1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.93 2003/09/27 23:48:04 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_logon_count = -1;
116 static int hf_netlogon_logon_count16 = -1;
117 static int hf_netlogon_bad_pw_count = -1;
118 static int hf_netlogon_bad_pw_count16 = -1;
119 static int hf_netlogon_user_rid = -1;
120 static int hf_netlogon_alias_rid = -1;
121 static int hf_netlogon_group_rid = -1;
122 static int hf_netlogon_logon_srv = -1;
123 static int hf_netlogon_principal = -1;
124 static int hf_netlogon_logon_dom = -1;
125 static int hf_netlogon_downlevel_domain_name = -1;
126 static int hf_netlogon_dns_domain_name = -1;
127 static int hf_netlogon_domain_name = -1;
128 static int hf_netlogon_domain_create_time = -1;
129 static int hf_netlogon_domain_modify_time = -1;
130 static int hf_netlogon_modify_count = -1;
131 static int hf_netlogon_db_modify_time = -1;
132 static int hf_netlogon_db_create_time = -1;
133 static int hf_netlogon_oem_info = -1;
134 static int hf_netlogon_serial_number = -1;
135 static int hf_netlogon_num_rids = -1;
136 static int hf_netlogon_num_trusts = -1;
137 static int hf_netlogon_num_controllers = -1;
138 static int hf_netlogon_num_other_groups = -1;
139 static int hf_netlogon_computer_name = -1;
140 static int hf_netlogon_site_name = -1;
141 static int hf_netlogon_trusted_dc_name = -1;
142 static int hf_netlogon_dc_name = -1;
143 static int hf_netlogon_dc_site_name = -1;
144 static int hf_netlogon_dns_forest_name = -1;
145 static int hf_netlogon_dc_address = -1;
146 static int hf_netlogon_dc_address_type = -1;
147 static int hf_netlogon_client_site_name = -1;
148 static int hf_netlogon_workstation = -1;
149 static int hf_netlogon_workstation_site_name = -1;
150 static int hf_netlogon_workstation_os = -1;
151 static int hf_netlogon_workstations = -1;
152 static int hf_netlogon_workstation_fqdn = -1;
153 static int hf_netlogon_group_name = -1;
154 static int hf_netlogon_alias_name = -1;
155 static int hf_netlogon_country = -1;
156 static int hf_netlogon_codepage = -1;
157 static int hf_netlogon_flags = -1;
158 static int hf_netlogon_trust_attribs = -1;
159 static int hf_netlogon_trust_type = -1;
160 static int hf_netlogon_trust_flags = -1;
161 static int hf_netlogon_trust_flags_inbound = -1;
162 static int hf_netlogon_trust_flags_outbound = -1;
163 static int hf_netlogon_trust_flags_in_forest = -1;
164 static int hf_netlogon_trust_flags_native_mode = -1;
165 static int hf_netlogon_trust_flags_primary = -1;
166 static int hf_netlogon_trust_flags_tree_root = -1;
167 static int hf_netlogon_trust_parent_index = -1;
168 static int hf_netlogon_user_flags = -1;
169 static int hf_netlogon_auth_flags = -1;
170 static int hf_netlogon_pwd_expired = -1;
171 static int hf_netlogon_nt_pwd_present = -1;
172 static int hf_netlogon_lm_pwd_present = -1;
173 static int hf_netlogon_code = -1;
174 static int hf_netlogon_database_id = -1;
175 static int hf_netlogon_sync_context = -1;
176 static int hf_netlogon_max_size = -1;
177 static int hf_netlogon_max_log_size = -1;
178 static int hf_netlogon_dns_host = -1;
179 static int hf_netlogon_acct_expiry_time = -1;
180 static int hf_netlogon_encrypted_lm_owf_password = -1;
181 static int hf_netlogon_lm_owf_password = -1;
182 static int hf_netlogon_nt_owf_password = -1;
183 static int hf_netlogon_param_ctrl = -1;
184 static int hf_netlogon_logon_id = -1;
185 static int hf_netlogon_num_deltas = -1;
186 static int hf_netlogon_user_session_key = -1;
187 static int hf_netlogon_blob_size = -1;
188 static int hf_netlogon_blob = -1;
189 static int hf_netlogon_logon_attempts = -1;
190 static int hf_netlogon_authoritative = -1;
191 static int hf_netlogon_secure_channel_type = -1;
192 static int hf_netlogon_logonsrv_handle = -1;
193 static int hf_netlogon_delta_type = -1;
194 static int hf_netlogon_get_dcname_request_flags = -1;
195 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
196 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
197 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
198 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
199 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
200 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
201 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
202 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
203 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
204 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
205 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
206 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
207 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
208 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
209 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
210 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
211 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
212 static int hf_netlogon_dc_flags = -1;
213 static int hf_netlogon_dc_flags_pdc_flag = -1;
214 static int hf_netlogon_dc_flags_gc_flag = -1;
215 static int hf_netlogon_dc_flags_ldap_flag = -1;
216 static int hf_netlogon_dc_flags_ds_flag = -1;
217 static int hf_netlogon_dc_flags_kdc_flag = -1;
218 static int hf_netlogon_dc_flags_timeserv_flag = -1;
219 static int hf_netlogon_dc_flags_closest_flag = -1;
220 static int hf_netlogon_dc_flags_writable_flag = -1;
221 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
222 static int hf_netlogon_dc_flags_ndnc_flag = -1;
223 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
224 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
225 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
227 static gint ett_dcerpc_netlogon = -1;
228 static gint ett_QUOTA_LIMITS = -1;
229 static gint ett_IDENTITY_INFO = -1;
230 static gint ett_DELTA_ENUM = -1;
231 static gint ett_CYPHER_VALUE = -1;
232 static gint ett_UNICODE_MULTI = -1;
233 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
234 static gint ett_UNICODE_STRING_512 = -1;
235 static gint ett_TYPE_50 = -1;
236 static gint ett_TYPE_52 = -1;
237 static gint ett_DELTA_ID_UNION = -1;
238 static gint ett_TYPE_44 = -1;
239 static gint ett_DELTA_UNION = -1;
240 static gint ett_LM_OWF_PASSWORD = -1;
241 static gint ett_NT_OWF_PASSWORD = -1;
242 static gint ett_GROUP_MEMBERSHIP = -1;
243 static gint ett_BLOB = -1;
244 static gint ett_DS_DOMAIN_TRUSTS = -1;
245 static gint ett_DOMAIN_TRUST_INFO = -1;
246 static gint ett_trust_flags = -1;
247 static gint ett_get_dcname_request_flags = -1;
248 static gint ett_dc_flags = -1;
250 static e_uuid_t uuid_dcerpc_netlogon = {
251 0x12345678, 0x1234, 0xabcd,
252 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
255 static guint16 ver_dcerpc_netlogon = 1;
260 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
261 packet_info *pinfo, proto_tree *tree,
264 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
265 NDR_POINTER_UNIQUE, "Server Handle",
266 hf_netlogon_logonsrv_handle, 0);
272 * IDL typedef struct {
273 * IDL [unique][string] wchar_t *effective_name;
275 * IDL long auth_flags;
276 * IDL long logon_count;
277 * IDL long bad_pw_count;
278 * IDL long last_logon;
279 * IDL long last_logoff;
280 * IDL long logoff_time;
281 * IDL long kickoff_time;
282 * IDL long password_age;
283 * IDL long pw_can_change;
284 * IDL long pw_must_change;
285 * IDL [unique][string] wchar_t *computer;
286 * IDL [unique][string] wchar_t *domain;
287 * IDL [unique][string] wchar_t *script_path;
291 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
292 packet_info *pinfo, proto_tree *tree,
297 di=pinfo->private_data;
298 if(di->conformant_run){
299 /*just a run to handle conformant arrays, nothing to dissect */
303 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
304 NDR_POINTER_UNIQUE, "Effective Account",
305 hf_netlogon_acct_name, 0);
307 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
308 hf_netlogon_priv, NULL);
310 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
311 hf_netlogon_auth_flags, NULL);
313 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
314 hf_netlogon_logon_count, NULL);
316 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
317 hf_netlogon_bad_pw_count, NULL);
319 /* XXX - are these all UNIX "time_t"s, like the time stamps in
322 Or are they, as per some RAP-based operations, UTIMEs? */
323 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
326 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
329 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
332 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
335 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
338 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
341 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
344 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
345 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
347 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
348 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
350 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
351 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
353 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
354 hf_netlogon_reserved, NULL);
360 * IDL long NetrLogonUasLogon(
361 * IDL [in][unique][string] wchar_t *ServerName,
362 * IDL [in][ref][string] wchar_t *UserName,
363 * IDL [in][ref][string] wchar_t *Workstation,
364 * IDL [out][unique] VALIDATION_UAS_INFO *info
368 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
369 packet_info *pinfo, proto_tree *tree, char *drep)
371 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
374 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
375 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
377 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
378 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
385 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
386 packet_info *pinfo, proto_tree *tree, char *drep)
388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
389 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
390 "VALIDATION_UAS_INFO", -1);
392 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
393 hf_netlogon_rc, NULL);
399 * IDL typedef struct {
401 * IDL short logon_count;
402 * IDL } LOGOFF_UAS_INFO;
405 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
406 packet_info *pinfo, proto_tree *tree,
411 di=pinfo->private_data;
412 if(di->conformant_run){
413 /*just a run to handle conformant arrays, nothing to dissect */
417 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
420 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
421 hf_netlogon_logon_count16, NULL);
427 * IDL long NetrLogonUasLogoff(
428 * IDL [in][unique][string] wchar_t *ServerName,
429 * IDL [in][ref][string] wchar_t *UserName,
430 * IDL [in][ref][string] wchar_t *Workstation,
431 * IDL [out][ref] LOGOFF_UAS_INFO *info
435 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
436 packet_info *pinfo, proto_tree *tree, char *drep)
438 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
441 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
442 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
444 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
445 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
452 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
453 packet_info *pinfo, proto_tree *tree, char *drep)
455 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
456 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
457 "LOGOFF_UAS_INFO", -1);
459 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
460 hf_netlogon_rc, NULL);
469 * IDL typedef struct {
470 * IDL UNICODESTRING LogonDomainName;
471 * IDL long ParameterControl;
472 * IDL uint64 LogonID;
473 * IDL UNICODESTRING UserName;
474 * IDL UNICODESTRING Workstation;
475 * IDL } LOGON_IDENTITY_INFO;
478 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
479 packet_info *pinfo, proto_tree *parent_tree,
482 proto_item *item=NULL;
483 proto_tree *tree=NULL;
484 int old_offset=offset;
487 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
489 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
492 /* XXX: It would be nice to get the domain and account name
493 displayed in COL_INFO. */
495 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
496 hf_netlogon_logon_dom, 0);
498 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
499 hf_netlogon_param_ctrl, NULL);
501 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
502 hf_netlogon_logon_id, NULL);
504 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
505 hf_netlogon_acct_name, 0);
507 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
508 hf_netlogon_workstation, 0);
511 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
512 /* XXX 8 extra bytes here */
513 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
514 the idl file. Could be a bug in either the NETLOGON implementation or in the
517 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
520 proto_item_set_len(item, offset-old_offset);
526 * IDL typedef struct {
527 * IDL char password[16];
528 * IDL } LM_OWF_PASSWORD;
531 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
532 packet_info *pinfo, proto_tree *parent_tree,
535 proto_item *item=NULL;
536 proto_tree *tree=NULL;
539 di=pinfo->private_data;
540 if(di->conformant_run){
541 /*just a run to handle conformant arrays, nothing to dissect.*/
546 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
548 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
551 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
559 * IDL typedef struct {
560 * IDL char password[16];
561 * IDL } NT_OWF_PASSWORD;
564 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
565 packet_info *pinfo, proto_tree *parent_tree,
568 proto_item *item=NULL;
569 proto_tree *tree=NULL;
572 di=pinfo->private_data;
573 if(di->conformant_run){
574 /*just a run to handle conformant arrays, nothing to dissect.*/
579 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
581 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
584 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
593 * IDL typedef struct {
594 * IDL LOGON_IDENTITY_INFO identity_info;
595 * IDL LM_OWF_PASSWORD lmpassword;
596 * IDL NT_OWF_PASSWORD ntpassword;
597 * IDL } INTERACTIVE_INFO;
600 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
601 packet_info *pinfo, proto_tree *tree,
604 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
607 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
610 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
617 * IDL typedef struct {
622 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
623 packet_info *pinfo, proto_tree *tree,
628 di=pinfo->private_data;
629 if(di->conformant_run){
630 /*just a run to handle conformant arrays, nothing to dissect.*/
634 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
642 * IDL typedef struct {
643 * IDL LOGON_IDENTITY_INFO logon_info;
644 * IDL CHALLENGE chal;
645 * IDL STRING ntchallengeresponse;
646 * IDL STRING lmchallengeresponse;
647 * IDL } NETWORK_INFO;
650 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
651 proto_item *item _U_, tvbuff_t *tvb,
652 int start_offset, int end_offset,
653 void *callback_args _U_)
657 /* Skip over 3 guint32's in NDR format */
659 if (start_offset % 4)
660 start_offset += 4 - (start_offset % 4);
663 len = end_offset - start_offset;
665 /* Call ntlmv2 response dissector */
668 dissect_ntlmv2_response(tvb, tree, start_offset, len);
672 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
673 packet_info *pinfo, proto_tree *tree,
676 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
679 offset = netlogon_dissect_CHALLENGE(tvb, offset,
682 offset = dissect_ndr_counted_byte_array_cb(
683 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
684 dissect_nt_chal_resp_cb, NULL);
686 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
687 hf_netlogon_lm_chal_resp);
693 * IDL typedef struct {
694 * IDL LOGON_IDENTITY_INFO logon_info;
695 * IDL LM_OWF_PASSWORD lmpassword;
696 * IDL NT_OWF_PASSWORD ntpassword;
697 * IDL } SERVICE_INFO;
700 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
701 packet_info *pinfo, proto_tree *tree,
704 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
707 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
710 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
717 * IDL typedef [switch_type(short)] union {
718 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
719 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
720 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
724 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
725 packet_info *pinfo, proto_tree *tree,
730 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
731 hf_netlogon_level16, &level);
736 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
737 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
738 "INTERACTIVE_INFO:", -1);
741 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
742 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
743 "NETWORK_INFO:", -1);
746 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
747 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
748 "SERVICE_INFO:", -1);
756 * IDL typedef struct {
761 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
762 packet_info *pinfo, proto_tree *tree,
767 di=pinfo->private_data;
768 if(di->conformant_run){
769 /*just a run to handle conformant arrays, nothing to dissect.*/
773 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
782 * IDL typedef struct {
783 * IDL CREDENTIAL cred;
784 * IDL long timestamp;
785 * IDL } AUTHENTICATOR;
788 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
789 packet_info *pinfo, proto_tree *tree,
795 di=pinfo->private_data;
796 if(di->conformant_run){
797 /*just a run to handle conformant arrays, nothing to dissect */
801 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
805 * XXX - this appears to be a UNIX time_t in some credentials, but
806 * appears to be random junk in other credentials.
807 * For example, it looks like a UNIX time_t in "credential"
808 * AUTHENTICATORs, but like random junk in "return_authenticator"
812 ts.secs = tvb_get_letohl(tvb, offset);
814 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
822 * IDL typedef struct {
824 * IDL long attributes;
825 * IDL } GROUP_MEMBERSHIP;
828 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
829 packet_info *pinfo, proto_tree *parent_tree,
832 proto_item *item=NULL;
833 proto_tree *tree=NULL;
836 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
837 "GROUP_MEMBERSHIP:");
838 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
841 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
842 hf_netlogon_group_rid, NULL);
844 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
845 hf_netlogon_attrs, NULL);
851 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
852 packet_info *pinfo, proto_tree *tree,
855 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
856 netlogon_dissect_GROUP_MEMBERSHIP);
862 * IDL typedef struct {
863 * IDL char user_session_key[16];
864 * IDL } USER_SESSION_KEY;
867 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
868 packet_info *pinfo, proto_tree *tree,
873 di=pinfo->private_data;
874 if(di->conformant_run){
875 /*just a run to handle conformant arrays, nothing to dissect.*/
879 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
887 * IDL typedef struct {
888 * IDL uint64 LogonTime;
889 * IDL uint64 LogoffTime;
890 * IDL uint64 KickOffTime;
891 * IDL uint64 PasswdLastSet;
892 * IDL uint64 PasswdCanChange;
893 * IDL uint64 PasswdMustChange;
894 * IDL unicodestring effectivename;
895 * IDL unicodestring fullname;
896 * IDL unicodestring logonscript;
897 * IDL unicodestring profilepath;
898 * IDL unicodestring homedirectory;
899 * IDL unicodestring homedirectorydrive;
900 * IDL short LogonCount;
901 * IDL short BadPasswdCount;
903 * IDL long primarygroup;
904 * IDL long groupcount;
905 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
906 * IDL long userflags;
907 * IDL USER_SESSION_KEY key;
908 * IDL unicodestring logonserver;
909 * IDL unicodestring domainname;
910 * IDL [unique] SID logondomainid;
911 * IDL long expansionroom[10];
912 * IDL } VALIDATION_SAM_INFO;
915 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
916 packet_info *pinfo, proto_tree *tree,
921 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
922 hf_netlogon_logon_time);
924 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
925 hf_netlogon_logoff_time);
927 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
928 hf_netlogon_kickoff_time);
930 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
931 hf_netlogon_pwd_last_set_time);
933 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
934 hf_netlogon_pwd_can_change_time);
936 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
937 hf_netlogon_pwd_must_change_time);
939 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
940 hf_netlogon_acct_name, 0);
942 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
943 hf_netlogon_full_name, 0);
945 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
946 hf_netlogon_logon_script, 0);
948 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
949 hf_netlogon_profile_path, 0);
951 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
952 hf_netlogon_home_dir, 0);
954 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
955 hf_netlogon_dir_drive, 0);
957 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
958 hf_netlogon_logon_count16, NULL);
960 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
961 hf_netlogon_bad_pw_count16, NULL);
963 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
964 hf_netlogon_user_rid, NULL);
966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
967 hf_netlogon_group_rid, NULL);
969 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
970 hf_netlogon_num_rids, NULL);
972 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
973 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
974 "GROUP_MEMBERSHIP_ARRAY", -1);
976 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
977 hf_netlogon_user_flags, NULL);
979 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
982 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
983 hf_netlogon_logon_srv, 0);
985 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
986 hf_netlogon_logon_dom, 0);
988 offset = dissect_ndr_nt_PSID(tvb, offset,
989 pinfo, tree, drep, -1);
992 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
993 hf_netlogon_reserved, NULL);
1002 * IDL typedef struct {
1003 * IDL uint64 LogonTime;
1004 * IDL uint64 LogoffTime;
1005 * IDL uint64 KickOffTime;
1006 * IDL uint64 PasswdLastSet;
1007 * IDL uint64 PasswdCanChange;
1008 * IDL uint64 PasswdMustChange;
1009 * IDL unicodestring effectivename;
1010 * IDL unicodestring fullname;
1011 * IDL unicodestring logonscript;
1012 * IDL unicodestring profilepath;
1013 * IDL unicodestring homedirectory;
1014 * IDL unicodestring homedirectorydrive;
1015 * IDL short LogonCount;
1016 * IDL short BadPasswdCount;
1018 * IDL long primarygroup;
1019 * IDL long groupcount;
1020 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1021 * IDL long userflags;
1022 * IDL USER_SESSION_KEY key;
1023 * IDL unicodestring logonserver;
1024 * IDL unicodestring domainname;
1025 * IDL [unique] SID logondomainid;
1026 * IDL long expansionroom[10];
1027 * IDL long sidcount;
1028 * IDL [unique] SID_AND_ATTRIBS;
1029 * IDL } VALIDATION_SAM_INFO2;
1032 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1033 packet_info *pinfo, proto_tree *tree,
1038 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1039 hf_netlogon_logon_time);
1041 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1042 hf_netlogon_logoff_time);
1044 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1045 hf_netlogon_kickoff_time);
1047 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1048 hf_netlogon_pwd_last_set_time);
1050 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1051 hf_netlogon_pwd_can_change_time);
1053 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1054 hf_netlogon_pwd_must_change_time);
1056 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1057 hf_netlogon_acct_name, 0);
1059 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1060 hf_netlogon_full_name, 0);
1062 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1063 hf_netlogon_logon_script, 0);
1065 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1066 hf_netlogon_profile_path, 0);
1068 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1069 hf_netlogon_home_dir, 0);
1071 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1072 hf_netlogon_dir_drive, 0);
1074 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1075 hf_netlogon_logon_count16, NULL);
1077 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1078 hf_netlogon_bad_pw_count16, NULL);
1080 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1081 hf_netlogon_user_rid, NULL);
1083 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1084 hf_netlogon_group_rid, NULL);
1086 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1087 hf_netlogon_num_rids, NULL);
1089 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1090 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1091 "GROUP_MEMBERSHIP_ARRAY", -1);
1093 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1094 hf_netlogon_user_flags, NULL);
1096 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1099 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1100 hf_netlogon_logon_srv, 0);
1102 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1103 hf_netlogon_logon_dom, 0);
1105 offset = dissect_ndr_nt_PSID(tvb, offset,
1106 pinfo, tree, drep, -1);
1109 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1110 hf_netlogon_unknown_long, NULL);
1113 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1114 hf_netlogon_num_other_groups, NULL);
1116 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1117 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1118 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1126 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1127 packet_info *pinfo, proto_tree *tree,
1133 di=pinfo->private_data;
1134 if(di->conformant_run){
1135 /*just a run to handle conformant arrays, nothing to dissect */
1139 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1140 hf_netlogon_pac_size, &pac_size);
1142 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1150 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1151 packet_info *pinfo, proto_tree *tree,
1157 di=pinfo->private_data;
1158 if(di->conformant_run){
1159 /*just a run to handle conformant arrays, nothing to dissect */
1163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1164 hf_netlogon_auth_size, &auth_size);
1166 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1168 offset += auth_size;
1175 * IDL typedef struct {
1177 * IDL [unique][size_is(pac_size)] char *pac;
1178 * IDL UNICODESTRING logondomain;
1179 * IDL UNICODESTRING logonserver;
1180 * IDL UNICODESTRING principalname;
1181 * IDL long auth_size;
1182 * IDL [unique][size_is(auth_size)] char *auth;
1183 * IDL USER_SESSION_KEY user_session_key;
1184 * IDL long expansionroom[10];
1185 * IDL UNICODESTRING dummy1;
1186 * IDL UNICODESTRING dummy2;
1187 * IDL UNICODESTRING dummy3;
1188 * IDL UNICODESTRING dummy4;
1189 * IDL } VALIDATION_PAC_INFO;
1192 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1193 packet_info *pinfo, proto_tree *tree,
1198 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1199 hf_netlogon_pac_size, NULL);
1201 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1202 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1204 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1205 hf_netlogon_logon_dom, 0);
1207 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1208 hf_netlogon_logon_srv, 0);
1210 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1211 hf_netlogon_principal, 0);
1213 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1214 hf_netlogon_auth_size, NULL);
1216 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1217 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1219 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1223 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1224 hf_netlogon_unknown_long, NULL);
1227 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1228 hf_netlogon_dummy, 0);
1230 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1231 hf_netlogon_dummy, 0);
1233 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1234 hf_netlogon_dummy, 0);
1236 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1237 hf_netlogon_dummy, 0);
1244 * IDL typedef [switch_type(short)] union {
1245 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1246 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1247 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1248 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1252 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1253 packet_info *pinfo, proto_tree *tree,
1258 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1259 hf_netlogon_validation_level, &level);
1264 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1265 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1266 "VALIDATION_SAM_INFO:", -1);
1269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1270 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1271 "VALIDATION_SAM_INFO2:", -1);
1274 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1275 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1276 "VALIDATION_PAC_INFO:", -1);
1279 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1280 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1281 "VALIDATION_PAC_INFO:", -1);
1290 * IDL long NetrLogonSamLogon(
1291 * IDL [in][unique][string] wchar_t *ServerName,
1292 * IDL [in][unique][string] wchar_t *Workstation,
1293 * IDL [in][unique] AUTHENTICATOR *credential,
1294 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1295 * IDL [in] short LogonLevel,
1296 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1297 * IDL [in] short ValidationLevel,
1298 * IDL [out][ref] VALIDATION *validation,
1299 * IDL [out][ref] boolean Authorative
1303 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1304 packet_info *pinfo, proto_tree *tree, char *drep)
1306 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1309 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1310 NDR_POINTER_UNIQUE, "Computer Name",
1311 hf_netlogon_computer_name, 0);
1313 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1314 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1315 "AUTHENTICATOR: credential", -1);
1317 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1318 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1319 "AUTHENTICATOR: return_authenticator", -1);
1321 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1322 hf_netlogon_level16, NULL);
1324 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1325 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1326 "LEVEL: LogonLevel", -1);
1328 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1329 hf_netlogon_validation_level, NULL);
1335 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1336 packet_info *pinfo, proto_tree *tree, char *drep)
1338 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1339 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1340 "AUTHENTICATOR: return_authenticator", -1);
1342 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1343 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1346 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1347 hf_netlogon_authoritative, NULL);
1349 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1350 hf_netlogon_rc, NULL);
1357 * IDL long NetrLogonSamLogoff(
1358 * IDL [in][unique][string] wchar_t *ServerName,
1359 * IDL [in][unique][string] wchar_t *ComputerName,
1360 * IDL [in][unique] AUTHENTICATOR credential,
1361 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1362 * IDL [in] short logon_level,
1363 * IDL [in][ref] LEVEL logoninformation
1367 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1368 packet_info *pinfo, proto_tree *tree, char *drep)
1370 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1373 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1374 NDR_POINTER_UNIQUE, "Computer Name",
1375 hf_netlogon_computer_name, 0);
1377 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1378 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1379 "AUTHENTICATOR: credential", -1);
1381 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1382 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1383 "AUTHENTICATOR: return_authenticator", -1);
1385 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1386 hf_netlogon_level16, NULL);
1388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1389 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1390 "LEVEL: logoninformation", -1);
1395 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1396 packet_info *pinfo, proto_tree *tree, char *drep)
1399 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1400 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1401 "AUTHENTICATOR: return_authenticator", -1);
1403 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1404 hf_netlogon_rc, NULL);
1411 * IDL long NetrServerReqChallenge(
1412 * IDL [in][unique][string] wchar_t *ServerName,
1413 * IDL [in][ref][string] wchar_t *ComputerName,
1414 * IDL [in][ref] CREDENTIAL client_credential,
1415 * IDL [out][ref] CREDENTIAL server_credential
1419 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1420 packet_info *pinfo, proto_tree *tree, char *drep)
1422 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1425 offset = dissect_ndr_pointer_cb(
1426 tvb, offset, pinfo, tree, drep,
1427 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1428 "Computer Name", hf_netlogon_computer_name,
1429 cb_wstr_postprocess,
1430 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1432 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1433 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1434 "CREDENTIAL: client challenge", -1);
1439 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1440 packet_info *pinfo, proto_tree *tree, char *drep)
1442 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1443 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1444 "CREDENTIAL: server credential", -1);
1446 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1447 hf_netlogon_rc, NULL);
1454 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1455 packet_info *pinfo, proto_tree *tree,
1458 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1459 hf_netlogon_secure_channel_type, NULL);
1466 * IDL long NetrServerAuthenticate(
1467 * IDL [in][unique][string] wchar_t *ServerName,
1468 * IDL [in][ref][string] wchar_t *UserName,
1469 * IDL [in] short secure_challenge_type,
1470 * IDL [in][ref][string] wchar_t *ComputerName,
1471 * IDL [in][ref] CREDENTIAL client_challenge,
1472 * IDL [out][ref] CREDENTIAL server_challenge
1476 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1477 packet_info *pinfo, proto_tree *tree, char *drep)
1479 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1482 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1483 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1485 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1488 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1489 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1491 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1492 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1493 "CREDENTIAL: client challenge", -1);
1498 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
1499 packet_info *pinfo, proto_tree *tree, char *drep)
1501 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1502 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1503 "CREDENTIAL: server challenge", -1);
1505 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1506 hf_netlogon_rc, NULL);
1514 * IDL typedef struct {
1515 * IDL char encrypted_password[16];
1516 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1519 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1520 packet_info *pinfo, proto_tree *tree,
1525 di=pinfo->private_data;
1526 if(di->conformant_run){
1527 /*just a run to handle conformant arrays, nothing to dissect.*/
1531 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1539 * IDL long NetrServerPasswordSet(
1540 * IDL [in][unique][string] wchar_t *ServerName,
1541 * IDL [in][ref][string] wchar_t *UserName,
1542 * IDL [in] short secure_challenge_type,
1543 * IDL [in][ref][string] wchar_t *ComputerName,
1544 * IDL [in][ref] AUTHENTICATOR credential,
1545 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1546 * IDL [out][ref] AUTHENTICATOR return_authenticator
1550 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1551 packet_info *pinfo, proto_tree *tree, char *drep)
1553 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1556 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1557 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1559 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1562 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1563 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1565 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1566 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1567 "AUTHENTICATOR: credential", -1);
1569 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1570 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1571 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
1576 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
1577 packet_info *pinfo, proto_tree *tree, char *drep)
1579 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1580 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1581 "AUTHENTICATOR: return_authenticator", -1);
1583 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1584 hf_netlogon_rc, NULL);
1591 * IDL typedef struct {
1592 * IDL [unique][string] wchar_t *UserName;
1593 * IDL UNICODESTRING dummy1;
1594 * IDL UNICODESTRING dummy2;
1595 * IDL UNICODESTRING dummy3;
1596 * IDL UNICODESTRING dummy4;
1601 * IDL } DELTA_DELETE_USER;
1604 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1605 packet_info *pinfo, proto_tree *tree,
1608 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1609 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
1611 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1612 hf_netlogon_dummy, 0);
1614 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1615 hf_netlogon_dummy, 0);
1617 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1618 hf_netlogon_dummy, 0);
1620 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1621 hf_netlogon_dummy, 0);
1623 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1624 hf_netlogon_reserved, NULL);
1626 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1627 hf_netlogon_reserved, NULL);
1629 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1630 hf_netlogon_reserved, NULL);
1632 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1633 hf_netlogon_reserved, NULL);
1640 * IDL typedef struct {
1641 * IDL bool SensitiveDataFlag;
1642 * IDL long DataLength;
1643 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1644 * IDL } USER_PRIVATE_INFO;
1647 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1648 packet_info *pinfo, proto_tree *tree,
1654 di=pinfo->private_data;
1655 if(di->conformant_run){
1656 /*just a run to handle conformant arrays, nothing to dissect */
1660 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1661 hf_netlogon_sensitive_data_len, &data_len);
1663 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
1670 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1671 packet_info *pinfo, proto_tree *tree,
1674 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1675 hf_netlogon_sensitive_data_flag, NULL);
1677 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1678 hf_netlogon_sensitive_data_len, NULL);
1680 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1681 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1682 "SENSITIVE_DATA", -1);
1688 * IDL typedef struct {
1689 * IDL UNICODESTRING UserName;
1690 * IDL UNICODESTRING FullName;
1692 * IDL long PrimaryGroupID;
1693 * IDL UNICODESTRING HomeDir;
1694 * IDL UNICODESTRING HomeDirDrive;
1695 * IDL UNICODESTRING LogonScript;
1696 * IDL UNICODESTRING Comment;
1697 * IDL UNICODESTRING Workstations;
1698 * IDL NTTIME LastLogon;
1699 * IDL NTTIME LastLogoff;
1700 * IDL LOGON_HOURS logonhours;
1701 * IDL short BadPwCount;
1702 * IDL short LogonCount;
1703 * IDL NTTIME PwLastSet;
1704 * IDL NTTIME AccountExpires;
1705 * IDL long AccountControl;
1706 * IDL LM_OWF_PASSWORD lmpw;
1707 * IDL NT_OWF_PASSWORD ntpw;
1708 * IDL bool NTPwPresent;
1709 * IDL bool LMPwPresent;
1710 * IDL bool PwExpired;
1711 * IDL UNICODESTRING UserComment;
1712 * IDL UNICODESTRING Parameters;
1713 * IDL short CountryCode;
1714 * IDL short CodePage;
1715 * IDL USER_PRIVATE_INFO user_private_info;
1716 * IDL long SecurityInformation;
1717 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1718 * IDL UNICODESTRING dummy1;
1719 * IDL UNICODESTRING dummy2;
1720 * IDL UNICODESTRING dummy3;
1721 * IDL UNICODESTRING dummy4;
1729 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1730 packet_info *pinfo, proto_tree *tree,
1733 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1734 hf_netlogon_acct_name, 3);
1736 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1737 hf_netlogon_full_name, 0);
1739 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1740 hf_netlogon_user_rid, NULL);
1742 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1743 hf_netlogon_group_rid, NULL);
1745 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1746 hf_netlogon_home_dir, 0);
1748 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1749 hf_netlogon_dir_drive, 0);
1751 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1752 hf_netlogon_logon_script, 0);
1754 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1755 hf_netlogon_acct_desc, 0);
1757 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1758 hf_netlogon_workstations, 0);
1760 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1761 hf_netlogon_logon_time);
1763 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1764 hf_netlogon_logoff_time);
1766 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1768 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_bad_pw_count16, NULL);
1771 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1772 hf_netlogon_logon_count16, NULL);
1774 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1775 hf_netlogon_pwd_last_set_time);
1777 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1778 hf_netlogon_acct_expiry_time);
1780 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
1782 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1785 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1788 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1789 hf_netlogon_nt_pwd_present, NULL);
1791 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1792 hf_netlogon_lm_pwd_present, NULL);
1794 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1795 hf_netlogon_pwd_expired, NULL);
1797 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1798 hf_netlogon_comment, 0);
1800 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1801 hf_netlogon_parameters, 0);
1803 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1804 hf_netlogon_country, NULL);
1806 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1807 hf_netlogon_codepage, NULL);
1809 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1812 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1813 hf_netlogon_security_information, NULL);
1815 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1818 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1819 hf_netlogon_dummy, 0);
1821 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1822 hf_netlogon_dummy, 0);
1824 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1825 hf_netlogon_dummy, 0);
1827 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1828 hf_netlogon_dummy, 0);
1830 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1831 hf_netlogon_reserved, NULL);
1833 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1834 hf_netlogon_reserved, NULL);
1836 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1837 hf_netlogon_reserved, NULL);
1839 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1840 hf_netlogon_reserved, NULL);
1847 * IDL typedef struct {
1848 * IDL UNICODESTRING DomainName;
1849 * IDL UNICODESTRING OEMInfo;
1850 * IDL NTTIME forcedlogoff;
1851 * IDL short minpasswdlen;
1852 * IDL short passwdhistorylen;
1853 * IDL NTTIME pwd_must_change_time;
1854 * IDL NTTIME pwd_can_change_time;
1855 * IDL NTTIME domain_modify_time;
1856 * IDL NTTIME domain_create_time;
1857 * IDL long SecurityInformation;
1858 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1859 * IDL UNICODESTRING dummy1;
1860 * IDL UNICODESTRING dummy2;
1861 * IDL UNICODESTRING dummy3;
1862 * IDL UNICODESTRING dummy4;
1867 * IDL } DELTA_DOMAIN;
1870 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1871 packet_info *pinfo, proto_tree *tree,
1874 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1875 hf_netlogon_domain_name, 3);
1877 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1878 hf_netlogon_oem_info, 0);
1880 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1881 hf_netlogon_kickoff_time);
1883 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1884 hf_netlogon_minpasswdlen, NULL);
1886 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1887 hf_netlogon_passwdhistorylen, NULL);
1889 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1890 hf_netlogon_pwd_must_change_time);
1892 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1893 hf_netlogon_pwd_can_change_time);
1895 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1896 hf_netlogon_domain_modify_time);
1898 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1899 hf_netlogon_domain_create_time);
1901 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1902 hf_netlogon_security_information, NULL);
1904 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1907 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1908 hf_netlogon_dummy, 0);
1910 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1911 hf_netlogon_dummy, 0);
1913 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1914 hf_netlogon_dummy, 0);
1916 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1917 hf_netlogon_dummy, 0);
1919 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1920 hf_netlogon_reserved, NULL);
1922 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1923 hf_netlogon_reserved, NULL);
1925 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1926 hf_netlogon_reserved, NULL);
1928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1929 hf_netlogon_reserved, NULL);
1936 * IDL typedef struct {
1937 * IDL UNICODESTRING groupname;
1938 * IDL GROUP_MEMBERSHIP group_membership;
1939 * IDL UNICODESTRING comment;
1940 * IDL long SecurityInformation;
1941 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1942 * IDL UNICODESTRING dummy1;
1943 * IDL UNICODESTRING dummy2;
1944 * IDL UNICODESTRING dummy3;
1945 * IDL UNICODESTRING dummy4;
1950 * IDL } DELTA_GROUP;
1953 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1954 packet_info *pinfo, proto_tree *tree,
1957 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1958 hf_netlogon_group_name, 3);
1960 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1963 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1964 hf_netlogon_group_desc, 0);
1966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1967 hf_netlogon_security_information, NULL);
1969 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1972 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1973 hf_netlogon_dummy, 0);
1975 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1976 hf_netlogon_dummy, 0);
1978 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1979 hf_netlogon_dummy, 0);
1981 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1982 hf_netlogon_dummy, 0);
1984 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1985 hf_netlogon_reserved, NULL);
1987 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1988 hf_netlogon_reserved, NULL);
1990 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1991 hf_netlogon_reserved, NULL);
1993 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1994 hf_netlogon_reserved, NULL);
2001 * IDL typedef struct {
2002 * IDL UNICODESTRING OldName;
2003 * IDL UNICODESTRING NewName;
2004 * IDL UNICODESTRING dummy1;
2005 * IDL UNICODESTRING dummy2;
2006 * IDL UNICODESTRING dummy3;
2007 * IDL UNICODESTRING dummy4;
2012 * IDL } DELTA_RENAME;
2015 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2016 packet_info *pinfo, proto_tree *tree,
2021 di=pinfo->private_data;
2023 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2026 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2029 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2030 hf_netlogon_dummy, 0);
2032 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2033 hf_netlogon_dummy, 0);
2035 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2036 hf_netlogon_dummy, 0);
2038 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2039 hf_netlogon_dummy, 0);
2041 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2042 hf_netlogon_reserved, NULL);
2044 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2045 hf_netlogon_reserved, NULL);
2047 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2048 hf_netlogon_reserved, NULL);
2050 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2051 hf_netlogon_reserved, NULL);
2058 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2059 packet_info *pinfo, proto_tree *tree,
2062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2063 hf_netlogon_user_rid, NULL);
2069 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2070 packet_info *pinfo, proto_tree *tree,
2073 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2074 netlogon_dissect_RID);
2080 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2081 packet_info *pinfo, proto_tree *tree,
2084 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2085 hf_netlogon_attrs, NULL);
2091 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2092 packet_info *pinfo, proto_tree *tree,
2095 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2096 netlogon_dissect_ATTRIB);
2102 * IDL typedef struct {
2103 * IDL [unique][size_is(num_rids)] long *rids;
2104 * IDL [unique][size_is(num_rids)] long *attribs;
2105 * IDL long num_rids;
2110 * IDL } DELTA_GROUP_MEMBER;
2113 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2114 packet_info *pinfo, proto_tree *tree,
2117 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2118 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2121 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2122 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2125 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2126 hf_netlogon_num_rids, NULL);
2128 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2129 hf_netlogon_reserved, NULL);
2131 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2132 hf_netlogon_reserved, NULL);
2134 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2135 hf_netlogon_reserved, NULL);
2137 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2138 hf_netlogon_reserved, NULL);
2145 * IDL typedef struct {
2146 * IDL UNICODESTRING alias_name;
2148 * IDL long SecurityInformation;
2149 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2150 * IDL UNICODESTRING dummy1;
2151 * IDL UNICODESTRING dummy2;
2152 * IDL UNICODESTRING dummy3;
2153 * IDL UNICODESTRING dummy4;
2158 * IDL } DELTA_ALIAS;
2161 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2162 packet_info *pinfo, proto_tree *tree,
2165 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2166 hf_netlogon_alias_name, 0);
2168 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2169 hf_netlogon_alias_rid, NULL);
2171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2172 hf_netlogon_security_information, NULL);
2174 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2177 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2178 hf_netlogon_dummy, 0);
2180 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2181 hf_netlogon_dummy, 0);
2183 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2184 hf_netlogon_dummy, 0);
2186 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2187 hf_netlogon_dummy, 0);
2189 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2190 hf_netlogon_reserved, NULL);
2192 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2193 hf_netlogon_reserved, NULL);
2195 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2196 hf_netlogon_reserved, NULL);
2198 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2199 hf_netlogon_reserved, NULL);
2206 * IDL typedef struct {
2207 * IDL [unique] SID_ARRAY sids;
2212 * IDL } DELTA_ALIAS_MEMBER;
2215 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2216 packet_info *pinfo, proto_tree *tree,
2219 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2221 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2222 hf_netlogon_reserved, NULL);
2224 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2225 hf_netlogon_reserved, NULL);
2227 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2228 hf_netlogon_reserved, NULL);
2230 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2231 hf_netlogon_reserved, NULL);
2238 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2239 packet_info *pinfo, proto_tree *tree,
2242 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2243 hf_netlogon_event_audit_option, NULL);
2249 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2250 packet_info *pinfo, proto_tree *tree,
2253 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2254 netlogon_dissect_EVENT_AUDIT_OPTION);
2261 * IDL typedef struct {
2262 * IDL long pagedpoollimit;
2263 * IDL long nonpagedpoollimit;
2264 * IDL long minimumworkingsetsize;
2265 * IDL long maximumworkingsetsize;
2266 * IDL long pagefilelimit;
2267 * IDL NTTIME timelimit;
2268 * IDL } QUOTA_LIMITS;
2271 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2272 packet_info *pinfo, proto_tree *parent_tree,
2275 proto_item *item=NULL;
2276 proto_tree *tree=NULL;
2277 int old_offset=offset;
2280 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2282 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2285 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2286 hf_netlogon_pagedpoollimit, NULL);
2288 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2289 hf_netlogon_nonpagedpoollimit, NULL);
2291 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2292 hf_netlogon_minworkingsetsize, NULL);
2294 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2295 hf_netlogon_maxworkingsetsize, NULL);
2297 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2298 hf_netlogon_pagefilelimit, NULL);
2300 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2301 hf_netlogon_timelimit);
2303 proto_item_set_len(item, offset-old_offset);
2309 * IDL typedef struct {
2310 * IDL long maxlogsize;
2311 * IDL NTTIME auditretentionperiod;
2312 * IDL bool auditingmode;
2313 * IDL long maxauditeventcount;
2314 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2315 * IDL UNICODESTRING primarydomainname;
2316 * IDL [unique] SID *sid;
2317 * IDL QUOTA_LIMITS quota_limits;
2318 * IDL NTTIME db_modify_time;
2319 * IDL NTTIME db_create_time;
2320 * IDL long SecurityInformation;
2321 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2322 * IDL UNICODESTRING dummy1;
2323 * IDL UNICODESTRING dummy2;
2324 * IDL UNICODESTRING dummy3;
2325 * IDL UNICODESTRING dummy4;
2330 * IDL } DELTA_POLICY;
2333 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2334 packet_info *pinfo, proto_tree *tree,
2337 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2338 hf_netlogon_max_log_size, NULL);
2340 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2341 hf_netlogon_audit_retention_period);
2343 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2344 hf_netlogon_auditing_mode, NULL);
2346 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2347 hf_netlogon_max_audit_event_count, NULL);
2349 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2350 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2351 "Event Audit Options:", -1);
2353 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2354 hf_netlogon_domain_name, 0);
2356 offset = dissect_ndr_nt_PSID(tvb, offset,
2357 pinfo, tree, drep, -1);
2359 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2362 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2363 hf_netlogon_db_modify_time);
2365 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2366 hf_netlogon_db_create_time);
2368 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2369 hf_netlogon_security_information, NULL);
2371 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2374 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2375 hf_netlogon_dummy, 0);
2377 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2378 hf_netlogon_dummy, 0);
2380 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2381 hf_netlogon_dummy, 0);
2383 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2384 hf_netlogon_dummy, 0);
2386 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2387 hf_netlogon_reserved, NULL);
2389 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2390 hf_netlogon_reserved, NULL);
2392 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2393 hf_netlogon_reserved, NULL);
2395 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2396 hf_netlogon_reserved, NULL);
2403 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2404 packet_info *pinfo, proto_tree *tree,
2407 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2408 hf_netlogon_dc_name, 0);
2414 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2415 packet_info *pinfo, proto_tree *tree,
2418 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2419 netlogon_dissect_CONTROLLER);
2426 * IDL typedef struct {
2427 * IDL UNICODESTRING DomainName;
2428 * IDL long num_controllers;
2429 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2430 * IDL long SecurityInformation;
2431 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2432 * IDL UNICODESTRING dummy1;
2433 * IDL UNICODESTRING dummy2;
2434 * IDL UNICODESTRING dummy3;
2435 * IDL UNICODESTRING dummy4;
2440 * IDL } DELTA_TRUSTED_DOMAINS;
2443 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2444 packet_info *pinfo, proto_tree *tree,
2447 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2448 hf_netlogon_domain_name, 0);
2450 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2451 hf_netlogon_num_controllers, NULL);
2453 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2454 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2455 "Domain Controllers:", -1);
2457 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2458 hf_netlogon_security_information, NULL);
2460 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2463 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2464 hf_netlogon_dummy, 0);
2466 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2467 hf_netlogon_dummy, 0);
2469 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2470 hf_netlogon_dummy, 0);
2472 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2473 hf_netlogon_dummy, 0);
2475 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2476 hf_netlogon_reserved, NULL);
2478 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2479 hf_netlogon_reserved, NULL);
2481 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2482 hf_netlogon_reserved, NULL);
2484 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2485 hf_netlogon_reserved, NULL);
2492 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2493 packet_info *pinfo, proto_tree *tree,
2496 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2497 hf_netlogon_attrs, NULL);
2503 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2504 packet_info *pinfo, proto_tree *tree,
2507 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2508 netlogon_dissect_PRIV_ATTR);
2514 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2515 packet_info *pinfo, proto_tree *tree,
2518 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2519 hf_netlogon_privilege_name, 1);
2525 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2526 packet_info *pinfo, proto_tree *tree,
2529 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2530 netlogon_dissect_PRIV_NAME);
2538 * IDL typedef struct {
2539 * IDL long privilegeentries;
2540 * IDL long provolegecontrol;
2541 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2542 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2543 * IDL QUOTALIMITS quotalimits;
2544 * IDL long SecurityInformation;
2545 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2546 * IDL UNICODESTRING dummy1;
2547 * IDL UNICODESTRING dummy2;
2548 * IDL UNICODESTRING dummy3;
2549 * IDL UNICODESTRING dummy4;
2554 * IDL } DELTA_ACCOUNTS;
2557 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2558 packet_info *pinfo, proto_tree *tree,
2561 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2562 hf_netlogon_privilege_entries, NULL);
2564 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2565 hf_netlogon_privilege_control, NULL);
2567 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2568 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2569 "PRIV_ATTR_ARRAY:", -1);
2571 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2572 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2573 "PRIV_NAME_ARRAY:", -1);
2575 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2578 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2579 hf_netlogon_systemflags, NULL);
2581 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2582 hf_netlogon_security_information, NULL);
2584 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2587 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2588 hf_netlogon_dummy, 0);
2590 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2591 hf_netlogon_dummy, 0);
2593 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2594 hf_netlogon_dummy, 0);
2596 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2597 hf_netlogon_dummy, 0);
2599 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2600 hf_netlogon_reserved, NULL);
2602 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2603 hf_netlogon_reserved, NULL);
2605 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2606 hf_netlogon_reserved, NULL);
2608 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2609 hf_netlogon_reserved, NULL);
2615 * IDL typedef struct {
2618 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2619 * IDL } CIPHER_VALUE;
2622 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2623 packet_info *pinfo, proto_tree *tree,
2629 di=pinfo->private_data;
2630 if(di->conformant_run){
2631 /*just a run to handle conformant arrays, nothing to dissect */
2635 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2636 hf_netlogon_cipher_maxlen, NULL);
2641 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2642 hf_netlogon_cipher_len, &data_len);
2644 proto_tree_add_item(tree, di->hf_index, tvb, offset,
2651 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2652 packet_info *pinfo, proto_tree *parent_tree,
2653 char *drep, char *name, int hf_index)
2655 proto_item *item=NULL;
2656 proto_tree *tree=NULL;
2657 int old_offset=offset;
2660 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2662 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2665 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2666 hf_netlogon_cipher_len, NULL);
2668 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2669 hf_netlogon_cipher_maxlen, NULL);
2671 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2672 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
2675 proto_item_set_len(item, offset-old_offset);
2680 * IDL typedef struct {
2681 * IDL CIPHER_VALUE current_cipher;
2682 * IDL NTTIME current_cipher_set_time;
2683 * IDL CIPHER_VALUE old_cipher;
2684 * IDL NTTIME old_cipher_set_time;
2685 * IDL long SecurityInformation;
2686 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2687 * IDL UNICODESTRING dummy1;
2688 * IDL UNICODESTRING dummy2;
2689 * IDL UNICODESTRING dummy3;
2690 * IDL UNICODESTRING dummy4;
2695 * IDL } DELTA_SECRET;
2698 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2699 packet_info *pinfo, proto_tree *tree,
2702 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2704 "CIPHER_VALUE: current cipher value",
2705 hf_netlogon_cipher_current_data);
2707 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2708 hf_netlogon_cipher_current_set_time);
2710 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2712 "CIPHER_VALUE: old cipher value",
2713 hf_netlogon_cipher_old_data);
2715 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2716 hf_netlogon_cipher_old_set_time);
2718 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2719 hf_netlogon_security_information, NULL);
2721 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2724 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2725 hf_netlogon_dummy, 0);
2727 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2728 hf_netlogon_dummy, 0);
2730 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2731 hf_netlogon_dummy, 0);
2733 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2734 hf_netlogon_dummy, 0);
2736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2737 hf_netlogon_reserved, NULL);
2739 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2740 hf_netlogon_reserved, NULL);
2742 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2743 hf_netlogon_reserved, NULL);
2745 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2746 hf_netlogon_reserved, NULL);
2752 * IDL typedef struct {
2753 * IDL long low_value;
2754 * IDL long high_value;
2758 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2759 packet_info *pinfo, proto_tree *tree,
2762 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2763 hf_netlogon_modify_count, NULL);
2769 #define DT_DELTA_DOMAIN 1
2770 #define DT_DELTA_GROUP 2
2771 #define DT_DELTA_RENAME_GROUP 4
2772 #define DT_DELTA_USER 5
2773 #define DT_DELTA_RENAME_USER 7
2774 #define DT_DELTA_GROUP_MEMBER 8
2775 #define DT_DELTA_ALIAS 9
2776 #define DT_DELTA_RENAME_ALIAS 11
2777 #define DT_DELTA_ALIAS_MEMBER 12
2778 #define DT_DELTA_POLICY 13
2779 #define DT_DELTA_TRUSTED_DOMAINS 14
2780 #define DT_DELTA_ACCOUNTS 16
2781 #define DT_DELTA_SECRET 18
2782 #define DT_DELTA_DELETE_GROUP 20
2783 #define DT_DELTA_DELETE_USER 21
2784 #define DT_MODIFIED_COUNT 22
2785 static const value_string delta_type_vals[] = {
2786 { DT_DELTA_DOMAIN, "Domain" },
2787 { DT_DELTA_GROUP, "Group" },
2788 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2789 { DT_DELTA_USER, "User" },
2790 { DT_DELTA_RENAME_USER, "Rename User" },
2791 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2792 { DT_DELTA_ALIAS, "Alias" },
2793 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2794 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2795 { DT_DELTA_POLICY, "Policy" },
2796 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2797 { DT_DELTA_ACCOUNTS, "Accounts" },
2798 { DT_DELTA_SECRET, "Secret" },
2799 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2800 { DT_DELTA_DELETE_USER, "Delete User" },
2801 { DT_MODIFIED_COUNT, "Modified Count" },
2805 * IDL typedef [switch_type(short)] union {
2806 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2807 * IDL [case(2)][unique] DELTA_GROUP *group;
2808 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2809 * IDL [case(5)][unique] DELTA_USER *user;
2810 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2811 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2812 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2813 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2814 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2815 * IDL [case(13)][unique] DELTA_POLICY *policy;
2816 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2817 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2818 * IDL [case(18)][unique] DELTA_SECRET *secret;
2819 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2820 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2821 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2822 * IDL } DELTA_UNION;
2825 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2826 packet_info *pinfo, proto_tree *parent_tree,
2829 proto_item *item=NULL;
2830 proto_tree *tree=NULL;
2831 int old_offset=offset;
2835 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2837 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2840 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2841 hf_netlogon_delta_type, &level);
2846 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2847 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2848 "DELTA_DOMAIN:", -1);
2851 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2852 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2853 "DELTA_GROUP:", -1);
2856 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2857 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2858 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
2861 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2862 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2866 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2867 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2868 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
2871 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2872 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2873 "DELTA_GROUP_MEMBER:", -1);
2876 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2877 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2878 "DELTA_ALIAS:", -1);
2881 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2882 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2883 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
2886 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2887 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2888 "DELTA_ALIAS_MEMBER:", -1);
2891 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2892 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2893 "DELTA_POLICY:", -1);
2896 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2897 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2898 "DELTA_TRUSTED_DOMAINS:", -1);
2901 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2902 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2903 "DELTA_ACCOUNTS:", -1);
2906 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2907 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2908 "DELTA_SECRET:", -1);
2911 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2912 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2913 "DELTA_DELETE_GROUP:", -1);
2916 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2917 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2918 "DELTA_DELETE_USER:", -1);
2921 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2922 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2923 "MODIFIED_COUNT:", -1);
2927 proto_item_set_len(item, offset-old_offset);
2933 /* IDL XXX must verify this one, especially 13-19
2934 * IDL typedef [switch_type(short)] union {
2935 * IDL [case(1)] long rid;
2936 * IDL [case(2)] long rid;
2937 * IDL [case(3)] long rid;
2938 * IDL [case(4)] long rid;
2939 * IDL [case(5)] long rid;
2940 * IDL [case(6)] long rid;
2941 * IDL [case(7)] long rid;
2942 * IDL [case(8)] long rid;
2943 * IDL [case(9)] long rid;
2944 * IDL [case(10)] long rid;
2945 * IDL [case(11)] long rid;
2946 * IDL [case(12)] long rid;
2947 * IDL [case(13)] [unique] SID *sid;
2948 * IDL [case(14)] [unique] SID *sid;
2949 * IDL [case(15)] [unique] SID *sid;
2950 * IDL [case(16)] [unique] SID *sid;
2951 * IDL [case(17)] [unique] SID *sid;
2952 * IDL [case(18)] [unique][string] wchar_t *Name ;
2953 * IDL [case(19)] [unique][string] wchar_t *Name ;
2954 * IDL [case(20)] long rid;
2955 * IDL [case(21)] long rid;
2956 * IDL } DELTA_ID_UNION;
2959 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2960 packet_info *pinfo, proto_tree *parent_tree,
2963 proto_item *item=NULL;
2964 proto_tree *tree=NULL;
2965 int old_offset=offset;
2969 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2971 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2974 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2975 hf_netlogon_delta_type, &level);
2980 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2981 hf_netlogon_group_rid, NULL);
2984 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2985 hf_netlogon_user_rid, NULL);
2988 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2989 hf_netlogon_user_rid, NULL);
2992 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2993 hf_netlogon_user_rid, NULL);
2996 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2997 hf_netlogon_user_rid, NULL);
3000 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3001 hf_netlogon_user_rid, NULL);
3004 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3005 hf_netlogon_user_rid, NULL);
3008 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3009 hf_netlogon_user_rid, NULL);
3012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3013 hf_netlogon_user_rid, NULL);
3016 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3017 hf_netlogon_user_rid, NULL);
3020 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3021 hf_netlogon_user_rid, NULL);
3024 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3025 hf_netlogon_user_rid, NULL);
3028 offset = dissect_ndr_nt_PSID(tvb, offset,
3029 pinfo, tree, drep, -1);
3032 offset = dissect_ndr_nt_PSID(tvb, offset,
3033 pinfo, tree, drep, -1);
3036 offset = dissect_ndr_nt_PSID(tvb, offset,
3037 pinfo, tree, drep, -1);
3040 offset = dissect_ndr_nt_PSID(tvb, offset,
3041 pinfo, tree, drep, -1);
3044 offset = dissect_ndr_nt_PSID(tvb, offset,
3045 pinfo, tree, drep, -1);
3048 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3049 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3050 hf_netlogon_unknown_string, 0);
3053 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3054 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3055 hf_netlogon_unknown_string, 0);
3058 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3059 hf_netlogon_user_rid, NULL);
3062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3063 hf_netlogon_user_rid, NULL);
3067 proto_item_set_len(item, offset-old_offset);
3072 * IDL typedef struct {
3073 * IDL short delta_type;
3074 * IDL DELTA_ID_UNION delta_id_union;
3075 * IDL DELTA_UNION delta_union;
3079 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3080 packet_info *pinfo, proto_tree *parent_tree,
3083 proto_item *item=NULL;
3084 proto_tree *tree=NULL;
3085 int old_offset=offset;
3089 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3091 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3094 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3095 hf_netlogon_delta_type, &type);
3097 proto_item_append_text(item, val_to_str(
3098 type, delta_type_vals, "Unknown"));
3100 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3103 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3106 proto_item_set_len(item, offset-old_offset);
3111 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3112 packet_info *pinfo, proto_tree *tree,
3115 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3116 netlogon_dissect_DELTA_ENUM);
3122 * IDL typedef struct {
3123 * IDL long num_deltas;
3124 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3125 * IDL } DELTA_ENUM_ARRAY;
3128 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3129 packet_info *pinfo, proto_tree *tree,
3132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3133 hf_netlogon_num_deltas, NULL);
3135 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3136 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3137 "DELTA_ENUM: deltas", -1);
3144 * IDL long NetrDatabaseDeltas(
3145 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3146 * IDL [in][string][ref] wchar_t *computername,
3147 * IDL [in][ref] AUTHENTICATOR credential,
3148 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3149 * IDL [in] long database_id,
3150 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3151 * IDL [in] long preferredmaximumlength,
3152 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3156 netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
3157 packet_info *pinfo, proto_tree *tree, char *drep)
3159 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3160 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3162 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3163 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3165 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3166 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3167 "AUTHENTICATOR: credential", -1);
3169 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3170 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3171 "AUTHENTICATOR: return_authenticator", -1);
3173 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3174 hf_netlogon_database_id, NULL);
3176 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3177 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3178 "MODIFIED_COUNT: domain modified count", -1);
3180 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3181 hf_netlogon_max_size, NULL);
3186 netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
3187 packet_info *pinfo, proto_tree *tree, char *drep)
3189 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3190 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3191 "AUTHENTICATOR: return_authenticator", -1);
3193 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3194 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3195 "MODIFIED_COUNT: domain modified count", -1);
3197 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3198 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3199 "DELTA_ENUM_ARRAY: deltas", -1);
3201 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3202 hf_netlogon_rc, NULL);
3209 * IDL long NetrDatabaseSync(
3210 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3211 * IDL [in][string][ref] wchar_t *computername,
3212 * IDL [in][ref] AUTHENTICATOR credential,
3213 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3214 * IDL [in] long database_id,
3215 * IDL [in][out][ref] long sync_context,
3216 * IDL [in] long preferredmaximumlength,
3217 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3221 netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
3222 packet_info *pinfo, proto_tree *tree, char *drep)
3224 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3225 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3227 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3228 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3230 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3231 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3232 "AUTHENTICATOR: credential", -1);
3234 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3235 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3236 "AUTHENTICATOR: return_authenticator", -1);
3238 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3239 hf_netlogon_database_id, NULL);
3241 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3242 hf_netlogon_sync_context, NULL);
3244 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3245 hf_netlogon_max_size, NULL);
3252 netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
3253 packet_info *pinfo, proto_tree *tree, char *drep)
3255 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3256 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3257 "AUTHENTICATOR: return_authenticator", -1);
3259 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3260 hf_netlogon_sync_context, NULL);
3262 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3263 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3264 "DELTA_ENUM_ARRAY: deltas", -1);
3266 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3267 hf_netlogon_rc, NULL);
3273 * IDL typedef struct {
3274 * IDL char computer_name[16];
3275 * IDL long timecreated;
3276 * IDL long serial_number;
3280 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3281 packet_info *pinfo, proto_tree *tree,
3286 di=pinfo->private_data;
3287 if(di->conformant_run){
3288 /*just a run to handle conformant arrays, nothing to dissect */
3292 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3295 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3298 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3299 hf_netlogon_serial_number, NULL);
3306 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3307 packet_info *pinfo, proto_tree *tree,
3310 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3311 hf_netlogon_unknown_char, NULL);
3317 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3318 packet_info *pinfo, proto_tree *tree,
3321 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3322 netlogon_dissect_BYTE_byte);
3328 * IDL long NetrAccountDeltas(
3329 * IDL [in][string][unique] wchar_t *logonserver,
3330 * IDL [in][string][ref] wchar_t *computername,
3331 * IDL [in][ref] AUTHENTICATOR credential,
3332 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3333 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3334 * IDL [out][ref] long count_returned,
3335 * IDL [out][ref] long total_entries,
3336 * IDL [in][out][ref] UAS_INFO_0 recordid,
3337 * IDL [in][long] count,
3338 * IDL [in][long] level,
3339 * IDL [in][long] buffersize,
3343 netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
3344 packet_info *pinfo, proto_tree *tree, char *drep)
3346 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3349 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3350 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3352 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3353 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3354 "AUTHENTICATOR: credential", -1);
3356 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3357 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3358 "AUTHENTICATOR: return_authenticator", -1);
3360 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3361 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3362 "UAS_INFO_0: RecordID", -1);
3364 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3365 hf_netlogon_count, NULL);
3367 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3368 hf_netlogon_level, NULL);
3370 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3371 hf_netlogon_max_size, NULL);
3376 netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
3377 packet_info *pinfo, proto_tree *tree, char *drep)
3379 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3380 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3381 "AUTHENTICATOR: return_authenticator", -1);
3383 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3384 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3385 "BYTE_array: Buffer", -1);
3387 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3388 hf_netlogon_count, NULL);
3390 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3391 hf_netlogon_entries, NULL);
3393 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3394 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3395 "UAS_INFO_0: RecordID", -1);
3397 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3398 hf_netlogon_rc, NULL);
3405 * IDL long NetrAccountSync(
3406 * IDL [in][string][unique] wchar_t *logonserver,
3407 * IDL [in][string][ref] wchar_t *computername,
3408 * IDL [in][ref] AUTHENTICATOR credential,
3409 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3410 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3411 * IDL [out][ref] long count_returned,
3412 * IDL [out][ref] long total_entries,
3413 * IDL [out][ref] long next_reference,
3414 * IDL [in][long] reference,
3415 * IDL [in][long] level,
3416 * IDL [in][long] buffersize,
3417 * IDL [in][out][ref] UAS_INFO_0 recordid,
3421 netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
3422 packet_info *pinfo, proto_tree *tree, char *drep)
3424 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3427 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3428 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3430 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3431 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3432 "AUTHENTICATOR: credential", -1);
3434 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3435 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3436 "AUTHENTICATOR: return_authenticator", -1);
3438 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3439 hf_netlogon_reference, NULL);
3441 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3442 hf_netlogon_level, NULL);
3444 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3445 hf_netlogon_max_size, NULL);
3450 netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
3451 packet_info *pinfo, proto_tree *tree, char *drep)
3453 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3454 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3455 "AUTHENTICATOR: return_authenticator", -1);
3457 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3458 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3459 "BYTE_array: Buffer", -1);
3461 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3462 hf_netlogon_count, NULL);
3464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3465 hf_netlogon_entries, NULL);
3467 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3468 hf_netlogon_next_reference, NULL);
3470 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3471 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3472 "UAS_INFO_0: RecordID", -1);
3474 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3475 hf_netlogon_rc, NULL);
3482 * IDL long NetrGetDcName(
3483 * IDL [in][ref][string] wchar_t *logon_server,
3484 * IDL [in][unique][string] wchar_t *domainname,
3485 * IDL [out][unique][string] wchar_t *dcname,
3489 netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
3490 packet_info *pinfo, proto_tree *tree, char *drep)
3492 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3493 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3495 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3496 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3501 netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
3502 packet_info *pinfo, proto_tree *tree, char *drep)
3504 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3505 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3507 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3508 hf_netlogon_rc, NULL);
3516 * IDL typedef struct {
3518 * IDL long pdc_connection_status;
3519 * IDL } NETLOGON_INFO_1;
3522 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3523 packet_info *pinfo, proto_tree *tree,
3526 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3527 hf_netlogon_flags, NULL);
3529 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3530 hf_netlogon_pdc_connection_status, NULL);
3537 * IDL typedef struct {
3539 * IDL long pdc_connection_status;
3540 * IDL [unique][string] wchar_t trusted_dc_name;
3541 * IDL long tc_connection_status;
3542 * IDL } NETLOGON_INFO_2;
3545 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3546 packet_info *pinfo, proto_tree *tree,
3549 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3550 hf_netlogon_flags, NULL);
3552 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3553 hf_netlogon_pdc_connection_status, NULL);
3555 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3556 NDR_POINTER_UNIQUE, "Trusted DC Name",
3557 hf_netlogon_trusted_dc_name, 0);
3559 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3560 hf_netlogon_tc_connection_status, NULL);
3567 * IDL typedef struct {
3569 * IDL long logon_attempts;
3570 * IDL long reserved;
3571 * IDL long reserved;
3572 * IDL long reserved;
3573 * IDL long reserved;
3574 * IDL long reserved;
3575 * IDL } NETLOGON_INFO_3;
3578 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3579 packet_info *pinfo, proto_tree *tree,
3582 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3583 hf_netlogon_flags, NULL);
3585 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3586 hf_netlogon_logon_attempts, NULL);
3588 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3589 hf_netlogon_reserved, NULL);
3591 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3592 hf_netlogon_reserved, NULL);
3594 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3595 hf_netlogon_reserved, NULL);
3597 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3598 hf_netlogon_reserved, NULL);
3600 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3601 hf_netlogon_reserved, NULL);
3608 * IDL typedef [switch_type(long)] union {
3609 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3610 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3611 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3612 * IDL } CONTROL_QUERY_INFORMATION;
3615 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3616 packet_info *pinfo, proto_tree *tree,
3621 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3622 hf_netlogon_level, &level);
3627 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3628 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3629 "NETLOGON_INFO_1:", -1);
3632 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3633 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3634 "NETLOGON_INFO_2:", -1);
3637 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3638 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3639 "NETLOGON_INFO_3:", -1);
3648 * IDL long NetrLogonControl(
3649 * IDL [in][string][unique] wchar_t *logonserver,
3650 * IDL [in] long function_code,
3651 * IDL [in] long level,
3652 * IDL [out][ref] CONTROL_QUERY_INFORMATION
3656 netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3657 packet_info *pinfo, proto_tree *tree, char *drep)
3659 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3662 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3663 hf_netlogon_code, NULL);
3665 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3666 hf_netlogon_level, NULL);
3671 netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
3672 packet_info *pinfo, proto_tree *tree, char *drep)
3674 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3675 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3676 "CONTROL_QUERY_INFORMATION:", -1);
3678 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3679 hf_netlogon_rc, NULL);
3686 * IDL long NetrGetAnyDCName(
3687 * IDL [in][unique][string] wchar_t *logon_server,
3688 * IDL [in][unique][string] wchar_t *domainname,
3689 * IDL [out][unique][string] wchar_t *dcname,
3693 netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
3694 packet_info *pinfo, proto_tree *tree, char *drep)
3696 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3697 NDR_POINTER_UNIQUE, "Server Handle",
3698 hf_netlogon_logonsrv_handle, 0);
3700 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3701 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3706 netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
3707 packet_info *pinfo, proto_tree *tree, char *drep)
3709 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3710 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3712 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3713 hf_netlogon_rc, NULL);
3720 * IDL typedef [switch_type(long)] union {
3721 * IDL [case(5)] [unique][string] wchar_t *unknown;
3722 * IDL [case(6)] [unique][string] wchar_t *unknown;
3723 * IDL [case(0xfffe)] long unknown;
3724 * IDL [case(7)] [unique][string] wchar_t *unknown;
3725 * IDL } CONTROL_DATA_INFORMATION;
3728 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3729 * to look like. However NetMon does not recognize any such informationlevels.
3731 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
3732 * until someone has any source of better authority to call upon.
3735 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3736 packet_info *pinfo, proto_tree *tree,
3741 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3742 hf_netlogon_level, &level);
3747 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3748 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3749 hf_netlogon_unknown_string, 0);
3752 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3753 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3754 hf_netlogon_unknown_string, 0);
3757 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3758 hf_netlogon_unknown_long, NULL);
3761 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3762 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3763 hf_netlogon_unknown_string, 0);
3772 * IDL long NetrLogonControl2(
3773 * IDL [in][string][unique] wchar_t *logonserver,
3774 * IDL [in] long function_code,
3775 * IDL [in] long level,
3776 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3777 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3781 netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3782 packet_info *pinfo, proto_tree *tree, char *drep)
3784 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3787 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3788 hf_netlogon_code, NULL);
3790 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3791 hf_netlogon_level, NULL);
3793 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3794 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3795 "CONTROL_DATA_INFORMATION: ", -1);
3801 netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3802 packet_info *pinfo, proto_tree *tree, char *drep)
3804 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3805 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3806 "CONTROL_QUERY_INFORMATION:", -1);
3808 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3809 hf_netlogon_rc, NULL);
3816 * IDL long NetrServerAuthenticate2(
3817 * IDL [in][string][unique] wchar_t *logonserver,
3818 * IDL [in][ref][string] wchar_t *username,
3819 * IDL [in] short secure_channel_type,
3820 * IDL [in][ref][string] wchar_t *computername,
3821 * IDL [in][ref] CREDENTIAL *client_chal,
3822 * IDL [out][ref] CREDENTIAL *server_chal,
3823 * IDL [in][out][ref] long *negotiate_flags,
3827 netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3828 packet_info *pinfo, proto_tree *tree, char *drep)
3830 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3833 offset = dissect_ndr_pointer_cb(
3834 tvb, offset, pinfo, tree, drep,
3835 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
3836 "User Name", hf_netlogon_acct_name,
3837 cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));
3839 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3842 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3843 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3845 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3846 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3847 "CREDENTIAL: client_chal", -1);
3849 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3850 hf_netlogon_neg_flags, NULL);
3856 netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3857 packet_info *pinfo, proto_tree *tree, char *drep)
3859 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3860 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3861 "CREDENTIAL: server_chal", -1);
3863 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3864 hf_netlogon_neg_flags, NULL);
3866 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3867 hf_netlogon_rc, NULL);
3874 * IDL long NetrDatabaseSync2(
3875 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3876 * IDL [in][string][ref] wchar_t *computername,
3877 * IDL [in][ref] AUTHENTICATOR credential,
3878 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3879 * IDL [in] long database_id,
3880 * IDL [in] short restart_state,
3881 * IDL [in][out][ref] long *sync_context,
3882 * IDL [in] long preferredmaximumlength,
3883 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3887 netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
3888 packet_info *pinfo, proto_tree *tree, char *drep)
3890 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3891 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3893 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3894 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3896 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3897 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3898 "AUTHENTICATOR: credential", -1);
3900 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3901 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3902 "AUTHENTICATOR: return_authenticator", -1);
3904 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3905 hf_netlogon_database_id, NULL);
3907 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3908 hf_netlogon_restart_state, NULL);
3910 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3911 hf_netlogon_sync_context, NULL);
3913 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3914 hf_netlogon_max_size, NULL);
3920 netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
3921 packet_info *pinfo, proto_tree *tree, char *drep)
3923 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3924 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3925 "AUTHENTICATOR: return_authenticator", -1);
3927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3928 hf_netlogon_sync_context, NULL);
3930 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3931 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3932 "DELTA_ENUM_ARRAY: deltas", -1);
3934 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3935 hf_netlogon_rc, NULL);
3942 * IDL long NetrDatabaseRedo(
3943 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3944 * IDL [in][string][ref] wchar_t *computername,
3945 * IDL [in][ref] AUTHENTICATOR credential,
3946 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3947 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3948 * IDL [in] long change_log_entry_size,
3949 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3953 netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
3954 packet_info *pinfo, proto_tree *tree, char *drep)
3956 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3957 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3959 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3960 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3962 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3963 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3964 "AUTHENTICATOR: credential", -1);
3966 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3967 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3968 "AUTHENTICATOR: return_authenticator", -1);
3970 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3971 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3972 "Change log entry: ", -1);
3974 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3975 hf_netlogon_max_log_size, NULL);
3981 netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
3982 packet_info *pinfo, proto_tree *tree, char *drep)
3984 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3985 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3986 "AUTHENTICATOR: return_authenticator", -1);
3988 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3989 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3990 "DELTA_ENUM_ARRAY: deltas", -1);
3992 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3993 hf_netlogon_rc, NULL);
4000 * IDL long NetrLogonControl2Ex(
4001 * IDL [in][string][unique] wchar_t *logonserver,
4002 * IDL [in] long function_code,
4003 * IDL [in] long level,
4004 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4005 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4009 netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
4010 packet_info *pinfo, proto_tree *tree, char *drep)
4012 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4015 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4016 hf_netlogon_code, NULL);
4018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4019 hf_netlogon_level, NULL);
4021 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4022 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4023 "CONTROL_DATA_INFORMATION: ", -1);
4028 netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
4029 packet_info *pinfo, proto_tree *tree, char *drep)
4031 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4032 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4033 "CONTROL_QUERY_INFORMATION:", -1);
4035 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4036 hf_netlogon_rc, NULL);
4044 static const value_string trust_type_vals[] = {
4052 #define DS_INET_ADDRESS 1
4053 #define DS_NETBIOS_ADDRESS 2
4054 static const value_string dc_address_types[] = {
4055 { DS_INET_ADDRESS, "IP/DNS name" },
4056 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
4061 #define DS_DOMAIN_IN_FOREST 0x0001
4062 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4063 #define DS_DOMAIN_TREE_ROOT 0x0004
4064 #define DS_DOMAIN_PRIMARY 0x0008
4065 #define DS_DOMAIN_NATIVE_MODE 0x0010
4066 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
4067 static const true_false_string trust_inbound = {
4068 "There is a DIRECT INBOUND trust for the servers domain",
4069 "There is NO direct inbound trust for the servers domain"
4071 static const true_false_string trust_outbound = {
4072 "There is a DIRECT OUTBOUND trust for this domain",
4073 "There is NO direct outbound trust for this domain"
4075 static const true_false_string trust_in_forest = {
4076 "The domain is a member IN the same FOREST as the queried server",
4077 "The domain is NOT a member of the queried servers domain"
4079 static const true_false_string trust_native_mode = {
4080 "The primary domain is a NATIVE MODE w2k domain",
4081 "The primary is NOT a native mode w2k domain"
4083 static const true_false_string trust_primary = {
4084 "The domain is the PRIMARY domain of the queried server",
4085 "The domain is NOT the primary domain of the queried server"
4087 static const true_false_string trust_tree_root = {
4088 "The domain is the ROOT of a domain TREE",
4089 "The domain is NOT a root of a domain tree"
4092 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4093 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4096 proto_item *item = NULL;
4097 proto_tree *tree = NULL;
4100 di=pinfo->private_data;
4101 if(di->conformant_run){
4102 /*just a run to handle conformant arrays, nothing to dissect */
4106 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4107 hf_netlogon_trust_flags, &mask);
4110 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4111 tvb, offset-4, 4, mask);
4112 tree = proto_item_add_subtree(item, ett_trust_flags);
4115 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4116 tvb, offset-4, 4, mask);
4117 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4118 tvb, offset-4, 4, mask);
4119 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4120 tvb, offset-4, 4, mask);
4121 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4122 tvb, offset-4, 4, mask);
4123 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4124 tvb, offset-4, 4, mask);
4125 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4126 tvb, offset-4, 4, mask);
4132 #define DS_FORCE_REDISCOVERY 0x00000001
4133 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
4134 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
4135 #define DS_GC_SERVER_REQUIRED 0x00000040
4136 #define DS_PDC_REQUIRED 0x00000080
4137 #define DS_BACKGROUND_ONLY 0x00000100
4138 #define DS_IP_REQUIRED 0x00000200
4139 #define DS_KDC_REQUIRED 0x00000400
4140 #define DS_TIMESERV_REQUIRED 0x00000800
4141 #define DS_WRITABLE_REQUIRED 0x00001000
4142 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
4143 #define DS_AVOID_SELF 0x00004000
4144 #define DS_ONLY_LDAP_NEEDED 0x00008000
4145 #define DS_IS_FLAT_NAME 0x00010000
4146 #define DS_IS_DNS_NAME 0x00020000
4147 #define DS_RETURN_DNS_NAME 0x40000000
4148 #define DS_RETURN_FLAT_NAME 0x80000000
4149 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4150 "FORCE REDISCOVERY of any cached data",
4151 "You may return cached data"
4153 static const true_false_string get_dcname_request_flags_directory_service_required = {
4154 "DIRECRTORY SERVICE is REQUIRED on the server",
4155 "We do NOT require directory service servers"
4157 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4158 "DIRECTORY SERVICE servers are PREFERRED",
4159 "We do NOT have a preference for directory service servers"
4161 static const true_false_string get_dcname_request_flags_gc_server_required = {
4162 "GC SERVER is REQUIRED",
4163 "gc server is NOT required"
4165 static const true_false_string get_dcname_request_flags_pdc_required = {
4166 "PDC SERVER is REQUIRED",
4167 "pdc server is NOT required"
4169 static const true_false_string get_dcname_request_flags_background_only = {
4170 "Only returned cahced data, even if it has expired",
4171 "Return cached data unless it has expired"
4173 static const true_false_string get_dcname_request_flags_ip_required = {
4174 "IP address is REQUIRED",
4175 "ip address is NOT required"
4177 static const true_false_string get_dcname_request_flags_kdc_required = {
4178 "KDC server is REQUIRED",
4179 "kdc server is NOT required"
4181 static const true_false_string get_dcname_request_flags_timeserv_required = {
4182 "TIMESERV service is REQUIRED",
4183 "timeserv service is NOT required"
4185 static const true_false_string get_dcname_request_flags_writable_required = {
4186 "the requrned dc MUST be WRITEABLE",
4187 "a read-only dc may be returned"
4189 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4190 "GOOD TIMESERV servers are PREFERRED",
4191 "we do NOT have a preference for good timeserv servers"
4193 static const true_false_string get_dcname_request_flags_avoid_self = {
4194 "do NOT return self as dc, return someone else",
4195 "you may return yourSELF as the dc"
4197 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4198 "we ONLY NEED LDAP, you dont have to return a dc",
4199 "we need a normal dc, an ldap only server will not do"
4201 static const true_false_string get_dcname_request_flags_is_flat_name = {
4202 "the name we specify is a NetBIOS name",
4203 "the name we specify is NOT a NetBIOS name"
4205 static const true_false_string get_dcname_request_flags_is_dns_name = {
4206 "the name we specify is a DNS name",
4207 "ther name we specify is NOT a dns name"
4209 static const true_false_string get_dcname_request_flags_return_dns_name = {
4210 "return a DNS name",
4211 "you may return a NON-dns name"
4213 static const true_false_string get_dcname_request_flags_return_flat_name = {
4214 "return a NetBIOS name",
4215 "you may return a NON-NetBIOS name"
4218 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4219 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4222 proto_item *item = NULL;
4223 proto_tree *tree = NULL;
4226 di=pinfo->private_data;
4227 if(di->conformant_run){
4228 /*just a run to handle conformant arrays, nothing to dissect */
4232 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4233 hf_netlogon_get_dcname_request_flags, &mask);
4236 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4237 tvb, offset-4, 4, mask);
4238 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4241 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4242 tvb, offset-4, 4, mask);
4243 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4244 tvb, offset-4, 4, mask);
4245 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4246 tvb, offset-4, 4, mask);
4247 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4248 tvb, offset-4, 4, mask);
4249 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4250 tvb, offset-4, 4, mask);
4251 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4252 tvb, offset-4, 4, mask);
4253 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4254 tvb, offset-4, 4, mask);
4255 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4256 tvb, offset-4, 4, mask);
4257 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4258 tvb, offset-4, 4, mask);
4259 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4260 tvb, offset-4, 4, mask);
4261 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4262 tvb, offset-4, 4, mask);
4263 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4264 tvb, offset-4, 4, mask);
4265 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4266 tvb, offset-4, 4, mask);
4267 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4268 tvb, offset-4, 4, mask);
4269 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4270 tvb, offset-4, 4, mask);
4271 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4272 tvb, offset-4, 4, mask);
4273 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4274 tvb, offset-4, 4, mask);
4281 #define DS_PDC_FLAG 0x00000001
4282 #define DS_GC_FLAG 0x00000004
4283 #define DS_LDAP_FLAG 0x00000008
4284 #define DS_DS_FLAG 0x00000010
4285 #define DS_KDC_FLAG 0x00000020
4286 #define DS_TIMESERV_FLAG 0x00000040
4287 #define DS_CLOSEST_FLAG 0x00000080
4288 #define DS_WRITABLE_FLAG 0x00000100
4289 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4290 #define DS_NDNC_FLAG 0x00000400
4291 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4292 #define DS_DNS_DOMAIN_FLAG 0x40000000
4293 #define DS_DNS_FOREST_FLAG 0x80000000
4294 static const true_false_string dc_flags_pdc_flag = {
4295 "this is the PDC of the domain",
4296 "this is NOT the pdc of the domain"
4298 static const true_false_string dc_flags_gc_flag = {
4299 "this is the GC of the forest",
4300 "this is NOT the gc of the forest"
4302 static const true_false_string dc_flags_ldap_flag = {
4303 "this is an LDAP server",
4304 "this is NOT an ldap server"
4306 static const true_false_string dc_flags_ds_flag = {
4307 "this is a DS server",
4308 "this is NOT a ds server"
4310 static const true_false_string dc_flags_kdc_flag = {
4311 "this is a KDC server",
4312 "this is NOT a kdc server"
4314 static const true_false_string dc_flags_timeserv_flag = {
4315 "this is a TIMESERV server",
4316 "this is NOT a timeserv server"
4318 static const true_false_string dc_flags_closest_flag = {
4319 "this is the CLOSEST server",
4320 "this is NOT the closest server"
4322 static const true_false_string dc_flags_writable_flag = {
4323 "this server has a WRITABLE ds database",
4324 "this server has a READ-ONLY ds database"
4326 static const true_false_string dc_flags_good_timeserv_flag = {
4327 "this server is a GOOD TIMESERV server",
4328 "this is NOT a good timeserv server"
4330 static const true_false_string dc_flags_ndnc_flag = {
4334 static const true_false_string dc_flags_dns_controller_flag = {
4335 "DomainControllerName is a DNS name",
4336 "DomainControllerName is NOT a dns name"
4338 static const true_false_string dc_flags_dns_domain_flag = {
4339 "DomainName is a DNS name",
4340 "DomainName is NOT a dns name"
4342 static const true_false_string dc_flags_dns_forest_flag = {
4343 "DnsForestName is a DNS name",
4344 "DnsForestName is NOT a dns name"
4347 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4348 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4351 proto_item *item = NULL;
4352 proto_tree *tree = NULL;
4355 di=pinfo->private_data;
4356 if(di->conformant_run){
4357 /*just a run to handle conformant arrays, nothing to dissect */
4361 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4362 hf_netlogon_dc_flags, &mask);
4365 item = proto_tree_add_uint_format(parent_tree, hf_netlogon_dc_flags,
4366 tvb, offset-4, 4, mask, "Domain Controller Flags: 0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4367 tree = proto_item_add_subtree(item, ett_dc_flags);
4370 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4371 tvb, offset-4, 4, mask);
4372 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4373 tvb, offset-4, 4, mask);
4374 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4375 tvb, offset-4, 4, mask);
4376 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4377 tvb, offset-4, 4, mask);
4378 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4379 tvb, offset-4, 4, mask);
4380 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4381 tvb, offset-4, 4, mask);
4382 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4383 tvb, offset-4, 4, mask);
4384 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4385 tvb, offset-4, 4, mask);
4386 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4387 tvb, offset-4, 4, mask);
4388 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4389 tvb, offset-4, 4, mask);
4390 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4391 tvb, offset-4, 4, mask);
4392 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4393 tvb, offset-4, 4, mask);
4394 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4395 tvb, offset-4, 4, mask);
4403 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4404 packet_info *pinfo, proto_tree *tree,
4409 di=pinfo->private_data;
4410 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4411 di->hf_index, NULL);
4416 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4417 packet_info *pinfo, proto_tree *tree,
4422 di=pinfo->private_data;
4423 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4424 di->hf_index, NULL);
4429 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4430 packet_info *pinfo, proto_tree *tree,
4433 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4434 hf_netlogon_unknown_char, NULL);
4440 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4441 packet_info *pinfo, proto_tree *tree,
4444 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4445 netlogon_dissect_UNICODE_MULTI_byte);
4451 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4452 packet_info *pinfo, proto_tree *parent_tree,
4455 proto_item *item=NULL;
4456 proto_tree *tree=NULL;
4457 int old_offset=offset;
4460 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4462 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4465 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4466 hf_netlogon_len, NULL);
4468 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4469 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4470 "unknown", hf_netlogon_unknown_string);
4472 proto_item_set_len(item, offset-old_offset);
4477 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4478 packet_info *pinfo, proto_tree *tree,
4481 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
4487 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4488 packet_info *pinfo, proto_tree *parent_tree,
4491 proto_item *item=NULL;
4492 proto_tree *tree=NULL;
4493 int old_offset=offset;
4496 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4497 "DOMAIN_CONTROLLER_INFO:");
4498 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4501 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4502 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
4504 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4505 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
4507 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4508 hf_netlogon_dc_address_type, NULL);
4510 offset = dissect_nt_GUID(tvb, offset,
4513 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4514 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
4516 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4517 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
4519 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
4521 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4522 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
4524 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4525 NDR_POINTER_UNIQUE, "Client Site",
4526 hf_netlogon_client_site_name, 0);
4528 proto_item_set_len(item, offset-old_offset);
4533 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4534 packet_info *pinfo, proto_tree *tree,
4540 di=pinfo->private_data;
4541 if(di->conformant_run){
4542 /*just a run to handle conformant arrays, nothing to dissect.*/
4546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4547 hf_netlogon_blob_size, &len);
4549 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
4557 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4558 packet_info *pinfo, proto_tree *parent_tree,
4561 proto_item *item=NULL;
4562 proto_tree *tree=NULL;
4565 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4567 tree = proto_item_add_subtree(item, ett_BLOB);
4570 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4571 hf_netlogon_blob_size, NULL);
4573 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4574 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
4581 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4582 packet_info *pinfo, proto_tree *parent_tree,
4585 proto_item *item=NULL;
4586 proto_tree *tree=NULL;
4587 int old_offset=offset;
4590 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4591 "DOMAIN_TRUST_INFO:");
4592 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
4596 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4598 /* Guesses at best. */
4599 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4600 hf_netlogon_unknown_string, 0);
4602 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4603 hf_netlogon_unknown_string, 0);
4605 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4606 hf_netlogon_unknown_string, 0);
4608 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4609 hf_netlogon_unknown_string, 0);
4611 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4612 hf_netlogon_unknown_long, NULL);
4614 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4615 hf_netlogon_unknown_long, NULL);
4617 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4618 hf_netlogon_unknown_long, NULL);
4620 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4621 hf_netlogon_unknown_long, NULL);
4623 proto_item_set_len(item, offset-old_offset);
4628 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
4629 packet_info *pinfo, proto_tree *tree,
4632 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4633 netlogon_dissect_DOMAIN_TRUST_INFO);
4639 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4640 packet_info *pinfo, proto_tree *tree,
4643 offset = netlogon_dissect_BLOB(tvb, offset,
4646 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4647 NDR_POINTER_UNIQUE, "Workstation FQDN",
4648 hf_netlogon_workstation_fqdn, 0);
4650 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4651 NDR_POINTER_UNIQUE, "Workstation Site",
4652 hf_netlogon_workstation_site_name, 0);
4654 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4655 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4657 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4658 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4660 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4661 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4663 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4664 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4666 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4667 hf_netlogon_unknown_string, 0);
4669 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4670 hf_netlogon_workstation_os, 0);
4672 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4673 hf_netlogon_unknown_string, 0);
4675 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4676 hf_netlogon_unknown_string, 0);
4678 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4679 hf_netlogon_unknown_long, NULL);
4681 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4682 hf_netlogon_unknown_long, NULL);
4684 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4685 hf_netlogon_unknown_long, NULL);
4687 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4688 hf_netlogon_unknown_long, NULL);
4694 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
4695 packet_info *pinfo, proto_tree *tree,
4698 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
4700 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4701 hf_netlogon_num_trusts, NULL);
4703 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4704 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4705 "DOMAIN_TRUST_ARRAY: Trusts", -1);
4707 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4708 hf_netlogon_num_trusts, NULL);
4710 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4711 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4712 "DOMAIN_TRUST_ARRAY:", -1);
4714 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4715 hf_netlogon_dns_domain_name, 0);
4717 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4718 hf_netlogon_unknown_string, 0);
4720 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4721 hf_netlogon_unknown_string, 0);
4723 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4724 hf_netlogon_unknown_string, 0);
4726 /* These four integers appear to mirror the last four in the query. */
4727 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4728 hf_netlogon_unknown_long, NULL);
4730 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4731 hf_netlogon_unknown_long, NULL);
4733 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4734 hf_netlogon_unknown_long, NULL);
4736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4737 hf_netlogon_unknown_long, NULL);
4744 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4745 packet_info *pinfo, proto_tree *tree,
4750 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4751 hf_netlogon_level, &level);
4756 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4757 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
4758 "DOMAIN_INFO_1:", -1);
4766 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4767 packet_info *pinfo, proto_tree *parent_tree,
4770 proto_item *item=NULL;
4771 proto_tree *tree=NULL;
4772 int old_offset=offset;
4776 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4777 "UNICODE_STRING_512:");
4778 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4782 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4783 hf_netlogon_unknown_short, NULL);
4786 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4787 hf_netlogon_unknown_long, NULL);
4789 proto_item_set_len(item, offset-old_offset);
4794 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4795 packet_info *pinfo, proto_tree *tree,
4798 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4799 hf_netlogon_unknown_char, NULL);
4805 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4806 packet_info *pinfo, proto_tree *tree,
4809 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4810 netlogon_dissect_element_844_byte);
4816 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4817 packet_info *pinfo, proto_tree *parent_tree,
4820 proto_item *item=NULL;
4821 proto_tree *tree=NULL;
4822 int old_offset=offset;
4825 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4827 tree = proto_item_add_subtree(item, ett_TYPE_50);
4830 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4831 hf_netlogon_unknown_long, NULL);
4833 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4834 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4835 "unknown", hf_netlogon_unknown_string);
4837 proto_item_set_len(item, offset-old_offset);
4842 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4843 packet_info *pinfo, proto_tree *tree,
4846 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4847 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4848 "TYPE_50 pointer: unknown_TYPE_50", -1);
4854 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
4855 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4858 proto_item *item=NULL;
4859 proto_tree *tree=NULL;
4860 int old_offset=offset;
4863 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4864 "DS_DOMAIN_TRUSTS");
4865 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
4869 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4870 NDR_POINTER_UNIQUE, "NetBIOS Name",
4871 hf_netlogon_downlevel_domain_name, 0);
4874 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4875 NDR_POINTER_UNIQUE, "DNS Domain Name",
4876 hf_netlogon_dns_domain_name, 0);
4878 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
4880 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4881 hf_netlogon_trust_parent_index, &tmp);
4883 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4884 hf_netlogon_trust_type, &tmp);
4886 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4887 hf_netlogon_trust_attribs, &tmp);
4890 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep, -1);
4893 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
4895 proto_item_set_len(item, offset-old_offset);
4900 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
4901 packet_info *pinfo, proto_tree *tree,
4904 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4905 netlogon_dissect_DS_DOMAIN_TRUSTS);
4911 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4912 packet_info *pinfo, proto_tree *tree,
4915 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4916 hf_netlogon_unknown_char, NULL);
4922 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4923 packet_info *pinfo, proto_tree *tree,
4926 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4927 netlogon_dissect_element_865_byte);
4933 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4934 packet_info *pinfo, proto_tree *tree,
4937 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4938 hf_netlogon_unknown_char, NULL);
4944 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4945 packet_info *pinfo, proto_tree *tree,
4948 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4949 netlogon_dissect_element_866_byte);
4955 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4956 packet_info *pinfo, proto_tree *parent_tree,
4959 proto_item *item=NULL;
4960 proto_tree *tree=NULL;
4961 int old_offset=offset;
4964 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4966 tree = proto_item_add_subtree(item, ett_TYPE_52);
4969 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4970 hf_netlogon_unknown_long, NULL);
4972 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4973 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
4974 "unknown", hf_netlogon_unknown_string);
4976 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4977 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
4978 "unknown", hf_netlogon_unknown_string);
4980 proto_item_set_len(item, offset-old_offset);
4985 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
4986 packet_info *pinfo, proto_tree *tree,
4989 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4990 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
4991 "TYPE_52 pointer: unknown_TYPE_52", -1);
4997 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
4998 packet_info *pinfo, proto_tree *parent_tree,
5001 proto_item *item=NULL;
5002 proto_tree *tree=NULL;
5003 int old_offset=offset;
5007 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5009 tree = proto_item_add_subtree(item, ett_TYPE_44);
5012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5013 hf_netlogon_level, &level);
5018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5019 hf_netlogon_unknown_long, NULL);
5023 proto_item_set_len(item, offset-old_offset);
5028 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5029 packet_info *pinfo, proto_tree *tree,
5034 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5035 hf_netlogon_level, &level);
5040 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5041 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5042 "DOMAIN_QUERY_1:", -1);
5045 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5046 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5047 "DOMAIN_QUERY_1:", -1);
5055 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5056 packet_info *pinfo, proto_tree *tree, char *drep)
5058 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5066 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5067 packet_info *pinfo, proto_tree *tree, char *drep)
5069 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5070 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5071 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5073 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5074 hf_netlogon_rc, NULL);
5080 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5081 packet_info *pinfo, proto_tree *tree, char *drep)
5083 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5086 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5087 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5089 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5090 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5091 "GUID pointer: domain_guid", -1);
5093 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5094 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5095 "GUID pointer: site_guid", -1);
5097 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5098 hf_netlogon_flags, NULL);
5105 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5106 packet_info *pinfo, proto_tree *tree, char *drep)
5108 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5109 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5110 "DOMAIN_CONTROLLER_INFO:", -1);
5112 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5113 hf_netlogon_rc, NULL);
5119 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
5120 packet_info *pinfo, proto_tree *tree, char *drep)
5122 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5125 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5126 NDR_POINTER_UNIQUE, "unknown string",
5127 hf_netlogon_unknown_string, 0);
5129 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5130 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5131 "AUTHENTICATOR: credential", -1);
5133 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5134 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5135 "AUTHENTICATOR: return_authenticator", -1);
5137 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5138 hf_netlogon_unknown_long, NULL);
5145 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
5146 packet_info *pinfo, proto_tree *tree, char *drep)
5148 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5149 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5150 "AUTHENTICATOR: return_authenticator", -1);
5152 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5153 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5154 "TYPE_44 pointer: unknown_TYPE_44", -1);
5156 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5157 hf_netlogon_rc, NULL);
5163 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
5164 packet_info *pinfo, proto_tree *tree, char *drep)
5166 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5169 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5170 hf_netlogon_unknown_long, NULL);
5172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5173 hf_netlogon_unknown_long, NULL);
5180 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
5181 packet_info *pinfo, proto_tree *tree, char *drep)
5183 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5184 hf_netlogon_rc, NULL);
5191 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
5192 packet_info *pinfo, proto_tree *tree, char *drep)
5194 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5197 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5198 NDR_POINTER_UNIQUE, "unknown string",
5199 hf_netlogon_unknown_string, 0);
5206 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
5207 packet_info *pinfo, proto_tree *tree, char *drep)
5209 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5210 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5211 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5213 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5214 hf_netlogon_rc, NULL);
5221 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
5222 packet_info *pinfo, proto_tree *tree, char *drep)
5224 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5227 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5228 hf_netlogon_unknown_long, NULL);
5230 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5231 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5232 "BYTE pointer: unknown_BYTE", -1);
5234 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5235 hf_netlogon_unknown_long, NULL);
5241 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5242 packet_info *pinfo, proto_tree *tree, char *drep)
5247 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5248 hf_netlogon_unknown_char, NULL);
5255 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
5256 packet_info *pinfo, proto_tree *tree, char *drep)
5258 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5259 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5260 "BYTE pointer: unknown_BYTE", -1);
5262 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5263 hf_netlogon_rc, NULL);
5269 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
5270 packet_info *pinfo, proto_tree *tree, char *drep)
5272 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5275 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5276 NDR_POINTER_UNIQUE, "unknown string",
5277 hf_netlogon_unknown_string, 0);
5279 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5280 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5281 "BYTE pointer: unknown_BYTE", -1);
5283 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5284 hf_netlogon_unknown_long, NULL);
5291 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
5292 packet_info *pinfo, proto_tree *tree, char *drep)
5294 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5295 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5296 "BYTE pointer: unknown_BYTE", -1);
5298 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5299 hf_netlogon_rc, NULL);
5305 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5306 packet_info *pinfo, proto_tree *tree, char *drep)
5308 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5311 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5312 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5314 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5317 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5318 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5320 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5321 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5322 "CREDENTIAL: authenticator", -1);
5324 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5325 hf_netlogon_neg_flags, NULL);
5332 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5333 packet_info *pinfo, proto_tree *tree, char *drep)
5335 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5336 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5337 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5339 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5340 hf_netlogon_neg_flags, NULL);
5342 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5343 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5344 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5346 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5347 hf_netlogon_rc, NULL);
5353 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
5354 packet_info *pinfo, proto_tree *tree, char *drep)
5356 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5359 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5360 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5362 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5363 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5364 "GUID pointer: domain_guid", -1);
5366 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5367 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5369 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
5376 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
5377 packet_info *pinfo, proto_tree *tree, char *drep)
5379 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5380 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5381 "DOMAIN_CONTROLLER_INFO:", -1);
5383 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5384 hf_netlogon_rc, NULL);
5390 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5391 packet_info *pinfo, proto_tree *tree, char *drep)
5393 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5401 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5402 packet_info *pinfo, proto_tree *tree, char *drep)
5405 /* XXX hmmm this does not really look like a UNIQUE pointer but
5406 will do for now. I think it is really a 32bit integer followed by
5407 a REF pointer to a unicode string */
5408 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
5409 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
5410 hf_netlogon_site_name, cb_wstr_postprocess,
5411 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
5413 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5414 hf_netlogon_rc, NULL);
5420 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5421 packet_info *pinfo, proto_tree *tree, char *drep)
5423 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5424 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5425 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5427 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5428 NDR_POINTER_UNIQUE, "Computer Name",
5429 hf_netlogon_computer_name, 0);
5431 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5432 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5433 "AUTHENTICATOR: credential", -1);
5435 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5436 hf_netlogon_unknown_long, NULL);
5438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5439 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5440 "AUTHENTICATOR: return_authenticator", -1);
5442 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5443 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5444 "DOMAIN_QUERY: ", -1);
5451 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5452 packet_info *pinfo, proto_tree *tree, char *drep)
5454 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5455 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5456 "AUTHENTICATOR: return_authenticator", -1);
5458 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5459 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5460 "DOMAIN_INFO: ", -1);
5462 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5463 hf_netlogon_rc, NULL);
5469 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5470 packet_info *pinfo, proto_tree *tree, char *drep)
5472 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5475 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5476 NDR_POINTER_UNIQUE, "unknown string",
5477 hf_netlogon_unknown_string, 0);
5479 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5480 hf_netlogon_unknown_short, NULL);
5482 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5483 NDR_POINTER_UNIQUE, "unknown string",
5484 hf_netlogon_unknown_string, 0);
5486 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5487 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5488 "AUTHENTICATOR: credential", -1);
5490 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
5498 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5499 packet_info *pinfo, proto_tree *tree, char *drep)
5501 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5502 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5503 "AUTHENTICATOR: return_authenticator", -1);
5505 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5506 hf_netlogon_rc, NULL);
5512 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
5513 packet_info *pinfo, proto_tree *tree, char *drep)
5515 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5518 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5519 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
5521 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5524 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5525 NDR_POINTER_UNIQUE, "Computer Name",
5526 hf_netlogon_computer_name, 0);
5528 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5529 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5530 "AUTHENTICATOR: credential", -1);
5537 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
5538 packet_info *pinfo, proto_tree *tree, char *drep)
5540 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5541 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5542 "AUTHENTICATOR: return_authenticator", -1);
5544 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5545 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5546 "LM_OWF_PASSWORD pointer: server_pwd", -1);
5548 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5549 hf_netlogon_rc, NULL);
5555 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
5556 packet_info *pinfo, proto_tree *tree, char *drep)
5558 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5561 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5562 NDR_POINTER_UNIQUE, "unknown string",
5563 hf_netlogon_unknown_string, 0);
5565 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5566 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5567 "AUTHENTICATOR: credential", -1);
5569 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5570 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5571 "BYTE pointer: unknown_BYTE", -1);
5573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5574 hf_netlogon_unknown_long, NULL);
5581 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
5582 packet_info *pinfo, proto_tree *tree, char *drep)
5584 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5585 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5586 "AUTHENTICATOR: return_authenticator", -1);
5588 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5589 hf_netlogon_rc, NULL);
5595 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
5596 packet_info *pinfo, proto_tree *tree, char *drep)
5598 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5601 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5602 hf_netlogon_unknown_long, NULL);
5604 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5605 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5606 "BYTE pointer: unknown_BYTE", -1);
5613 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
5614 packet_info *pinfo, proto_tree *tree, char *drep)
5616 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5617 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5618 "TYPE_50** pointer: unknown_TYPE_50", -1);
5620 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5621 hf_netlogon_rc, NULL);
5627 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
5628 packet_info *pinfo, proto_tree *tree, char *drep)
5630 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5633 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5634 NDR_POINTER_UNIQUE, "unknown string",
5635 hf_netlogon_unknown_string, 0);
5637 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5638 hf_netlogon_unknown_long, NULL);
5640 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5641 NDR_POINTER_UNIQUE, "unknown string",
5642 hf_netlogon_unknown_string, 0);
5644 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5645 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5646 "GUID pointer: unknown_GUID", -1);
5648 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5649 NDR_POINTER_UNIQUE, "unknown string",
5650 hf_netlogon_unknown_string, 0);
5652 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5653 hf_netlogon_unknown_long, NULL);
5660 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
5661 packet_info *pinfo, proto_tree *tree, char *drep)
5663 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5664 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5665 "DOMAIN_CONTROLLER_INFO:", -1);
5667 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5668 hf_netlogon_rc, NULL);
5674 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
5675 packet_info *pinfo, proto_tree *tree, char *drep)
5677 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5685 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
5686 packet_info *pinfo, proto_tree *tree, char *drep)
5688 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5689 NDR_POINTER_UNIQUE, "unknown string",
5690 hf_netlogon_unknown_string, 0);
5692 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5693 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5694 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5696 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5697 hf_netlogon_rc, NULL);
5703 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
5704 packet_info *pinfo, proto_tree *tree, char *drep)
5706 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5713 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
5714 packet_info *pinfo, proto_tree *tree, char *drep)
5716 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5717 hf_netlogon_entries, NULL);
5719 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5720 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5721 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5723 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5724 hf_netlogon_rc, NULL);
5730 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
5731 packet_info *pinfo, proto_tree *tree, char *drep)
5733 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5737 hf_netlogon_unknown_long, NULL);
5739 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5740 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5741 "BYTE pointer: unknown_BYTE", -1);
5748 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
5749 packet_info *pinfo, proto_tree *tree, char *drep)
5751 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5752 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5753 "TYPE_52 pointer: unknown_TYPE_52", -1);
5755 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5756 hf_netlogon_rc, NULL);
5763 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
5764 packet_info *pinfo, proto_tree *tree, char *drep)
5766 offset = dissect_ndr_counted_string_cb(
5767 tvb, offset, pinfo, tree, drep, hf_netlogon_site_name,
5768 cb_wstr_postprocess,
5769 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
5774 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
5775 packet_info *pinfo, proto_tree *tree, char *drep)
5777 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5778 netlogon_dissect_site_name_item);
5784 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
5785 packet_info *pinfo, proto_tree *tree, char *drep)
5787 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5788 hf_netlogon_count, NULL);
5790 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5791 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
5792 "Site name array", -1);
5798 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
5799 packet_info *pinfo, proto_tree *tree, char *drep)
5801 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5809 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
5810 packet_info *pinfo, proto_tree *tree, char *drep)
5812 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5813 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
5816 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5817 hf_netlogon_rc, NULL);
5823 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5824 packet_info *pinfo, proto_tree *tree, char *drep)
5826 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5827 NDR_POINTER_UNIQUE, "unknown string",
5828 hf_netlogon_unknown_string, 0);
5830 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5831 NDR_POINTER_UNIQUE, "unknown string",
5832 hf_netlogon_unknown_string, 0);
5834 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5835 hf_netlogon_unknown_short, NULL);
5837 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5838 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5839 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
5841 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5842 hf_netlogon_unknown_short, NULL);
5844 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5845 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5846 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5852 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
5853 packet_info *pinfo, proto_tree *tree, char *drep)
5855 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5856 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5857 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
5859 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5860 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5861 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
5863 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5864 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5865 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5867 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5868 hf_netlogon_rc, NULL);
5875 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
5876 packet_info *pinfo, proto_tree *tree, char *drep)
5878 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5881 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5888 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
5889 packet_info *pinfo, proto_tree *tree, char *drep)
5891 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5892 hf_netlogon_entries, NULL);
5894 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5895 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5896 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5898 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5899 hf_netlogon_rc, NULL);
5905 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5906 packet_info *pinfo, proto_tree *tree, char *drep)
5908 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5911 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5912 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5914 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5915 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5916 "GUID pointer: domain_guid", -1);
5918 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5919 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5920 "GUID pointer: dsa_guid", -1);
5922 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5923 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
5930 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5931 packet_info *pinfo, proto_tree *tree, char *drep)
5933 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5934 hf_netlogon_rc, NULL);
5939 /* Dissect secure channel stuff */
5941 static int hf_netlogon_secchan_bind_unknown1 = -1;
5942 static int hf_netlogon_secchan_bind_unknown2 = -1;
5943 static int hf_netlogon_secchan_domain = -1;
5944 static int hf_netlogon_secchan_host = -1;
5945 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
5946 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
5947 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
5949 static gint ett_secchan_verf = -1;
5950 static gint ett_secchan_bind_creds = -1;
5951 static gint ett_secchan_bind_ack_creds = -1;
5953 static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
5955 proto_tree *tree, char *drep)
5957 proto_item *item = NULL;
5958 proto_tree *subtree = NULL;
5962 item = proto_tree_add_text(
5963 tree, tvb, offset, tvb_length(tvb),
5964 "Secure Channel Bind Credentials");
5965 subtree = proto_item_add_subtree(
5966 item, ett_secchan_bind_creds);
5969 /* We can't use the NDR routines as the DCERPC call data hasn't
5970 been initialised since we haven't made a DCERPC call yet, just
5973 offset = dissect_dcerpc_uint32(
5974 tvb, offset, pinfo, subtree, drep,
5975 hf_netlogon_secchan_bind_unknown1, NULL);
5977 offset = dissect_dcerpc_uint32(
5978 tvb, offset, pinfo, subtree, drep,
5979 hf_netlogon_secchan_bind_unknown2, NULL);
5981 len = tvb_strsize(tvb, offset);
5983 proto_tree_add_item(
5984 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
5988 len = tvb_strsize(tvb, offset);
5990 proto_tree_add_item(
5991 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
5998 static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
6000 proto_tree *tree, char *drep)
6002 proto_item *item = NULL;
6003 proto_tree *subtree = NULL;
6006 item = proto_tree_add_text(
6007 tree, tvb, offset, 0,
6008 "Secure Channel Bind ACK Credentials");
6009 subtree = proto_item_add_subtree(
6010 item, ett_secchan_bind_ack_creds);
6013 /* Don't use NDR routines here */
6015 offset = dissect_dcerpc_uint32(
6016 tvb, offset, pinfo, subtree, drep,
6017 hf_netlogon_secchan_bind_ack_unknown1, NULL);
6019 offset = dissect_dcerpc_uint32(
6020 tvb, offset, pinfo, subtree, drep,
6021 hf_netlogon_secchan_bind_ack_unknown2, NULL);
6023 offset = dissect_dcerpc_uint32(
6024 tvb, offset, pinfo, subtree, drep,
6025 hf_netlogon_secchan_bind_ack_unknown3, NULL);
6032 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
6033 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
6034 netlogon_dissect_netrlogonuaslogon_rqst,
6035 netlogon_dissect_netrlogonuaslogon_reply },
6036 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
6037 netlogon_dissect_netrlogonuaslogoff_rqst,
6038 netlogon_dissect_netrlogonuaslogoff_reply },
6039 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
6040 netlogon_dissect_netrlogonsamlogon_rqst,
6041 netlogon_dissect_netrlogonsamlogon_reply },
6042 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
6043 netlogon_dissect_netrlogonsamlogoff_rqst,
6044 netlogon_dissect_netrlogonsamlogoff_reply },
6045 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
6046 netlogon_dissect_netrserverreqchallenge_rqst,
6047 netlogon_dissect_netrserverreqchallenge_reply },
6048 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
6049 netlogon_dissect_netrserverauthenticate_rqst,
6050 netlogon_dissect_netrserverauthenticate_reply },
6051 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
6052 netlogon_dissect_netrserverpasswordset_rqst,
6053 netlogon_dissect_netrserverpasswordset_reply },
6054 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
6055 netlogon_dissect_netrdatabasedeltas_rqst,
6056 netlogon_dissect_netrdatabasedeltas_reply },
6057 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
6058 netlogon_dissect_netrdatabasesync_rqst,
6059 netlogon_dissect_netrdatabasesync_reply },
6060 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
6061 netlogon_dissect_netraccountdeltas_rqst,
6062 netlogon_dissect_netraccountdeltas_reply },
6063 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
6064 netlogon_dissect_netraccountsync_rqst,
6065 netlogon_dissect_netraccountsync_reply },
6066 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
6067 netlogon_dissect_netrgetdcname_rqst,
6068 netlogon_dissect_netrgetdcname_reply },
6069 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
6070 netlogon_dissect_netrlogoncontrol_rqst,
6071 netlogon_dissect_netrlogoncontrol_reply },
6072 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
6073 netlogon_dissect_netrgetanydcname_rqst,
6074 netlogon_dissect_netrgetanydcname_reply },
6075 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
6076 netlogon_dissect_netrlogoncontrol2_rqst,
6077 netlogon_dissect_netrlogoncontrol2_reply },
6078 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
6079 netlogon_dissect_netrserverauthenticate2_rqst,
6080 netlogon_dissect_netrserverauthenticate2_reply },
6081 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
6082 netlogon_dissect_netrdatabasesync2_rqst,
6083 netlogon_dissect_netrdatabasesync2_reply },
6084 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
6085 netlogon_dissect_netrdatabaseredo_rqst,
6086 netlogon_dissect_netrdatabaseredo_reply },
6087 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
6088 netlogon_dissect_netrlogoncontrol2ex_rqst,
6089 netlogon_dissect_netrlogoncontrol2ex_reply },
6090 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
6091 netlogon_dissect_netrenumeratetrusteddomains_rqst,
6092 netlogon_dissect_netrenumeratetrusteddomains_reply },
6093 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
6094 netlogon_dissect_dsrgetdcname_rqst,
6095 netlogon_dissect_dsrgetdcname_reply },
6096 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
6097 netlogon_dissect_netrlogondummyroutine1_rqst,
6098 netlogon_dissect_netrlogondummyroutine1_reply },
6099 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
6100 netlogon_dissect_netrlogonsetservicebits_rqst,
6101 netlogon_dissect_netrlogonsetservicebits_reply },
6102 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
6103 netlogon_dissect_netrlogongettrustrid_rqst,
6104 netlogon_dissect_netrlogongettrustrid_reply },
6105 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
6106 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
6107 netlogon_dissect_netrlogoncomputeserverdigest_reply },
6108 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
6109 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
6110 netlogon_dissect_netrlogoncomputeclientdigest_reply },
6111 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
6112 netlogon_dissect_netrserverauthenticate3_rqst,
6113 netlogon_dissect_netrserverauthenticate3_reply },
6114 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
6115 netlogon_dissect_dsrgetdcnameex_rqst,
6116 netlogon_dissect_dsrgetdcnameex_reply },
6117 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
6118 netlogon_dissect_dsrgetsitename_rqst,
6119 netlogon_dissect_dsrgetsitename_reply },
6120 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6121 netlogon_dissect_netrlogongetdomaininfo_rqst,
6122 netlogon_dissect_netrlogongetdomaininfo_reply },
6123 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
6124 netlogon_dissect_netrserverpasswordset2_rqst,
6125 netlogon_dissect_netrserverpasswordset2_reply },
6126 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
6127 netlogon_dissect_netrserverpasswordget_rqst,
6128 netlogon_dissect_netrserverpasswordget_reply },
6129 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
6130 netlogon_dissect_netrlogonsendtosam_rqst,
6131 netlogon_dissect_netrlogonsendtosam_reply },
6132 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
6133 netlogon_dissect_dsraddresstositenamesw_rqst,
6134 netlogon_dissect_dsraddresstositenamesw_reply },
6135 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
6136 netlogon_dissect_dsrgetdcnameex2_rqst,
6137 netlogon_dissect_dsrgetdcnameex2_reply },
6138 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
6139 "NetrLogonGetTimeServiceParentDomain",
6140 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
6141 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
6142 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
6143 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
6144 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
6145 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
6146 netlogon_dissect_dsraddresstositenamesexw_rqst,
6147 netlogon_dissect_dsraddresstositenamesexw_reply },
6148 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
6149 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
6150 netlogon_dissect_dsrgetdcsitecoveragew_reply },
6151 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
6152 netlogon_dissect_netrlogonsamlogonex_rqst,
6153 netlogon_dissect_netrlogonsamlogonex_reply },
6154 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
6155 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
6156 netlogon_dissect_dsrenumeratedomaintrusts_reply },
6157 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
6158 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6159 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6160 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
6162 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
6164 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
6166 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
6168 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
6170 {0, NULL, NULL, NULL }
6173 static int hf_netlogon_secchan_verf = -1;
6174 static int hf_netlogon_secchan_verf_sig = -1;
6175 static int hf_netlogon_secchan_verf_unk = -1;
6176 static int hf_netlogon_secchan_verf_seq = -1;
6177 static int hf_netlogon_secchan_verf_nonce = -1;
6180 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
6181 proto_tree *tree, char *drep _U_)
6183 proto_item *vf = NULL;
6184 proto_tree *subtree = NULL;
6187 * Create a new tree, and split into 4 components ...
6189 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
6191 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
6193 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sig, tvb,
6197 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_unk, tvb,
6201 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_seq, tvb,
6205 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_nonce, tvb,
6212 /* Secure channel types */
6214 static const value_string sec_chan_type_vals[] = {
6215 { SEC_CHAN_WKSTA, "Workstation" },
6216 { SEC_CHAN_DOMAIN, "Domain trust" },
6217 { SEC_CHAN_BDC, "Backup domain controller" },
6222 proto_register_dcerpc_netlogon(void)
6225 static hf_register_info hf[] = {
6226 { &hf_netlogon_opnum,
6227 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6228 NULL, 0x0, "Operation", HFILL }},
6230 { &hf_netlogon_rc, {
6231 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6232 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6234 { &hf_netlogon_param_ctrl, {
6235 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6236 NULL, 0x0, "Param ctrl", HFILL }},
6238 { &hf_netlogon_logon_id, {
6239 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6240 NULL, 0x0, "Logon ID", HFILL }},
6242 { &hf_netlogon_modify_count, {
6243 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6244 NULL, 0x0, "How many times the object has been modified", HFILL }},
6246 { &hf_netlogon_security_information, {
6247 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6248 NULL, 0x0, "Security Information", HFILL }},
6250 { &hf_netlogon_count, {
6251 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6252 NULL, 0x0, "", HFILL }},
6254 { &hf_netlogon_entries, {
6255 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6256 NULL, 0x0, "", HFILL }},
6258 { &hf_netlogon_credential, {
6259 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6260 NULL, 0x0, "Netlogon Credential", HFILL }},
6262 { &hf_netlogon_challenge, {
6263 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6264 NULL, 0x0, "Netlogon challenge", HFILL }},
6266 { &hf_netlogon_lm_owf_password, {
6267 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6268 NULL, 0x0, "LanManager OWF Password", HFILL }},
6270 { &hf_netlogon_user_session_key, {
6271 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6272 NULL, 0x0, "User Session Key", HFILL }},
6274 { &hf_netlogon_encrypted_lm_owf_password, {
6275 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6276 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6278 { &hf_netlogon_nt_owf_password, {
6279 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6280 NULL, 0x0, "NT OWF Password", HFILL }},
6282 { &hf_netlogon_blob, {
6283 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6284 NULL, 0x0, "BLOB", HFILL }},
6286 { &hf_netlogon_len, {
6287 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6288 NULL, 0, "Length", HFILL }},
6290 { &hf_netlogon_priv, {
6291 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6292 NULL, 0, "", HFILL }},
6294 { &hf_netlogon_privilege_entries, {
6295 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6296 NULL, 0, "", HFILL }},
6298 { &hf_netlogon_privilege_control, {
6299 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6300 NULL, 0, "", HFILL }},
6302 { &hf_netlogon_privilege_name, {
6303 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6304 NULL, 0, "", HFILL }},
6306 { &hf_netlogon_pdc_connection_status, {
6307 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6308 NULL, 0, "PDC Connection Status", HFILL }},
6310 { &hf_netlogon_tc_connection_status, {
6311 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6312 NULL, 0, "TC Connection Status", HFILL }},
6314 { &hf_netlogon_attrs, {
6315 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6316 NULL, 0, "Attributes", HFILL }},
6318 { &hf_netlogon_unknown_string,
6319 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6320 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6321 { &hf_netlogon_unknown_long,
6322 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6323 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6324 { &hf_netlogon_reserved,
6325 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6326 NULL, 0x0, "Reserved", HFILL }},
6327 { &hf_netlogon_unknown_short,
6328 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6329 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6331 { &hf_netlogon_unknown_char,
6332 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6333 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6335 { &hf_netlogon_acct_expiry_time,
6336 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6337 NULL, 0x0, "When this account will expire", HFILL }},
6339 { &hf_netlogon_nt_pwd_present,
6340 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6341 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6343 { &hf_netlogon_lm_pwd_present,
6344 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6345 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6347 { &hf_netlogon_pwd_expired,
6348 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6349 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6351 { &hf_netlogon_authoritative,
6352 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6353 NULL, 0x0, "", HFILL }},
6355 { &hf_netlogon_sensitive_data_flag,
6356 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6357 NULL, 0x0, "Sensitive data flag", HFILL }},
6359 { &hf_netlogon_auditing_mode,
6360 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6361 NULL, 0x0, "Auditing Mode", HFILL }},
6363 { &hf_netlogon_max_audit_event_count,
6364 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6365 NULL, 0x0, "Max audit event count", HFILL }},
6367 { &hf_netlogon_event_audit_option,
6368 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6369 NULL, 0x0, "Event audit option", HFILL }},
6371 { &hf_netlogon_sensitive_data_len,
6372 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6373 NULL, 0x0, "Length of sensitive data", HFILL }},
6375 { &hf_netlogon_nt_chal_resp,
6376 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6377 NULL, 0, "Challenge response for NT authentication", HFILL }},
6379 { &hf_netlogon_lm_chal_resp,
6380 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6381 NULL, 0, "Challenge response for LM authentication", HFILL }},
6383 { &hf_netlogon_cipher_len,
6384 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6385 NULL, 0, "", HFILL }},
6387 { &hf_netlogon_cipher_maxlen,
6388 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6389 NULL, 0, "", HFILL }},
6391 { &hf_netlogon_pac_data,
6392 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6393 NULL, 0, "Pac Data", HFILL }},
6395 { &hf_netlogon_sensitive_data,
6396 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6397 NULL, 0, "Sensitive Data", HFILL }},
6399 { &hf_netlogon_auth_data,
6400 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6401 NULL, 0, "Auth Data", HFILL }},
6403 { &hf_netlogon_cipher_current_data,
6404 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6405 NULL, 0, "", HFILL }},
6407 { &hf_netlogon_cipher_old_data,
6408 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6409 NULL, 0, "", HFILL }},
6411 { &hf_netlogon_acct_name,
6412 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6413 NULL, 0, "Account Name", HFILL }},
6415 { &hf_netlogon_acct_desc,
6416 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6417 NULL, 0, "Account Description", HFILL }},
6419 { &hf_netlogon_group_desc,
6420 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6421 NULL, 0, "Group Description", HFILL }},
6423 { &hf_netlogon_full_name,
6424 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6425 NULL, 0, "Full Name", HFILL }},
6427 { &hf_netlogon_comment,
6428 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6429 NULL, 0, "Comment", HFILL }},
6431 { &hf_netlogon_parameters,
6432 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6433 NULL, 0, "Parameters", HFILL }},
6435 { &hf_netlogon_logon_script,
6436 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6437 NULL, 0, "Logon Script", HFILL }},
6439 { &hf_netlogon_profile_path,
6440 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6441 NULL, 0, "Profile Path", HFILL }},
6443 { &hf_netlogon_home_dir,
6444 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6445 NULL, 0, "Home Directory", HFILL }},
6447 { &hf_netlogon_dir_drive,
6448 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6449 NULL, 0, "Drive letter for home directory", HFILL }},
6451 { &hf_netlogon_logon_srv,
6452 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6453 NULL, 0, "Server", HFILL }},
6455 { &hf_netlogon_principal,
6456 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6457 NULL, 0, "Principal", HFILL }},
6459 { &hf_netlogon_logon_dom,
6460 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6461 NULL, 0, "Domain", HFILL }},
6463 { &hf_netlogon_computer_name,
6464 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6465 NULL, 0, "Computer Name", HFILL }},
6467 { &hf_netlogon_site_name,
6468 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6469 NULL, 0, "Site Name", HFILL }},
6471 { &hf_netlogon_dc_name,
6472 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6473 NULL, 0, "DC Name", HFILL }},
6475 { &hf_netlogon_dc_site_name,
6476 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6477 NULL, 0, "DC Site Name", HFILL }},
6479 { &hf_netlogon_dns_forest_name,
6480 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6481 NULL, 0, "DNS Forest Name", HFILL }},
6483 { &hf_netlogon_dc_address,
6484 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6485 NULL, 0, "DC Address", HFILL }},
6487 { &hf_netlogon_dc_address_type,
6488 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6489 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6491 { &hf_netlogon_client_site_name,
6492 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6493 NULL, 0, "Client Site Name", HFILL }},
6495 { &hf_netlogon_workstation_site_name,
6496 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6497 NULL, 0, "Workstation Site Name", HFILL }},
6499 { &hf_netlogon_workstation,
6500 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6501 NULL, 0, "Workstation Name", HFILL }},
6503 { &hf_netlogon_workstation_os,
6504 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6505 NULL, 0, "Workstation OS", HFILL }},
6507 { &hf_netlogon_workstations,
6508 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6509 NULL, 0, "Workstations", HFILL }},
6511 { &hf_netlogon_workstation_fqdn,
6512 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6513 NULL, 0, "Workstation FQDN", HFILL }},
6515 { &hf_netlogon_group_name,
6516 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6517 NULL, 0, "Group Name", HFILL }},
6519 { &hf_netlogon_alias_name,
6520 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6521 NULL, 0, "Alias Name", HFILL }},
6523 { &hf_netlogon_dns_host,
6524 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6525 NULL, 0, "DNS Host", HFILL }},
6527 { &hf_netlogon_downlevel_domain_name,
6528 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6529 NULL, 0, "Downlevel Domain Name", HFILL }},
6531 { &hf_netlogon_dns_domain_name,
6532 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6533 NULL, 0, "DNS Domain Name", HFILL }},
6535 { &hf_netlogon_domain_name,
6536 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6537 NULL, 0, "Domain Name", HFILL }},
6539 { &hf_netlogon_oem_info,
6540 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6541 NULL, 0, "OEM Info", HFILL }},
6543 { &hf_netlogon_trusted_dc_name,
6544 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6545 NULL, 0, "Trusted DC", HFILL }},
6547 { &hf_netlogon_logonsrv_handle,
6548 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6549 NULL, 0, "Logon Srv Handle", HFILL }},
6551 { &hf_netlogon_dummy,
6552 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6553 NULL, 0, "Dummy string", HFILL }},
6555 { &hf_netlogon_logon_count16,
6556 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6557 NULL, 0x0, "Number of successful logins", HFILL }},
6559 { &hf_netlogon_logon_count,
6560 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6561 NULL, 0x0, "Number of successful logins", HFILL }},
6563 { &hf_netlogon_bad_pw_count16,
6564 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6565 NULL, 0x0, "Number of failed logins", HFILL }},
6567 { &hf_netlogon_bad_pw_count,
6568 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6569 NULL, 0x0, "Number of failed logins", HFILL }},
6571 { &hf_netlogon_country,
6572 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6573 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6575 { &hf_netlogon_codepage,
6576 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6577 NULL, 0x0, "Codepage setting for this account", HFILL }},
6579 { &hf_netlogon_level16,
6580 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6581 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6583 { &hf_netlogon_validation_level,
6584 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6585 NULL, 0x0, "Requested level of validation", HFILL }},
6587 { &hf_netlogon_minpasswdlen,
6588 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6589 NULL, 0x0, "Minimum length of password", HFILL }},
6591 { &hf_netlogon_passwdhistorylen,
6592 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6593 NULL, 0x0, "Length of password history", HFILL }},
6595 { &hf_netlogon_secure_channel_type,
6596 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
6597 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
6599 { &hf_netlogon_restart_state,
6600 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6601 NULL, 0x0, "Restart State", HFILL }},
6603 { &hf_netlogon_delta_type,
6604 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6605 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6607 { &hf_netlogon_blob_size,
6608 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6609 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6611 { &hf_netlogon_code,
6612 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6613 NULL, 0x0, "Code", HFILL }},
6615 { &hf_netlogon_level,
6616 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6617 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6619 { &hf_netlogon_reference,
6620 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6621 NULL, 0x0, "", HFILL }},
6623 { &hf_netlogon_next_reference,
6624 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6625 NULL, 0x0, "", HFILL }},
6627 { &hf_netlogon_timestamp,
6628 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6629 NULL, 0, "", HFILL }},
6631 { &hf_netlogon_user_rid,
6632 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6633 NULL, 0x0, "", HFILL }},
6635 { &hf_netlogon_alias_rid,
6636 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6637 NULL, 0x0, "", HFILL }},
6639 { &hf_netlogon_group_rid,
6640 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6641 NULL, 0x0, "", HFILL }},
6643 { &hf_netlogon_num_rids,
6644 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6645 NULL, 0x0, "Number of RIDs", HFILL }},
6647 { &hf_netlogon_num_controllers,
6648 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6649 NULL, 0x0, "Number of domain controllers", HFILL }},
6651 { &hf_netlogon_num_other_groups,
6652 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6653 NULL, 0x0, "", HFILL }},
6655 { &hf_netlogon_flags,
6656 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6657 NULL, 0x0, "", HFILL }},
6659 { &hf_netlogon_user_flags,
6660 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6661 NULL, 0x0, "", HFILL }},
6663 { &hf_netlogon_auth_flags,
6664 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6665 NULL, 0x0, "", HFILL }},
6667 { &hf_netlogon_systemflags,
6668 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6669 NULL, 0x0, "", HFILL }},
6671 { &hf_netlogon_database_id,
6672 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6673 NULL, 0x0, "Database Id", HFILL }},
6675 { &hf_netlogon_sync_context,
6676 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6677 NULL, 0x0, "Sync Context", HFILL }},
6679 { &hf_netlogon_max_size,
6680 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6681 NULL, 0x0, "Max Size of database", HFILL }},
6683 { &hf_netlogon_max_log_size,
6684 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6685 NULL, 0x0, "Max Size of log", HFILL }},
6687 { &hf_netlogon_pac_size,
6688 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6689 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6691 { &hf_netlogon_auth_size,
6692 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6693 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6695 { &hf_netlogon_num_deltas,
6696 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6697 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6699 { &hf_netlogon_num_trusts,
6700 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
6701 NULL, 0x0, "", HFILL }},
6703 { &hf_netlogon_logon_attempts,
6704 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6705 NULL, 0x0, "Number of logon attempts", HFILL }},
6707 { &hf_netlogon_pagefilelimit,
6708 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6709 NULL, 0x0, "", HFILL }},
6711 { &hf_netlogon_pagedpoollimit,
6712 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6713 NULL, 0x0, "", HFILL }},
6715 { &hf_netlogon_nonpagedpoollimit,
6716 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6717 NULL, 0x0, "", HFILL }},
6719 { &hf_netlogon_minworkingsetsize,
6720 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6721 NULL, 0x0, "", HFILL }},
6723 { &hf_netlogon_maxworkingsetsize,
6724 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6725 NULL, 0x0, "", HFILL }},
6727 { &hf_netlogon_serial_number,
6728 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6729 NULL, 0x0, "", HFILL }},
6731 { &hf_netlogon_neg_flags,
6732 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6733 NULL, 0x0, "Negotiation Flags", HFILL }},
6735 { &hf_netlogon_dc_flags,
6736 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
6737 NULL, 0x0, "Domain Controller Flags", HFILL }},
6739 { &hf_netlogon_dc_flags_pdc_flag,
6740 { "PDC", "netlogon.dc.flags.pdc",
6741 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
6742 "If this server is a PDC", HFILL }},
6744 { &hf_netlogon_dc_flags_gc_flag,
6745 { "GC", "netlogon.dc.flags.gc",
6746 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
6747 "If this server is a GC", HFILL }},
6749 { &hf_netlogon_dc_flags_ldap_flag,
6750 { "LDAP", "netlogon.dc.flags.ldap",
6751 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
6752 "If this is an LDAP server", HFILL }},
6754 { &hf_netlogon_dc_flags_ds_flag,
6755 { "DS", "netlogon.dc.flags.ds",
6756 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
6757 "If this server is a DS", HFILL }},
6759 { &hf_netlogon_dc_flags_kdc_flag,
6760 { "KDC", "netlogon.dc.flags.kdc",
6761 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
6762 "If this is a KDC", HFILL }},
6764 { &hf_netlogon_dc_flags_timeserv_flag,
6765 { "Timeserv", "netlogon.dc.flags.timeserv",
6766 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
6767 "If this server is a TimeServer", HFILL }},
6769 { &hf_netlogon_dc_flags_closest_flag,
6770 { "Closest", "netlogon.dc.flags.closest",
6771 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
6772 "If this is the closest server", HFILL }},
6774 { &hf_netlogon_dc_flags_writable_flag,
6775 { "Writable", "netlogon.dc.flags.writable",
6776 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
6777 "If this server can do updates to the database", HFILL }},
6779 { &hf_netlogon_dc_flags_good_timeserv_flag,
6780 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
6781 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
6782 "If this is a Good TimeServer", HFILL }},
6784 { &hf_netlogon_dc_flags_ndnc_flag,
6785 { "NDNC", "netlogon.dc.flags.ndnc",
6786 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
6787 "If this is an NDNC server", HFILL }},
6789 { &hf_netlogon_dc_flags_dns_controller_flag,
6790 { "DNS Controller", "netlogon.dc.flags.dns_controller",
6791 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
6792 "If this server is a DNS Controller", HFILL }},
6794 { &hf_netlogon_dc_flags_dns_domain_flag,
6795 { "DNS Domain", "netlogon.dc.flags.dns_domain",
6796 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
6799 { &hf_netlogon_dc_flags_dns_forest_flag,
6800 { "DNS Forest", "netlogon.dc.flags.dns_forest",
6801 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
6804 { &hf_netlogon_get_dcname_request_flags,
6805 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
6806 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
6808 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
6809 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
6810 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
6811 "Whether to allow the server to returned cached information or not", HFILL }},
6813 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
6814 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
6815 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
6816 "Whether we require that the returned DC supports w2k or not", HFILL }},
6818 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
6819 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
6820 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
6821 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
6823 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
6824 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
6825 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
6826 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
6828 { &hf_netlogon_get_dcname_request_flags_pdc_required,
6829 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
6830 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
6831 "Whether we require the returned DC to be the PDC", HFILL }},
6833 { &hf_netlogon_get_dcname_request_flags_background_only,
6834 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
6835 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
6836 "If we want cached data, even if it may have expired", HFILL }},
6838 { &hf_netlogon_get_dcname_request_flags_ip_required,
6839 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
6840 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
6841 "If we requre the IP of the DC in the reply", HFILL }},
6843 { &hf_netlogon_get_dcname_request_flags_kdc_required,
6844 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
6845 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
6846 "If we require that the returned server is a KDC", HFILL }},
6848 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
6849 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
6850 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
6851 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
6853 { &hf_netlogon_get_dcname_request_flags_writable_required,
6854 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
6855 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
6856 "If we require that the return server is writable", HFILL }},
6858 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
6859 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
6860 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
6861 "If we prefer Windows Time Servers", HFILL }},
6863 { &hf_netlogon_get_dcname_request_flags_avoid_self,
6864 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
6865 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
6866 "Return another DC than the one we ask", HFILL }},
6868 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
6869 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
6870 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
6871 "We just want an LDAP server, it does not have to be a DC", HFILL }},
6873 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
6874 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
6875 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
6876 "If the specified domain name is a NetBIOS name", HFILL }},
6878 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
6879 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
6880 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
6881 "If the specified domain name is a DNS name", HFILL }},
6883 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
6884 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
6885 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
6886 "Only return a DNS name (or an error)", HFILL }},
6888 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
6889 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
6890 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
6891 "Only return a NetBIOS name (or an error)", HFILL }},
6893 { &hf_netlogon_trust_attribs,
6894 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
6895 NULL, 0x0, "Trust Attributes", HFILL }},
6897 { &hf_netlogon_trust_type,
6898 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
6899 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
6901 { &hf_netlogon_trust_flags,
6902 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
6903 NULL, 0x0, "Trust Flags", HFILL }},
6905 { &hf_netlogon_trust_flags_inbound,
6906 { "Inbound Trust", "netlogon.trust.flags.inbound",
6907 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
6908 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
6910 { &hf_netlogon_trust_flags_outbound,
6911 { "Outbound Trust", "netlogon.trust.flags.outbound",
6912 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
6913 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
6915 { &hf_netlogon_trust_flags_in_forest,
6916 { "In Forest", "netlogon.trust.flags.in_forest",
6917 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
6918 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
6920 { &hf_netlogon_trust_flags_native_mode,
6921 { "Native Mode", "netlogon.trust.flags.native_mode",
6922 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
6923 "Whether the domain is a w2k native mode domain or not", HFILL }},
6925 { &hf_netlogon_trust_flags_primary,
6926 { "Primary", "netlogon.trust.flags.primary",
6927 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
6928 "Whether the domain is the primary domain for the queried server or not", HFILL }},
6930 { &hf_netlogon_trust_flags_tree_root,
6931 { "Tree Root", "netlogon.trust.flags.tree_root",
6932 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
6933 "Whether the domain is the root of the tree for the queried server", HFILL }},
6935 { &hf_netlogon_trust_parent_index,
6936 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
6937 NULL, 0x0, "Parent Index", HFILL }},
6939 { &hf_netlogon_logon_time,
6940 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6941 NULL, 0, "Time for last time this user logged on", HFILL }},
6943 { &hf_netlogon_kickoff_time,
6944 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6945 NULL, 0, "Time when this user will be kicked off", HFILL }},
6947 { &hf_netlogon_logoff_time,
6948 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6949 NULL, 0, "Time for last time this user logged off", HFILL }},
6951 { &hf_netlogon_pwd_last_set_time,
6952 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6953 NULL, 0, "Last time this users password was changed", HFILL }},
6955 { &hf_netlogon_pwd_can_change_time,
6956 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6957 NULL, 0, "When this users password may be changed", HFILL }},
6959 { &hf_netlogon_pwd_must_change_time,
6960 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6961 NULL, 0, "When this users password must be changed", HFILL }},
6963 { &hf_netlogon_domain_create_time,
6964 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6965 NULL, 0, "Time when this domain was created", HFILL }},
6967 { &hf_netlogon_domain_modify_time,
6968 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6969 NULL, 0, "Time when this domain was last modified", HFILL }},
6971 { &hf_netlogon_db_modify_time,
6972 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6973 NULL, 0, "Time when last modified", HFILL }},
6975 { &hf_netlogon_db_create_time,
6976 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6977 NULL, 0, "Time when created", HFILL }},
6979 { &hf_netlogon_cipher_current_set_time,
6980 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6981 NULL, 0, "Time when current cipher was initiated", HFILL }},
6983 { &hf_netlogon_cipher_old_set_time,
6984 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6985 NULL, 0, "Time when previous cipher was initiated", HFILL }},
6987 { &hf_netlogon_audit_retention_period,
6988 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6989 NULL, 0, "Audit retention period", HFILL }},
6991 { &hf_netlogon_guid,
6992 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
6993 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
6995 { &hf_netlogon_timelimit,
6996 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6997 NULL, 0, "", HFILL }},
6999 /* Secure channel dissection */
7001 { &hf_netlogon_secchan_bind_unknown1,
7002 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7003 NULL, 0x0, "", HFILL }},
7005 { &hf_netlogon_secchan_bind_unknown2,
7006 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7007 NULL, 0x0, "", HFILL }},
7009 { &hf_netlogon_secchan_domain,
7010 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7011 NULL, 0, "", HFILL }},
7013 { &hf_netlogon_secchan_host,
7014 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7015 NULL, 0, "", HFILL }},
7017 { &hf_netlogon_secchan_bind_ack_unknown1,
7018 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
7019 BASE_HEX, NULL, 0x0, "", HFILL }},
7021 { &hf_netlogon_secchan_bind_ack_unknown2,
7022 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
7023 BASE_HEX, NULL, 0x0, "", HFILL }},
7025 { &hf_netlogon_secchan_bind_ack_unknown3,
7026 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
7027 BASE_HEX, NULL, 0x0, "", HFILL }},
7029 { &hf_netlogon_secchan_verf,
7030 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
7031 NULL, 0x0, "Verifier", HFILL }},
7033 { &hf_netlogon_secchan_verf_sig,
7034 { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL,
7035 0x0, "Signature", HFILL }},
7037 { &hf_netlogon_secchan_verf_unk,
7038 { "Unknown", "netlogon.secchan.unk", FT_BYTES, BASE_HEX, NULL,
7039 0x0, "Unknown", HFILL }},
7041 { &hf_netlogon_secchan_verf_seq,
7042 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL,
7043 0x0, "Sequence No", HFILL }},
7045 { &hf_netlogon_secchan_verf_nonce,
7046 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL,
7047 0x0, "Nonce", HFILL }},
7050 static gint *ett[] = {
7051 &ett_dcerpc_netlogon,
7057 &ett_DOMAIN_CONTROLLER_INFO,
7058 &ett_UNICODE_STRING_512,
7061 &ett_DELTA_ID_UNION,
7064 &ett_LM_OWF_PASSWORD,
7065 &ett_NT_OWF_PASSWORD,
7066 &ett_GROUP_MEMBERSHIP,
7067 &ett_DS_DOMAIN_TRUSTS,
7069 &ett_DOMAIN_TRUST_INFO,
7071 &ett_get_dcname_request_flags,
7073 &ett_secchan_bind_creds,
7074 &ett_secchan_bind_ack_creds,
7078 proto_dcerpc_netlogon = proto_register_protocol(
7079 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7081 proto_register_field_array(proto_dcerpc_netlogon, hf,
7083 proto_register_subtree_array(ett, array_length(ett));
7086 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
7087 dissect_secchan_bind_creds, /* Bind */
7088 dissect_secchan_bind_ack_creds, /* Bind ACK */
7090 dissect_secchan_verf, /* Request verifier */
7091 dissect_secchan_verf, /* Response verifier */
7092 NULL, /* Request data */
7093 NULL /* Response data */
7097 proto_reg_handoff_dcerpc_netlogon(void)
7099 /* Register protocol as dcerpc */
7101 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7102 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7103 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
7105 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
7106 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7108 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
7109 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
git.samba.org / obnox / wireshark / wip.git / blob