1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-ntlmssp.h"
38 #include "packet-dcerpc-lsa.h"
/*
 * Protocol handle and header-field (hf_*) handles for the NETLOGON dissector.
 * Every handle starts at -1.
 * NOTE(review): the code that replaces -1 with a registered id is not in this
 * part of the file - presumably the protocol registration routine; confirm.
 *
 * Judging by their names, these handles label authentication material taken
 * from the packet: hf_netlogon_challenge, hf_netlogon_nt_chal_resp,
 * hf_netlogon_lm_chal_resp, hf_netlogon_credential,
 * hf_netlogon_encrypted_lm_owf_password, hf_netlogon_lm_owf_password,
 * hf_netlogon_nt_owf_password and hf_netlogon_user_session_key. Captures and
 * exported dissections that show them should be handled as sensitive data.
 */
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_group_attrs_mandatory = -1;
42 static int hf_netlogon_group_attrs_enabled_by_default = -1;
43 static int hf_netlogon_group_attrs_enabled = -1;
44 static int hf_netlogon_opnum = -1;
45 static int hf_netlogon_guid = -1;
46 static int hf_netlogon_rc = -1;
47 static int hf_netlogon_len = -1;
48 static int hf_netlogon_sensitive_data_flag = -1;
49 static int hf_netlogon_sensitive_data_len = -1;
50 static int hf_netlogon_sensitive_data = -1;
51 static int hf_netlogon_security_information = -1;
52 static int hf_netlogon_dummy = -1;
53 static int hf_netlogon_neg_flags = -1;
54 static int hf_netlogon_minworkingsetsize = -1;
55 static int hf_netlogon_maxworkingsetsize = -1;
56 static int hf_netlogon_pagedpoollimit = -1;
57 static int hf_netlogon_pagefilelimit = -1;
58 static int hf_netlogon_timelimit = -1;
59 static int hf_netlogon_nonpagedpoollimit = -1;
60 static int hf_netlogon_pac_size = -1;
61 static int hf_netlogon_pac_data = -1;
62 static int hf_netlogon_auth_size = -1;
63 static int hf_netlogon_auth_data = -1;
64 static int hf_netlogon_cipher_len = -1;
65 static int hf_netlogon_cipher_maxlen = -1;
66 static int hf_netlogon_cipher_current_data = -1;
67 static int hf_netlogon_cipher_current_set_time = -1;
68 static int hf_netlogon_cipher_old_data = -1;
69 static int hf_netlogon_cipher_old_set_time = -1;
70 static int hf_netlogon_priv = -1;
71 static int hf_netlogon_privilege_entries = -1;
72 static int hf_netlogon_privilege_control = -1;
73 static int hf_netlogon_privilege_name = -1;
74 static int hf_netlogon_systemflags = -1;
75 static int hf_netlogon_pdc_connection_status = -1;
76 static int hf_netlogon_tc_connection_status = -1;
77 static int hf_netlogon_restart_state = -1;
78 static int hf_netlogon_attrs = -1;
79 static int hf_netlogon_count = -1;
80 static int hf_netlogon_entries = -1;
81 static int hf_netlogon_minpasswdlen = -1;
82 static int hf_netlogon_passwdhistorylen = -1;
83 static int hf_netlogon_level16 = -1;
84 static int hf_netlogon_validation_level = -1;
85 static int hf_netlogon_reference = -1;
86 static int hf_netlogon_next_reference = -1;
87 static int hf_netlogon_timestamp = -1;
88 static int hf_netlogon_level = -1;
89 static int hf_netlogon_challenge = -1;
90 static int hf_netlogon_reserved = -1;
91 static int hf_netlogon_audit_retention_period = -1;
92 static int hf_netlogon_auditing_mode = -1;
93 static int hf_netlogon_max_audit_event_count = -1;
94 static int hf_netlogon_event_audit_option = -1;
95 static int hf_netlogon_unknown_string = -1;
96 static int hf_netlogon_unknown_long = -1;
97 static int hf_netlogon_unknown_short = -1;
98 static int hf_netlogon_unknown_char = -1;
99 static int hf_netlogon_logon_time = -1;
100 static int hf_netlogon_logoff_time = -1;
101 static int hf_netlogon_last_logoff_time = -1;
102 static int hf_netlogon_kickoff_time = -1;
103 static int hf_netlogon_pwd_age = -1;
104 static int hf_netlogon_pwd_last_set_time = -1;
105 static int hf_netlogon_pwd_can_change_time = -1;
106 static int hf_netlogon_pwd_must_change_time = -1;
107 static int hf_netlogon_nt_chal_resp = -1;
108 static int hf_netlogon_lm_chal_resp = -1;
109 static int hf_netlogon_credential = -1;
110 static int hf_netlogon_acct_name = -1;
111 static int hf_netlogon_acct_desc = -1;
112 static int hf_netlogon_group_desc = -1;
113 static int hf_netlogon_full_name = -1;
114 static int hf_netlogon_comment = -1;
115 static int hf_netlogon_parameters = -1;
116 static int hf_netlogon_logon_script = -1;
117 static int hf_netlogon_profile_path = -1;
118 static int hf_netlogon_home_dir = -1;
119 static int hf_netlogon_dir_drive = -1;
120 static int hf_netlogon_logon_count = -1;
121 static int hf_netlogon_logon_count16 = -1;
122 static int hf_netlogon_bad_pw_count = -1;
123 static int hf_netlogon_bad_pw_count16 = -1;
124 static int hf_netlogon_user_rid = -1;
125 static int hf_netlogon_alias_rid = -1;
126 static int hf_netlogon_group_rid = -1;
127 static int hf_netlogon_logon_srv = -1;
128 static int hf_netlogon_principal = -1;
129 static int hf_netlogon_logon_dom = -1;
130 static int hf_netlogon_resourcegroupcount = -1;
131 static int hf_netlogon_downlevel_domain_name = -1;
132 static int hf_netlogon_dns_domain_name = -1;
133 static int hf_netlogon_domain_name = -1;
134 static int hf_netlogon_domain_create_time = -1;
135 static int hf_netlogon_domain_modify_time = -1;
136 static int hf_netlogon_modify_count = -1;
137 static int hf_netlogon_db_modify_time = -1;
138 static int hf_netlogon_db_create_time = -1;
139 static int hf_netlogon_oem_info = -1;
140 static int hf_netlogon_serial_number = -1;
141 static int hf_netlogon_num_rids = -1;
142 static int hf_netlogon_num_trusts = -1;
143 static int hf_netlogon_num_controllers = -1;
144 static int hf_netlogon_num_other_groups = -1;
145 static int hf_netlogon_computer_name = -1;
146 static int hf_netlogon_site_name = -1;
147 static int hf_netlogon_trusted_dc_name = -1;
148 static int hf_netlogon_dc_name = -1;
149 static int hf_netlogon_dc_site_name = -1;
150 static int hf_netlogon_dns_forest_name = -1;
151 static int hf_netlogon_dc_address = -1;
152 static int hf_netlogon_dc_address_type = -1;
153 static int hf_netlogon_client_site_name = -1;
154 static int hf_netlogon_workstation = -1;
155 static int hf_netlogon_workstation_site_name = -1;
156 static int hf_netlogon_workstation_os = -1;
157 static int hf_netlogon_workstations = -1;
158 static int hf_netlogon_workstation_fqdn = -1;
159 static int hf_netlogon_group_name = -1;
160 static int hf_netlogon_alias_name = -1;
161 static int hf_netlogon_country = -1;
162 static int hf_netlogon_codepage = -1;
163 static int hf_netlogon_flags = -1;
164 static int hf_netlogon_trust_attribs = -1;
165 static int hf_netlogon_trust_type = -1;
166 static int hf_netlogon_trust_flags = -1;
167 static int hf_netlogon_trust_flags_inbound = -1;
168 static int hf_netlogon_trust_flags_outbound = -1;
169 static int hf_netlogon_trust_flags_in_forest = -1;
170 static int hf_netlogon_trust_flags_native_mode = -1;
171 static int hf_netlogon_trust_flags_primary = -1;
172 static int hf_netlogon_trust_flags_tree_root = -1;
173 static int hf_netlogon_trust_parent_index = -1;
174 static int hf_netlogon_user_account_control = -1;
175 static int hf_netlogon_user_account_control_dont_require_preauth = -1;
176 static int hf_netlogon_user_account_control_use_des_key_only = -1;
177 static int hf_netlogon_user_account_control_not_delegated = -1;
178 static int hf_netlogon_user_account_control_trusted_for_delegation = -1;
179 static int hf_netlogon_user_account_control_smartcard_required = -1;
180 static int hf_netlogon_user_account_control_encrypted_text_password_allowed = -1;
181 static int hf_netlogon_user_account_control_account_auto_locked = -1;
182 static int hf_netlogon_user_account_control_dont_expire_password = -1;
183 static int hf_netlogon_user_account_control_server_trust_account = -1;
184 static int hf_netlogon_user_account_control_workstation_trust_account = -1;
185 static int hf_netlogon_user_account_control_interdomain_trust_account = -1;
186 static int hf_netlogon_user_account_control_mns_logon_account = -1;
187 static int hf_netlogon_user_account_control_normal_account = -1;
188 static int hf_netlogon_user_account_control_temp_duplicate_account = -1;
189 static int hf_netlogon_user_account_control_password_not_required = -1;
190 static int hf_netlogon_user_account_control_home_directory_required = -1;
191 static int hf_netlogon_user_account_control_account_disabled = -1;
192 static int hf_netlogon_user_flags = -1;
193 static int hf_netlogon_user_flags_extra_sids = -1;
194 static int hf_netlogon_user_flags_resource_groups = -1;
195 static int hf_netlogon_auth_flags = -1;
196 static int hf_netlogon_pwd_expired = -1;
197 static int hf_netlogon_nt_pwd_present = -1;
198 static int hf_netlogon_lm_pwd_present = -1;
199 static int hf_netlogon_code = -1;
200 static int hf_netlogon_database_id = -1;
201 static int hf_netlogon_sync_context = -1;
202 static int hf_netlogon_max_size = -1;
203 static int hf_netlogon_max_log_size = -1;
204 static int hf_netlogon_dns_host = -1;
205 static int hf_netlogon_acct_expiry_time = -1;
206 static int hf_netlogon_encrypted_lm_owf_password = -1;
207 static int hf_netlogon_lm_owf_password = -1;
208 static int hf_netlogon_nt_owf_password = -1;
209 static int hf_netlogon_param_ctrl = -1;
210 static int hf_netlogon_logon_id = -1;
211 static int hf_netlogon_num_deltas = -1;
212 static int hf_netlogon_user_session_key = -1;
213 static int hf_netlogon_blob_size = -1;
214 static int hf_netlogon_blob = -1;
215 static int hf_netlogon_logon_attempts = -1;
216 static int hf_netlogon_authoritative = -1;
217 static int hf_netlogon_secure_channel_type = -1;
218 static int hf_netlogon_logonsrv_handle = -1;
219 static int hf_netlogon_delta_type = -1;
220 static int hf_netlogon_get_dcname_request_flags = -1;
221 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
222 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
223 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
224 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
225 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
226 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
227 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
228 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
229 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
230 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
231 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
232 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
233 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
234 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
235 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
236 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
237 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
238 static int hf_netlogon_dc_flags = -1;
239 static int hf_netlogon_dc_flags_pdc_flag = -1;
240 static int hf_netlogon_dc_flags_gc_flag = -1;
241 static int hf_netlogon_dc_flags_ldap_flag = -1;
242 static int hf_netlogon_dc_flags_ds_flag = -1;
243 static int hf_netlogon_dc_flags_kdc_flag = -1;
244 static int hf_netlogon_dc_flags_timeserv_flag = -1;
245 static int hf_netlogon_dc_flags_closest_flag = -1;
246 static int hf_netlogon_dc_flags_writable_flag = -1;
247 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
248 static int hf_netlogon_dc_flags_ndnc_flag = -1;
249 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
250 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
251 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
/*
 * Subtree (ett_*) handles passed to proto_item_add_subtree() by the
 * dissectors in this file. All start at -1.
 * NOTE(review): where they receive real ids is not visible in this part of
 * the file - presumably the registration routine; confirm.
 */
253 static gint ett_dcerpc_netlogon = -1;
254 static gint ett_group_attrs = -1;
255 static gint ett_user_flags = -1;
256 static gint ett_user_account_control = -1;
257 static gint ett_QUOTA_LIMITS = -1;
258 static gint ett_IDENTITY_INFO = -1;
259 static gint ett_DELTA_ENUM = -1;
260 static gint ett_CYPHER_VALUE = -1;
261 static gint ett_UNICODE_MULTI = -1;
262 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
263 static gint ett_UNICODE_STRING_512 = -1;
264 static gint ett_TYPE_50 = -1;
265 static gint ett_TYPE_52 = -1;
266 static gint ett_DELTA_ID_UNION = -1;
267 static gint ett_TYPE_44 = -1;
268 static gint ett_DELTA_UNION = -1;
269 static gint ett_LM_OWF_PASSWORD = -1;
270 static gint ett_NT_OWF_PASSWORD = -1;
271 static gint ett_GROUP_MEMBERSHIP = -1;
272 static gint ett_BLOB = -1;
273 static gint ett_DS_DOMAIN_TRUSTS = -1;
274 static gint ett_DOMAIN_TRUST_INFO = -1;
275 static gint ett_trust_flags = -1;
276 static gint ett_get_dcname_request_flags = -1;
277 static gint ett_dc_flags = -1;
/*
 * DCE/RPC interface identity for NETLOGON: UUID
 * 12345678-1234-abcd-ef00-01234567cffb, interface version 1.
 * NOTE(review): the closing line of the initializer is not shown in this
 * listing (the gutter numbers skip from 281 to 284).
 */
279 static e_uuid_t uuid_dcerpc_netlogon = {
280 0x12345678, 0x1234, 0xabcd,
281 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
284 static guint16 ver_dcerpc_netlogon = 1;
/*
 * Display strings for the user account control flags. In each pair the first
 * string is shown when the bit is set and the second when it is clear.
 *
 * When reading a capture, the set-bit strings for DONT_REQUIRE_PREAUTHENTICATION,
 * REQUIRES_NO_PASSWORD, USE_DES_KEY_ONLY and ENCRYPTED_TEXT_PASSWORD mark
 * accounts whose authentication settings are weaker than usual, and
 * TRUSTED_FOR_DELEGATION marks an account allowed to act for other users;
 * those are the flags an account audit normally checks first.
 *
 * NOTE(review): the closing line of each initializer is not shown in this
 * listing (the gutter numbers skip one line after every pair).
 */
287 static const true_false_string user_account_control_dont_require_preauth= {
288 "This account DONT_REQUIRE_PREAUTHENTICATION",
289 "This account REQUIRES preauthentication",
291 static const true_false_string user_account_control_use_des_key_only= {
292 "This account must USE_DES_KEY_ONLY for passwords",
293 "This account does NOT have to use_des_key_only",
295 static const true_false_string user_account_control_not_delegated= {
296 "This account is NOT_DELEGATED",
297 "This might have been delegated",
299 static const true_false_string user_account_control_trusted_for_delegation= {
300 "This account is TRUSTED_FOR_DELEGATION",
301 "This account is NOT trusted_for_delegation",
303 static const true_false_string user_account_control_smartcard_required= {
304 "This account REQUIRES_SMARTCARD to authenticate",
305 "This account does NOT require_smartcard to authenticate",
307 static const true_false_string user_account_control_encrypted_text_password_allowed= {
308 "This account allows ENCRYPTED_TEXT_PASSWORD",
309 "This account does NOT allow encrypted_text_password",
311 static const true_false_string user_account_control_account_auto_locked= {
312 "This account is AUTO_LOCKED",
313 "This account is NOT auto_locked",
315 static const true_false_string user_account_control_dont_expire_password= {
316 "This account DONT_EXPIRE_PASSWORDs",
317 "This account might expire_passwords",
319 static const true_false_string user_account_control_server_trust_account= {
320 "This account is a SERVER_TRUST_ACCOUNT",
321 "This account is NOT a server_trust_account",
323 static const true_false_string user_account_control_workstation_trust_account= {
324 "This account is a WORKSTATION_TRUST_ACCOUNT",
325 "This account is NOT a workstation_trust_account",
327 static const true_false_string user_account_control_interdomain_trust_account= {
328 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
329 "This account is NOT an interdomain_trust_account",
331 static const true_false_string user_account_control_mns_logon_account= {
332 "This account is a MNS_LOGON_ACCOUNT",
333 "This account is NOT a mns_logon_account",
335 static const true_false_string user_account_control_normal_account= {
336 "This account is a NORMAL_ACCOUNT",
337 "This account is NOT a normal_account",
339 static const true_false_string user_account_control_temp_duplicate_account= {
340 "This account is a TEMP_DUPLICATE_ACCOUNT",
341 "This account is NOT a temp_duplicate_account",
343 static const true_false_string user_account_control_password_not_required= {
344 "This account REQUIRES_NO_PASSWORD",
345 "This account REQUIRES a password",
347 static const true_false_string user_account_control_home_directory_required= {
348 "This account REQUIRES_HOME_DIRECTORY",
349 "This account does NOT require_home_directory",
351 static const true_false_string user_account_control_account_disabled= {
352 "This account is DISABLED",
353 "This account is NOT disabled",
/*
 * Dissect the 32-bit user account control mask and add one boolean item per
 * flag beneath it.
 *
 * The value is shown once over the four bytes just consumed (offset-4, length
 * 4) and every flag item is decoded from that same value and byte range.
 *
 * NOTE(review): this listing omits lines (the gutter numbers skip), so the
 * return type, the declarations of di and mask, the body of the
 * conformant-run test, any guard on parent_tree and the return statement are
 * not visible here.
 */
356 netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
357 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
360 proto_item *item = NULL;
361 proto_tree *tree = NULL;
364 di=pinfo->private_data;
365 if(di->conformant_run){
366 /*just a run to handle conformant arrays, nothing to dissect */
/* NULL tree: the helper only fetches the value into mask and advances
   offset; the item itself is added below. */
370 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
371 hf_netlogon_user_account_control, &mask);
374 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_account_control,
375 tvb, offset-4, 4, mask);
376 tree = proto_item_add_subtree(item, ett_user_account_control);
/* One boolean per flag, all taken from the same mask. */
379 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_require_preauth,
380 tvb, offset-4, 4, mask);
381 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_use_des_key_only,
382 tvb, offset-4, 4, mask);
383 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_not_delegated,
384 tvb, offset-4, 4, mask);
385 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_trusted_for_delegation,
386 tvb, offset-4, 4, mask);
387 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_smartcard_required,
388 tvb, offset-4, 4, mask);
389 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_encrypted_text_password_allowed,
390 tvb, offset-4, 4, mask);
391 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_auto_locked,
392 tvb, offset-4, 4, mask);
393 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_dont_expire_password,
394 tvb, offset-4, 4, mask);
395 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_server_trust_account,
396 tvb, offset-4, 4, mask);
397 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_workstation_trust_account,
398 tvb, offset-4, 4, mask);
399 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_interdomain_trust_account,
400 tvb, offset-4, 4, mask);
401 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_mns_logon_account,
402 tvb, offset-4, 4, mask);
403 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_normal_account,
404 tvb, offset-4, 4, mask);
405 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_temp_duplicate_account,
406 tvb, offset-4, 4, mask);
407 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_password_not_required,
408 tvb, offset-4, 4, mask);
409 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_home_directory_required,
410 tvb, offset-4, 4, mask);
411 proto_tree_add_boolean(tree, hf_netlogon_user_account_control_account_disabled,
412 tvb, offset-4, 4, mask);
/*
 * Dissect the server handle: a unique pointer to a string, labelled
 * "Server Handle" and stored in hf_netlogon_logonsrv_handle.
 * NOTE(review): the rest of the parameter list, the braces and the return
 * statement are not shown in this listing.
 */
418 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
419 packet_info *pinfo, proto_tree *tree,
422 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
423 NDR_POINTER_UNIQUE, "Server Handle",
424 hf_netlogon_logonsrv_handle, 0);
430 * IDL typedef struct {
431 * IDL [unique][string] wchar_t *effective_name;
433 * IDL long auth_flags;
434 * IDL long logon_count;
435 * IDL long bad_pw_count;
436 * IDL long last_logon;
437 * IDL long last_logoff;
438 * IDL long logoff_time;
439 * IDL long kickoff_time;
440 * IDL long password_age;
441 * IDL long pw_can_change;
442 * IDL long pw_must_change;
443 * IDL [unique][string] wchar_t *computer;
444 * IDL [unique][string] wchar_t *domain;
445 * IDL [unique][string] wchar_t *script_path;
/*
 * Dissect a VALIDATION_UAS_INFO structure field by field, in wire order:
 * effective account name, privilege, auth flags, logon count, bad password
 * count, seven time values, computer, domain and script strings, and a
 * trailing reserved 32-bit value.
 *
 * NOTE(review): this listing omits lines (the gutter numbers skip), so the
 * declaration of di, the body of the conformant-run test and the return
 * statement are not visible here.
 */
449 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
450 packet_info *pinfo, proto_tree *tree,
455 di=pinfo->private_data;
456 if(di->conformant_run){
457 /*just a run to handle conformant arrays, nothing to dissect */
461 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
462 NDR_POINTER_UNIQUE, "Effective Account",
463 hf_netlogon_acct_name, 0);
465 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
466 hf_netlogon_priv, NULL);
468 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
469 hf_netlogon_auth_flags, NULL);
471 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
472 hf_netlogon_logon_count, NULL);
474 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
475 hf_netlogon_bad_pw_count, NULL);
/* Seven consecutive time values, each read with dissect_ndr_time_t. */
478 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logon_time, NULL);
480 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_last_logoff_time, NULL);
482 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_logoff_time, NULL);
484 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_kickoff_time, NULL);
486 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_age, NULL);
488 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_can_change_time, NULL);
490 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, drep, hf_netlogon_pwd_must_change_time, NULL);
492 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
493 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
495 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
496 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
498 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
499 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
502 hf_netlogon_reserved, NULL);
508 * IDL long NetrLogonUasLogon(
509 * IDL [in][unique][string] wchar_t *ServerName,
510 * IDL [in][ref][string] wchar_t *UserName,
511 * IDL [in][ref][string] wchar_t *Workstation,
512 * IDL [out][unique] VALIDATION_UAS_INFO *info
/*
 * Dissect a NetrLogonUasLogon request: server handle, then the account name
 * and the workstation name, both as reference pointers to strings.
 * The account name is passed CB_STR_COL_INFO - presumably so the string is
 * also shown in the Info column; confirm against the helper.
 * NOTE(review): the continuation of the LOGONSRV_HANDLE call, the braces and
 * the return statement are not shown in this listing.
 */
516 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
517 packet_info *pinfo, proto_tree *tree, guint8 *drep)
519 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
522 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
523 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
525 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
526 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/*
 * Dissect a NetrLogonUasLogon reply: a unique pointer to VALIDATION_UAS_INFO
 * followed by the NTSTATUS return code (hf_netlogon_rc).
 * NOTE(review): the braces and the return statement are not shown in this
 * listing.
 */
533 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
534 packet_info *pinfo, proto_tree *tree, guint8 *drep)
536 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
537 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
538 "VALIDATION_UAS_INFO", -1);
540 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
541 hf_netlogon_rc, NULL);
547 * IDL typedef struct {
549 * IDL short logon_count;
550 * IDL } LOGOFF_UAS_INFO;
/*
 * Dissect a LOGOFF_UAS_INFO structure: a 4-byte duration that is only
 * labelled ("unknown time format", not decoded) and a 16-bit logon count.
 * NOTE(review): this listing omits lines (the gutter numbers skip); the
 * statement that advances offset past the 4-byte duration, the
 * conformant-run body and the return statement are not visible here.
 */
553 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
554 packet_info *pinfo, proto_tree *tree,
559 di=pinfo->private_data;
560 if(di->conformant_run){
561 /*just a run to handle conformant arrays, nothing to dissect */
565 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
568 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
569 hf_netlogon_logon_count16, NULL);
575 * IDL long NetrLogonUasLogoff(
576 * IDL [in][unique][string] wchar_t *ServerName,
577 * IDL [in][ref][string] wchar_t *UserName,
578 * IDL [in][ref][string] wchar_t *Workstation,
579 * IDL [out][ref] LOGOFF_UAS_INFO *info
/*
 * Dissect a NetrLogonUasLogoff request: server handle, then the account name
 * and the workstation name, both as reference pointers to strings.
 * NOTE(review): the continuation of the LOGONSRV_HANDLE call, the braces and
 * the return statement are not shown in this listing.
 */
583 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
584 packet_info *pinfo, proto_tree *tree, guint8 *drep)
586 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
589 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
590 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO);
592 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
593 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
/*
 * Dissect a NetrLogonUasLogoff reply: a reference pointer to LOGOFF_UAS_INFO
 * followed by the NTSTATUS return code (hf_netlogon_rc).
 * NOTE(review): the braces and the return statement are not shown in this
 * listing.
 */
600 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
601 packet_info *pinfo, proto_tree *tree, guint8 *drep)
603 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
604 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
605 "LOGOFF_UAS_INFO", -1);
607 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
608 hf_netlogon_rc, NULL);
617 * IDL typedef struct {
618 * IDL UNICODESTRING LogonDomainName;
619 * IDL long ParameterControl;
620 * IDL uint64 LogonID;
621 * IDL UNICODESTRING UserName;
622 * IDL UNICODESTRING Workstation;
623 * IDL } LOGON_IDENTITY_INFO;
/*
 * Dissect a LOGON_IDENTITY_INFO structure under its own subtree: logon
 * domain, parameter control, 64-bit logon id, account name and workstation.
 *
 * The subtree item is created with length 0 and resized at the end to the
 * number of bytes actually consumed (offset - old_offset).
 *
 * NOTE(review): this listing omits lines (the gutter numbers skip); the label
 * passed to proto_tree_add_text, any guard on parent_tree and the return
 * statement are not visible here.
 */
626 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
627 packet_info *pinfo, proto_tree *parent_tree,
630 proto_item *item=NULL;
631 proto_tree *tree=NULL;
632 int old_offset=offset;
635 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
637 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
640 /* XXX: It would be nice to get the domain and account name
641 displayed in COL_INFO. */
643 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
644 hf_netlogon_logon_dom, 0);
646 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
647 hf_netlogon_param_ctrl, NULL);
649 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
650 hf_netlogon_logon_id, NULL);
652 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
653 hf_netlogon_acct_name, CB_STR_COL_INFO|3);
655 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
656 hf_netlogon_workstation, 0);
/* NOTE(review): the comments below say the 8-byte read is disabled, yet the
   call appears as live code in this listing; the guard that disables it is
   presumably on lines not shown (gutter 658, 663-664, 666-667 are absent).
   Confirm before relying on the offset arithmetic that follows. */
659 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
660 /* XXX 8 extra bytes here */
661 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
662 the idl file. Could be a bug in either the NETLOGON implementation or in the
665 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
668 proto_item_set_len(item, offset-old_offset);
674 * IDL typedef struct {
675 * IDL char password[16];
676 * IDL } LM_OWF_PASSWORD;
/*
 * Dissect an LM_OWF_PASSWORD: a fixed 16-byte value shown under its own
 * subtree as hf_netlogon_lm_owf_password.
 *
 * The bytes are added to the tree exactly as they appear in the packet;
 * nothing in the visible code decrypts, interprets or validates them.
 * NOTE(review): OWF presumably stands for the one-way-function (hash) form of
 * the password; whether the value is additionally encrypted on the wire
 * cannot be told from this function. Either way, a capture or exported
 * dissection that shows this field contains credential material.
 *
 * NOTE(review): this listing omits lines (the gutter numbers skip); the
 * subtree label, the conformant-run body, the offset advance and the return
 * statement are not visible here.
 */
679 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
680 packet_info *pinfo, proto_tree *parent_tree,
683 proto_item *item=NULL;
684 proto_tree *tree=NULL;
687 di=pinfo->private_data;
688 if(di->conformant_run){
689 /*just a run to handle conformant arrays, nothing to dissect.*/
694 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
696 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
699 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
707 * IDL typedef struct {
708 * IDL char password[16];
709 * IDL } NT_OWF_PASSWORD;
/*
 * Dissect an NT_OWF_PASSWORD: a fixed 16-byte value shown under its own
 * subtree as hf_netlogon_nt_owf_password.
 *
 * The bytes are added to the tree exactly as they appear in the packet;
 * nothing in the visible code decrypts, interprets or validates them.
 * NOTE(review): OWF presumably stands for the one-way-function (hash) form of
 * the password; whether the value is additionally encrypted on the wire
 * cannot be told from this function. Either way, a capture or exported
 * dissection that shows this field contains credential material.
 *
 * NOTE(review): this listing omits lines (the gutter numbers skip); the
 * subtree label, the conformant-run body, the offset advance and the return
 * statement are not visible here.
 */
712 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
713 packet_info *pinfo, proto_tree *parent_tree,
716 proto_item *item=NULL;
717 proto_tree *tree=NULL;
720 di=pinfo->private_data;
721 if(di->conformant_run){
722 /*just a run to handle conformant arrays, nothing to dissect.*/
727 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
729 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
732 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
741 * IDL typedef struct {
742 * IDL LOGON_IDENTITY_INFO identity_info;
743 * IDL LM_OWF_PASSWORD lmpassword;
744 * IDL NT_OWF_PASSWORD ntpassword;
745 * IDL } INTERACTIVE_INFO;
/*
 * Dissect an INTERACTIVE_INFO structure by chaining three sub-dissectors in
 * wire order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD.
 * NOTE(review): the continuation lines of each call, the braces and the
 * return statement are not shown in this listing.
 */
748 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
749 packet_info *pinfo, proto_tree *tree,
752 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
755 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
758 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
765 * IDL typedef struct {
/*
 * Dissect a CHALLENGE: a fixed 8-byte value added to the tree as
 * hf_netlogon_challenge, exactly as it appears in the packet.
 * NOTE(review): this listing omits lines (the gutter numbers skip); the
 * declaration of di, the conformant-run body, the last argument of
 * proto_tree_add_item, the offset advance and the return statement are not
 * visible here.
 */
770 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
771 packet_info *pinfo, proto_tree *tree,
776 di=pinfo->private_data;
777 if(di->conformant_run){
778 /*just a run to handle conformant arrays, nothing to dissect.*/
782 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
790 * IDL typedef struct {
791 * IDL LOGON_IDENTITY_INFO logon_info;
792 * IDL CHALLENGE chal;
793 * IDL STRING ntchallengeresponse;
794 * IDL STRING lmchallengeresponse;
795 * IDL } NETWORK_INFO;
/*
 * Callback for the NT challenge-response byte array: passes the payload to
 * the NTLMv2 response dissector.
 *
 * start_offset and end_offset delimit the array inside tvb and are supplied
 * by the caller; start_offset is first rounded up to a 4-byte boundary, and
 * len is the signed distance from there to end_offset.
 *
 * NOTE(review): the comment below speaks of skipping three guint32s, but the
 * statement that advances past them, the declaration of len and any
 * minimum-length test in front of the call are not visible in this listing
 * (gutter 802-804, 810 and 815 are absent). Because both offsets come from
 * packet data, len is zero or negative whenever the array is shorter than the
 * skipped header; confirm that the call is guarded by a length check.
 */
798 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
799 proto_item *item _U_, tvbuff_t *tvb,
800 int start_offset, int end_offset,
801 void *callback_args _U_)
805 /* Skip over 3 guint32's in NDR format */
807 if (start_offset % 4)
808 start_offset += 4 - (start_offset % 4);
811 len = end_offset - start_offset;
813 /* Call ntlmv2 response dissector */
816 dissect_ntlmv2_response(tvb, tree, start_offset, len);
/*
 * Dissect a NETWORK_INFO structure: LOGON_IDENTITY_INFO, the 8-byte
 * CHALLENGE, then the NT and LM challenge responses as counted byte arrays.
 * The NT response is additionally handed to dissect_nt_chal_resp_cb; the LM
 * response is shown as raw bytes only.
 * NOTE(review): the continuation lines of the first two calls, the braces and
 * the return statement are not shown in this listing.
 */
820 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
821 packet_info *pinfo, proto_tree *tree,
824 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
827 offset = netlogon_dissect_CHALLENGE(tvb, offset,
830 offset = dissect_ndr_counted_byte_array_cb(
831 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
832 dissect_nt_chal_resp_cb, NULL);
834 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
835 hf_netlogon_lm_chal_resp);
841 * IDL typedef struct {
842 * IDL LOGON_IDENTITY_INFO logon_info;
843 * IDL LM_OWF_PASSWORD lmpassword;
844 * IDL NT_OWF_PASSWORD ntpassword;
845 * IDL } SERVICE_INFO;
/*
 * Dissect a SERVICE_INFO structure by chaining three sub-dissectors in wire
 * order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD.
 * NOTE(review): the continuation lines of each call, the braces and the
 * return statement are not shown in this listing.
 */
848 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
849 packet_info *pinfo, proto_tree *tree,
852 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
855 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
858 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
865 * IDL typedef [switch_type(short)] union {
866 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
867 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
868 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
/*
 * Dissect the logon-level union: read the 16-bit level discriminant, then
 * follow a unique pointer to INTERACTIVE_INFO, NETWORK_INFO or SERVICE_INFO.
 *
 * NOTE(review): the selection between the three pointer calls (presumably a
 * switch on level), the handling of any other level value, the declaration
 * of level and the return statement are on lines not shown in this listing.
 * level is taken from the packet, so confirm that unknown values fall
 * through without dissecting a body.
 */
872 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
873 packet_info *pinfo, proto_tree *tree,
878 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
879 hf_netlogon_level16, &level);
884 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
885 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
886 "INTERACTIVE_INFO:", -1);
889 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
890 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
891 "NETWORK_INFO:", -1);
894 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
895 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
896 "SERVICE_INFO:", -1);
904 * IDL typedef struct {
/*
 * Dissect a CREDENTIAL: a fixed 8-byte value added to the tree as
 * hf_netlogon_credential, exactly as it appears in the packet.
 * NOTE(review): this listing omits lines (the gutter numbers skip); the
 * declaration of di, the conformant-run body, the last argument of
 * proto_tree_add_item, the offset advance and the return statement are not
 * visible here.
 */
909 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
910 packet_info *pinfo, proto_tree *tree,
915 di=pinfo->private_data;
916 if(di->conformant_run){
917 /*just a run to handle conformant arrays, nothing to dissect.*/
921 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
930 * IDL typedef struct {
931 * IDL CREDENTIAL cred;
932 * IDL long timestamp;
933 * IDL } AUTHENTICATOR;
/*
 * Dissect an AUTHENTICATOR: the 8-byte CREDENTIAL followed by a 32-bit
 * timestamp shown as hf_netlogon_timestamp.
 *
 * NOTE(review): the timestamp is fetched with tvb_get_letohl, i.e. always as
 * little-endian; drep is not consulted on that line, unlike the dissect_ndr_*
 * helpers used for other fields in this file. The existing comment also warns
 * that the value is not always a real time, so the displayed date should not
 * be trusted as one.
 *
 * NOTE(review): this listing omits lines (the gutter numbers skip); the
 * declarations of di and ts, the conformant-run body, the remaining members
 * of ts, the offset advance and the return statement are not visible here.
 */
936 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
937 packet_info *pinfo, proto_tree *tree,
943 di=pinfo->private_data;
944 if(di->conformant_run){
945 /*just a run to handle conformant arrays, nothing to dissect */
949 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
953 * XXX - this appears to be a UNIX time_t in some credentials, but
954 * appears to be random junk in other credentials.
955 * For example, it looks like a UNIX time_t in "credential"
956 * AUTHENTICATORs, but like random junk in "return_authenticator"
960 ts.secs = tvb_get_letohl(tvb, offset);
962 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
/*
 * Display strings for the three group-membership attribute bits. In each
 * pair the first string is shown when the bit is set and the second when it
 * is clear.
 * NOTE(review): the closing line of each initializer is not shown in this
 * listing (the gutter numbers skip one line after every pair).
 */
969 static const true_false_string group_attrs_mandatory = {
970 "The MANDATORY bit is SET",
971 "The mandatory bit is NOT set",
973 static const true_false_string group_attrs_enabled_by_default = {
974 "The ENABLED_BY_DEFAULT bit is SET",
975 "The enabled_by_default bit is NOT set",
977 static const true_false_string group_attrs_enabled = {
978 "The enabled bit is SET",
979 "The enabled bit is NOT set",
/*
 * Dissect the 32-bit group-membership attribute mask and add one boolean
 * item per flag (enabled, enabled by default, mandatory) beneath it.
 *
 * The value is shown once over the four bytes just consumed (offset-4, length
 * 4) and each flag item is decoded from that same value and byte range.
 *
 * NOTE(review): this listing omits lines (the gutter numbers skip), so the
 * return type, the declarations of di and mask, the body of the
 * conformant-run test, any guard on parent_tree and the return statement are
 * not visible here.
 */
982 netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvbuff_t *tvb, int offset,
983 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
986 proto_item *item = NULL;
987 proto_tree *tree = NULL;
990 di=pinfo->private_data;
991 if(di->conformant_run){
992 /*just a run to handle conformant arrays, nothing to dissect */
/* NULL tree: the helper only fetches the value into mask and advances
   offset; the item itself is added below. */
996 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
997 hf_netlogon_attrs, &mask);
1000 item = proto_tree_add_uint(parent_tree, hf_netlogon_attrs,
1001 tvb, offset-4, 4, mask);
1002 tree = proto_item_add_subtree(item, ett_group_attrs);
1005 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled,
1006 tvb, offset-4, 4, mask);
1007 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_enabled_by_default,
1008 tvb, offset-4, 4, mask);
1009 proto_tree_add_boolean(tree, hf_netlogon_group_attrs_mandatory,
1010 tvb, offset-4, 4, mask);
1016 * IDL typedef struct {
1018 * IDL long attributes;
1019 * IDL } GROUP_MEMBERSHIP;
/*
 * Dissect one GROUP_MEMBERSHIP entry in its own "GROUP_MEMBERSHIP:" subtree:
 * the 32-bit group RID followed by the attributes word.
 */
1022 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1023 packet_info *pinfo, proto_tree *parent_tree,
1026 proto_item *item=NULL;
1027 proto_tree *tree=NULL;
/* the text item is created with length 0; any later length fix-up is on
 * lines that are absent from this listing */
1030 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
1031 "GROUP_MEMBERSHIP:");
1032 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
/* group RID (value displayed only; NULL out-pointer) */
1035 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1036 hf_netlogon_group_rid, NULL);
/* attributes word, broken out bit by bit */
1038 offset = netlogon_dissect_GROUP_MEMBERSHIP_ATTRIBUTES(tvb, offset,
/*
 * Dissect an array of GROUP_MEMBERSHIP entries by handing the per-element
 * dissector to dissect_ndr_ucarray.
 * NOTE(review): the element count is presumably taken by that helper from the
 * array header in the packet, i.e. it is peer-controlled - confirm the helper
 * bounds the iteration by the data actually present.
 */
1045 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1046 packet_info *pinfo, proto_tree *tree,
1049 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
1050 netlogon_dissect_GROUP_MEMBERSHIP);
1056 * IDL typedef struct {
1057 * IDL char user_session_key[16];
1058 * IDL } USER_SESSION_KEY;
/*
 * Dissect a USER_SESSION_KEY: adds the 16 bytes at `offset` to `tree` as
 * hf_netlogon_user_session_key.  The length is the constant 16 (matching
 * user_session_key[16] in the IDL above), not a value taken from the packet.
 * The field exposes the key bytes exactly as they appear in the capture.
 */
1061 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1062 packet_info *pinfo, proto_tree *tree,
1067 di=pinfo->private_data;
1068 if(di->conformant_run){
1069 /*just a run to handle conformant arrays, nothing to dissect.*/
1073 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
/*
 * Display strings for the two user-flag bits decoded by this file.  In each
 * pair the first string is the "bit is set" text, the second the "not set"
 * text.
 */
1082 static const true_false_string user_flags_extra_sids= {
1083 "The EXTRA_SIDS bit is SET",
1084 "The extra_sids is NOT set",
1086 static const true_false_string user_flags_resource_groups= {
1087 "The RESOURCE_GROUPS bit is SET",
1088 "The resource_groups is NOT set",
/*
 * Dissect the 32-bit user flags word: show the raw value as a parent item
 * under parent_tree and one boolean child per known bit (resource groups,
 * extra SIDs) in an ett_user_flags subtree.
 */
1091 netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1092 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
1095 proto_item *item = NULL;
1096 proto_tree *tree = NULL;
1099 di=pinfo->private_data;
1100 if(di->conformant_run){
1101 /*just a run to handle conformant arrays, nothing to dissect */
/*
 * NULL is passed as the tree, so presumably the helper adds no item of its
 * own and is used only to fetch the value into mask and advance offset.
 */
1105 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
1106 hf_netlogon_user_flags, &mask);
/* offset now points past the word just read, hence offset-4 with length 4 */
1109 item = proto_tree_add_uint(parent_tree, hf_netlogon_user_flags,
1110 tvb, offset-4, 4, mask);
1111 tree = proto_item_add_subtree(item, ett_user_flags);
1114 proto_tree_add_boolean(tree, hf_netlogon_user_flags_resource_groups,
1115 tvb, offset-4, 4, mask);
1116 proto_tree_add_boolean(tree, hf_netlogon_user_flags_extra_sids,
1117 tvb, offset-4, 4, mask);
1123 * IDL typedef struct {
1124 * IDL uint64 LogonTime;
1125 * IDL uint64 LogoffTime;
1126 * IDL uint64 KickOffTime;
1127 * IDL uint64 PasswdLastSet;
1128 * IDL uint64 PasswdCanChange;
1129 * IDL uint64 PasswdMustChange;
1130 * IDL unicodestring effectivename;
1131 * IDL unicodestring fullname;
1132 * IDL unicodestring logonscript;
1133 * IDL unicodestring profilepath;
1134 * IDL unicodestring homedirectory;
1135 * IDL unicodestring homedirectorydrive;
1136 * IDL short LogonCount;
1137 * IDL short BadPasswdCount;
1139 * IDL long primarygroup;
1140 * IDL long groupcount;
1141 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1142 * IDL long userflags;
1143 * IDL USER_SESSION_KEY key;
1144 * IDL unicodestring logonserver;
1145 * IDL unicodestring domainname;
1146 * IDL [unique] SID logondomainid;
1147 * IDL long expansionroom[2];
1148 * IDL long useraccountcontrol;
1149 * IDL long expansionroom[7];
1150 * IDL } VALIDATION_SAM_INFO;
/*
 * Dissect a VALIDATION_SAM_INFO structure field by field, in the order given
 * by the IDL above.  Every helper returns the offset of the next field.
 * NOTE(review): this listing omits source lines (see the gaps in the gutter
 * numbers); several calls below are shown without their continuation lines.
 */
1153 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1154 packet_info *pinfo, proto_tree *tree,
/* six NTTIME fields: logon, logoff, kickoff, password last set / can change /
 * must change */
1159 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1160 hf_netlogon_logon_time);
1162 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1163 hf_netlogon_logoff_time);
1165 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1166 hf_netlogon_kickoff_time);
1168 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1169 hf_netlogon_pwd_last_set_time);
1171 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1172 hf_netlogon_pwd_can_change_time);
1174 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1175 hf_netlogon_pwd_must_change_time);
/* six counted strings: account name, full name, logon script, profile path,
 * home directory, home directory drive */
1177 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1178 hf_netlogon_acct_name, 0);
1180 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1181 hf_netlogon_full_name, 0);
1183 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1184 hf_netlogon_logon_script, 0);
1186 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1187 hf_netlogon_profile_path, 0);
1189 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1190 hf_netlogon_home_dir, 0);
1192 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1193 hf_netlogon_dir_drive, 0);
/* 16-bit logon and bad-password counters */
1195 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1196 hf_netlogon_logon_count16, NULL);
1198 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1199 hf_netlogon_bad_pw_count16, NULL);
/* user RID, primary group RID, and the group count; the count is displayed
 * only (NULL out-pointer) and is not used to size the array below */
1201 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1202 hf_netlogon_user_rid, NULL);
1204 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1205 hf_netlogon_group_rid, NULL);
1207 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1208 hf_netlogon_num_rids, NULL);
/* unique pointer to the GROUP_MEMBERSHIP array, dissected by the callback */
1210 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1211 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1212 "GROUP_MEMBERSHIP_ARRAY", -1);
/* user flags word, then the session key */
1214 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1217 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
/* logon server and logon domain names, then the logon domain SID */
1220 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1221 hf_netlogon_logon_srv, 0);
1223 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1224 hf_netlogon_logon_dom, 0);
1226 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
/* NOTE(review): the IDL declares expansionroom[2] and expansionroom[7] around
 * useraccountcontrol; only one uint32 call is visible for each because the
 * surrounding lines are absent from this listing */
1229 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1230 hf_netlogon_unknown_long, NULL);
1232 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1236 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1237 hf_netlogon_unknown_long, NULL);
1246 * IDL typedef struct {
1247 * IDL uint64 LogonTime;
1248 * IDL uint64 LogoffTime;
1249 * IDL uint64 KickOffTime;
1250 * IDL uint64 PasswdLastSet;
1251 * IDL uint64 PasswdCanChange;
1252 * IDL uint64 PasswdMustChange;
1253 * IDL unicodestring effectivename;
1254 * IDL unicodestring fullname;
1255 * IDL unicodestring logonscript;
1256 * IDL unicodestring profilepath;
1257 * IDL unicodestring homedirectory;
1258 * IDL unicodestring homedirectorydrive;
1259 * IDL short LogonCount;
1260 * IDL short BadPasswdCount;
1262 * IDL long primarygroup;
1263 * IDL long groupcount;
1264 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1265 * IDL long userflags;
1266 * IDL USER_SESSION_KEY key;
1267 * IDL unicodestring logonserver;
1268 * IDL unicodestring domainname;
1269 * IDL [unique] SID logondomainid;
1270 * IDL long expansionroom[2];
1271 * IDL long useraccountcontrol;
1272 * IDL long expansionroom[7];
1273 * IDL long sidcount;
1274 * IDL [unique] SID_AND_ATTRIBS;
1275 * IDL } VALIDATION_SAM_INFO2;
/*
 * Dissect a VALIDATION_SAM_INFO2 structure field by field, in the order given
 * by the IDL above: the same fields as shown for VALIDATION_SAM_INFO followed
 * by an extra-SID count and a pointer to a SID_AND_ATTRIBUTES array.
 * NOTE(review): this listing omits source lines (see the gaps in the gutter
 * numbers); several calls below are shown without their continuation lines.
 */
1278 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1279 packet_info *pinfo, proto_tree *tree,
/* six NTTIME fields: logon, logoff, kickoff, password last set / can change /
 * must change */
1284 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1285 hf_netlogon_logon_time);
1287 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1288 hf_netlogon_logoff_time);
1290 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1291 hf_netlogon_kickoff_time);
1293 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1294 hf_netlogon_pwd_last_set_time);
1296 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1297 hf_netlogon_pwd_can_change_time);
1299 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1300 hf_netlogon_pwd_must_change_time);
/* six counted strings: account name, full name, logon script, profile path,
 * home directory, home directory drive */
1302 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1303 hf_netlogon_acct_name, 0);
1305 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1306 hf_netlogon_full_name, 0);
1308 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1309 hf_netlogon_logon_script, 0);
1311 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1312 hf_netlogon_profile_path, 0);
1314 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1315 hf_netlogon_home_dir, 0);
1317 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1318 hf_netlogon_dir_drive, 0);
/* 16-bit logon and bad-password counters */
1320 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1321 hf_netlogon_logon_count16, NULL);
1323 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1324 hf_netlogon_bad_pw_count16, NULL);
/* user RID, primary group RID, and the group count; the count is displayed
 * only (NULL out-pointer) and is not used to size the array below */
1326 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1327 hf_netlogon_user_rid, NULL);
1329 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1330 hf_netlogon_group_rid, NULL);
1332 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1333 hf_netlogon_num_rids, NULL);
/* unique pointer to the GROUP_MEMBERSHIP array, dissected by the callback */
1335 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1336 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1337 "GROUP_MEMBERSHIP_ARRAY", -1);
/* user flags word, then the session key */
1339 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1342 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
/* logon server and logon domain names, then the logon domain SID */
1345 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1346 hf_netlogon_logon_srv, 0);
1348 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1349 hf_netlogon_logon_dom, 0);
1351 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
/* NOTE(review): the IDL declares expansionroom[2] and expansionroom[7] around
 * useraccountcontrol; only one uint32 call is visible for each because the
 * surrounding lines are absent from this listing */
1354 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1355 hf_netlogon_unknown_long, NULL);
1357 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1361 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1362 hf_netlogon_unknown_long, NULL);
/* extra-SID count (displayed only) and the pointer to the extra SIDs */
1365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1366 hf_netlogon_num_other_groups, NULL);
1368 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1369 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1370 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1380 * IDL typedef struct {
1381 * IDL uint64 LogonTime;
1382 * IDL uint64 LogoffTime;
1383 * IDL uint64 KickOffTime;
1384 * IDL uint64 PasswdLastSet;
1385 * IDL uint64 PasswdCanChange;
1386 * IDL uint64 PasswdMustChange;
1387 * IDL unicodestring effectivename;
1388 * IDL unicodestring fullname;
1389 * IDL unicodestring logonscript;
1390 * IDL unicodestring profilepath;
1391 * IDL unicodestring homedirectory;
1392 * IDL unicodestring homedirectorydrive;
1393 * IDL short LogonCount;
1394 * IDL short BadPasswdCount;
1396 * IDL long primarygroup;
1397 * IDL long groupcount;
1398 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1399 * IDL long userflags;
1400 * IDL USER_SESSION_KEY key;
1401 * IDL unicodestring logonserver;
1402 * IDL unicodestring domainname;
1403 * IDL [unique] SID logondomainid;
1404 * IDL long expansionroom[2];
1405 * IDL long useraccountcontrol;
1406 * IDL long expansionroom[7];
1407 * IDL long sidcount;
1408 * IDL [unique] SID_AND_ATTRIBS;
1409 * IDL [unique] SID resourcegroupdomainsid;
1410 * IDL long resourcegroupcount;
1412 * IDL } PAC_LOGON_INFO;
/*
 * Dissect a PAC_LOGON_INFO structure field by field, in the order given by
 * the IDL above: the fields shown for VALIDATION_SAM_INFO2 followed by the
 * resource group domain SID, the resource group count and a pointer to the
 * resource group array.
 * NOTE(review): this listing omits source lines (see the gaps in the gutter
 * numbers); several calls below are shown without their continuation lines.
 */
1415 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1416 packet_info *pinfo, proto_tree *tree,
/* six NTTIME fields: logon, logoff, kickoff, password last set / can change /
 * must change */
1422 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1423 hf_netlogon_logon_time);
1425 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1426 hf_netlogon_logoff_time);
1428 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1429 hf_netlogon_kickoff_time);
1431 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1432 hf_netlogon_pwd_last_set_time);
1434 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1435 hf_netlogon_pwd_can_change_time);
1437 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1438 hf_netlogon_pwd_must_change_time);
/* six counted strings: account name, full name, logon script, profile path,
 * home directory, home directory drive */
1440 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1441 hf_netlogon_acct_name, 0);
1443 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1444 hf_netlogon_full_name, 0);
1446 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1447 hf_netlogon_logon_script, 0);
1449 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1450 hf_netlogon_profile_path, 0);
1452 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1453 hf_netlogon_home_dir, 0);
1455 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1456 hf_netlogon_dir_drive, 0);
/* 16-bit logon and bad-password counters */
1458 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1459 hf_netlogon_logon_count16, NULL);
1461 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1462 hf_netlogon_bad_pw_count16, NULL);
/* user RID, primary group RID, and the group count; the count is displayed
 * only (NULL out-pointer) and is not used to size the array below */
1464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1465 hf_netlogon_user_rid, NULL);
1467 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1468 hf_netlogon_group_rid, NULL);
1470 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1471 hf_netlogon_num_rids, NULL);
/* unique pointer to the GROUP_MEMBERSHIP array, dissected by the callback */
1473 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1474 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1475 "GROUP_MEMBERSHIP_ARRAY", -1);
/* user flags word, then the session key */
1477 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1480 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
/* logon server and logon domain names, then the logon domain SID */
1483 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1484 hf_netlogon_logon_srv, 0);
1486 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1487 hf_netlogon_logon_dom, 0);
1489 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
/* NOTE(review): the IDL declares expansionroom[2] and expansionroom[7] around
 * useraccountcontrol; only one uint32 call is visible for each because the
 * surrounding lines are absent from this listing */
1492 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1493 hf_netlogon_unknown_long, NULL);
1495 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1499 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1500 hf_netlogon_unknown_long, NULL);
/* extra-SID count (displayed only) and the pointer to the extra SIDs */
1503 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1504 hf_netlogon_num_other_groups, NULL);
1506 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1507 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1508 "SID_AND_ATTRIBUTES_ARRAY:", -1);
/* resource group domain SID */
1510 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
/* resource group count is stored in rgc; no later use of rgc is visible in
 * this listing */
1512 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1513 hf_netlogon_resourcegroupcount, &rgc);
/* resource groups reuse the GROUP_MEMBERSHIP array dissector */
1515 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1516 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1517 "ResourceGroupIDs", -1);
/*
 * Dissect the PAC blob: a 32-bit size read into pac_size, followed by
 * pac_size bytes added to the tree as hf_netlogon_pac_data.
 * NOTE(review): pac_size comes straight from the packet and is used as the
 * item length.  The lines after 1541 are absent from this listing, so whether
 * offset is then advanced by pac_size cannot be seen here.  If it is, the
 * bytes should first be confirmed present in the tvb (Wireshark's epan offers
 * tvb_ensure_bytes_exist for this): depending on the epan version,
 * proto_tree_add_item may not validate the length when tree is NULL, and an
 * unchecked add could push the int offset past the buffer or wrap it.
 */
1525 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1526 packet_info *pinfo, proto_tree *tree,
1532 di=pinfo->private_data;
1533 if(di->conformant_run){
1534 /*just a run to handle conformant arrays, nothing to dissect */
/* size field: displayed and captured for use as the data length */
1538 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1539 hf_netlogon_pac_size, &pac_size);
1541 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
/*
 * Dissect the AUTH blob: a 32-bit size read into auth_size, followed by
 * auth_size bytes added to the tree as hf_netlogon_auth_data; offset is then
 * advanced by auth_size.
 * NOTE(review): auth_size comes straight from the packet and is both the item
 * length and the amount added to offset, with no range check visible in this
 * listing.  Depending on the epan version, proto_tree_add_item may not
 * validate the length when tree is NULL, so the bytes should be confirmed
 * present before the add (Wireshark's epan offers tvb_ensure_bytes_exist for
 * this); otherwise a huge size can move the int offset past the buffer or
 * wrap it, and later fields are then read from the wrong place.
 */
1549 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1550 packet_info *pinfo, proto_tree *tree,
1556 di=pinfo->private_data;
1557 if(di->conformant_run){
1558 /*just a run to handle conformant arrays, nothing to dissect */
/* size field: displayed and captured for use as the data length */
1562 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1563 hf_netlogon_auth_size, &auth_size);
1565 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
/* skip the blob: wire-supplied length added to a signed offset (see note) */
1567 offset += auth_size;
1574 * IDL typedef struct {
1576 * IDL [unique][size_is(pac_size)] char *pac;
1577 * IDL UNICODESTRING logondomain;
1578 * IDL UNICODESTRING logonserver;
1579 * IDL UNICODESTRING principalname;
1580 * IDL long auth_size;
1581 * IDL [unique][size_is(auth_size)] char *auth;
1582 * IDL USER_SESSION_KEY user_session_key;
1583 * IDL long expansionroom[2];
1584 * IDL long useraccountcontrol;
1585 * IDL long expansionroom[7];
1586 * IDL UNICODESTRING dummy1;
1587 * IDL UNICODESTRING dummy2;
1588 * IDL UNICODESTRING dummy3;
1589 * IDL UNICODESTRING dummy4;
1590 * IDL } VALIDATION_PAC_INFO;
/*
 * Dissect a VALIDATION_PAC_INFO structure field by field, in the order given
 * by the IDL above.  Every helper returns the offset of the next field.
 * NOTE(review): this listing omits source lines (see the gaps in the gutter
 * numbers); several calls below are shown without their continuation lines.
 */
1593 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1594 packet_info *pinfo, proto_tree *tree,
/* PAC size is displayed only here (NULL out-pointer); the PAC callback reads
 * its own size field before the data */
1599 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1600 hf_netlogon_pac_size, NULL);
1602 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1603 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
/* logon domain, logon server and principal name strings */
1605 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1606 hf_netlogon_logon_dom, 0);
1608 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1609 hf_netlogon_logon_srv, 0);
1611 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1612 hf_netlogon_principal, 0);
/* auth size is displayed only here; the AUTH callback reads its own size */
1614 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1615 hf_netlogon_auth_size, NULL);
1617 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1618 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
/* session key */
1620 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
/* NOTE(review): the IDL declares expansionroom[2] and expansionroom[7] around
 * useraccountcontrol; only one uint32 call is visible for each because the
 * surrounding lines are absent from this listing */
1624 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1625 hf_netlogon_unknown_long, NULL);
1627 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1631 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1632 hf_netlogon_unknown_long, NULL);
/* dummy1..dummy4 from the IDL, all shown under hf_netlogon_dummy */
1635 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1636 hf_netlogon_dummy, 0);
1638 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1639 hf_netlogon_dummy, 0);
1641 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1642 hf_netlogon_dummy, 0);
1644 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1645 hf_netlogon_dummy, 0);
1652 * IDL typedef [switch_type(short)] union {
1653 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1654 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1655 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1656 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
/*
 * Dissect the VALIDATION union: read the 16-bit validation level into
 * `level`, then dissect a unique pointer to the structure for that level.
 * NOTE(review): the lines that select on `level` are absent from this listing
 * (see the gaps in the gutter numbers); the IDL above lists cases 2-5, with
 * both PAC cases using the VALIDATION_PAC_INFO dissector.  The level is
 * peer-supplied, so confirm that values outside the listed cases fall through
 * without dissecting an arm.
 */
1660 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1661 packet_info *pinfo, proto_tree *tree,
1666 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1667 hf_netlogon_validation_level, &level);
1672 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1673 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1674 "VALIDATION_SAM_INFO:", -1);
1677 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1678 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1679 "VALIDATION_SAM_INFO2:", -1);
1682 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1683 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1684 "VALIDATION_PAC_INFO:", -1);
1687 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1688 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1689 "VALIDATION_PAC_INFO:", -1);
1698 * IDL long NetrLogonSamLogon(
1699 * IDL [in][unique][string] wchar_t *ServerName,
1700 * IDL [in][unique][string] wchar_t *Workstation,
1701 * IDL [in][unique] AUTHENTICATOR *credential,
1702 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1703 * IDL [in] short LogonLevel,
1704 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1705 * IDL [in] short ValidationLevel,
1706 * IDL [out][ref] VALIDATION *validation,
1707 * IDL [out][ref] boolean Authoritative
/*
 * Dissect a NetrLogonSamLogon request: server handle, computer name, the
 * credential and return authenticators, the logon level with its LEVEL
 * union, and the requested validation level.
 */
1711 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1712 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1714 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1717 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1718 NDR_POINTER_UNIQUE, "Computer Name",
1719 hf_netlogon_computer_name, 0);
/* both authenticators are unique pointers and may therefore be absent */
1721 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1722 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1723 "AUTHENTICATOR: credential", -1);
1725 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1726 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1727 "AUTHENTICATOR: return_authenticator", -1);
/* logon level (displayed only), then the LEVEL union itself */
1729 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1730 hf_netlogon_level16, NULL);
1732 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1733 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1734 "LEVEL: LogonLevel", -1);
/* validation level the caller asks the server to return */
1736 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1737 hf_netlogon_validation_level, NULL);
/*
 * Dissect a NetrLogonSamLogon reply: return authenticator, the VALIDATION
 * union, the one-byte authoritative flag and the NT status code.
 */
1743 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1744 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1746 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1747 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1748 "AUTHENTICATOR: return_authenticator", -1);
/* the validation data (account details, group RIDs, session key) is carried
 * behind this reference pointer */
1750 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1751 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1754 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1755 hf_netlogon_authoritative, NULL);
/* NT status of the call, shown as hf_netlogon_rc */
1757 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1758 hf_netlogon_rc, NULL);
1765 * IDL long NetrLogonSamLogoff(
1766 * IDL [in][unique][string] wchar_t *ServerName,
1767 * IDL [in][unique][string] wchar_t *ComputerName,
1768 * IDL [in][unique] AUTHENTICATOR credential,
1769 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1770 * IDL [in] short logon_level,
1771 * IDL [in][ref] LEVEL logoninformation
/*
 * Dissect a NetrLogonSamLogoff request: server handle, computer name, the
 * credential and return authenticators, the logon level and its LEVEL union.
 */
1775 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1776 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1778 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1781 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1782 NDR_POINTER_UNIQUE, "Computer Name",
1783 hf_netlogon_computer_name, 0);
/* both authenticators are unique pointers and may therefore be absent */
1785 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1786 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1787 "AUTHENTICATOR: credential", -1);
1789 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1790 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1791 "AUTHENTICATOR: return_authenticator", -1);
/* logon level (displayed only), then the LEVEL union itself */
1793 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1794 hf_netlogon_level16, NULL);
1796 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1797 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1798 "LEVEL: logoninformation", -1);
/*
 * Dissect a NetrLogonSamLogoff reply: the return authenticator followed by
 * the NT status code.
 */
1803 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1804 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1807 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1808 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1809 "AUTHENTICATOR: return_authenticator", -1);
/* NT status of the call, shown as hf_netlogon_rc */
1811 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1812 hf_netlogon_rc, NULL);
1819 * IDL long NetrServerReqChallenge(
1820 * IDL [in][unique][string] wchar_t *ServerName,
1821 * IDL [in][ref][string] wchar_t *ComputerName,
1822 * IDL [in][ref] CREDENTIAL client_credential,
1823 * IDL [out][ref] CREDENTIAL server_credential
/*
 * Dissect a NetrServerReqChallenge request: server handle, computer name and
 * the 8-byte client challenge (a CREDENTIAL).
 */
1827 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1828 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1830 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Computer name is dissected through the callback variant so that
 * cb_wstr_postprocess runs on the string afterwards.
 * NOTE(review): CB_STR_COL_INFO presumably asks for the string to be added
 * to the Info column; the meaning of the "| 1" is defined by the callback,
 * which is not part of this listing.
 */
1833 offset = dissect_ndr_pointer_cb(
1834 tvb, offset, pinfo, tree, drep,
1835 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1836 "Computer Name", hf_netlogon_computer_name,
1837 cb_wstr_postprocess,
1838 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
/* client challenge that starts the secure-channel handshake */
1840 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1841 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1842 "CREDENTIAL: client challenge", -1);
/*
 * Dissect a NetrServerReqChallenge reply: the server's CREDENTIAL followed by
 * the NT status code.
 */
1847 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1848 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1850 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1851 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1852 "CREDENTIAL: server credential", -1);
/* NT status of the call, shown as hf_netlogon_rc */
1854 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1855 hf_netlogon_rc, NULL);
/*
 * Dissect the 16-bit secure channel type and show it as
 * hf_netlogon_secure_channel_type.  The value is displayed only (NULL
 * out-pointer); nothing in the visible lines branches on it.
 */
1862 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1863 packet_info *pinfo, proto_tree *tree,
1866 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1867 hf_netlogon_secure_channel_type, NULL);
1874 * IDL long NetrServerAuthenticate(
1875 * IDL [in][unique][string] wchar_t *ServerName,
1876 * IDL [in][ref][string] wchar_t *UserName,
1877 * IDL [in] short secure_challenge_type,
1878 * IDL [in][ref][string] wchar_t *ComputerName,
1879 * IDL [in][ref] CREDENTIAL client_challenge,
1880 * IDL [out][ref] CREDENTIAL server_challenge
/*
 * Dissect a NetrServerAuthenticate request: server handle, account name,
 * secure channel type, computer name and the client CREDENTIAL.
 */
1884 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1885 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1887 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* account and computer names are passed CB_STR_COL_INFO, presumably so that
 * they also appear in the Info column */
1890 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1891 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO);
1893 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1896 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1897 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO);
/* client credential computed for this handshake */
1899 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1900 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1901 "CREDENTIAL: client challenge", -1);
/*
 * Dissect a NetrServerAuthenticate reply: the server CREDENTIAL followed by
 * the NT status code.
 */
1906 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
1907 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1909 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1910 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1911 "CREDENTIAL: server challenge", -1);
/* NT status of the call, shown as hf_netlogon_rc */
1913 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1914 hf_netlogon_rc, NULL);
1922 * IDL typedef struct {
1923 * IDL char encrypted_password[16];
1924 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Dissect an ENCRYPTED_LM_OWF_PASSWORD: adds the 16 bytes at `offset` to
 * `tree` as hf_netlogon_encrypted_lm_owf_password.  The length is the
 * constant 16 (matching encrypted_password[16] in the IDL above), not a value
 * taken from the packet.  The bytes are shown as captured; no decryption is
 * attempted in the visible lines.
 */
1927 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1928 packet_info *pinfo, proto_tree *tree,
1933 di=pinfo->private_data;
1934 if(di->conformant_run){
1935 /*just a run to handle conformant arrays, nothing to dissect.*/
1939 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1947 * IDL long NetrServerPasswordSet(
1948 * IDL [in][unique][string] wchar_t *ServerName,
1949 * IDL [in][ref][string] wchar_t *UserName,
1950 * IDL [in] short secure_challenge_type,
1951 * IDL [in][ref][string] wchar_t *ComputerName,
1952 * IDL [in][ref] AUTHENTICATOR credential,
1953 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1954 * IDL [out][ref] AUTHENTICATOR return_authenticator
/*
 * Dissect a NetrServerPasswordSet request: server handle, account name,
 * secure channel type, computer name, the caller's AUTHENTICATOR and the new
 * password as an ENCRYPTED_LM_OWF_PASSWORD.
 */
1958 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1959 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1961 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1964 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1965 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1967 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1970 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1971 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
/* authenticator proving the caller holds the secure-channel session */
1973 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1974 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1975 "AUTHENTICATOR: credential", -1);
/* 16-byte encrypted password hash being set for the account */
1977 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1978 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1979 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
/*
 * Dissect a NetrServerPasswordSet reply: the return authenticator followed by
 * the NT status code.
 */
1984 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
1985 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1987 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1988 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1989 "AUTHENTICATOR: return_authenticator", -1);
/* NT status of the call, shown as hf_netlogon_rc */
1991 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1992 hf_netlogon_rc, NULL);
1999 * IDL typedef struct {
2000 * IDL [unique][string] wchar_t *UserName;
2001 * IDL UNICODESTRING dummy1;
2002 * IDL UNICODESTRING dummy2;
2003 * IDL UNICODESTRING dummy3;
2004 * IDL UNICODESTRING dummy4;
2009 * IDL } DELTA_DELETE_USER;
/*
 * Dissect a DELTA_DELETE_USER record: the account name, four dummy counted
 * strings and four 32-bit reserved values.
 */
2012 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
2013 packet_info *pinfo, proto_tree *tree,
/* name of the account the delete delta applies to (unique pointer) */
2016 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
2017 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
/* dummy1..dummy4 from the IDL, all shown under hf_netlogon_dummy */
2019 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2020 hf_netlogon_dummy, 0);
2022 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2023 hf_netlogon_dummy, 0);
2025 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2026 hf_netlogon_dummy, 0);
2028 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2029 hf_netlogon_dummy, 0);
/* four reserved 32-bit values, displayed only */
2031 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2032 hf_netlogon_reserved, NULL);
2034 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2035 hf_netlogon_reserved, NULL);
2037 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2038 hf_netlogon_reserved, NULL);
2040 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2041 hf_netlogon_reserved, NULL);
2048 * IDL typedef struct {
2049 * IDL bool SensitiveDataFlag;
2050 * IDL long DataLength;
2051 * IDL [unique][size_is(DataLength)] char *SensitiveData;
2052 * IDL } USER_PRIVATE_INFO;
/*
 * Dissect the SensitiveData blob of USER_PRIVATE_INFO: a 32-bit length read
 * into data_len, followed by the data added as hf_netlogon_sensitive_data.
 * NOTE(review): the length argument of the add and whatever follows it are on
 * lines absent from this listing; presumably data_len is used as the item
 * length and then added to offset.  data_len comes straight from the packet,
 * so confirm the bytes are checked as present (Wireshark's epan offers
 * tvb_ensure_bytes_exist for this) before offset is advanced by it.
 */
2055 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
2056 packet_info *pinfo, proto_tree *tree,
2062 di=pinfo->private_data;
2063 if(di->conformant_run){
2064 /*just a run to handle conformant arrays, nothing to dissect */
/* length field: displayed and captured into data_len */
2068 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2069 hf_netlogon_sensitive_data_len, &data_len);
2071 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
/*
 * Dissect a USER_PRIVATE_INFO structure: the one-byte sensitive-data flag,
 * the 32-bit data length and a unique pointer to the data blob.
 */
2078 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
2079 packet_info *pinfo, proto_tree *tree,
2082 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2083 hf_netlogon_sensitive_data_flag, NULL);
/* length is displayed only here (NULL out-pointer); the blob callback reads
 * its own length field before the data */
2085 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2086 hf_netlogon_sensitive_data_len, NULL);
2088 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2089 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
2090 "SENSITIVE_DATA", -1);
2096 * IDL typedef struct {
2097 * IDL UNICODESTRING UserName;
2098 * IDL UNICODESTRING FullName;
2100 * IDL long PrimaryGroupID;
2101 * IDL UNICODESTRING HomeDir;
2102 * IDL UNICODESTRING HomeDirDrive;
2103 * IDL UNICODESTRING LogonScript;
2104 * IDL UNICODESTRING Comment;
2105 * IDL UNICODESTRING Workstations;
2106 * IDL NTTIME LastLogon;
2107 * IDL NTTIME LastLogoff;
2108 * IDL LOGON_HOURS logonhours;
2109 * IDL short BadPwCount;
2110 * IDL short LogonCount;
2111 * IDL NTTIME PwLastSet;
2112 * IDL NTTIME AccountExpires;
2113 * IDL long AccountControl;
2114 * IDL LM_OWF_PASSWORD lmpw;
2115 * IDL NT_OWF_PASSWORD ntpw;
2116 * IDL bool NTPwPresent;
2117 * IDL bool LMPwPresent;
2118 * IDL bool PwExpired;
2119 * IDL UNICODESTRING UserComment;
2120 * IDL UNICODESTRING Parameters;
2121 * IDL short CountryCode;
2122 * IDL short CodePage;
2123 * IDL USER_PRIVATE_INFO user_private_info;
2124 * IDL long SecurityInformation;
2125 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2126 * IDL UNICODESTRING dummy1;
2127 * IDL UNICODESTRING dummy2;
2128 * IDL UNICODESTRING dummy3;
2129 * IDL UNICODESTRING dummy4;
/*
 * Dissects one DELTA_USER record: each field of the IDL struct above is
 * consumed in declaration order, and `offset` is advanced by the helper
 * that handles it.
 *
 * Review notes:
 *  - This record carries credential material: the LM_OWF_PASSWORD and
 *    NT_OWF_PASSWORD fields and the USER_PRIVATE_INFO blob are dissected
 *    here, so captures and exported dissections containing it should be
 *    handled as sensitive data.
 *  - Every length and count is read from the packet by the called NDR
 *    helpers; no explicit bounds check is visible in this function.
 *  - NOTE(review): the return type, the `drep` parameter, the braces, the
 *    return statement and the trailing arguments of some calls are not
 *    visible in this listing; confirm them against the full file.
 */
2137 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
2138 packet_info *pinfo, proto_tree *tree,
/* Account name; the last argument is 3 here and 0 for the other strings
 * (presumably how many parent tree levels get the string appended; confirm
 * in packet-dcerpc-nt). */
2141 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2142 hf_netlogon_acct_name, 3);
2144 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2145 hf_netlogon_full_name, 0);
/* User RID followed by the primary group RID. */
2147 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2148 hf_netlogon_user_rid, NULL);
2150 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2151 hf_netlogon_group_rid, NULL);
/* Profile strings: home directory, drive, logon script, description,
 * permitted workstations. */
2153 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2154 hf_netlogon_home_dir, 0);
2156 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2157 hf_netlogon_dir_drive, 0);
2159 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2160 hf_netlogon_logon_script, 0);
2162 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2163 hf_netlogon_acct_desc, 0);
2165 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2166 hf_netlogon_workstations, 0);
/* Logon/logoff times, logon hours and the 16-bit counters. */
2168 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2169 hf_netlogon_logon_time);
2171 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2172 hf_netlogon_logoff_time);
2174 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
2176 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2177 hf_netlogon_bad_pw_count16, NULL);
2179 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2180 hf_netlogon_logon_count16, NULL);
2182 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2183 hf_netlogon_pwd_last_set_time);
2185 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2186 hf_netlogon_acct_expiry_time);
2188 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
/* Password-derived values (lmpw, ntpw in the IDL) and their presence and
 * expiry flags. The remaining arguments of the two OWF calls are not
 * visible in this listing. */
2190 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
2193 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
2196 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2197 hf_netlogon_nt_pwd_present, NULL);
2199 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2200 hf_netlogon_lm_pwd_present, NULL);
2202 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2203 hf_netlogon_pwd_expired, NULL);
2205 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2206 hf_netlogon_comment, 0);
2208 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2209 hf_netlogon_parameters, 0);
2211 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2212 hf_netlogon_country, NULL);
2214 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2215 hf_netlogon_codepage, NULL);
/* USER_PRIVATE_INFO, then the security information word and descriptor. */
2217 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
2220 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2221 hf_netlogon_security_information, NULL);
2223 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings (dummy1..dummy4 in the IDL), then four
 * reserved 32-bit values. */
2226 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2227 hf_netlogon_dummy, 0);
2229 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2230 hf_netlogon_dummy, 0);
2232 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2233 hf_netlogon_dummy, 0);
2235 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2236 hf_netlogon_dummy, 0);
2238 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2239 hf_netlogon_reserved, NULL);
2241 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2242 hf_netlogon_reserved, NULL);
2244 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2245 hf_netlogon_reserved, NULL);
2247 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2248 hf_netlogon_reserved, NULL);
2255 * IDL typedef struct {
2256 * IDL UNICODESTRING DomainName;
2257 * IDL UNICODESTRING OEMInfo;
2258 * IDL NTTIME forcedlogoff;
2259 * IDL short minpasswdlen;
2260 * IDL short passwdhistorylen;
2261 * IDL NTTIME pwd_must_change_time;
2262 * IDL NTTIME pwd_can_change_time;
2263 * IDL NTTIME domain_modify_time;
2264 * IDL NTTIME domain_create_time;
2265 * IDL long SecurityInformation;
2266 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2267 * IDL UNICODESTRING dummy1;
2268 * IDL UNICODESTRING dummy2;
2269 * IDL UNICODESTRING dummy3;
2270 * IDL UNICODESTRING dummy4;
2275 * IDL } DELTA_DOMAIN;
/*
 * Dissects one DELTA_DOMAIN record in the field order of the IDL above:
 * domain name, OEM info, forced-logoff time, password-policy values
 * (minimum length, history length, must-change and can-change times),
 * domain modify/create times, security information and descriptor, then
 * the placeholder strings and reserved words.
 *
 * The IDL field `forcedlogoff` is displayed through
 * hf_netlogon_kickoff_time.
 * NOTE(review): the return type, the `drep` parameter, the braces and the
 * return statement are not visible in this listing; confirm against the
 * full file.
 */
2278 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
2279 packet_info *pinfo, proto_tree *tree,
2282 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2283 hf_netlogon_domain_name, 3);
2285 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2286 hf_netlogon_oem_info, 0);
2288 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2289 hf_netlogon_kickoff_time);
/* Domain password policy as replicated to the peer. */
2291 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2292 hf_netlogon_minpasswdlen, NULL);
2294 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2295 hf_netlogon_passwdhistorylen, NULL);
2297 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2298 hf_netlogon_pwd_must_change_time);
2300 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2301 hf_netlogon_pwd_can_change_time);
2303 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2304 hf_netlogon_domain_modify_time);
2306 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2307 hf_netlogon_domain_create_time);
2309 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2310 hf_netlogon_security_information, NULL);
/* The remaining arguments of the descriptor call are not visible here. */
2312 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
2315 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2316 hf_netlogon_dummy, 0);
2318 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2319 hf_netlogon_dummy, 0);
2321 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2322 hf_netlogon_dummy, 0);
2324 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2325 hf_netlogon_dummy, 0);
2327 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2328 hf_netlogon_reserved, NULL);
2330 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2331 hf_netlogon_reserved, NULL);
2333 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2334 hf_netlogon_reserved, NULL);
2336 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2337 hf_netlogon_reserved, NULL);
2344 * IDL typedef struct {
2345 * IDL UNICODESTRING groupname;
2346 * IDL GROUP_MEMBERSHIP group_membership;
2347 * IDL UNICODESTRING comment;
2348 * IDL long SecurityInformation;
2349 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2350 * IDL UNICODESTRING dummy1;
2351 * IDL UNICODESTRING dummy2;
2352 * IDL UNICODESTRING dummy3;
2353 * IDL UNICODESTRING dummy4;
2358 * IDL } DELTA_GROUP;
/*
 * Dissects one DELTA_GROUP record in the field order of the IDL above:
 * group name, GROUP_MEMBERSHIP, description, security information and
 * descriptor, then the placeholder strings and reserved words.
 *
 * NOTE(review): the return type, the `drep` parameter, the braces, the
 * return statement and the trailing arguments of the GROUP_MEMBERSHIP and
 * security-descriptor calls are not visible in this listing.
 */
2361 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
2362 packet_info *pinfo, proto_tree *tree,
2365 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2366 hf_netlogon_group_name, 3);
2368 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
2371 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2372 hf_netlogon_group_desc, 0);
2374 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2375 hf_netlogon_security_information, NULL);
2377 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
2380 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2381 hf_netlogon_dummy, 0);
2383 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2384 hf_netlogon_dummy, 0);
2386 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2387 hf_netlogon_dummy, 0);
2389 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2390 hf_netlogon_dummy, 0);
2392 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2393 hf_netlogon_reserved, NULL);
2395 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2396 hf_netlogon_reserved, NULL);
2398 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2399 hf_netlogon_reserved, NULL);
2401 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2402 hf_netlogon_reserved, NULL);
2409 * IDL typedef struct {
2410 * IDL UNICODESTRING OldName;
2411 * IDL UNICODESTRING NewName;
2412 * IDL UNICODESTRING dummy1;
2413 * IDL UNICODESTRING dummy2;
2414 * IDL UNICODESTRING dummy3;
2415 * IDL UNICODESTRING dummy4;
2420 * IDL } DELTA_RENAME;
/*
 * Dissects one DELTA_RENAME record: OldName, NewName, four placeholder
 * strings and four reserved 32-bit values (IDL above).
 *
 * The same callback serves the rename-group, rename-user and rename-alias
 * arms of netlogon_dissect_DELTA_UNION, each of which passes a different
 * hf index to dissect_ndr_pointer.
 *
 * NOTE(review): `di` is taken from pinfo->private_data with no visible
 * NULL check, and the hf argument of the two name strings is on lines not
 * shown in this listing (presumably di->hf_index, so the caller's hf
 * labels both names); confirm against the full file. The return type,
 * the `drep` parameter, the declaration of `di`, the braces and the return
 * statement are not visible either.
 */
2423 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2424 packet_info *pinfo, proto_tree *tree,
/* Per-call DCE/RPC state handed over by the caller. */
2429 di=pinfo->private_data;
/* OldName, then NewName. */
2431 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2434 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
2437 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2438 hf_netlogon_dummy, 0);
2440 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2441 hf_netlogon_dummy, 0);
2443 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2444 hf_netlogon_dummy, 0);
2446 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2447 hf_netlogon_dummy, 0);
2449 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2450 hf_netlogon_reserved, NULL);
2452 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2453 hf_netlogon_reserved, NULL);
2455 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2456 hf_netlogon_reserved, NULL);
2458 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2459 hf_netlogon_reserved, NULL);
/*
 * Array-element callback: dissects one 32-bit RID as hf_netlogon_user_rid.
 * Passed to dissect_ndr_ucarray by netlogon_dissect_RID_array.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2466 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2467 packet_info *pinfo, proto_tree *tree,
2470 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2471 hf_netlogon_user_rid, NULL);
/*
 * Dissects the referent of DELTA_GROUP_MEMBER.rids: an array of RIDs,
 * one netlogon_dissect_RID call per element via dissect_ndr_ucarray.
 * The element count is not read in this function; presumably
 * dissect_ndr_ucarray takes it from the packet, so it is untrusted input
 * (confirm how that helper bounds it).
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2477 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2478 packet_info *pinfo, proto_tree *tree,
2481 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2482 netlogon_dissect_RID);
/*
 * Array-element callback: dissects one 32-bit attribute word as
 * hf_netlogon_attrs. Passed to dissect_ndr_ucarray by
 * netlogon_dissect_ATTRIB_array.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2488 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2489 packet_info *pinfo, proto_tree *tree,
2492 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2493 hf_netlogon_attrs, NULL);
/*
 * Dissects the referent of DELTA_GROUP_MEMBER.attribs: an array of
 * attribute words, one netlogon_dissect_ATTRIB call per element via
 * dissect_ndr_ucarray. The element count is not read here; presumably the
 * helper takes it from the packet (untrusted; confirm its bounds handling).
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2499 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2500 packet_info *pinfo, proto_tree *tree,
2503 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2504 netlogon_dissect_ATTRIB);
2510 * IDL typedef struct {
2511 * IDL [unique][size_is(num_rids)] long *rids;
2512 * IDL [unique][size_is(num_rids)] long *attribs;
2513 * IDL long num_rids;
2518 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissects one DELTA_GROUP_MEMBER record: unique pointers to the RID and
 * attribute arrays, the num_rids count, then four reserved 32-bit values.
 *
 * num_rids is dissected with a NULL output pointer, so this function does
 * not capture it and cannot cross-check it against the array lengths; the
 * arrays are sized by whatever dissect_ndr_ucarray reads for them.
 * NOTE(review): the label/hf arguments of the two pointer calls, the
 * return type, the `drep` parameter, the braces and the return statement
 * are not visible in this listing.
 */
2521 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2522 packet_info *pinfo, proto_tree *tree,
2525 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2526 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2529 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2530 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2533 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2534 hf_netlogon_num_rids, NULL);
/* Four reserved 32-bit values. */
2536 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2537 hf_netlogon_reserved, NULL);
2539 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2540 hf_netlogon_reserved, NULL);
2542 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2543 hf_netlogon_reserved, NULL);
2545 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2546 hf_netlogon_reserved, NULL);
2553 * IDL typedef struct {
2554 * IDL UNICODESTRING alias_name;
2556 * IDL long SecurityInformation;
2557 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2558 * IDL UNICODESTRING dummy1;
2559 * IDL UNICODESTRING dummy2;
2560 * IDL UNICODESTRING dummy3;
2561 * IDL UNICODESTRING dummy4;
2566 * IDL } DELTA_ALIAS;
/*
 * Dissects one DELTA_ALIAS record: alias name, alias RID, security
 * information and descriptor, then four placeholder strings and four
 * reserved 32-bit values.
 *
 * NOTE(review): the return type, the `drep` parameter, the braces, the
 * return statement and the trailing arguments of the security-descriptor
 * call are not visible in this listing.
 */
2569 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2570 packet_info *pinfo, proto_tree *tree,
2573 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2574 hf_netlogon_alias_name, 0);
2576 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2577 hf_netlogon_alias_rid, NULL);
2579 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2580 hf_netlogon_security_information, NULL);
2582 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
2585 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2586 hf_netlogon_dummy, 0);
2588 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2589 hf_netlogon_dummy, 0);
2591 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2592 hf_netlogon_dummy, 0);
2594 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2595 hf_netlogon_dummy, 0);
2597 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2598 hf_netlogon_reserved, NULL);
2600 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2601 hf_netlogon_reserved, NULL);
2603 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2604 hf_netlogon_reserved, NULL);
2606 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2607 hf_netlogon_reserved, NULL);
2614 * IDL typedef struct {
2615 * IDL [unique] SID_ARRAY sids;
2620 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissects one DELTA_ALIAS_MEMBER record: the SID array (handled entirely
 * by dissect_ndr_nt_PSID_ARRAY) followed by four reserved 32-bit values.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2623 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2624 packet_info *pinfo, proto_tree *tree,
2627 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2629 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2630 hf_netlogon_reserved, NULL);
2632 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2633 hf_netlogon_reserved, NULL);
2635 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2636 hf_netlogon_reserved, NULL);
2638 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2639 hf_netlogon_reserved, NULL);
/*
 * Array-element callback: dissects one 32-bit event audit option as
 * hf_netlogon_event_audit_option. Passed to dissect_ndr_ucarray by
 * netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2646 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2647 packet_info *pinfo, proto_tree *tree,
2650 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2651 hf_netlogon_event_audit_option, NULL);
/*
 * Dissects the referent of DELTA_POLICY.eventauditoptions: an array of
 * audit option words, one netlogon_dissect_EVENT_AUDIT_OPTION call per
 * element via dissect_ndr_ucarray. The element count is not read here;
 * presumably the helper takes it from the packet (untrusted; confirm its
 * bounds handling).
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2657 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2658 packet_info *pinfo, proto_tree *tree,
2661 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2662 netlogon_dissect_EVENT_AUDIT_OPTION);
2669 * IDL typedef struct {
2670 * IDL long pagedpoollimit;
2671 * IDL long nonpagedpoollimit;
2672 * IDL long minimumworkingsetsize;
2673 * IDL long maximumworkingsetsize;
2674 * IDL long pagefilelimit;
2675 * IDL NTTIME timelimit;
2676 * IDL } QUOTA_LIMITS;
/*
 * Dissects one QUOTA_LIMITS structure (IDL above) into its own subtree
 * under parent_tree: five 32-bit limits followed by an NTTIME time limit.
 *
 * The subtree item is created with length 0 and resized at the end to the
 * number of bytes actually consumed (offset - old_offset).
 * NOTE(review): `item` and `tree` start as NULL and any guard around the
 * subtree creation is on lines not shown here; the label text passed to
 * proto_tree_add_text, the return type, the `drep` parameter, the braces
 * and the return statement are not visible either.
 */
2679 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2680 packet_info *pinfo, proto_tree *parent_tree,
2683 proto_item *item=NULL;
2684 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up afterwards. */
2685 int old_offset=offset;
2688 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2690 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2693 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2694 hf_netlogon_pagedpoollimit, NULL);
2696 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2697 hf_netlogon_nonpagedpoollimit, NULL);
2699 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2700 hf_netlogon_minworkingsetsize, NULL);
2702 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2703 hf_netlogon_maxworkingsetsize, NULL);
2705 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2706 hf_netlogon_pagefilelimit, NULL);
2708 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2709 hf_netlogon_timelimit);
2711 proto_item_set_len(item, offset-old_offset);
2717 * IDL typedef struct {
2718 * IDL long maxlogsize;
2719 * IDL NTTIME auditretentionperiod;
2720 * IDL bool auditingmode;
2721 * IDL long maxauditeventcount;
2722 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2723 * IDL UNICODESTRING primarydomainname;
2724 * IDL [unique] SID *sid;
2725 * IDL QUOTA_LIMITS quota_limits;
2726 * IDL NTTIME db_modify_time;
2727 * IDL NTTIME db_create_time;
2728 * IDL long SecurityInformation;
2729 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2730 * IDL UNICODESTRING dummy1;
2731 * IDL UNICODESTRING dummy2;
2732 * IDL UNICODESTRING dummy3;
2733 * IDL UNICODESTRING dummy4;
2738 * IDL } DELTA_POLICY;
/*
 * Dissects one DELTA_POLICY record in the field order of the IDL above:
 * audit log settings, the event audit options array, primary domain name
 * and SID, quota limits, database modify/create times, security
 * information and descriptor, then the placeholder strings and reserved
 * words.
 *
 * max_audit_event_count is dissected with a NULL output pointer, so this
 * function does not capture it; the options array is sized by whatever
 * dissect_ndr_ucarray reads for it.
 * NOTE(review): the return type, the `drep` parameter, the braces, the
 * return statement and the trailing arguments of the QUOTA_LIMITS and
 * security-descriptor calls are not visible in this listing.
 */
2741 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2742 packet_info *pinfo, proto_tree *tree,
/* Audit log configuration. */
2745 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2746 hf_netlogon_max_log_size, NULL);
2748 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2749 hf_netlogon_audit_retention_period);
2751 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2752 hf_netlogon_auditing_mode, NULL);
2754 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2755 hf_netlogon_max_audit_event_count, NULL);
2757 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2758 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2759 "Event Audit Options:", -1);
/* Primary domain name and SID. */
2761 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2762 hf_netlogon_domain_name, 0);
2764 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
2766 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2769 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2770 hf_netlogon_db_modify_time);
2772 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2773 hf_netlogon_db_create_time);
2775 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2776 hf_netlogon_security_information, NULL);
2778 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
2781 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2782 hf_netlogon_dummy, 0);
2784 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2785 hf_netlogon_dummy, 0);
2787 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2788 hf_netlogon_dummy, 0);
2790 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2791 hf_netlogon_dummy, 0);
2793 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2794 hf_netlogon_reserved, NULL);
2796 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2797 hf_netlogon_reserved, NULL);
2799 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2800 hf_netlogon_reserved, NULL);
2802 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2803 hf_netlogon_reserved, NULL);
/*
 * Array-element callback: dissects one counted string as
 * hf_netlogon_dc_name. Passed to dissect_ndr_ucarray by
 * netlogon_dissect_CONTROLLER_ARRAY.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2810 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2811 packet_info *pinfo, proto_tree *tree,
2814 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2815 hf_netlogon_dc_name, 0);
/*
 * Dissects the referent of DELTA_TRUSTED_DOMAINS.controller_names: an
 * array of controller names, one netlogon_dissect_CONTROLLER call per
 * element via dissect_ndr_ucarray. The element count is not read here;
 * presumably the helper takes it from the packet (untrusted; confirm its
 * bounds handling).
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2821 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2822 packet_info *pinfo, proto_tree *tree,
2825 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2826 netlogon_dissect_CONTROLLER);
2833 * IDL typedef struct {
2834 * IDL UNICODESTRING DomainName;
2835 * IDL long num_controllers;
2836 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2837 * IDL long SecurityInformation;
2838 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2839 * IDL UNICODESTRING dummy1;
2840 * IDL UNICODESTRING dummy2;
2841 * IDL UNICODESTRING dummy3;
2842 * IDL UNICODESTRING dummy4;
2847 * IDL } DELTA_TRUSTED_DOMAINS;
/*
 * Dissects one DELTA_TRUSTED_DOMAINS record in the field order of the IDL
 * above: domain name, controller count, unique pointer to the controller
 * name array, security information and descriptor, then the placeholder
 * strings and reserved words.
 *
 * num_controllers is dissected with a NULL output pointer, so it is not
 * captured or compared with the array length in this function.
 * NOTE(review): the return type, the `drep` parameter, the braces, the
 * return statement and the trailing arguments of the security-descriptor
 * call are not visible in this listing.
 */
2850 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2851 packet_info *pinfo, proto_tree *tree,
2854 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2855 hf_netlogon_domain_name, 0);
2857 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2858 hf_netlogon_num_controllers, NULL);
2860 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2861 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2862 "Domain Controllers:", -1);
2864 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2865 hf_netlogon_security_information, NULL);
2867 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
2870 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2871 hf_netlogon_dummy, 0);
2873 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2874 hf_netlogon_dummy, 0);
2876 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2877 hf_netlogon_dummy, 0);
2879 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2880 hf_netlogon_dummy, 0);
2882 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2883 hf_netlogon_reserved, NULL);
2885 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2886 hf_netlogon_reserved, NULL);
2888 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2889 hf_netlogon_reserved, NULL);
2891 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2892 hf_netlogon_reserved, NULL);
/*
 * Array-element callback: dissects one 32-bit privilege attribute word as
 * hf_netlogon_attrs. Passed to dissect_ndr_ucarray by
 * netlogon_dissect_PRIV_ATTR_ARRAY.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2899 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2900 packet_info *pinfo, proto_tree *tree,
2903 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2904 hf_netlogon_attrs, NULL);
/*
 * Dissects the referent of DELTA_ACCOUNTS.privilege_attrib: an array of
 * attribute words, one netlogon_dissect_PRIV_ATTR call per element via
 * dissect_ndr_ucarray. The element count is not read here; presumably the
 * helper takes it from the packet (untrusted; confirm its bounds handling).
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2910 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2911 packet_info *pinfo, proto_tree *tree,
2914 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2915 netlogon_dissect_PRIV_ATTR);
/*
 * Array-element callback: dissects one counted string as
 * hf_netlogon_privilege_name (last argument 1, unlike the 0 or 3 used by
 * the other counted strings in this file section). Passed to
 * dissect_ndr_ucarray by netlogon_dissect_PRIV_NAME_ARRAY.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2921 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2922 packet_info *pinfo, proto_tree *tree,
2925 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2926 hf_netlogon_privilege_name, 1);
/*
 * Dissects the referent of DELTA_ACCOUNTS.privilege_name: an array of
 * privilege names, one netlogon_dissect_PRIV_NAME call per element via
 * dissect_ndr_ucarray. The element count is not read here; presumably the
 * helper takes it from the packet (untrusted; confirm its bounds handling).
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
2932 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2933 packet_info *pinfo, proto_tree *tree,
2936 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2937 netlogon_dissect_PRIV_NAME);
2945 * IDL typedef struct {
2946 * IDL long privilegeentries;
2947 * IDL long privilegecontrol;
2948 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2949 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2950 * IDL QUOTALIMITS quotalimits;
2951 * IDL long SecurityInformation;
2952 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2953 * IDL UNICODESTRING dummy1;
2954 * IDL UNICODESTRING dummy2;
2955 * IDL UNICODESTRING dummy3;
2956 * IDL UNICODESTRING dummy4;
2961 * IDL } DELTA_ACCOUNTS;
/*
 * Dissects one DELTA_ACCOUNTS record: privilege entry count and control
 * word, unique pointers to the privilege attribute and name arrays, quota
 * limits, a system-flags word, security information and descriptor, then
 * the placeholder strings and reserved words.
 *
 * The code dissects a 32-bit hf_netlogon_systemflags between the quota
 * limits and SecurityInformation; the IDL comment above lists no field at
 * that position, so the comment and the code disagree there.
 * privilege_entries is dissected with a NULL output pointer, so it is not
 * captured or compared with either array length in this function.
 * NOTE(review): the return type, the `drep` parameter, the braces, the
 * return statement and the trailing arguments of the QUOTA_LIMITS and
 * security-descriptor calls are not visible in this listing.
 */
2964 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2965 packet_info *pinfo, proto_tree *tree,
2968 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2969 hf_netlogon_privilege_entries, NULL);
2971 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2972 hf_netlogon_privilege_control, NULL);
2974 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2975 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2976 "PRIV_ATTR_ARRAY:", -1);
2978 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2979 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2980 "PRIV_NAME_ARRAY:", -1);
2982 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
/* Not listed in the IDL comment above. */
2985 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2986 hf_netlogon_systemflags, NULL);
2988 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2989 hf_netlogon_security_information, NULL);
2991 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
2994 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2995 hf_netlogon_dummy, 0);
2997 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2998 hf_netlogon_dummy, 0);
3000 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3001 hf_netlogon_dummy, 0);
3003 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3004 hf_netlogon_dummy, 0);
3006 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3007 hf_netlogon_reserved, NULL);
3009 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3010 hf_netlogon_reserved, NULL);
3012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3013 hf_netlogon_reserved, NULL);
3015 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3016 hf_netlogon_reserved, NULL);
3022 * IDL typedef struct {
3025 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
3026 * IDL } CIPHER_VALUE;
/*
 * Dissects the referent of CIPHER_VALUE.cipher_data: the array's maximum
 * length, its actual length (captured in data_len), then the cipher bytes
 * themselves, added to the tree under the hf index the caller left in
 * di->hf_index.
 *
 * Review notes:
 *  - data_len is read directly from the packet, so it is attacker
 *    controlled. NOTE(review): the length argument of proto_tree_add_item
 *    and any later advance of `offset` are on lines not shown in this
 *    listing; confirm that data_len is validated against the bytes left in
 *    tvb even when `tree` is NULL, and that adding it to the signed
 *    `offset` cannot wrap.
 *  - `di` is taken from pinfo->private_data with no visible NULL check.
 *  - NOTE(review): the return type, the `drep` parameter, the declarations
 *    of `di` and `data_len`, the body of the conformant_run branch, the
 *    braces and the return statement are not visible in this listing.
 */
3029 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
3030 packet_info *pinfo, proto_tree *tree,
3036 di=pinfo->private_data;
3037 if(di->conformant_run){
3038 /*just a run to handle conformant arrays, nothing to dissect */
3042 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3043 hf_netlogon_cipher_maxlen, NULL);
/* Actual byte count of the cipher data; the only value kept for later use. */
3048 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3049 hf_netlogon_cipher_len, &data_len);
3051 proto_tree_add_item(tree, di->hf_index, tvb, offset,
/*
 * Dissects one CIPHER_VALUE structure into its own subtree under
 * parent_tree: length, maximum length, then a unique pointer whose
 * referent is handled by netlogon_dissect_CIPHER_VALUE_DATA.
 *
 * Parameters beyond the usual dissector set:
 *   name     - label supplied by the caller (netlogon_dissect_DELTA_SECRET
 *              passes string literals). Its use is on lines not shown in
 *              this listing.
 *   hf_index - hf of the cipher bytes; presumably forwarded through
 *              dissect_ndr_pointer so the data callback sees it as
 *              di->hf_index (confirm).
 *
 * NOTE(review): proto_tree_add_text takes a printf-style format. If `name`
 * is passed as that format argument, passing "%s", name instead would keep
 * a future non-literal caller from injecting format directives.
 * NOTE(review): the return type, the braces, the return statement and the
 * trailing arguments of proto_tree_add_text and dissect_ndr_pointer are
 * not visible in this listing.
 */
3058 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
3059 packet_info *pinfo, proto_tree *parent_tree,
3060 guint8 *drep, char *name, int hf_index)
3062 proto_item *item=NULL;
3063 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up afterwards. */
3064 int old_offset=offset;
3067 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3069 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
3072 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3073 hf_netlogon_cipher_len, NULL);
3075 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3076 hf_netlogon_cipher_maxlen, NULL);
3078 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3079 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
3082 proto_item_set_len(item, offset-old_offset);
3087 * IDL typedef struct {
3088 * IDL CIPHER_VALUE current_cipher;
3089 * IDL NTTIME current_cipher_set_time;
3090 * IDL CIPHER_VALUE old_cipher;
3091 * IDL NTTIME old_cipher_set_time;
3092 * IDL long SecurityInformation;
3093 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3094 * IDL UNICODESTRING dummy1;
3095 * IDL UNICODESTRING dummy2;
3096 * IDL UNICODESTRING dummy3;
3097 * IDL UNICODESTRING dummy4;
3102 * IDL } DELTA_SECRET;
/*
 * Dissects one DELTA_SECRET record in the field order of the IDL above:
 * current cipher value and its set time, old cipher value and its set
 * time, security information and descriptor, then the placeholder strings
 * and reserved words.
 *
 * Review notes:
 *  - Both cipher values are dissected as raw bytes under
 *    hf_netlogon_cipher_current_data / hf_netlogon_cipher_old_data, so
 *    captures containing this record hold secret material in whatever form
 *    it has on the wire; handle such captures as sensitive data.
 *  - NOTE(review): the return type, the `drep` parameter, the braces, the
 *    return statement and the middle arguments of the CIPHER_VALUE and
 *    security-descriptor calls are not visible in this listing.
 */
3105 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
3106 packet_info *pinfo, proto_tree *tree,
3109 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3111 "CIPHER_VALUE: current cipher value",
3112 hf_netlogon_cipher_current_data);
3114 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3115 hf_netlogon_cipher_current_set_time);
3117 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
3119 "CIPHER_VALUE: old cipher value",
3120 hf_netlogon_cipher_old_data);
3122 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
3123 hf_netlogon_cipher_old_set_time);
3125 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3126 hf_netlogon_security_information, NULL);
3128 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* Trailer: four placeholder strings, then four reserved 32-bit values. */
3131 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3132 hf_netlogon_dummy, 0);
3134 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3135 hf_netlogon_dummy, 0);
3137 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3138 hf_netlogon_dummy, 0);
3140 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
3141 hf_netlogon_dummy, 0);
3143 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3144 hf_netlogon_reserved, NULL);
3146 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3147 hf_netlogon_reserved, NULL);
3149 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3150 hf_netlogon_reserved, NULL);
3152 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3153 hf_netlogon_reserved, NULL);
3159 * IDL typedef struct {
3160 * IDL long low_value;
3161 * IDL long high_value;
/*
 * Dissects a MODIFIED_COUNT as a single 64-bit value
 * (hf_netlogon_modify_count).
 *
 * NOTE(review): the IDL above declares two longs (low_value, high_value)
 * while the code reads one 64-bit integer. If dissect_ndr_uint64 aligns
 * `offset` to 8 bytes, that differs from the 4-byte alignment of two
 * longs and could shift every following field; confirm which alignment
 * the wire format uses.
 * NOTE(review): return type, `drep` parameter, braces and return statement
 * are not visible in this listing.
 */
3165 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
3166 packet_info *pinfo, proto_tree *tree,
3169 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
3170 hf_netlogon_modify_count, NULL);
/*
 * Delta type codes. The values 1..22 are the case numbers of the
 * DELTA_UNION IDL that follows; the value is read from the packet as the
 * 16-bit union discriminant (hf_netlogon_delta_type).
 */
3176 #define DT_DELTA_DOMAIN 1
3177 #define DT_DELTA_GROUP 2
3178 #define DT_DELTA_DELETE_GROUP 3
3179 #define DT_DELTA_RENAME_GROUP 4
3180 #define DT_DELTA_USER 5
3181 #define DT_DELTA_DELETE_USER 6
3182 #define DT_DELTA_RENAME_USER 7
3183 #define DT_DELTA_GROUP_MEMBER 8
3184 #define DT_DELTA_ALIAS 9
3185 #define DT_DELTA_DELETE_ALIAS 10
3186 #define DT_DELTA_RENAME_ALIAS 11
3187 #define DT_DELTA_ALIAS_MEMBER 12
3188 #define DT_DELTA_POLICY 13
3189 #define DT_DELTA_TRUSTED_DOMAINS 14
3190 #define DT_DELTA_DELETE_TRUST 15
3191 #define DT_DELTA_ACCOUNTS 16
3192 #define DT_DELTA_DELETE_ACCOUNT 17
3193 #define DT_DELTA_SECRET 18
3194 #define DT_DELTA_DELETE_SECRET 19
3195 #define DT_DELTA_DELETE_GROUP2 20
3196 #define DT_DELTA_DELETE_USER2 21
3197 #define DT_MODIFIED_COUNT 22
/*
 * Display names for the delta type codes, one entry per code above.
 * NOTE(review): the table's last entry and closing brace are not visible
 * in this listing; value_string tables are presumably expected to end
 * with a {0, NULL} sentinel, so confirm it is present in the full file.
 */
3198 static const value_string delta_type_vals[] = {
3199 { DT_DELTA_DOMAIN, "Domain" },
3200 { DT_DELTA_GROUP, "Group" },
3201 { DT_DELTA_DELETE_GROUP, "Delete Group" },
3202 { DT_DELTA_RENAME_GROUP, "Rename Group" },
3203 { DT_DELTA_USER, "User" },
3204 { DT_DELTA_DELETE_USER, "Delete User" },
3205 { DT_DELTA_RENAME_USER, "Rename User" },
3206 { DT_DELTA_GROUP_MEMBER, "Group Member" },
3207 { DT_DELTA_ALIAS, "Alias" },
3208 { DT_DELTA_DELETE_ALIAS, "Delete Alias" },
3209 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
3210 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
3211 { DT_DELTA_POLICY, "Policy" },
3212 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
3213 { DT_DELTA_DELETE_TRUST, "Delete Trust" },
3214 { DT_DELTA_ACCOUNTS, "Accounts" },
3215 { DT_DELTA_DELETE_ACCOUNT, "Delete Account" },
3216 { DT_DELTA_SECRET, "Secret" },
3217 { DT_DELTA_DELETE_SECRET, "Delete Secret" },
3218 { DT_DELTA_DELETE_GROUP2, "Delete Group2" },
3219 { DT_DELTA_DELETE_USER2, "Delete User2" },
3220 { DT_MODIFIED_COUNT, "Modified Count" },
3224 * IDL typedef [switch_type(short)] union {
3225 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
3226 * IDL [case(2)][unique] DELTA_GROUP *group;
3227 * IDL [case(3)][unique] rid only ;
3228 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
3229 * IDL [case(5)][unique] DELTA_USER *user;
3230 * IDL [case(6)][unique] rid only ;
3231 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
3232 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
3233 * IDL [case(9)][unique] DELTA_ALIAS *alias;
3234 * IDL [case(10)][unique] rid only ;
3235 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
3236 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
3237 * IDL [case(13)][unique] DELTA_POLICY *policy;
3238 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
3239 * IDL [case(15)][unique] PSID ;
3240 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
3241 * IDL [case(17)][unique] PSID ;
3242 * IDL [case(18)][unique] DELTA_SECRET *secret;
3243 * IDL [case(19)][unique] string;
3244 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
3245 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
3246 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
3247 * IDL } DELTA_UNION;
/*
 * Dissects one DELTA_UNION into its own subtree under parent_tree: the
 * 16-bit discriminant is read into `level`, then the arm it selects is
 * dissected as a unique pointer whose referent is handled by the matching
 * netlogon_dissect_DELTA_* callback. The subtree item is created with
 * length 0 and resized at the end to the bytes consumed.
 *
 * Review notes:
 *  - `level` comes straight from the packet. NOTE(review): the switch and
 *    case lines are not visible in this listing; confirm that an unknown
 *    discriminant selects no arm and consumes no further data.
 *  - Sixteen arms are visible. IDL cases 3, 6 and 10 ("rid only"), 15 and
 *    17 (PSID) and 19 (string) have no pointer call among the visible
 *    lines.
 *  - The three rename arms share netlogon_dissect_DELTA_RENAME and differ
 *    only in the label and the hf index passed as the last argument.
 *  - The arm labelled "DELTA_DELETE_GROUP:" uses
 *    netlogon_dissect_DELTA_DELETE_USER as its callback, the same one as
 *    the "DELTA_DELETE_USER:" arm.
 *  - NOTE(review): the return type, the `drep` parameter, the declaration
 *    of `level`, the label text of proto_tree_add_text, the braces and the
 *    return statement are not visible in this listing.
 */
3250 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
3251 packet_info *pinfo, proto_tree *parent_tree,
3254 proto_item *item=NULL;
3255 proto_tree *tree=NULL;
/* Remember the start so the item length can be fixed up afterwards. */
3256 int old_offset=offset;
3260 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3262 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
/* Union discriminant: one of the DT_* delta type codes. */
3265 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3266 hf_netlogon_delta_type, &level);
3271 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3272 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
3273 "DELTA_DOMAIN:", -1);
3276 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3277 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
3278 "DELTA_GROUP:", -1);
3281 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3282 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3283 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
3286 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3287 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
3291 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3292 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3293 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
3296 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3297 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
3298 "DELTA_GROUP_MEMBER:", -1);
3301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3302 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
3303 "DELTA_ALIAS:", -1);
3306 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3307 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3308 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
3311 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3312 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
3313 "DELTA_ALIAS_MEMBER:", -1);
3316 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3317 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
3318 "DELTA_POLICY:", -1);
3321 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3322 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
3323 "DELTA_TRUSTED_DOMAINS:", -1);
3326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3327 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
3328 "DELTA_ACCOUNTS:", -1);
3331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3332 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
3333 "DELTA_SECRET:", -1);
3336 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3337 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3338 "DELTA_DELETE_GROUP:", -1);
3341 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3342 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3343 "DELTA_DELETE_USER:", -1);
3346 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3347 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
3348 "MODIFIED_COUNT:", -1);
3352 proto_item_set_len(item, offset-old_offset);
3358 /* IDL XXX must verify this one, especially 13-19
3359 * IDL typedef [switch_type(short)] union {
3360 * IDL [case(1)] long rid;
3361 * IDL [case(2)] long rid;
3362 * IDL [case(3)] long rid;
3363 * IDL [case(4)] long rid;
3364 * IDL [case(5)] long rid;
3365 * IDL [case(6)] long rid;
3366 * IDL [case(7)] long rid;
3367 * IDL [case(8)] long rid;
3368 * IDL [case(9)] long rid;
3369 * IDL [case(10)] long rid;
3370 * IDL [case(11)] long rid;
3371 * IDL [case(12)] long rid;
3372 * IDL [case(13)] [unique] SID *sid;
3373 * IDL [case(14)] [unique] SID *sid;
3374 * IDL [case(15)] [unique] SID *sid;
3375 * IDL [case(16)] [unique] SID *sid;
3376 * IDL [case(17)] [unique] SID *sid;
3377 * IDL [case(18)] [unique][string] wchar_t *Name ;
3378 * IDL [case(19)] [unique][string] wchar_t *Name ;
3379 * IDL [case(20)] long rid;
3380 * IDL [case(21)] long rid;
3381 * IDL } DELTA_ID_UNION;
/*
 * Dissect a DELTA_ID_UNION: a 16-bit discriminant (stored in `level`)
 * followed by exactly one arm - a 32-bit RID, a SID pointer or a unique
 * string pointer.  The item is created with length 0 and resized to
 * offset-old_offset once the arm has been consumed.
 *
 * NOTE(review): the embedded line numbers jump, so this listing omits
 * short source lines (braces, the switch and its case labels, the label
 * passed to proto_tree_add_text, the return).  The arm order below is
 * presumed to follow cases 1..21 of the IDL comment above - confirm
 * against the complete file.
 */
3384 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
3385 packet_info *pinfo, proto_tree *parent_tree,
3388 proto_item *item=NULL;
3389 proto_tree *tree=NULL;
3390 int old_offset=offset;
3394 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3396 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
/*
 * The discriminant is read from the packet, i.e. it is untrusted.
 * NOTE(review): how a value with no matching arm is handled is not
 * visible in this listing - verify that no data is consumed for it.
 */
3399 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3400 hf_netlogon_delta_type, &level);
/* Twelve 32-bit RID arms: one group RID, then eleven user RIDs
 * (presumably IDL cases 1-12). */
3405 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3406 hf_netlogon_group_rid, NULL);
3409 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3410 hf_netlogon_user_rid, NULL);
3413 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3414 hf_netlogon_user_rid, NULL);
3417 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3418 hf_netlogon_user_rid, NULL);
3421 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3422 hf_netlogon_user_rid, NULL);
3425 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3426 hf_netlogon_user_rid, NULL);
3429 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3430 hf_netlogon_user_rid, NULL);
3433 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3434 hf_netlogon_user_rid, NULL);
3437 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3438 hf_netlogon_user_rid, NULL);
3441 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3442 hf_netlogon_user_rid, NULL);
3445 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3446 hf_netlogon_user_rid, NULL);
3449 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3450 hf_netlogon_user_rid, NULL);
/* Five SID pointer arms (presumably IDL cases 13-17). */
3453 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3456 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3459 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3462 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
3465 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
/* Two unique string pointer arms, shown under the generic "unknown"
 * label (presumably IDL cases 18-19). */
3468 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3469 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3470 hf_netlogon_unknown_string, 0);
3473 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3474 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3475 hf_netlogon_unknown_string, 0);
/* Two further 32-bit RID arms (presumably IDL cases 20-21). */
3478 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3479 hf_netlogon_user_rid, NULL);
3482 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3483 hf_netlogon_user_rid, NULL);
/* Now that the arm is consumed, give the tree item its real length. */
3487 proto_item_set_len(item, offset-old_offset);
3492 * IDL typedef struct {
3493 * IDL short delta_type;
3494 * IDL DELTA_ID_UNION delta_id_union;
3495 * IDL DELTA_UNION delta_union;
/*
 * Dissect one DELTA_ENUM element: a 16-bit delta type, then the
 * DELTA_ID_UNION and the DELTA_UNION.  The tree item starts with length 0
 * and is resized to offset-old_offset after both unions are consumed.
 *
 * NOTE(review): the embedded line numbers jump, so this listing omits
 * short source lines (braces, the declaration of `type`, the label passed
 * to proto_tree_add_text, the trailing call arguments and the return).
 */
3499 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3500 packet_info *pinfo, proto_tree *parent_tree,
3503 proto_item *item=NULL;
3504 proto_tree *tree=NULL;
3505 int old_offset=offset;
3509 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3511 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
/* `type` is taken straight from the packet, so it is untrusted input. */
3514 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3515 hf_netlogon_delta_type, &type);
/*
 * NOTE(review): the string returned by val_to_str() is passed as the
 * format argument of proto_item_append_text().  That is only safe while
 * no entry of delta_type_vals (defined outside this listing) contains a
 * '%'.  Passing it through a literal format removes the dependency:
 *   proto_item_append_text(item, "%s",
 *           val_to_str(type, delta_type_vals, "Unknown"));
 */
3517 proto_item_append_text(item, val_to_str(
3518 type, delta_type_vals, "Unknown"));
3520 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3523 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
/* Give the tree item its real length now that the element is consumed. */
3526 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect the array of DELTA_ENUM elements that a DELTA_ENUM_ARRAY points
 * to, handing every element to netlogon_dissect_DELTA_ENUM.
 * Returns the offset reported by dissect_ndr_ucarray().
 */
static int
netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
			packet_info *pinfo, proto_tree *tree,
			guint8 *drep)
{
	return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
				   netlogon_dissect_DELTA_ENUM);
}
3542 * IDL typedef struct {
3543 * IDL long num_deltas;
3544 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3545 * IDL } DELTA_ENUM_ARRAY;
/*
 * Dissect a DELTA_ENUM_ARRAY: the 32-bit num_deltas field followed by a
 * unique pointer to the DELTA_ENUM array.
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
			packet_info *pinfo, proto_tree *tree,
			guint8 *drep)
{
	/* long num_deltas */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_num_deltas, NULL);

	/* [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum */
	return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				   netlogon_dissect_DELTA_ENUM_array,
				   NDR_POINTER_UNIQUE,
				   "DELTA_ENUM: deltas", -1);
}
3564 * IDL long NetrDatabaseDeltas(
3565 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3566 * IDL [in][string][ref] wchar_t *computername,
3567 * IDL [in][ref] AUTHENTICATOR credential,
3568 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3569 * IDL [in] long database_id,
3570 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3571 * IDL [in] long preferredmaximumlength,
3572 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect the [in] parameters of NetrDatabaseDeltas in wire order:
 * server handle, computer name, both AUTHENTICATORs, database id,
 * domain modified count and preferred maximum length.
 * Returns the offset after the last parameter.
 */
static int
netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	/* wchar_t *logonserver */
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Server Handle",
					      hf_netlogon_logonsrv_handle, 0);

	/* wchar_t *computername */
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Computer Name",
					      hf_netlogon_computer_name, 0);

	/* AUTHENTICATOR credential */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: credential", -1);

	/* AUTHENTICATOR return_authenticator */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* long database_id */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_database_id, NULL);

	/* MODIFIED_COUNT domain_modify_count */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_MODIFIED_COUNT,
				     NDR_POINTER_REF,
				     "MODIFIED_COUNT: domain modified count", -1);

	/* long preferredmaximumlength */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_max_size, NULL);
}
/*
 * Dissect the [out] parameters of NetrDatabaseDeltas: the return
 * authenticator, the domain modified count, the DELTA_ENUM_ARRAY of
 * changes and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_MODIFIED_COUNT,
				     NDR_POINTER_REF,
				     "MODIFIED_COUNT: domain modified count", -1);

	/* The delta array is a unique pointer, so it may be absent. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_DELTA_ENUM_ARRAY,
				     NDR_POINTER_UNIQUE,
				     "DELTA_ENUM_ARRAY: deltas", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
3629 * IDL long NetrDatabaseSync(
3630 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3631 * IDL [in][string][ref] wchar_t *computername,
3632 * IDL [in][ref] AUTHENTICATOR credential,
3633 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3634 * IDL [in] long database_id,
3635 * IDL [in][out][ref] long sync_context,
3636 * IDL [in] long preferredmaximumlength,
3637 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect the [in] parameters of NetrDatabaseSync in wire order:
 * server handle, computer name, both AUTHENTICATORs, database id,
 * sync context and preferred maximum length.
 * Returns the offset after the last parameter.
 */
static int
netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	/* wchar_t *logonserver */
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Server Handle",
					      hf_netlogon_logonsrv_handle, 0);

	/* wchar_t *computername */
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Computer Name",
					      hf_netlogon_computer_name, 0);

	/* AUTHENTICATOR credential */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: credential", -1);

	/* AUTHENTICATOR return_authenticator */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* long database_id */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_database_id, NULL);

	/* long sync_context */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_sync_context, NULL);

	/* long preferredmaximumlength */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_max_size, NULL);
}
/*
 * Dissect the [out] parameters of NetrDatabaseSync: the return
 * authenticator, the updated sync context, the DELTA_ENUM_ARRAY and the
 * NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_sync_context, NULL);

	/* The delta array is a unique pointer, so it may be absent. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_DELTA_ENUM_ARRAY,
				     NDR_POINTER_UNIQUE,
				     "DELTA_ENUM_ARRAY: deltas", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
3693 * IDL typedef struct {
3694 * IDL char computer_name[16];
3695 * IDL long timecreated;
3696 * IDL long serial_number;
/*
 * Dissect a UAS_INFO_0 record: a fixed 16-byte computer name, a 4-byte
 * creation time that is only labelled (its format is not decoded) and a
 * 32-bit serial number.  Nothing is dissected during a conformant run.
 *
 * NOTE(review): the embedded line numbers jump, so this listing omits
 * short source lines.  In particular no statement advancing `offset`
 * past the 16-byte and 4-byte items is visible - presumably it sits on
 * the omitted lines; confirm against the complete file, otherwise the
 * three items would overlap.
 */
3700 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3701 packet_info *pinfo, proto_tree *tree,
3706 di=pinfo->private_data;
3707 if(di->conformant_run){
3708 /*just a run to handle conformant arrays, nothing to dissect */
/* Fixed-size field: always 16 bytes, whatever the name's real length. */
3712 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
/* The timestamp is shown as a placeholder; its 4 bytes are not decoded. */
3715 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3718 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3719 hf_netlogon_serial_number, NULL);
/*
 * Dissect a single byte of an opaque buffer as hf_netlogon_unknown_char.
 * Used as the per-element callback of netlogon_dissect_BYTE_array.
 */
static int
netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
			packet_info *pinfo, proto_tree *tree,
			guint8 *drep)
{
	return dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
				 hf_netlogon_unknown_char, NULL);
}
/*
 * Dissect an opaque byte buffer as an NDR array, one element at a time
 * through netlogon_dissect_BYTE_byte.
 */
static int
netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
			packet_info *pinfo, proto_tree *tree,
			guint8 *drep)
{
	return dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
				   netlogon_dissect_BYTE_byte);
}
3748 * IDL long NetrAccountDeltas(
3749 * IDL [in][string][unique] wchar_t *logonserver,
3750 * IDL [in][string][ref] wchar_t *computername,
3751 * IDL [in][ref] AUTHENTICATOR credential,
3752 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3753 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3754 * IDL [out][ref] long count_returned,
3755 * IDL [out][ref] long total_entries,
3756 * IDL [in][out][ref] UAS_INFO_0 recordid,
3757 * IDL [in][long] count,
3758 * IDL [in][long] level,
3759 * IDL [in][long] buffersize,
/*
 * Dissect the [in] parameters of NetrAccountDeltas: logon server handle,
 * computer name, both AUTHENTICATORs, the UAS_INFO_0 record id, and the
 * count, level and buffer size values.
 * Returns the offset after the last parameter.
 */
static int
netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
						  pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Computer Name",
					      hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: credential", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_UAS_INFO_0,
				     NDR_POINTER_REF,
				     "UAS_INFO_0: RecordID", -1);

	/* long count */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_count, NULL);

	/* long level */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_level, NULL);

	/* long buffersize */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_max_size, NULL);
}
/*
 * Dissect the [out] parameters of NetrAccountDeltas: return
 * authenticator, the returned byte buffer, the returned and total entry
 * counts, the UAS_INFO_0 record id and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* Opaque buffer, shown byte by byte. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_BYTE_array,
				     NDR_POINTER_REF,
				     "BYTE_array: Buffer", -1);

	/* long count_returned */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_count, NULL);

	/* long total_entries */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_entries, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_UAS_INFO_0,
				     NDR_POINTER_REF,
				     "UAS_INFO_0: RecordID", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
3825 * IDL long NetrAccountSync(
3826 * IDL [in][string][unique] wchar_t *logonserver,
3827 * IDL [in][string][ref] wchar_t *computername,
3828 * IDL [in][ref] AUTHENTICATOR credential,
3829 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3830 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3831 * IDL [out][ref] long count_returned,
3832 * IDL [out][ref] long total_entries,
3833 * IDL [out][ref] long next_reference,
3834 * IDL [in][long] reference,
3835 * IDL [in][long] level,
3836 * IDL [in][long] buffersize,
3837 * IDL [in][out][ref] UAS_INFO_0 recordid,
/*
 * Dissect the request side of NetrAccountSync as the code reads it:
 * logon server handle, computer name, both AUTHENTICATORs, then the
 * reference, level and buffer size values.
 * Returns the offset after the last field read.
 */
static int
netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
						  pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Computer Name",
					      hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: credential", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* long reference */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_reference, NULL);

	/* long level */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_level, NULL);

	/* long buffersize */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_max_size, NULL);
}
/*
 * Dissect the [out] parameters of NetrAccountSync: return authenticator,
 * the returned byte buffer, the returned and total entry counts, the
 * next reference, the UAS_INFO_0 record id and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* Opaque buffer, shown byte by byte. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_BYTE_array,
				     NDR_POINTER_REF,
				     "BYTE_array: Buffer", -1);

	/* long count_returned */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_count, NULL);

	/* long total_entries */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_entries, NULL);

	/* long next_reference */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_next_reference, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_UAS_INFO_0,
				     NDR_POINTER_REF,
				     "UAS_INFO_0: RecordID", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
3902 * IDL long NetrGetDcName(
3903 * IDL [in][ref][string] wchar_t *logon_server,
3904 * IDL [in][unique][string] wchar_t *domainname,
3905 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect the [in] parameters of NetrGetDcName: the logon server name
 * (ref pointer) and the domain name (unique pointer, may be absent).
 * Returns the offset after the domain name.
 */
static int
netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Server Handle",
					      hf_netlogon_logonsrv_handle, 0);

	return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					    NDR_POINTER_UNIQUE, "Domain",
					    hf_netlogon_domain_name, 0);
}
/*
 * Dissect the [out] parameters of NetrGetDcName: the DC name string
 * (unique pointer, displayed under the "Domain" label) and the NT
 * status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_UNIQUE, "Domain",
					      hf_netlogon_dc_name, 0);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
3936 * IDL typedef struct {
3938 * IDL long pdc_connection_status;
3939 * IDL } NETLOGON_INFO_1;
/*
 * Dissect a NETLOGON_INFO_1 structure: two 32-bit fields, the flags and
 * the PDC connection status.
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
			packet_info *pinfo, proto_tree *tree,
			guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_flags, NULL);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_pdc_connection_status, NULL);
}
3957 * IDL typedef struct {
3959 * IDL long pdc_connection_status;
3960 * IDL [unique][string] wchar_t trusted_dc_name;
3961 * IDL long tc_connection_status;
3962 * IDL } NETLOGON_INFO_2;
/*
 * Dissect a NETLOGON_INFO_2 structure: flags, PDC connection status, the
 * trusted DC name (unique string pointer) and the trusted-connection
 * status.
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
			packet_info *pinfo, proto_tree *tree,
			guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_flags, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_pdc_connection_status, NULL);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_UNIQUE,
					      "Trusted DC Name",
					      hf_netlogon_trusted_dc_name, 0);

	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_tc_connection_status, NULL);
}
3987 * IDL typedef struct {
3989 * IDL long logon_attempts;
3990 * IDL long reserved;
3991 * IDL long reserved;
3992 * IDL long reserved;
3993 * IDL long reserved;
3994 * IDL long reserved;
3995 * IDL } NETLOGON_INFO_3;
/*
 * Dissect a NETLOGON_INFO_3 structure: flags, logon attempts and five
 * reserved 32-bit fields.
 * Returns the offset after the structure.
 */
static int
netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
			packet_info *pinfo, proto_tree *tree,
			guint8 *drep)
{
	int i;

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_flags, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_logon_attempts, NULL);

	/* Five consecutive reserved longs, all shown with the same field. */
	for (i = 0; i < 5; i++) {
		offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
					    hf_netlogon_reserved, NULL);
	}

	return offset;
}
4028 * IDL typedef [switch_type(long)] union {
4029 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
4030 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
4031 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
4032 * IDL } CONTROL_QUERY_INFORMATION;
/*
 * Dissect a CONTROL_QUERY_INFORMATION union: a 32-bit level followed by
 * a unique pointer to the NETLOGON_INFO_1, _2 or _3 structure.
 *
 * NOTE(review): the embedded line numbers jump, so this listing omits
 * short source lines (braces, the declaration of `level`, the switch and
 * its case labels, the return).  The three arms are presumed to map to
 * levels 1, 2 and 3 as in the IDL comment above - confirm against the
 * complete file.
 */
4035 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
4036 packet_info *pinfo, proto_tree *tree,
/* `level` is read from the packet and selects which arm is dissected. */
4041 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4042 hf_netlogon_level, &level);
4047 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4048 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
4049 "NETLOGON_INFO_1:", -1);
4052 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4053 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
4054 "NETLOGON_INFO_2:", -1);
4057 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4058 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
4059 "NETLOGON_INFO_3:", -1);
4068 * IDL long NetrLogonControl(
4069 * IDL [in][string][unique] wchar_t *logonserver,
4070 * IDL [in] long function_code,
4071 * IDL [in] long level,
4072 * IDL [out][ref] CONTROL_QUERY_INFORMATION
/*
 * Dissect the [in] parameters of NetrLogonControl: logon server handle,
 * function code and information level.
 * Returns the offset after the level.
 */
static int
netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
						  pinfo, tree, drep);

	/* long function_code */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_code, NULL);

	/* long level */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_level, NULL);
}
/*
 * Dissect the [out] parameters of NetrLogonControl: the
 * CONTROL_QUERY_INFORMATION union (ref pointer) and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_CONTROL_QUERY_INFORMATION,
				     NDR_POINTER_REF,
				     "CONTROL_QUERY_INFORMATION:", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
4106 * IDL long NetrGetAnyDCName(
4107 * IDL [in][unique][string] wchar_t *logon_server,
4108 * IDL [in][unique][string] wchar_t *domainname,
4109 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Dissect the [in] parameters of NetrGetAnyDCName: the logon server name
 * and the domain name, both unique string pointers that may be absent.
 * Returns the offset after the domain name.
 */
static int
netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_UNIQUE,
					      "Server Handle",
					      hf_netlogon_logonsrv_handle, 0);

	return dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					    NDR_POINTER_UNIQUE, "Domain",
					    hf_netlogon_domain_name, 0);
}
/*
 * Dissect the [out] parameters of NetrGetAnyDCName: the DC name string
 * (unique pointer, displayed under the "Domain" label) and the NT
 * status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_UNIQUE, "Domain",
					      hf_netlogon_dc_name, 0);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
4140 * IDL typedef [switch_type(long)] union {
4141 * IDL [case(5)] [unique][string] wchar_t *unknown;
4142 * IDL [case(6)] [unique][string] wchar_t *unknown;
4143 * IDL [case(0xfffe)] long unknown;
4144 * IDL [case(7)] [unique][string] wchar_t *unknown;
4145 * IDL } CONTROL_DATA_INFORMATION;
4148 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
4149 * to look like. However NetMon does not recognize any such informationlevels.
4151 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
4152 * until someone has any source of better authority to call upon.
/*
 * Dissect a CONTROL_DATA_INFORMATION union: a 32-bit level followed by
 * one arm - a unique string pointer or a 32-bit value, all displayed
 * with "unknown" fields because their meaning is not established (see
 * the comment above).
 *
 * NOTE(review): the embedded line numbers jump, so this listing omits
 * short source lines (braces, the declaration of `level`, the switch and
 * its case labels, the return).  The arms appear in the IDL order
 * 5, 6, 0xfffe, 7 - presumably with matching case labels; confirm
 * against the complete file.
 */
4155 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
4156 packet_info *pinfo, proto_tree *tree,
/* `level` is read from the packet and selects which arm is dissected. */
4161 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4162 hf_netlogon_level, &level);
4167 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4168 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4169 hf_netlogon_unknown_string, 0);
4172 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4173 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4174 hf_netlogon_unknown_string, 0);
/* The only non-string arm: a plain 32-bit value. */
4177 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4178 hf_netlogon_unknown_long, NULL);
4181 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4182 tree, drep, NDR_POINTER_UNIQUE, "unknown",
4183 hf_netlogon_unknown_string, 0);
4192 * IDL long NetrLogonControl2(
4193 * IDL [in][string][unique] wchar_t *logonserver,
4194 * IDL [in] long function_code,
4195 * IDL [in] long level,
4196 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4197 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Dissect the [in] parameters of NetrLogonControl2: logon server handle,
 * function code, information level and the CONTROL_DATA_INFORMATION
 * union (ref pointer).
 * Returns the offset after the union.
 */
static int
netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
						  pinfo, tree, drep);

	/* long function_code */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_code, NULL);

	/* long level */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_level, NULL);

	return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				   netlogon_dissect_CONTROL_DATA_INFORMATION,
				   NDR_POINTER_REF,
				   "CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect the [out] parameters of NetrLogonControl2: the
 * CONTROL_QUERY_INFORMATION union (ref pointer) and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_CONTROL_QUERY_INFORMATION,
				     NDR_POINTER_REF,
				     "CONTROL_QUERY_INFORMATION:", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
4236 * IDL long NetrServerAuthenticate2(
4237 * IDL [in][string][unique] wchar_t *logonserver,
4238 * IDL [in][ref][string] wchar_t *username,
4239 * IDL [in] short secure_channel_type,
4240 * IDL [in][ref][string] wchar_t *computername,
4241 * IDL [in][ref] CREDENTIAL *client_chal,
4242 * IDL [out][ref] CREDENTIAL *server_chal,
4243 * IDL [in][out][ref] long *negotiate_flags,
/*
 * Dissect the [in] parameters of NetrServerAuthenticate2: logon server
 * handle, account name, secure channel type, computer name, the client
 * challenge CREDENTIAL and the negotiate flags.
 * Returns the offset after the flags.
 */
static int
netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
						  pinfo, tree, drep);

	/* The account name goes through the cb_wstr_postprocess callback
	 * with CB_STR_COL_INFO set. */
	offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
					dissect_ndr_wchar_cvstring,
					NDR_POINTER_REF,
					"User Name", hf_netlogon_acct_name,
					cb_wstr_postprocess,
					GINT_TO_POINTER(CB_STR_COL_INFO | 1));

	offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
							       pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Computer Name",
					      hf_netlogon_computer_name, 0);

	/* CREDENTIAL *client_chal */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_CREDENTIAL,
				     NDR_POINTER_REF,
				     "CREDENTIAL: client_chal", -1);

	/* long *negotiate_flags */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_neg_flags, NULL);
}
/*
 * Dissect the [out] parameters of NetrServerAuthenticate2: the server
 * challenge CREDENTIAL, the negotiate flags returned by the server and
 * the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	/* CREDENTIAL *server_chal */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_CREDENTIAL,
				     NDR_POINTER_REF,
				     "CREDENTIAL: server_chal", -1);

	/* long *negotiate_flags */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_neg_flags, NULL);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
4294 * IDL long NetrDatabaseSync2(
4295 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4296 * IDL [in][string][ref] wchar_t *computername,
4297 * IDL [in][ref] AUTHENTICATOR credential,
4298 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4299 * IDL [in] long database_id,
4300 * IDL [in] short restart_state,
4301 * IDL [in][out][ref] long *sync_context,
4302 * IDL [in] long preferredmaximumlength,
4303 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect the [in] parameters of NetrDatabaseSync2 in wire order:
 * server handle, computer name, both AUTHENTICATORs, database id, the
 * 16-bit restart state, sync context and preferred maximum length.
 * Returns the offset after the last parameter.
 */
static int
netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Server Handle",
					      hf_netlogon_logonsrv_handle, 0);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Computer Name",
					      hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: credential", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* long database_id */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_database_id, NULL);

	/* short restart_state - the only 16-bit field of the request */
	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_restart_state, NULL);

	/* long *sync_context */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_sync_context, NULL);

	/* long preferredmaximumlength */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_max_size, NULL);
}
/*
 * Dissect the [out] parameters of NetrDatabaseSync2: the return
 * authenticator, the updated sync context, the DELTA_ENUM_ARRAY and the
 * NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_sync_context, NULL);

	/* The delta array is a unique pointer, so it may be absent. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_DELTA_ENUM_ARRAY,
				     NDR_POINTER_UNIQUE,
				     "DELTA_ENUM_ARRAY: deltas", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
4362 * IDL long NetrDatabaseRedo(
4363 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4364 * IDL [in][string][ref] wchar_t *computername,
4365 * IDL [in][ref] AUTHENTICATOR credential,
4366 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4367 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
4368 * IDL [in] long change_log_entry_size,
4369 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Dissect the [in] parameters of NetrDatabaseRedo: server handle,
 * computer name, both AUTHENTICATORs, the change log entry (an opaque
 * byte buffer) and its size.
 * Returns the offset after the size.
 */
static int
netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Server Handle",
					      hf_netlogon_logonsrv_handle, 0);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
					      NDR_POINTER_REF, "Computer Name",
					      hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: credential", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* char *change_log_entry, shown byte by byte */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_BYTE_array,
				     NDR_POINTER_REF,
				     "Change log entry: ", -1);

	/* long change_log_entry_size */
	return dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				  hf_netlogon_max_log_size, NULL);
}
/*
 * Dissect the [out] parameters of NetrDatabaseRedo: the return
 * authenticator, the DELTA_ENUM_ARRAY and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_AUTHENTICATOR,
				     NDR_POINTER_REF,
				     "AUTHENTICATOR: return_authenticator", -1);

	/* The delta array is a unique pointer, so it may be absent. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_DELTA_ENUM_ARRAY,
				     NDR_POINTER_UNIQUE,
				     "DELTA_ENUM_ARRAY: deltas", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
4420 * IDL long NetrLogonControl2Ex(
4421 * IDL [in][string][unique] wchar_t *logonserver,
4422 * IDL [in] long function_code,
4423 * IDL [in] long level,
4424 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4425 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Dissect the [in] parameters of NetrLogonControl2Ex: logon server
 * handle, function code, information level and the
 * CONTROL_DATA_INFORMATION union (ref pointer).
 * Returns the offset after the union.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
						  pinfo, tree, drep);

	/* long function_code */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_code, NULL);

	/* long level */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_netlogon_level, NULL);

	return dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				   netlogon_dissect_CONTROL_DATA_INFORMATION,
				   NDR_POINTER_REF,
				   "CONTROL_DATA_INFORMATION: ", -1);
}
/*
 * Dissect the [out] parameters of NetrLogonControl2Ex: the
 * CONTROL_QUERY_INFORMATION union (ref pointer) and the NT status code.
 * Returns the offset after the status.
 */
static int
netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     netlogon_dissect_CONTROL_QUERY_INFORMATION,
				     NDR_POINTER_REF,
				     "CONTROL_QUERY_INFORMATION:", -1);

	return dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				hf_netlogon_rc, NULL);
}
/*
 * Display tables for the trust-related fields.
 *
 * NOTE(review): the embedded line numbers jump, so this listing omits
 * short source lines - the entries of trust_type_vals, the table
 * terminators and the closing braces are not visible here.
 */
4464 static const value_string trust_type_vals[] = {
/* Kind of address carried for a DC: IP/DNS name or NetBIOS name. */
4472 #define DS_INET_ADDRESS 1
4473 #define DS_NETBIOS_ADDRESS 2
4474 static const value_string dc_address_types[] = {
4475 { DS_INET_ADDRESS, "IP/DNS name" },
4476 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
/* Bit masks of the 32-bit domain trust flags word; each is a single bit. */
4481 #define DS_DOMAIN_IN_FOREST 0x0001
4482 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4483 #define DS_DOMAIN_TREE_ROOT 0x0004
4484 #define DS_DOMAIN_PRIMARY 0x0008
4485 #define DS_DOMAIN_NATIVE_MODE 0x0010
4486 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
/* Text pairs for the flag bits: first string when the bit is set,
 * second when it is clear. */
4487 static const true_false_string trust_inbound = {
4488 "There is a DIRECT INBOUND trust for the servers domain",
4489 "There is NO direct inbound trust for the servers domain"
4491 static const true_false_string trust_outbound = {
4492 "There is a DIRECT OUTBOUND trust for this domain",
4493 "There is NO direct outbound trust for this domain"
/* NOTE(review): the "set" text speaks of the FOREST while the "clear"
 * text speaks of the servers domain - the two do not negate each other;
 * check which wording is intended. */
4495 static const true_false_string trust_in_forest = {
4496 "The domain is a member IN the same FOREST as the queried server",
4497 "The domain is NOT a member of the queried servers domain"
4499 static const true_false_string trust_native_mode = {
4500 "The primary domain is a NATIVE MODE w2k domain",
4501 "The primary is NOT a native mode w2k domain"
4503 static const true_false_string trust_primary = {
4504 "The domain is the PRIMARY domain of the queried server",
4505 "The domain is NOT the primary domain of the queried server"
4507 static const true_false_string trust_tree_root = {
4508 "The domain is the ROOT of a domain TREE",
4509 "The domain is NOT a root of a domain tree"
/*
 * Dissects the 32-bit domain trust flags word and shows it as a subtree
 * with one boolean line per flag bit.
 * NOTE(review): the declarations of mask and di, the early return and the
 * final return are among the lines missing from this listing.
 */
4512 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4513 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4516 proto_item *item = NULL;
4517 proto_tree *tree = NULL;
4520 di=pinfo->private_data;
4521 if(di->conformant_run){
4522 /*just a run to handle conformant arrays, nothing to dissect */
/* A NULL tree here only fetches the value into mask; the item is added by
 * hand below so that the per-bit lines can hang under it. */
4526 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4527 hf_netlogon_trust_flags, &mask);
/* offset-4, length 4: the 32-bit word that was just consumed. */
4530 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4531 tvb, offset-4, 4, mask);
4532 tree = proto_item_add_subtree(item, ett_trust_flags);
/* Every flag line is given the whole mask; each hf field presumably
 * selects its own bit through the mask it was registered with. */
4535 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4536 tvb, offset-4, 4, mask);
4537 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4538 tvb, offset-4, 4, mask);
4539 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4540 tvb, offset-4, 4, mask);
4541 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4542 tvb, offset-4, 4, mask);
4543 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4544 tvb, offset-4, 4, mask);
4545 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4546 tvb, offset-4, 4, mask);
/*
 * Bit values of the "get DC name" request flags word and the set/clear
 * display strings for each bit. The strings are display text only; several
 * contain typos, flagged below and left unchanged.
 */
4552 #define DS_FORCE_REDISCOVERY 0x00000001
4553 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
4554 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
4555 #define DS_GC_SERVER_REQUIRED 0x00000040
4556 #define DS_PDC_REQUIRED 0x00000080
4557 #define DS_BACKGROUND_ONLY 0x00000100
4558 #define DS_IP_REQUIRED 0x00000200
4559 #define DS_KDC_REQUIRED 0x00000400
4560 #define DS_TIMESERV_REQUIRED 0x00000800
4561 #define DS_WRITABLE_REQUIRED 0x00001000
4562 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
4563 #define DS_AVOID_SELF 0x00004000
4564 #define DS_ONLY_LDAP_NEEDED 0x00008000
4565 #define DS_IS_FLAT_NAME 0x00010000
4566 #define DS_IS_DNS_NAME 0x00020000
4567 #define DS_RETURN_DNS_NAME 0x40000000
4568 #define DS_RETURN_FLAT_NAME 0x80000000
4569 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4570 "FORCE REDISCOVERY of any cached data",
4571 "You may return cached data"
/* NOTE(review): typo in the display string - "DIRECRTORY". */
4573 static const true_false_string get_dcname_request_flags_directory_service_required = {
4574 "DIRECRTORY SERVICE is REQUIRED on the server",
4575 "We do NOT require directory service servers"
4577 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4578 "DIRECTORY SERVICE servers are PREFERRED",
4579 "We do NOT have a preference for directory service servers"
4581 static const true_false_string get_dcname_request_flags_gc_server_required = {
4582 "GC SERVER is REQUIRED",
4583 "gc server is NOT required"
4585 static const true_false_string get_dcname_request_flags_pdc_required = {
4586 "PDC SERVER is REQUIRED",
4587 "pdc server is NOT required"
/* NOTE(review): typo in the display string - "cahced". */
4589 static const true_false_string get_dcname_request_flags_background_only = {
4590 "Only returned cahced data, even if it has expired",
4591 "Return cached data unless it has expired"
4593 static const true_false_string get_dcname_request_flags_ip_required = {
4594 "IP address is REQUIRED",
4595 "ip address is NOT required"
4597 static const true_false_string get_dcname_request_flags_kdc_required = {
4598 "KDC server is REQUIRED",
4599 "kdc server is NOT required"
4601 static const true_false_string get_dcname_request_flags_timeserv_required = {
4602 "TIMESERV service is REQUIRED",
4603 "timeserv service is NOT required"
/* NOTE(review): typo in the display string - "requrned". */
4605 static const true_false_string get_dcname_request_flags_writable_required = {
4606 "the requrned dc MUST be WRITEABLE",
4607 "a read-only dc may be returned"
4609 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4610 "GOOD TIMESERV servers are PREFERRED",
4611 "we do NOT have a preference for good timeserv servers"
4613 static const true_false_string get_dcname_request_flags_avoid_self = {
4614 "do NOT return self as dc, return someone else",
4615 "you may return yourSELF as the dc"
4617 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4618 "we ONLY NEED LDAP, you dont have to return a dc",
4619 "we need a normal dc, an ldap only server will not do"
4621 static const true_false_string get_dcname_request_flags_is_flat_name = {
4622 "the name we specify is a NetBIOS name",
4623 "the name we specify is NOT a NetBIOS name"
/* NOTE(review): typo in the display string - "ther name". */
4625 static const true_false_string get_dcname_request_flags_is_dns_name = {
4626 "the name we specify is a DNS name",
4627 "ther name we specify is NOT a dns name"
4629 static const true_false_string get_dcname_request_flags_return_dns_name = {
4630 "return a DNS name",
4631 "you may return a NON-dns name"
4633 static const true_false_string get_dcname_request_flags_return_flat_name = {
4634 "return a NetBIOS name",
4635 "you may return a NON-NetBIOS name"
/*
 * Dissects the 32-bit "get DC name" request flags word and shows it as a
 * subtree with one boolean line per flag bit, highest bit first.
 * NOTE(review): the declarations of mask and di, the early return and the
 * final return are among the lines missing from this listing.
 */
4638 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4639 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4642 proto_item *item = NULL;
4643 proto_tree *tree = NULL;
4646 di=pinfo->private_data;
4647 if(di->conformant_run){
4648 /*just a run to handle conformant arrays, nothing to dissect */
/* A NULL tree here only fetches the value into mask; the item is added by
 * hand below so that the per-bit lines can hang under it. */
4652 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4653 hf_netlogon_get_dcname_request_flags, &mask);
/* offset-4, length 4: the 32-bit word that was just consumed. */
4656 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4657 tvb, offset-4, 4, mask);
4658 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4661 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4662 tvb, offset-4, 4, mask);
4663 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4664 tvb, offset-4, 4, mask);
4665 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4666 tvb, offset-4, 4, mask);
4667 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4668 tvb, offset-4, 4, mask);
4669 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4670 tvb, offset-4, 4, mask);
4671 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4672 tvb, offset-4, 4, mask);
4673 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4674 tvb, offset-4, 4, mask);
4675 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4676 tvb, offset-4, 4, mask);
4677 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4678 tvb, offset-4, 4, mask);
4679 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4680 tvb, offset-4, 4, mask);
4681 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4682 tvb, offset-4, 4, mask);
4683 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4684 tvb, offset-4, 4, mask);
4685 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4686 tvb, offset-4, 4, mask);
4687 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4688 tvb, offset-4, 4, mask);
4689 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4690 tvb, offset-4, 4, mask);
4691 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4692 tvb, offset-4, 4, mask);
4693 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4694 tvb, offset-4, 4, mask);
/*
 * Bit values of the domain controller flags word (dissected by
 * netlogon_dissect_DC_FLAGS) and the set/clear display strings per bit.
 * NOTE(review): the strings of dc_flags_ndnc_flag are not shown in this
 * listing.
 */
4701 #define DS_PDC_FLAG 0x00000001
4702 #define DS_GC_FLAG 0x00000004
4703 #define DS_LDAP_FLAG 0x00000008
4704 #define DS_DS_FLAG 0x00000010
4705 #define DS_KDC_FLAG 0x00000020
4706 #define DS_TIMESERV_FLAG 0x00000040
4707 #define DS_CLOSEST_FLAG 0x00000080
4708 #define DS_WRITABLE_FLAG 0x00000100
4709 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4710 #define DS_NDNC_FLAG 0x00000400
4711 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4712 #define DS_DNS_DOMAIN_FLAG 0x40000000
4713 #define DS_DNS_FOREST_FLAG 0x80000000
4714 static const true_false_string dc_flags_pdc_flag = {
4715 "this is the PDC of the domain",
4716 "this is NOT the pdc of the domain"
4718 static const true_false_string dc_flags_gc_flag = {
4719 "this is the GC of the forest",
4720 "this is NOT the gc of the forest"
4722 static const true_false_string dc_flags_ldap_flag = {
4723 "this is an LDAP server",
4724 "this is NOT an ldap server"
4726 static const true_false_string dc_flags_ds_flag = {
4727 "this is a DS server",
4728 "this is NOT a ds server"
4730 static const true_false_string dc_flags_kdc_flag = {
4731 "this is a KDC server",
4732 "this is NOT a kdc server"
4734 static const true_false_string dc_flags_timeserv_flag = {
4735 "this is a TIMESERV server",
4736 "this is NOT a timeserv server"
4738 static const true_false_string dc_flags_closest_flag = {
4739 "this is the CLOSEST server",
4740 "this is NOT the closest server"
4742 static const true_false_string dc_flags_writable_flag = {
4743 "this server has a WRITABLE ds database",
4744 "this server has a READ-ONLY ds database"
4746 static const true_false_string dc_flags_good_timeserv_flag = {
4747 "this server is a GOOD TIMESERV server",
4748 "this is NOT a good timeserv server"
4750 static const true_false_string dc_flags_ndnc_flag = {
4754 static const true_false_string dc_flags_dns_controller_flag = {
4755 "DomainControllerName is a DNS name",
4756 "DomainControllerName is NOT a dns name"
4758 static const true_false_string dc_flags_dns_domain_flag = {
4759 "DomainName is a DNS name",
4760 "DomainName is NOT a dns name"
4762 static const true_false_string dc_flags_dns_forest_flag = {
4763 "DnsForestName is a DNS name",
4764 "DnsForestName is NOT a dns name"
/*
 * Dissects the 32-bit domain controller flags word and shows it as a
 * subtree with one boolean line per flag bit, highest bit first.
 * NOTE(review): the declarations of mask and di, the early return and the
 * final return are among the lines missing from this listing.
 */
4767 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4768 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4771 proto_item *item = NULL;
4772 proto_tree *tree = NULL;
4775 di=pinfo->private_data;
4776 if(di->conformant_run){
4777 /*just a run to handle conformant arrays, nothing to dissect */
/* A NULL tree here only fetches the value into mask; the item is added by
 * hand below with a custom label. */
4781 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4782 hf_netlogon_dc_flags, &mask);
/* The label is a fixed format string; only the numeric mask and a constant
 * suffix are substituted. A mask of exactly 0x0000ffff is tagged "PING". */
4785 item = proto_tree_add_uint_format(parent_tree, hf_netlogon_dc_flags,
4786 tvb, offset-4, 4, mask, "Domain Controller Flags: 0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4787 tree = proto_item_add_subtree(item, ett_dc_flags);
4790 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4791 tvb, offset-4, 4, mask);
4792 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4793 tvb, offset-4, 4, mask);
4794 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4795 tvb, offset-4, 4, mask);
4796 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4797 tvb, offset-4, 4, mask);
4798 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4799 tvb, offset-4, 4, mask);
4800 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4801 tvb, offset-4, 4, mask);
4802 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4803 tvb, offset-4, 4, mask);
4804 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4805 tvb, offset-4, 4, mask);
4806 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4807 tvb, offset-4, 4, mask);
4808 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4809 tvb, offset-4, 4, mask);
4810 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4811 tvb, offset-4, 4, mask);
4812 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4813 tvb, offset-4, 4, mask);
4814 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4815 tvb, offset-4, 4, mask);
/*
 * Pointer callback that dissects one 32-bit value. The header field is
 * taken from di->hf_index rather than hard-coded; presumably that is the
 * hf_index the caller handed to dissect_ndr_pointer (see the
 * netrlogongettrustrid reply) - TODO confirm.
 */
4823 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4824 packet_info *pinfo, proto_tree *tree,
4829 di=pinfo->private_data;
4830 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4831 di->hf_index, NULL);
/*
 * Pointer callback that dissects one 8-bit value, using the header field
 * found in di->hf_index instead of a hard-coded one.
 */
4836 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4837 packet_info *pinfo, proto_tree *tree,
4842 di=pinfo->private_data;
4843 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4844 di->hf_index, NULL);
/* Element callback for the UNICODE_MULTI array: one byte, shown as
 * hf_netlogon_unknown_char. */
4849 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4850 packet_info *pinfo, proto_tree *tree,
4853 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4854 hf_netlogon_unknown_char, NULL);
/* Pointer callback for UNICODE_MULTI: hands the array to
 * dissect_ndr_ucarray with the per-byte callback above. */
4860 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4861 packet_info *pinfo, proto_tree *tree,
4864 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4865 netlogon_dissect_UNICODE_MULTI_byte);
/*
 * Dissects a UNICODE_MULTI structure under its own subtree: a 32-bit length
 * followed by a unique pointer to the byte array. The trusted-domain
 * enumeration reply uses it for trust_dom_name_list.
 * NOTE(review): the label string of the subtree item is not shown in this
 * listing.
 */
4871 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4872 packet_info *pinfo, proto_tree *parent_tree,
4875 proto_item *item=NULL;
4876 proto_tree *tree=NULL;
4877 int old_offset=offset;
4880 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4882 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4885 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4886 hf_netlogon_len, NULL);
4888 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4889 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4890 "unknown", hf_netlogon_unknown_string);
/* The item was created with length 0; now that the end is known, size it
 * to the bytes actually consumed. */
4892 proto_item_set_len(item, offset-old_offset);
/* Dissects a GUID as an NDR uuid_t, shown as hf_netlogon_guid. Also used
 * as a pointer callback by the DsrGetDcName request. */
4897 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4898 packet_info *pinfo, proto_tree *tree,
4901 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
/*
 * Dissects a DOMAIN_CONTROLLER_INFO structure under its own subtree, in
 * wire order: DC name, DC address, address type, GUID, logon domain, DNS
 * forest, DC flags, DC site and client site. All strings are unique
 * pointers, so any of them may be absent.
 */
4907 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4908 packet_info *pinfo, proto_tree *parent_tree,
4911 proto_item *item=NULL;
4912 proto_tree *tree=NULL;
4913 int old_offset=offset;
4916 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4917 "DOMAIN_CONTROLLER_INFO:");
4918 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4921 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4922 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
4924 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4925 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
4927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4928 hf_netlogon_dc_address_type, NULL);
4930 offset = dissect_nt_GUID(tvb, offset,
4933 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4934 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
4936 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4937 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
4939 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
4941 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4942 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
4944 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4945 NDR_POINTER_UNIQUE, "Client Site",
4946 hf_netlogon_client_site_name, 0);
/* Size the subtree item to the bytes actually consumed. */
4948 proto_item_set_len(item, offset-old_offset);
/*
 * Pointer callback for the BLOB payload: reads a 32-bit size from the
 * packet into len and adds that many bytes as hf_netlogon_blob. Does
 * nothing on the conformant run.
 */
4953 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4954 packet_info *pinfo, proto_tree *tree,
4960 di=pinfo->private_data;
4961 if(di->conformant_run){
4962 /*just a run to handle conformant arrays, nothing to dissect.*/
4966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4967 hf_netlogon_blob_size, &len);
/* len comes straight from the capture, so it is untrusted input.
 * NOTE(review): the end of this call and whatever advances offset past the
 * blob are missing from this listing; confirm that a hostile len can
 * neither wrap the signed int offset nor move it beyond the end of tvb. */
4969 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
/*
 * Dissects a BLOB structure under its own subtree: a 32-bit size followed
 * by a unique pointer whose target is handled by netlogon_dissect_BLOB_array.
 * The size read here is only displayed; BLOB_array reads its own length.
 * NOTE(review): the label strings and the end of the pointer call are not
 * shown in this listing.
 */
4977 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4978 packet_info *pinfo, proto_tree *parent_tree,
4981 proto_item *item=NULL;
4982 proto_tree *tree=NULL;
4985 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4987 tree = proto_item_add_subtree(item, ett_BLOB);
4990 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4991 hf_netlogon_blob_size, NULL);
4993 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4994 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
/*
 * Dissects a DOMAIN_TRUST_INFO structure under its own subtree: an LSA
 * POLICY_DNS_DOMAIN_INFO, then four counted strings and four 32-bit values
 * whose meaning the author did not know (all shown as "unknown" fields).
 */
5001 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
5002 packet_info *pinfo, proto_tree *parent_tree,
5005 proto_item *item=NULL;
5006 proto_tree *tree=NULL;
5007 int old_offset=offset;
5010 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5011 "DOMAIN_TRUST_INFO:");
5012 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
5016 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
5018 /* Guesses at best. */
5019 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5020 hf_netlogon_unknown_string, 0);
5022 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5023 hf_netlogon_unknown_string, 0);
5025 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5026 hf_netlogon_unknown_string, 0);
5028 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5029 hf_netlogon_unknown_string, 0);
5031 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5032 hf_netlogon_unknown_long, NULL);
5034 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5035 hf_netlogon_unknown_long, NULL);
5037 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5038 hf_netlogon_unknown_long, NULL);
5040 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5041 hf_netlogon_unknown_long, NULL);
/* Size the subtree item to the bytes actually consumed. */
5043 proto_item_set_len(item, offset-old_offset);
/* Pointer callback: hands an array of DOMAIN_TRUST_INFO elements to
 * dissect_ndr_ucarray. */
5048 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
5049 packet_info *pinfo, proto_tree *tree,
5052 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5053 netlogon_dissect_DOMAIN_TRUST_INFO);
/*
 * Dissects a level-1 domain query: a BLOB, the workstation FQDN and site
 * name, four unidentified string pointers, four counted strings (the
 * second is the workstation OS) and four unidentified 32-bit values.
 */
5059 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
5060 packet_info *pinfo, proto_tree *tree,
5063 offset = netlogon_dissect_BLOB(tvb, offset,
5066 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5067 NDR_POINTER_UNIQUE, "Workstation FQDN",
5068 hf_netlogon_workstation_fqdn, 0);
5070 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5071 NDR_POINTER_UNIQUE, "Workstation Site",
5072 hf_netlogon_workstation_site_name, 0);
5074 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5075 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5077 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5078 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5080 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5081 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5083 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5084 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
5086 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5087 hf_netlogon_unknown_string, 0);
5089 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5090 hf_netlogon_workstation_os, 0);
5092 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5093 hf_netlogon_unknown_string, 0);
5095 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5096 hf_netlogon_unknown_string, 0);
5098 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5099 hf_netlogon_unknown_long, NULL);
5101 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5102 hf_netlogon_unknown_long, NULL);
5104 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5105 hf_netlogon_unknown_long, NULL);
5107 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5108 hf_netlogon_unknown_long, NULL);
/*
 * Dissects a level-1 domain info reply: an inline DOMAIN_TRUST_INFO, two
 * (count, pointer-to-array) pairs of DOMAIN_TRUST_INFO, the DNS domain
 * name, three unidentified counted strings and four unidentified 32-bit
 * values. Each count is only displayed here; it is not passed on to the
 * array dissector.
 */
5114 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
5115 packet_info *pinfo, proto_tree *tree,
5118 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
5120 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5121 hf_netlogon_num_trusts, NULL);
5123 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5124 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5125 "DOMAIN_TRUST_ARRAY: Trusts", -1);
5127 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5128 hf_netlogon_num_trusts, NULL);
5130 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5131 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
5132 "DOMAIN_TRUST_ARRAY:", -1);
5134 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5135 hf_netlogon_dns_domain_name, 0);
5137 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5138 hf_netlogon_unknown_string, 0);
5140 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5141 hf_netlogon_unknown_string, 0);
5143 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
5144 hf_netlogon_unknown_string, 0);
5146 /* These four integers appear to mirror the last four in the query. */
5147 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5148 hf_netlogon_unknown_long, NULL);
5150 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5151 hf_netlogon_unknown_long, NULL);
5153 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5154 hf_netlogon_unknown_long, NULL);
5156 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5157 hf_netlogon_unknown_long, NULL);
/*
 * Dissects the DOMAIN_INFO union: reads the 32-bit level into level, then
 * follows a unique pointer to DOMAIN_INFO_1.
 * NOTE(review): the branching on level is not shown in this listing;
 * presumably the pointer is dissected only for level 1 - TODO confirm.
 */
5164 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
5165 packet_info *pinfo, proto_tree *tree,
5170 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5171 hf_netlogon_level, &level);
5176 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5177 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
5178 "DOMAIN_INFO_1:", -1);
/*
 * Dissects a UNICODE_STRING_512 structure under its own subtree. The
 * visible lines read a 16-bit and a 32-bit unidentified value.
 * NOTE(review): lines are missing around both reads in this listing, so how
 * often each read runs cannot be told from here.
 */
5186 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
5187 packet_info *pinfo, proto_tree *parent_tree,
5190 proto_item *item=NULL;
5191 proto_tree *tree=NULL;
5192 int old_offset=offset;
5196 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5197 "UNICODE_STRING_512:");
5198 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
5202 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5203 hf_netlogon_unknown_short, NULL);
5206 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5207 hf_netlogon_unknown_long, NULL);
/* Size the subtree item to the bytes actually consumed. */
5209 proto_item_set_len(item, offset-old_offset);
/* Element callback for the TYPE_50 byte array: one byte, shown as
 * hf_netlogon_unknown_char. */
5214 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
5215 packet_info *pinfo, proto_tree *tree,
5218 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5219 hf_netlogon_unknown_char, NULL);
/* Pointer callback for TYPE_50: hands the byte array to dissect_ndr_ucarray
 * with netlogon_dissect_element_844_byte as the element callback. */
5225 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
5226 packet_info *pinfo, proto_tree *tree,
5229 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5230 netlogon_dissect_element_844_byte);
/*
 * Dissects the unidentified TYPE_50 structure under its own subtree: a
 * 32-bit value followed by a unique pointer to a byte array.
 * NOTE(review): the label string of the subtree item is not shown in this
 * listing.
 */
5236 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
5237 packet_info *pinfo, proto_tree *parent_tree,
5240 proto_item *item=NULL;
5241 proto_tree *tree=NULL;
5242 int old_offset=offset;
5245 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5247 tree = proto_item_add_subtree(item, ett_TYPE_50);
5250 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5251 hf_netlogon_unknown_long, NULL);
5253 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5254 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
5255 "unknown", hf_netlogon_unknown_string);
/* Size the subtree item to the bytes actually consumed. */
5257 proto_item_set_len(item, offset-old_offset);
/* Dissects a unique pointer whose target is a TYPE_50 structure. */
5262 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
5263 packet_info *pinfo, proto_tree *tree,
5266 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5267 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
5268 "TYPE_50 pointer: unknown_TYPE_50", -1);
/*
 * Dissects one DS_DOMAIN_TRUSTS entry under its own subtree, in wire order:
 * NetBIOS name, DNS domain name, trust flags, parent index, trust type,
 * trust attributes, the domain SID and the domain GUID.
 * NOTE(review): parent index, type and attributes are all read into tmp,
 * which no visible line uses afterwards; its declaration is not shown.
 */
5274 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
5275 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5278 proto_item *item=NULL;
5279 proto_tree *tree=NULL;
5280 int old_offset=offset;
5283 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5284 "DS_DOMAIN_TRUSTS");
5285 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
5289 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5290 NDR_POINTER_UNIQUE, "NetBIOS Name",
5291 hf_netlogon_downlevel_domain_name, 0);
5294 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5295 NDR_POINTER_UNIQUE, "DNS Domain Name",
5296 hf_netlogon_dns_domain_name, 0);
5298 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5300 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5301 hf_netlogon_trust_parent_index, &tmp);
5303 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5304 hf_netlogon_trust_type, &tmp);
5306 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5307 hf_netlogon_trust_attribs, &tmp);
5310 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
5313 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
/* Size the subtree item to the bytes actually consumed. */
5315 proto_item_set_len(item, offset-old_offset);
/* Pointer callback: hands an array of DS_DOMAIN_TRUSTS entries to
 * dissect_ndr_ucarray. */
5320 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
5321 packet_info *pinfo, proto_tree *tree,
5324 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5325 netlogon_dissect_DS_DOMAIN_TRUSTS);
/* Element callback for the first TYPE_52 byte array: one byte, shown as
 * hf_netlogon_unknown_char. */
5331 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
5332 packet_info *pinfo, proto_tree *tree,
5335 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5336 hf_netlogon_unknown_char, NULL);
/* Pointer callback for TYPE_52: hands the first byte array to
 * dissect_ndr_ucarray with netlogon_dissect_element_865_byte. */
5342 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
5343 packet_info *pinfo, proto_tree *tree,
5346 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5347 netlogon_dissect_element_865_byte);
/* Element callback for the second TYPE_52 byte array: one byte, shown as
 * hf_netlogon_unknown_char. */
5353 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
5354 packet_info *pinfo, proto_tree *tree,
5357 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5358 hf_netlogon_unknown_char, NULL);
/* Pointer callback for TYPE_52: hands the second byte array to
 * dissect_ndr_ucarray with netlogon_dissect_element_866_byte. */
5364 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
5365 packet_info *pinfo, proto_tree *tree,
5368 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5369 netlogon_dissect_element_866_byte);
/*
 * Dissects the unidentified TYPE_52 structure under its own subtree: a
 * 32-bit value followed by two unique pointers to byte arrays.
 * NOTE(review): the label string of the subtree item is not shown in this
 * listing.
 */
5375 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
5376 packet_info *pinfo, proto_tree *parent_tree,
5379 proto_item *item=NULL;
5380 proto_tree *tree=NULL;
5381 int old_offset=offset;
5384 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5386 tree = proto_item_add_subtree(item, ett_TYPE_52);
5389 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5390 hf_netlogon_unknown_long, NULL);
5392 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5393 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
5394 "unknown", hf_netlogon_unknown_string);
5396 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5397 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
5398 "unknown", hf_netlogon_unknown_string);
/* Size the subtree item to the bytes actually consumed. */
5400 proto_item_set_len(item, offset-old_offset);
/* Dissects a unique pointer whose target is a TYPE_52 structure. */
5405 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
5406 packet_info *pinfo, proto_tree *tree,
5409 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5410 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5411 "TYPE_52 pointer: unknown_TYPE_52", -1);
/*
 * Dissects the unidentified TYPE_44 structure under its own subtree: a
 * 32-bit level read into level, then a 32-bit unidentified value.
 * NOTE(review): the lines between the two reads are missing from this
 * listing; presumably the second read depends on level - TODO confirm.
 */
5417 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5418 packet_info *pinfo, proto_tree *parent_tree,
5421 proto_item *item=NULL;
5422 proto_tree *tree=NULL;
5423 int old_offset=offset;
5427 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5429 tree = proto_item_add_subtree(item, ett_TYPE_44);
5432 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5433 hf_netlogon_level, &level);
5438 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5439 hf_netlogon_unknown_long, NULL);
/* Size the subtree item to the bytes actually consumed. */
5443 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects the DOMAIN_QUERY union: reads the 32-bit level into level, then
 * follows a unique pointer to DOMAIN_QUERY_1.
 * NOTE(review): the branching on level is not shown in this listing. The
 * two identical pointer calls below are presumably two separate arms that
 * share the DOMAIN_QUERY_1 layout - TODO confirm.
 */
5448 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5449 packet_info *pinfo, proto_tree *tree,
5454 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5455 hf_netlogon_level, &level);
5460 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5461 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5462 "DOMAIN_QUERY_1:", -1);
5465 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5466 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5467 "DOMAIN_QUERY_1:", -1);
/* Request side of the trusted-domain enumeration call: the only visible
 * argument is the logon server handle. */
5475 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5476 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5478 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply side of the trusted-domain enumeration call: a [ref] pointer to a
 * UNICODE_MULTI holding the trusted domain name list, then the NTSTATUS
 * return code.
 */
5486 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5487 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5489 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5490 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5491 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5493 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5494 hf_netlogon_rc, NULL);
/*
 * Request side of DsrGetDcName: server handle, domain name, optional domain
 * GUID, optional site GUID and a 32-bit flags word.
 * NOTE(review): the flags word is shown as a plain integer
 * (hf_netlogon_flags); netlogon_dissect_GET_DCNAME_REQUEST_FLAGS in this
 * file decodes the DS_* request bits - check whether it applies here.
 */
5500 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5501 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5503 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5506 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5507 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5509 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5510 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5511 "GUID pointer: domain_guid", -1);
5513 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5514 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5515 "GUID pointer: site_guid", -1);
5517 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5518 hf_netlogon_flags, NULL);
/* Reply side of DsrGetDcName: a unique pointer to DOMAIN_CONTROLLER_INFO,
 * then the NTSTATUS return code. */
5525 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5526 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5528 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5529 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5530 "DOMAIN_CONTROLLER_INFO:", -1);
5532 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5533 hf_netlogon_rc, NULL);
/*
 * Request side of NetrLogonDummyRoutine1: server handle, an unidentified
 * string, the client credential ([ref] AUTHENTICATOR), an optional return
 * authenticator and an unidentified 32-bit value.
 */
5539 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
5540 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5542 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5545 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5546 NDR_POINTER_UNIQUE, "unknown string",
5547 hf_netlogon_unknown_string, 0);
5549 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5550 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5551 "AUTHENTICATOR: credential", -1);
5553 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5554 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5555 "AUTHENTICATOR: return_authenticator", -1);
5557 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5558 hf_netlogon_unknown_long, NULL);
/*
 * Reply side of NetrLogonDummyRoutine1: an optional return authenticator,
 * an optional TYPE_44 structure and the NTSTATUS return code.
 */
5565 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
5566 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5568 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5569 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5570 "AUTHENTICATOR: return_authenticator", -1);
5572 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5573 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5574 "TYPE_44 pointer: unknown_TYPE_44", -1);
5576 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5577 hf_netlogon_rc, NULL);
/* Request side of NetrLogonSetServiceBits: server handle followed by two
 * 32-bit values, both shown as unidentified. */
5583 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
5584 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5586 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5589 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5590 hf_netlogon_unknown_long, NULL);
5592 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5593 hf_netlogon_unknown_long, NULL);
/* NetrLogonSetServiceBits reply: only the NTSTATUS return code. */
static int
netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrLogonGetTrustRid request: server handle and one string that is not
 * identified further ("unknown string").
 */
static int
netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	return offset;
}
/*
 * NetrLogonGetTrustRid reply: unique pointer to a 32-bit value (shown as
 * "unknown long"), then the NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long,
		NDR_POINTER_UNIQUE,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrLogonComputeServerDigest request: server handle, a 32-bit value, a
 * unique pointer to a byte array and a second 32-bit value.  None of the
 * three payload fields is identified beyond "unknown".
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array,
		NDR_POINTER_UNIQUE,
		"BYTE pointer: unknown_BYTE", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Dissect a run of single bytes, each added under hf_netlogon_unknown_char.
 * Used as the pointee callback for the 16-byte digests in the
 * NetrLogonCompute{Server,Client}Digest replies.
 *
 * NOTE(review): the loop header is restored from the function name and the
 * gap in the listing's own line numbering; confirm the count of 16 against
 * the upstream file.
 */
static int
netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	int i;

	for (i = 0; i < 16; i++) {
		offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
			hf_netlogon_unknown_char, NULL);
	}

	return offset;
}
/*
 * NetrLogonComputeServerDigest reply: unique pointer to the digest bytes
 * (dissected by netlogon_dissect_BYTE_16_array), then the NTSTATUS code.
 */
static int
netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_16_array,
		NDR_POINTER_UNIQUE,
		"BYTE pointer: unknown_BYTE", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrLogonComputeClientDigest request: server handle, an unidentified
 * string, a unique pointer to a byte array and a 32-bit value.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array,
		NDR_POINTER_UNIQUE,
		"BYTE pointer: unknown_BYTE", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * NetrLogonComputeClientDigest reply: unique pointer to the digest bytes
 * (dissected by netlogon_dissect_BYTE_16_array), then the NTSTATUS code.
 */
static int
netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_16_array,
		NDR_POINTER_UNIQUE,
		"BYTE pointer: unknown_BYTE", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrServerAuthenticate3 request: server handle, account name, secure
 * channel type, computer name, the client CREDENTIAL and the negotiate
 * flags.
 *
 * The negotiate flags are added as one 32-bit item (hf_netlogon_neg_flags);
 * no per-bit breakdown is produced here, so anyone reviewing which
 * secure-channel options a client asked for has to decode the word by hand.
 */
static int
netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF,
		"Acct Name", hf_netlogon_acct_name, 0);

	offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF,
		"Computer Name", hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CREDENTIAL,
		NDR_POINTER_REF,
		"CREDENTIAL: authenticator", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_neg_flags, NULL);

	return offset;
}
/*
 * NetrServerAuthenticate3 reply: the server CREDENTIAL, the negotiate flags
 * as returned by the server, a 32-bit value behind a ref pointer (not
 * identified here) and the NTSTATUS return code.
 *
 * Comparing this flags word with the one in the request shows what was
 * actually agreed; both are displayed as raw 32-bit values.
 */
static int
netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CREDENTIAL,
		NDR_POINTER_REF,
		"CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_neg_flags, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long,
		NDR_POINTER_REF,
		"ULONG: unknown_ULONG", hf_netlogon_unknown_long);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * DsrGetDcNameEx request: server handle, domain name, domain GUID, site
 * name and the request flags (decoded by
 * netlogon_dissect_GET_DCNAME_REQUEST_FLAGS).
 */
static int
netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"Domain", hf_netlogon_logon_dom, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID,
		NDR_POINTER_UNIQUE,
		"GUID pointer: domain_guid", -1);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"Site Name", hf_netlogon_site_name, 0);

	offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * DsrGetDcNameEx reply: unique pointer to DOMAIN_CONTROLLER_INFO, then the
 * NTSTATUS return code.
 */
static int
netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DOMAIN_CONTROLLER_INFO,
		NDR_POINTER_UNIQUE,
		"DOMAIN_CONTROLLER_INFO:", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/* DsrGetSiteName request: the server handle is the only argument. */
static int
netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * DsrGetSiteName reply: the site name as a wide-character string behind a
 * pointer, then the NTSTATUS return code.  The string is handed to
 * cb_wstr_postprocess with CB_STR_COL_INFO | 1 as its callback argument.
 */
static int
netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	/* XXX the wire layout does not really look like a UNIQUE pointer;
	   it is probably a 32-bit integer followed by a REF pointer to a
	   unicode string.  Treated as UNIQUE for now. */
	offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
		dissect_ndr_wchar_cvstring,
		NDR_POINTER_UNIQUE,
		"Site Name", hf_netlogon_site_name,
		cb_wstr_postprocess,
		GINT_TO_POINTER(CB_STR_COL_INFO | 1));

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrLogonGetDomainInfo request: server handle (a REF string here, shown
 * under the computer-name field), computer name, the caller's
 * authenticator, a 32-bit value, the return authenticator and the
 * DOMAIN_QUERY structure.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	/* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF,
		"Server Handle", hf_netlogon_computer_name, 0);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"Computer Name", hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DOMAIN_QUERY,
		NDR_POINTER_REF,
		"DOMAIN_QUERY: ", -1);

	return offset;
}
/*
 * NetrLogonGetDomainInfo reply: return authenticator, the DOMAIN_INFO
 * structure and the NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DOMAIN_INFO,
		NDR_POINTER_REF,
		"DOMAIN_INFO: ", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrServerPasswordSet2 request: server handle, a string, a 16-bit value,
 * a second string, the caller's authenticator and a UNICODE_STRING_512
 * block.
 *
 * NOTE(review): the trailing UNICODE_STRING_512 is presumably the new
 * password buffer; captures of this call should be handled as sensitive
 * until that is confirmed.
 */
static int
netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_short, NULL);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1);

	offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * NetrServerPasswordSet2 reply: return authenticator, then the NTSTATUS
 * return code.
 */
static int
netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_UNIQUE,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrServerPasswordGet request: server handle, account name, secure
 * channel type, computer name and the caller's authenticator.
 */
static int
netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"Acct Name", hf_netlogon_acct_name, 0);

	offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"Computer Name", hf_netlogon_computer_name, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1);

	return offset;
}
/*
 * NetrServerPasswordGet reply: return authenticator, an LM_OWF_PASSWORD
 * labelled server_pwd, and the NTSTATUS return code.
 *
 * The server_pwd field is password-derived material, so a capture holding
 * this reply deserves the same handling as any other credential store.
 * NOTE(review): whether the value is wrapped with the session key on the
 * wire is not visible from this function.
 */
static int
netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_LM_OWF_PASSWORD,
		NDR_POINTER_REF,
		"LM_OWF_PASSWORD pointer: server_pwd", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrLogonSendToSam request: server handle, an unidentified string, the
 * caller's authenticator, a unique pointer to a byte array and a 32-bit
 * value.
 */
static int
netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array,
		NDR_POINTER_UNIQUE,
		"BYTE pointer: unknown_BYTE", -1);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * NetrLogonSendToSam reply: return authenticator, then the NTSTATUS
 * return code.
 */
static int
netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR,
		NDR_POINTER_UNIQUE,
		"AUTHENTICATOR: return_authenticator", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * DsrAddressToSiteNamesW request: server handle, a 32-bit value and a
 * unique pointer to a byte array; neither payload field is decoded beyond
 * "unknown".
 */
static int
netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array,
		NDR_POINTER_UNIQUE,
		"BYTE pointer: unknown_BYTE", -1);

	return offset;
}
/*
 * DsrAddressToSiteNamesW reply: unique pointer handled by
 * netlogon_dissect_TYPE_50_ptr, then the NTSTATUS return code.
 */
static int
netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_50_ptr,
		NDR_POINTER_UNIQUE,
		"TYPE_50** pointer: unknown_TYPE_50", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
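/*
 * DsrGetDcNameEx2 request: server handle, client account name, a 32-bit
 * value, domain name, domain GUID, client site name and a final 32-bit
 * value.
 *
 * The domain-name string was previously labelled "Client Account", a copy
 * of the label two fields earlier, although it is stored in
 * hf_netlogon_logon_dom.  It is now labelled "Domain", matching the
 * DsrGetDcNameEx request dissector in this file; the header field and the
 * wire decoding are unchanged.
 *
 * NOTE(review): the trailing uint32 is presumably the same flags word that
 * DsrGetDcNameEx decodes with netlogon_dissect_GET_DCNAME_REQUEST_FLAGS;
 * left as a raw value here until that is confirmed.
 */
static int
netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Client Account",
		hf_netlogon_acct_name, 0);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	/* Label fixed: this string is the domain, not a second account. */
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Domain",
		hf_netlogon_logon_dom, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID, NDR_POINTER_UNIQUE,
		"Domain GUID:", -1);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE, "Client Site",
		hf_netlogon_site_name, 0);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}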
/*
 * DsrGetDcNameEx2 reply: unique pointer to DOMAIN_CONTROLLER_INFO, then the
 * NTSTATUS return code.
 */
static int
netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DOMAIN_CONTROLLER_INFO,
		NDR_POINTER_UNIQUE,
		"DOMAIN_CONTROLLER_INFO:", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrLogonGetTimeServiceParentDomain request: the server handle is the
 * only argument.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * NetrLogonGetTimeServiceParentDomain reply: a string, a unique pointer to
 * a 32-bit value (both shown as "unknown") and the NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long,
		NDR_POINTER_UNIQUE,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * NetrEnumerateTrustedDomainsEx request: the server handle is the only
 * argument.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * NetrEnumerateTrustedDomainsEx reply: entry count, unique pointer to the
 * DS_DOMAIN_TRUSTS array, then the NTSTATUS return code.
 */
static int
netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_entries, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
		NDR_POINTER_UNIQUE,
		"DS_DOMAIN_TRUSTS_ARRAY:", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * DsrAddressToSiteNamesExW request: server handle, a 32-bit value and a
 * unique pointer to a byte array.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array,
		NDR_POINTER_UNIQUE,
		"BYTE pointer: unknown_BYTE", -1);

	return offset;
}
/*
 * DsrAddressToSiteNamesExW reply: unique pointer handled by
 * netlogon_dissect_TYPE_52_ptr, then the NTSTATUS return code.
 */
static int
netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_52_ptr,
		NDR_POINTER_UNIQUE,
		"TYPE_52 pointer: unknown_TYPE_52", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * One element of the site-name array: a counted string stored in
 * hf_netlogon_site_name and passed to cb_wstr_postprocess with
 * CB_STR_COL_INFO | 1 as the callback argument.
 */
static int
netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_counted_string_cb(tvb, offset, pinfo, tree, drep,
		hf_netlogon_site_name,
		cb_wstr_postprocess,
		GINT_TO_POINTER(CB_STR_COL_INFO | 1));

	return offset;
}
/*
 * Array of site names: dissect_ndr_ucarray is given
 * netlogon_dissect_site_name_item as the per-element dissector.
 */
static int
netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_site_name_item);

	return offset;
}
/*
 * Site-names container: a 32-bit count followed by a unique pointer to the
 * array dissected by netlogon_dissect_site_name_array.  The count is only
 * displayed here; it is not used to bound the array walk in this function.
 */
static int
netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_count, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_site_name_array,
		NDR_POINTER_UNIQUE,
		"Site name array", -1);

	return offset;
}
/* DsrGetDcSiteCoverageW request: the server handle is the only argument. */
static int
netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * DsrGetDcSiteCoverageW reply: a unique pointer dissected by
 * netlogon_dissect_site_names, then the NTSTATUS return code.
 *
 * NOTE(review): this listing's own numbering jumps from 6233 to 6236, so
 * the last argument line of the dissect_ndr_pointer() call (the tree label
 * and its trailing argument) is not shown, and neither are the return type,
 * braces and return statement.  Take them from the upstream file rather
 * than guessing the label text.
 */
6229 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
6230 packet_info *pinfo, proto_tree *tree, guint8 *drep)
/* Pointer to the site-names container (count + array of counted strings). */
6232 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6233 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
/* Status of the call, shown under hf_netlogon_rc. */
6236 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6237 hf_netlogon_rc, NULL);
/*
 * NetrLogonSamLogonEx request: two strings, a 16-bit value, the logon LEVEL
 * structure, a second 16-bit value and a unique pointer to a 32-bit value.
 * Unlike most requests in this file it does not begin with
 * netlogon_dissect_LOGONSRV_HANDLE and carries no authenticator.
 */
static int
netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_short, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_LEVEL,
		NDR_POINTER_UNIQUE,
		"LEVEL pointer: unknown_NETLOGON_LEVEL", -1);

	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_short, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long,
		NDR_POINTER_UNIQUE,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

	return offset;
}
/*
 * NetrLogonSamLogonEx reply: the VALIDATION structure, a pointer to a
 * single byte labelled BOOLEAN, a pointer to a 32-bit value and the
 * NTSTATUS return code.
 */
static int
netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_VALIDATION,
		NDR_POINTER_UNIQUE,
		"VALIDATION: unknown_NETLOGON_VALIDATION", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_char,
		NDR_POINTER_UNIQUE,
		"BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long,
		NDR_POINTER_UNIQUE,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * DsrEnumerateDomainTrusts request: server handle followed by the trust
 * flags (decoded by netlogon_dissect_DOMAIN_TRUST_FLAGS).
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * DsrEnumerateDomainTrusts reply: entry count, unique pointer to the
 * DS_DOMAIN_TRUSTS array, then the NTSTATUS return code.
 */
static int
netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_entries, NULL);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY,
		NDR_POINTER_UNIQUE,
		"DS_DOMAIN_TRUSTS_ARRAY:", -1);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * DsrDeregisterDnsHostRecords request: server handle, domain name, domain
 * GUID, DSA GUID and the DNS host name (the only REF pointer of the set).
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_UNIQUE,
		"Domain", hf_netlogon_logon_dom, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID,
		NDR_POINTER_UNIQUE,
		"GUID pointer: domain_guid", -1);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID,
		NDR_POINTER_UNIQUE,
		"GUID pointer: dsa_guid", -1);

	offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF,
		"dns_host", hf_netlogon_dns_host, 0);

	return offset;
}
/* DsrDeregisterDnsHostRecords reply: only the NTSTATUS return code. */
static int
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, guint8 *drep)
{
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/* Dissect secure channel stuff */

/*
 * Header-field indices for the secure channel bind and bind-ack
 * credentials.  All start at -1 in this file.
 */
static int hf_netlogon_secchan_bind_unknown1 = -1;
static int hf_netlogon_secchan_bind_unknown2 = -1;
static int hf_netlogon_secchan_domain = -1;
static int hf_netlogon_secchan_host = -1;
static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
static int hf_netlogon_secchan_bind_ack_unknown3 = -1;

/* Subtree indices for the verifier and the two credential blobs. */
static gint ett_secchan_verf = -1;
static gint ett_secchan_bind_creds = -1;
static gint ett_secchan_bind_ack_creds = -1;
/*
 * Dissect the credentials carried in a secure channel bind request: two
 * 32-bit values of unknown meaning followed by two NUL-terminated strings
 * (domain, then host).  Returns the offset past the host string.
 *
 * Both string lengths come from tvb_strsize(), i.e. from scanning the
 * captured bytes for the terminator, not from a length field supplied by
 * the peer.
 *
 * NOTE(review): the pinfo parameter, the len local, the if (tree) guard and
 * the two offset advances are restored from gaps in the listing's own line
 * numbering; confirm against the upstream file.
 */
static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
				      packet_info *pinfo,
				      proto_tree *tree, guint8 *drep)
{
	proto_tree *subtree = NULL;
	proto_item *item = NULL;
	int len;

	if (tree) {
		item = proto_tree_add_text(tree, tvb, offset, -1,
			"Secure Channel Bind Credentials");
		subtree = proto_item_add_subtree(item,
			ett_secchan_bind_creds);
	}

	/* We can't use the NDR routines as the DCERPC call data hasn't
	   been initialised since we haven't made a DCERPC call yet, just
	   a bind request. */

	offset = dissect_dcerpc_uint32(tvb, offset, pinfo, subtree, drep,
		hf_netlogon_secchan_bind_unknown1, NULL);

	offset = dissect_dcerpc_uint32(tvb, offset, pinfo, subtree, drep,
		hf_netlogon_secchan_bind_unknown2, NULL);

	/* Domain name, terminator included in the highlighted range. */
	len = tvb_strsize(tvb, offset);
	proto_tree_add_item(subtree, hf_netlogon_secchan_domain,
		tvb, offset, len, FALSE);
	offset += len;

	/* Host name, same encoding. */
	len = tvb_strsize(tvb, offset);
	proto_tree_add_item(subtree, hf_netlogon_secchan_host,
		tvb, offset, len, FALSE);
	offset += len;

	return offset;
}
/*
 * Dissect the credentials carried in a secure channel bind ACK: three
 * 32-bit values whose meaning is not identified.  Returns the offset past
 * the third value.
 *
 * NOTE(review): the pinfo parameter and the if (tree) guard are restored
 * from gaps in the listing's own line numbering; confirm against the
 * upstream file.
 */
static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
					  packet_info *pinfo,
					  proto_tree *tree, guint8 *drep)
{
	proto_tree *subtree = NULL;
	proto_item *item = NULL;

	if (tree) {
		item = proto_tree_add_text(tree, tvb, offset, -1,
			"Secure Channel Bind ACK Credentials");
		subtree = proto_item_add_subtree(item,
			ett_secchan_bind_ack_creds);
	}

	/* Don't use NDR routines here */

	offset = dissect_dcerpc_uint32(tvb, offset, pinfo, subtree, drep,
		hf_netlogon_secchan_bind_ack_unknown1, NULL);

	offset = dissect_dcerpc_uint32(tvb, offset, pinfo, subtree, drep,
		hf_netlogon_secchan_bind_ack_unknown2, NULL);

	offset = dissect_dcerpc_uint32(tvb, offset, pinfo, subtree, drep,
		hf_netlogon_secchan_bind_ack_unknown3, NULL);

	return offset;
}
/*
 * Operation table for the NETLOGON interface: opnum constant, display name,
 * request dissector, reply dissector.  The all-zero entry ends the table.
 *
 * The last five operations are named but have no dissectors, so their stub
 * data is left undecoded.
 *
 * NOTE(review): the NULL handler pairs of those five entries and the
 * closing brace are restored from the four-field terminator entry and the
 * gaps in the listing's own line numbering; confirm against the upstream
 * file.
 */
static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
	{ NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
	  netlogon_dissect_netrlogonuaslogon_rqst,
	  netlogon_dissect_netrlogonuaslogon_reply },
	{ NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
	  netlogon_dissect_netrlogonuaslogoff_rqst,
	  netlogon_dissect_netrlogonuaslogoff_reply },
	{ NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
	  netlogon_dissect_netrlogonsamlogon_rqst,
	  netlogon_dissect_netrlogonsamlogon_reply },
	{ NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
	  netlogon_dissect_netrlogonsamlogoff_rqst,
	  netlogon_dissect_netrlogonsamlogoff_reply },
	{ NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
	  netlogon_dissect_netrserverreqchallenge_rqst,
	  netlogon_dissect_netrserverreqchallenge_reply },
	{ NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
	  netlogon_dissect_netrserverauthenticate_rqst,
	  netlogon_dissect_netrserverauthenticate_reply },
	{ NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
	  netlogon_dissect_netrserverpasswordset_rqst,
	  netlogon_dissect_netrserverpasswordset_reply },
	{ NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
	  netlogon_dissect_netrdatabasedeltas_rqst,
	  netlogon_dissect_netrdatabasedeltas_reply },
	{ NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
	  netlogon_dissect_netrdatabasesync_rqst,
	  netlogon_dissect_netrdatabasesync_reply },
	{ NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
	  netlogon_dissect_netraccountdeltas_rqst,
	  netlogon_dissect_netraccountdeltas_reply },
	{ NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
	  netlogon_dissect_netraccountsync_rqst,
	  netlogon_dissect_netraccountsync_reply },
	{ NETLOGON_NETRGETDCNAME, "NetrGetDCName",
	  netlogon_dissect_netrgetdcname_rqst,
	  netlogon_dissect_netrgetdcname_reply },
	{ NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
	  netlogon_dissect_netrlogoncontrol_rqst,
	  netlogon_dissect_netrlogoncontrol_reply },
	{ NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
	  netlogon_dissect_netrgetanydcname_rqst,
	  netlogon_dissect_netrgetanydcname_reply },
	{ NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
	  netlogon_dissect_netrlogoncontrol2_rqst,
	  netlogon_dissect_netrlogoncontrol2_reply },
	{ NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
	  netlogon_dissect_netrserverauthenticate2_rqst,
	  netlogon_dissect_netrserverauthenticate2_reply },
	{ NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
	  netlogon_dissect_netrdatabasesync2_rqst,
	  netlogon_dissect_netrdatabasesync2_reply },
	{ NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
	  netlogon_dissect_netrdatabaseredo_rqst,
	  netlogon_dissect_netrdatabaseredo_reply },
	{ NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
	  netlogon_dissect_netrlogoncontrol2ex_rqst,
	  netlogon_dissect_netrlogoncontrol2ex_reply },
	{ NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
	  netlogon_dissect_netrenumeratetrusteddomains_rqst,
	  netlogon_dissect_netrenumeratetrusteddomains_reply },
	{ NETLOGON_DSRGETDCNAME, "DsrGetDcName",
	  netlogon_dissect_dsrgetdcname_rqst,
	  netlogon_dissect_dsrgetdcname_reply },
	{ NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
	  netlogon_dissect_netrlogondummyroutine1_rqst,
	  netlogon_dissect_netrlogondummyroutine1_reply },
	{ NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
	  netlogon_dissect_netrlogonsetservicebits_rqst,
	  netlogon_dissect_netrlogonsetservicebits_reply },
	{ NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
	  netlogon_dissect_netrlogongettrustrid_rqst,
	  netlogon_dissect_netrlogongettrustrid_reply },
	{ NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
	  netlogon_dissect_netrlogoncomputeserverdigest_rqst,
	  netlogon_dissect_netrlogoncomputeserverdigest_reply },
	{ NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
	  netlogon_dissect_netrlogoncomputeclientdigest_rqst,
	  netlogon_dissect_netrlogoncomputeclientdigest_reply },
	{ NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
	  netlogon_dissect_netrserverauthenticate3_rqst,
	  netlogon_dissect_netrserverauthenticate3_reply },
	{ NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
	  netlogon_dissect_dsrgetdcnameex_rqst,
	  netlogon_dissect_dsrgetdcnameex_reply },
	{ NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
	  netlogon_dissect_dsrgetsitename_rqst,
	  netlogon_dissect_dsrgetsitename_reply },
	{ NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
	  netlogon_dissect_netrlogongetdomaininfo_rqst,
	  netlogon_dissect_netrlogongetdomaininfo_reply },
	{ NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
	  netlogon_dissect_netrserverpasswordset2_rqst,
	  netlogon_dissect_netrserverpasswordset2_reply },
	{ NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
	  netlogon_dissect_netrserverpasswordget_rqst,
	  netlogon_dissect_netrserverpasswordget_reply },
	{ NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
	  netlogon_dissect_netrlogonsendtosam_rqst,
	  netlogon_dissect_netrlogonsendtosam_reply },
	{ NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
	  netlogon_dissect_dsraddresstositenamesw_rqst,
	  netlogon_dissect_dsraddresstositenamesw_reply },
	{ NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
	  netlogon_dissect_dsrgetdcnameex2_rqst,
	  netlogon_dissect_dsrgetdcnameex2_reply },
	{ NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
	  "NetrLogonGetTimeServiceParentDomain",
	  netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
	  netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
	{ NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
	  netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
	  netlogon_dissect_netrenumeratetrusteddomainsex_reply },
	{ NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
	  netlogon_dissect_dsraddresstositenamesexw_rqst,
	  netlogon_dissect_dsraddresstositenamesexw_reply },
	{ NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
	  netlogon_dissect_dsrgetdcsitecoveragew_rqst,
	  netlogon_dissect_dsrgetdcsitecoveragew_reply },
	{ NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
	  netlogon_dissect_netrlogonsamlogonex_rqst,
	  netlogon_dissect_netrlogonsamlogonex_reply },
	{ NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
	  netlogon_dissect_dsrenumeratedomaintrusts_rqst,
	  netlogon_dissect_dsrenumeratedomaintrusts_reply },
	{ NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
	  netlogon_dissect_dsrderegisterdnshostrecords_rqst,
	  netlogon_dissect_dsrderegisterdnshostrecords_reply },

	/* Named only: no request/reply dissector yet. */
	{ NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
	  NULL, NULL },
	{ NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
	  NULL, NULL },
	{ NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
	  NULL, NULL },
	{ NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
	  NULL, NULL },
	{ NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
	  NULL, NULL },

	{0, NULL, NULL, NULL }
};
/*
 * Header-field indices for the secure channel verifier and its four
 * components (signature, unknown, sequence, nonce).  All start at -1 in
 * this file.
 */
static int hf_netlogon_secchan_verf = -1;
static int hf_netlogon_secchan_verf_sig = -1;
static int hf_netlogon_secchan_verf_unk = -1;
static int hf_netlogon_secchan_verf_seq = -1;
static int hf_netlogon_secchan_verf_nonce = -1;
/*
 * Dissect the secure channel verifier appended to a protected PDU.  A
 * subtree is created and split into signature, an unidentified field, the
 * sequence number and, when the bytes are present, a nonce.  Returns the
 * offset past the last component that was dissected.
 *
 * The nonce is guarded with tvb_bytes_exist(), so a verifier that stops
 * after the sequence number is accepted rather than reported as truncated.
 *
 * NOTE(review): the return type, the 8-byte widths of the first three
 * components and the offset advances are restored from gaps in the
 * listing's own line numbering, using the visible nonce call as the model;
 * confirm against the upstream file.
 */
static int
dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
		     proto_tree *tree, guint8 *drep _U_)
{
	proto_tree *subtree = NULL;
	proto_item *vf = NULL;

	/*
	 * Create a new tree, and split into 4 components ...
	 */
	vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
		offset, -1, FALSE);
	subtree = proto_item_add_subtree(vf, ett_secchan_verf);

	proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sig, tvb,
		offset, 8, FALSE);
	offset += 8;

	proto_tree_add_item(subtree, hf_netlogon_secchan_verf_unk, tvb,
		offset, 8, FALSE);
	offset += 8;

	proto_tree_add_item(subtree, hf_netlogon_secchan_verf_seq, tvb,
		offset, 8, FALSE);
	offset += 8;

	/* In some cases the nonce isn't present although it isn't clear
	   why this is so. */
	if (tvb_bytes_exist(tvb, offset, 8)) {
		proto_tree_add_item(subtree, hf_netlogon_secchan_verf_nonce,
			tvb, offset, 8, FALSE);
		offset += 8;
	}

	return offset;
}
6637 /* Secure channel types */
/* Display names for the SEC_CHAN_* secure channel type codes. The
 * hf_netlogon_secure_channel_type field ("netlogon.sec_chan_type") refers to
 * this table through VALS(sec_chan_type_vals). A value with no entry here has
 * no name in this table. NOTE(review): the closing entry of the table is not
 * visible in this listing; confirm it against the full file. */
6639 static const value_string sec_chan_type_vals[] = {
6640 { SEC_CHAN_WKSTA, "Workstation" },
6641 { SEC_CHAN_DOMAIN, "Domain trust" },
6642 { SEC_CHAN_BDC, "Backup domain controller" },
6647 proto_register_dcerpc_netlogon(void)
6650 static hf_register_info hf[] = {
6651 { &hf_netlogon_opnum,
6652 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6653 NULL, 0x0, "Operation", HFILL }},
6655 { &hf_netlogon_rc, {
6656 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6657 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6659 { &hf_netlogon_param_ctrl, {
6660 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6661 NULL, 0x0, "Param ctrl", HFILL }},
6663 { &hf_netlogon_logon_id, {
6664 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6665 NULL, 0x0, "Logon ID", HFILL }},
6667 { &hf_netlogon_modify_count, {
6668 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6669 NULL, 0x0, "How many times the object has been modified", HFILL }},
6671 { &hf_netlogon_security_information, {
6672 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6673 NULL, 0x0, "Security Information", HFILL }},
6675 { &hf_netlogon_count, {
6676 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6677 NULL, 0x0, "", HFILL }},
6679 { &hf_netlogon_entries, {
6680 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6681 NULL, 0x0, "", HFILL }},
6683 { &hf_netlogon_credential, {
6684 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6685 NULL, 0x0, "Netlogon Credential", HFILL }},
6687 { &hf_netlogon_challenge, {
6688 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6689 NULL, 0x0, "Netlogon challenge", HFILL }},
6691 { &hf_netlogon_lm_owf_password, {
6692 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6693 NULL, 0x0, "LanManager OWF Password", HFILL }},
6695 { &hf_netlogon_user_session_key, {
6696 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6697 NULL, 0x0, "User Session Key", HFILL }},
6699 { &hf_netlogon_encrypted_lm_owf_password, {
6700 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6701 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6703 { &hf_netlogon_nt_owf_password, {
6704 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6705 NULL, 0x0, "NT OWF Password", HFILL }},
6707 { &hf_netlogon_blob, {
6708 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6709 NULL, 0x0, "BLOB", HFILL }},
6711 { &hf_netlogon_len, {
6712 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6713 NULL, 0, "Length", HFILL }},
6715 { &hf_netlogon_priv, {
6716 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6717 NULL, 0, "", HFILL }},
6719 { &hf_netlogon_privilege_entries, {
6720 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6721 NULL, 0, "", HFILL }},
6723 { &hf_netlogon_privilege_control, {
6724 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6725 NULL, 0, "", HFILL }},
6727 { &hf_netlogon_privilege_name, {
6728 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6729 NULL, 0, "", HFILL }},
6731 { &hf_netlogon_pdc_connection_status, {
6732 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6733 NULL, 0, "PDC Connection Status", HFILL }},
6735 { &hf_netlogon_tc_connection_status, {
6736 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6737 NULL, 0, "TC Connection Status", HFILL }},
6739 { &hf_netlogon_attrs, {
6740 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6741 NULL, 0, "Attributes", HFILL }},
6743 { &hf_netlogon_unknown_string,
6744 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6745 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6746 { &hf_netlogon_unknown_long,
6747 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6748 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6749 { &hf_netlogon_reserved,
6750 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6751 NULL, 0x0, "Reserved", HFILL }},
6752 { &hf_netlogon_unknown_short,
6753 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6754 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6756 { &hf_netlogon_unknown_char,
6757 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6758 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6760 { &hf_netlogon_acct_expiry_time,
6761 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6762 NULL, 0x0, "When this account will expire", HFILL }},
6764 { &hf_netlogon_nt_pwd_present,
6765 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6766 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6768 { &hf_netlogon_lm_pwd_present,
6769 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6770 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6772 { &hf_netlogon_pwd_expired,
6773 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6774 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6776 { &hf_netlogon_authoritative,
6777 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6778 NULL, 0x0, "", HFILL }},
6780 { &hf_netlogon_sensitive_data_flag,
6781 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6782 NULL, 0x0, "Sensitive data flag", HFILL }},
6784 { &hf_netlogon_auditing_mode,
6785 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6786 NULL, 0x0, "Auditing Mode", HFILL }},
6788 { &hf_netlogon_max_audit_event_count,
6789 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6790 NULL, 0x0, "Max audit event count", HFILL }},
6792 { &hf_netlogon_event_audit_option,
6793 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6794 NULL, 0x0, "Event audit option", HFILL }},
6796 { &hf_netlogon_sensitive_data_len,
6797 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6798 NULL, 0x0, "Length of sensitive data", HFILL }},
6800 { &hf_netlogon_nt_chal_resp,
6801 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6802 NULL, 0, "Challenge response for NT authentication", HFILL }},
6804 { &hf_netlogon_lm_chal_resp,
6805 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6806 NULL, 0, "Challenge response for LM authentication", HFILL }},
6808 { &hf_netlogon_cipher_len,
6809 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6810 NULL, 0, "", HFILL }},
6812 { &hf_netlogon_cipher_maxlen,
6813 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6814 NULL, 0, "", HFILL }},
6816 { &hf_netlogon_pac_data,
6817 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6818 NULL, 0, "Pac Data", HFILL }},
6820 { &hf_netlogon_sensitive_data,
6821 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6822 NULL, 0, "Sensitive Data", HFILL }},
6824 { &hf_netlogon_auth_data,
6825 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6826 NULL, 0, "Auth Data", HFILL }},
6828 { &hf_netlogon_cipher_current_data,
6829 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6830 NULL, 0, "", HFILL }},
6832 { &hf_netlogon_cipher_old_data,
6833 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6834 NULL, 0, "", HFILL }},
6836 { &hf_netlogon_acct_name,
6837 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6838 NULL, 0, "Account Name", HFILL }},
6840 { &hf_netlogon_acct_desc,
6841 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6842 NULL, 0, "Account Description", HFILL }},
6844 { &hf_netlogon_group_desc,
6845 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6846 NULL, 0, "Group Description", HFILL }},
6848 { &hf_netlogon_full_name,
6849 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6850 NULL, 0, "Full Name", HFILL }},
6852 { &hf_netlogon_comment,
6853 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6854 NULL, 0, "Comment", HFILL }},
6856 { &hf_netlogon_parameters,
6857 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6858 NULL, 0, "Parameters", HFILL }},
6860 { &hf_netlogon_logon_script,
6861 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6862 NULL, 0, "Logon Script", HFILL }},
6864 { &hf_netlogon_profile_path,
6865 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6866 NULL, 0, "Profile Path", HFILL }},
6868 { &hf_netlogon_home_dir,
6869 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6870 NULL, 0, "Home Directory", HFILL }},
6872 { &hf_netlogon_dir_drive,
6873 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6874 NULL, 0, "Drive letter for home directory", HFILL }},
6876 { &hf_netlogon_logon_srv,
6877 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6878 NULL, 0, "Server", HFILL }},
6880 { &hf_netlogon_principal,
6881 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6882 NULL, 0, "Principal", HFILL }},
6884 { &hf_netlogon_logon_dom,
6885 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6886 NULL, 0, "Domain", HFILL }},
6888 { &hf_netlogon_resourcegroupcount,
6889 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
6890 NULL, 0, "Number of Resource Groups", HFILL }},
6892 { &hf_netlogon_computer_name,
6893 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6894 NULL, 0, "Computer Name", HFILL }},
6896 { &hf_netlogon_site_name,
6897 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6898 NULL, 0, "Site Name", HFILL }},
6900 { &hf_netlogon_dc_name,
6901 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6902 NULL, 0, "DC Name", HFILL }},
6904 { &hf_netlogon_dc_site_name,
6905 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6906 NULL, 0, "DC Site Name", HFILL }},
6908 { &hf_netlogon_dns_forest_name,
6909 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6910 NULL, 0, "DNS Forest Name", HFILL }},
6912 { &hf_netlogon_dc_address,
6913 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6914 NULL, 0, "DC Address", HFILL }},
6916 { &hf_netlogon_dc_address_type,
6917 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6918 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6920 { &hf_netlogon_client_site_name,
6921 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6922 NULL, 0, "Client Site Name", HFILL }},
6924 { &hf_netlogon_workstation_site_name,
6925 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6926 NULL, 0, "Workstation Site Name", HFILL }},
6928 { &hf_netlogon_workstation,
6929 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6930 NULL, 0, "Workstation Name", HFILL }},
6932 { &hf_netlogon_workstation_os,
6933 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6934 NULL, 0, "Workstation OS", HFILL }},
6936 { &hf_netlogon_workstations,
6937 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6938 NULL, 0, "Workstations", HFILL }},
6940 { &hf_netlogon_workstation_fqdn,
6941 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6942 NULL, 0, "Workstation FQDN", HFILL }},
6944 { &hf_netlogon_group_name,
6945 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6946 NULL, 0, "Group Name", HFILL }},
6948 { &hf_netlogon_alias_name,
6949 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6950 NULL, 0, "Alias Name", HFILL }},
6952 { &hf_netlogon_dns_host,
6953 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6954 NULL, 0, "DNS Host", HFILL }},
6956 { &hf_netlogon_downlevel_domain_name,
6957 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6958 NULL, 0, "Downlevel Domain Name", HFILL }},
6960 { &hf_netlogon_dns_domain_name,
6961 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6962 NULL, 0, "DNS Domain Name", HFILL }},
6964 { &hf_netlogon_domain_name,
6965 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6966 NULL, 0, "Domain Name", HFILL }},
6968 { &hf_netlogon_oem_info,
6969 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6970 NULL, 0, "OEM Info", HFILL }},
6972 { &hf_netlogon_trusted_dc_name,
6973 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6974 NULL, 0, "Trusted DC", HFILL }},
6976 { &hf_netlogon_logonsrv_handle,
6977 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6978 NULL, 0, "Logon Srv Handle", HFILL }},
6980 { &hf_netlogon_dummy,
6981 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6982 NULL, 0, "Dummy string", HFILL }},
6984 { &hf_netlogon_logon_count16,
6985 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6986 NULL, 0x0, "Number of successful logins", HFILL }},
6988 { &hf_netlogon_logon_count,
6989 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6990 NULL, 0x0, "Number of successful logins", HFILL }},
6992 { &hf_netlogon_bad_pw_count16,
6993 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6994 NULL, 0x0, "Number of failed logins", HFILL }},
6996 { &hf_netlogon_bad_pw_count,
6997 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6998 NULL, 0x0, "Number of failed logins", HFILL }},
7000 { &hf_netlogon_country,
7001 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
7002 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
7004 { &hf_netlogon_codepage,
7005 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
7006 NULL, 0x0, "Codepage setting for this account", HFILL }},
7008 { &hf_netlogon_level16,
7009 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
7010 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7012 { &hf_netlogon_validation_level,
7013 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
7014 NULL, 0x0, "Requested level of validation", HFILL }},
7016 { &hf_netlogon_minpasswdlen,
7017 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
7018 NULL, 0x0, "Minimum length of password", HFILL }},
7020 { &hf_netlogon_passwdhistorylen,
7021 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
7022 NULL, 0x0, "Length of password history", HFILL }},
7024 { &hf_netlogon_secure_channel_type,
7025 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
7026 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
7028 { &hf_netlogon_restart_state,
7029 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
7030 NULL, 0x0, "Restart State", HFILL }},
7032 { &hf_netlogon_delta_type,
7033 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
7034 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
7036 { &hf_netlogon_blob_size,
7037 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
7038 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
7040 { &hf_netlogon_code,
7041 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
7042 NULL, 0x0, "Code", HFILL }},
7044 { &hf_netlogon_level,
7045 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
7046 NULL, 0x0, "Which option of the union is represented here", HFILL }},
7048 { &hf_netlogon_reference,
7049 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
7050 NULL, 0x0, "", HFILL }},
7052 { &hf_netlogon_next_reference,
7053 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
7054 NULL, 0x0, "", HFILL }},
7056 { &hf_netlogon_timestamp,
7057 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
7058 NULL, 0, "", HFILL }},
7060 { &hf_netlogon_user_rid,
7061 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
7062 NULL, 0x0, "", HFILL }},
7064 { &hf_netlogon_alias_rid,
7065 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
7066 NULL, 0x0, "", HFILL }},
7068 { &hf_netlogon_group_rid,
7069 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
7070 NULL, 0x0, "", HFILL }},
7072 { &hf_netlogon_num_rids,
7073 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
7074 NULL, 0x0, "Number of RIDs", HFILL }},
7076 { &hf_netlogon_num_controllers,
7077 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
7078 NULL, 0x0, "Number of domain controllers", HFILL }},
7080 { &hf_netlogon_num_other_groups,
7081 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
7082 NULL, 0x0, "", HFILL }},
7084 { &hf_netlogon_flags,
7085 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
7086 NULL, 0x0, "", HFILL }},
7088 { &hf_netlogon_user_account_control,
7089 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
7090 NULL, 0x0, "User Account control", HFILL }},
7092 { &hf_netlogon_user_flags,
7093 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
7094 NULL, 0x0, "User flags", HFILL }},
7096 { &hf_netlogon_auth_flags,
7097 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
7098 NULL, 0x0, "", HFILL }},
7100 { &hf_netlogon_systemflags,
7101 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
7102 NULL, 0x0, "", HFILL }},
7104 { &hf_netlogon_database_id,
7105 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
7106 NULL, 0x0, "Database Id", HFILL }},
7108 { &hf_netlogon_sync_context,
7109 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
7110 NULL, 0x0, "Sync Context", HFILL }},
7112 { &hf_netlogon_max_size,
7113 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
7114 NULL, 0x0, "Max Size of database", HFILL }},
7116 { &hf_netlogon_max_log_size,
7117 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
7118 NULL, 0x0, "Max Size of log", HFILL }},
7120 { &hf_netlogon_pac_size,
7121 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
7122 NULL, 0x0, "Size of PacData in bytes", HFILL }},
7124 { &hf_netlogon_auth_size,
7125 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
7126 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
7128 { &hf_netlogon_num_deltas,
7129 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
7130 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
7132 { &hf_netlogon_num_trusts,
7133 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
7134 NULL, 0x0, "", HFILL }},
7136 { &hf_netlogon_logon_attempts,
7137 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
7138 NULL, 0x0, "Number of logon attempts", HFILL }},
7140 { &hf_netlogon_pagefilelimit,
7141 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
7142 NULL, 0x0, "", HFILL }},
7144 { &hf_netlogon_pagedpoollimit,
7145 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
7146 NULL, 0x0, "", HFILL }},
7148 { &hf_netlogon_nonpagedpoollimit,
7149 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
7150 NULL, 0x0, "", HFILL }},
7152 { &hf_netlogon_minworkingsetsize,
7153 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
7154 NULL, 0x0, "", HFILL }},
7156 { &hf_netlogon_maxworkingsetsize,
7157 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
7158 NULL, 0x0, "", HFILL }},
7160 { &hf_netlogon_serial_number,
7161 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
7162 NULL, 0x0, "", HFILL }},
7164 { &hf_netlogon_neg_flags,
7165 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
7166 NULL, 0x0, "Negotiation Flags", HFILL }},
7168 { &hf_netlogon_dc_flags,
7169 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
7170 NULL, 0x0, "Domain Controller Flags", HFILL }},
7172 { &hf_netlogon_dc_flags_pdc_flag,
7173 { "PDC", "netlogon.dc.flags.pdc",
7174 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
7175 "If this server is a PDC", HFILL }},
7177 { &hf_netlogon_dc_flags_gc_flag,
7178 { "GC", "netlogon.dc.flags.gc",
7179 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
7180 "If this server is a GC", HFILL }},
7182 { &hf_netlogon_dc_flags_ldap_flag,
7183 { "LDAP", "netlogon.dc.flags.ldap",
7184 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
7185 "If this is an LDAP server", HFILL }},
7187 { &hf_netlogon_dc_flags_ds_flag,
7188 { "DS", "netlogon.dc.flags.ds",
7189 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
7190 "If this server is a DS", HFILL }},
7192 { &hf_netlogon_dc_flags_kdc_flag,
7193 { "KDC", "netlogon.dc.flags.kdc",
7194 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
7195 "If this is a KDC", HFILL }},
7197 { &hf_netlogon_dc_flags_timeserv_flag,
7198 { "Timeserv", "netlogon.dc.flags.timeserv",
7199 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
7200 "If this server is a TimeServer", HFILL }},
7202 { &hf_netlogon_dc_flags_closest_flag,
7203 { "Closest", "netlogon.dc.flags.closest",
7204 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
7205 "If this is the closest server", HFILL }},
7207 { &hf_netlogon_dc_flags_writable_flag,
7208 { "Writable", "netlogon.dc.flags.writable",
7209 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
7210 "If this server can do updates to the database", HFILL }},
7212 { &hf_netlogon_dc_flags_good_timeserv_flag,
7213 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
7214 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
7215 "If this is a Good TimeServer", HFILL }},
7217 { &hf_netlogon_dc_flags_ndnc_flag,
7218 { "NDNC", "netlogon.dc.flags.ndnc",
7219 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
7220 "If this is an NDNC server", HFILL }},
7222 { &hf_netlogon_dc_flags_dns_controller_flag,
7223 { "DNS Controller", "netlogon.dc.flags.dns_controller",
7224 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
7225 "If this server is a DNS Controller", HFILL }},
7227 { &hf_netlogon_dc_flags_dns_domain_flag,
7228 { "DNS Domain", "netlogon.dc.flags.dns_domain",
7229 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
7232 { &hf_netlogon_dc_flags_dns_forest_flag,
7233 { "DNS Forest", "netlogon.dc.flags.dns_forest",
7234 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
7237 { &hf_netlogon_get_dcname_request_flags,
7238 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
7239 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
7241 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
7242 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
7243 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
7244 "Whether to allow the server to returned cached information or not", HFILL }},
7246 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
7247 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
7248 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
7249 "Whether we require that the returned DC supports w2k or not", HFILL }},
7251 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
7252 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
7253 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
7254 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
7256 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
7257 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
7258 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
7259 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
7261 { &hf_netlogon_get_dcname_request_flags_pdc_required,
7262 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
7263 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
7264 "Whether we require the returned DC to be the PDC", HFILL }},
7266 { &hf_netlogon_get_dcname_request_flags_background_only,
7267 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
7268 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
7269 "If we want cached data, even if it may have expired", HFILL }},
7271 { &hf_netlogon_get_dcname_request_flags_ip_required,
7272 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
7273 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
7274 "If we requre the IP of the DC in the reply", HFILL }},
7276 { &hf_netlogon_get_dcname_request_flags_kdc_required,
7277 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
7278 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
7279 "If we require that the returned server is a KDC", HFILL }},
7281 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
7282 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
7283 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
7284 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
7286 { &hf_netlogon_get_dcname_request_flags_writable_required,
7287 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
7288 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
7289 "If we require that the return server is writable", HFILL }},
7291 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
7292 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
7293 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
7294 "If we prefer Windows Time Servers", HFILL }},
7296 { &hf_netlogon_get_dcname_request_flags_avoid_self,
7297 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
7298 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
7299 "Return another DC than the one we ask", HFILL }},
7301 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
7302 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
7303 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
7304 "We just want an LDAP server, it does not have to be a DC", HFILL }},
7306 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
7307 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
7308 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
7309 "If the specified domain name is a NetBIOS name", HFILL }},
7311 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
7312 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
7313 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
7314 "If the specified domain name is a DNS name", HFILL }},
7316 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
7317 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
7318 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
7319 "Only return a DNS name (or an error)", HFILL }},
7321 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
7322 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
7323 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
7324 "Only return a NetBIOS name (or an error)", HFILL }},
7326 { &hf_netlogon_trust_attribs,
7327 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
7328 NULL, 0x0, "Trust Attributes", HFILL }},
7330 { &hf_netlogon_trust_type,
7331 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
7332 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
7334 { &hf_netlogon_trust_flags,
7335 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
7336 NULL, 0x0, "Trust Flags", HFILL }},
7338 { &hf_netlogon_trust_flags_inbound,
7339 { "Inbound Trust", "netlogon.trust.flags.inbound",
7340 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
7341 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
7343 { &hf_netlogon_trust_flags_outbound,
7344 { "Outbound Trust", "netlogon.trust.flags.outbound",
7345 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
7346 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
7348 { &hf_netlogon_trust_flags_in_forest,
7349 { "In Forest", "netlogon.trust.flags.in_forest",
7350 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
7351 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
7353 { &hf_netlogon_trust_flags_native_mode,
7354 { "Native Mode", "netlogon.trust.flags.native_mode",
7355 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
7356 "Whether the domain is a w2k native mode domain or not", HFILL }},
7358 { &hf_netlogon_trust_flags_primary,
7359 { "Primary", "netlogon.trust.flags.primary",
7360 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
7361 "Whether the domain is the primary domain for the queried server or not", HFILL }},
7363 { &hf_netlogon_trust_flags_tree_root,
7364 { "Tree Root", "netlogon.trust.flags.tree_root",
7365 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
7366 "Whether the domain is the root of the tree for the queried server", HFILL }},
7368 { &hf_netlogon_trust_parent_index,
7369 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
7370 NULL, 0x0, "Parent Index", HFILL }},
7372 { &hf_netlogon_logon_time,
7373 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
7374 NULL, 0, "Time for last time this user logged on", HFILL }},
7376 { &hf_netlogon_kickoff_time,
7377 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7378 NULL, 0, "Time when this user will be kicked off", HFILL }},
7380 { &hf_netlogon_logoff_time,
7381 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7382 NULL, 0, "Time for last time this user logged off", HFILL }},
7384 { &hf_netlogon_last_logoff_time,
7385 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7386 NULL, 0, "Time for last time this user logged off", HFILL }},
7388 { &hf_netlogon_pwd_last_set_time,
7389 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7390 NULL, 0, "Last time this users password was changed", HFILL }},
7392 { &hf_netlogon_pwd_age,
7393 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
7394 NULL, 0, "Time since this users password was changed", HFILL }},
7396 { &hf_netlogon_pwd_can_change_time,
7397 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7398 NULL, 0, "When this users password may be changed", HFILL }},
7400 { &hf_netlogon_pwd_must_change_time,
7401 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7402 NULL, 0, "When this users password must be changed", HFILL }},
7404 { &hf_netlogon_domain_create_time,
7405 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7406 NULL, 0, "Time when this domain was created", HFILL }},
7408 { &hf_netlogon_domain_modify_time,
7409 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7410 NULL, 0, "Time when this domain was last modified", HFILL }},
7412 { &hf_netlogon_db_modify_time,
7413 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7414 NULL, 0, "Time when last modified", HFILL }},
7416 { &hf_netlogon_db_create_time,
7417 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7418 NULL, 0, "Time when created", HFILL }},
7420 { &hf_netlogon_cipher_current_set_time,
7421 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7422 NULL, 0, "Time when current cipher was initiated", HFILL }},
7424 { &hf_netlogon_cipher_old_set_time,
7425 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7426 NULL, 0, "Time when previous cipher was initiated", HFILL }},
7428 { &hf_netlogon_audit_retention_period,
7429 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
7430 NULL, 0, "Audit retention period", HFILL }},
7432 { &hf_netlogon_guid,
7433 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
7434 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
7436 { &hf_netlogon_timelimit,
7437 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
7438 NULL, 0, "", HFILL }},
7440 /* Secure channel dissection */
7442 { &hf_netlogon_secchan_bind_unknown1,
7443 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7444 NULL, 0x0, "", HFILL }},
7446 { &hf_netlogon_secchan_bind_unknown2,
7447 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7448 NULL, 0x0, "", HFILL }},
7450 { &hf_netlogon_secchan_domain,
7451 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7452 NULL, 0, "", HFILL }},
7454 { &hf_netlogon_secchan_host,
7455 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7456 NULL, 0, "", HFILL }},
7458 { &hf_netlogon_secchan_bind_ack_unknown1,
7459 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
7460 BASE_HEX, NULL, 0x0, "", HFILL }},
7462 { &hf_netlogon_secchan_bind_ack_unknown2,
7463 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
7464 BASE_HEX, NULL, 0x0, "", HFILL }},
7466 { &hf_netlogon_secchan_bind_ack_unknown3,
7467 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
7468 BASE_HEX, NULL, 0x0, "", HFILL }},
7470 { &hf_netlogon_secchan_verf,
7471 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
7472 NULL, 0x0, "Verifier", HFILL }},
7474 { &hf_netlogon_secchan_verf_sig,
7475 { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL,
7476 0x0, "Signature", HFILL }},
7478 { &hf_netlogon_secchan_verf_unk,
7479 { "Unknown", "netlogon.secchan.unk", FT_BYTES, BASE_HEX, NULL,
7480 0x0, "Unknown", HFILL }},
7482 { &hf_netlogon_secchan_verf_seq,
7483 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL,
7484 0x0, "Sequence No", HFILL }},
7486 { &hf_netlogon_secchan_verf_nonce,
7487 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL,
7488 0x0, "Nonce", HFILL }},
7490 { &hf_netlogon_group_attrs_mandatory,
7491 { "Mandatory", "netlogon.groups.attrs.mandatory",
7492 FT_BOOLEAN, 32, TFS(&group_attrs_mandatory), 0x00000001,
7493 "The group attributes MANDATORY flag", HFILL }},
7495 { &hf_netlogon_group_attrs_enabled_by_default,
7496 { "Enabled By Default", "netlogon.groups.attrs.enabled_by_default",
7497 FT_BOOLEAN, 32, TFS(&group_attrs_enabled_by_default), 0x00000002,
7498 "The group attributes ENABLED_BY_DEFAULT flag", HFILL }},
7500 { &hf_netlogon_group_attrs_enabled,
7501 { "Enabled", "netlogon.groups.attrs.enabled",
7502 FT_BOOLEAN, 32, TFS(&group_attrs_enabled), 0x00000004,
7503 "The group attributes ENABLED flag", HFILL }},
7505 { &hf_netlogon_user_flags_extra_sids,
7506 { "Extra SIDs", "netlogon.user.flags.extra_sids",
7507 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids), 0x00000020,
7508 "The user flags EXTRA_SIDS", HFILL }},
7510 { &hf_netlogon_user_flags_resource_groups,
7511 { "Resource Groups", "netlogon.user.flags.resource_groups",
7512 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups), 0x00000200,
7513 "The user flags RESOURCE_GROUPS", HFILL }},
7515 { &hf_netlogon_user_account_control_dont_require_preauth,
7516 { "Dont Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
7517 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth), 0x00010000,
7518 "The user account control DONT_REQUIRE_PREAUTH flag ", HFILL }},
7520 { &hf_netlogon_user_account_control_use_des_key_only,
7521 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
7522 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only), 0x00008000,
7523 "The user account control use_des_key_only flag ", HFILL }},
7525 { &hf_netlogon_user_account_control_not_delegated,
7526 { "Not Delegated", "netlogon.user.account_control.not_delegated",
7527 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated), 0x00004000,
7528 "The user account control not_delegated flag ", HFILL }},
7530 { &hf_netlogon_user_account_control_trusted_for_delegation,
7531 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
7532 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation), 0x00002000,
7533 "The user account control trusted_for_delegation flag ", HFILL }},
7535 { &hf_netlogon_user_account_control_smartcard_required,
7536 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
7537 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required), 0x00001000,
7538 "The user account control smartcard_required flag ", HFILL }},
7540 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
7541 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
7542 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed), 0x00000800,
7543 "The user account control encrypted_text_password_allowed flag ", HFILL }},
7545 { &hf_netlogon_user_account_control_account_auto_locked,
7546 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
7547 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked), 0x00000400,
7548 "The user account control account_auto_locked flag ", HFILL }},
7550 { &hf_netlogon_user_account_control_dont_expire_password,
7551 { "Dont Expire Password", "netlogon.user.account_control.dont_expire_password",
7552 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password), 0x00000200,
7553 "The user account control dont_expire_password flag ", HFILL }},
7555 { &hf_netlogon_user_account_control_server_trust_account,
7556 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
7557 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account), 0x00000100,
7558 "The user account control server_trust_account flag ", HFILL }},
7560 { &hf_netlogon_user_account_control_workstation_trust_account,
7561 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
7562 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account), 0x00000080,
7563 "The user account control workstation_trust_account flag ", HFILL }},
7565 { &hf_netlogon_user_account_control_interdomain_trust_account,
7566 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
7567 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account), 0x00000040,
7568 "The user account control interdomain_trust_account flag ", HFILL }},
7570 { &hf_netlogon_user_account_control_mns_logon_account,
7571 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
7572 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account), 0x00000020,
7573 "The user account control mns_logon_account flag ", HFILL }},
7575 { &hf_netlogon_user_account_control_normal_account,
7576 { "Normal Account", "netlogon.user.account_control.normal_account",
7577 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account), 0x00000010,
7578 "The user account control normal_account flag ", HFILL }},
7580 { &hf_netlogon_user_account_control_temp_duplicate_account,
7581 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
7582 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account), 0x00000008,
7583 "The user account control temp_duplicate_account flag ", HFILL }},
7585 { &hf_netlogon_user_account_control_password_not_required,
7586 { "Password Not Required", "netlogon.user.account_control.password_not_required",
7587 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required), 0x00000004,
7588 "The user account control password_not_required flag ", HFILL }},
7590 { &hf_netlogon_user_account_control_home_directory_required,
7591 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
7592 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required), 0x00000002,
7593 "The user account control home_directory_required flag ", HFILL }},
7595 { &hf_netlogon_user_account_control_account_disabled,
7596 { "Account Disabled", "netlogon.user.account_control.account_disabled",
7597 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled), 0x00000001,
7598 "The user account control account_disabled flag ", HFILL }},
7602 static gint *ett[] = {
7603 &ett_dcerpc_netlogon,
7609 &ett_DOMAIN_CONTROLLER_INFO,
7610 &ett_UNICODE_STRING_512,
7613 &ett_DELTA_ID_UNION,
7616 &ett_LM_OWF_PASSWORD,
7617 &ett_NT_OWF_PASSWORD,
7618 &ett_GROUP_MEMBERSHIP,
7619 &ett_DS_DOMAIN_TRUSTS,
7621 &ett_DOMAIN_TRUST_INFO,
7623 &ett_get_dcname_request_flags,
7625 &ett_secchan_bind_creds,
7626 &ett_secchan_bind_ack_creds,
7630 &ett_user_account_control
7633 proto_dcerpc_netlogon = proto_register_protocol(
7634 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7636 proto_register_field_array(proto_dcerpc_netlogon, hf,
7638 proto_register_subtree_array(ett, array_length(ett));
/*
 * Callback table for the Netlogon secure channel authentication type,
 * filled in positionally.  Credentials carried in Bind and Bind ACK each
 * have their own dissector; the request and response verifiers share
 * dissect_secchan_verf.
 *
 * Both data slots are NULL, so this table supplies no handler for the
 * request or response payload.  What the DCE/RPC core does with such a
 * payload (shown raw or skipped) is decided outside this table; confirm
 * there before relying on dissected stub data for secure channel traffic.
 *
 * NOTE(review): the listing numbering jumps from 7643 to 7645, so one
 * positional entry may be missing from this view.  Check the slot order
 * against the dcerpc_auth_subdissector_fns declaration (presumably in
 * packet-dcerpc.h) before editing, because a shifted initializer would
 * silently bind a handler to the wrong PDU type.
 */
7641 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
7642 dissect_secchan_bind_creds, /* Bind: credentials sent in the bind request */
7643 dissect_secchan_bind_ack_creds, /* Bind ACK: credentials returned in the bind ack */
7645 dissect_secchan_verf, /* Request verifier */
7646 dissect_secchan_verf, /* Response verifier (same handler as requests) */
7647 NULL, /* Request data: no handler supplied */
7648 NULL /* Response data: no handler supplied */
7652 proto_reg_handoff_dcerpc_netlogon(void)
7654 /* Register protocol as dcerpc */
7656 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7657 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7658 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
7660 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
7661 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7663 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
7664 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,