1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #include <epan/packet.h>
35 #include "packet-dcerpc.h"
36 #include "packet-dcerpc-nt.h"
37 #include "packet-dcerpc-netlogon.h"
38 #include "packet-windows-common.h"
39 #include "packet-ntlmssp.h"
40 #include "packet-dcerpc-lsa.h"
41 /* for keytab format */
42 #include <epan/asn1.h>
43 #include "packet-kerberos.h"
45 #include <epan/crypt/crypt-rc4.h>
46 #include <epan/crypt/crypt-md4.h>
47 #include <epan/crypt/crypt-md5.h>
48 #include <epan/crypt/crypt-des.h>
/*
 * Debug helpers: a variadic logging macro that forwards to
 * fprintf(stderr, ...) and printnbyte(), which prints txt, then bytes of
 * tab as two-digit upper-case hex, then txt2. An empty macro and a no-op
 * printnbyte() follow as the second variant.
 * NOTE(review): this listing omits the preprocessor conditional that selects
 * between the two variants, plus the braces, the declaration of i and the
 * loop header (presumably nb iterations) - confirm against the full file.
 * NOTE(review): the first macro is spelled debugfprintf, but every call
 * visible here uses debugprintf, so the logging variant does not define the
 * name its own body calls - looks like a typo; confirm and rename.
 * NOTE(review): the logging variant writes raw bytes to stderr. If callers
 * pass key or credential material (callers are not visible here), a build
 * with logging enabled would leak it - keep that variant out of release
 * builds.
 */
52 #define debugfprintf(...) fprintf(stderr,__VA_ARGS__)
53 static void printnbyte(const guint8* tab,int nb,char* txt,char* txt2)
56 debugprintf("%s ",txt);
59 debugprintf("%02hhX ",*(tab+i));
61 debugprintf("%s",txt2);
/* Second variant: logging expands to nothing and printnbyte() has an empty body. */
64 #define debugprintf(...)
65 static void printnbyte(const guint8* tab _U_,int nb _U_,char* txt _U_,char* txt2 _U_) {}
/*
 * Single-bit masks covering a 32-bit flags word, one macro per bit from
 * 0x80000000 down to 0x1. Only two bits carry a symbolic name:
 * NETLOGON_FLAG_USEAES (0x400000) and NETLOGON_FLAG_STRONGKEY (0x4000);
 * all others are named after their value.
 * NOTE(review): presumably these are the bits of the negotiate-flags word
 * (the file declares matching hf_netlogon_neg_flags_* handles), and the two
 * named bits look like the ones that decide key strength and cipher for the
 * secure channel - confirm against the users of these macros, which are
 * outside this listing. When reading a capture, a negotiation that ends up
 * without those bits is worth a second look.
 */
68 #define NETLOGON_FLAG_80000000 0x80000000
69 #define NETLOGON_FLAG_40000000 0x40000000
70 #define NETLOGON_FLAG_20000000 0x20000000
71 #define NETLOGON_FLAG_10000000 0x10000000
72 #define NETLOGON_FLAG_8000000 0x8000000
73 #define NETLOGON_FLAG_4000000 0x4000000
74 #define NETLOGON_FLAG_2000000 0x2000000
75 #define NETLOGON_FLAG_1000000 0x1000000
76 #define NETLOGON_FLAG_800000 0x800000
77 #define NETLOGON_FLAG_USEAES 0x400000
78 #define NETLOGON_FLAG_200000 0x200000
79 #define NETLOGON_FLAG_100000 0x100000
80 #define NETLOGON_FLAG_80000 0x80000
81 #define NETLOGON_FLAG_40000 0x40000
82 #define NETLOGON_FLAG_20000 0x20000
83 #define NETLOGON_FLAG_10000 0x10000
84 #define NETLOGON_FLAG_8000 0x8000
85 #define NETLOGON_FLAG_STRONGKEY 0x4000
86 #define NETLOGON_FLAG_2000 0x2000
87 #define NETLOGON_FLAG_1000 0x1000
88 #define NETLOGON_FLAG_800 0x800
89 #define NETLOGON_FLAG_400 0x400
90 #define NETLOGON_FLAG_200 0x200
91 #define NETLOGON_FLAG_100 0x100
92 #define NETLOGON_FLAG_80 0x80
93 #define NETLOGON_FLAG_40 0x40
94 #define NETLOGON_FLAG_20 0x20
95 #define NETLOGON_FLAG_10 0x10
96 #define NETLOGON_FLAG_8 0x8
97 #define NETLOGON_FLAG_4 0x4
98 #define NETLOGON_FLAG_2 0x2
99 #define NETLOGON_FLAG_1 0x1
/*
 * File-scope GLib hash tables. netlogon_auths is set to NULL explicitly;
 * schannel_auths has no initialiser and, having static storage, also starts
 * out as NULL. Creation, key/value types and teardown are outside this
 * listing.
 * NOTE(review): presumably these cache per-conversation authentication
 * state (netlogon_auth_vars in this file carries session and encryption
 * keys) - confirm that entries are released when a capture is closed.
 */
100 static GHashTable *netlogon_auths=NULL;
101 static GHashTable *schannel_auths;
/*
 * Integer handles, all initialised to -1. The hf_ prefix marks header-field
 * handles and proto_dcerpc_netlogon the protocol handle; presumably each is
 * assigned its real value at protocol registration, which is outside this
 * listing.
 */
103 static gint DomainInfo_sid = -1;
104 static gint DnsDomainInfo_sid = -1;
105 static gint DnsDomainInfo_domain_guid = -1;
106 static gint DnsDomainInfo_dns_domain = -1;
107 static gint DnsDomainInfo_dns_forest = -1;
108 static gint DnsDomainInfo_name = -1;
/* By name: the challenge and credential values exchanged during authentication. */
109 static int hf_client_challenge = -1;
110 static int hf_server_rid = -1;
111 static int hf_server_challenge = -1;
112 static int hf_client_credential = -1;
113 static int hf_server_credential = -1;
114 static int proto_dcerpc_netlogon = -1;
115 static int hf_netlogon_logon_dnslogondomainname = -1;
116 static int hf_netlogon_logon_upn = -1;
117 static int hf_netlogon_group_attrs_mandatory = -1;
118 static int hf_netlogon_group_attrs_enabled_by_default = -1;
119 static int hf_netlogon_group_attrs_enabled = -1;
120 static int hf_netlogon_opnum = -1;
121 static int hf_netlogon_data_length = -1;
122 static int hf_netlogon_extraflags = -1;
123 static int hf_netlogon_extra_flags_root_forest = -1;
124 static int hf_netlogon_trust_flags_dc_firsthop = -1;
125 static int hf_netlogon_trust_flags_rodc_to_dc = -1;
126 static int hf_netlogon_trust_flags_rodc_ntlm = -1;
127 static int hf_netlogon_package_name = -1;
128 static int hf_netlogon_rc = -1;
129 static int hf_netlogon_dos_rc = -1;
130 static int hf_netlogon_werr_rc = -1;
131 static int hf_netlogon_len = -1;
/*
 * NOTE(review): by name, the next three fields display data the protocol
 * itself labels sensitive - treat captures that populate them as
 * confidential.
 */
132 static int hf_netlogon_sensitive_data_flag = -1;
133 static int hf_netlogon_sensitive_data_len = -1;
134 static int hf_netlogon_sensitive_data = -1;
135 static int hf_netlogon_security_information = -1;
136 static int hf_netlogon_dummy = -1;
/*
 * Header-field handles for the negotiate-flags word: one for the whole
 * value, then one per bit. The numeric suffix of each per-bit handle equals
 * the value of the NETLOGON_FLAG_* mask with the same suffix; by value,
 * hf_netlogon_neg_flags_400000 pairs with NETLOGON_FLAG_USEAES and
 * hf_netlogon_neg_flags_4000 with NETLOGON_FLAG_STRONGKEY.
 * All start at -1; presumably assigned at registration (not in this listing).
 */
137 static int hf_netlogon_neg_flags = -1;
138 static int hf_netlogon_neg_flags_80000000 = -1;
139 static int hf_netlogon_neg_flags_40000000 = -1;
140 static int hf_netlogon_neg_flags_20000000 = -1;
141 static int hf_netlogon_neg_flags_10000000 = -1;
142 static int hf_netlogon_neg_flags_8000000 = -1;
143 static int hf_netlogon_neg_flags_4000000 = -1;
144 static int hf_netlogon_neg_flags_2000000 = -1;
145 static int hf_netlogon_neg_flags_1000000 = -1;
146 static int hf_netlogon_neg_flags_800000 = -1;
147 static int hf_netlogon_neg_flags_400000 = -1;
148 static int hf_netlogon_neg_flags_200000 = -1;
149 static int hf_netlogon_neg_flags_100000 = -1;
150 static int hf_netlogon_neg_flags_80000 = -1;
151 static int hf_netlogon_neg_flags_40000 = -1;
152 static int hf_netlogon_neg_flags_20000 = -1;
153 static int hf_netlogon_neg_flags_10000 = -1;
154 static int hf_netlogon_neg_flags_8000 = -1;
155 static int hf_netlogon_neg_flags_4000 = -1;
156 static int hf_netlogon_neg_flags_2000 = -1;
157 static int hf_netlogon_neg_flags_1000 = -1;
158 static int hf_netlogon_neg_flags_800 = -1;
159 static int hf_netlogon_neg_flags_400 = -1;
160 static int hf_netlogon_neg_flags_200 = -1;
161 static int hf_netlogon_neg_flags_100 = -1;
162 static int hf_netlogon_neg_flags_80 = -1;
163 static int hf_netlogon_neg_flags_40 = -1;
164 static int hf_netlogon_neg_flags_20 = -1;
165 static int hf_netlogon_neg_flags_10 = -1;
166 static int hf_netlogon_neg_flags_8 = -1;
167 static int hf_netlogon_neg_flags_4 = -1;
168 static int hf_netlogon_neg_flags_2 = -1;
169 static int hf_netlogon_neg_flags_1 = -1;
/*
 * Header-field handles for the general NETLOGON structures (quota limits,
 * PAC and auth blobs, cipher values, privileges, timestamps, account and
 * domain attributes, trust information). All start at -1; presumably
 * assigned at registration, which is outside this listing.
 */
170 static int hf_netlogon_minworkingsetsize = -1;
171 static int hf_netlogon_maxworkingsetsize = -1;
172 static int hf_netlogon_pagedpoollimit = -1;
173 static int hf_netlogon_pagefilelimit = -1;
174 static int hf_netlogon_timelimit = -1;
175 static int hf_netlogon_nonpagedpoollimit = -1;
176 static int hf_netlogon_pac_size = -1;
177 static int hf_netlogon_pac_data = -1;
178 static int hf_netlogon_auth_size = -1;
179 static int hf_netlogon_auth_data = -1;
180 static int hf_netlogon_cipher_len = -1;
181 static int hf_netlogon_cipher_maxlen = -1;
182 static int hf_netlogon_cipher_current_data = -1;
183 static int hf_netlogon_cipher_current_set_time = -1;
184 static int hf_netlogon_cipher_old_data = -1;
185 static int hf_netlogon_cipher_old_set_time = -1;
186 static int hf_netlogon_priv = -1;
187 static int hf_netlogon_privilege_entries = -1;
188 static int hf_netlogon_privilege_control = -1;
189 static int hf_netlogon_privilege_name = -1;
190 static int hf_netlogon_systemflags = -1;
191 static int hf_netlogon_pdc_connection_status = -1;
192 static int hf_netlogon_tc_connection_status = -1;
193 static int hf_netlogon_restart_state = -1;
194 static int hf_netlogon_attrs = -1;
195 static int hf_netlogon_lsapolicy_len = -1;
196 static int hf_netlogon_lsapolicy_referentid = -1;
197 static int hf_netlogon_lsapolicy_pointer = -1;
198 static int hf_netlogon_count = -1;
199 static int hf_netlogon_entries = -1;
200 static int hf_netlogon_minpasswdlen = -1;
201 static int hf_netlogon_passwdhistorylen = -1;
202 static int hf_netlogon_level16 = -1;
203 static int hf_netlogon_validation_level = -1;
204 static int hf_netlogon_reference = -1;
205 static int hf_netlogon_next_reference = -1;
206 static int hf_netlogon_timestamp = -1;
207 static int hf_netlogon_level = -1;
208 static int hf_netlogon_challenge = -1;
209 static int hf_netlogon_reserved = -1;
210 static int hf_netlogon_audit_retention_period = -1;
211 static int hf_netlogon_auditing_mode = -1;
212 static int hf_netlogon_max_audit_event_count = -1;
213 static int hf_netlogon_event_audit_option = -1;
214 static int hf_netlogon_unknown_string = -1;
215 static int hf_netlogon_trust_extention = -1;
216 static int hf_netlogon_trust_max = -1;
217 static int hf_netlogon_trust_offset = -1;
218 static int hf_netlogon_trust_len = -1;
/* Placeholder handles for string and integer fields that have no decoded meaning in this file. */
219 static int hf_netlogon_dummy_string = -1;
220 static int hf_netlogon_dummy_string2 = -1;
221 static int hf_netlogon_dummy_string3 = -1;
222 static int hf_netlogon_dummy_string4 = -1;
223 static int hf_netlogon_dummy_string5 = -1;
224 static int hf_netlogon_dummy_string6 = -1;
225 static int hf_netlogon_dummy_string7 = -1;
226 static int hf_netlogon_dummy_string8 = -1;
227 static int hf_netlogon_dummy_string9 = -1;
228 static int hf_netlogon_dummy_string10 = -1;
229 static int hf_netlogon_unknown_short = -1;
230 static int hf_netlogon_unknown_long = -1;
231 static int hf_netlogon_dummy1_long = -1;
232 static int hf_netlogon_dummy2_long = -1;
233 static int hf_netlogon_dummy3_long = -1;
234 static int hf_netlogon_dummy4_long = -1;
235 static int hf_netlogon_dummy5_long = -1;
236 static int hf_netlogon_dummy6_long = -1;
237 static int hf_netlogon_dummy7_long = -1;
238 static int hf_netlogon_dummy8_long = -1;
239 static int hf_netlogon_dummy9_long = -1;
240 static int hf_netlogon_dummy10_long = -1;
241 static int hf_netlogon_unknown_char = -1;
242 static int hf_netlogon_logon_time = -1;
243 static int hf_netlogon_logoff_time = -1;
244 static int hf_netlogon_last_logoff_time = -1;
245 static int hf_netlogon_kickoff_time = -1;
246 static int hf_netlogon_pwd_age = -1;
247 static int hf_netlogon_pwd_last_set_time = -1;
248 static int hf_netlogon_pwd_can_change_time = -1;
249 static int hf_netlogon_pwd_must_change_time = -1;
/*
 * NOTE(review): by name, the next three fields show challenge responses and
 * a credential. A capture that populates them holds material usable for
 * offline password guessing, so store and share such captures accordingly.
 */
250 static int hf_netlogon_nt_chal_resp = -1;
251 static int hf_netlogon_lm_chal_resp = -1;
252 static int hf_netlogon_credential = -1;
253 static int hf_netlogon_acct_name = -1;
254 static int hf_netlogon_acct_desc = -1;
255 static int hf_netlogon_group_desc = -1;
256 static int hf_netlogon_full_name = -1;
257 static int hf_netlogon_comment = -1;
258 static int hf_netlogon_parameters = -1;
259 static int hf_netlogon_logon_script = -1;
260 static int hf_netlogon_profile_path = -1;
261 static int hf_netlogon_home_dir = -1;
262 static int hf_netlogon_dir_drive = -1;
263 static int hf_netlogon_logon_count = -1;
264 static int hf_netlogon_logon_count16 = -1;
265 static int hf_netlogon_bad_pw_count = -1;
266 static int hf_netlogon_bad_pw_count16 = -1;
267 static int hf_netlogon_user_rid = -1;
268 static int hf_netlogon_alias_rid = -1;
269 static int hf_netlogon_group_rid = -1;
270 static int hf_netlogon_logon_srv = -1;
271 static int hf_netlogon_principal = -1;
272 static int hf_netlogon_logon_dom = -1;
273 static int hf_netlogon_resourcegroupcount = -1;
274 static int hf_netlogon_downlevel_domain_name = -1;
275 static int hf_netlogon_dns_domain_name = -1;
276 static int hf_netlogon_ad_client_dns_name = -1;
277 static int hf_netlogon_domain_name = -1;
278 static int hf_netlogon_domain_create_time = -1;
279 static int hf_netlogon_domain_modify_time = -1;
280 static int hf_netlogon_modify_count = -1;
281 static int hf_netlogon_db_modify_time = -1;
282 static int hf_netlogon_db_create_time = -1;
283 static int hf_netlogon_oem_info = -1;
284 static int hf_netlogon_serial_number = -1;
285 static int hf_netlogon_num_rids = -1;
286 static int hf_netlogon_num_trusts = -1;
287 static int hf_netlogon_num_controllers = -1;
288 static int hf_netlogon_num_sid = -1;
289 static int hf_netlogon_computer_name = -1;
290 static int hf_netlogon_site_name = -1;
291 static int hf_netlogon_trusted_dc_name = -1;
292 static int hf_netlogon_dc_name = -1;
293 static int hf_netlogon_dc_site_name = -1;
294 static int hf_netlogon_dns_forest_name = -1;
295 static int hf_netlogon_dc_address = -1;
296 static int hf_netlogon_dc_address_type = -1;
297 static int hf_netlogon_client_site_name = -1;
298 static int hf_netlogon_workstation = -1;
299 static int hf_netlogon_workstation_site_name = -1;
300 static int hf_netlogon_os_version = -1;
301 static int hf_netlogon_workstation_os = -1;
302 static int hf_netlogon_workstation_flags = -1;
303 static int hf_netlogon_supportedenctypes = -1;
305 static int hf_netlogon_workstations = -1;
306 static int hf_netlogon_workstation_fqdn = -1;
307 static int hf_netlogon_group_name = -1;
308 static int hf_netlogon_alias_name = -1;
309 static int hf_netlogon_country = -1;
310 static int hf_netlogon_codepage = -1;
311 static int hf_netlogon_flags = -1;
/* Trust attributes, trust type and trust flags: one handle per word plus one per decoded bit. */
312 static int hf_netlogon_trust_attribs = -1;
313 static int hf_netlogon_trust_attribs_non_transitive = -1;
314 static int hf_netlogon_trust_attribs_uplevel_only = -1;
315 static int hf_netlogon_trust_attribs_quarantined_domain = -1;
316 static int hf_netlogon_trust_attribs_forest_transitive = -1;
317 static int hf_netlogon_trust_attribs_cross_organization = -1;
318 static int hf_netlogon_trust_attribs_within_forest = -1;
319 static int hf_netlogon_trust_attribs_treat_as_external = -1;
320 static int hf_netlogon_trust_type = -1;
321 static int hf_netlogon_trust_flags = -1;
322 static int hf_netlogon_trust_flags_inbound = -1;
323 static int hf_netlogon_trust_flags_outbound = -1;
324 static int hf_netlogon_trust_flags_in_forest = -1;
325 static int hf_netlogon_trust_flags_native_mode = -1;
326 static int hf_netlogon_trust_flags_primary = -1;
327 static int hf_netlogon_trust_flags_tree_root = -1;
328 static int hf_netlogon_trust_parent_index = -1;
/*
 * Header-field handles for the user-account-control word: one for the
 * whole 32-bit value, then one per decoded bit. The per-bit handles are the
 * ones netlogon_dissect_USER_ACCOUNT_CONTROL() adds as boolean items, in
 * this same order. All start at -1; presumably assigned at registration.
 */
329 static int hf_netlogon_user_account_control = -1;
330 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
331 static int hf_netlogon_user_account_control_use_des_key_only = -1;
332 static int hf_netlogon_user_account_control_not_delegated = -1;
333 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
334 static int hf_netlogon_user_account_control_smartcard_required = -1;
335 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
336 static int hf_netlogon_user_account_control_account_auto_locked = -1;
337 static int hf_netlogon_user_account_control_dont_expire_password = -1;
338 static int hf_netlogon_user_account_control_server_trust_account = -1;
339 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
340 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
341 static int hf_netlogon_user_account_control_mns_logon_account = -1;
342 static int hf_netlogon_user_account_control_normal_account = -1;
343 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
344 static int hf_netlogon_user_account_control_password_not_required = -1;
345 static int hf_netlogon_user_account_control_home_directory_required = -1;
346 static int hf_netlogon_user_account_control_account_disabled = -1;
/*
 * Header-field handles for user flags, password and session material,
 * database sync state, DC-locator request flags and DC flags. All start at
 * -1; presumably assigned at registration, which is outside this listing.
 */
347 static int hf_netlogon_user_flags = -1;
348 static int hf_netlogon_user_flags_extra_sids = -1;
349 static int hf_netlogon_user_flags_resource_groups = -1;
350 static int hf_netlogon_auth_flags = -1;
351 static int hf_netlogon_pwd_expired = -1;
352 static int hf_netlogon_nt_pwd_present = -1;
353 static int hf_netlogon_lm_pwd_present = -1;
354 static int hf_netlogon_code = -1;
355 static int hf_netlogon_database_id = -1;
356 static int hf_netlogon_sync_context = -1;
357 static int hf_netlogon_max_size = -1;
358 static int hf_netlogon_max_log_size = -1;
359 static int hf_netlogon_dns_host = -1;
360 static int hf_netlogon_acct_expiry_time = -1;
/*
 * NOTE(review): by name, the next three fields display LM/NT one-way
 * function (OWF) password values, i.e. password hashes. Captures or exported
 * dissections that populate them are credential material.
 */
361 static int hf_netlogon_encrypted_lm_owf_password = -1;
362 static int hf_netlogon_lm_owf_password = -1;
363 static int hf_netlogon_nt_owf_password = -1;
364 static int hf_netlogon_param_ctrl = -1;
365 static int hf_netlogon_logon_id = -1;
366 static int hf_netlogon_num_deltas = -1;
/* NOTE(review): by name a session key - handle exported output as secret. */
367 static int hf_netlogon_user_session_key = -1;
368 static int hf_netlogon_blob_size = -1;
369 static int hf_netlogon_blob = -1;
370 static int hf_netlogon_logon_attempts = -1;
371 static int hf_netlogon_authoritative = -1;
372 static int hf_netlogon_secure_channel_type = -1;
373 static int hf_netlogon_logonsrv_handle = -1;
374 static int hf_netlogon_delta_type = -1;
/* DC-locator request flags: one handle for the word, one per decoded bit. */
375 static int hf_netlogon_get_dcname_request_flags = -1;
376 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
377 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
378 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
379 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
380 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
381 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
382 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
383 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
384 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
385 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
386 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
387 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
388 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
389 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
390 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
391 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
392 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
/* DC flags returned by the locator: one handle for the word, one per decoded bit. */
393 static int hf_netlogon_dc_flags = -1;
394 static int hf_netlogon_dc_flags_pdc_flag = -1;
395 static int hf_netlogon_dc_flags_gc_flag = -1;
396 static int hf_netlogon_dc_flags_ldap_flag = -1;
397 static int hf_netlogon_dc_flags_ds_flag = -1;
398 static int hf_netlogon_dc_flags_kdc_flag = -1;
399 static int hf_netlogon_dc_flags_timeserv_flag = -1;
400 static int hf_netlogon_dc_flags_closest_flag = -1;
401 static int hf_netlogon_dc_flags_writable_flag = -1;
402 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
403 static int hf_netlogon_dc_flags_ndnc_flag = -1;
404 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
405 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
406 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
407 static int hf_netlogon_dnsdomaininfo = -1;
/*
 * Subtree (ett_) handles, one per expandable node type in the dissection
 * tree. All start at -1; presumably assigned when the subtree array is
 * registered, which is outside this listing.
 * In the visible functions, ett_trust_flags is used by
 * netlogon_dissect_EXTRA_FLAGS(), ett_user_account_control by
 * netlogon_dissect_USER_ACCOUNT_CONTROL() and ett_LM_OWF_PASSWORD by
 * dissect_ndr_lm_nt_hash_helper().
 */
409 static gint ett_nt_counted_longs_as_string = -1;
410 static gint ett_dcerpc_netlogon = -1;
411 static gint ett_group_attrs = -1;
412 static gint ett_user_flags = -1;
413 static gint ett_user_account_control = -1;
414 static gint ett_QUOTA_LIMITS = -1;
415 static gint ett_IDENTITY_INFO = -1;
416 static gint ett_DELTA_ENUM = -1;
417 static gint ett_authenticate_flags = -1;
418 static gint ett_CYPHER_VALUE = -1;
419 static gint ett_UNICODE_MULTI = -1;
420 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
421 static gint ett_UNICODE_STRING_512 = -1;
422 static gint ett_TYPE_50 = -1;
423 static gint ett_TYPE_52 = -1;
424 static gint ett_DELTA_ID_UNION = -1;
425 static gint ett_TYPE_44 = -1;
426 static gint ett_DELTA_UNION = -1;
427 static gint ett_LM_OWF_PASSWORD = -1;
428 static gint ett_NT_OWF_PASSWORD = -1;
429 static gint ett_GROUP_MEMBERSHIP = -1;
430 static gint ett_BLOB = -1;
431 static gint ett_DS_DOMAIN_TRUSTS = -1;
432 static gint ett_LSA_POLICY_INFO = -1;
433 static gint ett_DOMAIN_TRUST_INFO = -1;
434 static gint ett_trust_flags = -1;
435 static gint ett_trust_attribs = -1;
436 static gint ett_get_dcname_request_flags = -1;
437 static gint ett_dc_flags = -1;
/*
 * Authentication state for one NETLOGON exchange: the two 64-bit
 * challenges, a 16-byte session key, a 16-byte encryption key, a flag
 * saying whether decryption is possible, and a next pointer that chains
 * several records into a singly linked list.
 * NOTE(review): this listing omits some members (between encryption_key
 * and can_decrypt, and between can_decrypt and next) - see the full file.
 * NOTE(review): session_key and encryption_key are kept as plain byte
 * arrays. Where these records are allocated and freed is not visible here;
 * confirm their lifetime is bounded by the capture and consider clearing
 * the key bytes before release.
 */
439 typedef struct _netlogon_auth_vars {
440 guint64 client_challenge;
441 guint64 server_challenge;
442 guint8 session_key[16];
443 guint8 encryption_key[16];
449 gboolean can_decrypt;
454 struct _netlogon_auth_vars *next;
455 } netlogon_auth_vars;
/*
 * Two helper structs, a file-scope seen_packet instance, and the forward
 * declaration of netlogon_auth_hash() (defined further down).
 * NOTE(review): the members and closing lines of both structs, and the
 * return-type line of the forward declaration, are not in this listing.
 * By name, md4_pass presumably holds an MD4 password hash - confirm.
 */
457 typedef struct _md4_pass {
461 typedef struct _seen_packet {
466 static seen_packet seen;
468 netlogon_auth_hash (gconstpointer k);
/*
 * DCE/RPC interface identity this dissector binds to:
 * UUID 12345678-1234-abcd-ef00-01234567cffb (the NETLOGON interface),
 * interface version 1. The closing line of the initialiser is not in this
 * listing.
 */
469 static e_uuid_t uuid_dcerpc_netlogon = {
470 0x12345678, 0x1234, 0xabcd,
471 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
474 static guint16 ver_dcerpc_netlogon = 1;
/*
 * Reads one 8-byte integer at offset and adds the same 8 bytes to tree
 * under hfindex.
 * Byte order follows the DCE/RPC data-representation octet: when bit 0x10
 * of drep[0] is set the value is read little-endian (tvb_get_letoh64),
 * otherwise in network order (tvb_get_ntoh64); the same bit is passed as
 * the encoding argument of proto_tree_add_item().
 * pinfo is unused (_U_).
 * NOTE(review): the declaration of data, the store through pdata and the
 * return statement are not in this listing; presumably pdata (when
 * non-NULL) receives the value and the function returns offset + 8 -
 * confirm against the full file.
 */
476 static gint dissect_dcerpc_8bytes (tvbuff_t *tvb, gint offset, packet_info *pinfo _U_,
477 proto_tree *tree, guint8 *drep,
478 int hfindex, guint64 *pdata)
482 data = ((drep[0] & 0x10)
483 ? tvb_get_letoh64 (tvb, offset)
484 : tvb_get_ntoh64 (tvb, offset));
487 proto_tree_add_item(tree, hfindex, tvb, offset, 8, (drep[0] & 0x10));
/*
 * Display strings for the user-account-control bits, one true_false_string
 * per bit: the first string is shown when the bit is set, the second when
 * it is clear. The closing line of each initialiser is not in this listing.
 * NOTE(review): several of these bits describe weakened authentication
 * settings (preauthentication not required, DES-only keys, encrypted-text
 * password allowed, no password required, password never expires) or
 * elevated trust (trusted for delegation). When auditing a capture, accounts
 * showing these bits set are worth highlighting.
 */
494 static const true_false_string user_account_control_dont_require_preauth= {
495 "This account DOESN'T_REQUIRE_PREAUTHENTICATION",
496 "This account REQUIRES preauthentication",
498 static const true_false_string user_account_control_use_des_key_only= {
499 "This account must USE_DES_KEY_ONLY for passwords",
500 "This account does NOT have to use_des_key_only",
502 static const true_false_string user_account_control_not_delegated= {
503 "This account is NOT_DELEGATED",
504 "This might have been delegated",
506 static const true_false_string user_account_control_trusted_for_delegation= {
507 "This account is TRUSTED_FOR_DELEGATION",
508 "This account is NOT trusted_for_delegation",
510 static const true_false_string user_account_control_smartcard_required= {
511 "This account REQUIRES_SMARTCARD to authenticate",
512 "This account does NOT require_smartcard to authenticate",
514 static const true_false_string user_account_control_encrypted_text_password_allowed= {
515 "This account allows ENCRYPTED_TEXT_PASSWORD",
516 "This account does NOT allow encrypted_text_password",
518 static const true_false_string user_account_control_account_auto_locked= {
519 "This account is AUTO_LOCKED",
520 "This account is NOT auto_locked",
522 static const true_false_string user_account_control_dont_expire_password= {
523 "This account DOESN'T_EXPIRE_PASSWORDs",
524 "This account might expire_passwords",
526 static const true_false_string user_account_control_server_trust_account= {
527 "This account is a SERVER_TRUST_ACCOUNT",
528 "This account is NOT a server_trust_account",
530 static const true_false_string user_account_control_workstation_trust_account= {
531 "This account is a WORKSTATION_TRUST_ACCOUNT",
532 "This account is NOT a workstation_trust_account",
534 static const true_false_string user_account_control_interdomain_trust_account= {
535 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
536 "This account is NOT an interdomain_trust_account",
538 static const true_false_string user_account_control_mns_logon_account= {
539 "This account is a MNS_LOGON_ACCOUNT",
540 "This account is NOT a mns_logon_account",
542 static const true_false_string user_account_control_normal_account= {
543 "This account is a NORMAL_ACCOUNT",
544 "This account is NOT a normal_account",
546 static const true_false_string user_account_control_temp_duplicate_account= {
547 "This account is a TEMP_DUPLICATE_ACCOUNT",
548 "This account is NOT a temp_duplicate_account",
550 static const true_false_string user_account_control_password_not_required= {
551 "This account REQUIRES_NO_PASSWORD",
552 "This account REQUIRES a password",
554 static const true_false_string user_account_control_home_directory_required= {
555 "This account REQUIRES_HOME_DIRECTORY",
556 "This account does NOT require_home_directory",
558 static const true_false_string user_account_control_account_disabled= {
559 "This account is DISABLED",
560 "This account is NOT disabled",
/*
 * Key type for the authentication hash tables. The member list is not in
 * this listing; netlogon_auth_equal() and netlogon_auth_hash() read the
 * members name, dstport, src and dst.
 */
563 typedef struct _netlogon_auth_key {
/*
 * Equality callback for netlogon_auth_key; both arguments arrive as
 * gconstpointer and are cast to the key type.
 * When either key has no name, the keys match if dstport and both
 * addresses (src, dst) match. The other return compares name with strcmp()
 * together with both addresses.
 * NOTE(review): the return-type line, the braces and presumably an `else`
 * between the two returns are not in this listing.
 * NOTE(review): a key without a name can compare equal to a key with a
 * name here, yet netlogon_auth_hash() seeds its value from dstport for the
 * former and from the bytes of name for the latter. Two keys that compare
 * equal may therefore hash differently, which a hash table does not allow
 * for; a lookup with a nameless key may miss an entry stored under a named
 * key. Confirm whether mixed lookups occur, and if so make hash and
 * equality agree.
 */
571 netlogon_auth_equal (gconstpointer k1, gconstpointer k2)
573 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k1;
574 const netlogon_auth_key *key2 = (const netlogon_auth_key *)k2;
575 if(key1->name == NULL || key2->name ==NULL)
576 return ((key1->dstport == key2->dstport) && ADDRESSES_EQUAL(&key1->src,&key2->src) &&
577 ADDRESSES_EQUAL(&key1->dst,&key2->dst));
579 return ((strcmp(key1->name,key2->name)==0) && ADDRESSES_EQUAL(&key1->src,&key2->src) &&
580 ADDRESSES_EQUAL(&key1->dst,&key2->dst));
/*
 * Hash callback for netlogon_auth_key.
 * Starting value: dstport when name is NULL; otherwise the bytes of name
 * are added up one by one. Both addresses (src, dst) are then mixed in with
 * ADD_ADDRESS_TO_HASH.
 * NOTE(review): the return-type line, the declarations of hash_val1 and i,
 * the `else` and the return statement are not in this listing.
 * NOTE(review): strlen(key1->name) sits in the loop condition and is
 * re-evaluated on every iteration; hoist it, or loop until the terminating
 * NUL, to avoid quadratic work on long names.
 * NOTE(review): a plain byte sum ignores character order, so names that
 * are permutations of one another collide. The names presumably come from
 * captured traffic, so a crafted capture could pile entries into one bucket
 * and slow lookups; a string hash such as g_str_hash() spreads better.
 * NOTE(review): name[i] is plain char, so whether bytes >= 0x80 add or
 * subtract depends on the platform's char signedness.
 */
584 netlogon_auth_hash (gconstpointer k)
586 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k;
588 if(key1->name == NULL) {
589 hash_val1 = key1->dstport;
594 for(i=0; i<strlen(key1->name);i++) {
595 hash_val1 += key1->name[i];
599 ADD_ADDRESS_TO_HASH(hash_val1, &key1->src);
600 ADD_ADDRESS_TO_HASH(hash_val1, &key1->dst);
/*
 * Dissects the 32-bit extra-flags word.
 * The value is first read with dissect_ndr_uint32() into mask without
 * adding anything to the tree (NULL tree argument). It is then added to
 * parent_tree under hf_netlogon_extraflags, a subtree is opened on that
 * item, and four boolean items are added that each decode one bit of the
 * same 4 bytes (offset-4, length 4).
 * On a conformant run nothing is dissected.
 * NOTE(review): the return-type line, the declarations of mask and di, the
 * braces, any guard on parent_tree and the return statements are not in
 * this listing.
 * NOTE(review): the subtree is opened with ett_trust_flags rather than a
 * handle of its own - presumably deliberate sharing; confirm.
 */
604 netlogon_dissect_EXTRA_FLAGS(tvbuff_t *tvb, int offset,
605 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
608 proto_item *item = NULL;
609 proto_tree *tree = NULL;
612 di=pinfo->private_data;
613 if(di->conformant_run){
614 /*just a run to handle conformant arrays, nothing to dissect */
/* Read the word silently (tree is NULL); it is added to the tree by hand below. */
618 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
619 hf_netlogon_extraflags, &mask);
622 item = proto_tree_add_uint(parent_tree, hf_netlogon_extraflags,
623 tvb, offset-4, 4, mask);
624 tree = proto_item_add_subtree(item, ett_trust_flags);
627 proto_tree_add_boolean(tree, hf_netlogon_extra_flags_root_forest,
628 tvb, offset-4, 4, mask);
629 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_dc_firsthop,
630 tvb, offset-4, 4, mask);
631 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_rodc_to_dc,
632 tvb, offset-4, 4, mask);
633 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_rodc_ntlm,
634 tvb, offset-4, 4, mask);
/*
 * Dissects a counted byte-array structure used for LM/NT hash values: two
 * 16-bit values (the second is stored in size under hf_nt_cs_size) followed
 * by a unique pointer labelled "Bytes Array" whose target is dissected by
 * dissect_ndr_char_cvstring under hf_index. callback and callback_args are
 * handed through to dissect_ndr_pointer_cb().
 * NOTE(review): the return-type line, the last parameter line (presumably
 * declaring callback_args), the declarations of len and size, the alignment
 * call, the body of the conformant-run check, the field argument of the
 * first 16-bit read and the return statement are not in this listing.
 * NOTE(review): the visible lines use neither len nor size to bound the
 * array; presumably the pointed-to dissector takes its own counts from the
 * wire - confirm.
 */
639 dissect_ndr_lm_nt_hash_cb(tvbuff_t *tvb, int offset,
640 packet_info *pinfo, proto_tree *tree,
641 guint8 *drep, int hf_index,
642 dcerpc_callback_fnct_t *callback,
645 dcerpc_info *di = pinfo->private_data;
648 /* Structure starts with short, but is aligned for longs */
652 if (di->conformant_run)
/* The next line is a fragment of an IDL sketch; the delimiters of the block comment around it are not in this listing. */
659 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
664 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
667 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
668 hf_nt_cs_size, &size);
670 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
671 dissect_ndr_char_cvstring, NDR_POINTER_UNIQUE,
672 "Bytes Array", hf_index, callback, callback_args);
/*
 * Wrapper around dissect_ndr_lm_nt_hash_cb(): adds a text item carrying the
 * registered name of hf_index, opens a subtree on it with
 * ett_LM_OWF_PASSWORD, and dissects the hash structure into that subtree.
 * levels is unused (_U_).
 * NOTE(review): the return-type line, the declaration of item, the test on
 * add_subtree, the braces and the remaining arguments of the final call are
 * not in this listing; presumably the subtree is only created when
 * add_subtree is true (subtree defaults to tree) - confirm.
 * NOTE(review): the bytes shown here are, by name, LM/NT password hashes;
 * dissection output that includes them is credential material.
 */
677 dissect_ndr_lm_nt_hash_helper(tvbuff_t *tvb, int offset,
678 packet_info *pinfo, proto_tree *tree,
679 guint8 *drep, int hf_index, int levels _U_,
680 gboolean add_subtree)
683 proto_tree *subtree = tree;
687 item = proto_tree_add_text(
688 tree, tvb, offset, 0, "%s",
689 proto_registrar_get_name(hf_index));
691 subtree = proto_item_add_subtree(item,ett_LM_OWF_PASSWORD);
694 return dissect_ndr_lm_nt_hash_cb(
695 tvb, offset, pinfo, subtree, drep, hf_index,
/* Commented-out alternative callback arguments kept by the original author. */
697 /*cb_wstr_postprocess, GINT_TO_POINTER(2 + levels));*/
/*
 * Dissects the 32-bit user-account-control word.
 * The value is read with dissect_ndr_uint32() into mask without adding
 * anything to the tree (NULL tree argument), then added to parent_tree
 * under hf_netlogon_user_account_control. A subtree is opened on that item
 * with ett_user_account_control and seventeen boolean items are added, each
 * decoding one bit of the same 4 bytes (offset-4, length 4).
 * On a conformant run nothing is dissected.
 * NOTE(review): the return-type line, the declarations of mask and di, the
 * braces, any guard on parent_tree and the return statements are not in
 * this listing.
 */
700 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
701 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
704 proto_item *item = NULL;
705 proto_tree *tree = NULL;
708 di=pinfo->private_data;
709 if(di->conformant_run){
710 /*just a run to handle conformant arrays, nothing to dissect */
/* Read the word silently (tree is NULL); it is added to the tree by hand below. */
714 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
715 hf_netlogon_user_account_control, &mask);
718 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_account_control,
719 tvb, offset-4, 4, mask);
720 tree = proto_item_add_subtree(item, ett_user_account_control);
/* One boolean item per bit; every item covers the same 4 bytes and receives the full mask. */
723 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_require_preauth,
724 tvb, offset-4, 4, mask);
725 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_use_des_key_only,
726 tvb, offset-4, 4, mask);
727 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_not_delegated,
728 tvb, offset-4, 4, mask);
729 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_trusted_for_delegation,
730 tvb, offset-4, 4, mask);
731 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_smartcard_required,
732 tvb, offset-4, 4, mask);
733 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_encrypted_text_password_allowed,
734 tvb, offset-4, 4, mask);
735 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_auto_locked,
736 tvb, offset-4, 4, mask);
737 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_expire_password,
738 tvb, offset-4, 4, mask);
739 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_server_trust_account,
740 tvb, offset-4, 4, mask);
741 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_workstation_trust_account,
742 tvb, offset-4, 4, mask);
743 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_interdomain_trust_account,
744 tvb, offset-4, 4, mask);
745 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_mns_logon_account,
746 tvb, offset-4, 4, mask);
747 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_normal_account,
748 tvb, offset-4, 4, mask);
749 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_temp_duplicate_account,
750 tvb, offset-4, 4, mask);
751 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_password_not_required,
752 tvb, offset-4, 4, mask);
753 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_home_directory_required,
754 tvb, offset-4, 4, mask);
755 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_disabled,
756 tvb, offset-4, 4, mask);
/*
 * Dissects the server handle that opens a request: a unique pointer to a
 * string, labelled "Server Handle" and shown under
 * hf_netlogon_logonsrv_handle; the final argument (0) requests no extra
 * string post-processing.
 * NOTE(review): the return-type line, the last parameter line (presumably
 * declaring drep), the braces and the return statement are not in this
 * listing.
 */
762 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
763 packet_info *pinfo, proto_tree *tree,
766 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
767 NDR_POINTER_UNIQUE, "Server Handle",
768 hf_netlogon_logonsrv_handle, 0);
774 * IDL typedef struct {
775 * IDL [unique][string] wchar_t *effective_name;
777 * IDL long auth_flags;
778 * IDL long logon_count;
779 * IDL long bad_pw_count;
780 * IDL long last_logon;
781 * IDL long last_logoff;
782 * IDL long logoff_time;
783 * IDL long kickoff_time;
784 * IDL long password_age;
785 * IDL long pw_can_change;
786 * IDL long pw_must_change;
787 * IDL [unique][string] wchar_t *computer;
788 * IDL [unique][string] wchar_t *domain;
789 * IDL [unique][string] wchar_t *script_path;
/*
 * Dissects a VALIDATION_UAS_INFO structure field by field, in wire order:
 * a unique string pointer ("Effective Account"), four 32-bit values
 * (privilege, auth flags, logon count, bad password count), seven time_t
 * values (logon, last logoff, logoff, kickoff, password age, password can
 * change, password must change), three unique string pointers ("Computer",
 * "Domain", "Script") and a 32-bit reserved value.
 * On a conformant run nothing is dissected.
 * NOTE(review): the return-type line, the last parameter line (presumably
 * declaring drep), the declaration of di, the braces and the return
 * statements are not in this listing.
 */
793 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
794 packet_info *pinfo, proto_tree *tree,
799 di=pinfo->private_data;
800 if(di->conformant_run){
801 /*just a run to handle conformant arrays, nothing to dissect */
805 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
806 NDR_POINTER_UNIQUE, "Effective Account",
807 hf_netlogon_acct_name, 0);
809 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
810 hf_netlogon_priv, NULL);
812 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
813 hf_netlogon_auth_flags, NULL);
815 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
816 hf_netlogon_logon_count, NULL);
818 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
819 hf_netlogon_bad_pw_count, NULL);
/* Seven consecutive time_t fields. */
822 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logon_time, NULL);
824 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_last_logoff_time, NULL);
826 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logoff_time, NULL);
828 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_kickoff_time, NULL);
830 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_age, NULL);
832 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_can_change_time, NULL);
834 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_must_change_time, NULL);
836 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
837 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
839 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
840 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
842 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
843 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
845 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
846 hf_netlogon_reserved, NULL);
852 * IDL long NetrLogonUasLogon(
853 * IDL [in][unique][string] wchar_t *ServerName,
854 * IDL [in][ref][string] wchar_t *UserName,
855 * IDL [in][ref][string] wchar_t *Workstation,
856 * IDL [out][unique] VALIDATION_UAS_INFO *info
/* Dissect a NetrLogonUasLogon request: the server handle, then the account
 * and workstation names as reference-pointer strings. The account name is
 * passed with CB_STR_COL_INFO (presumably so it is echoed in the Info
 * column - confirm against dissect_ndr_str_pointer_item). */
860 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
861 packet_info *pinfo, proto_tree *tree, guint8 *drep)
863 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
866 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
867 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
869 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
870 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/* Dissect a NetrLogonUasLogon reply: a unique pointer to a
 * VALIDATION_UAS_INFO structure, followed by the status code, which is
 * decoded by dissect_ntstatus into hf_netlogon_dos_rc. */
877 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
878 packet_info *pinfo, proto_tree *tree, guint8 *drep)
880 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
881 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
882 "VALIDATION_UAS_INFO", -1);
884 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
885 hf_netlogon_dos_rc, NULL);
891 * IDL typedef struct {
893 * IDL short logon_count;
894 * IDL } LOGOFF_UAS_INFO;
/* Dissect a LOGOFF_UAS_INFO structure: a 4-byte duration that is only
 * labelled (its time format is not decoded), then the 16-bit logon count.
 * Nothing is dissected on a conformant run.
 * NOTE(review): the text item covers 4 bytes at offset; the statement that
 * advances offset past them is not among the visible lines - confirm. */
897 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
898 packet_info *pinfo, proto_tree *tree,
903 di=pinfo->private_data;
904 if(di->conformant_run){
905 /*just a run to handle conformant arrays, nothing to dissect */
909 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
912 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
913 hf_netlogon_logon_count16, NULL);
919 * IDL long NetrLogonUasLogoff(
920 * IDL [in][unique][string] wchar_t *ServerName,
921 * IDL [in][ref][string] wchar_t *UserName,
922 * IDL [in][ref][string] wchar_t *Workstation,
923 * IDL [out][ref] LOGOFF_UAS_INFO *info
/* Dissect a NetrLogonUasLogoff request: the server handle, then the account
 * and workstation names as reference-pointer strings. The layout mirrors the
 * NetrLogonUasLogon request. */
927 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
928 packet_info *pinfo, proto_tree *tree, guint8 *drep)
930 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
933 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
934 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
936 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
937 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/* Dissect a NetrLogonUasLogoff reply: a reference pointer to a
 * LOGOFF_UAS_INFO structure, followed by the status code decoded by
 * dissect_ntstatus into hf_netlogon_dos_rc. */
944 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
945 packet_info *pinfo, proto_tree *tree, guint8 *drep)
947 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
948 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
949 "LOGOFF_UAS_INFO", -1);
951 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
952 hf_netlogon_dos_rc, NULL);
/* Dissect a single byte as hf_netlogon_unknown_char. Used as the per-element
 * callback of netlogon_dissect_BYTE_array, so it adds one tree item per
 * byte of the array. */
958 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
959 packet_info *pinfo, proto_tree *tree,
962 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
963 hf_netlogon_unknown_char, NULL);
/* Dissect an array of bytes by handing netlogon_dissect_BYTE_byte to
 * dissect_ndr_ucarray as the element callback.
 * NOTE(review): the element count is handled inside dissect_ndr_ucarray and
 * presumably comes from the packet; bounds enforcement is not visible in
 * this function - confirm in the helper. */
969 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
970 packet_info *pinfo, proto_tree *tree,
973 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
974 netlogon_dissect_BYTE_byte);
983 * IDL typedef struct {
984 * IDL UNICODESTRING LogonDomainName;
985 * IDL long ParameterControl;
986 * IDL uint64 LogonID;
987 * IDL UNICODESTRING UserName;
988 * IDL UNICODESTRING Workstation;
989 * IDL } LOGON_IDENTITY_INFO;
/* Dissect a LOGON_IDENTITY_INFO structure in its own subtree: logon domain,
 * parameter control, the logon id (dissect_ndr_duint32), account name and
 * workstation. The subtree item is created with length 0 and resized to the
 * consumed span by the final proto_item_set_len call.
 * NOTE(review): the netlogon_dissect_8_unknown_bytes call near the end
 * follows comments saying those bytes were disabled; presumably it is
 * compiled out by preprocessor lines not visible here - confirm. */
992 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
993 packet_info *pinfo, proto_tree *parent_tree,
996 proto_item *item=NULL;
997 proto_tree *tree=NULL;
998 int old_offset=offset;
1001 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1003 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
1006 /* XXX: It would be nice to get the domain and account name
1007 displayed in COL_INFO. */
1009 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1010 hf_netlogon_logon_dom, 0);
1012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1013 hf_netlogon_param_ctrl, NULL);
1015 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, drep,
1016 hf_netlogon_logon_id, NULL);
1018 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1019 hf_netlogon_acct_name, 1);
1021 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1022 hf_netlogon_workstation, 0);
1025 /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
1026 /* XXX 8 extra bytes here */
1027 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
1028 the idl file. Could be a bug in either the NETLOGON implementation or in the
1031 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
1034 proto_item_set_len(item, offset-old_offset);
1040 * IDL typedef struct {
1041 * IDL char password[16];
1042 * IDL } LM_OWF_PASSWORD;
/* Dissect an LM_OWF_PASSWORD: a fixed 16-byte value shown in its own
 * "LM_OWF_PASSWORD:" subtree as hf_netlogon_lm_owf_password. Nothing is
 * dissected on a conformant run.
 * NOTE(review): the 16 bytes are rendered exactly as they appear in the
 * capture; saved dissections and exports that include this field carry
 * password-derived material and should be handled like credentials. */
1045 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1046 packet_info *pinfo, proto_tree *parent_tree,
1049 proto_item *item=NULL;
1050 proto_tree *tree=NULL;
1053 di=pinfo->private_data;
1054 if(di->conformant_run){
1055 /*just a run to handle conformant arrays, nothing to dissect.*/
1060 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
1061 "LM_OWF_PASSWORD:");
1062 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
1065 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
1073 * IDL typedef struct {
1074 * IDL char password[16];
1075 * IDL } NT_OWF_PASSWORD;
/* Dissect an NT_OWF_PASSWORD: a fixed 16-byte value shown in its own
 * "NT_OWF_PASSWORD:" subtree as hf_netlogon_nt_owf_password. Nothing is
 * dissected on a conformant run.
 * NOTE(review): the 16 bytes are rendered exactly as they appear in the
 * capture; saved dissections and exports that include this field carry
 * password-derived material and should be handled like credentials. */
1078 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1079 packet_info *pinfo, proto_tree *parent_tree,
1082 proto_item *item=NULL;
1083 proto_tree *tree=NULL;
1086 di=pinfo->private_data;
1087 if(di->conformant_run){
1088 /*just a run to handle conformant arrays, nothing to dissect.*/
1093 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
1094 "NT_OWF_PASSWORD:");
1095 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
1098 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
1107 * IDL typedef struct {
1108 * IDL LOGON_IDENTITY_INFO identity_info;
1109 * IDL LM_OWF_PASSWORD lmpassword;
1110 * IDL NT_OWF_PASSWORD ntpassword;
1111 * IDL } INTERACTIVE_INFO;
/* Dissect an INTERACTIVE_INFO structure by chaining three sub-dissectors in
 * IDL order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD. */
1114 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
1115 packet_info *pinfo, proto_tree *tree,
1118 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1121 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1124 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1131 * IDL typedef struct {
/* Dissect a CHALLENGE: a fixed 8-byte value added as
 * hf_netlogon_challenge. Nothing is dissected on a conformant run. */
1136 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
1137 packet_info *pinfo, proto_tree *tree,
1142 di=pinfo->private_data;
1143 if(di->conformant_run){
1144 /*just a run to handle conformant arrays, nothing to dissect.*/
1148 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
1156 * IDL typedef struct {
1157 * IDL LOGON_IDENTITY_INFO logon_info;
1158 * IDL CHALLENGE chal;
1159 * IDL STRING ntchallengeresponse;
1160 * IDL STRING lmchallengeresponse;
1161 * IDL } NETWORK_INFO;
// Callback for a counted byte array holding an NT challenge response: rounds
// start_offset up to a multiple of 4, renders the bytes between start_offset
// and end_offset with tvb_bytes_to_str, appends that text to item and to its
// parents, then hands the same range to dissect_ntlmv2_response.
// NOTE(review): the "/ * ... * /" comment markers in the body suggest this
// function sits inside an enclosing comment block whose boundaries are not
// visible here - confirm before treating it as live code.
// NOTE(review): len = end_offset - start_offset is computed after the
// alignment bump with no visible check that it is still positive, and the
// statements that follow item->parent show no NULL test; if this code is
// re-enabled, validate len and item before they are used.
// NOTE(review): item is tagged _U_ in the signature but is used in the body.
1164 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
1165 proto_item *item _U_, tvbuff_t *tvb,
1166 int start_offset, int end_offset,
1167 void *callback_args )
1170 gint options = GPOINTER_TO_INT(callback_args);
1171 gint levels = CB_STR_ITEM_LEVELS(options);
1175 / * Skip over 3 guint32's in NDR format * /
1177 if (start_offset % 4)
1178 start_offset += 4 - (start_offset % 4);
1181 len = end_offset - start_offset;
1183 s = tvb_bytes_to_str(
1184 tvb, start_offset , len );
1186 / * Append string to upper-level proto_items * /
1188 if (levels > 0 && item && s && s[0]) {
1189 proto_item_append_text(item, ": %s", s);
1190 item = item->parent;
1193 proto_item_append_text(item, ": %s", s);
1194 item = item->parent;
1196 while (levels > 0) {
1197 proto_item_append_text(item, " %s", s);
1198 item = item->parent;
1203 / * Call ntlmv2 response dissector * /
1206 dissect_ntlmv2_response(tvb, tree, start_offset, len);
/* Dissect a NETWORK_INFO structure: LOGON_IDENTITY_INFO, the CHALLENGE, then
 * two challenge-response blobs via dissect_ndr_lm_nt_hash_helper. The block
 * also carries older, commented-out variants of the response dissection.
 * NOTE(review): which of the remaining calls are live cannot be determined
 * from the visible lines, because some comment delimiters are not shown. */
1210 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
1211 packet_info *pinfo, proto_tree *tree,
1215 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1217 offset = netlogon_dissect_CHALLENGE(tvb, offset,
1220 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1221 NDR_POINTER_UNIQUE, "NT ",
1222 hf_netlogon_nt_owf_password, 0);
1223 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1224 hf_netlogon_data_length, NULL);*/
/* NOTE(review): both helper calls below pass hf_netlogon_lm_chal_resp, while
 * the IDL lists ntchallengeresponse before lmchallengeresponse. The first
 * call presumably should use hf_netlogon_nt_chal_resp (the field named in
 * the commented-out code further down) - confirm; as written both blobs are
 * labelled as the LM response, which misleads anyone filtering on the NT
 * response field. */
1225 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, drep, hf_netlogon_lm_chal_resp, 0,TRUE);
1226 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, drep, hf_netlogon_lm_chal_resp, 0,TRUE);
1227 /* Not really sure that it really works with NTLM v2 ....*/
1229 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1232 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1236 /*offset = dissect_ndr_counted_byte_array_cb(
1237 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
1238 dissect_nt_chal_resp_cb,GINT_TO_POINTER(2));
1239 hf_netlogon_nt_chal_resp, 0);
1241 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
1242 hf_netlogon_lm_chal_resp, 0);
1249 * IDL typedef struct {
1250 * IDL LOGON_IDENTITY_INFO logon_info;
1251 * IDL LM_OWF_PASSWORD lmpassword;
1252 * IDL NT_OWF_PASSWORD ntpassword;
1253 * IDL } SERVICE_INFO;
/* Dissect a SERVICE_INFO structure by chaining three sub-dissectors in IDL
 * order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD. The sequence
 * is the same one netlogon_dissect_INTERACTIVE_INFO uses. */
1256 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
1257 packet_info *pinfo, proto_tree *tree,
1260 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1263 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1266 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
/* Dissect a GENERIC_INFO structure: LOGON_IDENTITY_INFO, the package name
 * (passed with CB_STR_SAVE), a 32-bit data length, and a reference pointer
 * to a byte array dissected by netlogon_dissect_BYTE_array.
 * NOTE(review): dcv is assigned from di->call_data but no use of it appears
 * in the visible lines - confirm it is needed.
 * NOTE(review): the data length is dissected for display only (NULL
 * out-pointer); the byte array's extent is determined separately by the
 * array helper, so the two wire values are not cross-checked here. */
1272 netlogon_dissect_GENERIC_INFO(tvbuff_t *tvb, int offset,
1273 packet_info *pinfo, proto_tree *tree,
1277 dcerpc_call_value *dcv;
1278 di=pinfo->private_data;
1279 dcv = (dcerpc_call_value *)di->call_data;
1281 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1284 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1285 hf_netlogon_package_name, 0|CB_STR_SAVE);
1287 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1288 hf_netlogon_data_length, NULL);
1290 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1291 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
1296 * IDL typedef [switch_type(short)] union {
1297 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
1298 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
1299 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
/* Dissect the LEVEL union: a 16-bit discriminant is read into level, then
 * one unique pointer is dissected with the sub-dissector for that level
 * (INTERACTIVE, NETWORK, SERVICE or GENERIC info, plus the *_TRANSITIVE
 * variants, which reuse the INTERACTIVE/NETWORK/SERVICE dissectors).
 * NOTE(review): the statements that select among the calls below are not
 * among the visible lines; the IDL above documents cases 1-3 only, so the
 * values used for the generic and transitive arms, and the handling of an
 * unrecognised level taken from the packet, need confirming there. */
1303 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
1304 packet_info *pinfo, proto_tree *tree,
1309 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1310 hf_netlogon_level16, &level);
1314 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1315 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
1316 "INTERACTIVE_INFO:", -1);
1319 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1320 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
1321 "NETWORK_INFO:", -1);
1324 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1325 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
1326 "SERVICE_INFO:", -1);
1328 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1329 netlogon_dissect_GENERIC_INFO, NDR_POINTER_UNIQUE,
1330 "GENERIC_INFO:", -1);
1333 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1334 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
1335 "INTERACTIVE_TRANSITIVE_INFO:", -1);
1338 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1339 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
1340 "NETWORK_TRANSITIVE_INFO", -1);
1343 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1344 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
1345 "SERVICE_TRANSITIVE_INFO", -1);
1352 * IDL typedef struct {
/* Dissect a CREDENTIAL: a fixed 8-byte value added as
 * hf_netlogon_credential. Nothing is dissected on a conformant run. */
1357 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
1358 packet_info *pinfo, proto_tree *tree,
1363 di=pinfo->private_data;
1364 if(di->conformant_run){
1365 /*just a run to handle conformant arrays, nothing to dissect.*/
1369 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
1378 * IDL typedef struct {
1379 * IDL CREDENTIAL cred;
1380 * IDL long timestamp;
1381 * IDL } AUTHENTICATOR;
/* Dissect an AUTHENTICATOR: the CREDENTIAL sub-structure followed by a
 * 4-byte timestamp added as hf_netlogon_timestamp. Nothing is dissected on
 * a conformant run.
 * NOTE(review): the timestamp is fetched with tvb_get_letohl, i.e. always
 * little-endian, whereas the other fields in this file go through
 * dissect_ndr_* helpers that are passed drep - confirm this is intended for
 * big-endian data representations. */
1384 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
1385 packet_info *pinfo, proto_tree *tree,
1391 di=pinfo->private_data;
1392 if(di->conformant_run){
1393 /*just a run to handle conformant arrays, nothing to dissect */
1397 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
1401 * XXX - this appears to be a UNIX time_t in some credentials, but
1402 * appears to be random junk in other credentials.
1403 * For example, it looks like a UNIX time_t in "credential"
1404 * AUTHENTICATORs, but like random junk in "return_authenticator"
1408 ts.secs = tvb_get_letohl(tvb, offset);
1410 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
/* Display strings for the three group-attribute bits. In each pair the
 * first string is the text for a set bit and the second for a clear bit. */
1417 static const true_false_string group_attrs_mandatory = {
1418 "The MANDATORY bit is SET",
1419 "The mandatory bit is NOT set",
1421 static const true_false_string group_attrs_enabled_by_default = {
1422 "The ENABLED_BY_DEFAULT bit is SET",
1423 "The enabled_by_default bit is NOT set",
1425 static const true_false_string group_attrs_enabled = {
1426 "The enabled bit is SET",
1427 "The enabled bit is NOT set",
/* Dissect the 32-bit group-membership attribute mask. The value is read
 * into mask with NULL in the tree position (so presumably the helper adds
 * no item itself); the mask is then added under parent_tree over the 4
 * bytes just consumed (offset-4) and broken out into the enabled,
 * enabled_by_default and mandatory bits in a subtree. Nothing is dissected
 * on a conformant run. */
1430 netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
1431 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
1434 proto_item *item = NULL;
1435 proto_tree *tree = NULL;
1438 di=pinfo->private_data;
1439 if(di->conformant_run){
1440 /*just a run to handle conformant arrays, nothing to dissect */
1444 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1445 hf_netlogon_attrs, &mask);
1448 item = proto_tree_add_uint(parent_tree, hf_netlogon_attrs,
1449 tvb, offset-4, 4, mask);
1450 tree = proto_item_add_subtree(item, ett_group_attrs);
1453 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled,
1454 tvb, offset-4, 4, mask);
1455 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled_by_default,
1456 tvb, offset-4, 4, mask);
1457 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_mandatory,
1458 tvb, offset-4, 4, mask);
1464 * IDL typedef struct {
1466 * IDL long attributes;
1467 * IDL } GROUP_MEMBERSHIP;
/* Dissect one GROUP_MEMBERSHIP entry in its own "GROUP_MEMBERSHIP:"
 * subtree: the 32-bit group RID followed by the attribute mask, which is
 * handled by netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES. */
1470 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1471 packet_info *pinfo, proto_tree *parent_tree,
1474 proto_item *item=NULL;
1475 proto_tree *tree=NULL;
1478 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1479 "GROUP_MEMBERSHIP:");
1480 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
1483 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1484 hf_netlogon_group_rid, NULL);
1486 offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
/* Dissect an array of GROUP_MEMBERSHIP entries by handing
 * netlogon_dissect_GROUP_MEMBERSHIP to dissect_ndr_ucarray as the element
 * callback.
 * NOTE(review): the element count is handled inside dissect_ndr_ucarray and
 * presumably comes from the packet; it is not compared here with the group
 * count field the callers dissect separately. */
1493 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1494 packet_info *pinfo, proto_tree *tree,
1497 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1498 netlogon_dissect_GROUP_MEMBERSHIP);
1504 * IDL typedef struct {
1505 * IDL char user_session_key[16];
1506 * IDL } USER_SESSION_KEY;
/* Dissect a USER_SESSION_KEY: a fixed 16-byte value added as
 * hf_netlogon_user_session_key. Nothing is dissected on a conformant run.
 * NOTE(review): the key bytes are rendered exactly as they appear in the
 * capture; saved dissections and exports that include this field carry key
 * material and should be handled accordingly. */
1509 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1510 packet_info *pinfo, proto_tree *tree,
1515 di=pinfo->private_data;
1516 if(di->conformant_run){
1517 /*just a run to handle conformant arrays, nothing to dissect.*/
1521 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
/* Display strings for the two user-flag bits. In each pair the first string
 * is the text for a set bit and the second for a clear bit. */
1530 static const true_false_string user_flags_extra_sids= {
1531 "The EXTRA_SIDS bit is SET",
1532 "The extra_sids is NOT set",
1534 static const true_false_string user_flags_resource_groups= {
1535 "The RESOURCE_GROUPS bit is SET",
1536 "The resource_groups is NOT set",
/* Dissect the 32-bit user-flags mask. The value is read into mask with NULL
 * in the tree position (so presumably the helper adds no item itself); the
 * mask is then added under parent_tree over the 4 bytes just consumed
 * (offset-4) and broken out into the resource_groups and extra_sids bits in
 * a subtree. Nothing is dissected on a conformant run. */
1539 netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1540 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
1543 proto_item *item = NULL;
1544 proto_tree *tree = NULL;
1547 di=pinfo->private_data;
1548 if(di->conformant_run){
1549 /*just a run to handle conformant arrays, nothing to dissect */
1553 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1554 hf_netlogon_user_flags, &mask);
1557 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_flags,
1558 tvb, offset-4, 4, mask);
1559 tree = proto_item_add_subtree(item, ett_user_flags);
1562 proto_tree_add_boolean(tree, hf_netlogon_user_flags_resource_groups,
1563 tvb, offset-4, 4, mask);
1564 proto_tree_add_boolean(tree, hf_netlogon_user_flags_extra_sids,
1565 tvb, offset-4, 4, mask);
1571 * IDL typedef struct {
1572 * IDL uint64 LogonTime;
1573 * IDL uint64 LogoffTime;
1574 * IDL uint64 KickOffTime;
1575 * IDL uint64 PasswdLastSet;
1576 * IDL uint64 PasswdCanChange;
1577 * IDL uint64 PasswdMustChange;
1578 * IDL unicodestring effectivename;
1579 * IDL unicodestring fullname;
1580 * IDL unicodestring logonscript;
1581 * IDL unicodestring profilepath;
1582 * IDL unicodestring homedirectory;
1583 * IDL unicodestring homedirectorydrive;
1584 * IDL short LogonCount;
1585 * IDL short BadPasswdCount;
1587 * IDL long primarygroup;
1588 * IDL long groupcount;
1589 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1590 * IDL long userflags;
1591 * IDL USER_SESSION_KEY key;
1592 * IDL unicodestring logonserver;
1593 * IDL unicodestring domainname;
1594 * IDL [unique] SID logondomainid;
1595 * IDL long expansionroom[2];
1596 * IDL long useraccountcontrol;
1597 * IDL long expansionroom[7];
1598 * IDL } VALIDATION_SAM_INFO;
/* Dissect a VALIDATION_SAM_INFO structure in IDL order: six NTTIME values,
 * six counted strings (account, full name, logon script, profile path, home
 * directory, directory drive), the 16-bit logon and bad-password counts,
 * user RID, primary group RID, group count and the GROUP_MEMBERSHIP array,
 * user flags, the user session key, logon server and domain strings, the
 * logon domain SID, two expansion words, the user account control word and
 * seven further expansion words. This function is also the common prefix
 * called by the VALIDATION_SAM_INFO2 and PAC_LOGON_INFO dissectors. */
1601 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1602 packet_info *pinfo, proto_tree *tree,
1606 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1607 hf_netlogon_logon_time);
1609 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1610 hf_netlogon_logoff_time);
1612 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1613 hf_netlogon_kickoff_time);
1615 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1616 hf_netlogon_pwd_last_set_time);
1618 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1619 hf_netlogon_pwd_can_change_time);
1621 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1622 hf_netlogon_pwd_must_change_time);
1624 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1625 hf_netlogon_acct_name, 0);
1627 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1628 hf_netlogon_full_name, 0);
1630 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1631 hf_netlogon_logon_script, 0);
1633 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1634 hf_netlogon_profile_path, 0);
1636 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1637 hf_netlogon_home_dir, 0);
1639 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1640 hf_netlogon_dir_drive, 0);
1642 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1643 hf_netlogon_logon_count16, NULL);
1645 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1646 hf_netlogon_bad_pw_count16, NULL);
1648 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1649 hf_netlogon_user_rid, NULL);
1651 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1652 hf_netlogon_group_rid, NULL);
/* The group count is shown but not captured (NULL out-pointer); the array
 * helper determines how many GROUP_MEMBERSHIP entries it walks. */
1654 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1655 hf_netlogon_num_rids, NULL);
1657 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1658 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1659 "GROUP_MEMBERSHIP_ARRAY", -1);
1661 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1664 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1667 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1668 hf_netlogon_logon_srv, 0);
1670 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1671 hf_netlogon_logon_dom, 0);
1673 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
/* expansionroom[2], then useraccountcontrol, then expansionroom[7] per the
 * IDL above. */
1675 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1676 hf_netlogon_dummy1_long, NULL);
1678 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1679 hf_netlogon_dummy2_long, NULL);
1681 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1684 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1685 hf_netlogon_dummy4_long, NULL);
1687 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1688 hf_netlogon_dummy5_long, NULL);
1690 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1691 hf_netlogon_dummy6_long, NULL);
1693 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1694 hf_netlogon_dummy7_long, NULL);
1696 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1697 hf_netlogon_dummy8_long, NULL);
1699 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1700 hf_netlogon_dummy9_long, NULL);
1702 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1703 hf_netlogon_dummy10_long, NULL);
1711 * IDL typedef struct {
1712 * IDL uint64 LogonTime;
1713 * IDL uint64 LogoffTime;
1714 * IDL uint64 KickOffTime;
1715 * IDL uint64 PasswdLastSet;
1716 * IDL uint64 PasswdCanChange;
1717 * IDL uint64 PasswdMustChange;
1718 * IDL unicodestring effectivename;
1719 * IDL unicodestring fullname;
1720 * IDL unicodestring logonscript;
1721 * IDL unicodestring profilepath;
1722 * IDL unicodestring homedirectory;
1723 * IDL unicodestring homedirectorydrive;
1724 * IDL short LogonCount;
1725 * IDL short BadPasswdCount;
1727 * IDL long primarygroup;
1728 * IDL long groupcount;
1729 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1730 * IDL long userflags;
1731 * IDL USER_SESSION_KEY key;
1732 * IDL unicodestring logonserver;
1733 * IDL unicodestring domainname;
1734 * IDL [unique] SID logondomainid;
1735 * IDL long expansionroom[2];
1736 * IDL long useraccountcontrol;
1737 * IDL long expansionroom[7];
1738 * IDL long sidcount;
1739 * IDL [unique] SID_AND_ATTRIBS;
1740 * IDL } VALIDATION_SAM_INFO2;
/* Dissect a VALIDATION_SAM_INFO2 structure: the VALIDATION_SAM_INFO prefix
 * (delegated to netlogon_dissect_VALIDATION_SAM_INFO), then the extra SID
 * count and a unique pointer to the SID_AND_ATTRIBUTES array.
 * NOTE(review): the run of calls between the delegation and the
 * hf_netlogon_num_sid read repeats the VALIDATION_SAM_INFO fields. If it
 * were live the prefix would be consumed twice, so presumably it is
 * compiled out by preprocessor lines not visible here - confirm. */
1743 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1744 packet_info *pinfo, proto_tree *tree,
1747 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,drep);
1751 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1752 hf_netlogon_logon_time);
1754 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1755 hf_netlogon_logoff_time);
1757 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1758 hf_netlogon_kickoff_time);
1760 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1761 hf_netlogon_pwd_last_set_time);
1763 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1764 hf_netlogon_pwd_can_change_time);
1766 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1767 hf_netlogon_pwd_must_change_time);
1769 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1770 hf_netlogon_acct_name, 0);
1772 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1773 hf_netlogon_full_name, 0);
1775 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1776 hf_netlogon_logon_script, 0);
1778 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1779 hf_netlogon_profile_path, 0);
1781 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1782 hf_netlogon_home_dir, 0);
1784 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1785 hf_netlogon_dir_drive, 0);
1787 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1788 hf_netlogon_logon_count16, NULL);
1790 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1791 hf_netlogon_bad_pw_count16, NULL);
1793 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1794 hf_netlogon_user_rid, NULL);
1796 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1797 hf_netlogon_group_rid, NULL);
1799 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1800 hf_netlogon_num_rids, NULL);
1802 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1803 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1804 "GROUP_MEMBERSHIP_ARRAY", -1);
1806 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1809 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1812 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1813 hf_netlogon_logon_srv, 0);
1815 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1816 hf_netlogon_logon_dom, 0);
1818 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
1821 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1822 hf_netlogon_unknown_long, NULL);
1824 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1828 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1829 hf_netlogon_unknown_long, NULL);
/* Fields specific to VALIDATION_SAM_INFO2: sidcount and the SID array. */
1832 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1833 hf_netlogon_num_sid, NULL);
1835 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1836 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1837 "SID_AND_ATTRIBUTES_ARRAY:", -1);
/* Dissect a VALIDATION_SAM_INFO4 structure: the VALIDATION_SAM_INFO2 prefix
 * (delegated to netlogon_dissect_VALIDATION_SAM_INFO2), then the DNS logon
 * domain name, the UPN and ten further counted strings registered as
 * dummy_string .. dummy_string10. */
1844 netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
1845 packet_info *pinfo, proto_tree *tree,
1848 offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb,offset,pinfo,tree,drep);
1850 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1851 hf_netlogon_logon_dnslogondomainname, 0);
1853 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1854 hf_netlogon_logon_upn, 0);
1856 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1857 hf_netlogon_dummy_string, 0);
1859 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1860 hf_netlogon_dummy_string2, 0);
1862 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1863 hf_netlogon_dummy_string3, 0);
1865 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1866 hf_netlogon_dummy_string4, 0);
1868 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1869 hf_netlogon_dummy_string5, 0);
1871 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1872 hf_netlogon_dummy_string6, 0);
1874 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1875 hf_netlogon_dummy_string7, 0);
1877 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1878 hf_netlogon_dummy_string8, 0);
1880 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1881 hf_netlogon_dummy_string9, 0);
1883 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1884 hf_netlogon_dummy_string10, 0);
1888 * IDL typedef struct {
1889 * IDL uint64 LogonTime;
1890 * IDL uint64 LogoffTime;
1891 * IDL uint64 KickOffTime;
1892 * IDL uint64 PasswdLastSet;
1893 * IDL uint64 PasswdCanChange;
1894 * IDL uint64 PasswdMustChange;
1895 * IDL unicodestring effectivename;
1896 * IDL unicodestring fullname;
1897 * IDL unicodestring logonscript;
1898 * IDL unicodestring profilepath;
1899 * IDL unicodestring homedirectory;
1900 * IDL unicodestring homedirectorydrive;
1901 * IDL short LogonCount;
1902 * IDL short BadPasswdCount;
1904 * IDL long primarygroup;
1905 * IDL long groupcount;
1906 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1907 * IDL long userflags;
1908 * IDL USER_SESSION_KEY key;
1909 * IDL unicodestring logonserver;
1910 * IDL unicodestring domainname;
1911 * IDL [unique] SID logondomainid;
1912 * IDL long expansionroom[2];
1913 * IDL long useraccountcontrol;
1914 * IDL long expansionroom[7];
1915 * IDL long sidcount;
1916 * IDL [unique] SID_AND_ATTRIBS;
1917 * IDL [unique] SID resourcegroupdomainsid;
1918 * IDL long resourcegroupcount;
1920 * IDL } PAC_LOGON_INFO;
/* Dissect a PAC_LOGON_INFO structure: the VALIDATION_SAM_INFO prefix
 * (delegated to netlogon_dissect_VALIDATION_SAM_INFO), the extra SID count
 * and SID_AND_ATTRIBUTES array, the resource-group domain SID, the
 * resource-group count (captured into rgc) and the resource-group
 * GROUP_MEMBERSHIP array.
 * NOTE(review): the run of calls between the delegation and the
 * hf_netlogon_num_sid read repeats the VALIDATION_SAM_INFO fields. If it
 * were live the prefix would be consumed twice, so presumably it is
 * compiled out by preprocessor lines not visible here - confirm.
 * NOTE(review): no use of rgc appears in the visible lines; the array
 * helper determines the number of entries it walks. */
1923 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1924 packet_info *pinfo, proto_tree *tree,
1928 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,drep);
1931 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1932 hf_netlogon_logon_time);
1934 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1935 hf_netlogon_logoff_time);
1937 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1938 hf_netlogon_kickoff_time);
1940 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1941 hf_netlogon_pwd_last_set_time);
1943 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1944 hf_netlogon_pwd_can_change_time);
1946 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1947 hf_netlogon_pwd_must_change_time);
1949 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1950 hf_netlogon_acct_name, 0);
1952 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1953 hf_netlogon_full_name, 0);
1955 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1956 hf_netlogon_logon_script, 0);
1958 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1959 hf_netlogon_profile_path, 0);
1961 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1962 hf_netlogon_home_dir, 0);
1964 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1965 hf_netlogon_dir_drive, 0);
1967 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1968 hf_netlogon_logon_count16, NULL);
1970 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1971 hf_netlogon_bad_pw_count16, NULL);
1973 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1974 hf_netlogon_user_rid, NULL);
1976 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1977 hf_netlogon_group_rid, NULL);
1979 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1980 hf_netlogon_num_rids, NULL);
1982 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1983 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1984 "GROUP_MEMBERSHIP_ARRAY", -1);
1986 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1989 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1992 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1993 hf_netlogon_logon_srv, 0);
1995 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1996 hf_netlogon_logon_dom, 0);
1998 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
2001 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2002 hf_netlogon_unknown_long, NULL);
2004 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
2008 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2009 hf_netlogon_unknown_long, NULL);
2012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2013 hf_netlogon_num_sid, NULL);
2015 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2016 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
2017 "SID_AND_ATTRIBUTES_ARRAY:", -1);
/* Fields specific to PAC_LOGON_INFO: resource-group domain SID, count and
 * membership array. */
2020 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
2022 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2023 hf_netlogon_resourcegroupcount, &rgc);
2025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2026 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
2027 "ResourceGroupIDs", -1);
/* Dissect one constrained-delegation entry: a single counted string added
 * as hf_netlogon_unknown_string. Used as the element callback of
 * netlogon_dissect_CONSTRAINED_DELEGATION_array. */
2033 netlogon_dissect_CONSTRAINED_DELEGATION_name(tvbuff_t *tvb, int offset,
2034 packet_info *pinfo, proto_tree *tree,
2037 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2038 hf_netlogon_unknown_string, 0);
/* Dissect an array of constrained-delegation entries by handing
 * netlogon_dissect_CONSTRAINED_DELEGATION_name to dissect_ndr_ucarray as
 * the element callback. */
2044 netlogon_dissect_CONSTRAINED_DELEGATION_array(tvbuff_t *tvb, int offset,
2045 packet_info *pinfo, proto_tree *tree,
2048 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2049 netlogon_dissect_CONSTRAINED_DELEGATION_name);
/* Dissect a PAC constrained-delegation structure: a counted string, a
 * 32-bit value (both registered under "unknown" fields) and a unique
 * pointer to the array handled by
 * netlogon_dissect_CONSTRAINED_DELEGATION_array. The 32-bit value is shown
 * but not captured (NULL out-pointer). */
2055 netlogon_dissect_PAC_CONSTRAINED_DELEGATION(tvbuff_t *tvb, int offset,
2056 packet_info *pinfo, proto_tree *tree,
2059 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2060 hf_netlogon_unknown_string, 0);
2062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2063 hf_netlogon_unknown_long, NULL);
2065 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2066 netlogon_dissect_CONSTRAINED_DELEGATION_array, NDR_POINTER_UNIQUE,
/* Dissect a PAC blob: a 32-bit pac_size read from the packet, then pac_size
 * bytes added as hf_netlogon_pac_data. Nothing is dissected on a conformant
 * run.
 * NOTE(review): pac_size is taken straight from the wire and used as the
 * item length with no range check in the visible lines, so bounds
 * enforcement rests on proto_tree_add_item. That function takes a signed
 * length, so a wire value above G_MAXINT arrives as a negative length -
 * confirm how that is handled for this field type, and whether the check
 * still runs when tree is NULL.
 * NOTE(review): the statement advancing offset past the blob is not among
 * the visible lines; if it adds pac_size to the signed offset, validate the
 * value first (for example with tvb_ensure_bytes_exist) so an oversized
 * length cannot wrap offset. */
2073 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
2074 packet_info *pinfo, proto_tree *tree,
2080 di=pinfo->private_data;
2081 if(di->conformant_run){
2085 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2086 hf_netlogon_pac_size, &pac_size);
2088 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
/* Dissect an AUTH blob: a 32-bit auth_size read from the packet, then
 * auth_size bytes added as hf_netlogon_auth_data, after which offset is
 * advanced by auth_size. Nothing is dissected on a conformant run.
 * NOTE(review): auth_size is taken straight from the wire and is both
 * passed as the item length and added to the signed offset with no range
 * check in the visible lines. Bounds enforcement therefore rests on
 * proto_tree_add_item; confirm it still throws when tree is NULL, or call
 * tvb_ensure_bytes_exist(tvb, offset, auth_size) before advancing so an
 * oversized value cannot wrap offset and send later reads to an
 * unintended position. */
2096 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
2097 packet_info *pinfo, proto_tree *tree,
2103 di=pinfo->private_data;
2104 if(di->conformant_run){
2108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2109 hf_netlogon_auth_size, &auth_size);
2111 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
2113 offset += auth_size;
/* Dissects a generic validation structure: a 32-bit data length followed by a
 * ref pointer to a byte array labelled "Validation Data". The length is only
 * displayed (NULL out-pointer); the array is parsed by
 * netlogon_dissect_BYTE_array. */
2119 netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
2120 packet_info *pinfo, proto_tree *tree,
2123 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2124 hf_netlogon_data_length, NULL);
2126 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2127 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
2128 "Validation Data", -1);
2133 * IDL typedef struct {
2135 * IDL [unique][size_is(pac_size)] char *pac;
2136 * IDL UNICODESTRING logondomain;
2137 * IDL UNICODESTRING logonserver;
2138 * IDL UNICODESTRING principalname;
2139 * IDL long auth_size;
2140 * IDL [unique][size_is(auth_size)] char *auth;
2141 * IDL USER_SESSION_KEY user_session_key;
2142 * IDL long expansionroom[2];
2143 * IDL long useraccountcontrol;
2144 * IDL long expansionroom[7];
2145 * IDL UNICODESTRING dummy1;
2146 * IDL UNICODESTRING dummy2;
2147 * IDL UNICODESTRING dummy3;
2148 * IDL UNICODESTRING dummy4;
2149 * IDL } VALIDATION_PAC_INFO;
2151 /* Not used (anymore ?)
2153 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
2154 packet_info *pinfo, proto_tree *tree,
2159 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2160 hf_netlogon_pac_size, NULL);
2162 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2163 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
2165 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2166 hf_netlogon_logon_dom, 0);
2168 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2169 hf_netlogon_logon_srv, 0);
2171 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2172 hf_netlogon_principal, 0);
2174 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2175 hf_netlogon_auth_size, NULL);
2177 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2178 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
2180 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
2184 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2185 hf_netlogon_unknown_long, NULL);
2187 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
2191 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2192 hf_netlogon_unknown_long, NULL);
2195 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2196 hf_netlogon_dummy, 0);
2198 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2199 hf_netlogon_dummy, 0);
2201 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2202 hf_netlogon_dummy, 0);
2204 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2205 hf_netlogon_dummy, 0);
2211 * IDL typedef [switch_type(short)] union {
2212 * IDL [case(1)][unique] VALIDATION_UAS *uas;
2213 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
2214 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
2215 * IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
2216 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2217 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2218 * IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
/* Dissects the VALIDATION union: reads the 16-bit validation level into
 * `level`, then dissects one unique pointer per union arm. The switch/case
 * lines that select the arm are missing from this listing; the arms appear
 * here in the order UAS, SAM_INFO, SAM_INFO2, generic, generic2, SAM_INFO4.
 * Both generic arms ("VALIDATION_INFO:" and "VALIDATION_INFO2:") use
 * netlogon_dissect_VALIDATION_GENERIC_INFO2. */
2222 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
2223 packet_info *pinfo, proto_tree *tree,
2228 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2229 hf_netlogon_validation_level, &level);
2234 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2235 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
2236 "VALIDATION_UAS_INFO:", -1);
2239 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2240 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
2241 "VALIDATION_SAM_INFO:", -1);
2244 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2245 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
2246 "VALIDATION_SAM_INFO2:", -1);
2249 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2250 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
2251 "VALIDATION_INFO:", -1);
2254 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2255 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE,
2256 "VALIDATION_INFO2:", -1);
2259 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2260 netlogon_dissect_VALIDATION_SAM_INFO4, NDR_POINTER_UNIQUE,
2261 "VALIDATION_SAM_INFO4:", -1);
2267 * IDL long NetrLogonSamLogonWithFlags(
2268 * IDL [in][unique][string] wchar_t *ServerName,
2269 * IDL [in][unique][string] wchar_t *Workstation,
2270 * IDL [in][unique] AUTHENTICATOR *credential,
2271 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2272 * IDL [in] short LogonLevel,
2273 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2274 * IDL [in] short ValidationLevel,
2275 * IDL [out][ref] VALIDATION *validation,
2276 * IDL [out][ref] boolean Authoritative,
2277 * IDL [in][out] unsigned long ExtraFlags
/* Dissects a NetrLogonSamLogonWithFlags request in wire order: server handle,
 * computer name, the client credential and return authenticator (both unique
 * pointers), the 16-bit logon level, the LEVEL union (ref pointer), the
 * 16-bit validation level and finally the extra flags. */
2281 netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
2282 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2284 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2287 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2288 NDR_POINTER_UNIQUE, "Computer Name",
2289 hf_netlogon_computer_name, 0);
2291 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2292 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2293 "AUTHENTICATOR: credential", -1);
2295 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2296 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2297 "AUTHENTICATOR: return_authenticator", -1);
2299 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2300 hf_netlogon_level16, NULL);
2302 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2303 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2304 "LEVEL: LogonLevel", -1);
2306 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2307 hf_netlogon_validation_level, NULL);
2309 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, drep);
/* Dissects a NetrLogonSamLogonWithFlags reply: return authenticator (unique
 * pointer), the VALIDATION union (ref pointer; the rest of that call is on a
 * line missing from this listing), the 8-bit authoritative flag, the extra
 * flags and the NTSTATUS return code. */
2315 netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t *tvb, int offset,
2316 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2319 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2320 "AUTHENTICATOR: return_authenticator", -1);
2322 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2323 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
2326 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2327 hf_netlogon_authoritative, NULL);
2329 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, drep);
2331 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2332 hf_netlogon_rc, NULL);
2340 * IDL long NetrLogonSamLogon(
2341 * IDL [in][unique][string] wchar_t *ServerName,
2342 * IDL [in][unique][string] wchar_t *Workstation,
2343 * IDL [in][unique] AUTHENTICATOR *credential,
2344 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2345 * IDL [in] short LogonLevel,
2346 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2347 * IDL [in] short ValidationLevel,
2348 * IDL [out][ref] VALIDATION *validation,
2349 * IDL [out][ref] boolean Authoritative
/* Dissects a NetrLogonSamLogon request in wire order: server handle, computer
 * name, the client credential and return authenticator (both unique
 * pointers), the 16-bit logon level, the LEVEL union (ref pointer) and the
 * 16-bit validation level. Same layout as the WithFlags request minus the
 * trailing extra flags. */
2353 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
2354 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2356 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2359 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2360 NDR_POINTER_UNIQUE, "Computer Name",
2361 hf_netlogon_computer_name, 0);
2363 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2364 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2365 "AUTHENTICATOR: credential", -1);
2367 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2368 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2369 "AUTHENTICATOR: return_authenticator", -1);
2371 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2372 hf_netlogon_level16, NULL);
2374 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2375 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2376 "LEVEL: LogonLevel", -1);
2378 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2379 hf_netlogon_validation_level, NULL);
/* Dissects a NetrLogonSamLogon reply: return authenticator (unique pointer),
 * the VALIDATION union (ref pointer; the rest of that call is on a line
 * missing from this listing), the 8-bit authoritative flag and the NTSTATUS
 * return code. */
2385 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
2386 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2389 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2390 "AUTHENTICATOR: return_authenticator", -1);
2392 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2393 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
2396 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2397 hf_netlogon_authoritative, NULL);
2399 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2400 hf_netlogon_rc, NULL);
2407 * IDL long NetrLogonSamLogoff(
2408 * IDL [in][unique][string] wchar_t *ServerName,
2409 * IDL [in][unique][string] wchar_t *ComputerName,
2410 * IDL [in][unique] AUTHENTICATOR credential,
2411 * IDL [in][unique] AUTHENTICATOR return_authenticator,
2412 * IDL [in] short logon_level,
2413 * IDL [in][ref] LEVEL logoninformation
/* Dissects a NetrLogonSamLogoff request in wire order: server handle,
 * computer name, the client credential and return authenticator (both unique
 * pointers), the 16-bit logon level and the LEVEL union (ref pointer). */
2417 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
2418 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2420 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2423 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2424 NDR_POINTER_UNIQUE, "Computer Name",
2425 hf_netlogon_computer_name, 0);
2427 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2428 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2429 "AUTHENTICATOR: credential", -1);
2431 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2432 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2433 "AUTHENTICATOR: return_authenticator", -1);
2435 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2436 hf_netlogon_level16, NULL);
2438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2439 netlogon_dissect_LEVEL, NDR_POINTER_REF,
2440 "LEVEL: logoninformation", -1);
/* Dissects a NetrLogonSamLogoff reply: the return authenticator (unique
 * pointer) followed by the NTSTATUS return code. */
2445 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
2446 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2449 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2450 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
2451 "AUTHENTICATOR: return_authenticator", -1);
2453 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2454 hf_netlogon_rc, NULL);
/* Fills *key with the conversation endpoints taken from pinfo, for use as a
 * hash-table key. The first group of assignments stores the packet's source
 * address and port as the key's destination and the packet's destination
 * address as the key's source; the second group keeps the packet's own
 * direction. The branch condition is on a line missing from this listing;
 * presumably is_server selects the swapped form so that a reply maps to the
 * same key as its request (confirm against the full source). How `name` is
 * stored is not visible here; the existing comments say the caller must pass
 * a string that outlives the key. */
2459 static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key,char* name)
2462 key->dstport = pinfo->srcport;
2463 COPY_ADDRESS(&key->dst,&pinfo->src);
2464 COPY_ADDRESS(&key->src,&pinfo->dst);
2465 /* name has been durably allocated */
2469 COPY_ADDRESS(&key->dst,&pinfo->dst);
2470 COPY_ADDRESS(&key->src,&pinfo->src);
2471 key->dstport = pinfo->destport;
2472 /* name has been durably allocated */
2479 * IDL long NetrServerReqChallenge(
2480 * IDL [in][unique][string] wchar_t *ServerName,
2481 * IDL [in][ref][string] wchar_t *ComputerName,
2482 * IDL [in][ref] CREDENTIAL client_credential,
2483 * IDL [out][ref] CREDENTIAL server_credential
/* Dissects a NetrServerReqChallenge request and records its state for later
 * frames: the computer name and the 8-byte client challenge are stored in a
 * new netlogon_auth_vars, which is then inserted into (or appended to the
 * chain already present in) the netlogon_auths table and, as shown here, the
 * schannel_auths table. Several short lines (braces, else, declarations) are
 * missing from this listing, so the exact branch structure is not visible. */
2487 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
2488 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2490 /*int oldoffset = offset;*/
2492 netlogon_auth_vars *vars;
2493 netlogon_auth_vars *existing_vars;
2494 netlogon_auth_key *key = se_alloc(sizeof(netlogon_auth_key));
2495 guint8 tab[8] = { 0,0,0,0,0,0,0,0};
2496 dcerpc_info *di = (dcerpc_info *)pinfo->private_data;
/* NOTE(review): di->call_data is dereferenced below without a NULL check
 * visible in this listing. */
2497 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
2499 /* As we are not always keeping this it could be more intelligent to g_malloc it
2500 and if we decide to keep it then transform it into se_alloc */
2501 vars = se_alloc(sizeof(netlogon_auth_vars));
2502 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* The callback is asked (CB_STR_SAVE) to keep the decoded computer name;
 * the code below reads it back from dcv->private_data. */
2504 offset = dissect_ndr_pointer_cb(
2505 tvb, offset, pinfo, tree, drep,
2506 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
2507 "Computer Name", hf_netlogon_computer_name,
2508 cb_wstr_postprocess,
2509 GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1));
/* NOTE(review): dcv->private_data is passed to strlen() and se_strdup() with
 * no NULL check visible here. This runs on untrusted capture data; confirm
 * the callback always sets it (e.g. on a truncated or malformed request),
 * since strlen(NULL) would crash the dissector. */
2511 txt_len = strlen(dcv->private_data);
2512 debugprintf("1)Len %d offset %d txt %s\n",txt_len,offset,(char*)dcv->private_data);
2513 vars->client_name = se_strdup(dcv->private_data);
2514 debugprintf("2)Len %d offset %d txt %s\n",txt_len,offset,vars->client_name);
2516 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2517 hf_client_challenge,&vars->client_challenge);
/* Copies exactly 8 bytes into the 8-byte tab buffer declared above. */
2518 memcpy(tab,&vars->client_challenge,8);
/* Remember the frame that started this exchange; -1 marks "no successor yet". */
2520 vars->start = pinfo->fd->num;
2521 vars->next_start = -1;
/* Key built without a name: look up any earlier exchange between the same
 * endpoints, then either insert vars as the first entry or walk the chain
 * and link vars after the last entry that started no later than this frame. */
2524 generate_hash_key(pinfo,0,key,NULL);
2525 existing_vars = NULL;
2526 existing_vars = g_hash_table_lookup(netlogon_auths, key);
2527 if (!existing_vars) {
2528 g_hash_table_insert(netlogon_auths, key, vars);
2531 while(existing_vars->next != NULL && existing_vars->start <= vars->start) {
2532 existing_vars = existing_vars->next;
2534 if(existing_vars->next != NULL || existing_vars == vars) {
2535 debugprintf("It seems that I already record this vars %d\n",vars->start);
2538 existing_vars->next_start = pinfo->fd->num;
2539 existing_vars->next = vars;
2542 /* used by other rpc that use schannel ie lsa */
/* NOTE(review): as shown, the same `key` object that was handed to
 * netlogon_auths is filled in again here, now with the client name. A line
 * is missing from the listing just above; confirm against the full source
 * whether a fresh key is allocated or this section is compiled out. */
2544 generate_hash_key(pinfo,0,key,vars->client_name);
2545 existing_vars = NULL;
2546 existing_vars = g_hash_table_lookup(schannel_auths, key);
2549 g_hash_table_insert(schannel_auths, key, vars);
2553 while(existing_vars->next != NULL && existing_vars->start <= vars->start) {
2554 existing_vars = existing_vars->next;
2556 if(existing_vars->next != NULL || existing_vars == vars) {
2557 debugprintf("It seems that I already record this vars (schannel hash)%d\n",vars->start);
2560 existing_vars->next_start = pinfo->fd->num;
2561 existing_vars->next = vars;
/* Dissects a NetrServerReqChallenge reply: the 8-byte server challenge and
 * the NTSTATUS return code. It also looks up the state recorded by the
 * request (key built with is_server = 1 and no name), walks the chain to the
 * entry that covers this frame number, and stores the server challenge in
 * it. Brace and else lines are missing from this listing, so the exact
 * conditions around the two "not found" debug messages are not visible. */
2569 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
2570 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2572 netlogon_auth_vars *vars;
2573 netlogon_auth_key key;
2574 guint64 server_challenge;
/* The key lives on the stack here: it is used only for the lookup. */
2576 generate_hash_key(pinfo,1,&key,NULL);
2577 vars = g_hash_table_lookup(netlogon_auths,(gconstpointer*) &key);
2579 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2580 hf_server_challenge, &server_challenge);
2581 /*offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2582 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2583 "CREDENTIAL: server credential", -1);*/
2585 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2586 hf_netlogon_rc, NULL);
/* Skip chain entries whose successor started before this frame; the loop
 * body is on lines missing from this listing. */
2588 while(vars !=NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->fd->num )
2591 debugprintf("looping challenge reply... %d %d \n",vars->next_start,pinfo->fd->num);
2595 debugprintf("Something strange happened while searching for challenge_reply\n");
2599 vars->server_challenge = server_challenge;
2605 debugprintf("Vars not found in challenge reply\n");
/* Dissects the secure channel type: a single 16-bit value shown as
 * hf_netlogon_secure_channel_type. */
2613 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
2614 packet_info *pinfo, proto_tree *tree,
2617 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2618 hf_netlogon_secure_channel_type, NULL);
2625 * IDL long NetrServerAuthenticate(
2626 * IDL [in][unique][string] wchar_t *ServerName,
2627 * IDL [in][ref][string] wchar_t *UserName,
2628 * IDL [in] short secure_challenge_type,
2629 * IDL [in][ref][string] wchar_t *ComputerName,
2630 * IDL [in][ref] CREDENTIAL client_challenge,
2631 * IDL [out][ref] CREDENTIAL server_challenge
/* Dissects a NetrServerAuthenticate request in wire order: server handle,
 * user name, secure channel type, computer name and the client challenge
 * (CREDENTIAL, ref pointer). Both names are dissected with CB_STR_COL_INFO. */
2635 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
2636 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2638 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2641 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2642 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO);
2644 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2647 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2648 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO);
2650 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2651 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2652 "CREDENTIAL: client challenge", -1);
/* Dissects a NetrServerAuthenticate reply: the server challenge (CREDENTIAL,
 * ref pointer) followed by the NTSTATUS return code. */
2657 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
2658 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2660 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2661 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2662 "CREDENTIAL: server challenge", -1);
2664 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2665 hf_netlogon_rc, NULL);
2673 * IDL typedef struct {
2674 * IDL char encrypted_password[16];
2675 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/* Dissects an ENCRYPTED_LM_OWF_PASSWORD: adds a fixed 16-byte item
 * (hf_netlogon_encrypted_lm_owf_password) at the current offset. The length
 * is a constant, not a value read from the packet. Nothing is dissected on
 * the conformant run; the return and the offset advance are on lines missing
 * from this listing. */
2678 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
2679 packet_info *pinfo, proto_tree *tree,
2684 di=pinfo->private_data;
2685 if(di->conformant_run){
2686 /*just a run to handle conformant arrays, nothing to dissect.*/
2690 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
2698 * IDL long NetrServerPasswordSet(
2699 * IDL [in][unique][string] wchar_t *ServerName,
2700 * IDL [in][ref][string] wchar_t *UserName,
2701 * IDL [in] short secure_challenge_type,
2702 * IDL [in][ref][string] wchar_t *ComputerName,
2703 * IDL [in][ref] AUTHENTICATOR credential,
2704 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
2705 * IDL [out][ref] AUTHENTICATOR return_authenticator
/* Dissects a NetrServerPasswordSet request in wire order: server handle,
 * user name, secure channel type, computer name, the client authenticator
 * and the encrypted 16-byte LM OWF password (both ref pointers). */
2709 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
2710 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2712 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2715 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2716 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
2718 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
2721 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2722 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
2724 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2725 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2726 "AUTHENTICATOR: credential", -1);
2728 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2729 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
2730 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
/* Dissects a NetrServerPasswordSet reply: the return authenticator (ref
 * pointer) followed by the NTSTATUS return code. */
2735 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
2736 packet_info *pinfo, proto_tree *tree, guint8 *drep)
2738 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2739 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
2740 "AUTHENTICATOR: return_authenticator", -1);
2742 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
2743 hf_netlogon_rc, NULL);
2750 * IDL typedef struct {
2751 * IDL [unique][string] wchar_t *UserName;
2752 * IDL UNICODESTRING dummy1;
2753 * IDL UNICODESTRING dummy2;
2754 * IDL UNICODESTRING dummy3;
2755 * IDL UNICODESTRING dummy4;
2760 * IDL } DELTA_DELETE_USER;
/* Dissects a DELTA_DELETE_USER record: the account name (unique string
 * pointer), four placeholder counted strings (hf_netlogon_dummy) and four
 * reserved 32-bit values. */
2763 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
2764 packet_info *pinfo, proto_tree *tree,
2767 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2768 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
2770 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2771 hf_netlogon_dummy, 0);
2773 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2774 hf_netlogon_dummy, 0);
2776 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2777 hf_netlogon_dummy, 0);
2779 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2780 hf_netlogon_dummy, 0);
2782 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2783 hf_netlogon_reserved, NULL);
2785 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2786 hf_netlogon_reserved, NULL);
2788 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2789 hf_netlogon_reserved, NULL);
2791 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2792 hf_netlogon_reserved, NULL);
2799 * IDL typedef struct {
2800 * IDL bool SensitiveDataFlag;
2801 * IDL long DataLength;
2802 * IDL [unique][size_is(DataLength)] char *SensitiveData;
2803 * IDL } USER_PRIVATE_INFO;
/* Dissects the SensitiveData blob of USER_PRIVATE_INFO: reads a 32-bit
 * length into data_len (hf_netlogon_sensitive_data_len) and adds the blob as
 * hf_netlogon_sensitive_data. Nothing is dissected on the conformant run.
 *
 * NOTE(review): data_len comes from the packet; the length argument of the
 * proto_tree_add_item call and any offset advance are on lines missing from
 * this listing. If data_len is used for both, confirm the tvbuff bounds check
 * rejects an oversized value before the signed int offset is advanced. */
2806 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
2807 packet_info *pinfo, proto_tree *tree,
2813 di=pinfo->private_data;
2814 if(di->conformant_run){
2815 /*just a run to handle conformant arrays, nothing to dissect */
2819 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2820 hf_netlogon_sensitive_data_len, &data_len);
2822 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
/* Dissects a USER_PRIVATE_INFO structure: the 8-bit sensitive-data flag, the
 * 32-bit data length (display only, NULL out-pointer) and a unique pointer
 * to the blob, which netlogon_dissect_SENSITIVE_DATA parses. */
2829 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
2830 packet_info *pinfo, proto_tree *tree,
2833 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2834 hf_netlogon_sensitive_data_flag, NULL);
2836 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2837 hf_netlogon_sensitive_data_len, NULL);
2839 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2840 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
2841 "SENSITIVE_DATA", -1);
2847 lsarpc_dissect_sec_desc_buf(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep);
2850 * IDL typedef struct {
2851 * IDL UNICODESTRING UserName;
2852 * IDL UNICODESTRING FullName;
2854 * IDL long PrimaryGroupID;
2855 * IDL UNICODESTRING HomeDir;
2856 * IDL UNICODESTRING HomeDirDrive;
2857 * IDL UNICODESTRING LogonScript;
2858 * IDL UNICODESTRING Comment;
2859 * IDL UNICODESTRING Workstations;
2860 * IDL NTTIME LastLogon;
2861 * IDL NTTIME LastLogoff;
2862 * IDL LOGON_HOURS logonhours;
2863 * IDL short BadPwCount;
2864 * IDL short LogonCount;
2865 * IDL NTTIME PwLastSet;
2866 * IDL NTTIME AccountExpires;
2867 * IDL long AccountControl;
2868 * IDL LM_OWF_PASSWORD lmpw;
2869 * IDL NT_OWF_PASSWORD ntpw;
2870 * IDL bool NTPwPresent;
2871 * IDL bool LMPwPresent;
2872 * IDL bool PwExpired;
2873 * IDL UNICODESTRING UserComment;
2874 * IDL UNICODESTRING Parameters;
2875 * IDL short CountryCode;
2876 * IDL short CodePage;
2877 * IDL USER_PRIVATE_INFO user_private_info;
2878 * IDL long SecurityInformation;
2879 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2880 * IDL UNICODESTRING dummy1;
2881 * IDL UNICODESTRING dummy2;
2882 * IDL UNICODESTRING dummy3;
2883 * IDL UNICODESTRING dummy4;
/* Dissects a DELTA_USER record field by field, in the order of the IDL
 * struct: names and RIDs, home directory and script strings, logon/logoff
 * times, logon hours, counters, password timestamps, account control, the LM
 * and NT OWF password fields with their "present"/"expired" flags, comment
 * and parameter strings, country and code page, USER_PRIVATE_INFO, the
 * security descriptor, then four placeholder strings and four reserved
 * 32-bit values.
 *
 * This record carries the account's LM/NT OWF password fields and a
 * sensitive-data blob, so a capture containing it holds credential material
 * and should be stored and shared accordingly. */
2891 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
2892 packet_info *pinfo, proto_tree *tree,
2895 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2896 hf_netlogon_acct_name, 3);
2898 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2899 hf_netlogon_full_name, 0);
2901 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2902 hf_netlogon_user_rid, NULL);
2904 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2905 hf_netlogon_group_rid, NULL);
2907 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2908 hf_netlogon_home_dir, 0);
2910 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2911 hf_netlogon_dir_drive, 0);
2913 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2914 hf_netlogon_logon_script, 0);
2916 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2917 hf_netlogon_acct_desc, 0);
2919 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2920 hf_netlogon_workstations, 0);
2922 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2923 hf_netlogon_logon_time);
2925 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2926 hf_netlogon_logoff_time);
2928 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
2930 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2931 hf_netlogon_bad_pw_count16, NULL);
2933 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2934 hf_netlogon_logon_count16, NULL);
2936 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2937 hf_netlogon_pwd_last_set_time);
2939 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2940 hf_netlogon_acct_expiry_time);
2942 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
2944 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
2947 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
2950 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2951 hf_netlogon_nt_pwd_present, NULL);
2953 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2954 hf_netlogon_lm_pwd_present, NULL);
2956 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2957 hf_netlogon_pwd_expired, NULL);
2959 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2960 hf_netlogon_comment, 0);
2962 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2963 hf_netlogon_parameters, 0);
2965 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2966 hf_netlogon_country, NULL);
2968 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2969 hf_netlogon_codepage, NULL);
2971 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
2974 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2975 hf_netlogon_security_information, NULL);
2977 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
2979 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2980 hf_netlogon_dummy, 0);
2982 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2983 hf_netlogon_dummy, 0);
2985 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2986 hf_netlogon_dummy, 0);
2988 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2989 hf_netlogon_dummy, 0);
2991 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2992 hf_netlogon_reserved, NULL);
2994 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2995 hf_netlogon_reserved, NULL);
2997 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2998 hf_netlogon_reserved, NULL);
3000 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3001 hf_netlogon_reserved, NULL);
3008 * IDL typedef struct {
3009 * IDL UNICODESTRING DomainName;
3010 * IDL UNICODESTRING OEMInfo;
3011 * IDL NTTIME forcedlogoff;
3012 * IDL short minpasswdlen;
3013 * IDL short passwdhistorylen;
3014 * IDL NTTIME pwd_must_change_time;
3015 * IDL NTTIME pwd_can_change_time;
3016 * IDL NTTIME domain_modify_time;
3017 * IDL NTTIME domain_create_time;
3018 * IDL long SecurityInformation;
3019 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3020 * IDL UNICODESTRING dummy1;
3021 * IDL UNICODESTRING dummy2;
3022 * IDL UNICODESTRING dummy3;
3023 * IDL UNICODESTRING dummy4;
3028 * IDL } DELTA_DOMAIN;
/* Dissects a DELTA_DOMAIN record in the order of the IDL struct: domain name
 * and OEM info strings, forced-logoff time, minimum password length and
 * password history length, four further timestamps, security information,
 * the security descriptor, then four placeholder strings and four reserved
 * 32-bit values. */
3031 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
3032 packet_info *pinfo, proto_tree *tree,
3035 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3036 hf_netlogon_domain_name, 3);
3038 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3039 hf_netlogon_oem_info, 0);
3041 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3042 hf_netlogon_kickoff_time);
3044 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3045 hf_netlogon_minpasswdlen, NULL);
3047 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3048 hf_netlogon_passwdhistorylen, NULL);
3050 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3051 hf_netlogon_pwd_must_change_time);
3053 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3054 hf_netlogon_pwd_can_change_time);
3056 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3057 hf_netlogon_domain_modify_time);
3059 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3060 hf_netlogon_domain_create_time);
3062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3063 hf_netlogon_security_information, NULL);
3065 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
3067 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3068 hf_netlogon_dummy, 0);
3070 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3071 hf_netlogon_dummy, 0);
3073 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3074 hf_netlogon_dummy, 0);
3076 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3077 hf_netlogon_dummy, 0);
3079 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3080 hf_netlogon_reserved, NULL);
3082 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3083 hf_netlogon_reserved, NULL);
3085 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3086 hf_netlogon_reserved, NULL);
3088 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3089 hf_netlogon_reserved, NULL);
3096 * IDL typedef struct {
3097 * IDL UNICODESTRING groupname;
3098 * IDL GROUP_MEMBERSHIP group_membership;
3099 * IDL UNICODESTRING comment;
3100 * IDL long SecurityInformation;
3101 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3102 * IDL UNICODESTRING dummy1;
3103 * IDL UNICODESTRING dummy2;
3104 * IDL UNICODESTRING dummy3;
3105 * IDL UNICODESTRING dummy4;
3110 * IDL } DELTA_GROUP;
/* Dissects a DELTA_GROUP record in the order of the IDL struct: group name,
 * the embedded GROUP_MEMBERSHIP, the group description, security
 * information, the security descriptor, then four placeholder strings and
 * four reserved 32-bit values. */
3113 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
3114 packet_info *pinfo, proto_tree *tree,
3117 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3118 hf_netlogon_group_name, 3);
3120 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
3123 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3124 hf_netlogon_group_desc, 0);
3126 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3127 hf_netlogon_security_information, NULL);
3129 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
3131 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3132 hf_netlogon_dummy, 0);
3134 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3135 hf_netlogon_dummy, 0);
3137 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3138 hf_netlogon_dummy, 0);
3140 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3141 hf_netlogon_dummy, 0);
3143 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3144 hf_netlogon_reserved, NULL);
3146 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3147 hf_netlogon_reserved, NULL);
3149 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3150 hf_netlogon_reserved, NULL);
3152 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3153 hf_netlogon_reserved, NULL);
3160 * IDL typedef struct {
3161 * IDL UNICODESTRING OldName;
3162 * IDL UNICODESTRING NewName;
3163 * IDL UNICODESTRING dummy1;
3164 * IDL UNICODESTRING dummy2;
3165 * IDL UNICODESTRING dummy3;
3166 * IDL UNICODESTRING dummy4;
3171 * IDL } DELTA_RENAME;
/* Dissects a DELTA_RENAME record: two counted strings (OldName and NewName
 * per the IDL; the field arguments of those two calls are on lines missing
 * from this listing), four placeholder strings and four reserved 32-bit
 * values. di is fetched from pinfo->private_data; how it is used is not
 * visible here. */
3174 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
3175 packet_info *pinfo, proto_tree *tree,
3180 di=pinfo->private_data;
3182 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3185 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3188 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3189 hf_netlogon_dummy, 0);
3191 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3192 hf_netlogon_dummy, 0);
3194 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3195 hf_netlogon_dummy, 0);
3197 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3198 hf_netlogon_dummy, 0);
3200 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3201 hf_netlogon_reserved, NULL);
3203 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3204 hf_netlogon_reserved, NULL);
3206 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3207 hf_netlogon_reserved, NULL);
3209 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3210 hf_netlogon_reserved, NULL);
/* Dissects one RID: a single 32-bit value shown as hf_netlogon_user_rid.
 * Used as the per-element callback of netlogon_dissect_RID_array. */
3217 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
3218 packet_info *pinfo, proto_tree *tree,
3221 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3222 hf_netlogon_user_rid, NULL);
/* Hands the RID list to dissect_ndr_ucarray with netlogon_dissect_RID as
 * the per-element callback. No element count is read here; presumably the
 * NDR helper takes it from the array header in the packet and bounds it
 * against the captured data - confirm in the helper. */
3228 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
3229 packet_info *pinfo, proto_tree *tree,
3232 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3233 netlogon_dissect_RID);
/* Per-element callback used by netlogon_dissect_ATTRIB_array: dissects one
 * 32-bit value and adds it to the tree as hf_netlogon_attrs. */
3239 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
3240 packet_info *pinfo, proto_tree *tree,
3243 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3244 hf_netlogon_attrs, NULL);
/* Hands the attribute list to dissect_ndr_ucarray with
 * netlogon_dissect_ATTRIB as the per-element callback. */
3250 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
3251 packet_info *pinfo, proto_tree *tree,
3254 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3255 netlogon_dissect_ATTRIB);
3261 * IDL typedef struct {
3262 * IDL [unique][size_is(num_rids)] long *rids;
3263 * IDL [unique][size_is(num_rids)] long *attribs;
3264 * IDL long num_rids;
3269 * IDL } DELTA_GROUP_MEMBER;
/* Dissects a DELTA_GROUP_MEMBER: a unique pointer to the RID array, a
 * unique pointer to the attribute array, the num_rids count and four
 * reserved 32-bit values.
 * The num_rids value is only displayed (NULL is passed as the output
 * pointer), so it is not what sizes the two arrays in this function. */
3272 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
3273 packet_info *pinfo, proto_tree *tree,
3276 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3277 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
3280 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3281 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
3284 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3285 hf_netlogon_num_rids, NULL);
3287 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3288 hf_netlogon_reserved, NULL);
3290 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3291 hf_netlogon_reserved, NULL);
3293 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3294 hf_netlogon_reserved, NULL);
3296 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3297 hf_netlogon_reserved, NULL);
3304 * IDL typedef struct {
3305 * IDL UNICODESTRING alias_name;
3307 * IDL long SecurityInformation;
3308 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3309 * IDL UNICODESTRING dummy1;
3310 * IDL UNICODESTRING dummy2;
3311 * IDL UNICODESTRING dummy3;
3312 * IDL UNICODESTRING dummy4;
3317 * IDL } DELTA_ALIAS;
/* Dissects a DELTA_ALIAS: alias name (counted string), alias RID, the
 * SecurityInformation value, a security descriptor buffer handled by the
 * LSA dissector, four dummy counted strings and four reserved 32-bit
 * values. */
3320 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
3321 packet_info *pinfo, proto_tree *tree,
3324 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3325 hf_netlogon_alias_name, 0);
3327 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3328 hf_netlogon_alias_rid, NULL);
3330 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3331 hf_netlogon_security_information, NULL);
/* Security descriptor parsing is delegated to the LSA dissector. */
3333 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
3335 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3336 hf_netlogon_dummy, 0);
3338 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3339 hf_netlogon_dummy, 0);
3341 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3342 hf_netlogon_dummy, 0);
3344 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3345 hf_netlogon_dummy, 0);
3347 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3348 hf_netlogon_reserved, NULL);
3350 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3351 hf_netlogon_reserved, NULL);
3353 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3354 hf_netlogon_reserved, NULL);
3356 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3357 hf_netlogon_reserved, NULL);
3364 * IDL typedef struct {
3365 * IDL [unique] SID_ARRAY sids;
3370 * IDL } DELTA_ALIAS_MEMBER;
/* Dissects a DELTA_ALIAS_MEMBER: the member SID array (via
 * dissect_ndr_nt_PSID_ARRAY) followed by four reserved 32-bit values. */
3373 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
3374 packet_info *pinfo, proto_tree *tree,
3377 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
3379 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3380 hf_netlogon_reserved, NULL);
3382 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3383 hf_netlogon_reserved, NULL);
3385 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3386 hf_netlogon_reserved, NULL);
3388 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3389 hf_netlogon_reserved, NULL);
/* Per-element callback used by netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY:
 * dissects one 32-bit value as hf_netlogon_event_audit_option. */
3396 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
3397 packet_info *pinfo, proto_tree *tree,
3400 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3401 hf_netlogon_event_audit_option, NULL);
/* Hands the event audit option list to dissect_ndr_ucarray with
 * netlogon_dissect_EVENT_AUDIT_OPTION as the per-element callback. */
3407 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
3408 packet_info *pinfo, proto_tree *tree,
3411 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3412 netlogon_dissect_EVENT_AUDIT_OPTION);
3419 * IDL typedef struct {
3420 * IDL long pagedpoollimit;
3421 * IDL long nonpagedpoollimit;
3422 * IDL long minimumworkingsetsize;
3423 * IDL long maximumworkingsetsize;
3424 * IDL long pagefilelimit;
3425 * IDL NTTIME timelimit;
3426 * IDL } QUOTA_LIMITS;
/* Dissects a QUOTA_LIMITS structure under its own subtree
 * (ett_QUOTA_LIMITS): five 32-bit limits followed by an NTTIME time limit.
 * The subtree item is created with length 0 and resized at the end to the
 * number of bytes actually consumed (offset - old_offset). */
3429 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
3430 packet_info *pinfo, proto_tree *parent_tree,
3433 proto_item *item=NULL;
3434 proto_tree *tree=NULL;
3435 int old_offset=offset;
3438 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3440 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
3443 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3444 hf_netlogon_pagedpoollimit, NULL);
3446 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3447 hf_netlogon_nonpagedpoollimit, NULL);
3449 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3450 hf_netlogon_minworkingsetsize, NULL);
3452 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3453 hf_netlogon_maxworkingsetsize, NULL);
3455 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3456 hf_netlogon_pagefilelimit, NULL);
3458 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3459 hf_netlogon_timelimit);
3461 proto_item_set_len(item, offset-old_offset);
3467 * IDL typedef struct {
3468 * IDL long maxlogsize;
3469 * IDL NTTIME auditretentionperiod;
3470 * IDL bool auditingmode;
3471 * IDL long maxauditeventcount;
3472 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
3473 * IDL UNICODESTRING primarydomainname;
3474 * IDL [unique] SID *sid;
3475 * IDL QUOTA_LIMITS quota_limits;
3476 * IDL NTTIME db_modify_time;
3477 * IDL NTTIME db_create_time;
3478 * IDL long SecurityInformation;
3479 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3480 * IDL UNICODESTRING dummy1;
3481 * IDL UNICODESTRING dummy2;
3482 * IDL UNICODESTRING dummy3;
3483 * IDL UNICODESTRING dummy4;
3488 * IDL } DELTA_POLICY;
/* Dissects a DELTA_POLICY in the field order of the IDL comment: audit log
 * settings, a unique pointer to the event audit options array, the primary
 * domain name, a SID, QUOTA_LIMITS, the database modify and create times,
 * SecurityInformation, a security descriptor buffer, four dummy counted
 * strings and four reserved 32-bit values.
 * The max audit event count is only displayed (NULL output pointer); this
 * function does not use it to size the options array. */
3491 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
3492 packet_info *pinfo, proto_tree *tree,
3495 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3496 hf_netlogon_max_log_size, NULL);
3498 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3499 hf_netlogon_audit_retention_period);
/* auditingmode is a single byte on the wire (IDL type bool). */
3501 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3502 hf_netlogon_auditing_mode, NULL);
3504 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3505 hf_netlogon_max_audit_event_count, NULL);
3507 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3508 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
3509 "Event Audit Options:", -1);
3511 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3512 hf_netlogon_domain_name, 0);
3514 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3516 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3519 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3520 hf_netlogon_db_modify_time);
3522 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3523 hf_netlogon_db_create_time);
3525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3526 hf_netlogon_security_information, NULL);
3528 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
3530 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3531 hf_netlogon_dummy, 0);
3533 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3534 hf_netlogon_dummy, 0);
3536 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3537 hf_netlogon_dummy, 0);
3539 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3540 hf_netlogon_dummy, 0);
3542 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3543 hf_netlogon_reserved, NULL);
3545 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3546 hf_netlogon_reserved, NULL);
3548 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3549 hf_netlogon_reserved, NULL);
3551 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3552 hf_netlogon_reserved, NULL);
/* Per-element callback used by netlogon_dissect_CONTROLLER_ARRAY:
 * dissects one counted string as hf_netlogon_dc_name. */
3559 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
3560 packet_info *pinfo, proto_tree *tree,
3563 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3564 hf_netlogon_dc_name, 0);
/* Hands the controller name list to dissect_ndr_ucarray with
 * netlogon_dissect_CONTROLLER as the per-element callback. */
3570 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
3571 packet_info *pinfo, proto_tree *tree,
3574 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3575 netlogon_dissect_CONTROLLER);
3582 * IDL typedef struct {
3583 * IDL UNICODESTRING DomainName;
3584 * IDL long num_controllers;
3585 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
3586 * IDL long SecurityInformation;
3587 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3588 * IDL UNICODESTRING dummy1;
3589 * IDL UNICODESTRING dummy2;
3590 * IDL UNICODESTRING dummy3;
3591 * IDL UNICODESTRING dummy4;
3596 * IDL } DELTA_TRUSTED_DOMAINS;
/* Dissects a DELTA_TRUSTED_DOMAINS: domain name, controller count, a
 * unique pointer to the controller name array, SecurityInformation, a
 * security descriptor buffer, four dummy counted strings and four reserved
 * 32-bit values.
 * num_controllers is only displayed (NULL output pointer); this function
 * does not use it to size the controller array. */
3599 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
3600 packet_info *pinfo, proto_tree *tree,
3603 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3604 hf_netlogon_domain_name, 0);
3606 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3607 hf_netlogon_num_controllers, NULL);
3609 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3610 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
3611 "Domain Controllers:", -1);
3613 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3614 hf_netlogon_security_information, NULL);
3616 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
3618 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3619 hf_netlogon_dummy, 0);
3621 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3622 hf_netlogon_dummy, 0);
3624 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3625 hf_netlogon_dummy, 0);
3627 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3628 hf_netlogon_dummy, 0);
3630 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3631 hf_netlogon_reserved, NULL);
3633 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3634 hf_netlogon_reserved, NULL);
3636 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3637 hf_netlogon_reserved, NULL);
3639 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3640 hf_netlogon_reserved, NULL);
/* Per-element callback used by netlogon_dissect_PRIV_ATTR_ARRAY: dissects
 * one 32-bit privilege attribute value as hf_netlogon_attrs. */
3647 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
3648 packet_info *pinfo, proto_tree *tree,
3651 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3652 hf_netlogon_attrs, NULL);
/* Hands the privilege attribute list to dissect_ndr_ucarray with
 * netlogon_dissect_PRIV_ATTR as the per-element callback. */
3658 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
3659 packet_info *pinfo, proto_tree *tree,
3662 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3663 netlogon_dissect_PRIV_ATTR);
/* Per-element callback used by netlogon_dissect_PRIV_NAME_ARRAY: dissects
 * one counted string as hf_netlogon_privilege_name.
 * NOTE(review): the final argument is 1 here, while the other counted
 * string calls in this section pass 0; its meaning is defined by
 * dissect_ndr_counted_string and is not visible in this file section. */
3669 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
3670 packet_info *pinfo, proto_tree *tree,
3673 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3674 hf_netlogon_privilege_name, 1);
/* Hands the privilege name list to dissect_ndr_ucarray with
 * netlogon_dissect_PRIV_NAME as the per-element callback. */
3680 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
3681 packet_info *pinfo, proto_tree *tree,
3684 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3685 netlogon_dissect_PRIV_NAME);
3693 * IDL typedef struct {
3694 * IDL long privilegeentries;
3695 * IDL long privilegecontrol;
3696 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
3697 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
3698 * IDL QUOTALIMITS quotalimits;
3699 * IDL long SecurityInformation;
3700 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3701 * IDL UNICODESTRING dummy1;
3702 * IDL UNICODESTRING dummy2;
3703 * IDL UNICODESTRING dummy3;
3704 * IDL UNICODESTRING dummy4;
3709 * IDL } DELTA_ACCOUNTS;
/* Dissects a DELTA_ACCOUNTS: privilege entry count, privilege control,
 * unique pointers to the privilege attribute and privilege name arrays,
 * QUOTA_LIMITS, system flags, SecurityInformation, a security descriptor
 * buffer, four dummy counted strings and four reserved 32-bit values.
 * NOTE(review): the system flags value dissected after QUOTA_LIMITS has no
 * matching member in the IDL comment above this function; one of the two
 * is out of date - confirm against the protocol definition.
 * The privilege entry count is only displayed (NULL output pointer); this
 * function does not use it to size either array. */
3712 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
3713 packet_info *pinfo, proto_tree *tree,
3716 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3717 hf_netlogon_privilege_entries, NULL);
3719 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3720 hf_netlogon_privilege_control, NULL);
3722 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3723 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
3724 "PRIV_ATTR_ARRAY:", -1);
3726 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3727 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
3728 "PRIV_NAME_ARRAY:", -1);
3730 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3733 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3734 hf_netlogon_systemflags, NULL);
3736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3737 hf_netlogon_security_information, NULL);
3739 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
3741 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3742 hf_netlogon_dummy, 0);
3744 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3745 hf_netlogon_dummy, 0);
3747 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3748 hf_netlogon_dummy, 0);
3750 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3751 hf_netlogon_dummy, 0);
3753 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3754 hf_netlogon_reserved, NULL);
3756 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3757 hf_netlogon_reserved, NULL);
3759 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3760 hf_netlogon_reserved, NULL);
3762 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3763 hf_netlogon_reserved, NULL);
3769 * IDL typedef struct {
3772 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
3773 * IDL } CIPHER_VALUE;
/* Dissects the referent of the CIPHER_VALUE data pointer: a maximum
 * length, then the actual length (captured in data_len), then the cipher
 * bytes, which are added to the tree under the field index carried in
 * di->hf_index. Nothing is dissected on a conformant run.
 * NOTE(review): data_len comes straight from the packet and is used as the
 * item length. No comparison against the maximum length or the remaining
 * buffer is visible in this listing (several lines of the function are
 * missing here), so this presumably relies on the tvbuff layer rejecting
 * an out-of-range length - confirm that no extra check is needed. */
3776 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
3777 packet_info *pinfo, proto_tree *tree,
3783 di=pinfo->private_data;
3784 if(di->conformant_run){
3785 /*just a run to handle conformant arrays, nothing to dissect */
3789 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3790 hf_netlogon_cipher_maxlen, NULL);
3795 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3796 hf_netlogon_cipher_len, &data_len);
/* Length of this item is the wire-supplied data_len. */
3798 proto_tree_add_item(tree, di->hf_index, tvb, offset,
/* Dissects a CIPHER_VALUE header under its own subtree (ett_CYPHER_VALUE):
 * the length, the maximum length and a unique pointer whose referent is
 * handled by netlogon_dissect_CIPHER_VALUE_DATA.
 * name and hf_index are supplied by the caller; the lines that consume
 * them are not visible in this listing. Presumably name labels the
 * subtree and hf_index is forwarded through dissect_ndr_pointer so the
 * data callback can read it from di->hf_index - confirm.
 * The two lengths here are display only (NULL output pointers). */
3805 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
3806 packet_info *pinfo, proto_tree *parent_tree,
3807 guint8 *drep, const char *name, int hf_index)
3809 proto_item *item=NULL;
3810 proto_tree *tree=NULL;
3811 int old_offset=offset;
3814 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3816 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
3819 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3820 hf_netlogon_cipher_len, NULL);
3822 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3823 hf_netlogon_cipher_maxlen, NULL);
3825 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3826 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
/* Resize the subtree item to the bytes consumed. */
3829 proto_item_set_len(item, offset-old_offset);
3834 * IDL typedef struct {
3835 * IDL CIPHER_VALUE current_cipher;
3836 * IDL NTTIME current_cipher_set_time;
3837 * IDL CIPHER_VALUE old_cipher;
3838 * IDL NTTIME old_cipher_set_time;
3839 * IDL long SecurityInformation;
3840 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3841 * IDL UNICODESTRING dummy1;
3842 * IDL UNICODESTRING dummy2;
3843 * IDL UNICODESTRING dummy3;
3844 * IDL UNICODESTRING dummy4;
3849 * IDL } DELTA_SECRET;
/* Dissects a DELTA_SECRET: the current cipher value and its set time, the
 * old cipher value and its set time, SecurityInformation, a security
 * descriptor buffer, four dummy counted strings and four reserved 32-bit
 * values.
 * The two cipher blobs are shown as-is under
 * hf_netlogon_cipher_current_data and hf_netlogon_cipher_old_data; this
 * function makes no attempt to decrypt them. */
3852 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
3853 packet_info *pinfo, proto_tree *tree,
3856 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3858 "CIPHER_VALUE: current cipher value",
3859 hf_netlogon_cipher_current_data);
3861 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3862 hf_netlogon_cipher_current_set_time);
3864 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3866 "CIPHER_VALUE: old cipher value",
3867 hf_netlogon_cipher_old_data);
3869 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3870 hf_netlogon_cipher_old_set_time);
3872 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3873 hf_netlogon_security_information, NULL);
3875 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, drep);
3877 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3878 hf_netlogon_dummy, 0);
3880 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3881 hf_netlogon_dummy, 0);
3883 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3884 hf_netlogon_dummy, 0);
3886 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3887 hf_netlogon_dummy, 0);
3889 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3890 hf_netlogon_reserved, NULL);
3892 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3893 hf_netlogon_reserved, NULL);
3895 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3896 hf_netlogon_reserved, NULL);
3898 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3899 hf_netlogon_reserved, NULL);
3905 * IDL typedef struct {
3906 * IDL long low_value;
3907 * IDL long high_value;
/* Dissects a MODIFIED_COUNT. The IDL comment describes it as two longs
 * (low_value, high_value); the code reads them with one
 * dissect_ndr_duint32 call and shows the result as
 * hf_netlogon_modify_count. */
3911 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
3912 packet_info *pinfo, proto_tree *tree,
3915 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, drep,
3916 hf_netlogon_modify_count, NULL);
/* Delta type codes carried in the delta_type field, numbered 1 to 22 to
 * match the case numbers of the DELTA_UNION IDL comment below. */
3922 #define DT_DELTA_DOMAIN 1
3923 #define DT_DELTA_GROUP 2
3924 #define DT_DELTA_DELETE_GROUP 3
3925 #define DT_DELTA_RENAME_GROUP 4
3926 #define DT_DELTA_USER 5
3927 #define DT_DELTA_DELETE_USER 6
3928 #define DT_DELTA_RENAME_USER 7
3929 #define DT_DELTA_GROUP_MEMBER 8
3930 #define DT_DELTA_ALIAS 9
3931 #define DT_DELTA_DELETE_ALIAS 10
3932 #define DT_DELTA_RENAME_ALIAS 11
3933 #define DT_DELTA_ALIAS_MEMBER 12
3934 #define DT_DELTA_POLICY 13
3935 #define DT_DELTA_TRUSTED_DOMAINS 14
3936 #define DT_DELTA_DELETE_TRUST 15
3937 #define DT_DELTA_ACCOUNTS 16
3938 #define DT_DELTA_DELETE_ACCOUNT 17
3939 #define DT_DELTA_SECRET 18
3940 #define DT_DELTA_DELETE_SECRET 19
3941 #define DT_DELTA_DELETE_GROUP2 20
3942 #define DT_DELTA_DELETE_USER2 21
3943 #define DT_MODIFIED_COUNT 22
/* Display names for the delta type codes; netlogon_dissect_DELTA_ENUM
 * looks values up here with val_to_str and falls back to Unknown.
 * The table terminator is not visible in this listing. */
3944 static const value_string delta_type_vals[] = {
3945 { DT_DELTA_DOMAIN, "Domain" },
3946 { DT_DELTA_GROUP, "Group" },
3947 { DT_DELTA_DELETE_GROUP, "Delete Group" },
3948 { DT_DELTA_RENAME_GROUP, "Rename Group" },
3949 { DT_DELTA_USER, "User" },
3950 { DT_DELTA_DELETE_USER, "Delete User" },
3951 { DT_DELTA_RENAME_USER, "Rename User" },
3952 { DT_DELTA_GROUP_MEMBER, "Group Member" },
3953 { DT_DELTA_ALIAS, "Alias" },
3954 { DT_DELTA_DELETE_ALIAS, "Delete Alias" },
3955 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
3956 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
3957 { DT_DELTA_POLICY, "Policy" },
3958 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
3959 { DT_DELTA_DELETE_TRUST, "Delete Trust" },
3960 { DT_DELTA_ACCOUNTS, "Accounts" },
3961 { DT_DELTA_DELETE_ACCOUNT, "Delete Account" },
3962 { DT_DELTA_SECRET, "Secret" },
3963 { DT_DELTA_DELETE_SECRET, "Delete Secret" },
3964 { DT_DELTA_DELETE_GROUP2, "Delete Group2" },
3965 { DT_DELTA_DELETE_USER2, "Delete User2" },
3966 { DT_MODIFIED_COUNT, "Modified Count" },
3970 * IDL typedef [switch_type(short)] union {
3971 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
3972 * IDL [case(2)][unique] DELTA_GROUP *group;
3973 * IDL [case(3)][unique] rid only ;
3974 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3975 * IDL [case(5)][unique] DELTA_USER *user;
3976 * IDL [case(6)][unique] rid only ;
3977 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
3978 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3979 * IDL [case(9)][unique] DELTA_ALIAS *alias;
3980 * IDL [case(10)][unique] rid only ;
3981 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
3982 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3983 * IDL [case(13)][unique] DELTA_POLICY *policy;
3984 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3985 * IDL [case(15)][unique] PSID ;
3986 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
3987 * IDL [case(17)][unique] PSID ;
3988 * IDL [case(18)][unique] DELTA_SECRET *secret;
3989 * IDL [case(19)][unique] string;
3990 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
3991 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
3992 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
3993 * IDL } DELTA_UNION;
/* Dissects a DELTA_UNION under its own subtree (ett_DELTA_UNION): a 16-bit
 * delta type is read from the packet into level, and the matching arm is
 * dissected as a unique pointer to the corresponding DELTA_* structure.
 * The three rename arms share netlogon_dissect_DELTA_RENAME and differ
 * only in the hf index passed as the last argument.
 * NOTE(review): the switch statement and its case labels are not visible
 * in this listing. Sixteen arms are visible, while the IDL comment lists
 * 22 cases, so the remaining levels (rid only, PSID and string arms)
 * presumably dissect nothing here - confirm, and confirm that a level
 * outside 1 to 22 leaves offset unchanged. */
3996 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
3997 packet_info *pinfo, proto_tree *parent_tree,
4000 proto_item *item=NULL;
4001 proto_tree *tree=NULL;
4002 int old_offset=offset;
4006 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4008 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
/* level is taken from the wire and selects the arm below. */
4011 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4012 hf_netlogon_delta_type, &level);
4017 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4018 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
4019 "DELTA_DOMAIN:", -1);
4022 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4023 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
4024 "DELTA_GROUP:", -1);
4027 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4028 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
4029 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
4032 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4033 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
4037 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4038 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
4039 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
4042 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4043 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
4044 "DELTA_GROUP_MEMBER:", -1);
4047 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4048 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
4049 "DELTA_ALIAS:", -1);
4052 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4053 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
4054 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
4057 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4058 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
4059 "DELTA_ALIAS_MEMBER:", -1);
4062 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4063 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
4064 "DELTA_POLICY:", -1);
4067 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4068 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
4069 "DELTA_TRUSTED_DOMAINS:", -1);
4072 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4073 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
4074 "DELTA_ACCOUNTS:", -1);
4077 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4078 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
4079 "DELTA_SECRET:", -1);
/* NOTE(review): this arm is labelled DELTA_DELETE_GROUP but uses the
 * DELTA_DELETE_USER callback, the same one as the next arm. Confirm the
 * two structures share a layout and this is not a copy-paste slip. */
4082 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4083 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
4084 "DELTA_DELETE_GROUP:", -1);
4087 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4088 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
4089 "DELTA_DELETE_USER:", -1);
4092 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4093 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
4094 "MODIFIED_COUNT:", -1);
/* Resize the subtree item to the bytes consumed. */
4098 proto_item_set_len(item, offset-old_offset);
4104 /* IDL XXX must verify this one, especially 13-19
4105 * IDL typedef [switch_type(short)] union {
4106 * IDL [case(1)] long rid;
4107 * IDL [case(2)] long rid;
4108 * IDL [case(3)] long rid;
4109 * IDL [case(4)] long rid;
4110 * IDL [case(5)] long rid;
4111 * IDL [case(6)] long rid;
4112 * IDL [case(7)] long rid;
4113 * IDL [case(8)] long rid;
4114 * IDL [case(9)] long rid;
4115 * IDL [case(10)] long rid;
4116 * IDL [case(11)] long rid;
4117 * IDL [case(12)] long rid;
4118 * IDL [case(13)] [unique] SID *sid;
4119 * IDL [case(14)] [unique] SID *sid;
4120 * IDL [case(15)] [unique] SID *sid;
4121 * IDL [case(16)] [unique] SID *sid;
4122 * IDL [case(17)] [unique] SID *sid;
4123 * IDL [case(18)] [unique][string] wchar_t *Name ;
4124 * IDL [case(19)] [unique][string] wchar_t *Name ;
4125 * IDL [case(20)] long rid;
4126 * IDL [case(21)] long rid;
4127 * IDL } DELTA_ID_UNION;
/* Dissects a DELTA_ID_UNION under its own subtree (ett_DELTA_ID_UNION): a
 * 16-bit delta type is read from the packet into level and the matching
 * arm is dissected. The visible arms are, in order: twelve 32-bit RIDs,
 * five SID pointers, two unique string pointers and two more 32-bit RIDs,
 * which lines up with cases 1 to 21 of the IDL comment.
 * The IDL comment itself is marked as unverified for cases 13 to 19, so
 * the SID and string arms should be treated with the same caution.
 * NOTE(review): the switch and its case labels are not visible in this
 * listing; confirm that an unlisted level leaves offset unchanged.
 * Only the first RID arm uses hf_netlogon_group_rid; every other RID arm
 * is displayed as hf_netlogon_user_rid regardless of the delta type. */
4130 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
4131 packet_info *pinfo, proto_tree *parent_tree,
4134 proto_item *item=NULL;
4135 proto_tree *tree=NULL;
4136 int old_offset=offset;
4140 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4142 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
/* level is taken from the wire and selects the arm below. */
4145 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4146 hf_netlogon_delta_type, &level);
4151 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4152 hf_netlogon_group_rid, NULL);
4155 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4156 hf_netlogon_user_rid, NULL);
4159 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4160 hf_netlogon_user_rid, NULL);
4163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4164 hf_netlogon_user_rid, NULL);
4167 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4168 hf_netlogon_user_rid, NULL);
4171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4172 hf_netlogon_user_rid, NULL);
4175 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4176 hf_netlogon_user_rid, NULL);
4179 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4180 hf_netlogon_user_rid, NULL);
4183 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4184 hf_netlogon_user_rid, NULL);
4187 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4188 hf_netlogon_user_rid, NULL);
4191 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4192 hf_netlogon_user_rid, NULL);
4195 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4196 hf_netlogon_user_rid, NULL);
4199 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4202 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4205 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4208 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4211 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4214 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4215 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4216 hf_netlogon_unknown_string, 0);
4219 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4220 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4221 hf_netlogon_unknown_string, 0);
4224 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4225 hf_netlogon_user_rid, NULL);
4228 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4229 hf_netlogon_user_rid, NULL);
/* Resize the subtree item to the bytes consumed. */
4233 proto_item_set_len(item, offset-old_offset);
4238 * IDL typedef struct {
4239 * IDL short delta_type;
4240 * IDL DELTA_ID_UNION delta_id_union;
4241 * IDL DELTA_UNION delta_union;
/* Dissects one DELTA_ENUM entry under its own subtree (ett_DELTA_ENUM):
 * the 16-bit delta type, then the DELTA_ID_UNION, then the DELTA_UNION.
 * The delta type name is appended to the subtree label; the looked-up
 * string is passed as an argument to a fixed %s format, never as the
 * format itself, and unknown values fall back to the text Unknown.
 * NOTE(review): type is used here only for the label; each of the two
 * unions reads its own 16-bit discriminant from the packet, so nothing in
 * this function ties the three values together. */
4245 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
4246 packet_info *pinfo, proto_tree *parent_tree,
4249 proto_item *item=NULL;
4250 proto_tree *tree=NULL;
4251 int old_offset=offset;
4255 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4257 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
4260 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4261 hf_netlogon_delta_type, &type);
4263 proto_item_append_text(item, "%s", val_to_str(
4264 type, delta_type_vals, "Unknown"));
4266 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
4269 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
/* Resize the subtree item to the bytes consumed. */
4272 proto_item_set_len(item, offset-old_offset);
/* Hands the delta list to dissect_ndr_ucarray with
 * netlogon_dissect_DELTA_ENUM as the per-element callback. */
4277 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
4278 packet_info *pinfo, proto_tree *tree,
4281 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4282 netlogon_dissect_DELTA_ENUM);
4288 * IDL typedef struct {
4289 * IDL long num_deltas;
4290 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
4291 * IDL } DELTA_ENUM_ARRAY;
/* Dissects a DELTA_ENUM_ARRAY: the num_deltas count followed by a unique
 * pointer to the array of DELTA_ENUM entries.
 * num_deltas is only displayed (NULL output pointer); this function does
 * not use it to size the array. */
4294 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
4295 packet_info *pinfo, proto_tree *tree,
4298 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4299 hf_netlogon_num_deltas, NULL);
4301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4302 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
4303 "DELTA_ENUM: deltas", -1);
4310 * IDL long NetrDatabaseDeltas(
4311 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4312 * IDL [in][string][ref] wchar_t *computername,
4313 * IDL [in][ref] AUTHENTICATOR credential,
4314 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4315 * IDL [in] long database_id,
4316 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
4317 * IDL [in] long preferredmaximumlength,
4318 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* Dissects the request side of NetrDatabaseDeltas in the order of the IDL
 * comment: server handle and computer name (ref string pointers), the
 * client credential and return authenticator (ref pointers), the database
 * id, the domain modified count (ref pointer) and the preferred maximum
 * length, shown as hf_netlogon_max_size. */
4322 netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
4323 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4325 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4326 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4328 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4329 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4332 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4333 "AUTHENTICATOR: credential", -1);
4335 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4336 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4337 "AUTHENTICATOR: return_authenticator", -1);
4339 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4340 hf_netlogon_database_id, NULL);
4342 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4343 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
4344 "MODIFIED_COUNT: domain modified count", -1);
4346 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4347 hf_netlogon_max_size, NULL);
/* Dissects the reply side of NetrDatabaseDeltas: the return authenticator
 * and the domain modified count (ref pointers), a unique pointer to the
 * DELTA_ENUM_ARRAY, and the NTSTATUS return code (hf_netlogon_rc). */
4352 netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
4353 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4355 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4356 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4357 "AUTHENTICATOR: return_authenticator", -1);
4359 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4360 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
4361 "MODIFIED_COUNT: domain modified count", -1);
4363 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4364 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4365 "DELTA_ENUM_ARRAY: deltas", -1);
4367 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4368 hf_netlogon_rc, NULL);
4375 * IDL long NetrDatabaseSync(
4376 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4377 * IDL [in][string][ref] wchar_t *computername,
4378 * IDL [in][ref] AUTHENTICATOR credential,
4379 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4380 * IDL [in] long database_id,
4381 * IDL [in][out][ref] long sync_context,
4382 * IDL [in] long preferredmaximumlength,
4383 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* Dissects the request side of NetrDatabaseSync in the order of the IDL
 * comment: server handle and computer name (ref string pointers), the
 * client credential and return authenticator (ref pointers), the database
 * id, the sync context and the preferred maximum length, shown as
 * hf_netlogon_max_size.
 * The IDL comment marks sync_context as a ref pointer, and the code reads
 * it as a plain 32-bit value. */
4387 netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
4388 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4390 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4391 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4393 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4394 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4396 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4397 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4398 "AUTHENTICATOR: credential", -1);
4400 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4401 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4402 "AUTHENTICATOR: return_authenticator", -1);
4404 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4405 hf_netlogon_database_id, NULL);
4407 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4408 hf_netlogon_sync_context, NULL);
4410 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4411 hf_netlogon_max_size, NULL);
4418 netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
4419 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4421 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4422 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4423 "AUTHENTICATOR: return_authenticator", -1);
4425 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4426 hf_netlogon_sync_context, NULL);
4428 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4429 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4430 "DELTA_ENUM_ARRAY: deltas", -1);
4432 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4433 hf_netlogon_rc, NULL);
4439 * IDL typedef struct {
4440 * IDL char computer_name[16];
4441 * IDL long timecreated;
4442 * IDL long serial_number;
/*
 * Dissects a UAS_INFO_0 record as laid out in the IDL comment above:
 * a 16-byte computer name, a 4-byte creation time and a 32-bit serial
 * number.  During a conformant run nothing is dissected.
 */
4446 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
4447 packet_info *pinfo, proto_tree *tree,
4452 di=pinfo->private_data;
4453 if(di->conformant_run){
4454 /*just a run to handle conformant arrays, nothing to dissect */
/* fixed 16-byte field added straight from the buffer, not through an NDR string helper */
4458 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
/* the 4 time bytes are only labelled; their value is not decoded or displayed */
4461 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
4464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4465 hf_netlogon_serial_number, NULL);
4472 * IDL long NetrAccountDeltas(
4473 * IDL [in][string][unique] wchar_t *logonserver,
4474 * IDL [in][string][ref] wchar_t *computername,
4475 * IDL [in][ref] AUTHENTICATOR credential,
4476 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4477 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4478 * IDL [out][ref] long count_returned,
4479 * IDL [out][ref] long total_entries,
4480 * IDL [in][out][ref] UAS_INFO_0 recordid,
4481 * IDL [in][long] count,
4482 * IDL [in][long] level,
4483 * IDL [in][long] buffersize,
4487 netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
4488 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4490 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4493 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4494 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4496 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4497 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4498 "AUTHENTICATOR: credential", -1);
4500 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4501 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4502 "AUTHENTICATOR: return_authenticator", -1);
4504 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4505 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4506 "UAS_INFO_0: RecordID", -1);
4508 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4509 hf_netlogon_count, NULL);
4511 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4512 hf_netlogon_level, NULL);
4514 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4515 hf_netlogon_max_size, NULL);
4520 netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
4521 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4523 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4524 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4525 "AUTHENTICATOR: return_authenticator", -1);
4527 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4528 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4529 "BYTE_array: Buffer", -1);
4531 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4532 hf_netlogon_count, NULL);
4534 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4535 hf_netlogon_entries, NULL);
4537 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4538 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4539 "UAS_INFO_0: RecordID", -1);
4541 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4542 hf_netlogon_rc, NULL);
4549 * IDL long NetrAccountSync(
4550 * IDL [in][string][unique] wchar_t *logonserver,
4551 * IDL [in][string][ref] wchar_t *computername,
4552 * IDL [in][ref] AUTHENTICATOR credential,
4553 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4554 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4555 * IDL [out][ref] long count_returned,
4556 * IDL [out][ref] long total_entries,
4557 * IDL [out][ref] long next_reference,
4558 * IDL [in][long] reference,
4559 * IDL [in][long] level,
4560 * IDL [in][long] buffersize,
4561 * IDL [in][out][ref] UAS_INFO_0 recordid,
/*
 * Request side of NetrAccountSync: logon server handle, computer name,
 * the client credential and return authenticator (both ref pointers),
 * then the 32-bit reference, level and maximum size values.
 *
 * NOTE(review): the IDL comment above lists recordid (UAS_INFO_0) as
 * [in][out][ref], but none of the statements visible here dissects a
 * UAS_INFO_0 on the request path (the reply does).  If the field is
 * present in requests, the remaining bytes would go undecoded - confirm
 * against a capture.
 */
4565 netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
4566 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4568 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4571 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4572 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4574 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4575 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4576 "AUTHENTICATOR: credential", -1);
4578 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4579 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4580 "AUTHENTICATOR: return_authenticator", -1);
4582 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4583 hf_netlogon_reference, NULL);
4585 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4586 hf_netlogon_level, NULL);
4588 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4589 hf_netlogon_max_size, NULL);
4594 netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
4595 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4597 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4598 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4599 "AUTHENTICATOR: return_authenticator", -1);
4601 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4602 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4603 "BYTE_array: Buffer", -1);
4605 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4606 hf_netlogon_count, NULL);
4608 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4609 hf_netlogon_entries, NULL);
4611 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4612 hf_netlogon_next_reference, NULL);
4614 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4615 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
4616 "UAS_INFO_0: RecordID", -1);
4618 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4619 hf_netlogon_rc, NULL);
4626 * IDL long NetrGetDcName(
4627 * IDL [in][ref][string] wchar_t *logon_server,
4628 * IDL [in][unique][string] wchar_t *domainname,
4629 * IDL [out][unique][string] wchar_t *dcname,
4633 netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
4634 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4636 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4637 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4639 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4640 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
/*
 * Reply side of NetrGetDcName: an optional (unique pointer) string stored
 * in hf_netlogon_dc_name, followed by the NTSTATUS return code.
 *
 * NOTE(review): the pointer label is "Domain" although the field is
 * hf_netlogon_dc_name and the IDL names the out parameter dcname; this
 * looks copied from the request dissector and can mislead someone reading
 * the tree - confirm and relabel.
 */
4645 netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
4646 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4648 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4649 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4651 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4652 hf_netlogon_rc, NULL);
4660 * IDL typedef struct {
4662 * IDL long pdc_connection_status;
4663 * IDL } NETLOGON_INFO_1;
4666 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
4667 packet_info *pinfo, proto_tree *tree,
4670 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4671 hf_netlogon_flags, NULL);
4673 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4674 hf_netlogon_pdc_connection_status, NULL);
4681 * IDL typedef struct {
4683 * IDL long pdc_connection_status;
4684 * IDL [unique][string] wchar_t trusted_dc_name;
4685 * IDL long tc_connection_status;
4686 * IDL } NETLOGON_INFO_2;
4689 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
4690 packet_info *pinfo, proto_tree *tree,
4693 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4694 hf_netlogon_flags, NULL);
4696 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4697 hf_netlogon_pdc_connection_status, NULL);
4699 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4700 NDR_POINTER_UNIQUE, "Trusted DC Name",
4701 hf_netlogon_trusted_dc_name, 0);
4703 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4704 hf_netlogon_tc_connection_status, NULL);
4711 * IDL typedef struct {
4713 * IDL long logon_attempts;
4714 * IDL long reserved;
4715 * IDL long reserved;
4716 * IDL long reserved;
4717 * IDL long reserved;
4718 * IDL long reserved;
4719 * IDL } NETLOGON_INFO_3;
4722 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
4723 packet_info *pinfo, proto_tree *tree,
4726 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4727 hf_netlogon_flags, NULL);
4729 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4730 hf_netlogon_logon_attempts, NULL);
4732 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4733 hf_netlogon_reserved, NULL);
4735 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4736 hf_netlogon_reserved, NULL);
4738 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4739 hf_netlogon_reserved, NULL);
4741 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4742 hf_netlogon_reserved, NULL);
4744 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4745 hf_netlogon_reserved, NULL);
4752 * IDL typedef [switch_type(long)] union {
4753 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
4754 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
4755 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
4756 * IDL } CONTROL_QUERY_INFORMATION;
/*
 * Dissects the CONTROL_QUERY_INFORMATION union: reads the 32-bit level
 * into `level`, then dissects one of NETLOGON_INFO_1/2/3, each behind a
 * unique pointer.
 *
 * NOTE(review): the statements that select between the three arms are not
 * visible in this listing; per the IDL comment above they should be cases
 * 1, 2 and 3.  `level` comes from the packet, so confirm that a value
 * outside that set dissects no arm at all.
 */
4759 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
4760 packet_info *pinfo, proto_tree *tree,
4765 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4766 hf_netlogon_level, &level);
4771 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4772 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
4773 "NETLOGON_INFO_1:", -1);
4776 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4777 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
4778 "NETLOGON_INFO_2:", -1);
4781 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4782 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
4783 "NETLOGON_INFO_3:", -1);
4792 * IDL long NetrLogonControl(
4793 * IDL [in][string][unique] wchar_t *logonserver,
4794 * IDL [in] long function_code,
4795 * IDL [in] long level,
4796 * IDL [out][ref] CONTROL_QUERY_INFORMATION
4800 netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
4801 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4803 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4806 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4807 hf_netlogon_code, NULL);
4809 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4810 hf_netlogon_level, NULL);
/*
 * Reply side of NetrLogonControl: the CONTROL_QUERY_INFORMATION union
 * (ref pointer) followed by the call's return code.
 *
 * NOTE(review): the return code is decoded with dissect_ntstatus into
 * hf_netlogon_dos_rc, while netlogon_dissect_netrlogoncontrol2_reply in
 * this file reads a plain uint32 and resolves it through WERR_errors.
 * If this call also returns a Windows error code rather than an NTSTATUS,
 * the status text shown to the analyst would be wrong - confirm.
 */
4815 netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
4816 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4818 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4819 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4820 "CONTROL_QUERY_INFORMATION:", -1);
4822 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4823 hf_netlogon_dos_rc, NULL);
4830 * IDL long NetrGetAnyDCName(
4831 * IDL [in][unique][string] wchar_t *logon_server,
4832 * IDL [in][unique][string] wchar_t *domainname,
4833 * IDL [out][unique][string] wchar_t *dcname,
4837 netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
4838 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4840 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4841 NDR_POINTER_UNIQUE, "Server Handle",
4842 hf_netlogon_logonsrv_handle, 0);
4844 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4845 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
/*
 * Reply side of NetrGetAnyDCName: an optional (unique pointer) string
 * stored in hf_netlogon_dc_name, followed by the return code.
 *
 * NOTE(review): two display issues worth confirming.  The pointer label is
 * "Domain" although the value is the DC name (IDL: dcname).  The return
 * code goes through dissect_ntstatus into hf_netlogon_dos_rc, unlike the
 * NetrGetDcName reply, which uses hf_netlogon_rc; if the call returns a
 * Windows error code, the NTSTATUS text would be misleading.
 */
4850 netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
4851 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4853 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4854 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
4856 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4857 hf_netlogon_dos_rc, NULL);
4864 * IDL typedef [switch_type(long)] union {
4865 * IDL [case(5)] [unique][string] wchar_t *unknown;
4866 * IDL [case(6)] [unique][string] wchar_t *unknown;
4867 * IDL [case(0xfffe)] long unknown;
4868 * IDL [case(7)] [unique][string] wchar_t *unknown;
4869 * IDL } CONTROL_DATA_INFORMATION;
4872 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
4873 * to look like. However, NetMon does not recognize any such information levels.
4875 * I'll leave it as CONTROL_DATA_INFORMATION with no information levels
4876 * until someone has any source of better authority to call upon.
/*
 * Dissects the CONTROL_DATA_INFORMATION union: reads the 32-bit level into
 * `level`, then dissects one arm - three of them an optional (unique
 * pointer) string stored in hf_netlogon_unknown_string, one a 32-bit value
 * stored in hf_netlogon_unknown_long.
 *
 * NOTE(review): the case labels are not visible in this listing; the IDL
 * comment above gives 5, 6, 0xfffe and 7.  The arm contents are marked
 * "unknown" by the original author, so treat the decoded fields as
 * best-effort when interpreting a capture.
 */
4879 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
4880 packet_info *pinfo, proto_tree *tree,
4885 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4886 hf_netlogon_level, &level);
4891 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4892 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4893 hf_netlogon_unknown_string, 0);
4896 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4897 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4898 hf_netlogon_unknown_string, 0);
4901 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4902 hf_netlogon_unknown_long, NULL);
4905 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4906 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4907 hf_netlogon_unknown_string, 0);
4916 * IDL long NetrLogonControl2(
4917 * IDL [in][string][unique] wchar_t *logonserver,
4918 * IDL [in] long function_code,
4919 * IDL [in] long level,
4920 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4921 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4925 netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
4926 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4928 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4931 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4932 hf_netlogon_code, NULL);
4934 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4935 hf_netlogon_level, NULL);
4937 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4938 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4939 "CONTROL_DATA_INFORMATION: ", -1);
/*
 * Reply side of NetrLogonControl2: the CONTROL_QUERY_INFORMATION union
 * (ref pointer), then the return code read as a raw 32-bit value into
 * `status` and stored in hf_netlogon_werr_rc.  A non-zero status is also
 * appended to the Info column, resolved through WERR_errors.
 */
4945 netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
4946 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4950 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4951 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4952 "CONTROL_QUERY_INFORMATION:", -1);
4954 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_netlogon_werr_rc, &status);
/*
 * Both format strings are literals; the packet-supplied status is only
 * ever passed as the numeric argument.  Codes missing from WERR_errors
 * fall back to the "Unknown WERR error" text with the hex value.
 */
4956 if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
4957 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, WERR_errors, "Unknown WERR error 0x%08x"));
4965 * IDL long NetrServerAuthenticate2(
4966 * IDL [in][string][unique] wchar_t *logonserver,
4967 * IDL [in][ref][string] wchar_t *username,
4968 * IDL [in] short secure_channel_type,
4969 * IDL [in][ref][string] wchar_t *computername,
4970 * IDL [in][ref] CREDENTIAL *client_chal,
4971 * IDL [out][ref] CREDENTIAL *server_chal,
4972 * IDL [in][out][ref] long *negotiate_flags,
/*
 * Request side of NetrServerAuthenticate2: logon server handle, account
 * name (dissected with cb_wstr_postprocess and CB_STR_COL_INFO, so it is
 * also surfaced outside the tree), secure channel type, computer name,
 * the client challenge CREDENTIAL (ref pointer) and the negotiate flags.
 */
4976 netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
4977 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4979 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4982 offset = dissect_ndr_pointer_cb(
4983 tvb, offset, pinfo, tree, drep,
4984 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
4985 "User Name", hf_netlogon_acct_name,
4986 cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));
4988 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
4991 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4992 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4994 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4995 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4996 "CREDENTIAL: client_chal", -1);
/*
 * The negotiate flags are added as one 32-bit item; this function builds
 * no per-bit subtree, so checking which secure-channel options the client
 * offered means decoding the mask by hand.
 */
4998 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4999 hf_netlogon_neg_flags, NULL);
/*
 * Reply side of NetrServerAuthenticate2: the server challenge CREDENTIAL
 * (ref pointer), the negotiate flags returned by the server and the
 * NTSTATUS result.  As in the request, the flags are a single 32-bit item
 * with no per-bit breakdown added here.
 */
5005 netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
5006 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5008 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5009 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5010 "CREDENTIAL: server_chal", -1);
5012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5013 hf_netlogon_neg_flags, NULL);
5015 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5016 hf_netlogon_rc, NULL);
5023 * IDL long NetrDatabaseSync2(
5024 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5025 * IDL [in][string][ref] wchar_t *computername,
5026 * IDL [in][ref] AUTHENTICATOR credential,
5027 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5028 * IDL [in] long database_id,
5029 * IDL [in] short restart_state,
5030 * IDL [in][out][ref] long *sync_context,
5031 * IDL [in] long preferredmaximumlength,
5032 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
5036 netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
5037 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5039 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5040 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
5042 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5043 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5045 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5046 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5047 "AUTHENTICATOR: credential", -1);
5049 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5050 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5051 "AUTHENTICATOR: return_authenticator", -1);
5053 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5054 hf_netlogon_database_id, NULL);
5056 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5057 hf_netlogon_restart_state, NULL);
5059 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5060 hf_netlogon_sync_context, NULL);
5062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5063 hf_netlogon_max_size, NULL);
5069 netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
5070 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5072 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5073 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5074 "AUTHENTICATOR: return_authenticator", -1);
5076 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5077 hf_netlogon_sync_context, NULL);
5079 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5080 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
5081 "DELTA_ENUM_ARRAY: deltas", -1);
5083 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5084 hf_netlogon_rc, NULL);
5091 * IDL long NetrDatabaseRedo(
5092 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5093 * IDL [in][string][ref] wchar_t *computername,
5094 * IDL [in][ref] AUTHENTICATOR credential,
5095 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5096 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
5097 * IDL [in] long change_log_entry_size,
5098 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Request side of NetrDatabaseRedo: server handle and computer name (ref
 * string pointers), the client credential and return authenticator, the
 * change log entry dissected as a BYTE array behind a ref pointer, and a
 * trailing 32-bit size stored in hf_netlogon_max_log_size (the IDL above
 * calls it change_log_entry_size).
 */
5102 netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
5103 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5105 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5106 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
5108 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5109 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5111 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5112 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5113 "AUTHENTICATOR: credential", -1);
5115 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5116 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5117 "AUTHENTICATOR: return_authenticator", -1);
/* the entry is shown as opaque bytes; its internal layout is not decoded here */
5119 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5120 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
5121 "Change log entry: ", -1);
5123 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5124 hf_netlogon_max_log_size, NULL);
5130 netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
5131 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5133 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5134 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5135 "AUTHENTICATOR: return_authenticator", -1);
5137 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5138 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
5139 "DELTA_ENUM_ARRAY: deltas", -1);
5141 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5142 hf_netlogon_rc, NULL);
5149 * IDL long NetrLogonControl2Ex(
5150 * IDL [in][string][unique] wchar_t *logonserver,
5151 * IDL [in] long function_code,
5152 * IDL [in] long level,
5153 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
5154 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
5158 netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
5159 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5161 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5164 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5165 hf_netlogon_code, NULL);
5167 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5168 hf_netlogon_level, NULL);
5170 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5171 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
5172 "CONTROL_DATA_INFORMATION: ", -1);
/*
 * Reply side of NetrLogonControl2Ex: the CONTROL_QUERY_INFORMATION union
 * (ref pointer) followed by the call's return code.
 *
 * NOTE(review): the return code is decoded with dissect_ntstatus into
 * hf_netlogon_dos_rc, whereas netlogon_dissect_netrlogoncontrol2_reply
 * reads a raw uint32 and resolves it through WERR_errors.  The two calls
 * share the same IDL shape, so one of the two decodings is probably
 * showing the wrong status text - confirm which.
 */
5177 netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
5178 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5180 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5181 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
5182 "CONTROL_QUERY_INFORMATION:", -1);
5184 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5185 hf_netlogon_dos_rc, NULL);
5193 static const value_string trust_type_vals[] = {
5194 { 1, "NT4 Domain" },
5196 { 3, "MIT Kerberos realm" },
5201 #define DS_INET_ADDRESS 1
5202 #define DS_NETBIOS_ADDRESS 2
5203 static const value_string dc_address_types[] = {
5204 { DS_INET_ADDRESS, "IP/DNS name" },
5205 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
5210 #define RQ_ROOT_FOREST 0x0001
5211 #define RQ_DC_XFOREST 0x0002
5212 #define RQ_RODC_DIF_DOMAIN 0x0004
5213 #define RQ_NTLM_FROM_RODC 0x0008
5215 #define DS_DOMAIN_IN_FOREST 0x0001
5216 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
5217 #define DS_DOMAIN_TREE_ROOT 0x0004
5218 #define DS_DOMAIN_PRIMARY 0x0008
5219 #define DS_DOMAIN_NATIVE_MODE 0x0010
5220 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
5221 static const true_false_string trust_inbound = {
5222 "There is a DIRECT INBOUND trust for the servers domain",
5223 "There is NO direct inbound trust for the servers domain"
5225 static const true_false_string trust_outbound = {
5226 "There is a DIRECT OUTBOUND trust for this domain",
5227 "There is NO direct outbound trust for this domain"
5229 static const true_false_string trust_in_forest = {
5230 "The domain is a member IN the same FOREST as the queried server",
5231 "The domain is NOT a member of the queried servers domain"
5233 static const true_false_string trust_native_mode = {
5234 "The primary domain is a NATIVE MODE w2k domain",
5235 "The primary is NOT a native mode w2k domain"
5237 static const true_false_string trust_primary = {
5238 "The domain is the PRIMARY domain of the queried server",
5239 "The domain is NOT the primary domain of the queried server"
5241 static const true_false_string trust_tree_root = {
5242 "The domain is the ROOT of a domain TREE",
5243 "The domain is NOT a root of a domain tree"
/*
 * Dissects the 32-bit domain trust flags.  The value is first read with a
 * NULL tree, so the NDR helper adds no item of its own; the function then
 * adds one uint item on parent_tree, opens an ett_trust_flags subtree under
 * it and adds one boolean row per flag.  During a conformant run nothing
 * is dissected.
 *
 * Every boolean row is passed the full mask; which bit each row displays
 * is presumably fixed by the hf field registration, which is outside this
 * listing.
 */
5248 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
5249 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5252 proto_item *item = NULL;
5253 proto_tree *tree = NULL;
5256 di=pinfo->private_data;
5257 if(di->conformant_run){
5258 /*just a run to handle conformant arrays, nothing to dissect */
5262 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
5263 hf_netlogon_trust_flags, &mask);
/* offset-4: offset has already been advanced past the 32-bit value just read */
5266 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
5267 tvb, offset-4, 4, mask);
5268 tree = proto_item_add_subtree(item, ett_trust_flags);
5271 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
5272 tvb, offset-4, 4, mask);
5273 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
5274 tvb, offset-4, 4, mask);
5275 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
5276 tvb, offset-4, 4, mask);
5277 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
5278 tvb, offset-4, 4, mask);
5279 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
5280 tvb, offset-4, 4, mask);
5281 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
5282 tvb, offset-4, 4, mask);
5289 static const true_false_string trust_attribs_non_transitive = {
5290 "This is a NON TRANSITIVE trust relation",
5291 "This is a normal trust"
5293 static const true_false_string trust_attribs_uplevel_only = {
5294 "This is an UPLEVEL ONLY trust relation",
5295 "This is a normal trust"
5297 static const true_false_string trust_attribs_quarantined_domain = {
5298 "This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
5299 "This is a normal trust"
5301 static const true_false_string trust_attribs_forest_transitive = {
5302 "This is a FOREST TRANSITIVE trust",
5303 "This is a normal trust"
5305 static const true_false_string trust_attribs_cross_organization = {
5306 "This is a CROSS ORGANIZATION trust",
5307 "This is a normal trust"
5309 static const true_false_string trust_attribs_within_forest = {
5310 "This is a WITHIN FOREST trust",
5311 "This is a normal trust"
5313 static const true_false_string trust_attribs_treat_as_external = {
5314 "TREAT this trust AS an EXTERNAL trust",
5315 "This is a normal trust"
/*
 * Dissects the 32-bit domain trust attributes.  The value is first read
 * with a NULL tree, so the NDR helper adds no item of its own; the
 * function then adds one uint item on parent_tree, opens an
 * ett_trust_attribs subtree under it and adds one boolean row per
 * attribute (treat-as-external, within-forest, cross-organization,
 * forest-transitive, quarantined-domain, uplevel-only, non-transitive).
 * During a conformant run nothing is dissected.
 *
 * Every boolean row is passed the full mask; which bit each row displays
 * is presumably fixed by the hf field registration, which is outside this
 * listing.  These rows are what an analyst reads to tell a quarantined or
 * non-transitive trust from a normal one, so the registration masks are
 * worth checking against the protocol documentation.
 */
5319 netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
5320 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5323 proto_item *item = NULL;
5324 proto_tree *tree = NULL;
5327 di=pinfo->private_data;
5328 if(di->conformant_run){
5329 /*just a run to handle conformant arrays, nothing to dissect */
5333 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
5334 hf_netlogon_trust_attribs, &mask);
/* offset-4: offset has already been advanced past the 32-bit value just read */
5337 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_attribs,
5338 tvb, offset-4, 4, mask);
5339 tree = proto_item_add_subtree(item, ett_trust_attribs);
5342 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_treat_as_external,
5343 tvb, offset-4, 4, mask);
5344 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_within_forest,
5345 tvb, offset-4, 4, mask);
5346 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_cross_organization,
5347 tvb, offset-4, 4, mask);
5348 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_forest_transitive,
5349 tvb, offset-4, 4, mask);
5350 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_quarantined_domain,
5351 tvb, offset-4, 4, mask);
5352 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_uplevel_only,
5353 tvb, offset-4, 4, mask);
5354 proto_tree_add_boolean(tree, hf_netlogon_trust_attribs_non_transitive,
5355 tvb, offset-4, 4, mask);
5362 #define DS_FORCE_REDISCOVERY 0x00000001
5363 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
5364 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
5365 #define DS_GC_SERVER_REQUIRED 0x00000040
5366 #define DS_PDC_REQUIRED 0x00000080
5367 #define DS_BACKGROUND_ONLY 0x00000100
5368 #define DS_IP_REQUIRED 0x00000200
5369 #define DS_KDC_REQUIRED 0x00000400
5370 #define DS_TIMESERV_REQUIRED 0x00000800
5371 #define DS_WRITABLE_REQUIRED 0x00001000
5372 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
5373 #define DS_AVOID_SELF 0x00004000
5374 #define DS_ONLY_LDAP_NEEDED 0x00008000
5375 #define DS_IS_FLAT_NAME 0x00010000
5376 #define DS_IS_DNS_NAME 0x00020000
5377 #define DS_RETURN_DNS_NAME 0x40000000
5378 #define DS_RETURN_FLAT_NAME 0x80000000
5379 static const true_false_string get_dcname_request_flags_force_rediscovery = {
5380 "FORCE REDISCOVERY of any cached data",
5381 "You may return cached data"
5383 static const true_false_string get_dcname_request_flags_directory_service_required = {
5384 "DIRECTORY SERVICE is REQUIRED on the server",
5385 "We do NOT require directory service servers"
5387 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
5388 "DIRECTORY SERVICE servers are PREFERRED",
5389 "We do NOT have a preference for directory service servers"
5391 static const true_false_string get_dcname_request_flags_gc_server_required = {
5392 "GC SERVER is REQUIRED",
5393 "gc server is NOT required"
5395 static const true_false_string get_dcname_request_flags_pdc_required = {
5396 "PDC SERVER is REQUIRED",
5397 "pdc server is NOT required"
5399 static const true_false_string get_dcname_request_flags_background_only = {
5400 "Only return cached data, even if it has expired",
5401 "Return cached data unless it has expired"
5403 static const true_false_string get_dcname_request_flags_ip_required = {
5404 "IP address is REQUIRED",
5405 "ip address is NOT required"
5407 static const true_false_string get_dcname_request_flags_kdc_required = {
5408 "KDC server is REQUIRED",
5409 "kdc server is NOT required"
5411 static const true_false_string get_dcname_request_flags_timeserv_required = {
5412 "TIMESERV service is REQUIRED",
5413 "timeserv service is NOT required"
5415 static const true_false_string get_dcname_request_flags_writable_required = {
5416 "the returned dc MUST be WRITEABLE",
5417 "a read-only dc may be returned"
5419 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
5420 "GOOD TIMESERV servers are PREFERRED",
5421 "we do NOT have a preference for good timeserv servers"
5423 static const true_false_string get_dcname_request_flags_avoid_self = {
5424 "do NOT return self as dc; return someone else",
5425 "you may return yourSELF as the dc"
5427 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
5428 "we ONLY NEED LDAP; you don't have to return a dc",
5429 "we need a normal dc; an ldap only server will not do"
5431 static const true_false_string get_dcname_request_flags_is_flat_name = {
5432 "the name we specify is a NetBIOS name",
5433 "the name we specify is NOT a NetBIOS name"
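/*
 * Display strings for the get-DC-name request flag that says whether the
 * name supplied by the caller is a DNS name: first string when the bit is
 * set, second when it is clear.  The clear-bit text previously read
 * "ther name", a typo that showed up verbatim in the protocol tree.
 */
static const true_false_string get_dcname_request_flags_is_dns_name = {
	"the name we specify is a DNS name",
	"the name we specify is NOT a dns name"
};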
5439 static const true_false_string get_dcname_request_flags_return_dns_name = {
5440 "return a DNS name",
5441 "you may return a NON-dns name"
5443 static const true_false_string get_dcname_request_flags_return_flat_name = {
5444 "return a NetBIOS name",
5445 "you may return a NON-NetBIOS name"
/* Dissect the 32-bit GET_DCNAME request flags word and add one boolean field
 * per flag under a subtree of parent_tree.
 *
 * The word is first read with a NULL tree, so that call only stores the value
 * in mask; the same four bytes (offset-4, length 4) are then added as the
 * summary item and once for each flag field.
 * NOTE(review): the return type, local declarations (mask, di), braces and
 * return statements are absent from this listing. item and tree start as
 * NULL, which suggests the tree calls sit behind a guard that is not shown.
 * Assumes the DCE/RPC layer has set pinfo->private_data; confirm.
 */
5448 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
5449 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5452 proto_item *item = NULL;
5453 proto_tree *tree = NULL;
5456 di=pinfo->private_data;
5457 if(di->conformant_run){
5458 /*just a run to handle conformant arrays, nothing to dissect */
/* NULL tree: fetch the flags value only; it is added to the tree below */
5462 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
5463 hf_netlogon_get_dcname_request_flags, &mask);
/* offset has already moved past the word, hence offset-4 for every item */
5466 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
5467 tvb, offset-4, 4, mask);
5468 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
5471 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
5472 tvb, offset-4, 4, mask);
5473 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
5474 tvb, offset-4, 4, mask);
5475 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
5476 tvb, offset-4, 4, mask);
5477 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
5478 tvb, offset-4, 4, mask);
5479 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
5480 tvb, offset-4, 4, mask);
5481 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
5482 tvb, offset-4, 4, mask);
5483 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
5484 tvb, offset-4, 4, mask);
5485 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
5486 tvb, offset-4, 4, mask);
5487 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
5488 tvb, offset-4, 4, mask);
5489 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
5490 tvb, offset-4, 4, mask);
5491 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
5492 tvb, offset-4, 4, mask);
5493 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
5494 tvb, offset-4, 4, mask);
5495 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
5496 tvb, offset-4, 4, mask);
5497 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
5498 tvb, offset-4, 4, mask);
5499 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
5500 tvb, offset-4, 4, mask);
5501 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
5502 tvb, offset-4, 4, mask);
5503 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
5504 tvb, offset-4, 4, mask);
/* Bit values of the DC flags word, followed by the set/clear display strings
 * for each bit. The macros are presumably the bitmasks of the
 * hf_netlogon_dc_flags_* fields; the field registration is not in this
 * listing. No macro is defined for bit 0x00000002.
 * NOTE(review): the line closing each initializer is absent, and the two
 * strings of dc_flags_ndnc_flag are missing from this listing.
 */
5511 #define DS_PDC_FLAG 0x00000001
5512 #define DS_GC_FLAG 0x00000004
5513 #define DS_LDAP_FLAG 0x00000008
5514 #define DS_DS_FLAG 0x00000010
5515 #define DS_KDC_FLAG 0x00000020
5516 #define DS_TIMESERV_FLAG 0x00000040
5517 #define DS_CLOSEST_FLAG 0x00000080
5518 #define DS_WRITABLE_FLAG 0x00000100
5519 #define DS_GOOD_TIMESERV_FLAG 0x00000200
5520 #define DS_NDNC_FLAG 0x00000400
5521 #define DS_DNS_CONTROLLER_FLAG 0x20000000
5522 #define DS_DNS_DOMAIN_FLAG 0x40000000
5523 #define DS_DNS_FOREST_FLAG 0x80000000
5524 static const true_false_string dc_flags_pdc_flag = {
5525 "this is the PDC of the domain",
5526 "this is NOT the pdc of the domain"
5528 static const true_false_string dc_flags_gc_flag = {
5529 "this is the GC of the forest",
5530 "this is NOT the gc of the forest"
5532 static const true_false_string dc_flags_ldap_flag = {
5533 "this is an LDAP server",
5534 "this is NOT an ldap server"
5536 static const true_false_string dc_flags_ds_flag = {
5537 "this is a DS server",
5538 "this is NOT a ds server"
5540 static const true_false_string dc_flags_kdc_flag = {
5541 "this is a KDC server",
5542 "this is NOT a kdc server"
5544 static const true_false_string dc_flags_timeserv_flag = {
5545 "this is a TIMESERV server",
5546 "this is NOT a timeserv server"
5548 static const true_false_string dc_flags_closest_flag = {
5549 "this is the CLOSEST server",
5550 "this is NOT the closest server"
5552 static const true_false_string dc_flags_writable_flag = {
5553 "this server has a WRITABLE ds database",
5554 "this server has a READ-ONLY ds database"
5556 static const true_false_string dc_flags_good_timeserv_flag = {
5557 "this server is a GOOD TIMESERV server",
5558 "this is NOT a good timeserv server"
5560 static const true_false_string dc_flags_ndnc_flag = {
5564 static const true_false_string dc_flags_dns_controller_flag = {
5565 "DomainControllerName is a DNS name",
5566 "DomainControllerName is NOT a dns name"
5568 static const true_false_string dc_flags_dns_domain_flag = {
5569 "DomainName is a DNS name",
5570 "DomainName is NOT a dns name"
5572 static const true_false_string dc_flags_dns_forest_flag = {
5573 "DnsForestName is a DNS name",
5574 "DnsForestName is NOT a dns name"
/* Dissect the 32-bit DC flags word and add one boolean field per flag under
 * a subtree of parent_tree.
 *
 * The summary item prints the raw value as 0x%08x and appends
 * " PING (mask==0x0000ffff)" when the word equals 0x0000ffff, so that value
 * stands out in the tree as a ping rather than a real flag combination.
 * NOTE(review): the return type, local declarations (mask, di), braces and
 * return statements are absent from this listing. item and tree start as
 * NULL, which suggests the tree calls sit behind a guard that is not shown.
 */
5577 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
5578 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5581 proto_item *item = NULL;
5582 proto_tree *tree = NULL;
5585 di=pinfo->private_data;
5586 if(di->conformant_run){
5587 /*just a run to handle conformant arrays, nothing to dissect */
/* NULL tree: fetch the flags value only; it is added to the tree below */
5591 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
5592 hf_netlogon_dc_flags, &mask);
/* offset has already moved past the word, hence offset-4 for every item */
5595 item = proto_tree_add_uint_format_value(parent_tree, hf_netlogon_dc_flags,
5596 tvb, offset-4, 4, mask, "0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
5597 tree = proto_item_add_subtree(item, ett_dc_flags);
5600 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
5601 tvb, offset-4, 4, mask);
5602 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
5603 tvb, offset-4, 4, mask);
5604 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
5605 tvb, offset-4, 4, mask);
5606 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
5607 tvb, offset-4, 4, mask);
5608 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
5609 tvb, offset-4, 4, mask);
5610 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
5611 tvb, offset-4, 4, mask);
5612 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
5613 tvb, offset-4, 4, mask);
5614 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
5615 tvb, offset-4, 4, mask);
5616 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
5617 tvb, offset-4, 4, mask);
5618 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
5619 tvb, offset-4, 4, mask);
5620 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
5621 tvb, offset-4, 4, mask);
5622 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
5623 tvb, offset-4, 4, mask);
5624 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
5625 tvb, offset-4, 4, mask);
/* Pointer-target callback: dissects one uint32 into tree under the header
 * field taken from di->hf_index (presumably set by the pointer dissector
 * from the hf argument of its caller; confirm).
 * NOTE(review): part of the parameter list, the declaration of di and the
 * return are absent from this listing; di is used without a NULL check.
 */
5633 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
5634 packet_info *pinfo, proto_tree *tree,
5639 di=pinfo->private_data;
5640 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
5641 di->hf_index, NULL);
/* Pointer-target callback: dissects one uint8 into tree under the header
 * field taken from di->hf_index (presumably set by the pointer dissector
 * from the hf argument of its caller; confirm).
 * NOTE(review): part of the parameter list, the declaration of di and the
 * return are absent from this listing; di is used without a NULL check.
 */
5646 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
5647 packet_info *pinfo, proto_tree *tree,
5652 di=pinfo->private_data;
5653 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5654 di->hf_index, NULL);
/* Element callback for the UNICODE_MULTI array: dissects one byte as
 * hf_netlogon_unknown_char. The rest of the signature and the return are
 * absent from this listing.
 */
5659 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
5660 packet_info *pinfo, proto_tree *tree,
5663 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5664 hf_netlogon_unknown_char, NULL);
/* Dissects a conformant array through dissect_ndr_ucarray, one element at a
 * time with netlogon_dissect_UNICODE_MULTI_byte. The element count comes
 * from the packet and is handled inside dissect_ndr_ucarray, not here.
 */
5670 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
5671 packet_info *pinfo, proto_tree *tree,
5674 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5675 netlogon_dissect_UNICODE_MULTI_byte);
/* Dissect a UNICODE_MULTI structure under its own subtree: a uint32 length
 * (hf_netlogon_len) followed by a unique pointer whose target is dissected
 * by netlogon_dissect_UNICODE_MULTI_array.
 *
 * The subtree item is created with length 0 and resized at the end to the
 * number of bytes consumed (offset - old_offset).
 * NOTE(review): the length field is only displayed; it is not stored or
 * compared with the array that follows. The subtree label, any guard around
 * the tree calls and the return are absent from this listing.
 */
5681 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
5682 packet_info *pinfo, proto_tree *parent_tree,
5685 proto_item *item=NULL;
5686 proto_tree *tree=NULL;
5687 int old_offset=offset;
5690 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5692 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
5695 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5696 hf_netlogon_len, NULL);
5698 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5699 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
5700 "unknown", hf_netlogon_unknown_string);
5702 proto_item_set_len(item, offset-old_offset);
/* Dissect a DOMAIN_CONTROLLER_INFO structure under its own subtree, in wire
 * order: DC name, DC address, address type, a GUID, logon domain, DNS forest
 * name, the DC flags word (netlogon_dissect_DC_FLAGS), DC site and client
 * site. All strings are unique pointers.
 *
 * The subtree item is created with length 0 and resized at the end to the
 * number of bytes consumed.
 * NOTE(review): the remaining arguments of the dissect_nt_GUID call, any
 * guard around the tree calls and the return are absent from this listing.
 */
5707 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
5708 packet_info *pinfo, proto_tree *parent_tree,
5711 proto_item *item=NULL;
5712 proto_tree *tree=NULL;
5713 int old_offset=offset;
5716 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5717 "DOMAIN_CONTROLLER_INFO:");
5718 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
5721 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5722 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
5724 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5725 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
5727 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5728 hf_netlogon_dc_address_type, NULL);
5730 offset = dissect_nt_GUID(tvb, offset,
5733 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5734 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
5736 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5737 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
5739 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
5741 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5742 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
5744 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5745 NDR_POINTER_UNIQUE, "Client Site",
5746 hf_netlogon_client_site_name, 0);
5748 proto_item_set_len(item, offset-old_offset);
/* Callback for the "Buffer" pointer set up by
 * dissect_ndr_ulongs_as_counted_string: dissects max, offset and len as
 * three uint32 values and, when max * 2 == 16, the trust flags, parent
 * index, trust type and trust attributes.
 *
 * NOTE(review): max and len come from the packet. If max is a 32-bit
 * unsigned (its declaration is not shown), max * 2 wraps, so 0x80000008
 * passes the test as well as 8; comparing max with 8 directly would avoid
 * that. len is stored but no use of it is visible here. Any other size is
 * apparently skipped without a note in the tree (see the "else" comment), so
 * an unexpected buffer is not flagged to the analyst.
 * Declarations, braces and return statements are absent from this listing.
 */
5755 dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
5756 packet_info *pinfo, proto_tree *tree,
5762 di=pinfo->private_data;
5763 if(di->conformant_run){
5766 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5767 hf_netlogon_trust_max, &max);
5769 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5770 hf_netlogon_trust_offset, NULL);
5772 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5773 hf_netlogon_trust_len, &len);
5775 if( max * 2 == 16 ) {
5776 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5778 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5779 hf_netlogon_trust_parent_index, NULL);
5781 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5782 hf_netlogon_trust_type, NULL);
5784 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, drep);
5786 /* else do something scream shout .... */
/* Dissect a size-prefixed blob: a uint32 size (hf_netlogon_blob_size) stored
 * in len, then len bytes at the new offset added as hf_netlogon_blob.
 *
 * NOTE(review): len is taken from the packet and used as the item length
 * with no visible range check, so this relies on the tvbuff and proto_tree
 * bounds checks to reject a length that runs past the captured data. The
 * lines that advance offset are not in this listing; confirm that a very
 * large len cannot wrap the signed offset, including when tree is NULL and
 * the add-item call may do no checking.
 */
5792 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
5793 packet_info *pinfo, proto_tree *tree,
5799 di=pinfo->private_data;
5800 if(di->conformant_run){
5804 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5805 hf_netlogon_blob_size, &len);
5807 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
/* Dissect a structure laid out like a counted string (uint16 len, uint16
 * size, unique pointer "Buffer") whose buffer is dissected by
 * dissect_ndr_trust_extension instead of as text.
 *
 * The subtree is labelled with the registered name of hf_index.
 * NOTE(review): len and size are read from the packet into locals, but no
 * comparison between them, or with the buffer the callback parses, is
 * visible. Line 5842 is the middle of an IDL comment whose delimiters are
 * absent from this listing, as are the guard using add_subtree, the body of
 * the conformant_run branch and the return.
 */
5814 dissect_ndr_ulongs_as_counted_string(tvbuff_t *tvb, int offset,
5815 packet_info *pinfo, proto_tree *tree,
5816 guint8 *drep, int hf_index)
5818 dcerpc_info *di = pinfo->private_data;
5820 gboolean add_subtree = TRUE; /* Manage room for evolution*/
5822 proto_tree *subtree = tree;
5826 item = proto_tree_add_text(
5827 tree, tvb, offset, 0, "%s",
5828 proto_registrar_get_name(hf_index));
5830 subtree = proto_item_add_subtree(item, ett_nt_counted_longs_as_string);
5832 /* Structure starts with short, but is aligned for longs */
5835 if (di->conformant_run)
5842 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
5847 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, drep,
5848 hf_nt_cs_len, &len);
5849 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, drep,
5850 hf_nt_cs_size, &size);
5851 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, subtree, drep,
5852 dissect_ndr_trust_extension, NDR_POINTER_UNIQUE,
5853 "Buffer", hf_index,NULL,NULL);
/* Forward declaration of the LSA dom_sid2 dissector, then the pointer-target
 * wrapper that calls it with the DomainInfo_sid field and a 0 parameter.
 * The _U_ (unused) markers are on parameters that the wrapper does pass on;
 * they only silence warnings. Return types and braces are absent from this
 * listing.
 */
5858 lsarpc_dissect_struct_dom_sid2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_, int unused1 _U_, int unused2 _U_);
5861 DomainInfo_sid_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
5863 offset = lsarpc_dissect_struct_dom_sid2(tvb,offset,pinfo,tree,drep,DomainInfo_sid,0);
/* Dissects the SID member of DnsDomainInfo as an embedded unique pointer
 * whose target is handled by DomainInfo_sid_.
 */
5868 dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb , int offset , packet_info *pinfo , proto_tree *tree , guint8 *drep )
5870 offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, drep, DomainInfo_sid_, NDR_POINTER_UNIQUE, "Pointer to Sid (dom_sid2)",DnsDomainInfo_sid);
/* Dissects the domain GUID member of DnsDomainInfo with dissect_ndr_uuid_t;
 * the parsed value is not kept (NULL output pointer).
 */
5875 dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep )
5877 offset = dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, DnsDomainInfo_domain_guid, NULL);
/* Dissect the DnsDomainInfo members inline, in wire order: name, DNS domain
 * and DNS forest (each an lsa_StringLarge), then the domain GUID and the SID
 * pointer. hf_index and param are accepted but unused.
 * Braces and the return are absent from this listing.
 */
5883 static int dissect_part_DnsDomainInfo(tvbuff_t *tvb , int offset, packet_info *pinfo, proto_tree *tree , guint8 *drep, int hf_index _U_, guint32 param _U_)
5886 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,drep,DnsDomainInfo_name,0);
5888 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,drep,DnsDomainInfo_dns_domain,0);
5890 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset,pinfo,tree,drep,DnsDomainInfo_dns_forest,0);
5892 offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo, tree, drep);
5894 offset = dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree, drep);
/* Dissect one domain-info entry under its own subtree: the DnsDomainInfo
 * part, the trust extension (shaped like a counted string but parsed as
 * integers), three counted dummy strings and four dummy uint32 values.
 *
 * The subtree item is created with length 0 and resized at the end to the
 * number of bytes consumed.
 * NOTE(review): the subtree label, any guard around the tree calls and the
 * return are absent from this listing.
 */
5902 netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5903 packet_info *pinfo, proto_tree *parent_tree,
5906 proto_item *item=NULL;
5907 proto_tree *tree=NULL;
5908 int old_offset=offset;
5911 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5913 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
5915 /*hf_netlogon_dnsdomaininfo*/
5916 offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, tree, drep, 0, 0);
5919 /* It is structed as a string but it's not ... it's 4 ulong */
5920 offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, tree, drep,
5921 hf_netlogon_trust_extention);
5923 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5924 hf_netlogon_dummy_string2, 0);
5926 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5927 hf_netlogon_dummy_string3, 0);
5929 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5930 hf_netlogon_dummy_string4, 0);
5932 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5933 hf_netlogon_dummy1_long, NULL);
5935 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5936 hf_netlogon_dummy2_long, NULL);
5938 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5939 hf_netlogon_dummy3_long, NULL);
5941 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5942 hf_netlogon_dummy4_long, NULL);
5944 proto_item_set_len(item, offset-old_offset);
/* Dissects a conformant array of domain-info entries through
 * dissect_ndr_ucarray, one netlogon_dissect_ONE_DOMAIN_INFO per element.
 * The element count comes from the packet and is handled inside
 * dissect_ndr_ucarray, not here.
 */
5949 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
5950 packet_info *pinfo, proto_tree *tree,
5953 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5954 netlogon_dissect_ONE_DOMAIN_INFO);
/* Dissect the LSA policy part under its own subtree: a uint32 length
 * (hf_netlogon_lsapolicy_len) stored in len, then a unique pointer whose
 * target is dissected by netlogon_dissect_BLOB_array.
 *
 * NOTE(review): len is stored but no later use is visible, and the blob
 * dissector reads its own size field, so the two lengths from the packet are
 * not visibly cross-checked. The subtree label, the end of the pointer call,
 * the body of the conformant_run branch and the return are absent from this
 * listing. The _U_ markers are on parameters that are in fact used.
 */
5961 netlogon_dissect_LSA_POLICY_INFO(tvbuff_t *tvb _U_, int offset,
5962 packet_info *pinfo _U_, proto_tree *tree _U_,
5965 proto_item *item=NULL;
5966 proto_tree *subtree=NULL;
5970 di=pinfo->private_data;
5971 if(di->conformant_run){
5976 item = proto_tree_add_text(tree, tvb, offset, 0,
5978 subtree = proto_item_add_subtree(item, ett_LSA_POLICY_INFO);
5980 offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, drep,
5981 hf_netlogon_lsapolicy_len, &len);
5983 offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, drep,
5984 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
/* Dissect a workstation-info structure in wire order: the LSA policy part,
 * workstation FQDN and site, four dummy string pointers, OS version and OS
 * name as counted strings, two more counted dummy strings, the workstation
 * flags and three dummy uint32 values.
 *
 * hf_netlogon_dummy_string3 and hf_netlogon_dummy_string4 are used both for
 * the "Dummy 3"/"Dummy 4" pointers and for the last two counted strings, so
 * a display filter on either field matches two places in this structure.
 * NOTE(review): the arguments of the LSA policy call, the end of the
 * author's comment and the return are absent from this listing.
 */
5994 netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb , int offset ,
5995 packet_info *pinfo , proto_tree *tree ,
5998 /* This is not the good way to do it ... it stinks ...
5999 * but after half of a day fighting against wireshark and ndr ...
6000 * I decided to keep this hack ...
6001 * At least data are correctly displayed without invented ints ...
6003 offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset,
6006 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6007 NDR_POINTER_UNIQUE, "Workstation FQDN",
6008 hf_netlogon_workstation_fqdn, 0);
6010 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6011 NDR_POINTER_UNIQUE, "Workstation Site",
6012 hf_netlogon_workstation_site_name, 0);
6014 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6015 NDR_POINTER_UNIQUE, "Dummy 1", hf_netlogon_dummy_string, 0);
6017 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6018 NDR_POINTER_UNIQUE, "Dummy 2", hf_netlogon_dummy_string2, 0);
6020 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6021 NDR_POINTER_UNIQUE, "Dummy 3", hf_netlogon_dummy_string3, 0);
6023 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6024 NDR_POINTER_UNIQUE, "Dummy 4", hf_netlogon_dummy_string4, 0);
6026 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6027 hf_netlogon_os_version, 0);
6029 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6030 hf_netlogon_workstation_os, 0);
6032 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6033 hf_netlogon_dummy_string3, 0);
6035 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6036 hf_netlogon_dummy_string4, 0);
6038 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6039 hf_netlogon_workstation_flags, NULL);
6041 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6042 hf_netlogon_dummy2_long, NULL);
6044 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6045 hf_netlogon_dummy3_long, NULL);
6047 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6048 hf_netlogon_dummy4_long, NULL);
/* Dissects a unique pointer labelled "WORKSTATION INFO" whose target is
 * handled by netlogon_dissect_WORKSTATION_INFO; -1 means no header field is
 * attached to the pointer itself.
 */
6053 netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb , int offset ,
6054 packet_info *pinfo , proto_tree *tree ,
6057 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6058 netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE,
6059 "WORKSTATION INFO", -1);
/* Dissect a domain-info reply structure in wire order: the primary domain
 * entry, the number of trusts, a unique pointer to the trusted-domain array,
 * the LSA policy part, the client DNS name, three counted dummy strings, the
 * workstation flags, the supported encryption types and two dummy uint32
 * values.
 *
 * NOTE(review): the trust count is only displayed (NULL output pointer); the
 * array dissector takes its element count from the array header, so the two
 * counts from the packet are not visibly compared. The block starting at
 * line 6078 is commented-out code whose terminator is absent from this
 * listing, as is the return.
 */
6063 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
6064 packet_info *pinfo, proto_tree *tree,
6067 offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
6069 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6070 hf_netlogon_num_trusts, NULL);
6072 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6073 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
6074 "DOMAIN_TRUST_ARRAY: Trusted domains", -1);
6076 offset = netlogon_dissect_LSA_POLICY_INFO(tvb,offset,pinfo, tree,drep);
6078 /* offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6079 hf_netlogon_num_trusts, NULL);
6081 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6082 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
6085 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6086 hf_netlogon_ad_client_dns_name, 0);
6088 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6089 hf_netlogon_dummy_string2, 0);
6091 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6092 hf_netlogon_dummy_string3, 0);
6094 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
6095 hf_netlogon_dummy_string4, 0);
6097 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6098 hf_netlogon_workstation_flags, NULL);
6100 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6101 hf_netlogon_supportedenctypes, NULL);
6103 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6104 hf_netlogon_dummy3_long, NULL);
6106 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6107 hf_netlogon_dummy4_long, NULL);
/* Dissects the level selector (uint32, stored in level) and a unique pointer
 * whose target is handled by netlogon_dissect_DOMAIN_INFO.
 * NOTE(review): level comes from the packet. The lines between the level
 * read and the pointer call, the pointer label and the return are absent
 * from this listing, so how other level values are treated cannot be seen.
 */
6114 netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t *tvb, int offset,
6115 packet_info *pinfo, proto_tree *tree,
6120 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6121 hf_netlogon_level, &level);
6126 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6127 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
/* Dissect a UNICODE_STRING_512 structure under its own subtree. The visible
 * calls add one uint16 (hf_netlogon_unknown_short) and one uint32
 * (hf_netlogon_unknown_long), then resize the subtree item to the number of
 * bytes consumed.
 * NOTE(review): the name suggests a repeated element, but any loop around
 * the uint16 call is absent from this listing, as is the return.
 */
6136 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
6137 packet_info *pinfo, proto_tree *parent_tree,
6140 proto_item *item=NULL;
6141 proto_tree *tree=NULL;
6142 int old_offset=offset;
6146 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6147 "UNICODE_STRING_512:");
6148 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
6152 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
6153 hf_netlogon_unknown_short, NULL);
6156 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6157 hf_netlogon_unknown_long, NULL);
6159 proto_item_set_len(item, offset-old_offset);
/* Element callback for netlogon_dissect_element_844_array: dissects one byte
 * as hf_netlogon_unknown_char.
 */
6164 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
6165 packet_info *pinfo, proto_tree *tree,
6168 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
6169 hf_netlogon_unknown_char, NULL);
/* Dissects a conformant array through dissect_ndr_ucarray, one byte per
 * element via netlogon_dissect_element_844_byte. The element count comes
 * from the packet and is handled inside dissect_ndr_ucarray.
 */
6175 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
6176 packet_info *pinfo, proto_tree *tree,
6179 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
6180 netlogon_dissect_element_844_byte);
/* Dissect a TYPE_50 structure (fields not yet identified) under its own
 * subtree: one uint32 and a unique pointer to a byte array handled by
 * netlogon_dissect_element_844_array. The subtree item is resized at the end
 * to the number of bytes consumed.
 * The subtree label and the return are absent from this listing.
 */
6186 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
6187 packet_info *pinfo, proto_tree *parent_tree,
6190 proto_item *item=NULL;
6191 proto_tree *tree=NULL;
6192 int old_offset=offset;
6195 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6197 tree = proto_item_add_subtree(item, ett_TYPE_50);
6200 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6201 hf_netlogon_unknown_long, NULL);
6203 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6204 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
6205 "unknown", hf_netlogon_unknown_string);
6207 proto_item_set_len(item, offset-old_offset);
/* Dissects a unique pointer whose target is handled by
 * netlogon_dissect_TYPE_50; -1 means no header field is attached to the
 * pointer itself.
 */
6212 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
6213 packet_info *pinfo, proto_tree *tree,
6216 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6217 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
6218 "TYPE_50 pointer: unknown_TYPE_50", -1);
/* Dissect one DS_DOMAIN_TRUSTS entry under its own subtree, in wire order:
 * NetBIOS name, DNS domain name, trust flags, parent index, trust type,
 * trust attributes, a SID pointer and a GUID. The subtree item is resized at
 * the end to the number of bytes consumed.
 *
 * NOTE(review): parent index and trust type are both stored in the same
 * local (tmp) and no use of the value is visible here. The declaration of
 * tmp, any guard around the tree calls and the return are absent from this
 * listing.
 */
6224 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
6225 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
6228 proto_item *item=NULL;
6229 proto_tree *tree=NULL;
6230 int old_offset=offset;
6233 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6234 "DS_DOMAIN_TRUSTS");
6235 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
6239 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6240 NDR_POINTER_UNIQUE, "NetBIOS Name",
6241 hf_netlogon_downlevel_domain_name, 0);
6244 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6245 NDR_POINTER_UNIQUE, "DNS Domain Name",
6246 hf_netlogon_dns_domain_name, 0);
6248 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
6250 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6251 hf_netlogon_trust_parent_index, &tmp);
6253 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6254 hf_netlogon_trust_type, &tmp);
6256 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, drep);
6259 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
6262 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
6264 proto_item_set_len(item, offset-old_offset);
/* Dissects a conformant array of DS_DOMAIN_TRUSTS entries through
 * dissect_ndr_ucarray. The element count comes from the packet and is
 * handled inside dissect_ndr_ucarray, not here.
 */
6269 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
6270 packet_info *pinfo, proto_tree *tree,
6273 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
6274 netlogon_dissect_DS_DOMAIN_TRUSTS);
/* Element callback for netlogon_dissect_element_865_array: dissects one byte
 * as hf_netlogon_unknown_char.
 */
6280 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
6281 packet_info *pinfo, proto_tree *tree,
6284 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
6285 hf_netlogon_unknown_char, NULL);
/* Dissects a conformant array through dissect_ndr_ucarray, one byte per
 * element via netlogon_dissect_element_865_byte. The element count comes
 * from the packet and is handled inside dissect_ndr_ucarray.
 */
6291 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
6292 packet_info *pinfo, proto_tree *tree,
6295 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
6296 netlogon_dissect_element_865_byte);
/* Element callback for netlogon_dissect_element_866_array: dissects one byte
 * as hf_netlogon_unknown_char.
 */
6302 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
6303 packet_info *pinfo, proto_tree *tree,
6306 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
6307 hf_netlogon_unknown_char, NULL);
/* Dissects a conformant array through dissect_ndr_ucarray, one byte per
 * element via netlogon_dissect_element_866_byte. The element count comes
 * from the packet and is handled inside dissect_ndr_ucarray.
 */
6313 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
6314 packet_info *pinfo, proto_tree *tree,
6317 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
6318 netlogon_dissect_element_866_byte);
/* Dissect a TYPE_52 structure (fields not yet identified) under its own
 * subtree: one uint32 and two unique pointers to byte arrays, handled by
 * netlogon_dissect_element_865_array and netlogon_dissect_element_866_array.
 * The subtree item is resized at the end to the number of bytes consumed.
 * The subtree label and the return are absent from this listing.
 */
6324 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
6325 packet_info *pinfo, proto_tree *parent_tree,
6328 proto_item *item=NULL;
6329 proto_tree *tree=NULL;
6330 int old_offset=offset;
6333 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6335 tree = proto_item_add_subtree(item, ett_TYPE_52);
6338 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6339 hf_netlogon_unknown_long, NULL);
6341 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6342 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
6343 "unknown", hf_netlogon_unknown_string);
6345 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6346 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
6347 "unknown", hf_netlogon_unknown_string);
6349 proto_item_set_len(item, offset-old_offset);
/* Dissects a unique pointer whose target is handled by
 * netlogon_dissect_TYPE_52; -1 means no header field is attached to the
 * pointer itself.
 */
6354 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
6355 packet_info *pinfo, proto_tree *tree,
6358 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6359 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
6360 "TYPE_52 pointer: unknown_TYPE_52", -1);
/* Dissect a TYPE_44 structure (fields not yet identified) under its own
 * subtree: a level selector stored in level, then a uint32 shown as
 * hf_netlogon_unknown_long. The subtree item is resized at the end to the
 * number of bytes consumed.
 * NOTE(review): level comes from the packet. The lines between the level
 * read and the uint32 call are absent from this listing, so how the level
 * value selects what follows cannot be seen; the subtree label and the
 * return are missing as well.
 */
6366 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
6367 packet_info *pinfo, proto_tree *parent_tree,
6370 proto_item *item=NULL;
6371 proto_tree *tree=NULL;
6372 int old_offset=offset;
6376 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
6378 tree = proto_item_add_subtree(item, ett_TYPE_44);
6381 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6382 hf_netlogon_level, &level);
6387 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6388 hf_netlogon_unknown_long, NULL);
6392 proto_item_set_len(item, offset-old_offset);
/* Dissects the level selector (uint32, stored in level) and then a unique
 * pointer handled by netlogon_dissect_WORKSTATION_INFORMATION. Both visible
 * pointer calls use the same target dissector and differ only in the label
 * ("LSA POLICY INFO" or "WORKSTATION INFORMATION").
 * NOTE(review): level comes from the packet. The branch statements that
 * choose between the two calls, the end of the author's comment and the
 * return are absent from this listing, so the handling of other level values
 * cannot be seen.
 */
6397 netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t *tvb, int offset,
6398 packet_info *pinfo, proto_tree *tree,
6403 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6404 hf_netlogon_level, &level);
6406 /* Specs are not very clear (as usual ...) it seems that the
6407 * structure in both case is a NETLOGON_WORKSTATION_INFO
6408 * but in this case only the LSA POLICY INFO will contain
6411 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6412 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
6413 "LSA POLICY INFO", -1);
6417 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6418 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
6419 "WORKSTATION INFORMATION", -1);}
/* Request dissector for netrenumeratetrusteddomains: the only visible field
 * is the server handle. The remaining arguments of that call and the return
 * are absent from this listing.
 */
6425 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
6426 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6428 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Reply dissector for netrenumeratetrusteddomains: a reference pointer to
 * the UNICODE_MULTI list of trusted domain names, then the status code shown
 * as hf_netlogon_dos_rc.
 */
6436 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
6437 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6439 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6440 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
6441 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
6443 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6444 hf_netlogon_dos_rc, NULL);
/* Request dissector for dsrgetdcname: server handle, domain name, unique
 * pointers to the domain GUID and site GUID, then the flags word.
 * The flags are shown here as a plain uint32 (hf_netlogon_flags); this
 * function does not call netlogon_dissect_GET_DCNAME_REQUEST_FLAGS, so the
 * individual request bits are not broken out.
 * The remaining arguments of the handle call and the return are absent from
 * this listing.
 */
6450 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
6451 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6453 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6456 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6457 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6459 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6460 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6461 "GUID pointer: domain_guid", -1);
6463 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6464 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6465 "GUID pointer: site_guid", -1);
6467 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6468 hf_netlogon_flags, NULL);
/* Reply dissector for dsrgetdcname: a unique pointer to the
 * DOMAIN_CONTROLLER_INFO structure, then the status code shown as
 * hf_netlogon_dos_rc.
 */
6475 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
6476 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6478 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6479 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6480 "DOMAIN_CONTROLLER_INFO:", -1);
6482 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6483 hf_netlogon_dos_rc, NULL);
/* Request dissector for netrlogondummyroutine1: server handle, an
 * unidentified string, the client credential (reference pointer to an
 * AUTHENTICATOR), the return authenticator (unique pointer) and an
 * unidentified uint32.
 * The remaining arguments of the handle call and the return are absent from
 * this listing.
 */
6489 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
6490 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6492 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6495 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6496 NDR_POINTER_UNIQUE, "unknown string",
6497 hf_netlogon_unknown_string, 0);
6499 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6500 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
6501 "AUTHENTICATOR: credential", -1);
6503 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6504 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6505 "AUTHENTICATOR: return_authenticator", -1);
6507 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6508 hf_netlogon_unknown_long, NULL);
/* Reply dissector for netrlogondummyroutine1: the return authenticator
 * (unique pointer), a unique pointer to a TYPE_44 structure and the status
 * code shown as hf_netlogon_rc.
 */
6515 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
6516 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6518 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6519 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
6520 "AUTHENTICATOR: return_authenticator", -1);
6522 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6523 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
6524 "TYPE_44 pointer: unknown_TYPE_44", -1);
6526 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6527 hf_netlogon_rc, NULL);
/* Request dissector for netrlogonsetservicebits: server handle followed by
 * two uint32 values, both shown as hf_netlogon_unknown_long (their meaning
 * is not identified here).
 * The remaining arguments of the handle call and the return are absent from
 * this listing.
 */
6533 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
6534 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6536 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6539 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6540 hf_netlogon_unknown_long, NULL);
6542 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6543 hf_netlogon_unknown_long, NULL);
/* Reply dissector for netrlogonsetservicebits: only the status code, shown
 * as hf_netlogon_rc.
 */
6550 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
6551 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6553 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6554 hf_netlogon_rc, NULL);
/* Request dissector for netrlogongettrustrid: server handle and one
 * unidentified string pointer.
 * The remaining arguments of the handle call and the return are absent from
 * this listing.
 */
6561 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
6562 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6564 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6567 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6568 NDR_POINTER_UNIQUE, "unknown string",
6569 hf_netlogon_unknown_string, 0);
/* Reply dissector for netrlogongettrustrid: a unique pointer to a uint32
 * (dissected by netlogon_dissect_pointer_long under
 * hf_netlogon_unknown_long) and the status code shown as hf_netlogon_rc.
 */
6576 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
6577 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6579 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6580 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6581 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6583 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6584 hf_netlogon_rc, NULL);
/* Request dissector for netrlogoncomputeserverdigest: server handle, an
 * unidentified uint32, a unique pointer to a byte array
 * (netlogon_dissect_BYTE_array) and another unidentified uint32.
 * NOTE(review): neither uint32 is stored, so if one of them is the length of
 * the byte array it is not compared with the array here; confirm against the
 * protocol definition.
 * The remaining arguments of the handle call and the return are absent from
 * this listing.
 */
6591 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
6592 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6594 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6597 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6598 hf_netlogon_unknown_long, NULL);
6600 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6601 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6602 "BYTE pointer: unknown_BYTE", -1);
6604 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6605 hf_netlogon_unknown_long, NULL);
/* Pointer-target callback used for the digest in the compute-digest replies.
 * The visible call dissects one byte as hf_netlogon_unknown_char.
 * NOTE(review): the name suggests 16 bytes, but the loop (if any) around the
 * call is absent from this listing, as is the return; presumably the count
 * is a fixed constant rather than a value from the packet. Confirm.
 */
6611 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
6612 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6617 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
6618 hf_netlogon_unknown_char, NULL);
/* Reply dissector for netrlogoncomputeserverdigest: a unique pointer to the
 * digest bytes (netlogon_dissect_BYTE_16_array) and the status code shown as
 * hf_netlogon_rc.
 */
6625 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
6626 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6628 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6629 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
6630 "BYTE pointer: unknown_BYTE", -1);
6632 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6633 hf_netlogon_rc, NULL);
/* Request dissector for netrlogoncomputeclientdigest: server handle, an
 * unidentified string pointer, a unique pointer to a byte array
 * (netlogon_dissect_BYTE_array) and an unidentified uint32.
 * NOTE(review): the uint32 is not stored, so if it is the length of the byte
 * array it is not compared with the array here; confirm against the protocol
 * definition.
 * The remaining arguments of the handle call and the return are absent from
 * this listing.
 */
6639 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
6640 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6642 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6645 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6646 NDR_POINTER_UNIQUE, "unknown string",
6647 hf_netlogon_unknown_string, 0);
6649 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6650 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
6651 "BYTE pointer: unknown_BYTE", -1);
6653 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6654 hf_netlogon_unknown_long, NULL);
/* NetrLogonComputeClientDigest reply: same layout as the server-digest
 * reply -- a unique pointer dissected with netlogon_dissect_BYTE_16_array,
 * then the NTSTATUS result as hf_netlogon_rc. */
6661 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
6662 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6664 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6665 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
6666 "BYTE pointer: unknown_BYTE", -1);
6668 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6669 hf_netlogon_rc, NULL);
/* Displays the NETLOGON negotiate flags.
 *
 * Adds the caller-supplied 32-bit flags value as hf_netlogon_neg_flags over
 * the 4 bytes at offset, opens a subtree (ett_authenticate_flags) under it and
 * adds one boolean row per flag bit; every row is given the whole flags word.
 * The function does not read tvb itself, so the caller must have fetched
 * flags from the same offset.
 *
 * NOTE(review): the hf_netlogon_neg_flags_80000000 row is commented out. A
 * stray comment terminator after the hf_netlogon_neg_flags_800000 row suggests
 * the rows from hf_netlogon_neg_flags_10000000 down to that one are also
 * inside a comment whose opener is not visible in this listing. If so, those
 * bits never appear in the tree. The AUTHENTICATE3 reply dissector branches
 * on NETLOGON_FLAG_STRONGKEY / NETLOGON_FLAG_USEAES, so an analyst checking
 * which protections were negotiated should confirm which rows are live.
 * The return value is not visible in this listing. */
6673 static int netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,guint32 flags,int offset)
6676 proto_tree *negotiate_flags_tree = NULL;
6677 proto_item *tf = NULL;
6678 tf = proto_tree_add_uint (tree,
6679 hf_netlogon_neg_flags,
6680 tvb, offset, 4,flags);
6681 negotiate_flags_tree = proto_item_add_subtree (tf,ett_authenticate_flags);
6683 /*proto_tree_add_boolean (negotiate_flags_tree,
6684 hf_netlogon_neg_flags_80000000,
6685 tvb, offset, 4, flags);*/
6686 proto_tree_add_boolean (negotiate_flags_tree,
6687 hf_netlogon_neg_flags_40000000,
6688 tvb, offset, 4, flags);
6689 proto_tree_add_boolean (negotiate_flags_tree,
6690 hf_netlogon_neg_flags_20000000,
6691 tvb, offset, 4, flags);
6693 proto_tree_add_boolean (negotiate_flags_tree,
6694 hf_netlogon_neg_flags_10000000,
6695 tvb, offset, 4, flags);
6696 proto_tree_add_boolean (negotiate_flags_tree,
6697 hf_netlogon_neg_flags_8000000,
6698 tvb, offset, 4, flags);
6699 proto_tree_add_boolean (negotiate_flags_tree,
6700 hf_netlogon_neg_flags_4000000,
6701 tvb, offset, 4, flags);
6702 proto_tree_add_boolean (negotiate_flags_tree,
6703 hf_netlogon_neg_flags_2000000,
6704 tvb, offset, 4, flags);
6705 proto_tree_add_boolean (negotiate_flags_tree,
6706 hf_netlogon_neg_flags_1000000,
6707 tvb, offset, 4, flags);
6708 proto_tree_add_boolean (negotiate_flags_tree,
6709 hf_netlogon_neg_flags_800000,
6710 tvb, offset, 4, flags);*/
6711 proto_tree_add_boolean (negotiate_flags_tree,
6712 hf_netlogon_neg_flags_400000,
6713 tvb, offset, 4, flags);
6714 proto_tree_add_boolean (negotiate_flags_tree,
6715 hf_netlogon_neg_flags_200000,
6716 tvb, offset, 4, flags);
6717 proto_tree_add_boolean (negotiate_flags_tree,
6718 hf_netlogon_neg_flags_100000,
6719 tvb, offset, 4, flags);
6720 proto_tree_add_boolean (negotiate_flags_tree,
6721 hf_netlogon_neg_flags_80000,
6722 tvb, offset, 4, flags);
6723 proto_tree_add_boolean (negotiate_flags_tree,
6724 hf_netlogon_neg_flags_40000,
6725 tvb, offset, 4, flags);
6726 proto_tree_add_boolean (negotiate_flags_tree,
6727 hf_netlogon_neg_flags_20000,
6728 tvb, offset, 4, flags);
6729 proto_tree_add_boolean (negotiate_flags_tree,
6730 hf_netlogon_neg_flags_10000,
6731 tvb, offset, 4, flags);
6732 proto_tree_add_boolean (negotiate_flags_tree,
6733 hf_netlogon_neg_flags_8000,
6734 tvb, offset, 4, flags);
6735 proto_tree_add_boolean (negotiate_flags_tree,
6736 hf_netlogon_neg_flags_4000,
6737 tvb, offset, 4, flags);
6738 proto_tree_add_boolean (negotiate_flags_tree,
6739 hf_netlogon_neg_flags_2000,
6740 tvb, offset, 4, flags);
6741 proto_tree_add_boolean (negotiate_flags_tree,
6742 hf_netlogon_neg_flags_1000,
6743 tvb, offset, 4, flags);
6744 proto_tree_add_boolean (negotiate_flags_tree,
6745 hf_netlogon_neg_flags_800,
6746 tvb, offset, 4, flags);
6747 proto_tree_add_boolean (negotiate_flags_tree,
6748 hf_netlogon_neg_flags_400,
6749 tvb, offset, 4, flags);
6750 proto_tree_add_boolean (negotiate_flags_tree,
6751 hf_netlogon_neg_flags_200,
6752 tvb, offset, 4, flags);
6753 proto_tree_add_boolean (negotiate_flags_tree,
6754 hf_netlogon_neg_flags_100,
6755 tvb, offset, 4, flags);
6756 proto_tree_add_boolean (negotiate_flags_tree,
6757 hf_netlogon_neg_flags_80,
6758 tvb, offset, 4, flags);
6759 proto_tree_add_boolean (negotiate_flags_tree,
6760 hf_netlogon_neg_flags_40,
6761 tvb, offset, 4, flags);
6762 proto_tree_add_boolean (negotiate_flags_tree,
6763 hf_netlogon_neg_flags_20,
6764 tvb, offset, 4, flags);
6765 proto_tree_add_boolean (negotiate_flags_tree,
6766 hf_netlogon_neg_flags_10,
6767 tvb, offset, 4, flags);
6768 proto_tree_add_boolean (negotiate_flags_tree,
6769 hf_netlogon_neg_flags_8,
6770 tvb, offset, 4, flags);
6771 proto_tree_add_boolean (negotiate_flags_tree,
6772 hf_netlogon_neg_flags_4,
6773 tvb, offset, 4, flags);
6774 proto_tree_add_boolean (negotiate_flags_tree,
6775 hf_netlogon_neg_flags_2,
6776 tvb, offset, 4, flags);
6777 proto_tree_add_boolean (negotiate_flags_tree,
6778 hf_netlogon_neg_flags_1,
6779 tvb, offset, 4, flags);
/* NetrServerAuthenticate3 request: LOGONSRV_HANDLE, account name (REF
 * string), secure channel type, computer name (REF string), the 8-byte
 * client credential (hf_client_credential), then the negotiate flags, which
 * are read with tvb_get_letohl and displayed by netlogon_dissect_neg_options.
 * seen.isseen is reset to FALSE afterwards.
 *
 * The dissect_ndr_pointer call for "Client Challenge" ends in a comment
 * terminator, so it is presumably an older, disabled variant whose comment
 * opener is not visible in this listing; the dissect_ndr_uint32 flags call
 * is commented out in favour of the explicit read.
 * NOTE(review): the flags are read as little-endian without consulting drep,
 * and the step that advances offset past them is not visible here --
 * confirm against the full file. */
6784 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
6785 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6788 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6790 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6791 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
6793 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
6796 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6797 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
6799 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
6800 hf_client_credential, NULL);
6802 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6803 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
6804 "Client Challenge", -1);*/
6806 /*offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6807 hf_netlogon_neg_flags, NULL);*/
6810 flags = tvb_get_letohl (tvb, offset);
6811 netlogon_dissect_neg_options(tvb,tree,flags,offset);
6812 seen.isseen = FALSE;
/* Builds an array of candidate 16-byte secrets from the Kerberos keytab
 * configured in the preferences and hands it back through p_pass_list.
 *
 * With HAVE_KERBEROS: reloads the keytab, walks enc_key_list once to size
 * the array (entries whose keylength is 16 -- presumably counted in nb_pass;
 * the increment is not visible in this listing), allocates
 * nb_pass * sizeof(md4_pass) with ep_alloc, then walks the list again and
 * copies each matching keyvalue into pass_list[i].md4.
 * The assignment of NULL to *p_pass_list is presumably the branch taken
 * without Kerberos support. The returned count is not visible here.
 *
 * NOTE(review): entries are selected by length only -- keytype appears only
 * in the commented-out debug line -- so any 16-byte key is treated as an MD4
 * password hash; confirm that is intended.
 * NOTE(review): the copied bytes are long-term account secrets. Nothing
 * visible here clears them after use, so they live as long as the ep_alloc
 * buffer does. */
6818 static guint32 get_keytab_as_list(md4_pass **p_pass_list)
6820 #ifdef HAVE_KERBEROS
6822 md4_pass* pass_list;
6824 guint32 nb_pass = 0;
6830 read_keytab_file_from_preferences();
6832 for(ek=enc_key_list;ek;ek=ek->next){
6833 if( ek->keylength == 16 ) {
6837 *p_pass_list = ep_alloc(nb_pass*sizeof(md4_pass));
6838 pass_list=*p_pass_list;
6840 for(ek=enc_key_list;ek;ek=ek->next){
6841 /*debugprintf("Type %x, len %d, orig: %s\n",ek->keytype,ek->keylength,ek->key_origin);*/
6842 if( ek->keylength == 16 ) {
6843 memcpy(pass_list[i].md4,ek->keyvalue,16);
6849 *p_pass_list = NULL;
/* NetrServerAuthenticate3 reply: dissects the 8-byte server credential,
 * the negotiate flags, the server RID and the NTSTATUS result, then tries to
 * recover the NETLOGON session key so later traffic can be decrypted.
 *
 * Key recovery as far as this listing shows it:
 *  - the saved authentication state is looked up in netlogon_auths;
 *  - candidate secrets come from get_keytab_as_list();
 *  - with NETLOGON_FLAG_STRONGKEY, each candidate is run through the MD5 /
 *    HMAC-MD5 / DES-ECB steps below and the result is compared with the
 *    server credential taken from the packet;
 *  - with NETLOGON_FLAG_USEAES, and in one further branch, session_key is
 *    only zeroed;
 *  - vars->session_key receives either the matching key or zeros.
 * The control flow joining these steps (braces, else branches, the found
 * flag) is not visible in this listing.
 *
 * NOTE(review): the challenges and credentials are fed to the hash and DES
 * calls through casts of their in-memory representation; presumably this
 * assumes host byte order matches the wire order -- confirm.
 * NOTE(review): printnbyte and debugprintf output credential and key
 * material when the debug variants of those macros are compiled in; keep
 * debug builds and their stderr away from shared logs. */
6855 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
6856 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6859 netlogon_auth_vars *vars;
6860 netlogon_auth_key key;
6861 guint64 server_cred;
6863 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
6864 hf_server_credential, &server_cred);
6866 flags = tvb_get_letohl (tvb, offset);
6867 netlogon_dissect_neg_options(tvb,tree,flags,offset);
6871 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
6872 hf_server_rid, NULL);
6874 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6875 hf_netlogon_rc, NULL);
/* Look up the state saved for this authentication exchange. */
6877 generate_hash_key(pinfo,1,&key,NULL);
6879 vars = g_hash_table_lookup(netlogon_auths, &key);
/* Skip entries whose next_start lies before the current frame number;
 * the statement that advances vars is not visible in this listing. */
6881 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->fd->num ) {
6882 debugprintf("looping auth reply...\n");
6886 debugprintf("Something strange happened while searching for authenticate_reply\n");
6889 md4_pass *pass_list=NULL;
6890 guint32 list_size = 0;
6891 guint8 session_key[16];
6896 vars->flags = flags;
6897 vars->can_decrypt = FALSE;
/* Candidate secrets come from the user-configured keytab. */
6898 list_size = get_keytab_as_list(&pass_list);
6899 debugprintf("Found %d passwords \n",list_size);
6900 if( flags & NETLOGON_FLAG_STRONGKEY ) {
6903 md5_state_t md5state;
6905 guint64 calculated_cred;
/* MD5 over 4 bytes from the buffer named zeros, then the 8-byte client
 * challenge and the 8-byte server challenge. */
6909 md5_init(&md5state);
6910 md5_append(&md5state,zeros,4);
6911 md5_append(&md5state,(unsigned char*)&vars->client_challenge,8);
6912 md5_append(&md5state,(unsigned char*)&vars->server_challenge,8);
6913 md5_finish(&md5state,md5);
6914 /*printnbyte(md5,8,"MD5:","\n");*/
6915 printnbyte((guint8*)&server_cred,8,"Server creds:","\n");
6916 for(i=0;i<list_size;i++)
6918 password = pass_list[i];
/* Candidate session key = HMAC-MD5 of the digest, keyed with the 16-byte
 * candidate secret. */
6919 md5_hmac(md5,16,(guint8*) &password,16,session_key);
/* Recompute the server credential from the server challenge with two
 * DES-ECB passes keyed from session_key and session_key+7, then compare it
 * with the credential seen on the wire. */
6920 crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key,1);
6921 crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7,1);
6922 /*printnbyte((guint8*)&calculated_cred,8,"Calculated creds:","\n");*/
6923 if(calculated_cred==server_cred) {
/* NOTE(review): only zeroing of session_key is visible for the AES case and
 * for the following branch; presumably neither derivation is implemented in
 * this version -- confirm. */
6929 else if( flags&NETLOGON_FLAG_USEAES)
6932 memset(session_key,0,16);
6937 memset(session_key,0,16);
6940 memcpy(&vars->session_key,session_key,16);
6941 debugprintf("Found the good session key !\n");
6944 memset(&vars->session_key,0,16);
/* DsrGetDcNameEx request: LOGONSRV_HANDLE, domain name (unique string),
 * domain GUID (unique pointer), site name (unique string) and the
 * GET_DCNAME request flags. */
6952 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
6953 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6955 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6958 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6959 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6961 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6962 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6963 "GUID pointer: domain_guid", -1);
6965 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6966 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
6968 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
/* DsrGetDcNameEx reply: unique pointer to a DOMAIN_CONTROLLER_INFO
 * structure, then the NTSTATUS result as hf_netlogon_rc. */
6975 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
6976 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6978 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6979 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
6980 "DOMAIN_CONTROLLER_INFO:", -1);
6982 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6983 hf_netlogon_rc, NULL);
/* DsrGetSiteName request: the only field visible in this listing is the
 * LOGONSRV_HANDLE. */
6989 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
6990 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6992 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* DsrGetSiteName reply: the site name, dissected as a unique pointer to a
 * wide-character string with cb_wstr_postprocess as the callback, then the
 * status shown as hf_netlogon_dos_rc (not hf_netlogon_rc as in most replies).
 * The author's own note below flags the pointer type as a guess. */
7000 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
7001 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7004 /* XXX hmmm this does not really look like a UNIQUE pointer but
7005 will do for now. I think it is really a 32bit integer followed by
7006 a REF pointer to a unicode string */
7007 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
7008 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
7009 hf_netlogon_site_name, cb_wstr_postprocess,
7010 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
7012 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7013 hf_netlogon_dos_rc, NULL);
/* NetrLogonGetDomainInfo request: the server name as a REF string (labelled
 * "Server Handle" but shown under hf_netlogon_computer_name), the computer
 * name (unique string), the client AUTHENTICATOR, the return AUTHENTICATOR
 * and the WORKSTATION_BUFFER, the last three as REF pointers. */
7019 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
7020 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7022 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
7023 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7024 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
7025 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7026 NDR_POINTER_UNIQUE, "Computer Name",
7027 hf_netlogon_computer_name, 0);
7029 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7030 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7031 "AUTHENTICATOR: client", -1);
7033 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7034 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7035 "AUTHENTICATOR: return_authenticator", -1);
7036 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7037 netlogon_dissect_WORKSTATION_BUFFER, NDR_POINTER_REF,
7038 "WORKSTATION_BUFFER", -1);
/* NetrLogonGetDomainInfo reply: the return AUTHENTICATOR and the
 * DOMAIN_INFORMATION structure (both REF pointers), then the NTSTATUS result
 * as hf_netlogon_rc. */
7044 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
7045 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7047 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7048 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7049 "AUTHENTICATOR: return_authenticator", -1);
7051 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7052 netlogon_dissect_DOMAIN_INFORMATION, NDR_POINTER_REF,
7053 "DOMAIN_INFORMATION", -1);
7055 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7056 hf_netlogon_rc, NULL);
/* NetrServerPasswordSet2 request: LOGONSRV_HANDLE, an undecoded string, an
 * undecoded 16-bit value, a second undecoded string, the credential
 * AUTHENTICATOR (REF pointer) and a UNICODE_STRING_512 block.
 * NOTE(review): the UNICODE_STRING_512 block presumably carries the new
 * password buffer for the account; captures containing this call should be
 * handled as credential material -- confirm against the protocol
 * specification. */
7062 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
7063 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7065 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7068 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7069 NDR_POINTER_UNIQUE, "unknown string",
7070 hf_netlogon_unknown_string, 0);
7072 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
7073 hf_netlogon_unknown_short, NULL);
7075 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7076 NDR_POINTER_UNIQUE, "unknown string",
7077 hf_netlogon_unknown_string, 0);
7079 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7080 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7081 "AUTHENTICATOR: credential", -1);
7083 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
/* NetrServerPasswordSet2 reply: the return AUTHENTICATOR (dissected here as
 * a unique pointer), then the NTSTATUS result as hf_netlogon_rc. */
7091 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
7092 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7094 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7095 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
7096 "AUTHENTICATOR: return_authenticator", -1);
7098 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7099 hf_netlogon_rc, NULL);
/* NetrServerPasswordGet request: LOGONSRV_HANDLE, account name (unique
 * string), secure channel type, computer name (unique string) and the
 * credential AUTHENTICATOR (REF pointer). */
7105 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
7106 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7108 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7111 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7112 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
7114 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
7117 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7118 NDR_POINTER_UNIQUE, "Computer Name",
7119 hf_netlogon_computer_name, 0);
7121 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7122 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7123 "AUTHENTICATOR: credential", -1);
/* NetrServerPasswordGet reply: the return AUTHENTICATOR, then the password
 * blob dissected by netlogon_dissect_LM_OWF_PASSWORD (label "server_pwd"),
 * then the NTSTATUS result as hf_netlogon_rc.
 * NOTE(review): the second field is password-derived material for the
 * requested account; captures containing this reply should be stored and
 * shared as credential data. Whether the blob is protected on the wire is
 * not visible from this code. */
7130 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
7131 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7133 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7134 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7135 "AUTHENTICATOR: return_authenticator", -1);
7137 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7138 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
7139 "LM_OWF_PASSWORD pointer: server_pwd", -1);
7141 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7142 hf_netlogon_rc, NULL);
/* NetrLogonSendToSam request: LOGONSRV_HANDLE, an undecoded string, the
 * credential AUTHENTICATOR (REF pointer), a unique pointer to a BYTE array
 * and an undecoded 32-bit value shown as hf_netlogon_unknown_long. */
7148 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
7149 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7151 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7154 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7155 NDR_POINTER_UNIQUE, "unknown string",
7156 hf_netlogon_unknown_string, 0);
7158 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7159 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
7160 "AUTHENTICATOR: credential", -1);
7162 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7163 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7164 "BYTE pointer: unknown_BYTE", -1);
7166 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7167 hf_netlogon_unknown_long, NULL);
/* NetrLogonSendToSam reply: the return AUTHENTICATOR (unique pointer), then
 * the NTSTATUS result as hf_netlogon_rc. */
7174 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
7175 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7177 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7178 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
7179 "AUTHENTICATOR: return_authenticator", -1);
7181 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7182 hf_netlogon_rc, NULL);
/* Request half of the DsrAddressToSiteNamesW pair: LOGONSRV_HANDLE, an
 * undecoded 32-bit value and a unique pointer to a BYTE array. Neither field
 * is interpreted; both use the generic "unknown" display fields. */
7188 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
7189 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7191 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7194 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7195 hf_netlogon_unknown_long, NULL);
7197 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7198 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7199 "BYTE pointer: unknown_BYTE", -1);
/* Reply half of the DsrAddressToSiteNamesW pair: a unique pointer dissected
 * by netlogon_dissect_TYPE_50_ptr (structure not yet named), then the
 * NTSTATUS result as hf_netlogon_rc. */
7206 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
7207 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7209 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7210 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
7211 "TYPE_50** pointer: unknown_TYPE_50", -1);
7213 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7214 hf_netlogon_rc, NULL);
/* Request half of the DsrGetDcNameEx2 pair: LOGONSRV_HANDLE, client account
 * name, an undecoded 32-bit value, a second string, the domain GUID, the
 * client site name and a final undecoded 32-bit value.
 * NOTE(review): the second string is labelled "Client Account" again but is
 * stored in hf_netlogon_logon_dom, so the label looks like a copy/paste of
 * the first one and the field is presumably the domain name -- confirm
 * before relying on the label when reading a capture. */
7220 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
7221 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7223 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7226 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7227 NDR_POINTER_UNIQUE, "Client Account",
7228 hf_netlogon_acct_name, 0);
7230 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7231 hf_netlogon_unknown_long, NULL);
7233 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7234 NDR_POINTER_UNIQUE, "Client Account",
7235 hf_netlogon_logon_dom, 0);
7237 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7238 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7239 "Domain GUID:", -1);
7241 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7242 NDR_POINTER_UNIQUE, "Client Site",
7243 hf_netlogon_site_name, 0);
7245 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7246 hf_netlogon_unknown_long, NULL);
/* Reply half of the DsrGetDcNameEx2 pair: unique pointer to a
 * DOMAIN_CONTROLLER_INFO structure, then the status shown as
 * hf_netlogon_dos_rc (DsrGetDcNameEx uses hf_netlogon_rc for the same slot). */
7253 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
7254 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7256 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7257 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
7258 "DOMAIN_CONTROLLER_INFO:", -1);
7260 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7261 hf_netlogon_dos_rc, NULL);
/* Request half of the NetrLogonGetTimeServiceParentDomain pair: the only
 * field visible in this listing is the LOGONSRV_HANDLE. */
7267 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
7268 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7270 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Reply half of the NetrLogonGetTimeServiceParentDomain pair: an undecoded
 * unique-pointer string, a unique pointer dissected by
 * netlogon_dissect_pointer_long, then the NTSTATUS result as hf_netlogon_rc. */
7278 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
7279 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7281 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7282 NDR_POINTER_UNIQUE, "unknown string",
7283 hf_netlogon_unknown_string, 0);
7285 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7286 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7287 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7289 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7290 hf_netlogon_rc, NULL);
/* Request half of the NetrEnumerateTrustedDomainsEx pair: the only field
 * visible in this listing is the LOGONSRV_HANDLE. */
7296 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
7297 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7299 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Reply half of the NetrEnumerateTrustedDomainsEx pair: the entry count
 * (hf_netlogon_entries), a unique pointer to the DS_DOMAIN_TRUSTS array,
 * then the NTSTATUS result as hf_netlogon_rc. The count is only displayed
 * here; it is not captured (NULL out-parameter) or used to bound the array
 * in this function. */
7306 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
7307 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7309 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7310 hf_netlogon_entries, NULL);
7312 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7313 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
7314 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
7316 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7317 hf_netlogon_rc, NULL);
/* Request half of the DsrAddressToSiteNamesExW pair: LOGONSRV_HANDLE, an
 * undecoded 32-bit value and a unique pointer to a BYTE array -- the same
 * visible layout as the DsrAddressToSiteNamesW request. */
7323 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
7324 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7326 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7329 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7330 hf_netlogon_unknown_long, NULL);
7332 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7333 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
7334 "BYTE pointer: unknown_BYTE", -1);
/* Reply half of the DsrAddressToSiteNamesExW pair: a unique pointer
 * dissected by netlogon_dissect_TYPE_52_ptr (structure not yet named), then
 * the NTSTATUS result as hf_netlogon_rc. */
7341 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
7342 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7344 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7345 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
7346 "TYPE_52 pointer: unknown_TYPE_52", -1);
7348 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7349 hf_netlogon_rc, NULL);
/* Dissects one site-name element as a counted string shown under
 * hf_netlogon_site_name, with cb_wstr_postprocess as the callback. Used as
 * the per-element routine by netlogon_dissect_site_name_array. */
7356 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
7357 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7359 offset = dissect_ndr_counted_string_cb(
7360 tvb, offset, pinfo, tree, drep, hf_netlogon_site_name,
7361 cb_wstr_postprocess,
7362 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
/* Dissects the array of site names by handing
 * netlogon_dissect_site_name_item to dissect_ndr_ucarray as the element
 * routine. Array length handling is left to dissect_ndr_ucarray. */
7367 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
7368 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7370 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
7371 netlogon_dissect_site_name_item);
/* Dissects the site-names container: a 32-bit count (hf_netlogon_count)
 * followed by a unique pointer to the site-name array. The count is only
 * displayed; it is not captured (NULL out-parameter) in this function. */
7377 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
7378 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7380 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7381 hf_netlogon_count, NULL);
7383 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7384 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
7385 "Site name array", -1);
/* Request half of the DsrGetDcSiteCoverageW pair: the only field visible in
 * this listing is the LOGONSRV_HANDLE. */
7391 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
7392 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7394 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Reply half of the DsrGetDcSiteCoverageW pair: a unique pointer dissected
 * by netlogon_dissect_site_names, then the NTSTATUS result as hf_netlogon_rc.
 * The remaining arguments of the pointer call (its label) are not visible in
 * this listing. */
7402 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
7403 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7405 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7406 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
7409 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7410 hf_netlogon_rc, NULL);
/* Request half of the NetrLogonSamLogonEx pair: logon server name, computer
 * name, the 16-bit logon level, the LEVEL union (REF pointer), the 16-bit
 * validation level and the EXTRA_FLAGS word.
 *
 * The calls after EXTRA_FLAGS (two "unknown string" items, the uint16 values
 * and the further LEVEL / ULONG pointers) end in a comment terminator, so
 * they are presumably an older layout left commented out; the comment opener
 * is not visible in this listing.
 * NOTE(review): the LEVEL union presumably carries the user's logon
 * credentials, so captures of this call should be handled as credential
 * material -- confirm against netlogon_dissect_LEVEL. */
7416 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
7417 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7420 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7421 NDR_POINTER_UNIQUE, "LogonServer",
7422 hf_netlogon_computer_name, 0);
7423 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7424 NDR_POINTER_UNIQUE, "Computer Name",
7425 hf_netlogon_computer_name, 0);
7426 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
7427 hf_netlogon_level16, NULL);
7428 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7429 netlogon_dissect_LEVEL, NDR_POINTER_REF,
7430 "LEVEL: LogonLevel", -1);
7432 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
7433 hf_netlogon_validation_level, NULL);
7435 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, drep);
7438 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7439 NDR_POINTER_UNIQUE, "unknown string",
7440 hf_netlogon_unknown_string, 0);
7442 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7443 NDR_POINTER_UNIQUE, "unknown string",
7444 hf_netlogon_unknown_string, 0);
7446 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
7447 hf_netlogon_unknown_short, NULL);
7449 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7450 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
7451 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
7453 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
7454 hf_netlogon_unknown_short, NULL);
7456 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7457 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7458 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);*/
/* Reply half of the NetrLogonSamLogonEx pair: the VALIDATION union (REF
 * pointer), the one-byte authoritative flag, the EXTRA_FLAGS word and the
 * NTSTATUS result as hf_netlogon_rc.
 *
 * NOTE(review): a second group of calls follows (another VALIDATION pointer,
 * BOOLEAN and ULONG pointers and a second NTSTATUS). It repeats the fields
 * above in the older "unknown" form, so it is presumably disabled by a
 * comment or preprocessor guard that is not visible in this listing --
 * confirm, since dissecting both groups would read past the real reply. */
7464 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
7465 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7467 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7468 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
7471 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
7472 hf_netlogon_authoritative, NULL);
7474 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, drep);
7476 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7477 hf_netlogon_rc, NULL);
7479 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7480 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
7481 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
7483 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7484 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
7485 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
7487 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7488 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
7489 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7491 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7492 hf_netlogon_rc, NULL);
/* Request half of the DsrEnumerateDomainTrusts pair: LOGONSRV_HANDLE
 * followed by the DOMAIN_TRUST_FLAGS word. */
7499 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
7500 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7502 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7505 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
/* Reply half of the DsrEnumerateDomainTrusts pair: the entry count
 * (hf_netlogon_entries), a unique pointer to the DS_DOMAIN_TRUSTS array,
 * then the status shown as hf_netlogon_dos_rc. The count is only displayed;
 * it is not captured (NULL out-parameter) in this function. */
7512 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
7513 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7515 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
7516 hf_netlogon_entries, NULL);
7518 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7519 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
7520 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
7522 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7523 hf_netlogon_dos_rc, NULL);
/* Request half of the DsrDeregisterDnsHostRecords pair: LOGONSRV_HANDLE,
 * domain name (unique string), domain GUID and DSA GUID (unique pointers),
 * then the DNS host name as a REF string (hf_netlogon_dns_host). */
7529 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
7530 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7532 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7535 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7536 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
7538 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7539 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7540 "GUID pointer: domain_guid", -1);
7542 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
7543 dissect_nt_GUID, NDR_POINTER_UNIQUE,
7544 "GUID pointer: dsa_guid", -1);
7546 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
7547 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
/* Reply half of the DsrDeregisterDnsHostRecords pair: only the NTSTATUS
 * result, shown as hf_netlogon_rc. */
7554 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
7555 packet_info *pinfo, proto_tree *tree, guint8 *drep)
7557 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
7558 hf_netlogon_rc, NULL);
7563 /* Dissect secure channel stuff */
/* Field ids (hf_*) and subtree ids (ett_*) used by the secure-channel bind
 * and bind-ack credential dissectors below. All start at -1; presumably they
 * receive real values when the protocol is registered, outside this view. */
7565 static int hf_netlogon_secchan_bind_unknown1 = -1;
7566 static int hf_netlogon_secchan_bind_unknown2 = -1;
7567 static int hf_netlogon_secchan_domain = -1;
7568 static int hf_netlogon_secchan_host = -1;
7569 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
7570 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
7571 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
7573 static gint ett_secchan_verf = -1;
7574 static gint ett_secchan_bind_creds = -1;
7575 static gint ett_secchan_bind_ack_creds = -1;
/* Dissects the credentials blob sent in a secure-channel bind: two undecoded
 * 32-bit values, then two strings shown as the domain and the host name.
 *
 * The fields are read with dissect_dcerpc_uint32 and raw tvb accessors
 * rather than the NDR helpers; the author's comment below gives the reason.
 * Each string length comes from tvb_strsize at the current offset, i.e. from
 * the position of the terminator in the packet itself, and that length is
 * passed straight to proto_tree_add_item. tvb_strsize is expected to raise a
 * dissector exception, not read out of bounds, when no terminator is present,
 * so no separate length check appears here. The statements that advance
 * offset past each string are not visible in this listing. */
7577 static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
7579 proto_tree *tree, guint8 *drep)
7581 proto_item *item = NULL;
7582 proto_tree *subtree = NULL;
7586 item = proto_tree_add_text(
7587 tree, tvb, offset, -1,
7588 "Secure Channel Bind Credentials");
7589 subtree = proto_item_add_subtree(
7590 item, ett_secchan_bind_creds);
7593 /* We can't use the NDR routines as the DCERPC call data hasn't
7594 been initialised since we haven't made a DCERPC call yet, just
7597 offset = dissect_dcerpc_uint32(
7598 tvb, offset, pinfo, subtree, drep,
7599 hf_netlogon_secchan_bind_unknown1, NULL);
7601 offset = dissect_dcerpc_uint32(
7602 tvb, offset, pinfo, subtree, drep,
7603 hf_netlogon_secchan_bind_unknown2, NULL);
7605 len = tvb_strsize(tvb, offset);
7607 proto_tree_add_item(
7608 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
7612 len = tvb_strsize(tvb, offset);
7614 proto_tree_add_item(
7615 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
/* Dissects the credentials blob returned in a secure-channel bind ack: a
 * text item "Secure Channel Bind ACK Credentials" with a subtree
 * (ett_secchan_bind_ack_creds) holding three undecoded 32-bit values.
 * As in the bind case, dissect_dcerpc_uint32 is used instead of the NDR
 * helpers. */
7622 static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
7624 proto_tree *tree, guint8 *drep)
7626 proto_item *item = NULL;
7627 proto_tree *subtree = NULL;
7630 item = proto_tree_add_text(
7631 tree, tvb, offset, -1,
7632 "Secure Channel Bind ACK Credentials");
7633 subtree = proto_item_add_subtree(
7634 item, ett_secchan_bind_ack_creds);
7637 /* Don't use NDR routines here */
7639 offset = dissect_dcerpc_uint32(
7640 tvb, offset, pinfo, subtree, drep,
7641 hf_netlogon_secchan_bind_ack_unknown1, NULL);
7643 offset = dissect_dcerpc_uint32(
7644 tvb, offset, pinfo, subtree, drep,
7645 hf_netlogon_secchan_bind_ack_unknown2, NULL);
7647 offset = dissect_dcerpc_uint32(
7648 tvb, offset, pinfo, subtree, drep,
7649 hf_netlogon_secchan_bind_ack_unknown3, NULL);
7656 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
7657 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
7658 netlogon_dissect_netrlogonuaslogon_rqst,
7659 netlogon_dissect_netrlogonuaslogon_reply },
7660 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
7661 netlogon_dissect_netrlogonuaslogoff_rqst,
7662 netlogon_dissect_netrlogonuaslogoff_reply },
7663 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
7664 netlogon_dissect_netrlogonsamlogon_rqst,
7665 netlogon_dissect_netrlogonsamlogon_reply },
7666 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
7667 netlogon_dissect_netrlogonsamlogoff_rqst,
7668 netlogon_dissect_netrlogonsamlogoff_reply },
7669 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
7670 netlogon_dissect_netrserverreqchallenge_rqst,
7671 netlogon_dissect_netrserverreqchallenge_reply },
7672 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
7673 netlogon_dissect_netrserverauthenticate_rqst,
7674 netlogon_dissect_netrserverauthenticate_reply },
7675 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
7676 netlogon_dissect_netrserverpasswordset_rqst,
7677 netlogon_dissect_netrserverpasswordset_reply },
7678 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
7679 netlogon_dissect_netrdatabasedeltas_rqst,
7680 netlogon_dissect_netrdatabasedeltas_reply },
7681 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
7682 netlogon_dissect_netrdatabasesync_rqst,
7683 netlogon_dissect_netrdatabasesync_reply },
7684 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
7685 netlogon_dissect_netraccountdeltas_rqst,
7686 netlogon_dissect_netraccountdeltas_reply },
7687 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
7688 netlogon_dissect_netraccountsync_rqst,
7689 netlogon_dissect_netraccountsync_reply },
7690 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
7691 netlogon_dissect_netrgetdcname_rqst,
7692 netlogon_dissect_netrgetdcname_reply },
7693 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
7694 netlogon_dissect_netrlogoncontrol_rqst,
7695 netlogon_dissect_netrlogoncontrol_reply },
7696 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
7697 netlogon_dissect_netrgetanydcname_rqst,
7698 netlogon_dissect_netrgetanydcname_reply },
7699 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
7700 netlogon_dissect_netrlogoncontrol2_rqst,
7701 netlogon_dissect_netrlogoncontrol2_reply },
7702 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
7703 netlogon_dissect_netrserverauthenticate2_rqst,
7704 netlogon_dissect_netrserverauthenticate2_reply },
7705 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
7706 netlogon_dissect_netrdatabasesync2_rqst,
7707 netlogon_dissect_netrdatabasesync2_reply },
7708 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
7709 netlogon_dissect_netrdatabaseredo_rqst,
7710 netlogon_dissect_netrdatabaseredo_reply },
7711 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
7712 netlogon_dissect_netrlogoncontrol2ex_rqst,
7713 netlogon_dissect_netrlogoncontrol2ex_reply },
7714 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
7715 netlogon_dissect_netrenumeratetrusteddomains_rqst,
7716 netlogon_dissect_netrenumeratetrusteddomains_reply },
7717 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
7718 netlogon_dissect_dsrgetdcname_rqst,
7719 netlogon_dissect_dsrgetdcname_reply },
7720 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
7721 netlogon_dissect_netrlogondummyroutine1_rqst,
7722 netlogon_dissect_netrlogondummyroutine1_reply },
7723 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
7724 netlogon_dissect_netrlogonsetservicebits_rqst,
7725 netlogon_dissect_netrlogonsetservicebits_reply },
7726 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
7727 netlogon_dissect_netrlogongettrustrid_rqst,
7728 netlogon_dissect_netrlogongettrustrid_reply },
7729 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
7730 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
7731 netlogon_dissect_netrlogoncomputeserverdigest_reply },
7732 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
7733 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
7734 netlogon_dissect_netrlogoncomputeclientdigest_reply },
7735 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
7736 netlogon_dissect_netrserverauthenticate3_rqst,
7737 netlogon_dissect_netrserverauthenticate3_reply },
7738 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
7739 netlogon_dissect_dsrgetdcnameex_rqst,
7740 netlogon_dissect_dsrgetdcnameex_reply },
7741 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
7742 netlogon_dissect_dsrgetsitename_rqst,
7743 netlogon_dissect_dsrgetsitename_reply },
7744 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
7745 netlogon_dissect_netrlogongetdomaininfo_rqst,
7746 netlogon_dissect_netrlogongetdomaininfo_reply },
7747 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
7748 netlogon_dissect_netrserverpasswordset2_rqst,
7749 netlogon_dissect_netrserverpasswordset2_reply },
7750 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
7751 netlogon_dissect_netrserverpasswordget_rqst,
7752 netlogon_dissect_netrserverpasswordget_reply },
7753 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
7754 netlogon_dissect_netrlogonsendtosam_rqst,
7755 netlogon_dissect_netrlogonsendtosam_reply },
7756 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
7757 netlogon_dissect_dsraddresstositenamesw_rqst,
7758 netlogon_dissect_dsraddresstositenamesw_reply },
7759 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
7760 netlogon_dissect_dsrgetdcnameex2_rqst,
7761 netlogon_dissect_dsrgetdcnameex2_reply },
7762 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
7763 "NetrLogonGetTimeServiceParentDomain",
7764 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
7765 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
7766 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
7767 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
7768 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
7769 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
7770 netlogon_dissect_dsraddresstositenamesexw_rqst,
7771 netlogon_dissect_dsraddresstositenamesexw_reply },
7772 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
7773 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
7774 netlogon_dissect_dsrgetdcsitecoveragew_reply },
7775 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
7776 netlogon_dissect_netrlogonsamlogonex_rqst,
7777 netlogon_dissect_netrlogonsamlogonex_reply },
7778 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
7779 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
7780 netlogon_dissect_dsrenumeratedomaintrusts_reply },
7781 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
7782 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
7783 netlogon_dissect_dsrderegisterdnshostrecords_reply },
7784 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
7786 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
7788 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
7790 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
7791 netlogon_dissect_netrlogonsamlogonflags_rqst,
7792 netlogon_dissect_netrlogonsamlogonflags_reply },
7793 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
7795 {0, NULL, NULL, NULL }
/*
 * Header-field handles for the secure-channel verifier. Each one starts
 * at -1, the value it holds in this file until field registration.
 */
static int hf_netlogon_secchan_verf         = -1;
static int hf_netlogon_secchan_verf_sigalg  = -1;
static int hf_netlogon_secchan_verf_sealalg = -1;
static int hf_netlogon_secchan_verf_pad     = -1;
static int hf_netlogon_secchan_verf_flag    = -1;
static int hf_netlogon_secchan_verf_digest  = -1;
static int hf_netlogon_secchan_verf_seq     = -1;
static int hf_netlogon_secchan_verf_nonce   = -1;
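/*
 * Derive the 16-byte sealing key used to decrypt one secure-channel message.
 *
 * session_key  session key; the all-zero check always reads 16 bytes of it
 * key_len      number of session-key bytes mixed into the derivation
 * sequence     sequence number, hashed as its 8 in-memory bytes
 * seal_key     output buffer of 16 bytes; zeroed first, and left zeroed
 *              when no key is derived
 *
 * Returns non-zero when a key was derived and 0 when the session key is
 * all zeroes; the caller treats 0 as "cannot decrypt".
 *
 * NOTE(review): the listing this was reviewed from drops several lines of
 * the function (local declarations and everything after the second HMAC).
 * Those parts are reconstructed here - compare with the full file.
 */
static int get_seal_key(const guint8 *session_key,int key_len,guint64 sequence,guint8* seal_key)
{
    guint8 zeros[4];
    guint8 buf2[16];
    guint8 zero_sk[16];
    guint8 *buf;
    int i;

    memset(zero_sk,0,16);
    memset(seal_key,0,16);

    /*
     * An all-zero session key means no usable key is known. Test this
     * before allocating, so the failure path has nothing to release.
     */
    if(memcmp(session_key,zero_sk,16) == 0) {
        return 0;
    }

    memset(zeros,0,4);

    /* Scratch copy of the session key with every byte XORed with 0xF0. */
    buf = g_malloc(key_len);
    for(i=0;i<key_len;i++) {
        buf[i] = session_key[i] ^ 0xF0;
    }

    /* First HMAC-MD5 is keyed with the masked session key over four zero bytes. */
    md5_hmac(zeros,4,buf,key_len,buf2);

    /*
     * Second HMAC-MD5 is keyed with the intermediate digest over the
     * sequence number. The bytes are taken straight from the host
     * representation of the guint64.
     * NOTE(review): that makes the result depend on host byte order -
     * confirm the caller supplies the value in the layout the protocol uses.
     */
    md5_hmac((guint8*)&sequence,8,buf2,16,seal_key);

    g_free(buf);
    return 1;
}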
/*
 * Decrypt the sequence number carried in a secure-channel verifier.
 *
 * session_key  session key; 16 bytes are used
 * checksum     verifier digest, hashed as its 8 in-memory bytes
 * enc_seq      encrypted sequence number as read from the packet
 * is_server    unused
 *
 * The RC4 key is HMAC-MD5(key = HMAC-MD5(key = session_key, four zero
 * bytes), checksum). Returns the sequence number after RC4 decryption.
 *
 * NOTE(review): the listing this was reviewed from drops some lines of the
 * function (local declarations and the final return); they are
 * reconstructed here - compare with the full file.
 */
static guint64 uncrypt_sequence(guint8* session_key,guint64 checksum,guint64 enc_seq,unsigned char is_server _U_)
{
    guint8 zeros[4];
    guint8 inner_digest[16];
    guint8 rc4_key[16];
    rc4_state_struct rc4state;

    memset(zeros,0,4);

    /* Two chained HMAC-MD5 steps produce the per-message RC4 key. */
    md5_hmac(zeros,4,session_key,16,inner_digest);
    md5_hmac((guint8*)&checksum,8,inner_digest,16,rc4_key);

    /* Decrypt the by-value copy of the sequence number in place. */
    crypt_rc4_init(&rc4state,rc4_key,16);
    crypt_rc4(&rc4state,(guint8*)&enc_seq,8);

    /*
     * The original carries a disabled post-processing step here: it swapped
     * the two 32-bit halves of the result and masked the first byte with
     * 0x7F. It stays disabled.
     */
    return enc_seq;
}
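/*
 * Decrypt the stub data of a sealed Netlogon secure-channel PDU.
 *
 * Looks up the authentication state stored for this conversation and
 * direction. When that state holds a sealing key, everything from `offset`
 * to the end of `tvb` is RC4-decrypted into a new tvbuff.
 *
 * Returns the decrypted tvbuff, or NULL when no state applies to this
 * frame, no key is known, or no bytes remain at `offset`.
 *
 * NOTE(review): the listing this was reviewed from drops several lines of
 * the function (return type, braces, the list step and the returns). They
 * are reconstructed here - compare with the full file.
 */
static tvbuff_t *
dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U_,
                    int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U_,unsigned char is_server)
{
    tvbuff_t *buf = NULL;
    guint8 *decrypted;
    netlogon_auth_vars *vars;
    netlogon_auth_key key;
    rc4_state_struct rc4state;
    guint64 copyconfounder;
    int data_len;

    generate_hash_key(pinfo,is_server,&key,NULL);
    vars = g_hash_table_lookup(netlogon_auths, &key);

    /*
     * Skip state entries that were superseded before this frame: those
     * with next_start set and lower than the current frame number.
     */
    while(vars != NULL && vars->next_start != -1 && vars->next_start < (int) pinfo->fd->num ) {
        vars = vars->next;
    }
    if(vars == NULL) {
        /* Either the lookup missed or every entry was superseded. */
        debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
        return buf;
    }

    if(vars->can_decrypt == TRUE) {
        /*
         * tvb_length_remaining() reports -1 when offset lies beyond the
         * buffer. Stop here instead of passing a negative length on to the
         * copy and to RC4.
         */
        data_len = tvb_length_remaining(tvb,offset);
        if(data_len < 0) {
            return buf;
        }

        /*
         * RC4 over a private copy of the confounder.
         * NOTE(review): the output is not read in the lines visible for
         * this function, and the state is re-initialised just below.
         */
        copyconfounder = vars->confounder;
        crypt_rc4_init(&rc4state,vars->encryption_key,16);
        crypt_rc4(&rc4state,(guint8*)&copyconfounder,8);

        /* Decrypt a heap copy so the captured bytes stay untouched. */
        decrypted = tvb_memdup(tvb, offset,data_len);
        crypt_rc4_init(&rc4state,vars->encryption_key,16);
        crypt_rc4(&rc4state,decrypted,data_len);
        buf = tvb_new_real_data(decrypted, data_len, data_len);

        /*
         * The copy is heap-allocated and the new tvbuff does not free it
         * unless told to; without this each decrypted PDU leaks.
         */
        tvb_set_free_cb(buf, g_free);
    }
    else {
        debugprintf("Session key not found can't decrypt ...\n");
    }

    return buf;
}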
/*
 * Stub-data decryption hook for the request direction: forwards to
 * dissect_packet_data() with is_server = 0 and returns its result.
 */
static tvbuff_t* dissect_request_data( tvbuff_t *tvb ,tvbuff_t *auth_tvb ,
                                       int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info )
{
    const unsigned char is_server = 0;

    return dissect_packet_data(tvb, auth_tvb, offset, pinfo, auth_info, is_server);
}
/*
 * Stub-data decryption hook for the response direction: forwards to
 * dissect_packet_data() with is_server = 1 and returns its result.
 */
static tvbuff_t* dissect_response_data( tvbuff_t *tvb ,tvbuff_t *auth_tvb ,
                                        int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info )
{
    const unsigned char is_server = 1;

    return dissect_packet_data(tvb, auth_tvb, offset, pinfo, auth_info, is_server);
}
/*
 * Dissect the Netlogon secure-channel verifier and, when authentication
 * state is known for this conversation, derive the sealing key from it.
 *
 * tvb/offset  buffer and position of the verifier
 * tree        protocol tree the verifier subtree is added to
 * is_server   direction flag, passed to the hash-key and sequence helpers
 *
 * NOTE(review): this listing drops many lines of the function (return
 * type, braces, some declarations, several call arguments and the final
 * return). The comments below describe only what the visible lines show.
 */
7919 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
7920 proto_tree *tree, guint8 *drep _U_, unsigned char is_server)
7922 netlogon_auth_vars *vars;
7923 netlogon_auth_key key;
7924 proto_item *vf = NULL;
7925 proto_tree *subtree = NULL;
7926 guint64 encrypted_seq;
7929 int update_vars = 0;
/* Find the authentication state stored for this conversation/direction. */
7931 generate_hash_key(pinfo,is_server,&key,NULL);
7932 vars = g_hash_table_lookup(netlogon_auths,(gconstpointer*) &key);
/* Parse the verifier only if this frame is not the one recorded in `seen`. */
7933 if( ! (seen.isseen && seen.num == pinfo->fd->num) ) {
7935 * Create a new tree, and split into x components ...
7937 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
7939 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
7941 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sigalg, tvb,
7943 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sealalg, tvb,
7945 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_pad, tvb,
7946 offset+4, 2, FALSE);
7947 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_flag, tvb,
7948 offset+6, 2, FALSE);
/* The sequence number is read in its encrypted form; it is decrypted further down. */
7951 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7952 hf_netlogon_secchan_verf_seq, &encrypted_seq);
7954 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7955 hf_netlogon_secchan_verf_digest, &digest);
7957 /* The nonce is present only in some cases: when the data/signature are encrypted ("integrity/seal" in MS language) */
/*
 * NOTE(review): `confounder` is written only when 8 more bytes exist, yet
 * it is copied into vars further down. Its declaration is not visible in
 * this listing - confirm it is initialised.
 */
7959 if (tvb_bytes_exist(tvb, offset, 8)) {
7960 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
7961 hf_netlogon_secchan_verf_nonce, &confounder);
7965 if( vars != NULL ) {
/* Skip entries with next_start set and lower than this frame number. */
7966 while(vars != NULL && vars->next_start != -1 && vars->next_start < (int)pinfo->fd->num ) {
7970 debugprintf("Vars not found %d (packet_data)\n",g_hash_table_size(netlogon_auths));
/* Record the values taken from the verifier in the per-conversation state. */
7975 vars->confounder = confounder;
7976 vars->seq = uncrypt_sequence(vars->session_key,digest,encrypted_seq,is_server);
/*
 * Derive the sealing key; the key length is passed as the literal 16.
 * get_seal_key() returning non-zero is what enables payload decryption.
 */
7979 if(get_seal_key(vars->session_key,16,vars->seq,vars->encryption_key))
7981 vars->can_decrypt = TRUE;
7985 debugprintf("get seal key returned 0\n");
7991 debugprintf("Vars not found (is null %d) %d (dissect_verf)\n",vars==NULL,g_hash_table_size(netlogon_auths));
7993 /*debugprintf("Setting isseen to true, old packet %d new %d\n",seen.num,pinfo->fd->num);*/
/* Remember this frame number; the check at the top compares against it. */
7995 seen.num = pinfo->fd->num;
/*
 * Verifier dissector for the request direction: forwards to
 * dissect_secchan_verf() with is_server = 0 and returns its result.
 *
 * NOTE(review): the return-type line is not shown in the listing this was
 * reviewed from; `static int` is assumed - confirm against the full file.
 */
static int
dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
                             proto_tree *tree, guint8 *drep )
{
    const unsigned char is_server = 0;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep, is_server);
}
/*
 * Verifier dissector for the response direction: forwards to
 * dissect_secchan_verf() with is_server = 1 and returns its result.
 *
 * NOTE(review): the return-type line is not shown in the listing this was
 * reviewed from; `static int` is assumed - confirm against the full file.
 */
static int
dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
                              proto_tree *tree, guint8 *drep )
{
    const unsigned char is_server = 1;

    return dissect_secchan_verf(tvb, offset, pinfo, tree, drep, is_server);
}
/*
 * Display names for the secure channel type field.
 *
 * NOTE(review): the terminating entry and closing brace are not shown in
 * the listing this was reviewed from; they are restored here because the
 * table is used through VALS() - confirm against the full file.
 */
static const value_string sec_chan_type_vals[] = {
    { SEC_CHAN_WKSTA,  "Workstation" },
    { SEC_CHAN_DOMAIN, "Domain trust" },
    { SEC_CHAN_BDC,    "Backup domain controller" },
    { 0, NULL }
};
/*
 * Reset the two authentication-state hash tables: destroy each table if
 * it exists, then create a fresh empty one.
 *
 * The tables are created with g_hash_table_new(), so no key or value
 * destroy functions are registered and destroying a table does not
 * release its entries.
 * NOTE(review): the entries hold session and encryption keys - confirm
 * their storage is reclaimed elsewhere.
 *
 * NOTE(review): the return-type line and braces are not shown in the
 * listing this was reviewed from; `static void` is assumed.
 */
static void
netlogon_reassemble_init(void)
{
    GHashTable **tables[2];
    unsigned int t;

    tables[0] = &netlogon_auths;
    tables[1] = &schannel_auths;

    for (t = 0; t < 2; t++) {
        if (*tables[t] != NULL) {
            g_hash_table_destroy(*tables[t]);
        }
        *tables[t] = g_hash_table_new(netlogon_auth_hash, netlogon_auth_equal);
    }
}
8035 proto_register_dcerpc_netlogon(void)
8038 static hf_register_info hf[] = {
8039 { &hf_netlogon_opnum,
8040 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
8041 NULL, 0x0, NULL, HFILL }},
8043 { &hf_netlogon_rc, {
8044 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
8045 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
8047 { &hf_netlogon_dos_rc,
8048 { "DOS error code", "netlogon.dos.rc", FT_UINT32,
8049 BASE_HEX, VALS(DOS_errors), 0x0, "DOS Error Code", HFILL}},
8051 { &hf_netlogon_werr_rc,
8052 { "WERR error code", "netlogon.werr.rc", FT_UINT32,
8053 BASE_HEX, VALS(WERR_errors), 0x0, "WERR Error Code", HFILL}},
8055 { &hf_netlogon_param_ctrl, {
8056 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
8057 NULL, 0x0, "Param ctrl", HFILL }},
8059 { &hf_netlogon_logon_id, {
8060 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
8061 NULL, 0x0, NULL, HFILL }},
8063 { &hf_netlogon_modify_count, {
8064 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
8065 NULL, 0x0, "How many times the object has been modified", HFILL }},
8067 { &hf_netlogon_security_information, {
8068 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
8069 NULL, 0x0, NULL, HFILL }},
8071 { &hf_netlogon_count, {
8072 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
8073 NULL, 0x0, NULL, HFILL }},
8075 { &hf_netlogon_entries, {
8076 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
8077 NULL, 0x0, NULL, HFILL }},
8079 { &hf_netlogon_credential, {
8080 "Credential", "netlogon.credential", FT_BYTES, BASE_NONE,
8081 NULL, 0x0, "Netlogon Credential", HFILL }},
8083 { &hf_netlogon_challenge, {
8084 "Challenge", "netlogon.challenge", FT_BYTES, BASE_NONE,
8085 NULL, 0x0, "Netlogon challenge", HFILL }},
8087 { &hf_netlogon_lm_owf_password, {
8088 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_NONE,
8089 NULL, 0x0, "LanManager OWF Password", HFILL }},
8091 { &hf_netlogon_user_session_key, {
8092 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_NONE,
8093 NULL, 0x0, NULL, HFILL }},
8095 { &hf_netlogon_encrypted_lm_owf_password, {
8096 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_NONE,
8097 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
8099 { &hf_netlogon_nt_owf_password, {
8100 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_NONE,
8101 NULL, 0x0, "NT OWF Password", HFILL }},
8103 { &hf_netlogon_blob, {
8104 "BLOB", "netlogon.blob", FT_BYTES, BASE_NONE,
8105 NULL, 0x0, NULL, HFILL }},
8107 { &hf_netlogon_len, {
8108 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
8109 NULL, 0, "Length", HFILL }},
8111 { &hf_netlogon_priv, {
8112 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
8113 NULL, 0, NULL, HFILL }},
8115 { &hf_netlogon_privilege_entries, {
8116 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
8117 NULL, 0, NULL, HFILL }},
8119 { &hf_netlogon_privilege_control, {
8120 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
8121 NULL, 0, NULL, HFILL }},
8123 { &hf_netlogon_privilege_name, {
8124 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,
8125 NULL, 0, NULL, HFILL }},
8127 { &hf_netlogon_pdc_connection_status, {
8128 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
8129 NULL, 0, NULL, HFILL }},
8131 { &hf_netlogon_tc_connection_status, {
8132 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
8133 NULL, 0, NULL, HFILL }},
8135 { &hf_netlogon_attrs, {
8136 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
8137 NULL, 0, NULL, HFILL }},
8139 { &hf_netlogon_lsapolicy_referentid,
8140 { "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32, BASE_HEX,
8141 NULL, 0x0, "Referent ID", HFILL }},
8143 { &hf_netlogon_lsapolicy_len,
8144 { "Length", "netlogon.lsapolicy.length", FT_UINT32, BASE_DEC,
8145 NULL, 0x0, "Length of the policy buffer", HFILL }},
8147 { &hf_netlogon_lsapolicy_pointer,
8148 { "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES, BASE_NONE,
8149 NULL, 0x0, "Pointer to LSA POLICY", HFILL }},
8151 { &hf_netlogon_unknown_string,
8152 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
8153 NULL, 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL }},
8155 { &hf_netlogon_dummy_string,
8156 { "Dummy String", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8157 NULL, 0, "Dummy String. Used is reserved for next evolutions.", HFILL }},
8159 { &hf_netlogon_trust_extention,
8160 { "Trust extension", "netlogon.trust.extention", FT_STRING, BASE_NONE,
8161 NULL, 0, "Trusts extension.", HFILL }},
8163 { &hf_netlogon_trust_offset,
8164 { "Offset", "netlogon.trust.extention_offset", FT_UINT32, BASE_DEC,
8165 NULL, 0, "Trusts extension.", HFILL }},
8167 { &hf_netlogon_trust_len,
8168 { "Length", "netlogon.trust.extention_length", FT_UINT32, BASE_DEC,
8169 NULL, 0, "Length", HFILL }},
8171 { &hf_netlogon_trust_max,
8172 { "Max Count", "netlogon.trust.extention.maxcount", FT_UINT32, BASE_DEC,
8173 NULL, 0, "Max Count", HFILL }},
8175 { &hf_netlogon_dummy_string2,
8176 { "Dummy String2", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8177 NULL, 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL }},
8179 { &hf_netlogon_dummy_string3,
8180 { "Dummy String3", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8181 NULL, 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL }},
8183 { &hf_netlogon_dummy_string4,
8184 { "Dummy String4", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8185 NULL, 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL }},
8187 { &hf_netlogon_dummy_string5,
8188 { "Dummy String5", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8189 NULL, 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL }},
8191 { &hf_netlogon_dummy_string6,
8192 { "Dummy String6", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8193 NULL, 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL }},
8195 { &hf_netlogon_dummy_string7,
8196 { "Dummy String7", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8197 NULL, 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL }},
8199 { &hf_netlogon_dummy_string8,
8200 { "Dummy String8", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8201 NULL, 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL }},
8203 { &hf_netlogon_dummy_string9,
8204 { "Dummy String9", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8205 NULL, 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL }},
8207 { &hf_netlogon_dummy_string10,
8208 { "Dummy String10", "netlogon.dummy_string", FT_STRING, BASE_NONE,
8209 NULL, 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL }},
8211 { &hf_netlogon_unknown_long,
8212 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
8213 NULL, 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL }},
8215 { &hf_netlogon_dummy1_long,
8216 { "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32, BASE_HEX,
8217 NULL, 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL }},
8219 { &hf_netlogon_dummy2_long,
8220 { "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32, BASE_HEX,
8221 NULL, 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL }},
8223 { &hf_netlogon_dummy3_long,
8224 { "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32, BASE_HEX,
8225 NULL, 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL }},
8227 { &hf_netlogon_dummy4_long,
8228 { "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32, BASE_HEX,
8229 NULL, 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL }},
8231 { &hf_netlogon_dummy5_long,
8232 { "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32, BASE_HEX,
8233 NULL, 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL }},
8235 { &hf_netlogon_dummy6_long,
8236 { "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32, BASE_HEX,
8237 NULL, 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL }},
8239 { &hf_netlogon_dummy7_long,
8240 { "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32, BASE_HEX,
8241 NULL, 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL }},
8243 { &hf_netlogon_dummy8_long,
8244 { "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32, BASE_HEX,
8245 NULL, 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL }},
8247 { &hf_netlogon_dummy9_long,
8248 { "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32, BASE_HEX,
8249 NULL, 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL }},
8251 { &hf_netlogon_dummy10_long,
8252 { "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32, BASE_HEX,
8253 NULL, 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL }},
8256 { &hf_netlogon_supportedenctypes,
8257 { "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32, BASE_HEX,
8258 NULL, 0x0, "Encryption types", HFILL }},
8260 { &hf_netlogon_workstation_flags,
8261 { "Workstation Flags", "netlogon.workstation.flags", FT_UINT32, BASE_HEX,
8262 NULL, 0x0, "Flags", HFILL }},
8264 { &hf_netlogon_reserved,
8265 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
8266 NULL, 0x0, NULL, HFILL }},
8267 { &hf_netlogon_unknown_short,
8268 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
8269 NULL, 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL }},
8271 { &hf_netlogon_unknown_char,
8272 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
8273 NULL, 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL }},
8275 { &hf_netlogon_acct_expiry_time,
8276 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8277 NULL, 0x0, "When this account will expire", HFILL }},
8279 { &hf_netlogon_nt_pwd_present,
8280 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
8281 NULL, 0x0, "Is NT password present for this account?", HFILL }},
8283 { &hf_netlogon_lm_pwd_present,
8284 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
8285 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
8287 { &hf_netlogon_pwd_expired,
8288 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
8289 NULL, 0x0, "Whether this password has expired or not", HFILL }},
8291 { &hf_netlogon_authoritative,
8292 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
8293 NULL, 0x0, NULL, HFILL }},
8295 { &hf_netlogon_sensitive_data_flag,
8296 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
8297 NULL, 0x0, "Sensitive data flag", HFILL }},
8299 { &hf_netlogon_auditing_mode,
8300 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
8301 NULL, 0x0, NULL, HFILL }},
8303 { &hf_netlogon_max_audit_event_count,
8304 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
8305 NULL, 0x0, "Max audit event count", HFILL }},
8307 { &hf_netlogon_event_audit_option,
8308 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
8309 NULL, 0x0, "Event audit option", HFILL }},
8311 { &hf_netlogon_sensitive_data_len,
8312 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
8313 NULL, 0x0, "Length of sensitive data", HFILL }},
8315 { &hf_netlogon_nt_chal_resp,
8316 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_NONE,
8317 NULL, 0, "Challenge response for NT authentication", HFILL }},
8319 { &hf_netlogon_lm_chal_resp,
8320 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_NONE,
8321 NULL, 0, "Challenge response for LM authentication", HFILL }},
8323 { &hf_netlogon_cipher_len,
8324 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
8325 NULL, 0, NULL, HFILL }},
8327 { &hf_netlogon_cipher_maxlen,
8328 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
8329 NULL, 0, NULL, HFILL }},
8331 { &hf_netlogon_pac_data,
8332 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_NONE,
8333 NULL, 0, NULL, HFILL }},
8335 { &hf_netlogon_sensitive_data,
8336 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_NONE,
8337 NULL, 0, "Sensitive Data", HFILL }},
8339 { &hf_netlogon_auth_data,
8340 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_NONE,
8341 NULL, 0, NULL, HFILL }},
8343 { &hf_netlogon_cipher_current_data,
8344 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_NONE,
8345 NULL, 0, NULL, HFILL }},
8347 { &hf_netlogon_cipher_old_data,
8348 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_NONE,
8349 NULL, 0, NULL, HFILL }},
8351 { &hf_netlogon_acct_name,
8352 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
8353 NULL, 0, "Account Name", HFILL }},
8355 { &hf_netlogon_acct_desc,
8356 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
8357 NULL, 0, "Account Description", HFILL }},
8359 { &hf_netlogon_group_desc,
8360 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
8361 NULL, 0, "Group Description", HFILL }},
8363 { &hf_netlogon_full_name,
8364 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
8365 NULL, 0, NULL, HFILL }},
8367 { &hf_netlogon_comment,
8368 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
8369 NULL, 0, NULL, HFILL }},
8371 { &hf_netlogon_parameters,
8372 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
8373 NULL, 0, NULL, HFILL }},
8375 { &hf_netlogon_logon_script,
8376 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
8377 NULL, 0, NULL, HFILL }},
8379 { &hf_netlogon_profile_path,
8380 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
8381 NULL, 0, NULL, HFILL }},
8383 { &hf_netlogon_home_dir,
8384 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
8385 NULL, 0, "Home Directory", HFILL }},
8387 { &hf_netlogon_dir_drive,
8388 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
8389 NULL, 0, "Drive letter for home directory", HFILL }},
8391 { &hf_netlogon_logon_srv,
8392 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
8393 NULL, 0, NULL, HFILL }},
8395 { &hf_netlogon_principal,
8396 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
8397 NULL, 0, NULL, HFILL }},
8399 { &hf_netlogon_logon_dom,
8400 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
8401 NULL, 0, NULL, HFILL }},
8403 { &hf_netlogon_resourcegroupcount,
8404 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
8405 NULL, 0, "Number of Resource Groups", HFILL }},
8407 { &hf_netlogon_computer_name,
8408 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
8409 NULL, 0, NULL, HFILL }},
8411 { &hf_netlogon_site_name,
8412 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
8413 NULL, 0, NULL, HFILL }},
8415 { &hf_netlogon_dc_name,
8416 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
8417 NULL, 0, NULL, HFILL }},
8419 { &hf_netlogon_dc_site_name,
8420 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
8421 NULL, 0, NULL, HFILL }},
8423 { &hf_netlogon_dns_forest_name,
8424 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
8425 NULL, 0, NULL, HFILL }},
8427 { &hf_netlogon_dc_address,
8428 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
8429 NULL, 0, NULL, HFILL }},
8431 { &hf_netlogon_dc_address_type,
8432 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
8433 VALS(dc_address_types), 0, NULL, HFILL }},
8435 { &hf_netlogon_client_site_name,
8436 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
8437 NULL, 0, NULL, HFILL }},
8439 { &hf_netlogon_workstation_site_name,
8440 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
8441 NULL, 0, "Workstation Site Name", HFILL }},
8443 { &hf_netlogon_workstation,
8444 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
8445 NULL, 0, "Workstation Name", HFILL }},
8447 { &hf_netlogon_os_version,
8448 { "OS version", "netlogon.os.version", FT_STRING, BASE_NONE,
8449 NULL, 0, "OS Version", HFILL }},
8451 { &hf_netlogon_workstation_os,
8452 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
8453 NULL, 0, "Workstation OS", HFILL }},
8455 { &hf_netlogon_workstations,
8456 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
8457 NULL, 0, NULL, HFILL }},
8459 { &hf_netlogon_workstation_fqdn,
8460 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
8461 NULL, 0, "Workstation FQDN", HFILL }},
8463 { &hf_netlogon_group_name,
8464 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
8465 NULL, 0, NULL, HFILL }},
8467 { &hf_netlogon_alias_name,
8468 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
8469 NULL, 0, NULL, HFILL }},
8471 { &hf_netlogon_dns_host,
8472 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
8473 NULL, 0, NULL, HFILL }},
8475 { &hf_netlogon_downlevel_domain_name,
8476 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
8477 NULL, 0, "Downlevel Domain Name", HFILL }},
8479 { &hf_netlogon_dns_domain_name,
8480 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
8481 NULL, 0, "DNS Domain Name", HFILL }},
8483 { &hf_netlogon_ad_client_dns_name,
8484 { "Client DNS Name", "netlogon.client_dns_name", FT_STRING, BASE_NONE,
8485 NULL, 0, "Client DNS Name", HFILL }},
8487 { &hf_netlogon_domain_name,
8488 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
8489 NULL, 0, "Domain Name", HFILL }},
8491 { &hf_netlogon_oem_info,
8492 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
8493 NULL, 0, NULL, HFILL }},
8495 { &hf_netlogon_trusted_dc_name,
8496 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
8497 NULL, 0, NULL, HFILL }},
8499 { &hf_netlogon_logon_dnslogondomainname,
8500 { "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING, BASE_NONE,
8501 NULL, 0, "DNS Name of the logon domain", HFILL }},
8503 { &hf_netlogon_logon_upn,
8504 { "UPN", "netlogon.logon.upn", FT_STRING, BASE_NONE,
8505 NULL, 0, "User Principal Name", HFILL }},
8507 { &hf_netlogon_logonsrv_handle,
8508 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
8509 NULL, 0, "Logon Srv Handle", HFILL }},
8511 { &hf_netlogon_dummy,
8512 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
8513 NULL, 0, "Dummy string", HFILL }},
8515 { &hf_netlogon_logon_count16,
8516 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
8517 NULL, 0x0, "Number of successful logins", HFILL }},
8519 { &hf_netlogon_logon_count,
8520 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
8521 NULL, 0x0, "Number of successful logins", HFILL }},
8523 { &hf_netlogon_bad_pw_count16,
8524 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
8525 NULL, 0x0, "Number of failed logins", HFILL }},
8527 { &hf_netlogon_bad_pw_count,
8528 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
8529 NULL, 0x0, "Number of failed logins", HFILL }},
8531 { &hf_netlogon_country,
8532 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
8533 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
8535 { &hf_netlogon_codepage,
8536 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
8537 NULL, 0x0, "Codepage setting for this account", HFILL }},
8539 { &hf_netlogon_level16,
8540 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
8541 NULL, 0x0, "Which option of the union is represented here", HFILL }},
8543 { &hf_netlogon_validation_level,
8544 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
8545 NULL, 0x0, "Requested level of validation", HFILL }},
8547 { &hf_netlogon_minpasswdlen,
8548 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
8549 NULL, 0x0, "Minimum length of password", HFILL }},
8551 { &hf_netlogon_passwdhistorylen,
8552 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
8553 NULL, 0x0, "Length of password history", HFILL }},
8555 { &hf_netlogon_secure_channel_type,
8556 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
8557 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
8559 { &hf_netlogon_restart_state,
8560 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
8561 NULL, 0x0, NULL, HFILL }},
8563 { &hf_netlogon_delta_type,
8564 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
8565 VALS(delta_type_vals), 0x0, NULL, HFILL }},
8567 { &hf_netlogon_blob_size,
8568 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
8569 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
8571 { &hf_netlogon_code,
8572 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
8573 NULL, 0x0, NULL, HFILL }},
8575 { &hf_netlogon_level,
8576 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
8577 NULL, 0x0, "Which option of the union is represented here", HFILL }},
8579 { &hf_netlogon_reference,
8580 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
8581 NULL, 0x0, NULL, HFILL }},
8583 { &hf_netlogon_next_reference,
8584 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
8585 NULL, 0x0, NULL, HFILL }},
8587 { &hf_netlogon_timestamp,
8588 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
8589 NULL, 0, NULL, HFILL }},
8591 { &hf_netlogon_user_rid,
8592 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
8593 NULL, 0x0, NULL, HFILL }},
8595 { &hf_netlogon_alias_rid,
8596 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
8597 NULL, 0x0, NULL, HFILL }},
8599 { &hf_netlogon_group_rid,
8600 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
8601 NULL, 0x0, NULL, HFILL }},
8603 { &hf_netlogon_num_rids,
8604 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
8605 NULL, 0x0, "Number of RIDs", HFILL }},
8607 { &hf_netlogon_num_controllers,
8608 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
8609 NULL, 0x0, "Number of domain controllers", HFILL }},
8611 { &hf_netlogon_num_sid,
8612 { "Num Extra SID", "netlogon.num_sid", FT_UINT32, BASE_DEC,
8613 NULL, 0x0, "", HFILL }},
8615 { &hf_netlogon_flags,
8616 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
8617 NULL, 0x0, NULL, HFILL }},
8619 { &hf_netlogon_user_account_control,
8620 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
8621 NULL, 0x0, "User Account control", HFILL }},
8623 { &hf_netlogon_user_flags,
8624 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
8625 NULL, 0x0, "User flags", HFILL }},
8627 { &hf_netlogon_auth_flags,
8628 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
8629 NULL, 0x0, NULL, HFILL }},
8631 { &hf_netlogon_systemflags,
8632 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
8633 NULL, 0x0, NULL, HFILL }},
8635 { &hf_netlogon_database_id,
8636 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
8637 NULL, 0x0, NULL, HFILL }},
8639 { &hf_netlogon_sync_context,
8640 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
8641 NULL, 0x0, NULL, HFILL }},
8643 { &hf_netlogon_max_size,
8644 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
8645 NULL, 0x0, "Max Size of database", HFILL }},
8647 { &hf_netlogon_max_log_size,
8648 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
8649 NULL, 0x0, "Max Size of log", HFILL }},
8651 { &hf_netlogon_pac_size,
8652 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
8653 NULL, 0x0, "Size of PacData in bytes", HFILL }},
8655 { &hf_netlogon_auth_size,
8656 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
8657 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
8659 { &hf_netlogon_num_deltas,
8660 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
8661 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
8663 { &hf_netlogon_num_trusts,
8664 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
8665 NULL, 0x0, NULL, HFILL }},
8667 { &hf_netlogon_logon_attempts,
8668 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
8669 NULL, 0x0, "Number of logon attempts", HFILL }},
8671 { &hf_netlogon_pagefilelimit,
8672 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
8673 NULL, 0x0, NULL, HFILL }},
8675 { &hf_netlogon_pagedpoollimit,
8676 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
8677 NULL, 0x0, NULL, HFILL }},
8679 { &hf_netlogon_nonpagedpoollimit,
8680 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
8681 NULL, 0x0, NULL, HFILL }},
8683 { &hf_netlogon_minworkingsetsize,
8684 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
8685 NULL, 0x0, NULL, HFILL }},
8687 { &hf_netlogon_maxworkingsetsize,
8688 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
8689 NULL, 0x0, NULL, HFILL }},
8691 { &hf_netlogon_serial_number,
8692 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
8693 NULL, 0x0, NULL, HFILL }},
8695 { &hf_netlogon_neg_flags,
8696 { "Negotiation options", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
8697 NULL, 0x0, "Negotiation Flags", HFILL }},
8699 { &hf_netlogon_neg_flags_80000000,
8700 { "Not used 80000000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000000, "Not used", HFILL }},
8702 { &hf_netlogon_neg_flags_40000000,
8703 { "Authenticated RPC supported", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000000, "Authenticated RPC supported", HFILL }},
8705 { &hf_netlogon_neg_flags_20000000,
8706 { "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000000, "rpc via lsass", HFILL }},
8708 { &hf_netlogon_neg_flags_10000000,
8709 { "Not used 10000000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000000, "Not used", HFILL }},
8711 { &hf_netlogon_neg_flags_8000000,
8712 { "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000000, "Not used", HFILL }},
8714 { &hf_netlogon_neg_flags_4000000,
8715 { "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4000000, "Not used", HFILL }},
8717 { &hf_netlogon_neg_flags_2000000,
8718 { "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000000, "Not used", HFILL }},
8720 { &hf_netlogon_neg_flags_1000000,
8721 { "Not used 1000000", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000000, "Not used", HFILL }},
8723 { &hf_netlogon_neg_flags_800000,
8724 { "Not used 800000", "ntlmssp.neg_flags.na8000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800000, "Not used", HFILL }},
8726 { &hf_netlogon_neg_flags_400000,
8727 { "AES & SHA2 supported", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_USEAES, "AES&SHA2", HFILL }},
8729 { &hf_netlogon_neg_flags_200000,
8730 { "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200000, "rodc pt", HFILL }},
8732 { &hf_netlogon_neg_flags_100000,
8733 { "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100000, "No NT4 emu", HFILL }},
8735 { &hf_netlogon_neg_flags_80000,
8736 { "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80000, "Cross forest trust", HFILL }},
8738 { &hf_netlogon_neg_flags_40000,
8739 { "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40000, "GetDomainInfo", HFILL }},
8741 { &hf_netlogon_neg_flags_20000,
8742 { "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20000, "PasswordSet2", HFILL }},
8744 { &hf_netlogon_neg_flags_10000,
8745 { "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10000, "DNS Trusts", HFILL }},
8747 { &hf_netlogon_neg_flags_8000,
8748 { "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8000, "Transitive trust", HFILL }},
8750 { &hf_netlogon_neg_flags_4000,
8751 { "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_STRONGKEY, "Strong key", HFILL }},
8753 { &hf_netlogon_neg_flags_2000,
8754 { "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2000, "Avoid replication auth database", HFILL }},
8756 { &hf_netlogon_neg_flags_1000,
8757 { "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1000, "Avoid replication account database", HFILL }},
8759 { &hf_netlogon_neg_flags_800,
8760 { "Concurent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_800, "Concurent RPC", HFILL }},
8762 { &hf_netlogon_neg_flags_400,
8763 { "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_400, "Generic pass-through", HFILL }},
8765 { &hf_netlogon_neg_flags_200,
8766 { "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_200, "SendToSam", HFILL }},
8768 { &hf_netlogon_neg_flags_100,
8769 { "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_100, "PWD change refusal", HFILL }},
8771 { &hf_netlogon_neg_flags_80,
8772 { "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_80, "DatabaseRedo call", HFILL }},
8774 { &hf_netlogon_neg_flags_40,
8775 { "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_40, "Handle multiple SIDs", HFILL }},
8777 { &hf_netlogon_neg_flags_20,
8778 { "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_20, "Restarting full DC sync", HFILL }},
8780 { &hf_netlogon_neg_flags_10,
8781 { "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_10, "BDC Changelog", HFILL }},
8783 { &hf_netlogon_neg_flags_8,
8784 { "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_8, "Promotion count", HFILL }},
8786 { &hf_netlogon_neg_flags_4,
8787 { "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_4, "RC4", HFILL }},
8789 { &hf_netlogon_neg_flags_2,
8790 { "NT3.5 BDC continious update", "ntlmssp.neg_flags.na2", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_2, "NT3.5", HFILL }},
8792 { &hf_netlogon_neg_flags_1,
8793 { "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN, 32, TFS(&tfs_set_notset), NETLOGON_FLAG_1, "Account lockout", HFILL }},
8795 { &hf_netlogon_dc_flags,
8796 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
8797 NULL, 0x0, NULL, HFILL }},
8799 { &hf_netlogon_dc_flags_pdc_flag,
8800 { "PDC", "netlogon.dc.flags.pdc",
8801 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
8802 "If this server is a PDC", HFILL }},
8804 { &hf_netlogon_dc_flags_gc_flag,
8805 { "GC", "netlogon.dc.flags.gc",
8806 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
8807 "If this server is a GC", HFILL }},
8809 { &hf_netlogon_dc_flags_ldap_flag,
8810 { "LDAP", "netlogon.dc.flags.ldap",
8811 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
8812 "If this is an LDAP server", HFILL }},
8814 { &hf_netlogon_dc_flags_ds_flag,
8815 { "DS", "netlogon.dc.flags.ds",
8816 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
8817 "If this server is a DS", HFILL }},
8819 { &hf_netlogon_dc_flags_kdc_flag,
8820 { "KDC", "netlogon.dc.flags.kdc",
8821 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
8822 "If this is a KDC", HFILL }},
8824 { &hf_netlogon_dc_flags_timeserv_flag,
8825 { "Timeserv", "netlogon.dc.flags.timeserv",
8826 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
8827 "If this server is a TimeServer", HFILL }},
8829 { &hf_netlogon_dc_flags_closest_flag,
8830 { "Closest", "netlogon.dc.flags.closest",
8831 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
8832 "If this is the closest server", HFILL }},
8834 { &hf_netlogon_dc_flags_writable_flag,
8835 { "Writable", "netlogon.dc.flags.writable",
8836 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
8837 "If this server can do updates to the database", HFILL }},
8839 { &hf_netlogon_dc_flags_good_timeserv_flag,
8840 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
8841 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
8842 "If this is a Good TimeServer", HFILL }},
8844 { &hf_netlogon_dc_flags_ndnc_flag,
8845 { "NDNC", "netlogon.dc.flags.ndnc",
8846 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
8847 "If this is an NDNC server", HFILL }},
8849 { &hf_netlogon_dc_flags_dns_controller_flag,
8850 { "DNS Controller", "netlogon.dc.flags.dns_controller",
8851 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
8852 "If this server is a DNS Controller", HFILL }},
8854 { &hf_netlogon_dc_flags_dns_domain_flag,
8855 { "DNS Domain", "netlogon.dc.flags.dns_domain",
8856 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
8859 { &hf_netlogon_dc_flags_dns_forest_flag,
8860 { "DNS Forest", "netlogon.dc.flags.dns_forest",
8861 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
8864 { &hf_netlogon_get_dcname_request_flags,
8865 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
8866 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
8868 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
8869 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
8870 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
8871 "Whether to allow the server to returned cached information or not", HFILL }},
8873 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
8874 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
8875 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
8876 "Whether we require that the returned DC supports w2k or not", HFILL }},
8878 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
8879 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
8880 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
8881 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
8883 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
8884 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
8885 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
8886 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
8888 { &hf_netlogon_get_dcname_request_flags_pdc_required,
8889 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
8890 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
8891 "Whether we require the returned DC to be the PDC", HFILL }},
8893 { &hf_netlogon_get_dcname_request_flags_background_only,
8894 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
8895 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
8896 "If we want cached data, even if it may have expired", HFILL }},
8898 { &hf_netlogon_get_dcname_request_flags_ip_required,
8899 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
8900 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
8901 "If we requre the IP of the DC in the reply", HFILL }},
8903 { &hf_netlogon_get_dcname_request_flags_kdc_required,
8904 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
8905 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
8906 "If we require that the returned server is a KDC", HFILL }},
8908 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
8909 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
8910 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
8911 "If we require the returned server to be a WindowsTimeServ server", HFILL }},
8913 { &hf_netlogon_get_dcname_request_flags_writable_required,
8914 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
8915 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
8916 "If we require that the returned server is writable", HFILL }},
8918 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
8919 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
8920 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
8921 "If we prefer Windows Time Servers", HFILL }},
8923 { &hf_netlogon_get_dcname_request_flags_avoid_self,
8924 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
8925 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
8926 "Return another DC than the one we ask", HFILL }},
8928 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
8929 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
8930 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
8931 "We just want an LDAP server, it does not have to be a DC", HFILL }},
8933 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
8934 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
8935 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
8936 "If the specified domain name is a NetBIOS name", HFILL }},
8938 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
8939 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
8940 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
8941 "If the specified domain name is a DNS name", HFILL }},
8943 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
8944 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
8945 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
8946 "Only return a DNS name (or an error)", HFILL }},
8948 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
8949 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
8950 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
8951 "Only return a NetBIOS name (or an error)", HFILL }},
8953 { &hf_netlogon_trust_attribs,
8954 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
8955 NULL, 0x0, NULL, HFILL }},
8957 { &hf_netlogon_trust_attribs_non_transitive,
8958 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
8959 TFS(&trust_attribs_non_transitive), 0x00000001, NULL, HFILL }},
8961 { &hf_netlogon_trust_attribs_uplevel_only,
8962 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
8963 TFS(&trust_attribs_uplevel_only), 0x00000002, NULL, HFILL }},
8965 { &hf_netlogon_trust_attribs_quarantined_domain,
8966 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
8967 TFS(&trust_attribs_quarantined_domain), 0x00000004, NULL, HFILL }},
8969 { &hf_netlogon_trust_attribs_forest_transitive,
8970 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
8971 TFS(&trust_attribs_forest_transitive), 0x00000008, NULL, HFILL }},
8973 { &hf_netlogon_trust_attribs_cross_organization,
8974 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
8975 TFS(&trust_attribs_cross_organization), 0x00000010, NULL, HFILL }},
8977 { &hf_netlogon_trust_attribs_within_forest,
8978 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
8979 TFS(&trust_attribs_within_forest), 0x00000020, NULL, HFILL }},
8981 { &hf_netlogon_trust_attribs_treat_as_external,
8982 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
8983 TFS(&trust_attribs_treat_as_external), 0x00000040, NULL, HFILL }},
8985 { &hf_netlogon_trust_type,
8986 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
8987 VALS(trust_type_vals), 0x0, NULL, HFILL }},
8989 { &hf_netlogon_extraflags,
8990 { "Extra Flags", "netlogon.extra_flags", FT_UINT32, BASE_HEX,
8991 NULL, 0x0, NULL, HFILL }},
8993 { &hf_netlogon_extra_flags_root_forest,
8994 { "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
8995 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_ROOT_FOREST,
8998 { &hf_netlogon_trust_flags_dc_firsthop,
8999 { " DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
9000 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_DC_XFOREST,
9003 { &hf_netlogon_trust_flags_rodc_to_dc,
9004 { "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
9005 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_RODC_DIF_DOMAIN,
9008 { &hf_netlogon_trust_flags_rodc_ntlm,
9009 { "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
9010 FT_BOOLEAN, 32, TFS(&tfs_set_notset), RQ_NTLM_FROM_RODC,
9013 { &hf_netlogon_trust_flags,
9014 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
9015 NULL, 0x0, NULL, HFILL }},
9017 { &hf_netlogon_trust_flags_inbound,
9018 { "Inbound Trust", "netlogon.trust.flags.inbound",
9019 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
9020 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
9022 { &hf_netlogon_trust_flags_outbound,
9023 { "Outbound Trust", "netlogon.trust.flags.outbound",
9024 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
9025 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
9027 { &hf_netlogon_trust_flags_in_forest,
9028 { "In Forest", "netlogon.trust.flags.in_forest",
9029 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
9030 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
9032 { &hf_netlogon_trust_flags_native_mode,
9033 { "Native Mode", "netlogon.trust.flags.native_mode",
9034 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
9035 "Whether the domain is a w2k native mode domain or not", HFILL }},
9037 { &hf_netlogon_trust_flags_primary,
9038 { "Primary", "netlogon.trust.flags.primary",
9039 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
9040 "Whether the domain is the primary domain for the queried server or not", HFILL }},
9042 { &hf_netlogon_trust_flags_tree_root,
9043 { "Tree Root", "netlogon.trust.flags.tree_root",
9044 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
9045 "Whether the domain is the root of the tree for the queried server", HFILL }},
9047 { &hf_netlogon_trust_parent_index,
9048 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
9049 NULL, 0x0, NULL, HFILL }},
9051 { &hf_netlogon_logon_time,
9052 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9053 NULL, 0, "Time for last time this user logged on", HFILL }},
9055 { &hf_netlogon_kickoff_time,
9056 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9057 NULL, 0, "Time when this user will be kicked off", HFILL }},
9059 { &hf_netlogon_logoff_time,
9060 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9061 NULL, 0, "Time for last time this user logged off", HFILL }},
9063 { &hf_netlogon_last_logoff_time,
9064 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9065 NULL, 0, "Time for last time this user logged off", HFILL }},
9067 { &hf_netlogon_pwd_last_set_time,
9068 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9069 NULL, 0, "Last time this users password was changed", HFILL }},
9071 { &hf_netlogon_pwd_age,
9072 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
9073 NULL, 0, "Time since this users password was changed", HFILL }},
9075 { &hf_netlogon_pwd_can_change_time,
9076 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9077 NULL, 0, "When this users password may be changed", HFILL }},
9079 { &hf_netlogon_pwd_must_change_time,
9080 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9081 NULL, 0, "When this users password must be changed", HFILL }},
9083 { &hf_netlogon_domain_create_time,
9084 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9085 NULL, 0, "Time when this domain was created", HFILL }},
9087 { &hf_netlogon_domain_modify_time,
9088 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9089 NULL, 0, "Time when this domain was last modified", HFILL }},
9091 { &hf_netlogon_db_modify_time,
9092 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9093 NULL, 0, "Time when last modified", HFILL }},
9095 { &hf_netlogon_db_create_time,
9096 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9097 NULL, 0, "Time when created", HFILL }},
9099 { &hf_netlogon_cipher_current_set_time,
9100 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9101 NULL, 0, "Time when current cipher was initiated", HFILL }},
9103 { &hf_netlogon_cipher_old_set_time,
9104 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9105 NULL, 0, "Time when previous cipher was initiated", HFILL }},
9107 { &hf_netlogon_audit_retention_period,
9108 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
9109 NULL, 0, "Audit retention period", HFILL }},
9111 { &hf_netlogon_timelimit,
9112 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
9113 NULL, 0, NULL, HFILL }},
9116 { &hf_client_credential,
9117 { "Client Credential", "netlogon.clientcred", FT_BYTES, BASE_NONE,
9118 NULL, 0x0, "", HFILL }},
9120 { &hf_server_credential,
9121 { "Server Credential", "netlogon.servercred", FT_BYTES, BASE_NONE,
9122 NULL, 0x0, "", HFILL }},
9125 { "Account RID", "netlogon.serverrid", FT_UINT32, BASE_DEC,
9126 NULL, 0x0, "", HFILL }},
9128 { &hf_client_challenge,
9129 { "Client Challenge", "netlogon.clientchallenge", FT_BYTES, BASE_NONE,
9130 NULL, 0x0, "", HFILL }},
9132 { &hf_server_challenge,
9133 { "Server Challenge", "netlogon.serverchallenge", FT_BYTES, BASE_NONE,
9134 NULL, 0x0, "", HFILL }},
9136 { &hf_netlogon_secchan_bind_unknown1,
9137 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
9138 NULL, 0x0, NULL, HFILL }},
9140 { &hf_netlogon_secchan_bind_unknown2,
9141 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
9142 NULL, 0x0, NULL, HFILL }},
9144 { &hf_netlogon_secchan_domain,
9145 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
9146 NULL, 0, NULL, HFILL }},
9148 { &hf_netlogon_secchan_host,
9149 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
9150 NULL, 0, NULL, HFILL }},
9152 { &hf_netlogon_data_length,
9153 { "Length of Data", "netlogon.data.length", FT_UINT32, BASE_DEC,
9154 NULL, 0, "", HFILL }},
9156 { &hf_netlogon_package_name,
9157 { "SSP Package Name", "netlogon.data.package_name", FT_STRING, BASE_NONE,
9158 NULL, 0, "", HFILL }},
9160 { &hf_netlogon_secchan_bind_ack_unknown1,
9161 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
9162 BASE_HEX, NULL, 0x0, NULL, HFILL }},
9164 { &hf_netlogon_secchan_bind_ack_unknown2,
9165 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
9166 BASE_HEX, NULL, 0x0, NULL, HFILL }},
9168 { &hf_netlogon_secchan_bind_ack_unknown3,
9169 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
9170 BASE_HEX, NULL, 0x0, "", HFILL }},
9172 { &hf_netlogon_secchan_verf,
9173 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
9174 NULL, 0x0, "Verifier", HFILL }},
9176 { &hf_netlogon_secchan_verf_sigalg,
9177 { "Sign algorithm", "netlogon.secchan.sigalg", FT_UINT16, BASE_HEX, NULL,
9178 0x0, "Signature", HFILL }},
9180 { &hf_netlogon_secchan_verf_sealalg,
9181 { "Sign algorithm", "netlogon.secchan.sigalg", FT_UINT16, BASE_HEX, NULL,
9182 0x0, "Signature", HFILL }},
9184 { &hf_netlogon_secchan_verf_pad,
9185 { "Padding", "netlogon.secchan.padding", FT_BYTES, BASE_NONE, NULL,
9186 0x0, NULL, HFILL }},
9188 { &hf_netlogon_secchan_verf_flag,
9189 { "Flags", "netlogon.secchan.flags", FT_BYTES, BASE_NONE, NULL,
9190 0x0, NULL, HFILL }},
9192 { &hf_netlogon_secchan_verf_digest,
9193 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_NONE, NULL,
9194 0x0, NULL, HFILL }},
9196 { &hf_netlogon_secchan_verf_seq,
9197 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_NONE, NULL,
9198 0x0, NULL, HFILL }},
9200 { &hf_netlogon_secchan_verf_nonce,
9201 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_NONE, NULL,
9202 0x0, NULL, HFILL }},
9204 { &hf_netlogon_group_attrs_mandatory,
9205 { "Mandatory", "netlogon.groups.attrs.mandatory",
9206 FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
9207 "The group attributes MANDATORY flag", HFILL }},
9209 { &hf_netlogon_group_attrs_enabled_by_default,
9210 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
9211 FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
9212 "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
9214 { &hf_netlogon_group_attrs_enabled,
9215 { "Enabled", "netlogon.groups.attrs.enabled",
9216 FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
9217 "The group attributes ENABLED flag", HFILL }},
9219 { &hf_netlogon_user_flags_extra_sids,
9220 { "Extra SIDs", "netlogon.user.flags.extra_sids",
9221 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
9222 "The user flags EXTRA_SIDS", HFILL }},
9224 { &hf_netlogon_user_flags_resource_groups,
9225 { "Resource Groups", "netlogon.user.flags.resource_groups",
9226 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
9227 "The user flags RESOURCE_GROUPS", HFILL }},
9229 { &hf_netlogon_user_account_control_dont_require_preauth,
9230 { "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
9231 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
9232 "The user account control DONT_REQUIRE_PREAUTH flag", HFILL }},
9234 { &hf_netlogon_user_account_control_use_des_key_only,
9235 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
9236 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
9237 "The user account control use_des_key_only flag", HFILL }},
9239 { &hf_netlogon_user_account_control_not_delegated,
9240 { "Not Delegated", "netlogon.user.account_control.not_delegated",
9241 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
9242 "The user account control not_delegated flag", HFILL }},
9244 { &hf_netlogon_user_account_control_trusted_for_delegation,
9245 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
9246 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
9247 "The user account control trusted_for_delegation flag", HFILL }},
9249 { &hf_netlogon_user_account_control_smartcard_required,
9250 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
9251 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
9252 "The user account control smartcard_required flag", HFILL }},
9254 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
9255 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
9256 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
9257 "The user account control encrypted_text_password_allowed flag", HFILL }},
9259 { &hf_netlogon_user_account_control_account_auto_locked,
9260 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
9261 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
9262 "The user account control account_auto_locked flag", HFILL }},
9264 { &hf_netlogon_user_account_control_dont_expire_password,
9265 { "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
9266 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
9267 "The user account control dont_expire_password flag", HFILL }},
9269 { &hf_netlogon_user_account_control_server_trust_account,
9270 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
9271 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
9272 "The user account control server_trust_account flag", HFILL }},
9274 { &hf_netlogon_user_account_control_workstation_trust_account,
9275 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
9276 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
9277 "The user account control workstation_trust_account flag", HFILL }},
9279 { &hf_netlogon_user_account_control_interdomain_trust_account,
9280 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
9281 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
9282 "The user account control interdomain_trust_account flag", HFILL }},
9284 { &hf_netlogon_user_account_control_mns_logon_account,
9285 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
9286 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
9287 "The user account control mns_logon_account flag", HFILL }},
9289 { &hf_netlogon_user_account_control_normal_account,
9290 { "Normal Account", "netlogon.user.account_control.normal_account",
9291 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
9292 "The user account control normal_account flag", HFILL }},
9294 { &hf_netlogon_user_account_control_temp_duplicate_account,
9295 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
9296 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
9297 "The user account control temp_duplicate_account flag", HFILL }},
9299 { &hf_netlogon_user_account_control_password_not_required,
9300 { "Password Not Required", "netlogon.user.account_control.password_not_required",
9301 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
9302 "The user account control password_not_required flag", HFILL }},
9304 { &hf_netlogon_user_account_control_home_directory_required,
9305 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
9306 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
9307 "The user account control home_directory_required flag", HFILL }},
9309 { &hf_netlogon_user_account_control_account_disabled,
9310 { "Account Disabled", "netlogon.user.account_control.account_disabled",
9311 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
9312 "The user account control account_disabled flag", HFILL }},
9314 { &hf_netlogon_dnsdomaininfo,
9315 { "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE, BASE_NONE,
9316 NULL, 0x0, NULL, HFILL }},
9318 { &DnsDomainInfo_sid,
9319 { "Sid", "lsarpc.lsa_DnsDomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9321 { "Sid", "lsarpc.lsa_DomainInfo.sid", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9322 { &DnsDomainInfo_domain_guid,
9323 { "Domain Guid", "lsarpc.lsa_DnsDomainInfo.domain_guid", FT_GUID, BASE_NONE, NULL, 0, NULL, HFILL }},
9324 { &DnsDomainInfo_dns_forest,
9325 { "Dns Forest", "lsarpc.lsa_DnsDomainInfo.dns_forest", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9326 { &DnsDomainInfo_dns_domain,
9327 { "Dns Domain", "lsarpc.lsa_DnsDomainInfo.dns_domain", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9328 { &DnsDomainInfo_name,
9329 { "Name", "lsarpc.lsa_DnsDomainInfo.name", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }},
9332 static gint *ett[] = {
9333 &ett_dcerpc_netlogon,
9334 &ett_authenticate_flags,
9340 &ett_DOMAIN_CONTROLLER_INFO,
9341 &ett_UNICODE_STRING_512,
9344 &ett_DELTA_ID_UNION,
9347 &ett_LM_OWF_PASSWORD,
9348 &ett_NT_OWF_PASSWORD,
9349 &ett_GROUP_MEMBERSHIP,
9350 &ett_DS_DOMAIN_TRUSTS,
9352 &ett_DOMAIN_TRUST_INFO,
9353 &ett_LSA_POLICY_INFO,
9356 &ett_get_dcname_request_flags,
9358 &ett_secchan_bind_creds,
9359 &ett_secchan_bind_ack_creds,
9363 &ett_nt_counted_longs_as_string,
9364 &ett_user_account_control
9367 proto_dcerpc_netlogon = proto_register_protocol(
9368 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
9370 proto_register_field_array(proto_dcerpc_netlogon, hf,
9372 proto_register_subtree_array(ett, array_length(ett));
9373 register_init_routine(netlogon_reassemble_init);
/*
 * Callback table of type dcerpc_auth_subdissector_fns for the Netlogon
 * secure channel.  The initializers are positional, so each callback's
 * role is fixed by its slot: Bind, Bind ACK, request verifier, response
 * verifier, request data, response data (see the per-entry comments).
 *
 * NOTE(review): this listing skips source line 9380, between the
 * Bind ACK and Request verifier entries, so a slot may be missing from
 * this view.  Check the entry count and order against the
 * dcerpc_auth_subdissector_fns definition before relying on it.
 *
 * NOTE(review): presumably this is the table passed to
 * register_dcerpc_auth_subdissector() for
 * DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN in
 * proto_reg_handoff_dcerpc_netlogon(); that argument is not visible
 * here - confirm.  If so, these callbacks parse peer-supplied
 * credential and verifier bytes and the protected request/response
 * payloads, so each one should be reviewed for length checks before it
 * reads or transforms buffer contents.
 */
9377 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
9378 dissect_secchan_bind_creds, /* Bind */
9379 dissect_secchan_bind_ack_creds, /* Bind ACK */
9381 dissect_request_secchan_verf, /* Request verifier */
9382 dissect_response_secchan_verf, /* Response verifier */
9383 dissect_request_data, /* Request data */
9384 dissect_response_data /* Response data */
9388 proto_reg_handoff_dcerpc_netlogon(void)
9390 /* Register protocol as dcerpc */
9391 seen.isseen = FALSE;
9393 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
9394 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
9395 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
9398 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
9399 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
9401 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
9402 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,