1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.75 2003/02/10 23:45:56 guy Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_logon_count = -1;
116 static int hf_netlogon_logon_count16 = -1;
117 static int hf_netlogon_bad_pw_count = -1;
118 static int hf_netlogon_bad_pw_count16 = -1;
119 static int hf_netlogon_user_rid = -1;
120 static int hf_netlogon_alias_rid = -1;
121 static int hf_netlogon_group_rid = -1;
122 static int hf_netlogon_logon_srv = -1;
123 static int hf_netlogon_principal = -1;
124 static int hf_netlogon_logon_dom = -1;
125 static int hf_netlogon_downlevel_domain_name = -1;
126 static int hf_netlogon_dns_domain_name = -1;
127 static int hf_netlogon_domain_name = -1;
128 static int hf_netlogon_domain_create_time = -1;
129 static int hf_netlogon_domain_modify_time = -1;
130 static int hf_netlogon_modify_count = -1;
131 static int hf_netlogon_db_modify_time = -1;
132 static int hf_netlogon_db_create_time = -1;
133 static int hf_netlogon_oem_info = -1;
134 static int hf_netlogon_serial_number = -1;
135 static int hf_netlogon_num_rids = -1;
136 static int hf_netlogon_num_trusts = -1;
137 static int hf_netlogon_num_controllers = -1;
138 static int hf_netlogon_num_other_groups = -1;
139 static int hf_netlogon_computer_name = -1;
140 static int hf_netlogon_site_name = -1;
141 static int hf_netlogon_trusted_dc_name = -1;
142 static int hf_netlogon_dc_name = -1;
143 static int hf_netlogon_dc_site_name = -1;
144 static int hf_netlogon_dns_forest_name = -1;
145 static int hf_netlogon_dc_address = -1;
146 static int hf_netlogon_dc_address_type = -1;
147 static int hf_netlogon_client_site_name = -1;
148 static int hf_netlogon_workstation = -1;
149 static int hf_netlogon_workstation_site_name = -1;
150 static int hf_netlogon_workstation_os = -1;
151 static int hf_netlogon_workstations = -1;
152 static int hf_netlogon_workstation_fqdn = -1;
153 static int hf_netlogon_group_name = -1;
154 static int hf_netlogon_alias_name = -1;
155 static int hf_netlogon_country = -1;
156 static int hf_netlogon_codepage = -1;
157 static int hf_netlogon_flags = -1;
158 static int hf_netlogon_trust_attribs = -1;
159 static int hf_netlogon_trust_type = -1;
160 static int hf_netlogon_trust_flags = -1;
161 static int hf_netlogon_trust_flags_inbound = -1;
162 static int hf_netlogon_trust_flags_outbound = -1;
163 static int hf_netlogon_trust_flags_in_forest = -1;
164 static int hf_netlogon_trust_flags_native_mode = -1;
165 static int hf_netlogon_trust_flags_primary = -1;
166 static int hf_netlogon_trust_flags_tree_root = -1;
167 static int hf_netlogon_trust_parent_index = -1;
168 static int hf_netlogon_user_flags = -1;
169 static int hf_netlogon_auth_flags = -1;
170 static int hf_netlogon_pwd_expired = -1;
171 static int hf_netlogon_nt_pwd_present = -1;
172 static int hf_netlogon_lm_pwd_present = -1;
173 static int hf_netlogon_code = -1;
174 static int hf_netlogon_database_id = -1;
175 static int hf_netlogon_sync_context = -1;
176 static int hf_netlogon_max_size = -1;
177 static int hf_netlogon_max_log_size = -1;
178 static int hf_netlogon_dns_host = -1;
179 static int hf_netlogon_acct_expiry_time = -1;
180 static int hf_netlogon_encrypted_lm_owf_password = -1;
181 static int hf_netlogon_lm_owf_password = -1;
182 static int hf_netlogon_nt_owf_password = -1;
183 static int hf_netlogon_param_ctrl = -1;
184 static int hf_netlogon_logon_id = -1;
185 static int hf_netlogon_num_deltas = -1;
186 static int hf_netlogon_user_session_key = -1;
187 static int hf_netlogon_blob_size = -1;
188 static int hf_netlogon_blob = -1;
189 static int hf_netlogon_logon_attempts = -1;
190 static int hf_netlogon_authoritative = -1;
191 static int hf_netlogon_secure_channel_type = -1;
192 static int hf_netlogon_logonsrv_handle = -1;
193 static int hf_netlogon_delta_type = -1;
194 static int hf_netlogon_get_dcname_request_flags = -1;
195 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
196 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
197 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
198 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
199 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
200 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
201 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
202 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
203 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
204 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
205 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
206 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
207 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
208 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
209 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
210 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
211 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
212 static int hf_netlogon_dc_flags = -1;
213 static int hf_netlogon_dc_flags_pdc_flag = -1;
214 static int hf_netlogon_dc_flags_gc_flag = -1;
215 static int hf_netlogon_dc_flags_ldap_flag = -1;
216 static int hf_netlogon_dc_flags_ds_flag = -1;
217 static int hf_netlogon_dc_flags_kdc_flag = -1;
218 static int hf_netlogon_dc_flags_timeserv_flag = -1;
219 static int hf_netlogon_dc_flags_closest_flag = -1;
220 static int hf_netlogon_dc_flags_writable_flag = -1;
221 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
222 static int hf_netlogon_dc_flags_ndnc_flag = -1;
223 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
224 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
225 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
227 static gint ett_dcerpc_netlogon = -1;
228 static gint ett_QUOTA_LIMITS = -1;
229 static gint ett_IDENTITY_INFO = -1;
230 static gint ett_DELTA_ENUM = -1;
231 static gint ett_CYPHER_VALUE = -1;
232 static gint ett_UNICODE_MULTI = -1;
233 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
234 static gint ett_UNICODE_STRING_512 = -1;
235 static gint ett_TYPE_50 = -1;
236 static gint ett_TYPE_52 = -1;
237 static gint ett_DELTA_ID_UNION = -1;
238 static gint ett_TYPE_44 = -1;
239 static gint ett_DELTA_UNION = -1;
240 static gint ett_LM_OWF_PASSWORD = -1;
241 static gint ett_NT_OWF_PASSWORD = -1;
242 static gint ett_GROUP_MEMBERSHIP = -1;
243 static gint ett_BLOB = -1;
244 static gint ett_DS_DOMAIN_TRUSTS = -1;
245 static gint ett_DOMAIN_TRUST_INFO = -1;
246 static gint ett_trust_flags = -1;
247 static gint ett_get_dcname_request_flags = -1;
248 static gint ett_dc_flags = -1;
250 static e_uuid_t uuid_dcerpc_netlogon = {
251 0x12345678, 0x1234, 0xabcd,
252 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
255 static guint16 ver_dcerpc_netlogon = 1;
260 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
261 packet_info *pinfo, proto_tree *tree,
264 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
265 NDR_POINTER_UNIQUE, "Server Handle",
266 hf_netlogon_logonsrv_handle, 0);
272 * IDL typedef struct {
273 * IDL [unique][string] wchar_t *effective_name;
275 * IDL long auth_flags;
276 * IDL long logon_count;
277 * IDL long bad_pw_count;
278 * IDL long last_logon;
279 * IDL long last_logoff;
280 * IDL long logoff_time;
281 * IDL long kickoff_time;
282 * IDL long password_age;
283 * IDL long pw_can_change;
284 * IDL long pw_must_change;
285 * IDL [unique][string] wchar_t *computer;
286 * IDL [unique][string] wchar_t *domain;
287 * IDL [unique][string] wchar_t *script_path;
291 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
292 packet_info *pinfo, proto_tree *tree,
297 di=pinfo->private_data;
298 if(di->conformant_run){
299 /*just a run to handle conformant arrays, nothing to dissect */
303 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
304 NDR_POINTER_UNIQUE, "Effective Account",
305 hf_netlogon_acct_name, 0);
307 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
308 hf_netlogon_priv, NULL);
310 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
311 hf_netlogon_auth_flags, NULL);
313 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
314 hf_netlogon_logon_count, NULL);
316 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
317 hf_netlogon_bad_pw_count, NULL);
319 /* XXX - are these all UNIX "time_t"s, like the time stamps in
322 Or are they, as per some RAP-based operations, UTIMEs? */
323 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
326 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
329 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
332 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
335 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
338 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
341 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
344 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
345 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
347 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
348 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
350 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
351 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
353 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
354 hf_netlogon_reserved, NULL);
360 * IDL long NetLogonUasLogon(
361 * IDL [in][unique][string] wchar_t *ServerName,
362 * IDL [in][ref][string] wchar_t *UserName,
363 * IDL [in][ref][string] wchar_t *Workstation,
364 * IDL [out][unique] VALIDATION_UAS_INFO *info
368 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
369 packet_info *pinfo, proto_tree *tree, char *drep)
371 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
374 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
375 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
377 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
378 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
385 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
386 packet_info *pinfo, proto_tree *tree, char *drep)
388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
389 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
390 "VALIDATION_UAS_INFO", -1);
392 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
393 hf_netlogon_rc, NULL);
399 * IDL typedef struct {
401 * IDL short logon_count;
402 * IDL } LOGOFF_UAS_INFO;
405 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
406 packet_info *pinfo, proto_tree *tree,
411 di=pinfo->private_data;
412 if(di->conformant_run){
413 /*just a run to handle conformant arrays, nothing to dissect */
417 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
420 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
421 hf_netlogon_logon_count16, NULL);
427 * IDL long NetLogonUasLogoff(
428 * IDL [in][unique][string] wchar_t *ServerName,
429 * IDL [in][ref][string] wchar_t *UserName,
430 * IDL [in][ref][string] wchar_t *Workstation,
431 * IDL [out][ref] LOGOFF_UAS_INFO *info
435 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
436 packet_info *pinfo, proto_tree *tree, char *drep)
438 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
441 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
442 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
444 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
445 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
452 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
453 packet_info *pinfo, proto_tree *tree, char *drep)
455 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
456 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
457 "LOGOFF_UAS_INFO", -1);
459 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
460 hf_netlogon_rc, NULL);
469 * IDL typedef struct {
470 * IDL UNICODESTRING LogonDomainName;
471 * IDL long ParameterControl;
472 * IDL uint64 LogonID;
473 * IDL UNICODESTRING UserName;
474 * IDL UNICODESTRING Workstation;
475 * IDL } LOGON_IDENTITY_INFO;
478 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
479 packet_info *pinfo, proto_tree *parent_tree,
482 proto_item *item=NULL;
483 proto_tree *tree=NULL;
484 int old_offset=offset;
487 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
489 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
492 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
493 hf_netlogon_logon_dom, 0);
495 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
496 hf_netlogon_param_ctrl, NULL);
498 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
499 hf_netlogon_logon_id, NULL);
501 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
502 hf_netlogon_acct_name, 0);
504 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
505 hf_netlogon_workstation, 0);
508 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
509 /* XXX 8 extra bytes here */
510 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
511 the idl file. Could be a bug in either the NETLOGON implementation or in the
514 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
517 proto_item_set_len(item, offset-old_offset);
523 * IDL typedef struct {
524 * IDL char password[16];
525 * IDL } LM_OWF_PASSWORD;
528 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
529 packet_info *pinfo, proto_tree *parent_tree,
532 proto_item *item=NULL;
533 proto_tree *tree=NULL;
536 di=pinfo->private_data;
537 if(di->conformant_run){
538 /*just a run to handle conformant arrays, nothing to dissect.*/
543 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
545 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
548 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
556 * IDL typedef struct {
557 * IDL char password[16];
558 * IDL } NT_OWF_PASSWORD;
561 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
562 packet_info *pinfo, proto_tree *parent_tree,
565 proto_item *item=NULL;
566 proto_tree *tree=NULL;
569 di=pinfo->private_data;
570 if(di->conformant_run){
571 /*just a run to handle conformant arrays, nothing to dissect.*/
576 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
578 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
581 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
590 * IDL typedef struct {
591 * IDL LOGON_IDENTITY_INFO identity_info;
592 * IDL LM_OWF_PASSWORD lmpassword;
593 * IDL NT_OWF_PASSWORD ntpassword;
594 * IDL } INTERACTIVE_INFO;
597 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
598 packet_info *pinfo, proto_tree *tree,
601 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
604 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
607 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
614 * IDL typedef struct {
619 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
620 packet_info *pinfo, proto_tree *tree,
625 di=pinfo->private_data;
626 if(di->conformant_run){
627 /*just a run to handle conformant arrays, nothing to dissect.*/
631 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
639 * IDL typedef struct {
640 * IDL LOGON_IDENTITY_INFO logon_info;
641 * IDL CHALLENGE chal;
642 * IDL STRING ntchallengeresponse;
643 * IDL STRING lmchallengeresponse;
644 * IDL } NETWORK_INFO;
647 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
648 packet_info *pinfo, proto_tree *tree,
651 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
654 offset = netlogon_dissect_CHALLENGE(tvb, offset,
657 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
658 hf_netlogon_nt_chal_resp);
660 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
661 hf_netlogon_lm_chal_resp);
667 * IDL typedef struct {
668 * IDL LOGON_IDENTITY_INFO logon_info;
669 * IDL LM_OWF_PASSWORD lmpassword;
670 * IDL NT_OWF_PASSWORD ntpassword;
671 * IDL } SERVICE_INFO;
674 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
675 packet_info *pinfo, proto_tree *tree,
678 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
681 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
684 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
691 * IDL typedef [switch_type(short)] union {
692 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
693 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
694 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
698 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
699 packet_info *pinfo, proto_tree *tree,
704 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
705 hf_netlogon_level16, &level);
710 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
711 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
712 "INTERACTIVE_INFO:", -1);
715 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
716 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
717 "NETWORK_INFO:", -1);
720 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
721 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
722 "SERVICE_INFO:", -1);
730 * IDL typedef struct {
735 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
736 packet_info *pinfo, proto_tree *tree,
741 di=pinfo->private_data;
742 if(di->conformant_run){
743 /*just a run to handle conformant arrays, nothing to dissect.*/
747 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
756 * IDL typedef struct {
757 * IDL CREDENTIAL cred;
758 * IDL long timestamp;
759 * IDL } AUTHENTICATOR;
762 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
763 packet_info *pinfo, proto_tree *tree,
769 di=pinfo->private_data;
770 if(di->conformant_run){
771 /*just a run to handle conformant arrays, nothing to dissect */
775 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
779 * XXX - this appears to be a UNIX time_t in some credentials, but
780 * appears to be random junk in other credentials.
781 * For example, it looks like a UNIX time_t in "credential"
782 * AUTHENTICATORs, but like random junk in "return_authenticator"
786 ts.secs = tvb_get_letohl(tvb, offset);
788 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
796 * IDL typedef struct {
798 * IDL long attributes;
799 * IDL } GROUP_MEMBERSHIP;
802 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
803 packet_info *pinfo, proto_tree *parent_tree,
806 proto_item *item=NULL;
807 proto_tree *tree=NULL;
810 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
811 "GROUP_MEMBERSHIP:");
812 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
815 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
816 hf_netlogon_user_rid, NULL);
818 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
819 hf_netlogon_attrs, NULL);
825 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
826 packet_info *pinfo, proto_tree *tree,
829 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
830 netlogon_dissect_GROUP_MEMBERSHIP);
836 * IDL typedef struct {
837 * IDL char user_session_key[16];
838 * IDL } USER_SESSION_KEY;
841 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
842 packet_info *pinfo, proto_tree *tree,
847 di=pinfo->private_data;
848 if(di->conformant_run){
849 /*just a run to handle conformant arrays, nothing to dissect.*/
853 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
861 * IDL typedef struct {
862 * IDL uint64 LogonTime;
863 * IDL uint64 LogoffTime;
864 * IDL uint64 KickOffTime;
865 * IDL uint64 PasswdLastSet;
866 * IDL uint64 PasswdCanChange;
867 * IDL uint64 PasswdMustChange;
868 * IDL unicodestring effectivename;
869 * IDL unicodestring fullname;
870 * IDL unicodestring logonscript;
871 * IDL unicodestring profilepath;
872 * IDL unicodestring homedirectory;
873 * IDL unicodestring homedirectorydrive;
874 * IDL short LogonCount;
875 * IDL short BadPasswdCount;
877 * IDL long primarygroup;
878 * IDL long groupcount;
879 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
880 * IDL long userflags;
881 * IDL USER_SESSION_KEY key;
882 * IDL unicodestring logonserver;
883 * IDL unicodestring domainname;
884 * IDL [unique] SID logondomainid;
885 * IDL long expansionroom[10];
886 * IDL } VALIDATION_SAM_INFO;
889 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
890 packet_info *pinfo, proto_tree *tree,
895 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
896 hf_netlogon_logon_time);
898 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
899 hf_netlogon_logoff_time);
901 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
902 hf_netlogon_kickoff_time);
904 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
905 hf_netlogon_pwd_last_set_time);
907 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
908 hf_netlogon_pwd_can_change_time);
910 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
911 hf_netlogon_pwd_must_change_time);
913 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
914 hf_netlogon_acct_name, 0);
916 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
917 hf_netlogon_full_name, 0);
919 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
920 hf_netlogon_logon_script, 0);
922 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
923 hf_netlogon_profile_path, 0);
925 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
926 hf_netlogon_home_dir, 0);
928 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
929 hf_netlogon_dir_drive, 0);
931 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
932 hf_netlogon_logon_count16, NULL);
934 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
935 hf_netlogon_bad_pw_count16, NULL);
937 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
938 hf_netlogon_user_rid, NULL);
940 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
941 hf_netlogon_group_rid, NULL);
943 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
944 hf_netlogon_num_rids, NULL);
946 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
947 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
948 "GROUP_MEMBERSHIP_ARRAY", -1);
950 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
951 hf_netlogon_user_flags, NULL);
953 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
956 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
957 hf_netlogon_logon_srv, 0);
959 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
960 hf_netlogon_logon_dom, 0);
962 offset = dissect_ndr_nt_PSID(tvb, offset,
966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
967 hf_netlogon_reserved, NULL);
976 * IDL typedef struct {
977 * IDL uint64 LogonTime;
978 * IDL uint64 LogoffTime;
979 * IDL uint64 KickOffTime;
980 * IDL uint64 PasswdLastSet;
981 * IDL uint64 PasswdCanChange;
982 * IDL uint64 PasswdMustChange;
983 * IDL unicodestring effectivename;
984 * IDL unicodestring fullname;
985 * IDL unicodestring logonscript;
986 * IDL unicodestring profilepath;
987 * IDL unicodestring homedirectory;
988 * IDL unicodestring homedirectorydrive;
989 * IDL short LogonCount;
990 * IDL short BadPasswdCount;
992 * IDL long primarygroup;
993 * IDL long groupcount;
994 * IDL [unique] GROUP_MEMBERSHIP *groupids;
995 * IDL long userflags;
996 * IDL USER_SESSION_KEY key;
997 * IDL unicodestring logonserver;
998 * IDL unicodestring domainname;
999 * IDL [unique] SID logondomainid;
1000 * IDL long expansionroom[10];
1001 * IDL long sidcount;
1002 * IDL [unique] SID_AND_ATTRIBS;
1003 * IDL } VALIDATION_SAM_INFO2;
1006 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1007 packet_info *pinfo, proto_tree *tree,
1012 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1013 hf_netlogon_logon_time);
1015 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1016 hf_netlogon_logoff_time);
1018 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1019 hf_netlogon_kickoff_time);
1021 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1022 hf_netlogon_pwd_last_set_time);
1024 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1025 hf_netlogon_pwd_can_change_time);
1027 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1028 hf_netlogon_pwd_must_change_time);
1030 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1031 hf_netlogon_acct_name, 0);
1033 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1034 hf_netlogon_full_name, 0);
1036 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1037 hf_netlogon_logon_script, 0);
1039 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1040 hf_netlogon_profile_path, 0);
1042 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1043 hf_netlogon_home_dir, 0);
1045 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1046 hf_netlogon_dir_drive, 0);
1048 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1049 hf_netlogon_logon_count16, NULL);
1051 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1052 hf_netlogon_bad_pw_count16, NULL);
1054 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1055 hf_netlogon_user_rid, NULL);
1057 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1058 hf_netlogon_group_rid, NULL);
1060 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1061 hf_netlogon_num_rids, NULL);
1063 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1064 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1065 "GROUP_MEMBERSHIP_ARRAY", -1);
1067 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1068 hf_netlogon_user_flags, NULL);
1070 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1073 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1074 hf_netlogon_logon_srv, 0);
1076 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1077 hf_netlogon_logon_dom, 0);
1079 offset = dissect_ndr_nt_PSID(tvb, offset,
1083 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1084 hf_netlogon_unknown_long, NULL);
1087 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1088 hf_netlogon_num_other_groups, NULL);
1090 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1091 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1092 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1100 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1101 packet_info *pinfo, proto_tree *tree,
1107 di=pinfo->private_data;
1108 if(di->conformant_run){
1109 /*just a run to handle conformant arrays, nothing to dissect */
1113 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1114 hf_netlogon_pac_size, &pac_size);
1116 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1124 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1125 packet_info *pinfo, proto_tree *tree,
1131 di=pinfo->private_data;
1132 if(di->conformant_run){
1133 /*just a run to handle conformant arrays, nothing to dissect */
1137 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1138 hf_netlogon_auth_size, &auth_size);
1140 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1142 offset += auth_size;
1149 * IDL typedef struct {
1151 * IDL [unique][size_is(pac_size)] char *pac;
1152 * IDL UNICODESTRING logondomain;
1153 * IDL UNICODESTRING logonserver;
1154 * IDL UNICODESTRING principalname;
1155 * IDL long auth_size;
1156 * IDL [unique][size_is(auth_size)] char *auth;
1157 * IDL USER_SESSION_KEY user_session_key;
1158 * IDL long expansionroom[10];
1159 * IDL UNICODESTRING dummy1;
1160 * IDL UNICODESTRING dummy2;
1161 * IDL UNICODESTRING dummy3;
1162 * IDL UNICODESTRING dummy4;
1163 * IDL } VALIDATION_PAC_INFO;
1166 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1167 packet_info *pinfo, proto_tree *tree,
1172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1173 hf_netlogon_pac_size, NULL);
1175 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1176 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1178 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1179 hf_netlogon_logon_dom, 0);
1181 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1182 hf_netlogon_logon_srv, 0);
1184 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1185 hf_netlogon_principal, 0);
1187 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1188 hf_netlogon_auth_size, NULL);
1190 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1191 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1193 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1197 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1198 hf_netlogon_unknown_long, NULL);
1201 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1202 hf_netlogon_dummy, 0);
1204 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1205 hf_netlogon_dummy, 0);
1207 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1208 hf_netlogon_dummy, 0);
1210 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1211 hf_netlogon_dummy, 0);
1218 * IDL typedef [switch_type(short)] union {
1219 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1220 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1221 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1222 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1226 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1227 packet_info *pinfo, proto_tree *tree,
1232 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1233 hf_netlogon_validation_level, &level);
1238 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1239 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1240 "VALIDATION_SAM_INFO:", -1);
1243 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1244 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1245 "VALIDATION_SAM_INFO2:", -1);
1248 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1249 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1250 "VALIDATION_PAC_INFO:", -1);
1253 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1254 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1255 "VALIDATION_PAC_INFO:", -1);
1264 * IDL long NetLogonSamLogon(
1265 * IDL [in][unique][string] wchar_t *ServerName,
1266 * IDL [in][unique][string] wchar_t *Workstation,
1267 * IDL [in][unique] AUTHENTICATOR *credential,
1268 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1269 * IDL [in] short LogonLevel,
1270 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1271 * IDL [in] short ValidationLevel,
1272 * IDL [out][ref] VALIDATION *validation,
1273 * IDL [out][ref] boolean Authorative
1277 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1278 packet_info *pinfo, proto_tree *tree, char *drep)
1280 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1283 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1284 NDR_POINTER_UNIQUE, "Computer Name",
1285 hf_netlogon_computer_name, 0);
1287 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1288 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1289 "AUTHENTICATOR: credential", -1);
1291 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1292 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1293 "AUTHENTICATOR: return_authenticator", -1);
1295 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1296 hf_netlogon_level16, NULL);
1298 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1299 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1300 "LEVEL: LogonLevel", -1);
1302 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1303 hf_netlogon_validation_level, NULL);
1309 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1310 packet_info *pinfo, proto_tree *tree, char *drep)
1312 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1313 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1314 "AUTHENTICATOR: return_authenticator", -1);
1316 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1317 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1320 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1321 hf_netlogon_authoritative, NULL);
1323 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1324 hf_netlogon_rc, NULL);
1331 * IDL long NetLogonSamLogoff(
1332 * IDL [in][unique][string] wchar_t *ServerName,
1333 * IDL [in][unique][string] wchar_t *ComputerName,
1334 * IDL [in][unique] AUTHENTICATOR credential,
1335 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1336 * IDL [in] short logon_level,
1337 * IDL [in][ref] LEVEL logoninformation
1341 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1342 packet_info *pinfo, proto_tree *tree, char *drep)
1344 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1347 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1348 NDR_POINTER_UNIQUE, "Computer Name",
1349 hf_netlogon_computer_name, 0);
1351 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1352 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1353 "AUTHENTICATOR: credential", -1);
1355 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1356 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1357 "AUTHENTICATOR: return_authenticator", -1);
1359 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1360 hf_netlogon_level16, NULL);
1362 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1363 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1364 "LEVEL: logoninformation", -1);
1369 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1370 packet_info *pinfo, proto_tree *tree, char *drep)
1373 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1374 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1375 "AUTHENTICATOR: return_authenticator", -1);
1377 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1378 hf_netlogon_rc, NULL);
1385 * IDL long NetServerReqChallenge(
1386 * IDL [in][unique][string] wchar_t *ServerName,
1387 * IDL [in][ref][string] wchar_t *ComputerName,
1388 * IDL [in][ref] CREDENTIAL client_credential,
1389 * IDL [out][ref] CREDENTIAL server_credential
1393 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1394 packet_info *pinfo, proto_tree *tree, char *drep)
1396 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1399 offset = dissect_ndr_pointer_cb(
1400 tvb, offset, pinfo, tree, drep,
1401 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1402 "Computer Name", hf_netlogon_computer_name,
1404 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1406 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1407 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1408 "CREDENTIAL: client challenge", -1);
1413 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1414 packet_info *pinfo, proto_tree *tree, char *drep)
1416 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1417 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1418 "CREDENTIAL: server credential", -1);
1420 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1421 hf_netlogon_rc, NULL);
1428 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1429 packet_info *pinfo, proto_tree *tree,
1432 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1433 hf_netlogon_secure_channel_type, NULL);
1440 * IDL long NetServerAuthenticate(
1441 * IDL [in][unique][string] wchar_t *ServerName,
1442 * IDL [in][ref][string] wchar_t *UserName,
1443 * IDL [in] short secure_challenge_type,
1444 * IDL [in][ref][string] wchar_t *ComputerName,
1445 * IDL [in][ref] CREDENTIAL client_challenge,
1446 * IDL [out][ref] CREDENTIAL server_challenge
1450 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1451 packet_info *pinfo, proto_tree *tree, char *drep)
1453 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1456 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1457 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1459 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1462 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1463 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1465 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1466 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1467 "CREDENTIAL: client challenge", -1);
1472 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1473 packet_info *pinfo, proto_tree *tree, char *drep)
1475 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1476 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1477 "CREDENTIAL: server challenge", -1);
1479 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1480 hf_netlogon_rc, NULL);
1488 * IDL typedef struct {
1489 * IDL char encrypted_password[16];
1490 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1493 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1494 packet_info *pinfo, proto_tree *tree,
1499 di=pinfo->private_data;
1500 if(di->conformant_run){
1501 /*just a run to handle conformant arrays, nothing to dissect.*/
1505 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1513 * IDL long NetServerPasswordSet(
1514 * IDL [in][unique][string] wchar_t *ServerName,
1515 * IDL [in][ref][string] wchar_t *UserName,
1516 * IDL [in] short secure_challenge_type,
1517 * IDL [in][ref][string] wchar_t *ComputerName,
1518 * IDL [in][ref] AUTHENTICATOR credential,
1519 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1520 * IDL [out][ref] AUTHENTICATOR return_authenticator
1524 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1525 packet_info *pinfo, proto_tree *tree, char *drep)
1527 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1530 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1531 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1533 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1536 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1537 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1539 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1540 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1541 "AUTHENTICATOR: credential", -1);
1543 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1544 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1545 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
1550 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1551 packet_info *pinfo, proto_tree *tree, char *drep)
1553 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1554 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1555 "AUTHENTICATOR: return_authenticator", -1);
1557 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1558 hf_netlogon_rc, NULL);
1565 * IDL typedef struct {
1566 * IDL [unique][string] wchar_t *UserName;
1567 * IDL UNICODESTRING dummy1;
1568 * IDL UNICODESTRING dummy2;
1569 * IDL UNICODESTRING dummy3;
1570 * IDL UNICODESTRING dummy4;
1575 * IDL } DELTA_DELETE_USER;
1578 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1579 packet_info *pinfo, proto_tree *tree,
1582 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1583 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
1585 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1586 hf_netlogon_dummy, 0);
1588 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1589 hf_netlogon_dummy, 0);
1591 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1592 hf_netlogon_dummy, 0);
1594 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1595 hf_netlogon_dummy, 0);
1597 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1598 hf_netlogon_reserved, NULL);
1600 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1601 hf_netlogon_reserved, NULL);
1603 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1604 hf_netlogon_reserved, NULL);
1606 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1607 hf_netlogon_reserved, NULL);
1614 * IDL typedef struct {
1615 * IDL bool SensitiveDataFlag;
1616 * IDL long DataLength;
1617 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1618 * IDL } USER_PRIVATE_INFO;
1621 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1622 packet_info *pinfo, proto_tree *tree,
1628 di=pinfo->private_data;
1629 if(di->conformant_run){
1630 /*just a run to handle conformant arrays, nothing to dissect */
1634 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1635 hf_netlogon_sensitive_data_len, &data_len);
1637 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
1644 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1645 packet_info *pinfo, proto_tree *tree,
1648 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1649 hf_netlogon_sensitive_data_flag, NULL);
1651 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1652 hf_netlogon_sensitive_data_len, NULL);
1654 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1655 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1656 "SENSITIVE_DATA", -1);
1662 * IDL typedef struct {
1663 * IDL UNICODESTRING UserName;
1664 * IDL UNICODESTRING FullName;
1666 * IDL long PrimaryGroupID;
1667 * IDL UNICODESTRING HomeDir;
1668 * IDL UNICODESTRING HomeDirDrive;
1669 * IDL UNICODESTRING LogonScript;
1670 * IDL UNICODESTRING Comment;
1671 * IDL UNICODESTRING Workstations;
1672 * IDL NTTIME LastLogon;
1673 * IDL NTTIME LastLogoff;
1674 * IDL LOGON_HOURS logonhours;
1675 * IDL short BadPwCount;
1676 * IDL short LogonCount;
1677 * IDL NTTIME PwLastSet;
1678 * IDL NTTIME AccountExpires;
1679 * IDL long AccountControl;
1680 * IDL LM_OWF_PASSWORD lmpw;
1681 * IDL NT_OWF_PASSWORD ntpw;
1682 * IDL bool NTPwPresent;
1683 * IDL bool LMPwPresent;
1684 * IDL bool PwExpired;
1685 * IDL UNICODESTRING UserComment;
1686 * IDL UNICODESTRING Parameters;
1687 * IDL short CountryCode;
1688 * IDL short CodePage;
1689 * IDL USER_PRIVATE_INFO user_private_info;
1690 * IDL long SecurityInformation;
1691 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1692 * IDL UNICODESTRING dummy1;
1693 * IDL UNICODESTRING dummy2;
1694 * IDL UNICODESTRING dummy3;
1695 * IDL UNICODESTRING dummy4;
1703 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1704 packet_info *pinfo, proto_tree *tree,
1707 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1708 hf_netlogon_acct_name, 0);
1710 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1711 hf_netlogon_full_name, 0);
1713 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1714 hf_netlogon_user_rid, NULL);
1716 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1717 hf_netlogon_group_rid, NULL);
1719 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1720 hf_netlogon_home_dir, 0);
1722 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1723 hf_netlogon_dir_drive, 0);
1725 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1726 hf_netlogon_logon_script, 0);
1728 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1729 hf_netlogon_acct_desc, 0);
1731 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1732 hf_netlogon_workstations, 0);
1734 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1735 hf_netlogon_logon_time);
1737 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1738 hf_netlogon_logoff_time);
1740 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1742 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1743 hf_netlogon_bad_pw_count16, NULL);
1745 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1746 hf_netlogon_logon_count16, NULL);
1748 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1749 hf_netlogon_pwd_last_set_time);
1751 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1752 hf_netlogon_acct_expiry_time);
1754 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
1756 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1759 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1762 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1763 hf_netlogon_nt_pwd_present, NULL);
1765 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1766 hf_netlogon_lm_pwd_present, NULL);
1768 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_pwd_expired, NULL);
1771 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1772 hf_netlogon_comment, 0);
1774 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1775 hf_netlogon_parameters, 0);
1777 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1778 hf_netlogon_country, NULL);
1780 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1781 hf_netlogon_codepage, NULL);
1783 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1786 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1787 hf_netlogon_security_information, NULL);
1789 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1792 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1793 hf_netlogon_dummy, 0);
1795 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1796 hf_netlogon_dummy, 0);
1798 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1799 hf_netlogon_dummy, 0);
1801 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1802 hf_netlogon_dummy, 0);
1804 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1805 hf_netlogon_reserved, NULL);
1807 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1808 hf_netlogon_reserved, NULL);
1810 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1811 hf_netlogon_reserved, NULL);
1813 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1814 hf_netlogon_reserved, NULL);
1821 * IDL typedef struct {
1822 * IDL UNICODESTRING DomainName;
1823 * IDL UNICODESTRING OEMInfo;
1824 * IDL NTTIME forcedlogoff;
1825 * IDL short minpasswdlen;
1826 * IDL short passwdhistorylen;
1827 * IDL NTTIME pwd_must_change_time;
1828 * IDL NTTIME pwd_can_change_time;
1829 * IDL NTTIME domain_modify_time;
1830 * IDL NTTIME domain_create_time;
1831 * IDL long SecurityInformation;
1832 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1833 * IDL UNICODESTRING dummy1;
1834 * IDL UNICODESTRING dummy2;
1835 * IDL UNICODESTRING dummy3;
1836 * IDL UNICODESTRING dummy4;
1841 * IDL } DELTA_DOMAIN;
1844 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1845 packet_info *pinfo, proto_tree *tree,
1848 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1849 hf_netlogon_domain_name, 1);
1851 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1852 hf_netlogon_oem_info, 0);
1854 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1855 hf_netlogon_kickoff_time);
1857 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1858 hf_netlogon_minpasswdlen, NULL);
1860 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1861 hf_netlogon_passwdhistorylen, NULL);
1863 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1864 hf_netlogon_pwd_must_change_time);
1866 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1867 hf_netlogon_pwd_can_change_time);
1869 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1870 hf_netlogon_domain_modify_time);
1872 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1873 hf_netlogon_domain_create_time);
1875 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1876 hf_netlogon_security_information, NULL);
1878 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1881 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1882 hf_netlogon_dummy, 0);
1884 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1885 hf_netlogon_dummy, 0);
1887 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1888 hf_netlogon_dummy, 0);
1890 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1891 hf_netlogon_dummy, 0);
1893 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1894 hf_netlogon_reserved, NULL);
1896 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1897 hf_netlogon_reserved, NULL);
1899 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1900 hf_netlogon_reserved, NULL);
1902 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1903 hf_netlogon_reserved, NULL);
1910 * IDL typedef struct {
1911 * IDL UNICODESTRING groupname;
1912 * IDL GROUP_MEMBERSHIP group_membership;
1913 * IDL UNICODESTRING comment;
1914 * IDL long SecurityInformation;
1915 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1916 * IDL UNICODESTRING dummy1;
1917 * IDL UNICODESTRING dummy2;
1918 * IDL UNICODESTRING dummy3;
1919 * IDL UNICODESTRING dummy4;
1924 * IDL } DELTA_GROUP;
1927 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1928 packet_info *pinfo, proto_tree *tree,
1931 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1932 hf_netlogon_group_name, 0);
1934 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1937 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1938 hf_netlogon_group_desc, 0);
1940 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1941 hf_netlogon_security_information, NULL);
1943 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1946 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1947 hf_netlogon_dummy, 0);
1949 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1950 hf_netlogon_dummy, 0);
1952 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1953 hf_netlogon_dummy, 0);
1955 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1956 hf_netlogon_dummy, 0);
1958 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1959 hf_netlogon_reserved, NULL);
1961 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1962 hf_netlogon_reserved, NULL);
1964 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1965 hf_netlogon_reserved, NULL);
1967 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1968 hf_netlogon_reserved, NULL);
1975 * IDL typedef struct {
1976 * IDL UNICODESTRING OldName;
1977 * IDL UNICODESTRING NewName;
1978 * IDL UNICODESTRING dummy1;
1979 * IDL UNICODESTRING dummy2;
1980 * IDL UNICODESTRING dummy3;
1981 * IDL UNICODESTRING dummy4;
1986 * IDL } DELTA_RENAME;
1989 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
1990 packet_info *pinfo, proto_tree *tree,
1995 di=pinfo->private_data;
1997 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2000 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2003 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2004 hf_netlogon_dummy, 0);
2006 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2007 hf_netlogon_dummy, 0);
2009 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2010 hf_netlogon_dummy, 0);
2012 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2013 hf_netlogon_dummy, 0);
2015 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2016 hf_netlogon_reserved, NULL);
2018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2019 hf_netlogon_reserved, NULL);
2021 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2022 hf_netlogon_reserved, NULL);
2024 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2025 hf_netlogon_reserved, NULL);
2032 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2033 packet_info *pinfo, proto_tree *tree,
2036 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2037 hf_netlogon_user_rid, NULL);
2043 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2044 packet_info *pinfo, proto_tree *tree,
2047 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2048 netlogon_dissect_RID);
2054 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2055 packet_info *pinfo, proto_tree *tree,
2058 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2059 hf_netlogon_attrs, NULL);
2065 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2066 packet_info *pinfo, proto_tree *tree,
2069 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2070 netlogon_dissect_ATTRIB);
2076 * IDL typedef struct {
2077 * IDL [unique][size_is(num_rids)] long *rids;
2078 * IDL [unique][size_is(num_rids)] long *attribs;
2079 * IDL long num_rids;
2084 * IDL } DELTA_GROUP_MEMBER;
2087 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2088 packet_info *pinfo, proto_tree *tree,
2091 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2092 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2095 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2096 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2099 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2100 hf_netlogon_num_rids, NULL);
2102 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2103 hf_netlogon_reserved, NULL);
2105 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2106 hf_netlogon_reserved, NULL);
2108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2109 hf_netlogon_reserved, NULL);
2111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2112 hf_netlogon_reserved, NULL);
2119 * IDL typedef struct {
2120 * IDL UNICODESTRING alias_name;
2122 * IDL long SecurityInformation;
2123 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2124 * IDL UNICODESTRING dummy1;
2125 * IDL UNICODESTRING dummy2;
2126 * IDL UNICODESTRING dummy3;
2127 * IDL UNICODESTRING dummy4;
2132 * IDL } DELTA_ALIAS;
2135 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2136 packet_info *pinfo, proto_tree *tree,
2139 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2140 hf_netlogon_alias_name, 0);
2142 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2143 hf_netlogon_alias_rid, NULL);
2145 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2146 hf_netlogon_security_information, NULL);
2148 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2151 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2152 hf_netlogon_dummy, 0);
2154 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2155 hf_netlogon_dummy, 0);
2157 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2158 hf_netlogon_dummy, 0);
2160 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2161 hf_netlogon_dummy, 0);
2163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2164 hf_netlogon_reserved, NULL);
2166 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2167 hf_netlogon_reserved, NULL);
2169 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2170 hf_netlogon_reserved, NULL);
2172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2173 hf_netlogon_reserved, NULL);
2180 * IDL typedef struct {
2181 * IDL [unique] SID_ARRAY sids;
2186 * IDL } DELTA_ALIAS_MEMBER;
2189 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2190 packet_info *pinfo, proto_tree *tree,
2193 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2195 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2196 hf_netlogon_reserved, NULL);
2198 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2199 hf_netlogon_reserved, NULL);
2201 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2202 hf_netlogon_reserved, NULL);
2204 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2205 hf_netlogon_reserved, NULL);
2212 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2213 packet_info *pinfo, proto_tree *tree,
2216 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2217 hf_netlogon_event_audit_option, NULL);
2223 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2224 packet_info *pinfo, proto_tree *tree,
2227 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2228 netlogon_dissect_EVENT_AUDIT_OPTION);
2235 * IDL typedef struct {
2236 * IDL long pagedpoollimit;
2237 * IDL long nonpagedpoollimit;
2238 * IDL long minimumworkingsetsize;
2239 * IDL long maximumworkingsetsize;
2240 * IDL long pagefilelimit;
2241 * IDL NTTIME timelimit;
2242 * IDL } QUOTA_LIMITS;
2245 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2246 packet_info *pinfo, proto_tree *parent_tree,
2249 proto_item *item=NULL;
2250 proto_tree *tree=NULL;
2251 int old_offset=offset;
2254 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2256 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2259 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2260 hf_netlogon_pagedpoollimit, NULL);
2262 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2263 hf_netlogon_nonpagedpoollimit, NULL);
2265 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2266 hf_netlogon_minworkingsetsize, NULL);
2268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2269 hf_netlogon_maxworkingsetsize, NULL);
2271 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2272 hf_netlogon_pagefilelimit, NULL);
2274 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2275 hf_netlogon_timelimit);
2277 proto_item_set_len(item, offset-old_offset);
2283 * IDL typedef struct {
2284 * IDL long maxlogsize;
2285 * IDL NTTIME auditretentionperiod;
2286 * IDL bool auditingmode;
2287 * IDL long maxauditeventcount;
2288 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2289 * IDL UNICODESTRING primarydomainname;
2290 * IDL [unique] SID *sid;
2291 * IDL QUOTA_LIMITS quota_limits;
2292 * IDL NTTIME db_modify_time;
2293 * IDL NTTIME db_create_time;
2294 * IDL long SecurityInformation;
2295 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2296 * IDL UNICODESTRING dummy1;
2297 * IDL UNICODESTRING dummy2;
2298 * IDL UNICODESTRING dummy3;
2299 * IDL UNICODESTRING dummy4;
2304 * IDL } DELTA_POLICY;
2307 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2308 packet_info *pinfo, proto_tree *tree,
2311 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2312 hf_netlogon_max_log_size, NULL);
2314 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2315 hf_netlogon_audit_retention_period);
2317 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2318 hf_netlogon_auditing_mode, NULL);
2320 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2321 hf_netlogon_max_audit_event_count, NULL);
2323 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2324 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2325 "Event Audit Options:", -1);
2327 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2328 hf_netlogon_domain_name, 0);
2330 offset = dissect_ndr_nt_PSID(tvb, offset,
2333 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2336 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2337 hf_netlogon_db_modify_time);
2339 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2340 hf_netlogon_db_create_time);
2342 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2343 hf_netlogon_security_information, NULL);
2345 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2348 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2349 hf_netlogon_dummy, 0);
2351 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2352 hf_netlogon_dummy, 0);
2354 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2355 hf_netlogon_dummy, 0);
2357 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2358 hf_netlogon_dummy, 0);
2360 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2361 hf_netlogon_reserved, NULL);
2363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2364 hf_netlogon_reserved, NULL);
2366 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2367 hf_netlogon_reserved, NULL);
2369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2370 hf_netlogon_reserved, NULL);
2377 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2378 packet_info *pinfo, proto_tree *tree,
2381 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2382 hf_netlogon_dc_name, 0);
2388 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2389 packet_info *pinfo, proto_tree *tree,
2392 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2393 netlogon_dissect_CONTROLLER);
2400 * IDL typedef struct {
2401 * IDL UNICODESTRING DomainName;
2402 * IDL long num_controllers;
2403 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2404 * IDL long SecurityInformation;
2405 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2406 * IDL UNICODESTRING dummy1;
2407 * IDL UNICODESTRING dummy2;
2408 * IDL UNICODESTRING dummy3;
2409 * IDL UNICODESTRING dummy4;
2414 * IDL } DELTA_TRUSTED_DOMAINS;
2417 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2418 packet_info *pinfo, proto_tree *tree,
2421 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2422 hf_netlogon_domain_name, 0);
2424 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2425 hf_netlogon_num_controllers, NULL);
2427 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2428 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2429 "Domain Controllers:", -1);
2431 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2432 hf_netlogon_security_information, NULL);
2434 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2437 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2438 hf_netlogon_dummy, 0);
2440 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2441 hf_netlogon_dummy, 0);
2443 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2444 hf_netlogon_dummy, 0);
2446 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2447 hf_netlogon_dummy, 0);
2449 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2450 hf_netlogon_reserved, NULL);
2452 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2453 hf_netlogon_reserved, NULL);
2455 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2456 hf_netlogon_reserved, NULL);
2458 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2459 hf_netlogon_reserved, NULL);
2466 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2467 packet_info *pinfo, proto_tree *tree,
2470 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2471 hf_netlogon_attrs, NULL);
2477 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2478 packet_info *pinfo, proto_tree *tree,
2481 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2482 netlogon_dissect_PRIV_ATTR);
2488 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2489 packet_info *pinfo, proto_tree *tree,
2492 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2493 hf_netlogon_privilege_name, 1);
2499 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2500 packet_info *pinfo, proto_tree *tree,
2503 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2504 netlogon_dissect_PRIV_NAME);
2512 * IDL typedef struct {
2513 * IDL long privilegeentries;
2514 * IDL long provolegecontrol;
2515 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2516 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2517 * IDL QUOTALIMITS quotalimits;
2518 * IDL long SecurityInformation;
2519 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2520 * IDL UNICODESTRING dummy1;
2521 * IDL UNICODESTRING dummy2;
2522 * IDL UNICODESTRING dummy3;
2523 * IDL UNICODESTRING dummy4;
2528 * IDL } DELTA_ACCOUNTS;
2531 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2532 packet_info *pinfo, proto_tree *tree,
2535 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2536 hf_netlogon_privilege_entries, NULL);
2538 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2539 hf_netlogon_privilege_control, NULL);
2541 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2542 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2543 "PRIV_ATTR_ARRAY:", -1);
2545 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2546 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2547 "PRIV_NAME_ARRAY:", -1);
2549 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2552 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2553 hf_netlogon_systemflags, NULL);
2555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2556 hf_netlogon_security_information, NULL);
2558 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2561 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2562 hf_netlogon_dummy, 0);
2564 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2565 hf_netlogon_dummy, 0);
2567 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2568 hf_netlogon_dummy, 0);
2570 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2571 hf_netlogon_dummy, 0);
2573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2574 hf_netlogon_reserved, NULL);
2576 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2577 hf_netlogon_reserved, NULL);
2579 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2580 hf_netlogon_reserved, NULL);
2582 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2583 hf_netlogon_reserved, NULL);
2589 * IDL typedef struct {
2592 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2593 * IDL } CIPHER_VALUE;
2596 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2597 packet_info *pinfo, proto_tree *tree,
2603 di=pinfo->private_data;
2604 if(di->conformant_run){
2605 /*just a run to handle conformant arrays, nothing to dissect */
2609 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2610 hf_netlogon_cipher_maxlen, NULL);
2615 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2616 hf_netlogon_cipher_len, &data_len);
2618 proto_tree_add_item(tree, di->hf_index, tvb, offset,
2625 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2626 packet_info *pinfo, proto_tree *parent_tree,
2627 char *drep, char *name, int hf_index)
2629 proto_item *item=NULL;
2630 proto_tree *tree=NULL;
2631 int old_offset=offset;
2634 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2636 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2639 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2640 hf_netlogon_cipher_len, NULL);
2642 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2643 hf_netlogon_cipher_maxlen, NULL);
2645 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2646 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
2649 proto_item_set_len(item, offset-old_offset);
2654 * IDL typedef struct {
2655 * IDL CIPHER_VALUE current_cipher;
2656 * IDL NTTIME current_cipher_set_time;
2657 * IDL CIPHER_VALUE old_cipher;
2658 * IDL NTTIME old_cipher_set_time;
2659 * IDL long SecurityInformation;
2660 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2661 * IDL UNICODESTRING dummy1;
2662 * IDL UNICODESTRING dummy2;
2663 * IDL UNICODESTRING dummy3;
2664 * IDL UNICODESTRING dummy4;
2669 * IDL } DELTA_SECRET;
2672 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2673 packet_info *pinfo, proto_tree *tree,
2676 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2678 "CIPHER_VALUE: current cipher value",
2679 hf_netlogon_cipher_current_data);
2681 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2682 hf_netlogon_cipher_current_set_time);
2684 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2686 "CIPHER_VALUE: old cipher value",
2687 hf_netlogon_cipher_old_data);
2689 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2690 hf_netlogon_cipher_old_set_time);
2692 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2693 hf_netlogon_security_information, NULL);
2695 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2698 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2699 hf_netlogon_dummy, 0);
2701 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2702 hf_netlogon_dummy, 0);
2704 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2705 hf_netlogon_dummy, 0);
2707 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2708 hf_netlogon_dummy, 0);
2710 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2711 hf_netlogon_reserved, NULL);
2713 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2714 hf_netlogon_reserved, NULL);
2716 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2717 hf_netlogon_reserved, NULL);
2719 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2720 hf_netlogon_reserved, NULL);
2726 * IDL typedef struct {
2727 * IDL long low_value;
2728 * IDL long high_value;
2732 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2733 packet_info *pinfo, proto_tree *tree,
2736 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2737 hf_netlogon_modify_count, NULL);
2743 #define DT_DELTA_DOMAIN 1
2744 #define DT_DELTA_GROUP 2
2745 #define DT_DELTA_RENAME_GROUP 4
2746 #define DT_DELTA_USER 5
2747 #define DT_DELTA_RENAME_USER 7
2748 #define DT_DELTA_GROUP_MEMBER 8
2749 #define DT_DELTA_ALIAS 9
2750 #define DT_DELTA_RENAME_ALIAS 11
2751 #define DT_DELTA_ALIAS_MEMBER 12
2752 #define DT_DELTA_POLICY 13
2753 #define DT_DELTA_TRUSTED_DOMAINS 14
2754 #define DT_DELTA_ACCOUNTS 16
2755 #define DT_DELTA_SECRET 18
2756 #define DT_DELTA_DELETE_GROUP 20
2757 #define DT_DELTA_DELETE_USER 21
2758 #define DT_MODIFIED_COUNT 22
2759 static const value_string delta_type_vals[] = {
2760 { DT_DELTA_DOMAIN, "Domain" },
2761 { DT_DELTA_GROUP, "Group" },
2762 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2763 { DT_DELTA_USER, "User" },
2764 { DT_DELTA_RENAME_USER, "Rename User" },
2765 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2766 { DT_DELTA_ALIAS, "Alias" },
2767 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2768 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2769 { DT_DELTA_POLICY, "Policy" },
2770 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2771 { DT_DELTA_ACCOUNTS, "Accounts" },
2772 { DT_DELTA_SECRET, "Secret" },
2773 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2774 { DT_DELTA_DELETE_USER, "Delete User" },
2775 { DT_MODIFIED_COUNT, "Modified Count" },
2779 * IDL typedef [switch_type(short)] union {
2780 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2781 * IDL [case(2)][unique] DELTA_GROUP *group;
2782 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2783 * IDL [case(5)][unique] DELTA_USER *user;
2784 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2785 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2786 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2787 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2788 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2789 * IDL [case(13)][unique] DELTA_POLICY *policy;
2790 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2791 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2792 * IDL [case(18)][unique] DELTA_SECRET *secret;
2793 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2794 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2795 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2796 * IDL } DELTA_UNION;
2799 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2800 packet_info *pinfo, proto_tree *parent_tree,
2803 proto_item *item=NULL;
2804 proto_tree *tree=NULL;
2805 int old_offset=offset;
2809 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2811 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2814 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2815 hf_netlogon_delta_type, &level);
2820 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2821 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2822 "DELTA_DOMAIN:", -1);
2825 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2826 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2827 "DELTA_GROUP:", -1);
2830 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2831 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2832 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
2835 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2836 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2840 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2841 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2842 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
2845 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2846 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2847 "DELTA_GROUP_MEMBER:", -1);
2850 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2851 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2852 "DELTA_ALIAS:", -1);
2855 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2856 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2857 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
2860 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2861 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2862 "DELTA_ALIAS_MEMBER:", -1);
2865 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2866 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2867 "DELTA_POLICY:", -1);
2870 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2871 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2872 "DELTA_TRUSTED_DOMAINS:", -1);
2875 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2876 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2877 "DELTA_ACCOUNTS:", -1);
2880 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2881 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2882 "DELTA_SECRET:", -1);
2885 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2886 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2887 "DELTA_DELETE_GROUP:", -1);
2890 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2891 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2892 "DELTA_DELETE_USER:", -1);
2895 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2896 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2897 "MODIFIED_COUNT:", -1);
2901 proto_item_set_len(item, offset-old_offset);
2907 /* IDL XXX must verify this one, especially 13-19
2908 * IDL typedef [switch_type(short)] union {
2909 * IDL [case(1)] long rid;
2910 * IDL [case(2)] long rid;
2911 * IDL [case(3)] long rid;
2912 * IDL [case(4)] long rid;
2913 * IDL [case(5)] long rid;
2914 * IDL [case(6)] long rid;
2915 * IDL [case(7)] long rid;
2916 * IDL [case(8)] long rid;
2917 * IDL [case(9)] long rid;
2918 * IDL [case(10)] long rid;
2919 * IDL [case(11)] long rid;
2920 * IDL [case(12)] long rid;
2921 * IDL [case(13)] [unique] SID *sid;
2922 * IDL [case(14)] [unique] SID *sid;
2923 * IDL [case(15)] [unique] SID *sid;
2924 * IDL [case(16)] [unique] SID *sid;
2925 * IDL [case(17)] [unique] SID *sid;
2926 * IDL [case(18)] [unique][string] wchar_t *Name ;
2927 * IDL [case(19)] [unique][string] wchar_t *Name ;
2928 * IDL [case(20)] long rid;
2929 * IDL [case(21)] long rid;
2930 * IDL } DELTA_ID_UNION;
2933 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2934 packet_info *pinfo, proto_tree *parent_tree,
2937 proto_item *item=NULL;
2938 proto_tree *tree=NULL;
2939 int old_offset=offset;
2943 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2945 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2948 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2949 hf_netlogon_level16, &level);
2954 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2955 hf_netlogon_user_rid, NULL);
2958 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2959 hf_netlogon_user_rid, NULL);
2962 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2963 hf_netlogon_user_rid, NULL);
2966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2967 hf_netlogon_user_rid, NULL);
2970 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2971 hf_netlogon_user_rid, NULL);
2974 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2975 hf_netlogon_user_rid, NULL);
2978 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2979 hf_netlogon_user_rid, NULL);
2982 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2983 hf_netlogon_user_rid, NULL);
2986 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2987 hf_netlogon_user_rid, NULL);
2990 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2991 hf_netlogon_user_rid, NULL);
2994 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2995 hf_netlogon_user_rid, NULL);
2998 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2999 hf_netlogon_user_rid, NULL);
3002 offset = dissect_ndr_nt_PSID(tvb, offset,
3006 offset = dissect_ndr_nt_PSID(tvb, offset,
3010 offset = dissect_ndr_nt_PSID(tvb, offset,
3014 offset = dissect_ndr_nt_PSID(tvb, offset,
3018 offset = dissect_ndr_nt_PSID(tvb, offset,
3022 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3023 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3024 hf_netlogon_unknown_string, 0);
3027 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3028 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3029 hf_netlogon_unknown_string, 0);
3032 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3033 hf_netlogon_user_rid, NULL);
3036 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3037 hf_netlogon_user_rid, NULL);
3041 proto_item_set_len(item, offset-old_offset);
3046 * IDL typedef struct {
3047 * IDL short delta_type;
3048 * IDL DELTA_ID_UNION delta_id_union;
3049 * IDL DELTA_UNION delta_union;
3053 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3054 packet_info *pinfo, proto_tree *parent_tree,
3057 proto_item *item=NULL;
3058 proto_tree *tree=NULL;
3059 int old_offset=offset;
3062 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3064 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3067 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3068 hf_netlogon_delta_type, NULL);
3070 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3073 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3076 proto_item_set_len(item, offset-old_offset);
3081 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3082 packet_info *pinfo, proto_tree *tree,
3085 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3086 netlogon_dissect_DELTA_ENUM);
3092 * IDL typedef struct {
3093 * IDL long num_deltas;
3094 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3095 * IDL } DELTA_ENUM_ARRAY;
3098 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3099 packet_info *pinfo, proto_tree *tree,
3102 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3103 hf_netlogon_num_deltas, NULL);
3105 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3106 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3107 "DELTA_ENUM: deltas", -1);
3114 * IDL long NetDatabaseDeltas(
3115 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3116 * IDL [in][string][ref] wchar_t *computername,
3117 * IDL [in][ref] AUTHENTICATOR credential,
3118 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3119 * IDL [in] long database_id,
3120 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3121 * IDL [in] long preferredmaximumlength,
3122 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3126 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3127 packet_info *pinfo, proto_tree *tree, char *drep)
3129 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3130 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3132 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3133 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3135 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3136 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3137 "AUTHENTICATOR: credential", -1);
3139 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3140 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3141 "AUTHENTICATOR: return_authenticator", -1);
3143 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3144 hf_netlogon_database_id, NULL);
3146 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3147 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3148 "MODIFIED_COUNT: domain modified count", -1);
3150 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3151 hf_netlogon_max_size, NULL);
3156 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3157 packet_info *pinfo, proto_tree *tree, char *drep)
3159 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3160 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3161 "AUTHENTICATOR: return_authenticator", -1);
3163 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3164 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3165 "MODIFIED_COUNT: domain modified count", -1);
3167 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3168 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3169 "DELTA_ENUM_ARRAY: deltas", -1);
3171 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3172 hf_netlogon_rc, NULL);
3179 * IDL long NetDatabaseSync(
3180 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3181 * IDL [in][string][ref] wchar_t *computername,
3182 * IDL [in][ref] AUTHENTICATOR credential,
3183 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3184 * IDL [in] long database_id,
3185 * IDL [in][out][ref] long sync_context,
3186 * IDL [in] long preferredmaximumlength,
3187 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3191 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3192 packet_info *pinfo, proto_tree *tree, char *drep)
3194 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3195 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3197 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3198 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3200 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3201 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3202 "AUTHENTICATOR: credential", -1);
3204 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3205 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3206 "AUTHENTICATOR: return_authenticator", -1);
3208 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3209 hf_netlogon_database_id, NULL);
3211 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3212 hf_netlogon_sync_context, NULL);
3214 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3215 hf_netlogon_max_size, NULL);
3222 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3223 packet_info *pinfo, proto_tree *tree, char *drep)
3225 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3226 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3227 "AUTHENTICATOR: return_authenticator", -1);
3229 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3230 hf_netlogon_sync_context, NULL);
3232 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3233 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3234 "DELTA_ENUM_ARRAY: deltas", -1);
3236 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3237 hf_netlogon_rc, NULL);
3243 * IDL typedef struct {
3244 * IDL char computer_name[16];
3245 * IDL long timecreated;
3246 * IDL long serial_number;
3250 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3251 packet_info *pinfo, proto_tree *tree,
3256 di=pinfo->private_data;
3257 if(di->conformant_run){
3258 /*just a run to handle conformant arrays, nothing to dissect */
3262 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3265 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3269 hf_netlogon_serial_number, NULL);
3276 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3277 packet_info *pinfo, proto_tree *tree,
3280 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3281 hf_netlogon_unknown_char, NULL);
3287 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3288 packet_info *pinfo, proto_tree *tree,
3291 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3292 netlogon_dissect_BYTE_byte);
3298 * IDL long NetAccountDelta(
3299 * IDL [in][string][unique] wchar_t *logonserver,
3300 * IDL [in][string][ref] wchar_t *computername,
3301 * IDL [in][ref] AUTHENTICATOR credential,
3302 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3303 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3304 * IDL [out][ref] long count_returned,
3305 * IDL [out][ref] long total_entries,
3306 * IDL [in][out][ref] UAS_INFO_0 recordid,
3307 * IDL [in][long] count,
3308 * IDL [in][long] level,
3309 * IDL [in][long] buffersize,
3313 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
3314 packet_info *pinfo, proto_tree *tree, char *drep)
3316 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3319 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3320 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3322 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3323 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3324 "AUTHENTICATOR: credential", -1);
3326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3327 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3328 "AUTHENTICATOR: return_authenticator", -1);
3330 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3331 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3332 "UAS_INFO_0: RecordID", -1);
3334 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3335 hf_netlogon_count, NULL);
3337 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3338 hf_netlogon_level, NULL);
3340 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3341 hf_netlogon_max_size, NULL);
3346 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
3347 packet_info *pinfo, proto_tree *tree, char *drep)
3349 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3350 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3351 "AUTHENTICATOR: return_authenticator", -1);
3353 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3354 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3355 "BYTE_array: Buffer", -1);
3357 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3358 hf_netlogon_count, NULL);
3360 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3361 hf_netlogon_entries, NULL);
3363 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3364 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3365 "UAS_INFO_0: RecordID", -1);
3367 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3368 hf_netlogon_rc, NULL);
3375 * IDL long NetAccountDelta(
3376 * IDL [in][string][unique] wchar_t *logonserver,
3377 * IDL [in][string][ref] wchar_t *computername,
3378 * IDL [in][ref] AUTHENTICATOR credential,
3379 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3380 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3381 * IDL [out][ref] long count_returned,
3382 * IDL [out][ref] long total_entries,
3383 * IDL [out][ref] long next_reference,
3384 * IDL [in][long] reference,
3385 * IDL [in][long] level,
3386 * IDL [in][long] buffersize,
3387 * IDL [in][out][ref] UAS_INFO_0 recordid,
3391 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
3392 packet_info *pinfo, proto_tree *tree, char *drep)
3394 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3397 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3398 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3400 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3401 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3402 "AUTHENTICATOR: credential", -1);
3404 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3405 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3406 "AUTHENTICATOR: return_authenticator", -1);
3408 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3409 hf_netlogon_reference, NULL);
3411 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3412 hf_netlogon_level, NULL);
3414 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3415 hf_netlogon_max_size, NULL);
3420 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
3421 packet_info *pinfo, proto_tree *tree, char *drep)
3423 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3424 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3425 "AUTHENTICATOR: return_authenticator", -1);
3427 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3428 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3429 "BYTE_array: Buffer", -1);
3431 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3432 hf_netlogon_count, NULL);
3434 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3435 hf_netlogon_entries, NULL);
3437 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3438 hf_netlogon_next_reference, NULL);
3440 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3441 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3442 "UAS_INFO_0: RecordID", -1);
3444 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3445 hf_netlogon_rc, NULL);
3452 * IDL long NetGetDCName(
3453 * IDL [in][ref][string] wchar_t *logon_server,
3454 * IDL [in][unique][string] wchar_t *domainname,
3455 * IDL [out][unique][string] wchar_t *dcname,
3459 netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
3460 packet_info *pinfo, proto_tree *tree, char *drep)
3462 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3463 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3465 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3466 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3471 netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
3472 packet_info *pinfo, proto_tree *tree, char *drep)
3474 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3475 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3477 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3478 hf_netlogon_rc, NULL);
3486 * IDL typedef struct {
3488 * IDL long pdc_connection_status;
3489 * IDL } NETLOGON_INFO_1;
3492 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3493 packet_info *pinfo, proto_tree *tree,
3496 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3497 hf_netlogon_flags, NULL);
3499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3500 hf_netlogon_pdc_connection_status, NULL);
3507 * IDL typedef struct {
3509 * IDL long pdc_connection_status;
3510 * IDL [unique][string] wchar_t trusted_dc_name;
3511 * IDL long tc_connection_status;
3512 * IDL } NETLOGON_INFO_2;
3515 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3516 packet_info *pinfo, proto_tree *tree,
3519 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3520 hf_netlogon_flags, NULL);
3522 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3523 hf_netlogon_pdc_connection_status, NULL);
3525 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3526 NDR_POINTER_UNIQUE, "Trusted DC Name",
3527 hf_netlogon_trusted_dc_name, 0);
3529 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3530 hf_netlogon_tc_connection_status, NULL);
3537 * IDL typedef struct {
3539 * IDL long logon_attempts;
3540 * IDL long reserved;
3541 * IDL long reserved;
3542 * IDL long reserved;
3543 * IDL long reserved;
3544 * IDL long reserved;
3545 * IDL } NETLOGON_INFO_3;
3548 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3549 packet_info *pinfo, proto_tree *tree,
3552 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3553 hf_netlogon_flags, NULL);
3555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3556 hf_netlogon_logon_attempts, NULL);
3558 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3559 hf_netlogon_reserved, NULL);
3561 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3562 hf_netlogon_reserved, NULL);
3564 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3565 hf_netlogon_reserved, NULL);
3567 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3568 hf_netlogon_reserved, NULL);
3570 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3571 hf_netlogon_reserved, NULL);
3578 * IDL typedef [switch_type(long)] union {
3579 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3580 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3581 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3582 * IDL } CONTROL_QUERY_INFORMATION;
3585 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3586 packet_info *pinfo, proto_tree *tree,
3591 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3592 hf_netlogon_level, &level);
3597 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3598 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3599 "NETLOGON_INFO_1:", -1);
3602 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3603 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3604 "NETLOGON_INFO_2:", -1);
3607 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3608 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3609 "NETLOGON_INFO_3:", -1);
3618 * IDL long NetLogonControl(
3619 * IDL [in][string][unique] wchar_t *logonserver,
3620 * IDL [in] long function_code,
3621 * IDL [in] long level,
3622 * IDL [out][ref] CONTROL_QUERY_INFORMATION
3626 netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3627 packet_info *pinfo, proto_tree *tree, char *drep)
3629 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3632 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3633 hf_netlogon_code, NULL);
3635 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3636 hf_netlogon_level, NULL);
3641 netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
3642 packet_info *pinfo, proto_tree *tree, char *drep)
3644 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3645 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3646 "CONTROL_QUERY_INFORMATION:", -1);
3648 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3649 hf_netlogon_rc, NULL);
3656 * IDL long NetGetDCName(
3657 * IDL [in][unique][string] wchar_t *logon_server,
3658 * IDL [in][unique][string] wchar_t *domainname,
3659 * IDL [out][unique][string] wchar_t *dcname,
3663 netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
3664 packet_info *pinfo, proto_tree *tree, char *drep)
3666 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3667 NDR_POINTER_UNIQUE, "Server Handle",
3668 hf_netlogon_logonsrv_handle, 0);
3670 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3671 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3676 netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
3677 packet_info *pinfo, proto_tree *tree, char *drep)
3679 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3680 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3682 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3683 hf_netlogon_rc, NULL);
3690 * IDL typedef [switch_type(long)] union {
3691 * IDL [case(5)] [unique][string] wchar_t *unknown;
3692 * IDL [case(6)] [unique][string] wchar_t *unknown;
3693 * IDL [case(0xfffe)] long unknown;
3694 * IDL [case(7)] [unique][string] wchar_t *unknown;
3695 * IDL } CONTROL_DATA_INFORMATION;
3698 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3699 * to look like. However NetMon does not recognize any such informationlevels.
3701 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
3702 * until someone has any source of better authority to call upon.
3705 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3706 packet_info *pinfo, proto_tree *tree,
3711 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3712 hf_netlogon_level, &level);
3717 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3718 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3719 hf_netlogon_unknown_string, 0);
3722 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3723 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3724 hf_netlogon_unknown_string, 0);
3727 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3728 hf_netlogon_unknown_long, NULL);
3731 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3732 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3733 hf_netlogon_unknown_string, 0);
3742 * IDL long NetLogonControl2(
3743 * IDL [in][string][unique] wchar_t *logonserver,
3744 * IDL [in] long function_code,
3745 * IDL [in] long level,
3746 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3747 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3751 netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3752 packet_info *pinfo, proto_tree *tree, char *drep)
3754 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3757 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3758 hf_netlogon_code, NULL);
3760 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3761 hf_netlogon_level, NULL);
3763 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3764 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3765 "CONTROL_DATA_INFORMATION: ", -1);
3771 netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3772 packet_info *pinfo, proto_tree *tree, char *drep)
3774 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3775 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3776 "CONTROL_QUERY_INFORMATION:", -1);
3778 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3779 hf_netlogon_rc, NULL);
3786 * IDL long NetServerAuthenticate2(
3787 * IDL [in][string][unique] wchar_t *logonserver,
3788 * IDL [in][ref][string] wchar_t *username,
3789 * IDL [in] short secure_channel_type,
3790 * IDL [in][ref][string] wchar_t *computername,
3791 * IDL [in][ref] CREDENTIAL *client_chal,
3792 * IDL [out][ref] CREDENTIAL *server_chal,
3793 * IDL [in][out][ref] long *negotiate_flags,
3797 netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3798 packet_info *pinfo, proto_tree *tree, char *drep)
3800 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3803 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3804 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
3806 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3809 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3810 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3812 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3813 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3814 "CREDENTIAL: client_chal", -1);
3816 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3817 hf_netlogon_neg_flags, NULL);
3823 netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3824 packet_info *pinfo, proto_tree *tree, char *drep)
3826 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3827 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3828 "CREDENTIAL: server_chal", -1);
3830 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3831 hf_netlogon_neg_flags, NULL);
3833 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3834 hf_netlogon_rc, NULL);
3841 * IDL long NetDatabaseSync2(
3842 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3843 * IDL [in][string][ref] wchar_t *computername,
3844 * IDL [in][ref] AUTHENTICATOR credential,
3845 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3846 * IDL [in] long database_id,
3847 * IDL [in] short restart_state,
3848 * IDL [in][out][ref] long *sync_context,
3849 * IDL [in] long preferredmaximumlength,
3850 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3854 netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
3855 packet_info *pinfo, proto_tree *tree, char *drep)
3857 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3858 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3860 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3861 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3863 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3864 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3865 "AUTHENTICATOR: credential", -1);
3867 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3868 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3869 "AUTHENTICATOR: return_authenticator", -1);
3871 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3872 hf_netlogon_database_id, NULL);
3874 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3875 hf_netlogon_restart_state, NULL);
3877 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3878 hf_netlogon_sync_context, NULL);
3880 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3881 hf_netlogon_max_size, NULL);
3887 netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
3888 packet_info *pinfo, proto_tree *tree, char *drep)
3890 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3891 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3892 "AUTHENTICATOR: return_authenticator", -1);
3894 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3895 hf_netlogon_sync_context, NULL);
3897 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3898 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3899 "DELTA_ENUM_ARRAY: deltas", -1);
3901 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3902 hf_netlogon_rc, NULL);
3909 * IDL long NetDatabaseRedo(
3910 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3911 * IDL [in][string][ref] wchar_t *computername,
3912 * IDL [in][ref] AUTHENTICATOR credential,
3913 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3914 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3915 * IDL [in] long change_log_entry_size,
3916 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3920 netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
3921 packet_info *pinfo, proto_tree *tree, char *drep)
3923 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3924 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3926 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3927 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3929 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3930 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3931 "AUTHENTICATOR: credential", -1);
3933 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3934 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3935 "AUTHENTICATOR: return_authenticator", -1);
3937 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3938 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3939 "Change log entry: ", -1);
3941 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3942 hf_netlogon_max_log_size, NULL);
3948 netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
3949 packet_info *pinfo, proto_tree *tree, char *drep)
3951 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3952 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3953 "AUTHENTICATOR: return_authenticator", -1);
3955 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3956 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3957 "DELTA_ENUM_ARRAY: deltas", -1);
3959 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3960 hf_netlogon_rc, NULL);
3966 /* XXX NetMon does not recognize this as a valid function. Muddle however
3967 * tells us what parameters it takes but not their names.
3968 * It looks similar to logoncontrol2. perhaps it is logoncontrol3?
3971 * IDL long NetFunction_12(
3972 * IDL [in][string][unique] wchar_t *logonserver,
3973 * IDL [in] long function_code,
3974 * IDL [in] long level,
3975 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3976 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3980 netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
3981 packet_info *pinfo, proto_tree *tree, char *drep)
3983 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3986 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3987 hf_netlogon_code, NULL);
3989 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3990 hf_netlogon_level, NULL);
3992 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3993 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3994 "CONTROL_DATA_INFORMATION: ", -1);
3999 netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
4000 packet_info *pinfo, proto_tree *tree, char *drep)
4002 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4003 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4004 "CONTROL_QUERY_INFORMATION:", -1);
4006 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4007 hf_netlogon_rc, NULL);
4016 /* Updated above this line */
4018 static const value_string trust_type_vals[] = {
4026 #define DS_INET_ADDRESS 1
4027 #define DS_NETBIOS_ADDRESS 2
4028 static const value_string dc_address_types[] = {
4029 { DS_INET_ADDRESS, "IP/DNS name" },
4030 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
4035 #define DS_DOMAIN_IN_FOREST 0x0001
4036 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4037 #define DS_DOMAIN_TREE_ROOT 0x0004
4038 #define DS_DOMAIN_PRIMARY 0x0008
4039 #define DS_DOMAIN_NATIVE_MODE 0x0010
4040 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
4041 static const true_false_string trust_inbound = {
4042 "There is a DIRECT INBOUND trust for the servers domain",
4043 "There is NO direct inbound trust for the servers domain"
4045 static const true_false_string trust_outbound = {
4046 "There is a DIRECT OUTBOUND trust for this domain",
4047 "There is NO direct outbound trust for this domain"
4049 static const true_false_string trust_in_forest = {
4050 "The domain is a member IN the same FOREST as the queried server",
4051 "The domain is NOT a member of the queried servers domain"
4053 static const true_false_string trust_native_mode = {
4054 "The primary domain is a NATIVE MODE w2k domain",
4055 "The primary is NOT a native mode w2k domain"
4057 static const true_false_string trust_primary = {
4058 "The domain is the PRIMARY domain of the queried server",
4059 "The domain is NOT the primary domain of the queried server"
4061 static const true_false_string trust_tree_root = {
4062 "The domain is the ROOT of a domain TREE",
4063 "The domain is NOT a root of a domain tree"
4066 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4067 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4070 proto_item *item = NULL;
4071 proto_tree *tree = NULL;
4074 di=pinfo->private_data;
4075 if(di->conformant_run){
4076 /*just a run to handle conformant arrays, nothing to dissect */
4080 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4081 hf_netlogon_trust_flags, &mask);
4084 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4085 tvb, offset-4, 4, mask);
4086 tree = proto_item_add_subtree(item, ett_trust_flags);
4089 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4090 tvb, offset-4, 4, mask);
4091 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4092 tvb, offset-4, 4, mask);
4093 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4094 tvb, offset-4, 4, mask);
4095 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4096 tvb, offset-4, 4, mask);
4097 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4098 tvb, offset-4, 4, mask);
4099 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4100 tvb, offset-4, 4, mask);
4106 #define DS_FORCE_REDISCOVERY 0x00000001
4107 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
4108 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
4109 #define DS_GC_SERVER_REQUIRED 0x00000040
4110 #define DS_PDC_REQUIRED 0x00000080
4111 #define DS_BACKGROUND_ONLY 0x00000100
4112 #define DS_IP_REQUIRED 0x00000200
4113 #define DS_KDC_REQUIRED 0x00000400
4114 #define DS_TIMESERV_REQUIRED 0x00000800
4115 #define DS_WRITABLE_REQUIRED 0x00001000
4116 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
4117 #define DS_AVOID_SELF 0x00004000
4118 #define DS_ONLY_LDAP_NEEDED 0x00008000
4119 #define DS_IS_FLAT_NAME 0x00010000
4120 #define DS_IS_DNS_NAME 0x00020000
4121 #define DS_RETURN_DNS_NAME 0x40000000
4122 #define DS_RETURN_FLAT_NAME 0x80000000
4123 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4124 "FORCE REDISCOVERY of any cached data",
4125 "You may return cached data"
4127 static const true_false_string get_dcname_request_flags_directory_service_required = {
4128 "DIRECRTORY SERVICE is REQUIRED on the server",
4129 "We do NOT require directory service servers"
4131 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4132 "DIRECTORY SERVICE servers are PREFERRED",
4133 "We do NOT have a preference for directory service servers"
4135 static const true_false_string get_dcname_request_flags_gc_server_required = {
4136 "GC SERVER is REQUIRED",
4137 "gc server is NOT required"
4139 static const true_false_string get_dcname_request_flags_pdc_required = {
4140 "PDC SERVER is REQUIRED",
4141 "pdc server is NOT required"
4143 static const true_false_string get_dcname_request_flags_background_only = {
4144 "Only returned cahced data, even if it has expired",
4145 "Return cached data unless it has expired"
4147 static const true_false_string get_dcname_request_flags_ip_required = {
4148 "IP address is REQUIRED",
4149 "ip address is NOT required"
4151 static const true_false_string get_dcname_request_flags_kdc_required = {
4152 "KDC server is REQUIRED",
4153 "kdc server is NOT required"
4155 static const true_false_string get_dcname_request_flags_timeserv_required = {
4156 "TIMESERV service is REQUIRED",
4157 "timeserv service is NOT required"
4159 static const true_false_string get_dcname_request_flags_writable_required = {
4160 "the requrned dc MUST be WRITEABLE",
4161 "a read-only dc may be returned"
4163 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4164 "GOOD TIMESERV servers are PREFERRED",
4165 "we do NOT have a preference for good timeserv servers"
4167 static const true_false_string get_dcname_request_flags_avoid_self = {
4168 "do NOT return self as dc, return someone else",
4169 "you may return yourSELF as the dc"
4171 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4172 "we ONLY NEED LDAP, you dont have to return a dc",
4173 "we need a normal dc, an ldap only server will not do"
4175 static const true_false_string get_dcname_request_flags_is_flat_name = {
4176 "the name we specify is a NetBIOS name",
4177 "the name we specify is NOT a NetBIOS name"
4179 static const true_false_string get_dcname_request_flags_is_dns_name = {
4180 "the name we specify is a DNS name",
4181 "ther name we specify is NOT a dns name"
4183 static const true_false_string get_dcname_request_flags_return_dns_name = {
4184 "return a DNS name",
4185 "you may return a NON-dns name"
4187 static const true_false_string get_dcname_request_flags_return_flat_name = {
4188 "return a NetBIOS name",
4189 "you may return a NON-NetBIOS name"
4192 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4193 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4196 proto_item *item = NULL;
4197 proto_tree *tree = NULL;
4200 di=pinfo->private_data;
4201 if(di->conformant_run){
4202 /*just a run to handle conformant arrays, nothing to dissect */
4206 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4207 hf_netlogon_get_dcname_request_flags, &mask);
4210 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4211 tvb, offset-4, 4, mask);
4212 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4215 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4216 tvb, offset-4, 4, mask);
4217 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4218 tvb, offset-4, 4, mask);
4219 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4220 tvb, offset-4, 4, mask);
4221 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4222 tvb, offset-4, 4, mask);
4223 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4224 tvb, offset-4, 4, mask);
4225 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4226 tvb, offset-4, 4, mask);
4227 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4228 tvb, offset-4, 4, mask);
4229 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4230 tvb, offset-4, 4, mask);
4231 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4232 tvb, offset-4, 4, mask);
4233 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4234 tvb, offset-4, 4, mask);
4235 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4236 tvb, offset-4, 4, mask);
4237 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4238 tvb, offset-4, 4, mask);
4239 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4240 tvb, offset-4, 4, mask);
4241 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4242 tvb, offset-4, 4, mask);
4243 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4244 tvb, offset-4, 4, mask);
4245 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4246 tvb, offset-4, 4, mask);
4247 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4248 tvb, offset-4, 4, mask);
4255 #define DS_PDC_FLAG 0x00000001
4256 #define DS_GC_FLAG 0x00000004
4257 #define DS_LDAP_FLAG 0x00000008
4258 #define DS_DS_FLAG 0x00000010
4259 #define DS_KDC_FLAG 0x00000020
4260 #define DS_TIMESERV_FLAG 0x00000040
4261 #define DS_CLOSEST_FLAG 0x00000080
4262 #define DS_WRITABLE_FLAG 0x00000100
4263 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4264 #define DS_NDNC_FLAG 0x00000400
4265 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4266 #define DS_DNS_DOMAIN_FLAG 0x40000000
4267 #define DS_DNS_FOREST_FLAG 0x80000000
4268 static const true_false_string dc_flags_pdc_flag = {
4269 "this is the PDC of the domain",
4270 "this is NOT the pdc of the domain"
4272 static const true_false_string dc_flags_gc_flag = {
4273 "this is the GC of the forest",
4274 "this is NOT the gc of the forest"
4276 static const true_false_string dc_flags_ldap_flag = {
4277 "this is an LDAP server",
4278 "this is NOT an ldap server"
4280 static const true_false_string dc_flags_ds_flag = {
4281 "this is a DS server",
4282 "this is NOT a ds server"
4284 static const true_false_string dc_flags_kdc_flag = {
4285 "this is a KDC server",
4286 "this is NOT a kdc server"
4288 static const true_false_string dc_flags_timeserv_flag = {
4289 "this is a TIMESERV server",
4290 "this is NOT a timeserv server"
4292 static const true_false_string dc_flags_closest_flag = {
4293 "this is the CLOSEST server",
4294 "this is NOT the closest server"
4296 static const true_false_string dc_flags_writable_flag = {
4297 "this server has a WRITABLE ds database",
4298 "this server has a READ-ONLY ds database"
4300 static const true_false_string dc_flags_good_timeserv_flag = {
4301 "this server is a GOOD TIMESERV server",
4302 "this is NOT a good timeserv server"
4304 static const true_false_string dc_flags_ndnc_flag = {
4308 static const true_false_string dc_flags_dns_controller_flag = {
4309 "DomainControllerName is a DNS name",
4310 "DomainControllerName is NOT a dns name"
4312 static const true_false_string dc_flags_dns_domain_flag = {
4313 "DomainName is a DNS name",
4314 "DomainName is NOT a dns name"
4316 static const true_false_string dc_flags_dns_forest_flag = {
4317 "DnsForestName is a DNS name",
4318 "DnsForestName is NOT a dns name"
4321 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4322 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4325 proto_item *item = NULL;
4326 proto_tree *tree = NULL;
4329 di=pinfo->private_data;
4330 if(di->conformant_run){
4331 /*just a run to handle conformant arrays, nothing to dissect */
4335 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4336 hf_netlogon_dc_flags, &mask);
4339 item = proto_tree_add_uint_format(parent_tree, hf_netlogon_dc_flags,
4340 tvb, offset-4, 4, mask, "Domain Controller Flags: 0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4341 tree = proto_item_add_subtree(item, ett_dc_flags);
4344 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4345 tvb, offset-4, 4, mask);
4346 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4347 tvb, offset-4, 4, mask);
4348 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4349 tvb, offset-4, 4, mask);
4350 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4351 tvb, offset-4, 4, mask);
4352 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4353 tvb, offset-4, 4, mask);
4354 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4355 tvb, offset-4, 4, mask);
4356 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4357 tvb, offset-4, 4, mask);
4358 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4359 tvb, offset-4, 4, mask);
4360 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4361 tvb, offset-4, 4, mask);
4362 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4363 tvb, offset-4, 4, mask);
4364 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4365 tvb, offset-4, 4, mask);
4366 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4367 tvb, offset-4, 4, mask);
4368 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4369 tvb, offset-4, 4, mask);
4377 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4378 packet_info *pinfo, proto_tree *tree,
4383 di=pinfo->private_data;
4384 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4385 di->hf_index, NULL);
4390 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4391 packet_info *pinfo, proto_tree *tree,
4396 di=pinfo->private_data;
4397 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4398 di->hf_index, NULL);
4403 netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
4404 packet_info *pinfo, proto_tree *parent_tree,
4405 char *drep, int type, int hf_index, dcerpc_callback_fnct_t *callback)
4407 proto_item *item=NULL;
4408 proto_tree *tree=NULL;
4409 int old_offset=offset;
4413 di=pinfo->private_data;
4414 if(di->conformant_run){
4415 /*just a run to handle conformant arrays, nothing to dissect */
4419 name = proto_registrar_get_name(hf_index);
4421 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4423 tree = proto_item_add_subtree(item, ett_nt_unicode_string);
4426 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
4427 dissect_ndr_wchar_cvstring, type,
4428 name, hf_index, callback, NULL);
4430 proto_item_set_len(item, offset-old_offset);
4436 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4437 packet_info *pinfo, proto_tree *tree,
4440 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4441 hf_netlogon_unknown_char, NULL);
4447 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4448 packet_info *pinfo, proto_tree *tree,
4451 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4452 netlogon_dissect_UNICODE_MULTI_byte);
4458 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4459 packet_info *pinfo, proto_tree *parent_tree,
4462 proto_item *item=NULL;
4463 proto_tree *tree=NULL;
4464 int old_offset=offset;
4467 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4469 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4472 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4473 hf_netlogon_len, NULL);
4475 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4476 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4477 "unknown", hf_netlogon_unknown_string);
4479 proto_item_set_len(item, offset-old_offset);
4484 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4485 packet_info *pinfo, proto_tree *tree,
4488 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
4494 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4495 packet_info *pinfo, proto_tree *parent_tree,
4498 proto_item *item=NULL;
4499 proto_tree *tree=NULL;
4500 int old_offset=offset;
4503 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4504 "DOMAIN_CONTROLLER_INFO:");
4505 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4508 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4509 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
4511 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4512 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
4514 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4515 hf_netlogon_dc_address_type, NULL);
4517 offset = dissect_nt_GUID(tvb, offset,
4520 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4521 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
4523 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4524 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
4526 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
4528 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4529 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
4531 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4532 NDR_POINTER_UNIQUE, "Client Site",
4533 hf_netlogon_client_site_name, 0);
4535 proto_item_set_len(item, offset-old_offset);
4540 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4541 packet_info *pinfo, proto_tree *tree,
4547 di=pinfo->private_data;
4548 if(di->conformant_run){
4549 /*just a run to handle conformant arrays, nothing to dissect.*/
4553 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4554 hf_netlogon_blob_size, &len);
4556 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
4564 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4565 packet_info *pinfo, proto_tree *parent_tree,
4568 proto_item *item=NULL;
4569 proto_tree *tree=NULL;
4572 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4574 tree = proto_item_add_subtree(item, ett_BLOB);
4577 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4578 hf_netlogon_blob_size, NULL);
4580 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4581 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
4588 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4589 packet_info *pinfo, proto_tree *parent_tree,
4592 proto_item *item=NULL;
4593 proto_tree *tree=NULL;
4594 int old_offset=offset;
4597 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4598 "DOMAIN_TRUST_INFO:");
4599 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
4603 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4605 /* Guesses at best. */
4606 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4607 hf_netlogon_unknown_string, 0);
4609 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4610 hf_netlogon_unknown_string, 0);
4612 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4613 hf_netlogon_unknown_string, 0);
4615 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4616 hf_netlogon_unknown_string, 0);
4618 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4619 hf_netlogon_unknown_long, NULL);
4621 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4622 hf_netlogon_unknown_long, NULL);
4624 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4625 hf_netlogon_unknown_long, NULL);
4627 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4628 hf_netlogon_unknown_long, NULL);
4630 proto_item_set_len(item, offset-old_offset);
4635 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
4636 packet_info *pinfo, proto_tree *tree,
4639 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4640 netlogon_dissect_DOMAIN_TRUST_INFO);
4646 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4647 packet_info *pinfo, proto_tree *tree,
4650 offset = netlogon_dissect_BLOB(tvb, offset,
4653 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4654 NDR_POINTER_UNIQUE, "Workstation FQDN",
4655 hf_netlogon_workstation_fqdn, 0);
4657 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4658 NDR_POINTER_UNIQUE, "Workstation Site",
4659 hf_netlogon_workstation_site_name, 0);
4661 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4662 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4664 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4665 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4667 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4668 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4670 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4671 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4673 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4674 hf_netlogon_unknown_string, 0);
4676 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4677 hf_netlogon_workstation_os, 0);
4679 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4680 hf_netlogon_unknown_string, 0);
4682 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4683 hf_netlogon_unknown_string, 0);
4685 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4686 hf_netlogon_unknown_long, NULL);
4688 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4689 hf_netlogon_unknown_long, NULL);
4691 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4692 hf_netlogon_unknown_long, NULL);
4694 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4695 hf_netlogon_unknown_long, NULL);
4701 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
4702 packet_info *pinfo, proto_tree *tree,
4705 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
4707 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4708 hf_netlogon_num_trusts, NULL);
4710 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4711 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4712 "DOMAIN_TRUST_ARRAY: Trusts", -1);
4714 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4715 hf_netlogon_num_trusts, NULL);
4717 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4718 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4719 "DOMAIN_TRUST_ARRAY:", -1);
4721 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4722 hf_netlogon_dns_domain_name, 0);
4724 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4725 hf_netlogon_unknown_string, 0);
4727 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4728 hf_netlogon_unknown_string, 0);
4730 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4731 hf_netlogon_unknown_string, 0);
4733 /* These four integers appear to mirror the last four in the query. */
4734 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4735 hf_netlogon_unknown_long, NULL);
4737 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4738 hf_netlogon_unknown_long, NULL);
4740 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4741 hf_netlogon_unknown_long, NULL);
4743 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4744 hf_netlogon_unknown_long, NULL);
4751 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4752 packet_info *pinfo, proto_tree *tree,
4757 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4758 hf_netlogon_level, &level);
4763 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4764 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
4765 "DOMAIN_INFO_1:", -1);
4773 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4774 packet_info *pinfo, proto_tree *parent_tree,
4777 proto_item *item=NULL;
4778 proto_tree *tree=NULL;
4779 int old_offset=offset;
4783 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4784 "UNICODE_STRING_512:");
4785 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4789 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4790 hf_netlogon_unknown_short, NULL);
4793 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4794 hf_netlogon_unknown_long, NULL);
4796 proto_item_set_len(item, offset-old_offset);
4801 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4802 packet_info *pinfo, proto_tree *tree,
4805 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4806 hf_netlogon_unknown_char, NULL);
4812 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4813 packet_info *pinfo, proto_tree *tree,
4816 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4817 netlogon_dissect_element_844_byte);
4823 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4824 packet_info *pinfo, proto_tree *parent_tree,
4827 proto_item *item=NULL;
4828 proto_tree *tree=NULL;
4829 int old_offset=offset;
4832 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4834 tree = proto_item_add_subtree(item, ett_TYPE_50);
4837 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4838 hf_netlogon_unknown_long, NULL);
4840 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4841 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4842 "unknown", hf_netlogon_unknown_string);
4844 proto_item_set_len(item, offset-old_offset);
4849 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4850 packet_info *pinfo, proto_tree *tree,
4853 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4854 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4855 "TYPE_50 pointer: unknown_TYPE_50", -1);
4861 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
4862 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4865 proto_item *item=NULL;
4866 proto_tree *tree=NULL;
4867 int old_offset=offset;
4870 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4871 "DS_DOMAIN_TRUSTS");
4872 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
4876 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4877 NDR_POINTER_UNIQUE, "NetBIOS Name",
4878 hf_netlogon_downlevel_domain_name, 0);
4881 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4882 NDR_POINTER_UNIQUE, "DNS Domain Name",
4883 hf_netlogon_dns_domain_name, 0);
4885 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
4887 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4888 hf_netlogon_trust_parent_index, &tmp);
4890 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4891 hf_netlogon_trust_type, &tmp);
4893 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4894 hf_netlogon_trust_attribs, &tmp);
4897 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4900 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
4902 proto_item_set_len(item, offset-old_offset);
4907 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
4908 packet_info *pinfo, proto_tree *tree,
4911 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4912 netlogon_dissect_DS_DOMAIN_TRUSTS);
4918 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4919 packet_info *pinfo, proto_tree *tree,
4922 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4923 hf_netlogon_unknown_char, NULL);
4929 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4930 packet_info *pinfo, proto_tree *tree,
4933 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4934 netlogon_dissect_element_865_byte);
4940 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4941 packet_info *pinfo, proto_tree *tree,
4944 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4945 hf_netlogon_unknown_char, NULL);
4951 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4952 packet_info *pinfo, proto_tree *tree,
4955 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4956 netlogon_dissect_element_866_byte);
4962 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4963 packet_info *pinfo, proto_tree *parent_tree,
4966 proto_item *item=NULL;
4967 proto_tree *tree=NULL;
4968 int old_offset=offset;
4971 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4973 tree = proto_item_add_subtree(item, ett_TYPE_52);
4976 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4977 hf_netlogon_unknown_long, NULL);
4979 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4980 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
4981 "unknown", hf_netlogon_unknown_string);
4983 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4984 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
4985 "unknown", hf_netlogon_unknown_string);
4987 proto_item_set_len(item, offset-old_offset);
4992 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
4993 packet_info *pinfo, proto_tree *tree,
4996 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4997 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
4998 "TYPE_52 pointer: unknown_TYPE_52", -1);
5004 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5005 packet_info *pinfo, proto_tree *parent_tree,
5008 proto_item *item=NULL;
5009 proto_tree *tree=NULL;
5010 int old_offset=offset;
5014 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5016 tree = proto_item_add_subtree(item, ett_TYPE_44);
5019 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5020 hf_netlogon_level, &level);
5025 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5026 hf_netlogon_unknown_long, NULL);
5030 proto_item_set_len(item, offset-old_offset);
5035 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5036 packet_info *pinfo, proto_tree *tree,
5041 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5042 hf_netlogon_level, &level);
5047 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5048 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5049 "DOMAIN_QUERY_1:", -1);
5052 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5053 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5054 "DOMAIN_QUERY_1:", -1);
5062 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
5063 packet_info *pinfo, proto_tree *tree, char *drep)
5065 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5073 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
5074 packet_info *pinfo, proto_tree *tree, char *drep)
5076 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5077 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5078 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5080 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5081 hf_netlogon_rc, NULL);
5087 netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
5088 packet_info *pinfo, proto_tree *tree, char *drep)
5090 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5093 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5094 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5096 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5097 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5098 "GUID pointer: domain_guid", -1);
5100 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5101 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5102 "GUID pointer: site_guid", -1);
5104 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5105 hf_netlogon_flags, NULL);
5112 netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
5113 packet_info *pinfo, proto_tree *tree, char *drep)
5115 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5116 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5117 "DOMAIN_CONTROLLER_INFO:", -1);
5119 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5120 hf_netlogon_rc, NULL);
5126 netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
5127 packet_info *pinfo, proto_tree *tree, char *drep)
5129 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5132 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5133 NDR_POINTER_UNIQUE, "unknown string",
5134 hf_netlogon_unknown_string, 0);
5136 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5137 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5138 "AUTHENTICATOR: credential", -1);
5140 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5141 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5142 "AUTHENTICATOR: return_authenticator", -1);
5144 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5145 hf_netlogon_unknown_long, NULL);
5152 netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
5153 packet_info *pinfo, proto_tree *tree, char *drep)
5155 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5156 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5157 "AUTHENTICATOR: return_authenticator", -1);
5159 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5160 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5161 "TYPE_44 pointer: unknown_TYPE_44", -1);
5163 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5164 hf_netlogon_rc, NULL);
5170 netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
5171 packet_info *pinfo, proto_tree *tree, char *drep)
5173 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5176 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5177 hf_netlogon_unknown_long, NULL);
5179 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5180 hf_netlogon_unknown_long, NULL);
5187 netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
5188 packet_info *pinfo, proto_tree *tree, char *drep)
5190 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5191 hf_netlogon_rc, NULL);
5197 netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
5198 packet_info *pinfo, proto_tree *tree, char *drep)
5200 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5203 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5204 NDR_POINTER_UNIQUE, "unknown string",
5205 hf_netlogon_unknown_string, 0);
5212 netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
5213 packet_info *pinfo, proto_tree *tree, char *drep)
5215 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5216 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5217 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5219 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5220 hf_netlogon_rc, NULL);
5226 netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
5227 packet_info *pinfo, proto_tree *tree, char *drep)
5229 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5232 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5233 hf_netlogon_unknown_long, NULL);
5235 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5236 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5237 "BYTE pointer: unknown_BYTE", -1);
5239 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5240 hf_netlogon_unknown_long, NULL);
5246 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5247 packet_info *pinfo, proto_tree *tree, char *drep)
5252 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5253 hf_netlogon_unknown_char, NULL);
5260 netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
5261 packet_info *pinfo, proto_tree *tree, char *drep)
5263 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5264 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5265 "BYTE pointer: unknown_BYTE", -1);
5267 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5268 hf_netlogon_rc, NULL);
5274 netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
5275 packet_info *pinfo, proto_tree *tree, char *drep)
5277 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5280 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5281 NDR_POINTER_UNIQUE, "unknown string",
5282 hf_netlogon_unknown_string, 0);
5284 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5285 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5286 "BYTE pointer: unknown_BYTE", -1);
5288 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5289 hf_netlogon_unknown_long, NULL);
5296 netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
5297 packet_info *pinfo, proto_tree *tree, char *drep)
5299 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5300 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5301 "BYTE pointer: unknown_BYTE", -1);
5303 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5304 hf_netlogon_rc, NULL);
5310 netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5311 packet_info *pinfo, proto_tree *tree, char *drep)
5313 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5316 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5317 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5319 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5322 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5323 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5325 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5326 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5327 "CREDENTIAL: authenticator", -1);
5329 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5330 hf_netlogon_neg_flags, NULL);
5337 netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5338 packet_info *pinfo, proto_tree *tree, char *drep)
5340 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5341 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5342 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5344 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5345 hf_netlogon_neg_flags, NULL);
5347 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5348 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5349 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5351 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5352 hf_netlogon_rc, NULL);
5358 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5359 packet_info *pinfo, proto_tree *tree, char *drep)
5361 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5364 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5365 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5367 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5368 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5369 "GUID pointer: domain_guid", -1);
5371 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5372 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5374 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
5381 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5382 packet_info *pinfo, proto_tree *tree, char *drep)
5384 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5385 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5386 "DOMAIN_CONTROLLER_INFO:", -1);
5388 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5389 hf_netlogon_rc, NULL);
5395 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5396 packet_info *pinfo, proto_tree *tree, char *drep)
5398 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5406 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5407 packet_info *pinfo, proto_tree *tree, char *drep)
5410 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
5411 NDR_POINTER_REF, hf_netlogon_site_name, 0);
5413 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5414 hf_netlogon_rc, NULL);
5420 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5421 packet_info *pinfo, proto_tree *tree, char *drep)
5423 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5424 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5425 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5427 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5428 NDR_POINTER_UNIQUE, "Computer Name",
5429 hf_netlogon_computer_name, 0);
5431 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5432 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5433 "AUTHENTICATOR: credential", -1);
5435 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5436 hf_netlogon_unknown_long, NULL);
5438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5439 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5440 "AUTHENTICATOR: return_authenticator", -1);
5442 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5443 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5444 "DOMAIN_QUERY: ", -1);
5451 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5452 packet_info *pinfo, proto_tree *tree, char *drep)
5454 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5455 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5456 "AUTHENTICATOR: return_authenticator", -1);
5458 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5459 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5460 "DOMAIN_INFO: ", -1);
5462 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5463 hf_netlogon_rc, NULL);
5469 netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
5470 packet_info *pinfo, proto_tree *tree, char *drep)
5472 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5475 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5476 NDR_POINTER_UNIQUE, "unknown string",
5477 hf_netlogon_unknown_string, 0);
5479 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5480 hf_netlogon_unknown_short, NULL);
5482 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5483 NDR_POINTER_UNIQUE, "unknown string",
5484 hf_netlogon_unknown_string, 0);
5486 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5487 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5488 "AUTHENTICATOR: credential", -1);
5490 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
5498 netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
5499 packet_info *pinfo, proto_tree *tree, char *drep)
5501 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5502 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5503 "AUTHENTICATOR: return_authenticator", -1);
5505 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5506 hf_netlogon_rc, NULL);
5512 netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5513 packet_info *pinfo, proto_tree *tree, char *drep)
5515 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5518 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5519 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
5521 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5524 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5525 NDR_POINTER_UNIQUE, "Computer Name",
5526 hf_netlogon_computer_name, 0);
5528 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5529 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5530 "AUTHENTICATOR: credential", -1);
5537 netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5538 packet_info *pinfo, proto_tree *tree, char *drep)
5540 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5541 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5542 "AUTHENTICATOR: return_authenticator", -1);
5544 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5545 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5546 "LM_OWF_PASSWORD pointer: server_pwd", -1);
5548 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5549 hf_netlogon_rc, NULL);
5555 netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
5556 packet_info *pinfo, proto_tree *tree, char *drep)
5558 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5561 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5562 NDR_POINTER_UNIQUE, "unknown string",
5563 hf_netlogon_unknown_string, 0);
5565 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5566 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5567 "AUTHENTICATOR: credential", -1);
5569 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5570 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5571 "BYTE pointer: unknown_BYTE", -1);
5573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5574 hf_netlogon_unknown_long, NULL);
5581 netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
5582 packet_info *pinfo, proto_tree *tree, char *drep)
5584 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5585 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5586 "AUTHENTICATOR: return_authenticator", -1);
5588 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5589 hf_netlogon_rc, NULL);
5595 netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
5596 packet_info *pinfo, proto_tree *tree, char *drep)
5598 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5601 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5602 hf_netlogon_unknown_long, NULL);
5604 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5605 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5606 "BYTE pointer: unknown_BYTE", -1);
5613 netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
5614 packet_info *pinfo, proto_tree *tree, char *drep)
5616 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5617 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5618 "TYPE_50** pointer: unknown_TYPE_50", -1);
5620 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5621 hf_netlogon_rc, NULL);
5627 netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
5628 packet_info *pinfo, proto_tree *tree, char *drep)
5630 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5633 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5634 NDR_POINTER_UNIQUE, "unknown string",
5635 hf_netlogon_unknown_string, 0);
5637 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5638 hf_netlogon_unknown_long, NULL);
5640 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5641 NDR_POINTER_UNIQUE, "unknown string",
5642 hf_netlogon_unknown_string, 0);
5644 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5645 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5646 "GUID pointer: unknown_GUID", -1);
5648 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5649 NDR_POINTER_UNIQUE, "unknown string",
5650 hf_netlogon_unknown_string, 0);
5652 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5653 hf_netlogon_unknown_long, NULL);
5660 netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
5661 packet_info *pinfo, proto_tree *tree, char *drep)
5663 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5664 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5665 "DOMAIN_CONTROLLER_INFO:", -1);
5667 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5668 hf_netlogon_rc, NULL);
5674 netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
5675 packet_info *pinfo, proto_tree *tree, char *drep)
5677 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5685 netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
5686 packet_info *pinfo, proto_tree *tree, char *drep)
5688 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5689 NDR_POINTER_UNIQUE, "unknown string",
5690 hf_netlogon_unknown_string, 0);
5692 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5693 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5694 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5696 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5697 hf_netlogon_rc, NULL);
5703 netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
5704 packet_info *pinfo, proto_tree *tree, char *drep)
5706 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5713 netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
5714 packet_info *pinfo, proto_tree *tree, char *drep)
5716 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5717 hf_netlogon_entries, NULL);
5719 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5720 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5721 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5723 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5724 hf_netlogon_rc, NULL);
5730 netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
5731 packet_info *pinfo, proto_tree *tree, char *drep)
5733 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5737 hf_netlogon_unknown_long, NULL);
5739 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5740 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5741 "BYTE pointer: unknown_BYTE", -1);
5748 netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
5749 packet_info *pinfo, proto_tree *tree, char *drep)
5751 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5752 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5753 "TYPE_52 pointer: unknown_TYPE_52", -1);
5755 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5756 hf_netlogon_rc, NULL);
5763 netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
5764 packet_info *pinfo, proto_tree *tree, char *drep)
5766 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5767 NDR_POINTER_UNIQUE, "unknown string",
5768 hf_netlogon_unknown_string, 0);
5775 netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
5776 packet_info *pinfo, proto_tree *tree, char *drep)
5778 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5779 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5780 "TYPE_50** pointer: unknown_TYPE_50", -1);
5782 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5783 hf_netlogon_rc, NULL);
5789 netlogon_dissect_logonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5790 packet_info *pinfo, proto_tree *tree, char *drep)
5792 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5793 NDR_POINTER_UNIQUE, "unknown string",
5794 hf_netlogon_unknown_string, 0);
5796 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5797 NDR_POINTER_UNIQUE, "unknown string",
5798 hf_netlogon_unknown_string, 0);
5800 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5801 hf_netlogon_unknown_short, NULL);
5803 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5804 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5805 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
5807 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5808 hf_netlogon_unknown_short, NULL);
5810 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5811 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5812 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5818 netlogon_dissect_logonsamlogonex_reply(tvbuff_t *tvb, int offset,
5819 packet_info *pinfo, proto_tree *tree, char *drep)
5821 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5822 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5823 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
5825 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5826 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5827 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
5829 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5830 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5831 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5833 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5834 hf_netlogon_rc, NULL);
5841 netlogon_dissect_dsenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5842 packet_info *pinfo, proto_tree *tree, char *drep)
5844 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5847 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5854 netlogon_dissect_dsenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5855 packet_info *pinfo, proto_tree *tree, char *drep)
5857 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5858 hf_netlogon_entries, NULL);
5860 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5861 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5862 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5864 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5865 hf_netlogon_rc, NULL);
5871 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5872 packet_info *pinfo, proto_tree *tree, char *drep)
5874 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5877 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5878 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5880 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5881 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5882 "GUID pointer: domain_guid", -1);
5884 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5885 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5886 "GUID pointer: dsa_guid", -1);
5888 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5889 NDR_POINTER_UNIQUE, "dns_host", hf_netlogon_dns_host, 0);
5896 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5897 packet_info *pinfo, proto_tree *tree, char *drep)
5899 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5900 hf_netlogon_rc, NULL);
5907 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
5908 { NETLOGON_UASLOGON, "UasLogon",
5909 netlogon_dissect_netlogonuaslogon_rqst,
5910 netlogon_dissect_netlogonuaslogon_reply },
5911 { NETLOGON_UASLOGOFF, "UasLogoff",
5912 netlogon_dissect_netlogonuaslogoff_rqst,
5913 netlogon_dissect_netlogonuaslogoff_reply },
5914 { NETLOGON_NETLOGONSAMLOGON, "SamLogon",
5915 netlogon_dissect_netlogonsamlogon_rqst,
5916 netlogon_dissect_netlogonsamlogon_reply },
5917 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
5918 netlogon_dissect_netlogonsamlogoff_rqst,
5919 netlogon_dissect_netlogonsamlogoff_reply },
5920 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
5921 netlogon_dissect_netserverreqchallenge_rqst,
5922 netlogon_dissect_netserverreqchallenge_reply },
5923 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
5924 netlogon_dissect_netserverauthenticate_rqst,
5925 netlogon_dissect_netserverauthenticate_reply },
5926 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
5927 netlogon_dissect_netserverpasswordset_rqst,
5928 netlogon_dissect_netserverpasswordset_reply },
5929 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
5930 netlogon_dissect_netsamdeltas_rqst,
5931 netlogon_dissect_netsamdeltas_reply },
5932 { NETLOGON_DATABASESYNC, "DatabaseSync",
5933 netlogon_dissect_netlogondatabasesync_rqst,
5934 netlogon_dissect_netlogondatabasesync_reply },
5935 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
5936 netlogon_dissect_netlogonaccountdeltas_rqst,
5937 netlogon_dissect_netlogonaccountdeltas_reply },
5938 { NETLOGON_ACCOUNTSYNC, "AccountSync",
5939 netlogon_dissect_netlogonaccountsync_rqst,
5940 netlogon_dissect_netlogonaccountsync_reply },
5941 { NETLOGON_GETDCNAME, "GetDCName",
5942 netlogon_dissect_netlogongetdcname_rqst,
5943 netlogon_dissect_netlogongetdcname_reply },
5944 { NETLOGON_NETLOGONCONTROL, "LogonControl",
5945 netlogon_dissect_netlogoncontrol_rqst,
5946 netlogon_dissect_netlogoncontrol_reply },
5947 { NETLOGON_GETANYDCNAME, "GetAnyDCName",
5948 netlogon_dissect_netlogongetanydcname_rqst,
5949 netlogon_dissect_netlogongetanydcname_reply },
5950 { NETLOGON_NETLOGONCONTROL2, "LogonControl2",
5951 netlogon_dissect_netlogoncontrol2_rqst,
5952 netlogon_dissect_netlogoncontrol2_reply },
5953 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
5954 netlogon_dissect_netserverauthenticate2_rqst,
5955 netlogon_dissect_netserverauthenticate2_reply },
5956 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
5957 netlogon_dissect_netdatabasesync2_rqst,
5958 netlogon_dissect_netdatabasesync2_reply },
5959 { NETLOGON_DATABASEREDO, "DatabaseRedo",
5960 netlogon_dissect_netlogondatabaseredo_rqst,
5961 netlogon_dissect_netlogondatabaseredo_reply },
5962 { NETLOGON_FUNCTION_12, "Function_0x12",
5963 netlogon_dissect_function_12_rqst,
5964 netlogon_dissect_function_12_reply },
5965 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList",
5966 netlogon_dissect_nettrusteddomainlist_rqst,
5967 netlogon_dissect_nettrusteddomainlist_reply },
5968 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2",
5969 netlogon_dissect_dsrgetdcname2_rqst,
5970 netlogon_dissect_dsrgetdcname2_reply },
5971 { NETLOGON_FUNCTION_15, "Function 0x15",
5972 netlogon_dissect_function_15_rqst,
5973 netlogon_dissect_function_15_reply },
5974 { NETLOGON_FUNCTION_16, "Function 0x16",
5975 netlogon_dissect_function_16_rqst,
5976 netlogon_dissect_function_16_reply },
5977 { NETLOGON_FUNCTION_17, "Function 0x17",
5978 netlogon_dissect_function_17_rqst,
5979 netlogon_dissect_function_17_reply },
5980 { NETLOGON_FUNCTION_18, "Function 0x18",
5981 netlogon_dissect_function_18_rqst,
5982 netlogon_dissect_function_18_reply },
5983 { NETLOGON_FUNCTION_19, "Function 0x19",
5984 netlogon_dissect_function_19_rqst,
5985 netlogon_dissect_function_19_reply },
5986 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3",
5987 netlogon_dissect_netserverauthenticate3_rqst,
5988 netlogon_dissect_netserverauthenticate3_reply },
5989 { NETLOGON_DSRGETDCNAME, "DsrGetDCName",
5990 netlogon_dissect_dsrgetdcname_rqst,
5991 netlogon_dissect_dsrgetdcname_reply },
5992 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
5993 netlogon_dissect_dsrgetsitename_rqst,
5994 netlogon_dissect_dsrgetsitename_reply },
5995 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
5996 netlogon_dissect_netrlogongetdomaininfo_rqst,
5997 netlogon_dissect_netrlogongetdomaininfo_reply },
5998 { NETLOGON_FUNCTION_1E, "Function_0x1E",
5999 netlogon_dissect_function_1e_rqst,
6000 netlogon_dissect_function_1e_reply },
6001 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2",
6002 netlogon_dissect_netserverpasswordset2_rqst,
6003 netlogon_dissect_netserverpasswordset2_reply },
6004 { NETLOGON_FUNCTION_20, "Function_0x20",
6005 netlogon_dissect_function_20_rqst,
6006 netlogon_dissect_function_20_reply },
6007 { NETLOGON_FUNCTION_21, "Function_0x21",
6008 netlogon_dissect_function_21_rqst,
6009 netlogon_dissect_function_21_reply },
6010 { NETLOGON_FUNCTION_22, "Function_0x22",
6011 netlogon_dissect_function_22_rqst,
6012 netlogon_dissect_function_22_reply },
6013 { NETLOGON_FUNCTION_23, "Function_0x23",
6014 netlogon_dissect_function_23_rqst,
6015 netlogon_dissect_function_23_reply },
6016 { NETLOGON_FUNCTION_24, "Function_0x24",
6017 netlogon_dissect_function_24_rqst,
6018 netlogon_dissect_function_24_reply },
6019 { NETLOGON_FUNCTION_25, "Function_0x25",
6020 netlogon_dissect_function_25_rqst,
6021 netlogon_dissect_function_25_reply },
6022 { NETLOGON_FUNCTION_26, "Function_0x26",
6023 netlogon_dissect_function_26_rqst,
6024 netlogon_dissect_function_26_reply },
6025 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx",
6026 netlogon_dissect_logonsamlogonex_rqst,
6027 netlogon_dissect_logonsamlogonex_reply },
6028 { NETLOGON_DSENUMERATETRUSTEDDOMAINS, "DSEnumerateTrustedDomains",
6029 netlogon_dissect_dsenumeratetrusteddomains_rqst,
6030 netlogon_dissect_dsenumeratetrusteddomains_reply },
6031 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords",
6032 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6033 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6034 {0, NULL, NULL, NULL }
6037 static const value_string netlogon_opnum_vals[] = {
6038 { NETLOGON_UASLOGON, "UasLogon" },
6039 { NETLOGON_UASLOGOFF, "UasLogoff" },
6040 { NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
6041 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
6042 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
6043 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
6044 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
6045 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
6046 { NETLOGON_DATABASESYNC, "DatabaseSync" },
6047 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
6048 { NETLOGON_ACCOUNTSYNC, "AccountSync" },
6049 { NETLOGON_GETDCNAME, "GetDCName" },
6050 { NETLOGON_NETLOGONCONTROL, "LogonControl" },
6051 { NETLOGON_GETANYDCNAME, "GetAnyDCName" },
6052 { NETLOGON_NETLOGONCONTROL2, "LogonControl2" },
6053 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2" },
6054 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2" },
6055 { NETLOGON_DATABASEREDO, "DatabaseRedo" },
6056 { NETLOGON_FUNCTION_12, "Function_0x12" },
6057 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList" },
6058 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2" },
6059 { NETLOGON_FUNCTION_15, "Function_0x15" },
6060 { NETLOGON_FUNCTION_16, "Function_0x16" },
6061 { NETLOGON_FUNCTION_17, "Function_0x17" },
6062 { NETLOGON_FUNCTION_18, "Function_0x18" },
6063 { NETLOGON_FUNCTION_19, "Function_0x19" },
6064 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3" },
6065 { NETLOGON_DSRGETDCNAME, "DsrGetDCName" },
6066 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName" },
6067 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo" },
6068 { NETLOGON_FUNCTION_1E, "Function_0x1E" },
6069 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2" },
6070 { NETLOGON_FUNCTION_20, "Function_0x20" },
6071 { NETLOGON_FUNCTION_21, "Function_0x21" },
6072 { NETLOGON_FUNCTION_22, "Function_0x22" },
6073 { NETLOGON_FUNCTION_23, "Function_0x23" },
6074 { NETLOGON_FUNCTION_24, "Function_0x24" },
6075 { NETLOGON_FUNCTION_25, "Function_0x25" },
6076 { NETLOGON_FUNCTION_26, "Function_0x26" },
6077 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx" },
6078 { NETLOGON_DSENUMERATETRUSTEDDOMAINS, "DSEnumerateTrustedDomains" },
6079 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords" },
6083 /* Secure channel types */
6085 static const value_string sec_chan_type_vals[] = {
6086 { SEC_CHAN_WKSTA, "Workstation" },
6087 { SEC_CHAN_DOMAIN, "Domain trust" },
6088 { SEC_CHAN_BDC, "Backup domain controller" },
6093 proto_register_dcerpc_netlogon(void)
6096 static hf_register_info hf[] = {
6097 { &hf_netlogon_opnum,
6098 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6099 VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
6101 { &hf_netlogon_rc, {
6102 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6103 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6105 { &hf_netlogon_param_ctrl, {
6106 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6107 NULL, 0x0, "Param ctrl", HFILL }},
6109 { &hf_netlogon_logon_id, {
6110 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6111 NULL, 0x0, "Logon ID", HFILL }},
6113 { &hf_netlogon_modify_count, {
6114 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6115 NULL, 0x0, "How many times the object has been modified", HFILL }},
6117 { &hf_netlogon_security_information, {
6118 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6119 NULL, 0x0, "Security Information", HFILL }},
6121 { &hf_netlogon_count, {
6122 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6123 NULL, 0x0, "", HFILL }},
6125 { &hf_netlogon_entries, {
6126 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6127 NULL, 0x0, "", HFILL }},
6129 { &hf_netlogon_credential, {
6130 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6131 NULL, 0x0, "Netlogon credential", HFILL }},
6133 { &hf_netlogon_challenge, {
6134 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6135 NULL, 0x0, "Netlogon challenge", HFILL }},
6137 { &hf_netlogon_lm_owf_password, {
6138 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6139 NULL, 0x0, "LanManager OWF Password", HFILL }},
6141 { &hf_netlogon_user_session_key, {
6142 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6143 NULL, 0x0, "User Session Key", HFILL }},
6145 { &hf_netlogon_encrypted_lm_owf_password, {
6146 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6147 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6149 { &hf_netlogon_nt_owf_password, {
6150 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6151 NULL, 0x0, "NT OWF Password", HFILL }},
6153 { &hf_netlogon_blob, {
6154 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6155 NULL, 0x0, "BLOB", HFILL }},
6157 { &hf_netlogon_len, {
6158 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6159 NULL, 0, "Length", HFILL }},
6161 { &hf_netlogon_priv, {
6162 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6163 NULL, 0, "", HFILL }},
6165 { &hf_netlogon_privilege_entries, {
6166 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6167 NULL, 0, "", HFILL }},
6169 { &hf_netlogon_privilege_control, {
6170 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6171 NULL, 0, "", HFILL }},
6173 { &hf_netlogon_privilege_name, {
6174 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6175 NULL, 0, "", HFILL }},
6177 { &hf_netlogon_pdc_connection_status, {
6178 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6179 NULL, 0, "PDC Connection Status", HFILL }},
6181 { &hf_netlogon_tc_connection_status, {
6182 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6183 NULL, 0, "TC Connection Status", HFILL }},
6185 { &hf_netlogon_attrs, {
6186 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6187 NULL, 0, "Attributes", HFILL }},
6189 { &hf_netlogon_unknown_string,
6190 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6191 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6192 { &hf_netlogon_unknown_long,
6193 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6194 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6195 { &hf_netlogon_reserved,
6196 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6197 NULL, 0x0, "Reserved", HFILL }},
6198 { &hf_netlogon_unknown_short,
6199 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6200 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6202 { &hf_netlogon_unknown_char,
6203 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6204 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6206 { &hf_netlogon_acct_expiry_time,
6207 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6208 NULL, 0x0, "When this account will expire", HFILL }},
6210 { &hf_netlogon_nt_pwd_present,
6211 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6212 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6214 { &hf_netlogon_lm_pwd_present,
6215 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6216 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6218 { &hf_netlogon_pwd_expired,
6219 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6220 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6222 { &hf_netlogon_authoritative,
6223 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6224 NULL, 0x0, "", HFILL }},
6226 { &hf_netlogon_sensitive_data_flag,
6227 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6228 NULL, 0x0, "Sensitive data flag", HFILL }},
6230 { &hf_netlogon_auditing_mode,
6231 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6232 NULL, 0x0, "Auditing Mode", HFILL }},
6234 { &hf_netlogon_max_audit_event_count,
6235 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6236 NULL, 0x0, "Max audit event count", HFILL }},
6238 { &hf_netlogon_event_audit_option,
6239 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6240 NULL, 0x0, "Event audit option", HFILL }},
6242 { &hf_netlogon_sensitive_data_len,
6243 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6244 NULL, 0x0, "Length of sensitive data", HFILL }},
6246 { &hf_netlogon_nt_chal_resp,
6247 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6248 NULL, 0, "Challenge response for NT authentication", HFILL }},
6250 { &hf_netlogon_lm_chal_resp,
6251 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6252 NULL, 0, "Challenge response for LM authentication", HFILL }},
6254 { &hf_netlogon_cipher_len,
6255 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6256 NULL, 0, "", HFILL }},
6258 { &hf_netlogon_cipher_maxlen,
6259 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6260 NULL, 0, "", HFILL }},
6262 { &hf_netlogon_pac_data,
6263 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6264 NULL, 0, "Pac Data", HFILL }},
6266 { &hf_netlogon_sensitive_data,
6267 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6268 NULL, 0, "Sensitive Data", HFILL }},
6270 { &hf_netlogon_auth_data,
6271 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6272 NULL, 0, "Auth Data", HFILL }},
6274 { &hf_netlogon_cipher_current_data,
6275 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6276 NULL, 0, "", HFILL }},
6278 { &hf_netlogon_cipher_old_data,
6279 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6280 NULL, 0, "", HFILL }},
6282 { &hf_netlogon_acct_name,
6283 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6284 NULL, 0, "Account Name", HFILL }},
6286 { &hf_netlogon_acct_desc,
6287 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6288 NULL, 0, "Account Description", HFILL }},
6290 { &hf_netlogon_group_desc,
6291 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6292 NULL, 0, "Group Description", HFILL }},
6294 { &hf_netlogon_full_name,
6295 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6296 NULL, 0, "Full Name", HFILL }},
6298 { &hf_netlogon_comment,
6299 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6300 NULL, 0, "Comment", HFILL }},
6302 { &hf_netlogon_parameters,
6303 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6304 NULL, 0, "Parameters", HFILL }},
6306 { &hf_netlogon_logon_script,
6307 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6308 NULL, 0, "Logon Script", HFILL }},
6310 { &hf_netlogon_profile_path,
6311 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6312 NULL, 0, "Profile Path", HFILL }},
6314 { &hf_netlogon_home_dir,
6315 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6316 NULL, 0, "Home Directory", HFILL }},
6318 { &hf_netlogon_dir_drive,
6319 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6320 NULL, 0, "Drive letter for home directory", HFILL }},
6322 { &hf_netlogon_logon_srv,
6323 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6324 NULL, 0, "Server", HFILL }},
6326 { &hf_netlogon_principal,
6327 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6328 NULL, 0, "Principal", HFILL }},
6330 { &hf_netlogon_logon_dom,
6331 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6332 NULL, 0, "Domain", HFILL }},
6334 { &hf_netlogon_computer_name,
6335 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6336 NULL, 0, "Computer Name", HFILL }},
6338 { &hf_netlogon_site_name,
6339 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6340 NULL, 0, "Site Name", HFILL }},
6342 { &hf_netlogon_dc_name,
6343 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6344 NULL, 0, "DC Name", HFILL }},
6346 { &hf_netlogon_dc_site_name,
6347 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6348 NULL, 0, "DC Site Name", HFILL }},
6350 { &hf_netlogon_dns_forest_name,
6351 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6352 NULL, 0, "DNS Forest Name", HFILL }},
6354 { &hf_netlogon_dc_address,
6355 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6356 NULL, 0, "DC Address", HFILL }},
6358 { &hf_netlogon_dc_address_type,
6359 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6360 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6362 { &hf_netlogon_client_site_name,
6363 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6364 NULL, 0, "Client Site Name", HFILL }},
6366 { &hf_netlogon_workstation_site_name,
6367 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6368 NULL, 0, "Workstation Site Name", HFILL }},
6370 { &hf_netlogon_workstation,
6371 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6372 NULL, 0, "Workstation Name", HFILL }},
6374 { &hf_netlogon_workstation_os,
6375 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6376 NULL, 0, "Workstation OS", HFILL }},
6378 { &hf_netlogon_workstations,
6379 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6380 NULL, 0, "Workstations", HFILL }},
6382 { &hf_netlogon_workstation_fqdn,
6383 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6384 NULL, 0, "Workstation FQDN", HFILL }},
6386 { &hf_netlogon_group_name,
6387 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6388 NULL, 0, "Group Name", HFILL }},
6390 { &hf_netlogon_alias_name,
6391 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6392 NULL, 0, "Alias Name", HFILL }},
6394 { &hf_netlogon_dns_host,
6395 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6396 NULL, 0, "DNS Host", HFILL }},
6398 { &hf_netlogon_downlevel_domain_name,
6399 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6400 NULL, 0, "Downlevel Domain Name", HFILL }},
6402 { &hf_netlogon_dns_domain_name,
6403 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6404 NULL, 0, "DNS Domain Name", HFILL }},
6406 { &hf_netlogon_domain_name,
6407 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6408 NULL, 0, "Domain Name", HFILL }},
6410 { &hf_netlogon_oem_info,
6411 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6412 NULL, 0, "OEM Info", HFILL }},
6414 { &hf_netlogon_trusted_dc_name,
6415 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6416 NULL, 0, "Trusted DC", HFILL }},
6418 { &hf_netlogon_logonsrv_handle,
6419 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6420 NULL, 0, "Logon Srv Handle", HFILL }},
6422 { &hf_netlogon_dummy,
6423 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6424 NULL, 0, "Dummy string", HFILL }},
6426 { &hf_netlogon_logon_count16,
6427 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6428 NULL, 0x0, "Number of successful logins", HFILL }},
6430 { &hf_netlogon_logon_count,
6431 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6432 NULL, 0x0, "Number of successful logins", HFILL }},
6434 { &hf_netlogon_bad_pw_count16,
6435 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6436 NULL, 0x0, "Number of failed logins", HFILL }},
6438 { &hf_netlogon_bad_pw_count,
6439 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6440 NULL, 0x0, "Number of failed logins", HFILL }},
6442 { &hf_netlogon_country,
6443 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6444 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6446 { &hf_netlogon_codepage,
6447 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6448 NULL, 0x0, "Codepage setting for this account", HFILL }},
6450 { &hf_netlogon_level16,
6451 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6452 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6454 { &hf_netlogon_validation_level,
6455 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6456 NULL, 0x0, "Requested level of validation", HFILL }},
6458 { &hf_netlogon_minpasswdlen,
6459 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6460 NULL, 0x0, "Minimum length of password", HFILL }},
6462 { &hf_netlogon_passwdhistorylen,
6463 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6464 NULL, 0x0, "Length of password history", HFILL }},
6466 { &hf_netlogon_secure_channel_type,
6467 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
6468 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
6470 { &hf_netlogon_restart_state,
6471 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6472 NULL, 0x0, "Restart State", HFILL }},
6474 { &hf_netlogon_delta_type,
6475 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6476 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6478 { &hf_netlogon_blob_size,
6479 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6480 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6482 { &hf_netlogon_code,
6483 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6484 NULL, 0x0, "Code", HFILL }},
6486 { &hf_netlogon_level,
6487 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6488 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6490 { &hf_netlogon_reference,
6491 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6492 NULL, 0x0, "", HFILL }},
6494 { &hf_netlogon_next_reference,
6495 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6496 NULL, 0x0, "", HFILL }},
6498 { &hf_netlogon_timestamp,
6499 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6500 NULL, 0, "", HFILL }},
6502 { &hf_netlogon_user_rid,
6503 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6504 NULL, 0x0, "", HFILL }},
6506 { &hf_netlogon_alias_rid,
6507 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6508 NULL, 0x0, "", HFILL }},
6510 { &hf_netlogon_group_rid,
6511 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6512 NULL, 0x0, "", HFILL }},
6514 { &hf_netlogon_num_rids,
6515 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6516 NULL, 0x0, "Number of RIDs", HFILL }},
6518 { &hf_netlogon_num_controllers,
6519 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6520 NULL, 0x0, "Number of domain controllers", HFILL }},
6522 { &hf_netlogon_num_other_groups,
6523 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6524 NULL, 0x0, "", HFILL }},
6526 { &hf_netlogon_flags,
6527 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6528 NULL, 0x0, "", HFILL }},
6530 { &hf_netlogon_user_flags,
6531 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6532 NULL, 0x0, "", HFILL }},
6534 { &hf_netlogon_auth_flags,
6535 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6536 NULL, 0x0, "", HFILL }},
6538 { &hf_netlogon_systemflags,
6539 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6540 NULL, 0x0, "", HFILL }},
6542 { &hf_netlogon_database_id,
6543 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6544 NULL, 0x0, "Database Id", HFILL }},
6546 { &hf_netlogon_sync_context,
6547 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6548 NULL, 0x0, "Sync Context", HFILL }},
6550 { &hf_netlogon_max_size,
6551 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6552 NULL, 0x0, "Max Size of database", HFILL }},
6554 { &hf_netlogon_max_log_size,
6555 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6556 NULL, 0x0, "Max Size of log", HFILL }},
6558 { &hf_netlogon_pac_size,
6559 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6560 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6562 { &hf_netlogon_auth_size,
6563 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6564 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6566 { &hf_netlogon_num_deltas,
6567 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6568 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6570 { &hf_netlogon_num_trusts,
6571 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
6572 NULL, 0x0, "", HFILL }},
6574 { &hf_netlogon_logon_attempts,
6575 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6576 NULL, 0x0, "Number of logon attempts", HFILL }},
6578 { &hf_netlogon_pagefilelimit,
6579 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6580 NULL, 0x0, "", HFILL }},
6582 { &hf_netlogon_pagedpoollimit,
6583 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6584 NULL, 0x0, "", HFILL }},
6586 { &hf_netlogon_nonpagedpoollimit,
6587 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6588 NULL, 0x0, "", HFILL }},
6590 { &hf_netlogon_minworkingsetsize,
6591 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6592 NULL, 0x0, "", HFILL }},
6594 { &hf_netlogon_maxworkingsetsize,
6595 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6596 NULL, 0x0, "", HFILL }},
6598 { &hf_netlogon_serial_number,
6599 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6600 NULL, 0x0, "", HFILL }},
6602 { &hf_netlogon_neg_flags,
6603 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6604 NULL, 0x0, "Negotiation Flags", HFILL }},
6606 { &hf_netlogon_dc_flags,
6607 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
6608 NULL, 0x0, "Domain Controller Flags", HFILL }},
6610 { &hf_netlogon_dc_flags_pdc_flag,
6611 { "PDC", "netlogon.dc.flags.pdc",
6612 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
6613 "If this server is a PDC", HFILL }},
6615 { &hf_netlogon_dc_flags_gc_flag,
6616 { "GC", "netlogon.dc.flags.gc",
6617 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
6618 "If this server is a GC", HFILL }},
6620 { &hf_netlogon_dc_flags_ldap_flag,
6621 { "LDAP", "netlogon.dc.flags.ldap",
6622 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
6623 "If this is an LDAP server", HFILL }},
6625 { &hf_netlogon_dc_flags_ds_flag,
6626 { "DS", "netlogon.dc.flags.ds",
6627 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
6628 "If this server is a DS", HFILL }},
6630 { &hf_netlogon_dc_flags_kdc_flag,
6631 { "KDC", "netlogon.dc.flags.kdc",
6632 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
6633 "If this is a KDC", HFILL }},
6635 { &hf_netlogon_dc_flags_timeserv_flag,
6636 { "Timeserv", "netlogon.dc.flags.timeserv",
6637 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
6638 "If this server is a TimeServer", HFILL }},
6640 { &hf_netlogon_dc_flags_closest_flag,
6641 { "Closest", "netlogon.dc.flags.closest",
6642 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
6643 "If this is the closest server", HFILL }},
6645 { &hf_netlogon_dc_flags_writable_flag,
6646 { "Writable", "netlogon.dc.flags.writable",
6647 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
6648 "If this server can do updates to the database", HFILL }},
6650 { &hf_netlogon_dc_flags_good_timeserv_flag,
6651 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
6652 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
6653 "If this is a Good TimeServer", HFILL }},
6655 { &hf_netlogon_dc_flags_ndnc_flag,
6656 { "NDNC", "netlogon.dc.flags.ndnc",
6657 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
6658 "If this is an NDNC server", HFILL }},
6660 { &hf_netlogon_dc_flags_dns_controller_flag,
6661 { "DNS Controller", "netlogon.dc.flags.dns_controller",
6662 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
6663 "If this server is a DNS Controller", HFILL }},
6665 { &hf_netlogon_dc_flags_dns_domain_flag,
6666 { "DNS Domain", "netlogon.dc.flags.dns_domain",
6667 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
6670 { &hf_netlogon_dc_flags_dns_forest_flag,
6671 { "DNS Forest", "netlogon.dc.flags.dns_forest",
6672 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
6675 { &hf_netlogon_get_dcname_request_flags,
6676 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
6677 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
6679 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
6680 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
6681 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
6682 "Whether to allow the server to returned cached information or not", HFILL }},
6684 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
6685 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
6686 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
6687 "Whether we require that the returned DC supports w2k or not", HFILL }},
6689 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
6690 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
6691 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
6692 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
6694 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
6695 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
6696 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
6697 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
6699 { &hf_netlogon_get_dcname_request_flags_pdc_required,
6700 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
6701 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
6702 "Whether we require the returned DC to be the PDC", HFILL }},
6704 { &hf_netlogon_get_dcname_request_flags_background_only,
6705 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
6706 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
6707 "If we want cached data, even if it may have expired", HFILL }},
6709 { &hf_netlogon_get_dcname_request_flags_ip_required,
6710 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
6711 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
6712 "If we requre the IP of the DC in the reply", HFILL }},
6714 { &hf_netlogon_get_dcname_request_flags_kdc_required,
6715 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
6716 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
6717 "If we require that the returned server is a KDC", HFILL }},
6719 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
6720 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
6721 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
6722 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
6724 { &hf_netlogon_get_dcname_request_flags_writable_required,
6725 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
6726 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
6727 "If we require that the return server is writable", HFILL }},
6729 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
6730 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
6731 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
6732 "If we prefer Windows Time Servers", HFILL }},
6734 { &hf_netlogon_get_dcname_request_flags_avoid_self,
6735 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
6736 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
6737 "Return another DC than the one we ask", HFILL }},
6739 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
6740 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
6741 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
6742 "We just want an LDAP server, it does not have to be a DC", HFILL }},
6744 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
6745 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
6746 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
6747 "If the specified domain name is a NetBIOS name", HFILL }},
6749 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
6750 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
6751 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
6752 "If the specified domain name is a DNS name", HFILL }},
6754 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
6755 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
6756 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
6757 "Only return a DNS name (or an error)", HFILL }},
6759 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
6760 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
6761 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
6762 "Only return a NetBIOS name (or an error)", HFILL }},
6764 { &hf_netlogon_trust_attribs,
6765 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
6766 NULL, 0x0, "Trust Attributes", HFILL }},
6768 { &hf_netlogon_trust_type,
6769 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
6770 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
6772 { &hf_netlogon_trust_flags,
6773 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
6774 NULL, 0x0, "Trust Flags", HFILL }},
6776 { &hf_netlogon_trust_flags_inbound,
6777 { "Inbound Trust", "netlogon.trust.flags.inbound",
6778 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
6779 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
6781 { &hf_netlogon_trust_flags_outbound,
6782 { "Outbound Trust", "netlogon.trust.flags.outbound",
6783 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
6784 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
6786 { &hf_netlogon_trust_flags_in_forest,
6787 { "In Forest", "netlogon.trust.flags.in_forest",
6788 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
6789 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
6791 { &hf_netlogon_trust_flags_native_mode,
6792 { "Native Mode", "netlogon.trust.flags.native_mode",
6793 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
6794 "Whether the domain is a w2k native mode domain or not", HFILL }},
6796 { &hf_netlogon_trust_flags_primary,
6797 { "Primary", "netlogon.trust.flags.primary",
6798 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
6799 "Whether the domain is the primary domain for the queried server or not", HFILL }},
6801 { &hf_netlogon_trust_flags_tree_root,
6802 { "Tree Root", "netlogon.trust.flags.tree_root",
6803 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
6804 "Whether the domain is the root of the tree for the queried server", HFILL }},
6806 { &hf_netlogon_trust_parent_index,
6807 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
6808 NULL, 0x0, "Parent Index", HFILL }},
6810 { &hf_netlogon_logon_time,
6811 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6812 NULL, 0, "Time for last time this user logged on", HFILL }},
6814 { &hf_netlogon_kickoff_time,
6815 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6816 NULL, 0, "Time when this user will be kicked off", HFILL }},
6818 { &hf_netlogon_logoff_time,
6819 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6820 NULL, 0, "Time for last time this user logged off", HFILL }},
6822 { &hf_netlogon_pwd_last_set_time,
6823 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6824 NULL, 0, "Last time this users password was changed", HFILL }},
6826 { &hf_netlogon_pwd_can_change_time,
6827 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6828 NULL, 0, "When this users password may be changed", HFILL }},
6830 { &hf_netlogon_pwd_must_change_time,
6831 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6832 NULL, 0, "When this users password must be changed", HFILL }},
6834 { &hf_netlogon_domain_create_time,
6835 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6836 NULL, 0, "Time when this domain was created", HFILL }},
6838 { &hf_netlogon_domain_modify_time,
6839 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6840 NULL, 0, "Time when this domain was last modified", HFILL }},
6842 { &hf_netlogon_db_modify_time,
6843 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6844 NULL, 0, "Time when last modified", HFILL }},
6846 { &hf_netlogon_db_create_time,
6847 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6848 NULL, 0, "Time when created", HFILL }},
6850 { &hf_netlogon_cipher_current_set_time,
6851 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6852 NULL, 0, "Time when current cipher was initiated", HFILL }},
6854 { &hf_netlogon_cipher_old_set_time,
6855 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6856 NULL, 0, "Time when previous cipher was initiated", HFILL }},
6858 { &hf_netlogon_audit_retention_period,
6859 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6860 NULL, 0, "Audit retention period", HFILL }},
6862 { &hf_netlogon_guid,
6863 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
6864 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
6866 { &hf_netlogon_timelimit,
6867 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6868 NULL, 0, "", HFILL }}
6872 static gint *ett[] = {
6873 &ett_dcerpc_netlogon,
6879 &ett_DOMAIN_CONTROLLER_INFO,
6880 &ett_UNICODE_STRING_512,
6883 &ett_DELTA_ID_UNION,
6886 &ett_LM_OWF_PASSWORD,
6887 &ett_NT_OWF_PASSWORD,
6888 &ett_GROUP_MEMBERSHIP,
6889 &ett_DS_DOMAIN_TRUSTS,
6891 &ett_DOMAIN_TRUST_INFO,
6893 &ett_get_dcname_request_flags,
6897 proto_dcerpc_netlogon = proto_register_protocol(
6898 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
6900 proto_register_field_array(proto_dcerpc_netlogon, hf,
6902 proto_register_subtree_array(ett, array_length(ett));
6906 proto_reg_handoff_dcerpc_netlogon(void)
6908 /* Register protocol as dcerpc */
6910 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
6911 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
6912 dcerpc_netlogon_dissectors, hf_netlogon_opnum);