678, 0x1234, 0xabcd,
480 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
483 static guint16 ver_dcerpc_netlogon = 1;
485 static gint dissect_dcerpc_8bytes (tvbuff_t *tvb, gint offset, packet_info *pinfo _U_,
486 proto_tree *tree, guint8 *drep,
487 int hfindex, guint64 *pdata)
491 data = ((drep[0] & DREP_LITTLE_ENDIAN)
492 ? tvb_get_letoh64 (tvb, offset)
493 : tvb_get_ntoh64 (tvb, offset));
495 /* These fields are FT_BYTES, hence the byte order doesn't matter */
497 proto_tree_add_item(tree, hfindex, tvb, offset, 8, ENC_NA);
504 static const true_false_string user_account_control_dont_require_preauth= {
505 "This account DOESN'T_REQUIRE_PREAUTHENTICATION",
506 "This account REQUIRES preauthentication",
508 static const true_false_string user_account_control_use_des_key_only= {
509 "This account must USE_DES_KEY_ONLY for passwords",
510 "This account does NOT have to use_des_key_only",
512 static const true_false_string user_account_control_not_delegated= {
513 "This account is NOT_DELEGATED",
514 "This might have been delegated",
516 static const true_false_string user_account_control_trusted_for_delegation= {
517 "This account is TRUSTED_FOR_DELEGATION",
518 "This account is NOT trusted_for_delegation",
520 static const true_false_string user_account_control_smartcard_required= {
521 "This account REQUIRES_SMARTCARD to authenticate",
522 "This account does NOT require_smartcard to authenticate",
524 static const true_false_string user_account_control_encrypted_text_password_allowed= {
525 "This account allows ENCRYPTED_TEXT_PASSWORD",
526 "This account does NOT allow encrypted_text_password",
528 static const true_false_string user_account_control_account_auto_locked= {
529 "This account is AUTO_LOCKED",
530 "This account is NOT auto_locked",
532 static const true_false_string user_account_control_dont_expire_password= {
533 "This account DOESN'T_EXPIRE_PASSWORDs",
534 "This account might expire_passwords",
536 static const true_false_string user_account_control_server_trust_account= {
537 "This account is a SERVER_TRUST_ACCOUNT",
538 "This account is NOT a server_trust_account",
540 static const true_false_string user_account_control_workstation_trust_account= {
541 "This account is a WORKSTATION_TRUST_ACCOUNT",
542 "This account is NOT a workstation_trust_account",
544 static const true_false_string user_account_control_interdomain_trust_account= {
545 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
546 "This account is NOT an interdomain_trust_account",
548 static const true_false_string user_account_control_mns_logon_account= {
549 "This account is a MNS_LOGON_ACCOUNT",
550 "This account is NOT a mns_logon_account",
552 static const true_false_string user_account_control_normal_account= {
553 "This account is a NORMAL_ACCOUNT",
554 "This account is NOT a normal_account",
556 static const true_false_string user_account_control_temp_duplicate_account= {
557 "This account is a TEMP_DUPLICATE_ACCOUNT",
558 "This account is NOT a temp_duplicate_account",
560 static const true_false_string user_account_control_password_not_required= {
561 "This account REQUIRES_NO_PASSWORD",
562 "This account REQUIRES a password",
564 static const true_false_string user_account_control_home_directory_required= {
565 "This account REQUIRES_HOME_DIRECTORY",
566 "This account does NOT require_home_directory",
568 static const true_false_string user_account_control_account_disabled= {
569 "This account is DISABLED",
570 "This account is NOT disabled",
573 typedef struct _netlogon_auth_key {
582 netlogon_auth_equal (gconstpointer k1, gconstpointer k2)
584 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k1;
585 const netlogon_auth_key *key2 = (const netlogon_auth_key *)k2;
586 if(key1->name == NULL || key2->name ==NULL)
587 return ((key1->srcport == key2->srcport) && (key1->dstport == key2->dstport) && ADDRESSES_EQUAL(&key1->src,&key2->src) &&
588 ADDRESSES_EQUAL(&key1->dst,&key2->dst));
590 return ((strcmp(key1->name,key2->name)==0) && ADDRESSES_EQUAL(&key1->src,&key2->src) &&
591 ADDRESSES_EQUAL(&key1->dst,&key2->dst));
595 netlogon_auth_hash (gconstpointer k)
597 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k;
599 if(key1->name == NULL) {
600 hash_val1 = key1->dstport;
601 hash_val1 += key1->srcport;
606 for(i=0; key1->name[i]; i++) {
607 hash_val1 += key1->name[i];
611 ADD_ADDRESS_TO_HASH(hash_val1, &key1->src);
612 ADD_ADDRESS_TO_HASH(hash_val1, &key1->dst);
616 netlogon_dissect_EXTRA_FLAGS(tvbuff_t *tvb, int offset,
617 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
620 proto_item *item = NULL;
621 proto_tree *tree = NULL;
623 if(di->conformant_run){
624 /*just a run to handle conformant arrays, nothing to dissect */
628 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
629 hf_netlogon_extraflags, &mask);
632 item = proto_tree_add_uint(parent_tree, hf_netlogon_extraflags,
633 tvb, offset-4, 4, mask);
634 tree = proto_item_add_subtree(item, ett_trust_flags);
637 proto_tree_add_boolean(tree, hf_netlogon_extra_flags_root_forest,
638 tvb, offset-4, 4, mask);
639 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_dc_firsthop,
640 tvb, offset-4, 4, mask);
641 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_rodc_to_dc,
642 tvb, offset-4, 4, mask);
643 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_rodc_ntlm,
644 tvb, offset-4, 4, mask);
649 dissect_ndr_lm_nt_hash_cb(tvbuff_t *tvb, int offset,
650 packet_info *pinfo, proto_tree *tree,
651 dcerpc_info *di, guint8 *drep, int hf_index,
652 dcerpc_callback_fnct_t *callback,
657 /* Structure starts with short, but is aligned for longs */
661 if (di->conformant_run)
668 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
673 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
676 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
677 hf_nt_cs_size, &size);
679 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
680 dissect_ndr_byte_array, NDR_POINTER_UNIQUE,
681 "Bytes Array", hf_index, callback, callback_args);
686 dissect_ndr_lm_nt_hash_helper(tvbuff_t *tvb, int offset,
687 packet_info *pinfo, proto_tree *tree,
688 dcerpc_info *di, guint8 *drep, int hf_index, int levels _U_,
689 gboolean add_subtree)
692 proto_tree *subtree = tree;
696 item = proto_tree_add_text(
697 tree, tvb, offset, 0, "%s",
698 proto_registrar_get_name(hf_index));
700 subtree = proto_item_add_subtree(item,ett_LM_OWF_PASSWORD);
703 return dissect_ndr_lm_nt_hash_cb(
704 tvb, offset, pinfo, subtree, di, drep, hf_index,
706 /*cb_wstr_postprocess, GINT_TO_POINTER(2 + levels));*/
709 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
710 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
713 proto_item *item = NULL;
714 proto_tree *tree = NULL;
716 if(di->conformant_run){
717 /*just a run to handle conformant arrays, nothing to dissect */
721 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
722 hf_netlogon_user_account_control, &mask);
725 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_account_control,
726 tvb, offset-4, 4, mask);
727 tree = proto_item_add_subtree(item, ett_user_account_control);
730 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_require_preauth,
731 tvb, offset-4, 4, mask);
732 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_use_des_key_only,
733 tvb, offset-4, 4, mask);
734 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_not_delegated,
735 tvb, offset-4, 4, mask);
736 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_trusted_for_delegation,
737 tvb, offset-4, 4, mask);
738 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_smartcard_required,
739 tvb, offset-4, 4, mask);
740 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_encrypted_text_password_allowed,
741 tvb, offset-4, 4, mask);
742 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_auto_locked,
743 tvb, offset-4, 4, mask);
744 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_expire_password,
745 tvb, offset-4, 4, mask);
746 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_server_trust_account,
747 tvb, offset-4, 4, mask);
748 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_workstation_trust_account,
749 tvb, offset-4, 4, mask);
750 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_interdomain_trust_account,
751 tvb, offset-4, 4, mask);
752 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_mns_logon_account,
753 tvb, offset-4, 4, mask);
754 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_normal_account,
755 tvb, offset-4, 4, mask);
756 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_temp_duplicate_account,
757 tvb, offset-4, 4, mask);
758 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_password_not_required,
759 tvb, offset-4, 4, mask);
760 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_home_directory_required,
761 tvb, offset-4, 4, mask);
762 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_disabled,
763 tvb, offset-4, 4, mask);
769 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
770 packet_info *pinfo, proto_tree *tree,
771 dcerpc_info *di, guint8 *drep)
773 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
774 NDR_POINTER_UNIQUE, "Server Handle",
775 hf_netlogon_logonsrv_handle, 0);
781 * IDL typedef struct {
782 * IDL [unique][string] wchar_t *effective_name;
784 * IDL long auth_flags;
785 * IDL long logon_count;
786 * IDL long bad_pw_count;
787 * IDL long last_logon;
788 * IDL long last_logoff;
789 * IDL long logoff_time;
790 * IDL long kickoff_time;
791 * IDL long password_age;
792 * IDL long pw_can_change;
793 * IDL long pw_must_change;
794 * IDL [unique][string] wchar_t *computer;
795 * IDL [unique][string] wchar_t *domain;
796 * IDL [unique][string] wchar_t *script_path;
800 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
801 packet_info *pinfo, proto_tree *tree,
802 dcerpc_info *di, guint8 *drep)
804 if(di->conformant_run){
805 /*just a run to handle conformant arrays, nothing to dissect */
809 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
810 NDR_POINTER_UNIQUE, "Effective Account",
811 hf_netlogon_acct_name, 0);
813 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
814 hf_netlogon_priv, NULL);
816 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
817 hf_netlogon_auth_flags, NULL);
819 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
820 hf_netlogon_logon_count, NULL);
822 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
823 hf_netlogon_bad_pw_count, NULL);
826 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logon_time, NULL);
828 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_last_logoff_time, NULL);
830 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logoff_time, NULL);
832 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_kickoff_time, NULL);
834 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_age, NULL);
836 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_can_change_time, NULL);
838 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_must_change_time, NULL);
840 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
841 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
843 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
844 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
846 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
847 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
849 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
850 hf_netlogon_reserved, NULL);
856 * IDL long NetrLogonUasLogon(
857 * IDL [in][unique][string] wchar_t *ServerName,
858 * IDL [in][ref][string] wchar_t *UserName,
859 * IDL [in][ref][string] wchar_t *Workstation,
860 * IDL [out][unique] VALIDATION_UAS_INFO *info
864 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
865 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
867 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
868 pinfo, tree, di, drep);
870 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
871 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
873 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
874 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
881 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
882 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
884 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
885 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
886 "VALIDATION_UAS_INFO", -1);
888 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
889 hf_netlogon_dos_rc, NULL);
895 * IDL typedef struct {
897 * IDL short logon_count;
898 * IDL } LOGOFF_UAS_INFO;
901 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
902 packet_info *pinfo, proto_tree *tree,
903 dcerpc_info *di, guint8 *drep)
905 if(di->conformant_run){
906 /*just a run to handle conformant arrays, nothing to dissect */
910 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
913 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
914 hf_netlogon_logon_count16, NULL);
920 * IDL long NetrLogonUasLogoff(
921 * IDL [in][unique][string] wchar_t *ServerName,
922 * IDL [in][ref][string] wchar_t *UserName,
923 * IDL [in][ref][string] wchar_t *Workstation,
924 * IDL [out][ref] LOGOFF_UAS_INFO *info
928 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
929 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
931 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
932 pinfo, tree, di, drep);
934 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
935 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
937 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
938 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
945 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
946 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
948 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
949 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
950 "LOGOFF_UAS_INFO", -1);
952 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
953 hf_netlogon_dos_rc, NULL);
959 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
960 packet_info *pinfo, proto_tree *tree,
961 dcerpc_info *di, guint8 *drep)
963 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
964 hf_netlogon_unknown_char, NULL);
970 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
971 packet_info *pinfo, proto_tree *tree,
972 dcerpc_info *di, guint8 *drep)
974 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
975 netlogon_dissect_BYTE_byte);
984 * IDL typedef struct {
985 * IDL UNICODESTRING LogonDomainName;
986 * IDL long ParameterControl;
987 * IDL uint64 LogonID;
988 * IDL UNICODESTRING UserName;
989 * IDL UNICODESTRING Workstation;
990 * IDL } LOGON_IDENTITY_INFO;
993 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
994 packet_info *pinfo, proto_tree *parent_tree,
995 dcerpc_info *di, guint8 *drep)
997 proto_item *item=NULL;
998 proto_tree *tree=NULL;
999 int old_offset=offset;
1002 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1004 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
1007 /* XXX: It would be nice to get the domain and account name
1008 displayed in COL_INFO. */
1010 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1011 hf_netlogon_logon_dom, 0);
1013 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1014 hf_netlogon_param_ctrl, NULL);
1016 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
1017 hf_netlogon_logon_id, NULL);
1019 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1020 hf_netlogon_acct_name, 1);
1022 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1023 hf_netlogon_workstation, 0);
1026 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
1027 /* XXX 8 extra bytes here */
1028 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
1029 the idl file. Could be a bug in either the NETLOGON implementation or in the
1032 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, di, drep);
1035 proto_item_set_len(item, offset-old_offset);
1041 * IDL typedef struct {
1042 * IDL char password[16];
1043 * IDL } LM_OWF_PASSWORD;
1046 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1047 packet_info *pinfo _U_, proto_tree *parent_tree,
1048 dcerpc_info *di, guint8 *drep _U_)
1050 proto_item *item=NULL;
1051 proto_tree *tree=NULL;
1053 if(di->conformant_run){
1054 /*just a run to handle conformant arrays, nothing to dissect.*/
1059 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
1060 "LM_OWF_PASSWORD:");
1061 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
1064 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
1072 * IDL typedef struct {
1073 * IDL char password[16];
1074 * IDL } NT_OWF_PASSWORD;
1077 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1078 packet_info *pinfo _U_, proto_tree *parent_tree,
1079 dcerpc_info *di, guint8 *drep _U_)
1081 proto_item *item=NULL;
1082 proto_tree *tree=NULL;
1084 if(di->conformant_run){
1085 /*just a run to handle conformant arrays, nothing to dissect.*/
1090 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
1091 "NT_OWF_PASSWORD:");
1092 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
1095 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
1104 * IDL typedef struct {
1105 * IDL LOGON_IDENTITY_INFO identity_info;
1106 * IDL LM_OWF_PASSWORD lmpassword;
1107 * IDL NT_OWF_PASSWORD ntpassword;
1108 * IDL } INTERACTIVE_INFO;
1111 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
1112 packet_info *pinfo, proto_tree *tree,
1113 dcerpc_info *di, guint8 *drep)
1115 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1116 pinfo, tree, di, drep);
1118 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1119 pinfo, tree, di, drep);
1121 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1122 pinfo, tree, di, drep);
1128 * IDL typedef struct {
1133 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
1134 packet_info *pinfo _U_, proto_tree *tree,
1135 dcerpc_info *di, guint8 *drep _U_)
1137 if(di->conformant_run){
1138 /*just a run to handle conformant arrays, nothing to dissect.*/
1142 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
1151 * IDL typedef struct {
1152 * IDL LOGON_IDENTITY_INFO logon_info;
1153 * IDL CHALLENGE chal;
1154 * IDL STRING ntchallengeresponse;
1155 * IDL STRING lmchallengeresponse;
1156 * IDL } NETWORK_INFO;
1158 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
1159 proto_item *item _U_, tvbuff_t *tvb,
1160 int start_offset, int end_offset,
1161 void *callback_args )
1164 gint options = GPOINTER_TO_INT(callback_args);
1165 gint levels = CB_STR_ITEM_LEVELS(options);
1169 /* Skip over 3 guint32's in NDR format */
1171 if (start_offset % 4)
1172 start_offset += 4 - (start_offset % 4);
1175 len = end_offset - start_offset;
1177 s = tvb_bytes_to_ep_str(tvb, start_offset, len);
1179 /* Append string to upper-level proto_items */
1181 if (levels > 0 && item && s && s[0]) {
1182 proto_item_append_text(item, ": %s", s);
1183 item = item->parent;
1186 proto_item_append_text(item, ": %s", s);
1187 item = item->parent;
1189 while (levels > 0) {
1190 proto_item_append_text(item, " %s", s);
1191 item = item->parent;
1196 /* Call ntlmv2 response dissector */
1199 dissect_ntlmv2_response(tvb, tree, start_offset, len);
1204 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
1205 packet_info *pinfo, proto_tree *tree,
1206 dcerpc_info *di, guint8 *drep)
1209 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1210 pinfo, tree, di, drep);
1211 offset = netlogon_dissect_CHALLENGE(tvb, offset,
1212 pinfo, tree, di, drep);
1214 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
1215 NDR_POINTER_UNIQUE, "NT ",
1216 hf_netlogon_nt_owf_password, 0);
1217 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1218 hf_netlogon_data_length, NULL);
1220 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep, hf_netlogon_lm_chal_resp, 0,TRUE);
1221 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep, hf_netlogon_lm_chal_resp, 0,TRUE);
1222 /* Not really sure that it really works with NTLM v2 ....*/
1224 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1225 pinfo, tree, di, drep);
1227 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1228 pinfo, tree, di, drep);
1232 offset = dissect_ndr_counted_byte_array_cb(
1233 tvb, offset, pinfo, tree, di, drep, hf_netlogon_nt_chal_resp,
1234 dissect_nt_chal_resp_cb,GINT_TO_POINTER(2));
1236 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, di, drep,
1237 hf_netlogon_lm_chal_resp, 0);
1245 * IDL typedef struct {
1246 * IDL LOGON_IDENTITY_INFO logon_info;
1247 * IDL LM_OWF_PASSWORD lmpassword;
1248 * IDL NT_OWF_PASSWORD ntpassword;
1249 * IDL } SERVICE_INFO;
1252 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
1253 packet_info *pinfo, proto_tree *tree,
1254 dcerpc_info *di, guint8 *drep)
1256 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1257 pinfo, tree, di, drep);
1259 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1260 pinfo, tree, di, drep);
1262 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1263 pinfo, tree, di, drep);
1269 netlogon_dissect_GENERIC_INFO(tvbuff_t *tvb, int offset,
1270 packet_info *pinfo, proto_tree *tree,
1271 dcerpc_info *di, guint8 *drep)
1273 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1274 pinfo, tree, di, drep);
1276 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1277 hf_netlogon_package_name, 0|CB_STR_SAVE);
1279 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1280 hf_netlogon_data_length, NULL);
1282 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1283 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
1288 * IDL typedef [switch_type(short)] union {
1289 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
1290 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
1291 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
1295 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
1296 packet_info *pinfo, proto_tree *tree,
1297 dcerpc_info *di, guint8 *drep)
1301 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1302 hf_netlogon_level16, &level);
1306 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1307 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
1308 "INTERACTIVE_INFO:", -1);
1311 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1312 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
1313 "NETWORK_INFO:", -1);
1316 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1317 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
1318 "SERVICE_INFO:", -1);
1321 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1322 netlogon_dissect_GENERIC_INFO, NDR_POINTER_UNIQUE,
1323 "GENERIC_INFO:", -1);
1326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1327 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
1328 "INTERACTIVE_TRANSITIVE_INFO:", -1);
1331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1332 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
1333 "NETWORK_TRANSITIVE_INFO", -1);
1336 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1337 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
1338 "SERVICE_TRANSITIVE_INFO", -1);
1345 * IDL typedef struct {
1350 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
1351 packet_info *pinfo _U_, proto_tree *tree,
1352 dcerpc_info *di, guint8 *drep _U_)
1354 if(di->conformant_run){
1355 /*just a run to handle conformant arrays, nothing to dissect.*/
1359 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
1368 * IDL typedef struct {
1369 * IDL CREDENTIAL cred;
1370 * IDL long timestamp;
1371 * IDL } AUTHENTICATOR;
1374 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
1375 packet_info *pinfo, proto_tree *tree,
1376 dcerpc_info *di, guint8 *drep)
1380 if(di->conformant_run){
1381 /*just a run to handle conformant arrays, nothing to dissect */
1385 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
1386 pinfo, tree, di, drep);
1389 * XXX - this appears to be a UNIX time_t in some credentials, but
1390 * appears to be random junk in other credentials.
1391 * For example, it looks like a UNIX time_t in "credential"
1392 * AUTHENTICATORs, but like random junk in "return_authenticator"
1396 ts.secs = tvb_get_letohl(tvb, offset);
1398 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
1405 static const true_false_string group_attrs_mandatory = {
1406 "The MANDATORY bit is SET",
1407 "The mandatory bit is NOT set",
1409 static const true_false_string group_attrs_enabled_by_default = {
1410 "The ENABLED_BY_DEFAULT bit is SET",
1411 "The enabled_by_default bit is NOT set",
1413 static const true_false_string group_attrs_enabled = {
1414 "The enabled bit is SET",
1415 "The enabled bit is NOT set",
1418 netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
1419 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
1422 proto_item *item = NULL;
1423 proto_tree *tree = NULL;
1425 if(di->conformant_run){
1426 /*just a run to handle conformant arrays, nothing to dissect */
1430 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
1431 hf_netlogon_attrs, &mask);
1434 item = proto_tree_add_uint(parent_tree, hf_netlogon_attrs,
1435 tvb, offset-4, 4, mask);
1436 tree = proto_item_add_subtree(item, ett_group_attrs);
1439 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled,
1440 tvb, offset-4, 4, mask);
1441 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled_by_default,
1442 tvb, offset-4, 4, mask);
1443 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_mandatory,
1444 tvb, offset-4, 4, mask);
1450 * IDL typedef struct {
1452 * IDL long attributes;
1453 * IDL } GROUP_MEMBERSHIP;
1456 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1457 packet_info *pinfo, proto_tree *parent_tree,
1458 dcerpc_info *di, guint8 *drep)
1460 proto_item *item=NULL;
1461 proto_tree *tree=NULL;
1464 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1465 "GROUP_MEMBERSHIP:");
1466 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
1469 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1470 hf_netlogon_group_rid, NULL);
1472 offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
1473 pinfo, tree, di, drep);
1479 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1480 packet_info *pinfo, proto_tree *tree,
1481 dcerpc_info *di, guint8 *drep)
1483 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
1484 netlogon_dissect_GROUP_MEMBERSHIP);
1490 * IDL typedef struct {
1491 * IDL char user_session_key[16];
1492 * IDL } USER_SESSION_KEY;
1495 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1496 packet_info *pinfo _U_, proto_tree *tree,
1497 dcerpc_info *di, guint8 *drep _U_)
1499 if(di->conformant_run){
1500 /*just a run to handle conformant arrays, nothing to dissect.*/
1504 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
1513 static const true_false_string user_flags_extra_sids= {
1514 "The EXTRA_SIDS bit is SET",
1515 "The extra_sids is NOT set",
1517 static const true_false_string user_flags_resource_groups= {
1518 "The RESOURCE_GROUPS bit is SET",
1519 "The resource_groups is NOT set",
1522 netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1523 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
1526 proto_item *item = NULL;
1527 proto_tree *tree = NULL;
1529 if(di->conformant_run){
1530 /*just a run to handle conformant arrays, nothing to dissect */
1534 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
1535 hf_netlogon_user_flags, &mask);
1538 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_flags,
1539 tvb, offset-4, 4, mask);
1540 tree = proto_item_add_subtree(item, ett_user_flags);
1543 proto_tree_add_boolean(tree, hf_netlogon_user_flags_resource_groups,
1544 tvb, offset-4, 4, mask);
1545 proto_tree_add_boolean(tree, hf_netlogon_user_flags_extra_sids,
1546 tvb, offset-4, 4, mask);
1552 * IDL typedef struct {
1553 * IDL uint64 LogonTime;
1554 * IDL uint64 LogoffTime;
1555 * IDL uint64 KickOffTime;
1556 * IDL uint64 PasswdLastSet;
1557 * IDL uint64 PasswdCanChange;
1558 * IDL uint64 PasswdMustChange;
1559 * IDL unicodestring effectivename;
1560 * IDL unicodestring fullname;
1561 * IDL unicodestring logonscript;
1562 * IDL unicodestring profilepath;
1563 * IDL unicodestring homedirectory;
1564 * IDL unicodestring homedirectorydrive;
1565 * IDL short LogonCount;
1566 * IDL short BadPasswdCount;
1568 * IDL long primarygroup;
1569 * IDL long groupcount;
1570 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1571 * IDL long userflags;
1572 * IDL USER_SESSION_KEY key;
1573 * IDL unicodestring logonserver;
1574 * IDL unicodestring domainname;
1575 * IDL [unique] SID logondomainid;
1576 * IDL long expansionroom[2];
1577 * IDL long useraccountcontrol;
1578 * IDL long expansionroom[7];
1579 * IDL } VALIDATION_SAM_INFO;
1582 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1583 packet_info *pinfo, proto_tree *tree,
1584 dcerpc_info *di, guint8 *drep)
1587 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1588 hf_netlogon_logon_time);
1590 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1591 hf_netlogon_logoff_time);
1593 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1594 hf_netlogon_kickoff_time);
1596 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1597 hf_netlogon_pwd_last_set_time);
1599 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1600 hf_netlogon_pwd_can_change_time);
1602 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1603 hf_netlogon_pwd_must_change_time);
1605 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1606 hf_netlogon_acct_name, 0);
1608 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1609 hf_netlogon_full_name, 0);
1611 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1612 hf_netlogon_logon_script, 0);
1614 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1615 hf_netlogon_profile_path, 0);
1617 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1618 hf_netlogon_home_dir, 0);
1620 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1621 hf_netlogon_dir_drive, 0);
1623 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1624 hf_netlogon_logon_count16, NULL);
1626 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1627 hf_netlogon_bad_pw_count16, NULL);
1629 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1630 hf_netlogon_user_rid, NULL);
1632 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1633 hf_netlogon_group_rid, NULL);
1635 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1636 hf_netlogon_num_rids, NULL);
1638 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1639 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1640 "GROUP_MEMBERSHIP_ARRAY", -1);
1642 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1643 pinfo, tree, di, drep);
1645 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1646 pinfo, tree, di, drep);
1648 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1649 hf_netlogon_logon_srv, 0);
1651 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1652 hf_netlogon_logon_dom, 0);
1654 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1656 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1657 hf_netlogon_dummy1_long, NULL);
1659 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1660 hf_netlogon_dummy2_long, NULL);
1662 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1663 pinfo, tree, di, drep);
1665 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1666 hf_netlogon_dummy4_long, NULL);
1668 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1669 hf_netlogon_dummy5_long, NULL);
1671 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1672 hf_netlogon_dummy6_long, NULL);
1674 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1675 hf_netlogon_dummy7_long, NULL);
1677 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1678 hf_netlogon_dummy8_long, NULL);
1680 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1681 hf_netlogon_dummy9_long, NULL);
1683 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1684 hf_netlogon_dummy10_long, NULL);
1692 * IDL typedef struct {
1693 * IDL uint64 LogonTime;
1694 * IDL uint64 LogoffTime;
1695 * IDL uint64 KickOffTime;
1696 * IDL uint64 PasswdLastSet;
1697 * IDL uint64 PasswdCanChange;
1698 * IDL uint64 PasswdMustChange;
1699 * IDL unicodestring effectivename;
1700 * IDL unicodestring fullname;
1701 * IDL unicodestring logonscript;
1702 * IDL unicodestring profilepath;
1703 * IDL unicodestring homedirectory;
1704 * IDL unicodestring homedirectorydrive;
1705 * IDL short LogonCount;
1706 * IDL short BadPasswdCount;
1708 * IDL long primarygroup;
1709 * IDL long groupcount;
1710 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1711 * IDL long userflags;
1712 * IDL USER_SESSION_KEY key;
1713 * IDL unicodestring logonserver;
1714 * IDL unicodestring domainname;
1715 * IDL [unique] SID logondomainid;
1716 * IDL long expansionroom[2];
1717 * IDL long useraccountcontrol;
1718 * IDL long expansionroom[7];
1719 * IDL long sidcount;
1720 * IDL [unique] SID_AND_ATTRIBS;
1721 * IDL } VALIDATION_SAM_INFO2;
1724 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1725 packet_info *pinfo, proto_tree *tree,
1726 dcerpc_info *di, guint8 *drep)
1728 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di,drep);
1732 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1733 hf_netlogon_logon_time);
1735 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1736 hf_netlogon_logoff_time);
1738 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1739 hf_netlogon_kickoff_time);
1741 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1742 hf_netlogon_pwd_last_set_time);
1744 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1745 hf_netlogon_pwd_can_change_time);
1747 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1748 hf_netlogon_pwd_must_change_time);
1750 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1751 hf_netlogon_acct_name, 0);
1753 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1754 hf_netlogon_full_name, 0);
1756 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1757 hf_netlogon_logon_script, 0);
1759 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1760 hf_netlogon_profile_path, 0);
1762 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1763 hf_netlogon_home_dir, 0);
1765 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1766 hf_netlogon_dir_drive, 0);
1768 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1769 hf_netlogon_logon_count16, NULL);
1771 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1772 hf_netlogon_bad_pw_count16, NULL);
1774 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1775 hf_netlogon_user_rid, NULL);
1777 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1778 hf_netlogon_group_rid, NULL);
1780 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1781 hf_netlogon_num_rids, NULL);
1783 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1784 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1785 "GROUP_MEMBERSHIP_ARRAY", -1);
1787 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1788 pinfo, tree, di, drep);
1790 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1791 pinfo, tree, di, drep);
1793 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1794 hf_netlogon_logon_srv, 0);
1796 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1797 hf_netlogon_logon_dom, 0);
1799 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1802 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1803 hf_netlogon_unknown_long, NULL);
1805 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1806 pinfo, tree, di, drep);
1809 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1810 hf_netlogon_unknown_long, NULL);
1813 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1814 hf_netlogon_num_sid, NULL);
1816 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1817 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1818 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1825 netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
1826 packet_info *pinfo, proto_tree *tree,
1827 dcerpc_info *di, guint8 *drep)
1829 offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb,offset,pinfo,tree,di,drep);
1831 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1832 hf_netlogon_logon_dnslogondomainname, 0);
1834 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1835 hf_netlogon_logon_upn, 0);
1837 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1838 hf_netlogon_dummy_string, 0);
1840 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1841 hf_netlogon_dummy_string2, 0);
1843 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1844 hf_netlogon_dummy_string3, 0);
1846 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1847 hf_netlogon_dummy_string4, 0);
1849 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1850 hf_netlogon_dummy_string5, 0);
1852 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1853 hf_netlogon_dummy_string6, 0);
1855 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1856 hf_netlogon_dummy_string7, 0);
1858 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1859 hf_netlogon_dummy_string8, 0);
1861 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1862 hf_netlogon_dummy_string9, 0);
1864 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1865 hf_netlogon_dummy_string10, 0);
1869 * IDL typedef struct {
1870 * IDL uint64 LogonTime;
1871 * IDL uint64 LogoffTime;
1872 * IDL uint64 KickOffTime;
1873 * IDL uint64 PasswdLastSet;
1874 * IDL uint64 PasswdCanChange;
1875 * IDL uint64 PasswdMustChange;
1876 * IDL unicodestring effectivename;
1877 * IDL unicodestring fullname;
1878 * IDL unicodestring logonscript;
1879 * IDL unicodestring profilepath;
1880 * IDL unicodestring homedirectory;
1881 * IDL unicodestring homedirectorydrive;
1882 * IDL short LogonCount;
1883 * IDL short BadPasswdCount;
1885 * IDL long primarygroup;
1886 * IDL long groupcount;
1887 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1888 * IDL long userflags;
1889 * IDL USER_SESSION_KEY key;
1890 * IDL unicodestring logonserver;
1891 * IDL unicodestring domainname;
1892 * IDL [unique] SID logondomainid;
1893 * IDL long expansionroom[2];
1894 * IDL long useraccountcontrol;
1895 * IDL long expansionroom[7];
1896 * IDL long sidcount;
1897 * IDL [unique] SID_AND_ATTRIBS;
1898 * IDL [unique] SID resourcegroupdomainsid;
1899 * IDL long resourcegroupcount;
1901 * IDL } PAC_LOGON_INFO;
1904 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1905 packet_info *pinfo, proto_tree *tree,
1906 dcerpc_info *di, guint8 *drep)
1909 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di, drep);
1913 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1914 hf_netlogon_logon_time);
1916 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1917 hf_netlogon_logoff_time);
1919 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1920 hf_netlogon_kickoff_time);
1922 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1923 hf_netlogon_pwd_last_set_time);
1925 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1926 hf_netlogon_pwd_can_change_time);
1928 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1929 hf_netlogon_pwd_must_change_time);
1931 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1932 hf_netlogon_acct_name, 0);
1934 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1935 hf_netlogon_full_name, 0);
1937 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1938 hf_netlogon_logon_script, 0);
1940 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1941 hf_netlogon_profile_path, 0);
1943 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1944 hf_netlogon_home_dir, 0);
1946 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1947 hf_netlogon_dir_drive, 0);
1949 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1950 hf_netlogon_logon_count16, NULL);
1952 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1953 hf_netlogon_bad_pw_count16, NULL);
1955 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1956 hf_netlogon_user_rid, NULL);
1958 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1959 hf_netlogon_group_rid, NULL);
1961 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1962 hf_netlogon_num_rids, NULL);
1964 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1965 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1966 "GROUP_MEMBERSHIP_ARRAY", -1);
1968 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1969 pinfo, tree, di, drep);
1971 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1972 pinfo, tree, di, drep);
1974 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1975 hf_netlogon_logon_srv, 0);
1977 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1978 hf_netlogon_logon_dom, 0);
1980 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1983 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1984 hf_netlogon_unknown_long, NULL);
1986 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1987 pinfo, tree, di, drep);
1990 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1991 hf_netlogon_unknown_long, NULL);
1995 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1996 hf_netlogon_num_sid, NULL);
1998 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1999 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
2000 "SID_AND_ATTRIBUTES_ARRAY:", -1);
2003 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
2005 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2006 hf_netlogon_resourcegroupcount, &rgc);
2008 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2009 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
2010 "ResourceGroupIDs", -1);
2016 netlogon_dissect_S4U_Transited_Service_name(tvbuff_t *tvb, int offset,
2017 packet_info *pinfo, proto_tree *tree,
2018 dcerpc_info *di, guint8 *drep)
2020 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2021 hf_netlogon_transited_service, 1);
2027 netlogon_dissect_S4U_Transited_Services_array(tvbuff_t *tvb, int offset,
2028 packet_info *pinfo, proto_tree *tree,
2029 dcerpc_info *di, guint8 *drep)
2031 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
2032 netlogon_dissect_S4U_Transited_Service_name);
2038 netlogon_dissect_PAC_S4U_DELEGATION_INFO(tvbuff_t *tvb, int offset,
2039 packet_info *pinfo, proto_tree *tree,
2040 dcerpc_info *di, guint8 *drep)
2042 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2043 hf_netlogon_s4u2proxytarget, 0);
2045 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2046 hf_netlogon_transitedlistsize, NULL);
2048 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2049 netlogon_dissect_S4U_Transited_Services_array, NDR_POINTER_UNIQUE,
2050 "S4UTransitedServices", -1);
2057 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
2058 packet_info *pinfo, proto_tree *tree,
2059 dcerpc_info *di, guint8 *drep _U_)
2063 if(di->conformant_run){
2067 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2068 hf_netlogon_pac_size, &pac_size);
2070 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
2078 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
2079 packet_info *pinfo, proto_tree *tree,
2080 dcerpc_info *di, guint8 *drep _U_)
2084 if(di->conformant_run){
2088 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2089 hf_netlogon_auth_size, &auth_size);
2091 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
2093 offset += auth_size;
2100 netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
2101 packet_info *pinfo, proto_tree *tree,
2102 dcerpc_info *di, guint8 *drep)
2104 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2105 hf_netlogon_data_length, NULL);
2107 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2108 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
2109 "Validation Data", -1);
2114 * IDL typedef struct {
2116 * IDL [unique][size_is(pac_size)] char *pac;
2117 * IDL UNICODESTRING logondomain;
2118 * IDL UNICODESTRING logonserver;
2119 * IDL UNICODESTRING principalname;
2120 * IDL long auth_size;
2121 * IDL [unique][size_is(auth_size)] char *auth;
2122 * IDL USER_SESSION_KEY user_session_key;
2123 * IDL long expansionroom[2];
2124 * IDL long useraccountcontrol;
2125 * IDL long expansionroom[7];
2126 * IDL UNICODESTRING dummy1;
2127 * IDL UNICODESTRING dummy2;
2128 * IDL UNICODESTRING dummy3;
2129 * IDL UNICODESTRING dummy4;
2130 * IDL } VALIDATION_PAC_INFO;
2132 #if 0 /* Not used (anymore ?) */
2134 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
2135 packet_info *pinfo, proto_tree *tree,
2136 dcerpc_info *di, guint8 *drep)
2140 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2141 hf_netlogon_pac_size, NULL);
2143 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2144 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
2146 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2147 hf_netlogon_logon_dom, 0);
2149 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2150 hf_netlogon_logon_srv, 0);
2152 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2153 hf_netlogon_principal, 0);
2155 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2156 hf_netlogon_auth_size, NULL);
2158 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2159 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
2161 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
2162 pinfo, tree, di, drep);
2165 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2166 hf_netlogon_unknown_long, NULL);
2168 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
2169 pinfo, tree, di, drep);
2172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2173 hf_netlogon_unknown_long, NULL);
2176 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2177 hf_netlogon_dummy, 0);
2179 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2180 hf_netlogon_dummy, 0);
2182 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2183 hf_netlogon_dummy, 0);
2185 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2186 hf_netlogon_dummy, 0);
2193 * IDL typedef [switch_type(short)] union {
2194 * IDL [case(1)][unique] VALIDATION_UAS *uas;
2195 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
2196 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
2197 * IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
2198 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2199 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2200 * IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
2204 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
2205 packet_info *pinfo, proto_tree *tree,
2206 dcerpc_info *di, guint8 *drep)
2210 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2211 hf_netlogon_validation_level, &level);
2216 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2217 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
2218 "VALIDATION_UAS_INFO:", -1);
2221 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2222 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
2223 "VALIDATION_SAM_INFO:", -1);
2226 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2227 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
2228 "VALIDATION_SAM_INFO2:", -1);
2231 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2232 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
2233 "VALIDATION_INFO:", -1);
2236 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2237 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
2238 "VALIDATION_INFO2:", -1);
2241 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2242 netlogon_dissect_VALIDATION_SAM_INFO4, NDR_POINTER_UNIQUE,
2243 "VALIDATION_SAM_INFO4:", -1);
2249 * IDL long NetrLogonSamLogonWithFlags(
2250 * IDL [in][unique][string] wchar_t *ServerName,
2251 * IDL [in][unique][string] wchar_t *Workstation,
2252 * IDL [in][unique] AUTHENTICATOR *credential,
2253 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2254 * IDL [in] short LogonLevel,
2255 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2256 * IDL [in] short ValidationLevel,
2257 * IDL [out][ref] VALIDATION *validation,
2258 * IDL [out][ref] boolean Authorative
2259 * IDL [in][out] unsigned long ExtraFlags
2263 netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
2264 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2266 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2267 pinfo, tree, di, drep);
2269 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2270 NDR_POINTER_UNIQUE, "Computer Name",
2271 hf_netlogon_computer_name, 0);
2273 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2274 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2275 "AUTHENTICATOR: credential", -1);
2277 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2278 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2279 "AUTHENTICATOR: return_authenticator", -1);
2281 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2282 hf_netlogon_level16, NULL);
2284 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2285 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2286 "LEVEL: LogonLevel", -1);
2288 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2289 hf_netlogon_validation_level, NULL);
2291 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
2297 netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t *tvb, int offset,
2298 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2300 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2301 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2302 "AUTHENTICATOR: return_authenticator", -1);
2304 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2305 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
2308 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2309 hf_netlogon_authoritative, NULL);
2311 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
2313 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2314 hf_netlogon_rc, NULL);
2322 * IDL long NetrLogonSamLogon(
2323 * IDL [in][unique][string] wchar_t *ServerName,
2324 * IDL [in][unique][string] wchar_t *Workstation,
2325 * IDL [in][unique] AUTHENTICATOR *credential,
2326 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2327 * IDL [in] short LogonLevel,
2328 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2329 * IDL [in] short ValidationLevel,
2330 * IDL [out][ref] VALIDATION *validation,
2331 * IDL [out][ref] boolean Authorative
2335 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
2336 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2338 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2339 pinfo, tree, di, drep);
2341 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2342 NDR_POINTER_UNIQUE, "Computer Name",
2343 hf_netlogon_computer_name, 0);
2345 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2346 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2347 "AUTHENTICATOR: credential", -1);
2349 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2350 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2351 "AUTHENTICATOR: return_authenticator", -1);
2353 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2354 hf_netlogon_level16, NULL);
2356 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2357 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2358 "LEVEL: LogonLevel", -1);
2360 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2361 hf_netlogon_validation_level, NULL);
2367 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
2368 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2370 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2371 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2372 "AUTHENTICATOR: return_authenticator", -1);
2374 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2375 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
2378 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2379 hf_netlogon_authoritative, NULL);
2381 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2382 hf_netlogon_rc, NULL);
2389 * IDL long NetrLogonSamLogoff(
2390 * IDL [in][unique][string] wchar_t *ServerName,
2391 * IDL [in][unique][string] wchar_t *ComputerName,
2392 * IDL [in][unique] AUTHENTICATOR credential,
2393 * IDL [in][unique] AUTHENTICATOR return_authenticator,
2394 * IDL [in] short logon_level,
2395 * IDL [in][ref] LEVEL logoninformation
2399 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
2400 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2402 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2403 pinfo, tree, di, drep);
2405 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2406 NDR_POINTER_UNIQUE, "Computer Name",
2407 hf_netlogon_computer_name, 0);
2409 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2410 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2411 "AUTHENTICATOR: credential", -1);
2413 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2414 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2415 "AUTHENTICATOR: return_authenticator", -1);
2417 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2418 hf_netlogon_level16, NULL);
2420 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2421 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2422 "LEVEL: logoninformation", -1);
2427 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
2428 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2431 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2432 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2433 "AUTHENTICATOR: return_authenticator", -1);
2435 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2436 hf_netlogon_rc, NULL);
2441 static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key,char* name)
2444 key->dstport = pinfo->srcport;
2445 key->srcport = pinfo->destport;
2446 COPY_ADDRESS(&key->dst,&pinfo->src);
2447 COPY_ADDRESS(&key->src,&pinfo->dst);
2448 /* name has been durably allocated */
2452 COPY_ADDRESS(&key->dst,&pinfo->dst);
2453 COPY_ADDRESS(&key->src,&pinfo->src);
2454 key->dstport = pinfo->destport;
2455 key->srcport = pinfo->srcport;
2456 /* name has been durably allocated */
2463 * IDL long NetrServerReqChallenge(
2464 * IDL [in][unique][string] wchar_t *ServerName,
2465 * IDL [in][ref][string] wchar_t *ComputerName,
2466 * IDL [in][ref] CREDENTIAL client_credential,
2467 * IDL [out][ref] CREDENTIAL server_credential
2471 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
2472 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2474 /*int oldoffset = offset;*/
2475 netlogon_auth_vars *vars;
2476 netlogon_auth_vars *existing_vars;
2477 netlogon_auth_key *key = (netlogon_auth_key *)wmem_alloc(wmem_file_scope(), sizeof(netlogon_auth_key));
2478 guint8 tab[8] = { 0,0,0,0,0,0,0,0};
2479 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
2481 /* As we are not always keeping this it could be more intelligent to g_malloc it
2482 and if we decide to keep it then transform it into wmem_alloc */
2483 vars = (netlogon_auth_vars *)wmem_alloc(wmem_file_scope(), sizeof(netlogon_auth_vars));
2484 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
2485 offset = dissect_ndr_pointer_cb(
2486 tvb, offset, pinfo, tree, di, drep,
2487 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
2488 "Computer Name", hf_netlogon_computer_name,
2489 cb_wstr_postprocess,
2490 GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));
2492 debugprintf("1)Len %d offset %d txt %s\n",(int) strlen(dcv->private_data),offset,(char*)dcv->private_data);
2493 vars->client_name = wmem_strdup(wmem_file_scope(), (const guint8 *)dcv->private_data);
2494 debugprintf("2)Len %d offset %d txt %s\n",(int) strlen(dcv->private_data),offset,vars->client_name);
2496 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2497 hf_client_challenge,&vars->client_challenge);
2498 memcpy(tab,&vars->client_challenge,8);
2500 vars->start = pinfo->fd->num;
2501 vars->next_start = -1;
2504 generate_hash_key(pinfo,0,key,NULL);
2505 existing_vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths, key);
2506 if (!existing_vars) {
2507 debugprintf("Adding initial vars with this start packet = %d\n",vars->start);
2508 g_hash_table_insert(netlogon_auths, key, vars);
2511 while(existing_vars->next != NULL && existing_vars->start < vars->start) {
2512 debugprintf("Looping to find existing vars ...\n");
2513 existing_vars = existing_vars->next;
2515 if(existing_vars->next != NULL || existing_vars->start == vars->start) {
2516 debugprintf("It seems that I already record this vars start packet = %d\n",vars->start);
2519 debugprintf("Adding a new entry with this start packet = %d\n",vars->start);
2520 existing_vars->next_start = pinfo->fd->num;
2521 existing_vars->next = vars;
2524 /* used by other rpc that use schannel ie lsa */
2526 generate_hash_key(pinfo,0,key,vars->client_name);
2527 existing_vars = NULL;
2528 existing_vars = g_hash_table_lookup(schannel_auths, key);
2531 g_hash_table_insert(schannel_auths, key, vars);
2535 while(existing_vars->next != NULL && existing_vars->start <= vars->start) {
2536 existing_vars = existing_vars->next;
2538 if(existing_vars->next != NULL || existing_vars == vars) {
2539 debugprintf("It seems that I already record this vars (schannel hash)%d\n",vars->start);
2542 existing_vars->next_start = pinfo->fd->num;
2543 existing_vars->next = vars;
2550 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
2551 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2553 netlogon_auth_vars *vars;
2554 netlogon_auth_key key;
2555 guint64 server_challenge;
2557 generate_hash_key(pinfo,1,&key,NULL);
2558 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths,(gconstpointer*) &key);
2560 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2561 hf_server_challenge, &server_challenge);
2562 /*offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2563 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2564 "CREDENTIAL: server credential", -1);*/
2566 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2567 hf_netlogon_rc, NULL);
2569 while(vars !=NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->fd->num )
2572 debugprintf("looping challenge reply... %d %d \n", vars->next_start, pinfo->fd->num);
2576 debugprintf("Something strange happened while searching for challenge_reply\n");
2580 vars->server_challenge = server_challenge;
2586 debugprintf("Vars not found in challenge reply\n");
2594 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
2595 packet_info *pinfo, proto_tree *tree,
2596 dcerpc_info *di, guint8 *drep)
2598 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2599 hf_netlogon_secure_channel_type, NULL);
2606 * IDL long NetrServerAuthenticate(
2607 * IDL [in][unique][string] wchar_t *ServerName,
2608 * IDL [in][ref][string] wchar_t *UserName,
2609 * IDL [in] short secure_challenge_type,
2610 * IDL [in][ref][string] wchar_t *ComputerName,
2611 * IDL [in][ref] CREDENTIAL client_challenge,
2612 * IDL [out][ref] CREDENTIAL server_challenge
2616 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
2617 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2619 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2620 pinfo, tree, di, drep);
2622 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2623 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO);
2625 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2626 pinfo, tree, di, drep);
2628 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2629 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO);
2631 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2632 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2633 "CREDENTIAL: client challenge", -1);
2638 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
2639 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2641 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2642 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2643 "CREDENTIAL: server challenge", -1);
2645 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2646 hf_netlogon_rc, NULL);
2654 * IDL typedef struct {
2655 * IDL char encrypted_password[16];
2656 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
2659 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
2660 packet_info *pinfo _U_, proto_tree *tree,
2661 dcerpc_info *di, guint8 *drep _U_)
2663 if(di->conformant_run){
2664 /*just a run to handle conformant arrays, nothing to dissect.*/
2668 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
2676 * IDL long NetrServerPasswordSet(
2677 * IDL [in][unique][string] wchar_t *ServerName,
2678 * IDL [in][ref][string] wchar_t *UserName,
2679 * IDL [in] short secure_challenge_type,
2680 * IDL [in][ref][string] wchar_t *ComputerName,
2681 * IDL [in][ref] AUTHENTICATOR credential,
2682 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
2683 * IDL [out][ref] AUTHENTICATOR return_authenticator
2687 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
2688 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2690 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2691 pinfo, tree, di, drep);
2693 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2694 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
2696 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2697 pinfo, tree, di, drep);
2699 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2700 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
2702 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2703 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2704 "AUTHENTICATOR: credential", -1);
2706 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2707 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
2708 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
2713 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
2714 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
2716 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2717 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2718 "AUTHENTICATOR: return_authenticator", -1);
2720 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2721 hf_netlogon_rc, NULL);
2728 * IDL typedef struct {
2729 * IDL [unique][string] wchar_t *UserName;
2730 * IDL UNICODESTRING dummy1;
2731 * IDL UNICODESTRING dummy2;
2732 * IDL UNICODESTRING dummy3;
2733 * IDL UNICODESTRING dummy4;
2738 * IDL } DELTA_DELETE_USER;
2741 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
2742 packet_info *pinfo, proto_tree *tree,
2743 dcerpc_info *di, guint8 *drep)
2745 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2746 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
2748 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2749 hf_netlogon_dummy, 0);
2751 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2752 hf_netlogon_dummy, 0);
2754 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2755 hf_netlogon_dummy, 0);
2757 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2758 hf_netlogon_dummy, 0);
2760 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2761 hf_netlogon_reserved, NULL);
2763 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2764 hf_netlogon_reserved, NULL);
2766 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2767 hf_netlogon_reserved, NULL);
2769 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2770 hf_netlogon_reserved, NULL);
2777 * IDL typedef struct {
2778 * IDL bool SensitiveDataFlag;
2779 * IDL long DataLength;
2780 * IDL [unique][size_is(DataLength)] char *SensitiveData;
2781 * IDL } USER_PRIVATE_INFO;
2784 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
2785 packet_info *pinfo, proto_tree *tree,
2786 dcerpc_info *di, guint8 *drep)
2790 if(di->conformant_run){
2791 /*just a run to handle conformant arrays, nothing to dissect */
2795 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2796 hf_netlogon_sensitive_data_len, &data_len);
2798 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
2805 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
2806 packet_info *pinfo, proto_tree *tree,
2807 dcerpc_info *di, guint8 *drep)
2809 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2810 hf_netlogon_sensitive_data_flag, NULL);
2812 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2813 hf_netlogon_sensitive_data_len, NULL);
2815 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2816 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
2817 "SENSITIVE_DATA", -1);
2823 * IDL typedef struct {
2824 * IDL UNICODESTRING UserName;
2825 * IDL UNICODESTRING FullName;
2827 * IDL long PrimaryGroupID;
2828 * IDL UNICODESTRING HomeDir;
2829 * IDL UNICODESTRING HomeDirDrive;
2830 * IDL UNICODESTRING LogonScript;
2831 * IDL UNICODESTRING Comment;
2832 * IDL UNICODESTRING Workstations;
2833 * IDL NTTIME LastLogon;
2834 * IDL NTTIME LastLogoff;
2835 * IDL LOGON_HOURS logonhours;
2836 * IDL short BadPwCount;
2837 * IDL short LogonCount;
2838 * IDL NTTIME PwLastSet;
2839 * IDL NTTIME AccountExpires;
2840 * IDL long AccountControl;
2841 * IDL LM_OWF_PASSWORD lmpw;
2842 * IDL NT_OWF_PASSWORD ntpw;
2843 * IDL bool NTPwPresent;
2844 * IDL bool LMPwPresent;
2845 * IDL bool PwExpired;
2846 * IDL UNICODESTRING UserComment;
2847 * IDL UNICODESTRING Parameters;
2848 * IDL short CountryCode;
2849 * IDL short CodePage;
2850 * IDL USER_PRIVATE_INFO user_private_info;
2851 * IDL long SecurityInformation;
2852 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2853 * IDL UNICODESTRING dummy1;
2854 * IDL UNICODESTRING dummy2;
2855 * IDL UNICODESTRING dummy3;
2856 * IDL UNICODESTRING dummy4;
2864 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
2865 packet_info *pinfo, proto_tree *tree,
2866 dcerpc_info *di, guint8 *drep)
2868 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2869 hf_netlogon_acct_name, 3);
2871 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2872 hf_netlogon_full_name, 0);
2874 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2875 hf_netlogon_user_rid, NULL);
2877 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2878 hf_netlogon_group_rid, NULL);
2880 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2881 hf_netlogon_home_dir, 0);
2883 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2884 hf_netlogon_dir_drive, 0);
2886 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2887 hf_netlogon_logon_script, 0);
2889 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2890 hf_netlogon_acct_desc, 0);
2892 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2893 hf_netlogon_workstations, 0);
2895 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2896 hf_netlogon_logon_time);
2898 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2899 hf_netlogon_logoff_time);
2901 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, di, drep);
2903 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2904 hf_netlogon_bad_pw_count16, NULL);
2906 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2907 hf_netlogon_logon_count16, NULL);
2909 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2910 hf_netlogon_pwd_last_set_time);
2912 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2913 hf_netlogon_acct_expiry_time);
2915 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, di, drep);
2917 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
2918 pinfo, tree, di, drep);
2920 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
2921 pinfo, tree, di, drep);
2923 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2924 hf_netlogon_nt_pwd_present, NULL);
2926 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2927 hf_netlogon_lm_pwd_present, NULL);
2929 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2930 hf_netlogon_pwd_expired, NULL);
2932 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2933 hf_netlogon_comment, 0);
2935 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2936 hf_netlogon_parameters, 0);
2938 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2939 hf_netlogon_country, NULL);
2941 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2942 hf_netlogon_codepage, NULL);
2944 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
2947 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2948 hf_netlogon_security_information, NULL);
2950 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
2952 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2953 hf_netlogon_dummy, 0);
2955 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2956 hf_netlogon_dummy, 0);
2958 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2959 hf_netlogon_dummy, 0);
2961 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2962 hf_netlogon_dummy, 0);
2964 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2965 hf_netlogon_reserved, NULL);
2967 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2968 hf_netlogon_reserved, NULL);
2970 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2971 hf_netlogon_reserved, NULL);
2973 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2974 hf_netlogon_reserved, NULL);
2981 * IDL typedef struct {
2982 * IDL UNICODESTRING DomainName;
2983 * IDL UNICODESTRING OEMInfo;
2984 * IDL NTTIME forcedlogoff;
2985 * IDL short minpasswdlen;
2986 * IDL short passwdhistorylen;
2987 * IDL NTTIME pwd_must_change_time;
2988 * IDL NTTIME pwd_can_change_time;
2989 * IDL NTTIME domain_modify_time;
2990 * IDL NTTIME domain_create_time;
2991 * IDL long SecurityInformation;
2992 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2993 * IDL UNICODESTRING dummy1;
2994 * IDL UNICODESTRING dummy2;
2995 * IDL UNICODESTRING dummy3;
2996 * IDL UNICODESTRING dummy4;
3001 * IDL } DELTA_DOMAIN;
3004 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
3005 packet_info *pinfo, proto_tree *tree,
3006 dcerpc_info *di, guint8 *drep)
3008 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3009 hf_netlogon_domain_name, 3);
3011 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3012 hf_netlogon_oem_info, 0);
3014 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3015 hf_netlogon_kickoff_time);
3017 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3018 hf_netlogon_minpasswdlen, NULL);
3020 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3021 hf_netlogon_passwdhistorylen, NULL);
3023 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3024 hf_netlogon_pwd_must_change_time);
3026 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3027 hf_netlogon_pwd_can_change_time);
3029 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3030 hf_netlogon_domain_modify_time);
3032 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3033 hf_netlogon_domain_create_time);
3035 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3036 hf_netlogon_security_information, NULL);
3038 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3040 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3041 hf_netlogon_dummy, 0);
3043 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3044 hf_netlogon_dummy, 0);
3046 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3047 hf_netlogon_dummy, 0);
3049 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3050 hf_netlogon_dummy, 0);
3052 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3053 hf_netlogon_reserved, NULL);
3055 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3056 hf_netlogon_reserved, NULL);
3058 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3059 hf_netlogon_reserved, NULL);
3061 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3062 hf_netlogon_reserved, NULL);
3069 * IDL typedef struct {
3070 * IDL UNICODESTRING groupname;
3071 * IDL GROUP_MEMBERSHIP group_membership;
3072 * IDL UNICODESTRING comment;
3073 * IDL long SecurityInformation;
3074 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3075 * IDL UNICODESTRING dummy1;
3076 * IDL UNICODESTRING dummy2;
3077 * IDL UNICODESTRING dummy3;
3078 * IDL UNICODESTRING dummy4;
3083 * IDL } DELTA_GROUP;
3086 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
3087 packet_info *pinfo, proto_tree *tree,
3088 dcerpc_info *di, guint8 *drep)
3090 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3091 hf_netlogon_group_name, 3);
3093 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
3094 pinfo, tree, di, drep);
3096 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3097 hf_netlogon_group_desc, 0);
3099 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3100 hf_netlogon_security_information, NULL);
3102 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3104 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3105 hf_netlogon_dummy, 0);
3107 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3108 hf_netlogon_dummy, 0);
3110 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3111 hf_netlogon_dummy, 0);
3113 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3114 hf_netlogon_dummy, 0);
3116 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3117 hf_netlogon_reserved, NULL);
3119 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3120 hf_netlogon_reserved, NULL);
3122 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3123 hf_netlogon_reserved, NULL);
3125 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3126 hf_netlogon_reserved, NULL);
3133 * IDL typedef struct {
3134 * IDL UNICODESTRING OldName;
3135 * IDL UNICODESTRING NewName;
3136 * IDL UNICODESTRING dummy1;
3137 * IDL UNICODESTRING dummy2;
3138 * IDL UNICODESTRING dummy3;
3139 * IDL UNICODESTRING dummy4;
3144 * IDL } DELTA_RENAME;
3147 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
3148 packet_info *pinfo, proto_tree *tree,
3149 dcerpc_info *di, guint8 *drep)
3151 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3154 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3157 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3158 hf_netlogon_dummy, 0);
3160 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3161 hf_netlogon_dummy, 0);
3163 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3164 hf_netlogon_dummy, 0);
3166 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3167 hf_netlogon_dummy, 0);
3169 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3170 hf_netlogon_reserved, NULL);
3172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3173 hf_netlogon_reserved, NULL);
3175 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3176 hf_netlogon_reserved, NULL);
3178 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3179 hf_netlogon_reserved, NULL);
3186 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
3187 packet_info *pinfo, proto_tree *tree,
3188 dcerpc_info *di, guint8 *drep)
3190 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3191 hf_netlogon_user_rid, NULL);
3197 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
3198 packet_info *pinfo, proto_tree *tree,
3199 dcerpc_info *di, guint8 *drep)
3201 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3202 netlogon_dissect_RID);
3208 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
3209 packet_info *pinfo, proto_tree *tree,
3210 dcerpc_info *di, guint8 *drep)
3212 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3213 hf_netlogon_attrs, NULL);
3219 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
3220 packet_info *pinfo, proto_tree *tree,
3221 dcerpc_info *di, guint8 *drep)
3223 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3224 netlogon_dissect_ATTRIB);
3230 * IDL typedef struct {
3231 * IDL [unique][size_is(num_rids)] long *rids;
3232 * IDL [unique][size_is(num_rids)] long *attribs;
3233 * IDL long num_rids;
3238 * IDL } DELTA_GROUP_MEMBER;
3241 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
3242 packet_info *pinfo, proto_tree *tree,
3243 dcerpc_info *di, guint8 *drep)
3245 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3246 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
3249 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3250 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
3253 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3254 hf_netlogon_num_rids, NULL);
3256 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3257 hf_netlogon_reserved, NULL);
3259 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3260 hf_netlogon_reserved, NULL);
3262 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3263 hf_netlogon_reserved, NULL);
3265 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3266 hf_netlogon_reserved, NULL);
3273 * IDL typedef struct {
3274 * IDL UNICODESTRING alias_name;
3276 * IDL long SecurityInformation;
3277 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3278 * IDL UNICODESTRING dummy1;
3279 * IDL UNICODESTRING dummy2;
3280 * IDL UNICODESTRING dummy3;
3281 * IDL UNICODESTRING dummy4;
3286 * IDL } DELTA_ALIAS;
3289 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
3290 packet_info *pinfo, proto_tree *tree,
3291 dcerpc_info *di, guint8 *drep)
3293 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3294 hf_netlogon_alias_name, 0);
3296 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3297 hf_netlogon_alias_rid, NULL);
3299 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3300 hf_netlogon_security_information, NULL);
3302 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3304 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3305 hf_netlogon_dummy, 0);
3307 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3308 hf_netlogon_dummy, 0);
3310 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3311 hf_netlogon_dummy, 0);
3313 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3314 hf_netlogon_dummy, 0);
3316 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3317 hf_netlogon_reserved, NULL);
3319 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3320 hf_netlogon_reserved, NULL);
3322 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3323 hf_netlogon_reserved, NULL);
3325 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3326 hf_netlogon_reserved, NULL);
3333 * IDL typedef struct {
3334 * IDL [unique] SID_ARRAY sids;
3339 * IDL } DELTA_ALIAS_MEMBER;
3342 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
3343 packet_info *pinfo, proto_tree *tree,
3344 dcerpc_info *di, guint8 *drep)
3346 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, di, drep);
3348 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3349 hf_netlogon_reserved, NULL);
3351 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3352 hf_netlogon_reserved, NULL);
3354 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3355 hf_netlogon_reserved, NULL);
3357 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3358 hf_netlogon_reserved, NULL);
3365 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
3366 packet_info *pinfo, proto_tree *tree,
3367 dcerpc_info *di, guint8 *drep)
3369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3370 hf_netlogon_event_audit_option, NULL);
3376 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
3377 packet_info *pinfo, proto_tree *tree,
3378 dcerpc_info *di, guint8 *drep)
3380 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3381 netlogon_dissect_EVENT_AUDIT_OPTION);
3388 * IDL typedef struct {
3389 * IDL long pagedpoollimit;
3390 * IDL long nonpagedpoollimit;
3391 * IDL long minimumworkingsetsize;
3392 * IDL long maximumworkingsetsize;
3393 * IDL long pagefilelimit;
3394 * IDL NTTIME timelimit;
3395 * IDL } QUOTA_LIMITS;
3398 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
3399 packet_info *pinfo, proto_tree *parent_tree,
3400 dcerpc_info *di, guint8 *drep)
3402 proto_item *item=NULL;
3403 proto_tree *tree=NULL;
3404 int old_offset=offset;
3407 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3409 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
3412 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3413 hf_netlogon_pagedpoollimit, NULL);
3415 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3416 hf_netlogon_nonpagedpoollimit, NULL);
3418 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3419 hf_netlogon_minworkingsetsize, NULL);
3421 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3422 hf_netlogon_maxworkingsetsize, NULL);
3424 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3425 hf_netlogon_pagefilelimit, NULL);
3427 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3428 hf_netlogon_timelimit);
3430 proto_item_set_len(item, offset-old_offset);
3436 * IDL typedef struct {
3437 * IDL long maxlogsize;
3438 * IDL NTTIME auditretentionperiod;
3439 * IDL bool auditingmode;
3440 * IDL long maxauditeventcount;
3441 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
3442 * IDL UNICODESTRING primarydomainname;
3443 * IDL [unique] SID *sid;
3444 * IDL QUOTA_LIMITS quota_limits;
3445 * IDL NTTIME db_modify_time;
3446 * IDL NTTIME db_create_time;
3447 * IDL long SecurityInformation;
3448 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3449 * IDL UNICODESTRING dummy1;
3450 * IDL UNICODESTRING dummy2;
3451 * IDL UNICODESTRING dummy3;
3452 * IDL UNICODESTRING dummy4;
3457 * IDL } DELTA_POLICY;
3460 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
3461 packet_info *pinfo, proto_tree *tree,
3462 dcerpc_info *di, guint8 *drep)
3464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3465 hf_netlogon_max_log_size, NULL);
3467 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3468 hf_netlogon_audit_retention_period);
3470 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
3471 hf_netlogon_auditing_mode, NULL);
3473 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3474 hf_netlogon_max_audit_event_count, NULL);
3476 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3477 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
3478 "Event Audit Options:", -1);
3480 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3481 hf_netlogon_domain_name, 0);
3483 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
3485 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3486 pinfo, tree, di, drep);
3488 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3489 hf_netlogon_db_modify_time);
3491 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3492 hf_netlogon_db_create_time);
3494 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3495 hf_netlogon_security_information, NULL);
3497 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3499 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3500 hf_netlogon_dummy, 0);
3502 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3503 hf_netlogon_dummy, 0);
3505 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3506 hf_netlogon_dummy, 0);
3508 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3509 hf_netlogon_dummy, 0);
3511 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3512 hf_netlogon_reserved, NULL);
3514 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3515 hf_netlogon_reserved, NULL);
3517 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3518 hf_netlogon_reserved, NULL);
3520 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3521 hf_netlogon_reserved, NULL);
3528 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
3529 packet_info *pinfo, proto_tree *tree,
3530 dcerpc_info *di, guint8 *drep)
3532 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3533 hf_netlogon_dc_name, 0);
3539 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
3540 packet_info *pinfo, proto_tree *tree,
3541 dcerpc_info *di, guint8 *drep)
3543 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3544 netlogon_dissect_CONTROLLER);
3551 * IDL typedef struct {
3552 * IDL UNICODESTRING DomainName;
3553 * IDL long num_controllers;
3554 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
3555 * IDL long SecurityInformation;
3556 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3557 * IDL UNICODESTRING dummy1;
3558 * IDL UNICODESTRING dummy2;
3559 * IDL UNICODESTRING dummy3;
3560 * IDL UNICODESTRING dummy4;
3565 * IDL } DELTA_TRUSTED_DOMAINS;
3568 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
3569 packet_info *pinfo, proto_tree *tree,
3570 dcerpc_info *di, guint8 *drep)
3572 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3573 hf_netlogon_domain_name, 0);
3575 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3576 hf_netlogon_num_controllers, NULL);
3578 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3579 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
3580 "Domain Controllers:", -1);
3582 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3583 hf_netlogon_security_information, NULL);
3585 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3587 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3588 hf_netlogon_dummy, 0);
3590 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3591 hf_netlogon_dummy, 0);
3593 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3594 hf_netlogon_dummy, 0);
3596 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3597 hf_netlogon_dummy, 0);
3599 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3600 hf_netlogon_reserved, NULL);
3602 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3603 hf_netlogon_reserved, NULL);
3605 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3606 hf_netlogon_reserved, NULL);
3608 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3609 hf_netlogon_reserved, NULL);
3616 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
3617 packet_info *pinfo, proto_tree *tree,
3618 dcerpc_info *di, guint8 *drep)
3620 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3621 hf_netlogon_attrs, NULL);
3627 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
3628 packet_info *pinfo, proto_tree *tree,
3629 dcerpc_info *di, guint8 *drep)
3631 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3632 netlogon_dissect_PRIV_ATTR);
3638 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
3639 packet_info *pinfo, proto_tree *tree,
3640 dcerpc_info *di, guint8 *drep)
3642 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3643 hf_netlogon_privilege_name, 1);
3649 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
3650 packet_info *pinfo, proto_tree *tree,
3651 dcerpc_info *di, guint8 *drep)
3653 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3654 netlogon_dissect_PRIV_NAME);
3662 * IDL typedef struct {
3663 * IDL long privilegeentries;
3664 * IDL long provolegecontrol;
3665 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
3666 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
3667 * IDL QUOTALIMITS quotalimits;
3668 * IDL long SecurityInformation;
3669 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3670 * IDL UNICODESTRING dummy1;
3671 * IDL UNICODESTRING dummy2;
3672 * IDL UNICODESTRING dummy3;
3673 * IDL UNICODESTRING dummy4;
3678 * IDL } DELTA_ACCOUNTS;
3681 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
3682 packet_info *pinfo, proto_tree *tree,
3683 dcerpc_info *di, guint8 *drep)
3685 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3686 hf_netlogon_privilege_entries, NULL);
3688 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3689 hf_netlogon_privilege_control, NULL);
3691 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3692 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
3693 "PRIV_ATTR_ARRAY:", -1);
3695 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3696 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
3697 "PRIV_NAME_ARRAY:", -1);
3699 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3700 pinfo, tree, di, drep);
3702 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3703 hf_netlogon_systemflags, NULL);
3705 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3706 hf_netlogon_security_information, NULL);
3708 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3710 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3711 hf_netlogon_dummy, 0);
3713 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3714 hf_netlogon_dummy, 0);
3716 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3717 hf_netlogon_dummy, 0);
3719 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3720 hf_netlogon_dummy, 0);
3722 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3723 hf_netlogon_reserved, NULL);
3725 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3726 hf_netlogon_reserved, NULL);
3728 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3729 hf_netlogon_reserved, NULL);
3731 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3732 hf_netlogon_reserved, NULL);
3738 * IDL typedef struct {
3741 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
3742 * IDL } CIPHER_VALUE;
3745 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
3746 packet_info *pinfo, proto_tree *tree,
3747 dcerpc_info *di, guint8 *drep)
3751 if(di->conformant_run){
3752 /*just a run to handle conformant arrays, nothing to dissect */
3756 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3757 hf_netlogon_cipher_maxlen, NULL);
3762 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3763 hf_netlogon_cipher_len, &data_len);
3765 proto_tree_add_item(tree, di->hf_index, tvb, offset,
3772 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
3773 packet_info *pinfo, proto_tree *parent_tree,
3774 dcerpc_info *di, guint8 *drep, const char *name, int hf_index)
3776 proto_item *item=NULL;
3777 proto_tree *tree=NULL;
3778 int old_offset=offset;
3781 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3783 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
3786 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3787 hf_netlogon_cipher_len, NULL);
3789 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
3790 hf_netlogon_cipher_maxlen, NULL);
3792 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3793 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
3796 proto_item_set_len(item, offset-old_offset);
3801 * IDL typedef struct {
3802 * IDL CIPHER_VALUE current_cipher;
3803 * IDL NTTIME current_cipher_set_time;
3804 * IDL CIPHER_VALUE old_cipher;
3805 * IDL NTTIME old_cipher_set_time;
3806 * IDL long SecurityInformation;
3807 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3808 * IDL UNICODESTRING dummy1;
3809 * IDL UNICODESTRING dummy2;
3810 * IDL UNICODESTRING dummy3;
3811 * IDL UNICODESTRING dummy4;
3816 * IDL } DELTA_SECRET;
3819 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
3820 packet_info *pinfo, proto_tree *tree,
3821 dcerpc_info *di, guint8 *drep)
3823 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3824 pinfo, tree, di, drep,
3825 "CIPHER_VALUE: current cipher value",
3826 hf_netlogon_cipher_current_data);
3828 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3829 hf_netlogon_cipher_current_set_time);
3831 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3832 pinfo, tree, di, drep,
3833 "CIPHER_VALUE: old cipher value",
3834 hf_netlogon_cipher_old_data);
3836 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3837 hf_netlogon_cipher_old_set_time);
3839 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3840 hf_netlogon_security_information, NULL);
3842 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3844 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3845 hf_netlogon_dummy, 0);
3847 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3848 hf_netlogon_dummy, 0);
3850 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3851 hf_netlogon_dummy, 0);
3853 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3854 hf_netlogon_dummy, 0);
3856 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3857 hf_netlogon_reserved, NULL);
3859 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3860 hf_netlogon_reserved, NULL);
3862 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3863 hf_netlogon_reserved, NULL);
3865 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3866 hf_netlogon_reserved, NULL);
3872 * IDL typedef struct {
3873 * IDL long low_value;
3874 * IDL long high_value;
3878 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
3879 packet_info *pinfo, proto_tree *tree,
3880 dcerpc_info *di, guint8 *drep)
3882 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
3883 hf_netlogon_modify_count, NULL);
3889 #define DT_DELTA_DOMAIN 1
3890 #define DT_DELTA_GROUP 2
3891 #define DT_DELTA_DELETE_GROUP 3
3892 #define DT_DELTA_RENAME_GROUP 4
3893 #define DT_DELTA_USER 5
3894 #define DT_DELTA_DELETE_USER 6
3895 #define DT_DELTA_RENAME_USER 7
3896 #define DT_DELTA_GROUP_MEMBER 8
3897 #define DT_DELTA_ALIAS 9
3898 #define DT_DELTA_DELETE_ALIAS 10
3899 #define DT_DELTA_RENAME_ALIAS 11
3900 #define DT_DELTA_ALIAS_MEMBER 12
3901 #define DT_DELTA_POLICY 13
3902 #define DT_DELTA_TRUSTED_DOMAINS 14
3903 #define DT_DELTA_DELETE_TRUST 15
3904 #define DT_DELTA_ACCOUNTS 16
3905 #define DT_DELTA_DELETE_ACCOUNT 17
3906 #define DT_DELTA_SECRET 18
3907 #define DT_DELTA_DELETE_SECRET 19
3908 #define DT_DELTA_DELETE_GROUP2 20
3909 #define DT_DELTA_DELETE_USER2 21
3910 #define DT_MODIFIED_COUNT 22
3912 static const value_string delta_type_vals[] = {
3913 { DT_DELTA_DOMAIN, "Domain" },
3914 { DT_DELTA_GROUP, "Group" },
3915 { DT_DELTA_DELETE_GROUP, "Delete Group" },
3916 { DT_DELTA_RENAME_GROUP, "Rename Group" },
3917 { DT_DELTA_USER, "User" },
3918 { DT_DELTA_DELETE_USER, "Delete User" },
3919 { DT_DELTA_RENAME_USER, "Rename User" },
3920 { DT_DELTA_GROUP_MEMBER, "Group Member" },
3921 { DT_DELTA_ALIAS, "Alias" },
3922 { DT_DELTA_DELETE_ALIAS, "Delete Alias" },
3923 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
3924 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
3925 { DT_DELTA_POLICY, "Policy" },
3926 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
3927 { DT_DELTA_DELETE_TRUST, "Delete Trust" },
3928 { DT_DELTA_ACCOUNTS, "Accounts" },
3929 { DT_DELTA_DELETE_ACCOUNT, "Delete Account" },
3930 { DT_DELTA_SECRET, "Secret" },
3931 { DT_DELTA_DELETE_SECRET, "Delete Secret" },
3932 { DT_DELTA_DELETE_GROUP2, "Delete Group2" },
3933 { DT_DELTA_DELETE_USER2, "Delete User2" },
3934 { DT_MODIFIED_COUNT, "Modified Count" },
3938 * IDL typedef [switch_type(short)] union {
3939 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
3940 * IDL [case(2)][unique] DELTA_GROUP *group;
3941 * IDL [case(3)][unique] rid only ;
3942 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3943 * IDL [case(5)][unique] DELTA_USER *user;
3944 * IDL [case(6)][unique] rid only ;
3945 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
3946 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3947 * IDL [case(9)][unique] DELTA_ALIAS *alias;
3948 * IDL [case(10)][unique] rid only ;
3949 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
3950 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3951 * IDL [case(13)][unique] DELTA_POLICY *policy;
3952 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3953 * IDL [case(15)][unique] PSID ;
3954 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
3955 * IDL [case(17)][unique] PSID ;
3956 * IDL [case(18)][unique] DELTA_SECRET *secret;
3957 * IDL [case(19)][unique] string;
3958 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
3959 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
3960 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
3961 * IDL } DELTA_UNION;
3964 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
3965 packet_info *pinfo, proto_tree *parent_tree,
3966 dcerpc_info *di, guint8 *drep)
3968 proto_item *item=NULL;
3969 proto_tree *tree=NULL;
3970 int old_offset=offset;
3974 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3976 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
3979 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3980 hf_netlogon_delta_type, &level);
3985 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3986 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
3987 "DELTA_DOMAIN:", -1);
3990 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3991 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
3992 "DELTA_GROUP:", -1);
3995 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3996 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3997 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
4000 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4001 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
4005 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4006 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
4007 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
4010 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4011 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
4012 "DELTA_GROUP_MEMBER:", -1);
4015 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4016 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
4017 "DELTA_ALIAS:", -1);
4020 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4021 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
4022 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
4025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4026 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
4027 "DELTA_ALIAS_MEMBER:", -1);
4030 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4031 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
4032 "DELTA_POLICY:", -1);
4035 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4036 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
4037 "DELTA_TRUSTED_DOMAINS:", -1);
4040 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4041 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
4042 "DELTA_ACCOUNTS:", -1);
4045 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4046 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
4047 "DELTA_SECRET:", -1);
4050 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4051 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
4052 "DELTA_DELETE_GROUP:", -1);
4055 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4056 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
4057 "DELTA_DELETE_USER:", -1);
4060 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4061 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
4062 "MODIFIED_COUNT:", -1);
4066 proto_item_set_len(item, offset-old_offset);
4072 /* IDL XXX must verify this one, especially 13-19
4073 * IDL typedef [switch_type(short)] union {
4074 * IDL [case(1)] long rid;
4075 * IDL [case(2)] long rid;
4076 * IDL [case(3)] long rid;
4077 * IDL [case(4)] long rid;
4078 * IDL [case(5)] long rid;
4079 * IDL [case(6)] long rid;
4080 * IDL [case(7)] long rid;
4081 * IDL [case(8)] long rid;
4082 * IDL [case(9)] long rid;
4083 * IDL [case(10)] long rid;
4084 * IDL [case(11)] long rid;
4085 * IDL [case(12)] long rid;
4086 * IDL [case(13)] [unique] SID *sid;
4087 * IDL [case(14)] [unique] SID *sid;
4088 * IDL [case(15)] [unique] SID *sid;
4089 * IDL [case(16)] [unique] SID *sid;
4090 * IDL [case(17)] [unique] SID *sid;
4091 * IDL [case(18)] [unique][string] wchar_t *Name ;
4092 * IDL [case(19)] [unique][string] wchar_t *Name ;
4093 * IDL [case(20)] long rid;
4094 * IDL [case(21)] long rid;
4095 * IDL } DELTA_ID_UNION;
4098 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
4099 packet_info *pinfo, proto_tree *parent_tree,
4100 dcerpc_info *di, guint8 *drep)
4102 proto_item *item=NULL;
4103 proto_tree *tree=NULL;
4104 int old_offset=offset;
4108 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4110 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
4113 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4114 hf_netlogon_delta_type, &level);
4119 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4120 hf_netlogon_group_rid, NULL);
4123 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4124 hf_netlogon_user_rid, NULL);
4127 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4128 hf_netlogon_user_rid, NULL);
4131 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4132 hf_netlogon_user_rid, NULL);
4135 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4136 hf_netlogon_user_rid, NULL);
4139 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4140 hf_netlogon_user_rid, NULL);
4143 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4144 hf_netlogon_user_rid, NULL);
4147 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4148 hf_netlogon_user_rid, NULL);
4151 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4152 hf_netlogon_user_rid, NULL);
4155 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4156 hf_netlogon_user_rid, NULL);
4159 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4160 hf_netlogon_user_rid, NULL);
4163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4164 hf_netlogon_user_rid, NULL);
4167 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4170 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4173 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4176 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4179 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4182 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4183 tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
4184 hf_netlogon_unknown_string, 0);
4187 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4188 tree, di, drep, NDR_POINTER_UNIQUE, "unknown",
4189 hf_netlogon_unknown_string, 0);
4192 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4193 hf_netlogon_user_rid, NULL);
4196 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4197 hf_netlogon_user_rid, NULL);
4201 proto_item_set_len(item, offset-old_offset);
4206 * IDL typedef struct {
4207 * IDL short delta_type;
4208 * IDL DELTA_ID_UNION delta_id_union;
4209 * IDL DELTA_UNION delta_union;
4213 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
4214 packet_info *pinfo, proto_tree *parent_tree,
4215 dcerpc_info *di, guint8 *drep)
4217 proto_item *item=NULL;
4218 proto_tree *tree=NULL;
4219 int old_offset=offset;
4223 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4225 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
4228 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4229 hf_netlogon_delta_type, &type);
4231 proto_item_append_text(item, "%s", val_to_str(
4232 type, delta_type_vals, "Unknown"));
4234 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
4235 pinfo, tree, di, drep);
4237 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
4238 pinfo, tree, di, drep);
4240 proto_item_set_len(item, offset-old_offset);
4245 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
4246 packet_info *pinfo, proto_tree *tree,
4247 dcerpc_info *di, guint8 *drep)
4249 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
4250 netlogon_dissect_DELTA_ENUM);
4256 * IDL typedef struct {
4257 * IDL long num_deltas;
4258 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
4259 * IDL } DELTA_ENUM_ARRAY;
4262 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
4263 packet_info *pinfo, proto_tree *tree,
4264 dcerpc_info *di, guint8 *drep)
4266 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4267 hf_netlogon_num_deltas, NULL);
4269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4270 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
4271 "DELTA_ENUM: deltas", -1);
4278 * IDL long NetrDatabaseDeltas(
4279 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4280 * IDL [in][string][ref] wchar_t *computername,
4281 * IDL [in][ref] AUTHENTICATOR credential,
4282 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4283 * IDL [in] long database_id,
4284 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
4285 * IDL [in] long preferredmaximumlength,
4286 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4290 netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
4291 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4293 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4294 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4296 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4297 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4299 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4300 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4301 "AUTHENTICATOR: credential", -1);
4303 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4304 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4305 "AUTHENTICATOR: return_authenticator", -1);
4307 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4308 hf_netlogon_database_id, NULL);
4310 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4311 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
4312 "MODIFIED_COUNT: domain modified count", -1);
4314 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4315 hf_netlogon_max_size, NULL);
4320 netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
4321 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4323 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4324 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4325 "AUTHENTICATOR: return_authenticator", -1);
4327 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4328 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
4329 "MODIFIED_COUNT: domain modified count", -1);
4331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4332 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4333 "DELTA_ENUM_ARRAY: deltas", -1);
4335 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4336 hf_netlogon_rc, NULL);
4343 * IDL long NetrDatabaseSync(
4344 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4345 * IDL [in][string][ref] wchar_t *computername,
4346 * IDL [in][ref] AUTHENTICATOR credential,
4347 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4348 * IDL [in] long database_id,
4349 * IDL [in][out][ref] long sync_context,
4350 * IDL [in] long preferredmaximumlength,
4351 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4355 netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
4356 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4358 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4359 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4361 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4362 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4364 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4365 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4366 "AUTHENTICATOR: credential", -1);
4368 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4369 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4370 "AUTHENTICATOR: return_authenticator", -1);
4372 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4373 hf_netlogon_database_id, NULL);
4375 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4376 hf_netlogon_sync_context, NULL);
4378 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4379 hf_netlogon_max_size, NULL);
4386 netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
4387 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4389 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4390 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4391 "AUTHENTICATOR: return_authenticator", -1);
4393 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4394 hf_netlogon_sync_context, NULL);
4396 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4397 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4398 "DELTA_ENUM_ARRAY: deltas", -1);
4400 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4401 hf_netlogon_rc, NULL);
4407 * IDL typedef struct {
4408 * IDL char computer_name[16];
4409 * IDL long timecreated;
4410 * IDL long serial_number;
4414 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
4415 packet_info *pinfo, proto_tree *tree,
4416 dcerpc_info *di, guint8 *drep)
4418 if(di->conformant_run){
4419 /*just a run to handle conformant arrays, nothing to dissect */
4423 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, ENC_ASCII|ENC_NA);
4426 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
4429 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4430 hf_netlogon_serial_number, NULL);
4437 * IDL long NetrAccountDeltas(
4438 * IDL [in][string][unique] wchar_t *logonserver,
4439 * IDL [in][string][ref] wchar_t *computername,
4440 * IDL [in][ref] AUTHENTICATOR credential,
4441 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4442 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4443 * IDL [out][ref] long count_returned,
4444 * IDL [out][ref] long total_entries,
4445 * IDL [in][out][ref] UAS_INFO_0 recordid,
4446 * IDL [in][long] count,
4447 * IDL [in][long] level,
4448 * IDL [in][long] buffersize,
4452 netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
4453 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4455 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4456 pinfo, tree, di, drep);
4458 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4459 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4461 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4462 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4463 "AUTHENTICATOR: credential", -1);
4465 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4466 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4467 "AUTHENTICATOR: return_authenticator", -1);
4469 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4470 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4471 "UAS_INFO_0: RecordID", -1);
4473 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4474 hf_netlogon_count, NULL);
4476 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4477 hf_netlogon_level, NULL);
4479 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4480 hf_netlogon_max_size, NULL);
4485 netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
4486 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4488 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4489 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4490 "AUTHENTICATOR: return_authenticator", -1);
4492 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4493 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4494 "BYTE_array: Buffer", -1);
4496 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4497 hf_netlogon_count, NULL);
4499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4500 hf_netlogon_entries, NULL);
4502 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4503 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4504 "UAS_INFO_0: RecordID", -1);
4506 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4507 hf_netlogon_rc, NULL);
4514 * IDL long NetrAccountSync(
4515 * IDL [in][string][unique] wchar_t *logonserver,
4516 * IDL [in][string][ref] wchar_t *computername,
4517 * IDL [in][ref] AUTHENTICATOR credential,
4518 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4519 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4520 * IDL [out][ref] long count_returned,
4521 * IDL [out][ref] long total_entries,
4522 * IDL [out][ref] long next_reference,
4523 * IDL [in][long] reference,
4524 * IDL [in][long] level,
4525 * IDL [in][long] buffersize,
4526 * IDL [in][out][ref] UAS_INFO_0 recordid,
4530 netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
4531 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4533 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4534 pinfo, tree, di, drep);
4536 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4537 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4539 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4540 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4541 "AUTHENTICATOR: credential", -1);
4543 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4544 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4545 "AUTHENTICATOR: return_authenticator", -1);
4547 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4548 hf_netlogon_reference, NULL);
4550 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4551 hf_netlogon_level, NULL);
4553 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4554 hf_netlogon_max_size, NULL);
4559 netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
4560 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4562 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4563 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4564 "AUTHENTICATOR: return_authenticator", -1);
4566 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4567 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4568 "BYTE_array: Buffer", -1);
4570 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4571 hf_netlogon_count, NULL);
4573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4574 hf_netlogon_entries, NULL);
4576 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4577 hf_netlogon_next_reference, NULL);
4579 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4580 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4581 "UAS_INFO_0: RecordID", -1);
4583 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4584 hf_netlogon_rc, NULL);
4591 * IDL long NetrGetDcName(
4592 * IDL [in][ref][string] wchar_t *logon_server,
4593 * IDL [in][unique][string] wchar_t *domainname,
4594 * IDL [out][unique][string] wchar_t *dcname,
4598 netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
4599 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4601 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4602 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4604 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4605 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
4610 netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
4611 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4613 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4614 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4616 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4617 hf_netlogon_rc, NULL);
4625 * IDL typedef struct {
4627 * IDL long pdc_connection_status;
4628 * IDL } NETLOGON_INFO_1;
4631 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
4632 packet_info *pinfo, proto_tree *tree,
4633 dcerpc_info *di, guint8 *drep)
4635 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4636 hf_netlogon_flags, NULL);
4638 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4639 hf_netlogon_pdc_connection_status, NULL);
4646 * IDL typedef struct {
4648 * IDL long pdc_connection_status;
4649 * IDL [unique][string] wchar_t trusted_dc_name;
4650 * IDL long tc_connection_status;
4651 * IDL } NETLOGON_INFO_2;
4654 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
4655 packet_info *pinfo, proto_tree *tree,
4656 dcerpc_info *di, guint8 *drep)
4658 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4659 hf_netlogon_flags, NULL);
4661 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4662 hf_netlogon_pdc_connection_status, NULL);
4664 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4665 NDR_POINTER_UNIQUE, "Trusted DC Name",
4666 hf_netlogon_trusted_dc_name, 0);
4668 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4669 hf_netlogon_tc_connection_status, NULL);
4676 * IDL typedef struct {
4678 * IDL long logon_attempts;
4679 * IDL long reserved;
4680 * IDL long reserved;
4681 * IDL long reserved;
4682 * IDL long reserved;
4683 * IDL long reserved;
4684 * IDL } NETLOGON_INFO_3;
4687 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
4688 packet_info *pinfo, proto_tree *tree,
4689 dcerpc_info *di, guint8 *drep)
4691 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4692 hf_netlogon_flags, NULL);
4694 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4695 hf_netlogon_logon_attempts, NULL);
4697 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4698 hf_netlogon_reserved, NULL);
4700 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4701 hf_netlogon_reserved, NULL);
4703 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4704 hf_netlogon_reserved, NULL);
4706 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4707 hf_netlogon_reserved, NULL);
4709 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4710 hf_netlogon_reserved, NULL);
4717 * IDL typedef [switch_type(long)] union {
4718 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
4719 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
4720 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
4721 * IDL } CONTROL_QUERY_INFORMATION;
4724 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
4725 packet_info *pinfo, proto_tree *tree,
4726 dcerpc_info *di, guint8 *drep)
4730 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4731 hf_netlogon_level, &level);
4736 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4737 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
4738 "NETLOGON_INFO_1:", -1);
4741 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4742 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
4743 "NETLOGON_INFO_2:", -1);
4746 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4747 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
4748 "NETLOGON_INFO_3:", -1);
4757 * IDL long NetrLogonControl(
4758 * IDL [in][string][unique] wchar_t *logonserver,
4759 * IDL [in] long function_code,
4760 * IDL [in] long level,
4761 * IDL [out][ref] CONTROL_QUERY_INFORMATION
4765 netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
4766 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4768 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4769 pinfo, tree, di, drep);
4771 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4772 hf_netlogon_code, NULL);
4774 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4775 hf_netlogon_level, NULL);
4780 netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
4781 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4783 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4784 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4785 "CONTROL_QUERY_INFORMATION:", -1);
4787 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4788 hf_netlogon_dos_rc, NULL);
4795 * IDL long NetrGetAnyDCName(
4796 * IDL [in][unique][string] wchar_t *logon_server,
4797 * IDL [in][unique][string] wchar_t *domainname,
4798 * IDL [out][unique][string] wchar_t *dcname,
4802 netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
4803 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4805 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4806 NDR_POINTER_UNIQUE, "Server Handle",
4807 hf_netlogon_logonsrv_handle, 0);
4809 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4810 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
4815 netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
4816 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4818 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4819 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4821 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4822 hf_netlogon_dos_rc, NULL);
4829 * IDL typedef [switch_type(long)] union {
4830 * IDL [case(5)] [unique][string] wchar_t *unknown;
4831 * IDL [case(6)] [unique][string] wchar_t *unknown;
4832 * IDL [case(0xfffe)] long unknown;
4833 * IDL [case(7)] [unique][string] wchar_t *unknown;
4834 * IDL } CONTROL_DATA_INFORMATION;
4837 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
4838 * to look like. However NetMon does not recognize any such informationlevels.
4840 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
4841 * until someone has any source of better authority to call upon.
4844 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
4845 packet_info *pinfo, proto_tree *tree,
4846 dcerpc_info *di, guint8 *drep)
4850 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4851 hf_netlogon_level, &level);
4856 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4857 tree, di, drep, NDR_POINTER_UNIQUE, "Trusted Domain Name",
4858 hf_netlogon_TrustedDomainName_string, 0);
4861 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4862 tree, di, drep, NDR_POINTER_UNIQUE, "Trusted Domain Name",
4863 hf_netlogon_TrustedDomainName_string, 0);
4866 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4867 hf_netlogon_unknown_long, NULL);
4870 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4871 tree, di, drep, NDR_POINTER_UNIQUE, "UserName",
4872 hf_netlogon_UserName_string, 0);
4881 * IDL long NetrLogonControl2(
4882 * IDL [in][string][unique] wchar_t *logonserver,
4883 * IDL [in] long function_code,
4884 * IDL [in] long level,
4885 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4886 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4890 netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
4891 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4893 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4894 pinfo, tree, di, drep);
4896 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4897 hf_netlogon_code, NULL);
4899 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4900 hf_netlogon_level, NULL);
4902 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4903 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4904 "CONTROL_DATA_INFORMATION: ", -1);
4910 netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
4911 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4915 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4916 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4917 "CONTROL_QUERY_INFORMATION:", -1);
4919 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_werr_rc, &status);
4922 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown WERR error 0x%08x"));
4932 * IDL long NetrDatabaseSync2(
4933 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4934 * IDL [in][string][ref] wchar_t *computername,
4935 * IDL [in][ref] AUTHENTICATOR credential,
4936 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4937 * IDL [in] long database_id,
4938 * IDL [in] short restart_state,
4939 * IDL [in][out][ref] long *sync_context,
4940 * IDL [in] long preferredmaximumlength,
4941 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4945 netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
4946 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4948 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4949 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4951 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4952 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4954 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4955 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4956 "AUTHENTICATOR: credential", -1);
4958 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4959 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4960 "AUTHENTICATOR: return_authenticator", -1);
4962 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4963 hf_netlogon_database_id, NULL);
4965 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4966 hf_netlogon_restart_state, NULL);
4968 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4969 hf_netlogon_sync_context, NULL);
4971 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4972 hf_netlogon_max_size, NULL);
4978 netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
4979 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
4981 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4982 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4983 "AUTHENTICATOR: return_authenticator", -1);
4985 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4986 hf_netlogon_sync_context, NULL);
4988 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4989 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4990 "DELTA_ENUM_ARRAY: deltas", -1);
4992 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4993 hf_netlogon_rc, NULL);
5000 * IDL long NetrDatabaseRedo(
5001 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5002 * IDL [in][string][ref] wchar_t *computername,
5003 * IDL [in][ref] AUTHENTICATOR credential,
5004 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5005 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
5006 * IDL [in] long change_log_entry_size,
5007 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
5011 netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
5012 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5014 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5015 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
5017 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5018 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5020 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5021 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5022 "AUTHENTICATOR: credential", -1);
5024 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5025 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5026 "AUTHENTICATOR: return_authenticator", -1);
5028 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5029 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
5030 "Change log entry: ", -1);
5032 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5033 hf_netlogon_max_log_size, NULL);
5039 netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
5040 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5042 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5043 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5044 "AUTHENTICATOR: return_authenticator", -1);
5046 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5047 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
5048 "DELTA_ENUM_ARRAY: deltas", -1);
5050 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5051 hf_netlogon_rc, NULL);
5058 * IDL long NetrLogonControl2Ex(
5059 * IDL [in][string][unique] wchar_t *logonserver,
5060 * IDL [in] long function_code,
5061 * IDL [in] long level,
5062 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
5063 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
5067 netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
5068 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5070 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5071 pinfo, tree, di, drep);
5073 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5074 hf_netlogon_code, NULL);
5076 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5077 hf_netlogon_level, NULL);
5079 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5080 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
5081 "CONTROL_DATA_INFORMATION: ", -1);
5086 netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
5087 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
5089 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5090 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
5091 "CONTROL_QUERY_INFORMATION:", -1);
5093 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5094 hf_netlogon_dos_rc, NULL);
5102 static const value_string trust_type_vals[] = {
5103 { 1, "NT4 Domain" },
5105 { 3, "MIT Kerberos realm" },
5110 #define DS_INET_ADDRESS 1
5111 #define DS_NETBIOS_ADDRESS 2
5113 static const value_string dc_address_types[] = {
5114 { DS_INET_ADDRESS, "IP/DNS name" },
5115 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
5120 #define RQ_ROOT_FOREST 0x0001
5121 #define RQ_DC_XFOREST 0x0002
5122 #define RQ_RODC_DIF_DOMAIN 0x0004
5123 #define RQ_NTLM_FROM_RODC 0x0008
5125 #define DS_DOMAIN_IN_FOREST 0x0001
5126 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
5127 #define DS_DOMAIN_TREE_ROOT 0x0004
5128 #define DS_DOMAIN_PRIMARY 0x0008
5129 #define DS_DOMAIN_NATIVE_MODE 0x0010
5130 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
5132 static const true_false_string trust_inbound = {
5133 "There is a DIRECT INBOUND trust for the servers domain",
5134 "There is NO direct inbound trust for the servers domain"
5136 static const true_false_string trust_outbound = {
5137 "There is a DIRECT OUTBOUND trust for this domain",
5138 "There is NO direct outbound trust for this domain"
5140 static const true_false_string trust_in_forest = {
5141 "The domain is a member IN the same FOREST as the queried server",
5142 "The domain is NOT a member of the queried servers domain"
5144 static const true_false_string trust_native_mode = {
5145 "The primary domain is a NATIVE MODE w2k domain",
5146 "The primary is NOT a native mode w2k domain"
5148 static const true_false_string trust_primary = {
5149 "The domain is the PRIMARY domain of the queried server",
5150 "The domain is NOT the primary domain of the queried server"
5152 static const true_false_string trust_tree_root = {
5153 "The domain is the ROOT of a domain TREE",
5154 "The domain is NOT a root of a domain tree"
5159 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
5160 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5163 proto_item *item = NULL;
5164 proto_tree *tree = NULL;
5166 if(di->conformant_run){
5167 /*just a run to handle conformant arrays, nothing to dissect */
5171 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5172 hf_netlogon_trust_flags, &mask);
5175 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
5176 tvb, offset-4, 4, mask);
5177 tree = proto_item_add_subtree(item, ett_trust_flags);
5180 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
5181 tvb, offset-4, 4, mask);
5182 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
5183 tvb, offset-4, 4, mask);
5184 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
5185 tvb, offset-4, 4, mask);
5186 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
5187 tvb, offset-4, 4, mask);
5188 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
5189 tvb, offset-4, 4, mask);
5190 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
5191 tvb, offset-4, 4, mask);
5198 static const true_false_string trust_attribs_non_transitive = {
5199 "This is a NON TRANSITIVE trust relation",
5200 "This is a normal trust"
5202 static const true_false_string trust_attribs_uplevel_only = {
5203 "This is an UPLEVEL ONLY trust relation",
5204 "This is a normal trust"
5206 static const true_false_string trust_attribs_quarantined_domain = {
5207 "This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
5208 "This is a normal trust"
5210 static const true_false_string trust_attribs_forest_transitive = {
5211 "This is a FOREST TRANSITIVE trust",
5212 "This is a normal trust"
5214 static const true_false_string trust_attribs_cross_organization = {
5215 "This is a CROSS ORGANIZATION trust",
5216 "This is a normal trust"
5218 static const true_false_string trust_attribs_within_forest = {
5219 "This is a WITHIN FOREST trust",
5220 "This is a normal trust"
5222 static const true_false_string trust_attribs_treat_as_external = {
5223 "TREAT this trust AS an EXTERNAL trust",
5224 "This is a normal trust"
5228 netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
5229 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5232 proto_item *item = NULL;
5233 proto_tree *tree = NULL;
5235 if(di->conformant_run){
5236 /*just a run to handle conformant arrays, nothing to dissect */
5240 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5241 hf_netlogon_trust_attribs, &mask);
5244 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_attribs,
5245 tvb, offset-4, 4, mask);
5246 tree = proto_item_add_subtree(item, ett_trust_attribs);
5249 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_treat_as_external,
5250 tvb, offset-4, 4, mask);
5251 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_within_forest,
5252 tvb, offset-4, 4, mask);
5253 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_cross_organization,
5254 tvb, offset-4, 4, mask);
5255 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_forest_transitive,
5256 tvb, offset-4, 4, mask);
5257 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_quarantined_domain,
5258 tvb, offset-4, 4, mask);
5259 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_uplevel_only,
5260 tvb, offset-4, 4, mask);
5261 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_non_transitive,
5262 tvb, offset-4, 4, mask);
5269 #define DS_FORCE_REDISCOVERY 0x00000001
5270 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
5271 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
5272 #define DS_GC_SERVER_REQUIRED 0x00000040
5273 #define DS_PDC_REQUIRED 0x00000080
5274 #define DS_BACKGROUND_ONLY 0x00000100
5275 #define DS_IP_REQUIRED 0x00000200
5276 #define DS_KDC_REQUIRED 0x00000400
5277 #define DS_TIMESERV_REQUIRED 0x00000800
5278 #define DS_WRITABLE_REQUIRED 0x00001000
5279 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
5280 #define DS_AVOID_SELF 0x00004000
5281 #define DS_ONLY_LDAP_NEEDED 0x00008000
5282 #define DS_IS_FLAT_NAME 0x00010000
5283 #define DS_IS_DNS_NAME 0x00020000
5284 #define DS_RETURN_DNS_NAME 0x40000000
5285 #define DS_RETURN_FLAT_NAME 0x80000000
5287 static const true_false_string get_dcname_request_flags_force_rediscovery = {
5288 "FORCE REDISCOVERY of any cached data",
5289 "You may return cached data"
5291 static const true_false_string get_dcname_request_flags_directory_service_required = {
5292 "DIRECTORY SERVICE is REQUIRED on the server",
5293 "We do NOT require directory service servers"
5295 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
5296 "DIRECTORY SERVICE servers are PREFERRED",
5297 "We do NOT have a preference for directory service servers"
5299 static const true_false_string get_dcname_request_flags_gc_server_required = {
5300 "GC SERVER is REQUIRED",
5301 "gc server is NOT required"
5303 static const true_false_string get_dcname_request_flags_pdc_required = {
5304 "PDC SERVER is REQUIRED",
5305 "pdc server is NOT required"
5307 static const true_false_string get_dcname_request_flags_background_only = {
5308 "Only return cached data, even if it has expired",
5309 "Return cached data unless it has expired"
5311 static const true_false_string get_dcname_request_flags_ip_required = {
5312 "IP address is REQUIRED",
5313 "ip address is NOT required"
5315 static const true_false_string get_dcname_request_flags_kdc_required = {
5316 "KDC server is REQUIRED",
5317 "kdc server is NOT required"
5319 static const true_false_string get_dcname_request_flags_timeserv_required = {
5320 "TIMESERV service is REQUIRED",
5321 "timeserv service is NOT required"
5323 static const true_false_string get_dcname_request_flags_writable_required = {
5324 "the returned dc MUST be WRITEABLE",
5325 "a read-only dc may be returned"
5327 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
5328 "GOOD TIMESERV servers are PREFERRED",
5329 "we do NOT have a preference for good timeserv servers"
5331 static const true_false_string get_dcname_request_flags_avoid_self = {
5332 "do NOT return self as dc; return someone else",
5333 "you may return yourSELF as the dc"
5335 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
5336 "we ONLY NEED LDAP; you don't have to return a dc",
5337 "we need a normal dc; an ldap only server will not do"
5339 static const true_false_string get_dcname_request_flags_is_flat_name = {
5340 "the name we specify is a NetBIOS name",
5341 "the name we specify is NOT a NetBIOS name"
5343 static const true_false_string get_dcname_request_flags_is_dns_name = {
5344 "the name we specify is a DNS name",
5345 "the name we specify is NOT a dns name"
5347 static const true_false_string get_dcname_request_flags_return_dns_name = {
5348 "return a DNS name",
5349 "you may return a NON-dns name"
5351 static const true_false_string get_dcname_request_flags_return_flat_name = {
5352 "return a NetBIOS name",
5353 "you may return a NON-NetBIOS name"
5356 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
5357 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5360 proto_item *item = NULL;
5361 proto_tree *tree = NULL;
5363 if(di->conformant_run){
5364 /*just a run to handle conformant arrays, nothing to dissect */
5368 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5369 hf_netlogon_get_dcname_request_flags, &mask);
5372 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
5373 tvb, offset-4, 4, mask);
5374 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
5377 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
5378 tvb, offset-4, 4, mask);
5379 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
5380 tvb, offset-4, 4, mask);
5381 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
5382 tvb, offset-4, 4, mask);
5383 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
5384 tvb, offset-4, 4, mask);
5385 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
5386 tvb, offset-4, 4, mask);
5387 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
5388 tvb, offset-4, 4, mask);
5389 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
5390 tvb, offset-4, 4, mask);
5391 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
5392 tvb, offset-4, 4, mask);
5393 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
5394 tvb, offset-4, 4, mask);
5395 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
5396 tvb, offset-4, 4, mask);
5397 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
5398 tvb, offset-4, 4, mask);
5399 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
5400 tvb, offset-4, 4, mask);
5401 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
5402 tvb, offset-4, 4, mask);
5403 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
5404 tvb, offset-4, 4, mask);
5405 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
5406 tvb, offset-4, 4, mask);
5407 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
5408 tvb, offset-4, 4, mask);
5409 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
5410 tvb, offset-4, 4, mask);
5417 #define DS_PDC_FLAG 0x00000001
5418 #define DS_GC_FLAG 0x00000004
5419 #define DS_LDAP_FLAG 0x00000008
5420 #define DS_DS_FLAG 0x00000010
5421 #define DS_KDC_FLAG 0x00000020
5422 #define DS_TIMESERV_FLAG 0x00000040
5423 #define DS_CLOSEST_FLAG 0x00000080
5424 #define DS_WRITABLE_FLAG 0x00000100
5425 #define DS_GOOD_TIMESERV_FLAG 0x00000200
5426 #define DS_NDNC_FLAG 0x00000400
5427 #define DS_DNS_CONTROLLER_FLAG 0x20000000
5428 #define DS_DNS_DOMAIN_FLAG 0x40000000
5429 #define DS_DNS_FOREST_FLAG 0x80000000
5431 static const true_false_string dc_flags_pdc_flag = {
5432 "this is the PDC of the domain",
5433 "this is NOT the pdc of the domain"
5435 static const true_false_string dc_flags_gc_flag = {
5436 "this is the GC of the forest",
5437 "this is NOT the gc of the forest"
5439 static const true_false_string dc_flags_ldap_flag = {
5440 "this is an LDAP server",
5441 "this is NOT an ldap server"
5443 static const true_false_string dc_flags_ds_flag = {
5444 "this is a DS server",
5445 "this is NOT a ds server"
5447 static const true_false_string dc_flags_kdc_flag = {
5448 "this is a KDC server",
5449 "this is NOT a kdc server"
5451 static const true_false_string dc_flags_timeserv_flag = {
5452 "this is a TIMESERV server",
5453 "this is NOT a timeserv server"
5455 static const true_false_string dc_flags_closest_flag = {
5456 "this is the CLOSEST server",
5457 "this is NOT the closest server"
5459 static const true_false_string dc_flags_writable_flag = {
5460 "this server has a WRITABLE ds database",
5461 "this server has a READ-ONLY ds database"
5463 static const true_false_string dc_flags_good_timeserv_flag = {
5464 "this server is a GOOD TIMESERV server",
5465 "this is NOT a good timeserv server"
5467 static const true_false_string dc_flags_ndnc_flag = {
5471 static const true_false_string dc_flags_dns_controller_flag = {
5472 "DomainControllerName is a DNS name",
5473 "DomainControllerName is NOT a dns name"
5475 static const true_false_string dc_flags_dns_domain_flag = {
5476 "DomainName is a DNS name",
5477 "DomainName is NOT a dns name"
5479 static const true_false_string dc_flags_dns_forest_flag = {
5480 "DnsForestName is a DNS name",
5481 "DnsForestName is NOT a dns name"
5484 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
5485 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
5488 proto_item *item = NULL;
5489 proto_tree *tree = NULL;
5491 if(di->conformant_run){
5492 /*just a run to handle conformant arrays, nothing to dissect */
5496 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, di, drep,
5497 hf_netlogon_dc_flags, &mask);
5500 item = proto_tree_add_uint_format_value(parent_tree, hf_netlogon_dc_flags,
5501 tvb, offset-4, 4, mask, "0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
5502 tree = proto_item_add_subtree(item, ett_dc_flags);
5505 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
5506 tvb, offset-4, 4, mask);
5507 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
5508 tvb, offset-4, 4, mask);
5509 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
5510 tvb, offset-4, 4, mask);
5511 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
5512 tvb, offset-4, 4, mask);
5513 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
5514 tvb, offset-4, 4, mask);
5515 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
5516 tvb, offset-4, 4, mask);
5517 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
5518 tvb, offset-4, 4, mask);
5519 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
5520 tvb, offset-4, 4, mask);
5521 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
5522 tvb, offset-4, 4, mask);
5523 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
5524 tvb, offset-4, 4, mask);
5525 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
5526 tvb, offset-4, 4, mask);
5527 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
5528 tvb, offset-4, 4, mask);
5529 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
5530 tvb, offset-4, 4, mask);
5538 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
5539 packet_info *pinfo, proto_tree *tree,
5540 dcerpc_info *di, guint8 *drep)
5542 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
5543 di->hf_index, NULL);
5549 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
5550 packet_info *pinfo, proto_tree *tree,
5551 dcerpc_info *di, guint8 *drep)
5553 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
5554 di->hf_index, NULL);
5560 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
5561 packet_info *pinfo, proto_tree *tree,
5562 dcerpc_info *di, guint8 *drep)
5564 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
5565 hf_netlogon_unknown_char, NULL);
5571 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
5572 packet_info *pinfo, proto_tree *tree,
5573 dcerpc_info *di, guint8 *drep)
5575 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
5576 netlogon_dissect_UNICODE_MULTI_byte);
5582 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
5583 packet_info *pinfo, proto_tree *parent_tree,
5584 dcerpc_info *di, guint8 *drep)
5586 proto_item *item=NULL;
5587 proto_tree *tree=NULL;
5588 int old_offset=offset;
5591 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5593 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
5596 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5597 hf_netlogon_len, NULL);
5599 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5600 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
5601 "unknown", hf_netlogon_unknown_string);
5603 proto_item_set_len(item, offset-old_offset);
5608 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
5609 packet_info *pinfo, proto_tree *parent_tree,
5610 dcerpc_info *di, guint8 *drep)
5612 proto_item *item=NULL;
5613 proto_tree *tree=NULL;
5614 int old_offset=offset;
5617 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5618 "DOMAIN_CONTROLLER_INFO:");
5619 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
5622 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5623 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
5625 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5626 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
5628 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5629 hf_netlogon_dc_address_type, NULL);
5631 offset = dissect_nt_GUID(tvb, offset,
5632 pinfo, tree, di, drep);
5634 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5635 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
5637 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5638 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
5640 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, di, drep);
5642 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5643 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
5645 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5646 NDR_POINTER_UNIQUE, "Client Site",
5647 hf_netlogon_client_site_name, 0);
5649 proto_item_set_len(item, offset-old_offset);
5656 dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
5657 packet_info *pinfo, proto_tree *tree,
5658 dcerpc_info *di, guint8 *drep)
5662 if(di->conformant_run){
5665 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5666 hf_netlogon_trust_max, &max);
5668 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5669 hf_netlogon_trust_offset, NULL);
5671 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5672 hf_netlogon_trust_len, &len);
5674 if( max * 2 == 16 ) {
5675 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
5677 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5678 hf_netlogon_trust_parent_index, NULL);
5680 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5681 hf_netlogon_trust_type, NULL);
5683 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
5685 /* else do something scream shout .... */
5691 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
5692 packet_info *pinfo, proto_tree *tree,
5693 dcerpc_info *di, guint8 *drep)
5697 if(di->conformant_run){
5701 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5702 hf_netlogon_blob_size, &len);
5704 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
5712 dissect_ndr_ulongs_as_counted_string(tvbuff_t *tvb, int offset,
5713 packet_info *pinfo, proto_tree *tree,
5714 dcerpc_info *di, guint8 *drep, int hf_index)
5717 gboolean add_subtree = TRUE; /* Manage room for evolution*/
5719 proto_tree *subtree = tree;
5723 item = proto_tree_add_text(
5724 tree, tvb, offset, 0, "%s",
5725 proto_registrar_get_name(hf_index));
5727 subtree = proto_item_add_subtree(item, ett_nt_counted_longs_as_string);
5729 /* Structure starts with short, but is aligned for longs */
5732 if (di->conformant_run)
5739 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
5744 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
5745 hf_nt_cs_len, &len);
5746 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
5747 hf_nt_cs_size, &size);
5748 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, subtree, di, drep,
5749 dissect_ndr_trust_extension, NDR_POINTER_UNIQUE,
5750 "Buffer", hf_index,NULL,NULL);
5755 DomainInfo_sid_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info *di, guint8 *drep _U_)
5757 offset = lsarpc_dissect_struct_dom_sid2(tvb,offset,pinfo,tree,di,drep,DomainInfo_sid,0);
5762 dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb , int offset , packet_info *pinfo , proto_tree *tree , dcerpc_info *di, guint8 *drep )
5764 offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, DomainInfo_sid_, NDR_POINTER_UNIQUE, "Pointer to Sid (dom_sid2)",DnsDomainInfo_sid);
5769 dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, dcerpc_info *di, guint8 *drep )
5771 offset = dissect_ndr_uuid_t(tvb, offset, pinfo, tree, di, drep, DnsDomainInfo_domain_guid, NULL);
5777 static int dissect_part_DnsDomainInfo(tvbuff_t *tvb , int offset, packet_info *pinfo, proto_tree *tree , dcerpc_info *di, guint8 *drep, int hf_index _U_, guint32 param _U_)
5780 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,di,drep,DnsDomainInfo_name,0);
5782 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,di,drep,DnsDomainInfo_dns_domain,0);
5784 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,di,drep,DnsDomainInfo_dns_forest,0);
5786 offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo, tree, di, drep);
5788 offset = dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree, di, drep);
5796 netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5797 packet_info *pinfo, proto_tree *parent_tree,
5798 dcerpc_info *di, guint8 *drep)
5800 proto_item *item=NULL;
5801 proto_tree *tree=NULL;
5802 int old_offset=offset;
5805 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5807 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
5809 /*hf_netlogon_dnsdomaininfo*/
5810 offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, tree, di, drep, 0, 0);
5813 /* It is structed as a string but it's not ... it's 4 ulong */
5814 offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, tree, di, drep,
5815 hf_netlogon_trust_extention);
5817 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5818 hf_netlogon_dummy_string2, 0);
5820 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5821 hf_netlogon_dummy_string3, 0);
5823 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5824 hf_netlogon_dummy_string4, 0);
5826 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5827 hf_netlogon_dummy1_long, NULL);
5829 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5830 hf_netlogon_dummy2_long, NULL);
5832 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5833 hf_netlogon_dummy3_long, NULL);
5835 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5836 hf_netlogon_dummy4_long, NULL);
5838 proto_item_set_len(item, offset-old_offset);
5843 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
5844 packet_info *pinfo, proto_tree *tree,
5845 dcerpc_info *di, guint8 *drep)
5847 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
5848 netlogon_dissect_ONE_DOMAIN_INFO);
5855 netlogon_dissect_LSA_POLICY_INFO(tvbuff_t *tvb _U_, int offset,
5856 packet_info *pinfo _U_, proto_tree *tree _U_,
5857 dcerpc_info *di, guint8 *drep _U_ )
5859 proto_item *item=NULL;
5860 proto_tree *subtree=NULL;
5863 if(di->conformant_run){
5868 item = proto_tree_add_text(tree, tvb, offset, 0,
5870 subtree = proto_item_add_subtree(item, ett_LSA_POLICY_INFO);
5872 offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
5873 hf_netlogon_lsapolicy_len, &len);
5875 offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
5876 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
5886 netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb , int offset ,
5887 packet_info *pinfo , proto_tree *tree ,
5888 dcerpc_info *di, guint8 *drep )
5890 /* This is not the good way to do it ... it stinks ...
5891 * but after half of a day fighting against wireshark and ndr ...
5892 * I decided to keep this hack ...
5893 * At least data are correctly displayed without invented ints ...
5895 offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset,
5896 pinfo, tree, di, drep);
5898 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5899 NDR_POINTER_UNIQUE, "Workstation FQDN",
5900 hf_netlogon_workstation_fqdn, 0);
5902 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5903 NDR_POINTER_UNIQUE, "Workstation Site",
5904 hf_netlogon_workstation_site_name, 0);
5906 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5907 NDR_POINTER_UNIQUE, "Dummy 1", hf_netlogon_dummy_string, 0);
5909 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5910 NDR_POINTER_UNIQUE, "Dummy 2", hf_netlogon_dummy_string2, 0);
5912 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5913 NDR_POINTER_UNIQUE, "Dummy 3", hf_netlogon_dummy_string3, 0);
5915 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5916 NDR_POINTER_UNIQUE, "Dummy 4", hf_netlogon_dummy_string4, 0);
5918 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5919 hf_netlogon_os_version, 0);
5921 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5922 hf_netlogon_workstation_os, 0);
5924 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5925 hf_netlogon_dummy_string3, 0);
5927 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5928 hf_netlogon_dummy_string4, 0);
5930 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5931 hf_netlogon_workstation_flags, NULL);
5933 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5934 hf_netlogon_dummy2_long, NULL);
5936 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5937 hf_netlogon_dummy3_long, NULL);
5939 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5940 hf_netlogon_dummy4_long, NULL);
5945 netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb , int offset ,
5946 packet_info *pinfo , proto_tree *tree ,
5947 dcerpc_info *di, guint8 *drep ) {
5949 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5950 netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE,
5951 "WORKSTATION INFO", -1);
5956 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5957 packet_info *pinfo, proto_tree *tree,
5958 dcerpc_info *di, guint8 *drep)
5960 offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, di, drep);
5962 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5963 hf_netlogon_num_trusts, NULL);
5965 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5966 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
5967 "DOMAIN_TRUST_ARRAY: Trusted domains", -1);
5969 offset = netlogon_dissect_LSA_POLICY_INFO(tvb,offset,pinfo, tree,di,drep);
5971 /* offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5972 hf_netlogon_num_trusts, NULL);
5974 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5975 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
5978 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5979 hf_netlogon_ad_client_dns_name, 0);
5981 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5982 hf_netlogon_dummy_string2, 0);
5984 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5985 hf_netlogon_dummy_string3, 0);
5987 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
5988 hf_netlogon_dummy_string4, 0);
5990 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5991 hf_netlogon_workstation_flags, NULL);
5993 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5994 hf_netlogon_supportedenctypes, NULL);
5996 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5997 hf_netlogon_dummy3_long, NULL);
5999 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6000 hf_netlogon_dummy4_long, NULL);
6007 netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t *tvb, int offset,
6008 packet_info *pinfo, proto_tree *tree,
6009 dcerpc_info *di, guint8 *drep)
6013 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6014 hf_netlogon_level, &level);
6019 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6020 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
6029 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
6030 packet_info *pinfo, proto_tree *parent_tree,
6031 dcerpc_info *di, guint8 *drep)
6033 proto_item *item=NULL;
6034 proto_tree *tree=NULL;
6035 int old_offset=offset;
6039 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6040 "UNICODE_STRING_512:");
6041 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
6045 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
6046 hf_netlogon_unknown_short, NULL);
6049 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6050 hf_netlogon_unknown_long, NULL);
6052 proto_item_set_len(item, offset-old_offset);
6057 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
6058 packet_info *pinfo, proto_tree *tree,
6059 dcerpc_info *di, guint8 *drep)
6061 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6062 hf_netlogon_unknown_char, NULL);
6068 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
6069 packet_info *pinfo, proto_tree *tree,
6070 dcerpc_info *di, guint8 *drep)
6072 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6073 netlogon_dissect_element_844_byte);
6079 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
6080 packet_info *pinfo, proto_tree *parent_tree,
6081 dcerpc_info *di, guint8 *drep)
6083 proto_item *item=NULL;
6084 proto_tree *tree=NULL;
6085 int old_offset=offset;
6088 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6090 tree = proto_item_add_subtree(item, ett_TYPE_50);
6093 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6094 hf_netlogon_unknown_long, NULL);
6096 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6097 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
6098 "unknown", hf_netlogon_unknown_string);
6100 proto_item_set_len(item, offset-old_offset);
6105 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
6106 packet_info *pinfo, proto_tree *tree,
6107 dcerpc_info *di, guint8 *drep)
6109 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6110 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
6111 "TYPE_50 pointer: unknown_TYPE_50", -1);
6117 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
6118 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, guint8 *drep)
6121 proto_item *item=NULL;
6122 proto_tree *tree=NULL;
6123 int old_offset=offset;
6126 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6127 "DS_DOMAIN_TRUSTS");
6128 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
6132 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6133 NDR_POINTER_UNIQUE, "NetBIOS Name",
6134 hf_netlogon_downlevel_domain_name, 0);
6137 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6138 NDR_POINTER_UNIQUE, "DNS Domain Name",
6139 hf_netlogon_dns_domain_name, 0);
6141 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
6143 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6144 hf_netlogon_trust_parent_index, &tmp);
6146 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6147 hf_netlogon_trust_type, &tmp);
6149 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
6152 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
6155 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, di, drep);
6157 proto_item_set_len(item, offset-old_offset);
6162 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
6163 packet_info *pinfo, proto_tree *tree,
6164 dcerpc_info *di, guint8 *drep)
6166 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6167 netlogon_dissect_DS_DOMAIN_TRUSTS);
6173 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
6174 packet_info *pinfo, proto_tree *tree,
6175 dcerpc_info *di, guint8 *drep)
6177 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6178 hf_netlogon_unknown_char, NULL);
6184 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
6185 packet_info *pinfo, proto_tree *tree,
6186 dcerpc_info *di, guint8 *drep)
6188 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6189 netlogon_dissect_element_865_byte);
6195 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
6196 packet_info *pinfo, proto_tree *tree,
6197 dcerpc_info *di, guint8 *drep)
6199 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6200 hf_netlogon_unknown_char, NULL);
6206 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
6207 packet_info *pinfo, proto_tree *tree,
6208 dcerpc_info *di, guint8 *drep)
6210 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6211 netlogon_dissect_element_866_byte);
6217 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
6218 packet_info *pinfo, proto_tree *parent_tree,
6219 dcerpc_info *di, guint8 *drep)
6221 proto_item *item=NULL;
6222 proto_tree *tree=NULL;
6223 int old_offset=offset;
6226 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6228 tree = proto_item_add_subtree(item, ett_TYPE_52);
6231 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6232 hf_netlogon_unknown_long, NULL);
6234 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6235 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
6236 "unknown", hf_netlogon_unknown_string);
6238 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6239 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
6240 "unknown", hf_netlogon_unknown_string);
6242 proto_item_set_len(item, offset-old_offset);
6247 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
6248 packet_info *pinfo, proto_tree *tree,
6249 dcerpc_info *di, guint8 *drep)
6251 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6252 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
6253 "TYPE_52 pointer: unknown_TYPE_52", -1);
6259 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
6260 packet_info *pinfo, proto_tree *parent_tree,
6261 dcerpc_info *di, guint8 *drep)
6263 proto_item *item=NULL;
6264 proto_tree *tree=NULL;
6265 int old_offset=offset;
6269 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6271 tree = proto_item_add_subtree(item, ett_TYPE_44);
6274 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6275 hf_netlogon_level, &level);
6280 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6281 hf_netlogon_unknown_long, NULL);
6285 proto_item_set_len(item, offset-old_offset);
6290 netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t *tvb, int offset,
6291 packet_info *pinfo, proto_tree *tree,
6292 dcerpc_info *di, guint8 *drep)
6296 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6297 hf_netlogon_level, &level);
6299 /* Specs are not very clear (as usual ...) it seems that the
6300 * structure in both case is a NETLOGON_WORKSTATION_INFO
6301 * but in this case only the LSA POLICY INFO will contain
6304 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6305 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
6306 "LSA POLICY INFO", -1);
6310 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6311 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
6312 "WORKSTATION INFORMATION", -1);}
6318 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
6319 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6321 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6322 pinfo, tree, di, drep);
6329 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
6330 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6332 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6333 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
6334 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
6336 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6337 hf_netlogon_dos_rc, NULL);
6343 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
6344 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6346 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6347 pinfo, tree, di, drep);
6349 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6350 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6352 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6353 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6354 "GUID pointer: domain_guid", -1);
6356 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6357 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6358 "GUID pointer: site_guid", -1);
6360 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6361 hf_netlogon_flags, NULL);
6368 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
6369 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6371 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6372 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6373 "DOMAIN_CONTROLLER_INFO:", -1);
6375 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6376 hf_netlogon_dos_rc, NULL);
6382 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
6383 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6385 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6386 pinfo, tree, di, drep);
6388 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6389 NDR_POINTER_UNIQUE, "unknown string",
6390 hf_netlogon_unknown_string, 0);
6392 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6393 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6394 "AUTHENTICATOR: credential", -1);
6396 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6397 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6398 "AUTHENTICATOR: return_authenticator", -1);
6400 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6401 hf_netlogon_unknown_long, NULL);
6408 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
6409 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6411 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6412 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6413 "AUTHENTICATOR: return_authenticator", -1);
6415 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6416 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
6417 "TYPE_44 pointer: unknown_TYPE_44", -1);
6419 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6420 hf_netlogon_rc, NULL);
6426 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
6427 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6429 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6430 pinfo, tree, di, drep);
6432 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6433 hf_netlogon_unknown_long, NULL);
6435 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6436 hf_netlogon_unknown_long, NULL);
6443 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
6444 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6446 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6447 hf_netlogon_rc, NULL);
6454 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
6455 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6457 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6458 pinfo, tree, di, drep);
6460 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6461 NDR_POINTER_UNIQUE, "unknown string",
6462 hf_netlogon_unknown_string, 0);
6469 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
6470 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6472 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6473 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6474 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6476 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6477 hf_netlogon_rc, NULL);
6484 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
6485 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6487 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6488 pinfo, tree, di, drep);
6490 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6491 hf_netlogon_unknown_long, NULL);
6493 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6494 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6495 "BYTE pointer: unknown_BYTE", -1);
6497 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6498 hf_netlogon_unknown_long, NULL);
6504 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
6505 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6510 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6511 hf_netlogon_unknown_char, NULL);
6518 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
6519 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6521 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6522 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
6523 "BYTE pointer: unknown_BYTE", -1);
6525 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6526 hf_netlogon_rc, NULL);
6532 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
6533 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6535 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6536 pinfo, tree, di, drep);
6538 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6539 NDR_POINTER_UNIQUE, "unknown string",
6540 hf_netlogon_unknown_string, 0);
6542 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6543 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6544 "BYTE pointer: unknown_BYTE", -1);
6546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6547 hf_netlogon_unknown_long, NULL);
6554 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
6555 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6557 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6558 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
6559 "BYTE pointer: unknown_BYTE", -1);
6561 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6562 hf_netlogon_rc, NULL);
6566 static int netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,guint32 flags,int offset)
6569 proto_tree *negotiate_flags_tree = NULL;
6570 proto_item *tf = NULL;
6571 tf = proto_tree_add_uint (tree,
6572 hf_netlogon_neg_flags,
6573 tvb, offset, 4,flags);
6574 negotiate_flags_tree = proto_item_add_subtree (tf,ett_authenticate_flags);
6577 proto_tree_add_boolean (negotiate_flags_tree,
6578 hf_netlogon_neg_flags_80000000,
6579 tvb, offset, 4, flags);
6581 proto_tree_add_boolean (negotiate_flags_tree,
6582 hf_netlogon_neg_flags_40000000,
6583 tvb, offset, 4, flags);
6584 proto_tree_add_boolean (negotiate_flags_tree,
6585 hf_netlogon_neg_flags_20000000,
6586 tvb, offset, 4, flags);
6588 proto_tree_add_boolean (negotiate_flags_tree,
6589 hf_netlogon_neg_flags_10000000,
6590 tvb, offset, 4, flags);
6591 proto_tree_add_boolean (negotiate_flags_tree,
6592 hf_netlogon_neg_flags_8000000,
6593 tvb, offset, 4, flags);
6594 proto_tree_add_boolean (negotiate_flags_tree,
6595 hf_netlogon_neg_flags_4000000,
6596 tvb, offset, 4, flags);
6597 proto_tree_add_boolean (negotiate_flags_tree,
6598 hf_netlogon_neg_flags_2000000,
6599 tvb, offset, 4, flags);
6600 proto_tree_add_boolean (negotiate_flags_tree,
6601 hf_netlogon_neg_flags_800000,
6602 tvb, offset, 4, flags);
6604 proto_tree_add_boolean (negotiate_flags_tree,
6605 hf_netlogon_neg_flags_1000000,
6606 tvb, offset, 4, flags);
6607 proto_tree_add_boolean (negotiate_flags_tree,
6608 hf_netlogon_neg_flags_400000,
6609 tvb, offset, 4, flags);
6610 proto_tree_add_boolean (negotiate_flags_tree,
6611 hf_netlogon_neg_flags_200000,
6612 tvb, offset, 4, flags);
6613 proto_tree_add_boolean (negotiate_flags_tree,
6614 hf_netlogon_neg_flags_100000,
6615 tvb, offset, 4, flags);
6616 proto_tree_add_boolean (negotiate_flags_tree,
6617 hf_netlogon_neg_flags_80000,
6618 tvb, offset, 4, flags);
6619 proto_tree_add_boolean (negotiate_flags_tree,
6620 hf_netlogon_neg_flags_40000,
6621 tvb, offset, 4, flags);
6622 proto_tree_add_boolean (negotiate_flags_tree,
6623 hf_netlogon_neg_flags_20000,
6624 tvb, offset, 4, flags);
6625 proto_tree_add_boolean (negotiate_flags_tree,
6626 hf_netlogon_neg_flags_10000,
6627 tvb, offset, 4, flags);
6628 proto_tree_add_boolean (negotiate_flags_tree,
6629 hf_netlogon_neg_flags_8000,
6630 tvb, offset, 4, flags);
6631 proto_tree_add_boolean (negotiate_flags_tree,
6632 hf_netlogon_neg_flags_4000,
6633 tvb, offset, 4, flags);
6634 proto_tree_add_boolean (negotiate_flags_tree,
6635 hf_netlogon_neg_flags_2000,
6636 tvb, offset, 4, flags);
6637 proto_tree_add_boolean (negotiate_flags_tree,
6638 hf_netlogon_neg_flags_1000,
6639 tvb, offset, 4, flags);
6640 proto_tree_add_boolean (negotiate_flags_tree,
6641 hf_netlogon_neg_flags_800,
6642 tvb, offset, 4, flags);
6643 proto_tree_add_boolean (negotiate_flags_tree,
6644 hf_netlogon_neg_flags_400,
6645 tvb, offset, 4, flags);
6646 proto_tree_add_boolean (negotiate_flags_tree,
6647 hf_netlogon_neg_flags_200,
6648 tvb, offset, 4, flags);
6649 proto_tree_add_boolean (negotiate_flags_tree,
6650 hf_netlogon_neg_flags_100,
6651 tvb, offset, 4, flags);
6652 proto_tree_add_boolean (negotiate_flags_tree,
6653 hf_netlogon_neg_flags_80,
6654 tvb, offset, 4, flags);
6655 proto_tree_add_boolean (negotiate_flags_tree,
6656 hf_netlogon_neg_flags_40,
6657 tvb, offset, 4, flags);
6658 proto_tree_add_boolean (negotiate_flags_tree,
6659 hf_netlogon_neg_flags_20,
6660 tvb, offset, 4, flags);
6661 proto_tree_add_boolean (negotiate_flags_tree,
6662 hf_netlogon_neg_flags_10,
6663 tvb, offset, 4, flags);
6664 proto_tree_add_boolean (negotiate_flags_tree,
6665 hf_netlogon_neg_flags_8,
6666 tvb, offset, 4, flags);
6667 proto_tree_add_boolean (negotiate_flags_tree,
6668 hf_netlogon_neg_flags_4,
6669 tvb, offset, 4, flags);
6670 proto_tree_add_boolean (negotiate_flags_tree,
6671 hf_netlogon_neg_flags_2,
6672 tvb, offset, 4, flags);
6673 proto_tree_add_boolean (negotiate_flags_tree,
6674 hf_netlogon_neg_flags_1,
6675 tvb, offset, 4, flags);
6681 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
6682 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6685 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6686 pinfo, tree, di, drep);
6687 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6688 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
6690 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
6691 pinfo, tree, di, drep);
6693 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6694 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
6696 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
6697 hf_client_credential, NULL);
6699 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6700 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
6701 "Client Challenge", -1);
6705 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6706 hf_netlogon_neg_flags, NULL);
6710 flags = tvb_get_letohl (tvb, offset);
6711 netlogon_dissect_neg_options(tvb,tree,flags,offset);
6712 seen.isseen = FALSE;
6719 * IDL long NetrServerAuthenticate2(
6720 * IDL [in][string][unique] wchar_t *logonserver,
6721 * IDL [in][ref][string] wchar_t *username,
6722 * IDL [in] short secure_channel_type,
6723 * IDL [in][ref][string] wchar_t *computername,
6724 * IDL [in][ref] CREDENTIAL *client_chal,
6725 * IDL [out][ref] CREDENTIAL *server_chal,
6726 * IDL [in][out][ref] long *negotiate_flags,
6730 netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
6731 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6733 return netlogon_dissect_netrserverauthenticate3_rqst(tvb,offset,pinfo,tree,di,drep);
6736 #ifdef HAVE_KERBEROS
6737 static void str_to_unicode(const char *nt_password, char *nt_password_unicode)
6739 size_t password_len = 0;
6742 password_len = strlen(nt_password);
6743 if(nt_password_unicode != NULL)
6745 for(i=0;i<(password_len);i++)
6747 nt_password_unicode[i*2]=nt_password[i];
6748 nt_password_unicode[i*2+1]=0;
6750 nt_password_unicode[2*password_len]='\0';
6755 static guint32 get_keytab_as_list(md4_pass **p_pass_list,const char* ntlm_pass _U_)
6757 #ifdef HAVE_KERBEROS
6759 md4_pass* pass_list;
6760 md4_pass ntlm_pass_hash;
6762 guint32 nb_pass = 0;
6763 char ntlm_pass_unicode[258];
6771 read_keytab_file_from_preferences();
6772 memset(ntlm_pass_hash.md4,0,sizeof(md4_pass));
6774 for(ek=enc_key_list;ek;ek=ek->next){
6775 if( ek->keylength == 16 ) {
6780 if (ntlm_pass[0] != '\0' && ( strlen(ntlm_pass) < 129 )) {
6782 debugprintf("Password: %s\n",ntlm_pass);
6783 password_len = (int)strlen(ntlm_pass);
6784 str_to_unicode(ntlm_pass,ntlm_pass_unicode);
6785 crypt_md4(ntlm_pass_hash.md4,ntlm_pass_unicode,password_len*2);
6786 printnbyte(ntlm_pass_hash.md4,16,"Hash of the NT pass: ","\n");
6790 *p_pass_list = (md4_pass *)wmem_alloc(wmem_packet_scope(), nb_pass*sizeof(md4_pass));
6791 pass_list=*p_pass_list;
6793 memcpy(pass_list[0].md4,&(ntlm_pass_hash.md4),sizeof(md4_pass));
6797 for(ek=enc_key_list;ek;ek=ek->next){
6798 if( ek->keylength == 16 ) {
6799 memcpy(pass_list[i].md4,ek->keyvalue,16);
6805 *p_pass_list = NULL;
6811 netlogon_dissect_netrserverauthenticate23_reply(tvbuff_t *tvb, int offset,
6812 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep, int version3)
6815 netlogon_auth_vars *vars;
6816 netlogon_auth_key key;
6817 guint64 server_cred;
6819 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
6820 hf_server_credential, &server_cred);
6822 flags = tvb_get_letohl (tvb, offset);
6823 netlogon_dissect_neg_options(tvb,tree,flags,offset);
6828 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
6829 hf_server_rid, NULL);
6831 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6832 hf_netlogon_rc, NULL);
6834 generate_hash_key(pinfo, 1 , &key, NULL);
6836 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths, &key);
6838 debugprintf("Found some vars (ie. server/client challenges), let's see if I can get a session key\n");
6839 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->fd->num ) {
6840 debugprintf("looping auth reply...\n");
6844 debugprintf("Something strange happened while searching for authenticate_reply\n");
6847 md4_pass *pass_list=NULL;
6848 guint32 list_size = 0;
6849 guint8 session_key[16];
6854 vars->flags = flags;
6855 vars->can_decrypt = FALSE;
6856 list_size = get_keytab_as_list(&pass_list,gbl_nt_password);
6857 debugprintf("Found %d passwords \n",list_size);
6858 if( flags & NETLOGON_FLAG_STRONGKEY ) {
6861 md5_state_t md5state;
6863 guint64 calculated_cred;
6867 md5_init(&md5state);
6868 md5_append(&md5state,zeros,4);
6869 md5_append(&md5state,(unsigned char*)&vars->client_challenge,8);
6870 md5_append(&md5state,(unsigned char*)&vars->server_challenge,8);
6871 md5_finish(&md5state,md5);
6872 printnbyte(md5,8,"MD5:","\n");
6873 printnbyte((guint8*)&vars->client_challenge,8,"Client challenge:","\n");
6874 printnbyte((guint8*)&vars->server_challenge,8,"Server challenge:","\n");
6875 printnbyte((guint8*)&server_cred,8,"Server creds:","\n");
6876 for(i=0;i<list_size;i++)
6878 password = pass_list[i];
6879 md5_hmac(md5,16,(guint8*) &password,16,session_key);
6880 crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key,1);
6881 crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7,1);
6883 printnbyte((guint8*)&calculated_cred,8,"Calculated creds:","\n");
6885 if(calculated_cred==server_cred) {
6891 else if( flags&NETLOGON_FLAG_USEAES)
6894 debugprintf("AES not supported yet\n");
6895 memset(session_key,0,16);
6900 debugprintf("Else case not implemented\n");
6901 memset(session_key,0,16);
6904 memcpy(&vars->session_key,session_key,16);
6905 debugprintf("Found the good session key !\n");
6908 debugprintf("Session key not found !\n");
6909 memset(&vars->session_key,0,16);
6913 printnbyte((guint8*)&vars->session_key, 16, "Session key:","\n");
6920 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
6921 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6923 return netlogon_dissect_netrserverauthenticate23_reply(tvb,offset,pinfo,tree,di,drep,1);
6927 netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
6928 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6930 return netlogon_dissect_netrserverauthenticate23_reply(tvb,offset,pinfo,tree,di,drep,0);
6935 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
6936 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6938 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6939 pinfo, tree, di, drep);
6941 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6942 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6944 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6945 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6946 "GUID pointer: domain_guid", -1);
6948 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6949 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
6951 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, di, drep);
6958 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
6959 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6961 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6962 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6963 "DOMAIN_CONTROLLER_INFO:", -1);
6965 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6966 hf_netlogon_rc, NULL);
6972 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
6973 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6975 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6976 pinfo, tree, di, drep);
6983 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
6984 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
6987 /* XXX hmmm this does not really look like a UNIQUE pointer but
6988 will do for now. I think it is really a 32bit integer followed by
6989 a REF pointer to a unicode string */
6990 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
6991 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
6992 hf_netlogon_site_name, cb_wstr_postprocess,
6993 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
6995 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6996 hf_netlogon_dos_rc, NULL);
7002 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
7003 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7005 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
7006 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7007 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
7008 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7009 NDR_POINTER_UNIQUE, "Computer Name",
7010 hf_netlogon_computer_name, 0);
7012 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7013 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7014 "AUTHENTICATOR: client", -1);
7016 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7017 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7018 "AUTHENTICATOR: return_authenticator", -1);
7019 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7020 netlogon_dissect_WORKSTATION_BUFFER, NDR_POINTER_REF,
7021 "WORKSTATION_BUFFER", -1);
7027 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
7028 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7030 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7031 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7032 "AUTHENTICATOR: return_authenticator", -1);
7034 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7035 netlogon_dissect_DOMAIN_INFORMATION, NDR_POINTER_REF,
7036 "DOMAIN_INFORMATION", -1);
7038 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7039 hf_netlogon_rc, NULL);
7045 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
7046 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7048 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7049 pinfo, tree, di, drep);
7051 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7052 NDR_POINTER_UNIQUE, "unknown string",
7053 hf_netlogon_unknown_string, 0);
7055 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7056 hf_netlogon_unknown_short, NULL);
7058 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7059 NDR_POINTER_UNIQUE, "unknown string",
7060 hf_netlogon_unknown_string, 0);
7062 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7063 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7064 "AUTHENTICATOR: credential", -1);
7066 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
7067 pinfo, tree, di, drep);
7074 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
7075 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7077 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7078 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
7079 "AUTHENTICATOR: return_authenticator", -1);
7081 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7082 hf_netlogon_rc, NULL);
7088 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
7089 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7091 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7092 pinfo, tree, di, drep);
7094 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7095 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
7097 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
7098 pinfo, tree, di, drep);
7100 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7101 NDR_POINTER_UNIQUE, "Computer Name",
7102 hf_netlogon_computer_name, 0);
7104 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7105 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7106 "AUTHENTICATOR: credential", -1);
7113 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
7114 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7116 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7117 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7118 "AUTHENTICATOR: return_authenticator", -1);
7120 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7121 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
7122 "LM_OWF_PASSWORD pointer: server_pwd", -1);
7124 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7125 hf_netlogon_rc, NULL);
7131 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
7132 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7134 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7135 pinfo, tree, di, drep);
7137 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7138 NDR_POINTER_UNIQUE, "unknown string",
7139 hf_netlogon_unknown_string, 0);
7141 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7142 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7143 "AUTHENTICATOR: credential", -1);
7145 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7146 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7147 "BYTE pointer: unknown_BYTE", -1);
7149 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7150 hf_netlogon_unknown_long, NULL);
7157 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
7158 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7160 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7161 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
7162 "AUTHENTICATOR: return_authenticator", -1);
7164 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7165 hf_netlogon_rc, NULL);
7171 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
7172 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7174 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7175 pinfo, tree, di, drep);
7177 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7178 hf_netlogon_unknown_long, NULL);
7180 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7181 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7182 "BYTE pointer: unknown_BYTE", -1);
7189 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
7190 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7192 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7193 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
7194 "TYPE_50** pointer: unknown_TYPE_50", -1);
7196 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7197 hf_netlogon_rc, NULL);
7203 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
7204 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7206 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7207 pinfo, tree, di, drep);
7209 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7210 NDR_POINTER_UNIQUE, "Client Account",
7211 hf_netlogon_acct_name, 0);
7213 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7214 hf_netlogon_unknown_long, NULL);
7216 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7217 NDR_POINTER_UNIQUE, "Client Account",
7218 hf_netlogon_logon_dom, 0);
7220 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7221 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7222 "Domain GUID:", -1);
7224 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7225 NDR_POINTER_UNIQUE, "Client Site",
7226 hf_netlogon_site_name, 0);
7228 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7229 hf_netlogon_unknown_long, NULL);
7236 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
7237 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7239 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7240 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
7241 "DOMAIN_CONTROLLER_INFO:", -1);
7243 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7244 hf_netlogon_dos_rc, NULL);
7250 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
7251 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7253 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7254 pinfo, tree, di, drep);
7261 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
7262 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7264 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7265 NDR_POINTER_UNIQUE, "unknown string",
7266 hf_netlogon_unknown_string, 0);
7268 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7269 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7270 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7272 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7273 hf_netlogon_rc, NULL);
7279 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
7280 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7282 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7283 pinfo, tree, di, drep);
7289 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
7290 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7292 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7293 hf_netlogon_entries, NULL);
7295 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7296 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
7297 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
7299 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7300 hf_netlogon_rc, NULL);
7306 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
7307 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7309 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7310 pinfo, tree, di, drep);
7312 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7313 hf_netlogon_unknown_long, NULL);
7315 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7316 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7317 "BYTE pointer: unknown_BYTE", -1);
7324 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
7325 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7327 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7328 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
7329 "TYPE_52 pointer: unknown_TYPE_52", -1);
7331 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7332 hf_netlogon_rc, NULL);
7339 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
7340 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7342 offset = dissect_ndr_counted_string_cb(
7343 tvb, offset, pinfo, tree, di, drep, hf_netlogon_site_name,
7344 cb_wstr_postprocess,
7345 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
7350 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
7351 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7353 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
7354 netlogon_dissect_site_name_item);
7360 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
7361 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7364 hf_netlogon_count, NULL);
7366 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7367 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
7368 "Site name array", -1);
7374 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
7375 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7377 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7378 pinfo, tree, di, drep);
7385 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
7386 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7389 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
7392 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7393 hf_netlogon_rc, NULL);
7399 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
7400 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7403 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7404 NDR_POINTER_UNIQUE, "LogonServer",
7405 hf_netlogon_computer_name, 0);
7406 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7407 NDR_POINTER_UNIQUE, "Computer Name",
7408 hf_netlogon_computer_name, 0);
7409 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7410 hf_netlogon_level16, NULL);
7411 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7412 netlogon_dissect_LEVEL, NDR_POINTER_REF,
7413 "LEVEL: LogonLevel", -1);
7415 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7416 hf_netlogon_validation_level, NULL);
7418 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
7421 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7422 NDR_POINTER_UNIQUE, "unknown string",
7423 hf_netlogon_unknown_string, 0);
7425 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7426 NDR_POINTER_UNIQUE, "unknown string",
7427 hf_netlogon_unknown_string, 0);
7429 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7430 hf_netlogon_unknown_short, NULL);
7432 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7433 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
7434 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
7436 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
7437 hf_netlogon_unknown_short, NULL);
7439 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7440 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7441 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7448 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
7449 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7451 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7452 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
7455 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
7456 hf_netlogon_authoritative, NULL);
7458 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
7460 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7461 hf_netlogon_rc, NULL);
7463 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7464 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
7465 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
7467 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7468 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
7469 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
7471 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7472 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7473 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7475 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7476 hf_netlogon_rc, NULL);
7483 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
7484 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7486 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7487 pinfo, tree, di, drep);
7489 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
7496 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
7497 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7500 hf_netlogon_entries, NULL);
7502 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7503 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
7504 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
7506 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7507 hf_netlogon_dos_rc, NULL);
7513 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
7514 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7516 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7517 pinfo, tree, di, drep);
7519 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7520 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
7522 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7523 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7524 "GUID pointer: domain_guid", -1);
7526 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7527 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7528 "GUID pointer: dsa_guid", -1);
7530 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7531 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
7538 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
7539 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, guint8 *drep)
7541 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7542 hf_netlogon_rc, NULL);
7547 /* Dissect secure channel stuff */
7549 static int hf_netlogon_secchan_nl_message_type = -1;
7550 static int hf_netlogon_secchan_nl_message_flags = -1;
7551 static int hf_netlogon_secchan_nl_message_flags_nb_domain = -1;
7552 static int hf_netlogon_secchan_nl_message_flags_nb_host = -1;
7553 static int hf_netlogon_secchan_nl_message_flags_dns_domain = -1;
7554 static int hf_netlogon_secchan_nl_message_flags_dns_host = -1;
7555 static int hf_netlogon_secchan_nl_message_flags_nb_host_utf8 = -1;
7556 static int hf_netlogon_secchan_nl_nb_domain = -1;
7557 static int hf_netlogon_secchan_nl_nb_host = -1;
7558 static int hf_netlogon_secchan_nl_dns_domain = -1;
7559 static int hf_netlogon_secchan_nl_dns_host = -1;
7560 static int hf_netlogon_secchan_nl_nb_host_utf8 = -1;
7562 static gint ett_secchan_verf = -1;
7563 static gint ett_secchan_nl_auth_message = -1;
7564 static gint ett_secchan_nl_auth_message_flags = -1;
7566 static const value_string nl_auth_types[] = {
7567 { 0x00000000, "Request"},
7568 { 0x00000001, "Response"},
7573 /* MS-NRPC : 2.2.1.3.1 NL_AUTH_MESSAGE */
7574 static int dissect_secchan_nl_auth_message(tvbuff_t *tvb, int offset,
7576 proto_tree *tree, dcerpc_info *di _U_, guint8 *drep)
7578 proto_item *item = NULL;
7579 proto_tree *subtree = NULL;
7580 guint32 messagetype, messageflags;
7581 static const int *flag_fields[] = {
7582 &hf_netlogon_secchan_nl_message_flags_nb_domain,
7583 &hf_netlogon_secchan_nl_message_flags_nb_host,
7584 &hf_netlogon_secchan_nl_message_flags_dns_domain,
7585 &hf_netlogon_secchan_nl_message_flags_dns_host,
7586 &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
7592 item = proto_tree_add_text(
7593 tree, tvb, offset, -1,
7594 "Secure Channel NL_AUTH_MESSAGE");
7595 subtree = proto_item_add_subtree(
7596 item, ett_secchan_nl_auth_message);
7599 /* We can't use the NDR routines as the DCERPC call data hasn't
7600 been initialised since we haven't made a DCERPC call yet, just
7604 offset = dissect_dcerpc_uint32(
7605 tvb, offset, pinfo, subtree, drep,
7606 hf_netlogon_secchan_nl_message_type, &messagetype);
7609 proto_tree_add_bitmask(subtree, tvb, offset, hf_netlogon_secchan_nl_message_flags, ett_secchan_nl_auth_message_flags, flag_fields, (drep[0] & DREP_LITTLE_ENDIAN));
7610 messageflags = ((drep[0] & DREP_LITTLE_ENDIAN)
7611 ? tvb_get_letohl (tvb, offset)
7612 : tvb_get_ntohl (tvb, offset));
7617 /* netbios domain name */
7618 if (messageflags&0x00000001) {
7619 len = tvb_strsize(tvb, offset);
7620 proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_domain, tvb, offset, len, ENC_ASCII|ENC_NA);
7624 /* netbios host name */
7625 if (messageflags&0x00000002) {
7626 len = tvb_strsize(tvb, offset);
7627 proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_host, tvb, offset, len, ENC_ASCII|ENC_NA);
7631 /* DNS domain name */
7632 if (messageflags&0x00000004) {
7633 int old_offset=offset;
7636 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
7637 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_domain, tvb, old_offset, offset-old_offset, str);
7641 if (messageflags&0x00000008) {
7642 int old_offset=offset;
7645 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
7646 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_host, tvb, old_offset, offset-old_offset, str);
7649 /* NetBios host name (UTF8) */
7650 if (messageflags&0x00000010) {
7651 int old_offset=offset;
7654 offset=dissect_mscldap_string(tvb, offset, str, 255, FALSE);
7655 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_nb_host_utf8, tvb, old_offset, offset-old_offset, str);
7664 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
7665 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
7666 netlogon_dissect_netrlogonuaslogon_rqst,
7667 netlogon_dissect_netrlogonuaslogon_reply },
7668 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
7669 netlogon_dissect_netrlogonuaslogoff_rqst,
7670 netlogon_dissect_netrlogonuaslogoff_reply },
7671 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
7672 netlogon_dissect_netrlogonsamlogon_rqst,
7673 netlogon_dissect_netrlogonsamlogon_reply },
7674 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
7675 netlogon_dissect_netrlogonsamlogoff_rqst,
7676 netlogon_dissect_netrlogonsamlogoff_reply },
7677 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
7678 netlogon_dissect_netrserverreqchallenge_rqst,
7679 netlogon_dissect_netrserverreqchallenge_reply },
7680 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
7681 netlogon_dissect_netrserverauthenticate_rqst,
7682 netlogon_dissect_netrserverauthenticate_reply },
7683 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
7684 netlogon_dissect_netrserverpasswordset_rqst,
7685 netlogon_dissect_netrserverpasswordset_reply },
7686 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
7687 netlogon_dissect_netrdatabasedeltas_rqst,
7688 netlogon_dissect_netrdatabasedeltas_reply },
7689 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
7690 netlogon_dissect_netrdatabasesync_rqst,
7691 netlogon_dissect_netrdatabasesync_reply },
7692 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
7693 netlogon_dissect_netraccountdeltas_rqst,
7694 netlogon_dissect_netraccountdeltas_reply },
7695 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
7696 netlogon_dissect_netraccountsync_rqst,
7697 netlogon_dissect_netraccountsync_reply },
7698 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
7699 netlogon_dissect_netrgetdcname_rqst,
7700 netlogon_dissect_netrgetdcname_reply },
7701 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
7702 netlogon_dissect_netrlogoncontrol_rqst,
7703 netlogon_dissect_netrlogoncontrol_reply },
7704 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
7705 netlogon_dissect_netrgetanydcname_rqst,
7706 netlogon_dissect_netrgetanydcname_reply },
7707 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
7708 netlogon_dissect_netrlogoncontrol2_rqst,
7709 netlogon_dissect_netrlogoncontrol2_reply },
7710 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
7711 netlogon_dissect_netrserverauthenticate2_rqst,
7712 netlogon_dissect_netrserverauthenticate2_reply },
7713 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
7714 netlogon_dissect_netrdatabasesync2_rqst,
7715 netlogon_dissect_netrdatabasesync2_reply },
7716 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
7717 netlogon_dissect_netrdatabaseredo_rqst,
7718 netlogon_dissect_netrdatabaseredo_reply },
7719 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
7720 netlogon_dissect_netrlogoncontrol2ex_rqst,
7721 netlogon_dissect_netrlogoncontrol2ex_reply },
7722 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
7723 netlogon_dissect_netrenumeratetrusteddomains_rqst,
7724 netlogon_dissect_netrenumeratetrusteddomains_reply },
7725 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
7726 netlogon_dissect_dsrgetdcname_rqst,
7727 netlogon_dissect_dsrgetdcname_reply },
7728 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
7729 netlogon_dissect_netrlogondummyroutine1_rqst,
7730 netlogon_dissect_netrlogondummyroutine1_reply },
7731 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
7732 netlogon_dissect_netrlogonsetservicebits_rqst,
7733 netlogon_dissect_netrlogonsetservicebits_reply },
7734 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
7735 netlogon_dissect_netrlogongettrustrid_rqst,
7736 netlogon_dissect_netrlogongettrustrid_reply },
7737 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
7738 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
7739 netlogon_dissect_netrlogoncomputeserverdigest_reply },
7740 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
7741 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
7742 netlogon_dissect_netrlogoncomputeclientdigest_reply },
7743 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
7744 netlogon_dissect_netrserverauthenticate3_rqst,
7745 netlogon_dissect_netrserverauthenticate3_reply },
7746 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
7747 netlogon_dissect_dsrgetdcnameex_rqst,
7748 netlogon_dissect_dsrgetdcnameex_reply },
7749 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
7750 netlogon_dissect_dsrgetsitename_rqst,
7751 netlogon_dissect_dsrgetsitename_reply },
7752 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
7753 netlogon_dissect_netrlogongetdomaininfo_rqst,
7754 netlogon_dissect_netrlogongetdomaininfo_reply },
7755 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
7756 netlogon_dissect_netrserverpasswordset2_rqst,
7757 netlogon_dissect_netrserverpasswordset2_reply },
7758 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
7759 netlogon_dissect_netrserverpasswordget_rqst,
7760 netlogon_dissect_netrserverpasswordget_reply },
7761 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
7762 netlogon_dissect_netrlogonsendtosam_rqst,
7763 netlogon_dissect_netrlogonsendtosam_reply },
7764 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
7765 netlogon_dissect_dsraddresstositenamesw_rqst,
7766 netlogon_dissect_dsraddresstositenamesw_reply },
7767 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
7768 netlogon_dissect_dsrgetdcnameex2_rqst,
7769 netlogon_dissect_dsrgetdcnameex2_reply },
7770 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
7771 "NetrLogonGetTimeServiceParentDomain",
7772 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
7773 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
7774 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
7775 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
7776 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
7777 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
7778 netlogon_dissect_dsraddresstositenamesexw_rqst,
7779 netlogon_dissect_dsraddresstositenamesexw_reply },
7780 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
7781 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
7782 netlogon_dissect_dsrgetdcsitecoveragew_reply },
7783 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
7784 netlogon_dissect_netrlogonsamlogonex_rqst,
7785 netlogon_dissect_netrlogonsamlogonex_reply },
7786 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
7787 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
7788 netlogon_dissect_dsrenumeratedomaintrusts_reply },
7789 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
7790 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
7791 netlogon_dissect_dsrderegisterdnshostrecords_reply },
7792 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
7794 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
7796 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
7798 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
7799 netlogon_dissect_netrlogonsamlogonflags_rqst,
7800 netlogon_dissect_netrlogonsamlogonflags_reply },
7801 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
7803 {0, NULL, NULL, NULL }
7806 static int hf_netlogon_secchan_verf = -1;
7807 static int hf_netlogon_secchan_verf_signalg = -1;
7808 static int hf_netlogon_secchan_verf_sealalg = -1;
7809 static int hf_netlogon_secchan_verf_flag = -1;
7810 static int hf_netlogon_secchan_verf_digest = -1;
7811 static int hf_netlogon_secchan_verf_seq = -1;
7812 static int hf_netlogon_secchan_verf_nonce = -1;
7814 static const value_string sign_algs[] = {
7815 { 0x0077, "HMAC-MD5"},
7819 static const value_string seal_algs[] = {
7820 { 0xFFFF, "Not Encrypted"},
7825 static int get_seal_key(const guint8 *session_key,int key_len,guint64 sequence,guint8* seal_key)
7828 guint8 *buf = (guint8 *)wmem_alloc(wmem_packet_scope(), key_len);
7832 memset(zero_sk,0,16);
7833 memset(seal_key,0,16);
7834 if(memcmp(session_key,zero_sk,16)) {
7836 for(i=0;i<key_len;i++) {
7837 buf[i] = session_key[i] ^ 0xF0;
7839 md5_hmac(zeros,4,buf,key_len,buf2);
7840 md5_hmac((guint8*)&sequence,8,buf2,16,seal_key);
7849 static guint64 uncrypt_sequence(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
7854 rc4_state_struct rc4state;
7855 guint8 *p_seq = (guint8*) &enc_seq;
7859 md5_hmac(zeros,4,session_key,16,buf);
7860 md5_hmac((guint8*)&checksum,8,buf,16,key);
7862 crypt_rc4_init(&rc4state,key,16);
7863 crypt_rc4(&rc4state,p_seq,8);
7864 /*temp = *((guint32*)p_seq);
7865 *((guint32*)p_seq) = *((guint32*)p_seq+1);
7866 *((guint32*)p_seq+1) = temp;
7869 *p_seq = *p_seq & 0x7F;
7876 dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_,
7877 int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U_,unsigned char is_server)
7880 tvbuff_t *buf = NULL;
7882 netlogon_auth_vars *vars;
7883 netlogon_auth_key key;
7884 /*debugprintf("Dissection of request data offset %d len=%d on packet %d\n",offset,tvb_length_remaining(tvb,offset),pinfo->fd->num);*/
7886 generate_hash_key(pinfo,is_server,&key,NULL);
7887 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths, &key);
7890 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->fd->num ) {
7894 debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
7898 if(vars->can_decrypt == TRUE) {
7899 rc4_state_struct rc4state;
7901 guint64 copyconfounder = vars->confounder;
7903 data_len = tvb_length_remaining(tvb,offset);
7907 crypt_rc4_init(&rc4state,vars->encryption_key,16);
7908 crypt_rc4(&rc4state,(guint8*)©confounder,8);
7909 decrypted = (guint8*)tvb_memdup(NULL, tvb, offset,data_len);
7910 crypt_rc4_init(&rc4state,vars->encryption_key,16);
7911 crypt_rc4(&rc4state,decrypted,data_len);
7912 buf = tvb_new_child_real_data(tvb, decrypted, data_len, data_len);
7913 tvb_set_free_cb(buf, g_free);
7914 /* Note: caller does add_new_data_source(...) */
7917 debugprintf("Session key not found can't decrypt ...\n");
7921 debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
7928 static tvbuff_t* dissect_request_data( tvbuff_t *tvb ,tvbuff_t *auth_tvb ,
7929 int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info )
7931 return dissect_packet_data(tvb,auth_tvb,offset,pinfo,auth_info,0);
7933 static tvbuff_t* dissect_response_data( tvbuff_t *tvb ,tvbuff_t *auth_tvb ,
7934 int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info )
7936 return dissect_packet_data(tvb,auth_tvb,offset,pinfo,auth_info,1);
7939 /* MS-NRPC 2.2.1.3.2 */
7941 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
7942 proto_tree *tree, guint8 *drep _U_, unsigned char is_server)
7944 netlogon_auth_vars *vars;
7945 netlogon_auth_key key;
7946 proto_item *vf = NULL;
7947 proto_tree *subtree = NULL;
7948 guint64 encrypted_seq;
7950 guint64 confounder = 0;
7951 int update_vars = 0;
7953 generate_hash_key(pinfo,is_server,&key,NULL);
7954 vars = (netlogon_auth_vars *)g_hash_table_lookup(netlogon_auths,(gconstpointer*) &key);
7955 if( ! (seen.isseen && seen.num == pinfo->fd->num) ) {
7957 * Create a new tree, and split into x components ...
7959 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
7960 offset, -1, ENC_NA);
7961 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
7963 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_signalg, tvb,
7964 offset, 2, ENC_LITTLE_ENDIAN);
7965 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sealalg, tvb,
7966 offset+2, 2, ENC_LITTLE_ENDIAN);
7968 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_flag, tvb,
7969 offset+6, 2, ENC_NA);
7972 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7973 hf_netlogon_secchan_verf_seq, &encrypted_seq);
7975 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7976 hf_netlogon_secchan_verf_digest, &digest);
7978 /* In some cases the nonce if the data/signture are encrypted ("integrity/seal in MS language")*/
7980 if (tvb_bytes_exist(tvb, offset, 8)) {
7981 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7982 hf_netlogon_secchan_verf_nonce, &confounder);
7986 if( vars != NULL ) {
7987 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->fd->num ) {
7991 debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
7996 vars->confounder = confounder;
7997 vars->seq = uncrypt_sequence(vars->session_key,digest,encrypted_seq,is_server);
8000 if(get_seal_key(vars->session_key,16,vars->seq,vars->encryption_key))
8002 vars->can_decrypt = TRUE;
8006 debugprintf("get seal key returned 0\n");
8012 debugprintf("Vars not found (is null %d) %d (dissect_verf)\n",vars==NULL,g_hash_table_size(netlogon_auths));
8014 /*debugprintf("Setting isseen to true, old packet %d new %d\n",seen.num,pinfo->fd->num);*/
8016 seen.num = pinfo->fd->num;
8021 dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
8022 proto_tree *tree, dcerpc_info *di _U_, guint8 *drep )
8024 return dissect_secchan_verf(tvb,offset,pinfo,tree,drep,0);
8027 dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
8028 proto_tree *tree, dcerpc_info *di _U_, guint8 *drep )
8030 return dissect_secchan_verf(tvb,offset,pinfo,tree,drep,1);
8033 /* Secure channel types */
8035 static const value_string sec_chan_type_vals[] = {
8036 { SEC_CHAN_WKSTA, "Workstation" },
8037 { SEC_CHAN_DOMAIN, "Domain trust" },
8038 { SEC_CHAN_BDC, "Backup domain controller" },
8042 netlogon_reassemble_init(void)
8044 if (netlogon_auths){
8045 g_hash_table_destroy (netlogon_auths);
8047 netlogon_auths = g_hash_table_new (netlogon_auth_hash, netlogon_auth_equal);
8048 if (schannel_auths){
8049 g_hash_table_destroy (schannel_auths);
8051 schannel_auths = g_hash_table_new (netlogon_auth_hash, netlogon_auth_equal);
8056 proto_register_dcerpc_netlogon(void)
8059 static hf_register_info hf[] = {
8060 { &hf_netlogon_opnum,
8061 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
8062 NULL, 0x0, NULL, HFILL }},
8064 { &hf_netlogon_rc, {
8065 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX | BASE_EXT_STRING,
8066 &NT_errors_ext, 0x0, "Netlogon return code", HFILL }},
8068 { &hf_netlogon_dos_rc,
8069 { "DOS error code", "netlogon.dos.rc", FT_UINT32,
8070 BASE_HEX | BASE_EXT_STRING, &DOS_errors_ext, 0x0, NULL, HFILL}},
8072 { &hf_netlogon_werr_rc,
8073 { "WERR error code", "netlogon.werr.rc", FT_UINT32,
8074 BASE_HEX | BASE_EXT_STRING, &WERR_errors_ext, 0x0, NULL, HFILL}},
8076 { &hf_netlogon_param_ctrl, {
8077 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
8078 NULL, 0x0, NULL, HFILL }},
8080 { &hf_netlogon_logon_id, {
8081 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
8082 NULL, 0x0, NULL, HFILL }},
8084 { &hf_netlogon_modify_count, {
8085 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
8086 NULL, 0x0, "How many times the object has been modified", HFILL }},
8088 { &hf_netlogon_security_information, {
8089 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
8090 NULL, 0x0, NULL, HFILL }},
8092 { &hf_netlogon_count, {
8093 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
8094 NULL, 0x0, NULL, HFILL }},
8096 { &hf_netlogon_entries, {
8097 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
8098 NULL, 0x0, NULL, HFILL }},
8100 { &hf_netlogon_credential, {
8101 "Credential", "netlogon.credential", FT_BYTES, BASE_NONE,
8102 NULL, 0x0, "Netlogon Credential", HFILL }},
8104 { &hf_netlogon_challenge, {
8105 "Challenge", "netlogon.challenge", FT_BYTES, BASE_NONE,
8106 NULL, 0x0, "Netlogon challenge", HFILL }},
8108 { &hf_netlogon_lm_owf_password, {
8109 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_NONE,
8110 NULL, 0x0, "LanManager OWF Password", HFILL }},
8112 { &hf_netlogon_user_session_key, {
8113 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_NONE,
8114 NULL, 0x0, NULL, HFILL }},
8116 { &hf_netlogon_encrypted_lm_owf_password, {
8117 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_NONE,
8118 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
8120 { &hf_netlogon_nt_owf_password, {
8121 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_NONE,
8122 NULL, 0x0, "NT OWF Password", HFILL }},
8124 { &hf_netlogon_blob, {
8125 "BLOB", "netlogon.blob", FT_BYTES, BASE_NONE,
8126 NULL, 0x0, NULL, HFILL }},
8128 { &hf_netlogon_len, {
8129 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
8130 NULL, 0, "Length", HFILL }},
8132 { &hf_netlogon_priv, {
8133 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
8134 NULL, 0, NULL, HFILL }},
8136 { &hf_netlogon_privilege_entries, {
8137 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
8138 NULL, 0, NULL, HFILL }},
8140 { &hf_netlogon_privilege_control, {
8141 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
8142 NULL, 0, NULL, HFILL }},
8144 { &hf_netlogon_privilege_name, {
8145 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,
8146 NULL, 0, NULL, HFILL }},
8148 { &hf_netlogon_pdc_connection_status, {
8149 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
8150 NULL, 0, NULL, HFILL }},
8152 { &hf_netlogon_tc_connection_status, {
8153 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
8154 NULL, 0, NULL, HFILL }},
8156 { &hf_netlogon_attrs, {
8157 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
8158 NULL, 0, NULL, HFILL }},
8161 { &hf_netlogon_lsapolicy_referentid,
8162 { "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32, BASE_HEX,
8163 NULL, 0x0, NULL, HFILL }},
8166 { &hf_netlogon_lsapolicy_len,
8167 { "Length", "netlogon.lsapolicy.length", FT_UINT32, BASE_DEC,
8168 NULL, 0x0, "Length of the policy buffer", HFILL }},
8171 { &hf_netlogon_lsapolicy_pointer,
8172 { "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES, BASE_NONE,
8173 NULL, 0x0, "Pointer to LSA POLICY", HFILL }},
8176 { &hf_netlogon_unknown_string,
8177 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
8178 NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
8180 { &hf_netlogon_TrustedDomainName_string,
8181 { "TrustedDomainName", "netlogon.TrustedDomainName", FT_STRING, BASE_NONE,
8182 NULL, 0, "TrustedDomainName string.", HFILL }},
8184 { &hf_netlogon_UserName_string,
8185 { "UserName", "netlogon.UserName", FT_STRING, BASE_NONE,
8186 NULL, 0, "UserName string.", HFILL }},
8188 { &hf_netlogon_dummy_string,
8189 { "Dummy String", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8190 NULL, 0, "Dummy String. Used is reserved for next evolutions.", HFILL }},
8192 { &hf_netlogon_trust_extention,
8193 { "Trust extension", "netlogon.trust.extention", FT_STRING, BASE_NONE,
8194 NULL, 0, "Trusts extension.", HFILL }},
8196 { &hf_netlogon_trust_offset,
8197 { "Offset", "netlogon.trust.extention_offset", FT_UINT32, BASE_DEC,
8198 NULL, 0, "Trusts extension.", HFILL }},
8200 { &hf_netlogon_trust_len,
8201 { "Length", "netlogon.trust.extention_length", FT_UINT32, BASE_DEC,
8202 NULL, 0, NULL, HFILL }},
8204 { &hf_netlogon_trust_max,
8205 { "Max Count", "netlogon.trust.extention.maxcount", FT_UINT32, BASE_DEC,
8206 NULL, 0, NULL, HFILL }},
8208 { &hf_netlogon_dummy_string2,
8209 { "Dummy String2", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8210 NULL, 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL }},
8212 { &hf_netlogon_dummy_string3,
8213 { "Dummy String3", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8214 NULL, 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL }},
8216 { &hf_netlogon_dummy_string4,
8217 { "Dummy String4", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8218 NULL, 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL }},
8220 { &hf_netlogon_dummy_string5,
8221 { "Dummy String5", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8222 NULL, 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL }},
8224 { &hf_netlogon_dummy_string6,
8225 { "Dummy String6", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8226 NULL, 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL }},
8228 { &hf_netlogon_dummy_string7,
8229 { "Dummy String7", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8230 NULL, 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL }},
8232 { &hf_netlogon_dummy_string8,
8233 { "Dummy String8", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8234 NULL, 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL }},
8236 { &hf_netlogon_dummy_string9,
8237 { "Dummy String9", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8238 NULL, 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL }},
8240 { &hf_netlogon_dummy_string10,
8241 { "Dummy String10", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8242 NULL, 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL }},
8244 { &hf_netlogon_unknown_long,
8245 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
8246 NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
8248 { &hf_netlogon_dummy1_long,
8249 { "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32, BASE_HEX,
8250 NULL, 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL }},
8252 { &hf_netlogon_dummy2_long,
8253 { "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32, BASE_HEX,
8254 NULL, 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL }},
8256 { &hf_netlogon_dummy3_long,
8257 { "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32, BASE_HEX,
8258 NULL, 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL }},
8260 { &hf_netlogon_dummy4_long,
8261 { "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32, BASE_HEX,
8262 NULL, 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL }},
8264 { &hf_netlogon_dummy5_long,
8265 { "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32, BASE_HEX,
8266 NULL, 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL }},
8268 { &hf_netlogon_dummy6_long,
8269 { "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32, BASE_HEX,
8270 NULL, 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL }},
8272 { &hf_netlogon_dummy7_long,
8273 { "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32, BASE_HEX,
8274 NULL, 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL }},
8276 { &hf_netlogon_dummy8_long,
8277 { "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32, BASE_HEX,
8278 NULL, 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL }},
8280 { &hf_netlogon_dummy9_long,
8281 { "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32, BASE_HEX,
8282 NULL, 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL }},
8284 { &hf_netlogon_dummy10_long,
8285 { "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32, BASE_HEX,
8286 NULL, 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL }},
8289 { &hf_netlogon_supportedenctypes,
8290 { "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32, BASE_HEX,
8291 NULL, 0x0, "Encryption types", HFILL }},
8293 { &hf_netlogon_workstation_flags,
8294 { "Workstation Flags", "netlogon.workstation.flags", FT_UINT32, BASE_HEX,
8295 NULL, 0x0, "Flags", HFILL }},
8297 { &hf_netlogon_reserved,
8298 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
8299 NULL, 0x0, NULL, HFILL }},
8300 { &hf_netlogon_unknown_short,
8301 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
8302 NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
8304 { &hf_netlogon_unknown_char,
8305 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
8306 NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
8308 { &hf_netlogon_acct_expiry_time,
8309 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8310 NULL, 0x0, "When this account will expire", HFILL }},
8312 { &hf_netlogon_nt_pwd_present,
8313 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
8314 NULL, 0x0, "Is NT password present for this account?", HFILL }},
8316 { &hf_netlogon_lm_pwd_present,
8317 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
8318 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
8320 { &hf_netlogon_pwd_expired,
8321 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
8322 NULL, 0x0, "Whether this password has expired or not", HFILL }},
8324 { &hf_netlogon_authoritative,
8325 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
8326 NULL, 0x0, NULL, HFILL }},
8328 { &hf_netlogon_sensitive_data_flag,
8329 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
8330 NULL, 0x0, "Sensitive data flag", HFILL }},
8332 { &hf_netlogon_auditing_mode,
8333 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
8334 NULL, 0x0, NULL, HFILL }},
8336 { &hf_netlogon_max_audit_event_count,
8337 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
8338 NULL, 0x0, NULL, HFILL }},
8340 { &hf_netlogon_event_audit_option,
8341 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
8342 NULL, 0x0, NULL, HFILL }},
8344 { &hf_netlogon_sensitive_data_len,
8345 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
8346 NULL, 0x0, "Length of sensitive data", HFILL }},
8349 { &hf_netlogon_nt_chal_resp,
8350 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_NONE,
8351 NULL, 0, "Challenge response for NT authentication", HFILL }},
8354 { &hf_netlogon_lm_chal_resp,
8355 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_NONE,
8356 NULL, 0, "Challenge response for LM authentication", HFILL }},
8358 { &hf_netlogon_cipher_len,
8359 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
8360 NULL, 0, NULL, HFILL }},
8362 { &hf_netlogon_cipher_maxlen,
8363 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
8364 NULL, 0, NULL, HFILL }},
8367 { &hf_netlogon_pac_data,
8368 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_NONE,
8369 NULL, 0, NULL, HFILL }},
8372 { &hf_netlogon_sensitive_data,
8373 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_NONE,
8374 NULL, 0, "Sensitive Data", HFILL }},
8377 { &hf_netlogon_auth_data,
8378 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_NONE,
8379 NULL, 0, NULL, HFILL }},
8382 { &hf_netlogon_cipher_current_data,
8383 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_NONE,
8384 NULL, 0, NULL, HFILL }},
8386 { &hf_netlogon_cipher_old_data,
8387 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_NONE,
8388 NULL, 0, NULL, HFILL }},
8390 { &hf_netlogon_acct_name,
8391 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
8392 NULL, 0, "Account Name", HFILL }},
8394 { &hf_netlogon_acct_desc,
8395 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
8396 NULL, 0, "Account Description", HFILL }},
8398 { &hf_netlogon_group_desc,
8399 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
8400 NULL, 0, "Group Description", HFILL }},
8402 { &hf_netlogon_full_name,
8403 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
8404 NULL, 0, NULL, HFILL }},
8406 { &hf_netlogon_comment,
8407 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
8408 NULL, 0, NULL, HFILL }},
8410 { &hf_netlogon_parameters,
8411 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
8412 NULL, 0, NULL, HFILL }},
8414 { &hf_netlogon_logon_script,
8415 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
8416 NULL, 0, NULL, HFILL }},
8418 { &hf_netlogon_profile_path,
8419 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
8420 NULL, 0, NULL, HFILL }},
8422 { &hf_netlogon_home_dir,
8423 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
8424 NULL, 0, "Home Directory", HFILL }},
8426 { &hf_netlogon_dir_drive,
8427 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
8428 NULL, 0, "Drive letter for home directory", HFILL }},
8430 { &hf_netlogon_logon_srv,
8431 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
8432 NULL, 0, NULL, HFILL }},
8435 { &hf_netlogon_principal,
8436 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
8437 NULL, 0, NULL, HFILL }},
8440 { &hf_netlogon_logon_dom,
8441 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
8442 NULL, 0, NULL, HFILL }},
8444 { &hf_netlogon_resourcegroupcount,
8445 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
8446 NULL, 0, "Number of Resource Groups", HFILL }},
8448 { &hf_netlogon_computer_name,
8449 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
8450 NULL, 0, NULL, HFILL }},
8452 { &hf_netlogon_site_name,
8453 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
8454 NULL, 0, NULL, HFILL }},
8456 { &hf_netlogon_dc_name,
8457 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
8458 NULL, 0, NULL, HFILL }},
8460 { &hf_netlogon_dc_site_name,
8461 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
8462 NULL, 0, NULL, HFILL }},
8464 { &hf_netlogon_dns_forest_name,
8465 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
8466 NULL, 0, NULL, HFILL }},
8468 { &hf_netlogon_dc_address,
8469 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
8470 NULL, 0, NULL, HFILL }},
8472 { &hf_netlogon_dc_address_type,
8473 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
8474 VALS(dc_address_types), 0, NULL, HFILL }},
8476 { &hf_netlogon_client_site_name,
8477 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
8478 NULL, 0, NULL, HFILL }},
8480 { &hf_netlogon_workstation_site_name,
8481 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
8482 NULL, 0, "Workstation Site Name", HFILL }},
8484 { &hf_netlogon_workstation,
8485 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
8486 NULL, 0, "Workstation Name", HFILL }},
8488 { &hf_netlogon_os_version,
8489 { "OS version", "netlogon.os.version", FT_STRING, BASE_NONE,
8490 NULL, 0, NULL, HFILL }},
8492 { &hf_netlogon_workstation_os,
8493 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
8494 NULL, 0, "Workstation OS", HFILL }},
8496 { &hf_netlogon_workstations,
8497 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
8498 NULL, 0, NULL, HFILL }},
8500 { &hf_netlogon_workstation_fqdn,
8501 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
8502 NULL, 0, "Workstation FQDN", HFILL }},
8504 { &hf_netlogon_group_name,
8505 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
8506 NULL, 0, NULL, HFILL }},
8508 { &hf_netlogon_alias_name,
8509 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
8510 NULL, 0, NULL, HFILL }},
8512 { &hf_netlogon_dns_host,
8513 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
8514 NULL, 0, NULL, HFILL }},
8516 { &hf_netlogon_downlevel_domain_name,
8517 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
8518 NULL, 0, "Downlevel Domain Name", HFILL }},
8520 { &hf_netlogon_dns_domain_name,
8521 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
8522 NULL, 0, "DNS Domain Name", HFILL }},
8524 { &hf_netlogon_ad_client_dns_name,
8525 { "Client DNS Name", "netlogon.client_dns_name", FT_STRING, BASE_NONE,
8526 NULL, 0, NULL, HFILL }},
8528 { &hf_netlogon_domain_name,
8529 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
8530 NULL, 0, "Domain Name", HFILL }},
8532 { &hf_netlogon_oem_info,
8533 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
8534 NULL, 0, NULL, HFILL }},
8536 { &hf_netlogon_trusted_dc_name,
8537 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
8538 NULL, 0, NULL, HFILL }},
8540 { &hf_netlogon_logon_dnslogondomainname,
8541 { "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING, BASE_NONE,
8542 NULL, 0, "DNS Name of the logon domain", HFILL }},
8544 { &hf_netlogon_logon_upn,
8545 { "UPN", "netlogon.logon.upn", FT_STRING, BASE_NONE,
8546 NULL, 0, "User Principal Name", HFILL }},
8548 { &hf_netlogon_logonsrv_handle,
8549 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
8550 NULL, 0, "Logon Srv Handle", HFILL }},
8552 { &hf_netlogon_dummy,
8553 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
8554 NULL, 0, "Dummy string", HFILL }},
8556 { &hf_netlogon_logon_count16,
8557 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
8558 NULL, 0x0, "Number of successful logins", HFILL }},
8560 { &hf_netlogon_logon_count,
8561 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
8562 NULL, 0x0, "Number of successful logins", HFILL }},
8564 { &hf_netlogon_bad_pw_count16,
8565 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
8566 NULL, 0x0, "Number of failed logins", HFILL }},
8568 { &hf_netlogon_bad_pw_count,
8569 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
8570 NULL, 0x0, "Number of failed logins", HFILL }},
8572 { &hf_netlogon_country,
8573 { "Country", "netlogon.country", FT_UINT16, BASE_DEC | BASE_EXT_STRING,
8574 &ms_country_codes_ext, 0x0, "Country setting for this account", HFILL }},
8576 { &hf_netlogon_codepage,
8577 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
8578 NULL, 0x0, "Codepage setting for this account", HFILL }},
8580 { &hf_netlogon_level16,
8581 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
8582 NULL, 0x0, "Which option of the union is represented here", HFILL }},
8584 { &hf_netlogon_validation_level,
8585 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
8586 NULL, 0x0, "Requested level of validation", HFILL }},
8588 { &hf_netlogon_minpasswdlen,
8589 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
8590 NULL, 0x0, "Minimum length of password", HFILL }},
8592 { &hf_netlogon_passwdhistorylen,
8593 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
8594 NULL, 0x0, "Length of password history", HFILL }},
8596 { &hf_netlogon_secure_channel_type,
8597 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
8598 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
8600 { &hf_netlogon_restart_state,
8601 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
8602 NULL, 0x0, NULL, HFILL }},
8604 { &hf_netlogon_delta_type,
8605 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
8606 VALS(delta_type_vals), 0x0, NULL, HFILL }},
8608 { &hf_netlogon_blob_size,
8609 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
8610 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
8612 { &hf_netlogon_code,
8613 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
8614 NULL, 0x0, NULL, HFILL }},
8616 { &hf_netlogon_level,
8617 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
8618 NULL, 0x0, "Which option of the union is represented here", HFILL }},
8620 { &hf_netlogon_reference,
8621 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
8622 NULL, 0x0, NULL, HFILL }},
8624 { &hf_netlogon_next_reference,
8625 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
8626 NULL, 0x0, NULL, HFILL }},
8628 { &hf_netlogon_timestamp,
8629 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8630 NULL, 0, NULL, HFILL }},
8632 { &hf_netlogon_user_rid,
8633 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
8634 NULL, 0x0, NULL, HFILL }},
8636 { &hf_netlogon_alias_rid,
8637 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
8638 NULL, 0x0, NULL, HFILL }},
8640 { &hf_netlogon_group_rid,
8641 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
8642 NULL, 0x0, NULL, HFILL }},
8644 { &hf_netlogon_num_rids,
8645 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
8646 NULL, 0x0, "Number of RIDs", HFILL }},
8648 { &hf_netlogon_num_controllers,
8649 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
8650 NULL, 0x0, "Number of domain controllers", HFILL }},
8652 { &hf_netlogon_num_sid,
8653 { "Num Extra SID", "netlogon.num_sid", FT_UINT32, BASE_DEC,
8654 NULL, 0x0, NULL, HFILL }},
8656 { &hf_netlogon_flags,
8657 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
8658 NULL, 0x0, NULL, HFILL }},
8660 { &hf_netlogon_user_account_control,
8661 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
8662 NULL, 0x0, NULL, HFILL }},
8664 { &hf_netlogon_user_flags,
8665 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
8666 NULL, 0x0, NULL, HFILL }},
8668 { &hf_netlogon_auth_flags,
8669 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
8670 NULL, 0x0, NULL, HFILL }},
8672 { &hf_netlogon_systemflags,
8673 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
8674 NULL, 0x0, NULL, HFILL }},
8676 { &hf_netlogon_database_id,
8677 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
8678 NULL, 0x0, NULL, HFILL }},
8680 { &hf_netlogon_sync_context,
8681 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
8682 NULL, 0x0, NULL, HFILL }},
8684 { &hf_netlogon_max_size,
8685 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
8686 NULL, 0x0, "Max Size of database", HFILL }},
8688 { &hf_netlogon_max_log_size,
8689 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
8690 NULL, 0x0, "Max Size of log", HFILL }},
8693 { &hf_netlogon_pac_size,
8694 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
8695 NULL, 0x0, "Size of PacData in bytes", HFILL }},
8699 { &hf_netlogon_auth_size,
8700 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
8701 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
8704 { &hf_netlogon_num_deltas,
8705 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
8706 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
8708 { &hf_netlogon_num_trusts,
8709 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
8710 NULL, 0x0, NULL, HFILL }},
8712 { &hf_netlogon_logon_attempts,
8713 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
8714 NULL, 0x0, "Number of logon attempts", HFILL }},
8716 { &hf_netlogon_pagefilelimit,
8717 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
8718 NULL, 0x0, NULL, HFILL }},
8720 { &hf_netlogon_pagedpoollimit,
8721 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
8722 NULL, 0x0, NULL, HFILL }},
8724 { &hf_netlogon_nonpagedpoollimit,
8725 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
8726 NULL, 0x0, NULL, HFILL }},
8728 { &hf_netlogon_minworkingsetsize,
8729 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
8730 NULL, 0x0, NULL, HFILL }},
8732 { &hf_netlogon_maxworkingsetsize,
8733 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
8734 NULL, 0x0, NULL, HFILL }},
8736 { &hf_netlogon_serial_number,
8737 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
8738 NULL, 0x0, NULL, HFILL }},
8740 { &hf_netlogon_neg_flags,
8741 { "Negotiation options", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
8742 NULL, 0x0, "Negotiation Flags", HFILL }},
8745 { &hf_netlogon_neg_flags_80000000,
8746 { "Not used 80000000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000000, "Not used", HFILL }},
8749 { &hf_netlogon_neg_flags_40000000,
8750 { "Authenticated RPC supported", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000000, NULL, HFILL }},
8752 { &hf_netlogon_neg_flags_20000000,
8753 { "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000000, "rpc via lsass", HFILL }},
8756 { &hf_netlogon_neg_flags_10000000,
8757 { "Not used 10000000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000000, "Not used", HFILL }},
8761 { &hf_netlogon_neg_flags_8000000,
8762 { "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000000, "Not used", HFILL }},
8766 { &hf_netlogon_neg_flags_4000000,
8767 { "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4000000, "Not used", HFILL }},
8771 { &hf_netlogon_neg_flags_2000000,
8772 { "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000000, "Not used", HFILL }},
8775 { &hf_netlogon_neg_flags_1000000,
8776 { "AES supported", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000000, "AES", HFILL }},
8779 { &hf_netlogon_neg_flags_800000,
8780 { "Not used 800000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800000, "Not used", HFILL }},
8783 { &hf_netlogon_neg_flags_400000,
8784 { "AES & SHA2 supported", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_USEAES, "AES&SHA2", HFILL }},
8786 { &hf_netlogon_neg_flags_200000,
8787 { "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200000, "rodc pt", HFILL }},
8789 { &hf_netlogon_neg_flags_100000,
8790 { "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100000, "No NT4 emu", HFILL }},
8792 { &hf_netlogon_neg_flags_80000,
8793 { "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000, NULL, HFILL }},
8795 { &hf_netlogon_neg_flags_40000,
8796 { "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000, "GetDomainInfo", HFILL }},
8798 { &hf_netlogon_neg_flags_20000,
8799 { "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000, "PasswordSet2", HFILL }},
8801 { &hf_netlogon_neg_flags_10000,
8802 { "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000, "DNS Trusts", HFILL }},
8804 { &hf_netlogon_neg_flags_8000,
8805 { "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000, "Transitive trust", HFILL }},
8807 { &hf_netlogon_neg_flags_4000,
8808 { "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_STRONGKEY, NULL, HFILL }},
8810 { &hf_netlogon_neg_flags_2000,
8811 { "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000, NULL, HFILL }},
8813 { &hf_netlogon_neg_flags_1000,
8814 { "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000, NULL, HFILL }},
8816 { &hf_netlogon_neg_flags_800,
8817 { "Concurent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800, NULL, HFILL }},
8819 { &hf_netlogon_neg_flags_400,
8820 { "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400, NULL, HFILL }},
8822 { &hf_netlogon_neg_flags_200,
8823 { "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200, NULL, HFILL }},
8825 { &hf_netlogon_neg_flags_100,
8826 { "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100, "PWD change refusal", HFILL }},
8828 { &hf_netlogon_neg_flags_80,
8829 { "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80, NULL, HFILL }},
8831 { &hf_netlogon_neg_flags_40,
8832 { "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40, NULL, HFILL }},
8834 { &hf_netlogon_neg_flags_20,
8835 { "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20, NULL, HFILL }},
8837 { &hf_netlogon_neg_flags_10,
8838 { "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10, "BDC Changelog", HFILL }},
8840 { &hf_netlogon_neg_flags_8,
8841 { "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8, "Promotion count", HFILL }},
8843 { &hf_netlogon_neg_flags_4,
8844 { "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4, "RC4", HFILL }},
8846 { &hf_netlogon_neg_flags_2,
8847 { "NT3.5 BDC continuous update", "ntlmssp.neg_flags.na2", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2, "NT3.5", HFILL }},
8849 { &hf_netlogon_neg_flags_1,
8850 { "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1, NULL, HFILL }},
8852 { &hf_netlogon_dc_flags,
8853 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
8854 NULL, 0x0, NULL, HFILL }},
8856 { &hf_netlogon_dc_flags_pdc_flag,
8857 { "PDC", "netlogon.dc.flags.pdc",
8858 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
8859 "If this server is a PDC", HFILL }},
8861 { &hf_netlogon_dc_flags_gc_flag,
8862 { "GC", "netlogon.dc.flags.gc",
8863 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
8864 "If this server is a GC", HFILL }},
8866 { &hf_netlogon_dc_flags_ldap_flag,
8867 { "LDAP", "netlogon.dc.flags.ldap",
8868 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
8869 "If this is an LDAP server", HFILL }},
8871 { &hf_netlogon_dc_flags_ds_flag,
8872 { "DS", "netlogon.dc.flags.ds",
8873 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
8874 "If this server is a DS", HFILL }},
8876 { &hf_netlogon_dc_flags_kdc_flag,
8877 { "KDC", "netlogon.dc.flags.kdc",
8878 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
8879 "If this is a KDC", HFILL }},
8881 { &hf_netlogon_dc_flags_timeserv_flag,
8882 { "Timeserv", "netlogon.dc.flags.timeserv",
8883 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
8884 "If this server is a TimeServer", HFILL }},
8886 { &hf_netlogon_dc_flags_closest_flag,
8887 { "Closest", "netlogon.dc.flags.closest",
8888 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
8889 "If this is the closest server", HFILL }},
8891 { &hf_netlogon_dc_flags_writable_flag,
8892 { "Writable", "netlogon.dc.flags.writable",
8893 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
8894 "If this server can do updates to the database", HFILL }},
8896 { &hf_netlogon_dc_flags_good_timeserv_flag,
8897 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
8898 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
8899 "If this is a Good TimeServer", HFILL }},
8901 { &hf_netlogon_dc_flags_ndnc_flag,
8902 { "NDNC", "netlogon.dc.flags.ndnc",
8903 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
8904 "If this is an NDNC server", HFILL }},
8906 { &hf_netlogon_dc_flags_dns_controller_flag,
8907 { "DNS Controller", "netlogon.dc.flags.dns_controller",
8908 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
8909 "If this server is a DNS Controller", HFILL }},
8911 { &hf_netlogon_dc_flags_dns_domain_flag,
8912 { "DNS Domain", "netlogon.dc.flags.dns_domain",
8913 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
8916 { &hf_netlogon_dc_flags_dns_forest_flag,
8917 { "DNS Forest", "netlogon.dc.flags.dns_forest",
8918 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
8921 { &hf_netlogon_get_dcname_request_flags,
8922 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
8923 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
8925 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
8926 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
8927 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
8928 "Whether to allow the server to returned cached information or not", HFILL }},
8930 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
8931 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
8932 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
8933 "Whether we require that the returned DC supports w2k or not", HFILL }},
8935 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
8936 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
8937 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
8938 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
8940 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
8941 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
8942 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
8943 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
8945 { &hf_netlogon_get_dcname_request_flags_pdc_required,
8946 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
8947 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
8948 "Whether we require the returned DC to be the PDC", HFILL }},
8950 { &hf_netlogon_get_dcname_request_flags_background_only,
8951 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
8952 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
8953 "If we want cached data, even if it may have expired", HFILL }},
8955 { &hf_netlogon_get_dcname_request_flags_ip_required,
8956 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
8957 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
8958 "If we require the IP of the DC in the reply", HFILL }},
8960 { &hf_netlogon_get_dcname_request_flags_kdc_required,
8961 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
8962 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
8963 "If we require that the returned server is a KDC", HFILL }},
8965 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
8966 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
8967 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
8968 "If we require the returned server to be a WindowsTimeServ server", HFILL }},
8970 { &hf_netlogon_get_dcname_request_flags_writable_required,
8971 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
8972 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
8973 "If we require that the returned server is writable", HFILL }},
8975 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
8976 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
8977 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
8978 "If we prefer Windows Time Servers", HFILL }},
8980 { &hf_netlogon_get_dcname_request_flags_avoid_self,
8981 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
8982 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
8983 "Return another DC than the one we ask", HFILL }},
8985 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
8986 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
8987 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
8988 "We just want an LDAP server, it does not have to be a DC", HFILL }},
8990 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
8991 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
8992 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
8993 "If the specified domain name is a NetBIOS name", HFILL }},
8995 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
8996 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
8997 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
8998 "If the specified domain name is a DNS name", HFILL }},
9000 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
9001 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
9002 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
9003 "Only return a DNS name (or an error)", HFILL }},
9005 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
9006 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
9007 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
9008 "Only return a NetBIOS name (or an error)", HFILL }},
9010 { &hf_netlogon_trust_attribs,
9011 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
9012 NULL, 0x0, NULL, HFILL }},
9014 { &hf_netlogon_trust_attribs_non_transitive,
9015 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
9016 TFS(&trust_attribs_non_transitive), 0x00000001, NULL, HFILL }},
9018 { &hf_netlogon_trust_attribs_uplevel_only,
9019 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
9020 TFS(&trust_attribs_uplevel_only), 0x00000002, NULL, HFILL }},
9022 { &hf_netlogon_trust_attribs_quarantined_domain,
9023 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
9024 TFS(&trust_attribs_quarantined_domain), 0x00000004, NULL, HFILL }},
9026 { &hf_netlogon_trust_attribs_forest_transitive,
9027 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
9028 TFS(&trust_attribs_forest_transitive), 0x00000008, NULL, HFILL }},
9030 { &hf_netlogon_trust_attribs_cross_organization,
9031 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
9032 TFS(&trust_attribs_cross_organization), 0x00000010, NULL, HFILL }},
9034 { &hf_netlogon_trust_attribs_within_forest,
9035 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
9036 TFS(&trust_attribs_within_forest), 0x00000020, NULL, HFILL }},
9038 { &hf_netlogon_trust_attribs_treat_as_external,
9039 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
9040 TFS(&trust_attribs_treat_as_external), 0x00000040, NULL, HFILL }},
9042 { &hf_netlogon_trust_type,
9043 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
9044 VALS(trust_type_vals), 0x0, NULL, HFILL }},
9046 { &hf_netlogon_extraflags,
9047 { "Extra Flags", "netlogon.extra_flags", FT_UINT32, BASE_HEX,
9048 NULL, 0x0, NULL, HFILL }},
9050 { &hf_netlogon_extra_flags_root_forest,
9051 { "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
9052 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_ROOT_FOREST,
9055 { &hf_netlogon_trust_flags_dc_firsthop,
9056 { "DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
9057 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_DC_XFOREST,
9060 { &hf_netlogon_trust_flags_rodc_to_dc,
9061 { "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
9062 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_RODC_DIF_DOMAIN,
9065 { &hf_netlogon_trust_flags_rodc_ntlm,
9066 { "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
9067 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_NTLM_FROM_RODC,
9070 { &hf_netlogon_trust_flags,
9071 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
9072 NULL, 0x0, NULL, HFILL }},
9074 { &hf_netlogon_trust_flags_inbound,
9075 { "Inbound Trust", "netlogon.trust.flags.inbound",
9076 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
9077 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
9079 { &hf_netlogon_trust_flags_outbound,
9080 { "Outbound Trust", "netlogon.trust.flags.outbound",
9081 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
9082 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
9084 { &hf_netlogon_trust_flags_in_forest,
9085 { "In Forest", "netlogon.trust.flags.in_forest",
9086 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
9087 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
9089 { &hf_netlogon_trust_flags_native_mode,
9090 { "Native Mode", "netlogon.trust.flags.native_mode",
9091 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
9092 "Whether the domain is a w2k native mode domain or not", HFILL }},
9094 { &hf_netlogon_trust_flags_primary,
9095 { "Primary", "netlogon.trust.flags.primary",
9096 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
9097 "Whether the domain is the primary domain for the queried server or not", HFILL }},
9099 { &hf_netlogon_trust_flags_tree_root,
9100 { "Tree Root", "netlogon.trust.flags.tree_root",
9101 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
9102 "Whether the domain is the root of the tree for the queried server", HFILL }},
9104 { &hf_netlogon_trust_parent_index,
9105 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
9106 NULL, 0x0, NULL, HFILL }},
9108 { &hf_netlogon_logon_time,
9109 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9110 NULL, 0, "Time for last time this user logged on", HFILL }},
9112 { &hf_netlogon_kickoff_time,
9113 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9114 NULL, 0, "Time when this user will be kicked off", HFILL }},
9116 { &hf_netlogon_logoff_time,
9117 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9118 NULL, 0, "Time for last time this user logged off", HFILL }},
9120 { &hf_netlogon_last_logoff_time,
9121 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9122 NULL, 0, "Time for last time this user logged off", HFILL }},
9124 { &hf_netlogon_pwd_last_set_time,
9125 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9126 NULL, 0, "Last time this users password was changed", HFILL }},
9128 { &hf_netlogon_pwd_age,
9129 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
9130 NULL, 0, "Time since this users password was changed", HFILL }},
9132 { &hf_netlogon_pwd_can_change_time,
9133 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9134 NULL, 0, "When this users password may be changed", HFILL }},
9136 { &hf_netlogon_pwd_must_change_time,
9137 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9138 NULL, 0, "When this users password must be changed", HFILL }},
9140 { &hf_netlogon_domain_create_time,
9141 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9142 NULL, 0, "Time when this domain was created", HFILL }},
9144 { &hf_netlogon_domain_modify_time,
9145 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9146 NULL, 0, "Time when this domain was last modified", HFILL }},
9148 { &hf_netlogon_db_modify_time,
9149 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9150 NULL, 0, "Time when last modified", HFILL }},
9152 { &hf_netlogon_db_create_time,
9153 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9154 NULL, 0, "Time when created", HFILL }},
9156 { &hf_netlogon_cipher_current_set_time,
9157 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9158 NULL, 0, "Time when current cipher was initiated", HFILL }},
9160 { &hf_netlogon_cipher_old_set_time,
9161 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9162 NULL, 0, "Time when previous cipher was initiated", HFILL }},
9164 { &hf_netlogon_audit_retention_period,
9165 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
9166 NULL, 0, NULL, HFILL }},
9168 { &hf_netlogon_timelimit,
9169 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
9170 NULL, 0, NULL, HFILL }},
9173 { &hf_client_credential,
9174 { "Client Credential", "netlogon.clientcred", FT_BYTES, BASE_NONE,
9175 NULL, 0x0, NULL, HFILL }},
9177 { &hf_server_credential,
9178 { "Server Credential", "netlogon.servercred", FT_BYTES, BASE_NONE,
9179 NULL, 0x0, NULL, HFILL }},
9182 { "Account RID", "netlogon.serverrid", FT_UINT32, BASE_DEC,
9183 NULL, 0x0, NULL, HFILL }},
9185 { &hf_client_challenge,
9186 { "Client Challenge", "netlogon.clientchallenge", FT_BYTES, BASE_NONE,
9187 NULL, 0x0, NULL, HFILL }},
9189 { &hf_server_challenge,
9190 { "Server Challenge", "netlogon.serverchallenge", FT_BYTES, BASE_NONE,
9191 NULL, 0x0, NULL, HFILL }},
9193 { &hf_netlogon_secchan_nl_message_type,
9194 { "Message Type", "netlogon.secchan.nl_auth_message.message_type", FT_UINT32, BASE_HEX,
9195 VALS(nl_auth_types), 0x0, NULL, HFILL }},
9197 { &hf_netlogon_secchan_nl_message_flags,
9198 { "Message Flags", "netlogon.secchan.nl_auth_message.message_flags", FT_UINT32, BASE_HEX,
9199 NULL, 0x0, NULL, HFILL }},
9201 { &hf_netlogon_secchan_nl_message_flags_nb_domain,
9202 { "NetBios Domain", "netlogon.secchan.nl_auth_message.message_flags.nb_domain", FT_BOOLEAN, 32,
9203 NULL, 0x00000001, NULL, HFILL }},
9205 { &hf_netlogon_secchan_nl_message_flags_nb_host,
9206 { "NetBios Host", "netlogon.secchan.nl_auth_message.message_flags.nb_host", FT_BOOLEAN, 32,
9207 NULL, 0x00000002, NULL, HFILL }},
9209 { &hf_netlogon_secchan_nl_message_flags_dns_domain,
9210 { "DNS Domain", "netlogon.secchan.nl_auth_message.message_flags.dns_domain", FT_BOOLEAN, 32,
9211 NULL, 0x00000004, NULL, HFILL }},
9213 { &hf_netlogon_secchan_nl_message_flags_dns_host,
9214 { "DNS Host", "netlogon.secchan.nl_auth_message.message_flags.dns_host", FT_BOOLEAN, 32,
9215 NULL, 0x00000008, NULL, HFILL }},
9217 { &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
9218 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.message_flags.nb_host_utf8", FT_BOOLEAN, 32,
9219 NULL, 0x00000010, NULL, HFILL }},
9221 { &hf_netlogon_secchan_nl_nb_domain,
9222 { "NetBios Domain", "netlogon.secchan.nl_auth_message.nb_domain", FT_STRING, BASE_NONE,
9223 NULL, 0, NULL, HFILL }},
9225 { &hf_netlogon_secchan_nl_nb_host,
9226 { "NetBios Host", "netlogon.secchan.nl_auth_message.nb_host", FT_STRING, BASE_NONE,
9227 NULL, 0, NULL, HFILL }},
9229 { &hf_netlogon_secchan_nl_nb_host_utf8,
9230 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.nb_host_utf8", FT_STRING, BASE_NONE,
9231 NULL, 0, NULL, HFILL }},
9233 { &hf_netlogon_secchan_nl_dns_domain,
9234 { "DNS Domain", "netlogon.secchan.nl_auth_message.dns_domain", FT_STRING, BASE_NONE,
9235 NULL, 0, NULL, HFILL }},
9237 { &hf_netlogon_secchan_nl_dns_host,
9238 { "DNS Host", "netlogon.secchan.nl_auth_message.dns_host", FT_STRING, BASE_NONE,
9239 NULL, 0, NULL, HFILL }},
9241 { &hf_netlogon_data_length,
9242 { "Length of Data", "netlogon.data.length", FT_UINT32, BASE_DEC,
9243 NULL, 0, NULL, HFILL }},
9245 { &hf_netlogon_package_name,
9246 { "SSP Package Name", "netlogon.data.package_name", FT_STRING, BASE_NONE,
9247 NULL, 0, NULL, HFILL }},
9249 { &hf_netlogon_secchan_verf,
9250 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
9251 NULL, 0x0, "Verifier", HFILL }},
9253 { &hf_netlogon_secchan_verf_signalg,
9254 { "Sign algorithm", "netlogon.secchan.signalg", FT_UINT16, BASE_HEX,
9255 VALS(sign_algs), 0, NULL, HFILL }},
9257 { &hf_netlogon_secchan_verf_sealalg,
9258 { "Seal algorithm", "netlogon.secchan.sealalg", FT_UINT16, BASE_HEX,
9259 VALS(seal_algs), 0, NULL, HFILL }},
9261 { &hf_netlogon_secchan_verf_flag,
9262 { "Flags", "netlogon.secchan.flags", FT_BYTES, BASE_NONE, NULL,
9263 0x0, NULL, HFILL }},
9265 { &hf_netlogon_secchan_verf_digest,
9266 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_NONE, NULL,
9267 0x0, NULL, HFILL }},
9269 { &hf_netlogon_secchan_verf_seq,
9270 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_NONE, NULL,
9271 0x0, NULL, HFILL }},
9273 { &hf_netlogon_secchan_verf_nonce,
9274 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_NONE, NULL,
9275 0x0, NULL, HFILL }},
9277 { &hf_netlogon_group_attrs_mandatory,
9278 { "Mandatory", "netlogon.groups.attrs.mandatory",
9279 FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
9280 "The group attributes MANDATORY flag", HFILL }},
9282 { &hf_netlogon_group_attrs_enabled_by_default,
9283 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
9284 FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
9285 "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
9287 { &hf_netlogon_group_attrs_enabled,
9288 { "Enabled", "netlogon.groups.attrs.enabled",
9289 FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
9290 "The group attributes ENABLED flag", HFILL }},
9292 { &hf_netlogon_user_flags_extra_sids,
9293 { "Extra SIDs", "netlogon.user.flags.extra_sids",
9294 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
9295 "The user flags EXTRA_SIDS", HFILL }},
9297 { &hf_netlogon_user_flags_resource_groups,
9298 { "Resource Groups", "netlogon.user.flags.resource_groups",
9299 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
9300 "The user flags RESOURCE_GROUPS", HFILL }},
9302 { &hf_netlogon_user_account_control_dont_require_preauth,
9303 { "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
9304 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
9305 "The user account control DONT_REQUIRE_PREAUTH flag", HFILL }},
9307 { &hf_netlogon_user_account_control_use_des_key_only,
9308 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
9309 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
9310 "The user account control use_des_key_only flag", HFILL }},
9312 { &hf_netlogon_user_account_control_not_delegated,
9313 { "Not Delegated", "netlogon.user.account_control.not_delegated",
9314 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
9315 "The user account control not_delegated flag", HFILL }},
9317 { &hf_netlogon_user_account_control_trusted_for_delegation,
9318 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
9319 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
9320 "The user account control trusted_for_delegation flag", HFILL }},
9322 { &hf_netlogon_user_account_control_smartcard_required,
9323 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
9324 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
9325 "The user account control smartcard_required flag", HFILL }},
9327 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
9328 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
9329 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
9330 "The user account control encrypted_text_password_allowed flag", HFILL }},
9332 { &hf_netlogon_user_account_control_account_auto_locked,
9333 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
9334 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
9335 "The user account control account_auto_locked flag", HFILL }},
9337 { &hf_netlogon_user_account_control_dont_expire_password,
9338 { "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
9339 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
9340 "The user account control dont_expire_password flag", HFILL }},
9342 { &hf_netlogon_user_account_control_server_trust_account,
9343 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
9344 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
9345 "The user account control server_trust_account flag", HFILL }},
9347 { &hf_netlogon_user_account_control_workstation_trust_account,
9348 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
9349 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
9350 "The user account control workstation_trust_account flag", HFILL }},
9352 { &hf_netlogon_user_account_control_interdomain_trust_account,
9353 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
9354 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
9355 "The user account control interdomain_trust_account flag", HFILL }},
9357 { &hf_netlogon_user_account_control_mns_logon_account,
9358 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
9359 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
9360 "The user account control mns_logon_account flag", HFILL }},
9362 { &hf_netlogon_user_account_control_normal_account,
9363 { "Normal Account", "netlogon.user.account_control.normal_account",
9364 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
9365 "The user account control normal_account flag", HFILL }},
9367 { &hf_netlogon_user_account_control_temp_duplicate_account,
9368 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
9369 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
9370 "The user account control temp_duplicate_account flag", HFILL }},
9372 { &hf_netlogon_user_account_control_password_not_required,
9373 { "Password Not Required", "netlogon.user.account_control.password_not_required",
9374 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
9375 "The user account control password_not_required flag", HFILL }},
9377 { &hf_netlogon_user_account_control_home_directory_required,
9378 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
9379 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
9380 "The user account control home_directory_required flag", HFILL }},
9382 { &hf_netlogon_user_account_control_account_disabled,
9383 { "Account Disabled", "netlogon.user.account_control.account_disabled",
9384 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
9385 "The user account control account_disabled flag", HFILL }},
9388 { &hf_netlogon_dnsdomaininfo,
9389 { "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE, BASE_NONE,
9390 NULL, 0x0, NULL, HFILL }},
9393 { &DnsDomainInfo_sid,
9394 { "Sid", "lsarpc.lsa_DnsDomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9396 { "Sid", "lsarpc.lsa_DomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9397 { &DnsDomainInfo_domain_guid,
9398 { "Domain Guid", "lsarpc.lsa_DnsDomainInfo.domain_guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }},
9399 { &DnsDomainInfo_dns_forest,
9400 { "Dns Forest", "lsarpc.lsa_DnsDomainInfo.dns_forest", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9401 { &DnsDomainInfo_dns_domain,
9402 { "Dns Domain", "lsarpc.lsa_DnsDomainInfo.dns_domain", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9403 { &DnsDomainInfo_name,
9404 { "Name", "lsarpc.lsa_DnsDomainInfo.name", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9405 { &hf_netlogon_s4u2proxytarget,
9406 { "S4U2proxyTarget", "netlogon.s4u2proxytarget", FT_STRING, BASE_NONE,
9407 NULL, 0, "Target for constrained delegation using s4u2proxy", HFILL }},
9408 { &hf_netlogon_transitedlistsize,
9409 { "TransitedListSize", "netlogon.transited_list_size", FT_UINT32, BASE_HEX,
9410 NULL, 0x0, "Number of elements in the TransitedServices array.", HFILL }},
9411 { &hf_netlogon_transited_service,
9412 { "Transited Service", "netlogon.transited_service", FT_STRING, BASE_NONE,
9413 NULL, 0, "S4U2 Transited Service name", HFILL }},
9416 static gint *ett[] = {
9417 &ett_dcerpc_netlogon,
9418 &ett_authenticate_flags,
9424 &ett_DOMAIN_CONTROLLER_INFO,
9425 &ett_UNICODE_STRING_512,
9428 &ett_DELTA_ID_UNION,
9431 &ett_LM_OWF_PASSWORD,
9432 &ett_NT_OWF_PASSWORD,
9433 &ett_GROUP_MEMBERSHIP,
9434 &ett_DS_DOMAIN_TRUSTS,
9436 &ett_DOMAIN_TRUST_INFO,
9437 &ett_LSA_POLICY_INFO,
9440 &ett_get_dcname_request_flags,
9442 &ett_secchan_nl_auth_message,
9443 &ett_secchan_nl_auth_message_flags,
9447 &ett_nt_counted_longs_as_string,
9448 &ett_user_account_control
9451 proto_dcerpc_netlogon = proto_register_protocol(
9452 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
9454 proto_register_field_array(proto_dcerpc_netlogon, hf,
9456 proto_register_subtree_array(ett, array_length(ett));
9457 register_init_routine(netlogon_reassemble_init);
9461 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
9462 dissect_secchan_nl_auth_message, /* Bind */
9463 dissect_secchan_nl_auth_message, /* Bind ACK */
9465 dissect_request_secchan_verf, /* Request verifier */
9466 dissect_response_secchan_verf, /* Response verifier */
9467 dissect_request_data, /* Request data */
9468 dissect_response_data /* Response data */
9472 proto_reg_handoff_dcerpc_netlogon(void)
9474 /* Register protocol as dcerpc */
9475 seen.isseen = FALSE;
9477 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
9478 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
9479 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
9482 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
9483 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
9485 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
9486 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,