1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.77 2003/04/27 00:49:13 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_logon_count = -1;
116 static int hf_netlogon_logon_count16 = -1;
117 static int hf_netlogon_bad_pw_count = -1;
118 static int hf_netlogon_bad_pw_count16 = -1;
119 static int hf_netlogon_user_rid = -1;
120 static int hf_netlogon_alias_rid = -1;
121 static int hf_netlogon_group_rid = -1;
122 static int hf_netlogon_logon_srv = -1;
123 static int hf_netlogon_principal = -1;
124 static int hf_netlogon_logon_dom = -1;
125 static int hf_netlogon_downlevel_domain_name = -1;
126 static int hf_netlogon_dns_domain_name = -1;
127 static int hf_netlogon_domain_name = -1;
128 static int hf_netlogon_domain_create_time = -1;
129 static int hf_netlogon_domain_modify_time = -1;
130 static int hf_netlogon_modify_count = -1;
131 static int hf_netlogon_db_modify_time = -1;
132 static int hf_netlogon_db_create_time = -1;
133 static int hf_netlogon_oem_info = -1;
134 static int hf_netlogon_serial_number = -1;
135 static int hf_netlogon_num_rids = -1;
136 static int hf_netlogon_num_trusts = -1;
137 static int hf_netlogon_num_controllers = -1;
138 static int hf_netlogon_num_other_groups = -1;
139 static int hf_netlogon_computer_name = -1;
140 static int hf_netlogon_site_name = -1;
141 static int hf_netlogon_trusted_dc_name = -1;
142 static int hf_netlogon_dc_name = -1;
143 static int hf_netlogon_dc_site_name = -1;
144 static int hf_netlogon_dns_forest_name = -1;
145 static int hf_netlogon_dc_address = -1;
146 static int hf_netlogon_dc_address_type = -1;
147 static int hf_netlogon_client_site_name = -1;
148 static int hf_netlogon_workstation = -1;
149 static int hf_netlogon_workstation_site_name = -1;
150 static int hf_netlogon_workstation_os = -1;
151 static int hf_netlogon_workstations = -1;
152 static int hf_netlogon_workstation_fqdn = -1;
153 static int hf_netlogon_group_name = -1;
154 static int hf_netlogon_alias_name = -1;
155 static int hf_netlogon_country = -1;
156 static int hf_netlogon_codepage = -1;
157 static int hf_netlogon_flags = -1;
158 static int hf_netlogon_trust_attribs = -1;
159 static int hf_netlogon_trust_type = -1;
160 static int hf_netlogon_trust_flags = -1;
161 static int hf_netlogon_trust_flags_inbound = -1;
162 static int hf_netlogon_trust_flags_outbound = -1;
163 static int hf_netlogon_trust_flags_in_forest = -1;
164 static int hf_netlogon_trust_flags_native_mode = -1;
165 static int hf_netlogon_trust_flags_primary = -1;
166 static int hf_netlogon_trust_flags_tree_root = -1;
167 static int hf_netlogon_trust_parent_index = -1;
168 static int hf_netlogon_user_flags = -1;
169 static int hf_netlogon_auth_flags = -1;
170 static int hf_netlogon_pwd_expired = -1;
171 static int hf_netlogon_nt_pwd_present = -1;
172 static int hf_netlogon_lm_pwd_present = -1;
173 static int hf_netlogon_code = -1;
174 static int hf_netlogon_database_id = -1;
175 static int hf_netlogon_sync_context = -1;
176 static int hf_netlogon_max_size = -1;
177 static int hf_netlogon_max_log_size = -1;
178 static int hf_netlogon_dns_host = -1;
179 static int hf_netlogon_acct_expiry_time = -1;
180 static int hf_netlogon_encrypted_lm_owf_password = -1;
181 static int hf_netlogon_lm_owf_password = -1;
182 static int hf_netlogon_nt_owf_password = -1;
183 static int hf_netlogon_param_ctrl = -1;
184 static int hf_netlogon_logon_id = -1;
185 static int hf_netlogon_num_deltas = -1;
186 static int hf_netlogon_user_session_key = -1;
187 static int hf_netlogon_blob_size = -1;
188 static int hf_netlogon_blob = -1;
189 static int hf_netlogon_logon_attempts = -1;
190 static int hf_netlogon_authoritative = -1;
191 static int hf_netlogon_secure_channel_type = -1;
192 static int hf_netlogon_logonsrv_handle = -1;
193 static int hf_netlogon_delta_type = -1;
194 static int hf_netlogon_get_dcname_request_flags = -1;
195 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
196 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
197 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
198 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
199 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
200 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
201 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
202 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
203 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
204 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
205 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
206 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
207 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
208 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
209 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
210 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
211 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
212 static int hf_netlogon_dc_flags = -1;
213 static int hf_netlogon_dc_flags_pdc_flag = -1;
214 static int hf_netlogon_dc_flags_gc_flag = -1;
215 static int hf_netlogon_dc_flags_ldap_flag = -1;
216 static int hf_netlogon_dc_flags_ds_flag = -1;
217 static int hf_netlogon_dc_flags_kdc_flag = -1;
218 static int hf_netlogon_dc_flags_timeserv_flag = -1;
219 static int hf_netlogon_dc_flags_closest_flag = -1;
220 static int hf_netlogon_dc_flags_writable_flag = -1;
221 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
222 static int hf_netlogon_dc_flags_ndnc_flag = -1;
223 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
224 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
225 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
227 static gint ett_dcerpc_netlogon = -1;
228 static gint ett_QUOTA_LIMITS = -1;
229 static gint ett_IDENTITY_INFO = -1;
230 static gint ett_DELTA_ENUM = -1;
231 static gint ett_CYPHER_VALUE = -1;
232 static gint ett_UNICODE_MULTI = -1;
233 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
234 static gint ett_UNICODE_STRING_512 = -1;
235 static gint ett_TYPE_50 = -1;
236 static gint ett_TYPE_52 = -1;
237 static gint ett_DELTA_ID_UNION = -1;
238 static gint ett_TYPE_44 = -1;
239 static gint ett_DELTA_UNION = -1;
240 static gint ett_LM_OWF_PASSWORD = -1;
241 static gint ett_NT_OWF_PASSWORD = -1;
242 static gint ett_GROUP_MEMBERSHIP = -1;
243 static gint ett_BLOB = -1;
244 static gint ett_DS_DOMAIN_TRUSTS = -1;
245 static gint ett_DOMAIN_TRUST_INFO = -1;
246 static gint ett_trust_flags = -1;
247 static gint ett_get_dcname_request_flags = -1;
248 static gint ett_dc_flags = -1;
250 static e_uuid_t uuid_dcerpc_netlogon = {
251 0x12345678, 0x1234, 0xabcd,
252 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
255 static guint16 ver_dcerpc_netlogon = 1;
260 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
261 packet_info *pinfo, proto_tree *tree,
264 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
265 NDR_POINTER_UNIQUE, "Server Handle",
266 hf_netlogon_logonsrv_handle, 0);
272 * IDL typedef struct {
273 * IDL [unique][string] wchar_t *effective_name;
275 * IDL long auth_flags;
276 * IDL long logon_count;
277 * IDL long bad_pw_count;
278 * IDL long last_logon;
279 * IDL long last_logoff;
280 * IDL long logoff_time;
281 * IDL long kickoff_time;
282 * IDL long password_age;
283 * IDL long pw_can_change;
284 * IDL long pw_must_change;
285 * IDL [unique][string] wchar_t *computer;
286 * IDL [unique][string] wchar_t *domain;
287 * IDL [unique][string] wchar_t *script_path;
291 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
292 packet_info *pinfo, proto_tree *tree,
297 di=pinfo->private_data;
298 if(di->conformant_run){
299 /*just a run to handle conformant arrays, nothing to dissect */
303 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
304 NDR_POINTER_UNIQUE, "Effective Account",
305 hf_netlogon_acct_name, 0);
307 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
308 hf_netlogon_priv, NULL);
310 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
311 hf_netlogon_auth_flags, NULL);
313 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
314 hf_netlogon_logon_count, NULL);
316 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
317 hf_netlogon_bad_pw_count, NULL);
319 /* XXX - are these all UNIX "time_t"s, like the time stamps in
322 Or are they, as per some RAP-based operations, UTIMEs? */
323 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
326 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
329 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
332 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
335 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
338 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
341 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
344 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
345 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
347 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
348 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
350 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
351 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
353 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
354 hf_netlogon_reserved, NULL);
360 * IDL long NetLogonUasLogon(
361 * IDL [in][unique][string] wchar_t *ServerName,
362 * IDL [in][ref][string] wchar_t *UserName,
363 * IDL [in][ref][string] wchar_t *Workstation,
364 * IDL [out][unique] VALIDATION_UAS_INFO *info
368 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
369 packet_info *pinfo, proto_tree *tree, char *drep)
371 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
374 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
375 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
377 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
378 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
385 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
386 packet_info *pinfo, proto_tree *tree, char *drep)
388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
389 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
390 "VALIDATION_UAS_INFO", -1);
392 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
393 hf_netlogon_rc, NULL);
399 * IDL typedef struct {
401 * IDL short logon_count;
402 * IDL } LOGOFF_UAS_INFO;
405 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
406 packet_info *pinfo, proto_tree *tree,
411 di=pinfo->private_data;
412 if(di->conformant_run){
413 /*just a run to handle conformant arrays, nothing to dissect */
417 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
420 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
421 hf_netlogon_logon_count16, NULL);
427 * IDL long NetLogonUasLogoff(
428 * IDL [in][unique][string] wchar_t *ServerName,
429 * IDL [in][ref][string] wchar_t *UserName,
430 * IDL [in][ref][string] wchar_t *Workstation,
431 * IDL [out][ref] LOGOFF_UAS_INFO *info
435 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
436 packet_info *pinfo, proto_tree *tree, char *drep)
438 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
441 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
442 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
444 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
445 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
452 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
453 packet_info *pinfo, proto_tree *tree, char *drep)
455 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
456 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
457 "LOGOFF_UAS_INFO", -1);
459 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
460 hf_netlogon_rc, NULL);
469 * IDL typedef struct {
470 * IDL UNICODESTRING LogonDomainName;
471 * IDL long ParameterControl;
472 * IDL uint64 LogonID;
473 * IDL UNICODESTRING UserName;
474 * IDL UNICODESTRING Workstation;
475 * IDL } LOGON_IDENTITY_INFO;
478 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
479 packet_info *pinfo, proto_tree *parent_tree,
482 proto_item *item=NULL;
483 proto_tree *tree=NULL;
484 int old_offset=offset;
487 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
489 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
492 /* XXX: It would be nice to get the domain and account name
493 displayed in COL_INFO. */
495 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
496 hf_netlogon_logon_dom, 0);
498 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
499 hf_netlogon_param_ctrl, NULL);
501 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
502 hf_netlogon_logon_id, NULL);
504 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
505 hf_netlogon_acct_name, 0);
507 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
508 hf_netlogon_workstation, 0);
511 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
512 /* XXX 8 extra bytes here */
513 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
514 the idl file. Could be a bug in either the NETLOGON implementation or in the
517 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
520 proto_item_set_len(item, offset-old_offset);
526 * IDL typedef struct {
527 * IDL char password[16];
528 * IDL } LM_OWF_PASSWORD;
531 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
532 packet_info *pinfo, proto_tree *parent_tree,
535 proto_item *item=NULL;
536 proto_tree *tree=NULL;
539 di=pinfo->private_data;
540 if(di->conformant_run){
541 /*just a run to handle conformant arrays, nothing to dissect.*/
546 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
548 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
551 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
559 * IDL typedef struct {
560 * IDL char password[16];
561 * IDL } NT_OWF_PASSWORD;
564 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
565 packet_info *pinfo, proto_tree *parent_tree,
568 proto_item *item=NULL;
569 proto_tree *tree=NULL;
572 di=pinfo->private_data;
573 if(di->conformant_run){
574 /*just a run to handle conformant arrays, nothing to dissect.*/
579 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
581 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
584 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
593 * IDL typedef struct {
594 * IDL LOGON_IDENTITY_INFO identity_info;
595 * IDL LM_OWF_PASSWORD lmpassword;
596 * IDL NT_OWF_PASSWORD ntpassword;
597 * IDL } INTERACTIVE_INFO;
600 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
601 packet_info *pinfo, proto_tree *tree,
604 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
607 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
610 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
617 * IDL typedef struct {
622 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
623 packet_info *pinfo, proto_tree *tree,
628 di=pinfo->private_data;
629 if(di->conformant_run){
630 /*just a run to handle conformant arrays, nothing to dissect.*/
634 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
642 * IDL typedef struct {
643 * IDL LOGON_IDENTITY_INFO logon_info;
644 * IDL CHALLENGE chal;
645 * IDL STRING ntchallengeresponse;
646 * IDL STRING lmchallengeresponse;
647 * IDL } NETWORK_INFO;
650 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
651 packet_info *pinfo, proto_tree *tree,
654 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
657 offset = netlogon_dissect_CHALLENGE(tvb, offset,
660 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
661 hf_netlogon_nt_chal_resp);
663 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
664 hf_netlogon_lm_chal_resp);
670 * IDL typedef struct {
671 * IDL LOGON_IDENTITY_INFO logon_info;
672 * IDL LM_OWF_PASSWORD lmpassword;
673 * IDL NT_OWF_PASSWORD ntpassword;
674 * IDL } SERVICE_INFO;
677 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
678 packet_info *pinfo, proto_tree *tree,
681 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
684 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
687 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
694 * IDL typedef [switch_type(short)] union {
695 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
696 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
697 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
701 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
702 packet_info *pinfo, proto_tree *tree,
707 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
708 hf_netlogon_level16, &level);
713 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
714 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
715 "INTERACTIVE_INFO:", -1);
718 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
719 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
720 "NETWORK_INFO:", -1);
723 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
724 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
725 "SERVICE_INFO:", -1);
733 * IDL typedef struct {
738 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
739 packet_info *pinfo, proto_tree *tree,
744 di=pinfo->private_data;
745 if(di->conformant_run){
746 /*just a run to handle conformant arrays, nothing to dissect.*/
750 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
759 * IDL typedef struct {
760 * IDL CREDENTIAL cred;
761 * IDL long timestamp;
762 * IDL } AUTHENTICATOR;
765 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
766 packet_info *pinfo, proto_tree *tree,
772 di=pinfo->private_data;
773 if(di->conformant_run){
774 /*just a run to handle conformant arrays, nothing to dissect */
778 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
782 * XXX - this appears to be a UNIX time_t in some credentials, but
783 * appears to be random junk in other credentials.
784 * For example, it looks like a UNIX time_t in "credential"
785 * AUTHENTICATORs, but like random junk in "return_authenticator"
789 ts.secs = tvb_get_letohl(tvb, offset);
791 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
799 * IDL typedef struct {
801 * IDL long attributes;
802 * IDL } GROUP_MEMBERSHIP;
805 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
806 packet_info *pinfo, proto_tree *parent_tree,
809 proto_item *item=NULL;
810 proto_tree *tree=NULL;
813 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
814 "GROUP_MEMBERSHIP:");
815 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
818 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
819 hf_netlogon_user_rid, NULL);
821 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
822 hf_netlogon_attrs, NULL);
828 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
829 packet_info *pinfo, proto_tree *tree,
832 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
833 netlogon_dissect_GROUP_MEMBERSHIP);
839 * IDL typedef struct {
840 * IDL char user_session_key[16];
841 * IDL } USER_SESSION_KEY;
844 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
845 packet_info *pinfo, proto_tree *tree,
850 di=pinfo->private_data;
851 if(di->conformant_run){
852 /*just a run to handle conformant arrays, nothing to dissect.*/
856 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
864 * IDL typedef struct {
865 * IDL uint64 LogonTime;
866 * IDL uint64 LogoffTime;
867 * IDL uint64 KickOffTime;
868 * IDL uint64 PasswdLastSet;
869 * IDL uint64 PasswdCanChange;
870 * IDL uint64 PasswdMustChange;
871 * IDL unicodestring effectivename;
872 * IDL unicodestring fullname;
873 * IDL unicodestring logonscript;
874 * IDL unicodestring profilepath;
875 * IDL unicodestring homedirectory;
876 * IDL unicodestring homedirectorydrive;
877 * IDL short LogonCount;
878 * IDL short BadPasswdCount;
880 * IDL long primarygroup;
881 * IDL long groupcount;
882 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
883 * IDL long userflags;
884 * IDL USER_SESSION_KEY key;
885 * IDL unicodestring logonserver;
886 * IDL unicodestring domainname;
887 * IDL [unique] SID logondomainid;
888 * IDL long expansionroom[10];
889 * IDL } VALIDATION_SAM_INFO;
892 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
893 packet_info *pinfo, proto_tree *tree,
898 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
899 hf_netlogon_logon_time);
901 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
902 hf_netlogon_logoff_time);
904 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
905 hf_netlogon_kickoff_time);
907 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
908 hf_netlogon_pwd_last_set_time);
910 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
911 hf_netlogon_pwd_can_change_time);
913 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
914 hf_netlogon_pwd_must_change_time);
916 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
917 hf_netlogon_acct_name, 0);
919 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
920 hf_netlogon_full_name, 0);
922 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
923 hf_netlogon_logon_script, 0);
925 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
926 hf_netlogon_profile_path, 0);
928 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
929 hf_netlogon_home_dir, 0);
931 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
932 hf_netlogon_dir_drive, 0);
934 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
935 hf_netlogon_logon_count16, NULL);
937 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
938 hf_netlogon_bad_pw_count16, NULL);
940 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
941 hf_netlogon_user_rid, NULL);
943 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
944 hf_netlogon_group_rid, NULL);
946 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
947 hf_netlogon_num_rids, NULL);
949 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
950 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
951 "GROUP_MEMBERSHIP_ARRAY", -1);
953 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
954 hf_netlogon_user_flags, NULL);
956 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
959 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
960 hf_netlogon_logon_srv, 0);
962 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
963 hf_netlogon_logon_dom, 0);
965 offset = dissect_ndr_nt_PSID(tvb, offset,
969 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
970 hf_netlogon_reserved, NULL);
979 * IDL typedef struct {
980 * IDL uint64 LogonTime;
981 * IDL uint64 LogoffTime;
982 * IDL uint64 KickOffTime;
983 * IDL uint64 PasswdLastSet;
984 * IDL uint64 PasswdCanChange;
985 * IDL uint64 PasswdMustChange;
986 * IDL unicodestring effectivename;
987 * IDL unicodestring fullname;
988 * IDL unicodestring logonscript;
989 * IDL unicodestring profilepath;
990 * IDL unicodestring homedirectory;
991 * IDL unicodestring homedirectorydrive;
992 * IDL short LogonCount;
993 * IDL short BadPasswdCount;
995 * IDL long primarygroup;
996 * IDL long groupcount;
997 * IDL [unique] GROUP_MEMBERSHIP *groupids;
998 * IDL long userflags;
999 * IDL USER_SESSION_KEY key;
1000 * IDL unicodestring logonserver;
1001 * IDL unicodestring domainname;
1002 * IDL [unique] SID logondomainid;
1003 * IDL long expansionroom[10];
1004 * IDL long sidcount;
1005 * IDL [unique] SID_AND_ATTRIBS;
1006 * IDL } VALIDATION_SAM_INFO2;
1009 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1010 packet_info *pinfo, proto_tree *tree,
1015 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1016 hf_netlogon_logon_time);
1018 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1019 hf_netlogon_logoff_time);
1021 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1022 hf_netlogon_kickoff_time);
1024 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1025 hf_netlogon_pwd_last_set_time);
1027 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1028 hf_netlogon_pwd_can_change_time);
1030 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1031 hf_netlogon_pwd_must_change_time);
1033 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1034 hf_netlogon_acct_name, 0);
1036 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1037 hf_netlogon_full_name, 0);
1039 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1040 hf_netlogon_logon_script, 0);
1042 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1043 hf_netlogon_profile_path, 0);
1045 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1046 hf_netlogon_home_dir, 0);
1048 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1049 hf_netlogon_dir_drive, 0);
1051 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1052 hf_netlogon_logon_count16, NULL);
1054 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1055 hf_netlogon_bad_pw_count16, NULL);
1057 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1058 hf_netlogon_user_rid, NULL);
1060 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1061 hf_netlogon_group_rid, NULL);
1063 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1064 hf_netlogon_num_rids, NULL);
1066 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1067 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1068 "GROUP_MEMBERSHIP_ARRAY", -1);
1070 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1071 hf_netlogon_user_flags, NULL);
1073 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1076 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1077 hf_netlogon_logon_srv, 0);
1079 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1080 hf_netlogon_logon_dom, 0);
1082 offset = dissect_ndr_nt_PSID(tvb, offset,
1086 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1087 hf_netlogon_unknown_long, NULL);
1090 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1091 hf_netlogon_num_other_groups, NULL);
1093 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1094 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1095 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1103 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1104 packet_info *pinfo, proto_tree *tree,
1110 di=pinfo->private_data;
1111 if(di->conformant_run){
1112 /*just a run to handle conformant arrays, nothing to dissect */
1116 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1117 hf_netlogon_pac_size, &pac_size);
1119 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1127 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1128 packet_info *pinfo, proto_tree *tree,
1134 di=pinfo->private_data;
1135 if(di->conformant_run){
1136 /*just a run to handle conformant arrays, nothing to dissect */
1140 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1141 hf_netlogon_auth_size, &auth_size);
1143 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1145 offset += auth_size;
1152 * IDL typedef struct {
1154 * IDL [unique][size_is(pac_size)] char *pac;
1155 * IDL UNICODESTRING logondomain;
1156 * IDL UNICODESTRING logonserver;
1157 * IDL UNICODESTRING principalname;
1158 * IDL long auth_size;
1159 * IDL [unique][size_is(auth_size)] char *auth;
1160 * IDL USER_SESSION_KEY user_session_key;
1161 * IDL long expansionroom[10];
1162 * IDL UNICODESTRING dummy1;
1163 * IDL UNICODESTRING dummy2;
1164 * IDL UNICODESTRING dummy3;
1165 * IDL UNICODESTRING dummy4;
1166 * IDL } VALIDATION_PAC_INFO;
1169 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1170 packet_info *pinfo, proto_tree *tree,
1175 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1176 hf_netlogon_pac_size, NULL);
1178 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1179 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1181 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1182 hf_netlogon_logon_dom, 0);
1184 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1185 hf_netlogon_logon_srv, 0);
1187 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1188 hf_netlogon_principal, 0);
1190 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1191 hf_netlogon_auth_size, NULL);
1193 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1194 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1196 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1200 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1201 hf_netlogon_unknown_long, NULL);
1204 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1205 hf_netlogon_dummy, 0);
1207 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1208 hf_netlogon_dummy, 0);
1210 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1211 hf_netlogon_dummy, 0);
1213 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1214 hf_netlogon_dummy, 0);
1221 * IDL typedef [switch_type(short)] union {
1222 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1223 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1224 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1225 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1229 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1230 packet_info *pinfo, proto_tree *tree,
1235 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1236 hf_netlogon_validation_level, &level);
1241 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1242 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1243 "VALIDATION_SAM_INFO:", -1);
1246 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1247 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1248 "VALIDATION_SAM_INFO2:", -1);
1251 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1252 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1253 "VALIDATION_PAC_INFO:", -1);
1256 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1257 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1258 "VALIDATION_PAC_INFO:", -1);
1267 * IDL long NetLogonSamLogon(
1268 * IDL [in][unique][string] wchar_t *ServerName,
1269 * IDL [in][unique][string] wchar_t *Workstation,
1270 * IDL [in][unique] AUTHENTICATOR *credential,
1271 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1272 * IDL [in] short LogonLevel,
1273 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1274 * IDL [in] short ValidationLevel,
1275 * IDL [out][ref] VALIDATION *validation,
1276 * IDL [out][ref] boolean Authorative
1280 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1281 packet_info *pinfo, proto_tree *tree, char *drep)
1283 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1286 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1287 NDR_POINTER_UNIQUE, "Computer Name",
1288 hf_netlogon_computer_name, 0);
1290 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1291 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1292 "AUTHENTICATOR: credential", -1);
1294 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1295 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1296 "AUTHENTICATOR: return_authenticator", -1);
1298 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1299 hf_netlogon_level16, NULL);
1301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1302 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1303 "LEVEL: LogonLevel", -1);
1305 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1306 hf_netlogon_validation_level, NULL);
1312 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1313 packet_info *pinfo, proto_tree *tree, char *drep)
1315 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1316 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1317 "AUTHENTICATOR: return_authenticator", -1);
1319 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1320 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1323 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1324 hf_netlogon_authoritative, NULL);
1326 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1327 hf_netlogon_rc, NULL);
1334 * IDL long NetLogonSamLogoff(
1335 * IDL [in][unique][string] wchar_t *ServerName,
1336 * IDL [in][unique][string] wchar_t *ComputerName,
1337 * IDL [in][unique] AUTHENTICATOR credential,
1338 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1339 * IDL [in] short logon_level,
1340 * IDL [in][ref] LEVEL logoninformation
1344 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1345 packet_info *pinfo, proto_tree *tree, char *drep)
1347 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1350 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1351 NDR_POINTER_UNIQUE, "Computer Name",
1352 hf_netlogon_computer_name, 0);
1354 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1355 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1356 "AUTHENTICATOR: credential", -1);
1358 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1359 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1360 "AUTHENTICATOR: return_authenticator", -1);
1362 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1363 hf_netlogon_level16, NULL);
1365 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1366 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1367 "LEVEL: logoninformation", -1);
1372 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1373 packet_info *pinfo, proto_tree *tree, char *drep)
1376 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1377 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1378 "AUTHENTICATOR: return_authenticator", -1);
1380 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1381 hf_netlogon_rc, NULL);
1388 * IDL long NetServerReqChallenge(
1389 * IDL [in][unique][string] wchar_t *ServerName,
1390 * IDL [in][ref][string] wchar_t *ComputerName,
1391 * IDL [in][ref] CREDENTIAL client_credential,
1392 * IDL [out][ref] CREDENTIAL server_credential
1396 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1397 packet_info *pinfo, proto_tree *tree, char *drep)
1399 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1402 offset = dissect_ndr_pointer_cb(
1403 tvb, offset, pinfo, tree, drep,
1404 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1405 "Computer Name", hf_netlogon_computer_name,
1406 cb_wstr_postprocess,
1407 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1409 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1410 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1411 "CREDENTIAL: client challenge", -1);
1416 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1417 packet_info *pinfo, proto_tree *tree, char *drep)
1419 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1420 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1421 "CREDENTIAL: server credential", -1);
1423 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1424 hf_netlogon_rc, NULL);
1431 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1432 packet_info *pinfo, proto_tree *tree,
1435 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1436 hf_netlogon_secure_channel_type, NULL);
1443 * IDL long NetServerAuthenticate(
1444 * IDL [in][unique][string] wchar_t *ServerName,
1445 * IDL [in][ref][string] wchar_t *UserName,
1446 * IDL [in] short secure_challenge_type,
1447 * IDL [in][ref][string] wchar_t *ComputerName,
1448 * IDL [in][ref] CREDENTIAL client_challenge,
1449 * IDL [out][ref] CREDENTIAL server_challenge
1453 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1454 packet_info *pinfo, proto_tree *tree, char *drep)
1456 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1459 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1460 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1462 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1465 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1466 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1468 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1469 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1470 "CREDENTIAL: client challenge", -1);
1475 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1476 packet_info *pinfo, proto_tree *tree, char *drep)
1478 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1479 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1480 "CREDENTIAL: server challenge", -1);
1482 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1483 hf_netlogon_rc, NULL);
1491 * IDL typedef struct {
1492 * IDL char encrypted_password[16];
1493 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1496 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1497 packet_info *pinfo, proto_tree *tree,
1502 di=pinfo->private_data;
1503 if(di->conformant_run){
1504 /*just a run to handle conformant arrays, nothing to dissect.*/
1508 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1516 * IDL long NetServerPasswordSet(
1517 * IDL [in][unique][string] wchar_t *ServerName,
1518 * IDL [in][ref][string] wchar_t *UserName,
1519 * IDL [in] short secure_challenge_type,
1520 * IDL [in][ref][string] wchar_t *ComputerName,
1521 * IDL [in][ref] AUTHENTICATOR credential,
1522 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1523 * IDL [out][ref] AUTHENTICATOR return_authenticator
1527 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1528 packet_info *pinfo, proto_tree *tree, char *drep)
1530 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1533 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1534 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1536 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1539 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1540 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1542 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1543 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1544 "AUTHENTICATOR: credential", -1);
1546 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1547 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1548 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
1553 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1554 packet_info *pinfo, proto_tree *tree, char *drep)
1556 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1557 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1558 "AUTHENTICATOR: return_authenticator", -1);
1560 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1561 hf_netlogon_rc, NULL);
1568 * IDL typedef struct {
1569 * IDL [unique][string] wchar_t *UserName;
1570 * IDL UNICODESTRING dummy1;
1571 * IDL UNICODESTRING dummy2;
1572 * IDL UNICODESTRING dummy3;
1573 * IDL UNICODESTRING dummy4;
1578 * IDL } DELTA_DELETE_USER;
1581 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1582 packet_info *pinfo, proto_tree *tree,
1585 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1586 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
1588 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1589 hf_netlogon_dummy, 0);
1591 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1592 hf_netlogon_dummy, 0);
1594 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1595 hf_netlogon_dummy, 0);
1597 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1598 hf_netlogon_dummy, 0);
1600 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1601 hf_netlogon_reserved, NULL);
1603 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1604 hf_netlogon_reserved, NULL);
1606 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1607 hf_netlogon_reserved, NULL);
1609 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1610 hf_netlogon_reserved, NULL);
1617 * IDL typedef struct {
1618 * IDL bool SensitiveDataFlag;
1619 * IDL long DataLength;
1620 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1621 * IDL } USER_PRIVATE_INFO;
1624 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1625 packet_info *pinfo, proto_tree *tree,
1631 di=pinfo->private_data;
1632 if(di->conformant_run){
1633 /*just a run to handle conformant arrays, nothing to dissect */
1637 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1638 hf_netlogon_sensitive_data_len, &data_len);
1640 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
1647 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1648 packet_info *pinfo, proto_tree *tree,
1651 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1652 hf_netlogon_sensitive_data_flag, NULL);
1654 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1655 hf_netlogon_sensitive_data_len, NULL);
1657 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1658 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1659 "SENSITIVE_DATA", -1);
1665 * IDL typedef struct {
1666 * IDL UNICODESTRING UserName;
1667 * IDL UNICODESTRING FullName;
1669 * IDL long PrimaryGroupID;
1670 * IDL UNICODESTRING HomeDir;
1671 * IDL UNICODESTRING HomeDirDrive;
1672 * IDL UNICODESTRING LogonScript;
1673 * IDL UNICODESTRING Comment;
1674 * IDL UNICODESTRING Workstations;
1675 * IDL NTTIME LastLogon;
1676 * IDL NTTIME LastLogoff;
1677 * IDL LOGON_HOURS logonhours;
1678 * IDL short BadPwCount;
1679 * IDL short LogonCount;
1680 * IDL NTTIME PwLastSet;
1681 * IDL NTTIME AccountExpires;
1682 * IDL long AccountControl;
1683 * IDL LM_OWF_PASSWORD lmpw;
1684 * IDL NT_OWF_PASSWORD ntpw;
1685 * IDL bool NTPwPresent;
1686 * IDL bool LMPwPresent;
1687 * IDL bool PwExpired;
1688 * IDL UNICODESTRING UserComment;
1689 * IDL UNICODESTRING Parameters;
1690 * IDL short CountryCode;
1691 * IDL short CodePage;
1692 * IDL USER_PRIVATE_INFO user_private_info;
1693 * IDL long SecurityInformation;
1694 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1695 * IDL UNICODESTRING dummy1;
1696 * IDL UNICODESTRING dummy2;
1697 * IDL UNICODESTRING dummy3;
1698 * IDL UNICODESTRING dummy4;
1706 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1707 packet_info *pinfo, proto_tree *tree,
1710 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1711 hf_netlogon_acct_name, 0);
1713 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1714 hf_netlogon_full_name, 0);
1716 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1717 hf_netlogon_user_rid, NULL);
1719 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1720 hf_netlogon_group_rid, NULL);
1722 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1723 hf_netlogon_home_dir, 0);
1725 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1726 hf_netlogon_dir_drive, 0);
1728 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1729 hf_netlogon_logon_script, 0);
1731 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1732 hf_netlogon_acct_desc, 0);
1734 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1735 hf_netlogon_workstations, 0);
1737 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1738 hf_netlogon_logon_time);
1740 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1741 hf_netlogon_logoff_time);
1743 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1745 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1746 hf_netlogon_bad_pw_count16, NULL);
1748 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1749 hf_netlogon_logon_count16, NULL);
1751 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1752 hf_netlogon_pwd_last_set_time);
1754 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1755 hf_netlogon_acct_expiry_time);
1757 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
1759 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1762 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1765 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1766 hf_netlogon_nt_pwd_present, NULL);
1768 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_lm_pwd_present, NULL);
1771 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1772 hf_netlogon_pwd_expired, NULL);
1774 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1775 hf_netlogon_comment, 0);
1777 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1778 hf_netlogon_parameters, 0);
1780 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1781 hf_netlogon_country, NULL);
1783 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1784 hf_netlogon_codepage, NULL);
1786 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1789 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1790 hf_netlogon_security_information, NULL);
1792 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1795 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1796 hf_netlogon_dummy, 0);
1798 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1799 hf_netlogon_dummy, 0);
1801 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1802 hf_netlogon_dummy, 0);
1804 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1805 hf_netlogon_dummy, 0);
1807 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1808 hf_netlogon_reserved, NULL);
1810 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1811 hf_netlogon_reserved, NULL);
1813 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1814 hf_netlogon_reserved, NULL);
1816 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1817 hf_netlogon_reserved, NULL);
1824 * IDL typedef struct {
1825 * IDL UNICODESTRING DomainName;
1826 * IDL UNICODESTRING OEMInfo;
1827 * IDL NTTIME forcedlogoff;
1828 * IDL short minpasswdlen;
1829 * IDL short passwdhistorylen;
1830 * IDL NTTIME pwd_must_change_time;
1831 * IDL NTTIME pwd_can_change_time;
1832 * IDL NTTIME domain_modify_time;
1833 * IDL NTTIME domain_create_time;
1834 * IDL long SecurityInformation;
1835 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1836 * IDL UNICODESTRING dummy1;
1837 * IDL UNICODESTRING dummy2;
1838 * IDL UNICODESTRING dummy3;
1839 * IDL UNICODESTRING dummy4;
1844 * IDL } DELTA_DOMAIN;
1847 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1848 packet_info *pinfo, proto_tree *tree,
1851 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1852 hf_netlogon_domain_name, 1);
1854 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1855 hf_netlogon_oem_info, 0);
1857 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1858 hf_netlogon_kickoff_time);
1860 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1861 hf_netlogon_minpasswdlen, NULL);
1863 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1864 hf_netlogon_passwdhistorylen, NULL);
1866 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1867 hf_netlogon_pwd_must_change_time);
1869 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1870 hf_netlogon_pwd_can_change_time);
1872 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1873 hf_netlogon_domain_modify_time);
1875 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1876 hf_netlogon_domain_create_time);
1878 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1879 hf_netlogon_security_information, NULL);
1881 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1884 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1885 hf_netlogon_dummy, 0);
1887 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1888 hf_netlogon_dummy, 0);
1890 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1891 hf_netlogon_dummy, 0);
1893 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1894 hf_netlogon_dummy, 0);
1896 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1897 hf_netlogon_reserved, NULL);
1899 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1900 hf_netlogon_reserved, NULL);
1902 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1903 hf_netlogon_reserved, NULL);
1905 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1906 hf_netlogon_reserved, NULL);
1913 * IDL typedef struct {
1914 * IDL UNICODESTRING groupname;
1915 * IDL GROUP_MEMBERSHIP group_membership;
1916 * IDL UNICODESTRING comment;
1917 * IDL long SecurityInformation;
1918 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1919 * IDL UNICODESTRING dummy1;
1920 * IDL UNICODESTRING dummy2;
1921 * IDL UNICODESTRING dummy3;
1922 * IDL UNICODESTRING dummy4;
1927 * IDL } DELTA_GROUP;
1930 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1931 packet_info *pinfo, proto_tree *tree,
1934 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1935 hf_netlogon_group_name, 0);
1937 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1940 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1941 hf_netlogon_group_desc, 0);
1943 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1944 hf_netlogon_security_information, NULL);
1946 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1949 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1950 hf_netlogon_dummy, 0);
1952 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1953 hf_netlogon_dummy, 0);
1955 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1956 hf_netlogon_dummy, 0);
1958 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1959 hf_netlogon_dummy, 0);
1961 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1962 hf_netlogon_reserved, NULL);
1964 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1965 hf_netlogon_reserved, NULL);
1967 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1968 hf_netlogon_reserved, NULL);
1970 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1971 hf_netlogon_reserved, NULL);
1978 * IDL typedef struct {
1979 * IDL UNICODESTRING OldName;
1980 * IDL UNICODESTRING NewName;
1981 * IDL UNICODESTRING dummy1;
1982 * IDL UNICODESTRING dummy2;
1983 * IDL UNICODESTRING dummy3;
1984 * IDL UNICODESTRING dummy4;
1989 * IDL } DELTA_RENAME;
1992 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
1993 packet_info *pinfo, proto_tree *tree,
1998 di=pinfo->private_data;
2000 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2003 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2006 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2007 hf_netlogon_dummy, 0);
2009 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2010 hf_netlogon_dummy, 0);
2012 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2013 hf_netlogon_dummy, 0);
2015 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2016 hf_netlogon_dummy, 0);
2018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2019 hf_netlogon_reserved, NULL);
2021 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2022 hf_netlogon_reserved, NULL);
2024 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2025 hf_netlogon_reserved, NULL);
2027 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2028 hf_netlogon_reserved, NULL);
2035 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2036 packet_info *pinfo, proto_tree *tree,
2039 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2040 hf_netlogon_user_rid, NULL);
2046 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2047 packet_info *pinfo, proto_tree *tree,
2050 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2051 netlogon_dissect_RID);
2057 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2058 packet_info *pinfo, proto_tree *tree,
2061 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2062 hf_netlogon_attrs, NULL);
2068 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2069 packet_info *pinfo, proto_tree *tree,
2072 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2073 netlogon_dissect_ATTRIB);
2079 * IDL typedef struct {
2080 * IDL [unique][size_is(num_rids)] long *rids;
2081 * IDL [unique][size_is(num_rids)] long *attribs;
2082 * IDL long num_rids;
2087 * IDL } DELTA_GROUP_MEMBER;
2090 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2091 packet_info *pinfo, proto_tree *tree,
2094 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2095 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2098 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2099 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2102 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2103 hf_netlogon_num_rids, NULL);
2105 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2106 hf_netlogon_reserved, NULL);
2108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2109 hf_netlogon_reserved, NULL);
2111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2112 hf_netlogon_reserved, NULL);
2114 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2115 hf_netlogon_reserved, NULL);
2122 * IDL typedef struct {
2123 * IDL UNICODESTRING alias_name;
2125 * IDL long SecurityInformation;
2126 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2127 * IDL UNICODESTRING dummy1;
2128 * IDL UNICODESTRING dummy2;
2129 * IDL UNICODESTRING dummy3;
2130 * IDL UNICODESTRING dummy4;
2135 * IDL } DELTA_ALIAS;
2138 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2139 packet_info *pinfo, proto_tree *tree,
2142 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2143 hf_netlogon_alias_name, 0);
2145 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2146 hf_netlogon_alias_rid, NULL);
2148 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2149 hf_netlogon_security_information, NULL);
2151 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2154 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2155 hf_netlogon_dummy, 0);
2157 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2158 hf_netlogon_dummy, 0);
2160 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2161 hf_netlogon_dummy, 0);
2163 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2164 hf_netlogon_dummy, 0);
2166 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2167 hf_netlogon_reserved, NULL);
2169 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2170 hf_netlogon_reserved, NULL);
2172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2173 hf_netlogon_reserved, NULL);
2175 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2176 hf_netlogon_reserved, NULL);
2183 * IDL typedef struct {
2184 * IDL [unique] SID_ARRAY sids;
2189 * IDL } DELTA_ALIAS_MEMBER;
2192 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2193 packet_info *pinfo, proto_tree *tree,
2196 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2198 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2199 hf_netlogon_reserved, NULL);
2201 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2202 hf_netlogon_reserved, NULL);
2204 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2205 hf_netlogon_reserved, NULL);
2207 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2208 hf_netlogon_reserved, NULL);
2215 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2216 packet_info *pinfo, proto_tree *tree,
2219 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2220 hf_netlogon_event_audit_option, NULL);
2226 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2227 packet_info *pinfo, proto_tree *tree,
2230 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2231 netlogon_dissect_EVENT_AUDIT_OPTION);
2238 * IDL typedef struct {
2239 * IDL long pagedpoollimit;
2240 * IDL long nonpagedpoollimit;
2241 * IDL long minimumworkingsetsize;
2242 * IDL long maximumworkingsetsize;
2243 * IDL long pagefilelimit;
2244 * IDL NTTIME timelimit;
2245 * IDL } QUOTA_LIMITS;
2248 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2249 packet_info *pinfo, proto_tree *parent_tree,
2252 proto_item *item=NULL;
2253 proto_tree *tree=NULL;
2254 int old_offset=offset;
2257 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2259 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2262 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2263 hf_netlogon_pagedpoollimit, NULL);
2265 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2266 hf_netlogon_nonpagedpoollimit, NULL);
2268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2269 hf_netlogon_minworkingsetsize, NULL);
2271 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2272 hf_netlogon_maxworkingsetsize, NULL);
2274 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2275 hf_netlogon_pagefilelimit, NULL);
2277 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2278 hf_netlogon_timelimit);
2280 proto_item_set_len(item, offset-old_offset);
2286 * IDL typedef struct {
2287 * IDL long maxlogsize;
2288 * IDL NTTIME auditretentionperiod;
2289 * IDL bool auditingmode;
2290 * IDL long maxauditeventcount;
2291 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2292 * IDL UNICODESTRING primarydomainname;
2293 * IDL [unique] SID *sid;
2294 * IDL QUOTA_LIMITS quota_limits;
2295 * IDL NTTIME db_modify_time;
2296 * IDL NTTIME db_create_time;
2297 * IDL long SecurityInformation;
2298 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2299 * IDL UNICODESTRING dummy1;
2300 * IDL UNICODESTRING dummy2;
2301 * IDL UNICODESTRING dummy3;
2302 * IDL UNICODESTRING dummy4;
2307 * IDL } DELTA_POLICY;
2310 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2311 packet_info *pinfo, proto_tree *tree,
2314 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2315 hf_netlogon_max_log_size, NULL);
2317 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2318 hf_netlogon_audit_retention_period);
2320 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2321 hf_netlogon_auditing_mode, NULL);
2323 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2324 hf_netlogon_max_audit_event_count, NULL);
2326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2327 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2328 "Event Audit Options:", -1);
2330 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2331 hf_netlogon_domain_name, 0);
2333 offset = dissect_ndr_nt_PSID(tvb, offset,
2336 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2339 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2340 hf_netlogon_db_modify_time);
2342 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2343 hf_netlogon_db_create_time);
2345 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2346 hf_netlogon_security_information, NULL);
2348 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2351 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2352 hf_netlogon_dummy, 0);
2354 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2355 hf_netlogon_dummy, 0);
2357 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2358 hf_netlogon_dummy, 0);
2360 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2361 hf_netlogon_dummy, 0);
2363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2364 hf_netlogon_reserved, NULL);
2366 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2367 hf_netlogon_reserved, NULL);
2369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2370 hf_netlogon_reserved, NULL);
2372 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2373 hf_netlogon_reserved, NULL);
2380 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2381 packet_info *pinfo, proto_tree *tree,
2384 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2385 hf_netlogon_dc_name, 0);
2391 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2392 packet_info *pinfo, proto_tree *tree,
2395 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2396 netlogon_dissect_CONTROLLER);
2403 * IDL typedef struct {
2404 * IDL UNICODESTRING DomainName;
2405 * IDL long num_controllers;
2406 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2407 * IDL long SecurityInformation;
2408 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2409 * IDL UNICODESTRING dummy1;
2410 * IDL UNICODESTRING dummy2;
2411 * IDL UNICODESTRING dummy3;
2412 * IDL UNICODESTRING dummy4;
2417 * IDL } DELTA_TRUSTED_DOMAINS;
2420 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2421 packet_info *pinfo, proto_tree *tree,
2424 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2425 hf_netlogon_domain_name, 0);
2427 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2428 hf_netlogon_num_controllers, NULL);
2430 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2431 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2432 "Domain Controllers:", -1);
2434 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2435 hf_netlogon_security_information, NULL);
2437 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2440 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2441 hf_netlogon_dummy, 0);
2443 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2444 hf_netlogon_dummy, 0);
2446 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2447 hf_netlogon_dummy, 0);
2449 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2450 hf_netlogon_dummy, 0);
2452 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2453 hf_netlogon_reserved, NULL);
2455 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2456 hf_netlogon_reserved, NULL);
2458 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2459 hf_netlogon_reserved, NULL);
2461 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2462 hf_netlogon_reserved, NULL);
2469 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2470 packet_info *pinfo, proto_tree *tree,
2473 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2474 hf_netlogon_attrs, NULL);
2480 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2481 packet_info *pinfo, proto_tree *tree,
2484 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2485 netlogon_dissect_PRIV_ATTR);
2491 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2492 packet_info *pinfo, proto_tree *tree,
2495 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2496 hf_netlogon_privilege_name, 1);
2502 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2503 packet_info *pinfo, proto_tree *tree,
2506 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2507 netlogon_dissect_PRIV_NAME);
2515 * IDL typedef struct {
2516 * IDL long privilegeentries;
2517 * IDL long provolegecontrol;
2518 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2519 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2520 * IDL QUOTALIMITS quotalimits;
2521 * IDL long SecurityInformation;
2522 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2523 * IDL UNICODESTRING dummy1;
2524 * IDL UNICODESTRING dummy2;
2525 * IDL UNICODESTRING dummy3;
2526 * IDL UNICODESTRING dummy4;
2531 * IDL } DELTA_ACCOUNTS;
2534 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2535 packet_info *pinfo, proto_tree *tree,
2538 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2539 hf_netlogon_privilege_entries, NULL);
2541 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2542 hf_netlogon_privilege_control, NULL);
2544 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2545 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2546 "PRIV_ATTR_ARRAY:", -1);
2548 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2549 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2550 "PRIV_NAME_ARRAY:", -1);
2552 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2556 hf_netlogon_systemflags, NULL);
2558 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2559 hf_netlogon_security_information, NULL);
2561 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2564 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2565 hf_netlogon_dummy, 0);
2567 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2568 hf_netlogon_dummy, 0);
2570 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2571 hf_netlogon_dummy, 0);
2573 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2574 hf_netlogon_dummy, 0);
2576 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2577 hf_netlogon_reserved, NULL);
2579 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2580 hf_netlogon_reserved, NULL);
2582 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2583 hf_netlogon_reserved, NULL);
2585 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2586 hf_netlogon_reserved, NULL);
2592 * IDL typedef struct {
2595 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2596 * IDL } CIPHER_VALUE;
2599 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2600 packet_info *pinfo, proto_tree *tree,
2606 di=pinfo->private_data;
2607 if(di->conformant_run){
2608 /*just a run to handle conformant arrays, nothing to dissect */
2612 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2613 hf_netlogon_cipher_maxlen, NULL);
2618 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2619 hf_netlogon_cipher_len, &data_len);
2621 proto_tree_add_item(tree, di->hf_index, tvb, offset,
2628 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2629 packet_info *pinfo, proto_tree *parent_tree,
2630 char *drep, char *name, int hf_index)
2632 proto_item *item=NULL;
2633 proto_tree *tree=NULL;
2634 int old_offset=offset;
2637 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2639 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2642 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2643 hf_netlogon_cipher_len, NULL);
2645 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2646 hf_netlogon_cipher_maxlen, NULL);
2648 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2649 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
2652 proto_item_set_len(item, offset-old_offset);
2657 * IDL typedef struct {
2658 * IDL CIPHER_VALUE current_cipher;
2659 * IDL NTTIME current_cipher_set_time;
2660 * IDL CIPHER_VALUE old_cipher;
2661 * IDL NTTIME old_cipher_set_time;
2662 * IDL long SecurityInformation;
2663 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2664 * IDL UNICODESTRING dummy1;
2665 * IDL UNICODESTRING dummy2;
2666 * IDL UNICODESTRING dummy3;
2667 * IDL UNICODESTRING dummy4;
2672 * IDL } DELTA_SECRET;
2675 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2676 packet_info *pinfo, proto_tree *tree,
2679 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2681 "CIPHER_VALUE: current cipher value",
2682 hf_netlogon_cipher_current_data);
2684 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2685 hf_netlogon_cipher_current_set_time);
2687 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2689 "CIPHER_VALUE: old cipher value",
2690 hf_netlogon_cipher_old_data);
2692 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2693 hf_netlogon_cipher_old_set_time);
2695 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2696 hf_netlogon_security_information, NULL);
2698 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2701 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2702 hf_netlogon_dummy, 0);
2704 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2705 hf_netlogon_dummy, 0);
2707 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2708 hf_netlogon_dummy, 0);
2710 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2711 hf_netlogon_dummy, 0);
2713 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2714 hf_netlogon_reserved, NULL);
2716 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2717 hf_netlogon_reserved, NULL);
2719 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2720 hf_netlogon_reserved, NULL);
2722 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2723 hf_netlogon_reserved, NULL);
2729 * IDL typedef struct {
2730 * IDL long low_value;
2731 * IDL long high_value;
2735 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2736 packet_info *pinfo, proto_tree *tree,
2739 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2740 hf_netlogon_modify_count, NULL);
2746 #define DT_DELTA_DOMAIN 1
2747 #define DT_DELTA_GROUP 2
2748 #define DT_DELTA_RENAME_GROUP 4
2749 #define DT_DELTA_USER 5
2750 #define DT_DELTA_RENAME_USER 7
2751 #define DT_DELTA_GROUP_MEMBER 8
2752 #define DT_DELTA_ALIAS 9
2753 #define DT_DELTA_RENAME_ALIAS 11
2754 #define DT_DELTA_ALIAS_MEMBER 12
2755 #define DT_DELTA_POLICY 13
2756 #define DT_DELTA_TRUSTED_DOMAINS 14
2757 #define DT_DELTA_ACCOUNTS 16
2758 #define DT_DELTA_SECRET 18
2759 #define DT_DELTA_DELETE_GROUP 20
2760 #define DT_DELTA_DELETE_USER 21
2761 #define DT_MODIFIED_COUNT 22
2762 static const value_string delta_type_vals[] = {
2763 { DT_DELTA_DOMAIN, "Domain" },
2764 { DT_DELTA_GROUP, "Group" },
2765 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2766 { DT_DELTA_USER, "User" },
2767 { DT_DELTA_RENAME_USER, "Rename User" },
2768 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2769 { DT_DELTA_ALIAS, "Alias" },
2770 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2771 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2772 { DT_DELTA_POLICY, "Policy" },
2773 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2774 { DT_DELTA_ACCOUNTS, "Accounts" },
2775 { DT_DELTA_SECRET, "Secret" },
2776 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2777 { DT_DELTA_DELETE_USER, "Delete User" },
2778 { DT_MODIFIED_COUNT, "Modified Count" },
2782 * IDL typedef [switch_type(short)] union {
2783 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2784 * IDL [case(2)][unique] DELTA_GROUP *group;
2785 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2786 * IDL [case(5)][unique] DELTA_USER *user;
2787 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2788 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2789 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2790 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2791 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2792 * IDL [case(13)][unique] DELTA_POLICY *policy;
2793 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2794 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2795 * IDL [case(18)][unique] DELTA_SECRET *secret;
2796 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2797 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2798 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2799 * IDL } DELTA_UNION;
2802 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2803 packet_info *pinfo, proto_tree *parent_tree,
2806 proto_item *item=NULL;
2807 proto_tree *tree=NULL;
2808 int old_offset=offset;
2812 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2814 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2817 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2818 hf_netlogon_delta_type, &level);
2823 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2824 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2825 "DELTA_DOMAIN:", -1);
2828 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2829 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2830 "DELTA_GROUP:", -1);
2833 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2834 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2835 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
2838 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2839 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2843 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2844 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2845 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
2848 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2849 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2850 "DELTA_GROUP_MEMBER:", -1);
2853 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2854 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2855 "DELTA_ALIAS:", -1);
2858 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2859 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2860 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
2863 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2864 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2865 "DELTA_ALIAS_MEMBER:", -1);
2868 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2869 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2870 "DELTA_POLICY:", -1);
2873 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2874 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2875 "DELTA_TRUSTED_DOMAINS:", -1);
2878 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2879 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2880 "DELTA_ACCOUNTS:", -1);
2883 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2884 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2885 "DELTA_SECRET:", -1);
2888 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2889 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2890 "DELTA_DELETE_GROUP:", -1);
2893 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2894 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2895 "DELTA_DELETE_USER:", -1);
2898 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2899 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2900 "MODIFIED_COUNT:", -1);
2904 proto_item_set_len(item, offset-old_offset);
2910 /* IDL XXX must verify this one, especially 13-19
2911 * IDL typedef [switch_type(short)] union {
2912 * IDL [case(1)] long rid;
2913 * IDL [case(2)] long rid;
2914 * IDL [case(3)] long rid;
2915 * IDL [case(4)] long rid;
2916 * IDL [case(5)] long rid;
2917 * IDL [case(6)] long rid;
2918 * IDL [case(7)] long rid;
2919 * IDL [case(8)] long rid;
2920 * IDL [case(9)] long rid;
2921 * IDL [case(10)] long rid;
2922 * IDL [case(11)] long rid;
2923 * IDL [case(12)] long rid;
2924 * IDL [case(13)] [unique] SID *sid;
2925 * IDL [case(14)] [unique] SID *sid;
2926 * IDL [case(15)] [unique] SID *sid;
2927 * IDL [case(16)] [unique] SID *sid;
2928 * IDL [case(17)] [unique] SID *sid;
2929 * IDL [case(18)] [unique][string] wchar_t *Name ;
2930 * IDL [case(19)] [unique][string] wchar_t *Name ;
2931 * IDL [case(20)] long rid;
2932 * IDL [case(21)] long rid;
2933 * IDL } DELTA_ID_UNION;
2936 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2937 packet_info *pinfo, proto_tree *parent_tree,
2940 proto_item *item=NULL;
2941 proto_tree *tree=NULL;
2942 int old_offset=offset;
2946 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2948 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2951 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2952 hf_netlogon_level16, &level);
2957 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2958 hf_netlogon_user_rid, NULL);
2961 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2962 hf_netlogon_user_rid, NULL);
2965 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2966 hf_netlogon_user_rid, NULL);
2969 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2970 hf_netlogon_user_rid, NULL);
2973 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2974 hf_netlogon_user_rid, NULL);
2977 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2978 hf_netlogon_user_rid, NULL);
2981 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2982 hf_netlogon_user_rid, NULL);
2985 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2986 hf_netlogon_user_rid, NULL);
2989 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2990 hf_netlogon_user_rid, NULL);
2993 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2994 hf_netlogon_user_rid, NULL);
2997 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2998 hf_netlogon_user_rid, NULL);
3001 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3002 hf_netlogon_user_rid, NULL);
3005 offset = dissect_ndr_nt_PSID(tvb, offset,
3009 offset = dissect_ndr_nt_PSID(tvb, offset,
3013 offset = dissect_ndr_nt_PSID(tvb, offset,
3017 offset = dissect_ndr_nt_PSID(tvb, offset,
3021 offset = dissect_ndr_nt_PSID(tvb, offset,
3025 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3026 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3027 hf_netlogon_unknown_string, 0);
3030 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3031 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3032 hf_netlogon_unknown_string, 0);
3035 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3036 hf_netlogon_user_rid, NULL);
3039 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3040 hf_netlogon_user_rid, NULL);
3044 proto_item_set_len(item, offset-old_offset);
3049 * IDL typedef struct {
3050 * IDL short delta_type;
3051 * IDL DELTA_ID_UNION delta_id_union;
3052 * IDL DELTA_UNION delta_union;
3056 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3057 packet_info *pinfo, proto_tree *parent_tree,
3060 proto_item *item=NULL;
3061 proto_tree *tree=NULL;
3062 int old_offset=offset;
3065 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3067 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3070 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3071 hf_netlogon_delta_type, NULL);
3073 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3076 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3079 proto_item_set_len(item, offset-old_offset);
3084 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3085 packet_info *pinfo, proto_tree *tree,
3088 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3089 netlogon_dissect_DELTA_ENUM);
3095 * IDL typedef struct {
3096 * IDL long num_deltas;
3097 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3098 * IDL } DELTA_ENUM_ARRAY;
3101 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3102 packet_info *pinfo, proto_tree *tree,
3105 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3106 hf_netlogon_num_deltas, NULL);
3108 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3109 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3110 "DELTA_ENUM: deltas", -1);
3117 * IDL long NetDatabaseDeltas(
3118 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3119 * IDL [in][string][ref] wchar_t *computername,
3120 * IDL [in][ref] AUTHENTICATOR credential,
3121 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3122 * IDL [in] long database_id,
3123 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3124 * IDL [in] long preferredmaximumlength,
3125 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3129 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3130 packet_info *pinfo, proto_tree *tree, char *drep)
3132 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3133 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3135 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3136 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3138 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3139 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3140 "AUTHENTICATOR: credential", -1);
3142 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3143 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3144 "AUTHENTICATOR: return_authenticator", -1);
3146 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3147 hf_netlogon_database_id, NULL);
3149 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3150 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3151 "MODIFIED_COUNT: domain modified count", -1);
3153 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3154 hf_netlogon_max_size, NULL);
3159 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3160 packet_info *pinfo, proto_tree *tree, char *drep)
3162 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3163 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3164 "AUTHENTICATOR: return_authenticator", -1);
3166 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3167 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3168 "MODIFIED_COUNT: domain modified count", -1);
3170 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3171 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3172 "DELTA_ENUM_ARRAY: deltas", -1);
3174 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3175 hf_netlogon_rc, NULL);
3182 * IDL long NetDatabaseSync(
3183 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3184 * IDL [in][string][ref] wchar_t *computername,
3185 * IDL [in][ref] AUTHENTICATOR credential,
3186 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3187 * IDL [in] long database_id,
3188 * IDL [in][out][ref] long sync_context,
3189 * IDL [in] long preferredmaximumlength,
3190 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3194 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3195 packet_info *pinfo, proto_tree *tree, char *drep)
3197 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3198 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3200 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3201 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3203 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3204 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3205 "AUTHENTICATOR: credential", -1);
3207 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3208 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3209 "AUTHENTICATOR: return_authenticator", -1);
3211 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3212 hf_netlogon_database_id, NULL);
3214 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3215 hf_netlogon_sync_context, NULL);
3217 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3218 hf_netlogon_max_size, NULL);
3225 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3226 packet_info *pinfo, proto_tree *tree, char *drep)
3228 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3229 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3230 "AUTHENTICATOR: return_authenticator", -1);
3232 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3233 hf_netlogon_sync_context, NULL);
3235 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3236 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3237 "DELTA_ENUM_ARRAY: deltas", -1);
3239 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3240 hf_netlogon_rc, NULL);
3246 * IDL typedef struct {
3247 * IDL char computer_name[16];
3248 * IDL long timecreated;
3249 * IDL long serial_number;
3253 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3254 packet_info *pinfo, proto_tree *tree,
3259 di=pinfo->private_data;
3260 if(di->conformant_run){
3261 /*just a run to handle conformant arrays, nothing to dissect */
3265 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3268 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3271 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3272 hf_netlogon_serial_number, NULL);
3279 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3280 packet_info *pinfo, proto_tree *tree,
3283 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3284 hf_netlogon_unknown_char, NULL);
3290 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3291 packet_info *pinfo, proto_tree *tree,
3294 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3295 netlogon_dissect_BYTE_byte);
3301 * IDL long NetAccountDelta(
3302 * IDL [in][string][unique] wchar_t *logonserver,
3303 * IDL [in][string][ref] wchar_t *computername,
3304 * IDL [in][ref] AUTHENTICATOR credential,
3305 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3306 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3307 * IDL [out][ref] long count_returned,
3308 * IDL [out][ref] long total_entries,
3309 * IDL [in][out][ref] UAS_INFO_0 recordid,
3310 * IDL [in][long] count,
3311 * IDL [in][long] level,
3312 * IDL [in][long] buffersize,
3316 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
3317 packet_info *pinfo, proto_tree *tree, char *drep)
3319 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3322 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3323 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3325 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3326 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3327 "AUTHENTICATOR: credential", -1);
3329 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3330 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3331 "AUTHENTICATOR: return_authenticator", -1);
3333 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3334 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3335 "UAS_INFO_0: RecordID", -1);
3337 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3338 hf_netlogon_count, NULL);
3340 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3341 hf_netlogon_level, NULL);
3343 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3344 hf_netlogon_max_size, NULL);
3349 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
3350 packet_info *pinfo, proto_tree *tree, char *drep)
3352 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3353 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3354 "AUTHENTICATOR: return_authenticator", -1);
3356 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3357 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3358 "BYTE_array: Buffer", -1);
3360 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3361 hf_netlogon_count, NULL);
3363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3364 hf_netlogon_entries, NULL);
3366 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3367 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3368 "UAS_INFO_0: RecordID", -1);
3370 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3371 hf_netlogon_rc, NULL);
3378 * IDL long NetAccountDelta(
3379 * IDL [in][string][unique] wchar_t *logonserver,
3380 * IDL [in][string][ref] wchar_t *computername,
3381 * IDL [in][ref] AUTHENTICATOR credential,
3382 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3383 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3384 * IDL [out][ref] long count_returned,
3385 * IDL [out][ref] long total_entries,
3386 * IDL [out][ref] long next_reference,
3387 * IDL [in][long] reference,
3388 * IDL [in][long] level,
3389 * IDL [in][long] buffersize,
3390 * IDL [in][out][ref] UAS_INFO_0 recordid,
3394 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
3395 packet_info *pinfo, proto_tree *tree, char *drep)
3397 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3400 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3401 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3403 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3404 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3405 "AUTHENTICATOR: credential", -1);
3407 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3408 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3409 "AUTHENTICATOR: return_authenticator", -1);
3411 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3412 hf_netlogon_reference, NULL);
3414 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3415 hf_netlogon_level, NULL);
3417 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3418 hf_netlogon_max_size, NULL);
3423 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
3424 packet_info *pinfo, proto_tree *tree, char *drep)
3426 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3427 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3428 "AUTHENTICATOR: return_authenticator", -1);
3430 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3431 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3432 "BYTE_array: Buffer", -1);
3434 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3435 hf_netlogon_count, NULL);
3437 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3438 hf_netlogon_entries, NULL);
3440 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3441 hf_netlogon_next_reference, NULL);
3443 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3444 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3445 "UAS_INFO_0: RecordID", -1);
3447 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3448 hf_netlogon_rc, NULL);
3455 * IDL long NetGetDCName(
3456 * IDL [in][ref][string] wchar_t *logon_server,
3457 * IDL [in][unique][string] wchar_t *domainname,
3458 * IDL [out][unique][string] wchar_t *dcname,
3462 netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
3463 packet_info *pinfo, proto_tree *tree, char *drep)
3465 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3466 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3468 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3469 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3474 netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
3475 packet_info *pinfo, proto_tree *tree, char *drep)
3477 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3478 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3480 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3481 hf_netlogon_rc, NULL);
3489 * IDL typedef struct {
3491 * IDL long pdc_connection_status;
3492 * IDL } NETLOGON_INFO_1;
3495 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3496 packet_info *pinfo, proto_tree *tree,
3499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3500 hf_netlogon_flags, NULL);
3502 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3503 hf_netlogon_pdc_connection_status, NULL);
3510 * IDL typedef struct {
3512 * IDL long pdc_connection_status;
3513 * IDL [unique][string] wchar_t trusted_dc_name;
3514 * IDL long tc_connection_status;
3515 * IDL } NETLOGON_INFO_2;
3518 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3519 packet_info *pinfo, proto_tree *tree,
3522 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3523 hf_netlogon_flags, NULL);
3525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3526 hf_netlogon_pdc_connection_status, NULL);
3528 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3529 NDR_POINTER_UNIQUE, "Trusted DC Name",
3530 hf_netlogon_trusted_dc_name, 0);
3532 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3533 hf_netlogon_tc_connection_status, NULL);
3540 * IDL typedef struct {
3542 * IDL long logon_attempts;
3543 * IDL long reserved;
3544 * IDL long reserved;
3545 * IDL long reserved;
3546 * IDL long reserved;
3547 * IDL long reserved;
3548 * IDL } NETLOGON_INFO_3;
3551 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3552 packet_info *pinfo, proto_tree *tree,
3555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3556 hf_netlogon_flags, NULL);
3558 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3559 hf_netlogon_logon_attempts, NULL);
3561 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3562 hf_netlogon_reserved, NULL);
3564 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3565 hf_netlogon_reserved, NULL);
3567 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3568 hf_netlogon_reserved, NULL);
3570 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3571 hf_netlogon_reserved, NULL);
3573 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3574 hf_netlogon_reserved, NULL);
3581 * IDL typedef [switch_type(long)] union {
3582 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3583 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3584 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3585 * IDL } CONTROL_QUERY_INFORMATION;
3588 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3589 packet_info *pinfo, proto_tree *tree,
3594 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3595 hf_netlogon_level, &level);
3600 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3601 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3602 "NETLOGON_INFO_1:", -1);
3605 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3606 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3607 "NETLOGON_INFO_2:", -1);
3610 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3611 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3612 "NETLOGON_INFO_3:", -1);
3621 * IDL long NetLogonControl(
3622 * IDL [in][string][unique] wchar_t *logonserver,
3623 * IDL [in] long function_code,
3624 * IDL [in] long level,
3625 * IDL [out][ref] CONTROL_QUERY_INFORMATION
3629 netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3630 packet_info *pinfo, proto_tree *tree, char *drep)
3632 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3635 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3636 hf_netlogon_code, NULL);
3638 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3639 hf_netlogon_level, NULL);
3644 netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
3645 packet_info *pinfo, proto_tree *tree, char *drep)
3647 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3648 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3649 "CONTROL_QUERY_INFORMATION:", -1);
3651 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3652 hf_netlogon_rc, NULL);
3659 * IDL long NetGetDCName(
3660 * IDL [in][unique][string] wchar_t *logon_server,
3661 * IDL [in][unique][string] wchar_t *domainname,
3662 * IDL [out][unique][string] wchar_t *dcname,
3666 netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
3667 packet_info *pinfo, proto_tree *tree, char *drep)
3669 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3670 NDR_POINTER_UNIQUE, "Server Handle",
3671 hf_netlogon_logonsrv_handle, 0);
3673 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3674 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3679 netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
3680 packet_info *pinfo, proto_tree *tree, char *drep)
3682 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3683 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3685 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3686 hf_netlogon_rc, NULL);
3693 * IDL typedef [switch_type(long)] union {
3694 * IDL [case(5)] [unique][string] wchar_t *unknown;
3695 * IDL [case(6)] [unique][string] wchar_t *unknown;
3696 * IDL [case(0xfffe)] long unknown;
3697 * IDL [case(7)] [unique][string] wchar_t *unknown;
3698 * IDL } CONTROL_DATA_INFORMATION;
3701 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3702 * to look like. However NetMon does not recognize any such informationlevels.
3704 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
3705 * until someone has any source of better authority to call upon.
3708 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3709 packet_info *pinfo, proto_tree *tree,
3714 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3715 hf_netlogon_level, &level);
3720 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3721 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3722 hf_netlogon_unknown_string, 0);
3725 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3726 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3727 hf_netlogon_unknown_string, 0);
3730 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3731 hf_netlogon_unknown_long, NULL);
3734 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3735 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3736 hf_netlogon_unknown_string, 0);
3745 * IDL long NetLogonControl2(
3746 * IDL [in][string][unique] wchar_t *logonserver,
3747 * IDL [in] long function_code,
3748 * IDL [in] long level,
3749 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3750 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3754 netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3755 packet_info *pinfo, proto_tree *tree, char *drep)
3757 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3760 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3761 hf_netlogon_code, NULL);
3763 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3764 hf_netlogon_level, NULL);
3766 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3767 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3768 "CONTROL_DATA_INFORMATION: ", -1);
3774 netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3775 packet_info *pinfo, proto_tree *tree, char *drep)
3777 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3778 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3779 "CONTROL_QUERY_INFORMATION:", -1);
3781 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3782 hf_netlogon_rc, NULL);
3789 * IDL long NetServerAuthenticate2(
3790 * IDL [in][string][unique] wchar_t *logonserver,
3791 * IDL [in][ref][string] wchar_t *username,
3792 * IDL [in] short secure_channel_type,
3793 * IDL [in][ref][string] wchar_t *computername,
3794 * IDL [in][ref] CREDENTIAL *client_chal,
3795 * IDL [out][ref] CREDENTIAL *server_chal,
3796 * IDL [in][out][ref] long *negotiate_flags,
3800 netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3801 packet_info *pinfo, proto_tree *tree, char *drep)
3803 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3806 offset = dissect_ndr_pointer_cb(
3807 tvb, offset, pinfo, tree, drep,
3808 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
3809 "User Name", hf_netlogon_acct_name,
3810 cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));
3812 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3815 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3816 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3818 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3819 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3820 "CREDENTIAL: client_chal", -1);
3822 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3823 hf_netlogon_neg_flags, NULL);
3829 netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3830 packet_info *pinfo, proto_tree *tree, char *drep)
3832 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3833 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3834 "CREDENTIAL: server_chal", -1);
3836 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3837 hf_netlogon_neg_flags, NULL);
3839 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3840 hf_netlogon_rc, NULL);
3847 * IDL long NetDatabaseSync2(
3848 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3849 * IDL [in][string][ref] wchar_t *computername,
3850 * IDL [in][ref] AUTHENTICATOR credential,
3851 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3852 * IDL [in] long database_id,
3853 * IDL [in] short restart_state,
3854 * IDL [in][out][ref] long *sync_context,
3855 * IDL [in] long preferredmaximumlength,
3856 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3860 netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
3861 packet_info *pinfo, proto_tree *tree, char *drep)
3863 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3864 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3866 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3867 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3869 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3870 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3871 "AUTHENTICATOR: credential", -1);
3873 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3874 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3875 "AUTHENTICATOR: return_authenticator", -1);
3877 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3878 hf_netlogon_database_id, NULL);
3880 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3881 hf_netlogon_restart_state, NULL);
3883 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3884 hf_netlogon_sync_context, NULL);
3886 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3887 hf_netlogon_max_size, NULL);
3893 netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
3894 packet_info *pinfo, proto_tree *tree, char *drep)
3896 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3897 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3898 "AUTHENTICATOR: return_authenticator", -1);
3900 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3901 hf_netlogon_sync_context, NULL);
3903 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3904 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3905 "DELTA_ENUM_ARRAY: deltas", -1);
3907 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3908 hf_netlogon_rc, NULL);
3915 * IDL long NetDatabaseRedo(
3916 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3917 * IDL [in][string][ref] wchar_t *computername,
3918 * IDL [in][ref] AUTHENTICATOR credential,
3919 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3920 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3921 * IDL [in] long change_log_entry_size,
3922 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3926 netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
3927 packet_info *pinfo, proto_tree *tree, char *drep)
3929 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3930 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3932 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3933 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3935 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3936 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3937 "AUTHENTICATOR: credential", -1);
3939 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3940 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3941 "AUTHENTICATOR: return_authenticator", -1);
3943 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3944 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3945 "Change log entry: ", -1);
3947 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3948 hf_netlogon_max_log_size, NULL);
3954 netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
3955 packet_info *pinfo, proto_tree *tree, char *drep)
3957 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3958 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3959 "AUTHENTICATOR: return_authenticator", -1);
3961 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3962 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3963 "DELTA_ENUM_ARRAY: deltas", -1);
3965 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3966 hf_netlogon_rc, NULL);
3972 /* XXX NetMon does not recognize this as a valid function. Muddle however
3973 * tells us what parameters it takes but not their names.
3974 * It looks similar to logoncontrol2. perhaps it is logoncontrol3?
3977 * IDL long NetFunction_12(
3978 * IDL [in][string][unique] wchar_t *logonserver,
3979 * IDL [in] long function_code,
3980 * IDL [in] long level,
3981 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3982 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3986 netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
3987 packet_info *pinfo, proto_tree *tree, char *drep)
3989 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3992 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3993 hf_netlogon_code, NULL);
3995 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3996 hf_netlogon_level, NULL);
3998 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3999 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4000 "CONTROL_DATA_INFORMATION: ", -1);
4005 netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
4006 packet_info *pinfo, proto_tree *tree, char *drep)
4008 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4009 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4010 "CONTROL_QUERY_INFORMATION:", -1);
4012 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4013 hf_netlogon_rc, NULL);
4022 /* Updated above this line */
4024 static const value_string trust_type_vals[] = {
4032 #define DS_INET_ADDRESS 1
4033 #define DS_NETBIOS_ADDRESS 2
4034 static const value_string dc_address_types[] = {
4035 { DS_INET_ADDRESS, "IP/DNS name" },
4036 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
4041 #define DS_DOMAIN_IN_FOREST 0x0001
4042 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4043 #define DS_DOMAIN_TREE_ROOT 0x0004
4044 #define DS_DOMAIN_PRIMARY 0x0008
4045 #define DS_DOMAIN_NATIVE_MODE 0x0010
4046 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
4047 static const true_false_string trust_inbound = {
4048 "There is a DIRECT INBOUND trust for the servers domain",
4049 "There is NO direct inbound trust for the servers domain"
4051 static const true_false_string trust_outbound = {
4052 "There is a DIRECT OUTBOUND trust for this domain",
4053 "There is NO direct outbound trust for this domain"
4055 static const true_false_string trust_in_forest = {
4056 "The domain is a member IN the same FOREST as the queried server",
4057 "The domain is NOT a member of the queried servers domain"
4059 static const true_false_string trust_native_mode = {
4060 "The primary domain is a NATIVE MODE w2k domain",
4061 "The primary is NOT a native mode w2k domain"
4063 static const true_false_string trust_primary = {
4064 "The domain is the PRIMARY domain of the queried server",
4065 "The domain is NOT the primary domain of the queried server"
4067 static const true_false_string trust_tree_root = {
4068 "The domain is the ROOT of a domain TREE",
4069 "The domain is NOT a root of a domain tree"
4072 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4073 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4076 proto_item *item = NULL;
4077 proto_tree *tree = NULL;
4080 di=pinfo->private_data;
4081 if(di->conformant_run){
4082 /*just a run to handle conformant arrays, nothing to dissect */
4086 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4087 hf_netlogon_trust_flags, &mask);
4090 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4091 tvb, offset-4, 4, mask);
4092 tree = proto_item_add_subtree(item, ett_trust_flags);
4095 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4096 tvb, offset-4, 4, mask);
4097 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4098 tvb, offset-4, 4, mask);
4099 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4100 tvb, offset-4, 4, mask);
4101 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4102 tvb, offset-4, 4, mask);
4103 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4104 tvb, offset-4, 4, mask);
4105 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4106 tvb, offset-4, 4, mask);
4112 #define DS_FORCE_REDISCOVERY 0x00000001
4113 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
4114 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
4115 #define DS_GC_SERVER_REQUIRED 0x00000040
4116 #define DS_PDC_REQUIRED 0x00000080
4117 #define DS_BACKGROUND_ONLY 0x00000100
4118 #define DS_IP_REQUIRED 0x00000200
4119 #define DS_KDC_REQUIRED 0x00000400
4120 #define DS_TIMESERV_REQUIRED 0x00000800
4121 #define DS_WRITABLE_REQUIRED 0x00001000
4122 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
4123 #define DS_AVOID_SELF 0x00004000
4124 #define DS_ONLY_LDAP_NEEDED 0x00008000
4125 #define DS_IS_FLAT_NAME 0x00010000
4126 #define DS_IS_DNS_NAME 0x00020000
4127 #define DS_RETURN_DNS_NAME 0x40000000
4128 #define DS_RETURN_FLAT_NAME 0x80000000
4129 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4130 "FORCE REDISCOVERY of any cached data",
4131 "You may return cached data"
4133 static const true_false_string get_dcname_request_flags_directory_service_required = {
4134 "DIRECRTORY SERVICE is REQUIRED on the server",
4135 "We do NOT require directory service servers"
4137 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4138 "DIRECTORY SERVICE servers are PREFERRED",
4139 "We do NOT have a preference for directory service servers"
4141 static const true_false_string get_dcname_request_flags_gc_server_required = {
4142 "GC SERVER is REQUIRED",
4143 "gc server is NOT required"
4145 static const true_false_string get_dcname_request_flags_pdc_required = {
4146 "PDC SERVER is REQUIRED",
4147 "pdc server is NOT required"
4149 static const true_false_string get_dcname_request_flags_background_only = {
4150 "Only returned cahced data, even if it has expired",
4151 "Return cached data unless it has expired"
4153 static const true_false_string get_dcname_request_flags_ip_required = {
4154 "IP address is REQUIRED",
4155 "ip address is NOT required"
4157 static const true_false_string get_dcname_request_flags_kdc_required = {
4158 "KDC server is REQUIRED",
4159 "kdc server is NOT required"
4161 static const true_false_string get_dcname_request_flags_timeserv_required = {
4162 "TIMESERV service is REQUIRED",
4163 "timeserv service is NOT required"
4165 static const true_false_string get_dcname_request_flags_writable_required = {
4166 "the requrned dc MUST be WRITEABLE",
4167 "a read-only dc may be returned"
4169 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4170 "GOOD TIMESERV servers are PREFERRED",
4171 "we do NOT have a preference for good timeserv servers"
4173 static const true_false_string get_dcname_request_flags_avoid_self = {
4174 "do NOT return self as dc, return someone else",
4175 "you may return yourSELF as the dc"
4177 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4178 "we ONLY NEED LDAP, you dont have to return a dc",
4179 "we need a normal dc, an ldap only server will not do"
4181 static const true_false_string get_dcname_request_flags_is_flat_name = {
4182 "the name we specify is a NetBIOS name",
4183 "the name we specify is NOT a NetBIOS name"
4185 static const true_false_string get_dcname_request_flags_is_dns_name = {
4186 "the name we specify is a DNS name",
4187 "ther name we specify is NOT a dns name"
4189 static const true_false_string get_dcname_request_flags_return_dns_name = {
4190 "return a DNS name",
4191 "you may return a NON-dns name"
4193 static const true_false_string get_dcname_request_flags_return_flat_name = {
4194 "return a NetBIOS name",
4195 "you may return a NON-NetBIOS name"
4198 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4199 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4202 proto_item *item = NULL;
4203 proto_tree *tree = NULL;
4206 di=pinfo->private_data;
4207 if(di->conformant_run){
4208 /*just a run to handle conformant arrays, nothing to dissect */
4212 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4213 hf_netlogon_get_dcname_request_flags, &mask);
4216 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4217 tvb, offset-4, 4, mask);
4218 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4221 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4222 tvb, offset-4, 4, mask);
4223 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4224 tvb, offset-4, 4, mask);
4225 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4226 tvb, offset-4, 4, mask);
4227 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4228 tvb, offset-4, 4, mask);
4229 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4230 tvb, offset-4, 4, mask);
4231 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4232 tvb, offset-4, 4, mask);
4233 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4234 tvb, offset-4, 4, mask);
4235 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4236 tvb, offset-4, 4, mask);
4237 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4238 tvb, offset-4, 4, mask);
4239 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4240 tvb, offset-4, 4, mask);
4241 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4242 tvb, offset-4, 4, mask);
4243 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4244 tvb, offset-4, 4, mask);
4245 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4246 tvb, offset-4, 4, mask);
4247 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4248 tvb, offset-4, 4, mask);
4249 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4250 tvb, offset-4, 4, mask);
4251 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4252 tvb, offset-4, 4, mask);
4253 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4254 tvb, offset-4, 4, mask);
4261 #define DS_PDC_FLAG 0x00000001
4262 #define DS_GC_FLAG 0x00000004
4263 #define DS_LDAP_FLAG 0x00000008
4264 #define DS_DS_FLAG 0x00000010
4265 #define DS_KDC_FLAG 0x00000020
4266 #define DS_TIMESERV_FLAG 0x00000040
4267 #define DS_CLOSEST_FLAG 0x00000080
4268 #define DS_WRITABLE_FLAG 0x00000100
4269 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4270 #define DS_NDNC_FLAG 0x00000400
4271 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4272 #define DS_DNS_DOMAIN_FLAG 0x40000000
4273 #define DS_DNS_FOREST_FLAG 0x80000000
4274 static const true_false_string dc_flags_pdc_flag = {
4275 "this is the PDC of the domain",
4276 "this is NOT the pdc of the domain"
4278 static const true_false_string dc_flags_gc_flag = {
4279 "this is the GC of the forest",
4280 "this is NOT the gc of the forest"
4282 static const true_false_string dc_flags_ldap_flag = {
4283 "this is an LDAP server",
4284 "this is NOT an ldap server"
4286 static const true_false_string dc_flags_ds_flag = {
4287 "this is a DS server",
4288 "this is NOT a ds server"
4290 static const true_false_string dc_flags_kdc_flag = {
4291 "this is a KDC server",
4292 "this is NOT a kdc server"
4294 static const true_false_string dc_flags_timeserv_flag = {
4295 "this is a TIMESERV server",
4296 "this is NOT a timeserv server"
4298 static const true_false_string dc_flags_closest_flag = {
4299 "this is the CLOSEST server",
4300 "this is NOT the closest server"
4302 static const true_false_string dc_flags_writable_flag = {
4303 "this server has a WRITABLE ds database",
4304 "this server has a READ-ONLY ds database"
4306 static const true_false_string dc_flags_good_timeserv_flag = {
4307 "this server is a GOOD TIMESERV server",
4308 "this is NOT a good timeserv server"
4310 static const true_false_string dc_flags_ndnc_flag = {
4314 static const true_false_string dc_flags_dns_controller_flag = {
4315 "DomainControllerName is a DNS name",
4316 "DomainControllerName is NOT a dns name"
4318 static const true_false_string dc_flags_dns_domain_flag = {
4319 "DomainName is a DNS name",
4320 "DomainName is NOT a dns name"
4322 static const true_false_string dc_flags_dns_forest_flag = {
4323 "DnsForestName is a DNS name",
4324 "DnsForestName is NOT a dns name"
4327 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4328 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4331 proto_item *item = NULL;
4332 proto_tree *tree = NULL;
4335 di=pinfo->private_data;
4336 if(di->conformant_run){
4337 /*just a run to handle conformant arrays, nothing to dissect */
4341 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4342 hf_netlogon_dc_flags, &mask);
4345 item = proto_tree_add_uint_format(parent_tree, hf_netlogon_dc_flags,
4346 tvb, offset-4, 4, mask, "Domain Controller Flags: 0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4347 tree = proto_item_add_subtree(item, ett_dc_flags);
4350 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4351 tvb, offset-4, 4, mask);
4352 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4353 tvb, offset-4, 4, mask);
4354 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4355 tvb, offset-4, 4, mask);
4356 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4357 tvb, offset-4, 4, mask);
4358 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4359 tvb, offset-4, 4, mask);
4360 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4361 tvb, offset-4, 4, mask);
4362 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4363 tvb, offset-4, 4, mask);
4364 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4365 tvb, offset-4, 4, mask);
4366 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4367 tvb, offset-4, 4, mask);
4368 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4369 tvb, offset-4, 4, mask);
4370 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4371 tvb, offset-4, 4, mask);
4372 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4373 tvb, offset-4, 4, mask);
4374 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4375 tvb, offset-4, 4, mask);
4383 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4384 packet_info *pinfo, proto_tree *tree,
4389 di=pinfo->private_data;
4390 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4391 di->hf_index, NULL);
4396 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4397 packet_info *pinfo, proto_tree *tree,
4402 di=pinfo->private_data;
4403 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4404 di->hf_index, NULL);
4409 netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
4410 packet_info *pinfo, proto_tree *parent_tree,
4411 char *drep, int type, int hf_index, dcerpc_callback_fnct_t *callback)
4413 proto_item *item=NULL;
4414 proto_tree *tree=NULL;
4415 int old_offset=offset;
4419 di=pinfo->private_data;
4420 if(di->conformant_run){
4421 /*just a run to handle conformant arrays, nothing to dissect */
4425 name = proto_registrar_get_name(hf_index);
4427 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4429 tree = proto_item_add_subtree(item, ett_nt_unicode_string);
4432 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
4433 dissect_ndr_wchar_cvstring, type,
4434 name, hf_index, callback, NULL);
4436 proto_item_set_len(item, offset-old_offset);
4442 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4443 packet_info *pinfo, proto_tree *tree,
4446 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4447 hf_netlogon_unknown_char, NULL);
4453 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4454 packet_info *pinfo, proto_tree *tree,
4457 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4458 netlogon_dissect_UNICODE_MULTI_byte);
4464 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4465 packet_info *pinfo, proto_tree *parent_tree,
4468 proto_item *item=NULL;
4469 proto_tree *tree=NULL;
4470 int old_offset=offset;
4473 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4475 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4478 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4479 hf_netlogon_len, NULL);
4481 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4482 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4483 "unknown", hf_netlogon_unknown_string);
4485 proto_item_set_len(item, offset-old_offset);
4490 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4491 packet_info *pinfo, proto_tree *tree,
4494 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
4500 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4501 packet_info *pinfo, proto_tree *parent_tree,
4504 proto_item *item=NULL;
4505 proto_tree *tree=NULL;
4506 int old_offset=offset;
4509 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4510 "DOMAIN_CONTROLLER_INFO:");
4511 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4514 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4515 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
4517 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4518 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
4520 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4521 hf_netlogon_dc_address_type, NULL);
4523 offset = dissect_nt_GUID(tvb, offset,
4526 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4527 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
4529 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4530 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
4532 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
4534 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4535 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
4537 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4538 NDR_POINTER_UNIQUE, "Client Site",
4539 hf_netlogon_client_site_name, 0);
4541 proto_item_set_len(item, offset-old_offset);
4546 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4547 packet_info *pinfo, proto_tree *tree,
4553 di=pinfo->private_data;
4554 if(di->conformant_run){
4555 /*just a run to handle conformant arrays, nothing to dissect.*/
4559 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4560 hf_netlogon_blob_size, &len);
4562 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
4570 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4571 packet_info *pinfo, proto_tree *parent_tree,
4574 proto_item *item=NULL;
4575 proto_tree *tree=NULL;
4578 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4580 tree = proto_item_add_subtree(item, ett_BLOB);
4583 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4584 hf_netlogon_blob_size, NULL);
4586 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4587 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
4594 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4595 packet_info *pinfo, proto_tree *parent_tree,
4598 proto_item *item=NULL;
4599 proto_tree *tree=NULL;
4600 int old_offset=offset;
4603 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4604 "DOMAIN_TRUST_INFO:");
4605 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
4609 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4611 /* Guesses at best. */
4612 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4613 hf_netlogon_unknown_string, 0);
4615 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4616 hf_netlogon_unknown_string, 0);
4618 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4619 hf_netlogon_unknown_string, 0);
4621 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4622 hf_netlogon_unknown_string, 0);
4624 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4625 hf_netlogon_unknown_long, NULL);
4627 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4628 hf_netlogon_unknown_long, NULL);
4630 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4631 hf_netlogon_unknown_long, NULL);
4633 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4634 hf_netlogon_unknown_long, NULL);
4636 proto_item_set_len(item, offset-old_offset);
4641 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
4642 packet_info *pinfo, proto_tree *tree,
4645 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4646 netlogon_dissect_DOMAIN_TRUST_INFO);
4652 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4653 packet_info *pinfo, proto_tree *tree,
4656 offset = netlogon_dissect_BLOB(tvb, offset,
4659 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4660 NDR_POINTER_UNIQUE, "Workstation FQDN",
4661 hf_netlogon_workstation_fqdn, 0);
4663 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4664 NDR_POINTER_UNIQUE, "Workstation Site",
4665 hf_netlogon_workstation_site_name, 0);
4667 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4668 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4670 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4671 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4673 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4674 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4676 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4677 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4679 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4680 hf_netlogon_unknown_string, 0);
4682 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4683 hf_netlogon_workstation_os, 0);
4685 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4686 hf_netlogon_unknown_string, 0);
4688 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4689 hf_netlogon_unknown_string, 0);
4691 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4692 hf_netlogon_unknown_long, NULL);
4694 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4695 hf_netlogon_unknown_long, NULL);
4697 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4698 hf_netlogon_unknown_long, NULL);
4700 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4701 hf_netlogon_unknown_long, NULL);
4707 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
4708 packet_info *pinfo, proto_tree *tree,
4711 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
4713 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4714 hf_netlogon_num_trusts, NULL);
4716 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4717 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4718 "DOMAIN_TRUST_ARRAY: Trusts", -1);
4720 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4721 hf_netlogon_num_trusts, NULL);
4723 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4724 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4725 "DOMAIN_TRUST_ARRAY:", -1);
4727 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4728 hf_netlogon_dns_domain_name, 0);
4730 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4731 hf_netlogon_unknown_string, 0);
4733 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4734 hf_netlogon_unknown_string, 0);
4736 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4737 hf_netlogon_unknown_string, 0);
4739 /* These four integers appear to mirror the last four in the query. */
4740 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4741 hf_netlogon_unknown_long, NULL);
4743 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4744 hf_netlogon_unknown_long, NULL);
4746 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4747 hf_netlogon_unknown_long, NULL);
4749 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4750 hf_netlogon_unknown_long, NULL);
4757 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4758 packet_info *pinfo, proto_tree *tree,
4763 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4764 hf_netlogon_level, &level);
4769 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4770 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
4771 "DOMAIN_INFO_1:", -1);
4779 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4780 packet_info *pinfo, proto_tree *parent_tree,
4783 proto_item *item=NULL;
4784 proto_tree *tree=NULL;
4785 int old_offset=offset;
4789 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4790 "UNICODE_STRING_512:");
4791 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4795 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4796 hf_netlogon_unknown_short, NULL);
4799 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4800 hf_netlogon_unknown_long, NULL);
4802 proto_item_set_len(item, offset-old_offset);
4807 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4808 packet_info *pinfo, proto_tree *tree,
4811 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4812 hf_netlogon_unknown_char, NULL);
4818 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4819 packet_info *pinfo, proto_tree *tree,
4822 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4823 netlogon_dissect_element_844_byte);
4829 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4830 packet_info *pinfo, proto_tree *parent_tree,
4833 proto_item *item=NULL;
4834 proto_tree *tree=NULL;
4835 int old_offset=offset;
4838 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4840 tree = proto_item_add_subtree(item, ett_TYPE_50);
4843 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4844 hf_netlogon_unknown_long, NULL);
4846 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4847 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4848 "unknown", hf_netlogon_unknown_string);
4850 proto_item_set_len(item, offset-old_offset);
4855 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4856 packet_info *pinfo, proto_tree *tree,
4859 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4860 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4861 "TYPE_50 pointer: unknown_TYPE_50", -1);
4867 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
4868 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4871 proto_item *item=NULL;
4872 proto_tree *tree=NULL;
4873 int old_offset=offset;
4876 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4877 "DS_DOMAIN_TRUSTS");
4878 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
4882 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4883 NDR_POINTER_UNIQUE, "NetBIOS Name",
4884 hf_netlogon_downlevel_domain_name, 0);
4887 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4888 NDR_POINTER_UNIQUE, "DNS Domain Name",
4889 hf_netlogon_dns_domain_name, 0);
4891 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
4893 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4894 hf_netlogon_trust_parent_index, &tmp);
4896 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4897 hf_netlogon_trust_type, &tmp);
4899 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4900 hf_netlogon_trust_attribs, &tmp);
4903 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4906 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
4908 proto_item_set_len(item, offset-old_offset);
4913 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
4914 packet_info *pinfo, proto_tree *tree,
4917 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4918 netlogon_dissect_DS_DOMAIN_TRUSTS);
4924 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4925 packet_info *pinfo, proto_tree *tree,
4928 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4929 hf_netlogon_unknown_char, NULL);
4935 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4936 packet_info *pinfo, proto_tree *tree,
4939 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4940 netlogon_dissect_element_865_byte);
4946 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4947 packet_info *pinfo, proto_tree *tree,
4950 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4951 hf_netlogon_unknown_char, NULL);
4957 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4958 packet_info *pinfo, proto_tree *tree,
4961 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4962 netlogon_dissect_element_866_byte);
4968 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4969 packet_info *pinfo, proto_tree *parent_tree,
4972 proto_item *item=NULL;
4973 proto_tree *tree=NULL;
4974 int old_offset=offset;
4977 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4979 tree = proto_item_add_subtree(item, ett_TYPE_52);
4982 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4983 hf_netlogon_unknown_long, NULL);
4985 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4986 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
4987 "unknown", hf_netlogon_unknown_string);
4989 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4990 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
4991 "unknown", hf_netlogon_unknown_string);
4993 proto_item_set_len(item, offset-old_offset);
4998 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
4999 packet_info *pinfo, proto_tree *tree,
5002 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5003 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5004 "TYPE_52 pointer: unknown_TYPE_52", -1);
5010 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5011 packet_info *pinfo, proto_tree *parent_tree,
5014 proto_item *item=NULL;
5015 proto_tree *tree=NULL;
5016 int old_offset=offset;
5020 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5022 tree = proto_item_add_subtree(item, ett_TYPE_44);
5025 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5026 hf_netlogon_level, &level);
5031 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5032 hf_netlogon_unknown_long, NULL);
5036 proto_item_set_len(item, offset-old_offset);
5041 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5042 packet_info *pinfo, proto_tree *tree,
5047 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5048 hf_netlogon_level, &level);
5053 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5054 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5055 "DOMAIN_QUERY_1:", -1);
5058 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5059 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5060 "DOMAIN_QUERY_1:", -1);
5068 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
5069 packet_info *pinfo, proto_tree *tree, char *drep)
5071 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5079 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
5080 packet_info *pinfo, proto_tree *tree, char *drep)
5082 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5083 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5084 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5086 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5087 hf_netlogon_rc, NULL);
5093 netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
5094 packet_info *pinfo, proto_tree *tree, char *drep)
5096 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5099 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5100 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5102 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5103 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5104 "GUID pointer: domain_guid", -1);
5106 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5107 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5108 "GUID pointer: site_guid", -1);
5110 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5111 hf_netlogon_flags, NULL);
5118 netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
5119 packet_info *pinfo, proto_tree *tree, char *drep)
5121 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5122 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5123 "DOMAIN_CONTROLLER_INFO:", -1);
5125 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5126 hf_netlogon_rc, NULL);
5132 netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
5133 packet_info *pinfo, proto_tree *tree, char *drep)
5135 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5138 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5139 NDR_POINTER_UNIQUE, "unknown string",
5140 hf_netlogon_unknown_string, 0);
5142 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5143 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5144 "AUTHENTICATOR: credential", -1);
5146 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5147 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5148 "AUTHENTICATOR: return_authenticator", -1);
5150 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5151 hf_netlogon_unknown_long, NULL);
5158 netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
5159 packet_info *pinfo, proto_tree *tree, char *drep)
5161 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5162 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5163 "AUTHENTICATOR: return_authenticator", -1);
5165 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5166 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5167 "TYPE_44 pointer: unknown_TYPE_44", -1);
5169 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5170 hf_netlogon_rc, NULL);
5176 netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
5177 packet_info *pinfo, proto_tree *tree, char *drep)
5179 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5182 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5183 hf_netlogon_unknown_long, NULL);
5185 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5186 hf_netlogon_unknown_long, NULL);
5193 netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
5194 packet_info *pinfo, proto_tree *tree, char *drep)
5196 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5197 hf_netlogon_rc, NULL);
5203 netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
5204 packet_info *pinfo, proto_tree *tree, char *drep)
5206 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5209 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5210 NDR_POINTER_UNIQUE, "unknown string",
5211 hf_netlogon_unknown_string, 0);
5218 netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
5219 packet_info *pinfo, proto_tree *tree, char *drep)
5221 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5222 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5223 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5225 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5226 hf_netlogon_rc, NULL);
5232 netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
5233 packet_info *pinfo, proto_tree *tree, char *drep)
5235 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5238 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5239 hf_netlogon_unknown_long, NULL);
5241 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5242 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5243 "BYTE pointer: unknown_BYTE", -1);
5245 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5246 hf_netlogon_unknown_long, NULL);
5252 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5253 packet_info *pinfo, proto_tree *tree, char *drep)
5258 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5259 hf_netlogon_unknown_char, NULL);
5266 netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
5267 packet_info *pinfo, proto_tree *tree, char *drep)
5269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5270 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5271 "BYTE pointer: unknown_BYTE", -1);
5273 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5274 hf_netlogon_rc, NULL);
5280 netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
5281 packet_info *pinfo, proto_tree *tree, char *drep)
5283 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5286 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5287 NDR_POINTER_UNIQUE, "unknown string",
5288 hf_netlogon_unknown_string, 0);
5290 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5291 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5292 "BYTE pointer: unknown_BYTE", -1);
5294 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5295 hf_netlogon_unknown_long, NULL);
5302 netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
5303 packet_info *pinfo, proto_tree *tree, char *drep)
5305 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5306 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5307 "BYTE pointer: unknown_BYTE", -1);
5309 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5310 hf_netlogon_rc, NULL);
5316 netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5317 packet_info *pinfo, proto_tree *tree, char *drep)
5319 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5322 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5323 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5325 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5328 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5329 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5332 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5333 "CREDENTIAL: authenticator", -1);
5335 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5336 hf_netlogon_neg_flags, NULL);
5343 netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5344 packet_info *pinfo, proto_tree *tree, char *drep)
5346 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5347 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5348 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5350 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5351 hf_netlogon_neg_flags, NULL);
5353 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5354 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5355 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5357 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5358 hf_netlogon_rc, NULL);
5364 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5365 packet_info *pinfo, proto_tree *tree, char *drep)
5367 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5370 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5371 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5373 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5374 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5375 "GUID pointer: domain_guid", -1);
5377 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5378 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5380 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
5387 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5388 packet_info *pinfo, proto_tree *tree, char *drep)
5390 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5391 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5392 "DOMAIN_CONTROLLER_INFO:", -1);
5394 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5395 hf_netlogon_rc, NULL);
5401 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5402 packet_info *pinfo, proto_tree *tree, char *drep)
5404 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5412 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5413 packet_info *pinfo, proto_tree *tree, char *drep)
5416 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
5417 NDR_POINTER_REF, hf_netlogon_site_name, 0);
5419 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5420 hf_netlogon_rc, NULL);
5426 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5427 packet_info *pinfo, proto_tree *tree, char *drep)
5429 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5430 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5431 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5433 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5434 NDR_POINTER_UNIQUE, "Computer Name",
5435 hf_netlogon_computer_name, 0);
5437 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5438 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5439 "AUTHENTICATOR: credential", -1);
5441 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5442 hf_netlogon_unknown_long, NULL);
5444 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5445 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5446 "AUTHENTICATOR: return_authenticator", -1);
5448 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5449 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5450 "DOMAIN_QUERY: ", -1);
5457 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5458 packet_info *pinfo, proto_tree *tree, char *drep)
5460 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5461 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5462 "AUTHENTICATOR: return_authenticator", -1);
5464 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5465 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5466 "DOMAIN_INFO: ", -1);
5468 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5469 hf_netlogon_rc, NULL);
5475 netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
5476 packet_info *pinfo, proto_tree *tree, char *drep)
5478 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5481 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5482 NDR_POINTER_UNIQUE, "unknown string",
5483 hf_netlogon_unknown_string, 0);
5485 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5486 hf_netlogon_unknown_short, NULL);
5488 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5489 NDR_POINTER_UNIQUE, "unknown string",
5490 hf_netlogon_unknown_string, 0);
5492 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5493 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5494 "AUTHENTICATOR: credential", -1);
5496 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
5504 netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
5505 packet_info *pinfo, proto_tree *tree, char *drep)
5507 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5508 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5509 "AUTHENTICATOR: return_authenticator", -1);
5511 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5512 hf_netlogon_rc, NULL);
5518 netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5519 packet_info *pinfo, proto_tree *tree, char *drep)
5521 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5524 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5525 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
5527 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5530 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5531 NDR_POINTER_UNIQUE, "Computer Name",
5532 hf_netlogon_computer_name, 0);
5534 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5535 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5536 "AUTHENTICATOR: credential", -1);
5543 netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5544 packet_info *pinfo, proto_tree *tree, char *drep)
5546 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5547 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5548 "AUTHENTICATOR: return_authenticator", -1);
5550 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5551 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5552 "LM_OWF_PASSWORD pointer: server_pwd", -1);
5554 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5555 hf_netlogon_rc, NULL);
5561 netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
5562 packet_info *pinfo, proto_tree *tree, char *drep)
5564 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5567 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5568 NDR_POINTER_UNIQUE, "unknown string",
5569 hf_netlogon_unknown_string, 0);
5571 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5572 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5573 "AUTHENTICATOR: credential", -1);
5575 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5576 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5577 "BYTE pointer: unknown_BYTE", -1);
5579 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5580 hf_netlogon_unknown_long, NULL);
5587 netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
5588 packet_info *pinfo, proto_tree *tree, char *drep)
5590 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5591 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5592 "AUTHENTICATOR: return_authenticator", -1);
5594 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5595 hf_netlogon_rc, NULL);
5601 netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
5602 packet_info *pinfo, proto_tree *tree, char *drep)
5604 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5607 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5608 hf_netlogon_unknown_long, NULL);
5610 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5611 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5612 "BYTE pointer: unknown_BYTE", -1);
5619 netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
5620 packet_info *pinfo, proto_tree *tree, char *drep)
5622 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5623 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5624 "TYPE_50** pointer: unknown_TYPE_50", -1);
5626 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5627 hf_netlogon_rc, NULL);
5633 netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
5634 packet_info *pinfo, proto_tree *tree, char *drep)
5636 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5639 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5640 NDR_POINTER_UNIQUE, "unknown string",
5641 hf_netlogon_unknown_string, 0);
5643 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5644 hf_netlogon_unknown_long, NULL);
5646 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5647 NDR_POINTER_UNIQUE, "unknown string",
5648 hf_netlogon_unknown_string, 0);
5650 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5651 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5652 "GUID pointer: unknown_GUID", -1);
5654 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5655 NDR_POINTER_UNIQUE, "unknown string",
5656 hf_netlogon_unknown_string, 0);
5658 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5659 hf_netlogon_unknown_long, NULL);
5666 netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
5667 packet_info *pinfo, proto_tree *tree, char *drep)
5669 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5670 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5671 "DOMAIN_CONTROLLER_INFO:", -1);
5673 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5674 hf_netlogon_rc, NULL);
5680 netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
5681 packet_info *pinfo, proto_tree *tree, char *drep)
5683 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5691 netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
5692 packet_info *pinfo, proto_tree *tree, char *drep)
5694 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5695 NDR_POINTER_UNIQUE, "unknown string",
5696 hf_netlogon_unknown_string, 0);
5698 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5699 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5700 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5702 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5703 hf_netlogon_rc, NULL);
5709 netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
5710 packet_info *pinfo, proto_tree *tree, char *drep)
5712 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5719 netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
5720 packet_info *pinfo, proto_tree *tree, char *drep)
5722 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5723 hf_netlogon_entries, NULL);
5725 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5726 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5727 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5729 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5730 hf_netlogon_rc, NULL);
5736 netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
5737 packet_info *pinfo, proto_tree *tree, char *drep)
5739 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5742 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5743 hf_netlogon_unknown_long, NULL);
5745 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5746 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5747 "BYTE pointer: unknown_BYTE", -1);
5754 netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
5755 packet_info *pinfo, proto_tree *tree, char *drep)
5757 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5758 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5759 "TYPE_52 pointer: unknown_TYPE_52", -1);
5761 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5762 hf_netlogon_rc, NULL);
5769 netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
5770 packet_info *pinfo, proto_tree *tree, char *drep)
5772 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5773 NDR_POINTER_UNIQUE, "unknown string",
5774 hf_netlogon_unknown_string, 0);
5781 netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
5782 packet_info *pinfo, proto_tree *tree, char *drep)
5784 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5785 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5786 "TYPE_50** pointer: unknown_TYPE_50", -1);
5788 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5789 hf_netlogon_rc, NULL);
5795 netlogon_dissect_logonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5796 packet_info *pinfo, proto_tree *tree, char *drep)
5798 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5799 NDR_POINTER_UNIQUE, "unknown string",
5800 hf_netlogon_unknown_string, 0);
5802 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5803 NDR_POINTER_UNIQUE, "unknown string",
5804 hf_netlogon_unknown_string, 0);
5806 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5807 hf_netlogon_unknown_short, NULL);
5809 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5810 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5811 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
5813 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5814 hf_netlogon_unknown_short, NULL);
5816 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5817 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5818 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5824 netlogon_dissect_logonsamlogonex_reply(tvbuff_t *tvb, int offset,
5825 packet_info *pinfo, proto_tree *tree, char *drep)
5827 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5828 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5829 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
5831 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5832 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5833 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
5835 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5836 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5837 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5839 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5840 hf_netlogon_rc, NULL);
5847 netlogon_dissect_dsenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5848 packet_info *pinfo, proto_tree *tree, char *drep)
5850 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5853 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5860 netlogon_dissect_dsenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5861 packet_info *pinfo, proto_tree *tree, char *drep)
5863 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5864 hf_netlogon_entries, NULL);
5866 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5867 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5868 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5870 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5871 hf_netlogon_rc, NULL);
5877 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5878 packet_info *pinfo, proto_tree *tree, char *drep)
5880 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5883 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5884 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5886 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5887 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5888 "GUID pointer: domain_guid", -1);
5890 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5891 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5892 "GUID pointer: dsa_guid", -1);
5894 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5895 NDR_POINTER_UNIQUE, "dns_host", hf_netlogon_dns_host, 0);
5902 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5903 packet_info *pinfo, proto_tree *tree, char *drep)
5905 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5906 hf_netlogon_rc, NULL);
5913 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
5914 { NETLOGON_UASLOGON, "UasLogon",
5915 netlogon_dissect_netlogonuaslogon_rqst,
5916 netlogon_dissect_netlogonuaslogon_reply },
5917 { NETLOGON_UASLOGOFF, "UasLogoff",
5918 netlogon_dissect_netlogonuaslogoff_rqst,
5919 netlogon_dissect_netlogonuaslogoff_reply },
5920 { NETLOGON_NETLOGONSAMLOGON, "SamLogon",
5921 netlogon_dissect_netlogonsamlogon_rqst,
5922 netlogon_dissect_netlogonsamlogon_reply },
5923 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
5924 netlogon_dissect_netlogonsamlogoff_rqst,
5925 netlogon_dissect_netlogonsamlogoff_reply },
5926 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
5927 netlogon_dissect_netserverreqchallenge_rqst,
5928 netlogon_dissect_netserverreqchallenge_reply },
5929 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
5930 netlogon_dissect_netserverauthenticate_rqst,
5931 netlogon_dissect_netserverauthenticate_reply },
5932 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
5933 netlogon_dissect_netserverpasswordset_rqst,
5934 netlogon_dissect_netserverpasswordset_reply },
5935 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
5936 netlogon_dissect_netsamdeltas_rqst,
5937 netlogon_dissect_netsamdeltas_reply },
5938 { NETLOGON_DATABASESYNC, "DatabaseSync",
5939 netlogon_dissect_netlogondatabasesync_rqst,
5940 netlogon_dissect_netlogondatabasesync_reply },
5941 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
5942 netlogon_dissect_netlogonaccountdeltas_rqst,
5943 netlogon_dissect_netlogonaccountdeltas_reply },
5944 { NETLOGON_ACCOUNTSYNC, "AccountSync",
5945 netlogon_dissect_netlogonaccountsync_rqst,
5946 netlogon_dissect_netlogonaccountsync_reply },
5947 { NETLOGON_GETDCNAME, "GetDCName",
5948 netlogon_dissect_netlogongetdcname_rqst,
5949 netlogon_dissect_netlogongetdcname_reply },
5950 { NETLOGON_NETLOGONCONTROL, "LogonControl",
5951 netlogon_dissect_netlogoncontrol_rqst,
5952 netlogon_dissect_netlogoncontrol_reply },
5953 { NETLOGON_GETANYDCNAME, "GetAnyDCName",
5954 netlogon_dissect_netlogongetanydcname_rqst,
5955 netlogon_dissect_netlogongetanydcname_reply },
5956 { NETLOGON_NETLOGONCONTROL2, "LogonControl2",
5957 netlogon_dissect_netlogoncontrol2_rqst,
5958 netlogon_dissect_netlogoncontrol2_reply },
5959 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
5960 netlogon_dissect_netserverauthenticate2_rqst,
5961 netlogon_dissect_netserverauthenticate2_reply },
5962 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
5963 netlogon_dissect_netdatabasesync2_rqst,
5964 netlogon_dissect_netdatabasesync2_reply },
5965 { NETLOGON_DATABASEREDO, "DatabaseRedo",
5966 netlogon_dissect_netlogondatabaseredo_rqst,
5967 netlogon_dissect_netlogondatabaseredo_reply },
5968 { NETLOGON_FUNCTION_12, "Function_0x12",
5969 netlogon_dissect_function_12_rqst,
5970 netlogon_dissect_function_12_reply },
5971 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList",
5972 netlogon_dissect_nettrusteddomainlist_rqst,
5973 netlogon_dissect_nettrusteddomainlist_reply },
5974 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2",
5975 netlogon_dissect_dsrgetdcname2_rqst,
5976 netlogon_dissect_dsrgetdcname2_reply },
5977 { NETLOGON_FUNCTION_15, "Function 0x15",
5978 netlogon_dissect_function_15_rqst,
5979 netlogon_dissect_function_15_reply },
5980 { NETLOGON_FUNCTION_16, "Function 0x16",
5981 netlogon_dissect_function_16_rqst,
5982 netlogon_dissect_function_16_reply },
5983 { NETLOGON_FUNCTION_17, "Function 0x17",
5984 netlogon_dissect_function_17_rqst,
5985 netlogon_dissect_function_17_reply },
5986 { NETLOGON_FUNCTION_18, "Function 0x18",
5987 netlogon_dissect_function_18_rqst,
5988 netlogon_dissect_function_18_reply },
5989 { NETLOGON_FUNCTION_19, "Function 0x19",
5990 netlogon_dissect_function_19_rqst,
5991 netlogon_dissect_function_19_reply },
5992 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3",
5993 netlogon_dissect_netserverauthenticate3_rqst,
5994 netlogon_dissect_netserverauthenticate3_reply },
5995 { NETLOGON_DSRGETDCNAME, "DsrGetDCName",
5996 netlogon_dissect_dsrgetdcname_rqst,
5997 netlogon_dissect_dsrgetdcname_reply },
5998 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
5999 netlogon_dissect_dsrgetsitename_rqst,
6000 netlogon_dissect_dsrgetsitename_reply },
6001 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6002 netlogon_dissect_netrlogongetdomaininfo_rqst,
6003 netlogon_dissect_netrlogongetdomaininfo_reply },
6004 { NETLOGON_FUNCTION_1E, "Function_0x1E",
6005 netlogon_dissect_function_1e_rqst,
6006 netlogon_dissect_function_1e_reply },
6007 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2",
6008 netlogon_dissect_netserverpasswordset2_rqst,
6009 netlogon_dissect_netserverpasswordset2_reply },
6010 { NETLOGON_FUNCTION_20, "Function_0x20",
6011 netlogon_dissect_function_20_rqst,
6012 netlogon_dissect_function_20_reply },
6013 { NETLOGON_FUNCTION_21, "Function_0x21",
6014 netlogon_dissect_function_21_rqst,
6015 netlogon_dissect_function_21_reply },
6016 { NETLOGON_FUNCTION_22, "Function_0x22",
6017 netlogon_dissect_function_22_rqst,
6018 netlogon_dissect_function_22_reply },
6019 { NETLOGON_FUNCTION_23, "Function_0x23",
6020 netlogon_dissect_function_23_rqst,
6021 netlogon_dissect_function_23_reply },
6022 { NETLOGON_FUNCTION_24, "Function_0x24",
6023 netlogon_dissect_function_24_rqst,
6024 netlogon_dissect_function_24_reply },
6025 { NETLOGON_FUNCTION_25, "Function_0x25",
6026 netlogon_dissect_function_25_rqst,
6027 netlogon_dissect_function_25_reply },
6028 { NETLOGON_FUNCTION_26, "Function_0x26",
6029 netlogon_dissect_function_26_rqst,
6030 netlogon_dissect_function_26_reply },
6031 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx",
6032 netlogon_dissect_logonsamlogonex_rqst,
6033 netlogon_dissect_logonsamlogonex_reply },
6034 { NETLOGON_DSENUMERATETRUSTEDDOMAINS, "DSEnumerateTrustedDomains",
6035 netlogon_dissect_dsenumeratetrusteddomains_rqst,
6036 netlogon_dissect_dsenumeratetrusteddomains_reply },
6037 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords",
6038 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6039 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6040 {0, NULL, NULL, NULL }
6043 static const value_string netlogon_opnum_vals[] = {
6044 { NETLOGON_UASLOGON, "UasLogon" },
6045 { NETLOGON_UASLOGOFF, "UasLogoff" },
6046 { NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
6047 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
6048 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
6049 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
6050 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
6051 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
6052 { NETLOGON_DATABASESYNC, "DatabaseSync" },
6053 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
6054 { NETLOGON_ACCOUNTSYNC, "AccountSync" },
6055 { NETLOGON_GETDCNAME, "GetDCName" },
6056 { NETLOGON_NETLOGONCONTROL, "LogonControl" },
6057 { NETLOGON_GETANYDCNAME, "GetAnyDCName" },
6058 { NETLOGON_NETLOGONCONTROL2, "LogonControl2" },
6059 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2" },
6060 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2" },
6061 { NETLOGON_DATABASEREDO, "DatabaseRedo" },
6062 { NETLOGON_FUNCTION_12, "Function_0x12" },
6063 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList" },
6064 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2" },
6065 { NETLOGON_FUNCTION_15, "Function_0x15" },
6066 { NETLOGON_FUNCTION_16, "Function_0x16" },
6067 { NETLOGON_FUNCTION_17, "Function_0x17" },
6068 { NETLOGON_FUNCTION_18, "Function_0x18" },
6069 { NETLOGON_FUNCTION_19, "Function_0x19" },
6070 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3" },
6071 { NETLOGON_DSRGETDCNAME, "DsrGetDCName" },
6072 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName" },
6073 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo" },
6074 { NETLOGON_FUNCTION_1E, "Function_0x1E" },
6075 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2" },
6076 { NETLOGON_FUNCTION_20, "Function_0x20" },
6077 { NETLOGON_FUNCTION_21, "Function_0x21" },
6078 { NETLOGON_FUNCTION_22, "Function_0x22" },
6079 { NETLOGON_FUNCTION_23, "Function_0x23" },
6080 { NETLOGON_FUNCTION_24, "Function_0x24" },
6081 { NETLOGON_FUNCTION_25, "Function_0x25" },
6082 { NETLOGON_FUNCTION_26, "Function_0x26" },
6083 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx" },
6084 { NETLOGON_DSENUMERATETRUSTEDDOMAINS, "DSEnumerateTrustedDomains" },
6085 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords" },
6089 /* Secure channel types */
6091 static const value_string sec_chan_type_vals[] = {
6092 { SEC_CHAN_WKSTA, "Workstation" },
6093 { SEC_CHAN_DOMAIN, "Domain trust" },
6094 { SEC_CHAN_BDC, "Backup domain controller" },
6099 proto_register_dcerpc_netlogon(void)
6102 static hf_register_info hf[] = {
6103 { &hf_netlogon_opnum,
6104 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6105 VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
6107 { &hf_netlogon_rc, {
6108 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6109 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6111 { &hf_netlogon_param_ctrl, {
6112 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6113 NULL, 0x0, "Param ctrl", HFILL }},
6115 { &hf_netlogon_logon_id, {
6116 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6117 NULL, 0x0, "Logon ID", HFILL }},
6119 { &hf_netlogon_modify_count, {
6120 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6121 NULL, 0x0, "How many times the object has been modified", HFILL }},
6123 { &hf_netlogon_security_information, {
6124 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6125 NULL, 0x0, "Security Information", HFILL }},
6127 { &hf_netlogon_count, {
6128 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6129 NULL, 0x0, "", HFILL }},
6131 { &hf_netlogon_entries, {
6132 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6133 NULL, 0x0, "", HFILL }},
6135 { &hf_netlogon_credential, {
6136 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6137 NULL, 0x0, "Netlogon credential", HFILL }},
6139 { &hf_netlogon_challenge, {
6140 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6141 NULL, 0x0, "Netlogon challenge", HFILL }},
6143 { &hf_netlogon_lm_owf_password, {
6144 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6145 NULL, 0x0, "LanManager OWF Password", HFILL }},
6147 { &hf_netlogon_user_session_key, {
6148 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6149 NULL, 0x0, "User Session Key", HFILL }},
6151 { &hf_netlogon_encrypted_lm_owf_password, {
6152 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6153 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6155 { &hf_netlogon_nt_owf_password, {
6156 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6157 NULL, 0x0, "NT OWF Password", HFILL }},
6159 { &hf_netlogon_blob, {
6160 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6161 NULL, 0x0, "BLOB", HFILL }},
6163 { &hf_netlogon_len, {
6164 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6165 NULL, 0, "Length", HFILL }},
6167 { &hf_netlogon_priv, {
6168 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6169 NULL, 0, "", HFILL }},
6171 { &hf_netlogon_privilege_entries, {
6172 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6173 NULL, 0, "", HFILL }},
6175 { &hf_netlogon_privilege_control, {
6176 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6177 NULL, 0, "", HFILL }},
6179 { &hf_netlogon_privilege_name, {
6180 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6181 NULL, 0, "", HFILL }},
6183 { &hf_netlogon_pdc_connection_status, {
6184 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6185 NULL, 0, "PDC Connection Status", HFILL }},
6187 { &hf_netlogon_tc_connection_status, {
6188 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6189 NULL, 0, "TC Connection Status", HFILL }},
6191 { &hf_netlogon_attrs, {
6192 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6193 NULL, 0, "Attributes", HFILL }},
6195 { &hf_netlogon_unknown_string,
6196 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6197 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6198 { &hf_netlogon_unknown_long,
6199 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6200 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6201 { &hf_netlogon_reserved,
6202 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6203 NULL, 0x0, "Reserved", HFILL }},
6204 { &hf_netlogon_unknown_short,
6205 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6206 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6208 { &hf_netlogon_unknown_char,
6209 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6210 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6212 { &hf_netlogon_acct_expiry_time,
6213 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6214 NULL, 0x0, "When this account will expire", HFILL }},
6216 { &hf_netlogon_nt_pwd_present,
6217 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6218 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6220 { &hf_netlogon_lm_pwd_present,
6221 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6222 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6224 { &hf_netlogon_pwd_expired,
6225 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6226 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6228 { &hf_netlogon_authoritative,
6229 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6230 NULL, 0x0, "", HFILL }},
6232 { &hf_netlogon_sensitive_data_flag,
6233 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6234 NULL, 0x0, "Sensitive data flag", HFILL }},
6236 { &hf_netlogon_auditing_mode,
6237 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6238 NULL, 0x0, "Auditing Mode", HFILL }},
6240 { &hf_netlogon_max_audit_event_count,
6241 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6242 NULL, 0x0, "Max audit event count", HFILL }},
6244 { &hf_netlogon_event_audit_option,
6245 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6246 NULL, 0x0, "Event audit option", HFILL }},
6248 { &hf_netlogon_sensitive_data_len,
6249 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6250 NULL, 0x0, "Length of sensitive data", HFILL }},
6252 { &hf_netlogon_nt_chal_resp,
6253 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6254 NULL, 0, "Challenge response for NT authentication", HFILL }},
6256 { &hf_netlogon_lm_chal_resp,
6257 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6258 NULL, 0, "Challenge response for LM authentication", HFILL }},
6260 { &hf_netlogon_cipher_len,
6261 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6262 NULL, 0, "", HFILL }},
6264 { &hf_netlogon_cipher_maxlen,
6265 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6266 NULL, 0, "", HFILL }},
6268 { &hf_netlogon_pac_data,
6269 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6270 NULL, 0, "Pac Data", HFILL }},
6272 { &hf_netlogon_sensitive_data,
6273 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6274 NULL, 0, "Sensitive Data", HFILL }},
6276 { &hf_netlogon_auth_data,
6277 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6278 NULL, 0, "Auth Data", HFILL }},
6280 { &hf_netlogon_cipher_current_data,
6281 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6282 NULL, 0, "", HFILL }},
6284 { &hf_netlogon_cipher_old_data,
6285 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6286 NULL, 0, "", HFILL }},
6288 { &hf_netlogon_acct_name,
6289 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6290 NULL, 0, "Account Name", HFILL }},
6292 { &hf_netlogon_acct_desc,
6293 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6294 NULL, 0, "Account Description", HFILL }},
6296 { &hf_netlogon_group_desc,
6297 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6298 NULL, 0, "Group Description", HFILL }},
6300 { &hf_netlogon_full_name,
6301 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6302 NULL, 0, "Full Name", HFILL }},
6304 { &hf_netlogon_comment,
6305 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6306 NULL, 0, "Comment", HFILL }},
6308 { &hf_netlogon_parameters,
6309 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6310 NULL, 0, "Parameters", HFILL }},
6312 { &hf_netlogon_logon_script,
6313 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6314 NULL, 0, "Logon Script", HFILL }},
6316 { &hf_netlogon_profile_path,
6317 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6318 NULL, 0, "Profile Path", HFILL }},
6320 { &hf_netlogon_home_dir,
6321 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6322 NULL, 0, "Home Directory", HFILL }},
6324 { &hf_netlogon_dir_drive,
6325 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6326 NULL, 0, "Drive letter for home directory", HFILL }},
6328 { &hf_netlogon_logon_srv,
6329 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6330 NULL, 0, "Server", HFILL }},
6332 { &hf_netlogon_principal,
6333 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6334 NULL, 0, "Principal", HFILL }},
6336 { &hf_netlogon_logon_dom,
6337 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6338 NULL, 0, "Domain", HFILL }},
6340 { &hf_netlogon_computer_name,
6341 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6342 NULL, 0, "Computer Name", HFILL }},
6344 { &hf_netlogon_site_name,
6345 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6346 NULL, 0, "Site Name", HFILL }},
6348 { &hf_netlogon_dc_name,
6349 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6350 NULL, 0, "DC Name", HFILL }},
6352 { &hf_netlogon_dc_site_name,
6353 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6354 NULL, 0, "DC Site Name", HFILL }},
6356 { &hf_netlogon_dns_forest_name,
6357 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6358 NULL, 0, "DNS Forest Name", HFILL }},
6360 { &hf_netlogon_dc_address,
6361 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6362 NULL, 0, "DC Address", HFILL }},
6364 { &hf_netlogon_dc_address_type,
6365 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6366 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6368 { &hf_netlogon_client_site_name,
6369 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6370 NULL, 0, "Client Site Name", HFILL }},
6372 { &hf_netlogon_workstation_site_name,
6373 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6374 NULL, 0, "Workstation Site Name", HFILL }},
6376 { &hf_netlogon_workstation,
6377 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6378 NULL, 0, "Workstation Name", HFILL }},
6380 { &hf_netlogon_workstation_os,
6381 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6382 NULL, 0, "Workstation OS", HFILL }},
6384 { &hf_netlogon_workstations,
6385 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6386 NULL, 0, "Workstations", HFILL }},
6388 { &hf_netlogon_workstation_fqdn,
6389 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6390 NULL, 0, "Workstation FQDN", HFILL }},
6392 { &hf_netlogon_group_name,
6393 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6394 NULL, 0, "Group Name", HFILL }},
6396 { &hf_netlogon_alias_name,
6397 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6398 NULL, 0, "Alias Name", HFILL }},
6400 { &hf_netlogon_dns_host,
6401 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6402 NULL, 0, "DNS Host", HFILL }},
6404 { &hf_netlogon_downlevel_domain_name,
6405 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6406 NULL, 0, "Downlevel Domain Name", HFILL }},
6408 { &hf_netlogon_dns_domain_name,
6409 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6410 NULL, 0, "DNS Domain Name", HFILL }},
6412 { &hf_netlogon_domain_name,
6413 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6414 NULL, 0, "Domain Name", HFILL }},
6416 { &hf_netlogon_oem_info,
6417 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6418 NULL, 0, "OEM Info", HFILL }},
6420 { &hf_netlogon_trusted_dc_name,
6421 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6422 NULL, 0, "Trusted DC", HFILL }},
6424 { &hf_netlogon_logonsrv_handle,
6425 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6426 NULL, 0, "Logon Srv Handle", HFILL }},
6428 { &hf_netlogon_dummy,
6429 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6430 NULL, 0, "Dummy string", HFILL }},
6432 { &hf_netlogon_logon_count16,
6433 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6434 NULL, 0x0, "Number of successful logins", HFILL }},
6436 { &hf_netlogon_logon_count,
6437 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6438 NULL, 0x0, "Number of successful logins", HFILL }},
6440 { &hf_netlogon_bad_pw_count16,
6441 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6442 NULL, 0x0, "Number of failed logins", HFILL }},
6444 { &hf_netlogon_bad_pw_count,
6445 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6446 NULL, 0x0, "Number of failed logins", HFILL }},
6448 { &hf_netlogon_country,
6449 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6450 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6452 { &hf_netlogon_codepage,
6453 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6454 NULL, 0x0, "Codepage setting for this account", HFILL }},
6456 { &hf_netlogon_level16,
6457 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6458 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6460 { &hf_netlogon_validation_level,
6461 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6462 NULL, 0x0, "Requested level of validation", HFILL }},
6464 { &hf_netlogon_minpasswdlen,
6465 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6466 NULL, 0x0, "Minimum length of password", HFILL }},
6468 { &hf_netlogon_passwdhistorylen,
6469 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6470 NULL, 0x0, "Length of password history", HFILL }},
6472 { &hf_netlogon_secure_channel_type,
6473 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
6474 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
6476 { &hf_netlogon_restart_state,
6477 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6478 NULL, 0x0, "Restart State", HFILL }},
6480 { &hf_netlogon_delta_type,
6481 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6482 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6484 { &hf_netlogon_blob_size,
6485 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6486 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6488 { &hf_netlogon_code,
6489 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6490 NULL, 0x0, "Code", HFILL }},
6492 { &hf_netlogon_level,
6493 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6494 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6496 { &hf_netlogon_reference,
6497 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6498 NULL, 0x0, "", HFILL }},
6500 { &hf_netlogon_next_reference,
6501 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6502 NULL, 0x0, "", HFILL }},
6504 { &hf_netlogon_timestamp,
6505 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6506 NULL, 0, "", HFILL }},
6508 { &hf_netlogon_user_rid,
6509 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6510 NULL, 0x0, "", HFILL }},
6512 { &hf_netlogon_alias_rid,
6513 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6514 NULL, 0x0, "", HFILL }},
6516 { &hf_netlogon_group_rid,
6517 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6518 NULL, 0x0, "", HFILL }},
6520 { &hf_netlogon_num_rids,
6521 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6522 NULL, 0x0, "Number of RIDs", HFILL }},
6524 { &hf_netlogon_num_controllers,
6525 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6526 NULL, 0x0, "Number of domain controllers", HFILL }},
6528 { &hf_netlogon_num_other_groups,
6529 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6530 NULL, 0x0, "", HFILL }},
6532 { &hf_netlogon_flags,
6533 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6534 NULL, 0x0, "", HFILL }},
6536 { &hf_netlogon_user_flags,
6537 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6538 NULL, 0x0, "", HFILL }},
6540 { &hf_netlogon_auth_flags,
6541 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6542 NULL, 0x0, "", HFILL }},
6544 { &hf_netlogon_systemflags,
6545 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6546 NULL, 0x0, "", HFILL }},
6548 { &hf_netlogon_database_id,
6549 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6550 NULL, 0x0, "Database Id", HFILL }},
6552 { &hf_netlogon_sync_context,
6553 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6554 NULL, 0x0, "Sync Context", HFILL }},
6556 { &hf_netlogon_max_size,
6557 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6558 NULL, 0x0, "Max Size of database", HFILL }},
6560 { &hf_netlogon_max_log_size,
6561 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6562 NULL, 0x0, "Max Size of log", HFILL }},
6564 { &hf_netlogon_pac_size,
6565 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6566 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6568 { &hf_netlogon_auth_size,
6569 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6570 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6572 { &hf_netlogon_num_deltas,
6573 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6574 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6576 { &hf_netlogon_num_trusts,
6577 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
6578 NULL, 0x0, "", HFILL }},
6580 { &hf_netlogon_logon_attempts,
6581 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6582 NULL, 0x0, "Number of logon attempts", HFILL }},
6584 { &hf_netlogon_pagefilelimit,
6585 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6586 NULL, 0x0, "", HFILL }},
6588 { &hf_netlogon_pagedpoollimit,
6589 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6590 NULL, 0x0, "", HFILL }},
6592 { &hf_netlogon_nonpagedpoollimit,
6593 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6594 NULL, 0x0, "", HFILL }},
6596 { &hf_netlogon_minworkingsetsize,
6597 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6598 NULL, 0x0, "", HFILL }},
6600 { &hf_netlogon_maxworkingsetsize,
6601 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6602 NULL, 0x0, "", HFILL }},
6604 { &hf_netlogon_serial_number,
6605 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6606 NULL, 0x0, "", HFILL }},
6608 { &hf_netlogon_neg_flags,
6609 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6610 NULL, 0x0, "Negotiation Flags", HFILL }},
6612 { &hf_netlogon_dc_flags,
6613 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
6614 NULL, 0x0, "Domain Controller Flags", HFILL }},
6616 { &hf_netlogon_dc_flags_pdc_flag,
6617 { "PDC", "netlogon.dc.flags.pdc",
6618 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
6619 "If this server is a PDC", HFILL }},
6621 { &hf_netlogon_dc_flags_gc_flag,
6622 { "GC", "netlogon.dc.flags.gc",
6623 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
6624 "If this server is a GC", HFILL }},
6626 { &hf_netlogon_dc_flags_ldap_flag,
6627 { "LDAP", "netlogon.dc.flags.ldap",
6628 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
6629 "If this is an LDAP server", HFILL }},
6631 { &hf_netlogon_dc_flags_ds_flag,
6632 { "DS", "netlogon.dc.flags.ds",
6633 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
6634 "If this server is a DS", HFILL }},
6636 { &hf_netlogon_dc_flags_kdc_flag,
6637 { "KDC", "netlogon.dc.flags.kdc",
6638 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
6639 "If this is a KDC", HFILL }},
6641 { &hf_netlogon_dc_flags_timeserv_flag,
6642 { "Timeserv", "netlogon.dc.flags.timeserv",
6643 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
6644 "If this server is a TimeServer", HFILL }},
6646 { &hf_netlogon_dc_flags_closest_flag,
6647 { "Closest", "netlogon.dc.flags.closest",
6648 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
6649 "If this is the closest server", HFILL }},
6651 { &hf_netlogon_dc_flags_writable_flag,
6652 { "Writable", "netlogon.dc.flags.writable",
6653 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
6654 "If this server can do updates to the database", HFILL }},
6656 { &hf_netlogon_dc_flags_good_timeserv_flag,
6657 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
6658 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
6659 "If this is a Good TimeServer", HFILL }},
6661 { &hf_netlogon_dc_flags_ndnc_flag,
6662 { "NDNC", "netlogon.dc.flags.ndnc",
6663 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
6664 "If this is an NDNC server", HFILL }},
6666 { &hf_netlogon_dc_flags_dns_controller_flag,
6667 { "DNS Controller", "netlogon.dc.flags.dns_controller",
6668 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
6669 "If this server is a DNS Controller", HFILL }},
6671 { &hf_netlogon_dc_flags_dns_domain_flag,
6672 { "DNS Domain", "netlogon.dc.flags.dns_domain",
6673 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
6676 { &hf_netlogon_dc_flags_dns_forest_flag,
6677 { "DNS Forest", "netlogon.dc.flags.dns_forest",
6678 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
6681 { &hf_netlogon_get_dcname_request_flags,
6682 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
6683 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
6685 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
6686 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
6687 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
6688 "Whether to allow the server to returned cached information or not", HFILL }},
6690 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
6691 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
6692 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
6693 "Whether we require that the returned DC supports w2k or not", HFILL }},
6695 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
6696 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
6697 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
6698 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
6700 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
6701 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
6702 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
6703 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
6705 { &hf_netlogon_get_dcname_request_flags_pdc_required,
6706 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
6707 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
6708 "Whether we require the returned DC to be the PDC", HFILL }},
6710 { &hf_netlogon_get_dcname_request_flags_background_only,
6711 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
6712 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
6713 "If we want cached data, even if it may have expired", HFILL }},
6715 { &hf_netlogon_get_dcname_request_flags_ip_required,
6716 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
6717 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
6718 "If we requre the IP of the DC in the reply", HFILL }},
6720 { &hf_netlogon_get_dcname_request_flags_kdc_required,
6721 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
6722 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
6723 "If we require that the returned server is a KDC", HFILL }},
6725 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
6726 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
6727 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
6728 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
6730 { &hf_netlogon_get_dcname_request_flags_writable_required,
6731 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
6732 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
6733 "If we require that the return server is writable", HFILL }},
6735 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
6736 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
6737 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
6738 "If we prefer Windows Time Servers", HFILL }},
6740 { &hf_netlogon_get_dcname_request_flags_avoid_self,
6741 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
6742 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
6743 "Return another DC than the one we ask", HFILL }},
6745 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
6746 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
6747 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
6748 "We just want an LDAP server, it does not have to be a DC", HFILL }},
6750 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
6751 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
6752 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
6753 "If the specified domain name is a NetBIOS name", HFILL }},
6755 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
6756 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
6757 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
6758 "If the specified domain name is a DNS name", HFILL }},
6760 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
6761 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
6762 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
6763 "Only return a DNS name (or an error)", HFILL }},
6765 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
6766 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
6767 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
6768 "Only return a NetBIOS name (or an error)", HFILL }},
6770 { &hf_netlogon_trust_attribs,
6771 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
6772 NULL, 0x0, "Trust Attributes", HFILL }},
6774 { &hf_netlogon_trust_type,
6775 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
6776 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
6778 { &hf_netlogon_trust_flags,
6779 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
6780 NULL, 0x0, "Trust Flags", HFILL }},
6782 { &hf_netlogon_trust_flags_inbound,
6783 { "Inbound Trust", "netlogon.trust.flags.inbound",
6784 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
6785 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
6787 { &hf_netlogon_trust_flags_outbound,
6788 { "Outbound Trust", "netlogon.trust.flags.outbound",
6789 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
6790 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
6792 { &hf_netlogon_trust_flags_in_forest,
6793 { "In Forest", "netlogon.trust.flags.in_forest",
6794 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
6795 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
6797 { &hf_netlogon_trust_flags_native_mode,
6798 { "Native Mode", "netlogon.trust.flags.native_mode",
6799 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
6800 "Whether the domain is a w2k native mode domain or not", HFILL }},
6802 { &hf_netlogon_trust_flags_primary,
6803 { "Primary", "netlogon.trust.flags.primary",
6804 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
6805 "Whether the domain is the primary domain for the queried server or not", HFILL }},
6807 { &hf_netlogon_trust_flags_tree_root,
6808 { "Tree Root", "netlogon.trust.flags.tree_root",
6809 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
6810 "Whether the domain is the root of the tree for the queried server", HFILL }},
6812 { &hf_netlogon_trust_parent_index,
6813 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
6814 NULL, 0x0, "Parent Index", HFILL }},
6816 { &hf_netlogon_logon_time,
6817 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6818 NULL, 0, "Time for last time this user logged on", HFILL }},
6820 { &hf_netlogon_kickoff_time,
6821 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6822 NULL, 0, "Time when this user will be kicked off", HFILL }},
6824 { &hf_netlogon_logoff_time,
6825 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6826 NULL, 0, "Time for last time this user logged off", HFILL }},
6828 { &hf_netlogon_pwd_last_set_time,
6829 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6830 NULL, 0, "Last time this users password was changed", HFILL }},
6832 { &hf_netlogon_pwd_can_change_time,
6833 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6834 NULL, 0, "When this users password may be changed", HFILL }},
6836 { &hf_netlogon_pwd_must_change_time,
6837 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6838 NULL, 0, "When this users password must be changed", HFILL }},
6840 { &hf_netlogon_domain_create_time,
6841 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6842 NULL, 0, "Time when this domain was created", HFILL }},
6844 { &hf_netlogon_domain_modify_time,
6845 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6846 NULL, 0, "Time when this domain was last modified", HFILL }},
6848 { &hf_netlogon_db_modify_time,
6849 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6850 NULL, 0, "Time when last modified", HFILL }},
6852 { &hf_netlogon_db_create_time,
6853 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6854 NULL, 0, "Time when created", HFILL }},
6856 { &hf_netlogon_cipher_current_set_time,
6857 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6858 NULL, 0, "Time when current cipher was initiated", HFILL }},
6860 { &hf_netlogon_cipher_old_set_time,
6861 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6862 NULL, 0, "Time when previous cipher was initiated", HFILL }},
6864 { &hf_netlogon_audit_retention_period,
6865 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6866 NULL, 0, "Audit retention period", HFILL }},
6868 { &hf_netlogon_guid,
6869 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
6870 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
6872 { &hf_netlogon_timelimit,
6873 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6874 NULL, 0, "", HFILL }}
6878 static gint *ett[] = {
6879 &ett_dcerpc_netlogon,
6885 &ett_DOMAIN_CONTROLLER_INFO,
6886 &ett_UNICODE_STRING_512,
6889 &ett_DELTA_ID_UNION,
6892 &ett_LM_OWF_PASSWORD,
6893 &ett_NT_OWF_PASSWORD,
6894 &ett_GROUP_MEMBERSHIP,
6895 &ett_DS_DOMAIN_TRUSTS,
6897 &ett_DOMAIN_TRUST_INFO,
6899 &ett_get_dcname_request_flags,
6903 proto_dcerpc_netlogon = proto_register_protocol(
6904 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
6906 proto_register_field_array(proto_dcerpc_netlogon, hf,
6908 proto_register_subtree_array(ett, array_length(ett));
6912 proto_reg_handoff_dcerpc_netlogon(void)
6914 /* Register protocol as dcerpc */
6916 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
6917 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
6918 dcerpc_netlogon_dissectors, hf_netlogon_opnum);