1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \\PIPE\\NETLOGON packet disassembly
3 * Copyright 2001, Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.61 2002/11/04 11:52:36 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_logon_count = -1;
116 static int hf_netlogon_logon_count16 = -1;
117 static int hf_netlogon_bad_pw_count = -1;
118 static int hf_netlogon_bad_pw_count16 = -1;
119 static int hf_netlogon_user_rid = -1;
120 static int hf_netlogon_alias_rid = -1;
121 static int hf_netlogon_group_rid = -1;
122 static int hf_netlogon_logon_srv = -1;
123 static int hf_netlogon_principal = -1;
124 static int hf_netlogon_logon_dom = -1;
125 static int hf_netlogon_downlevel_domain_name = -1;
126 static int hf_netlogon_dns_domain_name = -1;
127 static int hf_netlogon_domain_name = -1;
128 static int hf_netlogon_domain_create_time = -1;
129 static int hf_netlogon_domain_modify_time = -1;
130 static int hf_netlogon_modify_count = -1;
131 static int hf_netlogon_db_modify_time = -1;
132 static int hf_netlogon_db_create_time = -1;
133 static int hf_netlogon_oem_info = -1;
134 static int hf_netlogon_serial_number = -1;
135 static int hf_netlogon_num_rids = -1;
136 static int hf_netlogon_num_controllers = -1;
137 static int hf_netlogon_num_other_groups = -1;
138 static int hf_netlogon_computer_name = -1;
139 static int hf_netlogon_site_name = -1;
140 static int hf_netlogon_trusted_dc_name = -1;
141 static int hf_netlogon_dc_name = -1;
142 static int hf_netlogon_dc_site_name = -1;
143 static int hf_netlogon_dns_forest_name = -1;
144 static int hf_netlogon_dc_address = -1;
145 static int hf_netlogon_dc_address_type = -1;
146 static int hf_netlogon_client_site_name = -1;
147 static int hf_netlogon_workstation = -1;
148 static int hf_netlogon_workstation_site_name = -1;
149 static int hf_netlogon_workstation_os = -1;
150 static int hf_netlogon_workstations = -1;
151 static int hf_netlogon_workstation_fqdn = -1;
152 static int hf_netlogon_group_name = -1;
153 static int hf_netlogon_alias_name = -1;
154 static int hf_netlogon_country = -1;
155 static int hf_netlogon_codepage = -1;
156 static int hf_netlogon_flags = -1;
157 static int hf_netlogon_user_flags = -1;
158 static int hf_netlogon_auth_flags = -1;
159 static int hf_netlogon_pwd_expired = -1;
160 static int hf_netlogon_nt_pwd_present = -1;
161 static int hf_netlogon_lm_pwd_present = -1;
162 static int hf_netlogon_code = -1;
163 static int hf_netlogon_database_id = -1;
164 static int hf_netlogon_sync_context = -1;
165 static int hf_netlogon_max_size = -1;
166 static int hf_netlogon_max_log_size = -1;
167 static int hf_netlogon_dns_host = -1;
168 static int hf_netlogon_acct_expiry_time = -1;
169 static int hf_netlogon_encrypted_lm_owf_password = -1;
170 static int hf_netlogon_lm_owf_password = -1;
171 static int hf_netlogon_nt_owf_password = -1;
172 static int hf_netlogon_param_ctrl = -1;
173 static int hf_netlogon_logon_id = -1;
174 static int hf_netlogon_num_deltas = -1;
175 static int hf_netlogon_user_session_key = -1;
176 static int hf_netlogon_blob_size = -1;
177 static int hf_netlogon_blob = -1;
178 static int hf_netlogon_logon_attempts = -1;
179 static int hf_netlogon_authoritative = -1;
180 static int hf_netlogon_secure_channel_type = -1;
181 static int hf_netlogon_logonsrv_handle = -1;
182 static int hf_netlogon_delta_type = -1;
184 static gint ett_dcerpc_netlogon = -1;
185 static gint ett_QUOTA_LIMITS = -1;
186 static gint ett_IDENTITY_INFO = -1;
187 static gint ett_DELTA_ENUM = -1;
188 static gint ett_CYPHER_VALUE = -1;
189 static gint ett_UNICODE_MULTI = -1;
190 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
191 static gint ett_UNICODE_STRING_512 = -1;
192 static gint ett_TYPE_50 = -1;
193 static gint ett_TYPE_52 = -1;
194 static gint ett_DELTA_ID_UNION = -1;
195 static gint ett_TYPE_44 = -1;
196 static gint ett_DELTA_UNION = -1;
197 static gint ett_LM_OWF_PASSWORD = -1;
198 static gint ett_NT_OWF_PASSWORD = -1;
199 static gint ett_GROUP_MEMBERSHIP = -1;
200 static gint ett_BLOB = -1;
201 static gint ett_DSROLE_DOMAIN_INFO_EX = -1;
203 static e_uuid_t uuid_dcerpc_netlogon = {
204 0x12345678, 0x1234, 0xabcd,
205 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
208 static guint16 ver_dcerpc_netlogon = 1;
213 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
214 packet_info *pinfo, proto_tree *tree,
217 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
218 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
219 "Server Handle", hf_netlogon_logonsrv_handle, 0);
225 * IDL typedef struct {
226 * IDL [unique][string] wchar_t *effective_name;
228 * IDL long auth_flags;
229 * IDL long logon_count;
230 * IDL long bad_pw_count;
231 * IDL long last_logon;
232 * IDL long last_logoff;
233 * IDL long logoff_time;
234 * IDL long kickoff_time;
235 * IDL long password_age;
236 * IDL long pw_can_change;
237 * IDL long pw_must_change;
238 * IDL [unique][string] wchar_t *computer;
239 * IDL [unique][string] wchar_t *domain;
240 * IDL [unique][string] wchar_t *script_path;
244 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
245 packet_info *pinfo, proto_tree *tree,
250 di=pinfo->private_data;
251 if(di->conformant_run){
252 /*just a run to handle conformant arrays, nothing to dissect */
256 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
257 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
258 "Effective Account", hf_netlogon_acct_name, 0);
260 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
261 hf_netlogon_priv, NULL);
263 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
264 hf_netlogon_auth_flags, NULL);
266 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
267 hf_netlogon_logon_count, NULL);
269 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
270 hf_netlogon_bad_pw_count, NULL);
272 /* XXX - are these all UNIX "time_t"s, like the time stamps in
275 Or are they, as per some RAP-based operations, UTIMEs? */
276 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
279 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
282 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
285 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
288 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
291 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
294 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
297 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
298 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
299 "Computer", hf_netlogon_computer_name, 0);
301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
302 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
303 "Domain", hf_netlogon_domain_name, 0);
305 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
306 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
307 "Script", hf_netlogon_logon_script, 0);
309 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
310 hf_netlogon_reserved, NULL);
316 * IDL long NetLogonUasLogon(
317 * IDL [in][unique][string] wchar_t *ServerName,
318 * IDL [in][ref][string] wchar_t *UserName,
319 * IDL [in][ref][string] wchar_t *Workstation,
320 * IDL [out][unique] VALIDATION_UAS_INFO *info
324 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
325 packet_info *pinfo, proto_tree *tree, char *drep)
327 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
330 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
331 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
332 "Account", hf_netlogon_acct_name, 0);
334 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
335 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
336 "Workstation", hf_netlogon_workstation, 0);
343 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
344 packet_info *pinfo, proto_tree *tree, char *drep)
346 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
347 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
348 "VALIDATION_UAS_INFO", -1, 0);
350 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
351 hf_netlogon_rc, NULL);
357 * IDL typedef struct {
359 * IDL short logon_count;
360 * IDL } LOGOFF_UAS_INFO;
363 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
364 packet_info *pinfo, proto_tree *tree,
369 di=pinfo->private_data;
370 if(di->conformant_run){
371 /*just a run to handle conformant arrays, nothing to dissect */
375 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
378 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
379 hf_netlogon_logon_count16, NULL);
385 * IDL long NetLogonUasLogoff(
386 * IDL [in][unique][string] wchar_t *ServerName,
387 * IDL [in][ref][string] wchar_t *UserName,
388 * IDL [in][ref][string] wchar_t *Workstation,
389 * IDL [out][ref] LOGOFF_UAS_INFO *info
393 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
394 packet_info *pinfo, proto_tree *tree, char *drep)
396 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
399 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
400 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
401 "Account", hf_netlogon_acct_name, 0);
403 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
404 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
405 "Workstation", hf_netlogon_workstation, 0);
412 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
413 packet_info *pinfo, proto_tree *tree, char *drep)
415 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
416 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
417 "LOGOFF_UAS_INFO", -1, 0);
419 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
420 hf_netlogon_rc, NULL);
429 * IDL typedef struct {
430 * IDL UNICODESTRING LogonDomainName;
431 * IDL long ParameterControl;
432 * IDL uint64 LogonID;
433 * IDL UNICODESTRING UserName;
434 * IDL UNICODESTRING Workstation;
435 * IDL } LOGON_IDENTITY_INFO;
438 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
439 packet_info *pinfo, proto_tree *parent_tree,
442 proto_item *item=NULL;
443 proto_tree *tree=NULL;
444 int old_offset=offset;
447 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
449 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
452 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
453 hf_netlogon_logon_dom, 0);
455 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
456 hf_netlogon_param_ctrl, NULL);
458 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
459 hf_netlogon_logon_id, NULL);
461 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
462 hf_netlogon_acct_name, 0);
464 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
465 hf_netlogon_workstation, 0);
468 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
469 /* XXX 8 extra bytes here */
470 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
471 the idl file. Could be a bug in either the NETLOGON implementation or in the
474 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
477 proto_item_set_len(item, offset-old_offset);
483 * IDL typedef struct {
484 * IDL char password[16];
485 * IDL } LM_OWF_PASSWORD;
488 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
489 packet_info *pinfo, proto_tree *parent_tree,
492 proto_item *item=NULL;
493 proto_tree *tree=NULL;
496 di=pinfo->private_data;
497 if(di->conformant_run){
498 /*just a run to handle conformant arrays, nothing to dissect.*/
503 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
505 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
508 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
516 * IDL typedef struct {
517 * IDL char password[16];
518 * IDL } NT_OWF_PASSWORD;
521 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
522 packet_info *pinfo, proto_tree *parent_tree,
525 proto_item *item=NULL;
526 proto_tree *tree=NULL;
529 di=pinfo->private_data;
530 if(di->conformant_run){
531 /*just a run to handle conformant arrays, nothing to dissect.*/
536 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
538 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
541 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
550 * IDL typedef struct {
551 * IDL LOGON_IDENTITY_INFO identity_info;
552 * IDL LM_OWF_PASSWORD lmpassword;
553 * IDL NT_OWF_PASSWORD ntpassword;
554 * IDL } INTERACTIVE_INFO;
557 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
558 packet_info *pinfo, proto_tree *tree,
561 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
564 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
567 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
574 * IDL typedef struct {
579 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
580 packet_info *pinfo, proto_tree *tree,
585 di=pinfo->private_data;
586 if(di->conformant_run){
587 /*just a run to handle conformant arrays, nothing to dissect.*/
591 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
599 * IDL typedef struct {
600 * IDL LOGON_IDENTITY_INFO logon_info;
601 * IDL CHALLENGE chal;
602 * IDL STRING ntchallengeresponse;
603 * IDL STRING lmchallengeresponse;
604 * IDL } NETWORK_INFO;
607 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
608 packet_info *pinfo, proto_tree *tree,
611 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
614 offset = netlogon_dissect_CHALLENGE(tvb, offset,
617 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
618 hf_netlogon_nt_chal_resp, 0);
620 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
621 hf_netlogon_lm_chal_resp, 0);
627 * IDL typedef struct {
628 * IDL LOGON_IDENTITY_INFO logon_info;
629 * IDL LM_OWF_PASSWORD lmpassword;
630 * IDL NT_OWF_PASSWORD ntpassword;
631 * IDL } SERVICE_INFO;
634 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
635 packet_info *pinfo, proto_tree *tree,
638 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
641 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
644 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
651 * IDL typedef [switch_type(short)] union {
652 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
653 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
654 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
658 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
659 packet_info *pinfo, proto_tree *tree,
664 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
665 hf_netlogon_level16, &level);
670 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
671 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
672 "INTERACTIVE_INFO:", -1, 0);
675 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
676 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
677 "NETWORK_INFO:", -1, 0);
680 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
681 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
682 "SERVICE_INFO:", -1, 0);
690 * IDL typedef struct {
695 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
696 packet_info *pinfo, proto_tree *tree,
701 di=pinfo->private_data;
702 if(di->conformant_run){
703 /*just a run to handle conformant arrays, nothing to dissect.*/
707 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
716 * IDL typedef struct {
717 * IDL CREDENTIAL cred;
718 * IDL long timestamp;
719 * IDL } AUTHENTICATOR;
722 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
723 packet_info *pinfo, proto_tree *tree,
729 di=pinfo->private_data;
730 if(di->conformant_run){
731 /*just a run to handle conformant arrays, nothing to dissect */
735 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
739 * XXX - this appears to be a UNIX time_t in some credentials, but
740 * appears to be random junk in other credentials.
741 * For example, it looks like a UNIX time_t in "credential"
742 * AUTHENTICATORs, but like random junk in "return_authenticator"
746 ts.secs = tvb_get_letohl(tvb, offset);
748 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
756 * IDL typedef struct {
758 * IDL long attributes;
759 * IDL } GROUP_MEMBERSHIP;
762 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
763 packet_info *pinfo, proto_tree *parent_tree,
766 proto_item *item=NULL;
767 proto_tree *tree=NULL;
770 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
771 "GROUP_MEMBERSHIP:");
772 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
775 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
776 hf_netlogon_user_rid, NULL);
778 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
779 hf_netlogon_attrs, NULL);
785 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
786 packet_info *pinfo, proto_tree *tree,
789 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
790 netlogon_dissect_GROUP_MEMBERSHIP);
796 * IDL typedef struct {
797 * IDL char user_session_key[16];
798 * IDL } USER_SESSION_KEY;
801 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
802 packet_info *pinfo, proto_tree *tree,
807 di=pinfo->private_data;
808 if(di->conformant_run){
809 /*just a run to handle conformant arrays, nothing to dissect.*/
813 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
821 * IDL typedef struct {
822 * IDL uint64 LogonTime;
823 * IDL uint64 LogoffTime;
824 * IDL uint64 KickOffTime;
825 * IDL uint64 PasswdLastSet;
826 * IDL uint64 PasswdCanChange;
827 * IDL uint64 PasswdMustChange;
828 * IDL unicodestring effectivename;
829 * IDL unicodestring fullname;
830 * IDL unicodestring logonscript;
831 * IDL unicodestring profilepath;
832 * IDL unicodestring homedirectory;
833 * IDL unicodestring homedirectorydrive;
834 * IDL short LogonCount;
835 * IDL short BadPasswdCount;
837 * IDL long primarygroup;
838 * IDL long groupcount;
839 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
840 * IDL long userflags;
841 * IDL USER_SESSION_KEY key;
842 * IDL unicodestring logonserver;
843 * IDL unicodestring domainname;
844 * IDL [unique] SID logondomainid;
845 * IDL long expansionroom[10];
846 * IDL } VALIDATION_SAM_INFO;
849 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
850 packet_info *pinfo, proto_tree *tree,
855 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
856 hf_netlogon_logon_time);
858 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
859 hf_netlogon_logoff_time);
861 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
862 hf_netlogon_kickoff_time);
864 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
865 hf_netlogon_pwd_last_set_time);
867 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
868 hf_netlogon_pwd_can_change_time);
870 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
871 hf_netlogon_pwd_must_change_time);
873 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
874 hf_netlogon_acct_name, 0);
876 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
877 hf_netlogon_full_name, 0);
879 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
880 hf_netlogon_logon_script, 0);
882 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
883 hf_netlogon_profile_path, 0);
885 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
886 hf_netlogon_home_dir, 0);
888 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
889 hf_netlogon_dir_drive, 0);
891 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
892 hf_netlogon_logon_count16, NULL);
894 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
895 hf_netlogon_bad_pw_count16, NULL);
897 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
898 hf_netlogon_user_rid, NULL);
900 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
901 hf_netlogon_group_rid, NULL);
903 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
904 hf_netlogon_num_rids, NULL);
906 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
907 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
908 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
910 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
911 hf_netlogon_user_flags, NULL);
913 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
916 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
917 hf_netlogon_logon_srv, 0);
919 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
920 hf_netlogon_logon_dom, 0);
922 offset = dissect_ndr_nt_PSID(tvb, offset,
926 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
927 hf_netlogon_reserved, NULL);
936 * IDL typedef struct {
937 * IDL uint64 LogonTime;
938 * IDL uint64 LogoffTime;
939 * IDL uint64 KickOffTime;
940 * IDL uint64 PasswdLastSet;
941 * IDL uint64 PasswdCanChange;
942 * IDL uint64 PasswdMustChange;
943 * IDL unicodestring effectivename;
944 * IDL unicodestring fullname;
945 * IDL unicodestring logonscript;
946 * IDL unicodestring profilepath;
947 * IDL unicodestring homedirectory;
948 * IDL unicodestring homedirectorydrive;
949 * IDL short LogonCount;
950 * IDL short BadPasswdCount;
952 * IDL long primarygroup;
953 * IDL long groupcount;
954 * IDL [unique] GROUP_MEMBERSHIP *groupids;
955 * IDL long userflags;
956 * IDL USER_SESSION_KEY key;
957 * IDL unicodestring logonserver;
958 * IDL unicodestring domainname;
959 * IDL [unique] SID logondomainid;
960 * IDL long expansionroom[10];
962 * IDL [unique] SID_AND_ATTRIBS;
963 * IDL } VALIDATION_SAM_INFO2;
966 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
967 packet_info *pinfo, proto_tree *tree,
972 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
973 hf_netlogon_logon_time);
975 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
976 hf_netlogon_logoff_time);
978 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
979 hf_netlogon_kickoff_time);
981 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
982 hf_netlogon_pwd_last_set_time);
984 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
985 hf_netlogon_pwd_can_change_time);
987 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
988 hf_netlogon_pwd_must_change_time);
990 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
991 hf_netlogon_acct_name, 0);
993 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
994 hf_netlogon_full_name, 0);
996 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
997 hf_netlogon_logon_script, 0);
999 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1000 hf_netlogon_profile_path, 0);
1002 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1003 hf_netlogon_home_dir, 0);
1005 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1006 hf_netlogon_dir_drive, 0);
1008 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1009 hf_netlogon_logon_count16, NULL);
1011 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1012 hf_netlogon_bad_pw_count16, NULL);
1014 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1015 hf_netlogon_user_rid, NULL);
1017 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1018 hf_netlogon_group_rid, NULL);
1020 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1021 hf_netlogon_num_rids, NULL);
1023 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1024 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1025 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
1027 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1028 hf_netlogon_user_flags, NULL);
1030 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1033 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1034 hf_netlogon_logon_srv, 0);
1036 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1037 hf_netlogon_logon_dom, 0);
1039 offset = dissect_ndr_nt_PSID(tvb, offset,
1043 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1044 hf_netlogon_unknown_long, NULL);
1047 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1048 hf_netlogon_num_other_groups, NULL);
1050 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1051 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1052 "SID_AND_ATTRIBUTES_ARRAY:", -1, 0);
1060 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1061 packet_info *pinfo, proto_tree *tree,
1067 di=pinfo->private_data;
1068 if(di->conformant_run){
1069 /*just a run to handle conformant arrays, nothing to dissect */
1073 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1074 hf_netlogon_pac_size, &pac_size);
1076 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1084 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1085 packet_info *pinfo, proto_tree *tree,
1091 di=pinfo->private_data;
1092 if(di->conformant_run){
1093 /*just a run to handle conformant arrays, nothing to dissect */
1097 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1098 hf_netlogon_auth_size, &auth_size);
1100 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1102 offset += auth_size;
1109 * IDL typedef struct {
1111 * IDL [unique][size_is(pac_size)] char *pac;
1112 * IDL UNICODESTRING logondomain;
1113 * IDL UNICODESTRING logonserver;
1114 * IDL UNICODESTRING principalname;
1115 * IDL long auth_size;
1116 * IDL [unique][size_is(auth_size)] char *auth;
1117 * IDL USER_SESSION_KEY user_session_key;
1118 * IDL long expansionroom[10];
1119 * IDL UNICODESTRING dummy1;
1120 * IDL UNICODESTRING dummy2;
1121 * IDL UNICODESTRING dummy3;
1122 * IDL UNICODESTRING dummy4;
1123 * IDL } VALIDATION_PAC_INFO;
1126 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1127 packet_info *pinfo, proto_tree *tree,
1132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1133 hf_netlogon_pac_size, NULL);
1135 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1136 netlogon_dissect_PAC, NDR_POINTER_UNIQUE,
1139 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1140 hf_netlogon_logon_dom, 0);
1142 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1143 hf_netlogon_logon_srv, 0);
1145 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1146 hf_netlogon_principal, 0);
1148 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1149 hf_netlogon_auth_size, NULL);
1151 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1152 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE,
1155 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1159 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1160 hf_netlogon_unknown_long, NULL);
1163 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1164 hf_netlogon_dummy, 0);
1166 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1167 hf_netlogon_dummy, 0);
1169 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1170 hf_netlogon_dummy, 0);
1172 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1173 hf_netlogon_dummy, 0);
1180 * IDL typedef [switch_type(short)] union {
1181 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1182 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1183 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1184 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1188 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1189 packet_info *pinfo, proto_tree *tree,
1194 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1195 hf_netlogon_validation_level, &level);
1200 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1201 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1202 "VALIDATION_SAM_INFO:", -1, 0);
1205 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1206 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1207 "VALIDATION_SAM_INFO2:", -1, 0);
1210 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1211 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1212 "VALIDATION_PAC_INFO:", -1, 0);
1215 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1216 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1217 "VALIDATION_PAC_INFO:", -1, 0);
1226 * IDL long NetLogonSamLogon(
1227 * IDL [in][unique][string] wchar_t *ServerName,
1228 * IDL [in][unique][string] wchar_t *Workstation,
1229 * IDL [in][unique] AUTHENTICATOR *credential,
1230 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1231 * IDL [in] short LogonLevel,
1232 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1233 * IDL [in] short ValidationLevel,
1234 * IDL [out][ref] VALIDATION *validation,
1235 * IDL [out][ref] boolean Authorative
1239 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1240 packet_info *pinfo, proto_tree *tree, char *drep)
1242 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1245 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1246 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1247 "Computer Name", hf_netlogon_computer_name, 0);
1249 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1250 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1251 "AUTHENTICATOR: credential", -1, 0);
1253 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1254 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1255 "AUTHENTICATOR: return_authenticator", -1, 0);
1257 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1258 hf_netlogon_level16, NULL);
1260 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1261 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1262 "LEVEL: LogonLevel", -1, 0);
1264 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1265 hf_netlogon_validation_level, NULL);
1271 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1272 packet_info *pinfo, proto_tree *tree, char *drep)
1274 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1275 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1276 "AUTHENTICATOR: return_authenticator", -1, 0);
1278 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1279 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1280 "VALIDATION:", -1, 0);
1282 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1283 hf_netlogon_authoritative, NULL);
1285 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1286 hf_netlogon_rc, NULL);
1293 * IDL long NetLogonSamLogoff(
1294 * IDL [in][unique][string] wchar_t *ServerName,
1295 * IDL [in][unique][string] wchar_t *ComputerName,
1296 * IDL [in][unique] AUTHENTICATOR credential,
1297 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1298 * IDL [in] short logon_level,
1299 * IDL [in][ref] LEVEL logoninformation
1303 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1304 packet_info *pinfo, proto_tree *tree, char *drep)
1306 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1309 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1310 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1311 "Computer Name", hf_netlogon_computer_name, 0);
1313 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1314 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1315 "AUTHENTICATOR: credential", -1, 0);
1317 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1318 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1319 "AUTHENTICATOR: return_authenticator", -1, 0);
1321 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1322 hf_netlogon_level16, NULL);
1324 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1325 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1326 "LEVEL: logoninformation", -1, 0);
1331 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1332 packet_info *pinfo, proto_tree *tree, char *drep)
1335 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1336 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1337 "AUTHENTICATOR: return_authenticator", -1, 0);
1339 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1340 hf_netlogon_rc, NULL);
1347 * IDL long NetServerReqChallenge(
1348 * IDL [in][unique][string] wchar_t *ServerName,
1349 * IDL [in][ref][string] wchar_t *ComputerName,
1350 * IDL [in][ref] CREDENTIAL client_credential,
1351 * IDL [out][ref] CREDENTIAL server_credential
1355 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1356 packet_info *pinfo, proto_tree *tree, char *drep)
1358 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1361 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1362 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1363 "Computer Name", hf_netlogon_computer_name, 0);
1365 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1366 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1367 "CREDENTIAL: client challenge", -1, 0);
1372 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1373 packet_info *pinfo, proto_tree *tree, char *drep)
1375 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1376 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1377 "CREDENTIAL: server credential", -1, 0);
1379 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1380 hf_netlogon_rc, NULL);
1387 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1388 packet_info *pinfo, proto_tree *tree,
1391 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1392 hf_netlogon_secure_channel_type, NULL);
1399 * IDL long NetServerAuthenticate(
1400 * IDL [in][unique][string] wchar_t *ServerName,
1401 * IDL [in][ref][string] wchar_t *UserName,
1402 * IDL [in] short secure_challenge_type,
1403 * IDL [in][ref][string] wchar_t *ComputerName,
1404 * IDL [in][ref] CREDENTIAL client_challenge,
1405 * IDL [out][ref] CREDENTIAL server_challenge
1409 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1410 packet_info *pinfo, proto_tree *tree, char *drep)
1412 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1415 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1416 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1417 "User Name", hf_netlogon_acct_name, 0);
1419 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1422 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1423 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1424 "Computer Name", hf_netlogon_computer_name, 0);
1426 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1427 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1428 "CREDENTIAL: client challenge", -1, 0);
1433 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1434 packet_info *pinfo, proto_tree *tree, char *drep)
1436 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1437 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1438 "CREDENTIAL: server challenge", -1, 0);
1440 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1441 hf_netlogon_rc, NULL);
1449 * IDL typedef struct {
1450 * IDL char encrypted_password[16];
1451 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1454 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1455 packet_info *pinfo, proto_tree *tree,
1460 di=pinfo->private_data;
1461 if(di->conformant_run){
1462 /*just a run to handle conformant arrays, nothing to dissect.*/
1466 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1474 * IDL long NetServerPasswordSet(
1475 * IDL [in][unique][string] wchar_t *ServerName,
1476 * IDL [in][ref][string] wchar_t *UserName,
1477 * IDL [in] short secure_challenge_type,
1478 * IDL [in][ref][string] wchar_t *ComputerName,
1479 * IDL [in][ref] AUTHENTICATOR credential,
1480 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1481 * IDL [out][ref] AUTHENTICATOR return_authenticator
1485 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1486 packet_info *pinfo, proto_tree *tree, char *drep)
1488 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1491 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1492 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1493 "User Name", hf_netlogon_acct_name, 0);
1495 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1498 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1499 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1500 "Computer Name", hf_netlogon_computer_name, 0);
1502 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1503 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1504 "AUTHENTICATOR: credential", -1, 0);
1506 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1507 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1508 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1, 0);
1513 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1514 packet_info *pinfo, proto_tree *tree, char *drep)
1516 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1517 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1518 "AUTHENTICATOR: return_authenticator", -1, 0);
1520 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1521 hf_netlogon_rc, NULL);
1528 * IDL typedef struct {
1529 * IDL [unique][string] wchar_t *UserName;
1530 * IDL UNICODESTRING dummy1;
1531 * IDL UNICODESTRING dummy2;
1532 * IDL UNICODESTRING dummy3;
1533 * IDL UNICODESTRING dummy4;
1538 * IDL } DELTA_DELETE_USER;
1541 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1542 packet_info *pinfo, proto_tree *tree,
1545 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1546 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1547 "Account Name", hf_netlogon_acct_name, -1);
1549 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1550 hf_netlogon_dummy, 0);
1552 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1553 hf_netlogon_dummy, 0);
1555 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1556 hf_netlogon_dummy, 0);
1558 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1559 hf_netlogon_dummy, 0);
1561 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1562 hf_netlogon_reserved, NULL);
1564 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1565 hf_netlogon_reserved, NULL);
1567 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1568 hf_netlogon_reserved, NULL);
1570 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1571 hf_netlogon_reserved, NULL);
1578 * IDL typedef struct {
1579 * IDL bool SensitiveDataFlag;
1580 * IDL long DataLength;
1581 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1582 * IDL } USER_PRIVATE_INFO;
1585 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1586 packet_info *pinfo, proto_tree *tree,
1592 di=pinfo->private_data;
1593 if(di->conformant_run){
1594 /*just a run to handle conformant arrays, nothing to dissect */
1598 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1599 hf_netlogon_sensitive_data_len, &data_len);
1601 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
1608 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1609 packet_info *pinfo, proto_tree *tree,
1612 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1613 hf_netlogon_sensitive_data_flag, NULL);
1615 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1616 hf_netlogon_sensitive_data_len, NULL);
1618 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1619 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1620 "SENSITIVE_DATA", -1, 0);
1626 * IDL typedef struct {
1627 * IDL UNICODESTRING UserName;
1628 * IDL UNICODESTRING FullName;
1630 * IDL long PrimaryGroupID;
1631 * IDL UNICODESTRING HomeDir;
1632 * IDL UNICODESTRING HomeDirDrive;
1633 * IDL UNICODESTRING LogonScript;
1634 * IDL UNICODESTRING Comment;
1635 * IDL UNICODESTRING Workstations;
1636 * IDL NTTIME LastLogon;
1637 * IDL NTTIME LastLogoff;
1638 * IDL LOGON_HOURS logonhours;
1639 * IDL short BadPwCount;
1640 * IDL short LogonCount;
1641 * IDL NTTIME PwLastSet;
1642 * IDL NTTIME AccountExpires;
1643 * IDL long AccountControl;
1644 * IDL LM_OWF_PASSWORD lmpw;
1645 * IDL NT_OWF_PASSWORD ntpw;
1646 * IDL bool NTPwPresent;
1647 * IDL bool LMPwPresent;
1648 * IDL bool PwExpired;
1649 * IDL UNICODESTRING UserComment;
1650 * IDL UNICODESTRING Parameters;
1651 * IDL short CountryCode;
1652 * IDL short CodePage;
1653 * IDL USER_PRIVATE_INFO user_private_info;
1654 * IDL long SecurityInformation;
1655 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1656 * IDL UNICODESTRING dummy1;
1657 * IDL UNICODESTRING dummy2;
1658 * IDL UNICODESTRING dummy3;
1659 * IDL UNICODESTRING dummy4;
1667 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1668 packet_info *pinfo, proto_tree *tree,
1671 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1672 hf_netlogon_acct_name, 0);
1674 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1675 hf_netlogon_full_name, 0);
1677 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1678 hf_netlogon_user_rid, NULL);
1680 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1681 hf_netlogon_group_rid, NULL);
1683 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1684 hf_netlogon_home_dir, 0);
1686 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1687 hf_netlogon_dir_drive, 0);
1689 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1690 hf_netlogon_logon_script, 0);
1692 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1693 hf_netlogon_acct_desc, 0);
1695 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1696 hf_netlogon_workstations, 0);
1698 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1699 hf_netlogon_logon_time);
1701 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1702 hf_netlogon_logoff_time);
1704 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1706 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1707 hf_netlogon_bad_pw_count16, NULL);
1709 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1710 hf_netlogon_logon_count16, NULL);
1712 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1713 hf_netlogon_pwd_last_set_time);
1715 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1716 hf_netlogon_acct_expiry_time);
1718 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
1720 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1723 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1726 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1727 hf_netlogon_nt_pwd_present, NULL);
1729 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1730 hf_netlogon_lm_pwd_present, NULL);
1732 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1733 hf_netlogon_pwd_expired, NULL);
1735 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1736 hf_netlogon_comment, 0);
1738 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1739 hf_netlogon_parameters, 0);
1741 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1742 hf_netlogon_country, NULL);
1744 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1745 hf_netlogon_codepage, NULL);
1747 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1750 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1751 hf_netlogon_security_information, NULL);
1753 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1756 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1757 hf_netlogon_dummy, 0);
1759 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1760 hf_netlogon_dummy, 0);
1762 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1763 hf_netlogon_dummy, 0);
1765 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1766 hf_netlogon_dummy, 0);
1768 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_reserved, NULL);
1771 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1772 hf_netlogon_reserved, NULL);
1774 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1775 hf_netlogon_reserved, NULL);
1777 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1778 hf_netlogon_reserved, NULL);
1785 * IDL typedef struct {
1786 * IDL UNICODESTRING DomainName;
1787 * IDL UNICODESTRING OEMInfo;
1788 * IDL NTTIME forcedlogoff;
1789 * IDL short minpasswdlen;
1790 * IDL short passwdhistorylen;
1791 * IDL NTTIME pwd_must_change_time;
1792 * IDL NTTIME pwd_can_change_time;
1793 * IDL NTTIME domain_modify_time;
1794 * IDL NTTIME domain_create_time;
1795 * IDL long SecurityInformation;
1796 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1797 * IDL UNICODESTRING dummy1;
1798 * IDL UNICODESTRING dummy2;
1799 * IDL UNICODESTRING dummy3;
1800 * IDL UNICODESTRING dummy4;
1805 * IDL } DELTA_DOMAIN;
1808 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1809 packet_info *pinfo, proto_tree *tree,
1812 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1813 hf_netlogon_domain_name, 1);
1815 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1816 hf_netlogon_oem_info, 0);
1818 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1819 hf_netlogon_kickoff_time);
1821 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1822 hf_netlogon_minpasswdlen, NULL);
1824 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1825 hf_netlogon_passwdhistorylen, NULL);
1827 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1828 hf_netlogon_pwd_must_change_time);
1830 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1831 hf_netlogon_pwd_can_change_time);
1833 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1834 hf_netlogon_domain_modify_time);
1836 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1837 hf_netlogon_domain_create_time);
1839 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1840 hf_netlogon_security_information, NULL);
1842 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1845 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1846 hf_netlogon_dummy, 0);
1848 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1849 hf_netlogon_dummy, 0);
1851 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1852 hf_netlogon_dummy, 0);
1854 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1855 hf_netlogon_dummy, 0);
1857 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1858 hf_netlogon_reserved, NULL);
1860 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1861 hf_netlogon_reserved, NULL);
1863 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1864 hf_netlogon_reserved, NULL);
1866 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1867 hf_netlogon_reserved, NULL);
1874 * IDL typedef struct {
1875 * IDL UNICODESTRING groupname;
1876 * IDL GROUP_MEMBERSHIP group_membership;
1877 * IDL UNICODESTRING comment;
1878 * IDL long SecurityInformation;
1879 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1880 * IDL UNICODESTRING dummy1;
1881 * IDL UNICODESTRING dummy2;
1882 * IDL UNICODESTRING dummy3;
1883 * IDL UNICODESTRING dummy4;
1888 * IDL } DELTA_GROUP;
1891 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1892 packet_info *pinfo, proto_tree *tree,
1895 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1896 hf_netlogon_group_name, 1);
1898 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1901 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1902 hf_netlogon_group_desc, 0);
1904 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1905 hf_netlogon_security_information, NULL);
1907 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1910 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1911 hf_netlogon_dummy, 0);
1913 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1914 hf_netlogon_dummy, 0);
1916 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1917 hf_netlogon_dummy, 0);
1919 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1920 hf_netlogon_dummy, 0);
1922 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1923 hf_netlogon_reserved, NULL);
1925 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1926 hf_netlogon_reserved, NULL);
1928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1929 hf_netlogon_reserved, NULL);
1931 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1932 hf_netlogon_reserved, NULL);
1939 * IDL typedef struct {
1940 * IDL UNICODESTRING OldName;
1941 * IDL UNICODESTRING NewName;
1942 * IDL UNICODESTRING dummy1;
1943 * IDL UNICODESTRING dummy2;
1944 * IDL UNICODESTRING dummy3;
1945 * IDL UNICODESTRING dummy4;
1950 * IDL } DELTA_RENAME;
1953 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
1954 packet_info *pinfo, proto_tree *tree,
1959 di=pinfo->private_data;
1961 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1964 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1967 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1968 hf_netlogon_dummy, 0);
1970 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1971 hf_netlogon_dummy, 0);
1973 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1974 hf_netlogon_dummy, 0);
1976 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1977 hf_netlogon_dummy, 0);
1979 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1980 hf_netlogon_reserved, NULL);
1982 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1983 hf_netlogon_reserved, NULL);
1985 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1986 hf_netlogon_reserved, NULL);
1988 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1989 hf_netlogon_reserved, NULL);
1996 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
1997 packet_info *pinfo, proto_tree *tree,
2000 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2001 hf_netlogon_user_rid, NULL);
2007 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2008 packet_info *pinfo, proto_tree *tree,
2011 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2012 netlogon_dissect_RID);
2018 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2019 packet_info *pinfo, proto_tree *tree,
2022 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2023 hf_netlogon_attrs, NULL);
2029 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2030 packet_info *pinfo, proto_tree *tree,
2033 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2034 netlogon_dissect_ATTRIB);
2040 * IDL typedef struct {
2041 * IDL [unique][size_is(num_rids)] long *rids;
2042 * IDL [unique][size_is(num_rids)] long *attribs;
2043 * IDL long num_rids;
2048 * IDL } DELTA_GROUP_MEMBER;
2051 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2052 packet_info *pinfo, proto_tree *tree,
2055 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2056 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2059 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2060 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2063 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2064 hf_netlogon_num_rids, NULL);
2066 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2067 hf_netlogon_reserved, NULL);
2069 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2070 hf_netlogon_reserved, NULL);
2072 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2073 hf_netlogon_reserved, NULL);
2075 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2076 hf_netlogon_reserved, NULL);
2083 * IDL typedef struct {
2084 * IDL UNICODESTRING alias_name;
2086 * IDL long SecurityInformation;
2087 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2088 * IDL UNICODESTRING dummy1;
2089 * IDL UNICODESTRING dummy2;
2090 * IDL UNICODESTRING dummy3;
2091 * IDL UNICODESTRING dummy4;
2096 * IDL } DELTA_ALIAS;
2099 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2100 packet_info *pinfo, proto_tree *tree,
2103 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2104 hf_netlogon_alias_name, 1);
2106 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2107 hf_netlogon_alias_rid, NULL);
2109 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2110 hf_netlogon_security_information, NULL);
2112 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2115 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2116 hf_netlogon_dummy, 0);
2118 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2119 hf_netlogon_dummy, 0);
2121 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2122 hf_netlogon_dummy, 0);
2124 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2125 hf_netlogon_dummy, 0);
2127 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2128 hf_netlogon_reserved, NULL);
2130 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2131 hf_netlogon_reserved, NULL);
2133 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2134 hf_netlogon_reserved, NULL);
2136 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2137 hf_netlogon_reserved, NULL);
2144 * IDL typedef struct {
2145 * IDL [unique] SID_ARRAY sids;
2150 * IDL } DELTA_ALIAS_MEMBER;
2153 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2154 packet_info *pinfo, proto_tree *tree,
2157 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2159 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2160 hf_netlogon_reserved, NULL);
2162 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2163 hf_netlogon_reserved, NULL);
2165 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2166 hf_netlogon_reserved, NULL);
2168 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2169 hf_netlogon_reserved, NULL);
2176 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2177 packet_info *pinfo, proto_tree *tree,
2180 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2181 hf_netlogon_event_audit_option, NULL);
2187 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2188 packet_info *pinfo, proto_tree *tree,
2191 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2192 netlogon_dissect_EVENT_AUDIT_OPTION);
2199 * IDL typedef struct {
2200 * IDL long pagedpoollimit;
2201 * IDL long nonpagedpoollimit;
2202 * IDL long minimumworkingsetsize;
2203 * IDL long maximumworkingsetsize;
2204 * IDL long pagefilelimit;
2205 * IDL NTTIME timelimit;
2206 * IDL } QUOTA_LIMITS;
2209 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2210 packet_info *pinfo, proto_tree *parent_tree,
2213 proto_item *item=NULL;
2214 proto_tree *tree=NULL;
2215 int old_offset=offset;
2218 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2220 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2223 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2224 hf_netlogon_pagedpoollimit, NULL);
2226 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2227 hf_netlogon_nonpagedpoollimit, NULL);
2229 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2230 hf_netlogon_minworkingsetsize, NULL);
2232 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2233 hf_netlogon_maxworkingsetsize, NULL);
2235 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2236 hf_netlogon_pagefilelimit, NULL);
2238 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2239 hf_netlogon_timelimit);
2241 proto_item_set_len(item, offset-old_offset);
2247 * IDL typedef struct {
2248 * IDL long maxlogsize;
2249 * IDL NTTIME auditretentionperiod;
2250 * IDL bool auditingmode;
2251 * IDL long maxauditeventcount;
2252 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2253 * IDL UNICODESTRING primarydomainname;
2254 * IDL [unique] SID *sid;
2255 * IDL QUOTA_LIMITS quota_limits;
2256 * IDL NTTIME db_modify_time;
2257 * IDL NTTIME db_create_time;
2258 * IDL long SecurityInformation;
2259 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2260 * IDL UNICODESTRING dummy1;
2261 * IDL UNICODESTRING dummy2;
2262 * IDL UNICODESTRING dummy3;
2263 * IDL UNICODESTRING dummy4;
2268 * IDL } DELTA_POLICY;
2271 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2272 packet_info *pinfo, proto_tree *tree,
2275 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2276 hf_netlogon_max_log_size, NULL);
2278 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2279 hf_netlogon_audit_retention_period);
2281 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2282 hf_netlogon_auditing_mode, NULL);
2284 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2285 hf_netlogon_max_audit_event_count, NULL);
2287 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2288 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2289 "Event Audit Options:", -1, 0);
2291 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2292 hf_netlogon_domain_name, 0);
2294 offset = dissect_ndr_nt_PSID(tvb, offset,
2297 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2300 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2301 hf_netlogon_db_modify_time);
2303 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2304 hf_netlogon_db_create_time);
2306 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2307 hf_netlogon_security_information, NULL);
2309 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2312 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2313 hf_netlogon_dummy, 0);
2315 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2316 hf_netlogon_dummy, 0);
2318 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2319 hf_netlogon_dummy, 0);
2321 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2322 hf_netlogon_dummy, 0);
2324 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2325 hf_netlogon_reserved, NULL);
2327 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2328 hf_netlogon_reserved, NULL);
2330 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2331 hf_netlogon_reserved, NULL);
2333 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2334 hf_netlogon_reserved, NULL);
2341 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2342 packet_info *pinfo, proto_tree *tree,
2345 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2346 hf_netlogon_dc_name, 1);
2352 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2353 packet_info *pinfo, proto_tree *tree,
2356 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2357 netlogon_dissect_CONTROLLER);
2364 * IDL typedef struct {
2365 * IDL UNICODESTRING DomainName;
2366 * IDL long num_controllers;
2367 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2368 * IDL long SecurityInformation;
2369 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2370 * IDL UNICODESTRING dummy1;
2371 * IDL UNICODESTRING dummy2;
2372 * IDL UNICODESTRING dummy3;
2373 * IDL UNICODESTRING dummy4;
2378 * IDL } DELTA_TRUSTED_DOMAINS;
2381 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2382 packet_info *pinfo, proto_tree *tree,
2385 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2386 hf_netlogon_domain_name, 0);
2388 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2389 hf_netlogon_num_controllers, NULL);
2391 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2392 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2393 "Domain Controllers:", -1, 0);
2395 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2396 hf_netlogon_security_information, NULL);
2398 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2401 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2402 hf_netlogon_dummy, 0);
2404 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2405 hf_netlogon_dummy, 0);
2407 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2408 hf_netlogon_dummy, 0);
2410 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2411 hf_netlogon_dummy, 0);
2413 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2414 hf_netlogon_reserved, NULL);
2416 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2417 hf_netlogon_reserved, NULL);
2419 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2420 hf_netlogon_reserved, NULL);
2422 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2423 hf_netlogon_reserved, NULL);
2430 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2431 packet_info *pinfo, proto_tree *tree,
2434 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2435 hf_netlogon_attrs, NULL);
2441 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2442 packet_info *pinfo, proto_tree *tree,
2445 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2446 netlogon_dissect_PRIV_ATTR);
2452 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2453 packet_info *pinfo, proto_tree *tree,
2456 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2457 hf_netlogon_privilege_name, 1);
2463 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2464 packet_info *pinfo, proto_tree *tree,
2467 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2468 netlogon_dissect_PRIV_NAME);
2476 * IDL typedef struct {
2477 * IDL long privilegeentries;
2478 * IDL long provolegecontrol;
2479 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2480 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2481 * IDL QUOTALIMITS quotalimits;
2482 * IDL long SecurityInformation;
2483 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2484 * IDL UNICODESTRING dummy1;
2485 * IDL UNICODESTRING dummy2;
2486 * IDL UNICODESTRING dummy3;
2487 * IDL UNICODESTRING dummy4;
2492 * IDL } DELTA_ACCOUNTS;
2495 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2496 packet_info *pinfo, proto_tree *tree,
2499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2500 hf_netlogon_privilege_entries, NULL);
2502 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2503 hf_netlogon_privilege_control, NULL);
2505 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2506 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2507 "PRIV_ATTR_ARRAY:", -1, 0);
2509 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2510 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2511 "PRIV_NAME_ARRAY:", -1, 0);
2513 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2516 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2517 hf_netlogon_systemflags, NULL);
2519 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2520 hf_netlogon_security_information, NULL);
2522 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2525 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2526 hf_netlogon_dummy, 0);
2528 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2529 hf_netlogon_dummy, 0);
2531 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2532 hf_netlogon_dummy, 0);
2534 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2535 hf_netlogon_dummy, 0);
2537 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2538 hf_netlogon_reserved, NULL);
2540 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2541 hf_netlogon_reserved, NULL);
2543 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2544 hf_netlogon_reserved, NULL);
2546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2547 hf_netlogon_reserved, NULL);
2553 * IDL typedef struct {
2556 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2557 * IDL } CIPHER_VALUE;
2560 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2561 packet_info *pinfo, proto_tree *tree,
2567 di=pinfo->private_data;
2568 if(di->conformant_run){
2569 /*just a run to handle conformant arrays, nothing to dissect */
2573 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2574 hf_netlogon_cipher_maxlen, NULL);
2579 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2580 hf_netlogon_cipher_len, &data_len);
2582 proto_tree_add_item(tree, di->hf_index, tvb, offset,
2589 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2590 packet_info *pinfo, proto_tree *parent_tree,
2591 char *drep, char *name, int hf_index)
2593 proto_item *item=NULL;
2594 proto_tree *tree=NULL;
2595 int old_offset=offset;
2598 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2600 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2603 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2604 hf_netlogon_cipher_len, NULL);
2606 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2607 hf_netlogon_cipher_maxlen, NULL);
2609 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2610 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
2613 proto_item_set_len(item, offset-old_offset);
2618 * IDL typedef struct {
2619 * IDL CIPHER_VALUE current_cipher;
2620 * IDL NTTIME current_cipher_set_time;
2621 * IDL CIPHER_VALUE old_cipher;
2622 * IDL NTTIME old_cipher_set_time;
2623 * IDL long SecurityInformation;
2624 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2625 * IDL UNICODESTRING dummy1;
2626 * IDL UNICODESTRING dummy2;
2627 * IDL UNICODESTRING dummy3;
2628 * IDL UNICODESTRING dummy4;
2633 * IDL } DELTA_SECRET;
2636 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2637 packet_info *pinfo, proto_tree *tree,
2640 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2642 "CIPHER_VALUE: current cipher value",
2643 hf_netlogon_cipher_current_data);
2645 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2646 hf_netlogon_cipher_current_set_time);
2648 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2650 "CIPHER_VALUE: old cipher value",
2651 hf_netlogon_cipher_old_data);
2653 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2654 hf_netlogon_cipher_old_set_time);
2656 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2657 hf_netlogon_security_information, NULL);
2659 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2662 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2663 hf_netlogon_dummy, 0);
2665 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2666 hf_netlogon_dummy, 0);
2668 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2669 hf_netlogon_dummy, 0);
2671 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2672 hf_netlogon_dummy, 0);
2674 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2675 hf_netlogon_reserved, NULL);
2677 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2678 hf_netlogon_reserved, NULL);
2680 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2681 hf_netlogon_reserved, NULL);
2683 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2684 hf_netlogon_reserved, NULL);
2690 * IDL typedef struct {
2691 * IDL long low_value;
2692 * IDL long high_value;
2696 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2697 packet_info *pinfo, proto_tree *tree,
2700 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2701 hf_netlogon_modify_count, NULL);
2707 #define DT_DELTA_DOMAIN 1
2708 #define DT_DELTA_GROUP 2
2709 #define DT_DELTA_RENAME_GROUP 4
2710 #define DT_DELTA_USER 5
2711 #define DT_DELTA_RENAME_USER 7
2712 #define DT_DELTA_GROUP_MEMBER 8
2713 #define DT_DELTA_ALIAS 9
2714 #define DT_DELTA_RENAME_ALIAS 11
2715 #define DT_DELTA_ALIAS_MEMBER 12
2716 #define DT_DELTA_POLICY 13
2717 #define DT_DELTA_TRUSTED_DOMAINS 14
2718 #define DT_DELTA_ACCOUNTS 16
2719 #define DT_DELTA_SECRET 18
2720 #define DT_DELTA_DELETE_GROUP 20
2721 #define DT_DELTA_DELETE_USER 21
2722 #define DT_MODIFIED_COUNT 22
2723 static const value_string delta_type_vals[] = {
2724 { DT_DELTA_DOMAIN, "Domain" },
2725 { DT_DELTA_GROUP, "Group" },
2726 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2727 { DT_DELTA_USER, "User" },
2728 { DT_DELTA_RENAME_USER, "Rename User" },
2729 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2730 { DT_DELTA_ALIAS, "Alias" },
2731 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2732 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2733 { DT_DELTA_POLICY, "Policy" },
2734 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2735 { DT_DELTA_ACCOUNTS, "Accounts" },
2736 { DT_DELTA_SECRET, "Secret" },
2737 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2738 { DT_DELTA_DELETE_USER, "Delete User" },
2739 { DT_MODIFIED_COUNT, "Modified Count" },
2743 * IDL typedef [switch_type(short)] union {
2744 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2745 * IDL [case(2)][unique] DELTA_GROUP *group;
2746 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2747 * IDL [case(5)][unique] DELTA_USER *user;
2748 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2749 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2750 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2751 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2752 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2753 * IDL [case(13)][unique] DELTA_POLICY *policy;
2754 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2755 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2756 * IDL [case(18)][unique] DELTA_SECRET *secret;
2757 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2758 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2759 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2760 * IDL } DELTA_UNION;
2763 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2764 packet_info *pinfo, proto_tree *parent_tree,
2767 proto_item *item=NULL;
2768 proto_tree *tree=NULL;
2769 int old_offset=offset;
2773 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2775 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2778 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2779 hf_netlogon_delta_type, &level);
2784 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2785 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2786 "DELTA_DOMAIN:", -1, 0);
2789 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2790 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2791 "DELTA_GROUP:", -1, 0);
2794 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2795 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2796 "DELTA_RENAME_GROUP:", hf_netlogon_group_name, 0);
2799 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2800 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2801 "DELTA_USER:", -1, 0);
2804 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2805 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2806 "DELTA_RENAME_USER:", hf_netlogon_acct_name, 0);
2809 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2810 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2811 "DELTA_GROUP_MEMBER:", -1, 0);
2814 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2815 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2816 "DELTA_ALIAS:", -1, 0);
2819 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2820 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2821 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name, 0);
2824 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2825 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2826 "DELTA_ALIAS_MEMBER:", -1, 0);
2829 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2830 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2831 "DELTA_POLICY:", -1, 0);
2834 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2835 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2836 "DELTA_TRUSTED_DOMAINS:", -1, 0);
2839 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2840 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2841 "DELTA_ACCOUNTS:", -1, 0);
2844 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2845 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2846 "DELTA_SECRET:", -1, 0);
2849 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2850 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2851 "DELTA_DELETE_GROUP:", -1, 0);
2854 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2855 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2856 "DELTA_DELETE_USER:", -1, 0);
2859 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2860 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2861 "MODIFIED_COUNT:", -1, 0);
2865 proto_item_set_len(item, offset-old_offset);
2871 /* IDL XXX must verify this one, especially 13-19
2872 * IDL typedef [switch_type(short)] union {
2873 * IDL [case(1)] long rid;
2874 * IDL [case(2)] long rid;
2875 * IDL [case(3)] long rid;
2876 * IDL [case(4)] long rid;
2877 * IDL [case(5)] long rid;
2878 * IDL [case(6)] long rid;
2879 * IDL [case(7)] long rid;
2880 * IDL [case(8)] long rid;
2881 * IDL [case(9)] long rid;
2882 * IDL [case(10)] long rid;
2883 * IDL [case(11)] long rid;
2884 * IDL [case(12)] long rid;
2885 * IDL [case(13)] [unique] SID *sid;
2886 * IDL [case(14)] [unique] SID *sid;
2887 * IDL [case(15)] [unique] SID *sid;
2888 * IDL [case(16)] [unique] SID *sid;
2889 * IDL [case(17)] [unique] SID *sid;
2890 * IDL [case(18)] [unique][string] wchar_t *Name ;
2891 * IDL [case(19)] [unique][string] wchar_t *Name ;
2892 * IDL [case(20)] long rid;
2893 * IDL [case(21)] long rid;
2894 * IDL } DELTA_ID_UNION;
2897 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2898 packet_info *pinfo, proto_tree *parent_tree,
2901 proto_item *item=NULL;
2902 proto_tree *tree=NULL;
2903 int old_offset=offset;
2907 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2909 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2912 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2913 hf_netlogon_level16, &level);
2918 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2919 hf_netlogon_user_rid, NULL);
2922 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2923 hf_netlogon_user_rid, NULL);
2926 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2927 hf_netlogon_user_rid, NULL);
2930 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2931 hf_netlogon_user_rid, NULL);
2934 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2935 hf_netlogon_user_rid, NULL);
2938 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2939 hf_netlogon_user_rid, NULL);
2942 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2943 hf_netlogon_user_rid, NULL);
2946 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2947 hf_netlogon_user_rid, NULL);
2950 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2951 hf_netlogon_user_rid, NULL);
2954 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2955 hf_netlogon_user_rid, NULL);
2958 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2959 hf_netlogon_user_rid, NULL);
2962 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2963 hf_netlogon_user_rid, NULL);
2966 offset = dissect_ndr_nt_PSID(tvb, offset,
2970 offset = dissect_ndr_nt_PSID(tvb, offset,
2974 offset = dissect_ndr_nt_PSID(tvb, offset,
2978 offset = dissect_ndr_nt_PSID(tvb, offset,
2982 offset = dissect_ndr_nt_PSID(tvb, offset,
2986 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2987 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
2988 "unknown", hf_netlogon_unknown_string, -1);
2991 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2992 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
2993 "unknown", hf_netlogon_unknown_string, -1);
2996 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2997 hf_netlogon_user_rid, NULL);
3000 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3001 hf_netlogon_user_rid, NULL);
3005 proto_item_set_len(item, offset-old_offset);
3010 * IDL typedef struct {
3011 * IDL short delta_type;
3012 * IDL DELTA_ID_UNION delta_id_union;
3013 * IDL DELTA_UNION delta_union;
3017 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3018 packet_info *pinfo, proto_tree *parent_tree,
3021 proto_item *item=NULL;
3022 proto_tree *tree=NULL;
3023 int old_offset=offset;
3026 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3028 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3031 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3032 hf_netlogon_delta_type, NULL);
3034 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3037 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3040 proto_item_set_len(item, offset-old_offset);
3045 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3046 packet_info *pinfo, proto_tree *tree,
3049 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3050 netlogon_dissect_DELTA_ENUM);
3056 * IDL typedef struct {
3057 * IDL long num_deltas;
3058 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3059 * IDL } DELTA_ENUM_ARRAY;
3062 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3063 packet_info *pinfo, proto_tree *tree,
3066 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3067 hf_netlogon_num_deltas, NULL);
3069 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3070 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3071 "DELTA_ENUM: deltas", -1, 0);
3078 * IDL long NetDatabaseDeltas(
3079 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3080 * IDL [in][string][ref] wchar_t *computername,
3081 * IDL [in][ref] AUTHENTICATOR credential,
3082 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3083 * IDL [in] long database_id,
3084 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3085 * IDL [in] long preferredmaximumlength,
3086 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3090 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3091 packet_info *pinfo, proto_tree *tree, char *drep)
3093 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3094 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3095 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3097 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3098 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3099 "Computer Name", hf_netlogon_computer_name, 0);
3101 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3102 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3103 "AUTHENTICATOR: credential", -1, 0);
3105 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3106 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3107 "AUTHENTICATOR: return_authenticator", -1, 0);
3109 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3110 hf_netlogon_database_id, NULL);
3112 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3113 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3114 "MODIFIED_COUNT: domain modified count", -1, 0);
3116 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3117 hf_netlogon_max_size, NULL);
3122 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3123 packet_info *pinfo, proto_tree *tree, char *drep)
3125 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3126 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3127 "AUTHENTICATOR: return_authenticator", -1, 0);
3129 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3130 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3131 "MODIFIED_COUNT: domain modified count", -1, 0);
3133 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3134 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3135 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3137 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3138 hf_netlogon_rc, NULL);
3145 * IDL long NetDatabaseSync(
3146 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3147 * IDL [in][string][ref] wchar_t *computername,
3148 * IDL [in][ref] AUTHENTICATOR credential,
3149 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3150 * IDL [in] long database_id,
3151 * IDL [in][out][ref] long sync_context,
3152 * IDL [in] long preferredmaximumlength,
3153 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3157 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3158 packet_info *pinfo, proto_tree *tree, char *drep)
3160 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3161 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3162 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3164 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3165 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3166 "Computer Name", hf_netlogon_computer_name, 0);
3168 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3169 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3170 "AUTHENTICATOR: credential", -1, 0);
3172 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3173 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3174 "AUTHENTICATOR: return_authenticator", -1, 0);
3176 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3177 hf_netlogon_database_id, NULL);
3179 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3180 hf_netlogon_sync_context, NULL);
3182 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3183 hf_netlogon_max_size, NULL);
3190 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3191 packet_info *pinfo, proto_tree *tree, char *drep)
3193 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3194 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3195 "AUTHENTICATOR: return_authenticator", -1, 0);
3197 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3198 hf_netlogon_sync_context, NULL);
3200 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3201 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3202 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3204 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3205 hf_netlogon_rc, NULL);
3211 * IDL typedef struct {
3212 * IDL char computer_name[16];
3213 * IDL long timecreated;
3214 * IDL long serial_number;
3218 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3219 packet_info *pinfo, proto_tree *tree,
3224 di=pinfo->private_data;
3225 if(di->conformant_run){
3226 /*just a run to handle conformant arrays, nothing to dissect */
3230 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3233 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3236 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3237 hf_netlogon_serial_number, NULL);
3244 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3245 packet_info *pinfo, proto_tree *tree,
3248 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3249 hf_netlogon_unknown_char, NULL);
3255 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3256 packet_info *pinfo, proto_tree *tree,
3259 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3260 netlogon_dissect_BYTE_byte);
3266 * IDL long NetAccountDelta(
3267 * IDL [in][string][unique] wchar_t *logonserver,
3268 * IDL [in][string][ref] wchar_t *computername,
3269 * IDL [in][ref] AUTHENTICATOR credential,
3270 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3271 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3272 * IDL [out][ref] long count_returned,
3273 * IDL [out][ref] long total_entries,
3274 * IDL [in][out][ref] UAS_INFO_0 recordid,
3275 * IDL [in][long] count,
3276 * IDL [in][long] level,
3277 * IDL [in][long] buffersize,
3281 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
3282 packet_info *pinfo, proto_tree *tree, char *drep)
3284 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3287 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3288 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3289 "Computer Name", hf_netlogon_computer_name, 0);
3291 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3292 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3293 "AUTHENTICATOR: credential", -1, 0);
3295 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3296 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3297 "AUTHENTICATOR: return_authenticator", -1, 0);
3299 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3300 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3301 "UAS_INFO_0: RecordID", -1, 0);
3303 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3304 hf_netlogon_count, NULL);
3306 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3307 hf_netlogon_level, NULL);
3309 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3310 hf_netlogon_max_size, NULL);
3315 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
3316 packet_info *pinfo, proto_tree *tree, char *drep)
3318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3319 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3320 "AUTHENTICATOR: return_authenticator", -1, 0);
3322 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3323 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3324 "BYTE_array: Buffer", -1, 0);
3326 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3327 hf_netlogon_count, NULL);
3329 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3330 hf_netlogon_entries, NULL);
3332 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3333 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3334 "UAS_INFO_0: RecordID", -1, 0);
3336 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3337 hf_netlogon_rc, NULL);
3344 * IDL long NetAccountDelta(
3345 * IDL [in][string][unique] wchar_t *logonserver,
3346 * IDL [in][string][ref] wchar_t *computername,
3347 * IDL [in][ref] AUTHENTICATOR credential,
3348 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3349 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3350 * IDL [out][ref] long count_returned,
3351 * IDL [out][ref] long total_entries,
3352 * IDL [out][ref] long next_reference,
3353 * IDL [in][long] reference,
3354 * IDL [in][long] level,
3355 * IDL [in][long] buffersize,
3356 * IDL [in][out][ref] UAS_INFO_0 recordid,
3360 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
3361 packet_info *pinfo, proto_tree *tree, char *drep)
3363 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3366 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3367 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3368 "Computer Name", hf_netlogon_computer_name, 0);
3370 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3371 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3372 "AUTHENTICATOR: credential", -1, 0);
3374 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3375 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3376 "AUTHENTICATOR: return_authenticator", -1, 0);
3378 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3379 hf_netlogon_reference, NULL);
3381 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3382 hf_netlogon_level, NULL);
3384 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3385 hf_netlogon_max_size, NULL);
3390 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
3391 packet_info *pinfo, proto_tree *tree, char *drep)
3393 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3394 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3395 "AUTHENTICATOR: return_authenticator", -1, 0);
3397 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3398 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3399 "BYTE_array: Buffer", -1, 0);
3401 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3402 hf_netlogon_count, NULL);
3404 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3405 hf_netlogon_entries, NULL);
3407 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3408 hf_netlogon_next_reference, NULL);
3410 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3411 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3412 "UAS_INFO_0: RecordID", -1, 0);
3414 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3415 hf_netlogon_rc, NULL);
3422 * IDL long NetGetDCName(
3423 * IDL [in][ref][string] wchar_t *logon_server,
3424 * IDL [in][unique][string] wchar_t *domainname,
3425 * IDL [out][unique][string] wchar_t *dcname,
3429 netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
3430 packet_info *pinfo, proto_tree *tree, char *drep)
3432 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3433 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3434 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3436 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3437 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3438 "Domain", hf_netlogon_domain_name, 0);
3443 netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
3444 packet_info *pinfo, proto_tree *tree, char *drep)
3446 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3447 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3448 "Domain", hf_netlogon_dc_name, 0);
3450 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3451 hf_netlogon_rc, NULL);
3459 * IDL typedef struct {
3461 * IDL long pdc_connection_status;
3462 * IDL } NETLOGON_INFO_1;
3465 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3466 packet_info *pinfo, proto_tree *tree,
3469 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3470 hf_netlogon_flags, NULL);
3472 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3473 hf_netlogon_pdc_connection_status, NULL);
3480 * IDL typedef struct {
3482 * IDL long pdc_connection_status;
3483 * IDL [unique][string] wchar_t trusted_dc_name;
3484 * IDL long tc_connection_status;
3485 * IDL } NETLOGON_INFO_2;
3488 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3489 packet_info *pinfo, proto_tree *tree,
3492 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3493 hf_netlogon_flags, NULL);
3495 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3496 hf_netlogon_pdc_connection_status, NULL);
3498 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3499 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3500 "Trusted DC Name", hf_netlogon_trusted_dc_name, 0);
3502 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3503 hf_netlogon_tc_connection_status, NULL);
3510 * IDL typedef struct {
3512 * IDL long logon_attempts;
3513 * IDL long reserved;
3514 * IDL long reserved;
3515 * IDL long reserved;
3516 * IDL long reserved;
3517 * IDL long reserved;
3518 * IDL } NETLOGON_INFO_3;
3521 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3522 packet_info *pinfo, proto_tree *tree,
3525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3526 hf_netlogon_flags, NULL);
3528 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3529 hf_netlogon_logon_attempts, NULL);
3531 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3532 hf_netlogon_reserved, NULL);
3534 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3535 hf_netlogon_reserved, NULL);
3537 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3538 hf_netlogon_reserved, NULL);
3540 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3541 hf_netlogon_reserved, NULL);
3543 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3544 hf_netlogon_reserved, NULL);
3551 * IDL typedef [switch_type(long)] union {
3552 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3553 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3554 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3555 * IDL } CONTROL_QUERY_INFORMATION;
3558 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3559 packet_info *pinfo, proto_tree *tree,
3564 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3565 hf_netlogon_level, &level);
3570 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3571 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3572 "NETLOGON_INFO_1:", -1, 0);
3575 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3576 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3577 "NETLOGON_INFO_2:", -1, 0);
3580 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3581 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3582 "NETLOGON_INFO_3:", -1, 0);
3591 * IDL long NetLogonControl(
3592 * IDL [in][string][unique] wchar_t *logonserver,
3593 * IDL [in] long function_code,
3594 * IDL [in] long level,
3595 * IDL [out][ref] CONTROL_QUERY_INFORMATION
3599 netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3600 packet_info *pinfo, proto_tree *tree, char *drep)
3602 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3605 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3606 hf_netlogon_code, NULL);
3608 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3609 hf_netlogon_level, NULL);
3614 netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
3615 packet_info *pinfo, proto_tree *tree, char *drep)
3617 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3618 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3619 "CONTROL_QUERY_INFORMATION:", -1, 0);
3621 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3622 hf_netlogon_rc, NULL);
3629 * IDL long NetGetDCName(
3630 * IDL [in][unique][string] wchar_t *logon_server,
3631 * IDL [in][unique][string] wchar_t *domainname,
3632 * IDL [out][unique][string] wchar_t *dcname,
3636 netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
3637 packet_info *pinfo, proto_tree *tree, char *drep)
3639 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3640 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3641 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3643 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3644 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3645 "Domain", hf_netlogon_domain_name, 0);
3650 netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
3651 packet_info *pinfo, proto_tree *tree, char *drep)
3653 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3654 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3655 "Domain", hf_netlogon_dc_name, 0);
3657 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3658 hf_netlogon_rc, NULL);
3665 * IDL typedef [switch_type(long)] union {
3666 * IDL [case(5)] [unique][string] wchar_t *unknown;
3667 * IDL [case(6)] [unique][string] wchar_t *unknown;
3668 * IDL [case(0xfffe)] long unknown;
3669 * IDL [case(7)] [unique][string] wchar_t *unknown;
3670 * IDL } CONTROL_DATA_INFORMATION;
3673 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3674 * to look like. However NetMon does not recognize any such informationlevels.
3676 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
3677 * until someone has any source of better authority to call upon.
3680 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3681 packet_info *pinfo, proto_tree *tree,
3686 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3687 hf_netlogon_level, &level);
3692 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3693 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3694 "unknown", hf_netlogon_unknown_string, -1);
3697 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3698 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3699 "unknown", hf_netlogon_unknown_string, -1);
3702 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3703 hf_netlogon_unknown_long, NULL);
3706 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3707 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3708 "unknown", hf_netlogon_unknown_string, -1);
3717 * IDL long NetLogonControl2(
3718 * IDL [in][string][unique] wchar_t *logonserver,
3719 * IDL [in] long function_code,
3720 * IDL [in] long level,
3721 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3722 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3726 netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3727 packet_info *pinfo, proto_tree *tree, char *drep)
3729 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3732 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3733 hf_netlogon_code, NULL);
3735 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3736 hf_netlogon_level, NULL);
3738 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3739 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3740 "CONTROL_DATA_INFORMATION: ", -1, 0);
3746 netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3747 packet_info *pinfo, proto_tree *tree, char *drep)
3749 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3750 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3751 "CONTROL_QUERY_INFORMATION:", -1, 0);
3753 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3754 hf_netlogon_rc, NULL);
3761 * IDL long NetServerAuthenticate2(
3762 * IDL [in][string][unique] wchar_t *logonserver,
3763 * IDL [in][ref][string] wchar_t *username,
3764 * IDL [in] short secure_channel_type,
3765 * IDL [in][ref][string] wchar_t *computername,
3766 * IDL [in][ref] CREDENTIAL *client_chal,
3767 * IDL [out][ref] CREDENTIAL *server_chal,
3768 * IDL [in][out][ref] long *negotiate_flags,
3772 netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3773 packet_info *pinfo, proto_tree *tree, char *drep)
3775 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3778 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3779 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3780 "User Name", hf_netlogon_acct_name, 0);
3782 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3785 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3786 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3787 "Computer Name", hf_netlogon_computer_name, 0);
3789 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3790 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3791 "CREDENTIAL: client_chal", -1, 0);
3793 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3794 hf_netlogon_neg_flags, NULL);
3800 netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3801 packet_info *pinfo, proto_tree *tree, char *drep)
3803 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3804 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3805 "CREDENTIAL: server_chal", -1, 0);
3807 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3808 hf_netlogon_neg_flags, NULL);
3810 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3811 hf_netlogon_rc, NULL);
3818 * IDL long NetDatabaseSync2(
3819 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3820 * IDL [in][string][ref] wchar_t *computername,
3821 * IDL [in][ref] AUTHENTICATOR credential,
3822 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3823 * IDL [in] long database_id,
3824 * IDL [in] short restart_state,
3825 * IDL [in][out][ref] long *sync_context,
3826 * IDL [in] long preferredmaximumlength,
3827 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3831 netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
3832 packet_info *pinfo, proto_tree *tree, char *drep)
3834 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3835 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3836 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3838 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3839 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3840 "Computer Name", hf_netlogon_computer_name, 0);
3842 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3843 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3844 "AUTHENTICATOR: credential", -1, 0);
3846 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3847 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3848 "AUTHENTICATOR: return_authenticator", -1, 0);
3850 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3851 hf_netlogon_database_id, NULL);
3853 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3854 hf_netlogon_restart_state, NULL);
3856 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3857 hf_netlogon_sync_context, NULL);
3859 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3860 hf_netlogon_max_size, NULL);
3866 netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
3867 packet_info *pinfo, proto_tree *tree, char *drep)
3869 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3870 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3871 "AUTHENTICATOR: return_authenticator", -1, 0);
3873 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3874 hf_netlogon_sync_context, NULL);
3876 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3877 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3878 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3880 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3881 hf_netlogon_rc, NULL);
3888 * IDL long NetDatabaseRedo(
3889 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3890 * IDL [in][string][ref] wchar_t *computername,
3891 * IDL [in][ref] AUTHENTICATOR credential,
3892 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3893 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3894 * IDL [in] long change_log_entry_size,
3895 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3899 netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
3900 packet_info *pinfo, proto_tree *tree, char *drep)
3902 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3903 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3904 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3906 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3907 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3908 "Computer Name", hf_netlogon_computer_name, 0);
3910 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3911 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3912 "AUTHENTICATOR: credential", -1, 0);
3914 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3915 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3916 "AUTHENTICATOR: return_authenticator", -1, 0);
3918 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3919 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3920 "Change log entry: ", -1, 0);
3922 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3923 hf_netlogon_max_log_size, NULL);
3929 netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
3930 packet_info *pinfo, proto_tree *tree, char *drep)
3932 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3933 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3934 "AUTHENTICATOR: return_authenticator", -1, 0);
3936 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3937 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3938 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3940 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3941 hf_netlogon_rc, NULL);
3947 /* XXX NetMon does not recognize this as a valid function. Muddle however
3948 * tells us what parameters it takes but not their names.
3949 * It looks similar to logoncontrol2. perhaps it is logoncontrol3?
3952 * IDL long NetFunction_12(
3953 * IDL [in][string][unique] wchar_t *logonserver,
3954 * IDL [in] long function_code,
3955 * IDL [in] long level,
3956 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3957 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3961 netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
3962 packet_info *pinfo, proto_tree *tree, char *drep)
3964 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3967 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3968 hf_netlogon_code, NULL);
3970 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3971 hf_netlogon_level, NULL);
3973 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3974 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3975 "CONTROL_DATA_INFORMATION: ", -1, 0);
3980 netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
3981 packet_info *pinfo, proto_tree *tree, char *drep)
3983 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3984 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3985 "CONTROL_QUERY_INFORMATION:", -1, 0);
3987 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3988 hf_netlogon_rc, NULL);
3997 /* Updated above this line */
4005 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4006 packet_info *pinfo, proto_tree *tree,
4011 di=pinfo->private_data;
4012 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4013 di->hf_index, NULL);
4018 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4019 packet_info *pinfo, proto_tree *tree,
4024 di=pinfo->private_data;
4025 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4026 di->hf_index, NULL);
4031 netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
4032 packet_info *pinfo, proto_tree *parent_tree,
4033 char *drep, int type, int hf_index, int levels)
4035 proto_item *item=NULL;
4036 proto_tree *tree=NULL;
4037 int old_offset=offset;
4041 di=pinfo->private_data;
4042 if(di->conformant_run){
4043 /*just a run to handle conformant arrays, nothing to dissect */
4047 name = proto_registrar_get_name(hf_index);
4049 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4051 tree = proto_item_add_subtree(item, ett_nt_unicode_string);
4054 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4055 dissect_ndr_nt_UNICODE_STRING_str, type,
4056 name, hf_index, levels);
4058 proto_item_set_len(item, offset-old_offset);
4064 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4065 packet_info *pinfo, proto_tree *tree,
4068 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4069 hf_netlogon_unknown_char, NULL);
4075 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4076 packet_info *pinfo, proto_tree *tree,
4079 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4080 netlogon_dissect_UNICODE_MULTI_byte);
4086 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4087 packet_info *pinfo, proto_tree *parent_tree,
4090 proto_item *item=NULL;
4091 proto_tree *tree=NULL;
4092 int old_offset=offset;
4095 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4097 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4100 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4101 hf_netlogon_len, NULL);
4103 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4104 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4105 "unknown", hf_netlogon_unknown_string, 0);
4107 proto_item_set_len(item, offset-old_offset);
4112 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4113 packet_info *pinfo, proto_tree *tree,
4116 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
4122 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4123 packet_info *pinfo, proto_tree *parent_tree,
4126 proto_item *item=NULL;
4127 proto_tree *tree=NULL;
4128 int old_offset=offset;
4131 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4132 "DOMAIN_CONTROLLER_INFO:");
4133 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4136 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4137 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4138 "DC Name", hf_netlogon_dc_name, 0);
4140 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4141 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4142 "DC Address", hf_netlogon_dc_address, 0);
4144 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4145 hf_netlogon_dc_address_type, NULL);
4147 offset = dissect_nt_GUID(tvb, offset,
4150 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4151 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4152 "Logon Domain", hf_netlogon_logon_dom, 0);
4154 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4155 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4156 "DNS Forest", hf_netlogon_dns_forest_name, 0);
4158 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4159 hf_netlogon_flags, NULL);
4161 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4162 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4163 "DC Site", hf_netlogon_dc_site_name, 0);
4165 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4166 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4167 "Client Site", hf_netlogon_client_site_name, 0);
4169 proto_item_set_len(item, offset-old_offset);
4174 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4175 packet_info *pinfo, proto_tree *tree,
4181 di=pinfo->private_data;
4182 if(di->conformant_run){
4183 /*just a run to handle conformant arrays, nothing to dissect.*/
4187 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4188 hf_netlogon_blob_size, &len);
4190 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
4198 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4199 packet_info *pinfo, proto_tree *parent_tree,
4202 proto_item *item=NULL;
4203 proto_tree *tree=NULL;
4206 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4208 tree = proto_item_add_subtree(item, ett_BLOB);
4211 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4212 hf_netlogon_blob_size, NULL);
4214 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4215 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
4222 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4223 packet_info *pinfo, proto_tree *tree,
4226 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4228 /* Guesses at best. */
4229 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4230 hf_netlogon_unknown_string, 0);
4232 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4233 hf_netlogon_unknown_string, 0);
4235 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4236 hf_netlogon_unknown_string, 0);
4238 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4239 hf_netlogon_unknown_string, 0);
4241 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4242 hf_netlogon_unknown_long, NULL);
4244 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4245 hf_netlogon_unknown_long, NULL);
4247 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4248 hf_netlogon_unknown_long, NULL);
4250 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4251 hf_netlogon_unknown_long, NULL);
4257 netlogon_dissect_DOMAIN_TRUST_INFO_ptr(tvbuff_t *tvb, int offset,
4258 packet_info *pinfo, proto_tree *tree,
4261 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4262 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
4263 "DOMAIN_TRUST_INFO pointer:", -1, 0);
4269 netlogon_dissect_DOMAIN_TRUST_INFO_ptr_ptr(tvbuff_t *tvb, int offset,
4270 packet_info *pinfo, proto_tree *tree,
4273 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4274 netlogon_dissect_DOMAIN_TRUST_INFO_ptr, NDR_POINTER_UNIQUE,
4275 "DOMAIN_TRUST_INFO pointer pointer:", -1, 0);
4280 /* Could this be an array? Ronnie? */
4282 netlogon_dissect_DOMAIN_TRUST_INFO_CTR(tvbuff_t *tvb, int offset,
4283 packet_info *pinfo, proto_tree *tree,
4288 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4289 hf_netlogon_level, &level);
4294 offset = netlogon_dissect_DOMAIN_TRUST_INFO_ptr_ptr(tvb, offset, pinfo, tree, drep);
4302 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4303 packet_info *pinfo, proto_tree *tree,
4306 offset = netlogon_dissect_BLOB(tvb, offset,
4309 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4310 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4311 "Workstation FQDN", hf_netlogon_workstation_fqdn, 0);
4313 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4314 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4315 "unknown", hf_netlogon_unknown_string, -1);
4317 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4318 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4319 "unknown", hf_netlogon_unknown_string, -1);
4321 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4322 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4323 "unknown", hf_netlogon_unknown_string, -1);
4325 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4326 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4327 "unknown", hf_netlogon_unknown_string, -1);
4329 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4330 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4331 "unknown", hf_netlogon_unknown_string, -1);
4333 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4334 hf_netlogon_unknown_string, 0);
4336 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4337 hf_netlogon_workstation_os, 0);
4339 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4340 hf_netlogon_unknown_string, 0);
4342 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4343 hf_netlogon_unknown_string, 0);
4345 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4346 hf_netlogon_unknown_long, NULL);
4348 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4349 hf_netlogon_unknown_long, NULL);
4351 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4352 hf_netlogon_unknown_long, NULL);
4354 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4355 hf_netlogon_unknown_long, NULL);
4361 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4362 packet_info *pinfo, proto_tree *tree,
4365 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
4367 offset = netlogon_dissect_DOMAIN_TRUST_INFO_CTR(tvb, offset, pinfo, tree, drep);
4369 offset = netlogon_dissect_BLOB(tvb, offset, pinfo, tree, drep);
4371 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4372 hf_netlogon_dns_domain_name, 0);
4374 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4375 hf_netlogon_unknown_string, 0);
4377 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4378 hf_netlogon_unknown_string, 0);
4380 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4381 hf_netlogon_unknown_string, 0);
4383 /* These four integers appear to mirror the last four in the query. */
4384 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4385 hf_netlogon_unknown_long, NULL);
4387 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4388 hf_netlogon_unknown_long, NULL);
4390 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4391 hf_netlogon_unknown_long, NULL);
4393 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4394 hf_netlogon_unknown_long, NULL);
4400 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4401 packet_info *pinfo, proto_tree *parent_tree,
4404 proto_item *item=NULL;
4405 proto_tree *tree=NULL;
4406 int old_offset=offset;
4410 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4411 "UNICODE_STRING_512:");
4412 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4416 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4417 hf_netlogon_unknown_short, NULL);
4420 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4421 hf_netlogon_unknown_long, NULL);
4423 proto_item_set_len(item, offset-old_offset);
4428 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4429 packet_info *pinfo, proto_tree *tree,
4432 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4433 hf_netlogon_unknown_char, NULL);
4439 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4440 packet_info *pinfo, proto_tree *tree,
4443 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4444 netlogon_dissect_element_844_byte);
4450 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4451 packet_info *pinfo, proto_tree *parent_tree,
4454 proto_item *item=NULL;
4455 proto_tree *tree=NULL;
4456 int old_offset=offset;
4459 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4461 tree = proto_item_add_subtree(item, ett_TYPE_50);
4464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4465 hf_netlogon_unknown_long, NULL);
4467 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4468 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4469 "unknown", hf_netlogon_unknown_string, 0);
4471 proto_item_set_len(item, offset-old_offset);
4476 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4477 packet_info *pinfo, proto_tree *tree,
4480 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4481 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4482 "TYPE_50 pointer: unknown_TYPE_50", -1, 0);
4488 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX(tvbuff_t *tvb, int offset,
4489 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4492 proto_item *item=NULL;
4493 proto_tree *tree=NULL;
4494 int old_offset=offset;
4497 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4498 "DSROLE_DOMAIN_INFO_EX");
4499 tree = proto_item_add_subtree(item, ett_DSROLE_DOMAIN_INFO_EX);
4503 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4504 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4505 "NetBIOS Name", hf_netlogon_downlevel_domain_name, 1);
4508 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4509 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4510 "DNS Domain Name", hf_netlogon_dns_domain_name, 1);
4512 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4513 hf_netlogon_unknown_long, &tmp);
4515 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4516 hf_netlogon_unknown_long, &tmp);
4518 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4519 hf_netlogon_unknown_long, &tmp);
4521 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4522 hf_netlogon_unknown_long, &tmp);
4525 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4528 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
4530 proto_item_set_len(item, offset-old_offset);
4535 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY(tvbuff_t *tvb, int offset,
4536 packet_info *pinfo, proto_tree *tree,
4539 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4540 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX);
4546 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4547 packet_info *pinfo, proto_tree *tree,
4550 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4551 hf_netlogon_unknown_char, NULL);
4557 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4558 packet_info *pinfo, proto_tree *tree,
4561 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4562 netlogon_dissect_element_865_byte);
4568 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4569 packet_info *pinfo, proto_tree *tree,
4572 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4573 hf_netlogon_unknown_char, NULL);
4579 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4580 packet_info *pinfo, proto_tree *tree,
4583 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4584 netlogon_dissect_element_866_byte);
4590 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4591 packet_info *pinfo, proto_tree *parent_tree,
4594 proto_item *item=NULL;
4595 proto_tree *tree=NULL;
4596 int old_offset=offset;
4599 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4601 tree = proto_item_add_subtree(item, ett_TYPE_52);
4604 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4605 hf_netlogon_unknown_long, NULL);
4607 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4608 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
4609 "unknown", hf_netlogon_unknown_string, 0);
4611 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4612 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
4613 "unknown", hf_netlogon_unknown_string, 0);
4615 proto_item_set_len(item, offset-old_offset);
4620 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
4621 packet_info *pinfo, proto_tree *tree,
4624 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4625 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
4626 "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
4632 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
4633 packet_info *pinfo, proto_tree *parent_tree,
4636 proto_item *item=NULL;
4637 proto_tree *tree=NULL;
4638 int old_offset=offset;
4642 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4644 tree = proto_item_add_subtree(item, ett_TYPE_44);
4647 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4648 hf_netlogon_level, &level);
4653 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4654 hf_netlogon_unknown_long, NULL);
4658 proto_item_set_len(item, offset-old_offset);
4663 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
4664 packet_info *pinfo, proto_tree *tree,
4669 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4670 hf_netlogon_level, &level);
4675 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4676 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
4677 "DOMAIN_QUERY_1:", -1, 0);
4680 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4681 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
4682 "DOMAIN_QUERY_1:", -1, 0);
4690 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
4691 packet_info *pinfo, proto_tree *tree, char *drep)
4693 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4701 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
4702 packet_info *pinfo, proto_tree *tree, char *drep)
4704 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4705 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
4706 "UNICODE_MULTI pointer: trust_dom_name_list", -1, 0);
4708 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4709 hf_netlogon_rc, NULL);
4715 netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
4716 packet_info *pinfo, proto_tree *tree, char *drep)
4718 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4721 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4722 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4723 "Domain", hf_netlogon_logon_dom, 0);
4725 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4726 dissect_nt_GUID, NDR_POINTER_UNIQUE,
4727 "GUID pointer: domain_guid", -1, 0);
4729 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4730 dissect_nt_GUID, NDR_POINTER_UNIQUE,
4731 "GUID pointer: site_guid", -1, 0);
4733 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4734 hf_netlogon_flags, NULL);
4741 netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
4742 packet_info *pinfo, proto_tree *tree, char *drep)
4744 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4745 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
4746 "DOMAIN_CONTROLLER_INFO:", -1, 0);
4748 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4749 hf_netlogon_rc, NULL);
4755 netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
4756 packet_info *pinfo, proto_tree *tree, char *drep)
4758 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4761 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4762 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4763 "unknown string", hf_netlogon_unknown_string, 0);
4765 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4766 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4767 "AUTHENTICATOR: credential", -1, 0);
4769 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4770 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
4771 "AUTHENTICATOR: return_authenticator", -1, 0);
4773 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4774 hf_netlogon_unknown_long, NULL);
4781 netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
4782 packet_info *pinfo, proto_tree *tree, char *drep)
4784 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4785 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
4786 "AUTHENTICATOR: return_authenticator", -1, 0);
4788 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4789 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
4790 "TYPE_44 pointer: unknown_TYPE_44", -1, 0);
4792 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4793 hf_netlogon_rc, NULL);
4799 netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
4800 packet_info *pinfo, proto_tree *tree, char *drep)
4802 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4805 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4806 hf_netlogon_unknown_long, NULL);
4808 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4809 hf_netlogon_unknown_long, NULL);
4816 netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
4817 packet_info *pinfo, proto_tree *tree, char *drep)
4819 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4820 hf_netlogon_rc, NULL);
4826 netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
4827 packet_info *pinfo, proto_tree *tree, char *drep)
4829 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4832 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4833 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4834 "unknown string", hf_netlogon_unknown_string, 0);
4841 netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
4842 packet_info *pinfo, proto_tree *tree, char *drep)
4844 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4845 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
4846 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4848 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4849 hf_netlogon_rc, NULL);
4855 netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
4856 packet_info *pinfo, proto_tree *tree, char *drep)
4858 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4861 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4862 hf_netlogon_unknown_long, NULL);
4864 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4865 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
4866 "BYTE pointer: unknown_BYTE", -1, 0);
4868 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4869 hf_netlogon_unknown_long, NULL);
4875 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
4876 packet_info *pinfo, proto_tree *tree, char *drep)
4881 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4882 hf_netlogon_unknown_char, NULL);
4889 netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
4890 packet_info *pinfo, proto_tree *tree, char *drep)
4892 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4893 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
4894 "BYTE pointer: unknown_BYTE", -1, 0);
4896 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4897 hf_netlogon_rc, NULL);
4903 netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
4904 packet_info *pinfo, proto_tree *tree, char *drep)
4906 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4909 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4910 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4911 "unknown string", hf_netlogon_unknown_string, 0);
4913 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4914 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
4915 "BYTE pointer: unknown_BYTE", -1, 0);
4917 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4918 hf_netlogon_unknown_long, NULL);
4925 netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
4926 packet_info *pinfo, proto_tree *tree, char *drep)
4928 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4929 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
4930 "BYTE pointer: unknown_BYTE", -1, 0);
4932 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4933 hf_netlogon_rc, NULL);
4939 netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
4940 packet_info *pinfo, proto_tree *tree, char *drep)
4942 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4945 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4946 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
4947 "Acct Name", hf_netlogon_acct_name, 0);
4949 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
4952 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4953 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
4954 "Computer Name", hf_netlogon_computer_name, 0);
4956 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4957 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4958 "CREDENTIAL: authenticator", -1, 0);
4960 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4961 hf_netlogon_neg_flags, NULL);
4968 netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
4969 packet_info *pinfo, proto_tree *tree, char *drep)
4971 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4972 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4973 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1, 0);
4975 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4976 hf_netlogon_neg_flags, NULL);
4978 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4979 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4980 "ULONG: unknown_ULONG", hf_netlogon_unknown_long, 0);
4982 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4983 hf_netlogon_rc, NULL);
4989 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
4990 packet_info *pinfo, proto_tree *tree, char *drep)
4992 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4995 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4996 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4997 "Domain", hf_netlogon_logon_dom, 0);
4999 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5000 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5001 "GUID pointer: domain_guid", -1, 0);
5003 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5004 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5005 "Site Name", hf_netlogon_site_name, 0);
5007 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5008 hf_netlogon_flags, NULL);
5015 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5016 packet_info *pinfo, proto_tree *tree, char *drep)
5018 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5019 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5020 "DOMAIN_CONTROLLER_INFO:", -1, 0);
5022 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5023 hf_netlogon_rc, NULL);
5029 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5030 packet_info *pinfo, proto_tree *tree, char *drep)
5032 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5040 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5041 packet_info *pinfo, proto_tree *tree, char *drep)
5044 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
5045 NDR_POINTER_REF, hf_netlogon_site_name, 0);
5047 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5048 hf_netlogon_rc, NULL);
5054 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5055 packet_info *pinfo, proto_tree *tree, char *drep)
5057 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5058 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5059 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
5060 "Server Handle", hf_netlogon_computer_name, 0);
5062 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5063 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5064 "Computer Name", hf_netlogon_computer_name, 0);
5066 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5067 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5068 "AUTHENTICATOR: credential", -1, 0);
5070 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5071 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5072 "AUTHENTICATOR: return_authenticator", -1, 0);
5074 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5075 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5076 "DOMAIN_QUERY: ", -1, 0);
5083 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5084 packet_info *pinfo, proto_tree *tree, char *drep)
5086 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5087 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5088 "AUTHENTICATOR: return_authenticator", -1, 0);
5090 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5091 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
5092 "DOMAIN_INFO: ", -1, 0);
5094 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5095 hf_netlogon_rc, NULL);
5101 netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
5102 packet_info *pinfo, proto_tree *tree, char *drep)
5104 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5107 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5108 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5109 "unknown string", hf_netlogon_unknown_string, 0);
5111 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5112 hf_netlogon_unknown_short, NULL);
5114 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5115 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5116 "unknown string", hf_netlogon_unknown_string, 0);
5118 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5119 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5120 "AUTHENTICATOR: credential", -1, 0);
5122 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
5130 netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
5131 packet_info *pinfo, proto_tree *tree, char *drep)
5133 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5134 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5135 "AUTHENTICATOR: return_authenticator", -1, 0);
5137 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5138 hf_netlogon_rc, NULL);
5144 netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5145 packet_info *pinfo, proto_tree *tree, char *drep)
5147 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5150 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5151 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5152 "Acct Name", hf_netlogon_acct_name, 0);
5154 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5157 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5158 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5159 "Computer Name", hf_netlogon_computer_name, 0);
5161 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5162 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5163 "AUTHENTICATOR: credential", -1, 0);
5170 netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5171 packet_info *pinfo, proto_tree *tree, char *drep)
5173 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5174 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5175 "AUTHENTICATOR: return_authenticator", -1, 0);
5177 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5178 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5179 "LM_OWF_PASSWORD pointer: server_pwd", -1, 0);
5181 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5182 hf_netlogon_rc, NULL);
5188 netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
5189 packet_info *pinfo, proto_tree *tree, char *drep)
5191 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5194 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5195 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5196 "unknown string", hf_netlogon_unknown_string, -1);
5198 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5199 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5200 "AUTHENTICATOR: credential", -1, 0);
5202 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5203 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5204 "BYTE pointer: unknown_BYTE", -1, 0);
5206 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5207 hf_netlogon_unknown_long, NULL);
5214 netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
5215 packet_info *pinfo, proto_tree *tree, char *drep)
5217 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5218 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5219 "AUTHENTICATOR: return_authenticator", -1, 0);
5221 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5222 hf_netlogon_rc, NULL);
5228 netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
5229 packet_info *pinfo, proto_tree *tree, char *drep)
5231 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5234 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5235 hf_netlogon_unknown_long, NULL);
5237 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5238 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5239 "BYTE pointer: unknown_BYTE", -1, 0);
5246 netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
5247 packet_info *pinfo, proto_tree *tree, char *drep)
5249 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5250 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5251 "TYPE_50** pointer: unknown_TYPE_50", -1, 0);
5253 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5254 hf_netlogon_rc, NULL);
5260 netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
5261 packet_info *pinfo, proto_tree *tree, char *drep)
5263 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5266 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5267 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5268 "unknown string", hf_netlogon_unknown_string, 0);
5270 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5271 hf_netlogon_unknown_long, NULL);
5273 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5274 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5275 "unknown string", hf_netlogon_unknown_string, 0);
5277 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5278 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5279 "GUID pointer: unknown_GUID", -1, 0);
5281 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5282 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5283 "unknown string", hf_netlogon_unknown_string, 0);
5285 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5286 hf_netlogon_unknown_long, NULL);
5293 netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
5294 packet_info *pinfo, proto_tree *tree, char *drep)
5296 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5297 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5298 "DOMAIN_CONTROLLER_INFO:", -1, 0);
5300 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5301 hf_netlogon_rc, NULL);
5307 netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
5308 packet_info *pinfo, proto_tree *tree, char *drep)
5310 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5318 netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
5319 packet_info *pinfo, proto_tree *tree, char *drep)
5321 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5322 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5323 "unknown string", hf_netlogon_unknown_string, -1);
5325 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5326 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5327 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5329 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5330 hf_netlogon_rc, NULL);
5336 netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
5337 packet_info *pinfo, proto_tree *tree, char *drep)
5339 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5346 netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
5347 packet_info *pinfo, proto_tree *tree, char *drep)
5349 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5350 hf_netlogon_entries, NULL);
5352 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5353 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY, NDR_POINTER_UNIQUE,
5354 "DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY:", -1, 0);
5356 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5357 hf_netlogon_rc, NULL);
5363 netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
5364 packet_info *pinfo, proto_tree *tree, char *drep)
5366 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5370 hf_netlogon_unknown_long, NULL);
5372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5373 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5374 "BYTE pointer: unknown_BYTE", -1, 0);
5381 netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
5382 packet_info *pinfo, proto_tree *tree, char *drep)
5384 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5385 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5386 "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
5388 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5389 hf_netlogon_rc, NULL);
5396 netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
5397 packet_info *pinfo, proto_tree *tree, char *drep)
5399 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5400 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5401 "unknown string", hf_netlogon_unknown_string, 0);
5408 netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
5409 packet_info *pinfo, proto_tree *tree, char *drep)
5411 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5412 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5413 "TYPE_50** pointer: unknown_TYPE_50", -1, 0);
5415 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5416 hf_netlogon_rc, NULL);
5422 netlogon_dissect_logonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5423 packet_info *pinfo, proto_tree *tree, char *drep)
5425 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5426 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5427 "unknown string", hf_netlogon_unknown_string, 0);
5429 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5430 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5431 "unknown string", hf_netlogon_unknown_string, 0);
5433 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5434 hf_netlogon_unknown_short, NULL);
5436 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5437 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5438 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1, 0);
5440 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5441 hf_netlogon_unknown_short, NULL);
5443 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5444 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5445 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5451 netlogon_dissect_logonsamlogonex_reply(tvbuff_t *tvb, int offset,
5452 packet_info *pinfo, proto_tree *tree, char *drep)
5454 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5455 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5456 "VALIDATION: unknown_NETLOGON_VALIDATION", -1, 0);
5458 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5459 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5460 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char, 0);
5462 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5463 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5464 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5466 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5467 hf_netlogon_rc, NULL);
5473 netlogon_dissect_dsrrolegetprimarydomaininformation_rqst(tvbuff_t *tvb, int offset,
5474 packet_info *pinfo, proto_tree *tree, char *drep)
5476 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5479 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5480 hf_netlogon_unknown_long, NULL);
5487 netlogon_dissect_dsrrolegetprimarydomaininformation_reply(tvbuff_t *tvb, int offset,
5488 packet_info *pinfo, proto_tree *tree, char *drep)
5490 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5491 hf_netlogon_entries, NULL);
5493 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5494 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY, NDR_POINTER_UNIQUE,
5495 "DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY:", -1, 0);
5497 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5498 hf_netlogon_rc, NULL);
5504 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5505 packet_info *pinfo, proto_tree *tree, char *drep)
5507 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5510 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5511 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5512 "Domain", hf_netlogon_logon_dom, 0);
5514 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5515 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5516 "GUID pointer: domain_guid", -1, 0);
5518 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5519 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5520 "GUID pointer: dsa_guid", -1, 0);
5522 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5523 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5524 "dns_host", hf_netlogon_dns_host, -1);
5531 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5532 packet_info *pinfo, proto_tree *tree, char *drep)
5534 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5535 hf_netlogon_rc, NULL);
5542 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
5543 { NETLOGON_UASLOGON, "UasLogon",
5544 netlogon_dissect_netlogonuaslogon_rqst,
5545 netlogon_dissect_netlogonuaslogon_reply },
5546 { NETLOGON_UASLOGOFF, "UasLogoff",
5547 netlogon_dissect_netlogonuaslogoff_rqst,
5548 netlogon_dissect_netlogonuaslogoff_reply },
5549 { NETLOGON_NETLOGONSAMLOGON, "SamLogon",
5550 netlogon_dissect_netlogonsamlogon_rqst,
5551 netlogon_dissect_netlogonsamlogon_reply },
5552 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
5553 netlogon_dissect_netlogonsamlogoff_rqst,
5554 netlogon_dissect_netlogonsamlogoff_reply },
5555 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
5556 netlogon_dissect_netserverreqchallenge_rqst,
5557 netlogon_dissect_netserverreqchallenge_reply },
5558 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
5559 netlogon_dissect_netserverauthenticate_rqst,
5560 netlogon_dissect_netserverauthenticate_reply },
5561 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
5562 netlogon_dissect_netserverpasswordset_rqst,
5563 netlogon_dissect_netserverpasswordset_reply },
5564 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
5565 netlogon_dissect_netsamdeltas_rqst,
5566 netlogon_dissect_netsamdeltas_reply },
5567 { NETLOGON_DATABASESYNC, "DatabaseSync",
5568 netlogon_dissect_netlogondatabasesync_rqst,
5569 netlogon_dissect_netlogondatabasesync_reply },
5570 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
5571 netlogon_dissect_netlogonaccountdeltas_rqst,
5572 netlogon_dissect_netlogonaccountdeltas_reply },
5573 { NETLOGON_ACCOUNTSYNC, "AccountSync",
5574 netlogon_dissect_netlogonaccountsync_rqst,
5575 netlogon_dissect_netlogonaccountsync_reply },
5576 { NETLOGON_GETDCNAME, "GetDCName",
5577 netlogon_dissect_netlogongetdcname_rqst,
5578 netlogon_dissect_netlogongetdcname_reply },
5579 { NETLOGON_NETLOGONCONTROL, "LogonControl",
5580 netlogon_dissect_netlogoncontrol_rqst,
5581 netlogon_dissect_netlogoncontrol_reply },
5582 { NETLOGON_GETANYDCNAME, "GetAnyDCName",
5583 netlogon_dissect_netlogongetanydcname_rqst,
5584 netlogon_dissect_netlogongetanydcname_reply },
5585 { NETLOGON_NETLOGONCONTROL2, "LogonControl2",
5586 netlogon_dissect_netlogoncontrol2_rqst,
5587 netlogon_dissect_netlogoncontrol2_reply },
5588 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
5589 netlogon_dissect_netserverauthenticate2_rqst,
5590 netlogon_dissect_netserverauthenticate2_reply },
5591 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
5592 netlogon_dissect_netdatabasesync2_rqst,
5593 netlogon_dissect_netdatabasesync2_reply },
5594 { NETLOGON_DATABASEREDO, "DatabaseRedo",
5595 netlogon_dissect_netlogondatabaseredo_rqst,
5596 netlogon_dissect_netlogondatabaseredo_reply },
5597 { NETLOGON_FUNCTION_12, "Function_0x12",
5598 netlogon_dissect_function_12_rqst,
5599 netlogon_dissect_function_12_reply },
5600 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList",
5601 netlogon_dissect_nettrusteddomainlist_rqst,
5602 netlogon_dissect_nettrusteddomainlist_reply },
5603 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2",
5604 netlogon_dissect_dsrgetdcname2_rqst,
5605 netlogon_dissect_dsrgetdcname2_reply },
5606 { NETLOGON_FUNCTION_15, "Function 0x15",
5607 netlogon_dissect_function_15_rqst,
5608 netlogon_dissect_function_15_reply },
5609 { NETLOGON_FUNCTION_16, "Function 0x16",
5610 netlogon_dissect_function_16_rqst,
5611 netlogon_dissect_function_16_reply },
5612 { NETLOGON_FUNCTION_17, "Function 0x17",
5613 netlogon_dissect_function_17_rqst,
5614 netlogon_dissect_function_17_reply },
5615 { NETLOGON_FUNCTION_18, "Function 0x18",
5616 netlogon_dissect_function_18_rqst,
5617 netlogon_dissect_function_18_reply },
5618 { NETLOGON_FUNCTION_19, "Function 0x19",
5619 netlogon_dissect_function_19_rqst,
5620 netlogon_dissect_function_19_reply },
5621 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3",
5622 netlogon_dissect_netserverauthenticate3_rqst,
5623 netlogon_dissect_netserverauthenticate3_reply },
5624 { NETLOGON_DSRGETDCNAME, "DsrGetDCName",
5625 netlogon_dissect_dsrgetdcname_rqst,
5626 netlogon_dissect_dsrgetdcname_reply },
5627 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
5628 netlogon_dissect_dsrgetsitename_rqst,
5629 netlogon_dissect_dsrgetsitename_reply },
5630 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
5631 netlogon_dissect_netrlogongetdomaininfo_rqst,
5632 netlogon_dissect_netrlogongetdomaininfo_reply },
5633 { NETLOGON_FUNCTION_1E, "Function_0x1E",
5634 netlogon_dissect_function_1e_rqst,
5635 netlogon_dissect_function_1e_reply },
5636 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2",
5637 netlogon_dissect_netserverpasswordset2_rqst,
5638 netlogon_dissect_netserverpasswordset2_reply },
5639 { NETLOGON_FUNCTION_20, "Function_0x20",
5640 netlogon_dissect_function_20_rqst,
5641 netlogon_dissect_function_20_reply },
5642 { NETLOGON_FUNCTION_21, "Function_0x21",
5643 netlogon_dissect_function_21_rqst,
5644 netlogon_dissect_function_21_reply },
5645 { NETLOGON_FUNCTION_22, "Function_0x22",
5646 netlogon_dissect_function_22_rqst,
5647 netlogon_dissect_function_22_reply },
5648 { NETLOGON_FUNCTION_23, "Function_0x23",
5649 netlogon_dissect_function_23_rqst,
5650 netlogon_dissect_function_23_reply },
5651 { NETLOGON_FUNCTION_24, "Function_0x24",
5652 netlogon_dissect_function_24_rqst,
5653 netlogon_dissect_function_24_reply },
5654 { NETLOGON_FUNCTION_25, "Function_0x25",
5655 netlogon_dissect_function_25_rqst,
5656 netlogon_dissect_function_25_reply },
5657 { NETLOGON_FUNCTION_26, "Function_0x26",
5658 netlogon_dissect_function_26_rqst,
5659 netlogon_dissect_function_26_reply },
5660 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx",
5661 netlogon_dissect_logonsamlogonex_rqst,
5662 netlogon_dissect_logonsamlogonex_reply },
5663 { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DsrRoleGetPrimaryDomainInformation",
5664 netlogon_dissect_dsrrolegetprimarydomaininformation_rqst,
5665 netlogon_dissect_dsrrolegetprimarydomaininformation_reply },
5666 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords",
5667 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
5668 netlogon_dissect_dsrderegisterdnshostrecords_reply },
5669 {0, NULL, NULL, NULL }
5672 static const value_string netlogon_opnum_vals[] = {
5673 { NETLOGON_UASLOGON, "UasLogon" },
5674 { NETLOGON_UASLOGOFF, "UasLogoff" },
5675 { NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
5676 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
5677 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
5678 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
5679 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
5680 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
5681 { NETLOGON_DATABASESYNC, "DatabaseSync" },
5682 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
5683 { NETLOGON_ACCOUNTSYNC, "AccountSync" },
5684 { NETLOGON_GETDCNAME, "GetDCName" },
5685 { NETLOGON_NETLOGONCONTROL, "LogonControl" },
5686 { NETLOGON_GETANYDCNAME, "GetAnyDCName" },
5687 { NETLOGON_NETLOGONCONTROL2, "LogonControl2" },
5688 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2" },
5689 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2" },
5690 { NETLOGON_DATABASEREDO, "DatabaseRedo" },
5691 { NETLOGON_FUNCTION_12, "Function_0x12" },
5692 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList" },
5693 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2" },
5694 { NETLOGON_FUNCTION_15, "Function_0x15" },
5695 { NETLOGON_FUNCTION_16, "Function_0x16" },
5696 { NETLOGON_FUNCTION_17, "Function_0x17" },
5697 { NETLOGON_FUNCTION_18, "Function_0x18" },
5698 { NETLOGON_FUNCTION_19, "Function_0x19" },
5699 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3" },
5700 { NETLOGON_DSRGETDCNAME, "DsrGetDCName" },
5701 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName" },
5702 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo" },
5703 { NETLOGON_FUNCTION_1E, "Function_0x1E" },
5704 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2" },
5705 { NETLOGON_FUNCTION_20, "Function_0x20" },
5706 { NETLOGON_FUNCTION_21, "Function_0x21" },
5707 { NETLOGON_FUNCTION_22, "Function_0x22" },
5708 { NETLOGON_FUNCTION_23, "Function_0x23" },
5709 { NETLOGON_FUNCTION_24, "Function_0x24" },
5710 { NETLOGON_FUNCTION_25, "Function_0x25" },
5711 { NETLOGON_FUNCTION_26, "Function_0x26" },
5712 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx" },
5713 { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DsrRoleGetPrimaryDomainInformation" },
5714 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords" },
5719 proto_register_dcerpc_netlogon(void)
5722 static hf_register_info hf[] = {
5723 { &hf_netlogon_opnum,
5724 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
5725 VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
5727 { &hf_netlogon_rc, {
5728 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
5729 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
5731 { &hf_netlogon_param_ctrl, {
5732 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
5733 NULL, 0x0, "Param ctrl", HFILL }},
5735 { &hf_netlogon_logon_id, {
5736 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
5737 NULL, 0x0, "Logon ID", HFILL }},
5739 { &hf_netlogon_modify_count, {
5740 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
5741 NULL, 0x0, "How many times the object has been modified", HFILL }},
5743 { &hf_netlogon_security_information, {
5744 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
5745 NULL, 0x0, "Security Information", HFILL }},
5747 { &hf_netlogon_count, {
5748 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
5749 NULL, 0x0, "", HFILL }},
5751 { &hf_netlogon_entries, {
5752 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
5753 NULL, 0x0, "", HFILL }},
5755 { &hf_netlogon_credential, {
5756 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
5757 NULL, 0x0, "Netlogon credential", HFILL }},
5759 { &hf_netlogon_challenge, {
5760 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
5761 NULL, 0x0, "Netlogon challenge", HFILL }},
5763 { &hf_netlogon_lm_owf_password, {
5764 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
5765 NULL, 0x0, "LanManager OWF Password", HFILL }},
5767 { &hf_netlogon_user_session_key, {
5768 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
5769 NULL, 0x0, "User Session Key", HFILL }},
5771 { &hf_netlogon_encrypted_lm_owf_password, {
5772 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
5773 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
5775 { &hf_netlogon_nt_owf_password, {
5776 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
5777 NULL, 0x0, "NT OWF Password", HFILL }},
5779 { &hf_netlogon_blob, {
5780 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
5781 NULL, 0x0, "BLOB", HFILL }},
5783 { &hf_netlogon_len, {
5784 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
5785 NULL, 0, "Length", HFILL }},
5787 { &hf_netlogon_priv, {
5788 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
5789 NULL, 0, "", HFILL }},
5791 { &hf_netlogon_privilege_entries, {
5792 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
5793 NULL, 0, "", HFILL }},
5795 { &hf_netlogon_privilege_control, {
5796 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
5797 NULL, 0, "", HFILL }},
5799 { &hf_netlogon_privilege_name, {
5800 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
5801 NULL, 0, "", HFILL }},
5803 { &hf_netlogon_pdc_connection_status, {
5804 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
5805 NULL, 0, "PDC Connection Status", HFILL }},
5807 { &hf_netlogon_tc_connection_status, {
5808 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
5809 NULL, 0, "TC Connection Status", HFILL }},
5811 { &hf_netlogon_attrs, {
5812 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
5813 NULL, 0, "Attributes", HFILL }},
5815 { &hf_netlogon_unknown_string,
5816 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
5817 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
5818 { &hf_netlogon_unknown_long,
5819 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
5820 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
5821 { &hf_netlogon_reserved,
5822 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
5823 NULL, 0x0, "Reserved", HFILL }},
5824 { &hf_netlogon_unknown_short,
5825 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
5826 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
5828 { &hf_netlogon_unknown_char,
5829 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
5830 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
5832 { &hf_netlogon_acct_expiry_time,
5833 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
5834 NULL, 0x0, "When this account will expire", HFILL }},
5836 { &hf_netlogon_nt_pwd_present,
5837 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
5838 NULL, 0x0, "Is NT password present for this account?", HFILL }},
5840 { &hf_netlogon_lm_pwd_present,
5841 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
5842 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
5844 { &hf_netlogon_pwd_expired,
5845 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
5846 NULL, 0x0, "Whether this password has expired or not", HFILL }},
5848 { &hf_netlogon_authoritative,
5849 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
5850 NULL, 0x0, "", HFILL }},
5852 { &hf_netlogon_sensitive_data_flag,
5853 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
5854 NULL, 0x0, "Sensitive data flag", HFILL }},
5856 { &hf_netlogon_auditing_mode,
5857 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
5858 NULL, 0x0, "Auditing Mode", HFILL }},
5860 { &hf_netlogon_max_audit_event_count,
5861 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
5862 NULL, 0x0, "Max audit event count", HFILL }},
5864 { &hf_netlogon_event_audit_option,
5865 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
5866 NULL, 0x0, "Event audit option", HFILL }},
5868 { &hf_netlogon_sensitive_data_len,
5869 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
5870 NULL, 0x0, "Length of sensitive data", HFILL }},
5872 { &hf_netlogon_nt_chal_resp,
5873 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
5874 NULL, 0, "Challenge response for NT authentication", HFILL }},
5876 { &hf_netlogon_lm_chal_resp,
5877 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
5878 NULL, 0, "Challenge response for LM authentication", HFILL }},
5880 { &hf_netlogon_cipher_len,
5881 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
5882 NULL, 0, "", HFILL }},
5884 { &hf_netlogon_cipher_maxlen,
5885 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
5886 NULL, 0, "", HFILL }},
5888 { &hf_netlogon_pac_data,
5889 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
5890 NULL, 0, "Pac Data", HFILL }},
5892 { &hf_netlogon_sensitive_data,
5893 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
5894 NULL, 0, "Sensitive Data", HFILL }},
5896 { &hf_netlogon_auth_data,
5897 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
5898 NULL, 0, "Auth Data", HFILL }},
5900 { &hf_netlogon_cipher_current_data,
5901 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
5902 NULL, 0, "", HFILL }},
5904 { &hf_netlogon_cipher_old_data,
5905 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
5906 NULL, 0, "", HFILL }},
5908 { &hf_netlogon_acct_name,
5909 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
5910 NULL, 0, "Account Name", HFILL }},
5912 { &hf_netlogon_acct_desc,
5913 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
5914 NULL, 0, "Account Description", HFILL }},
5916 { &hf_netlogon_group_desc,
5917 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
5918 NULL, 0, "Group Description", HFILL }},
5920 { &hf_netlogon_full_name,
5921 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
5922 NULL, 0, "Full Name", HFILL }},
5924 { &hf_netlogon_comment,
5925 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
5926 NULL, 0, "Comment", HFILL }},
5928 { &hf_netlogon_parameters,
5929 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
5930 NULL, 0, "Parameters", HFILL }},
5932 { &hf_netlogon_logon_script,
5933 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
5934 NULL, 0, "Logon Script", HFILL }},
5936 { &hf_netlogon_profile_path,
5937 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
5938 NULL, 0, "Profile Path", HFILL }},
5940 { &hf_netlogon_home_dir,
5941 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
5942 NULL, 0, "Home Directory", HFILL }},
5944 { &hf_netlogon_dir_drive,
5945 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
5946 NULL, 0, "Drive letter for home directory", HFILL }},
5948 { &hf_netlogon_logon_srv,
5949 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
5950 NULL, 0, "Server", HFILL }},
5952 { &hf_netlogon_principal,
5953 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
5954 NULL, 0, "Principal", HFILL }},
5956 { &hf_netlogon_logon_dom,
5957 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
5958 NULL, 0, "Domain", HFILL }},
5960 { &hf_netlogon_computer_name,
5961 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
5962 NULL, 0, "Computer Name", HFILL }},
5964 { &hf_netlogon_site_name,
5965 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
5966 NULL, 0, "Site Name", HFILL }},
5968 { &hf_netlogon_dc_name,
5969 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
5970 NULL, 0, "DC Name", HFILL }},
5972 { &hf_netlogon_dc_site_name,
5973 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
5974 NULL, 0, "DC Site Name", HFILL }},
5976 { &hf_netlogon_dns_forest_name,
5977 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
5978 NULL, 0, "DNS Forest Name", HFILL }},
5980 { &hf_netlogon_dc_address,
5981 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
5982 NULL, 0, "DC Address", HFILL }},
5984 { &hf_netlogon_dc_address_type,
5985 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
5986 NULL, 0, "DC Address Type", HFILL }},
5988 { &hf_netlogon_client_site_name,
5989 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
5990 NULL, 0, "Client Site Name", HFILL }},
5992 { &hf_netlogon_workstation_site_name,
5993 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
5994 NULL, 0, "Workstation Site Name", HFILL }},
5996 { &hf_netlogon_workstation,
5997 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
5998 NULL, 0, "Workstation Name", HFILL }},
6000 { &hf_netlogon_workstation_os,
6001 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6002 NULL, 0, "Workstation OS", HFILL }},
6004 { &hf_netlogon_workstations,
6005 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6006 NULL, 0, "Workstations", HFILL }},
6008 { &hf_netlogon_workstation_fqdn,
6009 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6010 NULL, 0, "Workstation FQDN", HFILL }},
6012 { &hf_netlogon_group_name,
6013 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6014 NULL, 0, "Group Name", HFILL }},
6016 { &hf_netlogon_alias_name,
6017 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6018 NULL, 0, "Alias Name", HFILL }},
6020 { &hf_netlogon_dns_host,
6021 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6022 NULL, 0, "DNS Host", HFILL }},
6024 { &hf_netlogon_downlevel_domain_name,
6025 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6026 NULL, 0, "Downlevel Domain Name", HFILL }},
6028 { &hf_netlogon_dns_domain_name,
6029 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6030 NULL, 0, "DNS Domain Name", HFILL }},
6032 { &hf_netlogon_domain_name,
6033 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6034 NULL, 0, "Domain Name", HFILL }},
6036 { &hf_netlogon_oem_info,
6037 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6038 NULL, 0, "OEM Info", HFILL }},
6040 { &hf_netlogon_trusted_dc_name,
6041 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6042 NULL, 0, "Trusted DC", HFILL }},
6044 { &hf_netlogon_logonsrv_handle,
6045 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6046 NULL, 0, "Logon Srv Handle", HFILL }},
6048 { &hf_netlogon_dummy,
6049 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6050 NULL, 0, "Dummy string", HFILL }},
6052 { &hf_netlogon_logon_count16,
6053 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6054 NULL, 0x0, "Number of successful logins", HFILL }},
6056 { &hf_netlogon_logon_count,
6057 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6058 NULL, 0x0, "Number of successful logins", HFILL }},
6060 { &hf_netlogon_bad_pw_count16,
6061 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6062 NULL, 0x0, "Number of failed logins", HFILL }},
6064 { &hf_netlogon_bad_pw_count,
6065 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6066 NULL, 0x0, "Number of failed logins", HFILL }},
6068 { &hf_netlogon_country,
6069 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6070 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6072 { &hf_netlogon_codepage,
6073 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6074 NULL, 0x0, "Codepage setting for this account", HFILL }},
6076 { &hf_netlogon_level16,
6077 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6078 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6080 { &hf_netlogon_validation_level,
6081 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6082 NULL, 0x0, "Requested level of validation", HFILL }},
6084 { &hf_netlogon_minpasswdlen,
6085 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6086 NULL, 0x0, "Minimum length of password", HFILL }},
6088 { &hf_netlogon_passwdhistorylen,
6089 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6090 NULL, 0x0, "Length of password history", HFILL }},
6092 { &hf_netlogon_secure_channel_type,
6093 { "Sec Chn Type", "netlogon.sec_chn_type", FT_UINT16, BASE_DEC,
6094 NULL, 0x0, "Secure Channel Type", HFILL }},
6096 { &hf_netlogon_restart_state,
6097 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6098 NULL, 0x0, "Restart State", HFILL }},
6100 { &hf_netlogon_delta_type,
6101 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6102 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6104 { &hf_netlogon_blob_size,
6105 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6106 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6108 { &hf_netlogon_code,
6109 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6110 NULL, 0x0, "Code", HFILL }},
6112 { &hf_netlogon_level,
6113 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6114 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6116 { &hf_netlogon_reference,
6117 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6118 NULL, 0x0, "", HFILL }},
6120 { &hf_netlogon_next_reference,
6121 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6122 NULL, 0x0, "", HFILL }},
6124 { &hf_netlogon_timestamp,
6125 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6126 NULL, 0, "", HFILL }},
6128 { &hf_netlogon_user_rid,
6129 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6130 NULL, 0x0, "", HFILL }},
6132 { &hf_netlogon_alias_rid,
6133 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6134 NULL, 0x0, "", HFILL }},
6136 { &hf_netlogon_group_rid,
6137 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6138 NULL, 0x0, "", HFILL }},
6140 { &hf_netlogon_num_rids,
6141 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6142 NULL, 0x0, "Number of RIDs", HFILL }},
6144 { &hf_netlogon_num_controllers,
6145 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6146 NULL, 0x0, "Number of domain controllers", HFILL }},
6148 { &hf_netlogon_num_other_groups,
6149 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6150 NULL, 0x0, "", HFILL }},
6152 { &hf_netlogon_flags,
6153 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6154 NULL, 0x0, "", HFILL }},
6156 { &hf_netlogon_user_flags,
6157 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6158 NULL, 0x0, "", HFILL }},
6160 { &hf_netlogon_auth_flags,
6161 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6162 NULL, 0x0, "", HFILL }},
6164 { &hf_netlogon_systemflags,
6165 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6166 NULL, 0x0, "", HFILL }},
6168 { &hf_netlogon_database_id,
6169 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6170 NULL, 0x0, "Database Id", HFILL }},
6172 { &hf_netlogon_sync_context,
6173 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6174 NULL, 0x0, "Sync Context", HFILL }},
6176 { &hf_netlogon_max_size,
6177 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6178 NULL, 0x0, "Max Size of database", HFILL }},
6180 { &hf_netlogon_max_log_size,
6181 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6182 NULL, 0x0, "Max Size of log", HFILL }},
6184 { &hf_netlogon_pac_size,
6185 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6186 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6188 { &hf_netlogon_auth_size,
6189 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6190 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6192 { &hf_netlogon_num_deltas,
6193 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6194 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6196 { &hf_netlogon_logon_attempts,
6197 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6198 NULL, 0x0, "Number of logon attempts", HFILL }},
6200 { &hf_netlogon_pagefilelimit,
6201 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6202 NULL, 0x0, "", HFILL }},
6204 { &hf_netlogon_pagedpoollimit,
6205 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6206 NULL, 0x0, "", HFILL }},
6208 { &hf_netlogon_nonpagedpoollimit,
6209 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6210 NULL, 0x0, "", HFILL }},
6212 { &hf_netlogon_minworkingsetsize,
6213 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6214 NULL, 0x0, "", HFILL }},
6216 { &hf_netlogon_maxworkingsetsize,
6217 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6218 NULL, 0x0, "", HFILL }},
6220 { &hf_netlogon_serial_number,
6221 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6222 NULL, 0x0, "", HFILL }},
6224 { &hf_netlogon_neg_flags,
6225 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6226 NULL, 0x0, "Negotiation Flags", HFILL }},
6228 { &hf_netlogon_logon_time,
6229 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6230 NULL, 0, "Time for last time this user logged on", HFILL }},
6232 { &hf_netlogon_kickoff_time,
6233 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6234 NULL, 0, "Time when this user will be kicked off", HFILL }},
6236 { &hf_netlogon_logoff_time,
6237 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6238 NULL, 0, "Time for last time this user logged off", HFILL }},
6240 { &hf_netlogon_pwd_last_set_time,
6241 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6242 NULL, 0, "Last time this users password was changed", HFILL }},
6244 { &hf_netlogon_pwd_can_change_time,
6245 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6246 NULL, 0, "When this users password may be changed", HFILL }},
6248 { &hf_netlogon_pwd_must_change_time,
6249 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6250 NULL, 0, "When this users password must be changed", HFILL }},
6252 { &hf_netlogon_domain_create_time,
6253 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6254 NULL, 0, "Time when this domain was created", HFILL }},
6256 { &hf_netlogon_domain_modify_time,
6257 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6258 NULL, 0, "Time when this domain was last modified", HFILL }},
6260 { &hf_netlogon_db_modify_time,
6261 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6262 NULL, 0, "Time when last modified", HFILL }},
6264 { &hf_netlogon_db_create_time,
6265 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6266 NULL, 0, "Time when created", HFILL }},
6268 { &hf_netlogon_cipher_current_set_time,
6269 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6270 NULL, 0, "Time when current cipher was initiated", HFILL }},
6272 { &hf_netlogon_cipher_old_set_time,
6273 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6274 NULL, 0, "Time when previous cipher was initiated", HFILL }},
6276 { &hf_netlogon_audit_retention_period,
6277 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6278 NULL, 0, "Audit retention period", HFILL }},
6280 { &hf_netlogon_guid,
6281 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
6282 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
6284 { &hf_netlogon_timelimit,
6285 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6286 NULL, 0, "", HFILL }}
6290 static gint *ett[] = {
6291 &ett_dcerpc_netlogon,
6297 &ett_DOMAIN_CONTROLLER_INFO,
6298 &ett_UNICODE_STRING_512,
6301 &ett_DELTA_ID_UNION,
6304 &ett_LM_OWF_PASSWORD,
6305 &ett_NT_OWF_PASSWORD,
6306 &ett_GROUP_MEMBERSHIP,
6307 &ett_DSROLE_DOMAIN_INFO_EX,
6311 proto_dcerpc_netlogon = proto_register_protocol(
6312 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
6314 proto_register_field_array(proto_dcerpc_netlogon, hf,
6316 proto_register_subtree_array(ett, array_length(ett));
6320 proto_reg_handoff_dcerpc_netlogon(void)
6322 /* Register protocol as dcerpc */
6324 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
6325 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
6326 dcerpc_netlogon_dissectors, hf_netlogon_opnum);