git.samba.org / obnox / wireshark / wip.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Get rid of get_ber_last_reated_item() and fix dissection of wIN-TriggerList.
[obnox/wireshark/wip.git] / epan / dissectors / packet-dcerpc-netlogon.c
1 /* packet-dcerpc-netlogon.c
2  * Routines for SMB \PIPE\NETLOGON packet disassembly
3  * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4  *  2002 structure and command dissectors by Ronnie Sahlberg
5  *
6  * $Id$
7  *
8  * Wireshark - Network traffic analyzer
9  * By Gerald Combs <gerald@wireshark.org>
10  * Copyright 1998 Gerald Combs
11  *
12  * This program is free software; you can redistribute it and/or
13  * modify it under the terms of the GNU General Public License
14  * as published by the Free Software Foundation; either version 2
15  * of the License, or (at your option) any later version.
16  *
17  * This program is distributed in the hope that it will be useful,
18  * but WITHOUT ANY WARRANTY; without even the implied warranty of
19  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20  * GNU General Public License for more details.
21  *
22  * You should have received a copy of the GNU General Public License
23  * along with this program; if not, write to the Free Software
24  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
25  */
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #include <glib.h>
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "packet-windows-common.h"
37 #include "packet-ntlmssp.h"
38 #include "packet-dcerpc-lsa.h"
39
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_group_attrs_mandatory = -1;
42 static int hf_netlogon_group_attrs_enabled_by_default = -1;
43 static int hf_netlogon_group_attrs_enabled = -1;
44 static int hf_netlogon_opnum = -1;
45 static int hf_netlogon_rc = -1;
46 static int hf_netlogon_dos_rc = -1;
47 static int hf_netlogon_werr_rc = -1;
48 static int hf_netlogon_len = -1;
49 static int hf_netlogon_sensitive_data_flag = -1;
50 static int hf_netlogon_sensitive_data_len = -1;
51 static int hf_netlogon_sensitive_data = -1;
52 static int hf_netlogon_security_information = -1;
53 static int hf_netlogon_dummy = -1;
54 static int hf_netlogon_neg_flags = -1;
55 static int hf_netlogon_minworkingsetsize = -1;
56 static int hf_netlogon_maxworkingsetsize = -1;
57 static int hf_netlogon_pagedpoollimit = -1;
58 static int hf_netlogon_pagefilelimit = -1;
59 static int hf_netlogon_timelimit = -1;
60 static int hf_netlogon_nonpagedpoollimit = -1;
61 static int hf_netlogon_pac_size = -1;
62 static int hf_netlogon_pac_data = -1;
63 static int hf_netlogon_auth_size = -1;
64 static int hf_netlogon_auth_data = -1;
65 static int hf_netlogon_cipher_len = -1;
66 static int hf_netlogon_cipher_maxlen = -1;
67 static int hf_netlogon_cipher_current_data = -1;
68 static int hf_netlogon_cipher_current_set_time = -1;
69 static int hf_netlogon_cipher_old_data = -1;
70 static int hf_netlogon_cipher_old_set_time = -1;
71 static int hf_netlogon_priv = -1;
72 static int hf_netlogon_privilege_entries = -1;
73 static int hf_netlogon_privilege_control = -1;
74 static int hf_netlogon_privilege_name = -1;
75 static int hf_netlogon_systemflags = -1;
76 static int hf_netlogon_pdc_connection_status = -1;
77 static int hf_netlogon_tc_connection_status = -1;
78 static int hf_netlogon_restart_state = -1;
79 static int hf_netlogon_attrs = -1;
80 static int hf_netlogon_count = -1;
81 static int hf_netlogon_entries = -1;
82 static int hf_netlogon_minpasswdlen = -1;
83 static int hf_netlogon_passwdhistorylen = -1;
84 static int hf_netlogon_level16 = -1;
85 static int hf_netlogon_validation_level = -1;
86 static int hf_netlogon_reference = -1;
87 static int hf_netlogon_next_reference = -1;
88 static int hf_netlogon_timestamp = -1;
89 static int hf_netlogon_level = -1;
90 static int hf_netlogon_challenge = -1;
91 static int hf_netlogon_reserved = -1;
92 static int hf_netlogon_audit_retention_period = -1;
93 static int hf_netlogon_auditing_mode = -1;
94 static int hf_netlogon_max_audit_event_count = -1;
95 static int hf_netlogon_event_audit_option = -1;
96 static int hf_netlogon_unknown_string = -1;
97 static int hf_netlogon_unknown_long = -1;
98 static int hf_netlogon_unknown_short = -1;
99 static int hf_netlogon_unknown_char = -1;
100 static int hf_netlogon_logon_time = -1;
101 static int hf_netlogon_logoff_time = -1;
102 static int hf_netlogon_last_logoff_time = -1;
103 static int hf_netlogon_kickoff_time = -1;
104 static int hf_netlogon_pwd_age = -1;
105 static int hf_netlogon_pwd_last_set_time = -1;
106 static int hf_netlogon_pwd_can_change_time = -1;
107 static int hf_netlogon_pwd_must_change_time = -1;
108 static int hf_netlogon_nt_chal_resp = -1;
109 static int hf_netlogon_lm_chal_resp = -1;
110 static int hf_netlogon_credential = -1;
111 static int hf_netlogon_acct_name = -1;
112 static int hf_netlogon_acct_desc = -1;
113 static int hf_netlogon_group_desc = -1;
114 static int hf_netlogon_full_name = -1;
115 static int hf_netlogon_comment = -1;
116 static int hf_netlogon_parameters = -1;
117 static int hf_netlogon_logon_script = -1;
118 static int hf_netlogon_profile_path = -1;
119 static int hf_netlogon_home_dir = -1;
120 static int hf_netlogon_dir_drive = -1;
121 static int hf_netlogon_logon_count = -1;
122 static int hf_netlogon_logon_count16 = -1;
123 static int hf_netlogon_bad_pw_count = -1;
124 static int hf_netlogon_bad_pw_count16 = -1;
125 static int hf_netlogon_user_rid = -1;
126 static int hf_netlogon_alias_rid = -1;
127 static int hf_netlogon_group_rid = -1;
128 static int hf_netlogon_logon_srv = -1;
129 static int hf_netlogon_principal = -1;
130 static int hf_netlogon_logon_dom = -1;
131 static int hf_netlogon_resourcegroupcount = -1;
132 static int hf_netlogon_downlevel_domain_name = -1;
133 static int hf_netlogon_dns_domain_name = -1;
134 static int hf_netlogon_domain_name = -1;
135 static int hf_netlogon_domain_create_time = -1;
136 static int hf_netlogon_domain_modify_time = -1;
137 static int hf_netlogon_modify_count = -1;
138 static int hf_netlogon_db_modify_time = -1;
139 static int hf_netlogon_db_create_time = -1;
140 static int hf_netlogon_oem_info = -1;
141 static int hf_netlogon_serial_number = -1;
142 static int hf_netlogon_num_rids = -1;
143 static int hf_netlogon_num_trusts = -1;
144 static int hf_netlogon_num_controllers = -1;
145 static int hf_netlogon_num_other_groups = -1;
146 static int hf_netlogon_computer_name = -1;
147 static int hf_netlogon_site_name = -1;
148 static int hf_netlogon_trusted_dc_name = -1;
149 static int hf_netlogon_dc_name = -1;
150 static int hf_netlogon_dc_site_name = -1;
151 static int hf_netlogon_dns_forest_name = -1;
152 static int hf_netlogon_dc_address = -1;
153 static int hf_netlogon_dc_address_type = -1;
154 static int hf_netlogon_client_site_name = -1;
155 static int hf_netlogon_workstation = -1;
156 static int hf_netlogon_workstation_site_name = -1;
157 static int hf_netlogon_workstation_os = -1;
158 static int hf_netlogon_workstations = -1;
159 static int hf_netlogon_workstation_fqdn = -1;
160 static int hf_netlogon_group_name = -1;
161 static int hf_netlogon_alias_name = -1;
162 static int hf_netlogon_country = -1;
163 static int hf_netlogon_codepage = -1;
164 static int hf_netlogon_flags = -1;
165 static int hf_netlogon_trust_attribs = -1;
166 static int hf_netlogon_trust_attribs_non_transitive = -1;
167 static int hf_netlogon_trust_attribs_uplevel_only = -1;
168 static int hf_netlogon_trust_attribs_quarantined_domain = -1;
169 static int hf_netlogon_trust_attribs_forest_transitive = -1;
170 static int hf_netlogon_trust_attribs_cross_organization = -1;
171 static int hf_netlogon_trust_attribs_within_forest = -1;
172 static int hf_netlogon_trust_attribs_treat_as_external = -1;
173 static int hf_netlogon_trust_type = -1;
174 static int hf_netlogon_trust_flags = -1;
175 static int hf_netlogon_trust_flags_inbound = -1;
176 static int hf_netlogon_trust_flags_outbound = -1;
177 static int hf_netlogon_trust_flags_in_forest = -1;
178 static int hf_netlogon_trust_flags_native_mode = -1;
179 static int hf_netlogon_trust_flags_primary = -1;
180 static int hf_netlogon_trust_flags_tree_root = -1;
181 static int hf_netlogon_trust_parent_index = -1;
182 static int hf_netlogon_user_account_control = -1;
183 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
184 static int hf_netlogon_user_account_control_use_des_key_only = -1;
185 static int hf_netlogon_user_account_control_not_delegated = -1;
186 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
187 static int hf_netlogon_user_account_control_smartcard_required = -1;
188 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
189 static int hf_netlogon_user_account_control_account_auto_locked = -1;
190 static int hf_netlogon_user_account_control_dont_expire_password = -1;
191 static int hf_netlogon_user_account_control_server_trust_account = -1;
192 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
193 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
194 static int hf_netlogon_user_account_control_mns_logon_account = -1;
195 static int hf_netlogon_user_account_control_normal_account = -1;
196 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
197 static int hf_netlogon_user_account_control_password_not_required = -1;
198 static int hf_netlogon_user_account_control_home_directory_required = -1;
199 static int hf_netlogon_user_account_control_account_disabled = -1;
200 static int hf_netlogon_user_flags = -1;
201 static int hf_netlogon_user_flags_extra_sids = -1;
202 static int hf_netlogon_user_flags_resource_groups = -1;
203 static int hf_netlogon_auth_flags = -1;
204 static int hf_netlogon_pwd_expired = -1;
205 static int hf_netlogon_nt_pwd_present = -1;
206 static int hf_netlogon_lm_pwd_present = -1;
207 static int hf_netlogon_code = -1;
208 static int hf_netlogon_database_id = -1;
209 static int hf_netlogon_sync_context = -1;
210 static int hf_netlogon_max_size = -1;
211 static int hf_netlogon_max_log_size = -1;
212 static int hf_netlogon_dns_host = -1;
213 static int hf_netlogon_acct_expiry_time = -1;
214 static int hf_netlogon_encrypted_lm_owf_password = -1;
215 static int hf_netlogon_lm_owf_password = -1;
216 static int hf_netlogon_nt_owf_password = -1;
217 static int hf_netlogon_param_ctrl = -1;
218 static int hf_netlogon_logon_id = -1;
219 static int hf_netlogon_num_deltas = -1;
220 static int hf_netlogon_user_session_key = -1;
221 static int hf_netlogon_blob_size = -1;
222 static int hf_netlogon_blob = -1;
223 static int hf_netlogon_logon_attempts = -1;
224 static int hf_netlogon_authoritative = -1;
225 static int hf_netlogon_secure_channel_type = -1;
226 static int hf_netlogon_logonsrv_handle = -1;
227 static int hf_netlogon_delta_type = -1;
228 static int hf_netlogon_get_dcname_request_flags = -1;
229 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
230 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
231 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
232 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
233 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
234 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
235 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
236 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
237 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
238 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
239 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
240 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
241 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
242 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
243 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
244 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
245 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
246 static int hf_netlogon_dc_flags = -1;
247 static int hf_netlogon_dc_flags_pdc_flag = -1;
248 static int hf_netlogon_dc_flags_gc_flag = -1;
249 static int hf_netlogon_dc_flags_ldap_flag = -1;
250 static int hf_netlogon_dc_flags_ds_flag = -1;
251 static int hf_netlogon_dc_flags_kdc_flag = -1;
252 static int hf_netlogon_dc_flags_timeserv_flag = -1;
253 static int hf_netlogon_dc_flags_closest_flag = -1;
254 static int hf_netlogon_dc_flags_writable_flag = -1;
255 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
256 static int hf_netlogon_dc_flags_ndnc_flag = -1;
257 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
258 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
259 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
260
261 static gint ett_dcerpc_netlogon = -1;
262 static gint ett_group_attrs = -1;
263 static gint ett_user_flags = -1;
264 static gint ett_user_account_control = -1;
265 static gint ett_QUOTA_LIMITS = -1;
266 static gint ett_IDENTITY_INFO = -1;
267 static gint ett_DELTA_ENUM = -1;
268 static gint ett_CYPHER_VALUE = -1;
269 static gint ett_UNICODE_MULTI = -1;
270 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
271 static gint ett_UNICODE_STRING_512 = -1;
272 static gint ett_TYPE_50 = -1;
273 static gint ett_TYPE_52 = -1;
274 static gint ett_DELTA_ID_UNION = -1;
275 static gint ett_TYPE_44 = -1;
276 static gint ett_DELTA_UNION = -1;
277 static gint ett_LM_OWF_PASSWORD = -1;
278 static gint ett_NT_OWF_PASSWORD = -1;
279 static gint ett_GROUP_MEMBERSHIP = -1;
280 static gint ett_BLOB = -1;
281 static gint ett_DS_DOMAIN_TRUSTS = -1;
282 static gint ett_DOMAIN_TRUST_INFO = -1;
283 static gint ett_trust_flags = -1;
284 static gint ett_trust_attribs = -1;
285 static gint ett_get_dcname_request_flags = -1;
286 static gint ett_dc_flags = -1;
287
288 static e_uuid_t uuid_dcerpc_netlogon = {
289         0x12345678, 0x1234, 0xabcd,
290         { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
291 };
292
293 static guint16 ver_dcerpc_netlogon = 1;
294
295
296 static const true_false_string user_account_control_dont_require_preauth= {
297         "This account DONT_REQUIRE_PREAUTHENTICATION",
298         "This account REQUIRES preauthentication",
299 };
300 static const true_false_string user_account_control_use_des_key_only= {
301         "This account must USE_DES_KEY_ONLY for passwords",
302         "This account does NOT have to use_des_key_only",
303 };
304 static const true_false_string user_account_control_not_delegated= {
305         "This account is NOT_DELEGATED",
306         "This might have been delegated",
307 };
308 static const true_false_string user_account_control_trusted_for_delegation= {
309         "This account is TRUSTED_FOR_DELEGATION",
310         "This account is NOT trusted_for_delegation",
311 };
312 static const true_false_string user_account_control_smartcard_required= {
313         "This account REQUIRES_SMARTCARD to authenticate",
314         "This account does NOT require_smartcard to authenticate",
315 };
316 static const true_false_string user_account_control_encrypted_text_password_allowed= {
317         "This account allows ENCRYPTED_TEXT_PASSWORD",
318         "This account does NOT allow encrypted_text_password",
319 };
320 static const true_false_string user_account_control_account_auto_locked= {
321         "This account is AUTO_LOCKED",
322         "This account is NOT auto_locked",
323 };
324 static const true_false_string user_account_control_dont_expire_password= {
325         "This account DONT_EXPIRE_PASSWORDs",
326         "This account might expire_passwords",
327 };
328 static const true_false_string user_account_control_server_trust_account= {
329         "This account is a SERVER_TRUST_ACCOUNT",
330         "This account is NOT a server_trust_account",
331 };
332 static const true_false_string user_account_control_workstation_trust_account= {
333         "This account is a WORKSTATION_TRUST_ACCOUNT",
334         "This account is NOT a workstation_trust_account",
335 };
336 static const true_false_string user_account_control_interdomain_trust_account= {
337         "This account is an INTERDOMAIN_TRUST_ACCOUNT",
338         "This account is NOT an interdomain_trust_account",
339 };
340 static const true_false_string user_account_control_mns_logon_account= {
341         "This account is a MNS_LOGON_ACCOUNT",
342         "This account is NOT a mns_logon_account",
343 };
344 static const true_false_string user_account_control_normal_account= {
345         "This account is a NORMAL_ACCOUNT",
346         "This account is NOT a normal_account",
347 };
348 static const true_false_string user_account_control_temp_duplicate_account= {
349         "This account is a TEMP_DUPLICATE_ACCOUNT",
350         "This account is NOT a temp_duplicate_account",
351 };
352 static const true_false_string user_account_control_password_not_required= {
353         "This account REQUIRES_NO_PASSWORD",
354         "This account REQUIRES a password",
355 };
356 static const true_false_string user_account_control_home_directory_required= {
357         "This account REQUIRES_HOME_DIRECTORY",
358         "This account does NOT require_home_directory",
359 };
360 static const true_false_string user_account_control_account_disabled= {
361         "This account is DISABLED",
362         "This account is NOT disabled",
363 };
364 static int
365 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
366         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
367 {
368         guint32 mask;
369         proto_item *item = NULL;
370         proto_tree *tree = NULL;
371         dcerpc_info *di;
372
373         di=pinfo->private_data;
374         if(di->conformant_run){
375                 /*just a run to handle conformant arrays, nothing to dissect */
376                 return offset;
377         }
378
379         offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
380                         hf_netlogon_user_account_control, &mask);
381
382         if(parent_tree){
383                 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_account_control,
384                         tvb, offset-4, 4, mask);
385                 tree = proto_item_add_subtree(item, ett_user_account_control);
386         }
387
388         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_require_preauth,
389                 tvb, offset-4, 4, mask);
390         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_use_des_key_only,
391                 tvb, offset-4, 4, mask);
392         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_not_delegated,
393                 tvb, offset-4, 4, mask);
394         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_trusted_for_delegation,
395                 tvb, offset-4, 4, mask);
396         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_smartcard_required,
397                 tvb, offset-4, 4, mask);
398         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_encrypted_text_password_allowed,
399                 tvb, offset-4, 4, mask);
400         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_auto_locked,
401                 tvb, offset-4, 4, mask);
402         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_expire_password,
403                 tvb, offset-4, 4, mask);
404         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_server_trust_account,
405                 tvb, offset-4, 4, mask);
406         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_workstation_trust_account,
407                 tvb, offset-4, 4, mask);
408         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_interdomain_trust_account,
409                 tvb, offset-4, 4, mask);
410         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_mns_logon_account,
411                 tvb, offset-4, 4, mask);
412         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_normal_account,
413                 tvb, offset-4, 4, mask);
414         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_temp_duplicate_account,
415                 tvb, offset-4, 4, mask);
416         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_password_not_required,
417                 tvb, offset-4, 4, mask);
418         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_home_directory_required,
419                 tvb, offset-4, 4, mask);
420         proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_disabled,
421                 tvb, offset-4, 4, mask);
422         return offset;
423 }
424
425
426 static int
427 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
428                         packet_info *pinfo, proto_tree *tree,
429                         guint8 *drep)
430 {
431         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
432                 NDR_POINTER_UNIQUE, "Server Handle", 
433                 hf_netlogon_logonsrv_handle, 0);
434
435         return offset;
436 }
437
438 /*
439  * IDL typedef struct {
440  * IDL    [unique][string] wchar_t *effective_name;
441  * IDL    long priv;
442  * IDL    long auth_flags;
443  * IDL    long logon_count;
444  * IDL    long bad_pw_count;
445  * IDL    long last_logon;
446  * IDL    long last_logoff;
447  * IDL    long logoff_time;
448  * IDL    long kickoff_time;
449  * IDL    long password_age;
450  * IDL    long pw_can_change;
451  * IDL    long pw_must_change;
452  * IDL    [unique][string] wchar_t *computer;
453  * IDL    [unique][string] wchar_t *domain;
454  * IDL    [unique][string] wchar_t *script_path;
455  * IDL    long reserved;
456  */
457 static int
458 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
459                         packet_info *pinfo, proto_tree *tree,
460                         guint8 *drep)
461 {
462         dcerpc_info *di;
463
464         di=pinfo->private_data;
465         if(di->conformant_run){
466                 /*just a run to handle conformant arrays, nothing to dissect */
467                 return offset;
468         }
469
470         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
471                 NDR_POINTER_UNIQUE, "Effective Account", 
472                 hf_netlogon_acct_name, 0);
473
474         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
475                 hf_netlogon_priv, NULL);
476
477         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
478                 hf_netlogon_auth_flags, NULL);
479
480         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
481                 hf_netlogon_logon_count, NULL);
482
483         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
484                 hf_netlogon_bad_pw_count, NULL);
485
486
487         offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logon_time, NULL);
488
489         offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_last_logoff_time, NULL);
490
491         offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logoff_time, NULL);
492
493         offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_kickoff_time, NULL);
494
495         offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_age, NULL);
496
497         offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_can_change_time, NULL);
498
499         offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_must_change_time, NULL);
500
501         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
502                 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
503
504         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
505                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
506
507         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
508                 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
509
510         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
511                 hf_netlogon_reserved, NULL);
512
513         return offset;
514 }
515
516 /*
517  * IDL long NetrLogonUasLogon(
518  * IDL      [in][unique][string] wchar_t *ServerName,
519  * IDL      [in][ref][string] wchar_t *UserName,
520  * IDL      [in][ref][string] wchar_t *Workstation,
521  * IDL      [out][unique] VALIDATION_UAS_INFO *info
522  * IDL );
523  */
524 static int
525 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
526         packet_info *pinfo, proto_tree *tree, guint8 *drep)
527 {
528         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
529                 pinfo, tree, drep);
530
531         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
532                 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
533
534         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
535                 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
536
537         return offset;
538 }
539
540
541 static int
542 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
543         packet_info *pinfo, proto_tree *tree, guint8 *drep)
544 {
545         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
546                 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
547                 "VALIDATION_UAS_INFO", -1);
548
549         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
550                                   hf_netlogon_dos_rc, NULL);
551
552         return offset;
553 }
554
555 /*
556  * IDL typedef struct {
557  * IDL   long duration;
558  * IDL   short logon_count;
559  * IDL } LOGOFF_UAS_INFO;
560  */
561 static int
562 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
563                         packet_info *pinfo, proto_tree *tree,
564                         guint8 *drep)
565 {
566         dcerpc_info *di;
567
568         di=pinfo->private_data;
569         if(di->conformant_run){
570                 /*just a run to handle conformant arrays, nothing to dissect */
571                 return offset;
572         }
573
574         proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
575         offset+= 4;
576
577         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
578                 hf_netlogon_logon_count16, NULL);
579
580         return offset;
581 }
582
583 /*
584  * IDL long NetrLogonUasLogoff(
585  * IDL      [in][unique][string] wchar_t *ServerName,
586  * IDL      [in][ref][string] wchar_t *UserName,
587  * IDL      [in][ref][string] wchar_t *Workstation,
588  * IDL      [out][ref] LOGOFF_UAS_INFO *info
589  * IDL );
590  */
591 static int
592 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
593         packet_info *pinfo, proto_tree *tree, guint8 *drep)
594 {
595         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
596                 pinfo, tree, drep);
597
598         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
599                 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
600
601         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
602                 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
603
604         return offset;
605 }
606
607
608 static int
609 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
610         packet_info *pinfo, proto_tree *tree, guint8 *drep)
611 {
612         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
613                 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
614                 "LOGOFF_UAS_INFO", -1);
615
616         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
617                                   hf_netlogon_dos_rc, NULL);
618
619         return offset;
620 }
621
622
623
624
625 /*
626  * IDL typedef struct {
627  * IDL   UNICODESTRING LogonDomainName;
628  * IDL   long ParameterControl;
629  * IDL   uint64 LogonID;
630  * IDL   UNICODESTRING UserName;
631  * IDL   UNICODESTRING Workstation;
632  * IDL } LOGON_IDENTITY_INFO;
633  */
634 static int
635 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
636                         packet_info *pinfo, proto_tree *parent_tree,
637                         guint8 *drep)
638 {
639         proto_item *item=NULL;
640         proto_tree *tree=NULL;
641         int old_offset=offset;
642
643         if(parent_tree){
644                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
645                         "IDENTITY_INFO:");
646                 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
647         }
648
649         /* XXX: It would be nice to get the domain and account name 
650            displayed in COL_INFO. */
651
652         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
653                 hf_netlogon_logon_dom, 0);
654
655         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
656                 hf_netlogon_param_ctrl, NULL);
657
658         offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, drep,
659                 hf_netlogon_logon_id, NULL);
660
661         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
662                 hf_netlogon_acct_name, CB_STR_COL_INFO|3);
663
664         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
665                 hf_netlogon_workstation, 0);
666
667 #ifdef REMOVED
668         /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
669         /* XXX 8 extra bytes here */
670         /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
671            the idl file. Could be a bug in either the NETLOGON implementation or in the
672            idl file.
673         */
674         offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
675 #endif
676
677         proto_item_set_len(item, offset-old_offset);
678         return offset;
679 }
680
681
682 /*
683  * IDL typedef struct {
684  * IDL   char password[16];
685  * IDL } LM_OWF_PASSWORD;
686  */
687 static int
688 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
689                         packet_info *pinfo, proto_tree *parent_tree,
690                         guint8 *drep _U_)
691 {
692         proto_item *item=NULL;
693         proto_tree *tree=NULL;
694         dcerpc_info *di;
695
696         di=pinfo->private_data;
697         if(di->conformant_run){
698                 /*just a run to handle conformant arrays, nothing to dissect.*/
699                 return offset;
700         }
701
702         if(parent_tree){
703                 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
704                         "LM_OWF_PASSWORD:");
705                 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
706         }
707
708         proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
709                 FALSE);
710         offset += 16;
711
712         return offset;
713 }
714
715 /*
716  * IDL typedef struct {
717  * IDL   char password[16];
718  * IDL } NT_OWF_PASSWORD;
719  */
720 static int
721 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
722                         packet_info *pinfo, proto_tree *parent_tree,
723                         guint8 *drep _U_)
724 {
725         proto_item *item=NULL;
726         proto_tree *tree=NULL;
727         dcerpc_info *di;
728
729         di=pinfo->private_data;
730         if(di->conformant_run){
731                 /*just a run to handle conformant arrays, nothing to dissect.*/
732                 return offset;
733         }
734
735         if(parent_tree){
736                 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
737                         "NT_OWF_PASSWORD:");
738                 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
739         }
740
741         proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
742                 FALSE);
743         offset += 16;
744
745         return offset;
746 }
747
748
749 /*
750  * IDL typedef struct {
751  * IDL   LOGON_IDENTITY_INFO identity_info;
752  * IDL   LM_OWF_PASSWORD lmpassword;
753  * IDL   NT_OWF_PASSWORD ntpassword;
754  * IDL } INTERACTIVE_INFO;
755  */
756 static int
757 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
758                         packet_info *pinfo, proto_tree *tree,
759                         guint8 *drep)
760 {
761         offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
762                 pinfo, tree, drep);
763
764         offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
765                 pinfo, tree, drep);
766
767         offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
768                 pinfo, tree, drep);
769
770         return offset;
771 }
772
773 /*
774  * IDL typedef struct {
775  * IDL   char chl[8];
776  * IDL } CHALLENGE;
777  */
778 static int
779 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
780                         packet_info *pinfo, proto_tree *tree,
781                         guint8 *drep _U_)
782 {
783         dcerpc_info *di;
784
785         di=pinfo->private_data;
786         if(di->conformant_run){
787                 /*just a run to handle conformant arrays, nothing to dissect.*/
788                 return offset;
789         }
790
791         proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
792                 FALSE);
793         offset += 8;
794
795         return offset;
796 }
797
798 /*
799  * IDL typedef struct {
800  * IDL   LOGON_IDENTITY_INFO logon_info;
801  * IDL   CHALLENGE chal;
802  * IDL   STRING ntchallengeresponse;
803  * IDL   STRING lmchallengeresponse;
804  * IDL } NETWORK_INFO;
805  */
806
807 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree, 
808                                     proto_item *item _U_, tvbuff_t *tvb, 
809                                     int start_offset, int end_offset, 
810                                     void *callback_args _U_)
811 {
812         int len;
813
814         /* Skip over 3 guint32's in NDR format */
815
816         if (start_offset % 4)
817                 start_offset += 4 - (start_offset % 4);
818
819         start_offset += 12;
820         len = end_offset - start_offset;
821
822         /* Call ntlmv2 response dissector */
823
824         if (len > 24)
825                 dissect_ntlmv2_response(tvb, tree, start_offset, len);
826 }
827
828 static int
829 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
830                 packet_info *pinfo, proto_tree *tree,
831                 guint8 *drep)
832 {
833         offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
834                 pinfo, tree, drep);
835
836         offset = netlogon_dissect_CHALLENGE(tvb, offset,
837                 pinfo, tree, drep);
838
839         offset = dissect_ndr_counted_byte_array_cb(
840                 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
841                 dissect_nt_chal_resp_cb, NULL);
842
843         offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
844                 hf_netlogon_lm_chal_resp, 0);
845
846         return offset;
847 }
848
849 /*
850  * IDL typedef struct {
851  * IDL   LOGON_IDENTITY_INFO logon_info;
852  * IDL   LM_OWF_PASSWORD lmpassword;
853  * IDL   NT_OWF_PASSWORD ntpassword;
854  * IDL } SERVICE_INFO;
855  */
856 static int
857 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
858                 packet_info *pinfo, proto_tree *tree,
859                 guint8 *drep)
860 {
861         offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
862                 pinfo, tree, drep);
863
864         offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
865                 pinfo, tree, drep);
866
867         offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
868                 pinfo, tree, drep);
869
870         return offset;
871 }
872
873 /*
874  * IDL typedef [switch_type(short)] union {
875  * IDL    [case(1)][unique] INTERACTIVE_INFO *iinfo;
876  * IDL    [case(2)][unique] NETWORK_INFO *ninfo;
877  * IDL    [case(3)][unique] SERVICE_INFO *sinfo;
878  * IDL } LEVEL;
879  */
880 static int
881 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
882                         packet_info *pinfo, proto_tree *tree,
883                         guint8 *drep)
884 {
885         guint16 level;
886
887         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
888                 hf_netlogon_level16, &level);
889
890         ALIGN_TO_4_BYTES;
891         switch(level){
892         case 1:
893                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
894                         netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
895                         "INTERACTIVE_INFO:", -1);
896                 break;
897         case 2:
898                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
899                         netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
900                         "NETWORK_INFO:", -1);
901                 break;
902         case 3:
903                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
904                         netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
905                         "SERVICE_INFO:", -1);
906                 break;
907         }
908
909         return offset;
910 }
911
912 /*
913  * IDL typedef struct {
914  * IDL   char cred[8];
915  * IDL } CREDENTIAL;
916  */
917 static int
918 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
919                         packet_info *pinfo, proto_tree *tree,
920                         guint8 *drep _U_)
921 {
922         dcerpc_info *di;
923
924         di=pinfo->private_data;
925         if(di->conformant_run){
926                 /*just a run to handle conformant arrays, nothing to dissect.*/
927                 return offset;
928         }
929
930         proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
931                 FALSE);
932         offset += 8;
933
934         return offset;
935 }
936
937
938 /*
939  * IDL typedef struct {
940  * IDL   CREDENTIAL cred;
941  * IDL   long timestamp;
942  * IDL } AUTHENTICATOR;
943  */
944 static int
945 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
946                         packet_info *pinfo, proto_tree *tree,
947                         guint8 *drep)
948 {
949         dcerpc_info *di;
950         nstime_t ts;
951
952         di=pinfo->private_data;
953         if(di->conformant_run){
954                 /*just a run to handle conformant arrays, nothing to dissect */
955                 return offset;
956         }
957
958         offset = netlogon_dissect_CREDENTIAL(tvb, offset,
959                 pinfo, tree, drep);
960
961         /*
962          * XXX - this appears to be a UNIX time_t in some credentials, but
963          * appears to be random junk in other credentials.
964          * For example, it looks like a UNIX time_t in "credential"
965          * AUTHENTICATORs, but like random junk in "return_authenticator"
966          * AUTHENTICATORs.
967          */
968         ALIGN_TO_4_BYTES;
969         ts.secs = tvb_get_letohl(tvb, offset);
970         ts.nsecs = 0;
971         proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
972         offset+= 4;
973
974         return offset;
975 }
976
977
978 static const true_false_string group_attrs_mandatory = {
979         "The MANDATORY bit is SET",
980         "The mandatory bit is NOT set",
981 };
982 static const true_false_string group_attrs_enabled_by_default = {
983         "The ENABLED_BY_DEFAULT bit is SET",
984         "The enabled_by_default bit is NOT set",
985 };
986 static const true_false_string group_attrs_enabled = {
987         "The enabled bit is SET",
988         "The enabled bit is NOT set",
989 };
990 static int
991 netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
992         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
993 {
994         guint32 mask;
995         proto_item *item = NULL;
996         proto_tree *tree = NULL;
997         dcerpc_info *di;
998
999         di=pinfo->private_data;
1000         if(di->conformant_run){
1001                 /*just a run to handle conformant arrays, nothing to dissect */
1002                 return offset;
1003         }
1004
1005         offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1006                         hf_netlogon_attrs, &mask);
1007
1008         if(parent_tree){
1009                 item = proto_tree_add_uint(parent_tree, hf_netlogon_attrs,
1010                         tvb, offset-4, 4, mask);
1011                 tree = proto_item_add_subtree(item, ett_group_attrs);
1012         }
1013
1014         proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled,
1015                 tvb, offset-4, 4, mask);
1016         proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled_by_default,
1017                 tvb, offset-4, 4, mask);
1018         proto_tree_add_boolean(tree, hf_netlogon_group_attrs_mandatory,
1019                 tvb, offset-4, 4, mask);
1020
1021         return offset;
1022 }
1023
1024 /*
1025  * IDL typedef struct {
1026  * IDL   long user_id;
1027  * IDL   long attributes;
1028  * IDL } GROUP_MEMBERSHIP;
1029  */
1030 static int
1031 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1032                         packet_info *pinfo, proto_tree *parent_tree,
1033                         guint8 *drep)
1034 {
1035         proto_item *item=NULL;
1036         proto_tree *tree=NULL;
1037
1038         if(parent_tree){
1039                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1040                         "GROUP_MEMBERSHIP:");
1041                 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
1042         }
1043
1044         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1045                 hf_netlogon_group_rid, NULL);
1046
1047         offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
1048                 pinfo, tree, drep);
1049
1050         return offset;
1051 }
1052
1053 static int
1054 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1055                         packet_info *pinfo, proto_tree *tree,
1056                         guint8 *drep)
1057 {
1058         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1059                 netlogon_dissect_GROUP_MEMBERSHIP);
1060
1061         return offset;
1062 }
1063
1064 /*
1065  * IDL typedef struct {
1066  * IDL   char user_session_key[16];
1067  * IDL } USER_SESSION_KEY;
1068  */
1069 static int
1070 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1071                         packet_info *pinfo, proto_tree *tree,
1072                         guint8 *drep _U_)
1073 {
1074         dcerpc_info *di;
1075
1076         di=pinfo->private_data;
1077         if(di->conformant_run){
1078                 /*just a run to handle conformant arrays, nothing to dissect.*/
1079                 return offset;
1080         }
1081
1082         proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
1083                 FALSE);
1084         offset += 16;
1085
1086         return offset;
1087 }
1088
1089
1090
1091 static const true_false_string user_flags_extra_sids= {
1092         "The EXTRA_SIDS bit is SET",
1093         "The extra_sids is NOT set",
1094 };
1095 static const true_false_string user_flags_resource_groups= {
1096         "The RESOURCE_GROUPS bit is SET",
1097         "The resource_groups is NOT set",
1098 };
1099 static int
1100 netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1101         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
1102 {
1103         guint32 mask;
1104         proto_item *item = NULL;
1105         proto_tree *tree = NULL;
1106         dcerpc_info *di;
1107
1108         di=pinfo->private_data;
1109         if(di->conformant_run){
1110                 /*just a run to handle conformant arrays, nothing to dissect */
1111                 return offset;
1112         }
1113
1114         offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1115                         hf_netlogon_user_flags, &mask);
1116
1117         if(parent_tree){
1118                 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_flags,
1119                         tvb, offset-4, 4, mask);
1120                 tree = proto_item_add_subtree(item, ett_user_flags);
1121         }
1122
1123         proto_tree_add_boolean(tree, hf_netlogon_user_flags_resource_groups,
1124                 tvb, offset-4, 4, mask);
1125         proto_tree_add_boolean(tree, hf_netlogon_user_flags_extra_sids,
1126                 tvb, offset-4, 4, mask);
1127
1128         return offset;
1129 }
1130
1131 /*
1132  * IDL typedef struct {
1133  * IDL   uint64 LogonTime;
1134  * IDL   uint64 LogoffTime;
1135  * IDL   uint64 KickOffTime;
1136  * IDL   uint64 PasswdLastSet;
1137  * IDL   uint64 PasswdCanChange;
1138  * IDL   uint64 PasswdMustChange;
1139  * IDL   unicodestring effectivename;
1140  * IDL   unicodestring fullname;
1141  * IDL   unicodestring logonscript;
1142  * IDL   unicodestring profilepath;
1143  * IDL   unicodestring homedirectory;
1144  * IDL   unicodestring homedirectorydrive;
1145  * IDL   short LogonCount;
1146  * IDL   short BadPasswdCount;
1147  * IDL   long userid;
1148  * IDL   long primarygroup;
1149  * IDL   long groupcount;
1150  * IDL   [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1151  * IDL   long userflags;
1152  * IDL   USER_SESSION_KEY key;
1153  * IDL   unicodestring logonserver;
1154  * IDL   unicodestring domainname;
1155  * IDL   [unique] SID logondomainid;
1156  * IDL   long expansionroom[2];
1157  * IDL   long useraccountcontrol;
1158  * IDL   long expansionroom[7];
1159  * IDL } VALIDATION_SAM_INFO;
1160  */
1161 static int
1162 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1163                 packet_info *pinfo, proto_tree *tree,
1164                 guint8 *drep)
1165 {
1166         int i;
1167
1168         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1169                 hf_netlogon_logon_time);
1170
1171         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1172                 hf_netlogon_logoff_time);
1173
1174         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1175                 hf_netlogon_kickoff_time);
1176
1177         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1178                 hf_netlogon_pwd_last_set_time);
1179
1180         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1181                 hf_netlogon_pwd_can_change_time);
1182
1183         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1184                 hf_netlogon_pwd_must_change_time);
1185
1186         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1187                 hf_netlogon_acct_name, 0);
1188
1189         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1190                 hf_netlogon_full_name, 0);
1191
1192         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1193                 hf_netlogon_logon_script, 0);
1194
1195         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1196                 hf_netlogon_profile_path, 0);
1197
1198         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1199                 hf_netlogon_home_dir, 0);
1200
1201         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1202                 hf_netlogon_dir_drive, 0);
1203
1204         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1205                 hf_netlogon_logon_count16, NULL);
1206
1207         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1208                 hf_netlogon_bad_pw_count16, NULL);
1209
1210         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1211                 hf_netlogon_user_rid, NULL);
1212
1213         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1214                 hf_netlogon_group_rid, NULL);
1215
1216         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1217                 hf_netlogon_num_rids, NULL);
1218
1219         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1220                 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1221                 "GROUP_MEMBERSHIP_ARRAY", -1);
1222
1223         offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1224                 pinfo, tree, drep);
1225
1226         offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1227                 pinfo, tree, drep);
1228
1229         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1230                 hf_netlogon_logon_srv, 0);
1231
1232         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1233                 hf_netlogon_logon_dom, 0);
1234
1235         offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1236
1237         for(i=0;i<2;i++){
1238                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1239                         hf_netlogon_unknown_long, NULL);
1240         }
1241         offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1242                         pinfo, tree, drep);
1243
1244         for(i=0;i<7;i++){
1245                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1246                         hf_netlogon_unknown_long, NULL);
1247         }
1248
1249         return offset;
1250 }
1251
1252
1253
1254 /*
1255  * IDL typedef struct {
1256  * IDL   uint64 LogonTime;
1257  * IDL   uint64 LogoffTime;
1258  * IDL   uint64 KickOffTime;
1259  * IDL   uint64 PasswdLastSet;
1260  * IDL   uint64 PasswdCanChange;
1261  * IDL   uint64 PasswdMustChange;
1262  * IDL   unicodestring effectivename;
1263  * IDL   unicodestring fullname;
1264  * IDL   unicodestring logonscript;
1265  * IDL   unicodestring profilepath;
1266  * IDL   unicodestring homedirectory;
1267  * IDL   unicodestring homedirectorydrive;
1268  * IDL   short LogonCount;
1269  * IDL   short BadPasswdCount;
1270  * IDL   long userid;
1271  * IDL   long primarygroup;
1272  * IDL   long groupcount;
1273  * IDL   [unique] GROUP_MEMBERSHIP *groupids;
1274  * IDL   long userflags;
1275  * IDL   USER_SESSION_KEY key;
1276  * IDL   unicodestring logonserver;
1277  * IDL   unicodestring domainname;
1278  * IDL   [unique] SID logondomainid;
1279  * IDL   long expansionroom[2];
1280  * IDL   long useraccountcontrol;
1281  * IDL   long expansionroom[7];
1282  * IDL   long sidcount;
1283  * IDL   [unique] SID_AND_ATTRIBS;
1284  * IDL } VALIDATION_SAM_INFO2;
1285  */
1286 static int
1287 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1288                         packet_info *pinfo, proto_tree *tree,
1289                         guint8 *drep)
1290 {
1291         int i;
1292
1293         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1294                 hf_netlogon_logon_time);
1295
1296         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1297                 hf_netlogon_logoff_time);
1298
1299         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1300                 hf_netlogon_kickoff_time);
1301
1302         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1303                 hf_netlogon_pwd_last_set_time);
1304
1305         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1306                 hf_netlogon_pwd_can_change_time);
1307
1308         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1309                 hf_netlogon_pwd_must_change_time);
1310
1311         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1312                 hf_netlogon_acct_name, 0);
1313
1314         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1315                 hf_netlogon_full_name, 0);
1316
1317         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1318                 hf_netlogon_logon_script, 0);
1319
1320         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1321                 hf_netlogon_profile_path, 0);
1322
1323         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1324                 hf_netlogon_home_dir, 0);
1325
1326         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1327                 hf_netlogon_dir_drive, 0);
1328
1329         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1330                 hf_netlogon_logon_count16, NULL);
1331
1332         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1333                 hf_netlogon_bad_pw_count16, NULL);
1334
1335         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1336                 hf_netlogon_user_rid, NULL);
1337
1338         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1339                 hf_netlogon_group_rid, NULL);
1340
1341         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1342                 hf_netlogon_num_rids, NULL);
1343
1344         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1345                 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1346                 "GROUP_MEMBERSHIP_ARRAY", -1);
1347
1348         offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1349                 pinfo, tree, drep);
1350
1351         offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1352                 pinfo, tree, drep);
1353
1354         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1355                 hf_netlogon_logon_srv, 0);
1356
1357         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1358                 hf_netlogon_logon_dom, 0);
1359
1360         offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1361
1362         for(i=0;i<2;i++){
1363                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1364                         hf_netlogon_unknown_long, NULL);
1365         }
1366         offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1367                         pinfo, tree, drep);
1368
1369         for(i=0;i<7;i++){
1370                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1371                         hf_netlogon_unknown_long, NULL);
1372         }
1373
1374         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1375                 hf_netlogon_num_other_groups, NULL);
1376
1377         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1378                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1379                 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1380
1381         return offset;
1382 }
1383
1384
1385
1386
1387
1388 /*
1389  * IDL typedef struct {
1390  * IDL   uint64 LogonTime;
1391  * IDL   uint64 LogoffTime;
1392  * IDL   uint64 KickOffTime;
1393  * IDL   uint64 PasswdLastSet;
1394  * IDL   uint64 PasswdCanChange;
1395  * IDL   uint64 PasswdMustChange;
1396  * IDL   unicodestring effectivename;
1397  * IDL   unicodestring fullname;
1398  * IDL   unicodestring logonscript;
1399  * IDL   unicodestring profilepath;
1400  * IDL   unicodestring homedirectory;
1401  * IDL   unicodestring homedirectorydrive;
1402  * IDL   short LogonCount;
1403  * IDL   short BadPasswdCount;
1404  * IDL   long userid;
1405  * IDL   long primarygroup;
1406  * IDL   long groupcount;
1407  * IDL   [unique] GROUP_MEMBERSHIP *groupids;
1408  * IDL   long userflags;
1409  * IDL   USER_SESSION_KEY key;
1410  * IDL   unicodestring logonserver;
1411  * IDL   unicodestring domainname;
1412  * IDL   [unique] SID logondomainid;
1413  * IDL   long expansionroom[2];
1414  * IDL   long useraccountcontrol;
1415  * IDL   long expansionroom[7];
1416  * IDL   long sidcount;
1417  * IDL   [unique] SID_AND_ATTRIBS;
1418  * IDL   [unique] SID resourcegroupdomainsid;
1419  * IDL   long resourcegroupcount;
1420 qqq
1421  * IDL } PAC_LOGON_INFO;
1422  */
1423 int
1424 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1425                         packet_info *pinfo, proto_tree *tree,
1426                         guint8 *drep)
1427 {
1428         int i;
1429         guint32 rgc;
1430
1431         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1432                 hf_netlogon_logon_time);
1433
1434         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1435                 hf_netlogon_logoff_time);
1436
1437         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1438                 hf_netlogon_kickoff_time);
1439
1440         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1441                 hf_netlogon_pwd_last_set_time);
1442
1443         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1444                 hf_netlogon_pwd_can_change_time);
1445
1446         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1447                 hf_netlogon_pwd_must_change_time);
1448
1449         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1450                 hf_netlogon_acct_name, 0);
1451
1452         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1453                 hf_netlogon_full_name, 0);
1454
1455         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1456                 hf_netlogon_logon_script, 0);
1457
1458         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1459                 hf_netlogon_profile_path, 0);
1460
1461         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1462                 hf_netlogon_home_dir, 0);
1463
1464         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1465                 hf_netlogon_dir_drive, 0);
1466
1467         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1468                 hf_netlogon_logon_count16, NULL);
1469
1470         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1471                 hf_netlogon_bad_pw_count16, NULL);
1472
1473         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1474                 hf_netlogon_user_rid, NULL);
1475
1476         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1477                 hf_netlogon_group_rid, NULL);
1478
1479         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1480                 hf_netlogon_num_rids, NULL);
1481
1482         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1483                 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1484                 "GROUP_MEMBERSHIP_ARRAY", -1);
1485
1486         offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1487                 pinfo, tree, drep);
1488
1489         offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1490                 pinfo, tree, drep);
1491
1492         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1493                 hf_netlogon_logon_srv, 0);
1494
1495         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1496                 hf_netlogon_logon_dom, 0);
1497
1498         offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1499
1500         for(i=0;i<2;i++){
1501                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1502                         hf_netlogon_unknown_long, NULL);
1503         }
1504         offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1505                         pinfo, tree, drep);
1506
1507         for(i=0;i<7;i++){
1508                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1509                         hf_netlogon_unknown_long, NULL);
1510         }
1511
1512         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1513                 hf_netlogon_num_other_groups, NULL);
1514
1515         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1516                 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1517                 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1518
1519         offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1520
1521         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1522                 hf_netlogon_resourcegroupcount, &rgc);
1523
1524         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1525                 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1526                 "ResourceGroupIDs", -1);
1527
1528         return offset;
1529 }
1530
1531 static int
1532 netlogon_dissect_CONSTRAINED_DELEGATION_name(tvbuff_t *tvb, int offset,
1533                         packet_info *pinfo, proto_tree *tree,
1534                         guint8 *drep)
1535 {
1536         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1537                 hf_netlogon_unknown_string, 0);
1538
1539         return offset;
1540 }
1541
1542 static int
1543 netlogon_dissect_CONSTRAINED_DELEGATION_array(tvbuff_t *tvb, int offset,
1544                         packet_info *pinfo, proto_tree *tree,
1545                         guint8 *drep)
1546 {
1547         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1548                         netlogon_dissect_CONSTRAINED_DELEGATION_name);
1549
1550         return offset;
1551 }
1552
1553 int
1554 netlogon_dissect_PAC_CONSTRAINED_DELEGATION(tvbuff_t *tvb, int offset,
1555                         packet_info *pinfo, proto_tree *tree,
1556                         guint8 *drep)
1557 {
1558         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1559                 hf_netlogon_unknown_string, 0);
1560
1561         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1562                 hf_netlogon_unknown_long, NULL);
1563
1564         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1565                 netlogon_dissect_CONSTRAINED_DELEGATION_array, NDR_POINTER_UNIQUE,
1566                 "names:", -1);
1567
1568         return offset;
1569 }
1570
1571 static int
1572 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1573                         packet_info *pinfo, proto_tree *tree,
1574                         guint8 *drep _U_)
1575 {
1576         dcerpc_info *di;
1577         guint32 pac_size;
1578
1579         di=pinfo->private_data;
1580         if(di->conformant_run){
1581                 /*just a run to handle conformant arrays, nothing to dissect */
1582                 return offset;
1583         }
1584
1585         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1586                 hf_netlogon_pac_size, &pac_size);
1587
1588         proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1589                 FALSE);
1590         offset += pac_size;
1591
1592         return offset;
1593 }
1594
1595 static int
1596 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1597                         packet_info *pinfo, proto_tree *tree,
1598                         guint8 *drep _U_)
1599 {
1600         dcerpc_info *di;
1601         guint32 auth_size;
1602
1603         di=pinfo->private_data;
1604         if(di->conformant_run){
1605                 /*just a run to handle conformant arrays, nothing to dissect */
1606                 return offset;
1607         }
1608
1609         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1610                 hf_netlogon_auth_size, &auth_size);
1611
1612         proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1613                 FALSE);
1614         offset += auth_size;
1615
1616         return offset;
1617 }
1618
1619
1620 /*
1621  * IDL typedef struct {
1622  * IDL   long pac_size
1623  * IDL   [unique][size_is(pac_size)] char *pac;
1624  * IDL   UNICODESTRING logondomain;
1625  * IDL   UNICODESTRING logonserver;
1626  * IDL   UNICODESTRING principalname;
1627  * IDL   long auth_size;
1628  * IDL   [unique][size_is(auth_size)] char *auth;
1629  * IDL   USER_SESSION_KEY user_session_key;
1630  * IDL   long expansionroom[2];
1631  * IDL   long useraccountcontrol;
1632  * IDL   long expansionroom[7];
1633  * IDL   UNICODESTRING dummy1;
1634  * IDL   UNICODESTRING dummy2;
1635  * IDL   UNICODESTRING dummy3;
1636  * IDL   UNICODESTRING dummy4;
1637  * IDL } VALIDATION_PAC_INFO;
1638  */
1639 static int
1640 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1641                         packet_info *pinfo, proto_tree *tree,
1642                         guint8 *drep)
1643 {
1644         int i;
1645
1646         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1647                 hf_netlogon_pac_size, NULL);
1648
1649         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1650                 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1651
1652         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1653                 hf_netlogon_logon_dom, 0);
1654
1655         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1656                 hf_netlogon_logon_srv, 0);
1657
1658         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1659                 hf_netlogon_principal, 0);
1660
1661         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1662                 hf_netlogon_auth_size, NULL);
1663
1664         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1665                 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1666
1667         offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1668                 pinfo, tree, drep);
1669
1670         for(i=0;i<2;i++){
1671                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1672                         hf_netlogon_unknown_long, NULL);
1673         }
1674         offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1675                         pinfo, tree, drep);
1676
1677         for(i=0;i<7;i++){
1678                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1679                         hf_netlogon_unknown_long, NULL);
1680         }
1681
1682         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1683                 hf_netlogon_dummy, 0);
1684
1685         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1686                 hf_netlogon_dummy, 0);
1687
1688         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1689                 hf_netlogon_dummy, 0);
1690
1691         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1692                 hf_netlogon_dummy, 0);
1693
1694         return offset;
1695 }
1696
1697
1698 /*
1699  * IDL typedef [switch_type(short)] union {
1700  * IDL    [case(2)][unique] VALIDATION_SAM_INFO *sam;
1701  * IDL    [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1702  * IDL    [case(4)][unique] VALIDATION_PAC_INFO *pac;
1703  * IDL    [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1704  * IDL } VALIDATION;
1705  */
1706 static int
1707 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1708                         packet_info *pinfo, proto_tree *tree,
1709                         guint8 *drep)
1710 {
1711         guint16 level;
1712
1713         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1714                 hf_netlogon_validation_level, &level);
1715
1716         ALIGN_TO_4_BYTES;
1717         switch(level){
1718         case 2:
1719                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1720                         netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1721                         "VALIDATION_SAM_INFO:", -1);
1722                 break;
1723         case 3:
1724                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1725                         netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1726                         "VALIDATION_SAM_INFO2:", -1);
1727                 break;
1728         case 4:
1729                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1730                         netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1731                         "VALIDATION_PAC_INFO:", -1);
1732                 break;
1733         case 5:
1734                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1735                         netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1736                         "VALIDATION_PAC_INFO:", -1);
1737                 break;
1738         }
1739
1740         return offset;
1741 }
1742
1743
1744 /*
1745  * IDL long NetrLogonSamLogon(
1746  * IDL      [in][unique][string] wchar_t *ServerName,
1747  * IDL      [in][unique][string] wchar_t *Workstation,
1748  * IDL      [in][unique] AUTHENTICATOR *credential,
1749  * IDL      [in][out][unique] AUTHENTICATOR *returnauthenticator,
1750  * IDL      [in] short LogonLevel,
1751  * IDL      [in][ref] LOGON_LEVEL *logonlevel,
1752  * IDL      [in] short ValidationLevel,
1753  * IDL      [out][ref] VALIDATION *validation,
1754  * IDL      [out][ref] boolean Authorative
1755  * IDL );
1756  */
1757 static int
1758 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1759         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1760 {
1761         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1762                 pinfo, tree, drep);
1763
1764         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1765                 NDR_POINTER_UNIQUE, "Computer Name", 
1766                 hf_netlogon_computer_name, 0);
1767
1768         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1769                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1770                 "AUTHENTICATOR: credential", -1);
1771
1772         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1773                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1774                 "AUTHENTICATOR: return_authenticator", -1);
1775
1776         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1777                 hf_netlogon_level16, NULL);
1778
1779         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1780                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1781                 "LEVEL: LogonLevel", -1);
1782
1783         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1784                 hf_netlogon_validation_level, NULL);
1785
1786         return offset;
1787 }
1788
1789 static int
1790 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1791         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1792 {
1793         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1794                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1795                 "AUTHENTICATOR: return_authenticator", -1);
1796
1797         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1798                 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1799                 "VALIDATION:", -1);
1800
1801         offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1802                 hf_netlogon_authoritative, NULL);
1803
1804         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1805                                   hf_netlogon_rc, NULL);
1806
1807         return offset;
1808 }
1809
1810
1811 /*
1812  * IDL long NetrLogonSamLogoff(
1813  * IDL      [in][unique][string] wchar_t *ServerName,
1814  * IDL      [in][unique][string] wchar_t *ComputerName,
1815  * IDL      [in][unique] AUTHENTICATOR credential,
1816  * IDL      [in][unique] AUTHENTICATOR return_authenticator,
1817  * IDL      [in] short logon_level,
1818  * IDL      [in][ref] LEVEL logoninformation
1819  * IDL );
1820  */
1821 static int
1822 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1823         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1824 {
1825         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1826                 pinfo, tree, drep);
1827
1828         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1829                 NDR_POINTER_UNIQUE, "Computer Name", 
1830                 hf_netlogon_computer_name, 0);
1831
1832         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1833                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1834                 "AUTHENTICATOR: credential", -1);
1835
1836         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1837                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1838                 "AUTHENTICATOR: return_authenticator", -1);
1839
1840         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1841                 hf_netlogon_level16, NULL);
1842
1843         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1844                 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1845                 "LEVEL: logoninformation", -1);
1846
1847         return offset;
1848 }
1849 static int
1850 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1851         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1852 {
1853
1854         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1855                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1856                 "AUTHENTICATOR: return_authenticator", -1);
1857
1858         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1859                                   hf_netlogon_rc, NULL);
1860
1861         return offset;
1862 }
1863
1864
1865 /*
1866  * IDL long NetrServerReqChallenge(
1867  * IDL      [in][unique][string] wchar_t *ServerName,
1868  * IDL      [in][ref][string] wchar_t *ComputerName,
1869  * IDL      [in][ref] CREDENTIAL client_credential,
1870  * IDL      [out][ref] CREDENTIAL server_credential
1871  * IDL );
1872  */
1873 static int
1874 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1875         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1876 {
1877         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1878                 pinfo, tree, drep);
1879
1880         offset = dissect_ndr_pointer_cb(
1881                 tvb, offset, pinfo, tree, drep, 
1882                 dissect_ndr_wchar_cvstring, NDR_POINTER_REF, 
1883                 "Computer Name", hf_netlogon_computer_name, 
1884                 cb_wstr_postprocess, 
1885                 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1886
1887         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1888                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1889                 "CREDENTIAL: client challenge", -1);
1890
1891         return offset;
1892 }
1893 static int
1894 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1895         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1896 {
1897         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1898                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1899                 "CREDENTIAL: server credential", -1);
1900
1901         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1902                                   hf_netlogon_rc, NULL);
1903
1904         return offset;
1905 }
1906
1907
1908 static int
1909 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1910                         packet_info *pinfo, proto_tree *tree,
1911                         guint8 *drep)
1912 {
1913         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1914                         hf_netlogon_secure_channel_type, NULL);
1915
1916         return offset;
1917 }
1918
1919
1920 /*
1921  * IDL long NetrServerAuthenticate(
1922  * IDL      [in][unique][string] wchar_t *ServerName,
1923  * IDL      [in][ref][string] wchar_t *UserName,
1924  * IDL      [in] short secure_challenge_type,
1925  * IDL      [in][ref][string] wchar_t *ComputerName,
1926  * IDL      [in][ref] CREDENTIAL client_challenge,
1927  * IDL      [out][ref] CREDENTIAL server_challenge
1928  * IDL );
1929  */
1930 static int
1931 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1932         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1933 {
1934         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1935                 pinfo, tree, drep);
1936
1937         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1938                 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO);
1939
1940         offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1941                 pinfo, tree, drep);
1942
1943         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1944                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO);
1945
1946         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1947                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1948                 "CREDENTIAL: client challenge", -1);
1949
1950         return offset;
1951 }
1952 static int
1953 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
1954         packet_info *pinfo, proto_tree *tree, guint8 *drep)
1955 {
1956         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1957                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1958                 "CREDENTIAL: server challenge", -1);
1959
1960         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1961                                   hf_netlogon_rc, NULL);
1962
1963         return offset;
1964 }
1965
1966
1967
1968 /*
1969  * IDL typedef struct {
1970  * IDL   char encrypted_password[16];
1971  * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1972  */
1973 static int
1974 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1975                         packet_info *pinfo, proto_tree *tree,
1976                         guint8 *drep _U_)
1977 {
1978         dcerpc_info *di;
1979
1980         di=pinfo->private_data;
1981         if(di->conformant_run){
1982                 /*just a run to handle conformant arrays, nothing to dissect.*/
1983                 return offset;
1984         }
1985
1986         proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1987                 FALSE);
1988         offset += 16;
1989
1990         return offset;
1991 }
1992
1993 /*
1994  * IDL long NetrServerPasswordSet(
1995  * IDL      [in][unique][string] wchar_t *ServerName,
1996  * IDL      [in][ref][string] wchar_t *UserName,
1997  * IDL      [in] short secure_challenge_type,
1998  * IDL      [in][ref][string] wchar_t *ComputerName,
1999  * IDL      [in][ref] AUTHENTICATOR credential,
2000  * IDL      [in][ref] LM_OWF_PASSWORD UasNewPassword,
2001  * IDL      [out][ref] AUTHENTICATOR return_authenticator
2002  * IDL );
2003  */
2004 static int
2005 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
2006         packet_info *pinfo, proto_tree *tree, guint8 *drep)
2007 {
2008         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2009                 pinfo, tree, drep);
2010
2011         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2012                 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
2013
2014         offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2015                 pinfo, tree, drep);
2016
2017         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2018                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
2019
2020         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2021                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2022                 "AUTHENTICATOR: credential", -1);
2023
2024         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2025                 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
2026                 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
2027
2028         return offset;
2029 }
2030 static int
2031 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
2032         packet_info *pinfo, proto_tree *tree, guint8 *drep)
2033 {
2034         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2035                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2036                 "AUTHENTICATOR: return_authenticator", -1);
2037
2038         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2039                                   hf_netlogon_rc, NULL);
2040
2041         return offset;
2042 }
2043
2044
2045 /*
2046  * IDL typedef struct {
2047  * IDL   [unique][string] wchar_t *UserName;
2048  * IDL   UNICODESTRING dummy1;
2049  * IDL   UNICODESTRING dummy2;
2050  * IDL   UNICODESTRING dummy3;
2051  * IDL   UNICODESTRING dummy4;
2052  * IDL   long dummy5;
2053  * IDL   long dummy6;
2054  * IDL   long dummy7;
2055  * IDL   long dummy8;
2056  * IDL } DELTA_DELETE_USER;
2057  */
2058 static int
2059 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
2060                         packet_info *pinfo, proto_tree *tree,
2061                         guint8 *drep)
2062 {
2063         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2064                 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
2065
2066         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2067                 hf_netlogon_dummy, 0);
2068
2069         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2070                 hf_netlogon_dummy, 0);
2071
2072         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2073                 hf_netlogon_dummy, 0);
2074
2075         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2076                 hf_netlogon_dummy, 0);
2077
2078         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2079                 hf_netlogon_reserved, NULL);
2080
2081         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2082                 hf_netlogon_reserved, NULL);
2083
2084         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2085                 hf_netlogon_reserved, NULL);
2086
2087         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2088                 hf_netlogon_reserved, NULL);
2089
2090         return offset;
2091 }
2092
2093
2094 /*
2095  * IDL typedef struct {
2096  * IDL   bool SensitiveDataFlag;
2097  * IDL   long DataLength;
2098  * IDL   [unique][size_is(DataLength)] char *SensitiveData;
2099  * IDL } USER_PRIVATE_INFO;
2100  */
2101 static int
2102 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
2103                         packet_info *pinfo, proto_tree *tree,
2104                         guint8 *drep)
2105 {
2106         dcerpc_info *di;
2107         guint32 data_len;
2108
2109         di=pinfo->private_data;
2110         if(di->conformant_run){
2111                 /*just a run to handle conformant arrays, nothing to dissect */
2112                 return offset;
2113         }
2114
2115         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2116                 hf_netlogon_sensitive_data_len, &data_len);
2117
2118         proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
2119                 data_len, FALSE);
2120         offset += data_len;
2121
2122         return offset;
2123 }
2124 static int
2125 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
2126                         packet_info *pinfo, proto_tree *tree,
2127                         guint8 *drep)
2128 {
2129         offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2130                 hf_netlogon_sensitive_data_flag, NULL);
2131
2132         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2133                 hf_netlogon_sensitive_data_len, NULL);
2134
2135         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2136                 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
2137                 "SENSITIVE_DATA", -1);
2138
2139         return offset;
2140 }
2141
2142 /*
2143  * IDL typedef struct {
2144  * IDL   UNICODESTRING UserName;
2145  * IDL   UNICODESTRING FullName;
2146  * IDL   long UserID;
2147  * IDL   long PrimaryGroupID;
2148  * IDL   UNICODESTRING HomeDir;
2149  * IDL   UNICODESTRING HomeDirDrive;
2150  * IDL   UNICODESTRING LogonScript;
2151  * IDL   UNICODESTRING Comment;
2152  * IDL   UNICODESTRING Workstations;
2153  * IDL   NTTIME LastLogon;
2154  * IDL   NTTIME LastLogoff;
2155  * IDL   LOGON_HOURS logonhours;
2156  * IDL   short BadPwCount;
2157  * IDL   short LogonCount;
2158  * IDL   NTTIME PwLastSet;
2159  * IDL   NTTIME AccountExpires;
2160  * IDL   long AccountControl;
2161  * IDL   LM_OWF_PASSWORD lmpw;
2162  * IDL   NT_OWF_PASSWORD ntpw;
2163  * IDL   bool NTPwPresent;
2164  * IDL   bool LMPwPresent;
2165  * IDL   bool PwExpired;
2166  * IDL   UNICODESTRING UserComment;
2167  * IDL   UNICODESTRING Parameters;
2168  * IDL   short CountryCode;
2169  * IDL   short CodePage;
2170  * IDL   USER_PRIVATE_INFO user_private_info;
2171  * IDL   long SecurityInformation;
2172  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2173  * IDL   UNICODESTRING dummy1;
2174  * IDL   UNICODESTRING dummy2;
2175  * IDL   UNICODESTRING dummy3;
2176  * IDL   UNICODESTRING dummy4;
2177  * IDL   long dummy5;
2178  * IDL   long dummy6;
2179  * IDL   long dummy7;
2180  * IDL   long dummy8;
2181  * IDL } DELTA_USER;
2182  */
2183 static int
2184 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
2185                         packet_info *pinfo, proto_tree *tree,
2186                         guint8 *drep)
2187 {
2188         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2189                 hf_netlogon_acct_name, 3);
2190
2191         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2192                 hf_netlogon_full_name, 0);
2193
2194         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2195                 hf_netlogon_user_rid, NULL);
2196
2197         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2198                 hf_netlogon_group_rid, NULL);
2199
2200         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2201                 hf_netlogon_home_dir, 0);
2202
2203         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2204                 hf_netlogon_dir_drive, 0);
2205
2206         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2207                 hf_netlogon_logon_script, 0);
2208
2209         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2210                 hf_netlogon_acct_desc, 0);
2211
2212         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2213                 hf_netlogon_workstations, 0);
2214
2215         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2216                 hf_netlogon_logon_time);
2217
2218         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2219                 hf_netlogon_logoff_time);
2220
2221         offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
2222
2223         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2224                 hf_netlogon_bad_pw_count16, NULL);
2225
2226         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2227                 hf_netlogon_logon_count16, NULL);
2228
2229         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2230                 hf_netlogon_pwd_last_set_time);
2231
2232         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2233                 hf_netlogon_acct_expiry_time);
2234
2235         offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
2236
2237         offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
2238                 pinfo, tree, drep);
2239
2240         offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
2241                 pinfo, tree, drep);
2242
2243         offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2244                 hf_netlogon_nt_pwd_present, NULL);
2245
2246         offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2247                 hf_netlogon_lm_pwd_present, NULL);
2248
2249         offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2250                 hf_netlogon_pwd_expired, NULL);
2251
2252         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2253                 hf_netlogon_comment, 0);
2254
2255         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2256                 hf_netlogon_parameters, 0);
2257
2258         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2259                 hf_netlogon_country, NULL);
2260
2261         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2262                 hf_netlogon_codepage, NULL);
2263
2264         offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
2265                 drep);
2266
2267         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2268                 hf_netlogon_security_information, NULL);
2269
2270         offset = lsa_dissect_sec_desc_buf(tvb, offset,
2271                 pinfo, tree, drep, 0, 0);
2272
2273         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2274                 hf_netlogon_dummy, 0);
2275
2276         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2277                 hf_netlogon_dummy, 0);
2278
2279         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2280                 hf_netlogon_dummy, 0);
2281
2282         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2283                 hf_netlogon_dummy, 0);
2284
2285         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2286                 hf_netlogon_reserved, NULL);
2287
2288         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2289                 hf_netlogon_reserved, NULL);
2290
2291         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2292                 hf_netlogon_reserved, NULL);
2293
2294         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2295                 hf_netlogon_reserved, NULL);
2296
2297         return offset;
2298 }
2299
2300
2301 /*
2302  * IDL typedef struct {
2303  * IDL   UNICODESTRING DomainName;
2304  * IDL   UNICODESTRING OEMInfo;
2305  * IDL   NTTIME forcedlogoff;
2306  * IDL   short minpasswdlen;
2307  * IDL   short passwdhistorylen;
2308  * IDL   NTTIME pwd_must_change_time;
2309  * IDL   NTTIME pwd_can_change_time;
2310  * IDL   NTTIME domain_modify_time;
2311  * IDL   NTTIME domain_create_time;
2312  * IDL   long SecurityInformation;
2313  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2314  * IDL   UNICODESTRING dummy1;
2315  * IDL   UNICODESTRING dummy2;
2316  * IDL   UNICODESTRING dummy3;
2317  * IDL   UNICODESTRING dummy4;
2318  * IDL   long dummy5;
2319  * IDL   long dummy6;
2320  * IDL   long dummy7;
2321  * IDL   long dummy8;
2322  * IDL } DELTA_DOMAIN;
2323  */
2324 static int
2325 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
2326                         packet_info *pinfo, proto_tree *tree,
2327                         guint8 *drep)
2328 {
2329         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2330                 hf_netlogon_domain_name, 3);
2331
2332         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2333                 hf_netlogon_oem_info, 0);
2334
2335         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2336                 hf_netlogon_kickoff_time);
2337
2338         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2339                 hf_netlogon_minpasswdlen, NULL);
2340
2341         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2342                 hf_netlogon_passwdhistorylen, NULL);
2343
2344         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2345                 hf_netlogon_pwd_must_change_time);
2346
2347         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2348                 hf_netlogon_pwd_can_change_time);
2349
2350         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2351                 hf_netlogon_domain_modify_time);
2352
2353         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2354                 hf_netlogon_domain_create_time);
2355
2356         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2357                 hf_netlogon_security_information, NULL);
2358
2359         offset = lsa_dissect_sec_desc_buf(tvb, offset,
2360                 pinfo, tree, drep, 0, 0);
2361
2362         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2363                 hf_netlogon_dummy, 0);
2364
2365         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2366                 hf_netlogon_dummy, 0);
2367
2368         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2369                 hf_netlogon_dummy, 0);
2370
2371         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2372                 hf_netlogon_dummy, 0);
2373
2374         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2375                 hf_netlogon_reserved, NULL);
2376
2377         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2378                 hf_netlogon_reserved, NULL);
2379
2380         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2381                 hf_netlogon_reserved, NULL);
2382
2383         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2384                 hf_netlogon_reserved, NULL);
2385
2386         return offset;
2387 }
2388
2389
2390 /*
2391  * IDL typedef struct {
2392  * IDL   UNICODESTRING groupname;
2393  * IDL   GROUP_MEMBERSHIP group_membership;
2394  * IDL   UNICODESTRING comment;
2395  * IDL   long SecurityInformation;
2396  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2397  * IDL   UNICODESTRING dummy1;
2398  * IDL   UNICODESTRING dummy2;
2399  * IDL   UNICODESTRING dummy3;
2400  * IDL   UNICODESTRING dummy4;
2401  * IDL   long dummy5;
2402  * IDL   long dummy6;
2403  * IDL   long dummy7;
2404  * IDL   long dummy8;
2405  * IDL } DELTA_GROUP;
2406  */
2407 static int
2408 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
2409                         packet_info *pinfo, proto_tree *tree,
2410                         guint8 *drep)
2411 {
2412         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2413                 hf_netlogon_group_name, 3);
2414
2415         offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
2416                 pinfo, tree, drep);
2417
2418         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2419                 hf_netlogon_group_desc, 0);
2420
2421         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2422                 hf_netlogon_security_information, NULL);
2423
2424         offset = lsa_dissect_sec_desc_buf(tvb, offset,
2425                 pinfo, tree, drep, 0, 0);
2426
2427         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2428                 hf_netlogon_dummy, 0);
2429
2430         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2431                 hf_netlogon_dummy, 0);
2432
2433         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2434                 hf_netlogon_dummy, 0);
2435
2436         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2437                 hf_netlogon_dummy, 0);
2438
2439         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2440                 hf_netlogon_reserved, NULL);
2441
2442         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2443                 hf_netlogon_reserved, NULL);
2444
2445         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2446                 hf_netlogon_reserved, NULL);
2447
2448         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2449                 hf_netlogon_reserved, NULL);
2450
2451         return offset;
2452 }
2453
2454
2455 /*
2456  * IDL typedef struct {
2457  * IDL   UNICODESTRING OldName;
2458  * IDL   UNICODESTRING NewName;
2459  * IDL   UNICODESTRING dummy1;
2460  * IDL   UNICODESTRING dummy2;
2461  * IDL   UNICODESTRING dummy3;
2462  * IDL   UNICODESTRING dummy4;
2463  * IDL   long dummy5;
2464  * IDL   long dummy6;
2465  * IDL   long dummy7;
2466  * IDL   long dummy8;
2467  * IDL } DELTA_RENAME;
2468  */
2469 static int
2470 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2471                         packet_info *pinfo, proto_tree *tree,
2472                         guint8 *drep)
2473 {
2474         dcerpc_info *di;
2475
2476         di=pinfo->private_data;
2477
2478         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2479                 di->hf_index, 0);
2480
2481         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2482                 di->hf_index, 0);
2483
2484         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2485                 hf_netlogon_dummy, 0);
2486
2487         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2488                 hf_netlogon_dummy, 0);
2489
2490         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2491                 hf_netlogon_dummy, 0);
2492
2493         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2494                 hf_netlogon_dummy, 0);
2495
2496         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2497                 hf_netlogon_reserved, NULL);
2498
2499         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2500                 hf_netlogon_reserved, NULL);
2501
2502         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2503                 hf_netlogon_reserved, NULL);
2504
2505         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2506                 hf_netlogon_reserved, NULL);
2507
2508         return offset;
2509 }
2510
2511
2512 static int
2513 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2514                         packet_info *pinfo, proto_tree *tree,
2515                         guint8 *drep)
2516 {
2517         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2518                                 hf_netlogon_user_rid, NULL);
2519
2520         return offset;
2521 }
2522
2523 static int
2524 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2525                         packet_info *pinfo, proto_tree *tree,
2526                         guint8 *drep)
2527 {
2528         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2529                         netlogon_dissect_RID);
2530
2531         return offset;
2532 }
2533
2534 static int
2535 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2536                         packet_info *pinfo, proto_tree *tree,
2537                         guint8 *drep)
2538 {
2539         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2540                 hf_netlogon_attrs, NULL);
2541
2542         return offset;
2543 }
2544
2545 static int
2546 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2547                         packet_info *pinfo, proto_tree *tree,
2548                         guint8 *drep)
2549 {
2550         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2551                         netlogon_dissect_ATTRIB);
2552
2553         return offset;
2554 }
2555
2556 /*
2557  * IDL typedef struct {
2558  * IDL   [unique][size_is(num_rids)] long *rids;
2559  * IDL   [unique][size_is(num_rids)] long *attribs;
2560  * IDL   long num_rids;
2561  * IDL   long dummy1;
2562  * IDL   long dummy2;
2563  * IDL   long dummy3;
2564  * IDL   long dummy4;
2565  * IDL } DELTA_GROUP_MEMBER;
2566  */
2567 static int
2568 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2569                         packet_info *pinfo, proto_tree *tree,
2570                         guint8 *drep)
2571 {
2572         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2573                 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2574                 "RIDs:", -1);
2575
2576         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2577                 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2578                 "Attribs:", -1);
2579
2580         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2581                 hf_netlogon_num_rids, NULL);
2582
2583         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2584                 hf_netlogon_reserved, NULL);
2585
2586         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2587                 hf_netlogon_reserved, NULL);
2588
2589         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2590                 hf_netlogon_reserved, NULL);
2591
2592         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2593                 hf_netlogon_reserved, NULL);
2594
2595         return offset;
2596 }
2597
2598
2599 /*
2600  * IDL typedef struct {
2601  * IDL   UNICODESTRING alias_name;
2602  * IDL   long rid;
2603  * IDL   long SecurityInformation;
2604  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2605  * IDL   UNICODESTRING dummy1;
2606  * IDL   UNICODESTRING dummy2;
2607  * IDL   UNICODESTRING dummy3;
2608  * IDL   UNICODESTRING dummy4;
2609  * IDL   long dummy5;
2610  * IDL   long dummy6;
2611  * IDL   long dummy7;
2612  * IDL   long dummy8;
2613  * IDL } DELTA_ALIAS;
2614  */
2615 static int
2616 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2617                         packet_info *pinfo, proto_tree *tree,
2618                         guint8 *drep)
2619 {
2620         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2621                 hf_netlogon_alias_name, 0);
2622
2623         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2624                 hf_netlogon_alias_rid, NULL);
2625
2626         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2627                 hf_netlogon_security_information, NULL);
2628
2629         offset = lsa_dissect_sec_desc_buf(tvb, offset,
2630                 pinfo, tree, drep, 0, 0);
2631
2632         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2633                 hf_netlogon_dummy, 0);
2634
2635         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2636                 hf_netlogon_dummy, 0);
2637
2638         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2639                 hf_netlogon_dummy, 0);
2640
2641         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2642                 hf_netlogon_dummy, 0);
2643
2644         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2645                 hf_netlogon_reserved, NULL);
2646
2647         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2648                 hf_netlogon_reserved, NULL);
2649
2650         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2651                 hf_netlogon_reserved, NULL);
2652
2653         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2654                 hf_netlogon_reserved, NULL);
2655
2656         return offset;
2657 }
2658
2659
2660 /*
2661  * IDL typedef struct {
2662  * IDL   [unique] SID_ARRAY sids;
2663  * IDL   long dummy1;
2664  * IDL   long dummy2;
2665  * IDL   long dummy3;
2666  * IDL   long dummy4;
2667  * IDL } DELTA_ALIAS_MEMBER;
2668  */
2669 static int
2670 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2671                         packet_info *pinfo, proto_tree *tree,
2672                         guint8 *drep)
2673 {
2674         offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2675
2676         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2677                 hf_netlogon_reserved, NULL);
2678
2679         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2680                 hf_netlogon_reserved, NULL);
2681
2682         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2683                 hf_netlogon_reserved, NULL);
2684
2685         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2686                 hf_netlogon_reserved, NULL);
2687
2688         return offset;
2689 }
2690
2691
2692 static int
2693 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2694                         packet_info *pinfo, proto_tree *tree,
2695                         guint8 *drep)
2696 {
2697         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2698                 hf_netlogon_event_audit_option, NULL);
2699
2700         return offset;
2701 }
2702
2703 static int
2704 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2705                         packet_info *pinfo, proto_tree *tree,
2706                         guint8 *drep)
2707 {
2708         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2709                 netlogon_dissect_EVENT_AUDIT_OPTION);
2710
2711         return offset;
2712 }
2713
2714
2715 /*
2716  * IDL typedef struct {
2717  * IDL   long pagedpoollimit;
2718  * IDL   long nonpagedpoollimit;
2719  * IDL   long minimumworkingsetsize;
2720  * IDL   long maximumworkingsetsize;
2721  * IDL   long pagefilelimit;
2722  * IDL   NTTIME timelimit;
2723  * IDL } QUOTA_LIMITS;
2724  */
2725 static int
2726 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2727                         packet_info *pinfo, proto_tree *parent_tree,
2728                         guint8 *drep)
2729 {
2730         proto_item *item=NULL;
2731         proto_tree *tree=NULL;
2732         int old_offset=offset;
2733
2734         if(parent_tree){
2735                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2736                         "QUOTA_LIMTS:");
2737                 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2738         }
2739
2740         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2741                 hf_netlogon_pagedpoollimit, NULL);
2742
2743         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2744                 hf_netlogon_nonpagedpoollimit, NULL);
2745
2746         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2747                 hf_netlogon_minworkingsetsize, NULL);
2748
2749         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2750                 hf_netlogon_maxworkingsetsize, NULL);
2751
2752         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2753                 hf_netlogon_pagefilelimit, NULL);
2754
2755         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2756                 hf_netlogon_timelimit);
2757
2758         proto_item_set_len(item, offset-old_offset);
2759         return offset;
2760 }
2761
2762
2763 /*
2764  * IDL typedef struct {
2765  * IDL   long maxlogsize;
2766  * IDL   NTTIME auditretentionperiod;
2767  * IDL   bool auditingmode;
2768  * IDL   long maxauditeventcount;
2769  * IDL   [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2770  * IDL   UNICODESTRING primarydomainname;
2771  * IDL   [unique] SID *sid;
2772  * IDL   QUOTA_LIMITS quota_limits;
2773  * IDL   NTTIME db_modify_time;
2774  * IDL   NTTIME db_create_time;
2775  * IDL   long SecurityInformation;
2776  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2777  * IDL   UNICODESTRING dummy1;
2778  * IDL   UNICODESTRING dummy2;
2779  * IDL   UNICODESTRING dummy3;
2780  * IDL   UNICODESTRING dummy4;
2781  * IDL   long dummy5;
2782  * IDL   long dummy6;
2783  * IDL   long dummy7;
2784  * IDL   long dummy8;
2785  * IDL } DELTA_POLICY;
2786  */
2787 static int
2788 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2789                         packet_info *pinfo, proto_tree *tree,
2790                         guint8 *drep)
2791 {
2792         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2793                 hf_netlogon_max_log_size, NULL);
2794
2795         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2796                 hf_netlogon_audit_retention_period);
2797
2798         offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2799                 hf_netlogon_auditing_mode, NULL);
2800
2801         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2802                 hf_netlogon_max_audit_event_count, NULL);
2803
2804         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2805                 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2806                 "Event Audit Options:", -1);
2807
2808         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2809                 hf_netlogon_domain_name, 0);
2810
2811         offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
2812
2813         offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2814                 pinfo, tree, drep);
2815
2816         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2817                 hf_netlogon_db_modify_time);
2818
2819         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2820                 hf_netlogon_db_create_time);
2821
2822         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2823                 hf_netlogon_security_information, NULL);
2824
2825         offset = lsa_dissect_sec_desc_buf(tvb, offset,
2826                 pinfo, tree, drep, 0, 0);
2827
2828         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2829                 hf_netlogon_dummy, 0);
2830
2831         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2832                 hf_netlogon_dummy, 0);
2833
2834         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2835                 hf_netlogon_dummy, 0);
2836
2837         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2838                 hf_netlogon_dummy, 0);
2839
2840         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2841                 hf_netlogon_reserved, NULL);
2842
2843         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2844                 hf_netlogon_reserved, NULL);
2845
2846         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2847                 hf_netlogon_reserved, NULL);
2848
2849         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2850                 hf_netlogon_reserved, NULL);
2851
2852         return offset;
2853 }
2854
2855
2856 static int
2857 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2858                         packet_info *pinfo, proto_tree *tree,
2859                         guint8 *drep)
2860 {
2861         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2862                 hf_netlogon_dc_name, 0);
2863
2864         return offset;
2865 }
2866
2867 static int
2868 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2869                         packet_info *pinfo, proto_tree *tree,
2870                         guint8 *drep)
2871 {
2872         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2873                 netlogon_dissect_CONTROLLER);
2874
2875         return offset;
2876 }
2877
2878
2879 /*
2880  * IDL typedef struct {
2881  * IDL   UNICODESTRING DomainName;
2882  * IDL   long num_controllers;
2883  * IDL   [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2884  * IDL   long SecurityInformation;
2885  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2886  * IDL   UNICODESTRING dummy1;
2887  * IDL   UNICODESTRING dummy2;
2888  * IDL   UNICODESTRING dummy3;
2889  * IDL   UNICODESTRING dummy4;
2890  * IDL   long dummy5;
2891  * IDL   long dummy6;
2892  * IDL   long dummy7;
2893  * IDL   long dummy8;
2894  * IDL } DELTA_TRUSTED_DOMAINS;
2895  */
2896 static int
2897 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2898                         packet_info *pinfo, proto_tree *tree,
2899                         guint8 *drep)
2900 {
2901         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2902                 hf_netlogon_domain_name, 0);
2903
2904         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2905                 hf_netlogon_num_controllers, NULL);
2906
2907         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2908                 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2909                 "Domain Controllers:", -1);
2910
2911         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2912                 hf_netlogon_security_information, NULL);
2913
2914         offset = lsa_dissect_sec_desc_buf(tvb, offset,
2915                 pinfo, tree, drep, 0, 0);
2916
2917         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2918                 hf_netlogon_dummy, 0);
2919
2920         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2921                 hf_netlogon_dummy, 0);
2922
2923         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2924                 hf_netlogon_dummy, 0);
2925
2926         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2927                 hf_netlogon_dummy, 0);
2928
2929         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2930                 hf_netlogon_reserved, NULL);
2931
2932         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2933                 hf_netlogon_reserved, NULL);
2934
2935         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2936                 hf_netlogon_reserved, NULL);
2937
2938         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2939                 hf_netlogon_reserved, NULL);
2940
2941         return offset;
2942 }
2943
2944
2945 static int
2946 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2947                         packet_info *pinfo, proto_tree *tree,
2948                         guint8 *drep)
2949 {
2950         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2951                 hf_netlogon_attrs, NULL);
2952
2953         return offset;
2954 }
2955
2956 static int
2957 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2958                         packet_info *pinfo, proto_tree *tree,
2959                         guint8 *drep)
2960 {
2961         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2962                 netlogon_dissect_PRIV_ATTR);
2963
2964         return offset;
2965 }
2966
2967 static int
2968 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2969                         packet_info *pinfo, proto_tree *tree,
2970                         guint8 *drep)
2971 {
2972         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2973                 hf_netlogon_privilege_name, 1);
2974
2975         return offset;
2976 }
2977
2978 static int
2979 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2980                         packet_info *pinfo, proto_tree *tree,
2981                         guint8 *drep)
2982 {
2983         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2984                 netlogon_dissect_PRIV_NAME);
2985
2986         return offset;
2987 }
2988
2989
2990
2991 /*
2992  * IDL typedef struct {
2993  * IDL   long privilegeentries;
2994  * IDL   long provolegecontrol;
2995  * IDL   [unique][size_is(privilege_entries)] long *privilege_attrib;
2996  * IDL   [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2997  * IDL   QUOTALIMITS quotalimits;
2998  * IDL   long SecurityInformation;
2999  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
3000  * IDL   UNICODESTRING dummy1;
3001  * IDL   UNICODESTRING dummy2;
3002  * IDL   UNICODESTRING dummy3;
3003  * IDL   UNICODESTRING dummy4;
3004  * IDL   long dummy5;
3005  * IDL   long dummy6;
3006  * IDL   long dummy7;
3007  * IDL   long dummy8;
3008  * IDL } DELTA_ACCOUNTS;
3009  */
3010 static int
3011 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
3012                         packet_info *pinfo, proto_tree *tree,
3013                         guint8 *drep)
3014 {
3015         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3016                 hf_netlogon_privilege_entries, NULL);
3017
3018         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3019                 hf_netlogon_privilege_control, NULL);
3020
3021         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3022                 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
3023                 "PRIV_ATTR_ARRAY:", -1);
3024
3025         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3026                 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
3027                 "PRIV_NAME_ARRAY:", -1);
3028
3029         offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3030                 pinfo, tree, drep);
3031
3032         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3033                 hf_netlogon_systemflags, NULL);
3034
3035         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3036                 hf_netlogon_security_information, NULL);
3037
3038         offset = lsa_dissect_sec_desc_buf(tvb, offset,
3039                 pinfo, tree, drep, 0, 0);
3040
3041         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3042                 hf_netlogon_dummy, 0);
3043
3044         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3045                 hf_netlogon_dummy, 0);
3046
3047         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3048                 hf_netlogon_dummy, 0);
3049
3050         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3051                 hf_netlogon_dummy, 0);
3052
3053         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3054                 hf_netlogon_reserved, NULL);
3055
3056         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3057                 hf_netlogon_reserved, NULL);
3058
3059         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3060                 hf_netlogon_reserved, NULL);
3061
3062         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3063                 hf_netlogon_reserved, NULL);
3064
3065         return offset;
3066 }
3067
3068 /*
3069  * IDL typedef struct {
3070  * IDL   long len;
3071  * IDL   long maxlen;
3072  * IDL   [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
3073  * IDL } CIPHER_VALUE;
3074  */
3075 static int
3076 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
3077                         packet_info *pinfo, proto_tree *tree,
3078                         guint8 *drep)
3079 {
3080         dcerpc_info *di;
3081         guint32 data_len;
3082
3083         di=pinfo->private_data;
3084         if(di->conformant_run){
3085                 /*just a run to handle conformant arrays, nothing to dissect */
3086                 return offset;
3087         }
3088
3089         offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3090                 hf_netlogon_cipher_maxlen, NULL);
3091
3092         /* skip offset */
3093         offset += 4;
3094
3095         offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3096                 hf_netlogon_cipher_len, &data_len);
3097
3098         proto_tree_add_item(tree, di->hf_index, tvb, offset,
3099                 data_len, FALSE);
3100         offset += data_len;
3101
3102         return offset;
3103 }
3104 static int
3105 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
3106                         packet_info *pinfo, proto_tree *parent_tree,
3107                         guint8 *drep, const char *name, int hf_index)
3108 {
3109         proto_item *item=NULL;
3110         proto_tree *tree=NULL;
3111         int old_offset=offset;
3112
3113         if(parent_tree){
3114                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3115                         name);
3116                 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
3117         }
3118
3119         offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3120                 hf_netlogon_cipher_len, NULL);
3121
3122         offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3123                 hf_netlogon_cipher_maxlen, NULL);
3124
3125         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3126                 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
3127                 name, hf_index);
3128
3129         proto_item_set_len(item, offset-old_offset);
3130         return offset;
3131 }
3132
3133 /*
3134  * IDL typedef struct {
3135  * IDL   CIPHER_VALUE current_cipher;
3136  * IDL   NTTIME current_cipher_set_time;
3137  * IDL   CIPHER_VALUE old_cipher;
3138  * IDL   NTTIME old_cipher_set_time;
3139  * IDL   long SecurityInformation;
3140  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
3141  * IDL   UNICODESTRING dummy1;
3142  * IDL   UNICODESTRING dummy2;
3143  * IDL   UNICODESTRING dummy3;
3144  * IDL   UNICODESTRING dummy4;
3145  * IDL   long dummy5;
3146  * IDL   long dummy6;
3147  * IDL   long dummy7;
3148  * IDL   long dummy8;
3149  * IDL } DELTA_SECRET;
3150  */
3151 static int
3152 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
3153                         packet_info *pinfo, proto_tree *tree,
3154                         guint8 *drep)
3155 {
3156         offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3157                 pinfo, tree, drep,
3158                 "CIPHER_VALUE: current cipher value",
3159                 hf_netlogon_cipher_current_data);
3160
3161         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3162                 hf_netlogon_cipher_current_set_time);
3163
3164         offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3165                 pinfo, tree, drep,
3166                 "CIPHER_VALUE: old cipher value",
3167                 hf_netlogon_cipher_old_data);
3168
3169         offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3170                 hf_netlogon_cipher_old_set_time);
3171
3172         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3173                 hf_netlogon_security_information, NULL);
3174
3175         offset = lsa_dissect_sec_desc_buf(tvb, offset,
3176                 pinfo, tree, drep, 0, 0);
3177
3178         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3179                 hf_netlogon_dummy, 0);
3180
3181         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3182                 hf_netlogon_dummy, 0);
3183
3184         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3185                 hf_netlogon_dummy, 0);
3186
3187         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3188                 hf_netlogon_dummy, 0);
3189
3190         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3191                 hf_netlogon_reserved, NULL);
3192
3193         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3194                 hf_netlogon_reserved, NULL);
3195
3196         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3197                 hf_netlogon_reserved, NULL);
3198
3199         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3200                 hf_netlogon_reserved, NULL);
3201
3202         return offset;
3203 }
3204
3205 /*
3206  * IDL typedef struct {
3207  * IDL   long low_value;
3208  * IDL   long high_value;
3209  * } MODIFIED_COUNT;
3210  */
3211 static int
3212 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
3213                         packet_info *pinfo, proto_tree *tree,
3214                         guint8 *drep)
3215 {
3216         offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, drep,
3217                 hf_netlogon_modify_count, NULL);
3218
3219         return offset;
3220 }
3221
3222
3223 #define DT_DELTA_DOMAIN                 1
3224 #define DT_DELTA_GROUP                  2
3225 #define DT_DELTA_DELETE_GROUP           3
3226 #define DT_DELTA_RENAME_GROUP           4
3227 #define DT_DELTA_USER                   5
3228 #define DT_DELTA_DELETE_USER            6
3229 #define DT_DELTA_RENAME_USER            7
3230 #define DT_DELTA_GROUP_MEMBER           8
3231 #define DT_DELTA_ALIAS                  9
3232 #define DT_DELTA_DELETE_ALIAS           10
3233 #define DT_DELTA_RENAME_ALIAS           11
3234 #define DT_DELTA_ALIAS_MEMBER           12
3235 #define DT_DELTA_POLICY                 13
3236 #define DT_DELTA_TRUSTED_DOMAINS        14
3237 #define DT_DELTA_DELETE_TRUST           15
3238 #define DT_DELTA_ACCOUNTS               16
3239 #define DT_DELTA_DELETE_ACCOUNT         17
3240 #define DT_DELTA_SECRET                 18
3241 #define DT_DELTA_DELETE_SECRET          19
3242 #define DT_DELTA_DELETE_GROUP2          20
3243 #define DT_DELTA_DELETE_USER2           21
3244 #define DT_MODIFIED_COUNT               22
3245 static const value_string delta_type_vals[] = {
3246         { DT_DELTA_DOMAIN,              "Domain" },
3247         { DT_DELTA_GROUP,               "Group" },
3248         { DT_DELTA_DELETE_GROUP,        "Delete Group" },
3249         { DT_DELTA_RENAME_GROUP,        "Rename Group" },
3250         { DT_DELTA_USER,                "User" },
3251         { DT_DELTA_DELETE_USER,         "Delete User" },
3252         { DT_DELTA_RENAME_USER,         "Rename User" },
3253         { DT_DELTA_GROUP_MEMBER,        "Group Member" },
3254         { DT_DELTA_ALIAS,               "Alias" },
3255         { DT_DELTA_DELETE_ALIAS,        "Delete Alias" },
3256         { DT_DELTA_RENAME_ALIAS,        "Rename Alias" },
3257         { DT_DELTA_ALIAS_MEMBER,        "Alias Member" },
3258         { DT_DELTA_POLICY,              "Policy" },
3259         { DT_DELTA_TRUSTED_DOMAINS,     "Trusted Domains" },
3260         { DT_DELTA_DELETE_TRUST,        "Delete Trust" },
3261         { DT_DELTA_ACCOUNTS,            "Accounts" },
3262         { DT_DELTA_DELETE_ACCOUNT,      "Delete Account" },
3263         { DT_DELTA_SECRET,              "Secret" },
3264         { DT_DELTA_DELETE_SECRET,       "Delete Secret" },
3265         { DT_DELTA_DELETE_GROUP2,       "Delete Group2" },
3266         { DT_DELTA_DELETE_USER2,        "Delete User2" },
3267         { DT_MODIFIED_COUNT,            "Modified Count" },
3268         { 0, NULL }
3269 };
3270 /*
3271  * IDL typedef [switch_type(short)] union {
3272  * IDL   [case(1)][unique] DELTA_DOMAIN *domain;
3273  * IDL   [case(2)][unique] DELTA_GROUP *group;
3274  * IDL   [case(3)][unique] rid only ;
3275  * IDL   [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3276  * IDL   [case(5)][unique] DELTA_USER *user;
3277  * IDL   [case(6)][unique] rid only ;
3278  * IDL   [case(7)][unique] DELTA_RENAME_USER *rename_user;
3279  * IDL   [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3280  * IDL   [case(9)][unique] DELTA_ALIAS *alias;
3281  * IDL   [case(10)][unique] rid only ;
3282  * IDL   [case(11)][unique] DELTA_RENAME_ALIAS *alias;
3283  * IDL   [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3284  * IDL   [case(13)][unique] DELTA_POLICY *policy;
3285  * IDL   [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3286  * IDL   [case(15)][unique] PSID ;
3287  * IDL   [case(16)][unique] DELTA_ACCOUNTS *accounts;
3288  * IDL   [case(17)][unique] PSID ;
3289  * IDL   [case(18)][unique] DELTA_SECRET *secret;
3290  * IDL   [case(19)][unique] string;
3291  * IDL   [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
3292  * IDL   [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
3293  * IDL   [case(22)][unique] MODIFIED_COUNT *modified_count;
3294  * IDL } DELTA_UNION;
3295  */
3296 static int
3297 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
3298                         packet_info *pinfo, proto_tree *parent_tree,
3299                         guint8 *drep)
3300 {
3301         proto_item *item=NULL;
3302         proto_tree *tree=NULL;
3303         int old_offset=offset;
3304         guint16 level;
3305
3306         if(parent_tree){
3307                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3308                         "DELTA_UNION:");
3309                 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
3310         }
3311
3312         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3313                 hf_netlogon_delta_type, &level);
3314
3315         ALIGN_TO_4_BYTES;
3316         switch(level){
3317         case 1:
3318                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3319                         netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
3320                         "DELTA_DOMAIN:", -1);
3321                 break;
3322         case 2:
3323                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3324                         netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
3325                         "DELTA_GROUP:", -1);
3326                 break;
3327         case 4:
3328                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3329                         netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3330                         "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
3331                 break;
3332         case 5:
3333                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3334                         netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
3335                         "DELTA_USER:", -1);
3336                 break;
3337         case 7:
3338                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3339                         netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3340                         "DELTA_RENAME_USER:", hf_netlogon_acct_name);
3341                 break;
3342         case 8:
3343                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3344                         netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
3345                         "DELTA_GROUP_MEMBER:", -1);
3346                 break;
3347         case 9:
3348                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3349                         netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
3350                         "DELTA_ALIAS:", -1);
3351                 break;
3352         case 11:
3353                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3354                         netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3355                         "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
3356                 break;
3357         case 12:
3358                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3359                         netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
3360                         "DELTA_ALIAS_MEMBER:", -1);
3361                 break;
3362         case 13:
3363                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3364                         netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
3365                         "DELTA_POLICY:", -1);
3366                 break;
3367         case 14:
3368                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3369                         netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
3370                         "DELTA_TRUSTED_DOMAINS:", -1);
3371                 break;
3372         case 16:
3373                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3374                         netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
3375                         "DELTA_ACCOUNTS:", -1);
3376                 break;
3377         case 18:
3378                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3379                         netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
3380                         "DELTA_SECRET:", -1);
3381                 break;
3382         case 20:
3383                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3384                         netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3385                         "DELTA_DELETE_GROUP:", -1);
3386                 break;
3387         case 21:
3388                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3389                         netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3390                         "DELTA_DELETE_USER:", -1);
3391                 break;
3392         case 22:
3393                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3394                         netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
3395                         "MODIFIED_COUNT:", -1);
3396                 break;
3397         }
3398
3399         proto_item_set_len(item, offset-old_offset);
3400         return offset;
3401 }
3402
3403
3404
3405 /* IDL XXX must verify this one, especially 13-19
3406  * IDL typedef [switch_type(short)] union {
3407  * IDL   [case(1)] long rid;
3408  * IDL   [case(2)] long rid;
3409  * IDL   [case(3)] long rid;
3410  * IDL   [case(4)] long rid;
3411  * IDL   [case(5)] long rid;
3412  * IDL   [case(6)] long rid;
3413  * IDL   [case(7)] long rid;
3414  * IDL   [case(8)] long rid;
3415  * IDL   [case(9)] long rid;
3416  * IDL   [case(10)] long rid;
3417  * IDL   [case(11)] long rid;
3418  * IDL   [case(12)] long rid;
3419  * IDL   [case(13)] [unique] SID *sid;
3420  * IDL   [case(14)] [unique] SID *sid;
3421  * IDL   [case(15)] [unique] SID *sid;
3422  * IDL   [case(16)] [unique] SID *sid;
3423  * IDL   [case(17)] [unique] SID *sid;
3424  * IDL   [case(18)] [unique][string] wchar_t *Name ;
3425  * IDL   [case(19)] [unique][string] wchar_t *Name ;
3426  * IDL   [case(20)] long rid;
3427  * IDL   [case(21)] long rid;
3428  * IDL } DELTA_ID_UNION;
3429  */
3430 static int
3431 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
3432                         packet_info *pinfo, proto_tree *parent_tree,
3433                         guint8 *drep)
3434 {
3435         proto_item *item=NULL;
3436         proto_tree *tree=NULL;
3437         int old_offset=offset;
3438         guint16 level;
3439
3440         if(parent_tree){
3441                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3442                         "DELTA_ID_UNION:");
3443                 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
3444         }
3445
3446         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3447                 hf_netlogon_delta_type, &level);
3448
3449         ALIGN_TO_4_BYTES;
3450         switch(level){
3451         case 1:
3452                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3453                         hf_netlogon_group_rid, NULL);
3454                 break;
3455         case 2:
3456                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3457                         hf_netlogon_user_rid, NULL);
3458                 break;
3459         case 3:
3460                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3461                         hf_netlogon_user_rid, NULL);
3462                 break;
3463         case 4:
3464                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3465                         hf_netlogon_user_rid, NULL);
3466                 break;
3467         case 5:
3468                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3469                         hf_netlogon_user_rid, NULL);
3470                 break;
3471         case 6:
3472                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3473                         hf_netlogon_user_rid, NULL);
3474                 break;
3475         case 7:
3476                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3477                         hf_netlogon_user_rid, NULL);
3478                 break;
3479         case 8:
3480                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3481                         hf_netlogon_user_rid, NULL);
3482                 break;
3483         case 9:
3484                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3485                         hf_netlogon_user_rid, NULL);
3486                 break;
3487         case 10:
3488                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3489                         hf_netlogon_user_rid, NULL);
3490                 break;
3491         case 11:
3492                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3493                         hf_netlogon_user_rid, NULL);
3494                 break;
3495         case 12:
3496                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3497                         hf_netlogon_user_rid, NULL);
3498                 break;
3499         case 13:
3500                 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3501                 break;
3502         case 14:
3503                 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3504                 break;
3505         case 15:
3506                 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3507                 break;
3508         case 16:
3509                 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3510                 break;
3511         case 17:
3512                 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3513                 break;
3514         case 18:
3515                 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, 
3516                         tree, drep, NDR_POINTER_UNIQUE, "unknown", 
3517                         hf_netlogon_unknown_string, 0);
3518                 break;
3519         case 19:
3520                 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, 
3521                         tree, drep, NDR_POINTER_UNIQUE, "unknown", 
3522                         hf_netlogon_unknown_string, 0);
3523                 break;
3524         case 20:
3525                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3526                         hf_netlogon_user_rid, NULL);
3527                 break;
3528         case 21:
3529                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3530                         hf_netlogon_user_rid, NULL);
3531                 break;
3532         }
3533
3534         proto_item_set_len(item, offset-old_offset);
3535         return offset;
3536 }
3537
3538 /*
3539  * IDL typedef struct {
3540  * IDL   short delta_type;
3541  * IDL   DELTA_ID_UNION delta_id_union;
3542  * IDL   DELTA_UNION delta_union;
3543  * IDL } DELTA_ENUM;
3544  */
3545 static int
3546 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3547                         packet_info *pinfo, proto_tree *parent_tree,
3548                         guint8 *drep)
3549 {
3550         proto_item *item=NULL;
3551         proto_tree *tree=NULL;
3552         int old_offset=offset;
3553         guint16 type;
3554
3555         if(parent_tree){
3556                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3557                         "DELTA_ENUM:");
3558                 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3559         }
3560
3561         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3562                 hf_netlogon_delta_type, &type);
3563
3564         proto_item_append_text(item, val_to_str(
3565                                        type, delta_type_vals, "Unknown"));
3566
3567         offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3568                 pinfo, tree, drep);
3569
3570         offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3571                 pinfo, tree, drep);
3572
3573         proto_item_set_len(item, offset-old_offset);
3574         return offset;
3575 }
3576
3577 static int
3578 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3579                         packet_info *pinfo, proto_tree *tree,
3580                         guint8 *drep)
3581 {
3582         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3583                 netlogon_dissect_DELTA_ENUM);
3584
3585         return offset;
3586 }
3587
3588 /*
3589  * IDL typedef struct {
3590  * IDL   long num_deltas;
3591  * IDL   [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3592  * IDL } DELTA_ENUM_ARRAY;
3593  */
3594 static int
3595 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3596                         packet_info *pinfo, proto_tree *tree,
3597                         guint8 *drep)
3598 {
3599         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3600                 hf_netlogon_num_deltas, NULL);
3601
3602         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3603                 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3604                 "DELTA_ENUM: deltas", -1);
3605
3606         return offset;
3607 }
3608
3609
3610 /*
3611  * IDL long NetrDatabaseDeltas(
3612  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
3613  * IDL      [in][string][ref] wchar_t *computername,
3614  * IDL      [in][ref] AUTHENTICATOR credential,
3615  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3616  * IDL      [in] long database_id,
3617  * IDL      [in][out][ref] MODIFIED_COUNT domain_modify_count,
3618  * IDL      [in] long preferredmaximumlength,
3619  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3620  * IDL );
3621  */
3622 static int
3623 netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
3624         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3625 {
3626         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3627                 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3628
3629         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3630                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3631
3632         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3633                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3634                 "AUTHENTICATOR: credential", -1);
3635
3636         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3637                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3638                 "AUTHENTICATOR: return_authenticator", -1);
3639
3640         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3641                 hf_netlogon_database_id, NULL);
3642
3643         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3644                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3645                 "MODIFIED_COUNT: domain modified count", -1);
3646
3647         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3648                 hf_netlogon_max_size, NULL);
3649
3650         return offset;
3651 }
3652 static int
3653 netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
3654         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3655 {
3656         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3657                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3658                 "AUTHENTICATOR: return_authenticator", -1);
3659
3660         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3661                 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3662                 "MODIFIED_COUNT: domain modified count", -1);
3663
3664         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3665                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3666                 "DELTA_ENUM_ARRAY: deltas", -1);
3667
3668         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3669                                   hf_netlogon_rc, NULL);
3670
3671         return offset;
3672 }
3673
3674
3675 /*
3676  * IDL long NetrDatabaseSync(
3677  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
3678  * IDL      [in][string][ref] wchar_t *computername,
3679  * IDL      [in][ref] AUTHENTICATOR credential,
3680  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3681  * IDL      [in] long database_id,
3682  * IDL      [in][out][ref] long sync_context,
3683  * IDL      [in] long preferredmaximumlength,
3684  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3685  * IDL );
3686  */
3687 static int
3688 netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
3689         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3690 {
3691         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3692                 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3693
3694         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3695                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3696
3697         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3698                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3699                 "AUTHENTICATOR: credential", -1);
3700
3701         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3702                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3703                 "AUTHENTICATOR: return_authenticator", -1);
3704
3705         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3706                 hf_netlogon_database_id, NULL);
3707
3708         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3709                 hf_netlogon_sync_context, NULL);
3710
3711         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3712                 hf_netlogon_max_size, NULL);
3713
3714         return offset;
3715 }
3716
3717
3718 static int
3719 netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
3720         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3721 {
3722         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3723                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3724                 "AUTHENTICATOR: return_authenticator", -1);
3725
3726         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3727                 hf_netlogon_sync_context, NULL);
3728
3729         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3730                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3731                 "DELTA_ENUM_ARRAY: deltas", -1);
3732
3733         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3734                                   hf_netlogon_rc, NULL);
3735
3736         return offset;
3737 }
3738
3739 /*
3740  * IDL typedef struct {
3741  * IDL   char computer_name[16];
3742  * IDL   long timecreated;
3743  * IDL   long serial_number;
3744  * IDL } UAS_INFO_0;
3745  */
3746 static int
3747 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3748                         packet_info *pinfo, proto_tree *tree,
3749                         guint8 *drep)
3750 {
3751         dcerpc_info *di;
3752
3753         di=pinfo->private_data;
3754         if(di->conformant_run){
3755                 /*just a run to handle conformant arrays, nothing to dissect */
3756                 return offset;
3757         }
3758
3759         proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3760         offset += 16;
3761
3762         proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3763         offset+= 4;
3764
3765         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3766                 hf_netlogon_serial_number, NULL);
3767
3768         return offset;
3769 }
3770
3771
3772 static int
3773 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3774                         packet_info *pinfo, proto_tree *tree,
3775                         guint8 *drep)
3776 {
3777                 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3778                         hf_netlogon_unknown_char, NULL);
3779
3780         return offset;
3781 }
3782
3783 static int
3784 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3785                         packet_info *pinfo, proto_tree *tree,
3786                         guint8 *drep)
3787 {
3788         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3789                 netlogon_dissect_BYTE_byte);
3790
3791         return offset;
3792 }
3793
3794 /*
3795  * IDL long NetrAccountDeltas(
3796  * IDL      [in][string][unique] wchar_t *logonserver,
3797  * IDL      [in][string][ref] wchar_t *computername,
3798  * IDL      [in][ref] AUTHENTICATOR credential,
3799  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3800  * IDL      [out][ref][size_is(count_returned)] char *Buffer,
3801  * IDL      [out][ref] long count_returned,
3802  * IDL      [out][ref] long total_entries,
3803  * IDL      [in][out][ref] UAS_INFO_0 recordid,
3804  * IDL      [in][long] count,
3805  * IDL      [in][long] level,
3806  * IDL      [in][long] buffersize,
3807  * IDL );
3808  */
3809 static int
3810 netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
3811         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3812 {
3813         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3814                 pinfo, tree, drep);
3815
3816         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3817                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3818
3819         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3820                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3821                 "AUTHENTICATOR: credential", -1);
3822
3823         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3824                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3825                 "AUTHENTICATOR: return_authenticator", -1);
3826
3827         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3828                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3829                 "UAS_INFO_0: RecordID", -1);
3830
3831         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3832                 hf_netlogon_count, NULL);
3833
3834         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3835                 hf_netlogon_level, NULL);
3836
3837         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3838                 hf_netlogon_max_size, NULL);
3839
3840         return offset;
3841 }
3842 static int
3843 netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
3844         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3845 {
3846         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3847                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3848                 "AUTHENTICATOR: return_authenticator", -1);
3849
3850         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3851                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3852                 "BYTE_array: Buffer", -1);
3853
3854         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3855                 hf_netlogon_count, NULL);
3856
3857         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3858                 hf_netlogon_entries, NULL);
3859
3860         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3861                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3862                 "UAS_INFO_0: RecordID", -1);
3863
3864         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3865                                   hf_netlogon_rc, NULL);
3866
3867         return offset;
3868 }
3869
3870
3871 /*
3872  * IDL long NetrAccountSync(
3873  * IDL      [in][string][unique] wchar_t *logonserver,
3874  * IDL      [in][string][ref] wchar_t *computername,
3875  * IDL      [in][ref] AUTHENTICATOR credential,
3876  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3877  * IDL      [out][ref][size_is(count_returned)] char *Buffer,
3878  * IDL      [out][ref] long count_returned,
3879  * IDL      [out][ref] long total_entries,
3880  * IDL      [out][ref] long next_reference,
3881  * IDL      [in][long] reference,
3882  * IDL      [in][long] level,
3883  * IDL      [in][long] buffersize,
3884  * IDL      [in][out][ref] UAS_INFO_0 recordid,
3885  * IDL );
3886  */
3887 static int
3888 netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
3889         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3890 {
3891         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3892                 pinfo, tree, drep);
3893
3894         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3895                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3896
3897         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3898                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3899                 "AUTHENTICATOR: credential", -1);
3900
3901         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3902                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3903                 "AUTHENTICATOR: return_authenticator", -1);
3904
3905         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3906                 hf_netlogon_reference, NULL);
3907
3908         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3909                 hf_netlogon_level, NULL);
3910
3911         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3912                 hf_netlogon_max_size, NULL);
3913
3914         return offset;
3915 }
3916 static int
3917 netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
3918         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3919 {
3920         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3921                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3922                 "AUTHENTICATOR: return_authenticator", -1);
3923
3924         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3925                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3926                 "BYTE_array: Buffer", -1);
3927
3928         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3929                 hf_netlogon_count, NULL);
3930
3931         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3932                 hf_netlogon_entries, NULL);
3933
3934         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3935                 hf_netlogon_next_reference, NULL);
3936
3937         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3938                 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3939                 "UAS_INFO_0: RecordID", -1);
3940
3941         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3942                                   hf_netlogon_rc, NULL);
3943
3944         return offset;
3945 }
3946
3947
3948 /*
3949  * IDL long NetrGetDcName(
3950  * IDL    [in][ref][string] wchar_t *logon_server,
3951  * IDL    [in][unique][string] wchar_t *domainname,
3952  * IDL    [out][unique][string] wchar_t *dcname,
3953  * IDL };
3954  */
3955 static int
3956 netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
3957         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3958 {
3959         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3960                 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3961
3962         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3963                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3964
3965         return offset;
3966 }
3967 static int
3968 netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
3969         packet_info *pinfo, proto_tree *tree, guint8 *drep)
3970 {
3971         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3972                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3973
3974         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3975                                   hf_netlogon_rc, NULL);
3976
3977         return offset;
3978 }
3979
3980
3981
3982 /*
3983  * IDL typedef struct {
3984  * IDL   long flags;
3985  * IDL   long pdc_connection_status;
3986  * IDL } NETLOGON_INFO_1;
3987  */
3988 static int
3989 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3990                         packet_info *pinfo, proto_tree *tree,
3991                         guint8 *drep)
3992 {
3993         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3994                 hf_netlogon_flags, NULL);
3995
3996         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3997                 hf_netlogon_pdc_connection_status, NULL);
3998
3999         return offset;
4000 }
4001
4002
4003 /*
4004  * IDL typedef struct {
4005  * IDL   long flags;
4006  * IDL   long pdc_connection_status;
4007  * IDL   [unique][string] wchar_t trusted_dc_name;
4008  * IDL   long tc_connection_status;
4009  * IDL } NETLOGON_INFO_2;
4010  */
4011 static int
4012 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
4013                         packet_info *pinfo, proto_tree *tree,
4014                         guint8 *drep)
4015 {
4016         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4017                 hf_netlogon_flags, NULL);
4018
4019         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4020                 hf_netlogon_pdc_connection_status, NULL);
4021
4022         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4023                 NDR_POINTER_UNIQUE, "Trusted DC Name", 
4024                 hf_netlogon_trusted_dc_name, 0);
4025
4026         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4027                 hf_netlogon_tc_connection_status, NULL);
4028
4029         return offset;
4030 }
4031
4032
4033 /*
4034  * IDL typedef struct {
4035  * IDL   long flags;
4036  * IDL   long logon_attempts;
4037  * IDL   long reserved;
4038  * IDL   long reserved;
4039  * IDL   long reserved;
4040  * IDL   long reserved;
4041  * IDL   long reserved;
4042  * IDL } NETLOGON_INFO_3;
4043  */
4044 static int
4045 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
4046                         packet_info *pinfo, proto_tree *tree,
4047                         guint8 *drep)
4048 {
4049         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4050                 hf_netlogon_flags, NULL);
4051
4052         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4053                 hf_netlogon_logon_attempts, NULL);
4054
4055         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4056                 hf_netlogon_reserved, NULL);
4057
4058         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4059                 hf_netlogon_reserved, NULL);
4060
4061         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4062                 hf_netlogon_reserved, NULL);
4063
4064         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4065                 hf_netlogon_reserved, NULL);
4066
4067         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4068                 hf_netlogon_reserved, NULL);
4069
4070         return offset;
4071 }
4072
4073
4074 /*
4075  * IDL typedef [switch_type(long)] union {
4076  * IDL   [case(1)] [unique] NETLOGON_INFO_1 *i1;
4077  * IDL   [case(2)] [unique] NETLOGON_INFO_2 *i2;
4078  * IDL   [case(3)] [unique] NETLOGON_INFO_3 *i3;
4079  * IDL } CONTROL_QUERY_INFORMATION;
4080  */
4081 static int
4082 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
4083                         packet_info *pinfo, proto_tree *tree,
4084                         guint8 *drep)
4085 {
4086         guint32 level;
4087
4088         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4089                 hf_netlogon_level, &level);
4090
4091         ALIGN_TO_4_BYTES;
4092         switch(level){
4093         case 1:
4094                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4095                         netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
4096                         "NETLOGON_INFO_1:", -1);
4097                 break;
4098         case 2:
4099                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4100                         netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
4101                         "NETLOGON_INFO_2:", -1);
4102                 break;
4103         case 3:
4104                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4105                         netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
4106                         "NETLOGON_INFO_3:", -1);
4107                 break;
4108         }
4109
4110         return offset;
4111 }
4112
4113
4114 /*
4115  * IDL long NetrLogonControl(
4116  * IDL      [in][string][unique] wchar_t *logonserver,
4117  * IDL      [in] long function_code,
4118  * IDL      [in] long level,
4119  * IDL      [out][ref] CONTROL_QUERY_INFORMATION
4120  * IDL );
4121  */
4122 static int
4123 netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
4124         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4125 {
4126         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4127                 pinfo, tree, drep);
4128
4129         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4130                 hf_netlogon_code, NULL);
4131
4132         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4133                 hf_netlogon_level, NULL);
4134
4135         return offset;
4136 }
4137 static int
4138 netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
4139         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4140 {
4141         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4142                 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4143                 "CONTROL_QUERY_INFORMATION:", -1);
4144
4145         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4146                                   hf_netlogon_dos_rc, NULL);
4147
4148         return offset;
4149 }
4150
4151
4152 /*
4153  * IDL long NetrGetAnyDCName(
4154  * IDL    [in][unique][string] wchar_t *logon_server,
4155  * IDL    [in][unique][string] wchar_t *domainname,
4156  * IDL    [out][unique][string] wchar_t *dcname,
4157  * IDL };
4158  */
4159 static int
4160 netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
4161         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4162 {
4163         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4164                 NDR_POINTER_UNIQUE, "Server Handle", 
4165                 hf_netlogon_logonsrv_handle, 0);
4166
4167         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4168                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
4169
4170         return offset;
4171 }
4172 static int
4173 netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
4174         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4175 {
4176         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4177                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4178
4179         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4180                                   hf_netlogon_dos_rc, NULL);
4181
4182         return offset;
4183 }
4184
4185
4186 /*
4187  * IDL typedef [switch_type(long)] union {
4188  * IDL   [case(5)] [unique][string] wchar_t *unknown;
4189  * IDL   [case(6)] [unique][string] wchar_t *unknown;
4190  * IDL   [case(0xfffe)] long unknown;
4191  * IDL   [case(7)] [unique][string] wchar_t *unknown;
4192  * IDL } CONTROL_DATA_INFORMATION;
4193  */
4194 /* XXX
4195  * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
4196  * to look like. However NetMon does not recognize any such informationlevels.
4197  *
4198  * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
4199  * until someone has any source of better authority to call upon.
4200  */
4201 static int
4202 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
4203                         packet_info *pinfo, proto_tree *tree,
4204                         guint8 *drep)
4205 {
4206         guint32 level;
4207
4208         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4209                 hf_netlogon_level, &level);
4210
4211         ALIGN_TO_4_BYTES;
4212         switch(level){
4213         case 5:
4214                 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, 
4215                         tree, drep, NDR_POINTER_UNIQUE, "unknown", 
4216                         hf_netlogon_unknown_string, 0);
4217                 break;
4218         case 6:
4219                 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, 
4220                         tree, drep, NDR_POINTER_UNIQUE, "unknown", 
4221                         hf_netlogon_unknown_string, 0);
4222                 break;
4223         case 0xfffe:
4224                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4225                         hf_netlogon_unknown_long, NULL);
4226                 break;
4227         case 8:
4228                 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, 
4229                         tree, drep, NDR_POINTER_UNIQUE, "unknown", 
4230                         hf_netlogon_unknown_string, 0);
4231                 break;
4232         }
4233
4234         return offset;
4235 }
4236
4237
4238 /*
4239  * IDL long NetrLogonControl2(
4240  * IDL      [in][string][unique] wchar_t *logonserver,
4241  * IDL      [in] long function_code,
4242  * IDL      [in] long level,
4243  * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
4244  * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
4245  * IDL );
4246  */
4247 static int
4248 netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
4249         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4250 {
4251         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4252                 pinfo, tree, drep);
4253
4254         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4255                 hf_netlogon_code, NULL);
4256
4257         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4258                 hf_netlogon_level, NULL);
4259
4260         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4261                 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4262                 "CONTROL_DATA_INFORMATION: ", -1);
4263
4264         return offset;
4265 }
4266
4267 static int
4268 netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
4269         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4270 {
4271         guint32 status;
4272
4273         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4274                 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4275                 "CONTROL_QUERY_INFORMATION:", -1);
4276
4277         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_netlogon_werr_rc, &status);
4278
4279         if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
4280                 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown WERR error 0x%08x"));
4281
4282
4283         return offset;
4284 }
4285
4286
4287 /*
4288  * IDL long NetrServerAuthenticate2(
4289  * IDL      [in][string][unique] wchar_t *logonserver,
4290  * IDL      [in][ref][string] wchar_t *username,
4291  * IDL      [in] short secure_channel_type,
4292  * IDL      [in][ref][string] wchar_t *computername,
4293  * IDL      [in][ref] CREDENTIAL *client_chal,
4294  * IDL      [out][ref] CREDENTIAL *server_chal,
4295  * IDL      [in][out][ref] long *negotiate_flags,
4296  * IDL );
4297  */
4298 static int
4299 netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
4300         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4301 {
4302         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4303                 pinfo, tree, drep);
4304
4305         offset = dissect_ndr_pointer_cb(
4306                 tvb, offset, pinfo, tree, drep, 
4307                 dissect_ndr_wchar_cvstring, NDR_POINTER_REF, 
4308                 "User Name", hf_netlogon_acct_name, 
4309                 cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));
4310
4311         offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
4312                 pinfo, tree, drep);
4313
4314         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4315                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4316
4317         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4318                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4319                 "CREDENTIAL: client_chal", -1);
4320
4321         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4322                 hf_netlogon_neg_flags, NULL);
4323
4324         return offset;
4325 }
4326
4327 static int
4328 netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
4329         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4330 {
4331         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4332                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4333                 "CREDENTIAL: server_chal", -1);
4334
4335         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4336                 hf_netlogon_neg_flags, NULL);
4337
4338         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4339                                   hf_netlogon_rc, NULL);
4340
4341         return offset;
4342 }
4343
4344
4345 /*
4346  * IDL long NetrDatabaseSync2(
4347  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
4348  * IDL      [in][string][ref] wchar_t *computername,
4349  * IDL      [in][ref] AUTHENTICATOR credential,
4350  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
4351  * IDL      [in] long database_id,
4352  * IDL      [in] short restart_state,
4353  * IDL      [in][out][ref] long *sync_context,
4354  * IDL      [in] long preferredmaximumlength,
4355  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4356  * IDL );
4357  */
4358 static int
4359 netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
4360         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4361 {
4362         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4363                 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4364
4365         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4366                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4367
4368         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4369                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4370                 "AUTHENTICATOR: credential", -1);
4371
4372         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4373                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4374                 "AUTHENTICATOR: return_authenticator", -1);
4375
4376         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4377                 hf_netlogon_database_id, NULL);
4378
4379         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4380                 hf_netlogon_restart_state, NULL);
4381
4382         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4383                 hf_netlogon_sync_context, NULL);
4384
4385         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4386                 hf_netlogon_max_size, NULL);
4387
4388         return offset;
4389 }
4390
4391 static int
4392 netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
4393         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4394 {
4395         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4396                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4397                 "AUTHENTICATOR: return_authenticator", -1);
4398
4399         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4400                 hf_netlogon_sync_context, NULL);
4401
4402         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4403                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4404                 "DELTA_ENUM_ARRAY: deltas", -1);
4405
4406         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4407                                   hf_netlogon_rc, NULL);
4408
4409         return offset;
4410 }
4411
4412
4413 /*
4414  * IDL long NetrDatabaseRedo(
4415  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
4416  * IDL      [in][string][ref] wchar_t *computername,
4417  * IDL      [in][ref] AUTHENTICATOR credential,
4418  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
4419  * IDL      [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
4420  * IDL      [in] long change_log_entry_size,
4421  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4422  * IDL );
4423  */
4424 static int
4425 netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
4426         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4427 {
4428         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4429                 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4430
4431         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4432                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4433
4434         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4435                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4436                 "AUTHENTICATOR: credential", -1);
4437
4438         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4439                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4440                 "AUTHENTICATOR: return_authenticator", -1);
4441
4442         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4443                 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4444                 "Change log entry: ", -1);
4445
4446         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4447                 hf_netlogon_max_log_size, NULL);
4448
4449         return offset;
4450 }
4451
4452 static int
4453 netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
4454         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4455 {
4456         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4457                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4458                 "AUTHENTICATOR: return_authenticator", -1);
4459
4460         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4461                 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4462                 "DELTA_ENUM_ARRAY: deltas", -1);
4463
4464         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4465                                   hf_netlogon_rc, NULL);
4466
4467         return offset;
4468 }
4469
4470
4471 /*
4472  * IDL long NetrLogonControl2Ex(
4473  * IDL      [in][string][unique] wchar_t *logonserver,
4474  * IDL      [in] long function_code,
4475  * IDL      [in] long level,
4476  * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
4477  * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
4478  * IDL );
4479  */
4480 static int
4481 netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
4482         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4483 {
4484         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4485                 pinfo, tree, drep);
4486
4487         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4488                 hf_netlogon_code, NULL);
4489
4490         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4491                 hf_netlogon_level, NULL);
4492
4493         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4494                 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4495                 "CONTROL_DATA_INFORMATION: ", -1);
4496
4497         return offset;
4498 }
4499 static int
4500 netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
4501         packet_info *pinfo, proto_tree *tree, guint8 *drep)
4502 {
4503         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4504                 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4505                 "CONTROL_QUERY_INFORMATION:", -1);
4506
4507         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4508                                   hf_netlogon_dos_rc, NULL);
4509
4510         return offset;
4511 }
4512
4513
4514
4515
4516 static const value_string trust_type_vals[] = {
4517         { 1,                            "DOWNLEVEL" },
4518         { 2,                            "UPLEVEL" },
4519         { 3,                            "MIT" },
4520         { 4,                            "DCE" },
4521         { 0, NULL }
4522 };
4523
4524 #define DS_INET_ADDRESS         1
4525 #define DS_NETBIOS_ADDRESS      2
4526 static const value_string dc_address_types[] = {
4527         { DS_INET_ADDRESS,              "IP/DNS name" },
4528         { DS_NETBIOS_ADDRESS,           "NetBIOS name" },
4529         { 0, NULL}
4530 };
4531
4532
4533 #define DS_DOMAIN_IN_FOREST             0x0001
4534 #define DS_DOMAIN_DIRECT_OUTBOUND       0x0002
4535 #define DS_DOMAIN_TREE_ROOT             0x0004
4536 #define DS_DOMAIN_PRIMARY               0x0008
4537 #define DS_DOMAIN_NATIVE_MODE           0x0010
4538 #define DS_DOMAIN_DIRECT_INBOUND        0x0020
4539 static const true_false_string trust_inbound = {
4540         "There is a DIRECT INBOUND trust for the servers domain",
4541         "There is NO direct inbound trust for the servers domain"
4542 };
4543 static const true_false_string trust_outbound = {
4544         "There is a DIRECT OUTBOUND trust for this domain",
4545         "There is NO direct outbound trust for this domain"
4546 };
4547 static const true_false_string trust_in_forest = {
4548         "The domain is a member IN the same FOREST as the queried server",
4549         "The domain is NOT a member of the queried servers domain"
4550 };
4551 static const true_false_string trust_native_mode = {
4552         "The primary domain is a NATIVE MODE w2k domain",
4553         "The primary is NOT a native mode w2k domain"
4554 };
4555 static const true_false_string trust_primary = {
4556         "The domain is the PRIMARY domain of the queried server",
4557         "The domain is NOT the primary domain of the queried server"
4558 };
4559 static const true_false_string trust_tree_root = {
4560         "The domain is the ROOT of a domain TREE",
4561         "The domain is NOT a root of a domain tree"
4562 };
4563 static int
4564 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4565         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4566 {
4567         guint32 mask;
4568         proto_item *item = NULL;
4569         proto_tree *tree = NULL;
4570         dcerpc_info *di;
4571
4572         di=pinfo->private_data;
4573         if(di->conformant_run){
4574                 /*just a run to handle conformant arrays, nothing to dissect */
4575                 return offset;
4576         }
4577
4578         offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4579                         hf_netlogon_trust_flags, &mask);
4580
4581         if(parent_tree){
4582                 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4583                         tvb, offset-4, 4, mask);
4584                 tree = proto_item_add_subtree(item, ett_trust_flags);
4585         }
4586
4587         proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4588                 tvb, offset-4, 4, mask);
4589         proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4590                 tvb, offset-4, 4, mask);
4591         proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4592                 tvb, offset-4, 4, mask);
4593         proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4594                 tvb, offset-4, 4, mask);
4595         proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4596                 tvb, offset-4, 4, mask);
4597         proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4598                 tvb, offset-4, 4, mask);
4599
4600         return offset;
4601 }
4602
4603
4604
4605 static const true_false_string trust_attribs_non_transitive = {
4606         "This is a NON TRANSITIVE trust relation",
4607         "This is a normal trust"
4608 };
4609 static const true_false_string trust_attribs_uplevel_only = {
4610         "This is an UPLEVEL ONLY trust relation",
4611         "This is a normal trust"
4612 };
4613 static const true_false_string trust_attribs_quarantined_domain = {
4614         "This is a QUARANTINED DOMAIN (so dont expect lookupsids to work)",
4615         "This is a normal trust"
4616 };
4617 static const true_false_string trust_attribs_forest_transitive = {
4618         "This is a FOREST TRANSITIVE trust",
4619         "This is a normal trust"
4620 };
4621 static const true_false_string trust_attribs_cross_organization = {
4622         "This is a CROSS ORGANIZATION trust",
4623         "This is a normal trust"
4624 };
4625 static const true_false_string trust_attribs_within_forest = {
4626         "This is a WITHIN FOREST trust",
4627         "This is a normal trust"
4628 };
4629 static const true_false_string trust_attribs_treat_as_external = {
4630         "TREAT this trust AS an EXTERNAL trust",
4631         "This is a normal trust"
4632 };
4633
4634 static int
4635 netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
4636         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4637 {
4638         guint32 mask;
4639         proto_item *item = NULL;
4640         proto_tree *tree = NULL;
4641         dcerpc_info *di;
4642
4643         di=pinfo->private_data;
4644         if(di->conformant_run){
4645                 /*just a run to handle conformant arrays, nothing to dissect */
4646                 return offset;
4647         }
4648
4649         offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4650                 hf_netlogon_trust_attribs, &mask);
4651
4652         if(parent_tree){
4653                 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_attribs,
4654                         tvb, offset-4, 4, mask);
4655                 tree = proto_item_add_subtree(item, ett_trust_attribs);
4656         }
4657
4658         proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_treat_as_external,
4659                 tvb, offset-4, 4, mask);
4660         proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_within_forest,
4661                 tvb, offset-4, 4, mask);
4662         proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_cross_organization,
4663                 tvb, offset-4, 4, mask);
4664         proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_forest_transitive,
4665                 tvb, offset-4, 4, mask);
4666         proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_quarantined_domain,
4667                 tvb, offset-4, 4, mask);
4668         proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_uplevel_only,
4669                 tvb, offset-4, 4, mask);
4670         proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_non_transitive,
4671                 tvb, offset-4, 4, mask);
4672
4673
4674         return offset;
4675 }
4676
4677
4678 #define DS_FORCE_REDISCOVERY            0x00000001
4679 #define DS_DIRECTORY_SERVICE_REQUIRED   0x00000010
4680 #define DS_DIRECTORY_SERVICE_PREFERRED  0x00000020
4681 #define DS_GC_SERVER_REQUIRED           0x00000040
4682 #define DS_PDC_REQUIRED                 0x00000080
4683 #define DS_BACKGROUND_ONLY              0x00000100
4684 #define DS_IP_REQUIRED                  0x00000200
4685 #define DS_KDC_REQUIRED                 0x00000400
4686 #define DS_TIMESERV_REQUIRED            0x00000800
4687 #define DS_WRITABLE_REQUIRED            0x00001000
4688 #define DS_GOOD_TIMESERV_PREFERRED      0x00002000
4689 #define DS_AVOID_SELF                   0x00004000
4690 #define DS_ONLY_LDAP_NEEDED             0x00008000
4691 #define DS_IS_FLAT_NAME                 0x00010000
4692 #define DS_IS_DNS_NAME                  0x00020000
4693 #define DS_RETURN_DNS_NAME              0x40000000
4694 #define DS_RETURN_FLAT_NAME             0x80000000
4695 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4696         "FORCE REDISCOVERY of any cached data",
4697         "You may return cached data"
4698 };
4699 static const true_false_string get_dcname_request_flags_directory_service_required = {
4700         "DIRECRTORY SERVICE is REQUIRED on the server",
4701         "We do NOT require directory service servers"
4702 };
4703 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4704         "DIRECTORY SERVICE servers are PREFERRED",
4705         "We do NOT have a preference for directory service servers"
4706 };
4707 static const true_false_string get_dcname_request_flags_gc_server_required = {
4708         "GC SERVER is REQUIRED",
4709         "gc server is NOT required"
4710 };
4711 static const true_false_string get_dcname_request_flags_pdc_required = {
4712         "PDC SERVER is REQUIRED",
4713         "pdc server is NOT required"
4714 };
4715 static const true_false_string get_dcname_request_flags_background_only = {
4716         "Only return cached data, even if it has expired",
4717         "Return cached data unless it has expired"
4718 };
4719 static const true_false_string get_dcname_request_flags_ip_required = {
4720         "IP address is REQUIRED",
4721         "ip address is NOT required"
4722 };
4723 static const true_false_string get_dcname_request_flags_kdc_required = {
4724         "KDC server is REQUIRED",
4725         "kdc server is NOT required"
4726 };
4727 static const true_false_string get_dcname_request_flags_timeserv_required = {
4728         "TIMESERV service is REQUIRED",
4729         "timeserv service is NOT required"
4730 };
4731 static const true_false_string get_dcname_request_flags_writable_required = {
4732         "the requrned dc MUST be WRITEABLE",
4733         "a read-only dc may be returned"
4734 };
4735 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4736         "GOOD TIMESERV servers are PREFERRED",
4737         "we do NOT have a preference for good timeserv servers"
4738 };
4739 static const true_false_string get_dcname_request_flags_avoid_self = {
4740         "do NOT return self as dc, return someone else",
4741         "you may return yourSELF as the dc"
4742 };
4743 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4744         "we ONLY NEED LDAP, you dont have to return a dc",
4745         "we need a normal dc, an ldap only server will not do"
4746 };
4747 static const true_false_string get_dcname_request_flags_is_flat_name = {
4748         "the name we specify is a NetBIOS name",
4749         "the name we specify is NOT a NetBIOS name"
4750 };
4751 static const true_false_string get_dcname_request_flags_is_dns_name = {
4752         "the name we specify is a DNS name",
4753         "ther name we specify is NOT a dns name"
4754 };
4755 static const true_false_string get_dcname_request_flags_return_dns_name = {
4756         "return a DNS name",
4757         "you may return a NON-dns name"
4758 };
4759 static const true_false_string get_dcname_request_flags_return_flat_name = {
4760         "return a NetBIOS name",
4761         "you may return a NON-NetBIOS name"
4762 };
4763 static int
4764 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4765         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4766 {
4767         guint32 mask;
4768         proto_item *item = NULL;
4769         proto_tree *tree = NULL;
4770         dcerpc_info *di;
4771
4772         di=pinfo->private_data;
4773         if(di->conformant_run){
4774                 /*just a run to handle conformant arrays, nothing to dissect */
4775                 return offset;
4776         }
4777
4778         offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4779                         hf_netlogon_get_dcname_request_flags, &mask);
4780
4781         if(parent_tree){
4782                 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4783                         tvb, offset-4, 4, mask);
4784                 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4785         }
4786
4787         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4788                 tvb, offset-4, 4, mask);
4789         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4790                 tvb, offset-4, 4, mask);
4791         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4792                 tvb, offset-4, 4, mask);
4793         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4794                 tvb, offset-4, 4, mask);
4795         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4796                 tvb, offset-4, 4, mask);
4797         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4798                 tvb, offset-4, 4, mask);
4799         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4800                 tvb, offset-4, 4, mask);
4801         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4802                 tvb, offset-4, 4, mask);
4803         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4804                 tvb, offset-4, 4, mask);
4805         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4806                 tvb, offset-4, 4, mask);
4807         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4808                 tvb, offset-4, 4, mask);
4809         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4810                 tvb, offset-4, 4, mask);
4811         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4812                 tvb, offset-4, 4, mask);
4813         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4814                 tvb, offset-4, 4, mask);
4815         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4816                 tvb, offset-4, 4, mask);
4817         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4818                 tvb, offset-4, 4, mask);
4819         proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4820                 tvb, offset-4, 4, mask);
4821         
4822         return offset;
4823 }
4824
4825
4826
4827 #define DS_PDC_FLAG             0x00000001
4828 #define DS_GC_FLAG              0x00000004
4829 #define DS_LDAP_FLAG            0x00000008
4830 #define DS_DS_FLAG              0x00000010
4831 #define DS_KDC_FLAG             0x00000020
4832 #define DS_TIMESERV_FLAG        0x00000040
4833 #define DS_CLOSEST_FLAG         0x00000080
4834 #define DS_WRITABLE_FLAG        0x00000100
4835 #define DS_GOOD_TIMESERV_FLAG   0x00000200
4836 #define DS_NDNC_FLAG            0x00000400
4837 #define DS_DNS_CONTROLLER_FLAG  0x20000000
4838 #define DS_DNS_DOMAIN_FLAG      0x40000000
4839 #define DS_DNS_FOREST_FLAG      0x80000000
4840 static const true_false_string dc_flags_pdc_flag = {
4841         "this is the PDC of the domain",
4842         "this is NOT the pdc of the domain"
4843 };
4844 static const true_false_string dc_flags_gc_flag = {
4845         "this is the GC of the forest",
4846         "this is NOT the gc of the forest"
4847 };
4848 static const true_false_string dc_flags_ldap_flag = {
4849         "this is an LDAP server",
4850         "this is NOT an ldap server"
4851 };
4852 static const true_false_string dc_flags_ds_flag = {
4853         "this is a DS server",
4854         "this is NOT a ds server"
4855 };
4856 static const true_false_string dc_flags_kdc_flag = {
4857         "this is a KDC server",
4858         "this is NOT a kdc server"
4859 };
4860 static const true_false_string dc_flags_timeserv_flag = {
4861         "this is a TIMESERV server",
4862         "this is NOT a timeserv server"
4863 };
4864 static const true_false_string dc_flags_closest_flag = {
4865         "this is the CLOSEST server",
4866         "this is NOT the closest server"
4867 };
4868 static const true_false_string dc_flags_writable_flag = {
4869         "this server has a WRITABLE ds database",
4870         "this server has a READ-ONLY ds database"
4871 };
4872 static const true_false_string dc_flags_good_timeserv_flag = {
4873         "this server is a GOOD TIMESERV server",
4874         "this is NOT a good timeserv server"
4875 };
4876 static const true_false_string dc_flags_ndnc_flag = {
4877         "NDNC is set",
4878         "ndnc is NOT set"
4879 };
4880 static const true_false_string dc_flags_dns_controller_flag = {
4881         "DomainControllerName is a DNS name",
4882         "DomainControllerName is NOT a dns name"
4883 };
4884 static const true_false_string dc_flags_dns_domain_flag = {
4885         "DomainName is a DNS name",
4886         "DomainName is NOT a dns name"
4887 };
4888 static const true_false_string dc_flags_dns_forest_flag = {
4889         "DnsForestName is a DNS name",
4890         "DnsForestName is NOT a dns name"
4891 };
4892 static int
4893 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4894         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4895 {
4896         guint32 mask;
4897         proto_item *item = NULL;
4898         proto_tree *tree = NULL;
4899         dcerpc_info *di;
4900
4901         di=pinfo->private_data;
4902         if(di->conformant_run){
4903                 /*just a run to handle conformant arrays, nothing to dissect */
4904                 return offset;
4905         }
4906
4907         offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4908                         hf_netlogon_dc_flags, &mask);
4909
4910         if(parent_tree){
4911                 item = proto_tree_add_uint_format_value(parent_tree, hf_netlogon_dc_flags,
4912                                 tvb, offset-4, 4, mask, "0x%08x%s", mask, (mask==0x0000ffff)?"  PING (mask==0x0000ffff)":"");
4913                 tree = proto_item_add_subtree(item, ett_dc_flags);
4914         }
4915
4916         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4917                 tvb, offset-4, 4, mask);
4918         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4919                 tvb, offset-4, 4, mask);
4920         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4921                 tvb, offset-4, 4, mask);
4922         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4923                 tvb, offset-4, 4, mask);
4924         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4925                 tvb, offset-4, 4, mask);
4926         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4927                 tvb, offset-4, 4, mask);
4928         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4929                 tvb, offset-4, 4, mask);
4930         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4931                 tvb, offset-4, 4, mask);
4932         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4933                 tvb, offset-4, 4, mask);
4934         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4935                 tvb, offset-4, 4, mask);
4936         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4937                 tvb, offset-4, 4, mask);
4938         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4939                 tvb, offset-4, 4, mask);
4940         proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4941                 tvb, offset-4, 4, mask);
4942
4943         return offset;
4944 }
4945
4946
4947
4948 static int
4949 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4950                              packet_info *pinfo, proto_tree *tree,
4951                              guint8 *drep)
4952 {
4953         dcerpc_info *di;
4954
4955         di=pinfo->private_data;
4956         offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4957                                      di->hf_index, NULL);
4958         return offset;
4959 }
4960
4961 static int
4962 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4963                              packet_info *pinfo, proto_tree *tree,
4964                              guint8 *drep)
4965 {
4966         dcerpc_info *di;
4967
4968         di=pinfo->private_data;
4969         offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4970                                      di->hf_index, NULL);
4971         return offset;
4972 }
4973
4974 static int
4975 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4976                         packet_info *pinfo, proto_tree *tree,
4977                         guint8 *drep)
4978 {
4979                 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4980                         hf_netlogon_unknown_char, NULL);
4981
4982         return offset;
4983 }
4984
4985 static int
4986 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4987                         packet_info *pinfo, proto_tree *tree,
4988                         guint8 *drep)
4989 {
4990         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4991                 netlogon_dissect_UNICODE_MULTI_byte);
4992
4993         return offset;
4994 }
4995
4996 static int
4997 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4998                         packet_info *pinfo, proto_tree *parent_tree,
4999                         guint8 *drep)
5000 {
5001         proto_item *item=NULL;
5002         proto_tree *tree=NULL;
5003         int old_offset=offset;
5004
5005         if(parent_tree){
5006                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5007                         "UNICODE_MULTI:");
5008                 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
5009         }
5010
5011         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5012                 hf_netlogon_len, NULL);
5013
5014         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5015                 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
5016                 "unknown", hf_netlogon_unknown_string);
5017
5018         proto_item_set_len(item, offset-old_offset);
5019         return offset;
5020 }
5021
5022 static int
5023 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
5024                         packet_info *pinfo, proto_tree *parent_tree,
5025                         guint8 *drep)
5026 {
5027         proto_item *item=NULL;
5028         proto_tree *tree=NULL;
5029         int old_offset=offset;
5030
5031         if(parent_tree){
5032                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5033                         "DOMAIN_CONTROLLER_INFO:");
5034                 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
5035         }
5036
5037         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5038                 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
5039
5040         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5041                 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
5042
5043         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5044                 hf_netlogon_dc_address_type, NULL);
5045
5046         offset = dissect_nt_GUID(tvb, offset,
5047                 pinfo, tree, drep);
5048
5049         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5050                 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
5051
5052         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5053                 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
5054
5055         offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
5056
5057         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5058                 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
5059
5060         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5061                 NDR_POINTER_UNIQUE, "Client Site", 
5062                 hf_netlogon_client_site_name, 0);
5063
5064         proto_item_set_len(item, offset-old_offset);
5065         return offset;
5066 }
5067
5068 static int
5069 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
5070                         packet_info *pinfo, proto_tree *tree,
5071                         guint8 *drep)
5072 {
5073         guint32 len;
5074         dcerpc_info *di;
5075
5076         di=pinfo->private_data;
5077         if(di->conformant_run){
5078                 /*just a run to handle conformant arrays, nothing to dissect.*/
5079                 return offset;
5080         }
5081
5082         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5083                 hf_netlogon_blob_size, &len);
5084
5085         proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
5086                 FALSE);
5087         offset += len;
5088
5089         return offset;
5090 }
5091
5092 static int
5093 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
5094                         packet_info *pinfo, proto_tree *parent_tree,
5095                         guint8 *drep)
5096 {
5097         proto_item *item=NULL;
5098         proto_tree *tree=NULL;
5099
5100         if(parent_tree){
5101                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5102                         "BLOB:");
5103                 tree = proto_item_add_subtree(item, ett_BLOB);
5104         }
5105
5106         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5107                 hf_netlogon_blob_size, NULL);
5108
5109         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5110                 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
5111                 "BLOB:", -1);
5112
5113         return offset;
5114 }
5115
5116 static int
5117 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
5118                         packet_info *pinfo, proto_tree *parent_tree,
5119                         guint8 *drep)
5120 {
5121         proto_item *item=NULL;
5122         proto_tree *tree=NULL;
5123         int old_offset=offset;
5124
5125         if(parent_tree){
5126                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5127                         "DOMAIN_TRUST_INFO:");
5128                 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
5129         }
5130
5131
5132         offset = lsa_dissect_DnsDomainInfo(tvb, offset, pinfo, tree, drep, 0, 0);
5133
5134         /* Guesses at best. */
5135         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5136                 hf_netlogon_unknown_string, 0);
5137
5138         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5139                 hf_netlogon_unknown_string, 0);
5140
5141         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5142                 hf_netlogon_unknown_string, 0);
5143
5144         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5145                 hf_netlogon_unknown_string, 0);
5146
5147         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5148                 hf_netlogon_unknown_long, NULL);
5149
5150         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5151                 hf_netlogon_unknown_long, NULL);
5152
5153         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5154                 hf_netlogon_unknown_long, NULL);
5155
5156         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5157                 hf_netlogon_unknown_long, NULL);
5158
5159         proto_item_set_len(item, offset-old_offset);
5160         return offset;
5161 }
5162
5163 static int
5164 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
5165                         packet_info *pinfo, proto_tree *tree,
5166                         guint8 *drep)
5167 {
5168         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5169                 netlogon_dissect_DOMAIN_TRUST_INFO);
5170
5171         return offset;
5172 }
5173
5174 static int
5175 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
5176                         packet_info *pinfo, proto_tree *tree,
5177                         guint8 *drep)
5178 {
5179         offset = netlogon_dissect_BLOB(tvb, offset,
5180                 pinfo, tree, drep);
5181
5182         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5183                 NDR_POINTER_UNIQUE, "Workstation FQDN", 
5184                 hf_netlogon_workstation_fqdn, 0);
5185
5186         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5187                 NDR_POINTER_UNIQUE, "Workstation Site", 
5188                 hf_netlogon_workstation_site_name, 0);
5189
5190         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5191                 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5192
5193         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5194                 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5195
5196         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5197                 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5198
5199         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5200                 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5201
5202         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5203                 hf_netlogon_unknown_string, 0);
5204
5205         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5206                 hf_netlogon_workstation_os, 0);
5207
5208         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5209                 hf_netlogon_unknown_string, 0);
5210
5211         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5212                 hf_netlogon_unknown_string, 0);
5213
5214         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5215                 hf_netlogon_unknown_long, NULL);
5216
5217         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5218                 hf_netlogon_unknown_long, NULL);
5219
5220         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5221                 hf_netlogon_unknown_long, NULL);
5222
5223         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5224                 hf_netlogon_unknown_long, NULL);
5225
5226         return offset;
5227 }
5228
5229 static int
5230 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
5231                         packet_info *pinfo, proto_tree *tree,
5232                         guint8 *drep)
5233 {
5234         offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
5235
5236         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5237                 hf_netlogon_num_trusts, NULL);
5238
5239         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5240                 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5241                 "DOMAIN_TRUST_ARRAY: Trusts", -1);
5242
5243         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5244                 hf_netlogon_num_trusts, NULL);
5245
5246         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5247                 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5248                 "DOMAIN_TRUST_ARRAY:", -1);
5249  
5250         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5251                 hf_netlogon_dns_domain_name, 0);
5252
5253         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5254                 hf_netlogon_unknown_string, 0);
5255
5256         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5257                 hf_netlogon_unknown_string, 0);
5258
5259         offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5260                 hf_netlogon_unknown_string, 0);
5261
5262         /* These four integers appear to mirror the last four in the query. */
5263         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5264                 hf_netlogon_unknown_long, NULL);
5265
5266         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5267                 hf_netlogon_unknown_long, NULL);
5268
5269         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5270                 hf_netlogon_unknown_long, NULL);
5271
5272         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5273                 hf_netlogon_unknown_long, NULL);
5274
5275         return offset;
5276 }
5277
5278
5279 static int
5280 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5281                         packet_info *pinfo, proto_tree *tree,
5282                         guint8 *drep)
5283 {
5284         guint32 level;
5285
5286         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5287                 hf_netlogon_level, &level);
5288
5289         ALIGN_TO_4_BYTES;
5290         switch(level){
5291         case 1:
5292                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5293                         netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
5294                         "DOMAIN_INFO_1:", -1);
5295                 break;
5296         }
5297
5298         return offset;
5299 }
5300
5301 static int
5302 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
5303                         packet_info *pinfo, proto_tree *parent_tree,
5304                         guint8 *drep)
5305 {
5306         proto_item *item=NULL;
5307         proto_tree *tree=NULL;
5308         int old_offset=offset;
5309         int i;
5310
5311         if(parent_tree){
5312                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5313                         "UNICODE_STRING_512:");
5314                 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
5315         }
5316
5317         for(i=0;i<512;i++){
5318                 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5319                         hf_netlogon_unknown_short, NULL);
5320         }
5321
5322         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5323                 hf_netlogon_unknown_long, NULL);
5324
5325         proto_item_set_len(item, offset-old_offset);
5326         return offset;
5327 }
5328
5329 static int
5330 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
5331                         packet_info *pinfo, proto_tree *tree,
5332                         guint8 *drep)
5333 {
5334                 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5335                         hf_netlogon_unknown_char, NULL);
5336
5337         return offset;
5338 }
5339
5340 static int
5341 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
5342                         packet_info *pinfo, proto_tree *tree,
5343                         guint8 *drep)
5344 {
5345         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5346                 netlogon_dissect_element_844_byte);
5347
5348         return offset;
5349 }
5350
5351 static int
5352 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
5353                         packet_info *pinfo, proto_tree *parent_tree,
5354                         guint8 *drep)
5355 {
5356         proto_item *item=NULL;
5357         proto_tree *tree=NULL;
5358         int old_offset=offset;
5359
5360         if(parent_tree){
5361                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5362                         "TYPE_50:");
5363                 tree = proto_item_add_subtree(item, ett_TYPE_50);
5364         }
5365
5366         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5367                 hf_netlogon_unknown_long, NULL);
5368
5369         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5370                 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
5371                 "unknown", hf_netlogon_unknown_string);
5372
5373         proto_item_set_len(item, offset-old_offset);
5374         return offset;
5375 }
5376
5377 static int
5378 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
5379                         packet_info *pinfo, proto_tree *tree,
5380                         guint8 *drep)
5381 {
5382         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5383                 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
5384                 "TYPE_50 pointer: unknown_TYPE_50", -1);
5385
5386         return offset;
5387 }
5388
5389 static int
5390 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
5391         packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5392 {
5393         guint32 tmp;
5394         proto_item *item=NULL;
5395         proto_tree *tree=NULL;
5396         int old_offset=offset;
5397
5398         if(parent_tree){
5399                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5400                         "DS_DOMAIN_TRUSTS");
5401                 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
5402         }
5403
5404         /* name */
5405         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5406                 NDR_POINTER_UNIQUE, "NetBIOS Name", 
5407                 hf_netlogon_downlevel_domain_name, 0);
5408
5409         /* domain */
5410         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5411                 NDR_POINTER_UNIQUE, "DNS Domain Name", 
5412                 hf_netlogon_dns_domain_name, 0);
5413
5414         offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5415
5416         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5417                 hf_netlogon_trust_parent_index, &tmp);
5418
5419         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5420                 hf_netlogon_trust_type, &tmp);
5421
5422         offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, drep);
5423
5424         /* SID pointer */
5425         offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
5426
5427         /* GUID */
5428         offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
5429
5430         proto_item_set_len(item, offset-old_offset);
5431         return offset;
5432 }
5433
5434 static int
5435 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
5436                         packet_info *pinfo, proto_tree *tree,
5437                         guint8 *drep)
5438 {
5439         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5440                 netlogon_dissect_DS_DOMAIN_TRUSTS);
5441
5442         return offset;
5443 }
5444
5445 static int
5446 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
5447                         packet_info *pinfo, proto_tree *tree,
5448                         guint8 *drep)
5449 {
5450                 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5451                         hf_netlogon_unknown_char, NULL);
5452
5453         return offset;
5454 }
5455
5456 static int
5457 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
5458                         packet_info *pinfo, proto_tree *tree,
5459                         guint8 *drep)
5460 {
5461         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5462                 netlogon_dissect_element_865_byte);
5463
5464         return offset;
5465 }
5466
5467 static int
5468 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
5469                         packet_info *pinfo, proto_tree *tree,
5470                         guint8 *drep)
5471 {
5472                 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5473                         hf_netlogon_unknown_char, NULL);
5474
5475         return offset;
5476 }
5477
5478 static int
5479 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
5480                         packet_info *pinfo, proto_tree *tree,
5481                         guint8 *drep)
5482 {
5483         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5484                 netlogon_dissect_element_866_byte);
5485
5486         return offset;
5487 }
5488
5489 static int
5490 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
5491                         packet_info *pinfo, proto_tree *parent_tree,
5492                         guint8 *drep)
5493 {
5494         proto_item *item=NULL;
5495         proto_tree *tree=NULL;
5496         int old_offset=offset;
5497
5498         if(parent_tree){
5499                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5500                         "TYPE_52:");
5501                 tree = proto_item_add_subtree(item, ett_TYPE_52);
5502         }
5503
5504         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5505                 hf_netlogon_unknown_long, NULL);
5506
5507         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5508                 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
5509                 "unknown", hf_netlogon_unknown_string);
5510
5511         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5512                 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
5513                 "unknown", hf_netlogon_unknown_string);
5514
5515         proto_item_set_len(item, offset-old_offset);
5516         return offset;
5517 }
5518
5519 static int
5520 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
5521                         packet_info *pinfo, proto_tree *tree,
5522                         guint8 *drep)
5523 {
5524         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5525                 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5526                 "TYPE_52 pointer: unknown_TYPE_52", -1);
5527         return offset;
5528 }
5529
5530
5531 static int
5532 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5533                         packet_info *pinfo, proto_tree *parent_tree,
5534                         guint8 *drep)
5535 {
5536         proto_item *item=NULL;
5537         proto_tree *tree=NULL;
5538         int old_offset=offset;
5539         guint32 level;
5540
5541         if(parent_tree){
5542                 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5543                         "TYPE_44:");
5544                 tree = proto_item_add_subtree(item, ett_TYPE_44);
5545         }
5546
5547         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5548                 hf_netlogon_level, &level);
5549
5550         ALIGN_TO_4_BYTES;
5551         switch(level){
5552         case 1:
5553                 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5554                         hf_netlogon_unknown_long, NULL);
5555                 break;
5556         }
5557
5558         proto_item_set_len(item, offset-old_offset);
5559         return offset;
5560 }
5561
5562 static int
5563 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5564                         packet_info *pinfo, proto_tree *tree,
5565                         guint8 *drep)
5566 {
5567         guint32 level;
5568
5569         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5570                 hf_netlogon_level, &level);
5571
5572         ALIGN_TO_4_BYTES;
5573         switch(level){
5574         case 1:
5575                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5576                         netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5577                         "DOMAIN_QUERY_1:", -1);
5578                 break;
5579         case 2:
5580                 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5581                         netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5582                         "DOMAIN_QUERY_1:", -1);
5583                 break;
5584         }
5585
5586         return offset;
5587 }
5588
5589 static int
5590 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5591         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5592 {
5593         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5594                 pinfo, tree, drep);
5595
5596         return offset;
5597 }
5598
5599
5600 static int
5601 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5602         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5603 {
5604         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5605                 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5606                 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5607
5608         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5609                                   hf_netlogon_dos_rc, NULL);
5610
5611         return offset;
5612 }
5613
5614 static int
5615 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5616         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5617 {
5618         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5619                 pinfo, tree, drep);
5620
5621         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5622                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5623
5624         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5625                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5626                 "GUID pointer: domain_guid", -1);
5627
5628         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5629                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5630                 "GUID pointer: site_guid", -1);
5631
5632         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5633                 hf_netlogon_flags, NULL);
5634
5635         return offset;
5636 }
5637
5638
5639 static int
5640 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5641         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5642 {
5643         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5644                 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5645                 "DOMAIN_CONTROLLER_INFO:", -1);
5646
5647         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5648                                   hf_netlogon_dos_rc, NULL);
5649
5650         return offset;
5651 }
5652
5653 static int
5654 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
5655         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5656 {
5657         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5658                 pinfo, tree, drep);
5659
5660         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5661                 NDR_POINTER_UNIQUE, "unknown string", 
5662                 hf_netlogon_unknown_string, 0);
5663
5664         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5665                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5666                 "AUTHENTICATOR: credential", -1);
5667
5668         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5669                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5670                 "AUTHENTICATOR: return_authenticator", -1);
5671
5672         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5673                 hf_netlogon_unknown_long, NULL);
5674
5675         return offset;
5676 }
5677
5678
5679 static int
5680 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
5681         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5682 {
5683         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5684                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5685                 "AUTHENTICATOR: return_authenticator", -1);
5686
5687         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5688                 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5689                 "TYPE_44 pointer: unknown_TYPE_44", -1);
5690
5691         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5692                                   hf_netlogon_rc, NULL);
5693
5694         return offset;
5695 }
5696
5697 static int
5698 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
5699         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5700 {
5701         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5702                 pinfo, tree, drep);
5703
5704         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5705                 hf_netlogon_unknown_long, NULL);
5706
5707         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5708                 hf_netlogon_unknown_long, NULL);
5709
5710         return offset;
5711 }
5712
5713
5714 static int
5715 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
5716         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5717 {
5718         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5719                                   hf_netlogon_rc, NULL);
5720
5721         return offset;
5722 }
5723
5724
5725 static int
5726 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
5727         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5728 {
5729         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5730                 pinfo, tree, drep);
5731
5732         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5733                 NDR_POINTER_UNIQUE, "unknown string", 
5734                 hf_netlogon_unknown_string, 0);
5735
5736         return offset;
5737 }
5738
5739
5740 static int
5741 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
5742         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5743 {
5744         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5745                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5746                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5747
5748         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5749                                   hf_netlogon_rc, NULL);
5750
5751         return offset;
5752 }
5753
5754
5755 static int
5756 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
5757         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5758 {
5759         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5760                 pinfo, tree, drep);
5761
5762         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5763                 hf_netlogon_unknown_long, NULL);
5764
5765         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5766                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5767                 "BYTE pointer: unknown_BYTE", -1);
5768
5769         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5770                 hf_netlogon_unknown_long, NULL);
5771
5772         return offset;
5773 }
5774
5775 static int
5776 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5777         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5778 {
5779         int i;
5780
5781         for(i=0;i<16;i++){
5782                 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5783                         hf_netlogon_unknown_char, NULL);
5784         }
5785
5786         return offset;
5787 }
5788
5789 static int
5790 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
5791         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5792 {
5793         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5794                 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5795                 "BYTE pointer: unknown_BYTE", -1);
5796
5797         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5798                                   hf_netlogon_rc, NULL);
5799
5800         return offset;
5801 }
5802
5803 static int
5804 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
5805         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5806 {
5807         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5808                 pinfo, tree, drep);
5809
5810         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5811                 NDR_POINTER_UNIQUE, "unknown string", 
5812                 hf_netlogon_unknown_string, 0);
5813
5814         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5815                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5816                 "BYTE pointer: unknown_BYTE", -1);
5817
5818         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5819                 hf_netlogon_unknown_long, NULL);
5820
5821         return offset;
5822 }
5823
5824
5825 static int
5826 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
5827         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5828 {
5829         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5830                 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5831                 "BYTE pointer: unknown_BYTE", -1);
5832
5833         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5834                                   hf_netlogon_rc, NULL);
5835
5836         return offset;
5837 }
5838
5839 static int
5840 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5841         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5842 {
5843         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5844                 pinfo, tree, drep);
5845
5846         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5847                 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5848
5849         offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5850                 pinfo, tree, drep);
5851
5852         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5853                 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5854
5855         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5856                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5857                 "CREDENTIAL: authenticator", -1);
5858
5859         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5860                 hf_netlogon_neg_flags, NULL);
5861
5862         return offset;
5863 }
5864
5865
5866 static int
5867 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5868         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5869 {
5870         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5871                 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5872                 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5873
5874         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5875                 hf_netlogon_neg_flags, NULL);
5876
5877         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5878                 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5879                 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5880
5881         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5882                                   hf_netlogon_rc, NULL);
5883
5884         return offset;
5885 }
5886
5887 static int
5888 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
5889         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5890 {
5891         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5892                 pinfo, tree, drep);
5893
5894         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5895                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5896
5897         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5898                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5899                 "GUID pointer: domain_guid", -1);
5900
5901         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5902                 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5903
5904         offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
5905
5906         return offset;
5907 }
5908
5909
5910 static int
5911 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
5912         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5913 {
5914         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5915                 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5916                 "DOMAIN_CONTROLLER_INFO:", -1);
5917
5918         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5919                                   hf_netlogon_rc, NULL);
5920
5921         return offset;
5922 }
5923
5924 static int
5925 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5926         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5927 {
5928         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5929                 pinfo, tree, drep);
5930
5931         return offset;
5932 }
5933
5934
5935 static int
5936 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5937         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5938 {
5939
5940         /* XXX hmmm this does not really look like a UNIQUE pointer but
5941            will do for now.   I think it is really a 32bit integer followed by
5942            a REF pointer to a unicode string */
5943         offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
5944                 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name", 
5945                 hf_netlogon_site_name, cb_wstr_postprocess, 
5946                 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
5947
5948         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5949                                   hf_netlogon_dos_rc, NULL);
5950
5951         return offset;
5952 }
5953
5954 static int
5955 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5956         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5957 {
5958        /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5959        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5960                NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5961
5962         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5963                 NDR_POINTER_UNIQUE, "Computer Name", 
5964                 hf_netlogon_computer_name, 0);
5965
5966         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5967                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5968                 "AUTHENTICATOR: credential", -1);
5969
5970         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5971                 hf_netlogon_unknown_long, NULL);
5972
5973         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5974                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5975                 "AUTHENTICATOR: return_authenticator", -1);
5976
5977         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5978                 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5979                 "DOMAIN_QUERY: ", -1);
5980
5981         return offset;
5982 }
5983
5984
5985 static int
5986 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5987         packet_info *pinfo, proto_tree *tree, guint8 *drep)
5988 {
5989         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5990                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5991                 "AUTHENTICATOR: return_authenticator", -1);
5992
5993         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5994                 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5995                 "DOMAIN_INFO: ", -1);
5996
5997         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5998                                   hf_netlogon_rc, NULL);
5999
6000         return offset;
6001 }
6002
6003 static int
6004 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
6005         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6006 {
6007         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6008                 pinfo, tree, drep);
6009
6010         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6011                 NDR_POINTER_UNIQUE, "unknown string", 
6012                 hf_netlogon_unknown_string, 0);
6013
6014         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6015                 hf_netlogon_unknown_short, NULL);
6016
6017         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6018                 NDR_POINTER_UNIQUE, "unknown string", 
6019                 hf_netlogon_unknown_string, 0);
6020
6021         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6022                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6023                 "AUTHENTICATOR: credential", -1);
6024
6025         offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
6026                 pinfo, tree, drep);
6027
6028         return offset;
6029 }
6030
6031
6032 static int
6033 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
6034         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6035 {
6036         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6037                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6038                 "AUTHENTICATOR: return_authenticator", -1);
6039
6040         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6041                                   hf_netlogon_rc, NULL);
6042
6043         return offset;
6044 }
6045
6046 static int
6047 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
6048         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6049 {
6050         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6051                 pinfo, tree, drep);
6052
6053         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6054                 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
6055
6056         offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
6057                 pinfo, tree, drep);
6058
6059         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6060                 NDR_POINTER_UNIQUE, "Computer Name", 
6061                 hf_netlogon_computer_name, 0);
6062
6063         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6064                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6065                 "AUTHENTICATOR: credential", -1);
6066
6067         return offset;
6068 }
6069
6070
6071 static int
6072 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
6073         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6074 {
6075         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6076                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6077                 "AUTHENTICATOR: return_authenticator", -1);
6078
6079         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6080                 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
6081                 "LM_OWF_PASSWORD pointer: server_pwd", -1);
6082
6083         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6084                                   hf_netlogon_rc, NULL);
6085
6086         return offset;
6087 }
6088
6089 static int
6090 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
6091         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6092 {
6093         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6094                 pinfo, tree, drep);
6095
6096         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6097                 NDR_POINTER_UNIQUE, "unknown string", 
6098                 hf_netlogon_unknown_string, 0);
6099
6100         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6101                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6102                 "AUTHENTICATOR: credential", -1);
6103
6104         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6105                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6106                 "BYTE pointer: unknown_BYTE", -1);
6107
6108         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6109                 hf_netlogon_unknown_long, NULL);
6110
6111         return offset;
6112 }
6113
6114
6115 static int
6116 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
6117         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6118 {
6119         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6120                 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6121                 "AUTHENTICATOR: return_authenticator", -1);
6122
6123         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6124                                   hf_netlogon_rc, NULL);
6125
6126         return offset;
6127 }
6128
6129 static int
6130 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
6131         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6132 {
6133         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6134                 pinfo, tree, drep);
6135
6136         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6137                 hf_netlogon_unknown_long, NULL);
6138
6139         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6140                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6141                 "BYTE pointer: unknown_BYTE", -1);
6142
6143         return offset;
6144 }
6145
6146
6147 static int
6148 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
6149         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6150 {
6151         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6152                 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
6153                 "TYPE_50** pointer: unknown_TYPE_50", -1);
6154
6155         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6156                                   hf_netlogon_rc, NULL);
6157
6158         return offset;
6159 }
6160
6161 static int
6162 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
6163         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6164 {
6165         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6166                 pinfo, tree, drep);
6167
6168         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6169                 NDR_POINTER_UNIQUE, "Client Account", 
6170                 hf_netlogon_acct_name, 0);
6171
6172         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6173                 hf_netlogon_unknown_long, NULL);
6174
6175         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6176                 NDR_POINTER_UNIQUE, "Client Account", 
6177                 hf_netlogon_logon_dom, 0);
6178
6179         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6180                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6181                 "Domain GUID:", -1);
6182
6183         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6184                 NDR_POINTER_UNIQUE, "Client Site", 
6185                 hf_netlogon_site_name, 0);
6186
6187         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6188                 hf_netlogon_unknown_long, NULL);
6189
6190         return offset;
6191 }
6192
6193
6194 static int
6195 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
6196         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6197 {
6198         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6199                 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6200                 "DOMAIN_CONTROLLER_INFO:", -1);
6201
6202         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6203                                   hf_netlogon_dos_rc, NULL);
6204
6205         return offset;
6206 }
6207
6208 static int
6209 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
6210         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6211 {
6212         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6213                 pinfo, tree, drep);
6214
6215         return offset;
6216 }
6217
6218
6219 static int
6220 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
6221         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6222 {
6223         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6224                 NDR_POINTER_UNIQUE, "unknown string", 
6225                 hf_netlogon_unknown_string, 0);
6226
6227         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6228                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6229                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6230
6231         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6232                                   hf_netlogon_rc, NULL);
6233
6234         return offset;
6235 }
6236
6237 static int
6238 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
6239         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6240 {
6241         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6242                 pinfo, tree, drep);
6243
6244         return offset;
6245 }
6246
6247 static int
6248 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
6249         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6250 {
6251         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6252                 hf_netlogon_entries, NULL);
6253
6254         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6255                 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
6256                 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
6257
6258         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6259                                   hf_netlogon_rc, NULL);
6260
6261         return offset;
6262 }
6263
6264 static int
6265 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
6266         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6267 {
6268         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6269                 pinfo, tree, drep);
6270
6271         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6272                 hf_netlogon_unknown_long, NULL);
6273
6274         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6275                 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6276                 "BYTE pointer: unknown_BYTE", -1);
6277
6278         return offset;
6279 }
6280
6281
6282 static int
6283 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
6284         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6285 {
6286         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6287                 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
6288                 "TYPE_52 pointer: unknown_TYPE_52", -1);
6289
6290         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6291                                   hf_netlogon_rc, NULL);
6292
6293         return offset;
6294 }
6295
6296
6297 static int
6298 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
6299         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6300 {
6301         offset = dissect_ndr_counted_string_cb(
6302                 tvb, offset, pinfo, tree, drep, hf_netlogon_site_name,
6303                 cb_wstr_postprocess, 
6304                 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
6305
6306         return offset;
6307 }
6308 static int
6309 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
6310         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6311 {
6312         offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
6313                 netlogon_dissect_site_name_item);
6314
6315         return offset;
6316 }
6317
6318 static int
6319 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
6320         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6321 {
6322         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6323                 hf_netlogon_count, NULL);
6324
6325         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6326                 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
6327                 "Site name array", -1);
6328
6329         return offset;
6330 }
6331
6332 static int
6333 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
6334         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6335 {
6336         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6337                 pinfo, tree, drep);
6338
6339         return offset;
6340 }
6341
6342
6343 static int
6344 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
6345         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6346 {
6347         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6348                 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
6349                 "Site names", -1);
6350
6351         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6352                                   hf_netlogon_rc, NULL);
6353
6354         return offset;
6355 }
6356
6357 static int
6358 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
6359         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6360 {
6361         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6362                 NDR_POINTER_UNIQUE, "unknown string", 
6363                 hf_netlogon_unknown_string, 0);
6364
6365         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6366                 NDR_POINTER_UNIQUE, "unknown string", 
6367                 hf_netlogon_unknown_string, 0);
6368
6369         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6370                 hf_netlogon_unknown_short, NULL);
6371
6372         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6373                 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
6374                 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
6375
6376         offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6377                 hf_netlogon_unknown_short, NULL);
6378
6379         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6380                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6381                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6382         return offset;
6383 }
6384
6385
6386 static int
6387 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
6388         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6389 {
6390         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6391                 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
6392                 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
6393
6394         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6395                 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
6396                 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
6397
6398         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6399                 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6400                 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6401
6402         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6403                                   hf_netlogon_rc, NULL);
6404
6405         return offset;
6406 }
6407
6408
6409 static int
6410 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
6411         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6412 {
6413         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6414                 pinfo, tree, drep);
6415
6416         offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
6417
6418         return offset;
6419 }
6420
6421
6422 static int
6423 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
6424         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6425 {
6426         offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6427                 hf_netlogon_entries, NULL);
6428
6429         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6430                 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
6431                 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
6432
6433         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6434                                   hf_netlogon_dos_rc, NULL);
6435
6436         return offset;
6437 }
6438
6439 static int
6440 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
6441         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6442 {
6443         offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6444                 pinfo, tree, drep);
6445
6446         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6447                 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6448
6449         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6450                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6451                 "GUID pointer: domain_guid", -1);
6452
6453         offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6454                 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6455                 "GUID pointer: dsa_guid", -1);
6456
6457         offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6458                 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
6459
6460         return offset;
6461 }
6462
6463
6464 static int
6465 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
6466         packet_info *pinfo, proto_tree *tree, guint8 *drep)
6467 {
6468         offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6469                                   hf_netlogon_rc, NULL);
6470
6471         return offset;
6472 }
6473
6474 /* Dissect secure channel stuff */
6475
6476 static int hf_netlogon_secchan_bind_unknown1 = -1;
6477 static int hf_netlogon_secchan_bind_unknown2 = -1;
6478 static int hf_netlogon_secchan_domain = -1;
6479 static int hf_netlogon_secchan_host = -1;
6480 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
6481 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
6482 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
6483
6484 static gint ett_secchan_verf = -1;
6485 static gint ett_secchan_bind_creds = -1;
6486 static gint ett_secchan_bind_ack_creds = -1;
6487
6488 static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
6489                                       packet_info *pinfo, 
6490                                       proto_tree *tree, guint8 *drep)
6491 {
6492         proto_item *item = NULL;
6493         proto_tree *subtree = NULL;
6494         int len;
6495
6496         if (tree) {
6497                 item = proto_tree_add_text(
6498                         tree, tvb, offset, -1,
6499                         "Secure Channel Bind Credentials");
6500                 subtree = proto_item_add_subtree(
6501                         item, ett_secchan_bind_creds);
6502         }
6503
6504         /* We can't use the NDR routines as the DCERPC call data hasn't
6505            been initialised since we haven't made a DCERPC call yet, just
6506            a bind request. */
6507
6508         offset = dissect_dcerpc_uint32(
6509                 tvb, offset, pinfo, subtree, drep, 
6510                 hf_netlogon_secchan_bind_unknown1, NULL);
6511
6512         offset = dissect_dcerpc_uint32(
6513                 tvb, offset, pinfo, subtree, drep, 
6514                 hf_netlogon_secchan_bind_unknown2, NULL);
6515
6516         len = tvb_strsize(tvb, offset);
6517
6518         proto_tree_add_item(
6519                 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
6520
6521         offset += len;
6522
6523         len = tvb_strsize(tvb, offset);
6524
6525         proto_tree_add_item(
6526                 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
6527
6528         offset += len;
6529
6530         return offset;
6531 }
6532
6533 static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
6534                                           packet_info *pinfo, 
6535                                           proto_tree *tree, guint8 *drep)
6536 {
6537         proto_item *item = NULL;
6538         proto_tree *subtree = NULL;
6539
6540         if (tree) {
6541                 item = proto_tree_add_text(
6542                         tree, tvb, offset, -1,
6543                         "Secure Channel Bind ACK Credentials");
6544                 subtree = proto_item_add_subtree(
6545                         item, ett_secchan_bind_ack_creds);
6546         }
6547
6548         /* Don't use NDR routines here */
6549
6550         offset = dissect_dcerpc_uint32(
6551                 tvb, offset, pinfo, subtree, drep, 
6552                 hf_netlogon_secchan_bind_ack_unknown1, NULL);
6553
6554         offset = dissect_dcerpc_uint32(
6555                 tvb, offset, pinfo, subtree, drep, 
6556                 hf_netlogon_secchan_bind_ack_unknown2, NULL);
6557
6558         offset = dissect_dcerpc_uint32(
6559                 tvb, offset, pinfo, subtree, drep, 
6560                 hf_netlogon_secchan_bind_ack_unknown3, NULL);
6561
6562         return offset;
6563 }
6564
6565 /* Subdissectors */
6566
6567 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
6568         { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
6569                 netlogon_dissect_netrlogonuaslogon_rqst,
6570                 netlogon_dissect_netrlogonuaslogon_reply },
6571         { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
6572                 netlogon_dissect_netrlogonuaslogoff_rqst,
6573                 netlogon_dissect_netrlogonuaslogoff_reply },
6574         { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
6575                 netlogon_dissect_netrlogonsamlogon_rqst,
6576                 netlogon_dissect_netrlogonsamlogon_reply },
6577         { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
6578                 netlogon_dissect_netrlogonsamlogoff_rqst,
6579                 netlogon_dissect_netrlogonsamlogoff_reply },
6580         { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
6581                 netlogon_dissect_netrserverreqchallenge_rqst,
6582                 netlogon_dissect_netrserverreqchallenge_reply },
6583         { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
6584                 netlogon_dissect_netrserverauthenticate_rqst,
6585                 netlogon_dissect_netrserverauthenticate_reply },
6586         { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
6587                 netlogon_dissect_netrserverpasswordset_rqst,
6588                 netlogon_dissect_netrserverpasswordset_reply },
6589         { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
6590                 netlogon_dissect_netrdatabasedeltas_rqst,
6591                 netlogon_dissect_netrdatabasedeltas_reply },
6592         { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
6593                 netlogon_dissect_netrdatabasesync_rqst,
6594                 netlogon_dissect_netrdatabasesync_reply },
6595         { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
6596                 netlogon_dissect_netraccountdeltas_rqst,
6597                 netlogon_dissect_netraccountdeltas_reply },
6598         { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
6599                 netlogon_dissect_netraccountsync_rqst,
6600                 netlogon_dissect_netraccountsync_reply },
6601         { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
6602                 netlogon_dissect_netrgetdcname_rqst,
6603                 netlogon_dissect_netrgetdcname_reply },
6604         { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
6605                 netlogon_dissect_netrlogoncontrol_rqst,
6606                 netlogon_dissect_netrlogoncontrol_reply },
6607         { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
6608                 netlogon_dissect_netrgetanydcname_rqst,
6609                 netlogon_dissect_netrgetanydcname_reply },
6610         { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
6611                 netlogon_dissect_netrlogoncontrol2_rqst,
6612                 netlogon_dissect_netrlogoncontrol2_reply },
6613         { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
6614                 netlogon_dissect_netrserverauthenticate2_rqst,
6615                 netlogon_dissect_netrserverauthenticate2_reply },
6616         { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
6617                 netlogon_dissect_netrdatabasesync2_rqst,
6618                 netlogon_dissect_netrdatabasesync2_reply },
6619         { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
6620                 netlogon_dissect_netrdatabaseredo_rqst,
6621                 netlogon_dissect_netrdatabaseredo_reply },
6622         { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
6623                 netlogon_dissect_netrlogoncontrol2ex_rqst,
6624                 netlogon_dissect_netrlogoncontrol2ex_reply },
6625         { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
6626                 netlogon_dissect_netrenumeratetrusteddomains_rqst,
6627                 netlogon_dissect_netrenumeratetrusteddomains_reply },
6628         { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
6629                 netlogon_dissect_dsrgetdcname_rqst,
6630                 netlogon_dissect_dsrgetdcname_reply },
6631         { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
6632                 netlogon_dissect_netrlogondummyroutine1_rqst,
6633                 netlogon_dissect_netrlogondummyroutine1_reply },
6634         { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
6635                 netlogon_dissect_netrlogonsetservicebits_rqst,
6636                 netlogon_dissect_netrlogonsetservicebits_reply },
6637         { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
6638                 netlogon_dissect_netrlogongettrustrid_rqst,
6639                 netlogon_dissect_netrlogongettrustrid_reply },
6640         { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
6641                 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
6642                 netlogon_dissect_netrlogoncomputeserverdigest_reply },
6643         { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
6644                 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
6645                 netlogon_dissect_netrlogoncomputeclientdigest_reply },
6646         { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
6647                 netlogon_dissect_netrserverauthenticate3_rqst,
6648                 netlogon_dissect_netrserverauthenticate3_reply },
6649         { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
6650                 netlogon_dissect_dsrgetdcnameex_rqst,
6651                 netlogon_dissect_dsrgetdcnameex_reply },
6652         { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
6653                 netlogon_dissect_dsrgetsitename_rqst,
6654                 netlogon_dissect_dsrgetsitename_reply },
6655         { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6656                 netlogon_dissect_netrlogongetdomaininfo_rqst,
6657                 netlogon_dissect_netrlogongetdomaininfo_reply },
6658         { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
6659                 netlogon_dissect_netrserverpasswordset2_rqst,
6660                 netlogon_dissect_netrserverpasswordset2_reply },
6661         { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
6662                 netlogon_dissect_netrserverpasswordget_rqst,
6663                 netlogon_dissect_netrserverpasswordget_reply },
6664         { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
6665                 netlogon_dissect_netrlogonsendtosam_rqst,
6666                 netlogon_dissect_netrlogonsendtosam_reply },
6667         { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
6668                 netlogon_dissect_dsraddresstositenamesw_rqst,
6669                 netlogon_dissect_dsraddresstositenamesw_reply },
6670         { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
6671                 netlogon_dissect_dsrgetdcnameex2_rqst,
6672                 netlogon_dissect_dsrgetdcnameex2_reply },
6673         { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN, 
6674                 "NetrLogonGetTimeServiceParentDomain",
6675                 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
6676                 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
6677         { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
6678                 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
6679                 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
6680         { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
6681                 netlogon_dissect_dsraddresstositenamesexw_rqst,
6682                 netlogon_dissect_dsraddresstositenamesexw_reply },
6683         { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
6684                 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
6685                 netlogon_dissect_dsrgetdcsitecoveragew_reply },
6686         { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
6687                 netlogon_dissect_netrlogonsamlogonex_rqst,
6688                 netlogon_dissect_netrlogonsamlogonex_reply },
6689         { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
6690                 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
6691                 netlogon_dissect_dsrenumeratedomaintrusts_reply },
6692         { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
6693                 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6694                 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6695         { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
6696                 NULL, NULL },
6697         { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
6698                 NULL, NULL },
6699         { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
6700                 NULL, NULL },
6701         { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags", 
6702                 NULL, NULL },
6703         { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
6704                 NULL, NULL },
6705         {0, NULL, NULL,  NULL }
6706 };
6707
6708 static int hf_netlogon_secchan_verf = -1;
6709 static int hf_netlogon_secchan_verf_sig = -1;
6710 static int hf_netlogon_secchan_verf_digest = -1;
6711 static int hf_netlogon_secchan_verf_seq = -1;
6712 static int hf_netlogon_secchan_verf_nonce = -1;
6713
6714 static int
6715 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, 
6716                      proto_tree *tree, guint8 *drep _U_)
6717 {
6718           proto_item *vf = NULL;
6719           proto_tree *subtree = NULL;
6720           
6721           /*
6722            * Create a new tree, and split into 4 components ...
6723            */
6724           vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
6725               offset, -1, FALSE);
6726           subtree = proto_item_add_subtree(vf, ett_secchan_verf);
6727
6728           proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sig, tvb,
6729               offset, 8, FALSE);
6730           offset += 8;
6731
6732           proto_tree_add_item(subtree, hf_netlogon_secchan_verf_digest, tvb,
6733               offset, 8, FALSE);
6734           offset += 8;
6735
6736           proto_tree_add_item(subtree, hf_netlogon_secchan_verf_seq, tvb,
6737               offset, 8, FALSE);
6738           offset += 8;
6739
6740           /* In some cases the nonce isn't present although it isn't clear
6741              why this is so. */
6742
6743           if (tvb_bytes_exist(tvb, offset, 8)) {
6744                   proto_tree_add_item(subtree, hf_netlogon_secchan_verf_nonce,
6745                                       tvb, offset, 8, FALSE);
6746                   offset += 8;
6747           }
6748
6749           return offset;
6750 }
6751
6752 /* Secure channel types */
6753
6754 static const value_string sec_chan_type_vals[] = {
6755         { SEC_CHAN_WKSTA,  "Workstation" },
6756         { SEC_CHAN_DOMAIN, "Domain trust" },
6757         { SEC_CHAN_BDC,    "Backup domain controller" },
6758         { 0, NULL }
6759 };
6760
6761 void
6762 proto_register_dcerpc_netlogon(void)
6763 {
6764
6765 static hf_register_info hf[] = {
6766         { &hf_netlogon_opnum,
6767           { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6768             NULL, 0x0, "Operation", HFILL }},
6769
6770         { &hf_netlogon_rc, {
6771                 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6772                 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6773
6774         { &hf_netlogon_dos_rc,
6775             { "DOS error code", "netlogon.dos.rc", FT_UINT32,
6776               BASE_HEX, VALS(DOS_errors), 0x0, "DOS Error Code", HFILL}},
6777
6778         { &hf_netlogon_werr_rc,
6779             { "WERR error code", "netlogon.werr.rc", FT_UINT32,
6780               BASE_HEX, VALS(WERR_errors), 0x0, "WERR Error Code", HFILL}},
6781
6782         { &hf_netlogon_param_ctrl, {
6783                 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6784                 NULL, 0x0, "Param ctrl", HFILL }},
6785
6786         { &hf_netlogon_logon_id, {
6787                 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6788                 NULL, 0x0, "Logon ID", HFILL }},
6789
6790         { &hf_netlogon_modify_count, {
6791                 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6792                 NULL, 0x0, "How many times the object has been modified", HFILL }},
6793
6794         { &hf_netlogon_security_information, {
6795                 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6796                 NULL, 0x0, "Security Information", HFILL }},
6797
6798         { &hf_netlogon_count, {
6799                 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6800                 NULL, 0x0, "", HFILL }},
6801
6802         { &hf_netlogon_entries, {
6803                 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6804                 NULL, 0x0, "", HFILL }},
6805
6806         { &hf_netlogon_credential, {
6807                 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6808                 NULL, 0x0, "Netlogon Credential", HFILL }},
6809
6810         { &hf_netlogon_challenge, {
6811                 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6812                 NULL, 0x0, "Netlogon challenge", HFILL }},
6813
6814         { &hf_netlogon_lm_owf_password, {
6815                 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6816                 NULL, 0x0, "LanManager OWF Password", HFILL }},
6817
6818         { &hf_netlogon_user_session_key, {
6819                 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6820                 NULL, 0x0, "User Session Key", HFILL }},
6821
6822         { &hf_netlogon_encrypted_lm_owf_password, {
6823                 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6824                 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6825
6826         { &hf_netlogon_nt_owf_password, {
6827                 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6828                 NULL, 0x0, "NT OWF Password", HFILL }},
6829
6830         { &hf_netlogon_blob, {
6831                 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6832                 NULL, 0x0, "BLOB", HFILL }},
6833
6834         { &hf_netlogon_len, {
6835                 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6836                 NULL, 0, "Length", HFILL }},
6837
6838         { &hf_netlogon_priv, {
6839                 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6840                 NULL, 0, "", HFILL }},
6841
6842         { &hf_netlogon_privilege_entries, {
6843                 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6844                 NULL, 0, "", HFILL }},
6845
6846         { &hf_netlogon_privilege_control, {
6847                 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6848                 NULL, 0, "", HFILL }},
6849
6850         { &hf_netlogon_privilege_name, {
6851                 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6852                 NULL, 0, "", HFILL }},
6853
6854         { &hf_netlogon_pdc_connection_status, {
6855                 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6856                 NULL, 0, "PDC Connection Status", HFILL }},
6857
6858         { &hf_netlogon_tc_connection_status, {
6859                 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6860                 NULL, 0, "TC Connection Status", HFILL }},
6861
6862         { &hf_netlogon_attrs, {
6863                 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6864                 NULL, 0, "Attributes", HFILL }},
6865
6866         { &hf_netlogon_unknown_string,
6867                 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6868                 NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
6869         { &hf_netlogon_unknown_long,
6870                 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6871                 NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
6872         { &hf_netlogon_reserved,
6873                 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6874                 NULL, 0x0, "Reserved", HFILL }},
6875         { &hf_netlogon_unknown_short,
6876                 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6877                 NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
6878
6879         { &hf_netlogon_unknown_char,
6880                 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6881                 NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
6882
6883         { &hf_netlogon_acct_expiry_time,
6884                 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6885                 NULL, 0x0, "When this account will expire", HFILL }},
6886
6887         { &hf_netlogon_nt_pwd_present,
6888                 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6889                 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6890
6891         { &hf_netlogon_lm_pwd_present,
6892                 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6893                 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6894
6895         { &hf_netlogon_pwd_expired,
6896                 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6897                 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6898
6899         { &hf_netlogon_authoritative,
6900                 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6901                 NULL, 0x0, "", HFILL }},
6902
6903         { &hf_netlogon_sensitive_data_flag,
6904                 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6905                 NULL, 0x0, "Sensitive data flag", HFILL }},
6906
6907         { &hf_netlogon_auditing_mode,
6908                 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6909                 NULL, 0x0, "Auditing Mode", HFILL }},
6910
6911         { &hf_netlogon_max_audit_event_count,
6912                 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6913                 NULL, 0x0, "Max audit event count", HFILL }},
6914
6915         { &hf_netlogon_event_audit_option,
6916                 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6917                 NULL, 0x0, "Event audit option", HFILL }},
6918
6919         { &hf_netlogon_sensitive_data_len,
6920                 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6921                 NULL, 0x0, "Length of sensitive data", HFILL }},
6922
6923         { &hf_netlogon_nt_chal_resp,
6924                 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6925                 NULL, 0, "Challenge response for NT authentication", HFILL }},
6926
6927         { &hf_netlogon_lm_chal_resp,
6928                 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6929                 NULL, 0, "Challenge response for LM authentication", HFILL }},
6930
6931         { &hf_netlogon_cipher_len,
6932                 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6933                 NULL, 0, "", HFILL }},
6934
6935         { &hf_netlogon_cipher_maxlen,
6936                 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6937                 NULL, 0, "", HFILL }},
6938
6939         { &hf_netlogon_pac_data,
6940                 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6941                 NULL, 0, "Pac Data", HFILL }},
6942
6943         { &hf_netlogon_sensitive_data,
6944                 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6945                 NULL, 0, "Sensitive Data", HFILL }},
6946
6947         { &hf_netlogon_auth_data,
6948                 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6949                 NULL, 0, "Auth Data", HFILL }},
6950
6951         { &hf_netlogon_cipher_current_data,
6952                 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6953                 NULL, 0, "", HFILL }},
6954
6955         { &hf_netlogon_cipher_old_data,
6956                 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6957                 NULL, 0, "", HFILL }},
6958
6959         { &hf_netlogon_acct_name,
6960                 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6961                 NULL, 0, "Account Name", HFILL }},
6962
6963         { &hf_netlogon_acct_desc,
6964                 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6965                 NULL, 0, "Account Description", HFILL }},
6966
6967         { &hf_netlogon_group_desc,
6968                 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6969                 NULL, 0, "Group Description", HFILL }},
6970
6971         { &hf_netlogon_full_name,
6972                 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6973                 NULL, 0, "Full Name", HFILL }},
6974
6975         { &hf_netlogon_comment,
6976                 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6977                 NULL, 0, "Comment", HFILL }},
6978
6979         { &hf_netlogon_parameters,
6980                 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6981                 NULL, 0, "Parameters", HFILL }},
6982
6983         { &hf_netlogon_logon_script,
6984                 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6985                 NULL, 0, "Logon Script", HFILL }},
6986
6987         { &hf_netlogon_profile_path,
6988                 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6989                 NULL, 0, "Profile Path", HFILL }},
6990
6991         { &hf_netlogon_home_dir,
6992                 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6993                 NULL, 0, "Home Directory", HFILL }},
6994
6995         { &hf_netlogon_dir_drive,
6996                 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6997                 NULL, 0, "Drive letter for home directory", HFILL }},
6998
6999         { &hf_netlogon_logon_srv,
7000                 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
7001                 NULL, 0, "Server", HFILL }},
7002
7003         { &hf_netlogon_principal,
7004                 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
7005                 NULL, 0, "Principal", HFILL }},
7006
7007         { &hf_netlogon_logon_dom,
7008                 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
7009                 NULL, 0, "Domain", HFILL }},
7010
7011         { &hf_netlogon_resourcegroupcount,
7012                 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
7013                 NULL, 0, "Number of Resource Groups", HFILL }},
7014
7015         { &hf_netlogon_computer_name,
7016                 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
7017                 NULL, 0, "Computer Name", HFILL }},
7018
7019         { &hf_netlogon_site_name,
7020                 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
7021                 NULL, 0, "Site Name", HFILL }},
7022
7023         { &hf_netlogon_dc_name,
7024                 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
7025                 NULL, 0, "DC Name", HFILL }},
7026
7027         { &hf_netlogon_dc_site_name,
7028                 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
7029                 NULL, 0, "DC Site Name", HFILL }},
7030
7031         { &hf_netlogon_dns_forest_name,
7032                 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
7033                 NULL, 0, "DNS Forest Name", HFILL }},
7034
7035         { &hf_netlogon_dc_address,
7036                 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
7037                 NULL, 0, "DC Address", HFILL }},
7038
7039         { &hf_netlogon_dc_address_type,
7040                 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
7041                 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
7042
7043         { &hf_netlogon_client_site_name,
7044                 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
7045                 NULL, 0, "Client Site Name", HFILL }},
7046
7047         { &hf_netlogon_workstation_site_name,
7048                 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
7049                 NULL, 0, "Workstation Site Name", HFILL }},
7050
7051         { &hf_netlogon_workstation,
7052                 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
7053                 NULL, 0, "Workstation Name", HFILL }},
7054
7055         { &hf_netlogon_workstation_os,
7056                 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
7057                 NULL, 0, "Workstation OS", HFILL }},
7058
7059         { &hf_netlogon_workstations,
7060                 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
7061                 NULL, 0, "Workstations", HFILL }},
7062
7063         { &hf_netlogon_workstation_fqdn,
7064                 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
7065                 NULL, 0, "Workstation FQDN", HFILL }},
7066
7067         { &hf_netlogon_group_name,
7068                 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
7069                 NULL, 0, "Group Name", HFILL }},
7070
7071         { &hf_netlogon_alias_name,
7072                 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
7073                 NULL, 0, "Alias Name", HFILL }},
7074
7075         { &hf_netlogon_dns_host,
7076                 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
7077                 NULL, 0, "DNS Host", HFILL }},
7078
7079         { &hf_netlogon_downlevel_domain_name,
7080                 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
7081                 NULL, 0, "Downlevel Domain Name", HFILL }},
7082
7083         { &hf_netlogon_dns_domain_name,
7084                 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
7085                 NULL, 0, "DNS Domain Name", HFILL }},
7086
7087         { &hf_netlogon_domain_name,
7088                 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
7089                 NULL, 0, "Domain Name", HFILL }},
7090
7091         { &hf_netlogon_oem_info,
7092                 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
7093                 NULL, 0, "OEM Info", HFILL }},
7094
7095         { &hf_netlogon_trusted_dc_name,
7096                 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
7097                 NULL, 0, "Trusted DC", HFILL }},
7098
7099         { &hf_netlogon_logonsrv_handle,
7100                 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
7101                 NULL, 0, "Logon Srv Handle", HFILL }},
7102
7103         { &hf_netlogon_dummy,
7104                 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
7105                 NULL, 0, "Dummy string", HFILL }},
7106
7107         { &hf_netlogon_logon_count16,
7108                 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
7109                 NULL, 0x0, "Number of successful logins", HFILL }},
7110
7111         { &hf_netlogon_logon_count,
7112                 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
7113                 NULL, 0x0, "Number of successful logins", HFILL }},
7114
7115         { &hf_netlogon_bad_pw_count16,
7116                 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
7117                 NULL, 0x0, "Number of failed logins", HFILL }},
7118
7119         { &hf_netlogon_bad_pw_count,
7120                 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
7121                 NULL, 0x0, "Number of failed logins", HFILL }},
7122
7123         { &hf_netlogon_country,
7124                 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
7125                 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
7126
7127         { &hf_netlogon_codepage,
7128                 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
7129                 NULL, 0x0, "Codepage setting for this account", HFILL }},
7130
7131         { &hf_netlogon_level16,
7132                 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
7133                 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7134
7135         { &hf_netlogon_validation_level,
7136                 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
7137                 NULL, 0x0, "Requested level of validation", HFILL }},
7138
7139         { &hf_netlogon_minpasswdlen,
7140                 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
7141                 NULL, 0x0, "Minimum length of password", HFILL }},
7142
7143         { &hf_netlogon_passwdhistorylen,
7144                 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
7145                 NULL, 0x0, "Length of password history", HFILL }},
7146
7147         { &hf_netlogon_secure_channel_type,
7148                 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
7149                 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
7150
7151         { &hf_netlogon_restart_state,
7152                 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
7153                 NULL, 0x0, "Restart State", HFILL }},
7154
7155         { &hf_netlogon_delta_type,
7156                 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
7157                 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
7158
7159         { &hf_netlogon_blob_size,
7160                 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
7161                 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
7162
7163         { &hf_netlogon_code,
7164                 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
7165                 NULL, 0x0, "Code", HFILL }},
7166
7167         { &hf_netlogon_level,
7168                 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
7169                 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7170
7171         { &hf_netlogon_reference,
7172                 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
7173                 NULL, 0x0, "", HFILL }},
7174
7175         { &hf_netlogon_next_reference,
7176                 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
7177                 NULL, 0x0, "", HFILL }},
7178
7179         { &hf_netlogon_timestamp,
7180                 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
7181                 NULL, 0, "", HFILL }},
7182
7183         { &hf_netlogon_user_rid,
7184                 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
7185                 NULL, 0x0, "", HFILL }},
7186
7187         { &hf_netlogon_alias_rid,
7188                 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
7189                 NULL, 0x0, "", HFILL }},
7190
7191         { &hf_netlogon_group_rid,
7192                 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
7193                 NULL, 0x0, "", HFILL }},
7194
7195         { &hf_netlogon_num_rids,
7196                 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
7197                 NULL, 0x0, "Number of RIDs", HFILL }},
7198
7199         { &hf_netlogon_num_controllers,
7200                 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
7201                 NULL, 0x0, "Number of domain controllers", HFILL }},
7202
7203         { &hf_netlogon_num_other_groups,
7204                 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
7205                 NULL, 0x0, "", HFILL }},
7206
7207         { &hf_netlogon_flags,
7208                 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
7209                 NULL, 0x0, "", HFILL }},
7210
7211         { &hf_netlogon_user_account_control,
7212                 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
7213                 NULL, 0x0, "User Account control", HFILL }},
7214
7215         { &hf_netlogon_user_flags,
7216                 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
7217                 NULL, 0x0, "User flags", HFILL }},
7218
7219         { &hf_netlogon_auth_flags,
7220                 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
7221                 NULL, 0x0, "", HFILL }},
7222
7223         { &hf_netlogon_systemflags,
7224                 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
7225                 NULL, 0x0, "", HFILL }},
7226
7227         { &hf_netlogon_database_id,
7228                 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
7229                 NULL, 0x0, "Database Id", HFILL }},
7230
7231         { &hf_netlogon_sync_context,
7232                 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
7233                 NULL, 0x0, "Sync Context", HFILL }},
7234
7235         { &hf_netlogon_max_size,
7236                 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
7237                 NULL, 0x0, "Max Size of database", HFILL }},
7238
7239         { &hf_netlogon_max_log_size,
7240                 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
7241                 NULL, 0x0, "Max Size of log", HFILL }},
7242
7243         { &hf_netlogon_pac_size,
7244                 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
7245                 NULL, 0x0, "Size of PacData in bytes", HFILL }},
7246
7247         { &hf_netlogon_auth_size,
7248                 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
7249                 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
7250
7251         { &hf_netlogon_num_deltas,
7252                 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
7253                 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
7254
7255         { &hf_netlogon_num_trusts,
7256                 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
7257                 NULL, 0x0, "", HFILL }},
7258
7259         { &hf_netlogon_logon_attempts,
7260                 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
7261                 NULL, 0x0, "Number of logon attempts", HFILL }},
7262
7263         { &hf_netlogon_pagefilelimit,
7264                 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
7265                 NULL, 0x0, "", HFILL }},
7266
7267         { &hf_netlogon_pagedpoollimit,
7268                 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
7269                 NULL, 0x0, "", HFILL }},
7270
7271         { &hf_netlogon_nonpagedpoollimit,
7272                 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
7273                 NULL, 0x0, "", HFILL }},
7274
7275         { &hf_netlogon_minworkingsetsize,
7276                 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
7277                 NULL, 0x0, "", HFILL }},
7278
7279         { &hf_netlogon_maxworkingsetsize,
7280                 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
7281                 NULL, 0x0, "", HFILL }},
7282
7283         { &hf_netlogon_serial_number,
7284                 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
7285                 NULL, 0x0, "", HFILL }},
7286
7287         { &hf_netlogon_neg_flags,
7288                 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
7289                 NULL, 0x0, "Negotiation Flags", HFILL }},
7290
7291         { &hf_netlogon_dc_flags,
7292                 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
7293                 NULL, 0x0, "Domain Controller Flags", HFILL }},
7294
7295         { &hf_netlogon_dc_flags_pdc_flag,
7296                 { "PDC", "netlogon.dc.flags.pdc",
7297                   FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
7298                   "If this server is a PDC", HFILL }},
7299
7300         { &hf_netlogon_dc_flags_gc_flag,
7301                 { "GC", "netlogon.dc.flags.gc",
7302                   FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
7303                   "If this server is a GC", HFILL }},
7304
7305         { &hf_netlogon_dc_flags_ldap_flag,
7306                 { "LDAP", "netlogon.dc.flags.ldap",
7307                   FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
7308                   "If this is an LDAP server", HFILL }},
7309
7310         { &hf_netlogon_dc_flags_ds_flag,
7311                 { "DS", "netlogon.dc.flags.ds",
7312                   FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
7313                   "If this server is a DS", HFILL }},
7314
7315         { &hf_netlogon_dc_flags_kdc_flag,
7316                 { "KDC", "netlogon.dc.flags.kdc",
7317                   FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
7318                   "If this is a KDC", HFILL }},
7319
7320         { &hf_netlogon_dc_flags_timeserv_flag,
7321                 { "Timeserv", "netlogon.dc.flags.timeserv",
7322                   FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
7323                   "If this server is a TimeServer", HFILL }},
7324
7325         { &hf_netlogon_dc_flags_closest_flag,
7326                 { "Closest", "netlogon.dc.flags.closest",
7327                   FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
7328                   "If this is the closest server", HFILL }},
7329
7330         { &hf_netlogon_dc_flags_writable_flag,
7331                 { "Writable", "netlogon.dc.flags.writable",
7332                   FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
7333                   "If this server can do updates to the database", HFILL }},
7334
7335         { &hf_netlogon_dc_flags_good_timeserv_flag,
7336                 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
7337                   FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
7338                   "If this is a Good TimeServer", HFILL }},
7339
7340         { &hf_netlogon_dc_flags_ndnc_flag,
7341                 { "NDNC", "netlogon.dc.flags.ndnc",
7342                   FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
7343                   "If this is an NDNC server", HFILL }},
7344
7345         { &hf_netlogon_dc_flags_dns_controller_flag,
7346                 { "DNS Controller", "netlogon.dc.flags.dns_controller",
7347                   FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
7348                   "If this server is a DNS Controller", HFILL }},
7349
7350         { &hf_netlogon_dc_flags_dns_domain_flag,
7351                 { "DNS Domain", "netlogon.dc.flags.dns_domain",
7352                   FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
7353                   "", HFILL }},
7354
7355         { &hf_netlogon_dc_flags_dns_forest_flag,
7356                 { "DNS Forest", "netlogon.dc.flags.dns_forest",
7357                   FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
7358                   "", HFILL }},
7359
7360         { &hf_netlogon_get_dcname_request_flags,
7361                 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
7362                 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
7363
7364         { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
7365                 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
7366                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
7367                   "Whether to allow the server to returned cached information or not", HFILL }},
7368
7369         { &hf_netlogon_get_dcname_request_flags_directory_service_required,
7370                 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
7371                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
7372                   "Whether we require that the returned DC supports w2k or not", HFILL }},
7373
7374         { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
7375                 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
7376                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
7377                   "Whether we prefer the call to return a w2k server (if available)", HFILL }},
7378
7379         { &hf_netlogon_get_dcname_request_flags_gc_server_required,
7380                 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
7381                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
7382                   "Whether we require that the returned DC is a Global Catalog server", HFILL }},
7383
7384         { &hf_netlogon_get_dcname_request_flags_pdc_required,
7385                 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
7386                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
7387                   "Whether we require the returned DC to be the PDC", HFILL }},
7388
7389         { &hf_netlogon_get_dcname_request_flags_background_only,
7390                 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
7391                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
7392                   "If we want cached data, even if it may have expired", HFILL }},
7393
7394         { &hf_netlogon_get_dcname_request_flags_ip_required,
7395                 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
7396                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
7397                   "If we requre the IP of the DC in the reply", HFILL }},
7398
7399         { &hf_netlogon_get_dcname_request_flags_kdc_required,
7400                 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
7401                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
7402                   "If we require that the returned server is a KDC", HFILL }},
7403
7404         { &hf_netlogon_get_dcname_request_flags_timeserv_required,
7405                 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
7406                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
7407                   "If we require the returned server to be a WindowsTimeServ server", HFILL }},
7408
7409         { &hf_netlogon_get_dcname_request_flags_writable_required,
7410                 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
7411                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
7412                   "If we require that the returned server is writable", HFILL }},
7413
7414         { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
7415                 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
7416                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
7417                   "If we prefer Windows Time Servers", HFILL }},
7418
7419         { &hf_netlogon_get_dcname_request_flags_avoid_self,
7420                 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
7421                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
7422                   "Return another DC than the one we ask", HFILL }},
7423
7424         { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
7425                 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
7426                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
7427                   "We just want an LDAP server, it does not have to be a DC", HFILL }},
7428
7429         { &hf_netlogon_get_dcname_request_flags_is_flat_name,
7430                 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
7431                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
7432                   "If the specified domain name is a NetBIOS name", HFILL }},
7433
7434         { &hf_netlogon_get_dcname_request_flags_is_dns_name,
7435                 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
7436                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
7437                   "If the specified domain name is a DNS name", HFILL }},
7438
7439         { &hf_netlogon_get_dcname_request_flags_return_dns_name,
7440                 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
7441                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
7442                   "Only return a DNS name (or an error)", HFILL }},
7443
7444         { &hf_netlogon_get_dcname_request_flags_return_flat_name,
7445                 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
7446                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
7447                   "Only return a NetBIOS name (or an error)", HFILL }},
7448
7449         { &hf_netlogon_trust_attribs,
7450                 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
7451                 NULL, 0x0, "Trust Attributes", HFILL }},
7452
7453         { &hf_netlogon_trust_attribs_non_transitive,
7454                 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32, 
7455                 TFS(&trust_attribs_non_transitive), 0x00000001, "", HFILL }},
7456
7457         { &hf_netlogon_trust_attribs_uplevel_only,
7458                 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32, 
7459                 TFS(&trust_attribs_uplevel_only), 0x00000002, "", HFILL }},
7460
7461         { &hf_netlogon_trust_attribs_quarantined_domain,
7462                 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32, 
7463                 TFS(&trust_attribs_quarantined_domain), 0x00000004, "", HFILL }},
7464
7465         { &hf_netlogon_trust_attribs_forest_transitive,
7466                 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32, 
7467                 TFS(&trust_attribs_forest_transitive), 0x00000008, "", HFILL }},
7468
7469         { &hf_netlogon_trust_attribs_cross_organization,
7470                 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32, 
7471                 TFS(&trust_attribs_cross_organization), 0x00000010, "", HFILL }},
7472
7473         { &hf_netlogon_trust_attribs_within_forest,
7474                 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32, 
7475                 TFS(&trust_attribs_within_forest), 0x00000020, "", HFILL }},
7476
7477         { &hf_netlogon_trust_attribs_treat_as_external,
7478                 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32, 
7479                 TFS(&trust_attribs_treat_as_external), 0x00000040, "", HFILL }},
7480
7481         { &hf_netlogon_trust_type,
7482                 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
7483                 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
7484
7485         { &hf_netlogon_trust_flags,
7486                 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
7487                 NULL, 0x0, "Trust Flags", HFILL }},
7488
7489         { &hf_netlogon_trust_flags_inbound,
7490                 { "Inbound Trust", "netlogon.trust.flags.inbound",
7491                   FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
7492                   "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
7493
7494         { &hf_netlogon_trust_flags_outbound,
7495                 { "Outbound Trust", "netlogon.trust.flags.outbound",
7496                   FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
7497                   "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
7498
7499         { &hf_netlogon_trust_flags_in_forest,
7500                 { "In Forest", "netlogon.trust.flags.in_forest",
7501                   FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
7502                   "Whether this domain is a member of the same forest as the servers domain", HFILL }},
7503
7504         { &hf_netlogon_trust_flags_native_mode,
7505                 { "Native Mode", "netlogon.trust.flags.native_mode",
7506                   FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
7507                   "Whether the domain is a w2k native mode domain or not", HFILL }},
7508
7509         { &hf_netlogon_trust_flags_primary,
7510                 { "Primary", "netlogon.trust.flags.primary",
7511                   FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
7512                   "Whether the domain is the primary domain for the queried server or not", HFILL }},
7513
7514         { &hf_netlogon_trust_flags_tree_root,
7515                 { "Tree Root", "netlogon.trust.flags.tree_root",
7516                   FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
7517                   "Whether the domain is the root of the tree for the queried server", HFILL }},
7518
7519         { &hf_netlogon_trust_parent_index,
7520                 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
7521                 NULL, 0x0, "Parent Index", HFILL }},
7522
7523         { &hf_netlogon_logon_time,
7524                 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
7525                 NULL, 0, "Time for last time this user logged on", HFILL }},
7526
7527         { &hf_netlogon_kickoff_time,
7528                 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7529                 NULL, 0, "Time when this user will be kicked off", HFILL }},
7530
7531         { &hf_netlogon_logoff_time,
7532                 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7533                 NULL, 0, "Time for last time this user logged off", HFILL }},
7534
7535         { &hf_netlogon_last_logoff_time,
7536                 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7537                 NULL, 0, "Time for last time this user logged off", HFILL }},
7538
7539         { &hf_netlogon_pwd_last_set_time,
7540                 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7541                 NULL, 0, "Last time this users password was changed", HFILL }},
7542
7543         { &hf_netlogon_pwd_age,
7544                 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
7545                 NULL, 0, "Time since this users password was changed", HFILL }},
7546
7547         { &hf_netlogon_pwd_can_change_time,
7548                 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7549                 NULL, 0, "When this users password may be changed", HFILL }},
7550
7551         { &hf_netlogon_pwd_must_change_time,
7552                 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7553                 NULL, 0, "When this users password must be changed", HFILL }},
7554
7555         { &hf_netlogon_domain_create_time,
7556                 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7557                 NULL, 0, "Time when this domain was created", HFILL }},
7558
7559         { &hf_netlogon_domain_modify_time,
7560                 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7561                 NULL, 0, "Time when this domain was last modified", HFILL }},
7562
7563         { &hf_netlogon_db_modify_time,
7564                 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7565                 NULL, 0, "Time when last modified", HFILL }},
7566
7567         { &hf_netlogon_db_create_time,
7568                 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7569                 NULL, 0, "Time when created", HFILL }},
7570
7571         { &hf_netlogon_cipher_current_set_time,
7572                 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7573                 NULL, 0, "Time when current cipher was initiated", HFILL }},
7574
7575         { &hf_netlogon_cipher_old_set_time,
7576                 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7577                 NULL, 0, "Time when previous cipher was initiated", HFILL }},
7578
7579         { &hf_netlogon_audit_retention_period,
7580                 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
7581                 NULL, 0, "Audit retention period", HFILL }},
7582
7583         { &hf_netlogon_timelimit,
7584                 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
7585                 NULL, 0, "", HFILL }},
7586
7587         /* Secure channel dissection */
7588
7589         { &hf_netlogon_secchan_bind_unknown1,
7590           { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7591             NULL, 0x0, "", HFILL }},
7592
7593         { &hf_netlogon_secchan_bind_unknown2,
7594           { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7595             NULL, 0x0, "", HFILL }},
7596
7597         { &hf_netlogon_secchan_domain,
7598           { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7599             NULL, 0, "", HFILL }},
7600
7601         { &hf_netlogon_secchan_host,
7602           { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7603             NULL, 0, "", HFILL }},
7604
7605         { &hf_netlogon_secchan_bind_ack_unknown1,
7606           { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32, 
7607             BASE_HEX, NULL, 0x0, "", HFILL }},
7608
7609         { &hf_netlogon_secchan_bind_ack_unknown2,
7610           { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32, 
7611             BASE_HEX, NULL, 0x0, "", HFILL }},
7612
7613         { &hf_netlogon_secchan_bind_ack_unknown3,
7614           { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32, 
7615             BASE_HEX, NULL, 0x0, "", HFILL }},
7616
7617         { &hf_netlogon_secchan_verf,
7618           { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE, 
7619             NULL, 0x0, "Verifier", HFILL }},
7620
7621         { &hf_netlogon_secchan_verf_sig,
7622           { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL, 
7623             0x0, "Signature", HFILL }}, 
7624
7625         { &hf_netlogon_secchan_verf_digest,
7626           { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_HEX, NULL, 
7627           0x0, "Packet Digest", HFILL }}, 
7628
7629         { &hf_netlogon_secchan_verf_seq,
7630           { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL, 
7631           0x0, "Sequence No", HFILL }}, 
7632
7633         { &hf_netlogon_secchan_verf_nonce,
7634           { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL, 
7635           0x0, "Nonce", HFILL }}, 
7636
7637         { &hf_netlogon_group_attrs_mandatory,
7638                 { "Mandatory", "netlogon.groups.attrs.mandatory",
7639                   FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
7640                   "The group attributes MANDATORY flag", HFILL }},
7641
7642         { &hf_netlogon_group_attrs_enabled_by_default,
7643                 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
7644                   FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
7645                   "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
7646
7647         { &hf_netlogon_group_attrs_enabled,
7648                 { "Enabled", "netlogon.groups.attrs.enabled",
7649                   FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
7650                   "The group attributes ENABLED flag", HFILL }},
7651
7652         { &hf_netlogon_user_flags_extra_sids,
7653                 { "Extra SIDs", "netlogon.user.flags.extra_sids",
7654                   FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
7655                   "The user flags EXTRA_SIDS", HFILL }},
7656
7657         { &hf_netlogon_user_flags_resource_groups,
7658                 { "Resource Groups", "netlogon.user.flags.resource_groups",
7659                   FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
7660                   "The user flags RESOURCE_GROUPS", HFILL }},
7661
7662         { &hf_netlogon_user_account_control_dont_require_preauth,
7663                 { "Dont Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
7664                   FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
7665                   "The user account control DONT_REQUIRE_PREAUTH flag ", HFILL }},
7666
7667         { &hf_netlogon_user_account_control_use_des_key_only,
7668                 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
7669                   FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
7670                   "The user account control use_des_key_only flag ", HFILL }},
7671
7672         { &hf_netlogon_user_account_control_not_delegated,
7673                 { "Not Delegated", "netlogon.user.account_control.not_delegated",
7674                   FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
7675                   "The user account control not_delegated flag ", HFILL }},
7676
7677         { &hf_netlogon_user_account_control_trusted_for_delegation,
7678                 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
7679                   FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
7680                   "The user account control trusted_for_delegation flag ", HFILL }},
7681
7682         { &hf_netlogon_user_account_control_smartcard_required,
7683                 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
7684                   FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
7685                   "The user account control smartcard_required flag ", HFILL }},
7686
7687         { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
7688                 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
7689                   FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
7690                   "The user account control encrypted_text_password_allowed flag ", HFILL }},
7691
7692         { &hf_netlogon_user_account_control_account_auto_locked,
7693                 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
7694                   FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
7695                   "The user account control account_auto_locked flag ", HFILL }},
7696
7697         { &hf_netlogon_user_account_control_dont_expire_password,
7698                 { "Dont Expire Password", "netlogon.user.account_control.dont_expire_password",
7699                   FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
7700                   "The user account control dont_expire_password flag ", HFILL }},
7701
7702         { &hf_netlogon_user_account_control_server_trust_account,
7703                 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
7704                   FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
7705                   "The user account control server_trust_account flag ", HFILL }},
7706
7707         { &hf_netlogon_user_account_control_workstation_trust_account,
7708                 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
7709                   FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
7710                   "The user account control workstation_trust_account flag ", HFILL }},
7711
7712         { &hf_netlogon_user_account_control_interdomain_trust_account,
7713                 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
7714                   FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
7715                   "The user account control interdomain_trust_account flag ", HFILL }},
7716
7717         { &hf_netlogon_user_account_control_mns_logon_account,
7718                 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
7719                   FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
7720                   "The user account control mns_logon_account flag ", HFILL }},
7721
7722         { &hf_netlogon_user_account_control_normal_account,
7723                 { "Normal Account", "netlogon.user.account_control.normal_account",
7724                   FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
7725                   "The user account control normal_account flag ", HFILL }},
7726
7727         { &hf_netlogon_user_account_control_temp_duplicate_account,
7728                 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
7729                   FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
7730                   "The user account control temp_duplicate_account flag ", HFILL }},
7731
7732         { &hf_netlogon_user_account_control_password_not_required,
7733                 { "Password Not Required", "netlogon.user.account_control.password_not_required",
7734                   FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
7735                   "The user account control password_not_required flag ", HFILL }},
7736
7737         { &hf_netlogon_user_account_control_home_directory_required,
7738                 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
7739                   FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
7740                   "The user account control home_directory_required flag ", HFILL }},
7741
7742         { &hf_netlogon_user_account_control_account_disabled,
7743                 { "Account Disabled", "netlogon.user.account_control.account_disabled",
7744                   FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
7745                   "The user account control account_disabled flag ", HFILL }},
7746
7747         };
7748
7749         static gint *ett[] = {
7750                 &ett_dcerpc_netlogon,
7751                 &ett_CYPHER_VALUE,
7752                 &ett_QUOTA_LIMITS,
7753                 &ett_IDENTITY_INFO,
7754                 &ett_DELTA_ENUM,
7755                 &ett_UNICODE_MULTI,
7756                 &ett_DOMAIN_CONTROLLER_INFO,
7757                 &ett_UNICODE_STRING_512,
7758                 &ett_TYPE_50,
7759                 &ett_TYPE_52,
7760                 &ett_DELTA_ID_UNION,
7761                 &ett_TYPE_44,
7762                 &ett_DELTA_UNION,
7763                 &ett_LM_OWF_PASSWORD,
7764                 &ett_NT_OWF_PASSWORD,
7765                 &ett_GROUP_MEMBERSHIP,
7766                 &ett_DS_DOMAIN_TRUSTS,
7767                 &ett_BLOB,
7768                 &ett_DOMAIN_TRUST_INFO,
7769                 &ett_trust_flags,
7770                 &ett_trust_attribs,
7771                 &ett_get_dcname_request_flags,
7772                 &ett_dc_flags,
7773                 &ett_secchan_bind_creds,
7774                 &ett_secchan_bind_ack_creds,
7775                 &ett_secchan_verf,
7776                 &ett_group_attrs,
7777                 &ett_user_flags,
7778                 &ett_user_account_control
7779         };
7780
7781         proto_dcerpc_netlogon = proto_register_protocol(
7782                 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7783
7784         proto_register_field_array(proto_dcerpc_netlogon, hf,
7785                                    array_length(hf));
7786         proto_register_subtree_array(ett, array_length(ett));
7787 }
7788
7789 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
7790         dissect_secchan_bind_creds,             /* Bind */
7791         dissect_secchan_bind_ack_creds,         /* Bind ACK */
7792         NULL,                                   /* AUTH3 */
7793         dissect_secchan_verf,                   /* Request verifier */
7794         dissect_secchan_verf,                   /* Response verifier */
7795         NULL,                                   /* Request data */
7796         NULL                                    /* Response data */
7797 };
7798
7799 void
7800 proto_reg_handoff_dcerpc_netlogon(void)
7801 {
7802         /* Register protocol as dcerpc */
7803
7804         dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7805                          &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7806                          dcerpc_netlogon_dissectors, hf_netlogon_opnum);
7807
7808         register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
7809                                           DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7810                                           &secchan_auth_fns);   
7811         register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
7812                                           DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7813                                           &secchan_auth_fns);   
7814 }
git mirror of the wireshark svn