1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "packet-windows-common.h"
37 #include "packet-ntlmssp.h"
38 #include "packet-dcerpc-lsa.h"
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_group_attrs_mandatory = -1;
42 static int hf_netlogon_group_attrs_enabled_by_default = -1;
43 static int hf_netlogon_group_attrs_enabled = -1;
44 static int hf_netlogon_opnum = -1;
45 static int hf_netlogon_rc = -1;
46 static int hf_netlogon_dos_rc = -1;
47 static int hf_netlogon_werr_rc = -1;
48 static int hf_netlogon_len = -1;
49 static int hf_netlogon_sensitive_data_flag = -1;
50 static int hf_netlogon_sensitive_data_len = -1;
51 static int hf_netlogon_sensitive_data = -1;
52 static int hf_netlogon_security_information = -1;
53 static int hf_netlogon_dummy = -1;
54 static int hf_netlogon_neg_flags = -1;
55 static int hf_netlogon_minworkingsetsize = -1;
56 static int hf_netlogon_maxworkingsetsize = -1;
57 static int hf_netlogon_pagedpoollimit = -1;
58 static int hf_netlogon_pagefilelimit = -1;
59 static int hf_netlogon_timelimit = -1;
60 static int hf_netlogon_nonpagedpoollimit = -1;
61 static int hf_netlogon_pac_size = -1;
62 static int hf_netlogon_pac_data = -1;
63 static int hf_netlogon_auth_size = -1;
64 static int hf_netlogon_auth_data = -1;
65 static int hf_netlogon_cipher_len = -1;
66 static int hf_netlogon_cipher_maxlen = -1;
67 static int hf_netlogon_cipher_current_data = -1;
68 static int hf_netlogon_cipher_current_set_time = -1;
69 static int hf_netlogon_cipher_old_data = -1;
70 static int hf_netlogon_cipher_old_set_time = -1;
71 static int hf_netlogon_priv = -1;
72 static int hf_netlogon_privilege_entries = -1;
73 static int hf_netlogon_privilege_control = -1;
74 static int hf_netlogon_privilege_name = -1;
75 static int hf_netlogon_systemflags = -1;
76 static int hf_netlogon_pdc_connection_status = -1;
77 static int hf_netlogon_tc_connection_status = -1;
78 static int hf_netlogon_restart_state = -1;
79 static int hf_netlogon_attrs = -1;
80 static int hf_netlogon_count = -1;
81 static int hf_netlogon_entries = -1;
82 static int hf_netlogon_minpasswdlen = -1;
83 static int hf_netlogon_passwdhistorylen = -1;
84 static int hf_netlogon_level16 = -1;
85 static int hf_netlogon_validation_level = -1;
86 static int hf_netlogon_reference = -1;
87 static int hf_netlogon_next_reference = -1;
88 static int hf_netlogon_timestamp = -1;
89 static int hf_netlogon_level = -1;
90 static int hf_netlogon_challenge = -1;
91 static int hf_netlogon_reserved = -1;
92 static int hf_netlogon_audit_retention_period = -1;
93 static int hf_netlogon_auditing_mode = -1;
94 static int hf_netlogon_max_audit_event_count = -1;
95 static int hf_netlogon_event_audit_option = -1;
96 static int hf_netlogon_unknown_string = -1;
97 static int hf_netlogon_unknown_long = -1;
98 static int hf_netlogon_unknown_short = -1;
99 static int hf_netlogon_unknown_char = -1;
100 static int hf_netlogon_logon_time = -1;
101 static int hf_netlogon_logoff_time = -1;
102 static int hf_netlogon_last_logoff_time = -1;
103 static int hf_netlogon_kickoff_time = -1;
104 static int hf_netlogon_pwd_age = -1;
105 static int hf_netlogon_pwd_last_set_time = -1;
106 static int hf_netlogon_pwd_can_change_time = -1;
107 static int hf_netlogon_pwd_must_change_time = -1;
108 static int hf_netlogon_nt_chal_resp = -1;
109 static int hf_netlogon_lm_chal_resp = -1;
110 static int hf_netlogon_credential = -1;
111 static int hf_netlogon_acct_name = -1;
112 static int hf_netlogon_acct_desc = -1;
113 static int hf_netlogon_group_desc = -1;
114 static int hf_netlogon_full_name = -1;
115 static int hf_netlogon_comment = -1;
116 static int hf_netlogon_parameters = -1;
117 static int hf_netlogon_logon_script = -1;
118 static int hf_netlogon_profile_path = -1;
119 static int hf_netlogon_home_dir = -1;
120 static int hf_netlogon_dir_drive = -1;
121 static int hf_netlogon_logon_count = -1;
122 static int hf_netlogon_logon_count16 = -1;
123 static int hf_netlogon_bad_pw_count = -1;
124 static int hf_netlogon_bad_pw_count16 = -1;
125 static int hf_netlogon_user_rid = -1;
126 static int hf_netlogon_alias_rid = -1;
127 static int hf_netlogon_group_rid = -1;
128 static int hf_netlogon_logon_srv = -1;
129 static int hf_netlogon_principal = -1;
130 static int hf_netlogon_logon_dom = -1;
131 static int hf_netlogon_resourcegroupcount = -1;
132 static int hf_netlogon_downlevel_domain_name = -1;
133 static int hf_netlogon_dns_domain_name = -1;
134 static int hf_netlogon_domain_name = -1;
135 static int hf_netlogon_domain_create_time = -1;
136 static int hf_netlogon_domain_modify_time = -1;
137 static int hf_netlogon_modify_count = -1;
138 static int hf_netlogon_db_modify_time = -1;
139 static int hf_netlogon_db_create_time = -1;
140 static int hf_netlogon_oem_info = -1;
141 static int hf_netlogon_serial_number = -1;
142 static int hf_netlogon_num_rids = -1;
143 static int hf_netlogon_num_trusts = -1;
144 static int hf_netlogon_num_controllers = -1;
145 static int hf_netlogon_num_other_groups = -1;
146 static int hf_netlogon_computer_name = -1;
147 static int hf_netlogon_site_name = -1;
148 static int hf_netlogon_trusted_dc_name = -1;
149 static int hf_netlogon_dc_name = -1;
150 static int hf_netlogon_dc_site_name = -1;
151 static int hf_netlogon_dns_forest_name = -1;
152 static int hf_netlogon_dc_address = -1;
153 static int hf_netlogon_dc_address_type = -1;
154 static int hf_netlogon_client_site_name = -1;
155 static int hf_netlogon_workstation = -1;
156 static int hf_netlogon_workstation_site_name = -1;
157 static int hf_netlogon_workstation_os = -1;
158 static int hf_netlogon_workstations = -1;
159 static int hf_netlogon_workstation_fqdn = -1;
160 static int hf_netlogon_group_name = -1;
161 static int hf_netlogon_alias_name = -1;
162 static int hf_netlogon_country = -1;
163 static int hf_netlogon_codepage = -1;
164 static int hf_netlogon_flags = -1;
165 static int hf_netlogon_trust_attribs = -1;
166 static int hf_netlogon_trust_attribs_non_transitive = -1;
167 static int hf_netlogon_trust_attribs_uplevel_only = -1;
168 static int hf_netlogon_trust_attribs_quarantined_domain = -1;
169 static int hf_netlogon_trust_attribs_forest_transitive = -1;
170 static int hf_netlogon_trust_attribs_cross_organization = -1;
171 static int hf_netlogon_trust_attribs_within_forest = -1;
172 static int hf_netlogon_trust_attribs_treat_as_external = -1;
173 static int hf_netlogon_trust_type = -1;
174 static int hf_netlogon_trust_flags = -1;
175 static int hf_netlogon_trust_flags_inbound = -1;
176 static int hf_netlogon_trust_flags_outbound = -1;
177 static int hf_netlogon_trust_flags_in_forest = -1;
178 static int hf_netlogon_trust_flags_native_mode = -1;
179 static int hf_netlogon_trust_flags_primary = -1;
180 static int hf_netlogon_trust_flags_tree_root = -1;
181 static int hf_netlogon_trust_parent_index = -1;
182 static int hf_netlogon_user_account_control = -1;
183 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
184 static int hf_netlogon_user_account_control_use_des_key_only = -1;
185 static int hf_netlogon_user_account_control_not_delegated = -1;
186 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
187 static int hf_netlogon_user_account_control_smartcard_required = -1;
188 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
189 static int hf_netlogon_user_account_control_account_auto_locked = -1;
190 static int hf_netlogon_user_account_control_dont_expire_password = -1;
191 static int hf_netlogon_user_account_control_server_trust_account = -1;
192 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
193 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
194 static int hf_netlogon_user_account_control_mns_logon_account = -1;
195 static int hf_netlogon_user_account_control_normal_account = -1;
196 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
197 static int hf_netlogon_user_account_control_password_not_required = -1;
198 static int hf_netlogon_user_account_control_home_directory_required = -1;
199 static int hf_netlogon_user_account_control_account_disabled = -1;
200 static int hf_netlogon_user_flags = -1;
201 static int hf_netlogon_user_flags_extra_sids = -1;
202 static int hf_netlogon_user_flags_resource_groups = -1;
203 static int hf_netlogon_auth_flags = -1;
204 static int hf_netlogon_pwd_expired = -1;
205 static int hf_netlogon_nt_pwd_present = -1;
206 static int hf_netlogon_lm_pwd_present = -1;
207 static int hf_netlogon_code = -1;
208 static int hf_netlogon_database_id = -1;
209 static int hf_netlogon_sync_context = -1;
210 static int hf_netlogon_max_size = -1;
211 static int hf_netlogon_max_log_size = -1;
212 static int hf_netlogon_dns_host = -1;
213 static int hf_netlogon_acct_expiry_time = -1;
214 static int hf_netlogon_encrypted_lm_owf_password = -1;
215 static int hf_netlogon_lm_owf_password = -1;
216 static int hf_netlogon_nt_owf_password = -1;
217 static int hf_netlogon_param_ctrl = -1;
218 static int hf_netlogon_logon_id = -1;
219 static int hf_netlogon_num_deltas = -1;
220 static int hf_netlogon_user_session_key = -1;
221 static int hf_netlogon_blob_size = -1;
222 static int hf_netlogon_blob = -1;
223 static int hf_netlogon_logon_attempts = -1;
224 static int hf_netlogon_authoritative = -1;
225 static int hf_netlogon_secure_channel_type = -1;
226 static int hf_netlogon_logonsrv_handle = -1;
227 static int hf_netlogon_delta_type = -1;
228 static int hf_netlogon_get_dcname_request_flags = -1;
229 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
230 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
231 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
232 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
233 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
234 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
235 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
236 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
237 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
238 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
239 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
240 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
241 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
242 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
243 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
244 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
245 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
246 static int hf_netlogon_dc_flags = -1;
247 static int hf_netlogon_dc_flags_pdc_flag = -1;
248 static int hf_netlogon_dc_flags_gc_flag = -1;
249 static int hf_netlogon_dc_flags_ldap_flag = -1;
250 static int hf_netlogon_dc_flags_ds_flag = -1;
251 static int hf_netlogon_dc_flags_kdc_flag = -1;
252 static int hf_netlogon_dc_flags_timeserv_flag = -1;
253 static int hf_netlogon_dc_flags_closest_flag = -1;
254 static int hf_netlogon_dc_flags_writable_flag = -1;
255 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
256 static int hf_netlogon_dc_flags_ndnc_flag = -1;
257 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
258 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
259 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
261 static gint ett_dcerpc_netlogon = -1;
262 static gint ett_group_attrs = -1;
263 static gint ett_user_flags = -1;
264 static gint ett_user_account_control = -1;
265 static gint ett_QUOTA_LIMITS = -1;
266 static gint ett_IDENTITY_INFO = -1;
267 static gint ett_DELTA_ENUM = -1;
268 static gint ett_CYPHER_VALUE = -1;
269 static gint ett_UNICODE_MULTI = -1;
270 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
271 static gint ett_UNICODE_STRING_512 = -1;
272 static gint ett_TYPE_50 = -1;
273 static gint ett_TYPE_52 = -1;
274 static gint ett_DELTA_ID_UNION = -1;
275 static gint ett_TYPE_44 = -1;
276 static gint ett_DELTA_UNION = -1;
277 static gint ett_LM_OWF_PASSWORD = -1;
278 static gint ett_NT_OWF_PASSWORD = -1;
279 static gint ett_GROUP_MEMBERSHIP = -1;
280 static gint ett_BLOB = -1;
281 static gint ett_DS_DOMAIN_TRUSTS = -1;
282 static gint ett_DOMAIN_TRUST_INFO = -1;
283 static gint ett_trust_flags = -1;
284 static gint ett_trust_attribs = -1;
285 static gint ett_get_dcname_request_flags = -1;
286 static gint ett_dc_flags = -1;
288 static e_uuid_t uuid_dcerpc_netlogon = {
289 0x12345678, 0x1234, 0xabcd,
290 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
293 static guint16 ver_dcerpc_netlogon = 1;
296 static const true_false_string user_account_control_dont_require_preauth= {
297 "This account DONT_REQUIRE_PREAUTHENTICATION",
298 "This account REQUIRES preauthentication",
300 static const true_false_string user_account_control_use_des_key_only= {
301 "This account must USE_DES_KEY_ONLY for passwords",
302 "This account does NOT have to use_des_key_only",
304 static const true_false_string user_account_control_not_delegated= {
305 "This account is NOT_DELEGATED",
306 "This might have been delegated",
308 static const true_false_string user_account_control_trusted_for_delegation= {
309 "This account is TRUSTED_FOR_DELEGATION",
310 "This account is NOT trusted_for_delegation",
312 static const true_false_string user_account_control_smartcard_required= {
313 "This account REQUIRES_SMARTCARD to authenticate",
314 "This account does NOT require_smartcard to authenticate",
316 static const true_false_string user_account_control_encrypted_text_password_allowed= {
317 "This account allows ENCRYPTED_TEXT_PASSWORD",
318 "This account does NOT allow encrypted_text_password",
320 static const true_false_string user_account_control_account_auto_locked= {
321 "This account is AUTO_LOCKED",
322 "This account is NOT auto_locked",
324 static const true_false_string user_account_control_dont_expire_password= {
325 "This account DONT_EXPIRE_PASSWORDs",
326 "This account might expire_passwords",
328 static const true_false_string user_account_control_server_trust_account= {
329 "This account is a SERVER_TRUST_ACCOUNT",
330 "This account is NOT a server_trust_account",
332 static const true_false_string user_account_control_workstation_trust_account= {
333 "This account is a WORKSTATION_TRUST_ACCOUNT",
334 "This account is NOT a workstation_trust_account",
336 static const true_false_string user_account_control_interdomain_trust_account= {
337 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
338 "This account is NOT an interdomain_trust_account",
340 static const true_false_string user_account_control_mns_logon_account= {
341 "This account is a MNS_LOGON_ACCOUNT",
342 "This account is NOT a mns_logon_account",
344 static const true_false_string user_account_control_normal_account= {
345 "This account is a NORMAL_ACCOUNT",
346 "This account is NOT a normal_account",
348 static const true_false_string user_account_control_temp_duplicate_account= {
349 "This account is a TEMP_DUPLICATE_ACCOUNT",
350 "This account is NOT a temp_duplicate_account",
352 static const true_false_string user_account_control_password_not_required= {
353 "This account REQUIRES_NO_PASSWORD",
354 "This account REQUIRES a password",
356 static const true_false_string user_account_control_home_directory_required= {
357 "This account REQUIRES_HOME_DIRECTORY",
358 "This account does NOT require_home_directory",
360 static const true_false_string user_account_control_account_disabled= {
361 "This account is DISABLED",
362 "This account is NOT disabled",
365 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
366 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
369 proto_item *item = NULL;
370 proto_tree *tree = NULL;
373 di=pinfo->private_data;
374 if(di->conformant_run){
375 /*just a run to handle conformant arrays, nothing to dissect */
379 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
380 hf_netlogon_user_account_control, &mask);
383 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_account_control,
384 tvb, offset-4, 4, mask);
385 tree = proto_item_add_subtree(item, ett_user_account_control);
388 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_require_preauth,
389 tvb, offset-4, 4, mask);
390 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_use_des_key_only,
391 tvb, offset-4, 4, mask);
392 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_not_delegated,
393 tvb, offset-4, 4, mask);
394 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_trusted_for_delegation,
395 tvb, offset-4, 4, mask);
396 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_smartcard_required,
397 tvb, offset-4, 4, mask);
398 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_encrypted_text_password_allowed,
399 tvb, offset-4, 4, mask);
400 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_auto_locked,
401 tvb, offset-4, 4, mask);
402 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_expire_password,
403 tvb, offset-4, 4, mask);
404 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_server_trust_account,
405 tvb, offset-4, 4, mask);
406 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_workstation_trust_account,
407 tvb, offset-4, 4, mask);
408 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_interdomain_trust_account,
409 tvb, offset-4, 4, mask);
410 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_mns_logon_account,
411 tvb, offset-4, 4, mask);
412 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_normal_account,
413 tvb, offset-4, 4, mask);
414 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_temp_duplicate_account,
415 tvb, offset-4, 4, mask);
416 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_password_not_required,
417 tvb, offset-4, 4, mask);
418 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_home_directory_required,
419 tvb, offset-4, 4, mask);
420 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_disabled,
421 tvb, offset-4, 4, mask);
427 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
428 packet_info *pinfo, proto_tree *tree,
431 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
432 NDR_POINTER_UNIQUE, "Server Handle",
433 hf_netlogon_logonsrv_handle, 0);
439 * IDL typedef struct {
440 * IDL [unique][string] wchar_t *effective_name;
442 * IDL long auth_flags;
443 * IDL long logon_count;
444 * IDL long bad_pw_count;
445 * IDL long last_logon;
446 * IDL long last_logoff;
447 * IDL long logoff_time;
448 * IDL long kickoff_time;
449 * IDL long password_age;
450 * IDL long pw_can_change;
451 * IDL long pw_must_change;
452 * IDL [unique][string] wchar_t *computer;
453 * IDL [unique][string] wchar_t *domain;
454 * IDL [unique][string] wchar_t *script_path;
458 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
459 packet_info *pinfo, proto_tree *tree,
464 di=pinfo->private_data;
465 if(di->conformant_run){
466 /*just a run to handle conformant arrays, nothing to dissect */
470 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
471 NDR_POINTER_UNIQUE, "Effective Account",
472 hf_netlogon_acct_name, 0);
474 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
475 hf_netlogon_priv, NULL);
477 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
478 hf_netlogon_auth_flags, NULL);
480 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
481 hf_netlogon_logon_count, NULL);
483 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
484 hf_netlogon_bad_pw_count, NULL);
487 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logon_time, NULL);
489 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_last_logoff_time, NULL);
491 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logoff_time, NULL);
493 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_kickoff_time, NULL);
495 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_age, NULL);
497 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_can_change_time, NULL);
499 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_must_change_time, NULL);
501 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
502 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
504 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
505 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
507 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
508 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
510 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
511 hf_netlogon_reserved, NULL);
517 * IDL long NetrLogonUasLogon(
518 * IDL [in][unique][string] wchar_t *ServerName,
519 * IDL [in][ref][string] wchar_t *UserName,
520 * IDL [in][ref][string] wchar_t *Workstation,
521 * IDL [out][unique] VALIDATION_UAS_INFO *info
525 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
526 packet_info *pinfo, proto_tree *tree, guint8 *drep)
528 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
531 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
532 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
534 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
535 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
542 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
543 packet_info *pinfo, proto_tree *tree, guint8 *drep)
545 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
546 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
547 "VALIDATION_UAS_INFO", -1);
549 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
550 hf_netlogon_dos_rc, NULL);
556 * IDL typedef struct {
558 * IDL short logon_count;
559 * IDL } LOGOFF_UAS_INFO;
562 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
563 packet_info *pinfo, proto_tree *tree,
568 di=pinfo->private_data;
569 if(di->conformant_run){
570 /*just a run to handle conformant arrays, nothing to dissect */
574 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
577 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
578 hf_netlogon_logon_count16, NULL);
584 * IDL long NetrLogonUasLogoff(
585 * IDL [in][unique][string] wchar_t *ServerName,
586 * IDL [in][ref][string] wchar_t *UserName,
587 * IDL [in][ref][string] wchar_t *Workstation,
588 * IDL [out][ref] LOGOFF_UAS_INFO *info
592 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
593 packet_info *pinfo, proto_tree *tree, guint8 *drep)
595 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
598 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
599 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
601 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
602 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
609 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
610 packet_info *pinfo, proto_tree *tree, guint8 *drep)
612 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
613 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
614 "LOGOFF_UAS_INFO", -1);
616 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
617 hf_netlogon_dos_rc, NULL);
626 * IDL typedef struct {
627 * IDL UNICODESTRING LogonDomainName;
628 * IDL long ParameterControl;
629 * IDL uint64 LogonID;
630 * IDL UNICODESTRING UserName;
631 * IDL UNICODESTRING Workstation;
632 * IDL } LOGON_IDENTITY_INFO;
635 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
636 packet_info *pinfo, proto_tree *parent_tree,
639 proto_item *item=NULL;
640 proto_tree *tree=NULL;
641 int old_offset=offset;
644 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
646 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
649 /* XXX: It would be nice to get the domain and account name
650 displayed in COL_INFO. */
652 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
653 hf_netlogon_logon_dom, 0);
655 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
656 hf_netlogon_param_ctrl, NULL);
658 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, drep,
659 hf_netlogon_logon_id, NULL);
661 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
662 hf_netlogon_acct_name, CB_STR_COL_INFO|3);
664 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
665 hf_netlogon_workstation, 0);
668 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
669 /* XXX 8 extra bytes here */
670 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
671 the idl file. Could be a bug in either the NETLOGON implementation or in the
674 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
677 proto_item_set_len(item, offset-old_offset);
683 * IDL typedef struct {
684 * IDL char password[16];
685 * IDL } LM_OWF_PASSWORD;
688 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
689 packet_info *pinfo, proto_tree *parent_tree,
692 proto_item *item=NULL;
693 proto_tree *tree=NULL;
696 di=pinfo->private_data;
697 if(di->conformant_run){
698 /*just a run to handle conformant arrays, nothing to dissect.*/
703 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
705 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
708 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
716 * IDL typedef struct {
717 * IDL char password[16];
718 * IDL } NT_OWF_PASSWORD;
721 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
722 packet_info *pinfo, proto_tree *parent_tree,
725 proto_item *item=NULL;
726 proto_tree *tree=NULL;
729 di=pinfo->private_data;
730 if(di->conformant_run){
731 /*just a run to handle conformant arrays, nothing to dissect.*/
736 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
738 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
741 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
750 * IDL typedef struct {
751 * IDL LOGON_IDENTITY_INFO identity_info;
752 * IDL LM_OWF_PASSWORD lmpassword;
753 * IDL NT_OWF_PASSWORD ntpassword;
754 * IDL } INTERACTIVE_INFO;
757 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
758 packet_info *pinfo, proto_tree *tree,
761 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
764 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
767 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
774 * IDL typedef struct {
779 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
780 packet_info *pinfo, proto_tree *tree,
785 di=pinfo->private_data;
786 if(di->conformant_run){
787 /*just a run to handle conformant arrays, nothing to dissect.*/
791 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
799 * IDL typedef struct {
800 * IDL LOGON_IDENTITY_INFO logon_info;
801 * IDL CHALLENGE chal;
802 * IDL STRING ntchallengeresponse;
803 * IDL STRING lmchallengeresponse;
804 * IDL } NETWORK_INFO;
807 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
808 proto_item *item _U_, tvbuff_t *tvb,
809 int start_offset, int end_offset,
810 void *callback_args _U_)
814 /* Skip over 3 guint32's in NDR format */
816 if (start_offset % 4)
817 start_offset += 4 - (start_offset % 4);
820 len = end_offset - start_offset;
822 /* Call ntlmv2 response dissector */
825 dissect_ntlmv2_response(tvb, tree, start_offset, len);
829 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
830 packet_info *pinfo, proto_tree *tree,
833 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
836 offset = netlogon_dissect_CHALLENGE(tvb, offset,
839 offset = dissect_ndr_counted_byte_array_cb(
840 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
841 dissect_nt_chal_resp_cb, NULL);
843 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
844 hf_netlogon_lm_chal_resp, 0);
850 * IDL typedef struct {
851 * IDL LOGON_IDENTITY_INFO logon_info;
852 * IDL LM_OWF_PASSWORD lmpassword;
853 * IDL NT_OWF_PASSWORD ntpassword;
854 * IDL } SERVICE_INFO;
857 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
858 packet_info *pinfo, proto_tree *tree,
861 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
864 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
867 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
874 * IDL typedef [switch_type(short)] union {
875 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
876 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
877 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
881 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
882 packet_info *pinfo, proto_tree *tree,
887 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
888 hf_netlogon_level16, &level);
893 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
894 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
895 "INTERACTIVE_INFO:", -1);
898 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
899 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
900 "NETWORK_INFO:", -1);
903 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
904 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
905 "SERVICE_INFO:", -1);
913 * IDL typedef struct {
918 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
919 packet_info *pinfo, proto_tree *tree,
924 di=pinfo->private_data;
925 if(di->conformant_run){
926 /*just a run to handle conformant arrays, nothing to dissect.*/
930 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
939 * IDL typedef struct {
940 * IDL CREDENTIAL cred;
941 * IDL long timestamp;
942 * IDL } AUTHENTICATOR;
945 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
946 packet_info *pinfo, proto_tree *tree,
952 di=pinfo->private_data;
953 if(di->conformant_run){
954 /*just a run to handle conformant arrays, nothing to dissect */
958 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
962 * XXX - this appears to be a UNIX time_t in some credentials, but
963 * appears to be random junk in other credentials.
964 * For example, it looks like a UNIX time_t in "credential"
965 * AUTHENTICATORs, but like random junk in "return_authenticator"
969 ts.secs = tvb_get_letohl(tvb, offset);
971 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
978 static const true_false_string group_attrs_mandatory = {
979 "The MANDATORY bit is SET",
980 "The mandatory bit is NOT set",
982 static const true_false_string group_attrs_enabled_by_default = {
983 "The ENABLED_BY_DEFAULT bit is SET",
984 "The enabled_by_default bit is NOT set",
986 static const true_false_string group_attrs_enabled = {
987 "The enabled bit is SET",
988 "The enabled bit is NOT set",
991 netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
992 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
995 proto_item *item = NULL;
996 proto_tree *tree = NULL;
999 di=pinfo->private_data;
1000 if(di->conformant_run){
1001 /*just a run to handle conformant arrays, nothing to dissect */
1005 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1006 hf_netlogon_attrs, &mask);
1009 item = proto_tree_add_uint(parent_tree, hf_netlogon_attrs,
1010 tvb, offset-4, 4, mask);
1011 tree = proto_item_add_subtree(item, ett_group_attrs);
1014 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled,
1015 tvb, offset-4, 4, mask);
1016 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled_by_default,
1017 tvb, offset-4, 4, mask);
1018 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_mandatory,
1019 tvb, offset-4, 4, mask);
1025 * IDL typedef struct {
1027 * IDL long attributes;
1028 * IDL } GROUP_MEMBERSHIP;
1031 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1032 packet_info *pinfo, proto_tree *parent_tree,
1035 proto_item *item=NULL;
1036 proto_tree *tree=NULL;
1039 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1040 "GROUP_MEMBERSHIP:");
1041 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
1044 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1045 hf_netlogon_group_rid, NULL);
1047 offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
1054 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1055 packet_info *pinfo, proto_tree *tree,
1058 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1059 netlogon_dissect_GROUP_MEMBERSHIP);
1065 * IDL typedef struct {
1066 * IDL char user_session_key[16];
1067 * IDL } USER_SESSION_KEY;
1070 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1071 packet_info *pinfo, proto_tree *tree,
1076 di=pinfo->private_data;
1077 if(di->conformant_run){
1078 /*just a run to handle conformant arrays, nothing to dissect.*/
1082 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
1091 static const true_false_string user_flags_extra_sids= {
1092 "The EXTRA_SIDS bit is SET",
1093 "The extra_sids is NOT set",
1095 static const true_false_string user_flags_resource_groups= {
1096 "The RESOURCE_GROUPS bit is SET",
1097 "The resource_groups is NOT set",
1100 netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1101 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
1104 proto_item *item = NULL;
1105 proto_tree *tree = NULL;
1108 di=pinfo->private_data;
1109 if(di->conformant_run){
1110 /*just a run to handle conformant arrays, nothing to dissect */
1114 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1115 hf_netlogon_user_flags, &mask);
1118 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_flags,
1119 tvb, offset-4, 4, mask);
1120 tree = proto_item_add_subtree(item, ett_user_flags);
1123 proto_tree_add_boolean(tree, hf_netlogon_user_flags_resource_groups,
1124 tvb, offset-4, 4, mask);
1125 proto_tree_add_boolean(tree, hf_netlogon_user_flags_extra_sids,
1126 tvb, offset-4, 4, mask);
1132 * IDL typedef struct {
1133 * IDL uint64 LogonTime;
1134 * IDL uint64 LogoffTime;
1135 * IDL uint64 KickOffTime;
1136 * IDL uint64 PasswdLastSet;
1137 * IDL uint64 PasswdCanChange;
1138 * IDL uint64 PasswdMustChange;
1139 * IDL unicodestring effectivename;
1140 * IDL unicodestring fullname;
1141 * IDL unicodestring logonscript;
1142 * IDL unicodestring profilepath;
1143 * IDL unicodestring homedirectory;
1144 * IDL unicodestring homedirectorydrive;
1145 * IDL short LogonCount;
1146 * IDL short BadPasswdCount;
1148 * IDL long primarygroup;
1149 * IDL long groupcount;
1150 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1151 * IDL long userflags;
1152 * IDL USER_SESSION_KEY key;
1153 * IDL unicodestring logonserver;
1154 * IDL unicodestring domainname;
1155 * IDL [unique] SID logondomainid;
1156 * IDL long expansionroom[2];
1157 * IDL long useraccountcontrol;
1158 * IDL long expansionroom[7];
1159 * IDL } VALIDATION_SAM_INFO;
1162 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1163 packet_info *pinfo, proto_tree *tree,
1168 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1169 hf_netlogon_logon_time);
1171 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1172 hf_netlogon_logoff_time);
1174 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1175 hf_netlogon_kickoff_time);
1177 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1178 hf_netlogon_pwd_last_set_time);
1180 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1181 hf_netlogon_pwd_can_change_time);
1183 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1184 hf_netlogon_pwd_must_change_time);
1186 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1187 hf_netlogon_acct_name, 0);
1189 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1190 hf_netlogon_full_name, 0);
1192 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1193 hf_netlogon_logon_script, 0);
1195 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1196 hf_netlogon_profile_path, 0);
1198 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1199 hf_netlogon_home_dir, 0);
1201 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1202 hf_netlogon_dir_drive, 0);
1204 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1205 hf_netlogon_logon_count16, NULL);
1207 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1208 hf_netlogon_bad_pw_count16, NULL);
1210 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1211 hf_netlogon_user_rid, NULL);
1213 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1214 hf_netlogon_group_rid, NULL);
1216 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1217 hf_netlogon_num_rids, NULL);
1219 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1220 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1221 "GROUP_MEMBERSHIP_ARRAY", -1);
1223 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1226 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1229 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1230 hf_netlogon_logon_srv, 0);
1232 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1233 hf_netlogon_logon_dom, 0);
1235 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1238 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1239 hf_netlogon_unknown_long, NULL);
1241 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1245 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1246 hf_netlogon_unknown_long, NULL);
1255 * IDL typedef struct {
1256 * IDL uint64 LogonTime;
1257 * IDL uint64 LogoffTime;
1258 * IDL uint64 KickOffTime;
1259 * IDL uint64 PasswdLastSet;
1260 * IDL uint64 PasswdCanChange;
1261 * IDL uint64 PasswdMustChange;
1262 * IDL unicodestring effectivename;
1263 * IDL unicodestring fullname;
1264 * IDL unicodestring logonscript;
1265 * IDL unicodestring profilepath;
1266 * IDL unicodestring homedirectory;
1267 * IDL unicodestring homedirectorydrive;
1268 * IDL short LogonCount;
1269 * IDL short BadPasswdCount;
1271 * IDL long primarygroup;
1272 * IDL long groupcount;
1273 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1274 * IDL long userflags;
1275 * IDL USER_SESSION_KEY key;
1276 * IDL unicodestring logonserver;
1277 * IDL unicodestring domainname;
1278 * IDL [unique] SID logondomainid;
1279 * IDL long expansionroom[2];
1280 * IDL long useraccountcontrol;
1281 * IDL long expansionroom[7];
1282 * IDL long sidcount;
1283 * IDL [unique] SID_AND_ATTRIBS;
1284 * IDL } VALIDATION_SAM_INFO2;
1287 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1288 packet_info *pinfo, proto_tree *tree,
1293 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1294 hf_netlogon_logon_time);
1296 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1297 hf_netlogon_logoff_time);
1299 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1300 hf_netlogon_kickoff_time);
1302 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1303 hf_netlogon_pwd_last_set_time);
1305 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1306 hf_netlogon_pwd_can_change_time);
1308 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1309 hf_netlogon_pwd_must_change_time);
1311 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1312 hf_netlogon_acct_name, 0);
1314 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1315 hf_netlogon_full_name, 0);
1317 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1318 hf_netlogon_logon_script, 0);
1320 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1321 hf_netlogon_profile_path, 0);
1323 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1324 hf_netlogon_home_dir, 0);
1326 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1327 hf_netlogon_dir_drive, 0);
1329 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1330 hf_netlogon_logon_count16, NULL);
1332 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1333 hf_netlogon_bad_pw_count16, NULL);
1335 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1336 hf_netlogon_user_rid, NULL);
1338 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1339 hf_netlogon_group_rid, NULL);
1341 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1342 hf_netlogon_num_rids, NULL);
1344 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1345 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1346 "GROUP_MEMBERSHIP_ARRAY", -1);
1348 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1351 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1354 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1355 hf_netlogon_logon_srv, 0);
1357 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1358 hf_netlogon_logon_dom, 0);
1360 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1364 hf_netlogon_unknown_long, NULL);
1366 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1370 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1371 hf_netlogon_unknown_long, NULL);
1374 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1375 hf_netlogon_num_other_groups, NULL);
1377 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1378 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1379 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1389 * IDL typedef struct {
1390 * IDL uint64 LogonTime;
1391 * IDL uint64 LogoffTime;
1392 * IDL uint64 KickOffTime;
1393 * IDL uint64 PasswdLastSet;
1394 * IDL uint64 PasswdCanChange;
1395 * IDL uint64 PasswdMustChange;
1396 * IDL unicodestring effectivename;
1397 * IDL unicodestring fullname;
1398 * IDL unicodestring logonscript;
1399 * IDL unicodestring profilepath;
1400 * IDL unicodestring homedirectory;
1401 * IDL unicodestring homedirectorydrive;
1402 * IDL short LogonCount;
1403 * IDL short BadPasswdCount;
1405 * IDL long primarygroup;
1406 * IDL long groupcount;
1407 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1408 * IDL long userflags;
1409 * IDL USER_SESSION_KEY key;
1410 * IDL unicodestring logonserver;
1411 * IDL unicodestring domainname;
1412 * IDL [unique] SID logondomainid;
1413 * IDL long expansionroom[2];
1414 * IDL long useraccountcontrol;
1415 * IDL long expansionroom[7];
1416 * IDL long sidcount;
1417 * IDL [unique] SID_AND_ATTRIBS;
1418 * IDL [unique] SID resourcegroupdomainsid;
1419 * IDL long resourcegroupcount;
1421 * IDL } PAC_LOGON_INFO;
1424 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1425 packet_info *pinfo, proto_tree *tree,
1431 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1432 hf_netlogon_logon_time);
1434 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1435 hf_netlogon_logoff_time);
1437 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1438 hf_netlogon_kickoff_time);
1440 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1441 hf_netlogon_pwd_last_set_time);
1443 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1444 hf_netlogon_pwd_can_change_time);
1446 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1447 hf_netlogon_pwd_must_change_time);
1449 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1450 hf_netlogon_acct_name, 0);
1452 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1453 hf_netlogon_full_name, 0);
1455 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1456 hf_netlogon_logon_script, 0);
1458 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1459 hf_netlogon_profile_path, 0);
1461 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1462 hf_netlogon_home_dir, 0);
1464 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1465 hf_netlogon_dir_drive, 0);
1467 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1468 hf_netlogon_logon_count16, NULL);
1470 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1471 hf_netlogon_bad_pw_count16, NULL);
1473 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1474 hf_netlogon_user_rid, NULL);
1476 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1477 hf_netlogon_group_rid, NULL);
1479 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1480 hf_netlogon_num_rids, NULL);
1482 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1483 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1484 "GROUP_MEMBERSHIP_ARRAY", -1);
1486 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1489 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1492 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1493 hf_netlogon_logon_srv, 0);
1495 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1496 hf_netlogon_logon_dom, 0);
1498 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1502 hf_netlogon_unknown_long, NULL);
1504 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1508 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1509 hf_netlogon_unknown_long, NULL);
1512 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1513 hf_netlogon_num_other_groups, NULL);
1515 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1516 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1517 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1519 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1521 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1522 hf_netlogon_resourcegroupcount, &rgc);
1524 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1525 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1526 "ResourceGroupIDs", -1);
1532 netlogon_dissect_CONSTRAINED_DELEGATION_name(tvbuff_t *tvb, int offset,
1533 packet_info *pinfo, proto_tree *tree,
1536 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1537 hf_netlogon_unknown_string, 0);
1543 netlogon_dissect_CONSTRAINED_DELEGATION_array(tvbuff_t *tvb, int offset,
1544 packet_info *pinfo, proto_tree *tree,
1547 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1548 netlogon_dissect_CONSTRAINED_DELEGATION_name);
1554 netlogon_dissect_PAC_CONSTRAINED_DELEGATION(tvbuff_t *tvb, int offset,
1555 packet_info *pinfo, proto_tree *tree,
1558 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1559 hf_netlogon_unknown_string, 0);
1561 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1562 hf_netlogon_unknown_long, NULL);
1564 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1565 netlogon_dissect_CONSTRAINED_DELEGATION_array, NDR_POINTER_UNIQUE,
1572 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1573 packet_info *pinfo, proto_tree *tree,
1579 di=pinfo->private_data;
1580 if(di->conformant_run){
1581 /*just a run to handle conformant arrays, nothing to dissect */
1585 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1586 hf_netlogon_pac_size, &pac_size);
1588 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1596 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1597 packet_info *pinfo, proto_tree *tree,
1603 di=pinfo->private_data;
1604 if(di->conformant_run){
1605 /*just a run to handle conformant arrays, nothing to dissect */
1609 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1610 hf_netlogon_auth_size, &auth_size);
1612 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1614 offset += auth_size;
1621 * IDL typedef struct {
1623 * IDL [unique][size_is(pac_size)] char *pac;
1624 * IDL UNICODESTRING logondomain;
1625 * IDL UNICODESTRING logonserver;
1626 * IDL UNICODESTRING principalname;
1627 * IDL long auth_size;
1628 * IDL [unique][size_is(auth_size)] char *auth;
1629 * IDL USER_SESSION_KEY user_session_key;
1630 * IDL long expansionroom[2];
1631 * IDL long useraccountcontrol;
1632 * IDL long expansionroom[7];
1633 * IDL UNICODESTRING dummy1;
1634 * IDL UNICODESTRING dummy2;
1635 * IDL UNICODESTRING dummy3;
1636 * IDL UNICODESTRING dummy4;
1637 * IDL } VALIDATION_PAC_INFO;
1640 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1641 packet_info *pinfo, proto_tree *tree,
1646 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1647 hf_netlogon_pac_size, NULL);
1649 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1650 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1652 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1653 hf_netlogon_logon_dom, 0);
1655 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1656 hf_netlogon_logon_srv, 0);
1658 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1659 hf_netlogon_principal, 0);
1661 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1662 hf_netlogon_auth_size, NULL);
1664 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1665 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1667 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1671 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1672 hf_netlogon_unknown_long, NULL);
1674 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1678 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1679 hf_netlogon_unknown_long, NULL);
1682 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1683 hf_netlogon_dummy, 0);
1685 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1686 hf_netlogon_dummy, 0);
1688 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1689 hf_netlogon_dummy, 0);
1691 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1692 hf_netlogon_dummy, 0);
1699 * IDL typedef [switch_type(short)] union {
1700 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1701 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1702 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1703 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1707 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1708 packet_info *pinfo, proto_tree *tree,
1713 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1714 hf_netlogon_validation_level, &level);
1719 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1720 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1721 "VALIDATION_SAM_INFO:", -1);
1724 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1725 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1726 "VALIDATION_SAM_INFO2:", -1);
1729 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1730 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1731 "VALIDATION_PAC_INFO:", -1);
1734 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1735 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1736 "VALIDATION_PAC_INFO:", -1);
1745 * IDL long NetrLogonSamLogon(
1746 * IDL [in][unique][string] wchar_t *ServerName,
1747 * IDL [in][unique][string] wchar_t *Workstation,
1748 * IDL [in][unique] AUTHENTICATOR *credential,
1749 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1750 * IDL [in] short LogonLevel,
1751 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1752 * IDL [in] short ValidationLevel,
1753 * IDL [out][ref] VALIDATION *validation,
1754 * IDL [out][ref] boolean Authorative
1758 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1759 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1761 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1764 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1765 NDR_POINTER_UNIQUE, "Computer Name",
1766 hf_netlogon_computer_name, 0);
1768 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1769 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1770 "AUTHENTICATOR: credential", -1);
1772 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1773 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1774 "AUTHENTICATOR: return_authenticator", -1);
1776 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1777 hf_netlogon_level16, NULL);
1779 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1780 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1781 "LEVEL: LogonLevel", -1);
1783 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1784 hf_netlogon_validation_level, NULL);
1790 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1791 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1793 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1794 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1795 "AUTHENTICATOR: return_authenticator", -1);
1797 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1798 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1801 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1802 hf_netlogon_authoritative, NULL);
1804 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1805 hf_netlogon_rc, NULL);
1812 * IDL long NetrLogonSamLogoff(
1813 * IDL [in][unique][string] wchar_t *ServerName,
1814 * IDL [in][unique][string] wchar_t *ComputerName,
1815 * IDL [in][unique] AUTHENTICATOR credential,
1816 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1817 * IDL [in] short logon_level,
1818 * IDL [in][ref] LEVEL logoninformation
1822 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1823 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1825 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1828 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1829 NDR_POINTER_UNIQUE, "Computer Name",
1830 hf_netlogon_computer_name, 0);
1832 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1833 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1834 "AUTHENTICATOR: credential", -1);
1836 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1837 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1838 "AUTHENTICATOR: return_authenticator", -1);
1840 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1841 hf_netlogon_level16, NULL);
1843 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1844 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1845 "LEVEL: logoninformation", -1);
1850 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1851 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1854 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1855 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1856 "AUTHENTICATOR: return_authenticator", -1);
1858 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1859 hf_netlogon_rc, NULL);
1866 * IDL long NetrServerReqChallenge(
1867 * IDL [in][unique][string] wchar_t *ServerName,
1868 * IDL [in][ref][string] wchar_t *ComputerName,
1869 * IDL [in][ref] CREDENTIAL client_credential,
1870 * IDL [out][ref] CREDENTIAL server_credential
1874 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1875 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1877 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1880 offset = dissect_ndr_pointer_cb(
1881 tvb, offset, pinfo, tree, drep,
1882 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1883 "Computer Name", hf_netlogon_computer_name,
1884 cb_wstr_postprocess,
1885 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1887 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1888 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1889 "CREDENTIAL: client challenge", -1);
1894 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1895 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1897 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1898 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1899 "CREDENTIAL: server credential", -1);
1901 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1902 hf_netlogon_rc, NULL);
1909 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1910 packet_info *pinfo, proto_tree *tree,
1913 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1914 hf_netlogon_secure_channel_type, NULL);
1921 * IDL long NetrServerAuthenticate(
1922 * IDL [in][unique][string] wchar_t *ServerName,
1923 * IDL [in][ref][string] wchar_t *UserName,
1924 * IDL [in] short secure_challenge_type,
1925 * IDL [in][ref][string] wchar_t *ComputerName,
1926 * IDL [in][ref] CREDENTIAL client_challenge,
1927 * IDL [out][ref] CREDENTIAL server_challenge
1931 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1932 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1934 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1937 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1938 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO);
1940 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1943 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1944 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO);
1946 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1947 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1948 "CREDENTIAL: client challenge", -1);
1953 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
1954 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1956 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1957 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1958 "CREDENTIAL: server challenge", -1);
1960 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1961 hf_netlogon_rc, NULL);
1969 * IDL typedef struct {
1970 * IDL char encrypted_password[16];
1971 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1974 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1975 packet_info *pinfo, proto_tree *tree,
1980 di=pinfo->private_data;
1981 if(di->conformant_run){
1982 /*just a run to handle conformant arrays, nothing to dissect.*/
1986 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1994 * IDL long NetrServerPasswordSet(
1995 * IDL [in][unique][string] wchar_t *ServerName,
1996 * IDL [in][ref][string] wchar_t *UserName,
1997 * IDL [in] short secure_challenge_type,
1998 * IDL [in][ref][string] wchar_t *ComputerName,
1999 * IDL [in][ref] AUTHENTICATOR credential,
2000 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
2001 * IDL [out][ref] AUTHENTICATOR return_authenticator
2005 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
2006 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2008 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2011 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2012 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
2014 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2017 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2018 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
2020 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2021 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2022 "AUTHENTICATOR: credential", -1);
2024 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2025 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
2026 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
2031 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
2032 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2034 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2035 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2036 "AUTHENTICATOR: return_authenticator", -1);
2038 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2039 hf_netlogon_rc, NULL);
2046 * IDL typedef struct {
2047 * IDL [unique][string] wchar_t *UserName;
2048 * IDL UNICODESTRING dummy1;
2049 * IDL UNICODESTRING dummy2;
2050 * IDL UNICODESTRING dummy3;
2051 * IDL UNICODESTRING dummy4;
2056 * IDL } DELTA_DELETE_USER;
2059 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
2060 packet_info *pinfo, proto_tree *tree,
2063 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2064 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
2066 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2067 hf_netlogon_dummy, 0);
2069 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2070 hf_netlogon_dummy, 0);
2072 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2073 hf_netlogon_dummy, 0);
2075 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2076 hf_netlogon_dummy, 0);
2078 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2079 hf_netlogon_reserved, NULL);
2081 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2082 hf_netlogon_reserved, NULL);
2084 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2085 hf_netlogon_reserved, NULL);
2087 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2088 hf_netlogon_reserved, NULL);
2095 * IDL typedef struct {
2096 * IDL bool SensitiveDataFlag;
2097 * IDL long DataLength;
2098 * IDL [unique][size_is(DataLength)] char *SensitiveData;
2099 * IDL } USER_PRIVATE_INFO;
2102 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
2103 packet_info *pinfo, proto_tree *tree,
2109 di=pinfo->private_data;
2110 if(di->conformant_run){
2111 /*just a run to handle conformant arrays, nothing to dissect */
2115 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2116 hf_netlogon_sensitive_data_len, &data_len);
2118 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
2125 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
2126 packet_info *pinfo, proto_tree *tree,
2129 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2130 hf_netlogon_sensitive_data_flag, NULL);
2132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2133 hf_netlogon_sensitive_data_len, NULL);
2135 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2136 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
2137 "SENSITIVE_DATA", -1);
2143 * IDL typedef struct {
2144 * IDL UNICODESTRING UserName;
2145 * IDL UNICODESTRING FullName;
2147 * IDL long PrimaryGroupID;
2148 * IDL UNICODESTRING HomeDir;
2149 * IDL UNICODESTRING HomeDirDrive;
2150 * IDL UNICODESTRING LogonScript;
2151 * IDL UNICODESTRING Comment;
2152 * IDL UNICODESTRING Workstations;
2153 * IDL NTTIME LastLogon;
2154 * IDL NTTIME LastLogoff;
2155 * IDL LOGON_HOURS logonhours;
2156 * IDL short BadPwCount;
2157 * IDL short LogonCount;
2158 * IDL NTTIME PwLastSet;
2159 * IDL NTTIME AccountExpires;
2160 * IDL long AccountControl;
2161 * IDL LM_OWF_PASSWORD lmpw;
2162 * IDL NT_OWF_PASSWORD ntpw;
2163 * IDL bool NTPwPresent;
2164 * IDL bool LMPwPresent;
2165 * IDL bool PwExpired;
2166 * IDL UNICODESTRING UserComment;
2167 * IDL UNICODESTRING Parameters;
2168 * IDL short CountryCode;
2169 * IDL short CodePage;
2170 * IDL USER_PRIVATE_INFO user_private_info;
2171 * IDL long SecurityInformation;
2172 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2173 * IDL UNICODESTRING dummy1;
2174 * IDL UNICODESTRING dummy2;
2175 * IDL UNICODESTRING dummy3;
2176 * IDL UNICODESTRING dummy4;
2184 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
2185 packet_info *pinfo, proto_tree *tree,
2188 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2189 hf_netlogon_acct_name, 3);
2191 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2192 hf_netlogon_full_name, 0);
2194 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2195 hf_netlogon_user_rid, NULL);
2197 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2198 hf_netlogon_group_rid, NULL);
2200 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2201 hf_netlogon_home_dir, 0);
2203 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2204 hf_netlogon_dir_drive, 0);
2206 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2207 hf_netlogon_logon_script, 0);
2209 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2210 hf_netlogon_acct_desc, 0);
2212 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2213 hf_netlogon_workstations, 0);
2215 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2216 hf_netlogon_logon_time);
2218 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2219 hf_netlogon_logoff_time);
2221 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
2223 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2224 hf_netlogon_bad_pw_count16, NULL);
2226 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2227 hf_netlogon_logon_count16, NULL);
2229 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2230 hf_netlogon_pwd_last_set_time);
2232 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2233 hf_netlogon_acct_expiry_time);
2235 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
2237 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
2240 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
2243 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2244 hf_netlogon_nt_pwd_present, NULL);
2246 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2247 hf_netlogon_lm_pwd_present, NULL);
2249 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2250 hf_netlogon_pwd_expired, NULL);
2252 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2253 hf_netlogon_comment, 0);
2255 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2256 hf_netlogon_parameters, 0);
2258 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2259 hf_netlogon_country, NULL);
2261 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2262 hf_netlogon_codepage, NULL);
2264 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
2267 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2268 hf_netlogon_security_information, NULL);
2270 offset = lsa_dissect_sec_desc_buf(tvb, offset,
2271 pinfo, tree, drep, 0, 0);
2273 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2274 hf_netlogon_dummy, 0);
2276 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2277 hf_netlogon_dummy, 0);
2279 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2280 hf_netlogon_dummy, 0);
2282 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2283 hf_netlogon_dummy, 0);
2285 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2286 hf_netlogon_reserved, NULL);
2288 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2289 hf_netlogon_reserved, NULL);
2291 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2292 hf_netlogon_reserved, NULL);
2294 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2295 hf_netlogon_reserved, NULL);
2302 * IDL typedef struct {
2303 * IDL UNICODESTRING DomainName;
2304 * IDL UNICODESTRING OEMInfo;
2305 * IDL NTTIME forcedlogoff;
2306 * IDL short minpasswdlen;
2307 * IDL short passwdhistorylen;
2308 * IDL NTTIME pwd_must_change_time;
2309 * IDL NTTIME pwd_can_change_time;
2310 * IDL NTTIME domain_modify_time;
2311 * IDL NTTIME domain_create_time;
2312 * IDL long SecurityInformation;
2313 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2314 * IDL UNICODESTRING dummy1;
2315 * IDL UNICODESTRING dummy2;
2316 * IDL UNICODESTRING dummy3;
2317 * IDL UNICODESTRING dummy4;
2322 * IDL } DELTA_DOMAIN;
2325 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
2326 packet_info *pinfo, proto_tree *tree,
2329 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2330 hf_netlogon_domain_name, 3);
2332 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2333 hf_netlogon_oem_info, 0);
2335 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2336 hf_netlogon_kickoff_time);
2338 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2339 hf_netlogon_minpasswdlen, NULL);
2341 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2342 hf_netlogon_passwdhistorylen, NULL);
2344 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2345 hf_netlogon_pwd_must_change_time);
2347 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2348 hf_netlogon_pwd_can_change_time);
2350 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2351 hf_netlogon_domain_modify_time);
2353 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2354 hf_netlogon_domain_create_time);
2356 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2357 hf_netlogon_security_information, NULL);
2359 offset = lsa_dissect_sec_desc_buf(tvb, offset,
2360 pinfo, tree, drep, 0, 0);
2362 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2363 hf_netlogon_dummy, 0);
2365 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2366 hf_netlogon_dummy, 0);
2368 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2369 hf_netlogon_dummy, 0);
2371 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2372 hf_netlogon_dummy, 0);
2374 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2375 hf_netlogon_reserved, NULL);
2377 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2378 hf_netlogon_reserved, NULL);
2380 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2381 hf_netlogon_reserved, NULL);
2383 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2384 hf_netlogon_reserved, NULL);
2391 * IDL typedef struct {
2392 * IDL UNICODESTRING groupname;
2393 * IDL GROUP_MEMBERSHIP group_membership;
2394 * IDL UNICODESTRING comment;
2395 * IDL long SecurityInformation;
2396 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2397 * IDL UNICODESTRING dummy1;
2398 * IDL UNICODESTRING dummy2;
2399 * IDL UNICODESTRING dummy3;
2400 * IDL UNICODESTRING dummy4;
2405 * IDL } DELTA_GROUP;
2408 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
2409 packet_info *pinfo, proto_tree *tree,
2412 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2413 hf_netlogon_group_name, 3);
2415 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
2418 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2419 hf_netlogon_group_desc, 0);
2421 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2422 hf_netlogon_security_information, NULL);
2424 offset = lsa_dissect_sec_desc_buf(tvb, offset,
2425 pinfo, tree, drep, 0, 0);
2427 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2428 hf_netlogon_dummy, 0);
2430 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2431 hf_netlogon_dummy, 0);
2433 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2434 hf_netlogon_dummy, 0);
2436 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2437 hf_netlogon_dummy, 0);
2439 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2440 hf_netlogon_reserved, NULL);
2442 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2443 hf_netlogon_reserved, NULL);
2445 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2446 hf_netlogon_reserved, NULL);
2448 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2449 hf_netlogon_reserved, NULL);
2456 * IDL typedef struct {
2457 * IDL UNICODESTRING OldName;
2458 * IDL UNICODESTRING NewName;
2459 * IDL UNICODESTRING dummy1;
2460 * IDL UNICODESTRING dummy2;
2461 * IDL UNICODESTRING dummy3;
2462 * IDL UNICODESTRING dummy4;
2467 * IDL } DELTA_RENAME;
2470 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2471 packet_info *pinfo, proto_tree *tree,
2476 di=pinfo->private_data;
2478 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2481 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2484 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2485 hf_netlogon_dummy, 0);
2487 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2488 hf_netlogon_dummy, 0);
2490 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2491 hf_netlogon_dummy, 0);
2493 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2494 hf_netlogon_dummy, 0);
2496 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2497 hf_netlogon_reserved, NULL);
2499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2500 hf_netlogon_reserved, NULL);
2502 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2503 hf_netlogon_reserved, NULL);
2505 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2506 hf_netlogon_reserved, NULL);
2513 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2514 packet_info *pinfo, proto_tree *tree,
2517 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2518 hf_netlogon_user_rid, NULL);
2524 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2525 packet_info *pinfo, proto_tree *tree,
2528 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2529 netlogon_dissect_RID);
2535 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2536 packet_info *pinfo, proto_tree *tree,
2539 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2540 hf_netlogon_attrs, NULL);
2546 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2547 packet_info *pinfo, proto_tree *tree,
2550 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2551 netlogon_dissect_ATTRIB);
2557 * IDL typedef struct {
2558 * IDL [unique][size_is(num_rids)] long *rids;
2559 * IDL [unique][size_is(num_rids)] long *attribs;
2560 * IDL long num_rids;
2565 * IDL } DELTA_GROUP_MEMBER;
2568 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2569 packet_info *pinfo, proto_tree *tree,
2572 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2573 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2576 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2577 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2580 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2581 hf_netlogon_num_rids, NULL);
2583 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2584 hf_netlogon_reserved, NULL);
2586 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2587 hf_netlogon_reserved, NULL);
2589 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2590 hf_netlogon_reserved, NULL);
2592 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2593 hf_netlogon_reserved, NULL);
2600 * IDL typedef struct {
2601 * IDL UNICODESTRING alias_name;
2603 * IDL long SecurityInformation;
2604 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2605 * IDL UNICODESTRING dummy1;
2606 * IDL UNICODESTRING dummy2;
2607 * IDL UNICODESTRING dummy3;
2608 * IDL UNICODESTRING dummy4;
2613 * IDL } DELTA_ALIAS;
2616 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2617 packet_info *pinfo, proto_tree *tree,
2620 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2621 hf_netlogon_alias_name, 0);
2623 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2624 hf_netlogon_alias_rid, NULL);
2626 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2627 hf_netlogon_security_information, NULL);
2629 offset = lsa_dissect_sec_desc_buf(tvb, offset,
2630 pinfo, tree, drep, 0, 0);
2632 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2633 hf_netlogon_dummy, 0);
2635 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2636 hf_netlogon_dummy, 0);
2638 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2639 hf_netlogon_dummy, 0);
2641 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2642 hf_netlogon_dummy, 0);
2644 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2645 hf_netlogon_reserved, NULL);
2647 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2648 hf_netlogon_reserved, NULL);
2650 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2651 hf_netlogon_reserved, NULL);
2653 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2654 hf_netlogon_reserved, NULL);
2661 * IDL typedef struct {
2662 * IDL [unique] SID_ARRAY sids;
2667 * IDL } DELTA_ALIAS_MEMBER;
2670 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2671 packet_info *pinfo, proto_tree *tree,
2674 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2676 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2677 hf_netlogon_reserved, NULL);
2679 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2680 hf_netlogon_reserved, NULL);
2682 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2683 hf_netlogon_reserved, NULL);
2685 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2686 hf_netlogon_reserved, NULL);
2693 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2694 packet_info *pinfo, proto_tree *tree,
2697 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2698 hf_netlogon_event_audit_option, NULL);
2704 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2705 packet_info *pinfo, proto_tree *tree,
2708 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2709 netlogon_dissect_EVENT_AUDIT_OPTION);
2716 * IDL typedef struct {
2717 * IDL long pagedpoollimit;
2718 * IDL long nonpagedpoollimit;
2719 * IDL long minimumworkingsetsize;
2720 * IDL long maximumworkingsetsize;
2721 * IDL long pagefilelimit;
2722 * IDL NTTIME timelimit;
2723 * IDL } QUOTA_LIMITS;
2726 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2727 packet_info *pinfo, proto_tree *parent_tree,
2730 proto_item *item=NULL;
2731 proto_tree *tree=NULL;
2732 int old_offset=offset;
2735 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2737 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2740 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2741 hf_netlogon_pagedpoollimit, NULL);
2743 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2744 hf_netlogon_nonpagedpoollimit, NULL);
2746 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2747 hf_netlogon_minworkingsetsize, NULL);
2749 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2750 hf_netlogon_maxworkingsetsize, NULL);
2752 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2753 hf_netlogon_pagefilelimit, NULL);
2755 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2756 hf_netlogon_timelimit);
2758 proto_item_set_len(item, offset-old_offset);
2764 * IDL typedef struct {
2765 * IDL long maxlogsize;
2766 * IDL NTTIME auditretentionperiod;
2767 * IDL bool auditingmode;
2768 * IDL long maxauditeventcount;
2769 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2770 * IDL UNICODESTRING primarydomainname;
2771 * IDL [unique] SID *sid;
2772 * IDL QUOTA_LIMITS quota_limits;
2773 * IDL NTTIME db_modify_time;
2774 * IDL NTTIME db_create_time;
2775 * IDL long SecurityInformation;
2776 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2777 * IDL UNICODESTRING dummy1;
2778 * IDL UNICODESTRING dummy2;
2779 * IDL UNICODESTRING dummy3;
2780 * IDL UNICODESTRING dummy4;
2785 * IDL } DELTA_POLICY;
2788 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2789 packet_info *pinfo, proto_tree *tree,
2792 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2793 hf_netlogon_max_log_size, NULL);
2795 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2796 hf_netlogon_audit_retention_period);
2798 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2799 hf_netlogon_auditing_mode, NULL);
2801 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2802 hf_netlogon_max_audit_event_count, NULL);
2804 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2805 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2806 "Event Audit Options:", -1);
2808 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2809 hf_netlogon_domain_name, 0);
2811 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
2813 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2816 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2817 hf_netlogon_db_modify_time);
2819 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2820 hf_netlogon_db_create_time);
2822 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2823 hf_netlogon_security_information, NULL);
2825 offset = lsa_dissect_sec_desc_buf(tvb, offset,
2826 pinfo, tree, drep, 0, 0);
2828 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2829 hf_netlogon_dummy, 0);
2831 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2832 hf_netlogon_dummy, 0);
2834 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2835 hf_netlogon_dummy, 0);
2837 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2838 hf_netlogon_dummy, 0);
2840 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2841 hf_netlogon_reserved, NULL);
2843 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2844 hf_netlogon_reserved, NULL);
2846 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2847 hf_netlogon_reserved, NULL);
2849 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2850 hf_netlogon_reserved, NULL);
2857 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2858 packet_info *pinfo, proto_tree *tree,
2861 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2862 hf_netlogon_dc_name, 0);
2868 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2869 packet_info *pinfo, proto_tree *tree,
2872 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2873 netlogon_dissect_CONTROLLER);
2880 * IDL typedef struct {
2881 * IDL UNICODESTRING DomainName;
2882 * IDL long num_controllers;
2883 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2884 * IDL long SecurityInformation;
2885 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2886 * IDL UNICODESTRING dummy1;
2887 * IDL UNICODESTRING dummy2;
2888 * IDL UNICODESTRING dummy3;
2889 * IDL UNICODESTRING dummy4;
2894 * IDL } DELTA_TRUSTED_DOMAINS;
2897 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2898 packet_info *pinfo, proto_tree *tree,
2901 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2902 hf_netlogon_domain_name, 0);
2904 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2905 hf_netlogon_num_controllers, NULL);
2907 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2908 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2909 "Domain Controllers:", -1);
2911 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2912 hf_netlogon_security_information, NULL);
2914 offset = lsa_dissect_sec_desc_buf(tvb, offset,
2915 pinfo, tree, drep, 0, 0);
2917 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2918 hf_netlogon_dummy, 0);
2920 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2921 hf_netlogon_dummy, 0);
2923 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2924 hf_netlogon_dummy, 0);
2926 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2927 hf_netlogon_dummy, 0);
2929 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2930 hf_netlogon_reserved, NULL);
2932 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2933 hf_netlogon_reserved, NULL);
2935 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2936 hf_netlogon_reserved, NULL);
2938 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2939 hf_netlogon_reserved, NULL);
2946 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2947 packet_info *pinfo, proto_tree *tree,
2950 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2951 hf_netlogon_attrs, NULL);
2957 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2958 packet_info *pinfo, proto_tree *tree,
2961 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2962 netlogon_dissect_PRIV_ATTR);
2968 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2969 packet_info *pinfo, proto_tree *tree,
2972 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2973 hf_netlogon_privilege_name, 1);
2979 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2980 packet_info *pinfo, proto_tree *tree,
2983 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2984 netlogon_dissect_PRIV_NAME);
2992 * IDL typedef struct {
2993 * IDL long privilegeentries;
2994 * IDL long provolegecontrol;
2995 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2996 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2997 * IDL QUOTALIMITS quotalimits;
2998 * IDL long SecurityInformation;
2999 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3000 * IDL UNICODESTRING dummy1;
3001 * IDL UNICODESTRING dummy2;
3002 * IDL UNICODESTRING dummy3;
3003 * IDL UNICODESTRING dummy4;
3008 * IDL } DELTA_ACCOUNTS;
3011 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
3012 packet_info *pinfo, proto_tree *tree,
3015 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3016 hf_netlogon_privilege_entries, NULL);
3018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3019 hf_netlogon_privilege_control, NULL);
3021 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3022 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
3023 "PRIV_ATTR_ARRAY:", -1);
3025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3026 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
3027 "PRIV_NAME_ARRAY:", -1);
3029 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3032 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3033 hf_netlogon_systemflags, NULL);
3035 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3036 hf_netlogon_security_information, NULL);
3038 offset = lsa_dissect_sec_desc_buf(tvb, offset,
3039 pinfo, tree, drep, 0, 0);
3041 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3042 hf_netlogon_dummy, 0);
3044 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3045 hf_netlogon_dummy, 0);
3047 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3048 hf_netlogon_dummy, 0);
3050 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3051 hf_netlogon_dummy, 0);
3053 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3054 hf_netlogon_reserved, NULL);
3056 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3057 hf_netlogon_reserved, NULL);
3059 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3060 hf_netlogon_reserved, NULL);
3062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3063 hf_netlogon_reserved, NULL);
3069 * IDL typedef struct {
3072 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
3073 * IDL } CIPHER_VALUE;
3076 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
3077 packet_info *pinfo, proto_tree *tree,
3083 di=pinfo->private_data;
3084 if(di->conformant_run){
3085 /*just a run to handle conformant arrays, nothing to dissect */
3089 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3090 hf_netlogon_cipher_maxlen, NULL);
3095 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3096 hf_netlogon_cipher_len, &data_len);
3098 proto_tree_add_item(tree, di->hf_index, tvb, offset,
3105 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
3106 packet_info *pinfo, proto_tree *parent_tree,
3107 guint8 *drep, const char *name, int hf_index)
3109 proto_item *item=NULL;
3110 proto_tree *tree=NULL;
3111 int old_offset=offset;
3114 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3116 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
3119 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3120 hf_netlogon_cipher_len, NULL);
3122 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3123 hf_netlogon_cipher_maxlen, NULL);
3125 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3126 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
3129 proto_item_set_len(item, offset-old_offset);
3134 * IDL typedef struct {
3135 * IDL CIPHER_VALUE current_cipher;
3136 * IDL NTTIME current_cipher_set_time;
3137 * IDL CIPHER_VALUE old_cipher;
3138 * IDL NTTIME old_cipher_set_time;
3139 * IDL long SecurityInformation;
3140 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3141 * IDL UNICODESTRING dummy1;
3142 * IDL UNICODESTRING dummy2;
3143 * IDL UNICODESTRING dummy3;
3144 * IDL UNICODESTRING dummy4;
3149 * IDL } DELTA_SECRET;
3152 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
3153 packet_info *pinfo, proto_tree *tree,
3156 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3158 "CIPHER_VALUE: current cipher value",
3159 hf_netlogon_cipher_current_data);
3161 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3162 hf_netlogon_cipher_current_set_time);
3164 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3166 "CIPHER_VALUE: old cipher value",
3167 hf_netlogon_cipher_old_data);
3169 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3170 hf_netlogon_cipher_old_set_time);
3172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3173 hf_netlogon_security_information, NULL);
3175 offset = lsa_dissect_sec_desc_buf(tvb, offset,
3176 pinfo, tree, drep, 0, 0);
3178 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3179 hf_netlogon_dummy, 0);
3181 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3182 hf_netlogon_dummy, 0);
3184 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3185 hf_netlogon_dummy, 0);
3187 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3188 hf_netlogon_dummy, 0);
3190 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3191 hf_netlogon_reserved, NULL);
3193 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3194 hf_netlogon_reserved, NULL);
3196 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3197 hf_netlogon_reserved, NULL);
3199 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3200 hf_netlogon_reserved, NULL);
3206 * IDL typedef struct {
3207 * IDL long low_value;
3208 * IDL long high_value;
3212 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
3213 packet_info *pinfo, proto_tree *tree,
3216 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, drep,
3217 hf_netlogon_modify_count, NULL);
3223 #define DT_DELTA_DOMAIN 1
3224 #define DT_DELTA_GROUP 2
3225 #define DT_DELTA_DELETE_GROUP 3
3226 #define DT_DELTA_RENAME_GROUP 4
3227 #define DT_DELTA_USER 5
3228 #define DT_DELTA_DELETE_USER 6
3229 #define DT_DELTA_RENAME_USER 7
3230 #define DT_DELTA_GROUP_MEMBER 8
3231 #define DT_DELTA_ALIAS 9
3232 #define DT_DELTA_DELETE_ALIAS 10
3233 #define DT_DELTA_RENAME_ALIAS 11
3234 #define DT_DELTA_ALIAS_MEMBER 12
3235 #define DT_DELTA_POLICY 13
3236 #define DT_DELTA_TRUSTED_DOMAINS 14
3237 #define DT_DELTA_DELETE_TRUST 15
3238 #define DT_DELTA_ACCOUNTS 16
3239 #define DT_DELTA_DELETE_ACCOUNT 17
3240 #define DT_DELTA_SECRET 18
3241 #define DT_DELTA_DELETE_SECRET 19
3242 #define DT_DELTA_DELETE_GROUP2 20
3243 #define DT_DELTA_DELETE_USER2 21
3244 #define DT_MODIFIED_COUNT 22
3245 static const value_string delta_type_vals[] = {
3246 { DT_DELTA_DOMAIN, "Domain" },
3247 { DT_DELTA_GROUP, "Group" },
3248 { DT_DELTA_DELETE_GROUP, "Delete Group" },
3249 { DT_DELTA_RENAME_GROUP, "Rename Group" },
3250 { DT_DELTA_USER, "User" },
3251 { DT_DELTA_DELETE_USER, "Delete User" },
3252 { DT_DELTA_RENAME_USER, "Rename User" },
3253 { DT_DELTA_GROUP_MEMBER, "Group Member" },
3254 { DT_DELTA_ALIAS, "Alias" },
3255 { DT_DELTA_DELETE_ALIAS, "Delete Alias" },
3256 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
3257 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
3258 { DT_DELTA_POLICY, "Policy" },
3259 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
3260 { DT_DELTA_DELETE_TRUST, "Delete Trust" },
3261 { DT_DELTA_ACCOUNTS, "Accounts" },
3262 { DT_DELTA_DELETE_ACCOUNT, "Delete Account" },
3263 { DT_DELTA_SECRET, "Secret" },
3264 { DT_DELTA_DELETE_SECRET, "Delete Secret" },
3265 { DT_DELTA_DELETE_GROUP2, "Delete Group2" },
3266 { DT_DELTA_DELETE_USER2, "Delete User2" },
3267 { DT_MODIFIED_COUNT, "Modified Count" },
3271 * IDL typedef [switch_type(short)] union {
3272 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
3273 * IDL [case(2)][unique] DELTA_GROUP *group;
3274 * IDL [case(3)][unique] rid only ;
3275 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3276 * IDL [case(5)][unique] DELTA_USER *user;
3277 * IDL [case(6)][unique] rid only ;
3278 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
3279 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3280 * IDL [case(9)][unique] DELTA_ALIAS *alias;
3281 * IDL [case(10)][unique] rid only ;
3282 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
3283 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3284 * IDL [case(13)][unique] DELTA_POLICY *policy;
3285 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3286 * IDL [case(15)][unique] PSID ;
3287 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
3288 * IDL [case(17)][unique] PSID ;
3289 * IDL [case(18)][unique] DELTA_SECRET *secret;
3290 * IDL [case(19)][unique] string;
3291 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
3292 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
3293 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
3294 * IDL } DELTA_UNION;
3297 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
3298 packet_info *pinfo, proto_tree *parent_tree,
3301 proto_item *item=NULL;
3302 proto_tree *tree=NULL;
3303 int old_offset=offset;
3307 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3309 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
3312 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3313 hf_netlogon_delta_type, &level);
3318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3319 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
3320 "DELTA_DOMAIN:", -1);
3323 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3324 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
3325 "DELTA_GROUP:", -1);
3328 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3329 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3330 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
3333 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3334 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
3338 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3339 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3340 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
3343 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3344 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
3345 "DELTA_GROUP_MEMBER:", -1);
3348 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3349 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
3350 "DELTA_ALIAS:", -1);
3353 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3354 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3355 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
3358 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3359 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
3360 "DELTA_ALIAS_MEMBER:", -1);
3363 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3364 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
3365 "DELTA_POLICY:", -1);
3368 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3369 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
3370 "DELTA_TRUSTED_DOMAINS:", -1);
3373 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3374 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
3375 "DELTA_ACCOUNTS:", -1);
3378 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3379 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
3380 "DELTA_SECRET:", -1);
3383 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3384 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3385 "DELTA_DELETE_GROUP:", -1);
3388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3389 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3390 "DELTA_DELETE_USER:", -1);
3393 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3394 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
3395 "MODIFIED_COUNT:", -1);
3399 proto_item_set_len(item, offset-old_offset);
3405 /* IDL XXX must verify this one, especially 13-19
3406 * IDL typedef [switch_type(short)] union {
3407 * IDL [case(1)] long rid;
3408 * IDL [case(2)] long rid;
3409 * IDL [case(3)] long rid;
3410 * IDL [case(4)] long rid;
3411 * IDL [case(5)] long rid;
3412 * IDL [case(6)] long rid;
3413 * IDL [case(7)] long rid;
3414 * IDL [case(8)] long rid;
3415 * IDL [case(9)] long rid;
3416 * IDL [case(10)] long rid;
3417 * IDL [case(11)] long rid;
3418 * IDL [case(12)] long rid;
3419 * IDL [case(13)] [unique] SID *sid;
3420 * IDL [case(14)] [unique] SID *sid;
3421 * IDL [case(15)] [unique] SID *sid;
3422 * IDL [case(16)] [unique] SID *sid;
3423 * IDL [case(17)] [unique] SID *sid;
3424 * IDL [case(18)] [unique][string] wchar_t *Name ;
3425 * IDL [case(19)] [unique][string] wchar_t *Name ;
3426 * IDL [case(20)] long rid;
3427 * IDL [case(21)] long rid;
3428 * IDL } DELTA_ID_UNION;
3431 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
3432 packet_info *pinfo, proto_tree *parent_tree,
3435 proto_item *item=NULL;
3436 proto_tree *tree=NULL;
3437 int old_offset=offset;
3441 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3443 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
3446 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3447 hf_netlogon_delta_type, &level);
3452 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3453 hf_netlogon_group_rid, NULL);
3456 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3457 hf_netlogon_user_rid, NULL);
3460 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3461 hf_netlogon_user_rid, NULL);
3464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3465 hf_netlogon_user_rid, NULL);
3468 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3469 hf_netlogon_user_rid, NULL);
3472 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3473 hf_netlogon_user_rid, NULL);
3476 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3477 hf_netlogon_user_rid, NULL);
3480 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3481 hf_netlogon_user_rid, NULL);
3484 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3485 hf_netlogon_user_rid, NULL);
3488 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3489 hf_netlogon_user_rid, NULL);
3492 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3493 hf_netlogon_user_rid, NULL);
3496 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3497 hf_netlogon_user_rid, NULL);
3500 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3503 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3506 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3509 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3512 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3515 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3516 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3517 hf_netlogon_unknown_string, 0);
3520 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3521 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3522 hf_netlogon_unknown_string, 0);
3525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3526 hf_netlogon_user_rid, NULL);
3529 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3530 hf_netlogon_user_rid, NULL);
3534 proto_item_set_len(item, offset-old_offset);
3539 * IDL typedef struct {
3540 * IDL short delta_type;
3541 * IDL DELTA_ID_UNION delta_id_union;
3542 * IDL DELTA_UNION delta_union;
3546 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3547 packet_info *pinfo, proto_tree *parent_tree,
3550 proto_item *item=NULL;
3551 proto_tree *tree=NULL;
3552 int old_offset=offset;
3556 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3558 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3561 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3562 hf_netlogon_delta_type, &type);
3564 proto_item_append_text(item, val_to_str(
3565 type, delta_type_vals, "Unknown"));
3567 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3570 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3573 proto_item_set_len(item, offset-old_offset);
3578 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3579 packet_info *pinfo, proto_tree *tree,
3582 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3583 netlogon_dissect_DELTA_ENUM);
3589 * IDL typedef struct {
3590 * IDL long num_deltas;
3591 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3592 * IDL } DELTA_ENUM_ARRAY;
3595 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3596 packet_info *pinfo, proto_tree *tree,
3599 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3600 hf_netlogon_num_deltas, NULL);
3602 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3603 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3604 "DELTA_ENUM: deltas", -1);
3611 * IDL long NetrDatabaseDeltas(
3612 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3613 * IDL [in][string][ref] wchar_t *computername,
3614 * IDL [in][ref] AUTHENTICATOR credential,
3615 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3616 * IDL [in] long database_id,
3617 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3618 * IDL [in] long preferredmaximumlength,
3619 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3623 netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
3624 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3626 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3627 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3629 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3630 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3632 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3633 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3634 "AUTHENTICATOR: credential", -1);
3636 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3637 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3638 "AUTHENTICATOR: return_authenticator", -1);
3640 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3641 hf_netlogon_database_id, NULL);
3643 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3644 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3645 "MODIFIED_COUNT: domain modified count", -1);
3647 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3648 hf_netlogon_max_size, NULL);
3653 netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
3654 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3656 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3657 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3658 "AUTHENTICATOR: return_authenticator", -1);
3660 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3661 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3662 "MODIFIED_COUNT: domain modified count", -1);
3664 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3665 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3666 "DELTA_ENUM_ARRAY: deltas", -1);
3668 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3669 hf_netlogon_rc, NULL);
3676 * IDL long NetrDatabaseSync(
3677 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3678 * IDL [in][string][ref] wchar_t *computername,
3679 * IDL [in][ref] AUTHENTICATOR credential,
3680 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3681 * IDL [in] long database_id,
3682 * IDL [in][out][ref] long sync_context,
3683 * IDL [in] long preferredmaximumlength,
3684 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3688 netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
3689 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3691 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3692 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3694 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3695 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3697 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3698 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3699 "AUTHENTICATOR: credential", -1);
3701 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3702 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3703 "AUTHENTICATOR: return_authenticator", -1);
3705 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3706 hf_netlogon_database_id, NULL);
3708 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3709 hf_netlogon_sync_context, NULL);
3711 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3712 hf_netlogon_max_size, NULL);
3719 netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
3720 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3722 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3723 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3724 "AUTHENTICATOR: return_authenticator", -1);
3726 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3727 hf_netlogon_sync_context, NULL);
3729 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3730 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3731 "DELTA_ENUM_ARRAY: deltas", -1);
3733 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3734 hf_netlogon_rc, NULL);
3740 * IDL typedef struct {
3741 * IDL char computer_name[16];
3742 * IDL long timecreated;
3743 * IDL long serial_number;
3747 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3748 packet_info *pinfo, proto_tree *tree,
3753 di=pinfo->private_data;
3754 if(di->conformant_run){
3755 /*just a run to handle conformant arrays, nothing to dissect */
3759 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3762 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3765 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3766 hf_netlogon_serial_number, NULL);
3773 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3774 packet_info *pinfo, proto_tree *tree,
3777 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3778 hf_netlogon_unknown_char, NULL);
3784 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3785 packet_info *pinfo, proto_tree *tree,
3788 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3789 netlogon_dissect_BYTE_byte);
3795 * IDL long NetrAccountDeltas(
3796 * IDL [in][string][unique] wchar_t *logonserver,
3797 * IDL [in][string][ref] wchar_t *computername,
3798 * IDL [in][ref] AUTHENTICATOR credential,
3799 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3800 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3801 * IDL [out][ref] long count_returned,
3802 * IDL [out][ref] long total_entries,
3803 * IDL [in][out][ref] UAS_INFO_0 recordid,
3804 * IDL [in][long] count,
3805 * IDL [in][long] level,
3806 * IDL [in][long] buffersize,
3810 netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
3811 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3813 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3816 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3817 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3819 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3820 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3821 "AUTHENTICATOR: credential", -1);
3823 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3824 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3825 "AUTHENTICATOR: return_authenticator", -1);
3827 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3828 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3829 "UAS_INFO_0: RecordID", -1);
3831 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3832 hf_netlogon_count, NULL);
3834 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3835 hf_netlogon_level, NULL);
3837 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3838 hf_netlogon_max_size, NULL);
3843 netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
3844 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3846 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3847 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3848 "AUTHENTICATOR: return_authenticator", -1);
3850 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3851 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3852 "BYTE_array: Buffer", -1);
3854 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3855 hf_netlogon_count, NULL);
3857 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3858 hf_netlogon_entries, NULL);
3860 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3861 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3862 "UAS_INFO_0: RecordID", -1);
3864 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3865 hf_netlogon_rc, NULL);
3872 * IDL long NetrAccountSync(
3873 * IDL [in][string][unique] wchar_t *logonserver,
3874 * IDL [in][string][ref] wchar_t *computername,
3875 * IDL [in][ref] AUTHENTICATOR credential,
3876 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3877 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3878 * IDL [out][ref] long count_returned,
3879 * IDL [out][ref] long total_entries,
3880 * IDL [out][ref] long next_reference,
3881 * IDL [in][long] reference,
3882 * IDL [in][long] level,
3883 * IDL [in][long] buffersize,
3884 * IDL [in][out][ref] UAS_INFO_0 recordid,
3888 netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
3889 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3891 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3894 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3895 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3897 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3898 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3899 "AUTHENTICATOR: credential", -1);
3901 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3902 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3903 "AUTHENTICATOR: return_authenticator", -1);
3905 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3906 hf_netlogon_reference, NULL);
3908 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3909 hf_netlogon_level, NULL);
3911 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3912 hf_netlogon_max_size, NULL);
3917 netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
3918 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3920 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3921 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3922 "AUTHENTICATOR: return_authenticator", -1);
3924 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3925 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3926 "BYTE_array: Buffer", -1);
3928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3929 hf_netlogon_count, NULL);
3931 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3932 hf_netlogon_entries, NULL);
3934 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3935 hf_netlogon_next_reference, NULL);
3937 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3938 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3939 "UAS_INFO_0: RecordID", -1);
3941 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3942 hf_netlogon_rc, NULL);
3949 * IDL long NetrGetDcName(
3950 * IDL [in][ref][string] wchar_t *logon_server,
3951 * IDL [in][unique][string] wchar_t *domainname,
3952 * IDL [out][unique][string] wchar_t *dcname,
3956 netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
3957 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3959 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3960 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3962 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3963 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3968 netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
3969 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3971 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3972 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3974 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3975 hf_netlogon_rc, NULL);
3983 * IDL typedef struct {
3985 * IDL long pdc_connection_status;
3986 * IDL } NETLOGON_INFO_1;
3989 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3990 packet_info *pinfo, proto_tree *tree,
3993 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3994 hf_netlogon_flags, NULL);
3996 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3997 hf_netlogon_pdc_connection_status, NULL);
4004 * IDL typedef struct {
4006 * IDL long pdc_connection_status;
4007 * IDL [unique][string] wchar_t trusted_dc_name;
4008 * IDL long tc_connection_status;
4009 * IDL } NETLOGON_INFO_2;
4012 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
4013 packet_info *pinfo, proto_tree *tree,
4016 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4017 hf_netlogon_flags, NULL);
4019 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4020 hf_netlogon_pdc_connection_status, NULL);
4022 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4023 NDR_POINTER_UNIQUE, "Trusted DC Name",
4024 hf_netlogon_trusted_dc_name, 0);
4026 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4027 hf_netlogon_tc_connection_status, NULL);
4034 * IDL typedef struct {
4036 * IDL long logon_attempts;
4037 * IDL long reserved;
4038 * IDL long reserved;
4039 * IDL long reserved;
4040 * IDL long reserved;
4041 * IDL long reserved;
4042 * IDL } NETLOGON_INFO_3;
4045 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
4046 packet_info *pinfo, proto_tree *tree,
4049 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4050 hf_netlogon_flags, NULL);
4052 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4053 hf_netlogon_logon_attempts, NULL);
4055 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4056 hf_netlogon_reserved, NULL);
4058 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4059 hf_netlogon_reserved, NULL);
4061 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4062 hf_netlogon_reserved, NULL);
4064 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4065 hf_netlogon_reserved, NULL);
4067 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4068 hf_netlogon_reserved, NULL);
4075 * IDL typedef [switch_type(long)] union {
4076 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
4077 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
4078 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
4079 * IDL } CONTROL_QUERY_INFORMATION;
4082 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
4083 packet_info *pinfo, proto_tree *tree,
4088 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4089 hf_netlogon_level, &level);
4094 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4095 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
4096 "NETLOGON_INFO_1:", -1);
4099 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4100 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
4101 "NETLOGON_INFO_2:", -1);
4104 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4105 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
4106 "NETLOGON_INFO_3:", -1);
4115 * IDL long NetrLogonControl(
4116 * IDL [in][string][unique] wchar_t *logonserver,
4117 * IDL [in] long function_code,
4118 * IDL [in] long level,
4119 * IDL [out][ref] CONTROL_QUERY_INFORMATION
4123 netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
4124 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4126 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4129 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4130 hf_netlogon_code, NULL);
4132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4133 hf_netlogon_level, NULL);
4138 netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
4139 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4141 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4142 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4143 "CONTROL_QUERY_INFORMATION:", -1);
4145 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4146 hf_netlogon_dos_rc, NULL);
4153 * IDL long NetrGetAnyDCName(
4154 * IDL [in][unique][string] wchar_t *logon_server,
4155 * IDL [in][unique][string] wchar_t *domainname,
4156 * IDL [out][unique][string] wchar_t *dcname,
4160 netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
4161 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4163 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4164 NDR_POINTER_UNIQUE, "Server Handle",
4165 hf_netlogon_logonsrv_handle, 0);
4167 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4168 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
4173 netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
4174 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4176 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4177 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4179 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4180 hf_netlogon_dos_rc, NULL);
4187 * IDL typedef [switch_type(long)] union {
4188 * IDL [case(5)] [unique][string] wchar_t *unknown;
4189 * IDL [case(6)] [unique][string] wchar_t *unknown;
4190 * IDL [case(0xfffe)] long unknown;
4191 * IDL [case(7)] [unique][string] wchar_t *unknown;
4192 * IDL } CONTROL_DATA_INFORMATION;
4195 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
4196 * to look like. However NetMon does not recognize any such informationlevels.
4198 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
4199 * until someone has any source of better authority to call upon.
4202 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
4203 packet_info *pinfo, proto_tree *tree,
4208 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4209 hf_netlogon_level, &level);
4214 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4215 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4216 hf_netlogon_unknown_string, 0);
4219 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4220 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4221 hf_netlogon_unknown_string, 0);
4224 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4225 hf_netlogon_unknown_long, NULL);
4228 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4229 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4230 hf_netlogon_unknown_string, 0);
4239 * IDL long NetrLogonControl2(
4240 * IDL [in][string][unique] wchar_t *logonserver,
4241 * IDL [in] long function_code,
4242 * IDL [in] long level,
4243 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4244 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4248 netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
4249 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4251 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4254 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4255 hf_netlogon_code, NULL);
4257 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4258 hf_netlogon_level, NULL);
4260 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4261 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4262 "CONTROL_DATA_INFORMATION: ", -1);
4268 netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
4269 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4273 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4274 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4275 "CONTROL_QUERY_INFORMATION:", -1);
4277 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_netlogon_werr_rc, &status);
4279 if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
4280 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown WERR error 0x%08x"));
4288 * IDL long NetrServerAuthenticate2(
4289 * IDL [in][string][unique] wchar_t *logonserver,
4290 * IDL [in][ref][string] wchar_t *username,
4291 * IDL [in] short secure_channel_type,
4292 * IDL [in][ref][string] wchar_t *computername,
4293 * IDL [in][ref] CREDENTIAL *client_chal,
4294 * IDL [out][ref] CREDENTIAL *server_chal,
4295 * IDL [in][out][ref] long *negotiate_flags,
4299 netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
4300 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4302 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4305 offset = dissect_ndr_pointer_cb(
4306 tvb, offset, pinfo, tree, drep,
4307 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
4308 "User Name", hf_netlogon_acct_name,
4309 cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));
4311 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
4314 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4315 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4317 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4318 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4319 "CREDENTIAL: client_chal", -1);
4321 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4322 hf_netlogon_neg_flags, NULL);
4328 netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
4329 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4332 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4333 "CREDENTIAL: server_chal", -1);
4335 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4336 hf_netlogon_neg_flags, NULL);
4338 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4339 hf_netlogon_rc, NULL);
4346 * IDL long NetrDatabaseSync2(
4347 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4348 * IDL [in][string][ref] wchar_t *computername,
4349 * IDL [in][ref] AUTHENTICATOR credential,
4350 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4351 * IDL [in] long database_id,
4352 * IDL [in] short restart_state,
4353 * IDL [in][out][ref] long *sync_context,
4354 * IDL [in] long preferredmaximumlength,
4355 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4359 netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
4360 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4362 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4363 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4365 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4366 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4368 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4369 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4370 "AUTHENTICATOR: credential", -1);
4372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4373 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4374 "AUTHENTICATOR: return_authenticator", -1);
4376 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4377 hf_netlogon_database_id, NULL);
4379 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4380 hf_netlogon_restart_state, NULL);
4382 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4383 hf_netlogon_sync_context, NULL);
4385 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4386 hf_netlogon_max_size, NULL);
4392 netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
4393 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4395 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4396 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4397 "AUTHENTICATOR: return_authenticator", -1);
4399 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4400 hf_netlogon_sync_context, NULL);
4402 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4403 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4404 "DELTA_ENUM_ARRAY: deltas", -1);
4406 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4407 hf_netlogon_rc, NULL);
4414 * IDL long NetrDatabaseRedo(
4415 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4416 * IDL [in][string][ref] wchar_t *computername,
4417 * IDL [in][ref] AUTHENTICATOR credential,
4418 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4419 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
4420 * IDL [in] long change_log_entry_size,
4421 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4425 netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
4426 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4428 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4429 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4431 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4432 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4434 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4435 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4436 "AUTHENTICATOR: credential", -1);
4438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4439 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4440 "AUTHENTICATOR: return_authenticator", -1);
4442 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4443 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4444 "Change log entry: ", -1);
4446 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4447 hf_netlogon_max_log_size, NULL);
4453 netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
4454 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4456 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4457 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4458 "AUTHENTICATOR: return_authenticator", -1);
4460 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4461 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4462 "DELTA_ENUM_ARRAY: deltas", -1);
4464 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4465 hf_netlogon_rc, NULL);
4472 * IDL long NetrLogonControl2Ex(
4473 * IDL [in][string][unique] wchar_t *logonserver,
4474 * IDL [in] long function_code,
4475 * IDL [in] long level,
4476 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4477 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4481 netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
4482 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4484 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4487 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4488 hf_netlogon_code, NULL);
4490 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4491 hf_netlogon_level, NULL);
4493 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4494 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4495 "CONTROL_DATA_INFORMATION: ", -1);
4500 netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
4501 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4503 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4504 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4505 "CONTROL_QUERY_INFORMATION:", -1);
4507 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4508 hf_netlogon_dos_rc, NULL);
4516 static const value_string trust_type_vals[] = {
4524 #define DS_INET_ADDRESS 1
4525 #define DS_NETBIOS_ADDRESS 2
4526 static const value_string dc_address_types[] = {
4527 { DS_INET_ADDRESS, "IP/DNS name" },
4528 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
4533 #define DS_DOMAIN_IN_FOREST 0x0001
4534 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4535 #define DS_DOMAIN_TREE_ROOT 0x0004
4536 #define DS_DOMAIN_PRIMARY 0x0008
4537 #define DS_DOMAIN_NATIVE_MODE 0x0010
4538 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
4539 static const true_false_string trust_inbound = {
4540 "There is a DIRECT INBOUND trust for the servers domain",
4541 "There is NO direct inbound trust for the servers domain"
4543 static const true_false_string trust_outbound = {
4544 "There is a DIRECT OUTBOUND trust for this domain",
4545 "There is NO direct outbound trust for this domain"
4547 static const true_false_string trust_in_forest = {
4548 "The domain is a member IN the same FOREST as the queried server",
4549 "The domain is NOT a member of the queried servers domain"
4551 static const true_false_string trust_native_mode = {
4552 "The primary domain is a NATIVE MODE w2k domain",
4553 "The primary is NOT a native mode w2k domain"
4555 static const true_false_string trust_primary = {
4556 "The domain is the PRIMARY domain of the queried server",
4557 "The domain is NOT the primary domain of the queried server"
4559 static const true_false_string trust_tree_root = {
4560 "The domain is the ROOT of a domain TREE",
4561 "The domain is NOT a root of a domain tree"
4564 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4565 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4568 proto_item *item = NULL;
4569 proto_tree *tree = NULL;
4572 di=pinfo->private_data;
4573 if(di->conformant_run){
4574 /*just a run to handle conformant arrays, nothing to dissect */
4578 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4579 hf_netlogon_trust_flags, &mask);
4582 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4583 tvb, offset-4, 4, mask);
4584 tree = proto_item_add_subtree(item, ett_trust_flags);
4587 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4588 tvb, offset-4, 4, mask);
4589 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4590 tvb, offset-4, 4, mask);
4591 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4592 tvb, offset-4, 4, mask);
4593 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4594 tvb, offset-4, 4, mask);
4595 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4596 tvb, offset-4, 4, mask);
4597 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4598 tvb, offset-4, 4, mask);
4605 static const true_false_string trust_attribs_non_transitive = {
4606 "This is a NON TRANSITIVE trust relation",
4607 "This is a normal trust"
4609 static const true_false_string trust_attribs_uplevel_only = {
4610 "This is an UPLEVEL ONLY trust relation",
4611 "This is a normal trust"
4613 static const true_false_string trust_attribs_quarantined_domain = {
4614 "This is a QUARANTINED DOMAIN (so dont expect lookupsids to work)",
4615 "This is a normal trust"
4617 static const true_false_string trust_attribs_forest_transitive = {
4618 "This is a FOREST TRANSITIVE trust",
4619 "This is a normal trust"
4621 static const true_false_string trust_attribs_cross_organization = {
4622 "This is a CROSS ORGANIZATION trust",
4623 "This is a normal trust"
4625 static const true_false_string trust_attribs_within_forest = {
4626 "This is a WITHIN FOREST trust",
4627 "This is a normal trust"
4629 static const true_false_string trust_attribs_treat_as_external = {
4630 "TREAT this trust AS an EXTERNAL trust",
4631 "This is a normal trust"
4635 netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
4636 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4639 proto_item *item = NULL;
4640 proto_tree *tree = NULL;
4643 di=pinfo->private_data;
4644 if(di->conformant_run){
4645 /*just a run to handle conformant arrays, nothing to dissect */
4649 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4650 hf_netlogon_trust_attribs, &mask);
4653 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_attribs,
4654 tvb, offset-4, 4, mask);
4655 tree = proto_item_add_subtree(item, ett_trust_attribs);
4658 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_treat_as_external,
4659 tvb, offset-4, 4, mask);
4660 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_within_forest,
4661 tvb, offset-4, 4, mask);
4662 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_cross_organization,
4663 tvb, offset-4, 4, mask);
4664 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_forest_transitive,
4665 tvb, offset-4, 4, mask);
4666 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_quarantined_domain,
4667 tvb, offset-4, 4, mask);
4668 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_uplevel_only,
4669 tvb, offset-4, 4, mask);
4670 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_non_transitive,
4671 tvb, offset-4, 4, mask);
4678 #define DS_FORCE_REDISCOVERY 0x00000001
4679 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
4680 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
4681 #define DS_GC_SERVER_REQUIRED 0x00000040
4682 #define DS_PDC_REQUIRED 0x00000080
4683 #define DS_BACKGROUND_ONLY 0x00000100
4684 #define DS_IP_REQUIRED 0x00000200
4685 #define DS_KDC_REQUIRED 0x00000400
4686 #define DS_TIMESERV_REQUIRED 0x00000800
4687 #define DS_WRITABLE_REQUIRED 0x00001000
4688 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
4689 #define DS_AVOID_SELF 0x00004000
4690 #define DS_ONLY_LDAP_NEEDED 0x00008000
4691 #define DS_IS_FLAT_NAME 0x00010000
4692 #define DS_IS_DNS_NAME 0x00020000
4693 #define DS_RETURN_DNS_NAME 0x40000000
4694 #define DS_RETURN_FLAT_NAME 0x80000000
4695 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4696 "FORCE REDISCOVERY of any cached data",
4697 "You may return cached data"
4699 static const true_false_string get_dcname_request_flags_directory_service_required = {
4700 "DIRECRTORY SERVICE is REQUIRED on the server",
4701 "We do NOT require directory service servers"
4703 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4704 "DIRECTORY SERVICE servers are PREFERRED",
4705 "We do NOT have a preference for directory service servers"
4707 static const true_false_string get_dcname_request_flags_gc_server_required = {
4708 "GC SERVER is REQUIRED",
4709 "gc server is NOT required"
4711 static const true_false_string get_dcname_request_flags_pdc_required = {
4712 "PDC SERVER is REQUIRED",
4713 "pdc server is NOT required"
4715 static const true_false_string get_dcname_request_flags_background_only = {
4716 "Only return cached data, even if it has expired",
4717 "Return cached data unless it has expired"
4719 static const true_false_string get_dcname_request_flags_ip_required = {
4720 "IP address is REQUIRED",
4721 "ip address is NOT required"
4723 static const true_false_string get_dcname_request_flags_kdc_required = {
4724 "KDC server is REQUIRED",
4725 "kdc server is NOT required"
4727 static const true_false_string get_dcname_request_flags_timeserv_required = {
4728 "TIMESERV service is REQUIRED",
4729 "timeserv service is NOT required"
4731 static const true_false_string get_dcname_request_flags_writable_required = {
4732 "the requrned dc MUST be WRITEABLE",
4733 "a read-only dc may be returned"
4735 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4736 "GOOD TIMESERV servers are PREFERRED",
4737 "we do NOT have a preference for good timeserv servers"
4739 static const true_false_string get_dcname_request_flags_avoid_self = {
4740 "do NOT return self as dc, return someone else",
4741 "you may return yourSELF as the dc"
4743 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4744 "we ONLY NEED LDAP, you dont have to return a dc",
4745 "we need a normal dc, an ldap only server will not do"
4747 static const true_false_string get_dcname_request_flags_is_flat_name = {
4748 "the name we specify is a NetBIOS name",
4749 "the name we specify is NOT a NetBIOS name"
4751 static const true_false_string get_dcname_request_flags_is_dns_name = {
4752 "the name we specify is a DNS name",
4753 "ther name we specify is NOT a dns name"
4755 static const true_false_string get_dcname_request_flags_return_dns_name = {
4756 "return a DNS name",
4757 "you may return a NON-dns name"
4759 static const true_false_string get_dcname_request_flags_return_flat_name = {
4760 "return a NetBIOS name",
4761 "you may return a NON-NetBIOS name"
4764 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4765 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4768 proto_item *item = NULL;
4769 proto_tree *tree = NULL;
4772 di=pinfo->private_data;
4773 if(di->conformant_run){
4774 /*just a run to handle conformant arrays, nothing to dissect */
4778 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4779 hf_netlogon_get_dcname_request_flags, &mask);
4782 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4783 tvb, offset-4, 4, mask);
4784 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4787 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4788 tvb, offset-4, 4, mask);
4789 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4790 tvb, offset-4, 4, mask);
4791 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4792 tvb, offset-4, 4, mask);
4793 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4794 tvb, offset-4, 4, mask);
4795 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4796 tvb, offset-4, 4, mask);
4797 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4798 tvb, offset-4, 4, mask);
4799 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4800 tvb, offset-4, 4, mask);
4801 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4802 tvb, offset-4, 4, mask);
4803 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4804 tvb, offset-4, 4, mask);
4805 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4806 tvb, offset-4, 4, mask);
4807 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4808 tvb, offset-4, 4, mask);
4809 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4810 tvb, offset-4, 4, mask);
4811 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4812 tvb, offset-4, 4, mask);
4813 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4814 tvb, offset-4, 4, mask);
4815 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4816 tvb, offset-4, 4, mask);
4817 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4818 tvb, offset-4, 4, mask);
4819 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4820 tvb, offset-4, 4, mask);
4827 #define DS_PDC_FLAG 0x00000001
4828 #define DS_GC_FLAG 0x00000004
4829 #define DS_LDAP_FLAG 0x00000008
4830 #define DS_DS_FLAG 0x00000010
4831 #define DS_KDC_FLAG 0x00000020
4832 #define DS_TIMESERV_FLAG 0x00000040
4833 #define DS_CLOSEST_FLAG 0x00000080
4834 #define DS_WRITABLE_FLAG 0x00000100
4835 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4836 #define DS_NDNC_FLAG 0x00000400
4837 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4838 #define DS_DNS_DOMAIN_FLAG 0x40000000
4839 #define DS_DNS_FOREST_FLAG 0x80000000
4840 static const true_false_string dc_flags_pdc_flag = {
4841 "this is the PDC of the domain",
4842 "this is NOT the pdc of the domain"
4844 static const true_false_string dc_flags_gc_flag = {
4845 "this is the GC of the forest",
4846 "this is NOT the gc of the forest"
4848 static const true_false_string dc_flags_ldap_flag = {
4849 "this is an LDAP server",
4850 "this is NOT an ldap server"
4852 static const true_false_string dc_flags_ds_flag = {
4853 "this is a DS server",
4854 "this is NOT a ds server"
4856 static const true_false_string dc_flags_kdc_flag = {
4857 "this is a KDC server",
4858 "this is NOT a kdc server"
4860 static const true_false_string dc_flags_timeserv_flag = {
4861 "this is a TIMESERV server",
4862 "this is NOT a timeserv server"
4864 static const true_false_string dc_flags_closest_flag = {
4865 "this is the CLOSEST server",
4866 "this is NOT the closest server"
4868 static const true_false_string dc_flags_writable_flag = {
4869 "this server has a WRITABLE ds database",
4870 "this server has a READ-ONLY ds database"
4872 static const true_false_string dc_flags_good_timeserv_flag = {
4873 "this server is a GOOD TIMESERV server",
4874 "this is NOT a good timeserv server"
4876 static const true_false_string dc_flags_ndnc_flag = {
4880 static const true_false_string dc_flags_dns_controller_flag = {
4881 "DomainControllerName is a DNS name",
4882 "DomainControllerName is NOT a dns name"
4884 static const true_false_string dc_flags_dns_domain_flag = {
4885 "DomainName is a DNS name",
4886 "DomainName is NOT a dns name"
4888 static const true_false_string dc_flags_dns_forest_flag = {
4889 "DnsForestName is a DNS name",
4890 "DnsForestName is NOT a dns name"
4893 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4894 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4897 proto_item *item = NULL;
4898 proto_tree *tree = NULL;
4901 di=pinfo->private_data;
4902 if(di->conformant_run){
4903 /*just a run to handle conformant arrays, nothing to dissect */
4907 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4908 hf_netlogon_dc_flags, &mask);
4911 item = proto_tree_add_uint_format_value(parent_tree, hf_netlogon_dc_flags,
4912 tvb, offset-4, 4, mask, "0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4913 tree = proto_item_add_subtree(item, ett_dc_flags);
4916 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4917 tvb, offset-4, 4, mask);
4918 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4919 tvb, offset-4, 4, mask);
4920 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4921 tvb, offset-4, 4, mask);
4922 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4923 tvb, offset-4, 4, mask);
4924 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4925 tvb, offset-4, 4, mask);
4926 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4927 tvb, offset-4, 4, mask);
4928 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4929 tvb, offset-4, 4, mask);
4930 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4931 tvb, offset-4, 4, mask);
4932 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4933 tvb, offset-4, 4, mask);
4934 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4935 tvb, offset-4, 4, mask);
4936 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4937 tvb, offset-4, 4, mask);
4938 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4939 tvb, offset-4, 4, mask);
4940 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4941 tvb, offset-4, 4, mask);
4949 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4950 packet_info *pinfo, proto_tree *tree,
4955 di=pinfo->private_data;
4956 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4957 di->hf_index, NULL);
4962 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4963 packet_info *pinfo, proto_tree *tree,
4968 di=pinfo->private_data;
4969 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4970 di->hf_index, NULL);
4975 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4976 packet_info *pinfo, proto_tree *tree,
4979 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4980 hf_netlogon_unknown_char, NULL);
4986 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4987 packet_info *pinfo, proto_tree *tree,
4990 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4991 netlogon_dissect_UNICODE_MULTI_byte);
4997 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4998 packet_info *pinfo, proto_tree *parent_tree,
5001 proto_item *item=NULL;
5002 proto_tree *tree=NULL;
5003 int old_offset=offset;
5006 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5008 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
5011 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5012 hf_netlogon_len, NULL);
5014 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5015 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
5016 "unknown", hf_netlogon_unknown_string);
5018 proto_item_set_len(item, offset-old_offset);
5023 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
5024 packet_info *pinfo, proto_tree *parent_tree,
5027 proto_item *item=NULL;
5028 proto_tree *tree=NULL;
5029 int old_offset=offset;
5032 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5033 "DOMAIN_CONTROLLER_INFO:");
5034 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
5037 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5038 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
5040 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5041 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
5043 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5044 hf_netlogon_dc_address_type, NULL);
5046 offset = dissect_nt_GUID(tvb, offset,
5049 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5050 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
5052 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5053 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
5055 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
5057 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5058 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
5060 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5061 NDR_POINTER_UNIQUE, "Client Site",
5062 hf_netlogon_client_site_name, 0);
5064 proto_item_set_len(item, offset-old_offset);
5069 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
5070 packet_info *pinfo, proto_tree *tree,
5076 di=pinfo->private_data;
5077 if(di->conformant_run){
5078 /*just a run to handle conformant arrays, nothing to dissect.*/
5082 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5083 hf_netlogon_blob_size, &len);
5085 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
5093 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
5094 packet_info *pinfo, proto_tree *parent_tree,
5097 proto_item *item=NULL;
5098 proto_tree *tree=NULL;
5101 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5103 tree = proto_item_add_subtree(item, ett_BLOB);
5106 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5107 hf_netlogon_blob_size, NULL);
5109 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5110 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
5117 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
5118 packet_info *pinfo, proto_tree *parent_tree,
5121 proto_item *item=NULL;
5122 proto_tree *tree=NULL;
5123 int old_offset=offset;
5126 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5127 "DOMAIN_TRUST_INFO:");
5128 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
5132 offset = lsa_dissect_DnsDomainInfo(tvb, offset, pinfo, tree, drep, 0, 0);
5134 /* Guesses at best. */
5135 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5136 hf_netlogon_unknown_string, 0);
5138 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5139 hf_netlogon_unknown_string, 0);
5141 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5142 hf_netlogon_unknown_string, 0);
5144 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5145 hf_netlogon_unknown_string, 0);
5147 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5148 hf_netlogon_unknown_long, NULL);
5150 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5151 hf_netlogon_unknown_long, NULL);
5153 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5154 hf_netlogon_unknown_long, NULL);
5156 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5157 hf_netlogon_unknown_long, NULL);
5159 proto_item_set_len(item, offset-old_offset);
5164 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
5165 packet_info *pinfo, proto_tree *tree,
5168 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5169 netlogon_dissect_DOMAIN_TRUST_INFO);
5175 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
5176 packet_info *pinfo, proto_tree *tree,
5179 offset = netlogon_dissect_BLOB(tvb, offset,
5182 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5183 NDR_POINTER_UNIQUE, "Workstation FQDN",
5184 hf_netlogon_workstation_fqdn, 0);
5186 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5187 NDR_POINTER_UNIQUE, "Workstation Site",
5188 hf_netlogon_workstation_site_name, 0);
5190 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5191 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5193 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5194 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5196 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5197 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5199 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5200 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5202 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5203 hf_netlogon_unknown_string, 0);
5205 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5206 hf_netlogon_workstation_os, 0);
5208 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5209 hf_netlogon_unknown_string, 0);
5211 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5212 hf_netlogon_unknown_string, 0);
5214 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5215 hf_netlogon_unknown_long, NULL);
5217 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5218 hf_netlogon_unknown_long, NULL);
5220 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5221 hf_netlogon_unknown_long, NULL);
5223 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5224 hf_netlogon_unknown_long, NULL);
5230 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
5231 packet_info *pinfo, proto_tree *tree,
5234 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
5236 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5237 hf_netlogon_num_trusts, NULL);
5239 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5240 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5241 "DOMAIN_TRUST_ARRAY: Trusts", -1);
5243 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5244 hf_netlogon_num_trusts, NULL);
5246 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5247 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5248 "DOMAIN_TRUST_ARRAY:", -1);
5250 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5251 hf_netlogon_dns_domain_name, 0);
5253 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5254 hf_netlogon_unknown_string, 0);
5256 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5257 hf_netlogon_unknown_string, 0);
5259 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5260 hf_netlogon_unknown_string, 0);
5262 /* These four integers appear to mirror the last four in the query. */
5263 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5264 hf_netlogon_unknown_long, NULL);
5266 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5267 hf_netlogon_unknown_long, NULL);
5269 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5270 hf_netlogon_unknown_long, NULL);
5272 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5273 hf_netlogon_unknown_long, NULL);
5280 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5281 packet_info *pinfo, proto_tree *tree,
5286 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5287 hf_netlogon_level, &level);
5292 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5293 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
5294 "DOMAIN_INFO_1:", -1);
5302 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
5303 packet_info *pinfo, proto_tree *parent_tree,
5306 proto_item *item=NULL;
5307 proto_tree *tree=NULL;
5308 int old_offset=offset;
5312 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5313 "UNICODE_STRING_512:");
5314 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
5318 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5319 hf_netlogon_unknown_short, NULL);
5322 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5323 hf_netlogon_unknown_long, NULL);
5325 proto_item_set_len(item, offset-old_offset);
5330 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
5331 packet_info *pinfo, proto_tree *tree,
5334 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5335 hf_netlogon_unknown_char, NULL);
5341 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
5342 packet_info *pinfo, proto_tree *tree,
5345 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5346 netlogon_dissect_element_844_byte);
5352 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
5353 packet_info *pinfo, proto_tree *parent_tree,
5356 proto_item *item=NULL;
5357 proto_tree *tree=NULL;
5358 int old_offset=offset;
5361 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5363 tree = proto_item_add_subtree(item, ett_TYPE_50);
5366 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5367 hf_netlogon_unknown_long, NULL);
5369 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5370 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
5371 "unknown", hf_netlogon_unknown_string);
5373 proto_item_set_len(item, offset-old_offset);
5378 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
5379 packet_info *pinfo, proto_tree *tree,
5382 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5383 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
5384 "TYPE_50 pointer: unknown_TYPE_50", -1);
5390 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
5391 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5394 proto_item *item=NULL;
5395 proto_tree *tree=NULL;
5396 int old_offset=offset;
5399 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5400 "DS_DOMAIN_TRUSTS");
5401 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
5405 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5406 NDR_POINTER_UNIQUE, "NetBIOS Name",
5407 hf_netlogon_downlevel_domain_name, 0);
5410 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5411 NDR_POINTER_UNIQUE, "DNS Domain Name",
5412 hf_netlogon_dns_domain_name, 0);
5414 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5416 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5417 hf_netlogon_trust_parent_index, &tmp);
5419 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5420 hf_netlogon_trust_type, &tmp);
5422 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, drep);
5425 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
5428 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
5430 proto_item_set_len(item, offset-old_offset);
5435 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
5436 packet_info *pinfo, proto_tree *tree,
5439 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5440 netlogon_dissect_DS_DOMAIN_TRUSTS);
5446 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
5447 packet_info *pinfo, proto_tree *tree,
5450 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5451 hf_netlogon_unknown_char, NULL);
5457 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
5458 packet_info *pinfo, proto_tree *tree,
5461 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5462 netlogon_dissect_element_865_byte);
5468 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
5469 packet_info *pinfo, proto_tree *tree,
5472 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5473 hf_netlogon_unknown_char, NULL);
5479 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
5480 packet_info *pinfo, proto_tree *tree,
5483 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5484 netlogon_dissect_element_866_byte);
5490 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
5491 packet_info *pinfo, proto_tree *parent_tree,
5494 proto_item *item=NULL;
5495 proto_tree *tree=NULL;
5496 int old_offset=offset;
5499 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5501 tree = proto_item_add_subtree(item, ett_TYPE_52);
5504 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5505 hf_netlogon_unknown_long, NULL);
5507 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5508 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
5509 "unknown", hf_netlogon_unknown_string);
5511 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5512 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
5513 "unknown", hf_netlogon_unknown_string);
5515 proto_item_set_len(item, offset-old_offset);
5520 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
5521 packet_info *pinfo, proto_tree *tree,
5524 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5525 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5526 "TYPE_52 pointer: unknown_TYPE_52", -1);
5532 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5533 packet_info *pinfo, proto_tree *parent_tree,
5536 proto_item *item=NULL;
5537 proto_tree *tree=NULL;
5538 int old_offset=offset;
5542 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5544 tree = proto_item_add_subtree(item, ett_TYPE_44);
5547 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5548 hf_netlogon_level, &level);
5553 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5554 hf_netlogon_unknown_long, NULL);
5558 proto_item_set_len(item, offset-old_offset);
5563 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5564 packet_info *pinfo, proto_tree *tree,
5569 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5570 hf_netlogon_level, &level);
5575 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5576 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5577 "DOMAIN_QUERY_1:", -1);
5580 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5581 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5582 "DOMAIN_QUERY_1:", -1);
5590 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5591 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5593 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5601 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5602 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5604 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5605 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5606 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5608 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5609 hf_netlogon_dos_rc, NULL);
5615 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5616 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5618 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5621 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5622 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5624 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5625 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5626 "GUID pointer: domain_guid", -1);
5628 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5629 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5630 "GUID pointer: site_guid", -1);
5632 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5633 hf_netlogon_flags, NULL);
5640 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5641 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5643 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5644 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5645 "DOMAIN_CONTROLLER_INFO:", -1);
5647 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5648 hf_netlogon_dos_rc, NULL);
5654 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
5655 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5657 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5660 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5661 NDR_POINTER_UNIQUE, "unknown string",
5662 hf_netlogon_unknown_string, 0);
5664 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5665 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5666 "AUTHENTICATOR: credential", -1);
5668 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5669 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5670 "AUTHENTICATOR: return_authenticator", -1);
5672 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5673 hf_netlogon_unknown_long, NULL);
5680 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
5681 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5683 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5684 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5685 "AUTHENTICATOR: return_authenticator", -1);
5687 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5688 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5689 "TYPE_44 pointer: unknown_TYPE_44", -1);
5691 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5692 hf_netlogon_rc, NULL);
5698 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
5699 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5701 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5704 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5705 hf_netlogon_unknown_long, NULL);
5707 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5708 hf_netlogon_unknown_long, NULL);
5715 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
5716 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5718 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5719 hf_netlogon_rc, NULL);
5726 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
5727 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5729 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5732 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5733 NDR_POINTER_UNIQUE, "unknown string",
5734 hf_netlogon_unknown_string, 0);
5741 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
5742 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5744 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5745 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5746 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5748 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5749 hf_netlogon_rc, NULL);
5756 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
5757 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5759 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5762 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5763 hf_netlogon_unknown_long, NULL);
5765 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5766 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5767 "BYTE pointer: unknown_BYTE", -1);
5769 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5770 hf_netlogon_unknown_long, NULL);
5776 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5777 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5782 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5783 hf_netlogon_unknown_char, NULL);
5790 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
5791 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5793 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5794 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5795 "BYTE pointer: unknown_BYTE", -1);
5797 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5798 hf_netlogon_rc, NULL);
5804 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
5805 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5807 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5810 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5811 NDR_POINTER_UNIQUE, "unknown string",
5812 hf_netlogon_unknown_string, 0);
5814 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5815 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5816 "BYTE pointer: unknown_BYTE", -1);
5818 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5819 hf_netlogon_unknown_long, NULL);
5826 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
5827 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5829 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5830 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5831 "BYTE pointer: unknown_BYTE", -1);
5833 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5834 hf_netlogon_rc, NULL);
5840 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5841 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5843 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5846 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5847 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5849 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5852 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5853 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5855 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5856 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5857 "CREDENTIAL: authenticator", -1);
5859 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5860 hf_netlogon_neg_flags, NULL);
5867 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5868 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5870 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5871 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5872 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5874 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5875 hf_netlogon_neg_flags, NULL);
5877 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5878 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5879 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5881 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5882 hf_netlogon_rc, NULL);
5888 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
5889 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5891 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5894 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5895 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5897 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5898 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5899 "GUID pointer: domain_guid", -1);
5901 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5902 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5904 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
5911 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
5912 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5914 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5915 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5916 "DOMAIN_CONTROLLER_INFO:", -1);
5918 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5919 hf_netlogon_rc, NULL);
5925 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5926 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5928 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5936 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5937 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5940 /* XXX hmmm this does not really look like a UNIQUE pointer but
5941 will do for now. I think it is really a 32bit integer followed by
5942 a REF pointer to a unicode string */
5943 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
5944 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
5945 hf_netlogon_site_name, cb_wstr_postprocess,
5946 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
5948 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5949 hf_netlogon_dos_rc, NULL);
5955 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5956 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5958 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5959 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5960 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5962 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5963 NDR_POINTER_UNIQUE, "Computer Name",
5964 hf_netlogon_computer_name, 0);
5966 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5967 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5968 "AUTHENTICATOR: credential", -1);
5970 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5971 hf_netlogon_unknown_long, NULL);
5973 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5974 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5975 "AUTHENTICATOR: return_authenticator", -1);
5977 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5978 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5979 "DOMAIN_QUERY: ", -1);
5986 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5987 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5989 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5990 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5991 "AUTHENTICATOR: return_authenticator", -1);
5993 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5994 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5995 "DOMAIN_INFO: ", -1);
5997 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5998 hf_netlogon_rc, NULL);
6004 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
6005 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6007 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6010 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6011 NDR_POINTER_UNIQUE, "unknown string",
6012 hf_netlogon_unknown_string, 0);
6014 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6015 hf_netlogon_unknown_short, NULL);
6017 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6018 NDR_POINTER_UNIQUE, "unknown string",
6019 hf_netlogon_unknown_string, 0);
6021 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6022 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6023 "AUTHENTICATOR: credential", -1);
6025 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
6033 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
6034 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6036 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6037 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6038 "AUTHENTICATOR: return_authenticator", -1);
6040 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6041 hf_netlogon_rc, NULL);
6047 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
6048 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6050 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6053 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6054 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
6056 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
6059 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6060 NDR_POINTER_UNIQUE, "Computer Name",
6061 hf_netlogon_computer_name, 0);
6063 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6064 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6065 "AUTHENTICATOR: credential", -1);
6072 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
6073 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6075 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6076 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6077 "AUTHENTICATOR: return_authenticator", -1);
6079 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6080 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
6081 "LM_OWF_PASSWORD pointer: server_pwd", -1);
6083 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6084 hf_netlogon_rc, NULL);
6090 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
6091 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6093 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6096 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6097 NDR_POINTER_UNIQUE, "unknown string",
6098 hf_netlogon_unknown_string, 0);
6100 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6101 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6102 "AUTHENTICATOR: credential", -1);
6104 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6105 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6106 "BYTE pointer: unknown_BYTE", -1);
6108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6109 hf_netlogon_unknown_long, NULL);
6116 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
6117 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6119 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6120 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6121 "AUTHENTICATOR: return_authenticator", -1);
6123 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6124 hf_netlogon_rc, NULL);
6130 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
6131 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6133 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6136 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6137 hf_netlogon_unknown_long, NULL);
6139 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6140 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6141 "BYTE pointer: unknown_BYTE", -1);
6148 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
6149 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6151 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6152 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
6153 "TYPE_50** pointer: unknown_TYPE_50", -1);
6155 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6156 hf_netlogon_rc, NULL);
6162 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
6163 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6165 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6168 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6169 NDR_POINTER_UNIQUE, "Client Account",
6170 hf_netlogon_acct_name, 0);
6172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6173 hf_netlogon_unknown_long, NULL);
6175 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6176 NDR_POINTER_UNIQUE, "Client Account",
6177 hf_netlogon_logon_dom, 0);
6179 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6180 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6181 "Domain GUID:", -1);
6183 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6184 NDR_POINTER_UNIQUE, "Client Site",
6185 hf_netlogon_site_name, 0);
6187 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6188 hf_netlogon_unknown_long, NULL);
6195 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
6196 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6198 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6199 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6200 "DOMAIN_CONTROLLER_INFO:", -1);
6202 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6203 hf_netlogon_dos_rc, NULL);
6209 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
6210 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6212 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6220 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
6221 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6223 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6224 NDR_POINTER_UNIQUE, "unknown string",
6225 hf_netlogon_unknown_string, 0);
6227 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6228 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6229 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6231 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6232 hf_netlogon_rc, NULL);
6238 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
6239 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6241 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6248 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
6249 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6251 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6252 hf_netlogon_entries, NULL);
6254 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6255 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
6256 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
6258 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6259 hf_netlogon_rc, NULL);
6265 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
6266 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6268 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6271 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6272 hf_netlogon_unknown_long, NULL);
6274 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6275 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6276 "BYTE pointer: unknown_BYTE", -1);
6283 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
6284 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6286 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6287 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
6288 "TYPE_52 pointer: unknown_TYPE_52", -1);
6290 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6291 hf_netlogon_rc, NULL);
6298 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
6299 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6301 offset = dissect_ndr_counted_string_cb(
6302 tvb, offset, pinfo, tree, drep, hf_netlogon_site_name,
6303 cb_wstr_postprocess,
6304 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
6309 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
6310 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6312 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
6313 netlogon_dissect_site_name_item);
6319 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
6320 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6322 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6323 hf_netlogon_count, NULL);
6325 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6326 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
6327 "Site name array", -1);
6333 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
6334 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6336 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6344 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
6345 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6347 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6348 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
6351 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6352 hf_netlogon_rc, NULL);
6358 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
6359 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6361 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6362 NDR_POINTER_UNIQUE, "unknown string",
6363 hf_netlogon_unknown_string, 0);
6365 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6366 NDR_POINTER_UNIQUE, "unknown string",
6367 hf_netlogon_unknown_string, 0);
6369 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6370 hf_netlogon_unknown_short, NULL);
6372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6373 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
6374 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
6376 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6377 hf_netlogon_unknown_short, NULL);
6379 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6380 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6381 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6387 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
6388 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6390 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6391 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
6392 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
6394 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6395 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
6396 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
6398 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6399 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6400 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6402 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6403 hf_netlogon_rc, NULL);
6410 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
6411 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6413 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6416 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
6423 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
6424 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6426 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6427 hf_netlogon_entries, NULL);
6429 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6430 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
6431 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
6433 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6434 hf_netlogon_dos_rc, NULL);
6440 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
6441 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6443 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6446 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6447 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6449 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6450 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6451 "GUID pointer: domain_guid", -1);
6453 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6454 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6455 "GUID pointer: dsa_guid", -1);
6457 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6458 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
6465 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
6466 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6468 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6469 hf_netlogon_rc, NULL);
6474 /* Dissect secure channel stuff */
6476 static int hf_netlogon_secchan_bind_unknown1 = -1;
6477 static int hf_netlogon_secchan_bind_unknown2 = -1;
6478 static int hf_netlogon_secchan_domain = -1;
6479 static int hf_netlogon_secchan_host = -1;
6480 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
6481 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
6482 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
6484 static gint ett_secchan_verf = -1;
6485 static gint ett_secchan_bind_creds = -1;
6486 static gint ett_secchan_bind_ack_creds = -1;
6488 static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
6490 proto_tree *tree, guint8 *drep)
6492 proto_item *item = NULL;
6493 proto_tree *subtree = NULL;
6497 item = proto_tree_add_text(
6498 tree, tvb, offset, -1,
6499 "Secure Channel Bind Credentials");
6500 subtree = proto_item_add_subtree(
6501 item, ett_secchan_bind_creds);
6504 /* We can't use the NDR routines as the DCERPC call data hasn't
6505 been initialised since we haven't made a DCERPC call yet, just
6508 offset = dissect_dcerpc_uint32(
6509 tvb, offset, pinfo, subtree, drep,
6510 hf_netlogon_secchan_bind_unknown1, NULL);
6512 offset = dissect_dcerpc_uint32(
6513 tvb, offset, pinfo, subtree, drep,
6514 hf_netlogon_secchan_bind_unknown2, NULL);
6516 len = tvb_strsize(tvb, offset);
6518 proto_tree_add_item(
6519 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
6523 len = tvb_strsize(tvb, offset);
6525 proto_tree_add_item(
6526 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
6533 static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
6535 proto_tree *tree, guint8 *drep)
6537 proto_item *item = NULL;
6538 proto_tree *subtree = NULL;
6541 item = proto_tree_add_text(
6542 tree, tvb, offset, -1,
6543 "Secure Channel Bind ACK Credentials");
6544 subtree = proto_item_add_subtree(
6545 item, ett_secchan_bind_ack_creds);
6548 /* Don't use NDR routines here */
6550 offset = dissect_dcerpc_uint32(
6551 tvb, offset, pinfo, subtree, drep,
6552 hf_netlogon_secchan_bind_ack_unknown1, NULL);
6554 offset = dissect_dcerpc_uint32(
6555 tvb, offset, pinfo, subtree, drep,
6556 hf_netlogon_secchan_bind_ack_unknown2, NULL);
6558 offset = dissect_dcerpc_uint32(
6559 tvb, offset, pinfo, subtree, drep,
6560 hf_netlogon_secchan_bind_ack_unknown3, NULL);
6567 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
6568 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
6569 netlogon_dissect_netrlogonuaslogon_rqst,
6570 netlogon_dissect_netrlogonuaslogon_reply },
6571 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
6572 netlogon_dissect_netrlogonuaslogoff_rqst,
6573 netlogon_dissect_netrlogonuaslogoff_reply },
6574 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
6575 netlogon_dissect_netrlogonsamlogon_rqst,
6576 netlogon_dissect_netrlogonsamlogon_reply },
6577 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
6578 netlogon_dissect_netrlogonsamlogoff_rqst,
6579 netlogon_dissect_netrlogonsamlogoff_reply },
6580 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
6581 netlogon_dissect_netrserverreqchallenge_rqst,
6582 netlogon_dissect_netrserverreqchallenge_reply },
6583 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
6584 netlogon_dissect_netrserverauthenticate_rqst,
6585 netlogon_dissect_netrserverauthenticate_reply },
6586 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
6587 netlogon_dissect_netrserverpasswordset_rqst,
6588 netlogon_dissect_netrserverpasswordset_reply },
6589 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
6590 netlogon_dissect_netrdatabasedeltas_rqst,
6591 netlogon_dissect_netrdatabasedeltas_reply },
6592 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
6593 netlogon_dissect_netrdatabasesync_rqst,
6594 netlogon_dissect_netrdatabasesync_reply },
6595 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
6596 netlogon_dissect_netraccountdeltas_rqst,
6597 netlogon_dissect_netraccountdeltas_reply },
6598 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
6599 netlogon_dissect_netraccountsync_rqst,
6600 netlogon_dissect_netraccountsync_reply },
6601 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
6602 netlogon_dissect_netrgetdcname_rqst,
6603 netlogon_dissect_netrgetdcname_reply },
6604 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
6605 netlogon_dissect_netrlogoncontrol_rqst,
6606 netlogon_dissect_netrlogoncontrol_reply },
6607 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
6608 netlogon_dissect_netrgetanydcname_rqst,
6609 netlogon_dissect_netrgetanydcname_reply },
6610 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
6611 netlogon_dissect_netrlogoncontrol2_rqst,
6612 netlogon_dissect_netrlogoncontrol2_reply },
6613 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
6614 netlogon_dissect_netrserverauthenticate2_rqst,
6615 netlogon_dissect_netrserverauthenticate2_reply },
6616 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
6617 netlogon_dissect_netrdatabasesync2_rqst,
6618 netlogon_dissect_netrdatabasesync2_reply },
6619 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
6620 netlogon_dissect_netrdatabaseredo_rqst,
6621 netlogon_dissect_netrdatabaseredo_reply },
6622 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
6623 netlogon_dissect_netrlogoncontrol2ex_rqst,
6624 netlogon_dissect_netrlogoncontrol2ex_reply },
6625 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
6626 netlogon_dissect_netrenumeratetrusteddomains_rqst,
6627 netlogon_dissect_netrenumeratetrusteddomains_reply },
6628 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
6629 netlogon_dissect_dsrgetdcname_rqst,
6630 netlogon_dissect_dsrgetdcname_reply },
6631 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
6632 netlogon_dissect_netrlogondummyroutine1_rqst,
6633 netlogon_dissect_netrlogondummyroutine1_reply },
6634 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
6635 netlogon_dissect_netrlogonsetservicebits_rqst,
6636 netlogon_dissect_netrlogonsetservicebits_reply },
6637 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
6638 netlogon_dissect_netrlogongettrustrid_rqst,
6639 netlogon_dissect_netrlogongettrustrid_reply },
6640 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
6641 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
6642 netlogon_dissect_netrlogoncomputeserverdigest_reply },
6643 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
6644 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
6645 netlogon_dissect_netrlogoncomputeclientdigest_reply },
6646 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
6647 netlogon_dissect_netrserverauthenticate3_rqst,
6648 netlogon_dissect_netrserverauthenticate3_reply },
6649 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
6650 netlogon_dissect_dsrgetdcnameex_rqst,
6651 netlogon_dissect_dsrgetdcnameex_reply },
6652 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
6653 netlogon_dissect_dsrgetsitename_rqst,
6654 netlogon_dissect_dsrgetsitename_reply },
6655 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6656 netlogon_dissect_netrlogongetdomaininfo_rqst,
6657 netlogon_dissect_netrlogongetdomaininfo_reply },
6658 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
6659 netlogon_dissect_netrserverpasswordset2_rqst,
6660 netlogon_dissect_netrserverpasswordset2_reply },
6661 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
6662 netlogon_dissect_netrserverpasswordget_rqst,
6663 netlogon_dissect_netrserverpasswordget_reply },
6664 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
6665 netlogon_dissect_netrlogonsendtosam_rqst,
6666 netlogon_dissect_netrlogonsendtosam_reply },
6667 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
6668 netlogon_dissect_dsraddresstositenamesw_rqst,
6669 netlogon_dissect_dsraddresstositenamesw_reply },
6670 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
6671 netlogon_dissect_dsrgetdcnameex2_rqst,
6672 netlogon_dissect_dsrgetdcnameex2_reply },
6673 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
6674 "NetrLogonGetTimeServiceParentDomain",
6675 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
6676 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
6677 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
6678 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
6679 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
6680 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
6681 netlogon_dissect_dsraddresstositenamesexw_rqst,
6682 netlogon_dissect_dsraddresstositenamesexw_reply },
6683 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
6684 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
6685 netlogon_dissect_dsrgetdcsitecoveragew_reply },
6686 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
6687 netlogon_dissect_netrlogonsamlogonex_rqst,
6688 netlogon_dissect_netrlogonsamlogonex_reply },
6689 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
6690 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
6691 netlogon_dissect_dsrenumeratedomaintrusts_reply },
6692 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
6693 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6694 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6695 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
6697 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
6699 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
6701 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
6703 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
6705 {0, NULL, NULL, NULL }
6708 static int hf_netlogon_secchan_verf = -1;
6709 static int hf_netlogon_secchan_verf_sig = -1;
6710 static int hf_netlogon_secchan_verf_digest = -1;
6711 static int hf_netlogon_secchan_verf_seq = -1;
6712 static int hf_netlogon_secchan_verf_nonce = -1;
6715 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
6716 proto_tree *tree, guint8 *drep _U_)
6718 proto_item *vf = NULL;
6719 proto_tree *subtree = NULL;
6722 * Create a new tree, and split into 4 components ...
6724 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
6726 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
6728 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sig, tvb,
6732 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_digest, tvb,
6736 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_seq, tvb,
6740 /* In some cases the nonce isn't present although it isn't clear
6743 if (tvb_bytes_exist(tvb, offset, 8)) {
6744 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_nonce,
6745 tvb, offset, 8, FALSE);
6752 /* Secure channel types */
6754 static const value_string sec_chan_type_vals[] = {
6755 { SEC_CHAN_WKSTA, "Workstation" },
6756 { SEC_CHAN_DOMAIN, "Domain trust" },
6757 { SEC_CHAN_BDC, "Backup domain controller" },
6762 proto_register_dcerpc_netlogon(void)
6765 static hf_register_info hf[] = {
6766 { &hf_netlogon_opnum,
6767 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6768 NULL, 0x0, "Operation", HFILL }},
6770 { &hf_netlogon_rc, {
6771 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6772 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6774 { &hf_netlogon_dos_rc,
6775 { "DOS error code", "netlogon.dos.rc", FT_UINT32,
6776 BASE_HEX, VALS(DOS_errors), 0x0, "DOS Error Code", HFILL}},
6778 { &hf_netlogon_werr_rc,
6779 { "WERR error code", "netlogon.werr.rc", FT_UINT32,
6780 BASE_HEX, VALS(WERR_errors), 0x0, "WERR Error Code", HFILL}},
6782 { &hf_netlogon_param_ctrl, {
6783 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6784 NULL, 0x0, "Param ctrl", HFILL }},
6786 { &hf_netlogon_logon_id, {
6787 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6788 NULL, 0x0, "Logon ID", HFILL }},
6790 { &hf_netlogon_modify_count, {
6791 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6792 NULL, 0x0, "How many times the object has been modified", HFILL }},
6794 { &hf_netlogon_security_information, {
6795 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6796 NULL, 0x0, "Security Information", HFILL }},
6798 { &hf_netlogon_count, {
6799 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6800 NULL, 0x0, "", HFILL }},
6802 { &hf_netlogon_entries, {
6803 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6804 NULL, 0x0, "", HFILL }},
6806 { &hf_netlogon_credential, {
6807 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6808 NULL, 0x0, "Netlogon Credential", HFILL }},
6810 { &hf_netlogon_challenge, {
6811 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6812 NULL, 0x0, "Netlogon challenge", HFILL }},
6814 { &hf_netlogon_lm_owf_password, {
6815 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6816 NULL, 0x0, "LanManager OWF Password", HFILL }},
6818 { &hf_netlogon_user_session_key, {
6819 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6820 NULL, 0x0, "User Session Key", HFILL }},
6822 { &hf_netlogon_encrypted_lm_owf_password, {
6823 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6824 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6826 { &hf_netlogon_nt_owf_password, {
6827 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6828 NULL, 0x0, "NT OWF Password", HFILL }},
6830 { &hf_netlogon_blob, {
6831 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6832 NULL, 0x0, "BLOB", HFILL }},
6834 { &hf_netlogon_len, {
6835 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6836 NULL, 0, "Length", HFILL }},
6838 { &hf_netlogon_priv, {
6839 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6840 NULL, 0, "", HFILL }},
6842 { &hf_netlogon_privilege_entries, {
6843 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6844 NULL, 0, "", HFILL }},
6846 { &hf_netlogon_privilege_control, {
6847 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6848 NULL, 0, "", HFILL }},
6850 { &hf_netlogon_privilege_name, {
6851 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6852 NULL, 0, "", HFILL }},
6854 { &hf_netlogon_pdc_connection_status, {
6855 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6856 NULL, 0, "PDC Connection Status", HFILL }},
6858 { &hf_netlogon_tc_connection_status, {
6859 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6860 NULL, 0, "TC Connection Status", HFILL }},
6862 { &hf_netlogon_attrs, {
6863 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6864 NULL, 0, "Attributes", HFILL }},
6866 { &hf_netlogon_unknown_string,
6867 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6868 NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
6869 { &hf_netlogon_unknown_long,
6870 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6871 NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
6872 { &hf_netlogon_reserved,
6873 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6874 NULL, 0x0, "Reserved", HFILL }},
6875 { &hf_netlogon_unknown_short,
6876 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6877 NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
6879 { &hf_netlogon_unknown_char,
6880 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6881 NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
6883 { &hf_netlogon_acct_expiry_time,
6884 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6885 NULL, 0x0, "When this account will expire", HFILL }},
6887 { &hf_netlogon_nt_pwd_present,
6888 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6889 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6891 { &hf_netlogon_lm_pwd_present,
6892 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6893 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6895 { &hf_netlogon_pwd_expired,
6896 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6897 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6899 { &hf_netlogon_authoritative,
6900 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6901 NULL, 0x0, "", HFILL }},
6903 { &hf_netlogon_sensitive_data_flag,
6904 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6905 NULL, 0x0, "Sensitive data flag", HFILL }},
6907 { &hf_netlogon_auditing_mode,
6908 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6909 NULL, 0x0, "Auditing Mode", HFILL }},
6911 { &hf_netlogon_max_audit_event_count,
6912 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6913 NULL, 0x0, "Max audit event count", HFILL }},
6915 { &hf_netlogon_event_audit_option,
6916 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6917 NULL, 0x0, "Event audit option", HFILL }},
6919 { &hf_netlogon_sensitive_data_len,
6920 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6921 NULL, 0x0, "Length of sensitive data", HFILL }},
6923 { &hf_netlogon_nt_chal_resp,
6924 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6925 NULL, 0, "Challenge response for NT authentication", HFILL }},
6927 { &hf_netlogon_lm_chal_resp,
6928 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6929 NULL, 0, "Challenge response for LM authentication", HFILL }},
6931 { &hf_netlogon_cipher_len,
6932 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6933 NULL, 0, "", HFILL }},
6935 { &hf_netlogon_cipher_maxlen,
6936 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6937 NULL, 0, "", HFILL }},
6939 { &hf_netlogon_pac_data,
6940 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6941 NULL, 0, "Pac Data", HFILL }},
6943 { &hf_netlogon_sensitive_data,
6944 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6945 NULL, 0, "Sensitive Data", HFILL }},
6947 { &hf_netlogon_auth_data,
6948 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6949 NULL, 0, "Auth Data", HFILL }},
6951 { &hf_netlogon_cipher_current_data,
6952 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6953 NULL, 0, "", HFILL }},
6955 { &hf_netlogon_cipher_old_data,
6956 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6957 NULL, 0, "", HFILL }},
6959 { &hf_netlogon_acct_name,
6960 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6961 NULL, 0, "Account Name", HFILL }},
6963 { &hf_netlogon_acct_desc,
6964 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6965 NULL, 0, "Account Description", HFILL }},
6967 { &hf_netlogon_group_desc,
6968 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6969 NULL, 0, "Group Description", HFILL }},
6971 { &hf_netlogon_full_name,
6972 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6973 NULL, 0, "Full Name", HFILL }},
6975 { &hf_netlogon_comment,
6976 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6977 NULL, 0, "Comment", HFILL }},
6979 { &hf_netlogon_parameters,
6980 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6981 NULL, 0, "Parameters", HFILL }},
6983 { &hf_netlogon_logon_script,
6984 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6985 NULL, 0, "Logon Script", HFILL }},
6987 { &hf_netlogon_profile_path,
6988 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6989 NULL, 0, "Profile Path", HFILL }},
6991 { &hf_netlogon_home_dir,
6992 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6993 NULL, 0, "Home Directory", HFILL }},
6995 { &hf_netlogon_dir_drive,
6996 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6997 NULL, 0, "Drive letter for home directory", HFILL }},
6999 { &hf_netlogon_logon_srv,
7000 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
7001 NULL, 0, "Server", HFILL }},
7003 { &hf_netlogon_principal,
7004 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
7005 NULL, 0, "Principal", HFILL }},
7007 { &hf_netlogon_logon_dom,
7008 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
7009 NULL, 0, "Domain", HFILL }},
7011 { &hf_netlogon_resourcegroupcount,
7012 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
7013 NULL, 0, "Number of Resource Groups", HFILL }},
7015 { &hf_netlogon_computer_name,
7016 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
7017 NULL, 0, "Computer Name", HFILL }},
7019 { &hf_netlogon_site_name,
7020 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
7021 NULL, 0, "Site Name", HFILL }},
7023 { &hf_netlogon_dc_name,
7024 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
7025 NULL, 0, "DC Name", HFILL }},
7027 { &hf_netlogon_dc_site_name,
7028 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
7029 NULL, 0, "DC Site Name", HFILL }},
7031 { &hf_netlogon_dns_forest_name,
7032 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
7033 NULL, 0, "DNS Forest Name", HFILL }},
7035 { &hf_netlogon_dc_address,
7036 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
7037 NULL, 0, "DC Address", HFILL }},
7039 { &hf_netlogon_dc_address_type,
7040 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
7041 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
7043 { &hf_netlogon_client_site_name,
7044 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
7045 NULL, 0, "Client Site Name", HFILL }},
7047 { &hf_netlogon_workstation_site_name,
7048 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
7049 NULL, 0, "Workstation Site Name", HFILL }},
7051 { &hf_netlogon_workstation,
7052 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
7053 NULL, 0, "Workstation Name", HFILL }},
7055 { &hf_netlogon_workstation_os,
7056 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
7057 NULL, 0, "Workstation OS", HFILL }},
7059 { &hf_netlogon_workstations,
7060 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
7061 NULL, 0, "Workstations", HFILL }},
7063 { &hf_netlogon_workstation_fqdn,
7064 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
7065 NULL, 0, "Workstation FQDN", HFILL }},
7067 { &hf_netlogon_group_name,
7068 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
7069 NULL, 0, "Group Name", HFILL }},
7071 { &hf_netlogon_alias_name,
7072 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
7073 NULL, 0, "Alias Name", HFILL }},
7075 { &hf_netlogon_dns_host,
7076 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
7077 NULL, 0, "DNS Host", HFILL }},
7079 { &hf_netlogon_downlevel_domain_name,
7080 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
7081 NULL, 0, "Downlevel Domain Name", HFILL }},
7083 { &hf_netlogon_dns_domain_name,
7084 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
7085 NULL, 0, "DNS Domain Name", HFILL }},
7087 { &hf_netlogon_domain_name,
7088 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
7089 NULL, 0, "Domain Name", HFILL }},
7091 { &hf_netlogon_oem_info,
7092 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
7093 NULL, 0, "OEM Info", HFILL }},
7095 { &hf_netlogon_trusted_dc_name,
7096 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
7097 NULL, 0, "Trusted DC", HFILL }},
7099 { &hf_netlogon_logonsrv_handle,
7100 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
7101 NULL, 0, "Logon Srv Handle", HFILL }},
7103 { &hf_netlogon_dummy,
7104 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
7105 NULL, 0, "Dummy string", HFILL }},
7107 { &hf_netlogon_logon_count16,
7108 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
7109 NULL, 0x0, "Number of successful logins", HFILL }},
7111 { &hf_netlogon_logon_count,
7112 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
7113 NULL, 0x0, "Number of successful logins", HFILL }},
7115 { &hf_netlogon_bad_pw_count16,
7116 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
7117 NULL, 0x0, "Number of failed logins", HFILL }},
7119 { &hf_netlogon_bad_pw_count,
7120 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
7121 NULL, 0x0, "Number of failed logins", HFILL }},
7123 { &hf_netlogon_country,
7124 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
7125 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
7127 { &hf_netlogon_codepage,
7128 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
7129 NULL, 0x0, "Codepage setting for this account", HFILL }},
7131 { &hf_netlogon_level16,
7132 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
7133 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7135 { &hf_netlogon_validation_level,
7136 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
7137 NULL, 0x0, "Requested level of validation", HFILL }},
7139 { &hf_netlogon_minpasswdlen,
7140 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
7141 NULL, 0x0, "Minimum length of password", HFILL }},
7143 { &hf_netlogon_passwdhistorylen,
7144 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
7145 NULL, 0x0, "Length of password history", HFILL }},
7147 { &hf_netlogon_secure_channel_type,
7148 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
7149 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
7151 { &hf_netlogon_restart_state,
7152 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
7153 NULL, 0x0, "Restart State", HFILL }},
7155 { &hf_netlogon_delta_type,
7156 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
7157 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
7159 { &hf_netlogon_blob_size,
7160 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
7161 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
7163 { &hf_netlogon_code,
7164 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
7165 NULL, 0x0, "Code", HFILL }},
7167 { &hf_netlogon_level,
7168 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
7169 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7171 { &hf_netlogon_reference,
7172 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
7173 NULL, 0x0, "", HFILL }},
7175 { &hf_netlogon_next_reference,
7176 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
7177 NULL, 0x0, "", HFILL }},
7179 { &hf_netlogon_timestamp,
7180 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
7181 NULL, 0, "", HFILL }},
7183 { &hf_netlogon_user_rid,
7184 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
7185 NULL, 0x0, "", HFILL }},
7187 { &hf_netlogon_alias_rid,
7188 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
7189 NULL, 0x0, "", HFILL }},
7191 { &hf_netlogon_group_rid,
7192 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
7193 NULL, 0x0, "", HFILL }},
7195 { &hf_netlogon_num_rids,
7196 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
7197 NULL, 0x0, "Number of RIDs", HFILL }},
7199 { &hf_netlogon_num_controllers,
7200 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
7201 NULL, 0x0, "Number of domain controllers", HFILL }},
7203 { &hf_netlogon_num_other_groups,
7204 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
7205 NULL, 0x0, "", HFILL }},
7207 { &hf_netlogon_flags,
7208 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
7209 NULL, 0x0, "", HFILL }},
7211 { &hf_netlogon_user_account_control,
7212 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
7213 NULL, 0x0, "User Account control", HFILL }},
7215 { &hf_netlogon_user_flags,
7216 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
7217 NULL, 0x0, "User flags", HFILL }},
7219 { &hf_netlogon_auth_flags,
7220 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
7221 NULL, 0x0, "", HFILL }},
7223 { &hf_netlogon_systemflags,
7224 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
7225 NULL, 0x0, "", HFILL }},
7227 { &hf_netlogon_database_id,
7228 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
7229 NULL, 0x0, "Database Id", HFILL }},
7231 { &hf_netlogon_sync_context,
7232 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
7233 NULL, 0x0, "Sync Context", HFILL }},
7235 { &hf_netlogon_max_size,
7236 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
7237 NULL, 0x0, "Max Size of database", HFILL }},
7239 { &hf_netlogon_max_log_size,
7240 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
7241 NULL, 0x0, "Max Size of log", HFILL }},
7243 { &hf_netlogon_pac_size,
7244 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
7245 NULL, 0x0, "Size of PacData in bytes", HFILL }},
7247 { &hf_netlogon_auth_size,
7248 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
7249 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
7251 { &hf_netlogon_num_deltas,
7252 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
7253 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
7255 { &hf_netlogon_num_trusts,
7256 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
7257 NULL, 0x0, "", HFILL }},
7259 { &hf_netlogon_logon_attempts,
7260 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
7261 NULL, 0x0, "Number of logon attempts", HFILL }},
7263 { &hf_netlogon_pagefilelimit,
7264 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
7265 NULL, 0x0, "", HFILL }},
7267 { &hf_netlogon_pagedpoollimit,
7268 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
7269 NULL, 0x0, "", HFILL }},
7271 { &hf_netlogon_nonpagedpoollimit,
7272 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
7273 NULL, 0x0, "", HFILL }},
7275 { &hf_netlogon_minworkingsetsize,
7276 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
7277 NULL, 0x0, "", HFILL }},
7279 { &hf_netlogon_maxworkingsetsize,
7280 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
7281 NULL, 0x0, "", HFILL }},
7283 { &hf_netlogon_serial_number,
7284 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
7285 NULL, 0x0, "", HFILL }},
7287 { &hf_netlogon_neg_flags,
7288 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
7289 NULL, 0x0, "Negotiation Flags", HFILL }},
7291 { &hf_netlogon_dc_flags,
7292 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
7293 NULL, 0x0, "Domain Controller Flags", HFILL }},
7295 { &hf_netlogon_dc_flags_pdc_flag,
7296 { "PDC", "netlogon.dc.flags.pdc",
7297 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
7298 "If this server is a PDC", HFILL }},
7300 { &hf_netlogon_dc_flags_gc_flag,
7301 { "GC", "netlogon.dc.flags.gc",
7302 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
7303 "If this server is a GC", HFILL }},
7305 { &hf_netlogon_dc_flags_ldap_flag,
7306 { "LDAP", "netlogon.dc.flags.ldap",
7307 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
7308 "If this is an LDAP server", HFILL }},
7310 { &hf_netlogon_dc_flags_ds_flag,
7311 { "DS", "netlogon.dc.flags.ds",
7312 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
7313 "If this server is a DS", HFILL }},
7315 { &hf_netlogon_dc_flags_kdc_flag,
7316 { "KDC", "netlogon.dc.flags.kdc",
7317 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
7318 "If this is a KDC", HFILL }},
7320 { &hf_netlogon_dc_flags_timeserv_flag,
7321 { "Timeserv", "netlogon.dc.flags.timeserv",
7322 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
7323 "If this server is a TimeServer", HFILL }},
7325 { &hf_netlogon_dc_flags_closest_flag,
7326 { "Closest", "netlogon.dc.flags.closest",
7327 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
7328 "If this is the closest server", HFILL }},
7330 { &hf_netlogon_dc_flags_writable_flag,
7331 { "Writable", "netlogon.dc.flags.writable",
7332 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
7333 "If this server can do updates to the database", HFILL }},
7335 { &hf_netlogon_dc_flags_good_timeserv_flag,
7336 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
7337 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
7338 "If this is a Good TimeServer", HFILL }},
7340 { &hf_netlogon_dc_flags_ndnc_flag,
7341 { "NDNC", "netlogon.dc.flags.ndnc",
7342 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
7343 "If this is an NDNC server", HFILL }},
7345 { &hf_netlogon_dc_flags_dns_controller_flag,
7346 { "DNS Controller", "netlogon.dc.flags.dns_controller",
7347 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
7348 "If this server is a DNS Controller", HFILL }},
7350 { &hf_netlogon_dc_flags_dns_domain_flag,
7351 { "DNS Domain", "netlogon.dc.flags.dns_domain",
7352 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
7355 { &hf_netlogon_dc_flags_dns_forest_flag,
7356 { "DNS Forest", "netlogon.dc.flags.dns_forest",
7357 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
7360 { &hf_netlogon_get_dcname_request_flags,
7361 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
7362 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
7364 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
7365 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
7366 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
7367 "Whether to allow the server to returned cached information or not", HFILL }},
7369 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
7370 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
7371 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
7372 "Whether we require that the returned DC supports w2k or not", HFILL }},
7374 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
7375 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
7376 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
7377 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
7379 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
7380 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
7381 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
7382 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
7384 { &hf_netlogon_get_dcname_request_flags_pdc_required,
7385 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
7386 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
7387 "Whether we require the returned DC to be the PDC", HFILL }},
7389 { &hf_netlogon_get_dcname_request_flags_background_only,
7390 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
7391 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
7392 "If we want cached data, even if it may have expired", HFILL }},
7394 { &hf_netlogon_get_dcname_request_flags_ip_required,
7395 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
7396 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
7397 "If we requre the IP of the DC in the reply", HFILL }},
7399 { &hf_netlogon_get_dcname_request_flags_kdc_required,
7400 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
7401 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
7402 "If we require that the returned server is a KDC", HFILL }},
7404 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
7405 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
7406 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
7407 "If we require the returned server to be a WindowsTimeServ server", HFILL }},
7409 { &hf_netlogon_get_dcname_request_flags_writable_required,
7410 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
7411 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
7412 "If we require that the returned server is writable", HFILL }},
7414 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
7415 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
7416 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
7417 "If we prefer Windows Time Servers", HFILL }},
7419 { &hf_netlogon_get_dcname_request_flags_avoid_self,
7420 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
7421 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
7422 "Return another DC than the one we ask", HFILL }},
7424 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
7425 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
7426 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
7427 "We just want an LDAP server, it does not have to be a DC", HFILL }},
7429 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
7430 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
7431 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
7432 "If the specified domain name is a NetBIOS name", HFILL }},
7434 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
7435 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
7436 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
7437 "If the specified domain name is a DNS name", HFILL }},
7439 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
7440 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
7441 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
7442 "Only return a DNS name (or an error)", HFILL }},
7444 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
7445 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
7446 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
7447 "Only return a NetBIOS name (or an error)", HFILL }},
7449 { &hf_netlogon_trust_attribs,
7450 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
7451 NULL, 0x0, "Trust Attributes", HFILL }},
7453 { &hf_netlogon_trust_attribs_non_transitive,
7454 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
7455 TFS(&trust_attribs_non_transitive), 0x00000001, "", HFILL }},
7457 { &hf_netlogon_trust_attribs_uplevel_only,
7458 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
7459 TFS(&trust_attribs_uplevel_only), 0x00000002, "", HFILL }},
7461 { &hf_netlogon_trust_attribs_quarantined_domain,
7462 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
7463 TFS(&trust_attribs_quarantined_domain), 0x00000004, "", HFILL }},
7465 { &hf_netlogon_trust_attribs_forest_transitive,
7466 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
7467 TFS(&trust_attribs_forest_transitive), 0x00000008, "", HFILL }},
7469 { &hf_netlogon_trust_attribs_cross_organization,
7470 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
7471 TFS(&trust_attribs_cross_organization), 0x00000010, "", HFILL }},
7473 { &hf_netlogon_trust_attribs_within_forest,
7474 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
7475 TFS(&trust_attribs_within_forest), 0x00000020, "", HFILL }},
7477 { &hf_netlogon_trust_attribs_treat_as_external,
7478 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
7479 TFS(&trust_attribs_treat_as_external), 0x00000040, "", HFILL }},
7481 { &hf_netlogon_trust_type,
7482 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
7483 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
7485 { &hf_netlogon_trust_flags,
7486 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
7487 NULL, 0x0, "Trust Flags", HFILL }},
7489 { &hf_netlogon_trust_flags_inbound,
7490 { "Inbound Trust", "netlogon.trust.flags.inbound",
7491 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
7492 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
7494 { &hf_netlogon_trust_flags_outbound,
7495 { "Outbound Trust", "netlogon.trust.flags.outbound",
7496 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
7497 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
7499 { &hf_netlogon_trust_flags_in_forest,
7500 { "In Forest", "netlogon.trust.flags.in_forest",
7501 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
7502 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
7504 { &hf_netlogon_trust_flags_native_mode,
7505 { "Native Mode", "netlogon.trust.flags.native_mode",
7506 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
7507 "Whether the domain is a w2k native mode domain or not", HFILL }},
7509 { &hf_netlogon_trust_flags_primary,
7510 { "Primary", "netlogon.trust.flags.primary",
7511 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
7512 "Whether the domain is the primary domain for the queried server or not", HFILL }},
7514 { &hf_netlogon_trust_flags_tree_root,
7515 { "Tree Root", "netlogon.trust.flags.tree_root",
7516 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
7517 "Whether the domain is the root of the tree for the queried server", HFILL }},
7519 { &hf_netlogon_trust_parent_index,
7520 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
7521 NULL, 0x0, "Parent Index", HFILL }},
7523 { &hf_netlogon_logon_time,
7524 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
7525 NULL, 0, "Time for last time this user logged on", HFILL }},
7527 { &hf_netlogon_kickoff_time,
7528 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7529 NULL, 0, "Time when this user will be kicked off", HFILL }},
7531 { &hf_netlogon_logoff_time,
7532 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7533 NULL, 0, "Time for last time this user logged off", HFILL }},
7535 { &hf_netlogon_last_logoff_time,
7536 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7537 NULL, 0, "Time for last time this user logged off", HFILL }},
7539 { &hf_netlogon_pwd_last_set_time,
7540 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7541 NULL, 0, "Last time this users password was changed", HFILL }},
7543 { &hf_netlogon_pwd_age,
7544 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
7545 NULL, 0, "Time since this users password was changed", HFILL }},
7547 { &hf_netlogon_pwd_can_change_time,
7548 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7549 NULL, 0, "When this users password may be changed", HFILL }},
7551 { &hf_netlogon_pwd_must_change_time,
7552 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7553 NULL, 0, "When this users password must be changed", HFILL }},
7555 { &hf_netlogon_domain_create_time,
7556 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7557 NULL, 0, "Time when this domain was created", HFILL }},
7559 { &hf_netlogon_domain_modify_time,
7560 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7561 NULL, 0, "Time when this domain was last modified", HFILL }},
7563 { &hf_netlogon_db_modify_time,
7564 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7565 NULL, 0, "Time when last modified", HFILL }},
7567 { &hf_netlogon_db_create_time,
7568 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7569 NULL, 0, "Time when created", HFILL }},
7571 { &hf_netlogon_cipher_current_set_time,
7572 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7573 NULL, 0, "Time when current cipher was initiated", HFILL }},
7575 { &hf_netlogon_cipher_old_set_time,
7576 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7577 NULL, 0, "Time when previous cipher was initiated", HFILL }},
7579 { &hf_netlogon_audit_retention_period,
7580 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
7581 NULL, 0, "Audit retention period", HFILL }},
7583 { &hf_netlogon_timelimit,
7584 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
7585 NULL, 0, "", HFILL }},
7587 /* Secure channel dissection */
7589 { &hf_netlogon_secchan_bind_unknown1,
7590 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7591 NULL, 0x0, "", HFILL }},
7593 { &hf_netlogon_secchan_bind_unknown2,
7594 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7595 NULL, 0x0, "", HFILL }},
7597 { &hf_netlogon_secchan_domain,
7598 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7599 NULL, 0, "", HFILL }},
7601 { &hf_netlogon_secchan_host,
7602 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7603 NULL, 0, "", HFILL }},
7605 { &hf_netlogon_secchan_bind_ack_unknown1,
7606 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
7607 BASE_HEX, NULL, 0x0, "", HFILL }},
7609 { &hf_netlogon_secchan_bind_ack_unknown2,
7610 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
7611 BASE_HEX, NULL, 0x0, "", HFILL }},
7613 { &hf_netlogon_secchan_bind_ack_unknown3,
7614 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
7615 BASE_HEX, NULL, 0x0, "", HFILL }},
7617 { &hf_netlogon_secchan_verf,
7618 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
7619 NULL, 0x0, "Verifier", HFILL }},
7621 { &hf_netlogon_secchan_verf_sig,
7622 { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL,
7623 0x0, "Signature", HFILL }},
7625 { &hf_netlogon_secchan_verf_digest,
7626 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_HEX, NULL,
7627 0x0, "Packet Digest", HFILL }},
7629 { &hf_netlogon_secchan_verf_seq,
7630 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL,
7631 0x0, "Sequence No", HFILL }},
7633 { &hf_netlogon_secchan_verf_nonce,
7634 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL,
7635 0x0, "Nonce", HFILL }},
7637 { &hf_netlogon_group_attrs_mandatory,
7638 { "Mandatory", "netlogon.groups.attrs.mandatory",
7639 FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
7640 "The group attributes MANDATORY flag", HFILL }},
7642 { &hf_netlogon_group_attrs_enabled_by_default,
7643 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
7644 FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
7645 "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
7647 { &hf_netlogon_group_attrs_enabled,
7648 { "Enabled", "netlogon.groups.attrs.enabled",
7649 FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
7650 "The group attributes ENABLED flag", HFILL }},
7652 { &hf_netlogon_user_flags_extra_sids,
7653 { "Extra SIDs", "netlogon.user.flags.extra_sids",
7654 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
7655 "The user flags EXTRA_SIDS", HFILL }},
7657 { &hf_netlogon_user_flags_resource_groups,
7658 { "Resource Groups", "netlogon.user.flags.resource_groups",
7659 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
7660 "The user flags RESOURCE_GROUPS", HFILL }},
7662 { &hf_netlogon_user_account_control_dont_require_preauth,
7663 { "Dont Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
7664 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
7665 "The user account control DONT_REQUIRE_PREAUTH flag ", HFILL }},
7667 { &hf_netlogon_user_account_control_use_des_key_only,
7668 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
7669 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
7670 "The user account control use_des_key_only flag ", HFILL }},
7672 { &hf_netlogon_user_account_control_not_delegated,
7673 { "Not Delegated", "netlogon.user.account_control.not_delegated",
7674 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
7675 "The user account control not_delegated flag ", HFILL }},
7677 { &hf_netlogon_user_account_control_trusted_for_delegation,
7678 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
7679 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
7680 "The user account control trusted_for_delegation flag ", HFILL }},
7682 { &hf_netlogon_user_account_control_smartcard_required,
7683 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
7684 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
7685 "The user account control smartcard_required flag ", HFILL }},
7687 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
7688 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
7689 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
7690 "The user account control encrypted_text_password_allowed flag ", HFILL }},
7692 { &hf_netlogon_user_account_control_account_auto_locked,
7693 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
7694 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
7695 "The user account control account_auto_locked flag ", HFILL }},
7697 { &hf_netlogon_user_account_control_dont_expire_password,
7698 { "Dont Expire Password", "netlogon.user.account_control.dont_expire_password",
7699 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
7700 "The user account control dont_expire_password flag ", HFILL }},
7702 { &hf_netlogon_user_account_control_server_trust_account,
7703 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
7704 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
7705 "The user account control server_trust_account flag ", HFILL }},
7707 { &hf_netlogon_user_account_control_workstation_trust_account,
7708 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
7709 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
7710 "The user account control workstation_trust_account flag ", HFILL }},
7712 { &hf_netlogon_user_account_control_interdomain_trust_account,
7713 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
7714 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
7715 "The user account control interdomain_trust_account flag ", HFILL }},
7717 { &hf_netlogon_user_account_control_mns_logon_account,
7718 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
7719 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
7720 "The user account control mns_logon_account flag ", HFILL }},
7722 { &hf_netlogon_user_account_control_normal_account,
7723 { "Normal Account", "netlogon.user.account_control.normal_account",
7724 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
7725 "The user account control normal_account flag ", HFILL }},
7727 { &hf_netlogon_user_account_control_temp_duplicate_account,
7728 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
7729 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
7730 "The user account control temp_duplicate_account flag ", HFILL }},
7732 { &hf_netlogon_user_account_control_password_not_required,
7733 { "Password Not Required", "netlogon.user.account_control.password_not_required",
7734 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
7735 "The user account control password_not_required flag ", HFILL }},
7737 { &hf_netlogon_user_account_control_home_directory_required,
7738 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
7739 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
7740 "The user account control home_directory_required flag ", HFILL }},
7742 { &hf_netlogon_user_account_control_account_disabled,
7743 { "Account Disabled", "netlogon.user.account_control.account_disabled",
7744 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
7745 "The user account control account_disabled flag ", HFILL }},
7749 static gint *ett[] = {
7750 &ett_dcerpc_netlogon,
7756 &ett_DOMAIN_CONTROLLER_INFO,
7757 &ett_UNICODE_STRING_512,
7760 &ett_DELTA_ID_UNION,
7763 &ett_LM_OWF_PASSWORD,
7764 &ett_NT_OWF_PASSWORD,
7765 &ett_GROUP_MEMBERSHIP,
7766 &ett_DS_DOMAIN_TRUSTS,
7768 &ett_DOMAIN_TRUST_INFO,
7771 &ett_get_dcname_request_flags,
7773 &ett_secchan_bind_creds,
7774 &ett_secchan_bind_ack_creds,
7778 &ett_user_account_control
7781 proto_dcerpc_netlogon = proto_register_protocol(
7782 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7784 proto_register_field_array(proto_dcerpc_netlogon, hf,
7786 proto_register_subtree_array(ett, array_length(ett));
7789 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
7790 dissect_secchan_bind_creds, /* Bind */
7791 dissect_secchan_bind_ack_creds, /* Bind ACK */
7793 dissect_secchan_verf, /* Request verifier */
7794 dissect_secchan_verf, /* Response verifier */
7795 NULL, /* Request data */
7796 NULL /* Response data */
7800 proto_reg_handoff_dcerpc_netlogon(void)
7802 /* Register protocol as dcerpc */
7804 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7805 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7806 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
7808 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
7809 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7811 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
7812 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,