1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.100 2004/04/08 10:21:10 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
/*
 * Handles for the NETLOGON dissector.  This declaration and the hf_* (header
 * field) and ett_* (subtree) declarations that follow all start at -1.
 * NOTE(review): presumably they receive real values when the protocol and
 * its fields are registered; the registration code is not in this listing.
 */
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_group_attrs_mandatory = -1;
42 static int hf_netlogon_group_attrs_enabled_by_default = -1;
43 static int hf_netlogon_group_attrs_enabled = -1;
44 static int hf_netlogon_opnum = -1;
45 static int hf_netlogon_guid = -1;
46 static int hf_netlogon_rc = -1;
47 static int hf_netlogon_len = -1;
48 static int hf_netlogon_sensitive_data_flag = -1;
49 static int hf_netlogon_sensitive_data_len = -1;
50 static int hf_netlogon_sensitive_data = -1;
51 static int hf_netlogon_security_information = -1;
52 static int hf_netlogon_dummy = -1;
53 static int hf_netlogon_neg_flags = -1;
54 static int hf_netlogon_minworkingsetsize = -1;
55 static int hf_netlogon_maxworkingsetsize = -1;
56 static int hf_netlogon_pagedpoollimit = -1;
57 static int hf_netlogon_pagefilelimit = -1;
58 static int hf_netlogon_timelimit = -1;
59 static int hf_netlogon_nonpagedpoollimit = -1;
60 static int hf_netlogon_pac_size = -1;
61 static int hf_netlogon_pac_data = -1;
62 static int hf_netlogon_auth_size = -1;
63 static int hf_netlogon_auth_data = -1;
64 static int hf_netlogon_cipher_len = -1;
65 static int hf_netlogon_cipher_maxlen = -1;
66 static int hf_netlogon_cipher_current_data = -1;
67 static int hf_netlogon_cipher_current_set_time = -1;
68 static int hf_netlogon_cipher_old_data = -1;
69 static int hf_netlogon_cipher_old_set_time = -1;
70 static int hf_netlogon_priv = -1;
71 static int hf_netlogon_privilege_entries = -1;
72 static int hf_netlogon_privilege_control = -1;
73 static int hf_netlogon_privilege_name = -1;
74 static int hf_netlogon_systemflags = -1;
75 static int hf_netlogon_pdc_connection_status = -1;
76 static int hf_netlogon_tc_connection_status = -1;
77 static int hf_netlogon_restart_state = -1;
78 static int hf_netlogon_attrs = -1;
79 static int hf_netlogon_count = -1;
80 static int hf_netlogon_entries = -1;
81 static int hf_netlogon_minpasswdlen = -1;
82 static int hf_netlogon_passwdhistorylen = -1;
83 static int hf_netlogon_level16 = -1;
84 static int hf_netlogon_validation_level = -1;
85 static int hf_netlogon_reference = -1;
86 static int hf_netlogon_next_reference = -1;
87 static int hf_netlogon_timestamp = -1;
88 static int hf_netlogon_level = -1;
89 static int hf_netlogon_challenge = -1;
90 static int hf_netlogon_reserved = -1;
91 static int hf_netlogon_audit_retention_period = -1;
92 static int hf_netlogon_auditing_mode = -1;
93 static int hf_netlogon_max_audit_event_count = -1;
94 static int hf_netlogon_event_audit_option = -1;
95 static int hf_netlogon_unknown_string = -1;
96 static int hf_netlogon_unknown_long = -1;
97 static int hf_netlogon_unknown_short = -1;
98 static int hf_netlogon_unknown_char = -1;
99 static int hf_netlogon_logon_time = -1;
100 static int hf_netlogon_logoff_time = -1;
101 static int hf_netlogon_kickoff_time = -1;
102 static int hf_netlogon_pwd_last_set_time = -1;
103 static int hf_netlogon_pwd_can_change_time = -1;
104 static int hf_netlogon_pwd_must_change_time = -1;
105 static int hf_netlogon_nt_chal_resp = -1;
106 static int hf_netlogon_lm_chal_resp = -1;
107 static int hf_netlogon_credential = -1;
108 static int hf_netlogon_acct_name = -1;
109 static int hf_netlogon_acct_desc = -1;
110 static int hf_netlogon_group_desc = -1;
111 static int hf_netlogon_full_name = -1;
112 static int hf_netlogon_comment = -1;
113 static int hf_netlogon_parameters = -1;
114 static int hf_netlogon_logon_script = -1;
115 static int hf_netlogon_profile_path = -1;
116 static int hf_netlogon_home_dir = -1;
117 static int hf_netlogon_dir_drive = -1;
118 static int hf_netlogon_logon_count = -1;
119 static int hf_netlogon_logon_count16 = -1;
120 static int hf_netlogon_bad_pw_count = -1;
121 static int hf_netlogon_bad_pw_count16 = -1;
122 static int hf_netlogon_user_rid = -1;
123 static int hf_netlogon_alias_rid = -1;
124 static int hf_netlogon_group_rid = -1;
125 static int hf_netlogon_logon_srv = -1;
126 static int hf_netlogon_principal = -1;
127 static int hf_netlogon_logon_dom = -1;
128 static int hf_netlogon_resourcegroupdomainsid = -1;
129 static int hf_netlogon_resourcegroupcount = -1;
130 static int hf_netlogon_downlevel_domain_name = -1;
131 static int hf_netlogon_dns_domain_name = -1;
132 static int hf_netlogon_domain_name = -1;
133 static int hf_netlogon_domain_create_time = -1;
134 static int hf_netlogon_domain_modify_time = -1;
135 static int hf_netlogon_modify_count = -1;
136 static int hf_netlogon_db_modify_time = -1;
137 static int hf_netlogon_db_create_time = -1;
138 static int hf_netlogon_oem_info = -1;
139 static int hf_netlogon_serial_number = -1;
140 static int hf_netlogon_num_rids = -1;
141 static int hf_netlogon_num_trusts = -1;
142 static int hf_netlogon_num_controllers = -1;
143 static int hf_netlogon_num_other_groups = -1;
144 static int hf_netlogon_computer_name = -1;
145 static int hf_netlogon_site_name = -1;
146 static int hf_netlogon_trusted_dc_name = -1;
147 static int hf_netlogon_dc_name = -1;
148 static int hf_netlogon_dc_site_name = -1;
149 static int hf_netlogon_dns_forest_name = -1;
150 static int hf_netlogon_dc_address = -1;
151 static int hf_netlogon_dc_address_type = -1;
152 static int hf_netlogon_client_site_name = -1;
153 static int hf_netlogon_workstation = -1;
154 static int hf_netlogon_workstation_site_name = -1;
155 static int hf_netlogon_workstation_os = -1;
156 static int hf_netlogon_workstations = -1;
157 static int hf_netlogon_workstation_fqdn = -1;
158 static int hf_netlogon_group_name = -1;
159 static int hf_netlogon_alias_name = -1;
160 static int hf_netlogon_country = -1;
161 static int hf_netlogon_codepage = -1;
162 static int hf_netlogon_flags = -1;
163 static int hf_netlogon_trust_attribs = -1;
164 static int hf_netlogon_trust_type = -1;
165 static int hf_netlogon_trust_flags = -1;
166 static int hf_netlogon_trust_flags_inbound = -1;
167 static int hf_netlogon_trust_flags_outbound = -1;
168 static int hf_netlogon_trust_flags_in_forest = -1;
169 static int hf_netlogon_trust_flags_native_mode = -1;
170 static int hf_netlogon_trust_flags_primary = -1;
171 static int hf_netlogon_trust_flags_tree_root = -1;
172 static int hf_netlogon_trust_parent_index = -1;
173 static int hf_netlogon_user_account_control = -1;
174 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
175 static int hf_netlogon_user_account_control_use_des_key_only = -1;
176 static int hf_netlogon_user_account_control_not_delegated = -1;
177 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
178 static int hf_netlogon_user_account_control_smartcard_required = -1;
179 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
180 static int hf_netlogon_user_account_control_account_auto_locked = -1;
181 static int hf_netlogon_user_account_control_dont_expire_password = -1;
182 static int hf_netlogon_user_account_control_server_trust_account = -1;
183 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
184 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
185 static int hf_netlogon_user_account_control_mns_logon_account = -1;
186 static int hf_netlogon_user_account_control_normal_account = -1;
187 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
188 static int hf_netlogon_user_account_control_password_not_required = -1;
189 static int hf_netlogon_user_account_control_home_directory_required = -1;
190 static int hf_netlogon_user_account_control_account_disabled = -1;
191 static int hf_netlogon_user_flags = -1;
192 static int hf_netlogon_user_flags_extra_sids = -1;
193 static int hf_netlogon_user_flags_resource_groups = -1;
194 static int hf_netlogon_auth_flags = -1;
195 static int hf_netlogon_pwd_expired = -1;
196 static int hf_netlogon_nt_pwd_present = -1;
197 static int hf_netlogon_lm_pwd_present = -1;
198 static int hf_netlogon_code = -1;
199 static int hf_netlogon_database_id = -1;
200 static int hf_netlogon_sync_context = -1;
201 static int hf_netlogon_max_size = -1;
202 static int hf_netlogon_max_log_size = -1;
203 static int hf_netlogon_dns_host = -1;
204 static int hf_netlogon_acct_expiry_time = -1;
205 static int hf_netlogon_encrypted_lm_owf_password = -1;
206 static int hf_netlogon_lm_owf_password = -1;
207 static int hf_netlogon_nt_owf_password = -1;
208 static int hf_netlogon_param_ctrl = -1;
209 static int hf_netlogon_logon_id = -1;
210 static int hf_netlogon_num_deltas = -1;
211 static int hf_netlogon_user_session_key = -1;
212 static int hf_netlogon_blob_size = -1;
213 static int hf_netlogon_blob = -1;
214 static int hf_netlogon_logon_attempts = -1;
215 static int hf_netlogon_authoritative = -1;
216 static int hf_netlogon_secure_channel_type = -1;
217 static int hf_netlogon_logonsrv_handle = -1;
218 static int hf_netlogon_delta_type = -1;
219 static int hf_netlogon_get_dcname_request_flags = -1;
220 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
221 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
222 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
223 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
224 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
225 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
226 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
227 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
228 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
229 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
230 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
231 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
232 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
233 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
234 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
235 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
236 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
237 static int hf_netlogon_dc_flags = -1;
238 static int hf_netlogon_dc_flags_pdc_flag = -1;
239 static int hf_netlogon_dc_flags_gc_flag = -1;
240 static int hf_netlogon_dc_flags_ldap_flag = -1;
241 static int hf_netlogon_dc_flags_ds_flag = -1;
242 static int hf_netlogon_dc_flags_kdc_flag = -1;
243 static int hf_netlogon_dc_flags_timeserv_flag = -1;
244 static int hf_netlogon_dc_flags_closest_flag = -1;
245 static int hf_netlogon_dc_flags_writable_flag = -1;
246 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
247 static int hf_netlogon_dc_flags_ndnc_flag = -1;
248 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
249 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
250 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
252 static gint ett_dcerpc_netlogon = -1;
253 static gint ett_group_attrs = -1;
254 static gint ett_user_flags = -1;
255 static gint ett_user_account_control = -1;
256 static gint ett_QUOTA_LIMITS = -1;
257 static gint ett_IDENTITY_INFO = -1;
258 static gint ett_DELTA_ENUM = -1;
259 static gint ett_CYPHER_VALUE = -1;
260 static gint ett_UNICODE_MULTI = -1;
261 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
262 static gint ett_UNICODE_STRING_512 = -1;
263 static gint ett_TYPE_50 = -1;
264 static gint ett_TYPE_52 = -1;
265 static gint ett_DELTA_ID_UNION = -1;
266 static gint ett_TYPE_44 = -1;
267 static gint ett_DELTA_UNION = -1;
268 static gint ett_LM_OWF_PASSWORD = -1;
269 static gint ett_NT_OWF_PASSWORD = -1;
270 static gint ett_GROUP_MEMBERSHIP = -1;
271 static gint ett_BLOB = -1;
272 static gint ett_DS_DOMAIN_TRUSTS = -1;
273 static gint ett_DOMAIN_TRUST_INFO = -1;
274 static gint ett_trust_flags = -1;
275 static gint ett_get_dcname_request_flags = -1;
276 static gint ett_dc_flags = -1;
/*
 * DCE/RPC interface identity for NETLOGON: interface UUID
 * 12345678-1234-abcd-ef00-01234567cffb, interface version 1.
 * NOTE(review): presumably handed to the DCE/RPC layer when the dissector is
 * registered; that call is not part of this listing.
 */
278 static e_uuid_t uuid_dcerpc_netlogon = {
279 0x12345678, 0x1234, 0xabcd,
280 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
283 static guint16 ver_dcerpc_netlogon = 1;
/*
 * Display strings for the individual USER_ACCOUNT_CONTROL bits.  Each table
 * holds two strings: the first is shown when the bit is set, the second when
 * it is clear.  By the convention used here the flag name is upper-cased in
 * the "set" string so that set bits stand out in the protocol tree.
 * NOTE(review): the bit mask belonging to each table is not visible in this
 * listing; presumably it is given where the matching hf_* field is
 * registered.
 */
286 static const true_false_string user_account_control_dont_require_preauth= {
287 "This account DONT_REQUIRE_PREAUTHENTICATION",
288 "This account REQUIRES preauthentication",
290 static const true_false_string user_account_control_use_des_key_only= {
291 "This account must USE_DES_KEY_ONLY for passwords",
292 "This account does NOT have to use_des_key_only",
294 static const true_false_string user_account_control_not_delegated= {
295 "This account is NOT_DELEGATED",
296 "This might have been delegated",
298 static const true_false_string user_account_control_trusted_for_delegation= {
299 "This account is TRUSTED_FOR_DELEGATION",
300 "This account is NOT trusted_for_delegation",
302 static const true_false_string user_account_control_smartcard_required= {
303 "This account REQUIRES_SMARTCARD to authenticate",
304 "This account does NOT require_smartcard to authenticate",
306 static const true_false_string user_account_control_encrypted_text_password_allowed= {
307 "This account allows ENCRYPTED_TEXT_PASSWORD",
308 "This account does NOT allow encrypted_text_password",
310 static const true_false_string user_account_control_account_auto_locked= {
311 "This account is AUTO_LOCKED",
312 "This account is NOT auto_locked",
314 static const true_false_string user_account_control_dont_expire_password= {
315 "This account DONT_EXPIRE_PASSWORDs",
316 "This account might expire_passwords",
318 static const true_false_string user_account_control_server_trust_account= {
319 "This account is a SERVER_TRUST_ACCOUNT",
320 "This account is NOT a server_trust_account",
322 static const true_false_string user_account_control_workstation_trust_account= {
323 "This account is a WORKSTATION_TRUST_ACCOUNT",
324 "This account is NOT a workstation_trust_account",
326 static const true_false_string user_account_control_interdomain_trust_account= {
327 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
328 "This account is NOT an interdomain_trust_account",
330 static const true_false_string user_account_control_mns_logon_account= {
331 "This account is a MNS_LOGON_ACCOUNT",
332 "This account is NOT a mns_logon_account",
334 static const true_false_string user_account_control_normal_account= {
335 "This account is a NORMAL_ACCOUNT",
336 "This account is NOT a normal_account",
338 static const true_false_string user_account_control_temp_duplicate_account= {
339 "This account is a TEMP_DUPLICATE_ACCOUNT",
340 "This account is NOT a temp_duplicate_account",
342 static const true_false_string user_account_control_password_not_required= {
343 "This account REQUIRES_NO_PASSWORD",
344 "This account REQUIRES a password",
346 static const true_false_string user_account_control_home_directory_required= {
347 "This account REQUIRES_HOME_DIRECTORY",
348 "This account does NOT require_home_directory",
350 static const true_false_string user_account_control_account_disabled= {
351 "This account is DISABLED",
352 "This account is NOT disabled",
/*
 * Dissect the 32-bit USER_ACCOUNT_CONTROL bitmask and expand it into one
 * boolean row per flag under an ett_user_account_control subtree.
 *
 * tvb/offset   - buffer and position of the value
 * pinfo        - packet state; pinfo->private_data is read as the DCE/RPC
 *                call info to detect a conformant run
 * parent_tree  - tree the summary item is attached to
 * drep         - NDR data representation, forwarded to dissect_ndr_uint32()
 *
 * Several of the decoded bits (no pre-authentication required, trusted for
 * delegation, password not required, password never expires, DES-only keys)
 * describe account settings an analyst will usually want to check when
 * reviewing a capture.
 *
 * NOTE(review): the declarations of mask and di, the guard around the tree
 * construction, the braces and the return statements are not visible in
 * this listing.
 */
355 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
356 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
359 proto_item *item = NULL;
360 proto_tree *tree = NULL;
363 di=pinfo->private_data;
364 if(di->conformant_run){
365 /*just a run to handle conformant arrays, nothing to dissect */
/* Read the value with a NULL tree so nothing is displayed yet; only mask
   is wanted here. */
369 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
370 hf_netlogon_user_account_control, &mask);
/* Add the summary item by hand.  offset-4 assumes the call above returned
   the position just past the 4-byte value - TODO confirm. */
373 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_account_control,
374 tvb, offset-4, 4, mask);
375 tree = proto_item_add_subtree(item, ett_user_account_control);
/* One row per flag; every row covers the same four bytes and is passed the
   whole mask. */
378 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_require_preauth,
379 tvb, offset-4, 4, mask);
380 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_use_des_key_only,
381 tvb, offset-4, 4, mask);
382 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_not_delegated,
383 tvb, offset-4, 4, mask);
384 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_trusted_for_delegation,
385 tvb, offset-4, 4, mask);
386 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_smartcard_required,
387 tvb, offset-4, 4, mask);
388 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_encrypted_text_password_allowed,
389 tvb, offset-4, 4, mask);
390 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_auto_locked,
391 tvb, offset-4, 4, mask);
392 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_expire_password,
393 tvb, offset-4, 4, mask);
394 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_server_trust_account,
395 tvb, offset-4, 4, mask);
396 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_workstation_trust_account,
397 tvb, offset-4, 4, mask);
398 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_interdomain_trust_account,
399 tvb, offset-4, 4, mask);
400 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_mns_logon_account,
401 tvb, offset-4, 4, mask);
402 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_normal_account,
403 tvb, offset-4, 4, mask);
404 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_temp_duplicate_account,
405 tvb, offset-4, 4, mask);
406 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_password_not_required,
407 tvb, offset-4, 4, mask);
408 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_home_directory_required,
409 tvb, offset-4, 4, mask);
410 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_disabled,
411 tvb, offset-4, 4, mask);
/*
 * Dissect the server handle that opens the requests in this file: a unique
 * NDR pointer to a string, labelled "Server Handle" and shown under
 * hf_netlogon_logonsrv_handle.
 * NOTE(review): the rest of the parameter list and the return statement are
 * not visible in this listing.
 */
417 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
418 packet_info *pinfo, proto_tree *tree,
421 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
422 NDR_POINTER_UNIQUE, "Server Handle",
423 hf_netlogon_logonsrv_handle, 0);
429 * IDL typedef struct {
430 * IDL [unique][string] wchar_t *effective_name;
432 * IDL long auth_flags;
433 * IDL long logon_count;
434 * IDL long bad_pw_count;
435 * IDL long last_logon;
436 * IDL long last_logoff;
437 * IDL long logoff_time;
438 * IDL long kickoff_time;
439 * IDL long password_age;
440 * IDL long pw_can_change;
441 * IDL long pw_must_change;
442 * IDL [unique][string] wchar_t *computer;
443 * IDL [unique][string] wchar_t *domain;
444 * IDL [unique][string] wchar_t *script_path;
/*
 * Dissect a VALIDATION_UAS_INFO structure: effective account name, privilege,
 * auth flags, logon count, bad-password count, seven time values, the
 * computer, domain and script strings, and a trailing reserved 32-bit value.
 * Nothing is dissected during a conformant run.
 * NOTE(review): the declaration of di, the drep parameter, the braces and
 * the return statements are not visible in this listing.
 */
448 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
449 packet_info *pinfo, proto_tree *tree,
454 di=pinfo->private_data;
455 if(di->conformant_run){
456 /*just a run to handle conformant arrays, nothing to dissect */
460 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
461 NDR_POINTER_UNIQUE, "Effective Account",
462 hf_netlogon_acct_name, 0);
464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
465 hf_netlogon_priv, NULL);
467 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
468 hf_netlogon_auth_flags, NULL);
470 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
471 hf_netlogon_logon_count, NULL);
473 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
474 hf_netlogon_bad_pw_count, NULL);
476 /* XXX - are these all UNIX "time_t"s, like the time stamps in
479 Or are they, as per some RAP-based operations, UTIMEs? */
/* The seven time values are only labelled as four-byte text items; their
   contents are not decoded.
   NOTE(review): the statements that step offset past each of them are not
   visible in this listing - confirm in the full file. */
480 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
483 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
486 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
489 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
492 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
495 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
498 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
501 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
502 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
504 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
505 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
507 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
508 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
510 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
511 hf_netlogon_reserved, NULL);
517 * IDL long NetrLogonUasLogon(
518 * IDL [in][unique][string] wchar_t *ServerName,
519 * IDL [in][ref][string] wchar_t *UserName,
520 * IDL [in][ref][string] wchar_t *Workstation,
521 * IDL [out][unique] VALIDATION_UAS_INFO *info
/*
 * Request side of NetrLogonUasLogon: server handle, then the account name
 * and the workstation name, both as reference pointers to strings.
 * NOTE(review): the remaining arguments of the LOGONSRV_HANDLE call and the
 * return statement are not visible in this listing.
 */
525 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
526 packet_info *pinfo, proto_tree *tree, guint8 *drep)
528 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
531 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
532 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
534 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
535 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/*
 * Reply side of NetrLogonUasLogon: a unique pointer to VALIDATION_UAS_INFO
 * followed by the NT status return code (hf_netlogon_rc).
 * NOTE(review): the return statement is not visible in this listing.
 */
542 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
543 packet_info *pinfo, proto_tree *tree, guint8 *drep)
545 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
546 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
547 "VALIDATION_UAS_INFO", -1);
549 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
550 hf_netlogon_rc, NULL);
556 * IDL typedef struct {
558 * IDL short logon_count;
559 * IDL } LOGOFF_UAS_INFO;
/*
 * Dissect a LOGOFF_UAS_INFO structure: a four-byte duration that is only
 * labelled ("unknown time format"), then a 16-bit logon count.  Nothing is
 * dissected during a conformant run.
 * NOTE(review): the declaration of di, the drep parameter, the step past
 * the duration field and the return statements are not visible in this
 * listing.
 */
562 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
563 packet_info *pinfo, proto_tree *tree,
568 di=pinfo->private_data;
569 if(di->conformant_run){
570 /*just a run to handle conformant arrays, nothing to dissect */
574 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
577 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
578 hf_netlogon_logon_count16, NULL);
584 * IDL long NetrLogonUasLogoff(
585 * IDL [in][unique][string] wchar_t *ServerName,
586 * IDL [in][ref][string] wchar_t *UserName,
587 * IDL [in][ref][string] wchar_t *Workstation,
588 * IDL [out][ref] LOGOFF_UAS_INFO *info
/*
 * Request side of NetrLogonUasLogoff: server handle, then the account name
 * and the workstation name, both as reference pointers to strings.
 * NOTE(review): the remaining arguments of the LOGONSRV_HANDLE call and the
 * return statement are not visible in this listing.
 */
592 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
593 packet_info *pinfo, proto_tree *tree, guint8 *drep)
595 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
598 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
599 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
601 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
602 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/*
 * Reply side of NetrLogonUasLogoff: a reference pointer to LOGOFF_UAS_INFO
 * followed by the NT status return code (hf_netlogon_rc).
 * NOTE(review): the return statement is not visible in this listing.
 */
609 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
610 packet_info *pinfo, proto_tree *tree, guint8 *drep)
612 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
613 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
614 "LOGOFF_UAS_INFO", -1);
616 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
617 hf_netlogon_rc, NULL);
626 * IDL typedef struct {
627 * IDL UNICODESTRING LogonDomainName;
628 * IDL long ParameterControl;
629 * IDL uint64 LogonID;
630 * IDL UNICODESTRING UserName;
631 * IDL UNICODESTRING Workstation;
632 * IDL } LOGON_IDENTITY_INFO;
/*
 * Dissect a LOGON_IDENTITY_INFO structure under its own subtree
 * (ett_IDENTITY_INFO): logon domain, parameter control, 64-bit logon id,
 * account name and workstation, in that order.  The subtree item is created
 * with length 0 and sized at the end from the distance covered
 * (offset - old_offset).
 * NOTE(review): the drep parameter, the guard around subtree creation, the
 * item's label text and the return statement are not visible in this
 * listing.
 */
635 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
636 packet_info *pinfo, proto_tree *parent_tree,
639 proto_item *item=NULL;
640 proto_tree *tree=NULL;
641 int old_offset=offset;
644 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
646 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
649 /* XXX: It would be nice to get the domain and account name
650 displayed in COL_INFO. */
652 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
653 hf_netlogon_logon_dom, 0);
655 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
656 hf_netlogon_param_ctrl, NULL);
658 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
659 hf_netlogon_logon_id, NULL);
661 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
662 hf_netlogon_acct_name, 0);
664 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
665 hf_netlogon_workstation, 0);
/* NOTE(review): the comments below describe the 8-unknown-bytes call as
   disabled, but the lines that would disable it are not visible in this
   listing.  Confirm in the full file; if the call is live it shifts every
   field dissected after this structure by 8 bytes. */
668 /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
669 /* XXX 8 extra bytes here */
670 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
671 the idl file. Could be a bug in either the NETLOGON implementation or in the
674 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
677 proto_item_set_len(item, offset-old_offset);
683 * IDL typedef struct {
684 * IDL char password[16];
685 * IDL } LM_OWF_PASSWORD;
/*
 * Dissect an LM_OWF_PASSWORD structure: a fixed 16-byte field shown under an
 * ett_LM_OWF_PASSWORD subtree via hf_netlogon_lm_owf_password.  Nothing is
 * dissected during a conformant run.
 *
 * The 16 bytes are password-derived material (password[16] in the IDL), so
 * capture files and exported dissections that contain this field should be
 * stored and shared as credential data.
 * NOTE(review): whether the bytes are further protected on the wire cannot
 * be told from this code.  The declaration of di, the drep parameter, the
 * label text, the offset advance and the return statements are not visible
 * in this listing.
 */
688 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
689 packet_info *pinfo, proto_tree *parent_tree,
692 proto_item *item=NULL;
693 proto_tree *tree=NULL;
696 di=pinfo->private_data;
697 if(di->conformant_run){
698 /*just a run to handle conformant arrays, nothing to dissect.*/
703 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
705 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
708 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
716 * IDL typedef struct {
717 * IDL char password[16];
718 * IDL } NT_OWF_PASSWORD;
/*
 * Dissect an NT_OWF_PASSWORD structure: a fixed 16-byte field shown under an
 * ett_NT_OWF_PASSWORD subtree via hf_netlogon_nt_owf_password.  Nothing is
 * dissected during a conformant run.
 *
 * The 16 bytes are password-derived material (password[16] in the IDL), so
 * capture files and exported dissections that contain this field should be
 * stored and shared as credential data.
 * NOTE(review): whether the bytes are further protected on the wire cannot
 * be told from this code.  The declaration of di, the drep parameter, the
 * label text, the offset advance and the return statements are not visible
 * in this listing.
 */
721 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
722 packet_info *pinfo, proto_tree *parent_tree,
725 proto_item *item=NULL;
726 proto_tree *tree=NULL;
729 di=pinfo->private_data;
730 if(di->conformant_run){
731 /*just a run to handle conformant arrays, nothing to dissect.*/
736 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
738 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
741 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
750 * IDL typedef struct {
751 * IDL LOGON_IDENTITY_INFO identity_info;
752 * IDL LM_OWF_PASSWORD lmpassword;
753 * IDL NT_OWF_PASSWORD ntpassword;
754 * IDL } INTERACTIVE_INFO;
/*
 * Dissect an INTERACTIVE_INFO structure by chaining three sub-dissectors in
 * IDL order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD.  Each
 * call's result becomes the next call's starting offset.
 * NOTE(review): the remaining call arguments and the return statement are
 * not visible in this listing.
 */
757 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
758 packet_info *pinfo, proto_tree *tree,
761 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
764 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
767 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
774 * IDL typedef struct {
/*
 * Dissect a CHALLENGE: an 8-byte field added as hf_netlogon_challenge.
 * Nothing is dissected during a conformant run.
 * NOTE(review): the declaration of di, the drep parameter, the offset
 * advance and the return statements are not visible in this listing.
 */
779 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
780 packet_info *pinfo, proto_tree *tree,
785 di=pinfo->private_data;
786 if(di->conformant_run){
787 /*just a run to handle conformant arrays, nothing to dissect.*/
791 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
799 * IDL typedef struct {
800 * IDL LOGON_IDENTITY_INFO logon_info;
801 * IDL CHALLENGE chal;
802 * IDL STRING ntchallengeresponse;
803 * IDL STRING lmchallengeresponse;
804 * IDL } NETWORK_INFO;
/*
 * Callback given to dissect_ndr_counted_byte_array_cb() for the NT
 * challenge response in NETWORK_INFO.  It rounds start_offset up to a
 * 4-byte boundary, takes len as the distance to end_offset and hands that
 * range to the NTLMv2 response dissector.
 *
 * start_offset / end_offset - bounds of the byte array within tvb
 * pinfo, item, callback_args - unused (marked _U_)
 *
 * NOTE(review): the comment below speaks of skipping three guint32s, yet
 * only the alignment step is visible in this listing; the statement that
 * skips them, the declaration of len and any guard in front of the final
 * call are not shown.  Both offsets presumably come from packet contents,
 * so confirm in the full file that len is checked to be positive and large
 * enough for an NTLMv2 response before dissect_ntlmv2_response() runs.
 */
807 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
808 proto_item *item _U_, tvbuff_t *tvb,
809 int start_offset, int end_offset,
810 void *callback_args _U_)
814 /* Skip over 3 guint32's in NDR format */
/* Round start_offset up to the next multiple of four. */
816 if (start_offset % 4)
817 start_offset += 4 - (start_offset % 4);
820 len = end_offset - start_offset;
822 /* Call ntlmv2 response dissector */
825 dissect_ntlmv2_response(tvb, tree, start_offset, len);
/*
 * Dissect a NETWORK_INFO structure in IDL order: LOGON_IDENTITY_INFO, the
 * CHALLENGE, the NT challenge response (a counted byte array whose contents
 * are passed to dissect_nt_chal_resp_cb) and the LM challenge response (a
 * counted byte array shown as-is).
 *
 * A challenge together with its responses is material that offline
 * password guessing works from, so captures containing this structure
 * should be handled as sensitive.
 * NOTE(review): the remaining call arguments and the return statement are
 * not visible in this listing.
 */
829 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
830 packet_info *pinfo, proto_tree *tree,
833 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
836 offset = netlogon_dissect_CHALLENGE(tvb, offset,
839 offset = dissect_ndr_counted_byte_array_cb(
840 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
841 dissect_nt_chal_resp_cb, NULL);
843 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
844 hf_netlogon_lm_chal_resp);
850 * IDL typedef struct {
851 * IDL LOGON_IDENTITY_INFO logon_info;
852 * IDL LM_OWF_PASSWORD lmpassword;
853 * IDL NT_OWF_PASSWORD ntpassword;
854 * IDL } SERVICE_INFO;
/*
 * Dissect a SERVICE_INFO structure by chaining three sub-dissectors in IDL
 * order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD.  The call
 * sequence is the same as in netlogon_dissect_INTERACTIVE_INFO.
 * NOTE(review): the remaining call arguments and the return statement are
 * not visible in this listing.
 */
857 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
858 packet_info *pinfo, proto_tree *tree,
861 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
864 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
867 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
874 * IDL typedef [switch_type(short)] union {
875 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
876 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
877 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
/*
 * Dissect the LEVEL union: read the 16-bit discriminant into level, then
 * dissect a unique pointer to INTERACTIVE_INFO, NETWORK_INFO or
 * SERVICE_INFO.  The IDL above assigns these to cases 1, 2 and 3.
 * NOTE(review): the switch on level, its case labels, the declaration of
 * level and the return statement are not visible in this listing; confirm
 * in the full file what happens for a level outside 1-3.
 */
881 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
882 packet_info *pinfo, proto_tree *tree,
887 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
888 hf_netlogon_level16, &level);
893 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
894 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
895 "INTERACTIVE_INFO:", -1);
898 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
899 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
900 "NETWORK_INFO:", -1);
903 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
904 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
905 "SERVICE_INFO:", -1);
913 * IDL typedef struct {
/*
 * Dissect a CREDENTIAL: an 8-byte field added as hf_netlogon_credential.
 * Nothing is dissected during a conformant run.
 * NOTE(review): the declaration of di, the drep parameter, the offset
 * advance and the return statements are not visible in this listing.
 */
918 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
919 packet_info *pinfo, proto_tree *tree,
924 di=pinfo->private_data;
925 if(di->conformant_run){
926 /*just a run to handle conformant arrays, nothing to dissect.*/
930 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
939 * IDL typedef struct {
940 * IDL CREDENTIAL cred;
941 * IDL long timestamp;
942 * IDL } AUTHENTICATOR;
/*
 * Dissect an AUTHENTICATOR: the CREDENTIAL followed by a four-byte
 * timestamp shown as a time value (hf_netlogon_timestamp).  Nothing is
 * dissected during a conformant run.
 *
 * NOTE(review): the seconds value is fetched with tvb_get_letohl(), that
 * is, always as little-endian, whereas the integer fields elsewhere in this
 * file go through the dissect_ndr_* helpers, which are passed drep.
 * Confirm whether a stream with big-endian data representation would show
 * a wrong timestamp here.  The declarations of di and ts, the offset
 * advance and the return statements are not visible in this listing.
 */
945 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
946 packet_info *pinfo, proto_tree *tree,
952 di=pinfo->private_data;
953 if(di->conformant_run){
954 /*just a run to handle conformant arrays, nothing to dissect */
958 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
962 * XXX - this appears to be a UNIX time_t in some credentials, but
963 * appears to be random junk in other credentials.
964 * For example, it looks like a UNIX time_t in "credential"
965 * AUTHENTICATORs, but like random junk in "return_authenticator"
969 ts.secs = tvb_get_letohl(tvb, offset);
971 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
/*
 * Display strings for the three group-membership attribute bits.  In each
 * table the first string is shown when the bit is set and the second when
 * it is clear.
 * NOTE(review): the bit mask belonging to each table is not visible in this
 * listing.
 */
978 static const true_false_string group_attrs_mandatory = {
979 "The MANDATORY bit is SET",
980 "The mandatory bit is NOT set",
982 static const true_false_string group_attrs_enabled_by_default = {
983 "The ENABLED_BY_DEFAULT bit is SET",
984 "The enabled_by_default bit is NOT set",
986 static const true_false_string group_attrs_enabled = {
987 "The enabled bit is SET",
988 "The enabled bit is NOT set",
/*
 * Dissect the 32-bit group-membership attribute mask and expand it into
 * three boolean rows (enabled, enabled by default, mandatory) under an
 * ett_group_attrs subtree.  Nothing is dissected during a conformant run.
 * NOTE(review): the declarations of mask and di, the guard around the tree
 * construction and the return statements are not visible in this listing.
 */
991 netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
992 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
995 proto_item *item = NULL;
996 proto_tree *tree = NULL;
999 di=pinfo->private_data;
1000 if(di->conformant_run){
1001 /*just a run to handle conformant arrays, nothing to dissect */
/* Read the value with a NULL tree so only mask is captured; the item is
   added by hand just below. */
1005 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1006 hf_netlogon_attrs, &mask);
/* offset-4 assumes the call above returned the position just past the
   4-byte value - TODO confirm. */
1009 item = proto_tree_add_uint(parent_tree, hf_netlogon_attrs,
1010 tvb, offset-4, 4, mask);
1011 tree = proto_item_add_subtree(item, ett_group_attrs);
1014 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled,
1015 tvb, offset-4, 4, mask);
1016 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled_by_default,
1017 tvb, offset-4, 4, mask);
1018 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_mandatory,
1019 tvb, offset-4, 4, mask);
1025 * IDL typedef struct {
1027 * IDL long attributes;
1028 * IDL } GROUP_MEMBERSHIP;
/*
 * Dissect one GROUP_MEMBERSHIP entry under its own "GROUP_MEMBERSHIP:"
 * subtree: a 32-bit value shown as hf_netlogon_group_rid, followed by
 * the attribute mask via netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES.
 * The text item is created with length 0.
 * NOTE(review): whether its length is fixed up after the fields are
 * read is not visible in this listing.
 */
1031 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1032 packet_info *pinfo, proto_tree *parent_tree,
1035 proto_item *item=NULL;
1036 proto_tree *tree=NULL;
1039 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1040 "GROUP_MEMBERSHIP:");
1041 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
1044 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1045 hf_netlogon_group_rid, NULL);
1047 offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
/*
 * Dissect an array of GROUP_MEMBERSHIP entries by handing
 * netlogon_dissect_GROUP_MEMBERSHIP to dissect_ndr_ucarray as the
 * per-element callback.
 * NOTE(review): the element count is handled inside dissect_ndr_ucarray
 * and is presumably taken from the packet; nothing in this function
 * bounds it.
 */
1054 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1055 packet_info *pinfo, proto_tree *tree,
1058 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1059 netlogon_dissect_GROUP_MEMBERSHIP);
1065 * IDL typedef struct {
1066 * IDL char user_session_key[16];
1067 * IDL } USER_SESSION_KEY;
/*
 * Dissect a USER_SESSION_KEY (IDL: char user_session_key[16]): the
 * 16 bytes at offset are added to the tree as
 * hf_netlogon_user_session_key, with no decoding.
 * The key bytes appear verbatim in the dissection, so a capture or an
 * exported dissection that contains this field should be handled as
 * sensitive material.
 * NOTE(review): the offset advance and return are on omitted lines.
 */
1070 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1071 packet_info *pinfo, proto_tree *tree,
1076 di=pinfo->private_data;
1077 if(di->conformant_run){
1078 /*just a run to handle conformant arrays, nothing to dissect.*/
1082 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
/*
 * Display strings for the two user-flag bits decoded by
 * netlogon_dissect_USER_FLAGS: first string for a set bit, second for a
 * clear bit.
 * NOTE(review): the "NOT set" strings here lack the word "bit" that the
 * group_attrs_* strings use.
 */
1091 static const true_false_string user_flags_extra_sids= {
1092 "The EXTRA_SIDS bit is SET",
1093 "The extra_sids is NOT set",
1095 static const true_false_string user_flags_resource_groups= {
1096 "The RESOURCE_GROUPS bit is SET",
1097 "The resource_groups is NOT set",
/*
 * Dissect the 32-bit user flags word and show its flag bits.
 * Same shape as netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES: the value
 * is first fetched into mask with a NULL tree, then added by hand at
 * offset-4 so the resource_groups and extra_sids booleans can be placed
 * in a subtree under it.
 * NOTE(review): the declarations of di and mask and any guard on
 * parent_tree are on lines this listing omits.
 */
1100 netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1101 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
1104 proto_item *item = NULL;
1105 proto_tree *tree = NULL;
1108 di=pinfo->private_data;
1109 if(di->conformant_run){
1110 /*just a run to handle conformant arrays, nothing to dissect */
1114 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1115 hf_netlogon_user_flags, &mask);
1118 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_flags,
1119 tvb, offset-4, 4, mask);
1120 tree = proto_item_add_subtree(item, ett_user_flags);
1123 proto_tree_add_boolean(tree, hf_netlogon_user_flags_resource_groups,
1124 tvb, offset-4, 4, mask);
1125 proto_tree_add_boolean(tree, hf_netlogon_user_flags_extra_sids,
1126 tvb, offset-4, 4, mask);
1132 * IDL typedef struct {
1133 * IDL uint64 LogonTime;
1134 * IDL uint64 LogoffTime;
1135 * IDL uint64 KickOffTime;
1136 * IDL uint64 PasswdLastSet;
1137 * IDL uint64 PasswdCanChange;
1138 * IDL uint64 PasswdMustChange;
1139 * IDL unicodestring effectivename;
1140 * IDL unicodestring fullname;
1141 * IDL unicodestring logonscript;
1142 * IDL unicodestring profilepath;
1143 * IDL unicodestring homedirectory;
1144 * IDL unicodestring homedirectorydrive;
1145 * IDL short LogonCount;
1146 * IDL short BadPasswdCount;
1148 * IDL long primarygroup;
1149 * IDL long groupcount;
1150 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1151 * IDL long userflags;
1152 * IDL USER_SESSION_KEY key;
1153 * IDL unicodestring logonserver;
1154 * IDL unicodestring domainname;
1155 * IDL [unique] SID logondomainid;
1156 * IDL long expansionroom[2];
1157 * IDL long useraccountcontrol;
1158 * IDL long expansionroom[7];
1159 * IDL } VALIDATION_SAM_INFO;
/*
 * Dissect a VALIDATION_SAM_INFO, field by field in IDL order: six
 * NTTIME values, six counted strings (account name through home
 * directory drive), the 16-bit logon and bad-password counts, user RID,
 * primary group RID and group count, a unique pointer to the
 * GROUP_MEMBERSHIP array, the user flags, the user session key, the
 * logon server and logon domain strings, the logon domain SID, and the
 * expansion-room longs on either side of the account-control word.
 * The expansion-room values are shown as hf_netlogon_unknown_long.
 * NOTE(review): the IDL gives expansionroom[2] and expansionroom[7], so
 * those two calls presumably sit inside loops on lines this listing
 * omits -- confirm against the full file.
 */
1162 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1163 packet_info *pinfo, proto_tree *tree,
1168 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1169 hf_netlogon_logon_time);
1171 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1172 hf_netlogon_logoff_time);
1174 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1175 hf_netlogon_kickoff_time);
1177 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1178 hf_netlogon_pwd_last_set_time);
1180 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1181 hf_netlogon_pwd_can_change_time);
1183 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1184 hf_netlogon_pwd_must_change_time);
1186 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1187 hf_netlogon_acct_name, 0);
1189 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1190 hf_netlogon_full_name, 0);
1192 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1193 hf_netlogon_logon_script, 0);
1195 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1196 hf_netlogon_profile_path, 0);
1198 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1199 hf_netlogon_home_dir, 0);
1201 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1202 hf_netlogon_dir_drive, 0);
1204 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1205 hf_netlogon_logon_count16, NULL);
1207 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1208 hf_netlogon_bad_pw_count16, NULL);
1210 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1211 hf_netlogon_user_rid, NULL);
1213 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1214 hf_netlogon_group_rid, NULL);
1216 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1217 hf_netlogon_num_rids, NULL);
1219 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1220 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1221 "GROUP_MEMBERSHIP_ARRAY", -1);
1223 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1226 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1229 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1230 hf_netlogon_logon_srv, 0);
1232 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1233 hf_netlogon_logon_dom, 0);
1235 offset = dissect_ndr_nt_PSID(tvb, offset,
1236 pinfo, tree, drep, -1);
1239 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1240 hf_netlogon_unknown_long, NULL);
1242 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1246 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1247 hf_netlogon_unknown_long, NULL);
1256 * IDL typedef struct {
1257 * IDL uint64 LogonTime;
1258 * IDL uint64 LogoffTime;
1259 * IDL uint64 KickOffTime;
1260 * IDL uint64 PasswdLastSet;
1261 * IDL uint64 PasswdCanChange;
1262 * IDL uint64 PasswdMustChange;
1263 * IDL unicodestring effectivename;
1264 * IDL unicodestring fullname;
1265 * IDL unicodestring logonscript;
1266 * IDL unicodestring profilepath;
1267 * IDL unicodestring homedirectory;
1268 * IDL unicodestring homedirectorydrive;
1269 * IDL short LogonCount;
1270 * IDL short BadPasswdCount;
1272 * IDL long primarygroup;
1273 * IDL long groupcount;
1274 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1275 * IDL long userflags;
1276 * IDL USER_SESSION_KEY key;
1277 * IDL unicodestring logonserver;
1278 * IDL unicodestring domainname;
1279 * IDL [unique] SID logondomainid;
1280 * IDL long expansionroom[2];
1281 * IDL long useraccountcontrol;
1282 * IDL long expansionroom[7];
1283 * IDL long sidcount;
1284 * IDL [unique] SID_AND_ATTRIBS;
1285 * IDL } VALIDATION_SAM_INFO2;
/*
 * Dissect a VALIDATION_SAM_INFO2.  The field sequence matches
 * netlogon_dissect_VALIDATION_SAM_INFO up to the second expansion-room
 * block; it then adds a 32-bit count shown as
 * hf_netlogon_num_other_groups and a unique pointer dissected by
 * dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY (IDL: sidcount and
 * SID_AND_ATTRIBS).
 * NOTE(review): as in the SAM_INFO dissector, the two
 * hf_netlogon_unknown_long calls presumably sit in loops on omitted
 * lines; the common prefix is duplicated here rather than shared.
 */
1288 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1289 packet_info *pinfo, proto_tree *tree,
1294 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1295 hf_netlogon_logon_time);
1297 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1298 hf_netlogon_logoff_time);
1300 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1301 hf_netlogon_kickoff_time);
1303 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1304 hf_netlogon_pwd_last_set_time);
1306 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1307 hf_netlogon_pwd_can_change_time);
1309 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1310 hf_netlogon_pwd_must_change_time);
1312 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1313 hf_netlogon_acct_name, 0);
1315 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1316 hf_netlogon_full_name, 0);
1318 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1319 hf_netlogon_logon_script, 0);
1321 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1322 hf_netlogon_profile_path, 0);
1324 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1325 hf_netlogon_home_dir, 0);
1327 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1328 hf_netlogon_dir_drive, 0);
1330 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1331 hf_netlogon_logon_count16, NULL);
1333 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1334 hf_netlogon_bad_pw_count16, NULL);
1336 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1337 hf_netlogon_user_rid, NULL);
1339 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1340 hf_netlogon_group_rid, NULL);
1342 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1343 hf_netlogon_num_rids, NULL);
1345 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1346 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1347 "GROUP_MEMBERSHIP_ARRAY", -1);
1349 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1352 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1355 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1356 hf_netlogon_logon_srv, 0);
1358 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1359 hf_netlogon_logon_dom, 0);
1361 offset = dissect_ndr_nt_PSID(tvb, offset,
1362 pinfo, tree, drep, -1);
1365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1366 hf_netlogon_unknown_long, NULL);
1368 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1372 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1373 hf_netlogon_unknown_long, NULL);
1376 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1377 hf_netlogon_num_other_groups, NULL);
1379 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1380 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1381 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1391 * IDL typedef struct {
1392 * IDL uint64 LogonTime;
1393 * IDL uint64 LogoffTime;
1394 * IDL uint64 KickOffTime;
1395 * IDL uint64 PasswdLastSet;
1396 * IDL uint64 PasswdCanChange;
1397 * IDL uint64 PasswdMustChange;
1398 * IDL unicodestring effectivename;
1399 * IDL unicodestring fullname;
1400 * IDL unicodestring logonscript;
1401 * IDL unicodestring profilepath;
1402 * IDL unicodestring homedirectory;
1403 * IDL unicodestring homedirectorydrive;
1404 * IDL short LogonCount;
1405 * IDL short BadPasswdCount;
1407 * IDL long primarygroup;
1408 * IDL long groupcount;
1409 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1410 * IDL long userflags;
1411 * IDL USER_SESSION_KEY key;
1412 * IDL unicodestring logonserver;
1413 * IDL unicodestring domainname;
1414 * IDL [unique] SID logondomainid;
1415 * IDL long expansionroom[2];
1416 * IDL long useraccountcontrol;
1417 * IDL long expansionroom[7];
1418 * IDL long sidcount;
1419 * IDL [unique] SID_AND_ATTRIBS;
1420 * IDL [unique] SID resourcegroupdomainsid;
1421 * IDL long resourcegroupcount;
1423 * IDL } PAC_LOGON_INFO;
/*
 * Dissect a PAC_LOGON_INFO.  The field sequence matches
 * netlogon_dissect_VALIDATION_SAM_INFO2 through the
 * SID_AND_ATTRIBUTES array, then adds the resource group domain SID
 * (hf_netlogon_resourcegroupdomainsid), the resource group count
 * (hf_netlogon_resourcegroupcount, also stored in rgc) and a unique
 * pointer to a further GROUP_MEMBERSHIP array labelled
 * "ResourceGroupIDs".
 * NOTE(review): no use of rgc after it is read is visible in the lines
 * shown, and the two hf_netlogon_unknown_long calls presumably sit in
 * loops on omitted lines -- confirm against the full file.
 */
1426 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1427 packet_info *pinfo, proto_tree *tree,
1433 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1434 hf_netlogon_logon_time);
1436 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1437 hf_netlogon_logoff_time);
1439 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1440 hf_netlogon_kickoff_time);
1442 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1443 hf_netlogon_pwd_last_set_time);
1445 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1446 hf_netlogon_pwd_can_change_time);
1448 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1449 hf_netlogon_pwd_must_change_time);
1451 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1452 hf_netlogon_acct_name, 0);
1454 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1455 hf_netlogon_full_name, 0);
1457 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1458 hf_netlogon_logon_script, 0);
1460 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1461 hf_netlogon_profile_path, 0);
1463 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1464 hf_netlogon_home_dir, 0);
1466 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1467 hf_netlogon_dir_drive, 0);
1469 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1470 hf_netlogon_logon_count16, NULL);
1472 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1473 hf_netlogon_bad_pw_count16, NULL);
1475 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1476 hf_netlogon_user_rid, NULL);
1478 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1479 hf_netlogon_group_rid, NULL);
1481 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1482 hf_netlogon_num_rids, NULL);
1484 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1485 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1486 "GROUP_MEMBERSHIP_ARRAY", -1);
1488 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1491 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1494 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1495 hf_netlogon_logon_srv, 0);
1497 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1498 hf_netlogon_logon_dom, 0);
1500 offset = dissect_ndr_nt_PSID(tvb, offset,
1501 pinfo, tree, drep, -1);
1504 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1505 hf_netlogon_unknown_long, NULL);
1507 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1511 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1512 hf_netlogon_unknown_long, NULL);
1515 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1516 hf_netlogon_num_other_groups, NULL);
1518 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1519 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1520 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1522 offset = dissect_ndr_nt_PSID(tvb, offset,
1523 pinfo, tree, drep, hf_netlogon_resourcegroupdomainsid);
1525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1526 hf_netlogon_resourcegroupcount, &rgc);
1528 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1529 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1530 "ResourceGroupIDs", -1);
/*
 * Dissect the PAC blob: a 32-bit size is read from the packet into
 * pac_size and the following pac_size bytes are added to the tree as
 * hf_netlogon_pac_data.
 * pac_size comes straight from the wire and is used as the item length
 * with no check in the lines shown.
 * NOTE(review): confirm that the length is validated against the bytes
 * remaining in tvb before offset is advanced by it (the advance itself
 * is on a line this listing omits); a bogus size in a crafted or
 * truncated packet should end dissection with a bounds error rather
 * than leave offset pointing outside the buffer.
 */
1538 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1539 packet_info *pinfo, proto_tree *tree,
1545 di=pinfo->private_data;
1546 if(di->conformant_run){
1547 /*just a run to handle conformant arrays, nothing to dissect */
1551 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1552 hf_netlogon_pac_size, &pac_size);
1554 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
/*
 * Dissect the AUTH blob: a 32-bit size is read from the packet into
 * auth_size, the following auth_size bytes are added to the tree as
 * hf_netlogon_auth_data, and offset is advanced by auth_size.
 * auth_size comes straight from the wire; offset is an int, so
 * "offset += auth_size" with a very large value can move offset past
 * the buffer or wrap it.
 * NOTE(review): confirm that the length is validated against the bytes
 * remaining in tvb before the addition, including when tree is NULL
 * and proto_tree_add_item may not perform any bounds check of its own.
 */
1562 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1563 packet_info *pinfo, proto_tree *tree,
1569 di=pinfo->private_data;
1570 if(di->conformant_run){
1571 /*just a run to handle conformant arrays, nothing to dissect */
1575 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1576 hf_netlogon_auth_size, &auth_size);
1578 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1580 offset += auth_size;
1587 * IDL typedef struct {
1589 * IDL [unique][size_is(pac_size)] char *pac;
1590 * IDL UNICODESTRING logondomain;
1591 * IDL UNICODESTRING logonserver;
1592 * IDL UNICODESTRING principalname;
1593 * IDL long auth_size;
1594 * IDL [unique][size_is(auth_size)] char *auth;
1595 * IDL USER_SESSION_KEY user_session_key;
1596 * IDL long expansionroom[2];
1597 * IDL long useraccountcontrol;
1598 * IDL long expansionroom[7];
1599 * IDL UNICODESTRING dummy1;
1600 * IDL UNICODESTRING dummy2;
1601 * IDL UNICODESTRING dummy3;
1602 * IDL UNICODESTRING dummy4;
1603 * IDL } VALIDATION_PAC_INFO;
/*
 * Dissect a VALIDATION_PAC_INFO in IDL order: the PAC size and a unique
 * pointer to the PAC bytes, the logon domain, logon server and
 * principal name strings, the AUTH size and a unique pointer to the
 * AUTH bytes, the user session key, the expansion-room longs around
 * the account-control word, and four dummy strings.
 * The two size fields read here are only displayed (NULL is passed for
 * the value); netlogon_dissect_PAC and netlogon_dissect_AUTH each read
 * a further 32-bit size at the pointed-to data and use that one as the
 * byte count.
 * NOTE(review): the hf_netlogon_unknown_long calls presumably sit in
 * loops on lines this listing omits.
 */
1606 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1607 packet_info *pinfo, proto_tree *tree,
1612 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1613 hf_netlogon_pac_size, NULL);
1615 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1616 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1618 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1619 hf_netlogon_logon_dom, 0);
1621 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1622 hf_netlogon_logon_srv, 0);
1624 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1625 hf_netlogon_principal, 0);
1627 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1628 hf_netlogon_auth_size, NULL);
1630 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1631 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1633 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1637 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1638 hf_netlogon_unknown_long, NULL);
1640 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1644 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1645 hf_netlogon_unknown_long, NULL);
1648 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1649 hf_netlogon_dummy, 0);
1651 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1652 hf_netlogon_dummy, 0);
1654 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1655 hf_netlogon_dummy, 0);
1657 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1658 hf_netlogon_dummy, 0);
1665 * IDL typedef [switch_type(short)] union {
1666 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1667 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1668 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1669 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
/*
 * Dissect the VALIDATION union: a 16-bit validation level is read into
 * level, then one unique pointer is dissected according to it.  The
 * IDL lists cases 2 (VALIDATION_SAM_INFO), 3 (VALIDATION_SAM_INFO2) and
 * 4 and 5 (both VALIDATION_PAC_INFO), which matches the four pointer
 * calls below.
 * NOTE(review): the switch and case labels are on lines this listing
 * omits, as is whatever happens for a level outside 2..5 -- confirm
 * that an unknown level from the wire is handled explicitly.
 */
1673 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1674 packet_info *pinfo, proto_tree *tree,
1679 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1680 hf_netlogon_validation_level, &level);
1685 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1686 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1687 "VALIDATION_SAM_INFO:", -1);
1690 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1691 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1692 "VALIDATION_SAM_INFO2:", -1);
1695 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1696 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1697 "VALIDATION_PAC_INFO:", -1);
1700 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1701 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1702 "VALIDATION_PAC_INFO:", -1);
1711 * IDL long NetrLogonSamLogon(
1712 * IDL [in][unique][string] wchar_t *ServerName,
1713 * IDL [in][unique][string] wchar_t *Workstation,
1714 * IDL [in][unique] AUTHENTICATOR *credential,
1715 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1716 * IDL [in] short LogonLevel,
1717 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1718 * IDL [in] short ValidationLevel,
1719 * IDL [out][ref] VALIDATION *validation,
1720 * IDL [out][ref] boolean Authorative
/*
 * Dissect a NetrLogonSamLogon request: the server handle via
 * netlogon_dissect_LOGONSRV_HANDLE, the computer name (unique string
 * pointer), the credential and return_authenticator AUTHENTICATORs
 * (both unique pointers), the 16-bit logon level, the LEVEL union by
 * reference pointer, and the 16-bit validation level.
 * NOTE(review): the trailing arguments of the LOGONSRV_HANDLE call and
 * the return are on lines this listing omits.
 */
1724 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1725 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1727 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1730 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1731 NDR_POINTER_UNIQUE, "Computer Name",
1732 hf_netlogon_computer_name, 0);
1734 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1735 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1736 "AUTHENTICATOR: credential", -1);
1738 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1739 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1740 "AUTHENTICATOR: return_authenticator", -1);
1742 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1743 hf_netlogon_level16, NULL);
1745 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1746 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1747 "LEVEL: LogonLevel", -1);
1749 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1750 hf_netlogon_validation_level, NULL);
/*
 * Dissect a NetrLogonSamLogon reply: the return_authenticator (unique
 * pointer), the VALIDATION union by reference pointer, the 8-bit
 * authoritative flag, and the NT status shown as hf_netlogon_rc.
 * NOTE(review): the label argument of the VALIDATION pointer call is
 * on a line this listing omits.
 */
1756 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1757 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1759 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1760 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1761 "AUTHENTICATOR: return_authenticator", -1);
1763 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1764 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1767 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1768 hf_netlogon_authoritative, NULL);
1770 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1771 hf_netlogon_rc, NULL);
1778 * IDL long NetrLogonSamLogoff(
1779 * IDL [in][unique][string] wchar_t *ServerName,
1780 * IDL [in][unique][string] wchar_t *ComputerName,
1781 * IDL [in][unique] AUTHENTICATOR credential,
1782 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1783 * IDL [in] short logon_level,
1784 * IDL [in][ref] LEVEL logoninformation
/*
 * Dissect a NetrLogonSamLogoff request: the server handle via
 * netlogon_dissect_LOGONSRV_HANDLE, the computer name (unique string
 * pointer), the credential and return_authenticator AUTHENTICATORs
 * (both unique pointers), the 16-bit logon level, and the LEVEL union
 * by reference pointer.
 * NOTE(review): the trailing arguments of the LOGONSRV_HANDLE call and
 * the return are on lines this listing omits.
 */
1788 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1789 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1791 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1794 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1795 NDR_POINTER_UNIQUE, "Computer Name",
1796 hf_netlogon_computer_name, 0);
1798 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1799 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1800 "AUTHENTICATOR: credential", -1);
1802 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1803 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1804 "AUTHENTICATOR: return_authenticator", -1);
1806 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1807 hf_netlogon_level16, NULL);
1809 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1810 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1811 "LEVEL: logoninformation", -1);
/*
 * Dissect a NetrLogonSamLogoff reply: the return_authenticator (unique
 * pointer) followed by the NT status shown as hf_netlogon_rc.
 */
1816 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1817 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1820 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1821 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1822 "AUTHENTICATOR: return_authenticator", -1);
1824 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1825 hf_netlogon_rc, NULL);
1832 * IDL long NetrServerReqChallenge(
1833 * IDL [in][unique][string] wchar_t *ServerName,
1834 * IDL [in][ref][string] wchar_t *ComputerName,
1835 * IDL [in][ref] CREDENTIAL client_credential,
1836 * IDL [out][ref] CREDENTIAL server_credential
/*
 * Dissect a NetrServerReqChallenge request: the server handle via
 * netlogon_dissect_LOGONSRV_HANDLE, the computer name (reference
 * pointer to a wide-character string) and the client challenge, an
 * 8-byte CREDENTIAL by reference pointer.
 * The computer name goes through dissect_ndr_pointer_cb with
 * cb_wstr_postprocess as the callback.
 * NOTE(review): the CB_STR_COL_INFO | 1 argument presumably asks the
 * callback to copy the name into the Info column -- confirm against
 * packet-dcerpc-nt.h.
 */
1840 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1841 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1843 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1846 offset = dissect_ndr_pointer_cb(
1847 tvb, offset, pinfo, tree, drep,
1848 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1849 "Computer Name", hf_netlogon_computer_name,
1850 cb_wstr_postprocess,
1851 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1853 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1854 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1855 "CREDENTIAL: client challenge", -1);
/*
 * Dissect a NetrServerReqChallenge reply: the server credential (an
 * 8-byte CREDENTIAL by reference pointer) followed by the NT status
 * shown as hf_netlogon_rc.
 */
1860 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1861 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1863 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1864 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1865 "CREDENTIAL: server credential", -1);
1867 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1868 hf_netlogon_rc, NULL);
/*
 * Dissect the secure channel type: a single 16-bit value shown as
 * hf_netlogon_secure_channel_type.  The value itself is not kept
 * (NULL is passed for the output pointer).
 */
1875 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1876 packet_info *pinfo, proto_tree *tree,
1879 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1880 hf_netlogon_secure_channel_type, NULL);
1887 * IDL long NetrServerAuthenticate(
1888 * IDL [in][unique][string] wchar_t *ServerName,
1889 * IDL [in][ref][string] wchar_t *UserName,
1890 * IDL [in] short secure_challenge_type,
1891 * IDL [in][ref][string] wchar_t *ComputerName,
1892 * IDL [in][ref] CREDENTIAL client_challenge,
1893 * IDL [out][ref] CREDENTIAL server_challenge
/*
 * Dissect a NetrServerAuthenticate request: the server handle via
 * netlogon_dissect_LOGONSRV_HANDLE, the user name (reference string
 * pointer, shown as hf_netlogon_acct_name), the secure channel type,
 * the computer name (reference string pointer) and the client
 * challenge, an 8-byte CREDENTIAL by reference pointer.
 * NOTE(review): the trailing arguments of the LOGONSRV_HANDLE and
 * SECURE_CHANNEL_TYPE calls are on lines this listing omits.
 */
1897 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1898 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1900 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1903 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1904 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1906 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1909 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1910 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1912 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1913 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1914 "CREDENTIAL: client challenge", -1);
/*
 * Dissect a NetrServerAuthenticate reply: the server challenge (an
 * 8-byte CREDENTIAL by reference pointer) followed by the NT status
 * shown as hf_netlogon_rc.
 */
1919 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
1920 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1922 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1923 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1924 "CREDENTIAL: server challenge", -1);
1926 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1927 hf_netlogon_rc, NULL);
1935 * IDL typedef struct {
1936 * IDL char encrypted_password[16];
1937 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Dissect an ENCRYPTED_LM_OWF_PASSWORD (IDL: char
 * encrypted_password[16]): the 16 bytes at offset are added to the
 * tree as hf_netlogon_encrypted_lm_owf_password, with no decoding.
 * The password-derived bytes appear verbatim in the dissection, so a
 * capture or an exported dissection that contains this field should be
 * handled as sensitive material.
 * NOTE(review): the offset advance and return are on omitted lines.
 */
1940 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1941 packet_info *pinfo, proto_tree *tree,
1946 di=pinfo->private_data;
1947 if(di->conformant_run){
1948 /*just a run to handle conformant arrays, nothing to dissect.*/
1952 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1960 * IDL long NetrServerPasswordSet(
1961 * IDL [in][unique][string] wchar_t *ServerName,
1962 * IDL [in][ref][string] wchar_t *UserName,
1963 * IDL [in] short secure_challenge_type,
1964 * IDL [in][ref][string] wchar_t *ComputerName,
1965 * IDL [in][ref] AUTHENTICATOR credential,
1966 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1967 * IDL [out][ref] AUTHENTICATOR return_authenticator
/*
 * Dissect a NetrServerPasswordSet request: the server handle via
 * netlogon_dissect_LOGONSRV_HANDLE, the user name (reference string
 * pointer), the secure channel type, the computer name (reference
 * string pointer), the credential AUTHENTICATOR and the new password
 * as an ENCRYPTED_LM_OWF_PASSWORD, both by reference pointer.
 * NOTE(review): the trailing arguments of the LOGONSRV_HANDLE and
 * SECURE_CHANNEL_TYPE calls are on lines this listing omits.
 */
1971 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1972 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1974 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1977 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1978 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1980 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1983 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1984 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1986 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1987 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1988 "AUTHENTICATOR: credential", -1);
1990 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1991 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1992 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
/*
 * Dissect a NetrServerPasswordSet reply: the return_authenticator
 * (reference pointer) followed by the NT status shown as
 * hf_netlogon_rc.
 */
1997 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
1998 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2000 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2001 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2002 "AUTHENTICATOR: return_authenticator", -1);
2004 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2005 hf_netlogon_rc, NULL);
2012 * IDL typedef struct {
2013 * IDL [unique][string] wchar_t *UserName;
2014 * IDL UNICODESTRING dummy1;
2015 * IDL UNICODESTRING dummy2;
2016 * IDL UNICODESTRING dummy3;
2017 * IDL UNICODESTRING dummy4;
2022 * IDL } DELTA_DELETE_USER;
/*
 * Dissect a DELTA_DELETE_USER: the account name (unique string
 * pointer), four counted strings shown as hf_netlogon_dummy, and four
 * 32-bit values shown as hf_netlogon_reserved.
 * NOTE(review): the IDL lines for the four trailing longs are not
 * shown in this listing; the field names come from the hf_ identifiers
 * only.
 */
2025 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
2026 packet_info *pinfo, proto_tree *tree,
2029 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2030 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
2032 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2033 hf_netlogon_dummy, 0);
2035 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2036 hf_netlogon_dummy, 0);
2038 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2039 hf_netlogon_dummy, 0);
2041 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2042 hf_netlogon_dummy, 0);
2044 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2045 hf_netlogon_reserved, NULL);
2047 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2048 hf_netlogon_reserved, NULL);
2050 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2051 hf_netlogon_reserved, NULL);
2053 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2054 hf_netlogon_reserved, NULL);
2061 * IDL typedef struct {
2062 * IDL bool SensitiveDataFlag;
2063 * IDL long DataLength;
2064 * IDL [unique][size_is(DataLength)] char *SensitiveData;
2065 * IDL } USER_PRIVATE_INFO;
/*
 * Dissect the SensitiveData blob of a USER_PRIVATE_INFO: a 32-bit
 * length is read from the packet into data_len and the data that
 * follows is added to the tree as hf_netlogon_sensitive_data.
 * data_len comes straight from the wire.
 * NOTE(review): the length argument of proto_tree_add_item and the
 * offset advance are on lines this listing omits; confirm that
 * data_len is validated against the bytes remaining in tvb before it
 * is used to advance offset.  The blob is shown verbatim, so a capture
 * that contains this field should be handled as sensitive material.
 */
2068 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
2069 packet_info *pinfo, proto_tree *tree,
2075 di=pinfo->private_data;
2076 if(di->conformant_run){
2077 /*just a run to handle conformant arrays, nothing to dissect */
2081 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2082 hf_netlogon_sensitive_data_len, &data_len);
2084 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
/*
 * Dissect a USER_PRIVATE_INFO in IDL order: the 8-bit sensitive-data
 * flag, the 32-bit data length, and a unique pointer to the data
 * itself, dissected by netlogon_dissect_SENSITIVE_DATA.
 * The length read here is only displayed (NULL is passed for the
 * value); netlogon_dissect_SENSITIVE_DATA reads a further 32-bit
 * length at the pointed-to data.
 */
2091 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
2092 packet_info *pinfo, proto_tree *tree,
2095 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2096 hf_netlogon_sensitive_data_flag, NULL);
2098 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2099 hf_netlogon_sensitive_data_len, NULL);
2101 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2102 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
2103 "SENSITIVE_DATA", -1);
2109 * IDL typedef struct {
2110 * IDL UNICODESTRING UserName;
2111 * IDL UNICODESTRING FullName;
2113 * IDL long PrimaryGroupID;
2114 * IDL UNICODESTRING HomeDir;
2115 * IDL UNICODESTRING HomeDirDrive;
2116 * IDL UNICODESTRING LogonScript;
2117 * IDL UNICODESTRING Comment;
2118 * IDL UNICODESTRING Workstations;
2119 * IDL NTTIME LastLogon;
2120 * IDL NTTIME LastLogoff;
2121 * IDL LOGON_HOURS logonhours;
2122 * IDL short BadPwCount;
2123 * IDL short LogonCount;
2124 * IDL NTTIME PwLastSet;
2125 * IDL NTTIME AccountExpires;
2126 * IDL long AccountControl;
2127 * IDL LM_OWF_PASSWORD lmpw;
2128 * IDL NT_OWF_PASSWORD ntpw;
2129 * IDL bool NTPwPresent;
2130 * IDL bool LMPwPresent;
2131 * IDL bool PwExpired;
2132 * IDL UNICODESTRING UserComment;
2133 * IDL UNICODESTRING Parameters;
2134 * IDL short CountryCode;
2135 * IDL short CodePage;
2136 * IDL USER_PRIVATE_INFO user_private_info;
2137 * IDL long SecurityInformation;
2138 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2139 * IDL UNICODESTRING dummy1;
2140 * IDL UNICODESTRING dummy2;
2141 * IDL UNICODESTRING dummy3;
2142 * IDL UNICODESTRING dummy4;
/*
 * Dissect one DELTA_USER structure (a user-account replication delta),
 * field by field in the order of the IDL comment above.  Each helper is
 * given the current offset and its return value becomes the new offset.
 * NOTE(review): this listing omits short source lines (return type, last
 * parameter, braces, some continuation lines, the return statement);
 * read it against the complete file.
 */
2150 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
2151 packet_info *pinfo, proto_tree *tree,
/* Account name and full name.  The trailing 3 / 0 is presumably the
 * helper's "levels" argument - confirm in packet-dcerpc-nt.c. */
2154 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2155 hf_netlogon_acct_name, 3);
2157 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2158 hf_netlogon_full_name, 0);
/* User RID, then primary group RID. */
2160 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2161 hf_netlogon_user_rid, NULL);
2163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2164 hf_netlogon_group_rid, NULL);
/* Profile strings: home directory, drive, logon script, description,
 * allowed workstations. */
2166 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2167 hf_netlogon_home_dir, 0);
2169 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2170 hf_netlogon_dir_drive, 0);
2172 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2173 hf_netlogon_logon_script, 0);
2175 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2176 hf_netlogon_acct_desc, 0);
2178 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2179 hf_netlogon_workstations, 0);
/* Last logon / logoff times and the logon-hours restriction. */
2181 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2182 hf_netlogon_logon_time);
2184 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2185 hf_netlogon_logoff_time);
2187 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
/* 16-bit bad-password and logon counters. */
2189 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2190 hf_netlogon_bad_pw_count16, NULL);
2192 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2193 hf_netlogon_logon_count16, NULL);
/* Password-last-set and account-expiry times, then account control. */
2195 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2196 hf_netlogon_pwd_last_set_time);
2198 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2199 hf_netlogon_acct_expiry_time);
2201 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
/* LM and NT one-way-function password fields of the account.  A capture
 * that decodes this far contains credential material and should be stored
 * and shared accordingly; whether the values are further encrypted on the
 * wire cannot be told from this code. */
2203 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
2206 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
/* Three one-byte flags: NT hash present, LM hash present, password expired. */
2209 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2210 hf_netlogon_nt_pwd_present, NULL);
2212 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2213 hf_netlogon_lm_pwd_present, NULL);
2215 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2216 hf_netlogon_pwd_expired, NULL);
/* User comment and parameters strings, country code and code page. */
2218 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2219 hf_netlogon_comment, 0);
2221 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2222 hf_netlogon_parameters, 0);
2224 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2225 hf_netlogon_country, NULL);
2227 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2228 hf_netlogon_codepage, NULL);
/* USER_PRIVATE_INFO sub-structure (sensitive-data blob). */
2230 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
/* Security information mask followed by the security descriptor. */
2233 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2234 hf_netlogon_security_information, NULL);
2236 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings, all shown as hf_netlogon_dummy. */
2239 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2240 hf_netlogon_dummy, 0);
2242 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2243 hf_netlogon_dummy, 0);
2245 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2246 hf_netlogon_dummy, 0);
2248 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2249 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
2251 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2252 hf_netlogon_reserved, NULL);
2254 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2255 hf_netlogon_reserved, NULL);
2257 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2258 hf_netlogon_reserved, NULL);
2260 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2261 hf_netlogon_reserved, NULL);
2268 * IDL typedef struct {
2269 * IDL UNICODESTRING DomainName;
2270 * IDL UNICODESTRING OEMInfo;
2271 * IDL NTTIME forcedlogoff;
2272 * IDL short minpasswdlen;
2273 * IDL short passwdhistorylen;
2274 * IDL NTTIME pwd_must_change_time;
2275 * IDL NTTIME pwd_can_change_time;
2276 * IDL NTTIME domain_modify_time;
2277 * IDL NTTIME domain_create_time;
2278 * IDL long SecurityInformation;
2279 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2280 * IDL UNICODESTRING dummy1;
2281 * IDL UNICODESTRING dummy2;
2282 * IDL UNICODESTRING dummy3;
2283 * IDL UNICODESTRING dummy4;
2288 * IDL } DELTA_DOMAIN;
/*
 * Dissect one DELTA_DOMAIN structure: domain name, OEM info and the
 * domain-wide password policy values, in the order of the IDL comment
 * above.  Each helper's return value becomes the new offset.
 * NOTE(review): short source lines (last parameter, braces, return) are
 * missing from this listing.
 */
2291 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
2292 packet_info *pinfo, proto_tree *tree,
/* Domain name and OEM info strings. */
2295 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2296 hf_netlogon_domain_name, 3);
2298 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2299 hf_netlogon_oem_info, 0);
/* IDL "forcedlogoff", displayed with the kickoff-time field. */
2301 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2302 hf_netlogon_kickoff_time);
/* Password policy: minimum length and history length (16-bit each). */
2304 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2305 hf_netlogon_minpasswdlen, NULL);
2307 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2308 hf_netlogon_passwdhistorylen, NULL);
/* Password must-change / can-change times. */
2310 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2311 hf_netlogon_pwd_must_change_time);
2313 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2314 hf_netlogon_pwd_can_change_time);
/* Domain modify and create times. */
2316 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2317 hf_netlogon_domain_modify_time);
2319 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2320 hf_netlogon_domain_create_time);
/* Security information mask followed by the security descriptor. */
2322 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2323 hf_netlogon_security_information, NULL);
2325 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings. */
2328 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2329 hf_netlogon_dummy, 0);
2331 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2332 hf_netlogon_dummy, 0);
2334 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2335 hf_netlogon_dummy, 0);
2337 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2338 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
2340 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2341 hf_netlogon_reserved, NULL);
2343 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2344 hf_netlogon_reserved, NULL);
2346 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2347 hf_netlogon_reserved, NULL);
2349 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2350 hf_netlogon_reserved, NULL);
2357 * IDL typedef struct {
2358 * IDL UNICODESTRING groupname;
2359 * IDL GROUP_MEMBERSHIP group_membership;
2360 * IDL UNICODESTRING comment;
2361 * IDL long SecurityInformation;
2362 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2363 * IDL UNICODESTRING dummy1;
2364 * IDL UNICODESTRING dummy2;
2365 * IDL UNICODESTRING dummy3;
2366 * IDL UNICODESTRING dummy4;
2371 * IDL } DELTA_GROUP;
/*
 * Dissect one DELTA_GROUP structure: group name, GROUP_MEMBERSHIP,
 * description, security information and descriptor, then the dummy and
 * reserved trailer.  Each helper's return value becomes the new offset.
 * NOTE(review): short source lines (last parameter, braces, continuation
 * lines, return) are missing from this listing.
 */
2374 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
2375 packet_info *pinfo, proto_tree *tree,
/* Group name; the trailing 3 is presumably the helper's "levels"
 * argument - confirm in packet-dcerpc-nt.c. */
2378 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2379 hf_netlogon_group_name, 3);
/* Embedded GROUP_MEMBERSHIP sub-structure, then the group description. */
2381 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
2384 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2385 hf_netlogon_group_desc, 0);
/* Security information mask followed by the security descriptor. */
2387 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2388 hf_netlogon_security_information, NULL);
2390 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings. */
2393 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2394 hf_netlogon_dummy, 0);
2396 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2397 hf_netlogon_dummy, 0);
2399 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2400 hf_netlogon_dummy, 0);
2402 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2403 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
2405 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2406 hf_netlogon_reserved, NULL);
2408 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2409 hf_netlogon_reserved, NULL);
2411 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2412 hf_netlogon_reserved, NULL);
2414 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2415 hf_netlogon_reserved, NULL);
2422 * IDL typedef struct {
2423 * IDL UNICODESTRING OldName;
2424 * IDL UNICODESTRING NewName;
2425 * IDL UNICODESTRING dummy1;
2426 * IDL UNICODESTRING dummy2;
2427 * IDL UNICODESTRING dummy3;
2428 * IDL UNICODESTRING dummy4;
2433 * IDL } DELTA_RENAME;
/*
 * Dissect one DELTA_RENAME structure: old name, new name, four dummy
 * strings and four reserved 32-bit values.  DELTA_UNION uses this one
 * dissector for the rename-group, rename-user and rename-alias arms.
 * NOTE(review): short source lines (last parameter, braces, local
 * declarations, continuation lines, return) are missing from this listing.
 */
2436 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2437 packet_info *pinfo, proto_tree *tree,
/* di is taken from pinfo->private_data.  NOTE(review): the field argument
 * of the two name strings below is on lines this listing drops; presumably
 * it is di->hf_index, i.e. the hf value DELTA_UNION passes as the last
 * argument of dissect_ndr_pointer - confirm against the full file. */
2442 di=pinfo->private_data;
/* Old name, then new name. */
2444 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2447 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
/* dummy1..dummy4 placeholder strings. */
2450 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2451 hf_netlogon_dummy, 0);
2453 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2454 hf_netlogon_dummy, 0);
2456 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2457 hf_netlogon_dummy, 0);
2459 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2460 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
2462 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2463 hf_netlogon_reserved, NULL);
2465 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2466 hf_netlogon_reserved, NULL);
2468 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2469 hf_netlogon_reserved, NULL);
2471 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2472 hf_netlogon_reserved, NULL);
/* Per-element callback for netlogon_dissect_RID_array: dissects one 32-bit
 * RID and displays it as hf_netlogon_user_rid. */
2479 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2480 packet_info *pinfo, proto_tree *tree,
2483 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2484 hf_netlogon_user_rid, NULL);
/* Dissects the rids array of DELTA_GROUP_MEMBER by handing
 * netlogon_dissect_RID to dissect_ndr_ucarray.  No element count is passed
 * from here, so the count and its bounds handling are the helper's job
 * (presumably read from the packet - confirm in packet-dcerpc.c). */
2490 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2491 packet_info *pinfo, proto_tree *tree,
2494 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2495 netlogon_dissect_RID);
/* Per-element callback for netlogon_dissect_ATTRIB_array: dissects one
 * 32-bit attribute value and displays it as hf_netlogon_attrs. */
2501 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2502 packet_info *pinfo, proto_tree *tree,
2505 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2506 hf_netlogon_attrs, NULL);
/* Dissects the attribs array of DELTA_GROUP_MEMBER by handing
 * netlogon_dissect_ATTRIB to dissect_ndr_ucarray; the element count is
 * handled inside that helper, not here. */
2512 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2513 packet_info *pinfo, proto_tree *tree,
2516 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2517 netlogon_dissect_ATTRIB);
2523 * IDL typedef struct {
2524 * IDL [unique][size_is(num_rids)] long *rids;
2525 * IDL [unique][size_is(num_rids)] long *attribs;
2526 * IDL long num_rids;
2531 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissect one DELTA_GROUP_MEMBER structure: unique pointers to the RID
 * array and the attribute array, the num_rids count, and four reserved
 * 32-bit values.
 * NOTE(review): short source lines (last parameter, braces, the label
 * arguments of the two pointer calls, return) are missing from this listing.
 */
2534 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2535 packet_info *pinfo, proto_tree *tree,
/* [unique] pointers (may be NULL on the wire) to rids and attribs. */
2538 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2539 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2542 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2543 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
/* num_rids is only displayed here; it is not captured (NULL out pointer)
 * and so is not what sizes the two arrays in this dissector. */
2546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2547 hf_netlogon_num_rids, NULL);
/* Four trailing reserved 32-bit values. */
2549 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2550 hf_netlogon_reserved, NULL);
2552 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2553 hf_netlogon_reserved, NULL);
2555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2556 hf_netlogon_reserved, NULL);
2558 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2559 hf_netlogon_reserved, NULL);
2566 * IDL typedef struct {
2567 * IDL UNICODESTRING alias_name;
2569 * IDL long SecurityInformation;
2570 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2571 * IDL UNICODESTRING dummy1;
2572 * IDL UNICODESTRING dummy2;
2573 * IDL UNICODESTRING dummy3;
2574 * IDL UNICODESTRING dummy4;
2579 * IDL } DELTA_ALIAS;
/*
 * Dissect one DELTA_ALIAS structure: alias name, alias RID, security
 * information and descriptor, then the dummy and reserved trailer.
 * NOTE(review): short source lines (last parameter, braces, continuation
 * lines, return) are missing from this listing.
 */
2582 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2583 packet_info *pinfo, proto_tree *tree,
/* Alias name and alias RID. */
2586 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2587 hf_netlogon_alias_name, 0);
2589 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2590 hf_netlogon_alias_rid, NULL);
/* Security information mask followed by the security descriptor. */
2592 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2593 hf_netlogon_security_information, NULL);
2595 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings. */
2598 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2599 hf_netlogon_dummy, 0);
2601 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2602 hf_netlogon_dummy, 0);
2604 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2605 hf_netlogon_dummy, 0);
2607 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2608 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
2610 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2611 hf_netlogon_reserved, NULL);
2613 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2614 hf_netlogon_reserved, NULL);
2616 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2617 hf_netlogon_reserved, NULL);
2619 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2620 hf_netlogon_reserved, NULL);
2627 * IDL typedef struct {
2628 * IDL [unique] SID_ARRAY sids;
2633 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissect one DELTA_ALIAS_MEMBER structure: the SID array of the alias
 * members followed by four reserved 32-bit values.
 * NOTE(review): short source lines (last parameter, braces, return) are
 * missing from this listing.
 */
2636 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2637 packet_info *pinfo, proto_tree *tree,
/* Member SIDs, dissected by the shared NT helper. */
2640 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
/* Four trailing reserved 32-bit values. */
2642 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2643 hf_netlogon_reserved, NULL);
2645 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2646 hf_netlogon_reserved, NULL);
2648 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2649 hf_netlogon_reserved, NULL);
2651 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2652 hf_netlogon_reserved, NULL);
/* Per-element callback for netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY:
 * dissects one 32-bit event audit option. */
2659 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2660 packet_info *pinfo, proto_tree *tree,
2663 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2664 hf_netlogon_event_audit_option, NULL);
/* Dissects the eventauditoptions array of DELTA_POLICY by handing
 * netlogon_dissect_EVENT_AUDIT_OPTION to dissect_ndr_ucarray; the element
 * count is handled inside that helper, not here. */
2670 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2671 packet_info *pinfo, proto_tree *tree,
2674 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2675 netlogon_dissect_EVENT_AUDIT_OPTION);
2682 * IDL typedef struct {
2683 * IDL long pagedpoollimit;
2684 * IDL long nonpagedpoollimit;
2685 * IDL long minimumworkingsetsize;
2686 * IDL long maximumworkingsetsize;
2687 * IDL long pagefilelimit;
2688 * IDL NTTIME timelimit;
2689 * IDL } QUOTA_LIMITS;
/*
 * Dissect one QUOTA_LIMITS structure into its own subtree
 * (ett_QUOTA_LIMITS): five 32-bit limits followed by an NTTIME time limit.
 * The item is created with length 0 and sized afterwards from the number
 * of bytes actually consumed.
 * NOTE(review): short source lines (last parameter, braces, the subtree
 * label, any guard around the subtree creation, return) are missing from
 * this listing.
 */
2692 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2693 packet_info *pinfo, proto_tree *parent_tree,
2696 proto_item *item=NULL;
2697 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
2698 int old_offset=offset;
2701 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2703 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
/* Paged pool, non-paged pool, min/max working set, page file limits. */
2706 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2707 hf_netlogon_pagedpoollimit, NULL);
2709 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2710 hf_netlogon_nonpagedpoollimit, NULL);
2712 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2713 hf_netlogon_minworkingsetsize, NULL);
2715 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2716 hf_netlogon_maxworkingsetsize, NULL);
2718 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2719 hf_netlogon_pagefilelimit, NULL);
2721 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2722 hf_netlogon_timelimit);
/* Size the subtree item to the bytes consumed above. */
2724 proto_item_set_len(item, offset-old_offset);
2730 * IDL typedef struct {
2731 * IDL long maxlogsize;
2732 * IDL NTTIME auditretentionperiod;
2733 * IDL bool auditingmode;
2734 * IDL long maxauditeventcount;
2735 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2736 * IDL UNICODESTRING primarydomainname;
2737 * IDL [unique] SID *sid;
2738 * IDL QUOTA_LIMITS quota_limits;
2739 * IDL NTTIME db_modify_time;
2740 * IDL NTTIME db_create_time;
2741 * IDL long SecurityInformation;
2742 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2743 * IDL UNICODESTRING dummy1;
2744 * IDL UNICODESTRING dummy2;
2745 * IDL UNICODESTRING dummy3;
2746 * IDL UNICODESTRING dummy4;
2751 * IDL } DELTA_POLICY;
/*
 * Dissect one DELTA_POLICY structure: audit log settings, event audit
 * options, primary domain name and SID, quota limits, database times,
 * security information and descriptor, then the dummy and reserved
 * trailer, in the order of the IDL comment above.
 * NOTE(review): short source lines (last parameter, braces, continuation
 * lines, return) are missing from this listing.
 */
2754 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2755 packet_info *pinfo, proto_tree *tree,
/* Audit log: maximum size, retention period, auditing mode (one byte). */
2758 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2759 hf_netlogon_max_log_size, NULL);
2761 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2762 hf_netlogon_audit_retention_period);
2764 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2765 hf_netlogon_auditing_mode, NULL);
/* Event count (displayed only, not captured) and the [unique] pointer to
 * the per-event audit options array. */
2767 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2768 hf_netlogon_max_audit_event_count, NULL);
2770 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2771 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2772 "Event Audit Options:", -1);
/* Primary domain name and SID. */
2774 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2775 hf_netlogon_domain_name, 0);
2777 offset = dissect_ndr_nt_PSID(tvb, offset,
2778 pinfo, tree, drep, -1);
/* Embedded QUOTA_LIMITS, then database modify and create times. */
2780 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2783 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2784 hf_netlogon_db_modify_time);
2786 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2787 hf_netlogon_db_create_time);
/* Security information mask followed by the security descriptor. */
2789 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2790 hf_netlogon_security_information, NULL);
2792 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings. */
2795 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2796 hf_netlogon_dummy, 0);
2798 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2799 hf_netlogon_dummy, 0);
2801 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2802 hf_netlogon_dummy, 0);
2804 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2805 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
2807 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2808 hf_netlogon_reserved, NULL);
2810 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2811 hf_netlogon_reserved, NULL);
2813 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2814 hf_netlogon_reserved, NULL);
2816 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2817 hf_netlogon_reserved, NULL);
/* Per-element callback for netlogon_dissect_CONTROLLER_ARRAY: dissects one
 * domain controller name as a counted string (hf_netlogon_dc_name). */
2824 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2825 packet_info *pinfo, proto_tree *tree,
2828 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2829 hf_netlogon_dc_name, 0);
/* Dissects the controller_names array of DELTA_TRUSTED_DOMAINS by handing
 * netlogon_dissect_CONTROLLER to dissect_ndr_ucarray; the element count is
 * handled inside that helper, not here. */
2835 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2836 packet_info *pinfo, proto_tree *tree,
2839 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2840 netlogon_dissect_CONTROLLER);
2847 * IDL typedef struct {
2848 * IDL UNICODESTRING DomainName;
2849 * IDL long num_controllers;
2850 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2851 * IDL long SecurityInformation;
2852 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2853 * IDL UNICODESTRING dummy1;
2854 * IDL UNICODESTRING dummy2;
2855 * IDL UNICODESTRING dummy3;
2856 * IDL UNICODESTRING dummy4;
2861 * IDL } DELTA_TRUSTED_DOMAINS;
/*
 * Dissect one DELTA_TRUSTED_DOMAINS structure: trusted domain name,
 * controller count, [unique] pointer to the controller name array,
 * security information and descriptor, then the dummy and reserved trailer.
 * NOTE(review): short source lines (last parameter, braces, continuation
 * lines, return) are missing from this listing.
 */
2864 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2865 packet_info *pinfo, proto_tree *tree,
/* Domain name and number of controllers (displayed only, not captured). */
2868 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2869 hf_netlogon_domain_name, 0);
2871 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2872 hf_netlogon_num_controllers, NULL);
/* [unique] pointer (may be NULL on the wire) to the controller names. */
2874 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2875 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2876 "Domain Controllers:", -1);
/* Security information mask followed by the security descriptor. */
2878 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2879 hf_netlogon_security_information, NULL);
2881 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings. */
2884 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2885 hf_netlogon_dummy, 0);
2887 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2888 hf_netlogon_dummy, 0);
2890 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2891 hf_netlogon_dummy, 0);
2893 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2894 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
2896 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2897 hf_netlogon_reserved, NULL);
2899 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2900 hf_netlogon_reserved, NULL);
2902 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2903 hf_netlogon_reserved, NULL);
2905 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2906 hf_netlogon_reserved, NULL);
/* Per-element callback for netlogon_dissect_PRIV_ATTR_ARRAY: dissects one
 * 32-bit privilege attribute value (hf_netlogon_attrs). */
2913 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2914 packet_info *pinfo, proto_tree *tree,
2917 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2918 hf_netlogon_attrs, NULL);
/* Dissects the privilege_attrib array of DELTA_ACCOUNTS by handing
 * netlogon_dissect_PRIV_ATTR to dissect_ndr_ucarray; the element count is
 * handled inside that helper, not here. */
2924 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2925 packet_info *pinfo, proto_tree *tree,
2928 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2929 netlogon_dissect_PRIV_ATTR);
/* Per-element callback for netlogon_dissect_PRIV_NAME_ARRAY: dissects one
 * privilege name as a counted string (hf_netlogon_privilege_name). */
2935 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2936 packet_info *pinfo, proto_tree *tree,
2939 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2940 hf_netlogon_privilege_name, 1);
/* Dissects the privilege_name array of DELTA_ACCOUNTS by handing
 * netlogon_dissect_PRIV_NAME to dissect_ndr_ucarray; the element count is
 * handled inside that helper, not here. */
2946 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2947 packet_info *pinfo, proto_tree *tree,
2950 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2951 netlogon_dissect_PRIV_NAME);
2959 * IDL typedef struct {
2960 * IDL long privilegeentries;
2961 * IDL long privilegecontrol;
2962 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2963 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2964 * IDL QUOTALIMITS quotalimits;
2965 * IDL long SecurityInformation;
2966 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2967 * IDL UNICODESTRING dummy1;
2968 * IDL UNICODESTRING dummy2;
2969 * IDL UNICODESTRING dummy3;
2970 * IDL UNICODESTRING dummy4;
2975 * IDL } DELTA_ACCOUNTS;
/*
 * Dissect one DELTA_ACCOUNTS structure: privilege entry count and control
 * word, [unique] pointers to the privilege attribute and name arrays,
 * quota limits, system flags, security information and descriptor, then
 * the dummy and reserved trailer.
 * NOTE(review): short source lines (last parameter, braces, continuation
 * lines, return) are missing from this listing.
 */
2978 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2979 packet_info *pinfo, proto_tree *tree,
/* Entry count and control word; both displayed only, not captured. */
2982 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2983 hf_netlogon_privilege_entries, NULL);
2985 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2986 hf_netlogon_privilege_control, NULL);
/* [unique] pointers (may be NULL on the wire) to the two arrays. */
2988 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2989 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2990 "PRIV_ATTR_ARRAY:", -1);
2992 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2993 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2994 "PRIV_NAME_ARRAY:", -1);
2996 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
/* NOTE(review): systemflags is dissected here but has no member in the
 * IDL comment above; one of the two is incomplete - confirm which. */
2999 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3000 hf_netlogon_systemflags, NULL);
/* Security information mask followed by the security descriptor. */
3002 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3003 hf_netlogon_security_information, NULL);
3005 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings. */
3008 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3009 hf_netlogon_dummy, 0);
3011 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3012 hf_netlogon_dummy, 0);
3014 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3015 hf_netlogon_dummy, 0);
3017 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3018 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
3020 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3021 hf_netlogon_reserved, NULL);
3023 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3024 hf_netlogon_reserved, NULL);
3026 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3027 hf_netlogon_reserved, NULL);
3029 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3030 hf_netlogon_reserved, NULL);
3036 * IDL typedef struct {
3039 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
3040 * IDL } CIPHER_VALUE;
/*
 * Dissect the byte array behind CIPHER_VALUE.cipher_data: the maximum
 * length, the actual length (captured in data_len), then the data itself,
 * added to the tree under the field index found in di->hf_index.
 * NOTE(review): short source lines (last parameter, braces, local
 * declarations, the statements between the two length reads, the length
 * argument of proto_tree_add_item, the offset advance and the return) are
 * missing from this listing.
 */
3043 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
3044 packet_info *pinfo, proto_tree *tree,
3050 di=pinfo->private_data;
3051 if(di->conformant_run){
3052 /*just a run to handle conformant arrays, nothing to dissect */
3056 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3057 hf_netlogon_cipher_maxlen, NULL);
/* data_len is read straight from the packet and is therefore untrusted. */
3062 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3063 hf_netlogon_cipher_len, &data_len);
/* NOTE(review): presumably data_len is the length passed here and is then
 * added to offset.  Confirm that a large wire value cannot wrap the signed
 * int offset and that the bounds check still happens when tree is NULL. */
3065 proto_tree_add_item(tree, di->hf_index, tvb, offset,
/*
 * Dissect one CIPHER_VALUE structure into its own subtree
 * (ett_CYPHER_VALUE): length, maximum length, then a [unique] pointer to
 * the data, which netlogon_dissect_CIPHER_VALUE_DATA dissects.
 *
 * name     - label string supplied by the caller (DELTA_SECRET passes
 *            "CIPHER_VALUE: current cipher value" / "... old cipher value").
 * hf_index - field index supplied by the caller for the data bytes.
 * NOTE(review): the lines that use name and hf_index (subtree label, last
 * arguments of dissect_ndr_pointer) are missing from this listing, as are
 * braces and the return; presumably hf_index reaches the data dissector as
 * di->hf_index - confirm against the full file.
 */
3072 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
3073 packet_info *pinfo, proto_tree *parent_tree,
3074 guint8 *drep, char *name, int hf_index)
3076 proto_item *item=NULL;
3077 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
3078 int old_offset=offset;
3081 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3083 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
/* Both lengths are displayed only here (NULL out pointers); the data
 * dissector reads its own length values. */
3086 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3087 hf_netlogon_cipher_len, NULL);
3089 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3090 hf_netlogon_cipher_maxlen, NULL);
3092 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3093 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
/* Size the subtree item to the bytes consumed above. */
3096 proto_item_set_len(item, offset-old_offset);
3101 * IDL typedef struct {
3102 * IDL CIPHER_VALUE current_cipher;
3103 * IDL NTTIME current_cipher_set_time;
3104 * IDL CIPHER_VALUE old_cipher;
3105 * IDL NTTIME old_cipher_set_time;
3106 * IDL long SecurityInformation;
3107 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3108 * IDL UNICODESTRING dummy1;
3109 * IDL UNICODESTRING dummy2;
3110 * IDL UNICODESTRING dummy3;
3111 * IDL UNICODESTRING dummy4;
3116 * IDL } DELTA_SECRET;
/*
 * Dissect one DELTA_SECRET structure: current cipher value and its set
 * time, old cipher value and its set time, security information and
 * descriptor, then the dummy and reserved trailer.
 * The cipher bytes are shown as raw data; nothing here decrypts them.
 * Captures that include these deltas still carry secret material and
 * should be handled as sensitive.
 * NOTE(review): short source lines (last parameter, braces, continuation
 * lines, return) are missing from this listing.
 */
3119 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
3120 packet_info *pinfo, proto_tree *tree,
/* Current cipher value and the time it was set. */
3123 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3125 "CIPHER_VALUE: current cipher value",
3126 hf_netlogon_cipher_current_data);
3128 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3129 hf_netlogon_cipher_current_set_time);
/* Previous cipher value and the time it was set. */
3131 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3133 "CIPHER_VALUE: old cipher value",
3134 hf_netlogon_cipher_old_data);
3136 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3137 hf_netlogon_cipher_old_set_time);
/* Security information mask followed by the security descriptor. */
3139 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3140 hf_netlogon_security_information, NULL);
3142 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 placeholder strings. */
3145 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3146 hf_netlogon_dummy, 0);
3148 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3149 hf_netlogon_dummy, 0);
3151 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3152 hf_netlogon_dummy, 0);
3154 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3155 hf_netlogon_dummy, 0);
/* Four trailing reserved 32-bit values. */
3157 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3158 hf_netlogon_reserved, NULL);
3160 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3161 hf_netlogon_reserved, NULL);
3163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3164 hf_netlogon_reserved, NULL);
3166 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3167 hf_netlogon_reserved, NULL);
3173 * IDL typedef struct {
3174 * IDL long low_value;
3175 * IDL long high_value;
/* Dissects a MODIFIED_COUNT.  The IDL comment above describes two longs
 * (low_value, high_value); this code reads them as a single 64-bit value
 * shown as hf_netlogon_modify_count. */
3179 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
3180 packet_info *pinfo, proto_tree *tree,
3183 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
3184 hf_netlogon_modify_count, NULL);
/* Delta type codes.  The numbers match the case values in the DELTA_UNION
 * IDL comment below.  The numbering is not contiguous: 3, 6, 10, 15, 17
 * and 19 have no name here. */
3190 #define DT_DELTA_DOMAIN 1
3191 #define DT_DELTA_GROUP 2
3192 #define DT_DELTA_RENAME_GROUP 4
3193 #define DT_DELTA_USER 5
3194 #define DT_DELTA_RENAME_USER 7
3195 #define DT_DELTA_GROUP_MEMBER 8
3196 #define DT_DELTA_ALIAS 9
3197 #define DT_DELTA_RENAME_ALIAS 11
3198 #define DT_DELTA_ALIAS_MEMBER 12
3199 #define DT_DELTA_POLICY 13
3200 #define DT_DELTA_TRUSTED_DOMAINS 14
3201 #define DT_DELTA_ACCOUNTS 16
3202 #define DT_DELTA_SECRET 18
3203 #define DT_DELTA_DELETE_GROUP 20
3204 #define DT_DELTA_DELETE_USER 21
3205 #define DT_MODIFIED_COUNT 22
/* Display names for the delta type codes above.
 * NOTE(review): the table's terminating entry and closing brace are on
 * lines missing from this listing. */
3206 static const value_string delta_type_vals[] = {
3207 { DT_DELTA_DOMAIN, "Domain" },
3208 { DT_DELTA_GROUP, "Group" },
3209 { DT_DELTA_RENAME_GROUP, "Rename Group" },
3210 { DT_DELTA_USER, "User" },
3211 { DT_DELTA_RENAME_USER, "Rename User" },
3212 { DT_DELTA_GROUP_MEMBER, "Group Member" },
3213 { DT_DELTA_ALIAS, "Alias" },
3214 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
3215 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
3216 { DT_DELTA_POLICY, "Policy" },
3217 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
3218 { DT_DELTA_ACCOUNTS, "Accounts" },
3219 { DT_DELTA_SECRET, "Secret" },
3220 { DT_DELTA_DELETE_GROUP, "Delete Group" },
3221 { DT_DELTA_DELETE_USER, "Delete User" },
3222 { DT_MODIFIED_COUNT, "Modified Count" },
3226 * IDL typedef [switch_type(short)] union {
3227 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
3228 * IDL [case(2)][unique] DELTA_GROUP *group;
3229 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3230 * IDL [case(5)][unique] DELTA_USER *user;
3231 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
3232 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3233 * IDL [case(9)][unique] DELTA_ALIAS *alias;
3234 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
3235 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3236 * IDL [case(13)][unique] DELTA_POLICY *policy;
3237 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3238 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
3239 * IDL [case(18)][unique] DELTA_SECRET *secret;
3240 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
3241 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
3242 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
3243 * IDL } DELTA_UNION;
/*
 * Dissect one DELTA_UNION into its own subtree (ett_DELTA_UNION): a 16-bit
 * delta type read from the packet into level, then one [unique] pointer to
 * the structure dissector for that type.
 * NOTE(review): the switch, case and break lines are missing from this
 * listing, along with braces, local declarations, the subtree label and
 * the return.  The arms below appear in the same order as the IDL cases
 * above.  How a delta type with no arm is handled is not visible here.
 */
3246 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
3247 packet_info *pinfo, proto_tree *parent_tree,
3250 proto_item *item=NULL;
3251 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
3252 int old_offset=offset;
3256 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3258 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
/* Union discriminant; the value comes from the wire and is untrusted. */
3261 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3262 hf_netlogon_delta_type, &level);
/* Domain, group and rename-group arms. */
3267 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3268 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
3269 "DELTA_DOMAIN:", -1);
3272 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3273 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
3274 "DELTA_GROUP:", -1);
/* The three rename arms share netlogon_dissect_DELTA_RENAME and differ
 * only in the label and in the hf index passed as the last argument. */
3277 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3278 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3279 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
/* User arm (its label line is missing from this listing). */
3282 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3283 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
3287 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3288 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3289 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
3292 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3293 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
3294 "DELTA_GROUP_MEMBER:", -1);
3297 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3298 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
3299 "DELTA_ALIAS:", -1);
3302 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3303 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3304 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
3307 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3308 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
3309 "DELTA_ALIAS_MEMBER:", -1);
3312 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3313 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
3314 "DELTA_POLICY:", -1);
3317 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3318 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
3319 "DELTA_TRUSTED_DOMAINS:", -1);
3322 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3323 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
3324 "DELTA_ACCOUNTS:", -1);
3327 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3328 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
3329 "DELTA_SECRET:", -1);
/* Delete-group and delete-user both use the DELTA_DELETE_USER dissector,
 * as the IDL comment above also shows. */
3332 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3333 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3334 "DELTA_DELETE_GROUP:", -1);
3337 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3338 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3339 "DELTA_DELETE_USER:", -1);
3342 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3343 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
3344 "MODIFIED_COUNT:", -1);
/* Size the subtree item to the bytes consumed above. */
3348 proto_item_set_len(item, offset-old_offset);
3354 /* IDL XXX must verify this one, especially 13-19
3355 * IDL typedef [switch_type(short)] union {
3356 * IDL [case(1)] long rid;
3357 * IDL [case(2)] long rid;
3358 * IDL [case(3)] long rid;
3359 * IDL [case(4)] long rid;
3360 * IDL [case(5)] long rid;
3361 * IDL [case(6)] long rid;
3362 * IDL [case(7)] long rid;
3363 * IDL [case(8)] long rid;
3364 * IDL [case(9)] long rid;
3365 * IDL [case(10)] long rid;
3366 * IDL [case(11)] long rid;
3367 * IDL [case(12)] long rid;
3368 * IDL [case(13)] [unique] SID *sid;
3369 * IDL [case(14)] [unique] SID *sid;
3370 * IDL [case(15)] [unique] SID *sid;
3371 * IDL [case(16)] [unique] SID *sid;
3372 * IDL [case(17)] [unique] SID *sid;
3373 * IDL [case(18)] [unique][string] wchar_t *Name ;
3374 * IDL [case(19)] [unique][string] wchar_t *Name ;
3375 * IDL [case(20)] long rid;
3376 * IDL [case(21)] long rid;
3377 * IDL } DELTA_ID_UNION;
/*
 * Dissect a DELTA_ID_UNION: a 16-bit delta type followed by one
 * type-dependent identifier (a 32-bit RID, a SID pointer or a string
 * pointer).  The fields are placed under an ett_DELTA_ID_UNION subtree
 * whose length is set once the final offset is known.
 *
 * NOTE(review): this listing omits the function's short lines (return
 * type, braces, the branch on `level` and its labels).  The 21 field
 * reads below line up one-to-one with cases 1-21 of the IDL comment
 * above; confirm the mapping against the complete file.
 * NOTE(review): `level` is taken from the packet; no fallback branch is
 * visible here, so confirm that an unlisted value simply reads nothing.
 */
3380 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
3381 packet_info *pinfo, proto_tree *parent_tree,
3384 proto_item *item=NULL;
3385 proto_tree *tree=NULL;
3386 int old_offset=offset;
/* Zero-length text item for now; it is resized by proto_item_set_len() at the end. */
3390 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3392 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
/* Union discriminant, stored in `level`. */
3395 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3396 hf_netlogon_delta_type, &level);
/* First identifier form: a 32-bit value shown as a group RID. */
3401 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3402 hf_netlogon_group_rid, NULL);
/* The next eleven reads all show a 32-bit value as hf_netlogon_user_rid. */
3405 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3406 hf_netlogon_user_rid, NULL);
3409 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3410 hf_netlogon_user_rid, NULL);
3413 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3414 hf_netlogon_user_rid, NULL);
3417 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3418 hf_netlogon_user_rid, NULL);
3421 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3422 hf_netlogon_user_rid, NULL);
3425 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3426 hf_netlogon_user_rid, NULL);
3429 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3430 hf_netlogon_user_rid, NULL);
3433 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3434 hf_netlogon_user_rid, NULL);
3437 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3438 hf_netlogon_user_rid, NULL);
3441 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3442 hf_netlogon_user_rid, NULL);
3445 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3446 hf_netlogon_user_rid, NULL);
/* Five reads of a SID through dissect_ndr_nt_PSID(). */
3449 offset = dissect_ndr_nt_PSID(tvb, offset,
3450 pinfo, tree, drep, -1);
3453 offset = dissect_ndr_nt_PSID(tvb, offset,
3454 pinfo, tree, drep, -1);
3457 offset = dissect_ndr_nt_PSID(tvb, offset,
3458 pinfo, tree, drep, -1);
3461 offset = dissect_ndr_nt_PSID(tvb, offset,
3462 pinfo, tree, drep, -1);
3465 offset = dissect_ndr_nt_PSID(tvb, offset,
3466 pinfo, tree, drep, -1);
/* Two unique string pointers, both labelled "unknown". */
3469 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3470 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3471 hf_netlogon_unknown_string, 0);
3474 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3475 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3476 hf_netlogon_unknown_string, 0);
/* Two more 32-bit reads shown as hf_netlogon_user_rid. */
3479 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3480 hf_netlogon_user_rid, NULL);
3483 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3484 hf_netlogon_user_rid, NULL);
/* Stretch the subtree item over everything consumed since old_offset. */
3488 proto_item_set_len(item, offset-old_offset);
3493 * IDL typedef struct {
3494 * IDL short delta_type;
3495 * IDL DELTA_ID_UNION delta_id_union;
3496 * IDL DELTA_UNION delta_union;
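/*
 * Dissect one DELTA_ENUM: a 16-bit delta type followed by the
 * DELTA_ID_UNION and DELTA_UNION that belong to it.  The fields go under
 * an ett_DELTA_ENUM subtree, and the name of the delta type is appended
 * to the subtree's label.  Returns the offset following the structure.
 *
 * NOTE(review): the listing this was taken from omits its short lines;
 * the declaration of `type`, the parent_tree guard and the label text
 * "DELTA_ENUM:" are restored by analogy with the visible code -- confirm
 * them against the complete file.
 */
static int
netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
            packet_info *pinfo, proto_tree *parent_tree,
            guint8 *drep)
{
    proto_item *item = NULL;
    proto_tree *tree = NULL;
    int old_offset = offset;
    guint16 type;

    if (parent_tree) {
        item = proto_tree_add_text(parent_tree, tvb, offset, 0,
            "DELTA_ENUM:");
        tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
    }

    offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
        hf_netlogon_delta_type, &type);

    /*
     * proto_item_append_text() takes a printf-style format.  The looked-up
     * name is passed as an argument to a literal "%s" rather than as the
     * format itself, so a '%' in a table entry can never be interpreted
     * as a conversion.  `type` comes from the packet but only selects the
     * table entry; unknown values yield "Unknown".
     */
    proto_item_append_text(item, "%s",
        val_to_str(type, delta_type_vals, "Unknown"));

    offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
        pinfo, tree, drep);

    offset = netlogon_dissect_DELTA_UNION(tvb, offset,
        pinfo, tree, drep);

    /* Stretch the subtree item over everything consumed. */
    proto_item_set_len(item, offset - old_offset);
    return offset;
}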
/*
 * Dissect an array of DELTA_ENUM elements by handing
 * netlogon_dissect_DELTA_ENUM to dissect_ndr_ucarray() as the per-element
 * callback.  Returns the offset following the array.
 *
 * NOTE(review): the element count is presumably taken from the packet by
 * dissect_ndr_ucarray(); confirm that an oversized count is stopped by
 * the tvbuff bounds checks.
 */
static int
netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    guint8 *drep)
{
    return dissect_ndr_ucarray(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_DELTA_ENUM);
}
3543 * IDL typedef struct {
3544 * IDL long num_deltas;
3545 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3546 * IDL } DELTA_ENUM_ARRAY;
/*
 * Dissect a DELTA_ENUM_ARRAY: the 32-bit num_deltas count, then a unique
 * pointer whose referent is dissected by
 * netlogon_dissect_DELTA_ENUM_array.  Returns the offset following the
 * structure.
 */
static int
netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    guint8 *drep)
{
    /* The count is only displayed here; it is not stored or checked. */
    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_num_deltas, NULL);

    return dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
        "DELTA_ENUM: deltas", -1);
}
3565 * IDL long NetrDatabaseDeltas(
3566 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3567 * IDL [in][string][ref] wchar_t *computername,
3568 * IDL [in][ref] AUTHENTICATOR credential,
3569 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3570 * IDL [in] long database_id,
3571 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3572 * IDL [in] long preferredmaximumlength,
3573 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetrDatabaseDeltas request.  Fields, in wire order: the
 * server handle and computer name (ref string pointers), the credential
 * and return_authenticator AUTHENTICATOR structures, the database id, the
 * domain MODIFIED_COUNT and the maximum size.  Returns the offset
 * following the last field.
 */
static int
netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_database_id, NULL);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
        "MODIFIED_COUNT: domain modified count", -1);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrDatabaseDeltas reply: the return authenticator, the
 * domain MODIFIED_COUNT, a unique pointer to the DELTA_ENUM_ARRAY and the
 * NT status return code.  Returns the offset following the status.
 */
static int
netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
        "MODIFIED_COUNT: domain modified count", -1);

    /* The replicated account deltas themselves. */
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
        "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
3630 * IDL long NetrDatabaseSync(
3631 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3632 * IDL [in][string][ref] wchar_t *computername,
3633 * IDL [in][ref] AUTHENTICATOR credential,
3634 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3635 * IDL [in] long database_id,
3636 * IDL [in][out][ref] long sync_context,
3637 * IDL [in] long preferredmaximumlength,
3638 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetrDatabaseSync request.  Fields, in wire order: the server
 * handle and computer name (ref string pointers), the credential and
 * return_authenticator AUTHENTICATOR structures, the database id, the
 * sync context and the maximum size.  Returns the offset following the
 * last field.
 */
static int
netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_database_id, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_sync_context, NULL);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrDatabaseSync reply: the return authenticator, the sync
 * context, a unique pointer to the DELTA_ENUM_ARRAY and the NT status
 * return code.  Returns the offset following the status.
 */
static int
netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
        "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
3694 * IDL typedef struct {
3695 * IDL char computer_name[16];
3696 * IDL long timecreated;
3697 * IDL long serial_number;
/*
 * Dissect a UAS_INFO_0: a fixed 16-byte computer name, a 4-byte creation
 * time that is shown only as a placeholder text, and a 32-bit serial
 * number.
 *
 * NOTE(review): this listing omits the function's short lines, including
 * whatever advances `offset` past the 16-byte and 4-byte fields and the
 * early exit inside the conformant_run check; confirm against the
 * complete file.
 * NOTE(review): the name is added with a fixed length of 16 taken from
 * the IDL, not from the packet; a truncated packet presumably ends in the
 * usual tvbuff bounds exception -- confirm.
 */
3701 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3702 packet_info *pinfo, proto_tree *tree,
/* Per-call DCE/RPC state kept in pinfo->private_data. */
3707 di=pinfo->private_data;
3708 if(di->conformant_run){
3709 /*just a run to handle conformant arrays, nothing to dissect */
/* computer_name[16] from the IDL: exactly 16 bytes starting at offset. */
3713 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
/* timecreated: the 4 bytes are highlighted but not decoded. */
3716 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3719 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3720 hf_netlogon_serial_number, NULL);
/*
 * Dissect a single byte, displayed as hf_netlogon_unknown_char.  Used as
 * the per-element callback of netlogon_dissect_BYTE_array.  Returns the
 * offset following the byte.
 */
static int
netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    guint8 *drep)
{
    return dissect_ndr_uint8(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect an array of bytes by handing netlogon_dissect_BYTE_byte to
 * dissect_ndr_ucarray() as the per-element callback, so every byte
 * becomes its own tree item.  Returns the offset following the array.
 *
 * NOTE(review): the element count is presumably taken from the packet by
 * dissect_ndr_ucarray(); confirm that an oversized count is stopped by
 * the tvbuff bounds checks rather than producing one item per claimed
 * byte.
 */
static int
netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    guint8 *drep)
{
    return dissect_ndr_ucarray(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_BYTE_byte);
}
3749 * IDL long NetrAccountDeltas(
3750 * IDL [in][string][unique] wchar_t *logonserver,
3751 * IDL [in][string][ref] wchar_t *computername,
3752 * IDL [in][ref] AUTHENTICATOR credential,
3753 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3754 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3755 * IDL [out][ref] long count_returned,
3756 * IDL [out][ref] long total_entries,
3757 * IDL [in][out][ref] UAS_INFO_0 recordid,
3758 * IDL [in][long] count,
3759 * IDL [in][long] level,
3760 * IDL [in][long] buffersize,
/*
 * Dissect a NetrAccountDeltas request.  Fields, in wire order: the logon
 * server handle, the computer name (ref string pointer), the credential
 * and return_authenticator AUTHENTICATOR structures, the UAS_INFO_0
 * record id, then the count, level and maximum size.  Returns the offset
 * following the last field.
 */
static int
netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, drep);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
        "UAS_INFO_0: RecordID", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_count, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_level, NULL);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrAccountDeltas reply: the return authenticator, the
 * returned byte buffer, the count and entries values, the UAS_INFO_0
 * record id and the NT status return code.  Returns the offset following
 * the status.
 */
static int
netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    /* Buffer is shown byte by byte; its contents are not interpreted. */
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_BYTE_array, NDR_POINTER_REF,
        "BYTE_array: Buffer", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_count, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_entries, NULL);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
        "UAS_INFO_0: RecordID", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
3826 * IDL long NetrAccountSync(
3827 * IDL [in][string][unique] wchar_t *logonserver,
3828 * IDL [in][string][ref] wchar_t *computername,
3829 * IDL [in][ref] AUTHENTICATOR credential,
3830 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3831 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3832 * IDL [out][ref] long count_returned,
3833 * IDL [out][ref] long total_entries,
3834 * IDL [out][ref] long next_reference,
3835 * IDL [in][long] reference,
3836 * IDL [in][long] level,
3837 * IDL [in][long] buffersize,
3838 * IDL [in][out][ref] UAS_INFO_0 recordid,
/*
 * Dissect a NetrAccountSync request.  Fields, in wire order: the logon
 * server handle, the computer name (ref string pointer), the credential
 * and return_authenticator AUTHENTICATOR structures, then the reference,
 * level and maximum size.  Returns the offset following the last field.
 *
 * NOTE(review): the IDL comment for NetrAccountSync marks recordid as
 * [in][out], but no UAS_INFO_0 is dissected in this request, whereas
 * netlogon_dissect_netraccountdeltas_rqst does dissect one -- confirm
 * against a capture.
 */
static int
netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, drep);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_reference, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_level, NULL);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrAccountSync reply: the return authenticator, the returned
 * byte buffer, the count, entries and next-reference values, the
 * UAS_INFO_0 record id and the NT status return code.  Returns the offset
 * following the status.
 */
static int
netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    /* Buffer is shown byte by byte; its contents are not interpreted. */
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_BYTE_array, NDR_POINTER_REF,
        "BYTE_array: Buffer", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_count, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_entries, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_next_reference, NULL);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
        "UAS_INFO_0: RecordID", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
3903 * IDL long NetrGetDcName(
3904 * IDL [in][ref][string] wchar_t *logon_server,
3905 * IDL [in][unique][string] wchar_t *domainname,
3906 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect a NetrGetDcName request: the server handle (ref string
 * pointer) and the domain name (unique string pointer).  Returns the
 * offset following the domain name.
 */
static int
netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);

    return dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
}
/*
 * Dissect a NetrGetDcName reply: the returned DC name (unique string
 * pointer) and the NT status return code.  Returns the offset following
 * the status.
 *
 * NOTE(review): the pointer is labelled "Domain" although the field it
 * fills is hf_netlogon_dc_name; the label looks copied from the request.
 */
static int
netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
3937 * IDL typedef struct {
3939 * IDL long pdc_connection_status;
3940 * IDL } NETLOGON_INFO_1;
/*
 * Dissect a NETLOGON_INFO_1: two 32-bit values, the flags and the PDC
 * connection status.  Returns the offset following the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    guint8 *drep)
{
    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_flags, NULL);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_pdc_connection_status, NULL);
}
3958 * IDL typedef struct {
3960 * IDL long pdc_connection_status;
3961 * IDL [unique][string] wchar_t trusted_dc_name;
3962 * IDL long tc_connection_status;
3963 * IDL } NETLOGON_INFO_2;
/*
 * Dissect a NETLOGON_INFO_2: the flags, the PDC connection status, the
 * trusted DC name (unique string pointer) and the trusted-connection
 * status.  Returns the offset following the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    guint8 *drep)
{
    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_pdc_connection_status, NULL);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_UNIQUE, "Trusted DC Name",
        hf_netlogon_trusted_dc_name, 0);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_tc_connection_status, NULL);
}
3988 * IDL typedef struct {
3990 * IDL long logon_attempts;
3991 * IDL long reserved;
3992 * IDL long reserved;
3993 * IDL long reserved;
3994 * IDL long reserved;
3995 * IDL long reserved;
3996 * IDL } NETLOGON_INFO_3;
/*
 * Dissect a NETLOGON_INFO_3: the flags, the logon attempt counter and
 * five reserved 32-bit values.  Returns the offset following the
 * structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree,
    guint8 *drep)
{
    int reserved_idx;

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_flags, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_logon_attempts, NULL);

    /* The five trailing "long reserved" members of the IDL struct. */
    for (reserved_idx = 0; reserved_idx < 5; reserved_idx++) {
        offset = dissect_ndr_uint32(
            tvb, offset, pinfo, tree, drep,
            hf_netlogon_reserved, NULL);
    }

    return offset;
}
4029 * IDL typedef [switch_type(long)] union {
4030 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
4031 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
4032 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
4033 * IDL } CONTROL_QUERY_INFORMATION;
/*
 * Dissect a CONTROL_QUERY_INFORMATION union: a 32-bit level followed by a
 * unique pointer to the NETLOGON_INFO_1, _2 or _3 structure for that
 * level.
 *
 * NOTE(review): this listing omits the function's short lines (return
 * type, braces, the branch on `level` and its labels).  The three pointer
 * reads below line up with cases 1-3 of the IDL comment above; confirm
 * against the complete file.
 * NOTE(review): `level` is taken from the packet; no fallback branch is
 * visible here, so confirm that an unlisted level simply reads nothing.
 */
4036 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
4037 packet_info *pinfo, proto_tree *tree,
/* Union discriminant, stored in `level`. */
4042 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4043 hf_netlogon_level, &level);
/* One unique pointer per information level. */
4048 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4049 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
4050 "NETLOGON_INFO_1:", -1);
4053 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4054 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
4055 "NETLOGON_INFO_2:", -1);
4058 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4059 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
4060 "NETLOGON_INFO_3:", -1);
4069 * IDL long NetrLogonControl(
4070 * IDL [in][string][unique] wchar_t *logonserver,
4071 * IDL [in] long function_code,
4072 * IDL [in] long level,
4073 * IDL [out][ref] CONTROL_QUERY_INFORMATION
/*
 * Dissect a NetrLogonControl request: the logon server handle, the
 * function code and the information level.  Returns the offset following
 * the level.
 */
static int
netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, drep);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_code, NULL);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_level, NULL);
}
/*
 * Dissect a NetrLogonControl reply: a ref pointer to the
 * CONTROL_QUERY_INFORMATION union and the NT status return code.
 * Returns the offset following the status.
 */
static int
netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
        "CONTROL_QUERY_INFORMATION:", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
4107 * IDL long NetrGetAnyDCName(
4108 * IDL [in][unique][string] wchar_t *logon_server,
4109 * IDL [in][unique][string] wchar_t *domainname,
4110 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect a NetrGetAnyDCName request: the server handle and the domain
 * name, both unique string pointers.  Returns the offset following the
 * domain name.
 */
static int
netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_UNIQUE, "Server Handle",
        hf_netlogon_logonsrv_handle, 0);

    return dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
}
/*
 * Dissect a NetrGetAnyDCName reply: the returned DC name (unique string
 * pointer) and the NT status return code.  Returns the offset following
 * the status.
 *
 * NOTE(review): the pointer is labelled "Domain" although the field it
 * fills is hf_netlogon_dc_name; the label looks copied from the request.
 */
static int
netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
4141 * IDL typedef [switch_type(long)] union {
4142 * IDL [case(5)] [unique][string] wchar_t *unknown;
4143 * IDL [case(6)] [unique][string] wchar_t *unknown;
4144 * IDL [case(0xfffe)] long unknown;
4145 * IDL [case(7)] [unique][string] wchar_t *unknown;
4146 * IDL } CONTROL_DATA_INFORMATION;
4149 * According to muddle, this is what CONTROL_DATA_INFORMATION is supposed
4150 * to look like. However, NetMon does not recognize any such information levels.
4152 * I'll leave it as CONTROL_DATA_INFORMATION with no information levels
4153 * until someone has a source of better authority to call upon.
/*
 * Dissect a CONTROL_DATA_INFORMATION union: a 32-bit level followed by a
 * level-dependent value, either a unique string pointer or a 32-bit
 * integer, all displayed through the generic "unknown" fields.
 *
 * NOTE(review): this listing omits the function's short lines (return
 * type, braces, the branch on `level` and its labels).  The four reads
 * below line up, in order, with cases 5, 6, 0xfffe and 7 of the IDL
 * comment above; confirm against the complete file.
 * NOTE(review): `level` is taken from the packet; no fallback branch is
 * visible here, so confirm that an unlisted level simply reads nothing.
 */
4156 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
4157 packet_info *pinfo, proto_tree *tree,
/* Union discriminant, stored in `level`. */
4162 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4163 hf_netlogon_level, &level);
/* Two string-pointer forms. */
4168 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4169 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4170 hf_netlogon_unknown_string, 0);
4173 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4174 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4175 hf_netlogon_unknown_string, 0);
/* The single integer form. */
4178 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4179 hf_netlogon_unknown_long, NULL);
/* A third string-pointer form. */
4182 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4183 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4184 hf_netlogon_unknown_string, 0);
4193 * IDL long NetrLogonControl2(
4194 * IDL [in][string][unique] wchar_t *logonserver,
4195 * IDL [in] long function_code,
4196 * IDL [in] long level,
4197 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4198 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Dissect a NetrLogonControl2 request: the logon server handle, the
 * function code, the information level and a ref pointer to the
 * CONTROL_DATA_INFORMATION union.  Returns the offset following the
 * union.
 */
static int
netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, drep);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_level, NULL);

    return dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
        "CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect a NetrLogonControl2 reply: a ref pointer to the
 * CONTROL_QUERY_INFORMATION union and the NT status return code.
 * Returns the offset following the status.
 */
static int
netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
        "CONTROL_QUERY_INFORMATION:", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
4237 * IDL long NetrServerAuthenticate2(
4238 * IDL [in][string][unique] wchar_t *logonserver,
4239 * IDL [in][ref][string] wchar_t *username,
4240 * IDL [in] short secure_channel_type,
4241 * IDL [in][ref][string] wchar_t *computername,
4242 * IDL [in][ref] CREDENTIAL *client_chal,
4243 * IDL [out][ref] CREDENTIAL *server_chal,
4244 * IDL [in][out][ref] long *negotiate_flags,
/*
 * Dissect a NetrServerAuthenticate2 request.  Fields, in wire order: the
 * logon server handle, the account name, the secure channel type, the
 * computer name, the client challenge CREDENTIAL and the negotiate
 * flags.  Returns the offset following the flags.
 *
 * The negotiate flags are shown as one 32-bit value; this function does
 * not break them out into individual bits, so the capabilities offered by
 * the client have to be read from the raw value.
 */
static int
netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, drep);

    /*
     * The account name goes through cb_wstr_postprocess with
     * CB_STR_COL_INFO set (NOTE(review): presumably this also copies the
     * name into the Info column -- confirm).
     */
    offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
        dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
        "User Name", hf_netlogon_acct_name,
        cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));

    offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
        pinfo, tree, drep);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
        "CREDENTIAL: client_chal", -1);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_neg_flags, NULL);
}
/*
 * Dissect a NetrServerAuthenticate2 reply: the server challenge
 * CREDENTIAL, the negotiate flags returned by the server and the NT
 * status return code.  Returns the offset following the status.
 *
 * As in the request, the negotiate flags are shown as one 32-bit value
 * and are not decoded into individual bits here.
 */
static int
netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
        "CREDENTIAL: server_chal", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_neg_flags, NULL);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
4295 * IDL long NetrDatabaseSync2(
4296 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4297 * IDL [in][string][ref] wchar_t *computername,
4298 * IDL [in][ref] AUTHENTICATOR credential,
4299 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4300 * IDL [in] long database_id,
4301 * IDL [in] short restart_state,
4302 * IDL [in][out][ref] long *sync_context,
4303 * IDL [in] long preferredmaximumlength,
4304 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetrDatabaseSync2 request.  Fields, in wire order: the server
 * handle and computer name (ref string pointers), the credential and
 * return_authenticator AUTHENTICATOR structures, the database id, the
 * 16-bit restart state, the sync context and the maximum size.  Returns
 * the offset following the last field.
 */
static int
netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_database_id, NULL);

    /* restart_state is the only 16-bit field of this request. */
    offset = dissect_ndr_uint16(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_restart_state, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_sync_context, NULL);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrDatabaseSync2 reply: the return authenticator, the sync
 * context, a unique pointer to the DELTA_ENUM_ARRAY and the NT status
 * return code.  Returns the offset following the status.
 */
static int
netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_sync_context, NULL);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
        "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
4363 * IDL long NetrDatabaseRedo(
4364 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4365 * IDL [in][string][ref] wchar_t *computername,
4366 * IDL [in][ref] AUTHENTICATOR credential,
4367 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4368 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
4369 * IDL [in] long change_log_entry_size,
4370 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect a NetrDatabaseRedo request.  Fields, in wire order: the server
 * handle and computer name (ref string pointers), the credential and
 * return_authenticator AUTHENTICATOR structures, the change log entry as
 * a byte array, and a 32-bit size displayed as hf_netlogon_max_log_size.
 * Returns the offset following the last field.
 */
static int
netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);

    offset = dissect_ndr_str_pointer_item(
        tvb, offset, pinfo, tree, drep,
        NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: credential", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    /* The entry is shown byte by byte; its contents are not interpreted. */
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_BYTE_array, NDR_POINTER_REF,
        "Change log entry: ", -1);

    return dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_max_log_size, NULL);
}
/*
 * Dissect a NetrDatabaseRedo reply: the return authenticator, a unique
 * pointer to the DELTA_ENUM_ARRAY and the NT status return code.
 * Returns the offset following the status.
 */
static int
netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
        "AUTHENTICATOR: return_authenticator", -1);

    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
        "DELTA_ENUM_ARRAY: deltas", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
4421 * IDL long NetrLogonControl2Ex(
4422 * IDL [in][string][unique] wchar_t *logonserver,
4423 * IDL [in] long function_code,
4424 * IDL [in] long level,
4425 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4426 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Dissect a NetrLogonControl2Ex request: the logon server handle, the
 * function code, the information level and a ref pointer to the
 * CONTROL_DATA_INFORMATION union.  Returns the offset following the
 * union.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
        pinfo, tree, drep);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_code, NULL);

    offset = dissect_ndr_uint32(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_level, NULL);

    return dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
        "CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect a NetrLogonControl2Ex reply: a ref pointer to the
 * CONTROL_QUERY_INFORMATION union and the NT status return code.
 * Returns the offset following the status.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
    packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
    offset = dissect_ndr_pointer(
        tvb, offset, pinfo, tree, drep,
        netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
        "CONTROL_QUERY_INFORMATION:", -1);

    return dissect_ntstatus(
        tvb, offset, pinfo, tree, drep,
        hf_netlogon_rc, NULL);
}
/*
 * Display names for trust type codes.
 * NOTE(review): the entries of this table are not visible in this
 * listing.
 */
4465 static const value_string trust_type_vals[] = {
/* Address-type codes and the display names used for them. */
4473 #define DS_INET_ADDRESS 1
4474 #define DS_NETBIOS_ADDRESS 2
4475 static const value_string dc_address_types[] = {
4476 { DS_INET_ADDRESS, "IP/DNS name" },
4477 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
/*
 * NOTE(review): a value_string table needs a terminating { 0, NULL } entry
 * for lookups to stop; it is not visible in this listing -- confirm it is
 * present in the complete file.
 */
/* Bit values of the 32-bit domain trust flags mask. */
4482 #define DS_DOMAIN_IN_FOREST 0x0001
4483 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4484 #define DS_DOMAIN_TREE_ROOT 0x0004
4485 #define DS_DOMAIN_PRIMARY 0x0008
4486 #define DS_DOMAIN_NATIVE_MODE 0x0010
4487 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
/*
 * Text pairs (bit set, bit clear) for the trust flag fields.
 * NOTE(review): which table is attached to which bit is decided where the
 * hf_netlogon_trust_flags_* fields are registered, outside this listing;
 * presumably each pairs with the DS_DOMAIN_* bit of the same name.
 */
4488 static const true_false_string trust_inbound = {
4489 "There is a DIRECT INBOUND trust for the servers domain",
4490 "There is NO direct inbound trust for the servers domain"
4492 static const true_false_string trust_outbound = {
4493 "There is a DIRECT OUTBOUND trust for this domain",
4494 "There is NO direct outbound trust for this domain"
/*
 * NOTE(review): the "clear" text below speaks of the server's domain
 * where the "set" text speaks of its forest; looks like a wording slip.
 */
4496 static const true_false_string trust_in_forest = {
4497 "The domain is a member IN the same FOREST as the queried server",
4498 "The domain is NOT a member of the queried servers domain"
4500 static const true_false_string trust_native_mode = {
4501 "The primary domain is a NATIVE MODE w2k domain",
4502 "The primary is NOT a native mode w2k domain"
4504 static const true_false_string trust_primary = {
4505 "The domain is the PRIMARY domain of the queried server",
4506 "The domain is NOT the primary domain of the queried server"
4508 static const true_false_string trust_tree_root = {
4509 "The domain is the ROOT of a domain TREE",
4510 "The domain is NOT a root of a domain tree"
/*
 * Dissects the 32-bit domain trust flags word: the raw value is added as
 * hf_netlogon_trust_flags and one boolean item per flag is added under an
 * ett_trust_flags subtree. The value comes from the packet and is only
 * displayed here.
 */
4513 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4514 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4517 proto_item *item = NULL;
4518 proto_tree *tree = NULL;
/* NOTE(review): di is dereferenced without a NULL check; presumably the
 * DCE/RPC layer always sets pinfo->private_data before calling - confirm. */
4521 di=pinfo->private_data;
4522 if(di->conformant_run){
4523 /*just a run to handle conformant arrays, nothing to dissect */
/* Read the mask with a NULL tree so this call adds no item; the item is
 * created below and points back at the 4 bytes just consumed (offset-4). */
4527 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4528 hf_netlogon_trust_flags, &mask);
4531 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4532 tvb, offset-4, 4, mask);
4533 tree = proto_item_add_subtree(item, ett_trust_flags);
/* Every boolean item receives the full mask and covers the same 4 bytes. */
4536 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4537 tvb, offset-4, 4, mask);
4538 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4539 tvb, offset-4, 4, mask);
4540 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4541 tvb, offset-4, 4, mask);
4542 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4543 tvb, offset-4, 4, mask);
4544 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4545 tvb, offset-4, 4, mask);
4546 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4547 tvb, offset-4, 4, mask);
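/* Bit values of the 32-bit GetDcName request flags word. */
#define DS_FORCE_REDISCOVERY		0x00000001
#define DS_DIRECTORY_SERVICE_REQUIRED	0x00000010
#define DS_DIRECTORY_SERVICE_PREFERRED	0x00000020
#define DS_GC_SERVER_REQUIRED		0x00000040
#define DS_PDC_REQUIRED			0x00000080
#define DS_BACKGROUND_ONLY		0x00000100
#define DS_IP_REQUIRED			0x00000200
#define DS_KDC_REQUIRED			0x00000400
#define DS_TIMESERV_REQUIRED		0x00000800
#define DS_WRITABLE_REQUIRED		0x00001000
#define DS_GOOD_TIMESERV_PREFERRED	0x00002000
#define DS_AVOID_SELF			0x00004000
#define DS_ONLY_LDAP_NEEDED		0x00008000
#define DS_IS_FLAT_NAME			0x00010000
#define DS_IS_DNS_NAME			0x00020000
#define DS_RETURN_DNS_NAME		0x40000000
#define DS_RETURN_FLAT_NAME		0x80000000

/*
 * Display strings for the request flag bits: the first string is shown when
 * the bit is set, the second when it is clear. Four strings had spelling
 * errors ("DIRECRTORY", "cahced", "requrned", "ther"), which also defeat a
 * text search of the decoded output; they are corrected here.
 */
static const true_false_string get_dcname_request_flags_force_rediscovery = {
	"FORCE REDISCOVERY of any cached data",
	"You may return cached data"
};
static const true_false_string get_dcname_request_flags_directory_service_required = {
	"DIRECTORY SERVICE is REQUIRED on the server",
	"We do NOT require directory service servers"
};
static const true_false_string get_dcname_request_flags_directory_service_preferred = {
	"DIRECTORY SERVICE servers are PREFERRED",
	"We do NOT have a preference for directory service servers"
};
static const true_false_string get_dcname_request_flags_gc_server_required = {
	"GC SERVER is REQUIRED",
	"gc server is NOT required"
};
static const true_false_string get_dcname_request_flags_pdc_required = {
	"PDC SERVER is REQUIRED",
	"pdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_background_only = {
	"Only return cached data, even if it has expired",
	"Return cached data unless it has expired"
};
static const true_false_string get_dcname_request_flags_ip_required = {
	"IP address is REQUIRED",
	"ip address is NOT required"
};
static const true_false_string get_dcname_request_flags_kdc_required = {
	"KDC server is REQUIRED",
	"kdc server is NOT required"
};
static const true_false_string get_dcname_request_flags_timeserv_required = {
	"TIMESERV service is REQUIRED",
	"timeserv service is NOT required"
};
static const true_false_string get_dcname_request_flags_writable_required = {
	"the returned dc MUST be WRITEABLE",
	"a read-only dc may be returned"
};
static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
	"GOOD TIMESERV servers are PREFERRED",
	"we do NOT have a preference for good timeserv servers"
};
static const true_false_string get_dcname_request_flags_avoid_self = {
	"do NOT return self as dc, return someone else",
	"you may return yourSELF as the dc"
};
static const true_false_string get_dcname_request_flags_only_ldap_needed = {
	"we ONLY NEED LDAP, you dont have to return a dc",
	"we need a normal dc, an ldap only server will not do"
};
static const true_false_string get_dcname_request_flags_is_flat_name = {
	"the name we specify is a NetBIOS name",
	"the name we specify is NOT a NetBIOS name"
};
static const true_false_string get_dcname_request_flags_is_dns_name = {
	"the name we specify is a DNS name",
	"the name we specify is NOT a dns name"
};
static const true_false_string get_dcname_request_flags_return_dns_name = {
	"return a DNS name",
	"you may return a NON-dns name"
};
static const true_false_string get_dcname_request_flags_return_flat_name = {
	"return a NetBIOS name",
	"you may return a NON-NetBIOS name"
};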
/*
 * Dissects the 32-bit GetDcName request flags word: the raw value is added
 * as hf_netlogon_get_dcname_request_flags and one boolean item per flag is
 * added under an ett_get_dcname_request_flags subtree. The value comes from
 * the packet and is only displayed here.
 */
4639 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4640 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4643 proto_item *item = NULL;
4644 proto_tree *tree = NULL;
/* NOTE(review): di is dereferenced without a NULL check; presumably the
 * DCE/RPC layer always sets pinfo->private_data before calling - confirm. */
4647 di=pinfo->private_data;
4648 if(di->conformant_run){
4649 /*just a run to handle conformant arrays, nothing to dissect */
/* Read the mask with a NULL tree so this call adds no item; the item is
 * created below and points back at the 4 bytes just consumed (offset-4). */
4653 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4654 hf_netlogon_get_dcname_request_flags, &mask);
4657 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4658 tvb, offset-4, 4, mask);
4659 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
/* Every boolean item receives the full mask and covers the same 4 bytes. */
4662 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4663 tvb, offset-4, 4, mask);
4664 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4665 tvb, offset-4, 4, mask);
4666 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4667 tvb, offset-4, 4, mask);
4668 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4669 tvb, offset-4, 4, mask);
4670 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4671 tvb, offset-4, 4, mask);
4672 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4673 tvb, offset-4, 4, mask);
4674 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4675 tvb, offset-4, 4, mask);
4676 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4677 tvb, offset-4, 4, mask);
4678 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4679 tvb, offset-4, 4, mask);
4680 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4681 tvb, offset-4, 4, mask);
4682 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4683 tvb, offset-4, 4, mask);
4684 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4685 tvb, offset-4, 4, mask);
4686 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4687 tvb, offset-4, 4, mask);
4688 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4689 tvb, offset-4, 4, mask);
4690 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4691 tvb, offset-4, 4, mask);
4692 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4693 tvb, offset-4, 4, mask);
4694 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4695 tvb, offset-4, 4, mask);
/* Bit values of the 32-bit domain controller flags word. */
4702 #define DS_PDC_FLAG 0x00000001
4703 #define DS_GC_FLAG 0x00000004
4704 #define DS_LDAP_FLAG 0x00000008
4705 #define DS_DS_FLAG 0x00000010
4706 #define DS_KDC_FLAG 0x00000020
4707 #define DS_TIMESERV_FLAG 0x00000040
4708 #define DS_CLOSEST_FLAG 0x00000080
4709 #define DS_WRITABLE_FLAG 0x00000100
4710 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4711 #define DS_NDNC_FLAG 0x00000400
4712 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4713 #define DS_DNS_DOMAIN_FLAG 0x40000000
4714 #define DS_DNS_FOREST_FLAG 0x80000000
/* Display strings for the DC flag bits: first string when the bit is set,
 * second when it is clear. The closing lines of each table are not shown
 * in this listing. */
4715 static const true_false_string dc_flags_pdc_flag = {
4716 "this is the PDC of the domain",
4717 "this is NOT the pdc of the domain"
4719 static const true_false_string dc_flags_gc_flag = {
4720 "this is the GC of the forest",
4721 "this is NOT the gc of the forest"
4723 static const true_false_string dc_flags_ldap_flag = {
4724 "this is an LDAP server",
4725 "this is NOT an ldap server"
4727 static const true_false_string dc_flags_ds_flag = {
4728 "this is a DS server",
4729 "this is NOT a ds server"
4731 static const true_false_string dc_flags_kdc_flag = {
4732 "this is a KDC server",
4733 "this is NOT a kdc server"
4735 static const true_false_string dc_flags_timeserv_flag = {
4736 "this is a TIMESERV server",
4737 "this is NOT a timeserv server"
4739 static const true_false_string dc_flags_closest_flag = {
4740 "this is the CLOSEST server",
4741 "this is NOT the closest server"
4743 static const true_false_string dc_flags_writable_flag = {
4744 "this server has a WRITABLE ds database",
4745 "this server has a READ-ONLY ds database"
4747 static const true_false_string dc_flags_good_timeserv_flag = {
4748 "this server is a GOOD TIMESERV server",
4749 "this is NOT a good timeserv server"
/* The two strings of dc_flags_ndnc_flag are not shown in this listing. */
4751 static const true_false_string dc_flags_ndnc_flag = {
4755 static const true_false_string dc_flags_dns_controller_flag = {
4756 "DomainControllerName is a DNS name",
4757 "DomainControllerName is NOT a dns name"
4759 static const true_false_string dc_flags_dns_domain_flag = {
4760 "DomainName is a DNS name",
4761 "DomainName is NOT a dns name"
4763 static const true_false_string dc_flags_dns_forest_flag = {
4764 "DnsForestName is a DNS name",
4765 "DnsForestName is NOT a dns name"
/*
 * Dissects the 32-bit domain controller flags word: the raw value is added
 * with a formatted label and one boolean item per flag is added under an
 * ett_dc_flags subtree. The value comes from the packet and is only
 * displayed here.
 */
4768 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4769 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4772 proto_item *item = NULL;
4773 proto_tree *tree = NULL;
/* NOTE(review): di is dereferenced without a NULL check; presumably the
 * DCE/RPC layer always sets pinfo->private_data before calling - confirm. */
4776 di=pinfo->private_data;
4777 if(di->conformant_run){
4778 /*just a run to handle conformant arrays, nothing to dissect */
/* Read the mask with a NULL tree so this call adds no item; the item is
 * created below and points back at the 4 bytes just consumed (offset-4). */
4782 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4783 hf_netlogon_dc_flags, &mask);
/* A mask of exactly 0x0000ffff is labelled "PING" in the item text. */
4786 item = proto_tree_add_uint_format(parent_tree, hf_netlogon_dc_flags,
4787 tvb, offset-4, 4, mask, "Domain Controller Flags: 0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4788 tree = proto_item_add_subtree(item, ett_dc_flags);
/* Every boolean item receives the full mask and covers the same 4 bytes. */
4791 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4792 tvb, offset-4, 4, mask);
4793 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4794 tvb, offset-4, 4, mask);
4795 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4796 tvb, offset-4, 4, mask);
4797 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4798 tvb, offset-4, 4, mask);
4799 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4800 tvb, offset-4, 4, mask);
4801 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4802 tvb, offset-4, 4, mask);
4803 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4804 tvb, offset-4, 4, mask);
4805 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4806 tvb, offset-4, 4, mask);
4807 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4808 tvb, offset-4, 4, mask);
4809 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4810 tvb, offset-4, 4, mask);
4811 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4812 tvb, offset-4, 4, mask);
4813 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4814 tvb, offset-4, 4, mask);
4815 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4816 tvb, offset-4, 4, mask);
/*
 * Pointer callback that dissects one uint32, using the hf index carried in
 * di->hf_index rather than a fixed field (presumably set by the pointer
 * machinery from the caller's hf argument - confirm).
 */
4824 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4825 packet_info *pinfo, proto_tree *tree,
4830 di=pinfo->private_data;
4831 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4832 di->hf_index, NULL);
/*
 * Pointer callback that dissects one uint8, using the hf index carried in
 * di->hf_index rather than a fixed field.
 */
4837 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4838 packet_info *pinfo, proto_tree *tree,
4843 di=pinfo->private_data;
4844 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4845 di->hf_index, NULL);
/* Element callback for the UNICODE_MULTI array: one uint8 shown as
 * hf_netlogon_unknown_char. */
4850 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4851 packet_info *pinfo, proto_tree *tree,
4854 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4855 hf_netlogon_unknown_char, NULL);
/* Dissects the UNICODE_MULTI payload as an array whose elements are handled
 * by netlogon_dissect_UNICODE_MULTI_byte. */
4861 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4862 packet_info *pinfo, proto_tree *tree,
4865 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4866 netlogon_dissect_UNICODE_MULTI_byte);
/*
 * Dissects a UNICODE_MULTI structure: a uint32 length followed by a unique
 * pointer to the byte array, grouped under an ett_UNICODE_MULTI subtree.
 * The text item's label line is not shown in this listing.
 */
4872 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4873 packet_info *pinfo, proto_tree *parent_tree,
4876 proto_item *item=NULL;
4877 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
4878 int old_offset=offset;
4881 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4883 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4886 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4887 hf_netlogon_len, NULL);
4889 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4890 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4891 "unknown", hf_netlogon_unknown_string);
4893 proto_item_set_len(item, offset-old_offset);
/* Dissects a GUID by delegating to dissect_ndr_uuid_t with hf_netlogon_guid. */
4898 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4899 packet_info *pinfo, proto_tree *tree,
4902 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
/*
 * Dissects a DOMAIN_CONTROLLER_INFO structure under its own subtree, in
 * wire order: DC name, DC address, address type, a GUID, logon domain, DNS
 * forest name, DC flags, DC site and client site. All values are taken from
 * the packet and displayed as-is.
 */
4908 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4909 packet_info *pinfo, proto_tree *parent_tree,
4912 proto_item *item=NULL;
4913 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
4914 int old_offset=offset;
4917 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4918 "DOMAIN_CONTROLLER_INFO:");
4919 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4922 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4923 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
4925 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4926 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
4928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4929 hf_netlogon_dc_address_type, NULL);
/* The remaining arguments of this call are not shown in this listing. */
4931 offset = dissect_nt_GUID(tvb, offset,
4934 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4935 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
4937 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4938 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
4940 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
4942 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4943 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
4945 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4946 NDR_POINTER_UNIQUE, "Client Site",
4947 hf_netlogon_client_site_name, 0);
4949 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects the body of a BLOB: a uint32 size read into len, then len bytes
 * added to the tree as hf_netlogon_blob.
 * NOTE(review): len comes straight from the packet and is used as the item
 * length with no bounds check visible in this listing. In the full file,
 * verify that whatever advances offset past the blob cannot wrap the signed
 * int offset for a large len, and that the length is checked against the
 * tvb even when tree is NULL (the tree helper may skip validation then -
 * confirm). The tail of this function is not shown here.
 */
4954 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4955 packet_info *pinfo, proto_tree *tree,
/* NOTE(review): di is dereferenced without a NULL check - confirm the
 * caller always sets pinfo->private_data. */
4961 di=pinfo->private_data;
4962 if(di->conformant_run){
4963 /*just a run to handle conformant arrays, nothing to dissect.*/
4967 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4968 hf_netlogon_blob_size, &len);
4970 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
/*
 * Dissects a BLOB structure under an ett_BLOB subtree: a uint32 size
 * followed by a unique pointer whose referent is handled by
 * netlogon_dissect_BLOB_array. The text label and the end of the pointer
 * call are not shown in this listing.
 */
4978 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4979 packet_info *pinfo, proto_tree *parent_tree,
4982 proto_item *item=NULL;
4983 proto_tree *tree=NULL;
4986 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4988 tree = proto_item_add_subtree(item, ett_BLOB);
/* This size is displayed only; the array callback reads its own size field. */
4991 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4992 hf_netlogon_blob_size, NULL);
4994 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4995 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
/*
 * Dissects a DOMAIN_TRUST_INFO structure under its own subtree: an LSA
 * POLICY_DNS_DOMAIN_INFO block, then four counted strings and four uint32
 * values whose meaning is unknown (the original author marks them as
 * guesses).
 */
5002 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
5003 packet_info *pinfo, proto_tree *parent_tree,
5006 proto_item *item=NULL;
5007 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
5008 int old_offset=offset;
5011 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5012 "DOMAIN_TRUST_INFO:");
5013 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
5017 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
5019 /* Guesses at best. */
5020 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5021 hf_netlogon_unknown_string, 0);
5023 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5024 hf_netlogon_unknown_string, 0);
5026 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5027 hf_netlogon_unknown_string, 0);
5029 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5030 hf_netlogon_unknown_string, 0);
5032 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5033 hf_netlogon_unknown_long, NULL);
5035 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5036 hf_netlogon_unknown_long, NULL);
5038 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5039 hf_netlogon_unknown_long, NULL);
5041 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5042 hf_netlogon_unknown_long, NULL);
5044 proto_item_set_len(item, offset-old_offset);
/* Dissects an array whose elements are DOMAIN_TRUST_INFO structures. */
5049 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
5050 packet_info *pinfo, proto_tree *tree,
5053 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5054 netlogon_dissect_DOMAIN_TRUST_INFO);
/*
 * Dissects a DOMAIN_QUERY_1 structure in wire order: a BLOB, the
 * workstation FQDN and site name, four unknown string pointers, four
 * counted strings (one of them the workstation OS) and four unknown uint32
 * values. The workstation identity fields are client-supplied and shown
 * as-is.
 */
5060 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
5061 packet_info *pinfo, proto_tree *tree,
/* The remaining arguments of this call are not shown in this listing. */
5064 offset = netlogon_dissect_BLOB(tvb, offset,
5067 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5068 NDR_POINTER_UNIQUE, "Workstation FQDN",
5069 hf_netlogon_workstation_fqdn, 0);
5071 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5072 NDR_POINTER_UNIQUE, "Workstation Site",
5073 hf_netlogon_workstation_site_name, 0);
5075 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5076 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5078 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5079 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5081 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5082 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5084 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5085 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5087 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5088 hf_netlogon_unknown_string, 0);
5090 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5091 hf_netlogon_workstation_os, 0);
5093 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5094 hf_netlogon_unknown_string, 0);
5096 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5097 hf_netlogon_unknown_string, 0);
5099 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5100 hf_netlogon_unknown_long, NULL);
5102 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5103 hf_netlogon_unknown_long, NULL);
5105 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5106 hf_netlogon_unknown_long, NULL);
5108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5109 hf_netlogon_unknown_long, NULL);
/*
 * Dissects a DOMAIN_INFO_1 structure in wire order: one DOMAIN_TRUST_INFO,
 * two (count, unique pointer to DOMAIN_TRUST_INFO array) pairs, the DNS
 * domain name, three unknown counted strings and four unknown uint32
 * values.
 */
5115 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
5116 packet_info *pinfo, proto_tree *tree,
5119 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
/* The counts are displayed only; they are not captured or used here. */
5121 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5122 hf_netlogon_num_trusts, NULL);
5124 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5125 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5126 "DOMAIN_TRUST_ARRAY: Trusts", -1);
5128 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5129 hf_netlogon_num_trusts, NULL);
5131 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5132 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5133 "DOMAIN_TRUST_ARRAY:", -1);
5135 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5136 hf_netlogon_dns_domain_name, 0);
5138 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5139 hf_netlogon_unknown_string, 0);
5141 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5142 hf_netlogon_unknown_string, 0);
5144 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5145 hf_netlogon_unknown_string, 0);
5147 /* These four integers appear to mirror the last four in the query. */
5148 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5149 hf_netlogon_unknown_long, NULL);
5151 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5152 hf_netlogon_unknown_long, NULL);
5154 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5155 hf_netlogon_unknown_long, NULL);
5157 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5158 hf_netlogon_unknown_long, NULL);
/*
 * Dissects a DOMAIN_INFO union: a uint32 level, then a unique pointer to
 * DOMAIN_INFO_1. How level selects the arm is not visible in this listing
 * (the branching lines are not shown).
 */
5165 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5166 packet_info *pinfo, proto_tree *tree,
5171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5172 hf_netlogon_level, &level);
5177 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5178 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
5179 "DOMAIN_INFO_1:", -1);
/*
 * Dissects a UNICODE_STRING_512 structure under its own subtree. Only one
 * uint16 and one uint32 dissection are visible in this listing; the name
 * suggests the uint16 read is repeated, presumably by a loop that is not
 * shown - confirm against the full file.
 */
5187 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
5188 packet_info *pinfo, proto_tree *parent_tree,
5191 proto_item *item=NULL;
5192 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
5193 int old_offset=offset;
5197 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5198 "UNICODE_STRING_512:");
5199 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
5203 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5204 hf_netlogon_unknown_short, NULL);
5207 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5208 hf_netlogon_unknown_long, NULL);
5210 proto_item_set_len(item, offset-old_offset);
/* Element callback: one uint8 shown as hf_netlogon_unknown_char. */
5215 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
5216 packet_info *pinfo, proto_tree *tree,
5219 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5220 hf_netlogon_unknown_char, NULL);
/* Dissects an array whose elements are handled by
 * netlogon_dissect_element_844_byte. */
5226 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
5227 packet_info *pinfo, proto_tree *tree,
5230 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5231 netlogon_dissect_element_844_byte);
/*
 * Dissects a TYPE_50 structure (layout not understood by the original
 * author) under an ett_TYPE_50 subtree: an unknown uint32 followed by a
 * unique pointer to a byte array. The text label line is not shown in this
 * listing.
 */
5237 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
5238 packet_info *pinfo, proto_tree *parent_tree,
5241 proto_item *item=NULL;
5242 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
5243 int old_offset=offset;
5246 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5248 tree = proto_item_add_subtree(item, ett_TYPE_50);
5251 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5252 hf_netlogon_unknown_long, NULL);
5254 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5255 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
5256 "unknown", hf_netlogon_unknown_string);
5258 proto_item_set_len(item, offset-old_offset);
/* Dissects a unique pointer whose referent is a TYPE_50 structure. */
5263 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
5264 packet_info *pinfo, proto_tree *tree,
5267 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5268 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
5269 "TYPE_50 pointer: unknown_TYPE_50", -1);
/*
 * Dissects one DS_DOMAIN_TRUSTS entry under its own subtree, in wire
 * order: NetBIOS name, DNS domain name, trust flags, parent index, trust
 * type, trust attributes, a SID and a GUID. Together these describe one
 * trust relationship as reported in the packet; values are displayed as-is.
 */
5275 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
5276 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5279 proto_item *item=NULL;
5280 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
5281 int old_offset=offset;
5284 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5285 "DS_DOMAIN_TRUSTS");
5286 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
5290 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5291 NDR_POINTER_UNIQUE, "NetBIOS Name",
5292 hf_netlogon_downlevel_domain_name, 0);
5295 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5296 NDR_POINTER_UNIQUE, "DNS Domain Name",
5297 hf_netlogon_dns_domain_name, 0);
5299 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
/* tmp receives each value in turn; no later use of it is visible here. */
5301 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5302 hf_netlogon_trust_parent_index, &tmp);
5304 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5305 hf_netlogon_trust_type, &tmp);
5307 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5308 hf_netlogon_trust_attribs, &tmp);
5311 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep, -1);
5314 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
5316 proto_item_set_len(item, offset-old_offset);
/* Dissects an array whose elements are DS_DOMAIN_TRUSTS entries. */
5321 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
5322 packet_info *pinfo, proto_tree *tree,
5325 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5326 netlogon_dissect_DS_DOMAIN_TRUSTS);
/* Element callback: one uint8 shown as hf_netlogon_unknown_char. */
5332 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
5333 packet_info *pinfo, proto_tree *tree,
5336 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5337 hf_netlogon_unknown_char, NULL);
/* Dissects an array whose elements are handled by
 * netlogon_dissect_element_865_byte. */
5343 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
5344 packet_info *pinfo, proto_tree *tree,
5347 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5348 netlogon_dissect_element_865_byte);
/* Element callback: one uint8 shown as hf_netlogon_unknown_char. */
5354 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
5355 packet_info *pinfo, proto_tree *tree,
5358 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5359 hf_netlogon_unknown_char, NULL);
/* Dissects an array whose elements are handled by
 * netlogon_dissect_element_866_byte. */
5365 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
5366 packet_info *pinfo, proto_tree *tree,
5369 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5370 netlogon_dissect_element_866_byte);
/*
 * Dissects a TYPE_52 structure (layout not understood by the original
 * author) under an ett_TYPE_52 subtree: an unknown uint32 followed by two
 * unique pointers to byte arrays. The text label line is not shown in this
 * listing.
 */
5376 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
5377 packet_info *pinfo, proto_tree *parent_tree,
5380 proto_item *item=NULL;
5381 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
5382 int old_offset=offset;
5385 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5387 tree = proto_item_add_subtree(item, ett_TYPE_52);
5390 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5391 hf_netlogon_unknown_long, NULL);
5393 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5394 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
5395 "unknown", hf_netlogon_unknown_string);
5397 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5398 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
5399 "unknown", hf_netlogon_unknown_string);
5401 proto_item_set_len(item, offset-old_offset);
/* Dissects a unique pointer whose referent is a TYPE_52 structure. */
5406 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
5407 packet_info *pinfo, proto_tree *tree,
5410 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5411 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5412 "TYPE_52 pointer: unknown_TYPE_52", -1);
/*
 * Dissects a TYPE_44 structure (layout not understood by the original
 * author) under an ett_TYPE_44 subtree: a uint32 level followed by an
 * unknown uint32. How level gates the second field is not visible in this
 * listing (the branching lines and the text label are not shown).
 */
5418 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5419 packet_info *pinfo, proto_tree *parent_tree,
5422 proto_item *item=NULL;
5423 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up once all fields are read. */
5424 int old_offset=offset;
5428 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5430 tree = proto_item_add_subtree(item, ett_TYPE_44);
5433 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5434 hf_netlogon_level, &level);
5439 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5440 hf_netlogon_unknown_long, NULL);
5444 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a DOMAIN_QUERY union: a uint32 level, then a unique pointer to
 * DOMAIN_QUERY_1. The two identical pointer dissections presumably belong
 * to different level values; the branching lines are not shown in this
 * listing - confirm against the full file.
 */
5449 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5450 packet_info *pinfo, proto_tree *tree,
5455 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5456 hf_netlogon_level, &level);
5461 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5462 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5463 "DOMAIN_QUERY_1:", -1);
5466 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5467 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5468 "DOMAIN_QUERY_1:", -1);
/*
 * Request dissector for netrenumeratetrusteddomains: the only field
 * visible is the server handle. The tail of the call is not shown in this
 * listing.
 */
5476 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5477 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5479 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply dissector for netrenumeratetrusteddomains: a [ref] pointer to a
 * UNICODE_MULTI holding the trusted domain name list, followed by the
 * NTSTATUS return code. In a capture this reply is where the enumerated
 * trusted domain names appear.
 */
5487 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5488 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5490 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5491 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5492 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5494 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5495 hf_netlogon_rc, NULL);
/*
 * Request dissector for dsrgetdcname, in wire order: server handle, domain
 * name, unique pointers to the domain GUID and site GUID, then a uint32
 * flags word.
 * NOTE(review): the flags are shown as a plain uint32 (hf_netlogon_flags);
 * the bit-level netlogon_dissect_GET_DCNAME_REQUEST_FLAGS helper defined in
 * this file is not used here - confirm whether that is intended.
 */
5501 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5502 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5504 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5507 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5508 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5510 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5511 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5512 "GUID pointer: domain_guid", -1);
5514 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5515 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5516 "GUID pointer: site_guid", -1);
5518 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5519 hf_netlogon_flags, NULL);
/*
 * Reply dissector for dsrgetdcname: a unique pointer to
 * DOMAIN_CONTROLLER_INFO followed by the NTSTATUS return code.
 */
5526 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5527 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5529 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5530 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5531 "DOMAIN_CONTROLLER_INFO:", -1);
5533 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5534 hf_netlogon_rc, NULL);
/*
 * Request dissector for netrlogondummyroutine1, in wire order: server
 * handle, an unknown string, the client AUTHENTICATOR credential ([ref]),
 * a return authenticator (unique pointer) and an unknown uint32.
 */
5540 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
5541 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5543 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5546 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5547 NDR_POINTER_UNIQUE, "unknown string",
5548 hf_netlogon_unknown_string, 0);
5550 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5551 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5552 "AUTHENTICATOR: credential", -1);
5554 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5555 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5556 "AUTHENTICATOR: return_authenticator", -1);
5558 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5559 hf_netlogon_unknown_long, NULL);
/*
 * Reply dissector for netrlogondummyroutine1: the return authenticator, a
 * unique pointer to a TYPE_44 structure, then the NTSTATUS return code.
 */
5566 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
5567 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5569 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5570 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5571 "AUTHENTICATOR: return_authenticator", -1);
5573 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5574 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5575 "TYPE_44 pointer: unknown_TYPE_44", -1);
5577 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5578 hf_netlogon_rc, NULL);
/*
 * Request dissector for netrlogonsetservicebits: server handle followed by
 * two uint32 values shown as unknown (their meaning is not decoded here).
 */
5584 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
5585 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5587 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5590 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5591 hf_netlogon_unknown_long, NULL);
5593 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5594 hf_netlogon_unknown_long, NULL);
/* Reply dissector for netrlogonsetservicebits: only the NTSTATUS return code. */
5601 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
5602 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5604 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5605 hf_netlogon_rc, NULL);
/*
 * Request dissector for netrlogongettrustrid: server handle followed by an
 * unknown string.
 */
5612 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
5613 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5615 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5618 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5619 NDR_POINTER_UNIQUE, "unknown string",
5620 hf_netlogon_unknown_string, 0);
/* Dissect a NetrLogonGetTrustRid reply: a ULONG behind a unique pointer
 * and the NTSTATUS return code.
 * NOTE(review): the ULONG is presumably the trust RID the call is named
 * after; it is displayed as "unknown" - confirm before relabelling. */
5627 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
5628 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5630 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5631 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5632 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5634 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5635 hf_netlogon_rc, NULL);
/* Dissect a NetrLogonComputeServerDigest request: the server handle, an
 * unidentified 32-bit value, a byte array behind a unique pointer, and a
 * second unidentified 32-bit value.
 * NOTE(review): the byte array and trailing value look like a message
 * buffer and its size - confirm against the interface definition. */
5642 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
5643 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5645 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5648 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5649 hf_netlogon_unknown_long, NULL);
5651 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5652 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5653 "BYTE pointer: unknown_BYTE", -1);
5655 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5656 hf_netlogon_unknown_long, NULL);
/* Dissect a fixed-length byte array, adding each byte to the tree as an
 * "unknown char" item via dissect_ndr_uint8().
 * NOTE(review): the name implies exactly 16 bytes are consumed - confirm
 * against the loop bound. */
5662 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5663 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5668 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5669 hf_netlogon_unknown_char, NULL);
/* Dissect a NetrLogonComputeServerDigest reply: a 16-byte array behind a
 * unique pointer (presumably the computed digest - confirm) and the
 * NTSTATUS return code. */
5676 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
5677 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5679 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5680 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5681 "BYTE pointer: unknown_BYTE", -1);
5683 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5684 hf_netlogon_rc, NULL);
/* Dissect a NetrLogonComputeClientDigest request: the server handle, an
 * unidentified string (unique pointer), a byte array behind a unique
 * pointer, and an unidentified 32-bit value. */
5690 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
5691 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5693 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5696 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5697 NDR_POINTER_UNIQUE, "unknown string",
5698 hf_netlogon_unknown_string, 0);
5700 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5701 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5702 "BYTE pointer: unknown_BYTE", -1);
5704 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5705 hf_netlogon_unknown_long, NULL);
/* Dissect a NetrLogonComputeClientDigest reply: a 16-byte array behind a
 * unique pointer (presumably the computed digest - confirm) and the
 * NTSTATUS return code. */
5712 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
5713 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5715 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5716 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5717 "BYTE pointer: unknown_BYTE", -1);
5719 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5720 hf_netlogon_rc, NULL);
/* Dissect a NetrServerAuthenticate3 request, the client half of the
 * secure channel authentication exchange.
 * Fields, in the order dissected: server handle, account name (ref
 * pointer), secure channel type, computer name (ref pointer), the client
 * CREDENTIAL, and the 32-bit negotiation flags.
 * The account name, channel type and negotiation flags are the values an
 * analyst compares against the reply to see which secure channel options
 * were requested. */
5726 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5727 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5729 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5732 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5733 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5735 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5738 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5739 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5741 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5742 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5743 "CREDENTIAL: authenticator", -1);
5745 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5746 hf_netlogon_neg_flags, NULL);
/* Dissect a NetrServerAuthenticate3 reply: the server CREDENTIAL (ref
 * pointer), the 32-bit negotiation flags, a ULONG behind a ref pointer,
 * and the NTSTATUS return code.
 * The flags shown here are the server's answer to the flags in the
 * request, so both should be read together.
 * NOTE(review): the trailing ULONG is displayed as unknown; it is
 * presumably the account RID returned by this call - confirm. */
5753 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5754 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5756 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5757 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5758 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5760 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5761 hf_netlogon_neg_flags, NULL);
5763 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5764 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5765 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5767 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5768 hf_netlogon_rc, NULL);
/* Dissect a DsrGetDcNameEx request: server handle, domain name, domain
 * GUID, site name (all three behind unique pointers), and the
 * GET_DCNAME request flags. */
5774 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
5775 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5777 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5780 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5781 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5783 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5784 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5785 "GUID pointer: domain_guid", -1);
5787 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5788 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5790 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
/* Dissect a DsrGetDcNameEx reply: a DOMAIN_CONTROLLER_INFO structure
 * behind a unique pointer and the NTSTATUS return code. */
5797 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
5798 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5800 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5801 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5802 "DOMAIN_CONTROLLER_INFO:", -1);
5804 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5805 hf_netlogon_rc, NULL);
/* Dissect a DsrGetSiteName request; the only field dissected is the
 * server handle. */
5811 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5812 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5814 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Dissect a DsrGetSiteName reply: the site name string, then the
 * NTSTATUS return code.
 * The string is dissected through dissect_ndr_pointer_cb() so that
 * cb_wstr_postprocess runs on it with CB_STR_COL_INFO | 1 as its argument
 * (presumably to echo the site name into the Info column - confirm).
 * The pointer type used is a known approximation; see the XXX note in the
 * body. */
5822 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5823 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5826 /* XXX hmmm this does not really look like a UNIQUE pointer but
5827 will do for now. I think it is really a 32bit integer followed by
5828 a REF pointer to a unicode string */
5829 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
5830 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
5831 hf_netlogon_site_name, cb_wstr_postprocess,
5832 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
5834 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5835 hf_netlogon_rc, NULL);
/* Dissect a NetrLogonGetDomainInfo request.
 * Fields, in the order dissected: server handle (a ref pointer here, not
 * the usual LOGONSRV_HANDLE helper), computer name (unique pointer), the
 * client AUTHENTICATOR, an unidentified 32-bit value, the return
 * AUTHENTICATOR, and a DOMAIN_QUERY structure (all ref pointers).
 * Note that the server handle is added under hf_netlogon_computer_name,
 * so a display filter on that field matches both strings. */
5841 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5842 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5844 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5845 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5846 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5848 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5849 NDR_POINTER_UNIQUE, "Computer Name",
5850 hf_netlogon_computer_name, 0);
5852 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5853 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5854 "AUTHENTICATOR: credential", -1);
5856 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5857 hf_netlogon_unknown_long, NULL);
5859 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5860 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5861 "AUTHENTICATOR: return_authenticator", -1);
5863 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5864 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5865 "DOMAIN_QUERY: ", -1);
/* Dissect a NetrLogonGetDomainInfo reply: the return AUTHENTICATOR and a
 * DOMAIN_INFO structure (both ref pointers), then the NTSTATUS return
 * code. */
5872 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5873 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5875 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5876 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5877 "AUTHENTICATOR: return_authenticator", -1);
5879 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5880 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5881 "DOMAIN_INFO: ", -1);
5883 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5884 hf_netlogon_rc, NULL);
/* Dissect a NetrServerPasswordSet2 request.
 * Fields, in the order dissected: server handle, an unidentified string,
 * an unidentified 16-bit value, a second unidentified string, the client
 * AUTHENTICATOR (ref pointer), and a UNICODE_STRING_512 structure.
 * NOTE(review): the trailing structure presumably holds the new password
 * buffer for the account; treat captures containing this call as
 * sensitive and confirm what the helper displays. */
5890 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5891 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5893 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5896 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5897 NDR_POINTER_UNIQUE, "unknown string",
5898 hf_netlogon_unknown_string, 0);
5900 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5901 hf_netlogon_unknown_short, NULL);
5903 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5904 NDR_POINTER_UNIQUE, "unknown string",
5905 hf_netlogon_unknown_string, 0);
5907 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5908 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5909 "AUTHENTICATOR: credential", -1);
5911 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
/* Dissect a NetrServerPasswordSet2 reply: the return AUTHENTICATOR
 * (unique pointer) and the NTSTATUS return code, which tells whether the
 * password change was accepted. */
5919 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5920 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5922 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5923 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5924 "AUTHENTICATOR: return_authenticator", -1);
5926 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5927 hf_netlogon_rc, NULL);
/* Dissect a NetrServerPasswordGet request: server handle, account name,
 * secure channel type, computer name (both strings behind unique
 * pointers), and the client AUTHENTICATOR (ref pointer). */
5933 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
5934 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5936 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5939 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5940 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
5942 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5945 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5946 NDR_POINTER_UNIQUE, "Computer Name",
5947 hf_netlogon_computer_name, 0);
5949 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5950 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5951 "AUTHENTICATOR: credential", -1);
/* Dissect a NetrServerPasswordGet reply: the return AUTHENTICATOR, the
 * server password as an LM_OWF_PASSWORD (both ref pointers), and the
 * NTSTATUS return code.
 * The password field is password-derived material; the bytes are shown
 * as they appear on the wire.
 * NOTE(review): whether the value is encrypted under the session key is
 * not visible here - confirm, and handle captures of this call as
 * sensitive either way. */
5958 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
5959 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5961 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5962 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5963 "AUTHENTICATOR: return_authenticator", -1);
5965 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5966 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5967 "LM_OWF_PASSWORD pointer: server_pwd", -1);
5969 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5970 hf_netlogon_rc, NULL);
/* Dissect a NetrLogonSendToSam request: server handle, an unidentified
 * string (unique pointer), the client AUTHENTICATOR (ref pointer), a byte
 * array behind a unique pointer, and an unidentified 32-bit value.
 * NOTE(review): the byte array and trailing value look like an opaque
 * buffer and its size - confirm against the interface definition. */
5976 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
5977 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5979 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5982 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5983 NDR_POINTER_UNIQUE, "unknown string",
5984 hf_netlogon_unknown_string, 0);
5986 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5987 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5988 "AUTHENTICATOR: credential", -1);
5990 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5991 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5992 "BYTE pointer: unknown_BYTE", -1);
5994 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5995 hf_netlogon_unknown_long, NULL);
/* Dissect a NetrLogonSendToSam reply: the return AUTHENTICATOR (unique
 * pointer) and the NTSTATUS return code. */
6002 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
6003 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6005 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6006 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6007 "AUTHENTICATOR: return_authenticator", -1);
6009 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6010 hf_netlogon_rc, NULL);
/* Dissect a DsrAddressToSiteNamesW request: server handle, an
 * unidentified 32-bit value, and a byte array behind a unique pointer.
 * NOTE(review): these are presumably the address count and the socket
 * address data - confirm before relabelling the fields. */
6016 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
6017 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6019 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6022 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6023 hf_netlogon_unknown_long, NULL);
6025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6026 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6027 "BYTE pointer: unknown_BYTE", -1);
/* Dissect a DsrAddressToSiteNamesW reply: a TYPE_50 pointer-to-pointer
 * structure that is still labelled unknown (unique pointer) and the
 * NTSTATUS return code. */
6034 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
6035 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6037 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6038 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
6039 "TYPE_50** pointer: unknown_TYPE_50", -1);
6041 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6042 hf_netlogon_rc, NULL);
/* Dissect a DsrGetDcNameEx2 request.
 * Fields, in the order dissected: server handle, an unidentified string,
 * an unidentified 32-bit value, a second unidentified string, a GUID, a
 * third unidentified string (strings and GUID behind unique pointers),
 * and a final unidentified 32-bit value.
 * Unlike the DsrGetDcNameEx request dissector, none of the fields are
 * labelled yet, so display filters on domain or site name do not match
 * this call. */
6048 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
6049 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6051 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6054 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6055 NDR_POINTER_UNIQUE, "unknown string",
6056 hf_netlogon_unknown_string, 0);
6058 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6059 hf_netlogon_unknown_long, NULL);
6061 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6062 NDR_POINTER_UNIQUE, "unknown string",
6063 hf_netlogon_unknown_string, 0);
6065 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6066 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6067 "GUID pointer: unknown_GUID", -1);
6069 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6070 NDR_POINTER_UNIQUE, "unknown string",
6071 hf_netlogon_unknown_string, 0);
6073 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6074 hf_netlogon_unknown_long, NULL);
/* Dissect a DsrGetDcNameEx2 reply: a DOMAIN_CONTROLLER_INFO structure
 * behind a unique pointer and the NTSTATUS return code. */
6081 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
6082 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6084 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6085 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6086 "DOMAIN_CONTROLLER_INFO:", -1);
6088 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6089 hf_netlogon_rc, NULL);
/* Dissect a NetrLogonGetTimeServiceParentDomain request; the only field
 * dissected is the server handle. */
6095 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
6096 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6098 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Dissect a NetrLogonGetTimeServiceParentDomain reply: an unidentified
 * string and a ULONG (both behind unique pointers), then the NTSTATUS
 * return code. */
6106 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
6107 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6109 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6110 NDR_POINTER_UNIQUE, "unknown string",
6111 hf_netlogon_unknown_string, 0);
6113 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6114 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6115 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6117 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6118 hf_netlogon_rc, NULL);
/* Dissect a NetrEnumerateTrustedDomainsEx request; the only field
 * dissected is the server handle. */
6124 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
6125 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6127 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Dissect a NetrEnumerateTrustedDomainsEx reply: the 32-bit entry count,
 * the DS_DOMAIN_TRUSTS array behind a unique pointer, and the NTSTATUS
 * return code. The reply lists the domain trusts known to the server. */
6134 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
6135 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6137 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6138 hf_netlogon_entries, NULL);
6140 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6141 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
6142 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
6144 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6145 hf_netlogon_rc, NULL);
/* Dissect a DsrAddressToSiteNamesExW request: server handle, an
 * unidentified 32-bit value, and a byte array behind a unique pointer.
 * The field layout dissected here is the same as for the
 * DsrAddressToSiteNamesW request. */
6151 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
6152 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6154 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6157 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6158 hf_netlogon_unknown_long, NULL);
6160 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6161 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6162 "BYTE pointer: unknown_BYTE", -1);
/* Dissect a DsrAddressToSiteNamesExW reply: a TYPE_52 structure that is
 * still labelled unknown (unique pointer) and the NTSTATUS return code. */
6169 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
6170 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6172 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6173 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
6174 "TYPE_52 pointer: unknown_TYPE_52", -1);
6176 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6177 hf_netlogon_rc, NULL);
/* Dissect one site name as a counted string and add it under
 * hf_netlogon_site_name. cb_wstr_postprocess is run on the string with
 * CB_STR_COL_INFO | 1 as its argument (presumably to echo the name into
 * the Info column - confirm). Used as the per-element callback of
 * netlogon_dissect_site_name_array(). */
6184 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
6185 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6187 offset = dissect_ndr_counted_string_cb(
6188 tvb, offset, pinfo, tree, drep, hf_netlogon_site_name,
6189 cb_wstr_postprocess,
6190 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
/* Dissect an array of site names by handing
 * netlogon_dissect_site_name_item to dissect_ndr_ucarray() as the
 * per-element dissector; the element count is read by that helper. */
6195 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
6196 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6198 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
6199 netlogon_dissect_site_name_item);
/* Dissect a site-names structure: a 32-bit count followed by a unique
 * pointer to the site name array. */
6205 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
6206 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6208 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6209 hf_netlogon_count, NULL);
6211 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6212 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
6213 "Site name array", -1);
/* Dissect a DsrGetDcSiteCoverageW request; the only field dissected is
 * the server handle. */
6219 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
6220 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6222 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Dissect a DsrGetDcSiteCoverageW reply: the site-names structure behind
 * a unique pointer and the NTSTATUS return code. */
6230 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
6231 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6233 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6234 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
6237 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6238 hf_netlogon_rc, NULL);
/* Dissect a NetrLogonSamLogonEx request.
 * Fields, in the order dissected: two unidentified strings, an
 * unidentified 16-bit value, a LEVEL structure, a second unidentified
 * 16-bit value, and a ULONG (strings, LEVEL and ULONG behind unique
 * pointers).
 * No AUTHENTICATOR is dissected for this call, unlike the other logon
 * requests in this file.
 * NOTE(review): the LEVEL structure presumably carries the user's logon
 * information, so captures of this call should be treated as sensitive -
 * confirm against netlogon_dissect_LEVEL. */
6244 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
6245 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6247 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6248 NDR_POINTER_UNIQUE, "unknown string",
6249 hf_netlogon_unknown_string, 0);
6251 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6252 NDR_POINTER_UNIQUE, "unknown string",
6253 hf_netlogon_unknown_string, 0);
6255 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6256 hf_netlogon_unknown_short, NULL);
6258 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6259 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
6260 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
6262 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6263 hf_netlogon_unknown_short, NULL);
6265 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6266 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6267 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
/* Dissect a NetrLogonSamLogonEx reply: a VALIDATION structure, a BOOLEAN
 * and a ULONG (all behind unique pointers), then the NTSTATUS return
 * code.
 * NOTE(review): the BOOLEAN and ULONG are displayed as unknown; they are
 * presumably the authoritative flag and extra flags of the logon result
 * - confirm before relabelling. */
6273 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
6274 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6276 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6277 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
6278 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
6280 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6281 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
6282 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
6284 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6285 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6286 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6288 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6289 hf_netlogon_rc, NULL);
/* Dissect a DsrEnumerateDomainTrusts request: the server handle and the
 * DOMAIN_TRUST flags that select which trusts are returned. */
6296 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
6297 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6299 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6302 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
/* Dissect a DsrEnumerateDomainTrusts reply: the 32-bit entry count, the
 * DS_DOMAIN_TRUSTS array behind a unique pointer, and the NTSTATUS return
 * code. The reply lists the domain trusts known to the server. */
6309 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
6310 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6312 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6313 hf_netlogon_entries, NULL);
6315 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6316 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
6317 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
6319 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6320 hf_netlogon_rc, NULL);
/* Dissect a DsrDeregisterDnsHostRecords request: server handle, domain
 * name, domain GUID, DSA GUID (all three behind unique pointers), and
 * the DNS host name (ref pointer) whose records are to be removed. */
6326 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
6327 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6329 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6332 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6333 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6335 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6336 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6337 "GUID pointer: domain_guid", -1);
6339 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6340 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6341 "GUID pointer: dsa_guid", -1);
6343 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6344 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
/* Dissect a DsrDeregisterDnsHostRecords reply, which carries only the
 * NTSTATUS return code. */
6351 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
6352 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6354 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6355 hf_netlogon_rc, NULL);
6360 /* Dissect secure channel stuff */
/* Field handles for the secure channel bind and bind-ack credentials.
 * Each starts at -1; presumably the real ids are assigned when the
 * fields are registered - confirm in proto_register_dcerpc_netlogon(). */
6362 static int hf_netlogon_secchan_bind_unknown1 = -1;
6363 static int hf_netlogon_secchan_bind_unknown2 = -1;
6364 static int hf_netlogon_secchan_domain = -1;
6365 static int hf_netlogon_secchan_host = -1;
6366 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
6367 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
6368 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
/* Subtree indices passed to proto_item_add_subtree() by the secure
 * channel verifier, bind and bind-ack dissectors below. */
6370 static gint ett_secchan_verf = -1;
6371 static gint ett_secchan_bind_creds = -1;
6372 static gint ett_secchan_bind_ack_creds = -1;
/* Dissect the credentials sent in a secure channel bind.
 * A "Secure Channel Bind Credentials" item with its own subtree is
 * created, then two unidentified 32-bit values are read with
 * dissect_dcerpc_uint32(), followed by the domain and host strings.
 * Each string length comes from tvb_strsize(), which counts up to and
 * including the terminating NUL and raises a bounds exception when no
 * NUL is found inside the tvbuff, so an unterminated string in a
 * malformed bind cannot make the item extend past the captured data.
 * NOTE(review): confirm that offset is advanced by len after each
 * string, so that the host string starts after the domain string. */
6374 static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
6376 proto_tree *tree, guint8 *drep)
6378 proto_item *item = NULL;
6379 proto_tree *subtree = NULL;
6383 item = proto_tree_add_text(
6384 tree, tvb, offset, -1,
6385 "Secure Channel Bind Credentials");
6386 subtree = proto_item_add_subtree(
6387 item, ett_secchan_bind_creds);
6390 /* We can't use the NDR routines as the DCERPC call data hasn't
6391 been initialised since we haven't made a DCERPC call yet, just
6394 offset = dissect_dcerpc_uint32(
6395 tvb, offset, pinfo, subtree, drep,
6396 hf_netlogon_secchan_bind_unknown1, NULL);
6398 offset = dissect_dcerpc_uint32(
6399 tvb, offset, pinfo, subtree, drep,
6400 hf_netlogon_secchan_bind_unknown2, NULL);
6402 len = tvb_strsize(tvb, offset);
6404 proto_tree_add_item(
6405 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
6409 len = tvb_strsize(tvb, offset);
6411 proto_tree_add_item(
6412 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
/* Dissect the credentials returned in a secure channel bind ack.
 * A "Secure Channel Bind ACK Credentials" item with its own subtree is
 * created, then three unidentified 32-bit values are read with
 * dissect_dcerpc_uint32() rather than the NDR helpers. */
6419 static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
6421 proto_tree *tree, guint8 *drep)
6423 proto_item *item = NULL;
6424 proto_tree *subtree = NULL;
6427 item = proto_tree_add_text(
6428 tree, tvb, offset, -1,
6429 "Secure Channel Bind ACK Credentials");
6430 subtree = proto_item_add_subtree(
6431 item, ett_secchan_bind_ack_creds);
6434 /* Don't use NDR routines here */
6436 offset = dissect_dcerpc_uint32(
6437 tvb, offset, pinfo, subtree, drep,
6438 hf_netlogon_secchan_bind_ack_unknown1, NULL);
6440 offset = dissect_dcerpc_uint32(
6441 tvb, offset, pinfo, subtree, drep,
6442 hf_netlogon_secchan_bind_ack_unknown2, NULL);
6444 offset = dissect_dcerpc_uint32(
6445 tvb, offset, pinfo, subtree, drep,
6446 hf_netlogon_secchan_bind_ack_unknown3, NULL);
/* Operation table for the NETLOGON interface. Each entry gives the opnum
 * constant, the name shown for the operation, and the request and reply
 * dissectors; the all-zero/NULL entry terminates the table.
 * The last five operations (NetrServerTrustPasswordsGet through
 * NetrServerGetTrustInfo) name no dissector functions here.
 * NOTE(review): presumably both handlers are NULL for them, in which
 * case the operation is named but its payload is not decoded - confirm,
 * since an analyst would then have to read those stubs by hand. */
6453 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
6454 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
6455 netlogon_dissect_netrlogonuaslogon_rqst,
6456 netlogon_dissect_netrlogonuaslogon_reply },
6457 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
6458 netlogon_dissect_netrlogonuaslogoff_rqst,
6459 netlogon_dissect_netrlogonuaslogoff_reply },
6460 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
6461 netlogon_dissect_netrlogonsamlogon_rqst,
6462 netlogon_dissect_netrlogonsamlogon_reply },
6463 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
6464 netlogon_dissect_netrlogonsamlogoff_rqst,
6465 netlogon_dissect_netrlogonsamlogoff_reply },
6466 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
6467 netlogon_dissect_netrserverreqchallenge_rqst,
6468 netlogon_dissect_netrserverreqchallenge_reply },
6469 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
6470 netlogon_dissect_netrserverauthenticate_rqst,
6471 netlogon_dissect_netrserverauthenticate_reply },
6472 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
6473 netlogon_dissect_netrserverpasswordset_rqst,
6474 netlogon_dissect_netrserverpasswordset_reply },
6475 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
6476 netlogon_dissect_netrdatabasedeltas_rqst,
6477 netlogon_dissect_netrdatabasedeltas_reply },
6478 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
6479 netlogon_dissect_netrdatabasesync_rqst,
6480 netlogon_dissect_netrdatabasesync_reply },
6481 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
6482 netlogon_dissect_netraccountdeltas_rqst,
6483 netlogon_dissect_netraccountdeltas_reply },
6484 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
6485 netlogon_dissect_netraccountsync_rqst,
6486 netlogon_dissect_netraccountsync_reply },
6487 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
6488 netlogon_dissect_netrgetdcname_rqst,
6489 netlogon_dissect_netrgetdcname_reply },
6490 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
6491 netlogon_dissect_netrlogoncontrol_rqst,
6492 netlogon_dissect_netrlogoncontrol_reply },
6493 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
6494 netlogon_dissect_netrgetanydcname_rqst,
6495 netlogon_dissect_netrgetanydcname_reply },
6496 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
6497 netlogon_dissect_netrlogoncontrol2_rqst,
6498 netlogon_dissect_netrlogoncontrol2_reply },
6499 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
6500 netlogon_dissect_netrserverauthenticate2_rqst,
6501 netlogon_dissect_netrserverauthenticate2_reply },
6502 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
6503 netlogon_dissect_netrdatabasesync2_rqst,
6504 netlogon_dissect_netrdatabasesync2_reply },
6505 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
6506 netlogon_dissect_netrdatabaseredo_rqst,
6507 netlogon_dissect_netrdatabaseredo_reply },
6508 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
6509 netlogon_dissect_netrlogoncontrol2ex_rqst,
6510 netlogon_dissect_netrlogoncontrol2ex_reply },
6511 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
6512 netlogon_dissect_netrenumeratetrusteddomains_rqst,
6513 netlogon_dissect_netrenumeratetrusteddomains_reply },
6514 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
6515 netlogon_dissect_dsrgetdcname_rqst,
6516 netlogon_dissect_dsrgetdcname_reply },
6517 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
6518 netlogon_dissect_netrlogondummyroutine1_rqst,
6519 netlogon_dissect_netrlogondummyroutine1_reply },
6520 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
6521 netlogon_dissect_netrlogonsetservicebits_rqst,
6522 netlogon_dissect_netrlogonsetservicebits_reply },
6523 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
6524 netlogon_dissect_netrlogongettrustrid_rqst,
6525 netlogon_dissect_netrlogongettrustrid_reply },
6526 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
6527 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
6528 netlogon_dissect_netrlogoncomputeserverdigest_reply },
6529 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
6530 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
6531 netlogon_dissect_netrlogoncomputeclientdigest_reply },
6532 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
6533 netlogon_dissect_netrserverauthenticate3_rqst,
6534 netlogon_dissect_netrserverauthenticate3_reply },
6535 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
6536 netlogon_dissect_dsrgetdcnameex_rqst,
6537 netlogon_dissect_dsrgetdcnameex_reply },
6538 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
6539 netlogon_dissect_dsrgetsitename_rqst,
6540 netlogon_dissect_dsrgetsitename_reply },
6541 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6542 netlogon_dissect_netrlogongetdomaininfo_rqst,
6543 netlogon_dissect_netrlogongetdomaininfo_reply },
6544 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
6545 netlogon_dissect_netrserverpasswordset2_rqst,
6546 netlogon_dissect_netrserverpasswordset2_reply },
6547 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
6548 netlogon_dissect_netrserverpasswordget_rqst,
6549 netlogon_dissect_netrserverpasswordget_reply },
6550 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
6551 netlogon_dissect_netrlogonsendtosam_rqst,
6552 netlogon_dissect_netrlogonsendtosam_reply },
6553 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
6554 netlogon_dissect_dsraddresstositenamesw_rqst,
6555 netlogon_dissect_dsraddresstositenamesw_reply },
6556 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
6557 netlogon_dissect_dsrgetdcnameex2_rqst,
6558 netlogon_dissect_dsrgetdcnameex2_reply },
6559 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
6560 "NetrLogonGetTimeServiceParentDomain",
6561 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
6562 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
6563 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
6564 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
6565 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
6566 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
6567 netlogon_dissect_dsraddresstositenamesexw_rqst,
6568 netlogon_dissect_dsraddresstositenamesexw_reply },
6569 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
6570 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
6571 netlogon_dissect_dsrgetdcsitecoveragew_reply },
6572 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
6573 netlogon_dissect_netrlogonsamlogonex_rqst,
6574 netlogon_dissect_netrlogonsamlogonex_reply },
6575 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
6576 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
6577 netlogon_dissect_dsrenumeratedomaintrusts_reply },
6578 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
6579 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6580 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6581 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
6583 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
6585 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
6587 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
6589 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
6591 {0, NULL, NULL, NULL }
/* Field handles for the secure channel verifier: the parent item and its
 * signature, unknown, sequence and nonce components. Each starts at -1;
 * presumably the real ids are assigned at registration - confirm. */
6594 static int hf_netlogon_secchan_verf = -1;
6595 static int hf_netlogon_secchan_verf_sig = -1;
6596 static int hf_netlogon_secchan_verf_unk = -1;
6597 static int hf_netlogon_secchan_verf_seq = -1;
6598 static int hf_netlogon_secchan_verf_nonce = -1;
/* Dissect the secure channel verifier attached to a protected PDU.
 * A parent item (hf_netlogon_secchan_verf) with its own subtree is
 * created and the verifier is split into four components: signature,
 * an unidentified field, sequence number, and nonce.
 * The nonce is optional on the wire, so it is added only when
 * tvb_bytes_exist() confirms that 8 more bytes are present; without
 * that guard a verifier lacking the nonce would raise a bounds
 * exception and the rest of the verifier would not be shown.
 * pinfo and drep are unused (marked _U_). */
6601 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
6602 proto_tree *tree, guint8 *drep _U_)
6604 proto_item *vf = NULL;
6605 proto_tree *subtree = NULL;
6608 * Create a new tree, and split into 4 components ...
6610 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
6612 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
6614 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sig, tvb,
6618 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_unk, tvb,
6622 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_seq, tvb,
6626 /* In some cases the nonce isn't present although it isn't clear
6629 if (tvb_bytes_exist(tvb, offset, 8)) {
6630 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_nonce,
6631 tvb, offset, 8, FALSE);
6638 /* Secure channel types */
/* Maps each SEC_CHAN_* constant to the text shown for it: workstation,
 * domain trust, or backup domain controller. */
6640 static const value_string sec_chan_type_vals[] = {
6641 { SEC_CHAN_WKSTA, "Workstation" },
6642 { SEC_CHAN_DOMAIN, "Domain trust" },
6643 { SEC_CHAN_BDC, "Backup domain controller" },
6648 proto_register_dcerpc_netlogon(void)
6651 static hf_register_info hf[] = {
6652 { &hf_netlogon_opnum,
6653 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6654 NULL, 0x0, "Operation", HFILL }},
6656 { &hf_netlogon_rc, {
6657 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6658 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6660 { &hf_netlogon_param_ctrl, {
6661 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6662 NULL, 0x0, "Param ctrl", HFILL }},
6664 { &hf_netlogon_logon_id, {
6665 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6666 NULL, 0x0, "Logon ID", HFILL }},
6668 { &hf_netlogon_modify_count, {
6669 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6670 NULL, 0x0, "How many times the object has been modified", HFILL }},
6672 { &hf_netlogon_security_information, {
6673 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6674 NULL, 0x0, "Security Information", HFILL }},
6676 { &hf_netlogon_count, {
6677 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6678 NULL, 0x0, "", HFILL }},
6680 { &hf_netlogon_entries, {
6681 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6682 NULL, 0x0, "", HFILL }},
6684 { &hf_netlogon_credential, {
6685 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6686 NULL, 0x0, "Netlogon Credential", HFILL }},
6688 { &hf_netlogon_challenge, {
6689 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6690 NULL, 0x0, "Netlogon challenge", HFILL }},
6692 { &hf_netlogon_lm_owf_password, {
6693 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6694 NULL, 0x0, "LanManager OWF Password", HFILL }},
6696 { &hf_netlogon_user_session_key, {
6697 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6698 NULL, 0x0, "User Session Key", HFILL }},
6700 { &hf_netlogon_encrypted_lm_owf_password, {
6701 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6702 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6704 { &hf_netlogon_nt_owf_password, {
6705 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6706 NULL, 0x0, "NT OWF Password", HFILL }},
6708 { &hf_netlogon_blob, {
6709 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6710 NULL, 0x0, "BLOB", HFILL }},
6712 { &hf_netlogon_len, {
6713 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6714 NULL, 0, "Length", HFILL }},
6716 { &hf_netlogon_priv, {
6717 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6718 NULL, 0, "", HFILL }},
6720 { &hf_netlogon_privilege_entries, {
6721 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6722 NULL, 0, "", HFILL }},
6724 { &hf_netlogon_privilege_control, {
6725 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6726 NULL, 0, "", HFILL }},
6728 { &hf_netlogon_privilege_name, {
6729 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6730 NULL, 0, "", HFILL }},
6732 { &hf_netlogon_pdc_connection_status, {
6733 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6734 NULL, 0, "PDC Connection Status", HFILL }},
6736 { &hf_netlogon_tc_connection_status, {
6737 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6738 NULL, 0, "TC Connection Status", HFILL }},
6740 { &hf_netlogon_attrs, {
6741 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6742 NULL, 0, "Attributes", HFILL }},
6744 { &hf_netlogon_unknown_string,
6745 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6746 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6747 { &hf_netlogon_unknown_long,
6748 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6749 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6750 { &hf_netlogon_reserved,
6751 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6752 NULL, 0x0, "Reserved", HFILL }},
6753 { &hf_netlogon_unknown_short,
6754 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6755 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6757 { &hf_netlogon_unknown_char,
6758 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6759 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6761 { &hf_netlogon_acct_expiry_time,
6762 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6763 NULL, 0x0, "When this account will expire", HFILL }},
6765 { &hf_netlogon_nt_pwd_present,
6766 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6767 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6769 { &hf_netlogon_lm_pwd_present,
6770 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6771 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6773 { &hf_netlogon_pwd_expired,
6774 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6775 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6777 { &hf_netlogon_authoritative,
6778 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6779 NULL, 0x0, "", HFILL }},
6781 { &hf_netlogon_sensitive_data_flag,
6782 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6783 NULL, 0x0, "Sensitive data flag", HFILL }},
6785 { &hf_netlogon_auditing_mode,
6786 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6787 NULL, 0x0, "Auditing Mode", HFILL }},
6789 { &hf_netlogon_max_audit_event_count,
6790 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6791 NULL, 0x0, "Max audit event count", HFILL }},
6793 { &hf_netlogon_event_audit_option,
6794 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6795 NULL, 0x0, "Event audit option", HFILL }},
6797 { &hf_netlogon_sensitive_data_len,
6798 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6799 NULL, 0x0, "Length of sensitive data", HFILL }},
6801 { &hf_netlogon_nt_chal_resp,
6802 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6803 NULL, 0, "Challenge response for NT authentication", HFILL }},
6805 { &hf_netlogon_lm_chal_resp,
6806 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6807 NULL, 0, "Challenge response for LM authentication", HFILL }},
6809 { &hf_netlogon_cipher_len,
6810 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6811 NULL, 0, "", HFILL }},
6813 { &hf_netlogon_cipher_maxlen,
6814 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6815 NULL, 0, "", HFILL }},
6817 { &hf_netlogon_pac_data,
6818 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6819 NULL, 0, "Pac Data", HFILL }},
6821 { &hf_netlogon_sensitive_data,
6822 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6823 NULL, 0, "Sensitive Data", HFILL }},
6825 { &hf_netlogon_auth_data,
6826 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6827 NULL, 0, "Auth Data", HFILL }},
6829 { &hf_netlogon_cipher_current_data,
6830 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6831 NULL, 0, "", HFILL }},
6833 { &hf_netlogon_cipher_old_data,
6834 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6835 NULL, 0, "", HFILL }},
6837 { &hf_netlogon_acct_name,
6838 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6839 NULL, 0, "Account Name", HFILL }},
6841 { &hf_netlogon_acct_desc,
6842 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6843 NULL, 0, "Account Description", HFILL }},
6845 { &hf_netlogon_group_desc,
6846 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6847 NULL, 0, "Group Description", HFILL }},
6849 { &hf_netlogon_full_name,
6850 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6851 NULL, 0, "Full Name", HFILL }},
6853 { &hf_netlogon_comment,
6854 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6855 NULL, 0, "Comment", HFILL }},
6857 { &hf_netlogon_parameters,
6858 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6859 NULL, 0, "Parameters", HFILL }},
6861 { &hf_netlogon_logon_script,
6862 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6863 NULL, 0, "Logon Script", HFILL }},
6865 { &hf_netlogon_profile_path,
6866 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6867 NULL, 0, "Profile Path", HFILL }},
6869 { &hf_netlogon_home_dir,
6870 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6871 NULL, 0, "Home Directory", HFILL }},
6873 { &hf_netlogon_dir_drive,
6874 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6875 NULL, 0, "Drive letter for home directory", HFILL }},
6877 { &hf_netlogon_logon_srv,
6878 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6879 NULL, 0, "Server", HFILL }},
6881 { &hf_netlogon_principal,
6882 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6883 NULL, 0, "Principal", HFILL }},
6885 { &hf_netlogon_logon_dom,
6886 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6887 NULL, 0, "Domain", HFILL }},
6889 { &hf_netlogon_resourcegroupdomainsid,
6890 { "ResourceGroupDomainSID", "netlogon.resourcegroupdomainsid", FT_STRING, BASE_NONE,
6891 NULL, 0, "Resource Group Domain SID", HFILL }},
6893 { &hf_netlogon_resourcegroupcount,
6894 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
6895 NULL, 0, "Number of Resource Groups", HFILL }},
6897 { &hf_netlogon_computer_name,
6898 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6899 NULL, 0, "Computer Name", HFILL }},
6901 { &hf_netlogon_site_name,
6902 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6903 NULL, 0, "Site Name", HFILL }},
6905 { &hf_netlogon_dc_name,
6906 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6907 NULL, 0, "DC Name", HFILL }},
6909 { &hf_netlogon_dc_site_name,
6910 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6911 NULL, 0, "DC Site Name", HFILL }},
6913 { &hf_netlogon_dns_forest_name,
6914 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6915 NULL, 0, "DNS Forest Name", HFILL }},
6917 { &hf_netlogon_dc_address,
6918 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6919 NULL, 0, "DC Address", HFILL }},
6921 { &hf_netlogon_dc_address_type,
6922 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6923 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6925 { &hf_netlogon_client_site_name,
6926 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6927 NULL, 0, "Client Site Name", HFILL }},
6929 { &hf_netlogon_workstation_site_name,
6930 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6931 NULL, 0, "Workstation Site Name", HFILL }},
6933 { &hf_netlogon_workstation,
6934 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6935 NULL, 0, "Workstation Name", HFILL }},
6937 { &hf_netlogon_workstation_os,
6938 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6939 NULL, 0, "Workstation OS", HFILL }},
6941 { &hf_netlogon_workstations,
6942 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6943 NULL, 0, "Workstations", HFILL }},
6945 { &hf_netlogon_workstation_fqdn,
6946 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6947 NULL, 0, "Workstation FQDN", HFILL }},
6949 { &hf_netlogon_group_name,
6950 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6951 NULL, 0, "Group Name", HFILL }},
6953 { &hf_netlogon_alias_name,
6954 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6955 NULL, 0, "Alias Name", HFILL }},
6957 { &hf_netlogon_dns_host,
6958 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6959 NULL, 0, "DNS Host", HFILL }},
6961 { &hf_netlogon_downlevel_domain_name,
6962 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6963 NULL, 0, "Downlevel Domain Name", HFILL }},
6965 { &hf_netlogon_dns_domain_name,
6966 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6967 NULL, 0, "DNS Domain Name", HFILL }},
6969 { &hf_netlogon_domain_name,
6970 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6971 NULL, 0, "Domain Name", HFILL }},
6973 { &hf_netlogon_oem_info,
6974 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6975 NULL, 0, "OEM Info", HFILL }},
6977 { &hf_netlogon_trusted_dc_name,
6978 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6979 NULL, 0, "Trusted DC", HFILL }},
6981 { &hf_netlogon_logonsrv_handle,
6982 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6983 NULL, 0, "Logon Srv Handle", HFILL }},
6985 { &hf_netlogon_dummy,
6986 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6987 NULL, 0, "Dummy string", HFILL }},
6989 { &hf_netlogon_logon_count16,
6990 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6991 NULL, 0x0, "Number of successful logins", HFILL }},
6993 { &hf_netlogon_logon_count,
6994 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6995 NULL, 0x0, "Number of successful logins", HFILL }},
6997 { &hf_netlogon_bad_pw_count16,
6998 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6999 NULL, 0x0, "Number of failed logins", HFILL }},
7001 { &hf_netlogon_bad_pw_count,
7002 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
7003 NULL, 0x0, "Number of failed logins", HFILL }},
7005 { &hf_netlogon_country,
7006 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
7007 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
7009 { &hf_netlogon_codepage,
7010 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
7011 NULL, 0x0, "Codepage setting for this account", HFILL }},
7013 { &hf_netlogon_level16,
7014 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
7015 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7017 { &hf_netlogon_validation_level,
7018 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
7019 NULL, 0x0, "Requested level of validation", HFILL }},
7021 { &hf_netlogon_minpasswdlen,
7022 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
7023 NULL, 0x0, "Minimum length of password", HFILL }},
7025 { &hf_netlogon_passwdhistorylen,
7026 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
7027 NULL, 0x0, "Length of password history", HFILL }},
7029 { &hf_netlogon_secure_channel_type,
7030 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
7031 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
7033 { &hf_netlogon_restart_state,
7034 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
7035 NULL, 0x0, "Restart State", HFILL }},
7037 { &hf_netlogon_delta_type,
7038 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
7039 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
7041 { &hf_netlogon_blob_size,
7042 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
7043 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
7045 { &hf_netlogon_code,
7046 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
7047 NULL, 0x0, "Code", HFILL }},
7049 { &hf_netlogon_level,
7050 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
7051 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7053 { &hf_netlogon_reference,
7054 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
7055 NULL, 0x0, "", HFILL }},
7057 { &hf_netlogon_next_reference,
7058 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
7059 NULL, 0x0, "", HFILL }},
7061 { &hf_netlogon_timestamp,
7062 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
7063 NULL, 0, "", HFILL }},
7065 { &hf_netlogon_user_rid,
7066 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
7067 NULL, 0x0, "", HFILL }},
7069 { &hf_netlogon_alias_rid,
7070 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
7071 NULL, 0x0, "", HFILL }},
7073 { &hf_netlogon_group_rid,
7074 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
7075 NULL, 0x0, "", HFILL }},
7077 { &hf_netlogon_num_rids,
7078 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
7079 NULL, 0x0, "Number of RIDs", HFILL }},
7081 { &hf_netlogon_num_controllers,
7082 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
7083 NULL, 0x0, "Number of domain controllers", HFILL }},
7085 { &hf_netlogon_num_other_groups,
7086 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
7087 NULL, 0x0, "", HFILL }},
7089 { &hf_netlogon_flags,
7090 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
7091 NULL, 0x0, "", HFILL }},
7093 { &hf_netlogon_user_account_control,
7094 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
7095 NULL, 0x0, "User Account control", HFILL }},
7097 { &hf_netlogon_user_flags,
7098 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
7099 NULL, 0x0, "User flags", HFILL }},
7101 { &hf_netlogon_auth_flags,
7102 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
7103 NULL, 0x0, "", HFILL }},
7105 { &hf_netlogon_systemflags,
7106 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
7107 NULL, 0x0, "", HFILL }},
7109 { &hf_netlogon_database_id,
7110 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
7111 NULL, 0x0, "Database Id", HFILL }},
7113 { &hf_netlogon_sync_context,
7114 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
7115 NULL, 0x0, "Sync Context", HFILL }},
7117 { &hf_netlogon_max_size,
7118 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
7119 NULL, 0x0, "Max Size of database", HFILL }},
7121 { &hf_netlogon_max_log_size,
7122 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
7123 NULL, 0x0, "Max Size of log", HFILL }},
7125 { &hf_netlogon_pac_size,
7126 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
7127 NULL, 0x0, "Size of PacData in bytes", HFILL }},
7129 { &hf_netlogon_auth_size,
7130 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
7131 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
7133 { &hf_netlogon_num_deltas,
7134 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
7135 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
7137 { &hf_netlogon_num_trusts,
7138 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
7139 NULL, 0x0, "", HFILL }},
7141 { &hf_netlogon_logon_attempts,
7142 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
7143 NULL, 0x0, "Number of logon attempts", HFILL }},
7145 { &hf_netlogon_pagefilelimit,
7146 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
7147 NULL, 0x0, "", HFILL }},
7149 { &hf_netlogon_pagedpoollimit,
7150 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
7151 NULL, 0x0, "", HFILL }},
7153 { &hf_netlogon_nonpagedpoollimit,
7154 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
7155 NULL, 0x0, "", HFILL }},
7157 { &hf_netlogon_minworkingsetsize,
7158 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
7159 NULL, 0x0, "", HFILL }},
7161 { &hf_netlogon_maxworkingsetsize,
7162 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
7163 NULL, 0x0, "", HFILL }},
7165 { &hf_netlogon_serial_number,
7166 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
7167 NULL, 0x0, "", HFILL }},
7169 { &hf_netlogon_neg_flags,
7170 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
7171 NULL, 0x0, "Negotiation Flags", HFILL }},
7173 { &hf_netlogon_dc_flags,
7174 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
7175 NULL, 0x0, "Domain Controller Flags", HFILL }},
7177 { &hf_netlogon_dc_flags_pdc_flag,
7178 { "PDC", "netlogon.dc.flags.pdc",
7179 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
7180 "If this server is a PDC", HFILL }},
7182 { &hf_netlogon_dc_flags_gc_flag,
7183 { "GC", "netlogon.dc.flags.gc",
7184 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
7185 "If this server is a GC", HFILL }},
7187 { &hf_netlogon_dc_flags_ldap_flag,
7188 { "LDAP", "netlogon.dc.flags.ldap",
7189 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
7190 "If this is an LDAP server", HFILL }},
7192 { &hf_netlogon_dc_flags_ds_flag,
7193 { "DS", "netlogon.dc.flags.ds",
7194 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
7195 "If this server is a DS", HFILL }},
7197 { &hf_netlogon_dc_flags_kdc_flag,
7198 { "KDC", "netlogon.dc.flags.kdc",
7199 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
7200 "If this is a KDC", HFILL }},
7202 { &hf_netlogon_dc_flags_timeserv_flag,
7203 { "Timeserv", "netlogon.dc.flags.timeserv",
7204 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
7205 "If this server is a TimeServer", HFILL }},
7207 { &hf_netlogon_dc_flags_closest_flag,
7208 { "Closest", "netlogon.dc.flags.closest",
7209 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
7210 "If this is the closest server", HFILL }},
7212 { &hf_netlogon_dc_flags_writable_flag,
7213 { "Writable", "netlogon.dc.flags.writable",
7214 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
7215 "If this server can do updates to the database", HFILL }},
7217 { &hf_netlogon_dc_flags_good_timeserv_flag,
7218 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
7219 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
7220 "If this is a Good TimeServer", HFILL }},
7222 { &hf_netlogon_dc_flags_ndnc_flag,
7223 { "NDNC", "netlogon.dc.flags.ndnc",
7224 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
7225 "If this is an NDNC server", HFILL }},
7227 { &hf_netlogon_dc_flags_dns_controller_flag,
7228 { "DNS Controller", "netlogon.dc.flags.dns_controller",
7229 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
7230 "If this server is a DNS Controller", HFILL }},
7232 { &hf_netlogon_dc_flags_dns_domain_flag,
7233 { "DNS Domain", "netlogon.dc.flags.dns_domain",
7234 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
7237 { &hf_netlogon_dc_flags_dns_forest_flag,
7238 { "DNS Forest", "netlogon.dc.flags.dns_forest",
7239 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
7242 { &hf_netlogon_get_dcname_request_flags,
7243 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
7244 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
7246 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
7247 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
7248 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
7249 "Whether to allow the server to returned cached information or not", HFILL }},
7251 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
7252 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
7253 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
7254 "Whether we require that the returned DC supports w2k or not", HFILL }},
7256 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
7257 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
7258 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
7259 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
7261 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
7262 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
7263 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
7264 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
7266 { &hf_netlogon_get_dcname_request_flags_pdc_required,
7267 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
7268 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
7269 "Whether we require the returned DC to be the PDC", HFILL }},
7271 { &hf_netlogon_get_dcname_request_flags_background_only,
7272 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
7273 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
7274 "If we want cached data, even if it may have expired", HFILL }},
7276 { &hf_netlogon_get_dcname_request_flags_ip_required,
7277 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
7278 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
7279 "If we requre the IP of the DC in the reply", HFILL }},
7281 { &hf_netlogon_get_dcname_request_flags_kdc_required,
7282 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
7283 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
7284 "If we require that the returned server is a KDC", HFILL }},
7286 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
7287 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
7288 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
7289 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
7291 { &hf_netlogon_get_dcname_request_flags_writable_required,
7292 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
7293 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
7294 "If we require that the return server is writable", HFILL }},
7296 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
7297 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
7298 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
7299 "If we prefer Windows Time Servers", HFILL }},
7301 { &hf_netlogon_get_dcname_request_flags_avoid_self,
7302 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
7303 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
7304 "Return another DC than the one we ask", HFILL }},
7306 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
7307 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
7308 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
7309 "We just want an LDAP server, it does not have to be a DC", HFILL }},
7311 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
7312 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
7313 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
7314 "If the specified domain name is a NetBIOS name", HFILL }},
7316 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
7317 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
7318 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
7319 "If the specified domain name is a DNS name", HFILL }},
7321 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
7322 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
7323 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
7324 "Only return a DNS name (or an error)", HFILL }},
7326 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
7327 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
7328 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
7329 "Only return a NetBIOS name (or an error)", HFILL }},
7331 { &hf_netlogon_trust_attribs,
7332 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
7333 NULL, 0x0, "Trust Attributes", HFILL }},
7335 { &hf_netlogon_trust_type,
7336 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
7337 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
7339 { &hf_netlogon_trust_flags,
7340 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
7341 NULL, 0x0, "Trust Flags", HFILL }},
7343 { &hf_netlogon_trust_flags_inbound,
7344 { "Inbound Trust", "netlogon.trust.flags.inbound",
7345 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
7346 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
7348 { &hf_netlogon_trust_flags_outbound,
7349 { "Outbound Trust", "netlogon.trust.flags.outbound",
7350 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
7351 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
7353 { &hf_netlogon_trust_flags_in_forest,
7354 { "In Forest", "netlogon.trust.flags.in_forest",
7355 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
7356 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
7358 { &hf_netlogon_trust_flags_native_mode,
7359 { "Native Mode", "netlogon.trust.flags.native_mode",
7360 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
7361 "Whether the domain is a w2k native mode domain or not", HFILL }},
7363 { &hf_netlogon_trust_flags_primary,
7364 { "Primary", "netlogon.trust.flags.primary",
7365 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
7366 "Whether the domain is the primary domain for the queried server or not", HFILL }},
7368 { &hf_netlogon_trust_flags_tree_root,
7369 { "Tree Root", "netlogon.trust.flags.tree_root",
7370 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
7371 "Whether the domain is the root of the tree for the queried server", HFILL }},
7373 { &hf_netlogon_trust_parent_index,
7374 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
7375 NULL, 0x0, "Parent Index", HFILL }},
7377 { &hf_netlogon_logon_time,
7378 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
7379 NULL, 0, "Time for last time this user logged on", HFILL }},
7381 { &hf_netlogon_kickoff_time,
7382 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7383 NULL, 0, "Time when this user will be kicked off", HFILL }},
7385 { &hf_netlogon_logoff_time,
7386 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7387 NULL, 0, "Time for last time this user logged off", HFILL }},
7389 { &hf_netlogon_pwd_last_set_time,
7390 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7391 NULL, 0, "Last time this users password was changed", HFILL }},
7393 { &hf_netlogon_pwd_can_change_time,
7394 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7395 NULL, 0, "When this users password may be changed", HFILL }},
7397 { &hf_netlogon_pwd_must_change_time,
7398 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7399 NULL, 0, "When this users password must be changed", HFILL }},
7401 { &hf_netlogon_domain_create_time,
7402 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7403 NULL, 0, "Time when this domain was created", HFILL }},
7405 { &hf_netlogon_domain_modify_time,
7406 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7407 NULL, 0, "Time when this domain was last modified", HFILL }},
7409 { &hf_netlogon_db_modify_time,
7410 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7411 NULL, 0, "Time when last modified", HFILL }},
7413 { &hf_netlogon_db_create_time,
7414 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7415 NULL, 0, "Time when created", HFILL }},
7417 { &hf_netlogon_cipher_current_set_time,
7418 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7419 NULL, 0, "Time when current cipher was initiated", HFILL }},
7421 { &hf_netlogon_cipher_old_set_time,
7422 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7423 NULL, 0, "Time when previous cipher was initiated", HFILL }},
7425 { &hf_netlogon_audit_retention_period,
7426 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
7427 NULL, 0, "Audit retention period", HFILL }},
7429 { &hf_netlogon_guid,
7430 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
7431 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
7433 { &hf_netlogon_timelimit,
7434 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
7435 NULL, 0, "", HFILL }},
7437 /* Secure channel dissection */
7439 { &hf_netlogon_secchan_bind_unknown1,
7440 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7441 NULL, 0x0, "", HFILL }},
7443 { &hf_netlogon_secchan_bind_unknown2,
7444 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7445 NULL, 0x0, "", HFILL }},
7447 { &hf_netlogon_secchan_domain,
7448 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7449 NULL, 0, "", HFILL }},
7451 { &hf_netlogon_secchan_host,
7452 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7453 NULL, 0, "", HFILL }},
7455 { &hf_netlogon_secchan_bind_ack_unknown1,
7456 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
7457 BASE_HEX, NULL, 0x0, "", HFILL }},
7459 { &hf_netlogon_secchan_bind_ack_unknown2,
7460 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
7461 BASE_HEX, NULL, 0x0, "", HFILL }},
7463 { &hf_netlogon_secchan_bind_ack_unknown3,
7464 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
7465 BASE_HEX, NULL, 0x0, "", HFILL }},
7467 { &hf_netlogon_secchan_verf,
7468 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
7469 NULL, 0x0, "Verifier", HFILL }},
7471 { &hf_netlogon_secchan_verf_sig,
7472 { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL,
7473 0x0, "Signature", HFILL }},
7475 { &hf_netlogon_secchan_verf_unk,
7476 { "Unknown", "netlogon.secchan.unk", FT_BYTES, BASE_HEX, NULL,
7477 0x0, "Unknown", HFILL }},
7479 { &hf_netlogon_secchan_verf_seq,
7480 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL,
7481 0x0, "Sequence No", HFILL }},
7483 { &hf_netlogon_secchan_verf_nonce,
7484 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL,
7485 0x0, "Nonce", HFILL }},
7487 { &hf_netlogon_group_attrs_mandatory,
7488 { "Mandatory", "netlogon.groups.attrs.mandatory",
7489 FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
7490 "The group attributes MANDATORY flag", HFILL }},
7492 { &hf_netlogon_group_attrs_enabled_by_default,
7493 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
7494 FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
7495 "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
7497 { &hf_netlogon_group_attrs_enabled,
7498 { "Enabled", "netlogon.groups.attrs.enabled",
7499 FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
7500 "The group attributes ENABLED flag", HFILL }},
7502 { &hf_netlogon_user_flags_extra_sids,
7503 { "Extra SIDs", "netlogon.user.flags.extra_sids",
7504 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
7505 "The user flags EXTRA_SIDS", HFILL }},
7507 { &hf_netlogon_user_flags_resource_groups,
7508 { "Resource Groups", "netlogon.user.flags.resource_groups",
7509 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
7510 "The user flags RESOURCE_GROUPS", HFILL }},
7512 { &hf_netlogon_user_account_control_dont_require_preauth,
7513 { "Dont Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
7514 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
7515 "The user account control DONT_REQUIRE_PREAUTH flag ", HFILL }},
7517 { &hf_netlogon_user_account_control_use_des_key_only,
7518 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
7519 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
7520 "The user account control use_des_key_only flag ", HFILL }},
7522 { &hf_netlogon_user_account_control_not_delegated,
7523 { "Not Delegated", "netlogon.user.account_control.not_delegated",
7524 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
7525 "The user account control not_delegated flag ", HFILL }},
7527 { &hf_netlogon_user_account_control_trusted_for_delegation,
7528 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
7529 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
7530 "The user account control trusted_for_delegation flag ", HFILL }},
7532 { &hf_netlogon_user_account_control_smartcard_required,
7533 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
7534 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
7535 "The user account control smartcard_required flag ", HFILL }},
7537 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
7538 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
7539 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
7540 "The user account control encrypted_text_password_allowed flag ", HFILL }},
7542 { &hf_netlogon_user_account_control_account_auto_locked,
7543 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
7544 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
7545 "The user account control account_auto_locked flag ", HFILL }},
7547 { &hf_netlogon_user_account_control_dont_expire_password,
7548 { "Dont Expire Password", "netlogon.user.account_control.dont_expire_password",
7549 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
7550 "The user account control dont_expire_password flag ", HFILL }},
7552 { &hf_netlogon_user_account_control_server_trust_account,
7553 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
7554 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
7555 "The user account control server_trust_account flag ", HFILL }},
7557 { &hf_netlogon_user_account_control_workstation_trust_account,
7558 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
7559 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
7560 "The user account control workstation_trust_account flag ", HFILL }},
7562 { &hf_netlogon_user_account_control_interdomain_trust_account,
7563 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
7564 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
7565 "The user account control interdomain_trust_account flag ", HFILL }},
7567 { &hf_netlogon_user_account_control_mns_logon_account,
7568 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
7569 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
7570 "The user account control mns_logon_account flag ", HFILL }},
7572 { &hf_netlogon_user_account_control_normal_account,
7573 { "Normal Account", "netlogon.user.account_control.normal_account",
7574 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
7575 "The user account control normal_account flag ", HFILL }},
7577 { &hf_netlogon_user_account_control_temp_duplicate_account,
7578 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
7579 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
7580 "The user account control temp_duplicate_account flag ", HFILL }},
7582 { &hf_netlogon_user_account_control_password_not_required,
7583 { "Password Not Required", "netlogon.user.account_control.password_not_required",
7584 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
7585 "The user account control password_not_required flag ", HFILL }},
7587 { &hf_netlogon_user_account_control_home_directory_required,
7588 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
7589 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
7590 "The user account control home_directory_required flag ", HFILL }},
7592 { &hf_netlogon_user_account_control_account_disabled,
7593 { "Account Disabled", "netlogon.user.account_control.account_disabled",
7594 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
7595 "The user account control account_disabled flag ", HFILL }},
7599 static gint *ett[] = {
7600 &ett_dcerpc_netlogon,
7606 &ett_DOMAIN_CONTROLLER_INFO,
7607 &ett_UNICODE_STRING_512,
7610 &ett_DELTA_ID_UNION,
7613 &ett_LM_OWF_PASSWORD,
7614 &ett_NT_OWF_PASSWORD,
7615 &ett_GROUP_MEMBERSHIP,
7616 &ett_DS_DOMAIN_TRUSTS,
7618 &ett_DOMAIN_TRUST_INFO,
7620 &ett_get_dcname_request_flags,
7622 &ett_secchan_bind_creds,
7623 &ett_secchan_bind_ack_creds,
7627 &ett_user_account_control
7630 proto_dcerpc_netlogon = proto_register_protocol(
7631 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7633 proto_register_field_array(proto_dcerpc_netlogon, hf,
7635 proto_register_subtree_array(ett, array_length(ett));
/*
 * Callback table for the secure channel authentication sub-dissector.
 * Slots are positional; the per-entry comments name them. Bind and
 * Bind ACK credentials have dedicated dissectors, and the same
 * dissect_secchan_verf routine handles both the request and the
 * response verifier.
 *
 * The request/response data slots are NULL, so this table supplies no
 * handler for the protected stub data itself.
 * NOTE(review): for traffic at DCE_C_AUTHN_LEVEL_PKT_PRIVACY that
 * presumably leaves the sealed payload undissected, so only the verifier
 * fields (signature, sequence number, nonce) are available when
 * analysing a capture -- confirm against the DCE-RPC core.
 * NOTE(review): presumably this is the table registered for
 * DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN in
 * proto_reg_handoff_dcerpc_netlogon(); the argument is not visible in
 * this listing.
 */
7638 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
7639 dissect_secchan_bind_creds, /* Bind */
7640 dissect_secchan_bind_ack_creds, /* Bind ACK */
7642 dissect_secchan_verf, /* Request verifier */
7643 dissect_secchan_verf, /* Response verifier */
7644 NULL, /* Request data */
7645 NULL /* Response data */
7649 proto_reg_handoff_dcerpc_netlogon(void)
7651 /* Register protocol as dcerpc */
7653 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7654 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7655 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
7657 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
7658 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7660 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
7661 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,