1 /* packet-dcerpc-netlogon.c
2  * Routines for SMB \PIPE\NETLOGON packet disassembly
3  * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4  *  2002 structure and command dissectors by Ronnie Sahlberg
5  *
6  * $Id: packet-dcerpc-netlogon.c,v 1.100 2004/04/08 10:21:10 sahlberg Exp $
7  *
8  * Ethereal - Network traffic analyzer
9  * By Gerald Combs <gerald@ethereal.com>
10  * Copyright 1998 Gerald Combs
11  *
12  * This program is free software; you can redistribute it and/or
13  * modify it under the terms of the GNU General Public License
14  * as published by the Free Software Foundation; either version 2
15  * of the License, or (at your option) any later version.
16  *
17  * This program is distributed in the hope that it will be useful,
18  * but WITHOUT ANY WARRANTY; without even the implied warranty of
19  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
20  * GNU General Public License for more details.
21  *
22  * You should have received a copy of the GNU General Public License
23  * along with this program; if not, write to the Free Software
24  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
25  */
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #include <glib.h>
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h"        /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
39
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_group_attrs_mandatory = -1;
42 static int hf_netlogon_group_attrs_enabled_by_default = -1;
43 static int hf_netlogon_group_attrs_enabled = -1;
44 static int hf_netlogon_opnum = -1;
45 static int hf_netlogon_guid = -1;
46 static int hf_netlogon_rc = -1;
47 static int hf_netlogon_len = -1;
48 static int hf_netlogon_sensitive_data_flag = -1;
49 static int hf_netlogon_sensitive_data_len = -1;
50 static int hf_netlogon_sensitive_data = -1;
51 static int hf_netlogon_security_information = -1;
52 static int hf_netlogon_dummy = -1;
53 static int hf_netlogon_neg_flags = -1;
54 static int hf_netlogon_minworkingsetsize = -1;
55 static int hf_netlogon_maxworkingsetsize = -1;
56 static int hf_netlogon_pagedpoollimit = -1;
57 static int hf_netlogon_pagefilelimit = -1;
58 static int hf_netlogon_timelimit = -1;
59 static int hf_netlogon_nonpagedpoollimit = -1;
60 static int hf_netlogon_pac_size = -1;
61 static int hf_netlogon_pac_data = -1;
62 static int hf_netlogon_auth_size = -1;
63 static int hf_netlogon_auth_data = -1;
64 static int hf_netlogon_cipher_len = -1;
65 static int hf_netlogon_cipher_maxlen = -1;
66 static int hf_netlogon_cipher_current_data = -1;
67 static int hf_netlogon_cipher_current_set_time = -1;
68 static int hf_netlogon_cipher_old_data = -1;
69 static int hf_netlogon_cipher_old_set_time = -1;
70 static int hf_netlogon_priv = -1;
71 static int hf_netlogon_privilege_entries = -1;
72 static int hf_netlogon_privilege_control = -1;
73 static int hf_netlogon_privilege_name = -1;
74 static int hf_netlogon_systemflags = -1;
75 static int hf_netlogon_pdc_connection_status = -1;
76 static int hf_netlogon_tc_connection_status = -1;
77 static int hf_netlogon_restart_state = -1;
78 static int hf_netlogon_attrs = -1;
79 static int hf_netlogon_count = -1;
80 static int hf_netlogon_entries = -1;
81 static int hf_netlogon_minpasswdlen = -1;
82 static int hf_netlogon_passwdhistorylen = -1;
83 static int hf_netlogon_level16 = -1;
84 static int hf_netlogon_validation_level = -1;
85 static int hf_netlogon_reference = -1;
86 static int hf_netlogon_next_reference = -1;
87 static int hf_netlogon_timestamp = -1;
88 static int hf_netlogon_level = -1;
89 static int hf_netlogon_challenge = -1;
90 static int hf_netlogon_reserved = -1;
91 static int hf_netlogon_audit_retention_period = -1;
92 static int hf_netlogon_auditing_mode = -1;
93 static int hf_netlogon_max_audit_event_count = -1;
94 static int hf_netlogon_event_audit_option = -1;
95 static int hf_netlogon_unknown_string = -1;
96 static int hf_netlogon_unknown_long = -1;
97 static int hf_netlogon_unknown_short = -1;
98 static int hf_netlogon_unknown_char = -1;
99 static int hf_netlogon_logon_time = -1;
100 static int hf_netlogon_logoff_time = -1;
101 static int hf_netlogon_kickoff_time = -1;
102 static int hf_netlogon_pwd_last_set_time = -1;
103 static int hf_netlogon_pwd_can_change_time = -1;
104 static int hf_netlogon_pwd_must_change_time = -1;
105 static int hf_netlogon_nt_chal_resp = -1;
106 static int hf_netlogon_lm_chal_resp = -1;
107 static int hf_netlogon_credential = -1;
108 static int hf_netlogon_acct_name = -1;
109 static int hf_netlogon_acct_desc = -1;
110 static int hf_netlogon_group_desc = -1;
111 static int hf_netlogon_full_name = -1;
112 static int hf_netlogon_comment = -1;
113 static int hf_netlogon_parameters = -1;
114 static int hf_netlogon_logon_script = -1;
115 static int hf_netlogon_profile_path = -1;
116 static int hf_netlogon_home_dir = -1;
117 static int hf_netlogon_dir_drive = -1;
118 static int hf_netlogon_logon_count = -1;
119 static int hf_netlogon_logon_count16 = -1;
120 static int hf_netlogon_bad_pw_count = -1;
121 static int hf_netlogon_bad_pw_count16 = -1;
122 static int hf_netlogon_user_rid = -1;
123 static int hf_netlogon_alias_rid = -1;
124 static int hf_netlogon_group_rid = -1;
125 static int hf_netlogon_logon_srv = -1;
126 static int hf_netlogon_principal = -1;
127 static int hf_netlogon_logon_dom = -1;
128 static int hf_netlogon_resourcegroupdomainsid = -1;
129 static int hf_netlogon_resourcegroupcount = -1;
130 static int hf_netlogon_downlevel_domain_name = -1;
131 static int hf_netlogon_dns_domain_name = -1;
132 static int hf_netlogon_domain_name = -1;
133 static int hf_netlogon_domain_create_time = -1;
134 static int hf_netlogon_domain_modify_time = -1;
135 static int hf_netlogon_modify_count = -1;
136 static int hf_netlogon_db_modify_time = -1;
137 static int hf_netlogon_db_create_time = -1;
138 static int hf_netlogon_oem_info = -1;
139 static int hf_netlogon_serial_number = -1;
140 static int hf_netlogon_num_rids = -1;
141 static int hf_netlogon_num_trusts = -1;
142 static int hf_netlogon_num_controllers = -1;
143 static int hf_netlogon_num_other_groups = -1;
144 static int hf_netlogon_computer_name = -1;
145 static int hf_netlogon_site_name = -1;
146 static int hf_netlogon_trusted_dc_name = -1;
147 static int hf_netlogon_dc_name = -1;
148 static int hf_netlogon_dc_site_name = -1;
149 static int hf_netlogon_dns_forest_name = -1;
150 static int hf_netlogon_dc_address = -1;
151 static int hf_netlogon_dc_address_type = -1;
152 static int hf_netlogon_client_site_name = -1;
153 static int hf_netlogon_workstation = -1;
154 static int hf_netlogon_workstation_site_name = -1;
155 static int hf_netlogon_workstation_os = -1;
156 static int hf_netlogon_workstations = -1;
157 static int hf_netlogon_workstation_fqdn = -1;
158 static int hf_netlogon_group_name = -1;
159 static int hf_netlogon_alias_name = -1;
160 static int hf_netlogon_country = -1;
161 static int hf_netlogon_codepage = -1;
162 static int hf_netlogon_flags = -1;
163 static int hf_netlogon_trust_attribs = -1;
164 static int hf_netlogon_trust_type = -1;
165 static int hf_netlogon_trust_flags = -1;
166 static int hf_netlogon_trust_flags_inbound = -1;
167 static int hf_netlogon_trust_flags_outbound = -1;
168 static int hf_netlogon_trust_flags_in_forest = -1;
169 static int hf_netlogon_trust_flags_native_mode = -1;
170 static int hf_netlogon_trust_flags_primary = -1;
171 static int hf_netlogon_trust_flags_tree_root = -1;
172 static int hf_netlogon_trust_parent_index = -1;
173 static int hf_netlogon_user_account_control = -1;
174 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
175 static int hf_netlogon_user_account_control_use_des_key_only = -1;
176 static int hf_netlogon_user_account_control_not_delegated = -1;
177 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
178 static int hf_netlogon_user_account_control_smartcard_required = -1;
179 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
180 static int hf_netlogon_user_account_control_account_auto_locked = -1;
181 static int hf_netlogon_user_account_control_dont_expire_password = -1;
182 static int hf_netlogon_user_account_control_server_trust_account = -1;
183 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
184 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
185 static int hf_netlogon_user_account_control_mns_logon_account = -1;
186 static int hf_netlogon_user_account_control_normal_account = -1;
187 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
188 static int hf_netlogon_user_account_control_password_not_required = -1;
189 static int hf_netlogon_user_account_control_home_directory_required = -1;
190 static int hf_netlogon_user_account_control_account_disabled = -1;
191 static int hf_netlogon_user_flags = -1;
192 static int hf_netlogon_user_flags_extra_sids = -1;
193 static int hf_netlogon_user_flags_resource_groups = -1;
194 static int hf_netlogon_auth_flags = -1;
195 static int hf_netlogon_pwd_expired = -1;
196 static int hf_netlogon_nt_pwd_present = -1;
197 static int hf_netlogon_lm_pwd_present = -1;
198 static int hf_netlogon_code = -1;
199 static int hf_netlogon_database_id = -1;
200 static int hf_netlogon_sync_context = -1;
201 static int hf_netlogon_max_size = -1;
202 static int hf_netlogon_max_log_size = -1;
203 static int hf_netlogon_dns_host = -1;
204 static int hf_netlogon_acct_expiry_time = -1;
205 static int hf_netlogon_encrypted_lm_owf_password = -1;
206 static int hf_netlogon_lm_owf_password = -1;
207 static int hf_netlogon_nt_owf_password = -1;
208 static int hf_netlogon_param_ctrl = -1;
209 static int hf_netlogon_logon_id = -1;
210 static int hf_netlogon_num_deltas = -1;
211 static int hf_netlogon_user_session_key = -1;
212 static int hf_netlogon_blob_size = -1;
213 static int hf_netlogon_blob = -1;
214 static int hf_netlogon_logon_attempts = -1;
215 static int hf_netlogon_authoritative = -1;
216 static int hf_netlogon_secure_channel_type = -1;
217 static int hf_netlogon_logonsrv_handle = -1;
218 static int hf_netlogon_delta_type = -1;
219 static int hf_netlogon_get_dcname_request_flags = -1;
220 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
221 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
222 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
223 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
224 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
225 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
226 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
227 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
228 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
229 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
230 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
231 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
232 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
233 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
234 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
235 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
236 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
237 static int hf_netlogon_dc_flags = -1;
238 static int hf_netlogon_dc_flags_pdc_flag = -1;
239 static int hf_netlogon_dc_flags_gc_flag = -1;
240 static int hf_netlogon_dc_flags_ldap_flag = -1;
241 static int hf_netlogon_dc_flags_ds_flag = -1;
242 static int hf_netlogon_dc_flags_kdc_flag = -1;
243 static int hf_netlogon_dc_flags_timeserv_flag = -1;
244 static int hf_netlogon_dc_flags_closest_flag = -1;
245 static int hf_netlogon_dc_flags_writable_flag = -1;
246 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
247 static int hf_netlogon_dc_flags_ndnc_flag = -1;
248 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
249 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
250 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
251
/*
 * Subtree handles used when a dissector opens a nested tree for a
 * structure or bitmask.  All start at -1.
 * NOTE(review): presumably assigned at registration time, outside this
 * view -- confirm.
 */
static gint ett_dcerpc_netlogon = -1;
static gint ett_group_attrs = -1;
static gint ett_user_flags = -1;
static gint ett_user_account_control = -1;
static gint ett_QUOTA_LIMITS = -1;
static gint ett_IDENTITY_INFO = -1;
static gint ett_DELTA_ENUM = -1;
static gint ett_CYPHER_VALUE = -1;
static gint ett_UNICODE_MULTI = -1;
static gint ett_DOMAIN_CONTROLLER_INFO = -1;
static gint ett_UNICODE_STRING_512 = -1;
static gint ett_TYPE_50 = -1;
static gint ett_TYPE_52 = -1;
static gint ett_DELTA_ID_UNION = -1;
static gint ett_TYPE_44 = -1;
static gint ett_DELTA_UNION = -1;
static gint ett_LM_OWF_PASSWORD = -1;
static gint ett_NT_OWF_PASSWORD = -1;
static gint ett_GROUP_MEMBERSHIP = -1;
static gint ett_BLOB = -1;
static gint ett_DS_DOMAIN_TRUSTS = -1;
static gint ett_DOMAIN_TRUST_INFO = -1;
static gint ett_trust_flags = -1;
static gint ett_get_dcname_request_flags = -1;
static gint ett_dc_flags = -1;
277
/* Interface UUID of the NETLOGON DCE/RPC interface handled by this file. */
static e_uuid_t uuid_dcerpc_netlogon = {
        0x12345678,
        0x1234,
        0xabcd,
        { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
};

/* Interface version that goes with the UUID above. */
static guint16 ver_dcerpc_netlogon = 1;
284
285
/*
 * Display strings for the individual USER_ACCOUNT_CONTROL bits.  In each
 * pair the first string reads as the "bit set" text and the second as the
 * "bit clear" text.
 *
 * When auditing a capture, the bits that relax authentication for an
 * account (no preauthentication, DES-only keys, no password required,
 * trusted for delegation) are the ones worth checking first.
 */
static const true_false_string user_account_control_dont_require_preauth = {
        "This account DONT_REQUIRE_PREAUTHENTICATION",
        "This account REQUIRES preauthentication",
};

static const true_false_string user_account_control_use_des_key_only = {
        "This account must USE_DES_KEY_ONLY for passwords",
        "This account does NOT have to use_des_key_only",
};

static const true_false_string user_account_control_not_delegated = {
        "This account is NOT_DELEGATED",
        "This might have been delegated",
};

static const true_false_string user_account_control_trusted_for_delegation = {
        "This account is TRUSTED_FOR_DELEGATION",
        "This account is NOT trusted_for_delegation",
};

static const true_false_string user_account_control_smartcard_required = {
        "This account REQUIRES_SMARTCARD to authenticate",
        "This account does NOT require_smartcard to authenticate",
};

static const true_false_string user_account_control_encrypted_text_password_allowed = {
        "This account allows ENCRYPTED_TEXT_PASSWORD",
        "This account does NOT allow encrypted_text_password",
};

static const true_false_string user_account_control_account_auto_locked = {
        "This account is AUTO_LOCKED",
        "This account is NOT auto_locked",
};

static const true_false_string user_account_control_dont_expire_password = {
        "This account DONT_EXPIRE_PASSWORDs",
        "This account might expire_passwords",
};

static const true_false_string user_account_control_server_trust_account = {
        "This account is a SERVER_TRUST_ACCOUNT",
        "This account is NOT a server_trust_account",
};

static const true_false_string user_account_control_workstation_trust_account = {
        "This account is a WORKSTATION_TRUST_ACCOUNT",
        "This account is NOT a workstation_trust_account",
};

static const true_false_string user_account_control_interdomain_trust_account = {
        "This account is an INTERDOMAIN_TRUST_ACCOUNT",
        "This account is NOT an interdomain_trust_account",
};

static const true_false_string user_account_control_mns_logon_account = {
        "This account is a MNS_LOGON_ACCOUNT",
        "This account is NOT a mns_logon_account",
};

static const true_false_string user_account_control_normal_account = {
        "This account is a NORMAL_ACCOUNT",
        "This account is NOT a normal_account",
};

static const true_false_string user_account_control_temp_duplicate_account = {
        "This account is a TEMP_DUPLICATE_ACCOUNT",
        "This account is NOT a temp_duplicate_account",
};

static const true_false_string user_account_control_password_not_required = {
        "This account REQUIRES_NO_PASSWORD",
        "This account REQUIRES a password",
};

static const true_false_string user_account_control_home_directory_required = {
        "This account REQUIRES_HOME_DIRECTORY",
        "This account does NOT require_home_directory",
};

static const true_false_string user_account_control_account_disabled = {
        "This account is DISABLED",
        "This account is NOT disabled",
};
/*
 * Dissect the 32-bit USER_ACCOUNT_CONTROL mask: read the value, add it to
 * parent_tree as one item, and list every flag bit underneath it.
 *
 * Returns the offset following the mask, or the unchanged offset during a
 * conformant run.
 *
 * NOTE(review): pinfo->private_data is dereferenced without a NULL check;
 * this assumes the DCE/RPC layer always sets it before calling in -- confirm.
 */
static int
netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
{
        /* Flag fields in the order they are added to the subtree. */
        static const int *const uac_flag_fields[] = {
                &hf_netlogon_user_account_control_dont_require_preauth,
                &hf_netlogon_user_account_control_use_des_key_only,
                &hf_netlogon_user_account_control_not_delegated,
                &hf_netlogon_user_account_control_trusted_for_delegation,
                &hf_netlogon_user_account_control_smartcard_required,
                &hf_netlogon_user_account_control_encrypted_text_password_allowed,
                &hf_netlogon_user_account_control_account_auto_locked,
                &hf_netlogon_user_account_control_dont_expire_password,
                &hf_netlogon_user_account_control_server_trust_account,
                &hf_netlogon_user_account_control_workstation_trust_account,
                &hf_netlogon_user_account_control_interdomain_trust_account,
                &hf_netlogon_user_account_control_mns_logon_account,
                &hf_netlogon_user_account_control_normal_account,
                &hf_netlogon_user_account_control_temp_duplicate_account,
                &hf_netlogon_user_account_control_password_not_required,
                &hf_netlogon_user_account_control_home_directory_required,
                &hf_netlogon_user_account_control_account_disabled
        };
        dcerpc_info *rpc_info = pinfo->private_data;
        proto_tree *uac_tree = NULL;
        guint32 uac_bits;
        int mask_start;
        guint idx;

        /* A conformant run only sizes arrays; there is nothing to show. */
        if (rpc_info->conformant_run) {
                return offset;
        }

        /* Fetch the value without adding an item (NULL tree); the item is
         * created by hand below so that it can own the flag subtree. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
                hf_netlogon_user_account_control, &uac_bits);
        mask_start = offset - 4;

        if (parent_tree) {
                proto_item *uac_item;

                uac_item = proto_tree_add_uint(parent_tree,
                        hf_netlogon_user_account_control,
                        tvb, mask_start, 4, uac_bits);
                uac_tree = proto_item_add_subtree(uac_item,
                        ett_user_account_control);
        }

        /* Every flag item covers the same four bytes as the mask itself. */
        for (idx = 0; idx < sizeof uac_flag_fields / sizeof uac_flag_fields[0]; idx++) {
                proto_tree_add_boolean(uac_tree, *uac_flag_fields[idx],
                        tvb, mask_start, 4, uac_bits);
        }

        return offset;
}
414
415
/*
 * Dissect the server handle that opens several NETLOGON requests: a unique
 * pointer to a string, shown under the label "Server Handle".
 *
 * Returns the offset reported by the string-pointer dissector.
 */
static int
netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Server Handle",
                hf_netlogon_logonsrv_handle, 0);
}
427
/*
 * IDL typedef struct {
 * IDL    [unique][string] wchar_t *effective_name;
 * IDL    long priv;
 * IDL    long auth_flags;
 * IDL    long logon_count;
 * IDL    long bad_pw_count;
 * IDL    long last_logon;
 * IDL    long last_logoff;
 * IDL    long logoff_time;
 * IDL    long kickoff_time;
 * IDL    long password_age;
 * IDL    long pw_can_change;
 * IDL    long pw_must_change;
 * IDL    [unique][string] wchar_t *computer;
 * IDL    [unique][string] wchar_t *domain;
 * IDL    [unique][string] wchar_t *script_path;
 * IDL    long reserved;
 * IDL } VALIDATION_UAS_INFO;
 */
/*
 * Dissect a VALIDATION_UAS_INFO structure: the effective account name,
 * four 32-bit counters/flags, seven 32-bit time values whose format is not
 * known, three string pointers and a reserved 32-bit field.
 *
 * Returns the offset following the structure, or the unchanged offset
 * during a conformant run.
 *
 * NOTE(review): pinfo->private_data is dereferenced without a NULL check;
 * this assumes the DCE/RPC layer always sets it before calling in -- confirm.
 */
static int
netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        /*
         * XXX - are these all UNIX "time_t"s, like the time stamps in
         * credentials?  Or are they, as per some RAP-based operations,
         * UTIMEs?  Until that is known each one is shown as a labelled
         * 4-byte placeholder.
         */
        static const char *const unknown_time_labels[] = {
                "Last Logon: unknown time format",
                "Last Logoff: unknown time format",
                "Logoff Time: unknown time format",
                "Kickoff Time: unknown time format",
                "Password Age: unknown time format",
                "PW Can Change: unknown time format",
                "PW Must Change: unknown time format"
        };
        dcerpc_info *rpc_info = pinfo->private_data;
        guint idx;

        /* A conformant run only sizes arrays; there is nothing to show. */
        if (rpc_info->conformant_run) {
                return offset;
        }

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Effective Account",
                hf_netlogon_acct_name, 0);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_priv, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_auth_flags, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_count, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_bad_pw_count, NULL);

        /* The offset is advanced by hand here: these fields are labelled
         * as text only, so no NDR helper consumes the bytes. */
        for (idx = 0; idx < sizeof unknown_time_labels / sizeof unknown_time_labels[0]; idx++) {
                proto_tree_add_text(tree, tvb, offset, 4, "%s",
                        unknown_time_labels[idx]);
                offset += 4;
        }

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_reserved, NULL);
}
515
516 /*
517  * IDL long NetrLogonUasLogon(
518  * IDL      [in][unique][string] wchar_t *ServerName,
519  * IDL      [in][ref][string] wchar_t *UserName,
520  * IDL      [in][ref][string] wchar_t *Workstation,
521  * IDL      [out][unique] VALIDATION_UAS_INFO *info
522  * IDL );
523  */
/*
 * Dissect a NetrLogonUasLogon request: the server handle followed by the
 * account name and workstation name, both reference pointers to strings.
 *
 * Returns the offset following the last argument.
 */
static int
netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int cursor;

        cursor = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
        cursor = dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, drep,
                NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
        cursor = dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, drep,
                NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);

        return cursor;
}
539
540
/*
 * Dissect a NetrLogonUasLogon reply: a unique pointer to a
 * VALIDATION_UAS_INFO structure followed by the NT status return code.
 *
 * Returns the offset following the status code.
 */
static int
netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int cursor;

        cursor = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
                "VALIDATION_UAS_INFO", -1);

        return dissect_ntstatus(tvb, cursor, pinfo, tree, drep,
                hf_netlogon_rc, NULL);
}
554
555 /*
556  * IDL typedef struct {
557  * IDL   long duration;
558  * IDL   short logon_count;
559  * IDL } LOGOFF_UAS_INFO;
560  */
/*
 * Dissect a LOGOFF_UAS_INFO structure: a 32-bit duration whose time format
 * is not known, followed by a 16-bit logon count.
 *
 * Returns the offset following the structure, or the unchanged offset
 * during a conformant run.
 *
 * NOTE(review): pinfo->private_data is dereferenced without a NULL check;
 * this assumes the DCE/RPC layer always sets it before calling in -- confirm.
 */
static int
netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        dcerpc_info *rpc_info = pinfo->private_data;

        /* A conformant run only sizes arrays; there is nothing to show. */
        if (rpc_info->conformant_run) {
                return offset;
        }

        /* Labelled as text only, so the four bytes are skipped by hand. */
        proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
        offset += 4;

        return dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_count16, NULL);
}
582
583 /*
584  * IDL long NetrLogonUasLogoff(
585  * IDL      [in][unique][string] wchar_t *ServerName,
586  * IDL      [in][ref][string] wchar_t *UserName,
587  * IDL      [in][ref][string] wchar_t *Workstation,
588  * IDL      [out][ref] LOGOFF_UAS_INFO *info
589  * IDL );
590  */
/*
 * Dissect a NetrLogonUasLogoff request: the server handle followed by the
 * account name and workstation name, both reference pointers to strings.
 *
 * Returns the offset following the last argument.
 */
static int
netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int cursor;

        cursor = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
        cursor = dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, drep,
                NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
        cursor = dissect_ndr_str_pointer_item(tvb, cursor, pinfo, tree, drep,
                NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);

        return cursor;
}
606
607
/*
 * Dissect a NetrLogonUasLogoff reply: a reference pointer to a
 * LOGOFF_UAS_INFO structure followed by the NT status return code.
 *
 * Returns the offset following the status code.
 */
static int
netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int cursor;

        cursor = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
                "LOGOFF_UAS_INFO", -1);

        return dissect_ntstatus(tvb, cursor, pinfo, tree, drep,
                hf_netlogon_rc, NULL);
}
621
622
623
624
625 /*
626  * IDL typedef struct {
627  * IDL   UNICODESTRING LogonDomainName;
628  * IDL   long ParameterControl;
629  * IDL   uint64 LogonID;
630  * IDL   UNICODESTRING UserName;
631  * IDL   UNICODESTRING Workstation;
632  * IDL } LOGON_IDENTITY_INFO;
633  */
/*
 * Dissect a LOGON_IDENTITY_INFO structure under its own "IDENTITY_INFO:"
 * subtree: logon domain, parameter control, logon id, account name and
 * workstation.  The subtree item starts with length 0 and is sized once
 * the end offset is known.
 *
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start_offset = offset;
        proto_item *info_item = NULL;
        proto_tree *info_tree = NULL;

        if (parent_tree) {
                info_item = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "IDENTITY_INFO:");
                info_tree = proto_item_add_subtree(info_item, ett_IDENTITY_INFO);
        }

        /* XXX: It would be nice to get the domain and account name
           displayed in COL_INFO. */

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, info_tree, drep,
                hf_netlogon_logon_dom, 0);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, info_tree, drep,
                hf_netlogon_param_ctrl, NULL);
        offset = dissect_ndr_uint64(tvb, offset, pinfo, info_tree, drep,
                hf_netlogon_logon_id, NULL);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, info_tree, drep,
                hf_netlogon_acct_name, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, info_tree, drep,
                hf_netlogon_workstation, 0);

#ifdef REMOVED
        /* NetMon does not recognize these bytes, so they stay disabled
           until someone complains. */
        /* XXX 8 extra bytes here */
        /* There were 8 extra bytes, either here or in NETWORK_INFO, that do
           not match the idl file.  Could be a bug in either the NETLOGON
           implementation or in the idl file. */
        offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, info_tree, drep);
#endif

        /* NOTE(review): info_item is still NULL when parent_tree is NULL;
         * this relies on proto_item_set_len() accepting NULL -- confirm. */
        proto_item_set_len(info_item, offset - start_offset);
        return offset;
}
680
681
682 /*
683  * IDL typedef struct {
684  * IDL   char password[16];
685  * IDL } LM_OWF_PASSWORD;
686  */
/*
 * Dissect an LM_OWF_PASSWORD structure: 16 bytes shown under an
 * "LM_OWF_PASSWORD:" subtree.
 *
 * Returns offset + 16, or the unchanged offset during a conformant run.
 *
 * NOTE(review): the 16 bytes are added to the tree exactly as they appear
 * in the packet; whether they are still protected by a session key at this
 * layer is not visible here, so treat captures and exported dissections
 * containing this field as credential material.
 * NOTE(review): pinfo->private_data is dereferenced without a NULL check;
 * this assumes the DCE/RPC layer always sets it before calling in -- confirm.
 */
static int
netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep _U_)
{
        dcerpc_info *rpc_info = pinfo->private_data;
        proto_tree *owf_tree = NULL;

        /* A conformant run only sizes arrays; there is nothing to show. */
        if (rpc_info->conformant_run) {
                return offset;
        }

        if (parent_tree) {
                proto_item *owf_item;

                owf_item = proto_tree_add_text(parent_tree, tvb, offset, 16,
                        "LM_OWF_PASSWORD:");
                owf_tree = proto_item_add_subtree(owf_item, ett_LM_OWF_PASSWORD);
        }

        proto_tree_add_item(owf_tree, hf_netlogon_lm_owf_password, tvb,
                offset, 16, FALSE);

        return offset + 16;
}
714
715 /*
716  * IDL typedef struct {
717  * IDL   char password[16];
718  * IDL } NT_OWF_PASSWORD;
719  */
/*
 * Dissect an NT_OWF_PASSWORD structure: 16 bytes shown under an
 * "NT_OWF_PASSWORD:" subtree.
 *
 * Returns offset + 16, or the unchanged offset during a conformant run.
 *
 * NOTE(review): the 16 bytes are added to the tree exactly as they appear
 * in the packet; whether they are still protected by a session key at this
 * layer is not visible here, so treat captures and exported dissections
 * containing this field as credential material.
 * NOTE(review): pinfo->private_data is dereferenced without a NULL check;
 * this assumes the DCE/RPC layer always sets it before calling in -- confirm.
 */
static int
netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep _U_)
{
        dcerpc_info *rpc_info = pinfo->private_data;
        proto_tree *owf_tree = NULL;

        /* A conformant run only sizes arrays; there is nothing to show. */
        if (rpc_info->conformant_run) {
                return offset;
        }

        if (parent_tree) {
                proto_item *owf_item;

                owf_item = proto_tree_add_text(parent_tree, tvb, offset, 16,
                        "NT_OWF_PASSWORD:");
                owf_tree = proto_item_add_subtree(owf_item, ett_NT_OWF_PASSWORD);
        }

        proto_tree_add_item(owf_tree, hf_netlogon_nt_owf_password, tvb,
                offset, 16, FALSE);

        return offset + 16;
}
747
748
749 /*
750  * IDL typedef struct {
751  * IDL   LOGON_IDENTITY_INFO identity_info;
752  * IDL   LM_OWF_PASSWORD lmpassword;
753  * IDL   NT_OWF_PASSWORD ntpassword;
754  * IDL } INTERACTIVE_INFO;
755  */
/*
 * Dissect an INTERACTIVE_INFO by walking its three members in IDL order:
 * identity info, LM OWF password, NT OWF password.
 * Returns the offset after the last member.
 */
static int
netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        /* LOGON_IDENTITY_INFO identity_info */
        offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo,
                tree, drep);

        /* LM_OWF_PASSWORD lmpassword */
        offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo,
                tree, drep);

        /* NT_OWF_PASSWORD ntpassword */
        return netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo,
                tree, drep);
}
772
773 /*
774  * IDL typedef struct {
775  * IDL   char chl[8];
776  * IDL } CHALLENGE;
777  */
/*
 * Dissect a CHALLENGE: a fixed 8-byte field added directly to `tree`.
 * Returns the offset just past it, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep _U_)
{
        const int chl_len = 8;          /* chl[8] in the IDL */
        dcerpc_info *di = pinfo->private_data;

        /* Pass that only handles conformant arrays: nothing to dissect. */
        if (di->conformant_run)
                return offset;

        proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset,
                chl_len, FALSE);

        return offset + chl_len;
}
797
798 /*
799  * IDL typedef struct {
800  * IDL   LOGON_IDENTITY_INFO logon_info;
801  * IDL   CHALLENGE chal;
802  * IDL   STRING ntchallengeresponse;
803  * IDL   STRING lmchallengeresponse;
804  * IDL } NETWORK_INFO;
805  */
806
/*
 * Callback used for the NT challenge-response byte array.
 *
 * start_offset/end_offset delimit the array as handed over by the caller.
 * The start is rounded up to a 4-byte boundary and advanced past three
 * guint32's (NDR format); what remains is passed to the NTLMv2 response
 * dissector only when it is longer than 24 bytes.
 */
static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
                                    proto_item *item _U_, tvbuff_t *tvb,
                                    int start_offset, int end_offset,
                                    void *callback_args _U_)
{
        int misalign;
        int resp_len;

        /* Round up to the next multiple of 4 if needed. */
        misalign = start_offset % 4;
        if (misalign != 0)
                start_offset += 4 - misalign;

        /* Skip over 3 guint32's in NDR format. */
        start_offset += 12;

        resp_len = end_offset - start_offset;

        /* 24 bytes or fewer (including a negative length): not handed on. */
        if (resp_len <= 24)
                return;

        dissect_ntlmv2_response(tvb, tree, start_offset, resp_len);
}
827
/*
 * Dissect a NETWORK_INFO in IDL order: identity info, challenge, then the
 * NT and LM challenge responses as counted byte arrays. The NT response
 * additionally goes through dissect_nt_chal_resp_cb.
 * Returns the offset after the last member.
 */
static int
netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
                packet_info *pinfo, proto_tree *tree,
                guint8 *drep)
{
        /* LOGON_IDENTITY_INFO logon_info */
        offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo,
                tree, drep);

        /* CHALLENGE chal */
        offset = netlogon_dissect_CHALLENGE(tvb, offset, pinfo, tree, drep);

        /* STRING ntchallengeresponse, with the NTLMv2 callback attached */
        offset = dissect_ndr_counted_byte_array_cb(tvb, offset, pinfo, tree,
                drep, hf_netlogon_nt_chal_resp,
                dissect_nt_chal_resp_cb, NULL);

        /* STRING lmchallengeresponse */
        return dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree,
                drep, hf_netlogon_lm_chal_resp);
}
848
849 /*
850  * IDL typedef struct {
851  * IDL   LOGON_IDENTITY_INFO logon_info;
852  * IDL   LM_OWF_PASSWORD lmpassword;
853  * IDL   NT_OWF_PASSWORD ntpassword;
854  * IDL } SERVICE_INFO;
855  */
/*
 * Dissect a SERVICE_INFO by walking its three members in IDL order:
 * identity info, LM OWF password, NT OWF password.
 * Returns the offset after the last member.
 */
static int
netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
                packet_info *pinfo, proto_tree *tree,
                guint8 *drep)
{
        /* LOGON_IDENTITY_INFO logon_info */
        offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset, pinfo,
                tree, drep);

        /* LM_OWF_PASSWORD lmpassword */
        offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo,
                tree, drep);

        /* NT_OWF_PASSWORD ntpassword */
        return netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo,
                tree, drep);
}
872
873 /*
874  * IDL typedef [switch_type(short)] union {
875  * IDL    [case(1)][unique] INTERACTIVE_INFO *iinfo;
876  * IDL    [case(2)][unique] NETWORK_INFO *ninfo;
877  * IDL    [case(3)][unique] SERVICE_INFO *sinfo;
878  * IDL } LEVEL;
879  */
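/*
 * Dissect the LEVEL union: a 16-bit discriminant followed, after 4-byte
 * alignment, by a unique pointer to the INTERACTIVE_INFO (1),
 * NETWORK_INFO (2) or SERVICE_INFO (3) arm.
 *
 * Any other discriminant value dissects no arm. Returns the offset after
 * whatever was dissected.
 */
static int
netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        /*
         * Start from 0 (no arm). dissect_ndr_uint16 is not visible here;
         * if it returns without storing a value (the sibling dissectors in
         * this file return early on a conformant run), the switch below
         * would otherwise read an uninitialized variable.
         */
        guint16 level = 0;

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level16, &level);

        ALIGN_TO_4_BYTES;
        switch(level){
        case 1:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
                        "INTERACTIVE_INFO:", -1);
                break;
        case 2:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
                        "NETWORK_INFO:", -1);
                break;
        case 3:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
                        "SERVICE_INFO:", -1);
                break;
        default:
                /* Discriminant comes from the packet: unknown values
                 * dissect nothing further. */
                break;
        }

        return offset;
}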
911
912 /*
913  * IDL typedef struct {
914  * IDL   char cred[8];
915  * IDL } CREDENTIAL;
916  */
/*
 * Dissect a CREDENTIAL: a fixed 8-byte field added directly to `tree`.
 * Returns the offset just past it, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep _U_)
{
        const int cred_len = 8;         /* cred[8] in the IDL */
        dcerpc_info *di = pinfo->private_data;

        /* Pass that only handles conformant arrays: nothing to dissect. */
        if (di->conformant_run)
                return offset;

        proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset,
                cred_len, FALSE);

        return offset + cred_len;
}
936
937
938 /*
939  * IDL typedef struct {
940  * IDL   CREDENTIAL cred;
941  * IDL   long timestamp;
942  * IDL } AUTHENTICATOR;
943  */
/*
 * Dissect an AUTHENTICATOR: an 8-byte CREDENTIAL followed, after 4-byte
 * alignment, by a 32-bit timestamp shown as a time value.
 * Returns the offset after the timestamp, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        dcerpc_info *di = pinfo->private_data;
        nstime_t stamp;

        /* Pass that only handles conformant arrays: nothing to dissect. */
        if (di->conformant_run)
                return offset;

        offset = netlogon_dissect_CREDENTIAL(tvb, offset, pinfo, tree, drep);

        /*
         * XXX - this appears to be a UNIX time_t in some credentials, but
         * appears to be random junk in other credentials.
         * For example, it looks like a UNIX time_t in "credential"
         * AUTHENTICATORs, but like random junk in "return_authenticator"
         * AUTHENTICATORs.
         *
         * NOTE(review): the value is read little-endian whatever drep
         * says - confirm that is intended.
         */
        ALIGN_TO_4_BYTES;
        stamp.nsecs = 0;
        stamp.secs = tvb_get_letohl(tvb, offset);
        proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4,
                &stamp);

        return offset + 4;
}
976
977
/* Display strings for the three group-attribute bits dissected below. */
static const true_false_string group_attrs_mandatory = {
        "The MANDATORY bit is SET",
        "The mandatory bit is NOT set",
};
static const true_false_string group_attrs_enabled_by_default = {
        "The ENABLED_BY_DEFAULT bit is SET",
        "The enabled_by_default bit is NOT set",
};
static const true_false_string group_attrs_enabled = {
        "The enabled bit is SET",
        "The enabled bit is NOT set",
};

/*
 * Dissect the 32-bit attributes word of a GROUP_MEMBERSHIP.
 *
 * The word is first read without being added to any tree, then added by
 * hand so that the per-bit boolean items can hang under it.
 * Returns the offset after the word, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
{
        dcerpc_info *di = pinfo->private_data;
        proto_item *attrs_item;
        proto_tree *attrs_tree = NULL;
        guint32 mask;
        int mask_start;

        /* Pass that only handles conformant arrays: nothing to dissect. */
        if (di->conformant_run)
                return offset;

        /* NULL tree: fetch the value only. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
                hf_netlogon_attrs, &mask);
        mask_start = offset - 4;        /* the 4 bytes just consumed */

        if (parent_tree != NULL) {
                attrs_item = proto_tree_add_uint(parent_tree,
                        hf_netlogon_attrs, tvb, mask_start, 4, mask);
                attrs_tree = proto_item_add_subtree(attrs_item,
                        ett_group_attrs);
        }

        proto_tree_add_boolean(attrs_tree, hf_netlogon_group_attrs_enabled,
                tvb, mask_start, 4, mask);
        proto_tree_add_boolean(attrs_tree,
                hf_netlogon_group_attrs_enabled_by_default,
                tvb, mask_start, 4, mask);
        proto_tree_add_boolean(attrs_tree, hf_netlogon_group_attrs_mandatory,
                tvb, mask_start, 4, mask);

        return offset;
}
1023
1024 /*
1025  * IDL typedef struct {
1026  * IDL   long user_id;
1027  * IDL   long attributes;
1028  * IDL } GROUP_MEMBERSHIP;
1029  */
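/*
 * Dissect one GROUP_MEMBERSHIP entry (group RID followed by the
 * attributes word) under its own "GROUP_MEMBERSHIP:" subtree.
 *
 * The subtree item is created with length 0 and sized once the members
 * have been dissected, so it covers the bytes actually consumed.
 * Returns the offset after the entry.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        proto_item *item=NULL;
        proto_tree *tree=NULL;
        int old_offset=offset;

        if(parent_tree){
                item = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "GROUP_MEMBERSHIP:");
                tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_group_rid, NULL);

        offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
                pinfo, tree, drep);

        /* Same sizing pattern as the other subtree dissectors in this
         * file; item may be NULL when no tree is being built. */
        proto_item_set_len(item, offset-old_offset);

        return offset;
}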
1052
/*
 * Dissect an array of GROUP_MEMBERSHIP entries by handing the per-element
 * dissector to dissect_ndr_ucarray. Returns the offset it reports.
 */
static int
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_GROUP_MEMBERSHIP);
}
1063
1064 /*
1065  * IDL typedef struct {
1066  * IDL   char user_session_key[16];
1067  * IDL } USER_SESSION_KEY;
1068  */
/*
 * Dissect a USER_SESSION_KEY: a fixed 16-byte field added directly to
 * `tree` as it appears in the buffer.
 * Returns the offset just past it, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep _U_)
{
        const int key_len = 16;         /* user_session_key[16] in the IDL */
        dcerpc_info *di = pinfo->private_data;

        /* Pass that only handles conformant arrays: nothing to dissect. */
        if (di->conformant_run)
                return offset;

        proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset,
                key_len, FALSE);

        return offset + key_len;
}
1088
1089
1090
/* Display strings for the two user-flag bits dissected below. */
static const true_false_string user_flags_extra_sids= {
        "The EXTRA_SIDS bit is SET",
        "The extra_sids is NOT set",
};
static const true_false_string user_flags_resource_groups= {
        "The RESOURCE_GROUPS bit is SET",
        "The resource_groups is NOT set",
};

/*
 * Dissect the 32-bit user flags word.
 *
 * The word is first read without being added to any tree, then added by
 * hand so that the per-bit boolean items can hang under it.
 * Returns the offset after the word, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
{
        dcerpc_info *di = pinfo->private_data;
        proto_item *flags_item;
        proto_tree *flags_tree = NULL;
        guint32 mask;
        int mask_start;

        /* Pass that only handles conformant arrays: nothing to dissect. */
        if (di->conformant_run)
                return offset;

        /* NULL tree: fetch the value only. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
                hf_netlogon_user_flags, &mask);
        mask_start = offset - 4;        /* the 4 bytes just consumed */

        if (parent_tree != NULL) {
                flags_item = proto_tree_add_uint(parent_tree,
                        hf_netlogon_user_flags, tvb, mask_start, 4, mask);
                flags_tree = proto_item_add_subtree(flags_item,
                        ett_user_flags);
        }

        proto_tree_add_boolean(flags_tree,
                hf_netlogon_user_flags_resource_groups,
                tvb, mask_start, 4, mask);
        proto_tree_add_boolean(flags_tree, hf_netlogon_user_flags_extra_sids,
                tvb, mask_start, 4, mask);

        return offset;
}
1130
1131 /*
1132  * IDL typedef struct {
1133  * IDL   uint64 LogonTime;
1134  * IDL   uint64 LogoffTime;
1135  * IDL   uint64 KickOffTime;
1136  * IDL   uint64 PasswdLastSet;
1137  * IDL   uint64 PasswdCanChange;
1138  * IDL   uint64 PasswdMustChange;
1139  * IDL   unicodestring effectivename;
1140  * IDL   unicodestring fullname;
1141  * IDL   unicodestring logonscript;
1142  * IDL   unicodestring profilepath;
1143  * IDL   unicodestring homedirectory;
1144  * IDL   unicodestring homedirectorydrive;
1145  * IDL   short LogonCount;
1146  * IDL   short BadPasswdCount;
1147  * IDL   long userid;
1148  * IDL   long primarygroup;
1149  * IDL   long groupcount;
1150  * IDL   [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1151  * IDL   long userflags;
1152  * IDL   USER_SESSION_KEY key;
1153  * IDL   unicodestring logonserver;
1154  * IDL   unicodestring domainname;
1155  * IDL   [unique] SID logondomainid;
1156  * IDL   long expansionroom[2];
1157  * IDL   long useraccountcontrol;
1158  * IDL   long expansionroom[7];
1159  * IDL } VALIDATION_SAM_INFO;
1160  */
/*
 * Dissect a VALIDATION_SAM_INFO, member by member in IDL order.
 *
 * The six leading timestamps and the six profile strings are driven from
 * small tables; everything else is dissected inline. The group count is
 * only displayed: its value is not captured or used here to size the
 * group array. Returns the offset after the last member.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
                packet_info *pinfo, proto_tree *tree,
                guint8 *drep)
{
        /* Pointers rather than values, so each id is read when used. */
        static int *const nttime_hf[] = {
                &hf_netlogon_logon_time,
                &hf_netlogon_logoff_time,
                &hf_netlogon_kickoff_time,
                &hf_netlogon_pwd_last_set_time,
                &hf_netlogon_pwd_can_change_time,
                &hf_netlogon_pwd_must_change_time
        };
        static int *const profile_hf[] = {
                &hf_netlogon_acct_name,
                &hf_netlogon_full_name,
                &hf_netlogon_logon_script,
                &hf_netlogon_profile_path,
                &hf_netlogon_home_dir,
                &hf_netlogon_dir_drive
        };
        unsigned int k;
        int spare;

        for (k = 0; k < sizeof nttime_hf / sizeof nttime_hf[0]; k++) {
                offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree,
                        drep, *nttime_hf[k]);
        }

        for (k = 0; k < sizeof profile_hf / sizeof profile_hf[0]; k++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, *profile_hf[k], 0);
        }

        /* LogonCount, BadPasswdCount */
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_count16, NULL);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_bad_pw_count16, NULL);

        /* userid, primarygroup, groupcount */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_user_rid, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_group_rid, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_rids, NULL);

        /* groupids */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
                "GROUP_MEMBERSHIP_ARRAY", -1);

        /* userflags, key */
        offset = netlogon_dissect_USER_FLAGS(tvb, offset, pinfo, tree, drep);
        offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset, pinfo, tree,
                drep);

        /* logonserver, domainname */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_srv, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_dom, 0);

        /* logondomainid */
        offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep, -1);

        /* expansionroom[2] */
        for (spare = 2; spare > 0; spare--) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        /* useraccountcontrol */
        offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset, pinfo,
                tree, drep);

        /* expansionroom[7] */
        for (spare = 7; spare > 0; spare--) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        return offset;
}
1252
1253
1254
1255 /*
1256  * IDL typedef struct {
1257  * IDL   uint64 LogonTime;
1258  * IDL   uint64 LogoffTime;
1259  * IDL   uint64 KickOffTime;
1260  * IDL   uint64 PasswdLastSet;
1261  * IDL   uint64 PasswdCanChange;
1262  * IDL   uint64 PasswdMustChange;
1263  * IDL   unicodestring effectivename;
1264  * IDL   unicodestring fullname;
1265  * IDL   unicodestring logonscript;
1266  * IDL   unicodestring profilepath;
1267  * IDL   unicodestring homedirectory;
1268  * IDL   unicodestring homedirectorydrive;
1269  * IDL   short LogonCount;
1270  * IDL   short BadPasswdCount;
1271  * IDL   long userid;
1272  * IDL   long primarygroup;
1273  * IDL   long groupcount;
1274  * IDL   [unique] GROUP_MEMBERSHIP *groupids;
1275  * IDL   long userflags;
1276  * IDL   USER_SESSION_KEY key;
1277  * IDL   unicodestring logonserver;
1278  * IDL   unicodestring domainname;
1279  * IDL   [unique] SID logondomainid;
1280  * IDL   long expansionroom[2];
1281  * IDL   long useraccountcontrol;
1282  * IDL   long expansionroom[7];
1283  * IDL   long sidcount;
1284  * IDL   [unique] SID_AND_ATTRIBS;
1285  * IDL } VALIDATION_SAM_INFO2;
1286  */
/*
 * Dissect a VALIDATION_SAM_INFO2, member by member in IDL order: the same
 * members as VALIDATION_SAM_INFO followed by the extra-SID count and a
 * unique pointer to the SID_AND_ATTRIBUTES array.
 *
 * The six leading timestamps and the six profile strings are driven from
 * small tables; everything else is dissected inline. The counts are only
 * displayed: their values are not captured or used here to size the
 * arrays. Returns the offset after the last member.
 */
static int
netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        /* Pointers rather than values, so each id is read when used. */
        static int *const nttime_hf[] = {
                &hf_netlogon_logon_time,
                &hf_netlogon_logoff_time,
                &hf_netlogon_kickoff_time,
                &hf_netlogon_pwd_last_set_time,
                &hf_netlogon_pwd_can_change_time,
                &hf_netlogon_pwd_must_change_time
        };
        static int *const profile_hf[] = {
                &hf_netlogon_acct_name,
                &hf_netlogon_full_name,
                &hf_netlogon_logon_script,
                &hf_netlogon_profile_path,
                &hf_netlogon_home_dir,
                &hf_netlogon_dir_drive
        };
        unsigned int k;
        int spare;

        for (k = 0; k < sizeof nttime_hf / sizeof nttime_hf[0]; k++) {
                offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree,
                        drep, *nttime_hf[k]);
        }

        for (k = 0; k < sizeof profile_hf / sizeof profile_hf[0]; k++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, *profile_hf[k], 0);
        }

        /* LogonCount, BadPasswdCount */
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_count16, NULL);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_bad_pw_count16, NULL);

        /* userid, primarygroup, groupcount */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_user_rid, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_group_rid, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_rids, NULL);

        /* groupids */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
                "GROUP_MEMBERSHIP_ARRAY", -1);

        /* userflags, key */
        offset = netlogon_dissect_USER_FLAGS(tvb, offset, pinfo, tree, drep);
        offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset, pinfo, tree,
                drep);

        /* logonserver, domainname */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_srv, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_dom, 0);

        /* logondomainid */
        offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep, -1);

        /* expansionroom[2] */
        for (spare = 2; spare > 0; spare--) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        /* useraccountcontrol */
        offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset, pinfo,
                tree, drep);

        /* expansionroom[7] */
        for (spare = 7; spare > 0; spare--) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        /* sidcount, then the SID_AND_ATTRIBUTES array */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_other_groups, NULL);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
                "SID_AND_ATTRIBUTES_ARRAY:", -1);
}
1385
1386
1387
1388
1389
1390 /*
1391  * IDL typedef struct {
1392  * IDL   uint64 LogonTime;
1393  * IDL   uint64 LogoffTime;
1394  * IDL   uint64 KickOffTime;
1395  * IDL   uint64 PasswdLastSet;
1396  * IDL   uint64 PasswdCanChange;
1397  * IDL   uint64 PasswdMustChange;
1398  * IDL   unicodestring effectivename;
1399  * IDL   unicodestring fullname;
1400  * IDL   unicodestring logonscript;
1401  * IDL   unicodestring profilepath;
1402  * IDL   unicodestring homedirectory;
1403  * IDL   unicodestring homedirectorydrive;
1404  * IDL   short LogonCount;
1405  * IDL   short BadPasswdCount;
1406  * IDL   long userid;
1407  * IDL   long primarygroup;
1408  * IDL   long groupcount;
1409  * IDL   [unique] GROUP_MEMBERSHIP *groupids;
1410  * IDL   long userflags;
1411  * IDL   USER_SESSION_KEY key;
1412  * IDL   unicodestring logonserver;
1413  * IDL   unicodestring domainname;
1414  * IDL   [unique] SID logondomainid;
1415  * IDL   long expansionroom[2];
1416  * IDL   long useraccountcontrol;
1417  * IDL   long expansionroom[7];
1418  * IDL   long sidcount;
1419  * IDL   [unique] SID_AND_ATTRIBS;
1420  * IDL   [unique] SID resourcegroupdomainsid;
1421  * IDL   long resourcegroupcount;
1422  * IDL   [unique][size_is(resourcegroupcount)] GROUP_MEMBERSHIP *resourcegroupids;
1423  * IDL } PAC_LOGON_INFO;
1424  */
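/*
 * Dissect a PAC_LOGON_INFO, member by member in IDL order: the members of
 * VALIDATION_SAM_INFO2 followed by the resource group domain SID, the
 * resource group count and a unique pointer to the resource group array.
 *
 * Not static: this dissector is callable from outside this file.
 *
 * All counts are only displayed; none is used here to size an array. The
 * resource group count used to be stored in a local that was never read,
 * so it is now dissected without capturing the value, like the other
 * counts. Returns the offset after the last member.
 */
int
netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_time);

        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logoff_time);

        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_kickoff_time);

        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_pwd_last_set_time);

        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_pwd_can_change_time);

        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_pwd_must_change_time);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_acct_name, 0);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_full_name, 0);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_script, 0);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_profile_path, 0);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_home_dir, 0);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_dir_drive, 0);

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_count16, NULL);

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_bad_pw_count16, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_user_rid, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_group_rid, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_rids, NULL);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
                "GROUP_MEMBERSHIP_ARRAY", -1);

        offset = netlogon_dissect_USER_FLAGS(tvb, offset,
                pinfo, tree, drep);

        offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
                pinfo, tree, drep);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_srv, 0);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_dom, 0);

        /* logondomainid */
        offset = dissect_ndr_nt_PSID(tvb, offset,
                pinfo, tree, drep, -1);

        /* expansionroom[2] */
        for(i=0;i<2;i++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }
        offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
                        pinfo, tree, drep);

        /* expansionroom[7] */
        for(i=0;i<7;i++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        /* sidcount, then the SID_AND_ATTRIBUTES array */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_other_groups, NULL);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
                "SID_AND_ATTRIBUTES_ARRAY:", -1);

        /* resourcegroupdomainsid */
        offset = dissect_ndr_nt_PSID(tvb, offset,
                pinfo, tree, drep, hf_netlogon_resourcegroupdomainsid);

        /* resourcegroupcount: displayed only, value not needed here */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_resourcegroupcount, NULL);

        /* resource group ids, same element layout as the group array */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
                "ResourceGroupIDs", -1);

        return offset;
}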
1534
1535
1536
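/*
 * Dissect the PAC blob: a 32-bit size followed by that many bytes of
 * opaque data.
 *
 * pac_size is taken from the packet. It is an unsigned 32-bit value while
 * offset is a signed int, so adding it unchecked could overflow the
 * offset or move it backwards, and the bounds check in
 * proto_tree_add_item cannot be relied on when no tree is being built.
 * The advance is therefore limited to the bytes that remain in the
 * buffer; a declared size beyond that leaves the offset at the end of
 * the data.
 *
 * Returns the offset after the blob, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep _U_)
{
        dcerpc_info *di;
        guint32 pac_size = 0;
        gint remaining;

        di=pinfo->private_data;
        if(di->conformant_run){
                /*just a run to handle conformant arrays, nothing to dissect */
                return offset;
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_pac_size, &pac_size);

        /* Unchanged: with a tree this still reports a blob that runs
         * past the available data. */
        proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
                FALSE);

        /* tvb_length_remaining returns -1 when offset is out of range. */
        remaining = tvb_length_remaining(tvb, offset);
        if(remaining < 0){
                remaining = 0;
        }
        if(pac_size > (guint32)remaining){
                /* Declared size exceeds the data: stop at the end. */
                return offset + remaining;
        }
        offset += pac_size;

        return offset;
}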
1560
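/*
 * Dissect the AUTH blob: a 32-bit size followed by that many bytes of
 * opaque data.
 *
 * auth_size is taken from the packet. It is an unsigned 32-bit value
 * while offset is a signed int, so adding it unchecked could overflow the
 * offset or move it backwards, and the bounds check in
 * proto_tree_add_item cannot be relied on when no tree is being built.
 * The advance is therefore limited to the bytes that remain in the
 * buffer; a declared size beyond that leaves the offset at the end of
 * the data.
 *
 * Returns the offset after the blob, or the offset unchanged on a
 * conformant run.
 */
static int
netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep _U_)
{
        dcerpc_info *di;
        guint32 auth_size = 0;
        gint remaining;

        di=pinfo->private_data;
        if(di->conformant_run){
                /*just a run to handle conformant arrays, nothing to dissect */
                return offset;
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_auth_size, &auth_size);

        /* Unchanged: with a tree this still reports a blob that runs
         * past the available data. */
        proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
                FALSE);

        /* tvb_length_remaining returns -1 when offset is out of range. */
        remaining = tvb_length_remaining(tvb, offset);
        if(remaining < 0){
                remaining = 0;
        }
        if(auth_size > (guint32)remaining){
                /* Declared size exceeds the data: stop at the end. */
                return offset + remaining;
        }
        offset += auth_size;

        return offset;
}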
1584
1585
1586 /*
1587  * IDL typedef struct {
1588  * IDL   long pac_size
1589  * IDL   [unique][size_is(pac_size)] char *pac;
1590  * IDL   UNICODESTRING logondomain;
1591  * IDL   UNICODESTRING logonserver;
1592  * IDL   UNICODESTRING principalname;
1593  * IDL   long auth_size;
1594  * IDL   [unique][size_is(auth_size)] char *auth;
1595  * IDL   USER_SESSION_KEY user_session_key;
1596  * IDL   long expansionroom[2];
1597  * IDL   long useraccountcontrol;
1598  * IDL   long expansionroom[7];
1599  * IDL   UNICODESTRING dummy1;
1600  * IDL   UNICODESTRING dummy2;
1601  * IDL   UNICODESTRING dummy3;
1602  * IDL   UNICODESTRING dummy4;
1603  * IDL } VALIDATION_PAC_INFO;
1604  */
/*
 * Walk a VALIDATION_PAC_INFO structure field by field, in the order
 * given by the IDL above, and return the offset after the last field.
 * The PAC and AUTH blobs are reached through unique pointers and are
 * handled by netlogon_dissect_PAC / netlogon_dissect_AUTH.
 */
static int
netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int n;

        /* pac_size, then the pointer to the PAC bytes */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_pac_size, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_PAC, NDR_POINTER_UNIQUE,
                        "PAC:", -1);

        /* logon domain, logon server, principal name */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_logon_dom, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_logon_srv, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_principal, 0);

        /* auth_size, then the pointer to the auth bytes */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_auth_size, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTH, NDR_POINTER_UNIQUE,
                        "AUTH:", -1);

        offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
                        pinfo, tree, drep);

        /* expansionroom[2] */
        n = 0;
        while(n < 2){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_unknown_long, NULL);
                n++;
        }

        offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
                        pinfo, tree, drep);

        /* expansionroom[7] */
        n = 0;
        while(n < 7){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_unknown_long, NULL);
                n++;
        }

        /* dummy1 .. dummy4 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                                drep, hf_netlogon_dummy, 0);
        }

        return offset;
}
1662
1663
1664 /*
1665  * IDL typedef [switch_type(short)] union {
1666  * IDL    [case(2)][unique] VALIDATION_SAM_INFO *sam;
1667  * IDL    [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1668  * IDL    [case(4)][unique] VALIDATION_PAC_INFO *pac;
1669  * IDL    [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1670  * IDL } VALIDATION;
1671  */
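/*
 * Dissect the VALIDATION union: a 16-bit switch value, alignment to a
 * 4-byte boundary, then a unique pointer to the arm selected by that
 * value.  Levels 4 and 5 both use the VALIDATION_PAC_INFO dissector.
 * Any other level adds nothing after the switch value.
 *
 * Returns the offset after the union.
 */
static int
netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        /*
         * Start from a level that matches no case, so the switch below
         * never reads an indeterminate value should the helper return
         * without storing one.
         */
        guint16 level = 0;

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_validation_level, &level);

        ALIGN_TO_4_BYTES;
        switch(level){
        case 2:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
                        "VALIDATION_SAM_INFO:", -1);
                break;
        case 3:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
                        "VALIDATION_SAM_INFO2:", -1);
                break;
        case 4:
        case 5:
                /* both levels carry a VALIDATION_PAC_INFO */
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
                        "VALIDATION_PAC_INFO:", -1);
                break;
        default:
                /* level comes from the packet; unknown values add nothing */
                break;
        }

        return offset;
}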
1708
1709
1710 /*
1711  * IDL long NetrLogonSamLogon(
1712  * IDL      [in][unique][string] wchar_t *ServerName,
1713  * IDL      [in][unique][string] wchar_t *Workstation,
1714  * IDL      [in][unique] AUTHENTICATOR *credential,
1715  * IDL      [in][out][unique] AUTHENTICATOR *returnauthenticator,
1716  * IDL      [in] short LogonLevel,
1717  * IDL      [in][ref] LOGON_LEVEL *logonlevel,
1718  * IDL      [in] short ValidationLevel,
1719  * IDL      [out][ref] VALIDATION *validation,
1720  * IDL      [out][ref] boolean Authorative
1721  * IDL );
1722  */
/*
 * Request side of NetrLogonSamLogon: server handle, computer name, the
 * two authenticators, the 16-bit logon level with its LEVEL union and
 * finally the 16-bit validation level.  Returns the offset after the
 * last field.
 */
static int
netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, drep);

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Computer Name",
                        hf_netlogon_computer_name, 0);

        /* client credential, then the return authenticator */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: return_authenticator", -1);

        /* logon level and the union it selects */
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_level16, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_LEVEL, NDR_POINTER_REF,
                        "LEVEL: LogonLevel", -1);

        return dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_validation_level, NULL);
}
1754
/*
 * Reply side of NetrLogonSamLogon: return authenticator, VALIDATION
 * union, the one-byte authoritative flag and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: return_authenticator", -1);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_VALIDATION, NDR_POINTER_REF,
                        "VALIDATION:", -1);

        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_authoritative, NULL);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
1775
1776
1777 /*
1778  * IDL long NetrLogonSamLogoff(
1779  * IDL      [in][unique][string] wchar_t *ServerName,
1780  * IDL      [in][unique][string] wchar_t *ComputerName,
1781  * IDL      [in][unique] AUTHENTICATOR credential,
1782  * IDL      [in][unique] AUTHENTICATOR return_authenticator,
1783  * IDL      [in] short logon_level,
1784  * IDL      [in][ref] LEVEL logoninformation
1785  * IDL );
1786  */
/*
 * Request side of NetrLogonSamLogoff: server handle, computer name, the
 * two authenticators, the 16-bit logon level and the LEVEL union.
 * Returns the offset after the last field.
 */
static int
netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, drep);

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Computer Name",
                        hf_netlogon_computer_name, 0);

        /* client credential, then the return authenticator */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: return_authenticator", -1);

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_level16, NULL);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_LEVEL, NDR_POINTER_REF,
                        "LEVEL: logoninformation", -1);
}
/*
 * Reply side of NetrLogonSamLogoff: return authenticator followed by
 * the NT status code.  Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int after_auth;

        after_auth = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: return_authenticator", -1);

        return dissect_ntstatus(tvb, after_auth, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
1829
1830
1831 /*
1832  * IDL long NetrServerReqChallenge(
1833  * IDL      [in][unique][string] wchar_t *ServerName,
1834  * IDL      [in][ref][string] wchar_t *ComputerName,
1835  * IDL      [in][ref] CREDENTIAL client_credential,
1836  * IDL      [out][ref] CREDENTIAL server_credential
1837  * IDL );
1838  */
/*
 * Request side of NetrServerReqChallenge: server handle, computer name
 * (dissected through the cb_wstr_postprocess callback) and the client
 * challenge.  Returns the offset after the challenge pointer.
 */
static int
netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* option word handed to the string post-processing callback */
        gpointer name_cb_args = GINT_TO_POINTER(CB_STR_COL_INFO | 1);

        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, drep);

        offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
                        dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
                        "Computer Name", hf_netlogon_computer_name,
                        cb_wstr_postprocess, name_cb_args);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                        "CREDENTIAL: client challenge", -1);
}
/*
 * Reply side of NetrServerReqChallenge: the server credential followed
 * by the NT status code.  Returns the offset after the status.
 */
static int
netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int after_cred;

        after_cred = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                        "CREDENTIAL: server credential", -1);

        return dissect_ntstatus(tvb, after_cred, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
1872
1873
/*
 * Dissect the 16-bit secure channel type field and return the offset
 * that follows it.
 */
static int
netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_secure_channel_type, NULL);
}
1884
1885
1886 /*
1887  * IDL long NetrServerAuthenticate(
1888  * IDL      [in][unique][string] wchar_t *ServerName,
1889  * IDL      [in][ref][string] wchar_t *UserName,
1890  * IDL      [in] short secure_challenge_type,
1891  * IDL      [in][ref][string] wchar_t *ComputerName,
1892  * IDL      [in][ref] CREDENTIAL client_challenge,
1893  * IDL      [out][ref] CREDENTIAL server_challenge
1894  * IDL );
1895  */
/*
 * Request side of NetrServerAuthenticate: server handle, user name,
 * secure channel type, computer name and the client challenge.
 * Returns the offset after the challenge pointer.
 */
static int
netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, drep);

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "User Name",
                        hf_netlogon_acct_name, 0);

        offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                        pinfo, tree, drep);

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "Computer Name",
                        hf_netlogon_computer_name, 0);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                        "CREDENTIAL: client challenge", -1);
}
/*
 * Reply side of NetrServerAuthenticate: the server challenge followed
 * by the NT status code.  Returns the offset after the status.
 */
static int
netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int after_cred;

        after_cred = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                        "CREDENTIAL: server challenge", -1);

        return dissect_ntstatus(tvb, after_cred, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
1931
1932
1933
1934 /*
1935  * IDL typedef struct {
1936  * IDL   char encrypted_password[16];
1937  * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1938  */
/*
 * Add the fixed 16-byte encrypted LM OWF password field to the tree and
 * step over it.  During a conformant run nothing is consumed and the
 * offset comes back unchanged.
 */
static int
netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep _U_)
{
        /* encrypted_password[16] in the IDL */
        enum { ENCRYPTED_PASSWORD_LEN = 16 };
        dcerpc_info *di = pinfo->private_data;

        if(!di->conformant_run){
                proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password,
                                tvb, offset, ENCRYPTED_PASSWORD_LEN, FALSE);
                offset += ENCRYPTED_PASSWORD_LEN;
        }
        /* else: just a run to handle conformant arrays, nothing to dissect */

        return offset;
}
1958
1959 /*
1960  * IDL long NetrServerPasswordSet(
1961  * IDL      [in][unique][string] wchar_t *ServerName,
1962  * IDL      [in][ref][string] wchar_t *UserName,
1963  * IDL      [in] short secure_challenge_type,
1964  * IDL      [in][ref][string] wchar_t *ComputerName,
1965  * IDL      [in][ref] AUTHENTICATOR credential,
1966  * IDL      [in][ref] LM_OWF_PASSWORD UasNewPassword,
1967  * IDL      [out][ref] AUTHENTICATOR return_authenticator
1968  * IDL );
1969  */
/*
 * Request side of NetrServerPasswordSet: server handle, user name,
 * secure channel type, computer name, the client authenticator and the
 * encrypted LM OWF password.  Returns the offset after the last
 * pointer.
 */
static int
netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, drep);

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "User Name",
                        hf_netlogon_acct_name, 0);

        offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                        pinfo, tree, drep);

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "Computer Name",
                        hf_netlogon_computer_name, 0);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: credential", -1);

        /* the new password, carried as a 16-byte encrypted hash */
        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD,
                        NDR_POINTER_REF,
                        "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
}
/*
 * Reply side of NetrServerPasswordSet: return authenticator followed by
 * the NT status code.  Returns the offset after the status.
 */
static int
netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int after_auth;

        after_auth = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: return_authenticator", -1);

        return dissect_ntstatus(tvb, after_auth, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
2009
2010
2011 /*
2012  * IDL typedef struct {
2013  * IDL   [unique][string] wchar_t *UserName;
2014  * IDL   UNICODESTRING dummy1;
2015  * IDL   UNICODESTRING dummy2;
2016  * IDL   UNICODESTRING dummy3;
2017  * IDL   UNICODESTRING dummy4;
2018  * IDL   long dummy5;
2019  * IDL   long dummy6;
2020  * IDL   long dummy7;
2021  * IDL   long dummy8;
2022  * IDL } DELTA_DELETE_USER;
2023  */
/*
 * Dissect a DELTA_DELETE_USER record: the account name pointer, four
 * placeholder strings and four reserved 32-bit values.  Returns the
 * offset after the last reserved value.
 */
static int
netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int n;

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Account Name",
                        hf_netlogon_acct_name, 0);

        /* dummy1 .. dummy4 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                                drep, hf_netlogon_dummy, 0);
        }

        /* dummy5 .. dummy8 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_reserved, NULL);
        }

        return offset;
}
2058
2059
2060 /*
2061  * IDL typedef struct {
2062  * IDL   bool SensitiveDataFlag;
2063  * IDL   long DataLength;
2064  * IDL   [unique][size_is(DataLength)] char *SensitiveData;
2065  * IDL } USER_PRIVATE_INFO;
2066  */
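/*
 * Dissect the data behind the "SENSITIVE_DATA" pointer of
 * USER_PRIVATE_INFO: a 32-bit length followed by that many bytes of
 * opaque data.
 *
 * Returns the offset just past the data.  During a conformant run
 * nothing is consumed and the offset comes back unchanged.
 */
static int
netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        dcerpc_info *di;
        guint32 data_len = 0;
        gint remaining;

        di=pinfo->private_data;
        if(di->conformant_run){
                /* just a run to handle conformant arrays, nothing to dissect */
                return offset;
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_sensitive_data_len, &data_len);

        proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
                data_len, FALSE);

        /*
         * data_len is read from the packet and is therefore untrusted.
         * Adding an unchecked 32-bit unsigned value to the signed offset
         * can wrap it and move the cursor backwards.
         * NOTE(review): proto_tree_add_item may already reject an
         * oversized length, but that is not visible here and cannot be
         * relied on when tree is NULL - confirm.  Stop at the end of the
         * available data so the next read reports the truncation.
         */
        remaining = tvb_length_remaining(tvb, offset);
        if(remaining < 0 || data_len > (guint32)remaining){
                return offset + (remaining > 0 ? remaining : 0);
        }
        offset += data_len;

        return offset;
}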
/*
 * Dissect USER_PRIVATE_INFO: the one-byte sensitive-data flag, the
 * 32-bit data length and a unique pointer whose target is handled by
 * netlogon_dissect_SENSITIVE_DATA.  Returns the offset after the
 * pointer.
 */
static int
netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int pos = offset;

        pos = dissect_ndr_uint8(tvb, pos, pinfo, tree, drep,
                        hf_netlogon_sensitive_data_flag, NULL);

        pos = dissect_ndr_uint32(tvb, pos, pinfo, tree, drep,
                        hf_netlogon_sensitive_data_len, NULL);

        return dissect_ndr_pointer(tvb, pos, pinfo, tree, drep,
                        netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
                        "SENSITIVE_DATA", -1);
}
2107
2108 /*
2109  * IDL typedef struct {
2110  * IDL   UNICODESTRING UserName;
2111  * IDL   UNICODESTRING FullName;
2112  * IDL   long UserID;
2113  * IDL   long PrimaryGroupID;
2114  * IDL   UNICODESTRING HomeDir;
2115  * IDL   UNICODESTRING HomeDirDrive;
2116  * IDL   UNICODESTRING LogonScript;
2117  * IDL   UNICODESTRING Comment;
2118  * IDL   UNICODESTRING Workstations;
2119  * IDL   NTTIME LastLogon;
2120  * IDL   NTTIME LastLogoff;
2121  * IDL   LOGON_HOURS logonhours;
2122  * IDL   short BadPwCount;
2123  * IDL   short LogonCount;
2124  * IDL   NTTIME PwLastSet;
2125  * IDL   NTTIME AccountExpires;
2126  * IDL   long AccountControl;
2127  * IDL   LM_OWF_PASSWORD lmpw;
2128  * IDL   NT_OWF_PASSWORD ntpw;
2129  * IDL   bool NTPwPresent;
2130  * IDL   bool LMPwPresent;
2131  * IDL   bool PwExpired;
2132  * IDL   UNICODESTRING UserComment;
2133  * IDL   UNICODESTRING Parameters;
2134  * IDL   short CountryCode;
2135  * IDL   short CodePage;
2136  * IDL   USER_PRIVATE_INFO user_private_info;
2137  * IDL   long SecurityInformation;
2138  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2139  * IDL   UNICODESTRING dummy1;
2140  * IDL   UNICODESTRING dummy2;
2141  * IDL   UNICODESTRING dummy3;
2142  * IDL   UNICODESTRING dummy4;
2143  * IDL   long dummy5;
2144  * IDL   long dummy6;
2145  * IDL   long dummy7;
2146  * IDL   long dummy8;
2147  * IDL } DELTA_USER;
2148  */
/*
 * Dissect a DELTA_USER record field by field, in the order given by the
 * IDL above.  The record includes the account's LM and NT OWF password
 * fields and the USER_PRIVATE_INFO blob, so captures holding these
 * deltas contain credential material.  Returns the offset after the
 * last reserved value.
 */
static int
netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int n;

        /* identity: account name, full name, user and primary group RID */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_acct_name, 3);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_full_name, 0);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_user_rid, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_group_rid, NULL);

        /* profile strings */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_home_dir, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_dir_drive, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_logon_script, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_acct_desc, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_workstations, 0);

        /* logon bookkeeping */
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_logon_time);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_logoff_time);
        offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_bad_pw_count16, NULL);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_logon_count16, NULL);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_pwd_last_set_time);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_acct_expiry_time);
        offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);

        /* password fields and their presence / expiry flags */
        offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset, pinfo, tree, drep);
        offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset, pinfo, tree, drep);
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_nt_pwd_present, NULL);
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_lm_pwd_present, NULL);
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_pwd_expired, NULL);

        /* user comment, parameters, locale */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_comment, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_parameters, 0);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_country, NULL);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_codepage, NULL);

        /* private data blob and security descriptor */
        offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                        pinfo, tree, drep);

        /* dummy1 .. dummy4 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                                drep, hf_netlogon_dummy, 0);
        }

        /* dummy5 .. dummy8 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_reserved, NULL);
        }

        return offset;
}
2265
2266
2267 /*
2268  * IDL typedef struct {
2269  * IDL   UNICODESTRING DomainName;
2270  * IDL   UNICODESTRING OEMInfo;
2271  * IDL   NTTIME forcedlogoff;
2272  * IDL   short minpasswdlen;
2273  * IDL   short passwdhistorylen;
2274  * IDL   NTTIME pwd_must_change_time;
2275  * IDL   NTTIME pwd_can_change_time;
2276  * IDL   NTTIME domain_modify_time;
2277  * IDL   NTTIME domain_create_time;
2278  * IDL   long SecurityInformation;
2279  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2280  * IDL   UNICODESTRING dummy1;
2281  * IDL   UNICODESTRING dummy2;
2282  * IDL   UNICODESTRING dummy3;
2283  * IDL   UNICODESTRING dummy4;
2284  * IDL   long dummy5;
2285  * IDL   long dummy6;
2286  * IDL   long dummy7;
2287  * IDL   long dummy8;
2288  * IDL } DELTA_DOMAIN;
2289  */
/*
 * Dissect a DELTA_DOMAIN record field by field, in the order given by
 * the IDL above: names, password policy values, timestamps, security
 * descriptor, then the placeholder strings and reserved values.
 * Returns the offset after the last reserved value.
 */
static int
netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int n;

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_domain_name, 3);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_oem_info, 0);

        /* forced logoff time and password policy */
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_kickoff_time);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_minpasswdlen, NULL);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_passwdhistorylen, NULL);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_pwd_must_change_time);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_pwd_can_change_time);

        /* domain modify / create times */
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_domain_modify_time);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_domain_create_time);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                        pinfo, tree, drep);

        /* dummy1 .. dummy4 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                                drep, hf_netlogon_dummy, 0);
        }

        /* dummy5 .. dummy8 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_reserved, NULL);
        }

        return offset;
}
2354
2355
2356 /*
2357  * IDL typedef struct {
2358  * IDL   UNICODESTRING groupname;
2359  * IDL   GROUP_MEMBERSHIP group_membership;
2360  * IDL   UNICODESTRING comment;
2361  * IDL   long SecurityInformation;
2362  * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
2363  * IDL   UNICODESTRING dummy1;
2364  * IDL   UNICODESTRING dummy2;
2365  * IDL   UNICODESTRING dummy3;
2366  * IDL   UNICODESTRING dummy4;
2367  * IDL   long dummy5;
2368  * IDL   long dummy6;
2369  * IDL   long dummy7;
2370  * IDL   long dummy8;
2371  * IDL } DELTA_GROUP;
2372  */
/*
 * Dissect a DELTA_GROUP record: group name, GROUP_MEMBERSHIP, comment,
 * security information and descriptor, then four placeholder strings
 * and four reserved 32-bit values.  Returns the offset after the last
 * reserved value.
 */
static int
netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int n;

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_group_name, 3);
        offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
                        pinfo, tree, drep);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_group_desc, 0);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                        pinfo, tree, drep);

        /* dummy1 .. dummy4 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                                drep, hf_netlogon_dummy, 0);
        }

        /* dummy5 .. dummy8 */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_reserved, NULL);
        }

        return offset;
}
2419
2420
/*
 * IDL typedef struct {
 * IDL   UNICODESTRING OldName;
 * IDL   UNICODESTRING NewName;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_RENAME;
 *
 * OldName and NewName are displayed with the header field index found in
 * the dcerpc_info hanging off pinfo->private_data (presumably the value
 * the caller gave to dissect_ndr_pointer -- confirm there).
 */
static int
netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        dcerpc_info *di = pinfo->private_data;
        int i;

        /* OldName, NewName: di->hf_index is re-read for each string */
        for (i = 0; i < 2; i++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, di->hf_index, 0);
        }

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_dummy, 0);
        }

        /* dummy5..dummy8 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
2476
2477
/* Dissect one 32-bit RID, shown as hf_netlogon_user_rid. */
static int
netlogon_dissect_RID(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_user_rid, NULL);
}
2488
/*
 * Dissect an array of RIDs: dissect_ndr_ucarray drives the walk and calls
 * netlogon_dissect_RID for each element.  Element counting and bounds
 * handling are left to dissect_ndr_ucarray (not shown here).
 */
static int
netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_RID);
}
2499
/* Dissect one 32-bit attribute value, shown as hf_netlogon_attrs. */
static int
netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_attrs, NULL);
}
2510
/*
 * Dissect an array of attribute values: dissect_ndr_ucarray calls
 * netlogon_dissect_ATTRIB once per element.
 */
static int
netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_ATTRIB);
}
2521
/*
 * IDL typedef struct {
 * IDL   [unique][size_is(num_rids)] long *rids;
 * IDL   [unique][size_is(num_rids)] long *attribs;
 * IDL   long num_rids;
 * IDL   long dummy1;
 * IDL   long dummy2;
 * IDL   long dummy3;
 * IDL   long dummy4;
 * IDL } DELTA_GROUP_MEMBER;
 *
 * Both arrays are registered as unique pointers; num_rids is only
 * displayed here and is not used by this function to size anything.
 */
static int
netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
                "RIDs:", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
                "Attribs:", -1);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_rids, NULL);

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
2563
2564
/*
 * IDL typedef struct {
 * IDL   UNICODESTRING alias_name;
 * IDL   long rid;
 * IDL   long SecurityInformation;
 * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_ALIAS;
 *
 * Fields are dissected in the order listed above; the return value is the
 * offset handed back by the last field dissector.
 */
static int
netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_alias_name, 0);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_alias_rid, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                pinfo, tree, drep);

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_dummy, 0);
        }

        /* dummy5..dummy8 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
2624
2625
/*
 * IDL typedef struct {
 * IDL   [unique] SID_ARRAY sids;
 * IDL   long dummy1;
 * IDL   long dummy2;
 * IDL   long dummy3;
 * IDL   long dummy4;
 * IDL } DELTA_ALIAS_MEMBER;
 *
 * The SID array is handed to dissect_ndr_nt_PSID_ARRAY; the four trailing
 * longs are shown as reserved values.
 */
static int
netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
2656
2657
/* Dissect one 32-bit event audit option (hf_netlogon_event_audit_option). */
static int
netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_event_audit_option, NULL);
}
2668
/*
 * Dissect the event audit options array: dissect_ndr_ucarray calls
 * netlogon_dissect_EVENT_AUDIT_OPTION once per element.
 */
static int
netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_EVENT_AUDIT_OPTION);
}
2679
2680
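/*
 * IDL typedef struct {
 * IDL   long pagedpoollimit;
 * IDL   long nonpagedpoollimit;
 * IDL   long minimumworkingsetsize;
 * IDL   long maximumworkingsetsize;
 * IDL   long pagefilelimit;
 * IDL   NTTIME timelimit;
 * IDL } QUOTA_LIMITS;
 *
 * When parent_tree is set, the fields are placed in their own subtree
 * (ett_QUOTA_LIMITS) whose length is fixed up once the end offset is
 * known.  Returns the offset handed back by the last field dissector.
 */
static int
netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        proto_item *item=NULL;
        proto_tree *tree=NULL;
        int old_offset=offset;

        if(parent_tree){
                /* label previously read "QUOTA_LIMTS:" (misspelled) */
                item = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "QUOTA_LIMITS:");
                tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_pagedpoollimit, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_nonpagedpoollimit, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_minworkingsetsize, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_maxworkingsetsize, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_pagefilelimit, NULL);

        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_timelimit);

        /* item stays NULL when no tree is being built */
        proto_item_set_len(item, offset-old_offset);
        return offset;
}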
2727
2728
/*
 * IDL typedef struct {
 * IDL   long maxlogsize;
 * IDL   NTTIME auditretentionperiod;
 * IDL   bool auditingmode;
 * IDL   long maxauditeventcount;
 * IDL   [unique][size_is(maxauditeventcount)] long *eventauditoptions;
 * IDL   UNICODESTRING primarydomainname;
 * IDL   [unique] SID *sid;
 * IDL   QUOTA_LIMITS quota_limits;
 * IDL   NTTIME db_modify_time;
 * IDL   NTTIME db_create_time;
 * IDL   long SecurityInformation;
 * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_POLICY;
 *
 * Fields are dissected in the order listed above.  auditingmode is read
 * as a single byte; maxauditeventcount is only displayed here and is not
 * used by this function to size the options array.
 */
static int
netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        /* audit log settings */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_log_size, NULL);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_audit_retention_period);
        offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                hf_netlogon_auditing_mode, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_audit_event_count, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
                "Event Audit Options:", -1);

        /* primary domain name and SID */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_domain_name, 0);
        offset = dissect_ndr_nt_PSID(tvb, offset,
                pinfo, tree, drep, -1);

        offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
                pinfo, tree, drep);

        /* database timestamps */
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_db_modify_time);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_db_create_time);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                pinfo, tree, drep);

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_dummy, 0);
        }

        /* dummy5..dummy8 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
2821
2822
/* Dissect one domain controller name (counted string, hf_netlogon_dc_name). */
static int
netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_dc_name, 0);
}
2833
/*
 * Dissect the array of domain controller names: dissect_ndr_ucarray calls
 * netlogon_dissect_CONTROLLER once per element.
 */
static int
netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CONTROLLER);
}
2844
2845
/*
 * IDL typedef struct {
 * IDL   UNICODESTRING DomainName;
 * IDL   long num_controllers;
 * IDL   [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
 * IDL   long SecurityInformation;
 * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_TRUSTED_DOMAINS;
 *
 * Fields are dissected in the order listed above; num_controllers is only
 * displayed here and is not used by this function to size the name array.
 */
static int
netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_domain_name, 0);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_controllers, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
                "Domain Controllers:", -1);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                pinfo, tree, drep);

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_dummy, 0);
        }

        /* dummy5..dummy8 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
2910
2911
/* Dissect one 32-bit privilege attribute, shown as hf_netlogon_attrs. */
static int
netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_attrs, NULL);
}
2922
/*
 * Dissect the privilege attribute array: dissect_ndr_ucarray calls
 * netlogon_dissect_PRIV_ATTR once per element.
 */
static int
netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_PRIV_ATTR);
}
2933
/*
 * Dissect one privilege name (counted string, hf_netlogon_privilege_name).
 * The trailing argument is 1 here, where most other strings in this part
 * of the file pass 0.
 */
static int
netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_privilege_name, 1);
}
2944
/*
 * Dissect the privilege name array: dissect_ndr_ucarray calls
 * netlogon_dissect_PRIV_NAME once per element.
 */
static int
netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_PRIV_NAME);
}
2955
2956
2957
/*
 * IDL typedef struct {
 * IDL   long privilegeentries;
 * IDL   long provolegecontrol;
 * IDL   [unique][size_is(privilege_entries)] long *privilege_attrib;
 * IDL   [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
 * IDL   QUOTALIMITS quotalimits;
 * IDL   long SecurityInformation;
 * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_ACCOUNTS;
 *
 * NOTE(review): the code reads one more 32-bit value
 * (hf_netlogon_systemflags) between quotalimits and SecurityInformation
 * than the IDL above lists; one of the two is out of date -- confirm
 * against a capture.
 */
static int
netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_privilege_entries, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_privilege_control, NULL);

        /* privilege attribute and name arrays, both unique pointers */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
                "PRIV_ATTR_ARRAY:", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
                "PRIV_NAME_ARRAY:", -1);

        offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
                pinfo, tree, drep);

        /* not present in the IDL comment above */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_systemflags, NULL);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                pinfo, tree, drep);

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_dummy, 0);
        }

        /* dummy5..dummy8 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
3034
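/*
 * IDL typedef struct {
 * IDL   long len;
 * IDL   long maxlen;
 * IDL   [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
 * IDL } CIPHER_VALUE;
 *
 * Dissects the cipher_data array itself: a 32-bit maximum length, four
 * skipped bytes, a 32-bit actual length, then that many bytes shown under
 * the header field taken from di->hf_index.  Does nothing during a
 * conformant run.  Returns the offset after the data bytes.
 *
 * The actual length is read from the packet and must not be trusted: it
 * is clamped to the bytes left in the tvbuff before it is used, so that
 * offset can neither run past the captured data nor wrap negative.  The
 * old code relied on proto_tree_add_item to reject a bad length, which is
 * not something to count on when no tree is being built.
 */
static int
netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        dcerpc_info *di;
        guint32 data_len = 0;
        gint remaining;

        di=pinfo->private_data;
        if(di->conformant_run){
                /*just a run to handle conformant arrays, nothing to dissect */
                return offset;
        }

        offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
                hf_netlogon_cipher_maxlen, NULL);

        /* skip offset */
        offset += 4;

        offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
                hf_netlogon_cipher_len, &data_len);

        /*
         * Clamp the wire-supplied length to what the buffer still holds.
         * tvb_length_remaining may report a negative value for an offset
         * outside the buffer; treat that as nothing left.
         * NOTE(review): if this tree has a tvbuff helper that raises the
         * bounds exception for a given offset/length, calling it here
         * instead would also flag the packet as malformed.
         */
        remaining = tvb_length_remaining(tvb, offset);
        if (remaining < 0) {
                remaining = 0;
        }
        if (data_len > (guint32)remaining) {
                data_len = (guint32)remaining;
        }

        proto_tree_add_item(tree, di->hf_index, tvb, offset,
                data_len, FALSE);
        offset += data_len;

        return offset;
}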
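/*
 * Dissect a CIPHER_VALUE header: length, maximum length, and a unique
 * pointer to the data, which netlogon_dissect_CIPHER_VALUE_DATA handles.
 *
 * name     - label for the subtree item and for the pointer
 * hf_index - header field handed to dissect_ndr_pointer for the data
 *
 * When parent_tree is set, the fields go into their own subtree
 * (ett_CYPHER_VALUE) whose length is fixed up at the end.  Returns the
 * offset handed back by dissect_ndr_pointer.
 */
static int
netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep, char *name, int hf_index)
{
        proto_item *item=NULL;
        proto_tree *tree=NULL;
        int old_offset=offset;

        if(parent_tree){
                /*
                 * proto_tree_add_text takes a printf-style format; pass
                 * name as an argument, never as the format itself, so a
                 * '%' in a label cannot be interpreted as a conversion.
                 */
                item = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "%s", name);
                tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
        }

        offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
                hf_netlogon_cipher_len, NULL);

        offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
                hf_netlogon_cipher_maxlen, NULL);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
                name, hf_index);

        /* item stays NULL when no tree is being built */
        proto_item_set_len(item, offset-old_offset);
        return offset;
}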
3099
/*
 * IDL typedef struct {
 * IDL   CIPHER_VALUE current_cipher;
 * IDL   NTTIME current_cipher_set_time;
 * IDL   CIPHER_VALUE old_cipher;
 * IDL   NTTIME old_cipher_set_time;
 * IDL   long SecurityInformation;
 * IDL   LSA_SECURITY_DESCRIPTOR sec_desc;
 * IDL   UNICODESTRING dummy1;
 * IDL   UNICODESTRING dummy2;
 * IDL   UNICODESTRING dummy3;
 * IDL   UNICODESTRING dummy4;
 * IDL   long dummy5;
 * IDL   long dummy6;
 * IDL   long dummy7;
 * IDL   long dummy8;
 * IDL } DELTA_SECRET;
 *
 * The two cipher values are only handed to netlogon_dissect_CIPHER_VALUE
 * for display; nothing in this function decrypts or interprets them.
 */
static int
netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        /* current cipher value and the time it was set */
        offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
                pinfo, tree, drep,
                "CIPHER_VALUE: current cipher value",
                hf_netlogon_cipher_current_data);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_cipher_current_set_time);

        /* previous cipher value and the time it was set */
        offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
                pinfo, tree, drep,
                "CIPHER_VALUE: old cipher value",
                hf_netlogon_cipher_old_data);
        offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
                hf_netlogon_cipher_old_set_time);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_security_information, NULL);
        offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
                pinfo, tree, drep);

        /* dummy1..dummy4 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_dummy, 0);
        }

        /* dummy5..dummy8 */
        for (i = 0; i < 4; i++) {
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
3171
/*
 * IDL typedef struct {
 * IDL   long low_value;
 * IDL   long high_value;
 * IDL } MODIFIED_COUNT;
 *
 * The two longs are dissected together as one 64-bit value
 * (hf_netlogon_modify_count).
 */
static int
netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
                hf_netlogon_modify_count, NULL);
}
3188
3189
/*
 * Delta type codes and their display names.  The numbering has gaps:
 * 3, 6, 10, 15, 17 and 19 have no entry here.  The values match the case
 * labels of the DELTA_UNION IDL; the table is presumably what labels
 * hf_netlogon_delta_type -- confirm at the field registration.
 */
#define DT_DELTA_DOMAIN           1
#define DT_DELTA_GROUP            2
#define DT_DELTA_RENAME_GROUP     4
#define DT_DELTA_USER             5
#define DT_DELTA_RENAME_USER      7
#define DT_DELTA_GROUP_MEMBER     8
#define DT_DELTA_ALIAS            9
#define DT_DELTA_RENAME_ALIAS     11
#define DT_DELTA_ALIAS_MEMBER     12
#define DT_DELTA_POLICY           13
#define DT_DELTA_TRUSTED_DOMAINS  14
#define DT_DELTA_ACCOUNTS         16
#define DT_DELTA_SECRET           18
#define DT_DELTA_DELETE_GROUP     20
#define DT_DELTA_DELETE_USER      21
#define DT_MODIFIED_COUNT         22

static const value_string delta_type_vals[] = {
        { DT_DELTA_DOMAIN, "Domain" },
        { DT_DELTA_GROUP, "Group" },
        { DT_DELTA_RENAME_GROUP, "Rename Group" },
        { DT_DELTA_USER, "User" },
        { DT_DELTA_RENAME_USER, "Rename User" },
        { DT_DELTA_GROUP_MEMBER, "Group Member" },
        { DT_DELTA_ALIAS, "Alias" },
        { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
        { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
        { DT_DELTA_POLICY, "Policy" },
        { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
        { DT_DELTA_ACCOUNTS, "Accounts" },
        { DT_DELTA_SECRET, "Secret" },
        { DT_DELTA_DELETE_GROUP, "Delete Group" },
        { DT_DELTA_DELETE_USER, "Delete User" },
        { DT_MODIFIED_COUNT, "Modified Count" },
        /* end-of-table marker */
        { 0, NULL }
};
3225 /*
3226  * IDL typedef [switch_type(short)] union {
3227  * IDL   [case(1)][unique] DELTA_DOMAIN *domain;
3228  * IDL   [case(2)][unique] DELTA_GROUP *group;
3229  * IDL   [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3230  * IDL   [case(5)][unique] DELTA_USER *user;
3231  * IDL   [case(7)][unique] DELTA_RENAME_USER *rename_user;
3232  * IDL   [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3233  * IDL   [case(9)][unique] DELTA_ALIAS *alias;
3234  * IDL   [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
3235  * IDL   [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3236  * IDL   [case(13)][unique] DELTA_POLICY *policy;
3237  * IDL   [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3238  * IDL   [case(16)][unique] DELTA_ACCOUNTS *accounts;
3239  * IDL   [case(18)][unique] DELTA_SECRET *secret;
3240  * IDL   [case(20)][unique] DELTA_DELETE_USER *delete_group;
3241  * IDL   [case(21)][unique] DELTA_DELETE_USER *delete_user;
3242  * IDL   [case(22)][unique] MODIFIED_COUNT *modified_count;
3243  * IDL } DELTA_UNION;
3244  */
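/*
 * Dissect a DELTA_UNION: a 16-bit discriminant, the ALIGN_TO_4_BYTES step,
 * then one unique pointer whose referent dissector is chosen by the
 * discriminant.
 *
 * The discriminant comes from the captured packet and is therefore
 * untrusted: values with no case below fall to the default arm and no
 * union arm is dissected.
 *
 * Returns the offset following the union.
 */
static int
netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        proto_item *item=NULL;
        proto_tree *tree=NULL;
        int old_offset=offset;
        /* Initialised so the switch never reads an indeterminate value if
         * dissect_ndr_uint16() returns without storing a result.
         * NOTE(review): that helper presumably skips scalars on conformant
         * runs, as netlogon_dissect_UAS_INFO_0 does - confirm. */
        guint16 level=0;

        if(parent_tree){
                item = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "DELTA_UNION:");
                tree = proto_item_add_subtree(item, ett_DELTA_UNION);
        }

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_delta_type, &level);

        ALIGN_TO_4_BYTES;
        switch(level){
        case 1:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
                        "DELTA_DOMAIN:", -1);
                break;
        case 2:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
                        "DELTA_GROUP:", -1);
                break;
        case 4:
                /* the three rename arms share one dissector and differ only
                 * in the hf passed for the name */
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
                        "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
                break;
        case 5:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
                        "DELTA_USER:", -1);
                break;
        case 7:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
                        "DELTA_RENAME_USER:", hf_netlogon_acct_name);
                break;
        case 8:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
                        "DELTA_GROUP_MEMBER:", -1);
                break;
        case 9:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
                        "DELTA_ALIAS:", -1);
                break;
        case 11:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
                        "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
                break;
        case 12:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
                        "DELTA_ALIAS_MEMBER:", -1);
                break;
        case 13:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
                        "DELTA_POLICY:", -1);
                break;
        case 14:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
                        "DELTA_TRUSTED_DOMAINS:", -1);
                break;
        case 16:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
                        "DELTA_ACCOUNTS:", -1);
                break;
        case 18:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
                        "DELTA_SECRET:", -1);
                break;
        case 20:
                /* delete_group uses the DELTA_DELETE_USER dissector, as in
                 * the IDL above this function */
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
                        "DELTA_DELETE_GROUP:", -1);
                break;
        case 21:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
                        "DELTA_DELETE_USER:", -1);
                break;
        case 22:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
                        "MODIFIED_COUNT:", -1);
                break;
        default:
                /* unknown or unset delta type: no arm to dissect */
                break;
        }

        proto_item_set_len(item, offset-old_offset);
        return offset;
}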
3351
3352
3353
3354 /* IDL XXX must verify this one, especially 13-19
3355  * IDL typedef [switch_type(short)] union {
3356  * IDL   [case(1)] long rid;
3357  * IDL   [case(2)] long rid;
3358  * IDL   [case(3)] long rid;
3359  * IDL   [case(4)] long rid;
3360  * IDL   [case(5)] long rid;
3361  * IDL   [case(6)] long rid;
3362  * IDL   [case(7)] long rid;
3363  * IDL   [case(8)] long rid;
3364  * IDL   [case(9)] long rid;
3365  * IDL   [case(10)] long rid;
3366  * IDL   [case(11)] long rid;
3367  * IDL   [case(12)] long rid;
3368  * IDL   [case(13)] [unique] SID *sid;
3369  * IDL   [case(14)] [unique] SID *sid;
3370  * IDL   [case(15)] [unique] SID *sid;
3371  * IDL   [case(16)] [unique] SID *sid;
3372  * IDL   [case(17)] [unique] SID *sid;
3373  * IDL   [case(18)] [unique][string] wchar_t *Name ;
3374  * IDL   [case(19)] [unique][string] wchar_t *Name ;
3375  * IDL   [case(20)] long rid;
3376  * IDL   [case(21)] long rid;
3377  * IDL } DELTA_ID_UNION;
3378  */
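/*
 * Dissect a DELTA_ID_UNION: a 16-bit discriminant, the ALIGN_TO_4_BYTES
 * step, then a RID, a SID pointer or a string pointer depending on the
 * discriminant.
 *
 * The discriminant is untrusted packet data; values with no case below
 * fall to the default arm and no union arm is dissected.
 *
 * Returns the offset following the union.
 */
static int
netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        proto_item *item=NULL;
        proto_tree *tree=NULL;
        int old_offset=offset;
        /* Initialised so the switch never reads an indeterminate value if
         * dissect_ndr_uint16() returns without storing a result.
         * NOTE(review): that helper presumably skips scalars on conformant
         * runs - confirm. */
        guint16 level=0;

        if(parent_tree){
                item = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "DELTA_ID_UNION:");
                tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
        }

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_delta_type, &level);

        ALIGN_TO_4_BYTES;
        switch(level){
        case 1:
                /* the only arm shown as a group RID */
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_group_rid, NULL);
                break;
        case 2:
        case 3:
        case 4:
        case 5:
        case 6:
        case 7:
        case 8:
        case 9:
        case 10:
        case 11:
        case 12:
        case 20:
        case 21:
                /* every other RID arm is shown with the user RID field */
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_user_rid, NULL);
                break;
        case 13:
        case 14:
        case 15:
        case 16:
        case 17:
                /* [unique] SID pointer arms */
                offset = dissect_ndr_nt_PSID(tvb, offset,
                        pinfo, tree, drep, -1);
                break;
        case 18:
        case 19:
                /* [unique][string] name arms; the field meaning is not
                 * identified, hence the "unknown" label */
                offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
                        tree, drep, NDR_POINTER_UNIQUE, "unknown",
                        hf_netlogon_unknown_string, 0);
                break;
        default:
                /* unknown or unset delta type: no arm to dissect */
                break;
        }

        proto_item_set_len(item, offset-old_offset);
        return offset;
}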
3491
3492 /*
3493  * IDL typedef struct {
3494  * IDL   short delta_type;
3495  * IDL   DELTA_ID_UNION delta_id_union;
3496  * IDL   DELTA_UNION delta_union;
3497  * IDL } DELTA_ENUM;
3498  */
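/*
 * Dissect one DELTA_ENUM: a 16-bit delta type followed by a
 * DELTA_ID_UNION and a DELTA_UNION, each of which reads its own
 * discriminant.
 *
 * The symbolic name of the delta type is appended to the subtree label.
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        proto_item *item=NULL;
        proto_tree *tree=NULL;
        int old_offset=offset;
        /* Initialised so val_to_str() never sees an indeterminate value if
         * dissect_ndr_uint16() returns without storing a result.
         * NOTE(review): that helper presumably skips scalars on conformant
         * runs - confirm. */
        guint16 type=0;

        if(parent_tree){
                item = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "DELTA_ENUM:");
                tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
        }

        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_delta_type, &type);

        /* Pass the looked-up name as an argument, never as the format
         * string itself, so a '%' in a value string cannot be interpreted
         * as a conversion. */
        proto_item_append_text(item, "%s", val_to_str(
                                       type, delta_type_vals, "Unknown"));

        offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
                pinfo, tree, drep);

        offset = netlogon_dissect_DELTA_UNION(tvb, offset,
                pinfo, tree, drep);

        proto_item_set_len(item, offset-old_offset);
        return offset;
}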
3530
/*
 * Pointer callback for the delta_enum array: hands the array to
 * dissect_ndr_ucarray() with netlogon_dissect_DELTA_ENUM as the
 * per-element dissector and returns the resulting offset.
 */
static int
netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DELTA_ENUM);
}
3541
3542 /*
3543  * IDL typedef struct {
3544  * IDL   long num_deltas;
3545  * IDL   [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3546  * IDL } DELTA_ENUM_ARRAY;
3547  */
/*
 * Dissect a DELTA_ENUM_ARRAY: the num_deltas count, then a unique pointer
 * to the array of DELTA_ENUM entries.
 *
 * The count is only displayed here; the array itself is walked by
 * netlogon_dissect_DELTA_ENUM_array through dissect_ndr_ucarray().
 */
static int
netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int next;

        next = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_deltas, NULL);

        return dissect_ndr_pointer(tvb, next, pinfo, tree, drep,
                netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
                "DELTA_ENUM: deltas", -1);
}
3562
3563
3564 /*
3565  * IDL long NetrDatabaseDeltas(
3566  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
3567  * IDL      [in][string][ref] wchar_t *computername,
3568  * IDL      [in][ref] AUTHENTICATOR credential,
3569  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3570  * IDL      [in] long database_id,
3571  * IDL      [in][out][ref] MODIFIED_COUNT domain_modify_count,
3572  * IDL      [in] long preferredmaximumlength,
3573  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3574  * IDL );
3575  */
/*
 * Dissect a NetrDatabaseDeltas request. Fields are consumed in wire order:
 * server handle, computer name, credential, return authenticator,
 * database id, domain modified count, preferred maximum length.
 */
static int
netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* both names are [ref] string pointers */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Server Handle",
                hf_netlogon_logonsrv_handle, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Computer Name",
                hf_netlogon_computer_name, 0);

        /* the two authenticators */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_database_id, NULL);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                "MODIFIED_COUNT: domain modified count", -1);

        /* preferredmaximumlength is the last field of the request */
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrDatabaseDeltas reply: return authenticator, domain
 * modified count, the unique pointer to the DELTA_ENUM_ARRAY, and the
 * NT status return code.
 */
static int
netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
                "MODIFIED_COUNT: domain modified count", -1);

        /* [unique]: the delta array may be absent from the reply */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                "DELTA_ENUM_ARRAY: deltas", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
3627
3628
3629 /*
3630  * IDL long NetrDatabaseSync(
3631  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
3632  * IDL      [in][string][ref] wchar_t *computername,
3633  * IDL      [in][ref] AUTHENTICATOR credential,
3634  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3635  * IDL      [in] long database_id,
3636  * IDL      [in][out][ref] long sync_context,
3637  * IDL      [in] long preferredmaximumlength,
3638  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3639  * IDL );
3640  */
/*
 * Dissect a NetrDatabaseSync request. Fields are consumed in wire order:
 * server handle, computer name, credential, return authenticator,
 * database id, sync context, preferred maximum length.
 */
static int
netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* both names are [ref] string pointers */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Server Handle",
                hf_netlogon_logonsrv_handle, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Computer Name",
                hf_netlogon_computer_name, 0);

        /* the two authenticators */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* three plain 32-bit scalars close the request */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_database_id, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_sync_context, NULL);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_size, NULL);
}
3670
3671
/*
 * Dissect a NetrDatabaseSync reply: return authenticator, sync context,
 * the unique pointer to the DELTA_ENUM_ARRAY, and the NT status return
 * code.
 */
static int
netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_sync_context, NULL);

        /* [unique]: the delta array may be absent from the reply */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                "DELTA_ENUM_ARRAY: deltas", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
3692
3693 /*
3694  * IDL typedef struct {
3695  * IDL   char computer_name[16];
3696  * IDL   long timecreated;
3697  * IDL   long serial_number;
3698  * IDL } UAS_INFO_0;
3699  */
/*
 * Dissect a UAS_INFO_0: a fixed 16-byte computer name, a 4-byte creation
 * time shown only as a placeholder (its format is not decoded), and a
 * 32-bit serial number.
 *
 * On a conformant run nothing is dissected and the offset is returned
 * unchanged.
 */
static int
netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        dcerpc_info *di = pinfo->private_data;

        if(di->conformant_run){
                /* pass that only sizes conformant arrays: no fields here */
                return offset;
        }

        /* fixed-width name: 16 bytes regardless of content */
        proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
        offset += 16;

        /* time format not understood; mark the 4 bytes and step over them */
        proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
        offset += 4;

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_serial_number, NULL);
}
3724
3725
/*
 * Element callback for byte arrays: dissects one 8-bit value under
 * hf_netlogon_unknown_char and returns the offset after it.
 */
static int
netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_char, NULL);
}
3736
/*
 * Pointer callback for an opaque byte buffer: hands the array to
 * dissect_ndr_ucarray() with netlogon_dissect_BYTE_byte as the
 * per-element dissector.
 *
 * NOTE(review): each byte goes through its own callback, so a large
 * wire-supplied element count presumably produces one tree item per
 * byte - confirm whether a single bytes item would be preferable.
 */
static int
netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_BYTE_byte);
}
3747
3748 /*
3749  * IDL long NetrAccountDeltas(
3750  * IDL      [in][string][unique] wchar_t *logonserver,
3751  * IDL      [in][string][ref] wchar_t *computername,
3752  * IDL      [in][ref] AUTHENTICATOR credential,
3753  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3754  * IDL      [out][ref][size_is(count_returned)] char *Buffer,
3755  * IDL      [out][ref] long count_returned,
3756  * IDL      [out][ref] long total_entries,
3757  * IDL      [in][out][ref] UAS_INFO_0 recordid,
3758  * IDL      [in][long] count,
3759  * IDL      [in][long] level,
3760  * IDL      [in][long] buffersize,
3761  * IDL );
3762  */
/*
 * Dissect a NetrAccountDeltas request. Fields are consumed in this order:
 * logon server handle, computer name, credential, return authenticator,
 * UAS_INFO_0 record id, count, level, buffer size.
 */
static int
netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Computer Name",
                hf_netlogon_computer_name, 0);

        /* the two authenticators */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                "UAS_INFO_0: RecordID", -1);

        /* three plain 32-bit scalars close the request */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_count, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, NULL);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrAccountDeltas reply: return authenticator, the returned
 * byte buffer, count returned, total entries, UAS_INFO_0 record id, and
 * the NT status return code.
 */
static int
netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* the buffer is shown as raw bytes; its contents are not decoded */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                "BYTE_array: Buffer", -1);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_count, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_entries, NULL);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                "UAS_INFO_0: RecordID", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
3823
3824
3825 /*
3826  * IDL long NetrAccountSync(
3827  * IDL      [in][string][unique] wchar_t *logonserver,
3828  * IDL      [in][string][ref] wchar_t *computername,
3829  * IDL      [in][ref] AUTHENTICATOR credential,
3830  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
3831  * IDL      [out][ref][size_is(count_returned)] char *Buffer,
3832  * IDL      [out][ref] long count_returned,
3833  * IDL      [out][ref] long total_entries,
3834  * IDL      [out][ref] long next_reference,
3835  * IDL      [in][long] reference,
3836  * IDL      [in][long] level,
3837  * IDL      [in][long] buffersize,
3838  * IDL      [in][out][ref] UAS_INFO_0 recordid,
3839  * IDL );
3840  */
/*
 * Dissect a NetrAccountSync request. Fields are consumed in this order:
 * logon server handle, computer name, credential, return authenticator,
 * reference, level, buffer size.
 *
 * NOTE(review): the IDL above this function also lists an [in][out]
 * UAS_INFO_0 recordid, which this request dissector does not read -
 * confirm against a capture.
 */
static int
netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Computer Name",
                hf_netlogon_computer_name, 0);

        /* the two authenticators */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* three plain 32-bit scalars close the request */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_reference, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, NULL);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_size, NULL);
}
/*
 * Dissect a NetrAccountSync reply: return authenticator, the returned
 * byte buffer, count returned, total entries, next reference, UAS_INFO_0
 * record id, and the NT status return code.
 */
static int
netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* the buffer is shown as raw bytes; its contents are not decoded */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                "BYTE_array: Buffer", -1);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_count, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_entries, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_next_reference, NULL);

        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
                "UAS_INFO_0: RecordID", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
3900
3901
3902 /*
3903  * IDL long NetrGetDcName(
3904  * IDL    [in][ref][string] wchar_t *logon_server,
3905  * IDL    [in][unique][string] wchar_t *domainname,
3906  * IDL    [out][unique][string] wchar_t *dcname,
3907  * IDL );
3908  */
/*
 * Dissect a NetrGetDcName request: the [ref] logon server string followed
 * by the [unique] domain name string.
 */
static int
netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int next;

        next = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Server Handle",
                hf_netlogon_logonsrv_handle, 0);

        /* [unique]: the domain name may be absent */
        return dissect_ndr_str_pointer_item(tvb, next, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
}
/*
 * Dissect a NetrGetDcName reply: the [unique] DC name string followed by
 * the NT status return code.
 */
static int
netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int next;

        /* NOTE(review): the pointer label reads "Domain" although the
         * field registered is hf_netlogon_dc_name - possibly copied from
         * the request dissector; confirm the intended label. */
        next = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);

        return dissect_ntstatus(tvb, next, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
3933
3934
3935
3936 /*
3937  * IDL typedef struct {
3938  * IDL   long flags;
3939  * IDL   long pdc_connection_status;
3940  * IDL } NETLOGON_INFO_1;
3941  */
/*
 * Dissect a NETLOGON_INFO_1: two 32-bit values, flags and PDC connection
 * status. Returns the offset following the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int next;

        next = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_flags, NULL);

        return dissect_ndr_uint32(tvb, next, pinfo, tree, drep,
                hf_netlogon_pdc_connection_status, NULL);
}
3955
3956
3957 /*
3958  * IDL typedef struct {
3959  * IDL   long flags;
3960  * IDL   long pdc_connection_status;
3961  * IDL   [unique][string] wchar_t trusted_dc_name;
3962  * IDL   long tc_connection_status;
3963  * IDL } NETLOGON_INFO_2;
3964  */
/*
 * Dissect a NETLOGON_INFO_2: flags, PDC connection status, a [unique]
 * trusted DC name string, and the trusted-connection status.
 * Returns the offset following the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_flags, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_pdc_connection_status, NULL);

        /* [unique]: the trusted DC name may be absent */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Trusted DC Name",
                hf_netlogon_trusted_dc_name, 0);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_tc_connection_status, NULL);
}
3985
3986
3987 /*
3988  * IDL typedef struct {
3989  * IDL   long flags;
3990  * IDL   long logon_attempts;
3991  * IDL   long reserved;
3992  * IDL   long reserved;
3993  * IDL   long reserved;
3994  * IDL   long reserved;
3995  * IDL   long reserved;
3996  * IDL } NETLOGON_INFO_3;
3997  */
/*
 * Dissect a NETLOGON_INFO_3: flags, logon attempts, then five reserved
 * 32-bit values. Returns the offset following the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int i;

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_flags, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_logon_attempts, NULL);

        /* the structure ends with five reserved longs */
        for(i=0; i<5; i++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_reserved, NULL);
        }

        return offset;
}
4026
4027
4028 /*
4029  * IDL typedef [switch_type(long)] union {
4030  * IDL   [case(1)] [unique] NETLOGON_INFO_1 *i1;
4031  * IDL   [case(2)] [unique] NETLOGON_INFO_2 *i2;
4032  * IDL   [case(3)] [unique] NETLOGON_INFO_3 *i3;
4033  * IDL } CONTROL_QUERY_INFORMATION;
4034  */
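/*
 * Dissect a CONTROL_QUERY_INFORMATION union: a 32-bit level, the
 * ALIGN_TO_4_BYTES step, then a unique pointer to the NETLOGON_INFO_n
 * structure the level selects.
 *
 * The level is untrusted packet data; values other than 1, 2 and 3 fall
 * to the default arm and no union arm is dissected.
 *
 * Returns the offset following the union.
 */
static int
netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        /* Initialised so the switch never reads an indeterminate value if
         * dissect_ndr_uint32() returns without storing a result.
         * NOTE(review): that helper presumably skips scalars on conformant
         * runs - confirm. */
        guint32 level=0;

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, &level);

        ALIGN_TO_4_BYTES;
        switch(level){
        case 1:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
                        "NETLOGON_INFO_1:", -1);
                break;
        case 2:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
                        "NETLOGON_INFO_2:", -1);
                break;
        case 3:
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
                        "NETLOGON_INFO_3:", -1);
                break;
        default:
                /* unknown or unset level: no arm to dissect */
                break;
        }

        return offset;
}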
4066
4067
4068 /*
4069  * IDL long NetrLogonControl(
4070  * IDL      [in][string][unique] wchar_t *logonserver,
4071  * IDL      [in] long function_code,
4072  * IDL      [in] long level,
4073  * IDL      [out][ref] CONTROL_QUERY_INFORMATION
4074  * IDL );
4075  */
/*
 * NetrLogonControl request: logon server handle, function code, level.
 * Returns the offset after the level field.
 */
static int
netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in] logonserver */
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                drep);

        /* [in] function_code */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_code, NULL);

        /* [in] level -- last field, so its end offset is the result */
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, NULL);
}
/*
 * NetrLogonControl reply: the CONTROL_QUERY_INFORMATION union behind a
 * ref pointer, followed by the NT status return code.
 */
static int
netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [out][ref] query information */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
                "CONTROL_QUERY_INFORMATION:", -1);

        /* return code */
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
4104
4105
4106 /*
4107  * IDL long NetrGetAnyDCName(
4108  * IDL    [in][unique][string] wchar_t *logon_server,
4109  * IDL    [in][unique][string] wchar_t *domainname,
4110  * IDL    [out][unique][string] wchar_t *dcname,
4111  * IDL };
4112  */
/*
 * NetrGetAnyDCName request: two unique string pointers, the logon server
 * name and the domain name.
 */
static int
netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in][unique][string] logon_server */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Server Handle",
                hf_netlogon_logonsrv_handle, 0);

        /* [in][unique][string] domainname */
        return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
}
/*
 * NetrGetAnyDCName reply: a unique string pointer registered under
 * hf_netlogon_dc_name, followed by the NT status return code.
 */
static int
netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /*
         * NOTE(review): the pointer label reads "Domain" although the field
         * is the DC name ([out] dcname in the IDL above) -- looks like a
         * copy of the request label; confirm before renaming.
         */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
4138
4139
4140 /*
4141  * IDL typedef [switch_type(long)] union {
4142  * IDL   [case(5)] [unique][string] wchar_t *unknown;
4143  * IDL   [case(6)] [unique][string] wchar_t *unknown;
4144  * IDL   [case(0xfffe)] long unknown;
4145  * IDL   [case(7)] [unique][string] wchar_t *unknown;
4146  * IDL } CONTROL_DATA_INFORMATION;
4147  */
/* XXX
 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
 * to look like. However, NetMon does not recognize any such information levels.
 *
 * I'll leave it as CONTROL_DATA_INFORMATION with no information levels
 * until someone has a source of better authority to call upon.
 */
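/*
 * Dissect the CONTROL_DATA_INFORMATION union: a 32-bit level followed,
 * after 4-byte alignment, by the arm that level selects.  Levels 5, 6
 * and 8 carry a unique string pointer, level 0xfffe a single long.
 * Any other level is left undissected.
 *
 * NOTE(review): the IDL comment above lists case(7) for the last string
 * arm while the code handles 8; the code is kept as it was -- confirm
 * against an authoritative description of the union.
 */
static int
netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        /*
         * Initialized so the switch below never reads an indeterminate
         * value: dissect_ndr_uint32() is not shown here and may return
         * without storing through the pointer (presumably on a conformant
         * run, as the flag dissectors in this file do -- confirm).
         * With 0 no case matches.
         */
        guint32 level = 0;

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, &level);

        ALIGN_TO_4_BYTES;
        switch(level){
        case 5:
        case 6:
        case 8:
                /* the three string arms are dissected identically */
                offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
                        tree, drep, NDR_POINTER_UNIQUE, "unknown",
                        hf_netlogon_unknown_string, 0);
                break;
        case 0xfffe:
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
                break;
        default:
                /* level comes from the wire; unknown arms are skipped */
                break;
        }

        return offset;
}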
4190
4191
4192 /*
4193  * IDL long NetrLogonControl2(
4194  * IDL      [in][string][unique] wchar_t *logonserver,
4195  * IDL      [in] long function_code,
4196  * IDL      [in] long level,
4197  * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
4198  * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
4199  * IDL );
4200  */
/*
 * NetrLogonControl2 request: logon server handle, function code, level,
 * then the CONTROL_DATA_INFORMATION union behind a ref pointer.
 */
static int
netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in] logonserver */
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                drep);

        /* [in] function_code */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_code, NULL);

        /* [in] level */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, NULL);

        /* [in][ref] data */
        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
                "CONTROL_DATA_INFORMATION: ", -1);
}
4220
/*
 * NetrLogonControl2 reply: the CONTROL_QUERY_INFORMATION union behind a
 * ref pointer, followed by the NT status return code.
 */
static int
netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [out][ref] query */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
                "CONTROL_QUERY_INFORMATION:", -1);

        /* return code */
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
4234
4235
4236 /*
4237  * IDL long NetrServerAuthenticate2(
4238  * IDL      [in][string][unique] wchar_t *logonserver,
4239  * IDL      [in][ref][string] wchar_t *username,
4240  * IDL      [in] short secure_channel_type,
4241  * IDL      [in][ref][string] wchar_t *computername,
4242  * IDL      [in][ref] CREDENTIAL *client_chal,
4243  * IDL      [out][ref] CREDENTIAL *server_chal,
4244  * IDL      [in][out][ref] long *negotiate_flags,
4245  * IDL );
4246  */
/*
 * NetrServerAuthenticate2 request: logon server handle, account name,
 * secure channel type, computer name, the client challenge CREDENTIAL
 * and the 32-bit negotiate flags.
 */
static int
netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in] logonserver */
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                drep);

        /*
         * [in][ref][string] username; cb_wstr_postprocess is handed
         * CB_STR_COL_INFO | 1 -- presumably so the name is also shown in
         * the Info column (callback not visible here, confirm).
         */
        offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
                dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
                "User Name", hf_netlogon_acct_name,
                cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));

        /* [in] secure_channel_type */
        offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                pinfo, tree, drep);

        /* [in][ref][string] computername */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

        /* [in][ref] client_chal */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                "CREDENTIAL: client_chal", -1);

        /* [in][out] negotiate_flags, shown as one undecoded 32-bit value */
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_neg_flags, NULL);
}
4275
/*
 * NetrServerAuthenticate2 reply: the server challenge CREDENTIAL, the
 * negotiate flags as returned by the server, and the NT status.
 */
static int
netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [out][ref] server_chal */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                "CREDENTIAL: server_chal", -1);

        /* [in][out] negotiate_flags */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_neg_flags, NULL);

        /* return code */
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
4292
4293
4294 /*
4295  * IDL long NetrDatabaseSync2(
4296  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
4297  * IDL      [in][string][ref] wchar_t *computername,
4298  * IDL      [in][ref] AUTHENTICATOR credential,
4299  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
4300  * IDL      [in] long database_id,
4301  * IDL      [in] short restart_state,
4302  * IDL      [in][out][ref] long *sync_context,
4303  * IDL      [in] long preferredmaximumlength,
4304  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4305  * IDL );
4306  */
/*
 * NetrDatabaseSync2 request: server and computer names (both ref string
 * pointers), the two AUTHENTICATORs, database id, 16-bit restart state,
 * sync context and preferred maximum length.
 */
static int
netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in][string][ref] logonserver, then computername */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

        /* [in][ref] credential, then [in][out][ref] return_authenticator */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* scalar arguments; restart_state is the only 16-bit one */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_database_id, NULL);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                hf_netlogon_restart_state, NULL);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_sync_context, NULL);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_size, NULL);
}
4339
/*
 * NetrDatabaseSync2 reply: return authenticator, sync context, a unique
 * pointer to the DELTA_ENUM_ARRAY, and the NT status return code.
 */
static int
netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in][out][ref] return_authenticator */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* [in][out] sync_context */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_sync_context, NULL);

        /* [out][unique] delta_enum_array */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                "DELTA_ENUM_ARRAY: deltas", -1);

        /* return code */
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
4360
4361
4362 /*
4363  * IDL long NetrDatabaseRedo(
4364  * IDL      [in][string][ref] wchar_t *logonserver, # REF!!!
4365  * IDL      [in][string][ref] wchar_t *computername,
4366  * IDL      [in][ref] AUTHENTICATOR credential,
4367  * IDL      [in][out][ref] AUTHENTICATOR return_authenticator,
4368  * IDL      [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
4369  * IDL      [in] long change_log_entry_size,
4370  * IDL      [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4371  * IDL );
4372  */
/*
 * NetrDatabaseRedo request: server and computer names (both ref string
 * pointers), the two AUTHENTICATORs, the change log entry as a byte
 * array behind a ref pointer, and a 32-bit value shown under
 * hf_netlogon_max_log_size.
 */
static int
netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in][string][ref] logonserver, then computername */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);

        /* [in][ref] credential, then [in][out][ref] return_authenticator */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* [in][ref][size_is(change_log_entry_size)] change_log_entry */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_BYTE_array, NDR_POINTER_REF,
                "Change log entry: ", -1);

        /* [in] change_log_entry_size */
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_max_log_size, NULL);
}
4400
/*
 * NetrDatabaseRedo reply: return authenticator, a unique pointer to the
 * DELTA_ENUM_ARRAY, and the NT status return code.
 */
static int
netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in][out][ref] return_authenticator */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: return_authenticator", -1);

        /* [out][unique] delta_enum_array */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
                "DELTA_ENUM_ARRAY: deltas", -1);

        /* return code */
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
4418
4419
4420 /*
4421  * IDL long NetrLogonControl2Ex(
4422  * IDL      [in][string][unique] wchar_t *logonserver,
4423  * IDL      [in] long function_code,
4424  * IDL      [in] long level,
4425  * IDL      [in][ref] CONTROL_DATA_INFORMATION *data,
4426  * IDL      [out][ref] CONTROL_QUERY_INFORMATION *query
4427  * IDL );
4428  */
/*
 * NetrLogonControl2Ex request: logon server handle, function code, level,
 * then the CONTROL_DATA_INFORMATION union behind a ref pointer.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [in] logonserver */
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                drep);

        /* [in] function_code */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_code, NULL);

        /* [in] level */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, NULL);

        /* [in][ref] data */
        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
                "CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * NetrLogonControl2Ex reply: the CONTROL_QUERY_INFORMATION union behind
 * a ref pointer, followed by the NT status return code.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* [out][ref] query */
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
                "CONTROL_QUERY_INFORMATION:", -1);

        /* return code */
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
4461
4462
4463
4464
/* Value-to-name table for trust types; the { 0, NULL } entry ends it. */
static const value_string trust_type_vals[] = {
        { 1, "DOWNLEVEL" },
        { 2, "UPLEVEL" },
        { 3, "MIT" },
        { 4, "DCE" },
        { 0, NULL }
};

/* Domain controller address types and their display names. */
#define DS_INET_ADDRESS         1
#define DS_NETBIOS_ADDRESS      2

static const value_string dc_address_types[] = {
        { DS_INET_ADDRESS,    "IP/DNS name" },
        { DS_NETBIOS_ADDRESS, "NetBIOS name" },
        { 0, NULL }
};
4480
4481
/*
 * Bit values of the domain trust flags word.  Presumably used as the
 * bit masks when the hf_netlogon_trust_flags_* fields are registered;
 * the registration is outside this part of the file.
 */
#define DS_DOMAIN_IN_FOREST             0x0001
#define DS_DOMAIN_DIRECT_OUTBOUND       0x0002
#define DS_DOMAIN_TREE_ROOT             0x0004
#define DS_DOMAIN_PRIMARY               0x0008
#define DS_DOMAIN_NATIVE_MODE           0x0010
#define DS_DOMAIN_DIRECT_INBOUND        0x0020

/*
 * Display strings for the individual trust flag bits, listed in the
 * order of the defines above.  In each pair the first string describes
 * the bit being set, the second the bit being clear.
 */
static const true_false_string trust_in_forest = {
        "The domain is a member IN the same FOREST as the queried server",
        "The domain is NOT a member of the queried servers domain"
};

static const true_false_string trust_outbound = {
        "There is a DIRECT OUTBOUND trust for this domain",
        "There is NO direct outbound trust for this domain"
};

static const true_false_string trust_tree_root = {
        "The domain is the ROOT of a domain TREE",
        "The domain is NOT a root of a domain tree"
};

static const true_false_string trust_primary = {
        "The domain is the PRIMARY domain of the queried server",
        "The domain is NOT the primary domain of the queried server"
};

static const true_false_string trust_native_mode = {
        "The primary domain is a NATIVE MODE w2k domain",
        "The primary is NOT a native mode w2k domain"
};

static const true_false_string trust_inbound = {
        "There is a DIRECT INBOUND trust for the servers domain",
        "There is NO direct inbound trust for the servers domain"
};
/*
 * Dissect the 32-bit domain trust flags word and show each flag bit as
 * a boolean under a "trust flags" subtree of parent_tree.
 * Nothing is dissected on a conformant run; the offset is returned as-is.
 */
static int
netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
{
        /* flag fields in the order they are added to the subtree */
        static int *const flag_fields[] = {
                &hf_netlogon_trust_flags_inbound,
                &hf_netlogon_trust_flags_native_mode,
                &hf_netlogon_trust_flags_primary,
                &hf_netlogon_trust_flags_tree_root,
                &hf_netlogon_trust_flags_outbound,
                &hf_netlogon_trust_flags_in_forest
        };
        dcerpc_info *di = pinfo->private_data;
        proto_item *flags_item = NULL;
        proto_tree *flags_tree = NULL;
        guint32 flags;
        int start;
        unsigned int i;

        if (di->conformant_run) {
                /* pass that only handles conformant arrays */
                return offset;
        }

        /* read the value without adding an item (tree argument is NULL) */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
                        hf_netlogon_trust_flags, &flags);
        start = offset - 4;     /* the four bytes just consumed */

        if (parent_tree != NULL) {
                flags_item = proto_tree_add_uint(parent_tree,
                        hf_netlogon_trust_flags, tvb, start, 4, flags);
                flags_tree = proto_item_add_subtree(flags_item, ett_trust_flags);
        }

        for (i = 0; i < sizeof flag_fields / sizeof flag_fields[0]; i++) {
                proto_tree_add_boolean(flags_tree, *flag_fields[i],
                        tvb, start, 4, flags);
        }

        return offset;
}
4551
4552
/*
 * Bit values of the "get DC name" request flags word.  Presumably used
 * as the bit masks when the hf_netlogon_get_dcname_request_flags_* fields
 * are registered; the registration is outside this part of the file.
 */
#define DS_FORCE_REDISCOVERY            0x00000001
#define DS_DIRECTORY_SERVICE_REQUIRED   0x00000010
#define DS_DIRECTORY_SERVICE_PREFERRED  0x00000020
#define DS_GC_SERVER_REQUIRED           0x00000040
#define DS_PDC_REQUIRED                 0x00000080
#define DS_BACKGROUND_ONLY              0x00000100
#define DS_IP_REQUIRED                  0x00000200
#define DS_KDC_REQUIRED                 0x00000400
#define DS_TIMESERV_REQUIRED            0x00000800
#define DS_WRITABLE_REQUIRED            0x00001000
#define DS_GOOD_TIMESERV_PREFERRED      0x00002000
#define DS_AVOID_SELF                   0x00004000
#define DS_ONLY_LDAP_NEEDED             0x00008000
#define DS_IS_FLAT_NAME                 0x00010000
#define DS_IS_DNS_NAME                  0x00020000
#define DS_RETURN_DNS_NAME              0x40000000
#define DS_RETURN_FLAT_NAME             0x80000000

/*
 * Display strings for the individual request flag bits.  In each pair
 * the first string describes the bit being set, the second the bit being
 * clear.  NOTE(review): a few strings carry spelling slips ("DIRECRTORY",
 * "cahced", "requrned", "ther"); they are display text and are left as
 * they were.
 */
static const true_false_string get_dcname_request_flags_force_rediscovery = {
        "FORCE REDISCOVERY of any cached data",
        "You may return cached data"
};

static const true_false_string get_dcname_request_flags_directory_service_required = {
        "DIRECRTORY SERVICE is REQUIRED on the server",
        "We do NOT require directory service servers"
};

static const true_false_string get_dcname_request_flags_directory_service_preferred = {
        "DIRECTORY SERVICE servers are PREFERRED",
        "We do NOT have a preference for directory service servers"
};

static const true_false_string get_dcname_request_flags_gc_server_required = {
        "GC SERVER is REQUIRED",
        "gc server is NOT required"
};

static const true_false_string get_dcname_request_flags_pdc_required = {
        "PDC SERVER is REQUIRED",
        "pdc server is NOT required"
};

static const true_false_string get_dcname_request_flags_background_only = {
        "Only returned cahced data, even if it has expired",
        "Return cached data unless it has expired"
};

static const true_false_string get_dcname_request_flags_ip_required = {
        "IP address is REQUIRED",
        "ip address is NOT required"
};

static const true_false_string get_dcname_request_flags_kdc_required = {
        "KDC server is REQUIRED",
        "kdc server is NOT required"
};

static const true_false_string get_dcname_request_flags_timeserv_required = {
        "TIMESERV service is REQUIRED",
        "timeserv service is NOT required"
};

static const true_false_string get_dcname_request_flags_writable_required = {
        "the requrned dc MUST be WRITEABLE",
        "a read-only dc may be returned"
};

static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
        "GOOD TIMESERV servers are PREFERRED",
        "we do NOT have a preference for good timeserv servers"
};

static const true_false_string get_dcname_request_flags_avoid_self = {
        "do NOT return self as dc, return someone else",
        "you may return yourSELF as the dc"
};

static const true_false_string get_dcname_request_flags_only_ldap_needed = {
        "we ONLY NEED LDAP, you dont have to return a dc",
        "we need a normal dc, an ldap only server will not do"
};

static const true_false_string get_dcname_request_flags_is_flat_name = {
        "the name we specify is a NetBIOS name",
        "the name we specify is NOT a NetBIOS name"
};

static const true_false_string get_dcname_request_flags_is_dns_name = {
        "the name we specify is a DNS name",
        "ther name we specify is NOT a dns name"
};

static const true_false_string get_dcname_request_flags_return_dns_name = {
        "return a DNS name",
        "you may return a NON-dns name"
};

static const true_false_string get_dcname_request_flags_return_flat_name = {
        "return a NetBIOS name",
        "you may return a NON-NetBIOS name"
};
/*
 * Dissect the 32-bit "get DC name" request flags word and show each flag
 * bit as a boolean under a subtree of parent_tree.
 * Nothing is dissected on a conformant run; the offset is returned as-is.
 */
static int
netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
{
        /* flag fields in the order they are added to the subtree */
        static int *const flag_fields[] = {
                &hf_netlogon_get_dcname_request_flags_return_flat_name,
                &hf_netlogon_get_dcname_request_flags_return_dns_name,
                &hf_netlogon_get_dcname_request_flags_is_flat_name,
                &hf_netlogon_get_dcname_request_flags_is_dns_name,
                &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
                &hf_netlogon_get_dcname_request_flags_avoid_self,
                &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
                &hf_netlogon_get_dcname_request_flags_writable_required,
                &hf_netlogon_get_dcname_request_flags_timeserv_required,
                &hf_netlogon_get_dcname_request_flags_kdc_required,
                &hf_netlogon_get_dcname_request_flags_ip_required,
                &hf_netlogon_get_dcname_request_flags_background_only,
                &hf_netlogon_get_dcname_request_flags_pdc_required,
                &hf_netlogon_get_dcname_request_flags_gc_server_required,
                &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
                &hf_netlogon_get_dcname_request_flags_directory_service_required,
                &hf_netlogon_get_dcname_request_flags_force_rediscovery
        };
        dcerpc_info *di = pinfo->private_data;
        proto_item *flags_item = NULL;
        proto_tree *flags_tree = NULL;
        guint32 flags;
        int start;
        unsigned int i;

        if (di->conformant_run) {
                /* pass that only handles conformant arrays */
                return offset;
        }

        /* read the value without adding an item (tree argument is NULL) */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
                        hf_netlogon_get_dcname_request_flags, &flags);
        start = offset - 4;     /* the four bytes just consumed */

        if (parent_tree != NULL) {
                flags_item = proto_tree_add_uint(parent_tree,
                        hf_netlogon_get_dcname_request_flags,
                        tvb, start, 4, flags);
                flags_tree = proto_item_add_subtree(flags_item,
                        ett_get_dcname_request_flags);
        }

        for (i = 0; i < sizeof flag_fields / sizeof flag_fields[0]; i++) {
                proto_tree_add_boolean(flags_tree, *flag_fields[i],
                        tvb, start, 4, flags);
        }

        return offset;
}
4699
4700
4701
/*
 * Bit values of the domain controller flags word.  Presumably used as
 * the bit masks when the hf_netlogon_dc_flags_* fields are registered;
 * the registration is outside this part of the file.
 */
#define DS_PDC_FLAG             0x00000001
#define DS_GC_FLAG              0x00000004
#define DS_LDAP_FLAG            0x00000008
#define DS_DS_FLAG              0x00000010
#define DS_KDC_FLAG             0x00000020
#define DS_TIMESERV_FLAG        0x00000040
#define DS_CLOSEST_FLAG         0x00000080
#define DS_WRITABLE_FLAG        0x00000100
#define DS_GOOD_TIMESERV_FLAG   0x00000200
#define DS_NDNC_FLAG            0x00000400
#define DS_DNS_CONTROLLER_FLAG  0x20000000
#define DS_DNS_DOMAIN_FLAG      0x40000000
#define DS_DNS_FOREST_FLAG      0x80000000

/*
 * Display strings for the individual DC flag bits.  In each pair the
 * first string describes the bit being set, the second the bit being
 * clear.
 */
static const true_false_string dc_flags_pdc_flag = {
        "this is the PDC of the domain",
        "this is NOT the pdc of the domain"
};

static const true_false_string dc_flags_gc_flag = {
        "this is the GC of the forest",
        "this is NOT the gc of the forest"
};

static const true_false_string dc_flags_ldap_flag = {
        "this is an LDAP server",
        "this is NOT an ldap server"
};

static const true_false_string dc_flags_ds_flag = {
        "this is a DS server",
        "this is NOT a ds server"
};

static const true_false_string dc_flags_kdc_flag = {
        "this is a KDC server",
        "this is NOT a kdc server"
};

static const true_false_string dc_flags_timeserv_flag = {
        "this is a TIMESERV server",
        "this is NOT a timeserv server"
};

static const true_false_string dc_flags_closest_flag = {
        "this is the CLOSEST server",
        "this is NOT the closest server"
};

static const true_false_string dc_flags_writable_flag = {
        "this server has a WRITABLE ds database",
        "this server has a READ-ONLY ds database"
};

static const true_false_string dc_flags_good_timeserv_flag = {
        "this server is a GOOD TIMESERV server",
        "this is NOT a good timeserv server"
};

static const true_false_string dc_flags_ndnc_flag = {
        "NDNC is set",
        "ndnc is NOT set"
};

static const true_false_string dc_flags_dns_controller_flag = {
        "DomainControllerName is a DNS name",
        "DomainControllerName is NOT a dns name"
};

static const true_false_string dc_flags_dns_domain_flag = {
        "DomainName is a DNS name",
        "DomainName is NOT a dns name"
};

static const true_false_string dc_flags_dns_forest_flag = {
        "DnsForestName is a DNS name",
        "DnsForestName is NOT a dns name"
};
/*
 * Dissect the 32-bit domain controller flags word and show each flag bit
 * as a boolean under a subtree of parent_tree.  The summary line prints
 * the raw value and appends a PING marker when it equals 0x0000ffff.
 * Nothing is dissected on a conformant run; the offset is returned as-is.
 */
static int
netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
{
        /* flag fields in the order they are added to the subtree */
        static int *const flag_fields[] = {
                &hf_netlogon_dc_flags_dns_forest_flag,
                &hf_netlogon_dc_flags_dns_domain_flag,
                &hf_netlogon_dc_flags_dns_controller_flag,
                &hf_netlogon_dc_flags_ndnc_flag,
                &hf_netlogon_dc_flags_good_timeserv_flag,
                &hf_netlogon_dc_flags_writable_flag,
                &hf_netlogon_dc_flags_closest_flag,
                &hf_netlogon_dc_flags_timeserv_flag,
                &hf_netlogon_dc_flags_kdc_flag,
                &hf_netlogon_dc_flags_ds_flag,
                &hf_netlogon_dc_flags_ldap_flag,
                &hf_netlogon_dc_flags_gc_flag,
                &hf_netlogon_dc_flags_pdc_flag
        };
        dcerpc_info *di = pinfo->private_data;
        proto_item *flags_item = NULL;
        proto_tree *flags_tree = NULL;
        const char *ping_note;
        guint32 flags;
        int start;
        unsigned int i;

        if (di->conformant_run) {
                /* pass that only handles conformant arrays */
                return offset;
        }

        /* read the value without adding an item (tree argument is NULL) */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
                        hf_netlogon_dc_flags, &flags);
        start = offset - 4;     /* the four bytes just consumed */

        if (parent_tree != NULL) {
                /* the format string is a literal; wire data only fills %08x */
                if (flags == 0x0000ffff) {
                        ping_note = "  PING (mask==0x0000ffff)";
                } else {
                        ping_note = "";
                }
                flags_item = proto_tree_add_uint_format(parent_tree,
                                hf_netlogon_dc_flags, tvb, start, 4, flags,
                                "Domain Controller Flags: 0x%08x%s",
                                flags, ping_note);
                flags_tree = proto_item_add_subtree(flags_item, ett_dc_flags);
        }

        for (i = 0; i < sizeof flag_fields / sizeof flag_fields[0]; i++) {
                proto_tree_add_boolean(flags_tree, *flag_fields[i],
                        tvb, start, 4, flags);
        }

        return offset;
}
4820
4821
4822
/*
 * Pointer callback: dissect one NDR uint32 using the field index stored in
 * the per-call dcerpc_info (di->hf_index).  Returns the new offset.
 */
static int
netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             guint8 *drep)
{
        dcerpc_info *info = pinfo->private_data;

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                                  info->hf_index, NULL);
}
4835
/*
 * Pointer callback: dissect one NDR uint8 using the field index stored in
 * the per-call dcerpc_info (di->hf_index).  Returns the new offset.
 */
static int
netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
                             packet_info *pinfo, proto_tree *tree,
                             guint8 *drep)
{
        dcerpc_info *info = pinfo->private_data;

        return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                                 info->hf_index, NULL);
}
4848
/*
 * Element callback for the UNICODE_MULTI array: dissect a single byte as
 * hf_netlogon_unknown_char and return the new offset.
 */
static int
netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_char, NULL);
}
4859
/*
 * Dissect the UNICODE_MULTI payload as an NDR array (dissect_ndr_ucarray),
 * one byte per element.  Returns the new offset.
 */
static int
netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_UNICODE_MULTI_byte);
}
4870
/*
 * Dissect a UNICODE_MULTI structure: a 32-bit length followed by a unique
 * pointer to a byte array.  The items go under a "UNICODE_MULTI:" subtree
 * when a tree is being built.
 *
 * The length field is only displayed here; it is not used to bound the
 * array, whose extent is left to dissect_ndr_ucarray.
 * Returns the new offset.
 */
static int
netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "UNICODE_MULTI:");
                sub = proto_item_add_subtree(top, ett_UNICODE_MULTI);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_len, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, sub, drep,
                netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
                "unknown", hf_netlogon_unknown_string);

        /* Stretch the subtree item over everything consumed above. */
        proto_item_set_len(top, offset - start);
        return offset;
}
4896
/*
 * Dissect an NDR-encoded UUID as hf_netlogon_guid.  Non-static: also used
 * as a pointer callback in this file.  Returns the new offset.
 */
int
dissect_nt_GUID(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep,
                hf_netlogon_guid, NULL);
}
4906
/*
 * Dissect a DOMAIN_CONTROLLER_INFO structure under its own subtree.
 *
 * Fields, in wire order: DC name, DC address, address type, GUID, logon
 * domain, DNS forest, DC flags, DC site, client site.  All strings are
 * unique pointers.  Returns the new offset.
 */
static int
netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "DOMAIN_CONTROLLER_INFO:");
                sub = proto_item_add_subtree(top, ett_DOMAIN_CONTROLLER_INFO);
        }

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_dc_address_type, NULL);
        offset = dissect_nt_GUID(tvb, offset, pinfo, sub, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
        offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, sub, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "Client Site",
                hf_netlogon_client_site_name, 0);

        /* Stretch the subtree item over everything consumed above. */
        proto_item_set_len(top, offset - start);
        return offset;
}
4952
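/*
 * Dissect the body of a BLOB: a 32-bit size followed by that many raw bytes,
 * added to the tree as hf_netlogon_blob.
 *
 * The size comes straight from the packet and is therefore untrusted.  It is
 * checked against the bytes the tvbuff reports as remaining before it is
 * used as an item length or added to the signed offset.  Without the check
 * a large value could wrap "offset" (an int), and any validation was left to
 * proto_tree_add_item, which presumably does none when tree is NULL.
 *
 * Returns the offset after the blob bytes; during a conformant run the
 * offset is returned unchanged.  Throws ReportedBoundsError when the
 * advertised size exceeds the remaining reported data.
 * NOTE(review): THROW/ReportedBoundsError are assumed to be reachable
 * through <epan/packet.h> -- confirm against this tree.
 */
static int
netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        guint32 len;
        gint remaining;
        dcerpc_info *di;

        di=pinfo->private_data;
        if(di->conformant_run){
                /*just a run to handle conformant arrays, nothing to dissect.*/
                return offset;
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_blob_size, &len);

        /* Reject a size that cannot fit in what is left of the packet. */
        remaining = tvb_reported_length_remaining(tvb, offset);
        if(remaining < 0 || len > (guint32)remaining){
                THROW(ReportedBoundsError);
        }

        proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
                FALSE);
        offset += len;

        return offset;
}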
4976
/*
 * Dissect a BLOB header: a 32-bit size followed by a unique pointer whose
 * referent is handled by netlogon_dissect_BLOB_array.  Items go under a
 * "BLOB:" subtree when a tree is being built.  Returns the new offset.
 *
 * The size read here is only displayed; the array callback reads its own
 * size field before consuming the bytes.
 */
static int
netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        proto_tree *sub = NULL;

        if(parent_tree != NULL){
                sub = proto_item_add_subtree(
                        proto_tree_add_text(parent_tree, tvb, offset, 0,
                                "BLOB:"),
                        ett_BLOB);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_blob_size, NULL);

        return dissect_ndr_pointer(tvb, offset, pinfo, sub, drep,
                netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
                "BLOB:", -1);
}
5000
/*
 * Dissect a DOMAIN_TRUST_INFO structure under its own subtree: an LSA
 * POLICY_DNS_DOMAIN_INFO, then four counted strings and four 32-bit values
 * whose meaning is not known (the field layout is a guess).
 * Returns the new offset.
 */
static int
netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;
        int n;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "DOMAIN_TRUST_INFO:");
                sub = proto_item_add_subtree(top, ett_DOMAIN_TRUST_INFO);
        }

        offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, sub, drep);

        /* Guesses at best: four unknown strings ... */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, sub,
                        drep, hf_netlogon_unknown_string, 0);
        }

        /* ... followed by four unknown longs. */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        proto_item_set_len(top, offset - start);
        return offset;
}
5047
/*
 * Dissect an NDR array (dissect_ndr_ucarray) of DOMAIN_TRUST_INFO elements.
 * Returns the new offset.
 */
static int
netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DOMAIN_TRUST_INFO);
}
5058
/*
 * Dissect a DOMAIN_QUERY_1 structure.
 *
 * Wire order: a BLOB, the workstation FQDN and site name (string pointers),
 * four unknown string pointers, then four counted strings (the second is the
 * workstation OS, the others are unknown) and four unknown 32-bit values.
 * Returns the new offset.
 */
static int
netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int n;

        offset = netlogon_dissect_BLOB(tvb, offset, pinfo, tree, drep);

        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Workstation FQDN",
                hf_netlogon_workstation_fqdn, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Workstation Site",
                hf_netlogon_workstation_site_name, 0);

        /* Four string pointers of unknown meaning. */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree,
                        drep, NDR_POINTER_UNIQUE, "unknown",
                        hf_netlogon_unknown_string, 0);
        }

        /* Counted strings: unknown, workstation OS, unknown, unknown. */
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_workstation_os, 0);
        for(n = 0; n < 2; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_unknown_string, 0);
        }

        /* Four longs of unknown meaning. */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        return offset;
}
5113
/*
 * Dissect a DOMAIN_INFO_1 structure.
 *
 * Wire order: one DOMAIN_TRUST_INFO, two (trust count, unique pointer to a
 * DOMAIN_TRUST_INFO array) pairs, the DNS domain name, three unknown counted
 * strings and four unknown 32-bit values.  The trust counts are only
 * displayed; they are not used here to bound the arrays.
 * Returns the new offset.
 */
static int
netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        int n;

        offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);

        /* First trust list. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_trusts, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
                "DOMAIN_TRUST_ARRAY: Trusts", -1);

        /* Second trust list. */
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_num_trusts, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
                "DOMAIN_TRUST_ARRAY:", -1);

        offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
                hf_netlogon_dns_domain_name, 0);

        for(n = 0; n < 3; n++){
                offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree,
                        drep, hf_netlogon_unknown_string, 0);
        }

        /* These four integers appear to mirror the last four in the query. */
        for(n = 0; n < 4; n++){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        return offset;
}
5162
5163
/*
 * Dissect a DOMAIN_INFO union: a 32-bit level selects the arm.  Only level 1
 * (a unique pointer to DOMAIN_INFO_1) is decoded; any other level consumes
 * nothing beyond the level field and alignment.  Returns the new offset.
 */
static int
netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        guint32 level;

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, &level);

        ALIGN_TO_4_BYTES;
        if(level == 1){
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
                        "DOMAIN_INFO_1:", -1);
        }

        return offset;
}
5185
/*
 * Dissect a UNICODE_STRING_512 under its own subtree: exactly 512 16-bit
 * values followed by one 32-bit value, all displayed as unknown fields.
 * The element count is fixed in code, not taken from the packet.
 * Returns the new offset.
 */
static int
netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;
        int left = 512;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "UNICODE_STRING_512:");
                sub = proto_item_add_subtree(top, ett_UNICODE_STRING_512);
        }

        while(left-- > 0){
                offset = dissect_ndr_uint16(tvb, offset, pinfo, sub, drep,
                        hf_netlogon_unknown_short, NULL);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_unknown_long, NULL);

        proto_item_set_len(top, offset - start);
        return offset;
}
5213
/*
 * Element callback for netlogon_dissect_element_844_array: dissect a single
 * byte as hf_netlogon_unknown_char and return the new offset.
 */
static int
netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_char, NULL);
}
5224
/*
 * Dissect an NDR array (dissect_ndr_ucarray) of unknown bytes, one
 * netlogon_dissect_element_844_byte call per element.  Returns the new offset.
 */
static int
netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_element_844_byte);
}
5235
/*
 * Dissect the not-yet-understood TYPE_50 structure under its own subtree:
 * one unknown 32-bit value followed by a unique pointer to an array of
 * unknown bytes.  Returns the new offset.
 */
static int
netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "TYPE_50:");
                sub = proto_item_add_subtree(top, ett_TYPE_50);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_unknown_long, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, sub, drep,
                netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
                "unknown", hf_netlogon_unknown_string);

        proto_item_set_len(top, offset - start);
        return offset;
}
5261
/*
 * Dissect a unique pointer whose referent is a TYPE_50 structure.
 * Returns the new offset.
 */
static int
netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
                "TYPE_50 pointer: unknown_TYPE_50", -1);
}
5273
/*
 * Dissect one DS_DOMAIN_TRUSTS entry under its own subtree.
 *
 * Wire order: NetBIOS name, DNS domain name (both unique string pointers),
 * trust flags, parent index, trust type, trust attributes, SID pointer and
 * GUID.  The three 32-bit values are read into a scratch variable that is
 * not used afterwards.  Returns the new offset.
 */
static int
netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;
        guint32 scratch;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "DS_DOMAIN_TRUSTS");
                sub = proto_item_add_subtree(top, ett_DS_DOMAIN_TRUSTS);
        }

        /* name */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "NetBIOS Name",
                hf_netlogon_downlevel_domain_name, 0);

        /* domain */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, sub, drep,
                NDR_POINTER_UNIQUE, "DNS Domain Name",
                hf_netlogon_dns_domain_name, 0);

        offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, sub, drep);

        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_trust_parent_index, &scratch);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_trust_type, &scratch);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_trust_attribs, &scratch);

        /* SID pointer */
        offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, sub, drep, -1);

        /* GUID */
        offset = dissect_nt_GUID(tvb, offset, pinfo, sub, drep);

        proto_item_set_len(top, offset - start);
        return offset;
}
5319
/*
 * Dissect an NDR array (dissect_ndr_ucarray) of DS_DOMAIN_TRUSTS entries.
 * Returns the new offset.
 */
static int
netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DS_DOMAIN_TRUSTS);
}
5330
/*
 * Element callback for netlogon_dissect_element_865_array: dissect a single
 * byte as hf_netlogon_unknown_char and return the new offset.
 */
static int
netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_char, NULL);
}
5341
/*
 * Dissect an NDR array (dissect_ndr_ucarray) of unknown bytes, one
 * netlogon_dissect_element_865_byte call per element.  Returns the new offset.
 */
static int
netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_element_865_byte);
}
5352
/*
 * Element callback for netlogon_dissect_element_866_array: dissect a single
 * byte as hf_netlogon_unknown_char and return the new offset.
 */
static int
netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_char, NULL);
}
5363
/*
 * Dissect an NDR array (dissect_ndr_ucarray) of unknown bytes, one
 * netlogon_dissect_element_866_byte call per element.  Returns the new offset.
 */
static int
netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_element_866_byte);
}
5374
/*
 * Dissect the not-yet-understood TYPE_52 structure under its own subtree:
 * one unknown 32-bit value followed by two unique pointers, each to an array
 * of unknown bytes.  Returns the new offset.
 */
static int
netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "TYPE_52:");
                sub = proto_item_add_subtree(top, ett_TYPE_52);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_unknown_long, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, sub, drep,
                netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
                "unknown", hf_netlogon_unknown_string);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, sub, drep,
                netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
                "unknown", hf_netlogon_unknown_string);

        proto_item_set_len(top, offset - start);
        return offset;
}
5404
/*
 * Dissect a unique pointer whose referent is a TYPE_52 structure.
 * Returns the new offset.
 */
static int
netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
                "TYPE_52 pointer: unknown_TYPE_52", -1);
}
5415
5416
/*
 * Dissect the not-yet-understood TYPE_44 union under its own subtree: a
 * 32-bit level, then for level 1 a single unknown 32-bit value.  Other
 * levels consume nothing beyond the level field and alignment.
 * Returns the new offset.
 */
static int
netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *parent_tree,
                        guint8 *drep)
{
        const int start = offset;
        proto_item *top = NULL;
        proto_tree *sub = NULL;
        guint32 level;

        if(parent_tree != NULL){
                top = proto_tree_add_text(parent_tree, tvb, offset, 0,
                        "TYPE_44:");
                sub = proto_item_add_subtree(top, ett_TYPE_44);
        }

        offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                hf_netlogon_level, &level);

        ALIGN_TO_4_BYTES;
        if(level == 1){
                offset = dissect_ndr_uint32(tvb, offset, pinfo, sub, drep,
                        hf_netlogon_unknown_long, NULL);
        }

        proto_item_set_len(top, offset - start);
        return offset;
}
5447
/*
 * Dissect a DOMAIN_QUERY union: a 32-bit level selects the arm.  Levels 1
 * and 2 are both decoded as a unique pointer to DOMAIN_QUERY_1 with the same
 * label; any other level consumes nothing beyond the level field and
 * alignment.  Returns the new offset.
 */
static int
netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
                        packet_info *pinfo, proto_tree *tree,
                        guint8 *drep)
{
        guint32 level;

        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_level, &level);

        ALIGN_TO_4_BYTES;
        if(level == 1 || level == 2){
                offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
                        "DOMAIN_QUERY_1:", -1);
        }

        return offset;
}
5474
/*
 * Request dissector for NetrEnumerateTrustedDomains: the only argument
 * decoded is the LOGONSRV_HANDLE.  Returns the new offset.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
}
5484
5485
/*
 * Reply dissector for NetrEnumerateTrustedDomains: a reference pointer to a
 * UNICODE_MULTI (the trusted domain name list) followed by the NT status
 * return code.  Returns the new offset.
 */
static int
netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
                "UNICODE_MULTI pointer: trust_dom_name_list", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
5499
/*
 * Request dissector for DsrGetDcName: LOGONSRV_HANDLE, domain name (unique
 * string pointer), unique pointers to the domain GUID and the site GUID, and
 * a 32-bit flags word.  Returns the new offset.
 */
static int
netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                dissect_nt_GUID, NDR_POINTER_UNIQUE,
                "GUID pointer: domain_guid", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                dissect_nt_GUID, NDR_POINTER_UNIQUE,
                "GUID pointer: site_guid", -1);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_flags, NULL);
}
5523
5524
/*
 * Reply dissector for DsrGetDcName: a unique pointer to a
 * DOMAIN_CONTROLLER_INFO followed by the NT status return code.
 * Returns the new offset.
 */
static int
netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
                "DOMAIN_CONTROLLER_INFO:", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
5538
/*
 * Request dissector for NetrLogonDummyRoutine1: LOGONSRV_HANDLE, an unknown
 * string pointer, the client credential (reference pointer to an
 * AUTHENTICATOR), a unique pointer to the return authenticator, and an
 * unknown 32-bit value.  Returns the new offset.
 */
static int
netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                NDR_POINTER_UNIQUE, "unknown string",
                hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                "AUTHENTICATOR: return_authenticator", -1);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_long, NULL);
}
5563
5564
/*
 * Reply dissector for NetrLogonDummyRoutine1: unique pointers to the return
 * authenticator and to a TYPE_44, followed by the NT status return code.
 * Returns the new offset.
 */
static int
netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                "AUTHENTICATOR: return_authenticator", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
                "TYPE_44 pointer: unknown_TYPE_44", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
5582
/*
 * Request dissector for NetrLogonSetServiceBits: LOGONSRV_HANDLE followed by
 * two 32-bit values displayed as unknown longs.  Returns the new offset.
 */
static int
netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
                pinfo, tree, drep);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_long, NULL);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                hf_netlogon_unknown_long, NULL);
}
5598
5599
/*
 * Reply dissector for NetrLogonSetServiceBits: only the NT status return
 * code is present.  Returns the new offset.
 */
static int
netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_rc, NULL);
}
5609
5610
/*
 * Request dissector for netrlogongettrustrid.
 *
 * Wire order: the LOGONSRV handle, then a unique pointer to a string whose
 * role is not identified (shown as "unknown string").  Returns the updated
 * offset.
 */
static int
netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);

        return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
}
5624
5625
/*
 * Reply dissector for netrlogongettrustrid.
 *
 * Wire order: a unique pointer to a 32-bit value (displayed through
 * hf_netlogon_unknown_long), then the NTSTATUS return code.  Returns the
 * updated offset.
 */
static int
netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                        "ULONG pointer: unknown_ULONG",
                        hf_netlogon_unknown_long);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5639
5640
/*
 * Request dissector for netrlogoncomputeserverdigest.
 *
 * Wire order: the LOGONSRV handle, a 32-bit value, a unique pointer to a
 * byte array, and a second 32-bit value.  None of the three trailing fields
 * has been given a specific header field yet; all use the "unknown" ones.
 * Returns the updated offset.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                        "BYTE pointer: unknown_BYTE", -1);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
}
5660
/*
 * Dissect a fixed run of 16 single bytes, each added to the tree through
 * hf_netlogon_unknown_char.
 *
 * The count is a constant, not a value read from the packet.  In this part
 * of the file it is the pointee of the compute*digest replies.  Returns the
 * offset after the sixteenth byte.
 */
static int
netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        int remaining = 16;

        while (remaining-- > 0) {
                offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
                                hf_netlogon_unknown_char, NULL);
        }

        return offset;
}
5674
/*
 * Reply dissector for netrlogoncomputeserverdigest.
 *
 * Wire order: a unique pointer to a 16-byte array (presumably the computed
 * digest; the label still calls it unknown_BYTE), then the NTSTATUS return
 * code.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
                        "BYTE pointer: unknown_BYTE", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5688
/*
 * Request dissector for netrlogoncomputeclientdigest.
 *
 * Wire order: the LOGONSRV handle, a unique pointer to a string, a unique
 * pointer to a byte array, and a 32-bit value.  The last three are shown
 * through the generic "unknown" header fields.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                        "BYTE pointer: unknown_BYTE", -1);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
}
5709
5710
/*
 * Reply dissector for netrlogoncomputeclientdigest.
 *
 * Wire order: a unique pointer to a 16-byte array (presumably the computed
 * digest; the label still calls it unknown_BYTE), then the NTSTATUS return
 * code.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
                        "BYTE pointer: unknown_BYTE", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5724
/*
 * Request dissector for netrserverauthenticate3.
 *
 * Wire order: the LOGONSRV handle, the account name, the secure channel
 * type, the computer name, the client CREDENTIAL, and the 32-bit negotiate
 * flags.  The two names and the credential are dissected as REF pointers.
 * Every field is supplied by the peer that sent the request, so the
 * displayed names and flags are unverified claims taken from the capture.
 * Returns the updated offset.
 */
static int
netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name,
                        0);
        offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                        pinfo, tree, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "Computer Name",
                        hf_netlogon_computer_name, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                        "CREDENTIAL: authenticator", -1);

        /* Negotiate flags close the request. */
        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_neg_flags, NULL);
}
5750
5751
/*
 * Reply dissector for netrserverauthenticate3.
 *
 * Wire order: the returned CREDENTIAL (REF pointer), the 32-bit negotiate
 * flags, a REF pointer to a 32-bit value that is not yet identified, and
 * the NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
                        "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL",
                        -1);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_neg_flags, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_pointer_long, NDR_POINTER_REF,
                        "ULONG: unknown_ULONG", hf_netlogon_unknown_long);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5772
/*
 * Request dissector for dsrgetdcnameex.
 *
 * Wire order: the LOGONSRV handle, the domain name, the domain GUID, the
 * site name, and the GET_DCNAME request flags.  The name, GUID and site
 * fields are all dissected as unique pointers.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom,
                        0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        dissect_nt_GUID, NDR_POINTER_UNIQUE,
                        "GUID pointer: domain_guid", -1);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Site Name",
                        hf_netlogon_site_name, 0);

        return netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo,
                        tree, drep);
}
5794
5795
/*
 * Reply dissector for dsrgetdcnameex.
 *
 * Wire order: a unique pointer to a DOMAIN_CONTROLLER_INFO structure, then
 * the NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DOMAIN_CONTROLLER_INFO,
                        NDR_POINTER_UNIQUE, "DOMAIN_CONTROLLER_INFO:", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5809
/*
 * Request dissector for dsrgetsitename: the request carries only the
 * LOGONSRV handle.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
}
5819
5820
/*
 * Reply dissector for dsrgetsitename.
 *
 * Wire order: the site name string, then the NTSTATUS return code.  The
 * string callback is cb_wstr_postprocess with CB_STR_COL_INFO | 1 as its
 * argument.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /*
         * XXX - treating this as a UNIQUE pointer is a stop-gap.  It more
         * likely is a 32-bit integer followed by a REF pointer to a
         * unicode string.
         */
        offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
                        dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE,
                        "Site Name", hf_netlogon_site_name,
                        cb_wstr_postprocess,
                        GINT_TO_POINTER(CB_STR_COL_INFO | 1));

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5839
/*
 * Request dissector for netrlogongetdomaininfo.
 *
 * Wire order: the server handle string, the computer name, the client
 * AUTHENTICATOR, a 32-bit value that is not yet identified, the return
 * AUTHENTICATOR, and the DOMAIN_QUERY.  Returns the updated offset.
 *
 * NOTE(review): "Server Handle" is displayed through
 * hf_netlogon_computer_name, the same header field as the next item, so a
 * display filter on that field matches both values.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "Server Handle",
                        hf_netlogon_computer_name, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Computer Name",
                        hf_netlogon_computer_name, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: return_authenticator", -1);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
                        "DOMAIN_QUERY: ", -1);
}
5869
5870
/*
 * Reply dissector for netrlogongetdomaininfo.
 *
 * Wire order: the return AUTHENTICATOR, the DOMAIN_INFO (both REF
 * pointers), then the NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: return_authenticator", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
                        "DOMAIN_INFO: ", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5888
/*
 * Request dissector for netrserverpasswordset2.
 *
 * Wire order: the LOGONSRV handle, a string, a 16-bit value, a second
 * string, the client AUTHENTICATOR, and a UNICODE_STRING_512 block.  The
 * strings and the 16-bit value still use the generic "unknown" header
 * fields.  Returns the updated offset.
 *
 * NOTE(review): the trailing block presumably carries the new password
 * material, so captures of this call should be handled as sensitive -
 * confirm against the protocol documentation.
 */
static int
netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_short, NULL);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: credential", -1);

        return netlogon_dissect_UNICODE_STRING_512(tvb, offset, pinfo, tree,
                        drep);
}
5916
5917
/*
 * Reply dissector for netrserverpasswordset2.
 *
 * Wire order: a unique pointer to the return AUTHENTICATOR, then the
 * NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: return_authenticator", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5931
/*
 * Request dissector for netrserverpasswordget.
 *
 * Wire order: the LOGONSRV handle, the account name, the secure channel
 * type, the computer name, and the client AUTHENTICATOR.  Both names are
 * unique pointers here; the authenticator is a REF pointer.  Returns the
 * updated offset.
 */
static int
netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Acct Name",
                        hf_netlogon_acct_name, 0);
        offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
                        pinfo, tree, drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Computer Name",
                        hf_netlogon_computer_name, 0);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: credential", -1);
}
5955
5956
/*
 * Reply dissector for netrserverpasswordget.
 *
 * Wire order: the return AUTHENTICATOR, the LM_OWF_PASSWORD labelled
 * server_pwd (both REF pointers), then the NTSTATUS return code.  Returns
 * the updated offset.
 *
 * NOTE(review): this reply exposes password-derived material in the
 * protocol tree, so captures containing it should be treated as sensitive.
 * Whether the value is protected on the wire is not visible from this
 * code - confirm against the protocol documentation.
 */
static int
netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: return_authenticator", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
                        "LM_OWF_PASSWORD pointer: server_pwd", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
5974
/*
 * Request dissector for netrlogonsendtosam.
 *
 * Wire order: the LOGONSRV handle, a string, the client AUTHENTICATOR, a
 * unique pointer to a byte array, and a 32-bit value.  The string, array
 * and integer use the generic "unknown" header fields.  Returns the updated
 * offset.
 */
static int
netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
                        "AUTHENTICATOR: credential", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                        "BYTE pointer: unknown_BYTE", -1);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
}
5999
6000
/*
 * Reply dissector for netrlogonsendtosam.
 *
 * Wire order: a unique pointer to the return AUTHENTICATOR, then the
 * NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
                        "AUTHENTICATOR: return_authenticator", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6014
/*
 * Request dissector for dsraddresstositenamesw.
 *
 * Wire order: the LOGONSRV handle, a 32-bit value, and a unique pointer to
 * a byte array.  The last two use the generic "unknown" header fields.
 * Returns the updated offset.
 */
static int
netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                        "BYTE pointer: unknown_BYTE", -1);
}
6031
6032
/*
 * Reply dissector for dsraddresstositenamesw.
 *
 * Wire order: a unique pointer handled by netlogon_dissect_TYPE_50_ptr
 * (structure not yet identified, per its label), then the NTSTATUS return
 * code.  Returns the updated offset.
 */
static int
netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
                        "TYPE_50** pointer: unknown_TYPE_50", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6046
/*
 * Request dissector for dsrgetdcnameex2.
 *
 * Wire order: the LOGONSRV handle, a string, a 32-bit value, a string, a
 * GUID, a string, and a 32-bit value.  Apart from the handle, every field
 * is still labelled unknown and shown through the generic header fields.
 * All pointers are unique.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        dissect_nt_GUID, NDR_POINTER_UNIQUE,
                        "GUID pointer: unknown_GUID", -1);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);

        return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);
}
6078
6079
/*
 * Reply dissector for dsrgetdcnameex2.
 *
 * Wire order: a unique pointer to a DOMAIN_CONTROLLER_INFO structure, then
 * the NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DOMAIN_CONTROLLER_INFO,
                        NDR_POINTER_UNIQUE, "DOMAIN_CONTROLLER_INFO:", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6093
/*
 * Request dissector for netrlogongettimeserviceparentdomain: the request
 * carries only the LOGONSRV handle.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
}
6103
6104
/*
 * Reply dissector for netrlogongettimeserviceparentdomain.
 *
 * Wire order: a unique pointer to a string, a unique pointer to a 32-bit
 * value (both still labelled unknown), then the NTSTATUS return code.
 * Returns the updated offset.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                        "ULONG pointer: unknown_ULONG",
                        hf_netlogon_unknown_long);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6122
/*
 * Request dissector for netrenumeratetrusteddomainsex: the request carries
 * only the LOGONSRV handle.  Returns the updated offset.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
}
6132
/*
 * Reply dissector for netrenumeratetrusteddomainsex.
 *
 * Wire order: a 32-bit entry count, a unique pointer to the
 * DS_DOMAIN_TRUSTS_ARRAY, then the NTSTATUS return code.  The count is only
 * displayed here; it is not passed to the array dissector.  Returns the
 * updated offset.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_entries, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
                        NDR_POINTER_UNIQUE, "DS_DOMAIN_TRUSTS_ARRAY:", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6149
/*
 * Request dissector for dsraddresstositenamesexw.
 *
 * Wire order: the LOGONSRV handle, a 32-bit value, and a unique pointer to
 * a byte array.  The last two use the generic "unknown" header fields.
 * Returns the updated offset.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_long, NULL);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
                        "BYTE pointer: unknown_BYTE", -1);
}
6166
6167
/*
 * Reply dissector for dsraddresstositenamesexw.
 *
 * Wire order: a unique pointer handled by netlogon_dissect_TYPE_52_ptr
 * (structure not yet identified, per its label), then the NTSTATUS return
 * code.  Returns the updated offset.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
                        "TYPE_52 pointer: unknown_TYPE_52", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6181
6182
/*
 * Dissect one site name as an NDR counted string.  The string callback is
 * cb_wstr_postprocess with CB_STR_COL_INFO | 1 as its argument.  Used as
 * the per-element callback of netlogon_dissect_site_name_array().  Returns
 * the updated offset.
 */
static int
netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return dissect_ndr_counted_string_cb(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_site_name, cb_wstr_postprocess,
                        GINT_TO_POINTER(CB_STR_COL_INFO | 1));
}
/*
 * Dissect an array of site names by handing each element to
 * netlogon_dissect_site_name_item() through dissect_ndr_ucarray().  The
 * element count is read from the packet by that helper, not here.  Returns
 * the updated offset.
 */
static int
netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_site_name_item);
}
6203
/*
 * Dissect the site-names container: a 32-bit count followed by a unique
 * pointer to the site name array.  The count is only displayed here; the
 * array dissector does not receive it.  Returns the updated offset.
 */
static int
netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_count, NULL);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
                        "Site name array", -1);
}
6217
/*
 * Request dissector for dsrgetdcsitecoveragew: the request carries only
 * the LOGONSRV handle.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
}
6227
6228
/*
 * Reply dissector for dsrgetdcsitecoveragew.
 *
 * Wire order: a unique pointer to the site-names container, then the
 * NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
                        "Site names", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6242
/*
 * Request dissector for netrlogonsamlogonex.
 *
 * Wire order: two strings, a 16-bit value, a unique pointer to a LEVEL
 * structure, a second 16-bit value, and a unique pointer to a 32-bit value.
 * No LOGONSRV handle is dissected first, unlike most requests in this
 * file.  Apart from the LEVEL pointer, the fields use the generic
 * "unknown" header fields.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "unknown string",
                        hf_netlogon_unknown_string, 0);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_short, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
                        "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
        offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_unknown_short, NULL);

        return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                        "ULONG pointer: unknown_ULONG",
                        hf_netlogon_unknown_long);
}
6270
6271
/*
 * Reply dissector for netrlogonsamlogonex.
 *
 * Wire order: a unique pointer to a VALIDATION structure, a unique pointer
 * to a single byte labelled BOOLEAN, a unique pointer to a 32-bit value,
 * then the NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
                        "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
                        "BOOLEAN pointer: unknown_BOOLEAN",
                        hf_netlogon_unknown_char);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
                        "ULONG pointer: unknown_ULONG",
                        hf_netlogon_unknown_long);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6293
6294
/*
 * Request dissector for dsrenumeratedomaintrusts.
 *
 * Wire order: the LOGONSRV handle, then the DOMAIN_TRUST flags.  Returns
 * the updated offset.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);

        return netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree,
                        drep);
}
6306
6307
/*
 * Reply dissector for dsrenumeratedomaintrusts.
 *
 * Wire order: a 32-bit entry count, a unique pointer to the
 * DS_DOMAIN_TRUSTS_ARRAY, then the NTSTATUS return code.  The count is only
 * displayed here; it is not passed to the array dissector.  Returns the
 * updated offset.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_entries, NULL);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
                        NDR_POINTER_UNIQUE, "DS_DOMAIN_TRUSTS_ARRAY:", -1);

        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6324
/*
 * Request dissector for dsrderegisterdnshostrecords.
 *
 * Wire order: the LOGONSRV handle, the domain name, the domain GUID, the
 * DSA GUID (all three unique pointers), and the DNS host name as a REF
 * pointer.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree,
                        drep);
        offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom,
                        0);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        dissect_nt_GUID, NDR_POINTER_UNIQUE,
                        "GUID pointer: domain_guid", -1);
        offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
                        dissect_nt_GUID, NDR_POINTER_UNIQUE,
                        "GUID pointer: dsa_guid", -1);

        return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
                        NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host,
                        0);
}
6348
6349
/*
 * Reply dissector for dsrderegisterdnshostrecords: the reply holds only
 * the NTSTATUS return code.  Returns the updated offset.
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
        packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
        return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
                        hf_netlogon_rc, NULL);
}
6359
/* Dissect secure channel stuff */

/*
 * Header-field ids for the secure channel bind and bind-ack credentials.
 * They start at -1; presumably they receive real ids when the protocol is
 * registered, which happens outside this part of the file.
 */
static int hf_netlogon_secchan_bind_unknown1 = -1;
static int hf_netlogon_secchan_bind_unknown2 = -1;
static int hf_netlogon_secchan_domain = -1;
static int hf_netlogon_secchan_host = -1;
static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
static int hf_netlogon_secchan_bind_ack_unknown3 = -1;

/*
 * Subtree ids for the secure channel items.  ett_secchan_verf is not
 * referenced by the two credential dissectors that follow.
 */
static gint ett_secchan_verf = -1;
static gint ett_secchan_bind_creds = -1;
static gint ett_secchan_bind_ack_creds = -1;
6373
/*
 * Dissect the credentials carried in a secure channel bind request.
 *
 * Layout as parsed here: two 32-bit values of unknown meaning, then two
 * NUL-terminated strings shown as the domain and the host.  Returns the
 * offset just past the second string, terminator included.
 *
 * Both strings come straight from the sender of the bind and are not
 * authenticated at this point, so they should be read as claims.  Their
 * lengths come from tvb_strsize(), which is expected to raise the tvbuff
 * bounds exception rather than scan past the captured data when the
 * terminator is missing - confirm against epan/tvbuff.h.
 *
 * NOTE(review): the enclosing text item is created with length -1 and is
 * never given an explicit length afterwards.
 */
static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
                                      packet_info *pinfo,
                                      proto_tree *tree, guint8 *drep)
{
        proto_item *creds_item = NULL;
        proto_tree *creds_tree = NULL;
        int str_len;

        if (tree != NULL) {
                creds_item = proto_tree_add_text(tree, tvb, offset, -1,
                                "Secure Channel Bind Credentials");
                creds_tree = proto_item_add_subtree(creds_item,
                                ett_secchan_bind_creds);
        }

        /*
         * The NDR routines are not usable here: this is only a bind
         * request, so no DCERPC call has been made yet and the call data
         * they rely on has not been initialised.
         */
        offset = dissect_dcerpc_uint32(tvb, offset, pinfo, creds_tree, drep,
                        hf_netlogon_secchan_bind_unknown1, NULL);
        offset = dissect_dcerpc_uint32(tvb, offset, pinfo, creds_tree, drep,
                        hf_netlogon_secchan_bind_unknown2, NULL);

        /* Domain name, NUL terminator included in the item. */
        str_len = tvb_strsize(tvb, offset);
        proto_tree_add_item(creds_tree, hf_netlogon_secchan_domain, tvb,
                        offset, str_len, FALSE);
        offset += str_len;

        /* Host name, same encoding. */
        str_len = tvb_strsize(tvb, offset);
        proto_tree_add_item(creds_tree, hf_netlogon_secchan_host, tvb,
                        offset, str_len, FALSE);
        offset += str_len;

        return offset;
}
6418
/*
 * Dissect the credentials carried in a secure channel bind ACK: three
 * consecutive 32-bit values whose meaning is not yet identified.  Returns
 * the offset after the third value.
 */
static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
                                          packet_info *pinfo,
                                          proto_tree *tree, guint8 *drep)
{
        proto_item *ack_item = NULL;
        proto_tree *ack_tree = NULL;

        if (tree != NULL) {
                ack_item = proto_tree_add_text(tree, tvb, offset, -1,
                                "Secure Channel Bind ACK Credentials");
                ack_tree = proto_item_add_subtree(ack_item,
                                ett_secchan_bind_ack_creds);
        }

        /* Don't use NDR routines here */
        offset = dissect_dcerpc_uint32(tvb, offset, pinfo, ack_tree, drep,
                        hf_netlogon_secchan_bind_ack_unknown1, NULL);
        offset = dissect_dcerpc_uint32(tvb, offset, pinfo, ack_tree, drep,
                        hf_netlogon_secchan_bind_ack_unknown2, NULL);

        return dissect_dcerpc_uint32(tvb, offset, pinfo, ack_tree, drep,
                        hf_netlogon_secchan_bind_ack_unknown3, NULL);
}
6450
/* Subdissectors
 *
 * One entry per NETLOGON operation: the opnum constant, the display name,
 * and the request and reply dissector functions.  The last five operations
 * are listed with NULL for both dissectors, so only their names are known
 * here; presumably their stub data is left undecoded, which means a capture
 * showing no decoded fields for those calls says nothing about what they
 * carried.  The all-zero/NULL entry terminates the table.
 */

static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
        { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
                netlogon_dissect_netrlogonuaslogon_rqst,
                netlogon_dissect_netrlogonuaslogon_reply },
        { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
                netlogon_dissect_netrlogonuaslogoff_rqst,
                netlogon_dissect_netrlogonuaslogoff_reply },
        { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
                netlogon_dissect_netrlogonsamlogon_rqst,
                netlogon_dissect_netrlogonsamlogon_reply },
        { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
                netlogon_dissect_netrlogonsamlogoff_rqst,
                netlogon_dissect_netrlogonsamlogoff_reply },
        { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
                netlogon_dissect_netrserverreqchallenge_rqst,
                netlogon_dissect_netrserverreqchallenge_reply },
        { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
                netlogon_dissect_netrserverauthenticate_rqst,
                netlogon_dissect_netrserverauthenticate_reply },
        { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
                netlogon_dissect_netrserverpasswordset_rqst,
                netlogon_dissect_netrserverpasswordset_reply },
        { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
                netlogon_dissect_netrdatabasedeltas_rqst,
                netlogon_dissect_netrdatabasedeltas_reply },
        { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
                netlogon_dissect_netrdatabasesync_rqst,
                netlogon_dissect_netrdatabasesync_reply },
        { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
                netlogon_dissect_netraccountdeltas_rqst,
                netlogon_dissect_netraccountdeltas_reply },
        { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
                netlogon_dissect_netraccountsync_rqst,
                netlogon_dissect_netraccountsync_reply },
        { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
                netlogon_dissect_netrgetdcname_rqst,
                netlogon_dissect_netrgetdcname_reply },
        { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
                netlogon_dissect_netrlogoncontrol_rqst,
                netlogon_dissect_netrlogoncontrol_reply },
        { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
                netlogon_dissect_netrgetanydcname_rqst,
                netlogon_dissect_netrgetanydcname_reply },
        { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
                netlogon_dissect_netrlogoncontrol2_rqst,
                netlogon_dissect_netrlogoncontrol2_reply },
        { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
                netlogon_dissect_netrserverauthenticate2_rqst,
                netlogon_dissect_netrserverauthenticate2_reply },
        { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
                netlogon_dissect_netrdatabasesync2_rqst,
                netlogon_dissect_netrdatabasesync2_reply },
        { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
                netlogon_dissect_netrdatabaseredo_rqst,
                netlogon_dissect_netrdatabaseredo_reply },
        { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
                netlogon_dissect_netrlogoncontrol2ex_rqst,
                netlogon_dissect_netrlogoncontrol2ex_reply },
        { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
                netlogon_dissect_netrenumeratetrusteddomains_rqst,
                netlogon_dissect_netrenumeratetrusteddomains_reply },
        { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
                netlogon_dissect_dsrgetdcname_rqst,
                netlogon_dissect_dsrgetdcname_reply },
        { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
                netlogon_dissect_netrlogondummyroutine1_rqst,
                netlogon_dissect_netrlogondummyroutine1_reply },
        { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
                netlogon_dissect_netrlogonsetservicebits_rqst,
                netlogon_dissect_netrlogonsetservicebits_reply },
        { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
                netlogon_dissect_netrlogongettrustrid_rqst,
                netlogon_dissect_netrlogongettrustrid_reply },
        { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
                netlogon_dissect_netrlogoncomputeserverdigest_rqst,
                netlogon_dissect_netrlogoncomputeserverdigest_reply },
        { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
                netlogon_dissect_netrlogoncomputeclientdigest_rqst,
                netlogon_dissect_netrlogoncomputeclientdigest_reply },
        { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
                netlogon_dissect_netrserverauthenticate3_rqst,
                netlogon_dissect_netrserverauthenticate3_reply },
        { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
                netlogon_dissect_dsrgetdcnameex_rqst,
                netlogon_dissect_dsrgetdcnameex_reply },
        { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
                netlogon_dissect_dsrgetsitename_rqst,
                netlogon_dissect_dsrgetsitename_reply },
        { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
                netlogon_dissect_netrlogongetdomaininfo_rqst,
                netlogon_dissect_netrlogongetdomaininfo_reply },
        { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
                netlogon_dissect_netrserverpasswordset2_rqst,
                netlogon_dissect_netrserverpasswordset2_reply },
        { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
                netlogon_dissect_netrserverpasswordget_rqst,
                netlogon_dissect_netrserverpasswordget_reply },
        { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
                netlogon_dissect_netrlogonsendtosam_rqst,
                netlogon_dissect_netrlogonsendtosam_reply },
        { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
                netlogon_dissect_dsraddresstositenamesw_rqst,
                netlogon_dissect_dsraddresstositenamesw_reply },
        { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
                netlogon_dissect_dsrgetdcnameex2_rqst,
                netlogon_dissect_dsrgetdcnameex2_reply },
        { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN, 
                "NetrLogonGetTimeServiceParentDomain",
                netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
                netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
        { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
                netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
                netlogon_dissect_netrenumeratetrusteddomainsex_reply },
        { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
                netlogon_dissect_dsraddresstositenamesexw_rqst,
                netlogon_dissect_dsraddresstositenamesexw_reply },
        { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
                netlogon_dissect_dsrgetdcsitecoveragew_rqst,
                netlogon_dissect_dsrgetdcsitecoveragew_reply },
        { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
                netlogon_dissect_netrlogonsamlogonex_rqst,
                netlogon_dissect_netrlogonsamlogonex_reply },
        { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
                netlogon_dissect_dsrenumeratedomaintrusts_rqst,
                netlogon_dissect_dsrenumeratedomaintrusts_reply },
        { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
                netlogon_dissect_dsrderegisterdnshostrecords_rqst,
                netlogon_dissect_dsrderegisterdnshostrecords_reply },
        /* No request/reply dissectors for the remaining operations. */
        { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
                NULL, NULL },
        { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
                NULL, NULL },
        { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
                NULL, NULL },
        { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags", 
                NULL, NULL },
        { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
                NULL, NULL },
        /* Table terminator. */
        {0, NULL, NULL,  NULL }
};
6593
/* Field handles for the secure channel verifier item and its _sig, _unk,
   _seq and _nonce parts, all used by dissect_secchan_verf() below.  They
   start at -1; presumably they are filled in at protocol registration. */
static int hf_netlogon_secchan_verf = -1;
static int hf_netlogon_secchan_verf_sig = -1;
static int hf_netlogon_secchan_verf_unk = -1;
static int hf_netlogon_secchan_verf_seq = -1;
static int hf_netlogon_secchan_verf_nonce = -1;
6599
/*
 * Dissect the secure channel verifier: three fixed 8-byte fields (sig, unk,
 * seq) followed by an 8-byte nonce that is shown only when the tvb still
 * holds 8 more bytes.  Returns the offset after the last field consumed.
 *
 * pinfo and drep are unused.
 *
 * NOTE(review): only the nonce has an explicit length check.  The three
 * fixed fields rely on proto_tree_add_item() to reject a truncated
 * verifier; confirm that this also holds when tree is NULL, because the
 * offset is advanced by 24 either way.
 */
static int
dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
                     proto_tree *tree, guint8 *drep _U_)
{
        /* Pointers, not values: the hf indices are read when a packet is
           dissected, not when this table is initialised. */
        static const int *const fixed_fields[] = {
                &hf_netlogon_secchan_verf_sig,
                &hf_netlogon_secchan_verf_unk,
                &hf_netlogon_secchan_verf_seq
        };
        proto_item *verf_item;
        proto_tree *verf_tree;
        unsigned int idx;

        /* Parent item for the whole verifier, created with length -1,
           with a subtree for its components. */
        verf_item = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
                                        offset, -1, FALSE);
        verf_tree = proto_item_add_subtree(verf_item, ett_secchan_verf);

        for (idx = 0;
             idx < sizeof fixed_fields / sizeof fixed_fields[0];
             idx++) {
                proto_tree_add_item(verf_tree, *fixed_fields[idx], tvb,
                                    offset, 8, FALSE);
                offset += 8;
        }

        /* The nonce is absent in some cases, for reasons that are not
           clear, so stop here when fewer than 8 bytes remain. */
        if (!tvb_bytes_exist(tvb, offset, 8)) {
                return offset;
        }

        proto_tree_add_item(verf_tree, hf_netlogon_secchan_verf_nonce,
                            tvb, offset, 8, FALSE);

        return offset + 8;
}
6637
/* Secure channel types
 *
 * Display names for the SEC_CHAN_* constants (defined outside this part of
 * the file), referenced through VALS() by the netlogon.sec_chan_type field.
 * The { 0, NULL } entry terminates the list.
 */

static const value_string sec_chan_type_vals[] = {
        { SEC_CHAN_WKSTA,  "Workstation" },
        { SEC_CHAN_DOMAIN, "Domain trust" },
        { SEC_CHAN_BDC,    "Backup domain controller" },
        { 0, NULL }
};
6646
6647 void
6648 proto_register_dcerpc_netlogon(void)
6649 {
6650
6651 static hf_register_info hf[] = {
6652         { &hf_netlogon_opnum,
6653           { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6654             NULL, 0x0, "Operation", HFILL }},
6655
6656         { &hf_netlogon_rc, {
6657                 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6658                 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6659
6660         { &hf_netlogon_param_ctrl, {
6661                 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6662                 NULL, 0x0, "Param ctrl", HFILL }},
6663
6664         { &hf_netlogon_logon_id, {
6665                 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6666                 NULL, 0x0, "Logon ID", HFILL }},
6667
6668         { &hf_netlogon_modify_count, {
6669                 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6670                 NULL, 0x0, "How many times the object has been modified", HFILL }},
6671
6672         { &hf_netlogon_security_information, {
6673                 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6674                 NULL, 0x0, "Security Information", HFILL }},
6675
6676         { &hf_netlogon_count, {
6677                 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6678                 NULL, 0x0, "", HFILL }},
6679
6680         { &hf_netlogon_entries, {
6681                 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6682                 NULL, 0x0, "", HFILL }},
6683
6684         { &hf_netlogon_credential, {
6685                 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6686                 NULL, 0x0, "Netlogon Credential", HFILL }},
6687
6688         { &hf_netlogon_challenge, {
6689                 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6690                 NULL, 0x0, "Netlogon challenge", HFILL }},
6691
6692         { &hf_netlogon_lm_owf_password, {
6693                 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6694                 NULL, 0x0, "LanManager OWF Password", HFILL }},
6695
6696         { &hf_netlogon_user_session_key, {
6697                 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6698                 NULL, 0x0, "User Session Key", HFILL }},
6699
6700         { &hf_netlogon_encrypted_lm_owf_password, {
6701                 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6702                 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6703
6704         { &hf_netlogon_nt_owf_password, {
6705                 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6706                 NULL, 0x0, "NT OWF Password", HFILL }},
6707
6708         { &hf_netlogon_blob, {
6709                 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6710                 NULL, 0x0, "BLOB", HFILL }},
6711
6712         { &hf_netlogon_len, {
6713                 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6714                 NULL, 0, "Length", HFILL }},
6715
6716         { &hf_netlogon_priv, {
6717                 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6718                 NULL, 0, "", HFILL }},
6719
6720         { &hf_netlogon_privilege_entries, {
6721                 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6722                 NULL, 0, "", HFILL }},
6723
6724         { &hf_netlogon_privilege_control, {
6725                 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6726                 NULL, 0, "", HFILL }},
6727
6728         { &hf_netlogon_privilege_name, {
6729                 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6730                 NULL, 0, "", HFILL }},
6731
6732         { &hf_netlogon_pdc_connection_status, {
6733                 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6734                 NULL, 0, "PDC Connection Status", HFILL }},
6735
6736         { &hf_netlogon_tc_connection_status, {
6737                 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6738                 NULL, 0, "TC Connection Status", HFILL }},
6739
6740         { &hf_netlogon_attrs, {
6741                 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6742                 NULL, 0, "Attributes", HFILL }},
6743
6744         { &hf_netlogon_unknown_string,
6745                 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6746                 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6747         { &hf_netlogon_unknown_long,
6748                 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6749                 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6750         { &hf_netlogon_reserved,
6751                 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6752                 NULL, 0x0, "Reserved", HFILL }},
6753         { &hf_netlogon_unknown_short,
6754                 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6755                 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6756
6757         { &hf_netlogon_unknown_char,
6758                 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6759                 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6760
6761         { &hf_netlogon_acct_expiry_time,
6762                 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6763                 NULL, 0x0, "When this account will expire", HFILL }},
6764
6765         { &hf_netlogon_nt_pwd_present,
6766                 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6767                 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6768
6769         { &hf_netlogon_lm_pwd_present,
6770                 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6771                 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6772
6773         { &hf_netlogon_pwd_expired,
6774                 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6775                 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6776
6777         { &hf_netlogon_authoritative,
6778                 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6779                 NULL, 0x0, "", HFILL }},
6780
6781         { &hf_netlogon_sensitive_data_flag,
6782                 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6783                 NULL, 0x0, "Sensitive data flag", HFILL }},
6784
6785         { &hf_netlogon_auditing_mode,
6786                 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6787                 NULL, 0x0, "Auditing Mode", HFILL }},
6788
6789         { &hf_netlogon_max_audit_event_count,
6790                 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6791                 NULL, 0x0, "Max audit event count", HFILL }},
6792
6793         { &hf_netlogon_event_audit_option,
6794                 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6795                 NULL, 0x0, "Event audit option", HFILL }},
6796
6797         { &hf_netlogon_sensitive_data_len,
6798                 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6799                 NULL, 0x0, "Length of sensitive data", HFILL }},
6800
6801         { &hf_netlogon_nt_chal_resp,
6802                 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6803                 NULL, 0, "Challenge response for NT authentication", HFILL }},
6804
6805         { &hf_netlogon_lm_chal_resp,
6806                 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6807                 NULL, 0, "Challenge response for LM authentication", HFILL }},
6808
6809         { &hf_netlogon_cipher_len,
6810                 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6811                 NULL, 0, "", HFILL }},
6812
6813         { &hf_netlogon_cipher_maxlen,
6814                 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6815                 NULL, 0, "", HFILL }},
6816
6817         { &hf_netlogon_pac_data,
6818                 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6819                 NULL, 0, "Pac Data", HFILL }},
6820
6821         { &hf_netlogon_sensitive_data,
6822                 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6823                 NULL, 0, "Sensitive Data", HFILL }},
6824
6825         { &hf_netlogon_auth_data,
6826                 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6827                 NULL, 0, "Auth Data", HFILL }},
6828
6829         { &hf_netlogon_cipher_current_data,
6830                 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6831                 NULL, 0, "", HFILL }},
6832
6833         { &hf_netlogon_cipher_old_data,
6834                 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6835                 NULL, 0, "", HFILL }},
6836
6837         { &hf_netlogon_acct_name,
6838                 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6839                 NULL, 0, "Account Name", HFILL }},
6840
6841         { &hf_netlogon_acct_desc,
6842                 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6843                 NULL, 0, "Account Description", HFILL }},
6844
6845         { &hf_netlogon_group_desc,
6846                 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6847                 NULL, 0, "Group Description", HFILL }},
6848
6849         { &hf_netlogon_full_name,
6850                 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6851                 NULL, 0, "Full Name", HFILL }},
6852
6853         { &hf_netlogon_comment,
6854                 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6855                 NULL, 0, "Comment", HFILL }},
6856
6857         { &hf_netlogon_parameters,
6858                 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6859                 NULL, 0, "Parameters", HFILL }},
6860
6861         { &hf_netlogon_logon_script,
6862                 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6863                 NULL, 0, "Logon Script", HFILL }},
6864
6865         { &hf_netlogon_profile_path,
6866                 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6867                 NULL, 0, "Profile Path", HFILL }},
6868
6869         { &hf_netlogon_home_dir,
6870                 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6871                 NULL, 0, "Home Directory", HFILL }},
6872
6873         { &hf_netlogon_dir_drive,
6874                 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6875                 NULL, 0, "Drive letter for home directory", HFILL }},
6876
6877         { &hf_netlogon_logon_srv,
6878                 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6879                 NULL, 0, "Server", HFILL }},
6880
6881         { &hf_netlogon_principal,
6882                 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6883                 NULL, 0, "Principal", HFILL }},
6884
6885         { &hf_netlogon_logon_dom,
6886                 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6887                 NULL, 0, "Domain", HFILL }},
6888
6889         { &hf_netlogon_resourcegroupdomainsid,
6890                 { "ResourceGroupDomainSID", "netlogon.resourcegroupdomainsid", FT_STRING, BASE_NONE,
6891                 NULL, 0, "Resource Group Domain SID", HFILL }},
6892
6893         { &hf_netlogon_resourcegroupcount,
6894                 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
6895                 NULL, 0, "Number of Resource Groups", HFILL }},
6896
6897         { &hf_netlogon_computer_name,
6898                 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6899                 NULL, 0, "Computer Name", HFILL }},
6900
6901         { &hf_netlogon_site_name,
6902                 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6903                 NULL, 0, "Site Name", HFILL }},
6904
6905         { &hf_netlogon_dc_name,
6906                 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6907                 NULL, 0, "DC Name", HFILL }},
6908
6909         { &hf_netlogon_dc_site_name,
6910                 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6911                 NULL, 0, "DC Site Name", HFILL }},
6912
6913         { &hf_netlogon_dns_forest_name,
6914                 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6915                 NULL, 0, "DNS Forest Name", HFILL }},
6916
6917         { &hf_netlogon_dc_address,
6918                 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6919                 NULL, 0, "DC Address", HFILL }},
6920
6921         { &hf_netlogon_dc_address_type,
6922                 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6923                 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6924
6925         { &hf_netlogon_client_site_name,
6926                 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6927                 NULL, 0, "Client Site Name", HFILL }},
6928
6929         { &hf_netlogon_workstation_site_name,
6930                 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6931                 NULL, 0, "Workstation Site Name", HFILL }},
6932
6933         { &hf_netlogon_workstation,
6934                 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6935                 NULL, 0, "Workstation Name", HFILL }},
6936
6937         { &hf_netlogon_workstation_os,
6938                 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6939                 NULL, 0, "Workstation OS", HFILL }},
6940
6941         { &hf_netlogon_workstations,
6942                 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6943                 NULL, 0, "Workstations", HFILL }},
6944
6945         { &hf_netlogon_workstation_fqdn,
6946                 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6947                 NULL, 0, "Workstation FQDN", HFILL }},
6948
6949         { &hf_netlogon_group_name,
6950                 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6951                 NULL, 0, "Group Name", HFILL }},
6952
6953         { &hf_netlogon_alias_name,
6954                 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6955                 NULL, 0, "Alias Name", HFILL }},
6956
6957         { &hf_netlogon_dns_host,
6958                 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6959                 NULL, 0, "DNS Host", HFILL }},
6960
6961         { &hf_netlogon_downlevel_domain_name,
6962                 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6963                 NULL, 0, "Downlevel Domain Name", HFILL }},
6964
6965         { &hf_netlogon_dns_domain_name,
6966                 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6967                 NULL, 0, "DNS Domain Name", HFILL }},
6968
6969         { &hf_netlogon_domain_name,
6970                 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6971                 NULL, 0, "Domain Name", HFILL }},
6972
6973         { &hf_netlogon_oem_info,
6974                 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6975                 NULL, 0, "OEM Info", HFILL }},
6976
6977         { &hf_netlogon_trusted_dc_name,
6978                 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6979                 NULL, 0, "Trusted DC", HFILL }},
6980
6981         { &hf_netlogon_logonsrv_handle,
6982                 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6983                 NULL, 0, "Logon Srv Handle", HFILL }},
6984
6985         { &hf_netlogon_dummy,
6986                 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6987                 NULL, 0, "Dummy string", HFILL }},
6988
6989         { &hf_netlogon_logon_count16,
6990                 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6991                 NULL, 0x0, "Number of successful logins", HFILL }},
6992
6993         { &hf_netlogon_logon_count,
6994                 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6995                 NULL, 0x0, "Number of successful logins", HFILL }},
6996
6997         { &hf_netlogon_bad_pw_count16,
6998                 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6999                 NULL, 0x0, "Number of failed logins", HFILL }},
7000
7001         { &hf_netlogon_bad_pw_count,
7002                 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
7003                 NULL, 0x0, "Number of failed logins", HFILL }},
7004
7005         { &hf_netlogon_country,
7006                 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
7007                 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
7008
7009         { &hf_netlogon_codepage,
7010                 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
7011                 NULL, 0x0, "Codepage setting for this account", HFILL }},
7012
7013         { &hf_netlogon_level16,
7014                 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
7015                 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7016
7017         { &hf_netlogon_validation_level,
7018                 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
7019                 NULL, 0x0, "Requested level of validation", HFILL }},
7020
7021         { &hf_netlogon_minpasswdlen,
7022                 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
7023                 NULL, 0x0, "Minimum length of password", HFILL }},
7024
7025         { &hf_netlogon_passwdhistorylen,
7026                 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
7027                 NULL, 0x0, "Length of password history", HFILL }},
7028
7029         { &hf_netlogon_secure_channel_type,
7030                 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
7031                 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
7032
7033         { &hf_netlogon_restart_state,
7034                 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
7035                 NULL, 0x0, "Restart State", HFILL }},
7036
7037         { &hf_netlogon_delta_type,
7038                 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
7039                 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
7040
7041         { &hf_netlogon_blob_size,
7042                 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
7043                 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
7044
7045         { &hf_netlogon_code,
7046                 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
7047                 NULL, 0x0, "Code", HFILL }},
7048
7049         { &hf_netlogon_level,
7050                 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
7051                 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7052
7053         { &hf_netlogon_reference,
7054                 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
7055                 NULL, 0x0, "", HFILL }},
7056
7057         { &hf_netlogon_next_reference,
7058                 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
7059                 NULL, 0x0, "", HFILL }},
7060
7061         { &hf_netlogon_timestamp,
7062                 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
7063                 NULL, 0, "", HFILL }},
7064
7065         { &hf_netlogon_user_rid,
7066                 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
7067                 NULL, 0x0, "", HFILL }},
7068
7069         { &hf_netlogon_alias_rid,
7070                 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
7071                 NULL, 0x0, "", HFILL }},
7072
7073         { &hf_netlogon_group_rid,
7074                 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
7075                 NULL, 0x0, "", HFILL }},
7076
7077         { &hf_netlogon_num_rids,
7078                 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
7079                 NULL, 0x0, "Number of RIDs", HFILL }},
7080
7081         { &hf_netlogon_num_controllers,
7082                 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
7083                 NULL, 0x0, "Number of domain controllers", HFILL }},
7084
7085         { &hf_netlogon_num_other_groups,
7086                 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
7087                 NULL, 0x0, "", HFILL }},
7088
7089         { &hf_netlogon_flags,
7090                 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
7091                 NULL, 0x0, "", HFILL }},
7092
7093         { &hf_netlogon_user_account_control,
7094                 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
7095                 NULL, 0x0, "User Account control", HFILL }},
7096
7097         { &hf_netlogon_user_flags,
7098                 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
7099                 NULL, 0x0, "User flags", HFILL }},
7100
7101         { &hf_netlogon_auth_flags,
7102                 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
7103                 NULL, 0x0, "", HFILL }},
7104
7105         { &hf_netlogon_systemflags,
7106                 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
7107                 NULL, 0x0, "", HFILL }},
7108
7109         { &hf_netlogon_database_id,
7110                 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
7111                 NULL, 0x0, "Database Id", HFILL }},
7112
7113         { &hf_netlogon_sync_context,
7114                 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
7115                 NULL, 0x0, "Sync Context", HFILL }},
7116
7117         { &hf_netlogon_max_size,
7118                 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
7119                 NULL, 0x0, "Max Size of database", HFILL }},
7120
7121         { &hf_netlogon_max_log_size,
7122                 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
7123                 NULL, 0x0, "Max Size of log", HFILL }},
7124
7125         { &hf_netlogon_pac_size,
7126                 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
7127                 NULL, 0x0, "Size of PacData in bytes", HFILL }},
7128
7129         { &hf_netlogon_auth_size,
7130                 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
7131                 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
7132
7133         { &hf_netlogon_num_deltas,
7134                 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
7135                 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
7136
7137         { &hf_netlogon_num_trusts,
7138                 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
7139                 NULL, 0x0, "", HFILL }},
7140
7141         { &hf_netlogon_logon_attempts,
7142                 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
7143                 NULL, 0x0, "Number of logon attempts", HFILL }},
7144
7145         { &hf_netlogon_pagefilelimit,
7146                 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
7147                 NULL, 0x0, "", HFILL }},
7148
7149         { &hf_netlogon_pagedpoollimit,
7150                 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
7151                 NULL, 0x0, "", HFILL }},
7152
7153         { &hf_netlogon_nonpagedpoollimit,
7154                 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
7155                 NULL, 0x0, "", HFILL }},
7156
7157         { &hf_netlogon_minworkingsetsize,
7158                 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
7159                 NULL, 0x0, "", HFILL }},
7160
7161         { &hf_netlogon_maxworkingsetsize,
7162                 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
7163                 NULL, 0x0, "", HFILL }},
7164
7165         { &hf_netlogon_serial_number,
7166                 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
7167                 NULL, 0x0, "", HFILL }},
7168
7169         { &hf_netlogon_neg_flags,
7170                 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
7171                 NULL, 0x0, "Negotiation Flags", HFILL }},
7172
7173         { &hf_netlogon_dc_flags,
7174                 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
7175                 NULL, 0x0, "Domain Controller Flags", HFILL }},
7176
7177         { &hf_netlogon_dc_flags_pdc_flag,
7178                 { "PDC", "netlogon.dc.flags.pdc",
7179                   FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
7180                   "If this server is a PDC", HFILL }},
7181
7182         { &hf_netlogon_dc_flags_gc_flag,
7183                 { "GC", "netlogon.dc.flags.gc",
7184                   FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
7185                   "If this server is a GC", HFILL }},
7186
7187         { &hf_netlogon_dc_flags_ldap_flag,
7188                 { "LDAP", "netlogon.dc.flags.ldap",
7189                   FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
7190                   "If this is an LDAP server", HFILL }},
7191
7192         { &hf_netlogon_dc_flags_ds_flag,
7193                 { "DS", "netlogon.dc.flags.ds",
7194                   FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
7195                   "If this server is a DS", HFILL }},
7196
7197         { &hf_netlogon_dc_flags_kdc_flag,
7198                 { "KDC", "netlogon.dc.flags.kdc",
7199                   FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
7200                   "If this is a KDC", HFILL }},
7201
7202         { &hf_netlogon_dc_flags_timeserv_flag,
7203                 { "Timeserv", "netlogon.dc.flags.timeserv",
7204                   FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
7205                   "If this server is a TimeServer", HFILL }},
7206
7207         { &hf_netlogon_dc_flags_closest_flag,
7208                 { "Closest", "netlogon.dc.flags.closest",
7209                   FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
7210                   "If this is the closest server", HFILL }},
7211
7212         { &hf_netlogon_dc_flags_writable_flag,
7213                 { "Writable", "netlogon.dc.flags.writable",
7214                   FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
7215                   "If this server can do updates to the database", HFILL }},
7216
7217         { &hf_netlogon_dc_flags_good_timeserv_flag,
7218                 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
7219                   FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
7220                   "If this is a Good TimeServer", HFILL }},
7221
7222         { &hf_netlogon_dc_flags_ndnc_flag,
7223                 { "NDNC", "netlogon.dc.flags.ndnc",
7224                   FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
7225                   "If this is an NDNC server", HFILL }},
7226
7227         { &hf_netlogon_dc_flags_dns_controller_flag,
7228                 { "DNS Controller", "netlogon.dc.flags.dns_controller",
7229                   FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
7230                   "If this server is a DNS Controller", HFILL }},
7231
7232         { &hf_netlogon_dc_flags_dns_domain_flag,
7233                 { "DNS Domain", "netlogon.dc.flags.dns_domain",
7234                   FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
7235                   "", HFILL }},
7236
7237         { &hf_netlogon_dc_flags_dns_forest_flag,
7238                 { "DNS Forest", "netlogon.dc.flags.dns_forest",
7239                   FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
7240                   "", HFILL }},
7241
7242         { &hf_netlogon_get_dcname_request_flags,
7243                 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
7244                 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
7245
7246         { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
7247                 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
7248                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
7249                   "Whether to allow the server to returned cached information or not", HFILL }},
7250
7251         { &hf_netlogon_get_dcname_request_flags_directory_service_required,
7252                 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
7253                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
7254                   "Whether we require that the returned DC supports w2k or not", HFILL }},
7255
7256         { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
7257                 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
7258                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
7259                   "Whether we prefer the call to return a w2k server (if available)", HFILL }},
7260
7261         { &hf_netlogon_get_dcname_request_flags_gc_server_required,
7262                 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
7263                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
7264                   "Whether we require that the returned DC is a Global Catalog server", HFILL }},
7265
7266         { &hf_netlogon_get_dcname_request_flags_pdc_required,
7267                 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
7268                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
7269                   "Whether we require the returned DC to be the PDC", HFILL }},
7270
7271         { &hf_netlogon_get_dcname_request_flags_background_only,
7272                 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
7273                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
7274                   "If we want cached data, even if it may have expired", HFILL }},
7275
7276         { &hf_netlogon_get_dcname_request_flags_ip_required,
7277                 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
7278                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
7279                   "If we requre the IP of the DC in the reply", HFILL }},
7280
7281         { &hf_netlogon_get_dcname_request_flags_kdc_required,
7282                 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
7283                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
7284                   "If we require that the returned server is a KDC", HFILL }},
7285
7286         { &hf_netlogon_get_dcname_request_flags_timeserv_required,
7287                 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
7288                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
7289                   "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
7290
7291         { &hf_netlogon_get_dcname_request_flags_writable_required,
7292                 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
7293                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
7294                   "If we require that the return server is writable", HFILL }},
7295
7296         { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
7297                 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
7298                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
7299                   "If we prefer Windows Time Servers", HFILL }},
7300
7301         { &hf_netlogon_get_dcname_request_flags_avoid_self,
7302                 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
7303                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
7304                   "Return another DC than the one we ask", HFILL }},
7305
7306         { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
7307                 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
7308                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
7309                   "We just want an LDAP server, it does not have to be a DC", HFILL }},
7310
7311         { &hf_netlogon_get_dcname_request_flags_is_flat_name,
7312                 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
7313                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
7314                   "If the specified domain name is a NetBIOS name", HFILL }},
7315
7316         { &hf_netlogon_get_dcname_request_flags_is_dns_name,
7317                 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
7318                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
7319                   "If the specified domain name is a DNS name", HFILL }},
7320
7321         { &hf_netlogon_get_dcname_request_flags_return_dns_name,
7322                 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
7323                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
7324                   "Only return a DNS name (or an error)", HFILL }},
7325
7326         { &hf_netlogon_get_dcname_request_flags_return_flat_name,
7327                 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
7328                   FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
7329                   "Only return a NetBIOS name (or an error)", HFILL }},
7330
7331         { &hf_netlogon_trust_attribs,
7332                 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
7333                 NULL, 0x0, "Trust Attributes", HFILL }},
7334
7335         { &hf_netlogon_trust_type,
7336                 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
7337                 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
7338
7339         { &hf_netlogon_trust_flags,
7340                 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
7341                 NULL, 0x0, "Trust Flags", HFILL }},
7342
7343         { &hf_netlogon_trust_flags_inbound,
7344                 { "Inbound Trust", "netlogon.trust.flags.inbound",
7345                   FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
7346                   "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
7347
7348         { &hf_netlogon_trust_flags_outbound,
7349                 { "Outbound Trust", "netlogon.trust.flags.outbound",
7350                   FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
7351                   "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
7352
7353         { &hf_netlogon_trust_flags_in_forest,
7354                 { "In Forest", "netlogon.trust.flags.in_forest",
7355                   FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
7356                   "Whether this domain is a member of the same forest as the servers domain", HFILL }},
7357
7358         { &hf_netlogon_trust_flags_native_mode,
7359                 { "Native Mode", "netlogon.trust.flags.native_mode",
7360                   FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
7361                   "Whether the domain is a w2k native mode domain or not", HFILL }},
7362
7363         { &hf_netlogon_trust_flags_primary,
7364                 { "Primary", "netlogon.trust.flags.primary",
7365                   FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
7366                   "Whether the domain is the primary domain for the queried server or not", HFILL }},
7367
7368         { &hf_netlogon_trust_flags_tree_root,
7369                 { "Tree Root", "netlogon.trust.flags.tree_root",
7370                   FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
7371                   "Whether the domain is the root of the tree for the queried server", HFILL }},
7372
7373         { &hf_netlogon_trust_parent_index,
7374                 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
7375                 NULL, 0x0, "Parent Index", HFILL }},
7376
7377         { &hf_netlogon_logon_time,
7378                 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
7379                 NULL, 0, "Time for last time this user logged on", HFILL }},
7380
7381         { &hf_netlogon_kickoff_time,
7382                 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7383                 NULL, 0, "Time when this user will be kicked off", HFILL }},
7384
7385         { &hf_netlogon_logoff_time,
7386                 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7387                 NULL, 0, "Time for last time this user logged off", HFILL }},
7388
7389         { &hf_netlogon_pwd_last_set_time,
7390                 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7391                 NULL, 0, "Last time this users password was changed", HFILL }},
7392
7393         { &hf_netlogon_pwd_can_change_time,
7394                 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7395                 NULL, 0, "When this users password may be changed", HFILL }},
7396
7397         { &hf_netlogon_pwd_must_change_time,
7398                 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7399                 NULL, 0, "When this users password must be changed", HFILL }},
7400
7401         { &hf_netlogon_domain_create_time,
7402                 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7403                 NULL, 0, "Time when this domain was created", HFILL }},
7404
7405         { &hf_netlogon_domain_modify_time,
7406                 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7407                 NULL, 0, "Time when this domain was last modified", HFILL }},
7408
7409         { &hf_netlogon_db_modify_time,
7410                 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7411                 NULL, 0, "Time when last modified", HFILL }},
7412
7413         { &hf_netlogon_db_create_time,
7414                 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7415                 NULL, 0, "Time when created", HFILL }},
7416
7417         { &hf_netlogon_cipher_current_set_time,
7418                 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7419                 NULL, 0, "Time when current cipher was initiated", HFILL }},
7420
7421         { &hf_netlogon_cipher_old_set_time,
7422                 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7423                 NULL, 0, "Time when previous cipher was initiated", HFILL }},
7424
7425         { &hf_netlogon_audit_retention_period,
7426                 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
7427                 NULL, 0, "Audit retention period", HFILL }},
7428
7429         { &hf_netlogon_guid,
7430                 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE, 
7431                 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
7432
7433         { &hf_netlogon_timelimit,
7434                 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
7435                 NULL, 0, "", HFILL }},
7436
7437         /* Secure channel dissection */
7438
7439         { &hf_netlogon_secchan_bind_unknown1,
7440           { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7441             NULL, 0x0, "", HFILL }},
7442
7443         { &hf_netlogon_secchan_bind_unknown2,
7444           { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7445             NULL, 0x0, "", HFILL }},
7446
7447         { &hf_netlogon_secchan_domain,
7448           { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7449             NULL, 0, "", HFILL }},
7450
7451         { &hf_netlogon_secchan_host,
7452           { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7453             NULL, 0, "", HFILL }},
7454
7455         { &hf_netlogon_secchan_bind_ack_unknown1,
7456           { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32, 
7457             BASE_HEX, NULL, 0x0, "", HFILL }},
7458
7459         { &hf_netlogon_secchan_bind_ack_unknown2,
7460           { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32, 
7461             BASE_HEX, NULL, 0x0, "", HFILL }},
7462
7463         { &hf_netlogon_secchan_bind_ack_unknown3,
7464           { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32, 
7465             BASE_HEX, NULL, 0x0, "", HFILL }},
7466
7467         { &hf_netlogon_secchan_verf,
7468           { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE, 
7469             NULL, 0x0, "Verifier", HFILL }},
7470
7471         { &hf_netlogon_secchan_verf_sig,
7472           { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL, 
7473             0x0, "Signature", HFILL }}, 
7474
7475         { &hf_netlogon_secchan_verf_unk,
7476           { "Unknown", "netlogon.secchan.unk", FT_BYTES, BASE_HEX, NULL, 
7477           0x0, "Unknown", HFILL }}, 
7478
7479         { &hf_netlogon_secchan_verf_seq,
7480           { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL, 
7481           0x0, "Sequence No", HFILL }}, 
7482
7483         { &hf_netlogon_secchan_verf_nonce,
7484           { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL, 
7485           0x0, "Nonce", HFILL }}, 
7486
7487         { &hf_netlogon_group_attrs_mandatory,
7488                 { "Mandatory", "netlogon.groups.attrs.mandatory",
7489                   FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
7490                   "The group attributes MANDATORY flag", HFILL }},
7491
7492         { &hf_netlogon_group_attrs_enabled_by_default,
7493                 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
7494                   FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
7495                   "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
7496
7497         { &hf_netlogon_group_attrs_enabled,
7498                 { "Enabled", "netlogon.groups.attrs.enabled",
7499                   FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
7500                   "The group attributes ENABLED flag", HFILL }},
7501
7502         { &hf_netlogon_user_flags_extra_sids,
7503                 { "Extra SIDs", "netlogon.user.flags.extra_sids",
7504                   FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
7505                   "The user flags EXTRA_SIDS", HFILL }},
7506
7507         { &hf_netlogon_user_flags_resource_groups,
7508                 { "Resource Groups", "netlogon.user.flags.resource_groups",
7509                   FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
7510                   "The user flags RESOURCE_GROUPS", HFILL }},
7511
7512         { &hf_netlogon_user_account_control_dont_require_preauth,
7513                 { "Dont Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
7514                   FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
7515                   "The user account control DONT_REQUIRE_PREAUTH flag ", HFILL }},
7516
7517         { &hf_netlogon_user_account_control_use_des_key_only,
7518                 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
7519                   FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
7520                   "The user account control use_des_key_only flag ", HFILL }},
7521
7522         { &hf_netlogon_user_account_control_not_delegated,
7523                 { "Not Delegated", "netlogon.user.account_control.not_delegated",
7524                   FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
7525                   "The user account control not_delegated flag ", HFILL }},
7526
7527         { &hf_netlogon_user_account_control_trusted_for_delegation,
7528                 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
7529                   FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
7530                   "The user account control trusted_for_delegation flag ", HFILL }},
7531
7532         { &hf_netlogon_user_account_control_smartcard_required,
7533                 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
7534                   FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
7535                   "The user account control smartcard_required flag ", HFILL }},
7536
7537         { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
7538                 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
7539                   FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
7540                   "The user account control encrypted_text_password_allowed flag ", HFILL }},
7541
7542         { &hf_netlogon_user_account_control_account_auto_locked,
7543                 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
7544                   FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
7545                   "The user account control account_auto_locked flag ", HFILL }},
7546
7547         { &hf_netlogon_user_account_control_dont_expire_password,
7548                 { "Dont Expire Password", "netlogon.user.account_control.dont_expire_password",
7549                   FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
7550                   "The user account control dont_expire_password flag ", HFILL }},
7551
7552         { &hf_netlogon_user_account_control_server_trust_account,
7553                 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
7554                   FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
7555                   "The user account control server_trust_account flag ", HFILL }},
7556
7557         { &hf_netlogon_user_account_control_workstation_trust_account,
7558                 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
7559                   FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
7560                   "The user account control workstation_trust_account flag ", HFILL }},
7561
7562         { &hf_netlogon_user_account_control_interdomain_trust_account,
7563                 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
7564                   FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
7565                   "The user account control interdomain_trust_account flag ", HFILL }},
7566
7567         { &hf_netlogon_user_account_control_mns_logon_account,
7568                 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
7569                   FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
7570                   "The user account control mns_logon_account flag ", HFILL }},
7571
7572         { &hf_netlogon_user_account_control_normal_account,
7573                 { "Normal Account", "netlogon.user.account_control.normal_account",
7574                   FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
7575                   "The user account control normal_account flag ", HFILL }},
7576
7577         { &hf_netlogon_user_account_control_temp_duplicate_account,
7578                 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
7579                   FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
7580                   "The user account control temp_duplicate_account flag ", HFILL }},
7581
7582         { &hf_netlogon_user_account_control_password_not_required,
7583                 { "Password Not Required", "netlogon.user.account_control.password_not_required",
7584                   FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
7585                   "The user account control password_not_required flag ", HFILL }},
7586
7587         { &hf_netlogon_user_account_control_home_directory_required,
7588                 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
7589                   FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
7590                   "The user account control home_directory_required flag ", HFILL }},
7591
7592         { &hf_netlogon_user_account_control_account_disabled,
7593                 { "Account Disabled", "netlogon.user.account_control.account_disabled",
7594                   FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
7595                   "The user account control account_disabled flag ", HFILL }},
7596
7597         };
7598
7599         static gint *ett[] = {
7600                 &ett_dcerpc_netlogon,
7601                 &ett_CYPHER_VALUE,
7602                 &ett_QUOTA_LIMITS,
7603                 &ett_IDENTITY_INFO,
7604                 &ett_DELTA_ENUM,
7605                 &ett_UNICODE_MULTI,
7606                 &ett_DOMAIN_CONTROLLER_INFO,
7607                 &ett_UNICODE_STRING_512,
7608                 &ett_TYPE_50,
7609                 &ett_TYPE_52,
7610                 &ett_DELTA_ID_UNION,
7611                 &ett_TYPE_44,
7612                 &ett_DELTA_UNION,
7613                 &ett_LM_OWF_PASSWORD,
7614                 &ett_NT_OWF_PASSWORD,
7615                 &ett_GROUP_MEMBERSHIP,
7616                 &ett_DS_DOMAIN_TRUSTS,
7617                 &ett_BLOB,
7618                 &ett_DOMAIN_TRUST_INFO,
7619                 &ett_trust_flags,
7620                 &ett_get_dcname_request_flags,
7621                 &ett_dc_flags,
7622                 &ett_secchan_bind_creds,
7623                 &ett_secchan_bind_ack_creds,
7624                 &ett_secchan_verf,
7625                 &ett_group_attrs,
7626                 &ett_user_flags,
7627                 &ett_user_account_control
7628         };
7629
7630         proto_dcerpc_netlogon = proto_register_protocol(
7631                 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7632
7633         proto_register_field_array(proto_dcerpc_netlogon, hf,
7634                                    array_length(hf));
7635         proto_register_subtree_array(ett, array_length(ett));
7636 }
7637
/*
 * Callback table for dissecting the authentication portions of DCE/RPC
 * PDUs that use the secure channel ("secchan") auth type.
 * proto_reg_handoff_dcerpc_netlogon() registers this same table for both
 * the packet-integrity and the packet-privacy auth levels.
 *
 * Slots are positional; the trailing comment on each line names the PDU
 * part the slot handles.  One dissector (dissect_secchan_verf) serves both
 * the request and the response verifier.
 *
 * The AUTH3 slot and both data slots are NULL, i.e. no handler is supplied
 * for them here.
 * NOTE(review): presumably this means stub data carried at the
 * packet-privacy level is not decoded through this table and stays opaque
 * in the dissection -- confirm against the dcerpc core before relying on
 * payload fields from sealed NETLOGON traffic.
 */
static dcerpc_auth_subdissector_fns secchan_auth_fns = {
        dissect_secchan_bind_creds,             /* Bind */
        dissect_secchan_bind_ack_creds,         /* Bind ACK */
        NULL,                                   /* AUTH3 */
        dissect_secchan_verf,                   /* Request verifier */
        dissect_secchan_verf,                   /* Response verifier */
        NULL,                                   /* Request data */
        NULL                                    /* Response data */
};
7647
/*
 * Handoff registration for the NETLOGON DCE/RPC interface.
 *
 * First ties the interface UUID, version, opnum field and per-opnum
 * dissector table to the protocol, then attaches the secure channel
 * auth subdissectors (secchan_auth_fns) for every auth level listed in
 * secchan_auth_levels.  Only those two levels are registered by this
 * function; whether other levels are handled elsewhere cannot be seen
 * from here.
 */
void
proto_reg_handoff_dcerpc_netlogon(void)
{
        /* Auth levels that share the secchan callbacks, kept in the
         * registration order: integrity first, then privacy. */
        static const int secchan_auth_levels[] = {
                DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
                DCE_C_AUTHN_LEVEL_PKT_PRIVACY
        };
        guint level_idx;

        /* Make the interface known to the DCE/RPC dissector */
        dcerpc_init_uuid(proto_dcerpc_netlogon,
                         ett_dcerpc_netlogon,
                         &uuid_dcerpc_netlogon,
                         ver_dcerpc_netlogon,
                         dcerpc_netlogon_dissectors,
                         hf_netlogon_opnum);

        /* Same callback table for each level; the auth type is always
         * the secure channel one. */
        for (level_idx = 0;
             level_idx < array_length(secchan_auth_levels);
             level_idx++) {
                register_dcerpc_auth_subdissector(
                        secchan_auth_levels[level_idx],
                        DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
                        &secchan_auth_fns);
        }
}