1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.87 2003/08/04 02:49:02 tpot Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_logon_count = -1;
116 static int hf_netlogon_logon_count16 = -1;
117 static int hf_netlogon_bad_pw_count = -1;
118 static int hf_netlogon_bad_pw_count16 = -1;
119 static int hf_netlogon_user_rid = -1;
120 static int hf_netlogon_alias_rid = -1;
121 static int hf_netlogon_group_rid = -1;
122 static int hf_netlogon_logon_srv = -1;
123 static int hf_netlogon_principal = -1;
124 static int hf_netlogon_logon_dom = -1;
125 static int hf_netlogon_downlevel_domain_name = -1;
126 static int hf_netlogon_dns_domain_name = -1;
127 static int hf_netlogon_domain_name = -1;
128 static int hf_netlogon_domain_create_time = -1;
129 static int hf_netlogon_domain_modify_time = -1;
130 static int hf_netlogon_modify_count = -1;
131 static int hf_netlogon_db_modify_time = -1;
132 static int hf_netlogon_db_create_time = -1;
133 static int hf_netlogon_oem_info = -1;
134 static int hf_netlogon_serial_number = -1;
135 static int hf_netlogon_num_rids = -1;
136 static int hf_netlogon_num_trusts = -1;
137 static int hf_netlogon_num_controllers = -1;
138 static int hf_netlogon_num_other_groups = -1;
139 static int hf_netlogon_computer_name = -1;
140 static int hf_netlogon_site_name = -1;
141 static int hf_netlogon_trusted_dc_name = -1;
142 static int hf_netlogon_dc_name = -1;
143 static int hf_netlogon_dc_site_name = -1;
144 static int hf_netlogon_dns_forest_name = -1;
145 static int hf_netlogon_dc_address = -1;
146 static int hf_netlogon_dc_address_type = -1;
147 static int hf_netlogon_client_site_name = -1;
148 static int hf_netlogon_workstation = -1;
149 static int hf_netlogon_workstation_site_name = -1;
150 static int hf_netlogon_workstation_os = -1;
151 static int hf_netlogon_workstations = -1;
152 static int hf_netlogon_workstation_fqdn = -1;
153 static int hf_netlogon_group_name = -1;
154 static int hf_netlogon_alias_name = -1;
155 static int hf_netlogon_country = -1;
156 static int hf_netlogon_codepage = -1;
157 static int hf_netlogon_flags = -1;
158 static int hf_netlogon_trust_attribs = -1;
159 static int hf_netlogon_trust_type = -1;
160 static int hf_netlogon_trust_flags = -1;
161 static int hf_netlogon_trust_flags_inbound = -1;
162 static int hf_netlogon_trust_flags_outbound = -1;
163 static int hf_netlogon_trust_flags_in_forest = -1;
164 static int hf_netlogon_trust_flags_native_mode = -1;
165 static int hf_netlogon_trust_flags_primary = -1;
166 static int hf_netlogon_trust_flags_tree_root = -1;
167 static int hf_netlogon_trust_parent_index = -1;
168 static int hf_netlogon_user_flags = -1;
169 static int hf_netlogon_auth_flags = -1;
170 static int hf_netlogon_pwd_expired = -1;
171 static int hf_netlogon_nt_pwd_present = -1;
172 static int hf_netlogon_lm_pwd_present = -1;
173 static int hf_netlogon_code = -1;
174 static int hf_netlogon_database_id = -1;
175 static int hf_netlogon_sync_context = -1;
176 static int hf_netlogon_max_size = -1;
177 static int hf_netlogon_max_log_size = -1;
178 static int hf_netlogon_dns_host = -1;
179 static int hf_netlogon_acct_expiry_time = -1;
180 static int hf_netlogon_encrypted_lm_owf_password = -1;
181 static int hf_netlogon_lm_owf_password = -1;
182 static int hf_netlogon_nt_owf_password = -1;
183 static int hf_netlogon_param_ctrl = -1;
184 static int hf_netlogon_logon_id = -1;
185 static int hf_netlogon_num_deltas = -1;
186 static int hf_netlogon_user_session_key = -1;
187 static int hf_netlogon_blob_size = -1;
188 static int hf_netlogon_blob = -1;
189 static int hf_netlogon_logon_attempts = -1;
190 static int hf_netlogon_authoritative = -1;
191 static int hf_netlogon_secure_channel_type = -1;
192 static int hf_netlogon_logonsrv_handle = -1;
193 static int hf_netlogon_delta_type = -1;
194 static int hf_netlogon_get_dcname_request_flags = -1;
195 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
196 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
197 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
198 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
199 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
200 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
201 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
202 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
203 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
204 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
205 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
206 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
207 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
208 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
209 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
210 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
211 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
212 static int hf_netlogon_dc_flags = -1;
213 static int hf_netlogon_dc_flags_pdc_flag = -1;
214 static int hf_netlogon_dc_flags_gc_flag = -1;
215 static int hf_netlogon_dc_flags_ldap_flag = -1;
216 static int hf_netlogon_dc_flags_ds_flag = -1;
217 static int hf_netlogon_dc_flags_kdc_flag = -1;
218 static int hf_netlogon_dc_flags_timeserv_flag = -1;
219 static int hf_netlogon_dc_flags_closest_flag = -1;
220 static int hf_netlogon_dc_flags_writable_flag = -1;
221 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
222 static int hf_netlogon_dc_flags_ndnc_flag = -1;
223 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
224 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
225 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
227 static gint ett_dcerpc_netlogon = -1;
228 static gint ett_QUOTA_LIMITS = -1;
229 static gint ett_IDENTITY_INFO = -1;
230 static gint ett_DELTA_ENUM = -1;
231 static gint ett_CYPHER_VALUE = -1;
232 static gint ett_UNICODE_MULTI = -1;
233 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
234 static gint ett_UNICODE_STRING_512 = -1;
235 static gint ett_TYPE_50 = -1;
236 static gint ett_TYPE_52 = -1;
237 static gint ett_DELTA_ID_UNION = -1;
238 static gint ett_TYPE_44 = -1;
239 static gint ett_DELTA_UNION = -1;
240 static gint ett_LM_OWF_PASSWORD = -1;
241 static gint ett_NT_OWF_PASSWORD = -1;
242 static gint ett_GROUP_MEMBERSHIP = -1;
243 static gint ett_BLOB = -1;
244 static gint ett_DS_DOMAIN_TRUSTS = -1;
245 static gint ett_DOMAIN_TRUST_INFO = -1;
246 static gint ett_trust_flags = -1;
247 static gint ett_get_dcname_request_flags = -1;
248 static gint ett_dc_flags = -1;
250 static e_uuid_t uuid_dcerpc_netlogon = {
251 0x12345678, 0x1234, 0xabcd,
252 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
255 static guint16 ver_dcerpc_netlogon = 1;
260 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
261 packet_info *pinfo, proto_tree *tree,
264 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
265 NDR_POINTER_UNIQUE, "Server Handle",
266 hf_netlogon_logonsrv_handle, 0);
272 * IDL typedef struct {
273 * IDL [unique][string] wchar_t *effective_name;
275 * IDL long auth_flags;
276 * IDL long logon_count;
277 * IDL long bad_pw_count;
278 * IDL long last_logon;
279 * IDL long last_logoff;
280 * IDL long logoff_time;
281 * IDL long kickoff_time;
282 * IDL long password_age;
283 * IDL long pw_can_change;
284 * IDL long pw_must_change;
285 * IDL [unique][string] wchar_t *computer;
286 * IDL [unique][string] wchar_t *domain;
287 * IDL [unique][string] wchar_t *script_path;
291 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
292 packet_info *pinfo, proto_tree *tree,
297 di=pinfo->private_data;
298 if(di->conformant_run){
299 /*just a run to handle conformant arrays, nothing to dissect */
303 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
304 NDR_POINTER_UNIQUE, "Effective Account",
305 hf_netlogon_acct_name, 0);
307 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
308 hf_netlogon_priv, NULL);
310 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
311 hf_netlogon_auth_flags, NULL);
313 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
314 hf_netlogon_logon_count, NULL);
316 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
317 hf_netlogon_bad_pw_count, NULL);
319 /* XXX - are these all UNIX "time_t"s, like the time stamps in
322 Or are they, as per some RAP-based operations, UTIMEs? */
323 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
326 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
329 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
332 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
335 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
338 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
341 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
344 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
345 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
347 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
348 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
350 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
351 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
353 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
354 hf_netlogon_reserved, NULL);
360 * IDL long NetLogonUasLogon(
361 * IDL [in][unique][string] wchar_t *ServerName,
362 * IDL [in][ref][string] wchar_t *UserName,
363 * IDL [in][ref][string] wchar_t *Workstation,
364 * IDL [out][unique] VALIDATION_UAS_INFO *info
368 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
369 packet_info *pinfo, proto_tree *tree, char *drep)
371 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
374 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
375 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
377 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
378 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
385 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
386 packet_info *pinfo, proto_tree *tree, char *drep)
388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
389 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
390 "VALIDATION_UAS_INFO", -1);
392 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
393 hf_netlogon_rc, NULL);
399 * IDL typedef struct {
401 * IDL short logon_count;
402 * IDL } LOGOFF_UAS_INFO;
405 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
406 packet_info *pinfo, proto_tree *tree,
411 di=pinfo->private_data;
412 if(di->conformant_run){
413 /*just a run to handle conformant arrays, nothing to dissect */
417 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
420 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
421 hf_netlogon_logon_count16, NULL);
427 * IDL long NetLogonUasLogoff(
428 * IDL [in][unique][string] wchar_t *ServerName,
429 * IDL [in][ref][string] wchar_t *UserName,
430 * IDL [in][ref][string] wchar_t *Workstation,
431 * IDL [out][ref] LOGOFF_UAS_INFO *info
435 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
436 packet_info *pinfo, proto_tree *tree, char *drep)
438 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
441 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
442 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
444 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
445 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
452 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
453 packet_info *pinfo, proto_tree *tree, char *drep)
455 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
456 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
457 "LOGOFF_UAS_INFO", -1);
459 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
460 hf_netlogon_rc, NULL);
469 * IDL typedef struct {
470 * IDL UNICODESTRING LogonDomainName;
471 * IDL long ParameterControl;
472 * IDL uint64 LogonID;
473 * IDL UNICODESTRING UserName;
474 * IDL UNICODESTRING Workstation;
475 * IDL } LOGON_IDENTITY_INFO;
478 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
479 packet_info *pinfo, proto_tree *parent_tree,
482 proto_item *item=NULL;
483 proto_tree *tree=NULL;
484 int old_offset=offset;
487 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
489 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
492 /* XXX: It would be nice to get the domain and account name
493 displayed in COL_INFO. */
495 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
496 hf_netlogon_logon_dom, 0);
498 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
499 hf_netlogon_param_ctrl, NULL);
501 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
502 hf_netlogon_logon_id, NULL);
504 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
505 hf_netlogon_acct_name, 0);
507 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
508 hf_netlogon_workstation, 0);
511 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
512 /* XXX 8 extra bytes here */
513 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
514 the idl file. Could be a bug in either the NETLOGON implementation or in the
517 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
520 proto_item_set_len(item, offset-old_offset);
526 * IDL typedef struct {
527 * IDL char password[16];
528 * IDL } LM_OWF_PASSWORD;
531 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
532 packet_info *pinfo, proto_tree *parent_tree,
535 proto_item *item=NULL;
536 proto_tree *tree=NULL;
539 di=pinfo->private_data;
540 if(di->conformant_run){
541 /*just a run to handle conformant arrays, nothing to dissect.*/
546 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
548 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
551 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
559 * IDL typedef struct {
560 * IDL char password[16];
561 * IDL } NT_OWF_PASSWORD;
564 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
565 packet_info *pinfo, proto_tree *parent_tree,
568 proto_item *item=NULL;
569 proto_tree *tree=NULL;
572 di=pinfo->private_data;
573 if(di->conformant_run){
574 /*just a run to handle conformant arrays, nothing to dissect.*/
579 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
581 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
584 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
593 * IDL typedef struct {
594 * IDL LOGON_IDENTITY_INFO identity_info;
595 * IDL LM_OWF_PASSWORD lmpassword;
596 * IDL NT_OWF_PASSWORD ntpassword;
597 * IDL } INTERACTIVE_INFO;
600 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
601 packet_info *pinfo, proto_tree *tree,
604 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
607 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
610 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
617 * IDL typedef struct {
622 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
623 packet_info *pinfo, proto_tree *tree,
628 di=pinfo->private_data;
629 if(di->conformant_run){
630 /*just a run to handle conformant arrays, nothing to dissect.*/
634 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
642 * IDL typedef struct {
643 * IDL LOGON_IDENTITY_INFO logon_info;
644 * IDL CHALLENGE chal;
645 * IDL STRING ntchallengeresponse;
646 * IDL STRING lmchallengeresponse;
647 * IDL } NETWORK_INFO;
650 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
651 proto_item *item _U_, tvbuff_t *tvb,
652 int start_offset, int end_offset,
653 void *callback_args _U_)
657 /* Skip over 3 guint32's in NDR format */
659 if (start_offset % 4)
660 start_offset += 4 - (start_offset % 4);
663 len = end_offset - start_offset;
665 /* Call ntlmv2 response dissector */
668 dissect_ntlmv2_response(tvb, tree, start_offset, len);
672 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
673 packet_info *pinfo, proto_tree *tree,
676 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
679 offset = netlogon_dissect_CHALLENGE(tvb, offset,
682 offset = dissect_ndr_counted_byte_array_cb(
683 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
684 dissect_nt_chal_resp_cb, NULL);
686 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
687 hf_netlogon_lm_chal_resp);
693 * IDL typedef struct {
694 * IDL LOGON_IDENTITY_INFO logon_info;
695 * IDL LM_OWF_PASSWORD lmpassword;
696 * IDL NT_OWF_PASSWORD ntpassword;
697 * IDL } SERVICE_INFO;
700 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
701 packet_info *pinfo, proto_tree *tree,
704 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
707 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
710 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
717 * IDL typedef [switch_type(short)] union {
718 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
719 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
720 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
724 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
725 packet_info *pinfo, proto_tree *tree,
730 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
731 hf_netlogon_level16, &level);
736 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
737 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
738 "INTERACTIVE_INFO:", -1);
741 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
742 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
743 "NETWORK_INFO:", -1);
746 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
747 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
748 "SERVICE_INFO:", -1);
756 * IDL typedef struct {
761 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
762 packet_info *pinfo, proto_tree *tree,
767 di=pinfo->private_data;
768 if(di->conformant_run){
769 /*just a run to handle conformant arrays, nothing to dissect.*/
773 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
782 * IDL typedef struct {
783 * IDL CREDENTIAL cred;
784 * IDL long timestamp;
785 * IDL } AUTHENTICATOR;
788 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
789 packet_info *pinfo, proto_tree *tree,
795 di=pinfo->private_data;
796 if(di->conformant_run){
797 /*just a run to handle conformant arrays, nothing to dissect */
801 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
805 * XXX - this appears to be a UNIX time_t in some credentials, but
806 * appears to be random junk in other credentials.
807 * For example, it looks like a UNIX time_t in "credential"
808 * AUTHENTICATORs, but like random junk in "return_authenticator"
812 ts.secs = tvb_get_letohl(tvb, offset);
814 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
822 * IDL typedef struct {
824 * IDL long attributes;
825 * IDL } GROUP_MEMBERSHIP;
828 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
829 packet_info *pinfo, proto_tree *parent_tree,
832 proto_item *item=NULL;
833 proto_tree *tree=NULL;
836 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
837 "GROUP_MEMBERSHIP:");
838 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
841 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
842 hf_netlogon_user_rid, NULL);
844 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
845 hf_netlogon_attrs, NULL);
851 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
852 packet_info *pinfo, proto_tree *tree,
855 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
856 netlogon_dissect_GROUP_MEMBERSHIP);
862 * IDL typedef struct {
863 * IDL char user_session_key[16];
864 * IDL } USER_SESSION_KEY;
867 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
868 packet_info *pinfo, proto_tree *tree,
873 di=pinfo->private_data;
874 if(di->conformant_run){
875 /*just a run to handle conformant arrays, nothing to dissect.*/
879 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
887 * IDL typedef struct {
888 * IDL uint64 LogonTime;
889 * IDL uint64 LogoffTime;
890 * IDL uint64 KickOffTime;
891 * IDL uint64 PasswdLastSet;
892 * IDL uint64 PasswdCanChange;
893 * IDL uint64 PasswdMustChange;
894 * IDL unicodestring effectivename;
895 * IDL unicodestring fullname;
896 * IDL unicodestring logonscript;
897 * IDL unicodestring profilepath;
898 * IDL unicodestring homedirectory;
899 * IDL unicodestring homedirectorydrive;
900 * IDL short LogonCount;
901 * IDL short BadPasswdCount;
903 * IDL long primarygroup;
904 * IDL long groupcount;
905 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
906 * IDL long userflags;
907 * IDL USER_SESSION_KEY key;
908 * IDL unicodestring logonserver;
909 * IDL unicodestring domainname;
910 * IDL [unique] SID logondomainid;
911 * IDL long expansionroom[10];
912 * IDL } VALIDATION_SAM_INFO;
915 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
916 packet_info *pinfo, proto_tree *tree,
921 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
922 hf_netlogon_logon_time);
924 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
925 hf_netlogon_logoff_time);
927 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
928 hf_netlogon_kickoff_time);
930 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
931 hf_netlogon_pwd_last_set_time);
933 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
934 hf_netlogon_pwd_can_change_time);
936 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
937 hf_netlogon_pwd_must_change_time);
939 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
940 hf_netlogon_acct_name, 0);
942 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
943 hf_netlogon_full_name, 0);
945 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
946 hf_netlogon_logon_script, 0);
948 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
949 hf_netlogon_profile_path, 0);
951 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
952 hf_netlogon_home_dir, 0);
954 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
955 hf_netlogon_dir_drive, 0);
957 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
958 hf_netlogon_logon_count16, NULL);
960 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
961 hf_netlogon_bad_pw_count16, NULL);
963 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
964 hf_netlogon_user_rid, NULL);
966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
967 hf_netlogon_group_rid, NULL);
969 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
970 hf_netlogon_num_rids, NULL);
972 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
973 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
974 "GROUP_MEMBERSHIP_ARRAY", -1);
976 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
977 hf_netlogon_user_flags, NULL);
979 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
982 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
983 hf_netlogon_logon_srv, 0);
985 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
986 hf_netlogon_logon_dom, 0);
988 offset = dissect_ndr_nt_PSID(tvb, offset,
989 pinfo, tree, drep, -1);
992 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
993 hf_netlogon_reserved, NULL);
1002 * IDL typedef struct {
1003 * IDL uint64 LogonTime;
1004 * IDL uint64 LogoffTime;
1005 * IDL uint64 KickOffTime;
1006 * IDL uint64 PasswdLastSet;
1007 * IDL uint64 PasswdCanChange;
1008 * IDL uint64 PasswdMustChange;
1009 * IDL unicodestring effectivename;
1010 * IDL unicodestring fullname;
1011 * IDL unicodestring logonscript;
1012 * IDL unicodestring profilepath;
1013 * IDL unicodestring homedirectory;
1014 * IDL unicodestring homedirectorydrive;
1015 * IDL short LogonCount;
1016 * IDL short BadPasswdCount;
1018 * IDL long primarygroup;
1019 * IDL long groupcount;
1020 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1021 * IDL long userflags;
1022 * IDL USER_SESSION_KEY key;
1023 * IDL unicodestring logonserver;
1024 * IDL unicodestring domainname;
1025 * IDL [unique] SID logondomainid;
1026 * IDL long expansionroom[10];
1027 * IDL long sidcount;
1028 * IDL [unique] SID_AND_ATTRIBS;
1029 * IDL } VALIDATION_SAM_INFO2;
1032 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1033 packet_info *pinfo, proto_tree *tree,
1038 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1039 hf_netlogon_logon_time);
1041 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1042 hf_netlogon_logoff_time);
1044 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1045 hf_netlogon_kickoff_time);
1047 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1048 hf_netlogon_pwd_last_set_time);
1050 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1051 hf_netlogon_pwd_can_change_time);
1053 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1054 hf_netlogon_pwd_must_change_time);
1056 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1057 hf_netlogon_acct_name, 0);
1059 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1060 hf_netlogon_full_name, 0);
1062 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1063 hf_netlogon_logon_script, 0);
1065 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1066 hf_netlogon_profile_path, 0);
1068 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1069 hf_netlogon_home_dir, 0);
1071 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1072 hf_netlogon_dir_drive, 0);
1074 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1075 hf_netlogon_logon_count16, NULL);
1077 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1078 hf_netlogon_bad_pw_count16, NULL);
1080 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1081 hf_netlogon_user_rid, NULL);
1083 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1084 hf_netlogon_group_rid, NULL);
1086 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1087 hf_netlogon_num_rids, NULL);
1089 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1090 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1091 "GROUP_MEMBERSHIP_ARRAY", -1);
1093 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1094 hf_netlogon_user_flags, NULL);
1096 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1099 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1100 hf_netlogon_logon_srv, 0);
1102 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1103 hf_netlogon_logon_dom, 0);
1105 offset = dissect_ndr_nt_PSID(tvb, offset,
1106 pinfo, tree, drep, -1);
1109 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1110 hf_netlogon_unknown_long, NULL);
1113 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1114 hf_netlogon_num_other_groups, NULL);
1116 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1117 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1118 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1126 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1127 packet_info *pinfo, proto_tree *tree,
1133 di=pinfo->private_data;
1134 if(di->conformant_run){
1135 /*just a run to handle conformant arrays, nothing to dissect */
1139 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1140 hf_netlogon_pac_size, &pac_size);
1142 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1150 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1151 packet_info *pinfo, proto_tree *tree,
1157 di=pinfo->private_data;
1158 if(di->conformant_run){
1159 /*just a run to handle conformant arrays, nothing to dissect */
1163 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1164 hf_netlogon_auth_size, &auth_size);
1166 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1168 offset += auth_size;
1175 * IDL typedef struct {
1177 * IDL [unique][size_is(pac_size)] char *pac;
1178 * IDL UNICODESTRING logondomain;
1179 * IDL UNICODESTRING logonserver;
1180 * IDL UNICODESTRING principalname;
1181 * IDL long auth_size;
1182 * IDL [unique][size_is(auth_size)] char *auth;
1183 * IDL USER_SESSION_KEY user_session_key;
1184 * IDL long expansionroom[10];
1185 * IDL UNICODESTRING dummy1;
1186 * IDL UNICODESTRING dummy2;
1187 * IDL UNICODESTRING dummy3;
1188 * IDL UNICODESTRING dummy4;
1189 * IDL } VALIDATION_PAC_INFO;
1192 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1193 packet_info *pinfo, proto_tree *tree,
1198 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1199 hf_netlogon_pac_size, NULL);
1201 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1202 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1204 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1205 hf_netlogon_logon_dom, 0);
1207 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1208 hf_netlogon_logon_srv, 0);
1210 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1211 hf_netlogon_principal, 0);
1213 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1214 hf_netlogon_auth_size, NULL);
1216 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1217 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1219 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1223 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1224 hf_netlogon_unknown_long, NULL);
1227 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1228 hf_netlogon_dummy, 0);
1230 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1231 hf_netlogon_dummy, 0);
1233 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1234 hf_netlogon_dummy, 0);
1236 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1237 hf_netlogon_dummy, 0);
1244 * IDL typedef [switch_type(short)] union {
1245 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1246 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1247 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1248 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1252 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1253 packet_info *pinfo, proto_tree *tree,
1258 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1259 hf_netlogon_validation_level, &level);
1264 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1265 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1266 "VALIDATION_SAM_INFO:", -1);
1269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1270 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1271 "VALIDATION_SAM_INFO2:", -1);
1274 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1275 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1276 "VALIDATION_PAC_INFO:", -1);
1279 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1280 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1281 "VALIDATION_PAC_INFO:", -1);
1290 * IDL long NetLogonSamLogon(
1291 * IDL [in][unique][string] wchar_t *ServerName,
1292 * IDL [in][unique][string] wchar_t *Workstation,
1293 * IDL [in][unique] AUTHENTICATOR *credential,
1294 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1295 * IDL [in] short LogonLevel,
1296 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1297 * IDL [in] short ValidationLevel,
1298 * IDL [out][ref] VALIDATION *validation,
1299 * IDL [out][ref] boolean Authorative
1303 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1304 packet_info *pinfo, proto_tree *tree, char *drep)
1306 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1309 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1310 NDR_POINTER_UNIQUE, "Computer Name",
1311 hf_netlogon_computer_name, 0);
1313 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1314 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1315 "AUTHENTICATOR: credential", -1);
1317 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1318 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1319 "AUTHENTICATOR: return_authenticator", -1);
1321 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1322 hf_netlogon_level16, NULL);
1324 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1325 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1326 "LEVEL: LogonLevel", -1);
1328 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1329 hf_netlogon_validation_level, NULL);
1335 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1336 packet_info *pinfo, proto_tree *tree, char *drep)
1338 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1339 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1340 "AUTHENTICATOR: return_authenticator", -1);
1342 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1343 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1346 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1347 hf_netlogon_authoritative, NULL);
1349 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1350 hf_netlogon_rc, NULL);
1357 * IDL long NetLogonSamLogoff(
1358 * IDL [in][unique][string] wchar_t *ServerName,
1359 * IDL [in][unique][string] wchar_t *ComputerName,
1360 * IDL [in][unique] AUTHENTICATOR credential,
1361 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1362 * IDL [in] short logon_level,
1363 * IDL [in][ref] LEVEL logoninformation
1367 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1368 packet_info *pinfo, proto_tree *tree, char *drep)
1370 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1373 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1374 NDR_POINTER_UNIQUE, "Computer Name",
1375 hf_netlogon_computer_name, 0);
1377 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1378 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1379 "AUTHENTICATOR: credential", -1);
1381 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1382 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1383 "AUTHENTICATOR: return_authenticator", -1);
1385 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1386 hf_netlogon_level16, NULL);
1388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1389 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1390 "LEVEL: logoninformation", -1);
1395 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1396 packet_info *pinfo, proto_tree *tree, char *drep)
1399 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1400 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1401 "AUTHENTICATOR: return_authenticator", -1);
1403 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1404 hf_netlogon_rc, NULL);
1411 * IDL long NetServerReqChallenge(
1412 * IDL [in][unique][string] wchar_t *ServerName,
1413 * IDL [in][ref][string] wchar_t *ComputerName,
1414 * IDL [in][ref] CREDENTIAL client_credential,
1415 * IDL [out][ref] CREDENTIAL server_credential
1419 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1420 packet_info *pinfo, proto_tree *tree, char *drep)
1422 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1425 offset = dissect_ndr_pointer_cb(
1426 tvb, offset, pinfo, tree, drep,
1427 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1428 "Computer Name", hf_netlogon_computer_name,
1429 cb_wstr_postprocess,
1430 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1432 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1433 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1434 "CREDENTIAL: client challenge", -1);
1439 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1440 packet_info *pinfo, proto_tree *tree, char *drep)
1442 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1443 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1444 "CREDENTIAL: server credential", -1);
1446 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1447 hf_netlogon_rc, NULL);
1454 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1455 packet_info *pinfo, proto_tree *tree,
1458 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1459 hf_netlogon_secure_channel_type, NULL);
1466 * IDL long NetServerAuthenticate(
1467 * IDL [in][unique][string] wchar_t *ServerName,
1468 * IDL [in][ref][string] wchar_t *UserName,
1469 * IDL [in] short secure_challenge_type,
1470 * IDL [in][ref][string] wchar_t *ComputerName,
1471 * IDL [in][ref] CREDENTIAL client_challenge,
1472 * IDL [out][ref] CREDENTIAL server_challenge
1476 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1477 packet_info *pinfo, proto_tree *tree, char *drep)
1479 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1482 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1483 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1485 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1488 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1489 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1491 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1492 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1493 "CREDENTIAL: client challenge", -1);
1498 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1499 packet_info *pinfo, proto_tree *tree, char *drep)
1501 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1502 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1503 "CREDENTIAL: server challenge", -1);
1505 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1506 hf_netlogon_rc, NULL);
1514 * IDL typedef struct {
1515 * IDL char encrypted_password[16];
1516 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1519 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1520 packet_info *pinfo, proto_tree *tree,
1525 di=pinfo->private_data;
1526 if(di->conformant_run){
1527 /*just a run to handle conformant arrays, nothing to dissect.*/
1531 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1539 * IDL long NetServerPasswordSet(
1540 * IDL [in][unique][string] wchar_t *ServerName,
1541 * IDL [in][ref][string] wchar_t *UserName,
1542 * IDL [in] short secure_challenge_type,
1543 * IDL [in][ref][string] wchar_t *ComputerName,
1544 * IDL [in][ref] AUTHENTICATOR credential,
1545 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1546 * IDL [out][ref] AUTHENTICATOR return_authenticator
1550 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1551 packet_info *pinfo, proto_tree *tree, char *drep)
1553 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1556 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1557 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1559 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1562 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1563 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1565 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1566 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1567 "AUTHENTICATOR: credential", -1);
1569 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1570 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1571 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
1576 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1577 packet_info *pinfo, proto_tree *tree, char *drep)
1579 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1580 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1581 "AUTHENTICATOR: return_authenticator", -1);
1583 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1584 hf_netlogon_rc, NULL);
1591 * IDL typedef struct {
1592 * IDL [unique][string] wchar_t *UserName;
1593 * IDL UNICODESTRING dummy1;
1594 * IDL UNICODESTRING dummy2;
1595 * IDL UNICODESTRING dummy3;
1596 * IDL UNICODESTRING dummy4;
1601 * IDL } DELTA_DELETE_USER;
1604 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1605 packet_info *pinfo, proto_tree *tree,
1608 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1609 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
1611 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1612 hf_netlogon_dummy, 0);
1614 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1615 hf_netlogon_dummy, 0);
1617 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1618 hf_netlogon_dummy, 0);
1620 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1621 hf_netlogon_dummy, 0);
1623 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1624 hf_netlogon_reserved, NULL);
1626 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1627 hf_netlogon_reserved, NULL);
1629 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1630 hf_netlogon_reserved, NULL);
1632 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1633 hf_netlogon_reserved, NULL);
1640 * IDL typedef struct {
1641 * IDL bool SensitiveDataFlag;
1642 * IDL long DataLength;
1643 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1644 * IDL } USER_PRIVATE_INFO;
1647 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1648 packet_info *pinfo, proto_tree *tree,
1654 di=pinfo->private_data;
1655 if(di->conformant_run){
1656 /*just a run to handle conformant arrays, nothing to dissect */
1660 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1661 hf_netlogon_sensitive_data_len, &data_len);
1663 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
1670 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1671 packet_info *pinfo, proto_tree *tree,
1674 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1675 hf_netlogon_sensitive_data_flag, NULL);
1677 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1678 hf_netlogon_sensitive_data_len, NULL);
1680 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1681 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1682 "SENSITIVE_DATA", -1);
1688 * IDL typedef struct {
1689 * IDL UNICODESTRING UserName;
1690 * IDL UNICODESTRING FullName;
1692 * IDL long PrimaryGroupID;
1693 * IDL UNICODESTRING HomeDir;
1694 * IDL UNICODESTRING HomeDirDrive;
1695 * IDL UNICODESTRING LogonScript;
1696 * IDL UNICODESTRING Comment;
1697 * IDL UNICODESTRING Workstations;
1698 * IDL NTTIME LastLogon;
1699 * IDL NTTIME LastLogoff;
1700 * IDL LOGON_HOURS logonhours;
1701 * IDL short BadPwCount;
1702 * IDL short LogonCount;
1703 * IDL NTTIME PwLastSet;
1704 * IDL NTTIME AccountExpires;
1705 * IDL long AccountControl;
1706 * IDL LM_OWF_PASSWORD lmpw;
1707 * IDL NT_OWF_PASSWORD ntpw;
1708 * IDL bool NTPwPresent;
1709 * IDL bool LMPwPresent;
1710 * IDL bool PwExpired;
1711 * IDL UNICODESTRING UserComment;
1712 * IDL UNICODESTRING Parameters;
1713 * IDL short CountryCode;
1714 * IDL short CodePage;
1715 * IDL USER_PRIVATE_INFO user_private_info;
1716 * IDL long SecurityInformation;
1717 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1718 * IDL UNICODESTRING dummy1;
1719 * IDL UNICODESTRING dummy2;
1720 * IDL UNICODESTRING dummy3;
1721 * IDL UNICODESTRING dummy4;
1729 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1730 packet_info *pinfo, proto_tree *tree,
1733 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1734 hf_netlogon_acct_name, 0);
1736 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1737 hf_netlogon_full_name, 0);
1739 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1740 hf_netlogon_user_rid, NULL);
1742 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1743 hf_netlogon_group_rid, NULL);
1745 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1746 hf_netlogon_home_dir, 0);
1748 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1749 hf_netlogon_dir_drive, 0);
1751 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1752 hf_netlogon_logon_script, 0);
1754 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1755 hf_netlogon_acct_desc, 0);
1757 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1758 hf_netlogon_workstations, 0);
1760 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1761 hf_netlogon_logon_time);
1763 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1764 hf_netlogon_logoff_time);
1766 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1768 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_bad_pw_count16, NULL);
1771 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1772 hf_netlogon_logon_count16, NULL);
1774 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1775 hf_netlogon_pwd_last_set_time);
1777 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1778 hf_netlogon_acct_expiry_time);
1780 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
1782 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1785 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1788 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1789 hf_netlogon_nt_pwd_present, NULL);
1791 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1792 hf_netlogon_lm_pwd_present, NULL);
1794 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1795 hf_netlogon_pwd_expired, NULL);
1797 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1798 hf_netlogon_comment, 0);
1800 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1801 hf_netlogon_parameters, 0);
1803 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1804 hf_netlogon_country, NULL);
1806 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1807 hf_netlogon_codepage, NULL);
1809 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1812 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1813 hf_netlogon_security_information, NULL);
1815 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1818 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1819 hf_netlogon_dummy, 0);
1821 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1822 hf_netlogon_dummy, 0);
1824 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1825 hf_netlogon_dummy, 0);
1827 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1828 hf_netlogon_dummy, 0);
1830 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1831 hf_netlogon_reserved, NULL);
1833 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1834 hf_netlogon_reserved, NULL);
1836 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1837 hf_netlogon_reserved, NULL);
1839 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1840 hf_netlogon_reserved, NULL);
1847 * IDL typedef struct {
1848 * IDL UNICODESTRING DomainName;
1849 * IDL UNICODESTRING OEMInfo;
1850 * IDL NTTIME forcedlogoff;
1851 * IDL short minpasswdlen;
1852 * IDL short passwdhistorylen;
1853 * IDL NTTIME pwd_must_change_time;
1854 * IDL NTTIME pwd_can_change_time;
1855 * IDL NTTIME domain_modify_time;
1856 * IDL NTTIME domain_create_time;
1857 * IDL long SecurityInformation;
1858 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1859 * IDL UNICODESTRING dummy1;
1860 * IDL UNICODESTRING dummy2;
1861 * IDL UNICODESTRING dummy3;
1862 * IDL UNICODESTRING dummy4;
1867 * IDL } DELTA_DOMAIN;
1870 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1871 packet_info *pinfo, proto_tree *tree,
1874 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1875 hf_netlogon_domain_name, 1);
1877 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1878 hf_netlogon_oem_info, 0);
1880 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1881 hf_netlogon_kickoff_time);
1883 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1884 hf_netlogon_minpasswdlen, NULL);
1886 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1887 hf_netlogon_passwdhistorylen, NULL);
1889 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1890 hf_netlogon_pwd_must_change_time);
1892 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1893 hf_netlogon_pwd_can_change_time);
1895 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1896 hf_netlogon_domain_modify_time);
1898 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1899 hf_netlogon_domain_create_time);
1901 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1902 hf_netlogon_security_information, NULL);
1904 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1907 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1908 hf_netlogon_dummy, 0);
1910 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1911 hf_netlogon_dummy, 0);
1913 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1914 hf_netlogon_dummy, 0);
1916 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1917 hf_netlogon_dummy, 0);
1919 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1920 hf_netlogon_reserved, NULL);
1922 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1923 hf_netlogon_reserved, NULL);
1925 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1926 hf_netlogon_reserved, NULL);
1928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1929 hf_netlogon_reserved, NULL);
1936 * IDL typedef struct {
1937 * IDL UNICODESTRING groupname;
1938 * IDL GROUP_MEMBERSHIP group_membership;
1939 * IDL UNICODESTRING comment;
1940 * IDL long SecurityInformation;
1941 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1942 * IDL UNICODESTRING dummy1;
1943 * IDL UNICODESTRING dummy2;
1944 * IDL UNICODESTRING dummy3;
1945 * IDL UNICODESTRING dummy4;
1950 * IDL } DELTA_GROUP;
1953 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1954 packet_info *pinfo, proto_tree *tree,
1957 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1958 hf_netlogon_group_name, 0);
1960 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1963 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1964 hf_netlogon_group_desc, 0);
1966 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1967 hf_netlogon_security_information, NULL);
1969 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1972 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1973 hf_netlogon_dummy, 0);
1975 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1976 hf_netlogon_dummy, 0);
1978 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1979 hf_netlogon_dummy, 0);
1981 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1982 hf_netlogon_dummy, 0);
1984 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1985 hf_netlogon_reserved, NULL);
1987 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1988 hf_netlogon_reserved, NULL);
1990 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1991 hf_netlogon_reserved, NULL);
1993 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1994 hf_netlogon_reserved, NULL);
2001 * IDL typedef struct {
2002 * IDL UNICODESTRING OldName;
2003 * IDL UNICODESTRING NewName;
2004 * IDL UNICODESTRING dummy1;
2005 * IDL UNICODESTRING dummy2;
2006 * IDL UNICODESTRING dummy3;
2007 * IDL UNICODESTRING dummy4;
2012 * IDL } DELTA_RENAME;
2015 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2016 packet_info *pinfo, proto_tree *tree,
2021 di=pinfo->private_data;
2023 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2026 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2029 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2030 hf_netlogon_dummy, 0);
2032 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2033 hf_netlogon_dummy, 0);
2035 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2036 hf_netlogon_dummy, 0);
2038 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2039 hf_netlogon_dummy, 0);
2041 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2042 hf_netlogon_reserved, NULL);
2044 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2045 hf_netlogon_reserved, NULL);
2047 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2048 hf_netlogon_reserved, NULL);
2050 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2051 hf_netlogon_reserved, NULL);
2058 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2059 packet_info *pinfo, proto_tree *tree,
2062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2063 hf_netlogon_user_rid, NULL);
2069 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2070 packet_info *pinfo, proto_tree *tree,
2073 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2074 netlogon_dissect_RID);
2080 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2081 packet_info *pinfo, proto_tree *tree,
2084 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2085 hf_netlogon_attrs, NULL);
2091 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2092 packet_info *pinfo, proto_tree *tree,
2095 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2096 netlogon_dissect_ATTRIB);
2102 * IDL typedef struct {
2103 * IDL [unique][size_is(num_rids)] long *rids;
2104 * IDL [unique][size_is(num_rids)] long *attribs;
2105 * IDL long num_rids;
2110 * IDL } DELTA_GROUP_MEMBER;
2113 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2114 packet_info *pinfo, proto_tree *tree,
2117 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2118 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2121 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2122 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2125 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2126 hf_netlogon_num_rids, NULL);
2128 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2129 hf_netlogon_reserved, NULL);
2131 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2132 hf_netlogon_reserved, NULL);
2134 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2135 hf_netlogon_reserved, NULL);
2137 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2138 hf_netlogon_reserved, NULL);
2145 * IDL typedef struct {
2146 * IDL UNICODESTRING alias_name;
2148 * IDL long SecurityInformation;
2149 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2150 * IDL UNICODESTRING dummy1;
2151 * IDL UNICODESTRING dummy2;
2152 * IDL UNICODESTRING dummy3;
2153 * IDL UNICODESTRING dummy4;
2158 * IDL } DELTA_ALIAS;
2161 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2162 packet_info *pinfo, proto_tree *tree,
2165 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2166 hf_netlogon_alias_name, 0);
2168 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2169 hf_netlogon_alias_rid, NULL);
2171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2172 hf_netlogon_security_information, NULL);
2174 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2177 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2178 hf_netlogon_dummy, 0);
2180 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2181 hf_netlogon_dummy, 0);
2183 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2184 hf_netlogon_dummy, 0);
2186 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2187 hf_netlogon_dummy, 0);
2189 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2190 hf_netlogon_reserved, NULL);
2192 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2193 hf_netlogon_reserved, NULL);
2195 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2196 hf_netlogon_reserved, NULL);
2198 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2199 hf_netlogon_reserved, NULL);
2206 * IDL typedef struct {
2207 * IDL [unique] SID_ARRAY sids;
2212 * IDL } DELTA_ALIAS_MEMBER;
2215 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2216 packet_info *pinfo, proto_tree *tree,
2219 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2221 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2222 hf_netlogon_reserved, NULL);
2224 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2225 hf_netlogon_reserved, NULL);
2227 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2228 hf_netlogon_reserved, NULL);
2230 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2231 hf_netlogon_reserved, NULL);
2238 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2239 packet_info *pinfo, proto_tree *tree,
2242 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2243 hf_netlogon_event_audit_option, NULL);
2249 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2250 packet_info *pinfo, proto_tree *tree,
2253 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2254 netlogon_dissect_EVENT_AUDIT_OPTION);
2261 * IDL typedef struct {
2262 * IDL long pagedpoollimit;
2263 * IDL long nonpagedpoollimit;
2264 * IDL long minimumworkingsetsize;
2265 * IDL long maximumworkingsetsize;
2266 * IDL long pagefilelimit;
2267 * IDL NTTIME timelimit;
2268 * IDL } QUOTA_LIMITS;
2271 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2272 packet_info *pinfo, proto_tree *parent_tree,
2275 proto_item *item=NULL;
2276 proto_tree *tree=NULL;
2277 int old_offset=offset;
2280 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2282 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2285 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2286 hf_netlogon_pagedpoollimit, NULL);
2288 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2289 hf_netlogon_nonpagedpoollimit, NULL);
2291 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2292 hf_netlogon_minworkingsetsize, NULL);
2294 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2295 hf_netlogon_maxworkingsetsize, NULL);
2297 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2298 hf_netlogon_pagefilelimit, NULL);
2300 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2301 hf_netlogon_timelimit);
2303 proto_item_set_len(item, offset-old_offset);
2309 * IDL typedef struct {
2310 * IDL long maxlogsize;
2311 * IDL NTTIME auditretentionperiod;
2312 * IDL bool auditingmode;
2313 * IDL long maxauditeventcount;
2314 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2315 * IDL UNICODESTRING primarydomainname;
2316 * IDL [unique] SID *sid;
2317 * IDL QUOTA_LIMITS quota_limits;
2318 * IDL NTTIME db_modify_time;
2319 * IDL NTTIME db_create_time;
2320 * IDL long SecurityInformation;
2321 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2322 * IDL UNICODESTRING dummy1;
2323 * IDL UNICODESTRING dummy2;
2324 * IDL UNICODESTRING dummy3;
2325 * IDL UNICODESTRING dummy4;
2330 * IDL } DELTA_POLICY;
2333 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2334 packet_info *pinfo, proto_tree *tree,
2337 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2338 hf_netlogon_max_log_size, NULL);
2340 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2341 hf_netlogon_audit_retention_period);
2343 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2344 hf_netlogon_auditing_mode, NULL);
2346 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2347 hf_netlogon_max_audit_event_count, NULL);
2349 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2350 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2351 "Event Audit Options:", -1);
2353 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2354 hf_netlogon_domain_name, 0);
2356 offset = dissect_ndr_nt_PSID(tvb, offset,
2357 pinfo, tree, drep, -1);
2359 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2362 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2363 hf_netlogon_db_modify_time);
2365 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2366 hf_netlogon_db_create_time);
2368 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2369 hf_netlogon_security_information, NULL);
2371 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2374 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2375 hf_netlogon_dummy, 0);
2377 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2378 hf_netlogon_dummy, 0);
2380 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2381 hf_netlogon_dummy, 0);
2383 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2384 hf_netlogon_dummy, 0);
2386 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2387 hf_netlogon_reserved, NULL);
2389 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2390 hf_netlogon_reserved, NULL);
2392 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2393 hf_netlogon_reserved, NULL);
2395 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2396 hf_netlogon_reserved, NULL);
2403 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2404 packet_info *pinfo, proto_tree *tree,
2407 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2408 hf_netlogon_dc_name, 0);
2414 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2415 packet_info *pinfo, proto_tree *tree,
2418 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2419 netlogon_dissect_CONTROLLER);
2426 * IDL typedef struct {
2427 * IDL UNICODESTRING DomainName;
2428 * IDL long num_controllers;
2429 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2430 * IDL long SecurityInformation;
2431 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2432 * IDL UNICODESTRING dummy1;
2433 * IDL UNICODESTRING dummy2;
2434 * IDL UNICODESTRING dummy3;
2435 * IDL UNICODESTRING dummy4;
2440 * IDL } DELTA_TRUSTED_DOMAINS;
2443 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2444 packet_info *pinfo, proto_tree *tree,
2447 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2448 hf_netlogon_domain_name, 0);
2450 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2451 hf_netlogon_num_controllers, NULL);
2453 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2454 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2455 "Domain Controllers:", -1);
2457 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2458 hf_netlogon_security_information, NULL);
2460 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2463 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2464 hf_netlogon_dummy, 0);
2466 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2467 hf_netlogon_dummy, 0);
2469 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2470 hf_netlogon_dummy, 0);
2472 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2473 hf_netlogon_dummy, 0);
2475 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2476 hf_netlogon_reserved, NULL);
2478 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2479 hf_netlogon_reserved, NULL);
2481 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2482 hf_netlogon_reserved, NULL);
2484 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2485 hf_netlogon_reserved, NULL);
2492 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2493 packet_info *pinfo, proto_tree *tree,
2496 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2497 hf_netlogon_attrs, NULL);
2503 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2504 packet_info *pinfo, proto_tree *tree,
2507 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2508 netlogon_dissect_PRIV_ATTR);
2514 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2515 packet_info *pinfo, proto_tree *tree,
2518 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2519 hf_netlogon_privilege_name, 1);
2525 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2526 packet_info *pinfo, proto_tree *tree,
2529 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2530 netlogon_dissect_PRIV_NAME);
2538 * IDL typedef struct {
2539 * IDL long privilegeentries;
2540 * IDL long provolegecontrol;
2541 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2542 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2543 * IDL QUOTALIMITS quotalimits;
2544 * IDL long SecurityInformation;
2545 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2546 * IDL UNICODESTRING dummy1;
2547 * IDL UNICODESTRING dummy2;
2548 * IDL UNICODESTRING dummy3;
2549 * IDL UNICODESTRING dummy4;
2554 * IDL } DELTA_ACCOUNTS;
2557 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2558 packet_info *pinfo, proto_tree *tree,
2561 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2562 hf_netlogon_privilege_entries, NULL);
2564 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2565 hf_netlogon_privilege_control, NULL);
2567 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2568 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2569 "PRIV_ATTR_ARRAY:", -1);
2571 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2572 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2573 "PRIV_NAME_ARRAY:", -1);
2575 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2578 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2579 hf_netlogon_systemflags, NULL);
2581 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2582 hf_netlogon_security_information, NULL);
2584 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2587 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2588 hf_netlogon_dummy, 0);
2590 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2591 hf_netlogon_dummy, 0);
2593 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2594 hf_netlogon_dummy, 0);
2596 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2597 hf_netlogon_dummy, 0);
2599 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2600 hf_netlogon_reserved, NULL);
2602 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2603 hf_netlogon_reserved, NULL);
2605 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2606 hf_netlogon_reserved, NULL);
2608 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2609 hf_netlogon_reserved, NULL);
2615 * IDL typedef struct {
2618 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2619 * IDL } CIPHER_VALUE;
2622 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2623 packet_info *pinfo, proto_tree *tree,
2629 di=pinfo->private_data;
2630 if(di->conformant_run){
2631 /*just a run to handle conformant arrays, nothing to dissect */
2635 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2636 hf_netlogon_cipher_maxlen, NULL);
2641 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2642 hf_netlogon_cipher_len, &data_len);
2644 proto_tree_add_item(tree, di->hf_index, tvb, offset,
2651 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2652 packet_info *pinfo, proto_tree *parent_tree,
2653 char *drep, char *name, int hf_index)
2655 proto_item *item=NULL;
2656 proto_tree *tree=NULL;
2657 int old_offset=offset;
2660 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2662 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2665 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2666 hf_netlogon_cipher_len, NULL);
2668 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2669 hf_netlogon_cipher_maxlen, NULL);
2671 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2672 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
2675 proto_item_set_len(item, offset-old_offset);
2680 * IDL typedef struct {
2681 * IDL CIPHER_VALUE current_cipher;
2682 * IDL NTTIME current_cipher_set_time;
2683 * IDL CIPHER_VALUE old_cipher;
2684 * IDL NTTIME old_cipher_set_time;
2685 * IDL long SecurityInformation;
2686 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2687 * IDL UNICODESTRING dummy1;
2688 * IDL UNICODESTRING dummy2;
2689 * IDL UNICODESTRING dummy3;
2690 * IDL UNICODESTRING dummy4;
2695 * IDL } DELTA_SECRET;
2698 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2699 packet_info *pinfo, proto_tree *tree,
2702 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2704 "CIPHER_VALUE: current cipher value",
2705 hf_netlogon_cipher_current_data);
2707 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2708 hf_netlogon_cipher_current_set_time);
2710 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2712 "CIPHER_VALUE: old cipher value",
2713 hf_netlogon_cipher_old_data);
2715 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2716 hf_netlogon_cipher_old_set_time);
2718 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2719 hf_netlogon_security_information, NULL);
2721 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2724 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2725 hf_netlogon_dummy, 0);
2727 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2728 hf_netlogon_dummy, 0);
2730 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2731 hf_netlogon_dummy, 0);
2733 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2734 hf_netlogon_dummy, 0);
2736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2737 hf_netlogon_reserved, NULL);
2739 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2740 hf_netlogon_reserved, NULL);
2742 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2743 hf_netlogon_reserved, NULL);
2745 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2746 hf_netlogon_reserved, NULL);
2752 * IDL typedef struct {
2753 * IDL long low_value;
2754 * IDL long high_value;
2758 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2759 packet_info *pinfo, proto_tree *tree,
2762 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2763 hf_netlogon_modify_count, NULL);
2769 #define DT_DELTA_DOMAIN 1
2770 #define DT_DELTA_GROUP 2
2771 #define DT_DELTA_RENAME_GROUP 4
2772 #define DT_DELTA_USER 5
2773 #define DT_DELTA_RENAME_USER 7
2774 #define DT_DELTA_GROUP_MEMBER 8
2775 #define DT_DELTA_ALIAS 9
2776 #define DT_DELTA_RENAME_ALIAS 11
2777 #define DT_DELTA_ALIAS_MEMBER 12
2778 #define DT_DELTA_POLICY 13
2779 #define DT_DELTA_TRUSTED_DOMAINS 14
2780 #define DT_DELTA_ACCOUNTS 16
2781 #define DT_DELTA_SECRET 18
2782 #define DT_DELTA_DELETE_GROUP 20
2783 #define DT_DELTA_DELETE_USER 21
2784 #define DT_MODIFIED_COUNT 22
2785 static const value_string delta_type_vals[] = {
2786 { DT_DELTA_DOMAIN, "Domain" },
2787 { DT_DELTA_GROUP, "Group" },
2788 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2789 { DT_DELTA_USER, "User" },
2790 { DT_DELTA_RENAME_USER, "Rename User" },
2791 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2792 { DT_DELTA_ALIAS, "Alias" },
2793 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2794 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2795 { DT_DELTA_POLICY, "Policy" },
2796 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2797 { DT_DELTA_ACCOUNTS, "Accounts" },
2798 { DT_DELTA_SECRET, "Secret" },
2799 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2800 { DT_DELTA_DELETE_USER, "Delete User" },
2801 { DT_MODIFIED_COUNT, "Modified Count" },
2805 * IDL typedef [switch_type(short)] union {
2806 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2807 * IDL [case(2)][unique] DELTA_GROUP *group;
2808 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2809 * IDL [case(5)][unique] DELTA_USER *user;
2810 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2811 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2812 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2813 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2814 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2815 * IDL [case(13)][unique] DELTA_POLICY *policy;
2816 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2817 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2818 * IDL [case(18)][unique] DELTA_SECRET *secret;
2819 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2820 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2821 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2822 * IDL } DELTA_UNION;
2825 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2826 packet_info *pinfo, proto_tree *parent_tree,
2829 proto_item *item=NULL;
2830 proto_tree *tree=NULL;
2831 int old_offset=offset;
2835 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2837 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2840 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2841 hf_netlogon_delta_type, &level);
2846 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2847 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2848 "DELTA_DOMAIN:", -1);
2851 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2852 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2853 "DELTA_GROUP:", -1);
2856 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2857 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2858 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
2861 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2862 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2866 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2867 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2868 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
2871 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2872 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2873 "DELTA_GROUP_MEMBER:", -1);
2876 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2877 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2878 "DELTA_ALIAS:", -1);
2881 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2882 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2883 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
2886 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2887 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2888 "DELTA_ALIAS_MEMBER:", -1);
2891 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2892 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2893 "DELTA_POLICY:", -1);
2896 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2897 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2898 "DELTA_TRUSTED_DOMAINS:", -1);
2901 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2902 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2903 "DELTA_ACCOUNTS:", -1);
2906 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2907 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2908 "DELTA_SECRET:", -1);
2911 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2912 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2913 "DELTA_DELETE_GROUP:", -1);
2916 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2917 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2918 "DELTA_DELETE_USER:", -1);
2921 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2922 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2923 "MODIFIED_COUNT:", -1);
2927 proto_item_set_len(item, offset-old_offset);
2933 /* IDL XXX must verify this one, especially 13-19
2934 * IDL typedef [switch_type(short)] union {
2935 * IDL [case(1)] long rid;
2936 * IDL [case(2)] long rid;
2937 * IDL [case(3)] long rid;
2938 * IDL [case(4)] long rid;
2939 * IDL [case(5)] long rid;
2940 * IDL [case(6)] long rid;
2941 * IDL [case(7)] long rid;
2942 * IDL [case(8)] long rid;
2943 * IDL [case(9)] long rid;
2944 * IDL [case(10)] long rid;
2945 * IDL [case(11)] long rid;
2946 * IDL [case(12)] long rid;
2947 * IDL [case(13)] [unique] SID *sid;
2948 * IDL [case(14)] [unique] SID *sid;
2949 * IDL [case(15)] [unique] SID *sid;
2950 * IDL [case(16)] [unique] SID *sid;
2951 * IDL [case(17)] [unique] SID *sid;
2952 * IDL [case(18)] [unique][string] wchar_t *Name ;
2953 * IDL [case(19)] [unique][string] wchar_t *Name ;
2954 * IDL [case(20)] long rid;
2955 * IDL [case(21)] long rid;
2956 * IDL } DELTA_ID_UNION;
2959 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2960 packet_info *pinfo, proto_tree *parent_tree,
2963 proto_item *item=NULL;
2964 proto_tree *tree=NULL;
2965 int old_offset=offset;
2969 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2971 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2974 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2975 hf_netlogon_level16, &level);
2980 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2981 hf_netlogon_user_rid, NULL);
2984 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2985 hf_netlogon_user_rid, NULL);
2988 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2989 hf_netlogon_user_rid, NULL);
2992 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2993 hf_netlogon_user_rid, NULL);
2996 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2997 hf_netlogon_user_rid, NULL);
3000 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3001 hf_netlogon_user_rid, NULL);
3004 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3005 hf_netlogon_user_rid, NULL);
3008 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3009 hf_netlogon_user_rid, NULL);
3012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3013 hf_netlogon_user_rid, NULL);
3016 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3017 hf_netlogon_user_rid, NULL);
3020 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3021 hf_netlogon_user_rid, NULL);
3024 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3025 hf_netlogon_user_rid, NULL);
3028 offset = dissect_ndr_nt_PSID(tvb, offset,
3029 pinfo, tree, drep, -1);
3032 offset = dissect_ndr_nt_PSID(tvb, offset,
3033 pinfo, tree, drep, -1);
3036 offset = dissect_ndr_nt_PSID(tvb, offset,
3037 pinfo, tree, drep, -1);
3040 offset = dissect_ndr_nt_PSID(tvb, offset,
3041 pinfo, tree, drep, -1);
3044 offset = dissect_ndr_nt_PSID(tvb, offset,
3045 pinfo, tree, drep, -1);
3048 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3049 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3050 hf_netlogon_unknown_string, 0);
3053 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3054 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3055 hf_netlogon_unknown_string, 0);
3058 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3059 hf_netlogon_user_rid, NULL);
3062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3063 hf_netlogon_user_rid, NULL);
3067 proto_item_set_len(item, offset-old_offset);
3072 * IDL typedef struct {
3073 * IDL short delta_type;
3074 * IDL DELTA_ID_UNION delta_id_union;
3075 * IDL DELTA_UNION delta_union;
3079 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3080 packet_info *pinfo, proto_tree *parent_tree,
3083 proto_item *item=NULL;
3084 proto_tree *tree=NULL;
3085 int old_offset=offset;
3088 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3090 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3093 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3094 hf_netlogon_delta_type, NULL);
3096 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3099 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3102 proto_item_set_len(item, offset-old_offset);
3107 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3108 packet_info *pinfo, proto_tree *tree,
3111 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3112 netlogon_dissect_DELTA_ENUM);
3118 * IDL typedef struct {
3119 * IDL long num_deltas;
3120 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3121 * IDL } DELTA_ENUM_ARRAY;
3124 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3125 packet_info *pinfo, proto_tree *tree,
3128 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3129 hf_netlogon_num_deltas, NULL);
3131 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3132 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3133 "DELTA_ENUM: deltas", -1);
3140 * IDL long NetDatabaseDeltas(
3141 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3142 * IDL [in][string][ref] wchar_t *computername,
3143 * IDL [in][ref] AUTHENTICATOR credential,
3144 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3145 * IDL [in] long database_id,
3146 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3147 * IDL [in] long preferredmaximumlength,
3148 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3152 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3153 packet_info *pinfo, proto_tree *tree, char *drep)
3155 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3156 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3158 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3159 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3161 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3162 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3163 "AUTHENTICATOR: credential", -1);
3165 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3166 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3167 "AUTHENTICATOR: return_authenticator", -1);
3169 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3170 hf_netlogon_database_id, NULL);
3172 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3173 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3174 "MODIFIED_COUNT: domain modified count", -1);
3176 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3177 hf_netlogon_max_size, NULL);
3182 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3183 packet_info *pinfo, proto_tree *tree, char *drep)
3185 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3186 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3187 "AUTHENTICATOR: return_authenticator", -1);
3189 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3190 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3191 "MODIFIED_COUNT: domain modified count", -1);
3193 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3194 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3195 "DELTA_ENUM_ARRAY: deltas", -1);
3197 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3198 hf_netlogon_rc, NULL);
3205 * IDL long NetDatabaseSync(
3206 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3207 * IDL [in][string][ref] wchar_t *computername,
3208 * IDL [in][ref] AUTHENTICATOR credential,
3209 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3210 * IDL [in] long database_id,
3211 * IDL [in][out][ref] long sync_context,
3212 * IDL [in] long preferredmaximumlength,
3213 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3217 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3218 packet_info *pinfo, proto_tree *tree, char *drep)
3220 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3221 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3223 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3224 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3226 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3227 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3228 "AUTHENTICATOR: credential", -1);
3230 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3231 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3232 "AUTHENTICATOR: return_authenticator", -1);
3234 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3235 hf_netlogon_database_id, NULL);
3237 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3238 hf_netlogon_sync_context, NULL);
3240 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3241 hf_netlogon_max_size, NULL);
3248 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3249 packet_info *pinfo, proto_tree *tree, char *drep)
3251 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3252 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3253 "AUTHENTICATOR: return_authenticator", -1);
3255 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3256 hf_netlogon_sync_context, NULL);
3258 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3259 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3260 "DELTA_ENUM_ARRAY: deltas", -1);
3262 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3263 hf_netlogon_rc, NULL);
3269 * IDL typedef struct {
3270 * IDL char computer_name[16];
3271 * IDL long timecreated;
3272 * IDL long serial_number;
3276 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3277 packet_info *pinfo, proto_tree *tree,
3282 di=pinfo->private_data;
3283 if(di->conformant_run){
3284 /*just a run to handle conformant arrays, nothing to dissect */
3288 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3291 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3294 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3295 hf_netlogon_serial_number, NULL);
3302 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3303 packet_info *pinfo, proto_tree *tree,
3306 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3307 hf_netlogon_unknown_char, NULL);
3313 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3314 packet_info *pinfo, proto_tree *tree,
3317 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3318 netlogon_dissect_BYTE_byte);
3324 * IDL long NetAccountDelta(
3325 * IDL [in][string][unique] wchar_t *logonserver,
3326 * IDL [in][string][ref] wchar_t *computername,
3327 * IDL [in][ref] AUTHENTICATOR credential,
3328 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3329 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3330 * IDL [out][ref] long count_returned,
3331 * IDL [out][ref] long total_entries,
3332 * IDL [in][out][ref] UAS_INFO_0 recordid,
3333 * IDL [in][long] count,
3334 * IDL [in][long] level,
3335 * IDL [in][long] buffersize,
3339 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
3340 packet_info *pinfo, proto_tree *tree, char *drep)
3342 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3345 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3346 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3348 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3349 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3350 "AUTHENTICATOR: credential", -1);
3352 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3353 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3354 "AUTHENTICATOR: return_authenticator", -1);
3356 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3357 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3358 "UAS_INFO_0: RecordID", -1);
3360 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3361 hf_netlogon_count, NULL);
3363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3364 hf_netlogon_level, NULL);
3366 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3367 hf_netlogon_max_size, NULL);
3372 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
3373 packet_info *pinfo, proto_tree *tree, char *drep)
3375 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3376 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3377 "AUTHENTICATOR: return_authenticator", -1);
3379 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3380 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3381 "BYTE_array: Buffer", -1);
3383 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3384 hf_netlogon_count, NULL);
3386 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3387 hf_netlogon_entries, NULL);
3389 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3390 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3391 "UAS_INFO_0: RecordID", -1);
3393 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3394 hf_netlogon_rc, NULL);
3401 * IDL long NetAccountDelta(
3402 * IDL [in][string][unique] wchar_t *logonserver,
3403 * IDL [in][string][ref] wchar_t *computername,
3404 * IDL [in][ref] AUTHENTICATOR credential,
3405 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3406 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3407 * IDL [out][ref] long count_returned,
3408 * IDL [out][ref] long total_entries,
3409 * IDL [out][ref] long next_reference,
3410 * IDL [in][long] reference,
3411 * IDL [in][long] level,
3412 * IDL [in][long] buffersize,
3413 * IDL [in][out][ref] UAS_INFO_0 recordid,
3417 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
3418 packet_info *pinfo, proto_tree *tree, char *drep)
3420 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3423 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3424 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3426 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3427 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3428 "AUTHENTICATOR: credential", -1);
3430 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3431 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3432 "AUTHENTICATOR: return_authenticator", -1);
3434 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3435 hf_netlogon_reference, NULL);
3437 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3438 hf_netlogon_level, NULL);
3440 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3441 hf_netlogon_max_size, NULL);
3446 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
3447 packet_info *pinfo, proto_tree *tree, char *drep)
3449 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3450 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3451 "AUTHENTICATOR: return_authenticator", -1);
3453 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3454 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3455 "BYTE_array: Buffer", -1);
3457 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3458 hf_netlogon_count, NULL);
3460 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3461 hf_netlogon_entries, NULL);
3463 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3464 hf_netlogon_next_reference, NULL);
3466 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3467 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3468 "UAS_INFO_0: RecordID", -1);
3470 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3471 hf_netlogon_rc, NULL);
3478 * IDL long NetGetDCName(
3479 * IDL [in][ref][string] wchar_t *logon_server,
3480 * IDL [in][unique][string] wchar_t *domainname,
3481 * IDL [out][unique][string] wchar_t *dcname,
3485 netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
3486 packet_info *pinfo, proto_tree *tree, char *drep)
3488 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3489 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3491 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3492 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3497 netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
3498 packet_info *pinfo, proto_tree *tree, char *drep)
3500 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3501 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3503 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3504 hf_netlogon_rc, NULL);
3512 * IDL typedef struct {
3514 * IDL long pdc_connection_status;
3515 * IDL } NETLOGON_INFO_1;
3518 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3519 packet_info *pinfo, proto_tree *tree,
3522 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3523 hf_netlogon_flags, NULL);
3525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3526 hf_netlogon_pdc_connection_status, NULL);
3533 * IDL typedef struct {
3535 * IDL long pdc_connection_status;
3536 * IDL [unique][string] wchar_t trusted_dc_name;
3537 * IDL long tc_connection_status;
3538 * IDL } NETLOGON_INFO_2;
3541 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3542 packet_info *pinfo, proto_tree *tree,
3545 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3546 hf_netlogon_flags, NULL);
3548 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3549 hf_netlogon_pdc_connection_status, NULL);
3551 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3552 NDR_POINTER_UNIQUE, "Trusted DC Name",
3553 hf_netlogon_trusted_dc_name, 0);
3555 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3556 hf_netlogon_tc_connection_status, NULL);
3563 * IDL typedef struct {
3565 * IDL long logon_attempts;
3566 * IDL long reserved;
3567 * IDL long reserved;
3568 * IDL long reserved;
3569 * IDL long reserved;
3570 * IDL long reserved;
3571 * IDL } NETLOGON_INFO_3;
3574 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3575 packet_info *pinfo, proto_tree *tree,
3578 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3579 hf_netlogon_flags, NULL);
3581 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3582 hf_netlogon_logon_attempts, NULL);
3584 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3585 hf_netlogon_reserved, NULL);
3587 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3588 hf_netlogon_reserved, NULL);
3590 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3591 hf_netlogon_reserved, NULL);
3593 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3594 hf_netlogon_reserved, NULL);
3596 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3597 hf_netlogon_reserved, NULL);
3604 * IDL typedef [switch_type(long)] union {
3605 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3606 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3607 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3608 * IDL } CONTROL_QUERY_INFORMATION;
3611 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3612 packet_info *pinfo, proto_tree *tree,
3617 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3618 hf_netlogon_level, &level);
3623 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3624 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3625 "NETLOGON_INFO_1:", -1);
3628 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3629 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3630 "NETLOGON_INFO_2:", -1);
3633 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3634 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3635 "NETLOGON_INFO_3:", -1);
3644 * IDL long NetLogonControl(
3645 * IDL [in][string][unique] wchar_t *logonserver,
3646 * IDL [in] long function_code,
3647 * IDL [in] long level,
3648 * IDL [out][ref] CONTROL_QUERY_INFORMATION
3652 netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3653 packet_info *pinfo, proto_tree *tree, char *drep)
3655 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3658 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3659 hf_netlogon_code, NULL);
3661 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3662 hf_netlogon_level, NULL);
3667 netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
3668 packet_info *pinfo, proto_tree *tree, char *drep)
3670 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3671 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3672 "CONTROL_QUERY_INFORMATION:", -1);
3674 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3675 hf_netlogon_rc, NULL);
3682 * IDL long NetGetDCName(
3683 * IDL [in][unique][string] wchar_t *logon_server,
3684 * IDL [in][unique][string] wchar_t *domainname,
3685 * IDL [out][unique][string] wchar_t *dcname,
3689 netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
3690 packet_info *pinfo, proto_tree *tree, char *drep)
3692 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3693 NDR_POINTER_UNIQUE, "Server Handle",
3694 hf_netlogon_logonsrv_handle, 0);
3696 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3697 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3702 netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
3703 packet_info *pinfo, proto_tree *tree, char *drep)
3705 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3706 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3708 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3709 hf_netlogon_rc, NULL);
3716 * IDL typedef [switch_type(long)] union {
3717 * IDL [case(5)] [unique][string] wchar_t *unknown;
3718 * IDL [case(6)] [unique][string] wchar_t *unknown;
3719 * IDL [case(0xfffe)] long unknown;
3720 * IDL [case(7)] [unique][string] wchar_t *unknown;
3721 * IDL } CONTROL_DATA_INFORMATION;
3724 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3725 * to look like. However NetMon does not recognize any such informationlevels.
3727 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
3728 * until someone has any source of better authority to call upon.
3731 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3732 packet_info *pinfo, proto_tree *tree,
3737 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3738 hf_netlogon_level, &level);
3743 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3744 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3745 hf_netlogon_unknown_string, 0);
3748 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3749 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3750 hf_netlogon_unknown_string, 0);
3753 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3754 hf_netlogon_unknown_long, NULL);
3757 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3758 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3759 hf_netlogon_unknown_string, 0);
3768 * IDL long NetLogonControl2(
3769 * IDL [in][string][unique] wchar_t *logonserver,
3770 * IDL [in] long function_code,
3771 * IDL [in] long level,
3772 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3773 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3777 netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3778 packet_info *pinfo, proto_tree *tree, char *drep)
3780 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3783 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3784 hf_netlogon_code, NULL);
3786 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3787 hf_netlogon_level, NULL);
3789 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3790 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3791 "CONTROL_DATA_INFORMATION: ", -1);
3797 netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3798 packet_info *pinfo, proto_tree *tree, char *drep)
3800 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3801 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3802 "CONTROL_QUERY_INFORMATION:", -1);
3804 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3805 hf_netlogon_rc, NULL);
3812 * IDL long NetServerAuthenticate2(
3813 * IDL [in][string][unique] wchar_t *logonserver,
3814 * IDL [in][ref][string] wchar_t *username,
3815 * IDL [in] short secure_channel_type,
3816 * IDL [in][ref][string] wchar_t *computername,
3817 * IDL [in][ref] CREDENTIAL *client_chal,
3818 * IDL [out][ref] CREDENTIAL *server_chal,
3819 * IDL [in][out][ref] long *negotiate_flags,
3823 netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3824 packet_info *pinfo, proto_tree *tree, char *drep)
3826 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3829 offset = dissect_ndr_pointer_cb(
3830 tvb, offset, pinfo, tree, drep,
3831 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
3832 "User Name", hf_netlogon_acct_name,
3833 cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));
3835 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3838 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3839 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3841 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3842 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3843 "CREDENTIAL: client_chal", -1);
3845 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3846 hf_netlogon_neg_flags, NULL);
3852 netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3853 packet_info *pinfo, proto_tree *tree, char *drep)
3855 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3856 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3857 "CREDENTIAL: server_chal", -1);
3859 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3860 hf_netlogon_neg_flags, NULL);
3862 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3863 hf_netlogon_rc, NULL);
3870 * IDL long NetDatabaseSync2(
3871 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3872 * IDL [in][string][ref] wchar_t *computername,
3873 * IDL [in][ref] AUTHENTICATOR credential,
3874 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3875 * IDL [in] long database_id,
3876 * IDL [in] short restart_state,
3877 * IDL [in][out][ref] long *sync_context,
3878 * IDL [in] long preferredmaximumlength,
3879 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3883 netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
3884 packet_info *pinfo, proto_tree *tree, char *drep)
3886 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3887 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3889 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3890 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3892 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3893 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3894 "AUTHENTICATOR: credential", -1);
3896 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3897 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3898 "AUTHENTICATOR: return_authenticator", -1);
3900 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3901 hf_netlogon_database_id, NULL);
3903 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3904 hf_netlogon_restart_state, NULL);
3906 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3907 hf_netlogon_sync_context, NULL);
3909 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3910 hf_netlogon_max_size, NULL);
3916 netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
3917 packet_info *pinfo, proto_tree *tree, char *drep)
3919 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3920 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3921 "AUTHENTICATOR: return_authenticator", -1);
3923 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3924 hf_netlogon_sync_context, NULL);
3926 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3927 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3928 "DELTA_ENUM_ARRAY: deltas", -1);
3930 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3931 hf_netlogon_rc, NULL);
3938 * IDL long NetDatabaseRedo(
3939 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3940 * IDL [in][string][ref] wchar_t *computername,
3941 * IDL [in][ref] AUTHENTICATOR credential,
3942 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3943 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3944 * IDL [in] long change_log_entry_size,
3945 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3949 netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
3950 packet_info *pinfo, proto_tree *tree, char *drep)
3952 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3953 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3955 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3956 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3958 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3959 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3960 "AUTHENTICATOR: credential", -1);
3962 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3963 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3964 "AUTHENTICATOR: return_authenticator", -1);
3966 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3967 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3968 "Change log entry: ", -1);
3970 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3971 hf_netlogon_max_log_size, NULL);
3977 netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
3978 packet_info *pinfo, proto_tree *tree, char *drep)
3980 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3981 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3982 "AUTHENTICATOR: return_authenticator", -1);
3984 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3985 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3986 "DELTA_ENUM_ARRAY: deltas", -1);
3988 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3989 hf_netlogon_rc, NULL);
3995 /* XXX NetMon does not recognize this as a valid function. Muddle however
3996 * tells us what parameters it takes but not their names.
3997 * It looks similar to logoncontrol2. perhaps it is logoncontrol3?
4000 * IDL long NetFunction_12(
4001 * IDL [in][string][unique] wchar_t *logonserver,
4002 * IDL [in] long function_code,
4003 * IDL [in] long level,
4004 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4005 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4009 netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
4010 packet_info *pinfo, proto_tree *tree, char *drep)
4012 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4015 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4016 hf_netlogon_code, NULL);
4018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4019 hf_netlogon_level, NULL);
4021 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4022 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4023 "CONTROL_DATA_INFORMATION: ", -1);
4028 netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
4029 packet_info *pinfo, proto_tree *tree, char *drep)
4031 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4032 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4033 "CONTROL_QUERY_INFORMATION:", -1);
4035 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4036 hf_netlogon_rc, NULL);
4045 /* Updated above this line */
4047 static const value_string trust_type_vals[] = {
4055 #define DS_INET_ADDRESS 1
4056 #define DS_NETBIOS_ADDRESS 2
4057 static const value_string dc_address_types[] = {
4058 { DS_INET_ADDRESS, "IP/DNS name" },
4059 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
4064 #define DS_DOMAIN_IN_FOREST 0x0001
4065 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4066 #define DS_DOMAIN_TREE_ROOT 0x0004
4067 #define DS_DOMAIN_PRIMARY 0x0008
4068 #define DS_DOMAIN_NATIVE_MODE 0x0010
4069 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
4070 static const true_false_string trust_inbound = {
4071 "There is a DIRECT INBOUND trust for the servers domain",
4072 "There is NO direct inbound trust for the servers domain"
4074 static const true_false_string trust_outbound = {
4075 "There is a DIRECT OUTBOUND trust for this domain",
4076 "There is NO direct outbound trust for this domain"
4078 static const true_false_string trust_in_forest = {
4079 "The domain is a member IN the same FOREST as the queried server",
4080 "The domain is NOT a member of the queried servers domain"
4082 static const true_false_string trust_native_mode = {
4083 "The primary domain is a NATIVE MODE w2k domain",
4084 "The primary is NOT a native mode w2k domain"
4086 static const true_false_string trust_primary = {
4087 "The domain is the PRIMARY domain of the queried server",
4088 "The domain is NOT the primary domain of the queried server"
4090 static const true_false_string trust_tree_root = {
4091 "The domain is the ROOT of a domain TREE",
4092 "The domain is NOT a root of a domain tree"
4095 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4096 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4099 proto_item *item = NULL;
4100 proto_tree *tree = NULL;
4103 di=pinfo->private_data;
4104 if(di->conformant_run){
4105 /*just a run to handle conformant arrays, nothing to dissect */
4109 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4110 hf_netlogon_trust_flags, &mask);
4113 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4114 tvb, offset-4, 4, mask);
4115 tree = proto_item_add_subtree(item, ett_trust_flags);
4118 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4119 tvb, offset-4, 4, mask);
4120 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4121 tvb, offset-4, 4, mask);
4122 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4123 tvb, offset-4, 4, mask);
4124 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4125 tvb, offset-4, 4, mask);
4126 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4127 tvb, offset-4, 4, mask);
4128 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4129 tvb, offset-4, 4, mask);
4135 #define DS_FORCE_REDISCOVERY 0x00000001
4136 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
4137 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
4138 #define DS_GC_SERVER_REQUIRED 0x00000040
4139 #define DS_PDC_REQUIRED 0x00000080
4140 #define DS_BACKGROUND_ONLY 0x00000100
4141 #define DS_IP_REQUIRED 0x00000200
4142 #define DS_KDC_REQUIRED 0x00000400
4143 #define DS_TIMESERV_REQUIRED 0x00000800
4144 #define DS_WRITABLE_REQUIRED 0x00001000
4145 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
4146 #define DS_AVOID_SELF 0x00004000
4147 #define DS_ONLY_LDAP_NEEDED 0x00008000
4148 #define DS_IS_FLAT_NAME 0x00010000
4149 #define DS_IS_DNS_NAME 0x00020000
4150 #define DS_RETURN_DNS_NAME 0x40000000
4151 #define DS_RETURN_FLAT_NAME 0x80000000
4152 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4153 "FORCE REDISCOVERY of any cached data",
4154 "You may return cached data"
4156 static const true_false_string get_dcname_request_flags_directory_service_required = {
4157 "DIRECRTORY SERVICE is REQUIRED on the server",
4158 "We do NOT require directory service servers"
4160 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4161 "DIRECTORY SERVICE servers are PREFERRED",
4162 "We do NOT have a preference for directory service servers"
4164 static const true_false_string get_dcname_request_flags_gc_server_required = {
4165 "GC SERVER is REQUIRED",
4166 "gc server is NOT required"
4168 static const true_false_string get_dcname_request_flags_pdc_required = {
4169 "PDC SERVER is REQUIRED",
4170 "pdc server is NOT required"
4172 static const true_false_string get_dcname_request_flags_background_only = {
4173 "Only returned cahced data, even if it has expired",
4174 "Return cached data unless it has expired"
4176 static const true_false_string get_dcname_request_flags_ip_required = {
4177 "IP address is REQUIRED",
4178 "ip address is NOT required"
4180 static const true_false_string get_dcname_request_flags_kdc_required = {
4181 "KDC server is REQUIRED",
4182 "kdc server is NOT required"
4184 static const true_false_string get_dcname_request_flags_timeserv_required = {
4185 "TIMESERV service is REQUIRED",
4186 "timeserv service is NOT required"
4188 static const true_false_string get_dcname_request_flags_writable_required = {
4189 "the requrned dc MUST be WRITEABLE",
4190 "a read-only dc may be returned"
4192 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4193 "GOOD TIMESERV servers are PREFERRED",
4194 "we do NOT have a preference for good timeserv servers"
4196 static const true_false_string get_dcname_request_flags_avoid_self = {
4197 "do NOT return self as dc, return someone else",
4198 "you may return yourSELF as the dc"
4200 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4201 "we ONLY NEED LDAP, you dont have to return a dc",
4202 "we need a normal dc, an ldap only server will not do"
4204 static const true_false_string get_dcname_request_flags_is_flat_name = {
4205 "the name we specify is a NetBIOS name",
4206 "the name we specify is NOT a NetBIOS name"
4208 static const true_false_string get_dcname_request_flags_is_dns_name = {
4209 "the name we specify is a DNS name",
4210 "ther name we specify is NOT a dns name"
4212 static const true_false_string get_dcname_request_flags_return_dns_name = {
4213 "return a DNS name",
4214 "you may return a NON-dns name"
4216 static const true_false_string get_dcname_request_flags_return_flat_name = {
4217 "return a NetBIOS name",
4218 "you may return a NON-NetBIOS name"
4221 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4222 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4225 proto_item *item = NULL;
4226 proto_tree *tree = NULL;
4229 di=pinfo->private_data;
4230 if(di->conformant_run){
4231 /*just a run to handle conformant arrays, nothing to dissect */
4235 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4236 hf_netlogon_get_dcname_request_flags, &mask);
4239 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4240 tvb, offset-4, 4, mask);
4241 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4244 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4245 tvb, offset-4, 4, mask);
4246 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4247 tvb, offset-4, 4, mask);
4248 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4249 tvb, offset-4, 4, mask);
4250 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4251 tvb, offset-4, 4, mask);
4252 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4253 tvb, offset-4, 4, mask);
4254 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4255 tvb, offset-4, 4, mask);
4256 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4257 tvb, offset-4, 4, mask);
4258 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4259 tvb, offset-4, 4, mask);
4260 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4261 tvb, offset-4, 4, mask);
4262 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4263 tvb, offset-4, 4, mask);
4264 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4265 tvb, offset-4, 4, mask);
4266 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4267 tvb, offset-4, 4, mask);
4268 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4269 tvb, offset-4, 4, mask);
4270 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4271 tvb, offset-4, 4, mask);
4272 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4273 tvb, offset-4, 4, mask);
4274 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4275 tvb, offset-4, 4, mask);
4276 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4277 tvb, offset-4, 4, mask);
4284 #define DS_PDC_FLAG 0x00000001
4285 #define DS_GC_FLAG 0x00000004
4286 #define DS_LDAP_FLAG 0x00000008
4287 #define DS_DS_FLAG 0x00000010
4288 #define DS_KDC_FLAG 0x00000020
4289 #define DS_TIMESERV_FLAG 0x00000040
4290 #define DS_CLOSEST_FLAG 0x00000080
4291 #define DS_WRITABLE_FLAG 0x00000100
4292 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4293 #define DS_NDNC_FLAG 0x00000400
4294 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4295 #define DS_DNS_DOMAIN_FLAG 0x40000000
4296 #define DS_DNS_FOREST_FLAG 0x80000000
4297 static const true_false_string dc_flags_pdc_flag = {
4298 "this is the PDC of the domain",
4299 "this is NOT the pdc of the domain"
4301 static const true_false_string dc_flags_gc_flag = {
4302 "this is the GC of the forest",
4303 "this is NOT the gc of the forest"
4305 static const true_false_string dc_flags_ldap_flag = {
4306 "this is an LDAP server",
4307 "this is NOT an ldap server"
4309 static const true_false_string dc_flags_ds_flag = {
4310 "this is a DS server",
4311 "this is NOT a ds server"
4313 static const true_false_string dc_flags_kdc_flag = {
4314 "this is a KDC server",
4315 "this is NOT a kdc server"
4317 static const true_false_string dc_flags_timeserv_flag = {
4318 "this is a TIMESERV server",
4319 "this is NOT a timeserv server"
4321 static const true_false_string dc_flags_closest_flag = {
4322 "this is the CLOSEST server",
4323 "this is NOT the closest server"
4325 static const true_false_string dc_flags_writable_flag = {
4326 "this server has a WRITABLE ds database",
4327 "this server has a READ-ONLY ds database"
4329 static const true_false_string dc_flags_good_timeserv_flag = {
4330 "this server is a GOOD TIMESERV server",
4331 "this is NOT a good timeserv server"
4333 static const true_false_string dc_flags_ndnc_flag = {
4337 static const true_false_string dc_flags_dns_controller_flag = {
4338 "DomainControllerName is a DNS name",
4339 "DomainControllerName is NOT a dns name"
4341 static const true_false_string dc_flags_dns_domain_flag = {
4342 "DomainName is a DNS name",
4343 "DomainName is NOT a dns name"
4345 static const true_false_string dc_flags_dns_forest_flag = {
4346 "DnsForestName is a DNS name",
4347 "DnsForestName is NOT a dns name"
4350 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4351 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4354 proto_item *item = NULL;
4355 proto_tree *tree = NULL;
4358 di=pinfo->private_data;
4359 if(di->conformant_run){
4360 /*just a run to handle conformant arrays, nothing to dissect */
4364 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4365 hf_netlogon_dc_flags, &mask);
4368 item = proto_tree_add_uint_format(parent_tree, hf_netlogon_dc_flags,
4369 tvb, offset-4, 4, mask, "Domain Controller Flags: 0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4370 tree = proto_item_add_subtree(item, ett_dc_flags);
4373 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4374 tvb, offset-4, 4, mask);
4375 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4376 tvb, offset-4, 4, mask);
4377 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4378 tvb, offset-4, 4, mask);
4379 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4380 tvb, offset-4, 4, mask);
4381 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4382 tvb, offset-4, 4, mask);
4383 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4384 tvb, offset-4, 4, mask);
4385 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4386 tvb, offset-4, 4, mask);
4387 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4388 tvb, offset-4, 4, mask);
4389 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4390 tvb, offset-4, 4, mask);
4391 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4392 tvb, offset-4, 4, mask);
4393 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4394 tvb, offset-4, 4, mask);
4395 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4396 tvb, offset-4, 4, mask);
4397 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4398 tvb, offset-4, 4, mask);
4406 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4407 packet_info *pinfo, proto_tree *tree,
4412 di=pinfo->private_data;
4413 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4414 di->hf_index, NULL);
4419 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4420 packet_info *pinfo, proto_tree *tree,
4425 di=pinfo->private_data;
4426 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4427 di->hf_index, NULL);
4432 netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
4433 packet_info *pinfo, proto_tree *parent_tree,
4434 char *drep, int type, int hf_index, dcerpc_callback_fnct_t *callback)
4436 proto_item *item=NULL;
4437 proto_tree *tree=NULL;
4438 int old_offset=offset;
4442 di=pinfo->private_data;
4443 if(di->conformant_run){
4444 /*just a run to handle conformant arrays, nothing to dissect */
4448 name = proto_registrar_get_name(hf_index);
4450 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4452 tree = proto_item_add_subtree(item, ett_nt_unicode_string);
4455 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
4456 dissect_ndr_wchar_cvstring, type,
4457 name, hf_index, callback, NULL);
4459 proto_item_set_len(item, offset-old_offset);
4465 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4466 packet_info *pinfo, proto_tree *tree,
4469 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4470 hf_netlogon_unknown_char, NULL);
4476 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4477 packet_info *pinfo, proto_tree *tree,
4480 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4481 netlogon_dissect_UNICODE_MULTI_byte);
4487 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4488 packet_info *pinfo, proto_tree *parent_tree,
4491 proto_item *item=NULL;
4492 proto_tree *tree=NULL;
4493 int old_offset=offset;
4496 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4498 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4502 hf_netlogon_len, NULL);
4504 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4505 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4506 "unknown", hf_netlogon_unknown_string);
4508 proto_item_set_len(item, offset-old_offset);
4513 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4514 packet_info *pinfo, proto_tree *tree,
4517 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
4523 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4524 packet_info *pinfo, proto_tree *parent_tree,
4527 proto_item *item=NULL;
4528 proto_tree *tree=NULL;
4529 int old_offset=offset;
4532 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4533 "DOMAIN_CONTROLLER_INFO:");
4534 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4537 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4538 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
4540 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4541 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
4543 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4544 hf_netlogon_dc_address_type, NULL);
4546 offset = dissect_nt_GUID(tvb, offset,
4549 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4550 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
4552 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4553 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
4555 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
4557 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4558 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
4560 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4561 NDR_POINTER_UNIQUE, "Client Site",
4562 hf_netlogon_client_site_name, 0);
4564 proto_item_set_len(item, offset-old_offset);
4569 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4570 packet_info *pinfo, proto_tree *tree,
4576 di=pinfo->private_data;
4577 if(di->conformant_run){
4578 /*just a run to handle conformant arrays, nothing to dissect.*/
4582 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4583 hf_netlogon_blob_size, &len);
4585 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
4593 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4594 packet_info *pinfo, proto_tree *parent_tree,
4597 proto_item *item=NULL;
4598 proto_tree *tree=NULL;
4601 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4603 tree = proto_item_add_subtree(item, ett_BLOB);
4606 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4607 hf_netlogon_blob_size, NULL);
4609 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4610 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
4617 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4618 packet_info *pinfo, proto_tree *parent_tree,
4621 proto_item *item=NULL;
4622 proto_tree *tree=NULL;
4623 int old_offset=offset;
4626 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4627 "DOMAIN_TRUST_INFO:");
4628 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
4632 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4634 /* Guesses at best. */
4635 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4636 hf_netlogon_unknown_string, 0);
4638 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4639 hf_netlogon_unknown_string, 0);
4641 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4642 hf_netlogon_unknown_string, 0);
4644 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4645 hf_netlogon_unknown_string, 0);
4647 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4648 hf_netlogon_unknown_long, NULL);
4650 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4651 hf_netlogon_unknown_long, NULL);
4653 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4654 hf_netlogon_unknown_long, NULL);
4656 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4657 hf_netlogon_unknown_long, NULL);
4659 proto_item_set_len(item, offset-old_offset);
4664 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
4665 packet_info *pinfo, proto_tree *tree,
4668 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4669 netlogon_dissect_DOMAIN_TRUST_INFO);
4675 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4676 packet_info *pinfo, proto_tree *tree,
4679 offset = netlogon_dissect_BLOB(tvb, offset,
4682 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4683 NDR_POINTER_UNIQUE, "Workstation FQDN",
4684 hf_netlogon_workstation_fqdn, 0);
4686 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4687 NDR_POINTER_UNIQUE, "Workstation Site",
4688 hf_netlogon_workstation_site_name, 0);
4690 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4691 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4693 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4694 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4696 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4697 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4699 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4700 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4702 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4703 hf_netlogon_unknown_string, 0);
4705 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4706 hf_netlogon_workstation_os, 0);
4708 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4709 hf_netlogon_unknown_string, 0);
4711 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4712 hf_netlogon_unknown_string, 0);
4714 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4715 hf_netlogon_unknown_long, NULL);
4717 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4718 hf_netlogon_unknown_long, NULL);
4720 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4721 hf_netlogon_unknown_long, NULL);
4723 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4724 hf_netlogon_unknown_long, NULL);
4730 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
4731 packet_info *pinfo, proto_tree *tree,
4734 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
4736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4737 hf_netlogon_num_trusts, NULL);
4739 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4740 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4741 "DOMAIN_TRUST_ARRAY: Trusts", -1);
4743 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4744 hf_netlogon_num_trusts, NULL);
4746 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4747 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4748 "DOMAIN_TRUST_ARRAY:", -1);
4750 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4751 hf_netlogon_dns_domain_name, 0);
4753 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4754 hf_netlogon_unknown_string, 0);
4756 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4757 hf_netlogon_unknown_string, 0);
4759 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4760 hf_netlogon_unknown_string, 0);
4762 /* These four integers appear to mirror the last four in the query. */
4763 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4764 hf_netlogon_unknown_long, NULL);
4766 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4767 hf_netlogon_unknown_long, NULL);
4769 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4770 hf_netlogon_unknown_long, NULL);
4772 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4773 hf_netlogon_unknown_long, NULL);
4780 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4781 packet_info *pinfo, proto_tree *tree,
4786 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4787 hf_netlogon_level, &level);
4792 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4793 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
4794 "DOMAIN_INFO_1:", -1);
4802 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4803 packet_info *pinfo, proto_tree *parent_tree,
4806 proto_item *item=NULL;
4807 proto_tree *tree=NULL;
4808 int old_offset=offset;
4812 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4813 "UNICODE_STRING_512:");
4814 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4818 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4819 hf_netlogon_unknown_short, NULL);
4822 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4823 hf_netlogon_unknown_long, NULL);
4825 proto_item_set_len(item, offset-old_offset);
4830 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4831 packet_info *pinfo, proto_tree *tree,
4834 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4835 hf_netlogon_unknown_char, NULL);
4841 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4842 packet_info *pinfo, proto_tree *tree,
4845 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4846 netlogon_dissect_element_844_byte);
4852 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4853 packet_info *pinfo, proto_tree *parent_tree,
4856 proto_item *item=NULL;
4857 proto_tree *tree=NULL;
4858 int old_offset=offset;
4861 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4863 tree = proto_item_add_subtree(item, ett_TYPE_50);
4866 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4867 hf_netlogon_unknown_long, NULL);
4869 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4870 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4871 "unknown", hf_netlogon_unknown_string);
4873 proto_item_set_len(item, offset-old_offset);
4878 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4879 packet_info *pinfo, proto_tree *tree,
4882 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4883 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4884 "TYPE_50 pointer: unknown_TYPE_50", -1);
4890 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
4891 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4894 proto_item *item=NULL;
4895 proto_tree *tree=NULL;
4896 int old_offset=offset;
4899 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4900 "DS_DOMAIN_TRUSTS");
4901 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
4905 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4906 NDR_POINTER_UNIQUE, "NetBIOS Name",
4907 hf_netlogon_downlevel_domain_name, 0);
4910 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4911 NDR_POINTER_UNIQUE, "DNS Domain Name",
4912 hf_netlogon_dns_domain_name, 0);
4914 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
4916 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4917 hf_netlogon_trust_parent_index, &tmp);
4919 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4920 hf_netlogon_trust_type, &tmp);
4922 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4923 hf_netlogon_trust_attribs, &tmp);
4926 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep, -1);
4929 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
4931 proto_item_set_len(item, offset-old_offset);
4936 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
4937 packet_info *pinfo, proto_tree *tree,
4940 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4941 netlogon_dissect_DS_DOMAIN_TRUSTS);
4947 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4948 packet_info *pinfo, proto_tree *tree,
4951 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4952 hf_netlogon_unknown_char, NULL);
4958 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4959 packet_info *pinfo, proto_tree *tree,
4962 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4963 netlogon_dissect_element_865_byte);
4969 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4970 packet_info *pinfo, proto_tree *tree,
4973 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4974 hf_netlogon_unknown_char, NULL);
4980 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4981 packet_info *pinfo, proto_tree *tree,
4984 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4985 netlogon_dissect_element_866_byte);
4991 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4992 packet_info *pinfo, proto_tree *parent_tree,
4995 proto_item *item=NULL;
4996 proto_tree *tree=NULL;
4997 int old_offset=offset;
5000 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5002 tree = proto_item_add_subtree(item, ett_TYPE_52);
5005 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5006 hf_netlogon_unknown_long, NULL);
5008 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5009 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
5010 "unknown", hf_netlogon_unknown_string);
5012 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5013 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
5014 "unknown", hf_netlogon_unknown_string);
5016 proto_item_set_len(item, offset-old_offset);
5021 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
5022 packet_info *pinfo, proto_tree *tree,
5025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5026 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5027 "TYPE_52 pointer: unknown_TYPE_52", -1);
5033 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5034 packet_info *pinfo, proto_tree *parent_tree,
5037 proto_item *item=NULL;
5038 proto_tree *tree=NULL;
5039 int old_offset=offset;
5043 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5045 tree = proto_item_add_subtree(item, ett_TYPE_44);
5048 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5049 hf_netlogon_level, &level);
5054 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5055 hf_netlogon_unknown_long, NULL);
5059 proto_item_set_len(item, offset-old_offset);
5064 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5065 packet_info *pinfo, proto_tree *tree,
5070 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5071 hf_netlogon_level, &level);
5076 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5077 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5078 "DOMAIN_QUERY_1:", -1);
5081 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5082 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5083 "DOMAIN_QUERY_1:", -1);
5091 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
5092 packet_info *pinfo, proto_tree *tree, char *drep)
5094 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5102 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
5103 packet_info *pinfo, proto_tree *tree, char *drep)
5105 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5106 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5107 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5109 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5110 hf_netlogon_rc, NULL);
5116 netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
5117 packet_info *pinfo, proto_tree *tree, char *drep)
5119 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5122 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5123 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5125 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5126 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5127 "GUID pointer: domain_guid", -1);
5129 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5130 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5131 "GUID pointer: site_guid", -1);
5133 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5134 hf_netlogon_flags, NULL);
5141 netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
5142 packet_info *pinfo, proto_tree *tree, char *drep)
5144 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5145 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5146 "DOMAIN_CONTROLLER_INFO:", -1);
5148 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5149 hf_netlogon_rc, NULL);
5155 netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
5156 packet_info *pinfo, proto_tree *tree, char *drep)
5158 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5161 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5162 NDR_POINTER_UNIQUE, "unknown string",
5163 hf_netlogon_unknown_string, 0);
5165 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5166 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5167 "AUTHENTICATOR: credential", -1);
5169 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5170 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5171 "AUTHENTICATOR: return_authenticator", -1);
5173 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5174 hf_netlogon_unknown_long, NULL);
5181 netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
5182 packet_info *pinfo, proto_tree *tree, char *drep)
5184 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5185 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5186 "AUTHENTICATOR: return_authenticator", -1);
5188 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5189 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5190 "TYPE_44 pointer: unknown_TYPE_44", -1);
5192 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5193 hf_netlogon_rc, NULL);
5199 netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
5200 packet_info *pinfo, proto_tree *tree, char *drep)
5202 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5205 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5206 hf_netlogon_unknown_long, NULL);
5208 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5209 hf_netlogon_unknown_long, NULL);
5216 netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
5217 packet_info *pinfo, proto_tree *tree, char *drep)
5219 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5220 hf_netlogon_rc, NULL);
5226 netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
5227 packet_info *pinfo, proto_tree *tree, char *drep)
5229 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5232 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5233 NDR_POINTER_UNIQUE, "unknown string",
5234 hf_netlogon_unknown_string, 0);
5241 netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
5242 packet_info *pinfo, proto_tree *tree, char *drep)
5244 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5245 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5246 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5248 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5249 hf_netlogon_rc, NULL);
5255 netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
5256 packet_info *pinfo, proto_tree *tree, char *drep)
5258 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5261 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5262 hf_netlogon_unknown_long, NULL);
5264 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5265 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5266 "BYTE pointer: unknown_BYTE", -1);
5268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5269 hf_netlogon_unknown_long, NULL);
5275 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5276 packet_info *pinfo, proto_tree *tree, char *drep)
5281 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5282 hf_netlogon_unknown_char, NULL);
5289 netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
5290 packet_info *pinfo, proto_tree *tree, char *drep)
5292 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5293 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5294 "BYTE pointer: unknown_BYTE", -1);
5296 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5297 hf_netlogon_rc, NULL);
5303 netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
5304 packet_info *pinfo, proto_tree *tree, char *drep)
5306 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5309 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5310 NDR_POINTER_UNIQUE, "unknown string",
5311 hf_netlogon_unknown_string, 0);
5313 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5314 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5315 "BYTE pointer: unknown_BYTE", -1);
5317 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5318 hf_netlogon_unknown_long, NULL);
5325 netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
5326 packet_info *pinfo, proto_tree *tree, char *drep)
5328 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5329 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5330 "BYTE pointer: unknown_BYTE", -1);
5332 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5333 hf_netlogon_rc, NULL);
5339 netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5340 packet_info *pinfo, proto_tree *tree, char *drep)
5342 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5345 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5346 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5348 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5351 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5352 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5354 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5355 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5356 "CREDENTIAL: authenticator", -1);
5358 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5359 hf_netlogon_neg_flags, NULL);
5366 netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5367 packet_info *pinfo, proto_tree *tree, char *drep)
5369 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5370 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5371 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5373 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5374 hf_netlogon_neg_flags, NULL);
5376 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5377 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5378 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5380 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5381 hf_netlogon_rc, NULL);
5387 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5388 packet_info *pinfo, proto_tree *tree, char *drep)
5390 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5393 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5394 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5396 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5397 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5398 "GUID pointer: domain_guid", -1);
5400 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5401 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5403 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
5410 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5411 packet_info *pinfo, proto_tree *tree, char *drep)
5413 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5414 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5415 "DOMAIN_CONTROLLER_INFO:", -1);
5417 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5418 hf_netlogon_rc, NULL);
5424 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5425 packet_info *pinfo, proto_tree *tree, char *drep)
5427 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5435 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5436 packet_info *pinfo, proto_tree *tree, char *drep)
5439 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
5440 NDR_POINTER_REF, hf_netlogon_site_name, 0);
5442 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5443 hf_netlogon_rc, NULL);
5449 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5450 packet_info *pinfo, proto_tree *tree, char *drep)
5452 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5453 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5454 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5456 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5457 NDR_POINTER_UNIQUE, "Computer Name",
5458 hf_netlogon_computer_name, 0);
5460 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5461 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5462 "AUTHENTICATOR: credential", -1);
5464 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5465 hf_netlogon_unknown_long, NULL);
5467 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5468 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5469 "AUTHENTICATOR: return_authenticator", -1);
5471 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5472 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5473 "DOMAIN_QUERY: ", -1);
5480 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5481 packet_info *pinfo, proto_tree *tree, char *drep)
5483 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5484 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5485 "AUTHENTICATOR: return_authenticator", -1);
5487 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5488 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5489 "DOMAIN_INFO: ", -1);
5491 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5492 hf_netlogon_rc, NULL);
5498 netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
5499 packet_info *pinfo, proto_tree *tree, char *drep)
5501 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5504 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5505 NDR_POINTER_UNIQUE, "unknown string",
5506 hf_netlogon_unknown_string, 0);
5508 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5509 hf_netlogon_unknown_short, NULL);
5511 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5512 NDR_POINTER_UNIQUE, "unknown string",
5513 hf_netlogon_unknown_string, 0);
5515 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5516 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5517 "AUTHENTICATOR: credential", -1);
5519 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
5527 netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
5528 packet_info *pinfo, proto_tree *tree, char *drep)
5530 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5531 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5532 "AUTHENTICATOR: return_authenticator", -1);
5534 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5535 hf_netlogon_rc, NULL);
5541 netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5542 packet_info *pinfo, proto_tree *tree, char *drep)
5544 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5547 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5548 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
5550 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5553 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5554 NDR_POINTER_UNIQUE, "Computer Name",
5555 hf_netlogon_computer_name, 0);
5557 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5558 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5559 "AUTHENTICATOR: credential", -1);
5566 netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5567 packet_info *pinfo, proto_tree *tree, char *drep)
5569 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5570 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5571 "AUTHENTICATOR: return_authenticator", -1);
5573 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5574 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5575 "LM_OWF_PASSWORD pointer: server_pwd", -1);
5577 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5578 hf_netlogon_rc, NULL);
5584 netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
5585 packet_info *pinfo, proto_tree *tree, char *drep)
5587 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5590 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5591 NDR_POINTER_UNIQUE, "unknown string",
5592 hf_netlogon_unknown_string, 0);
5594 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5595 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5596 "AUTHENTICATOR: credential", -1);
5598 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5599 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5600 "BYTE pointer: unknown_BYTE", -1);
5602 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5603 hf_netlogon_unknown_long, NULL);
5610 netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
5611 packet_info *pinfo, proto_tree *tree, char *drep)
5613 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5614 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5615 "AUTHENTICATOR: return_authenticator", -1);
5617 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5618 hf_netlogon_rc, NULL);
5624 netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
5625 packet_info *pinfo, proto_tree *tree, char *drep)
5627 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5630 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5631 hf_netlogon_unknown_long, NULL);
5633 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5634 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5635 "BYTE pointer: unknown_BYTE", -1);
5642 netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
5643 packet_info *pinfo, proto_tree *tree, char *drep)
5645 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5646 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5647 "TYPE_50** pointer: unknown_TYPE_50", -1);
5649 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5650 hf_netlogon_rc, NULL);
5656 netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
5657 packet_info *pinfo, proto_tree *tree, char *drep)
5659 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5662 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5663 NDR_POINTER_UNIQUE, "unknown string",
5664 hf_netlogon_unknown_string, 0);
5666 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5667 hf_netlogon_unknown_long, NULL);
5669 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5670 NDR_POINTER_UNIQUE, "unknown string",
5671 hf_netlogon_unknown_string, 0);
5673 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5674 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5675 "GUID pointer: unknown_GUID", -1);
5677 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5678 NDR_POINTER_UNIQUE, "unknown string",
5679 hf_netlogon_unknown_string, 0);
5681 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5682 hf_netlogon_unknown_long, NULL);
5689 netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
5690 packet_info *pinfo, proto_tree *tree, char *drep)
5692 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5693 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5694 "DOMAIN_CONTROLLER_INFO:", -1);
5696 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5697 hf_netlogon_rc, NULL);
5703 netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
5704 packet_info *pinfo, proto_tree *tree, char *drep)
5706 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5714 netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
5715 packet_info *pinfo, proto_tree *tree, char *drep)
5717 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5718 NDR_POINTER_UNIQUE, "unknown string",
5719 hf_netlogon_unknown_string, 0);
5721 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5722 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5723 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5725 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5726 hf_netlogon_rc, NULL);
5732 netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
5733 packet_info *pinfo, proto_tree *tree, char *drep)
5735 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5742 netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
5743 packet_info *pinfo, proto_tree *tree, char *drep)
5745 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5746 hf_netlogon_entries, NULL);
5748 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5749 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5750 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5752 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5753 hf_netlogon_rc, NULL);
5759 netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
5760 packet_info *pinfo, proto_tree *tree, char *drep)
5762 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5765 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5766 hf_netlogon_unknown_long, NULL);
5768 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5769 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5770 "BYTE pointer: unknown_BYTE", -1);
5777 netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
5778 packet_info *pinfo, proto_tree *tree, char *drep)
5780 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5781 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5782 "TYPE_52 pointer: unknown_TYPE_52", -1);
5784 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5785 hf_netlogon_rc, NULL);
5792 netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
5793 packet_info *pinfo, proto_tree *tree, char *drep)
5795 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5796 NDR_POINTER_UNIQUE, "unknown string",
5797 hf_netlogon_unknown_string, 0);
5804 netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
5805 packet_info *pinfo, proto_tree *tree, char *drep)
5807 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5808 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5809 "TYPE_50** pointer: unknown_TYPE_50", -1);
5811 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5812 hf_netlogon_rc, NULL);
5818 netlogon_dissect_logonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5819 packet_info *pinfo, proto_tree *tree, char *drep)
5821 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5822 NDR_POINTER_UNIQUE, "unknown string",
5823 hf_netlogon_unknown_string, 0);
5825 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5826 NDR_POINTER_UNIQUE, "unknown string",
5827 hf_netlogon_unknown_string, 0);
5829 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5830 hf_netlogon_unknown_short, NULL);
5832 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5833 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5834 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
5836 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5837 hf_netlogon_unknown_short, NULL);
5839 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5840 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5841 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5847 netlogon_dissect_logonsamlogonex_reply(tvbuff_t *tvb, int offset,
5848 packet_info *pinfo, proto_tree *tree, char *drep)
5850 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5851 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5852 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
5854 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5855 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5856 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
5858 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5859 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5860 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5862 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5863 hf_netlogon_rc, NULL);
5870 netlogon_dissect_dsenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5871 packet_info *pinfo, proto_tree *tree, char *drep)
5873 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5876 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5883 netlogon_dissect_dsenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5884 packet_info *pinfo, proto_tree *tree, char *drep)
5886 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5887 hf_netlogon_entries, NULL);
5889 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5890 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5891 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5893 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5894 hf_netlogon_rc, NULL);
5900 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5901 packet_info *pinfo, proto_tree *tree, char *drep)
5903 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5906 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5907 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5909 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5910 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5911 "GUID pointer: domain_guid", -1);
5913 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5914 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5915 "GUID pointer: dsa_guid", -1);
5917 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5918 NDR_POINTER_UNIQUE, "dns_host", hf_netlogon_dns_host, 0);
5925 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5926 packet_info *pinfo, proto_tree *tree, char *drep)
5928 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5929 hf_netlogon_rc, NULL);
5934 /* Dissect secure channel stuff */
5936 static int hf_netlogon_secchan_bind_unknown1 = -1;
5937 static int hf_netlogon_secchan_bind_unknown2 = -1;
5938 static int hf_netlogon_secchan_domain = -1;
5939 static int hf_netlogon_secchan_host = -1;
5940 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
5941 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
5942 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
5944 static gint ett_secchan_verf = -1;
5945 static gint ett_secchan_bind_creds = -1;
5946 static gint ett_secchan_bind_ack_creds = -1;
5948 static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
5950 proto_tree *tree, char *drep)
5952 proto_item *item = NULL;
5953 proto_tree *subtree = NULL;
5957 item = proto_tree_add_text(
5958 tree, tvb, offset, tvb_length(tvb),
5959 "Secure Channel Bind Credentials");
5960 subtree = proto_item_add_subtree(
5961 item, ett_secchan_bind_creds);
5964 /* We can't use the NDR routines as the DCERPC call data hasn't
5965 been initialised since we haven't made a DCERPC call yet, just
5968 offset = dissect_dcerpc_uint32(
5969 tvb, offset, pinfo, subtree, drep,
5970 hf_netlogon_secchan_bind_unknown1, NULL);
5972 offset = dissect_dcerpc_uint32(
5973 tvb, offset, pinfo, subtree, drep,
5974 hf_netlogon_secchan_bind_unknown2, NULL);
5976 len = tvb_strsize(tvb, offset);
5978 proto_tree_add_item(
5979 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
5983 len = tvb_strsize(tvb, offset);
5985 proto_tree_add_item(
5986 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
5993 static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
5995 proto_tree *tree, char *drep)
5997 proto_item *item = NULL;
5998 proto_tree *subtree = NULL;
6001 item = proto_tree_add_text(
6002 tree, tvb, offset, 0,
6003 "Secure Channel Bind ACK Credentials");
6004 subtree = proto_item_add_subtree(
6005 item, ett_secchan_bind_ack_creds);
6008 /* Don't use NDR routines here */
6010 offset = dissect_dcerpc_uint32(
6011 tvb, offset, pinfo, subtree, drep,
6012 hf_netlogon_secchan_bind_ack_unknown1, NULL);
6014 offset = dissect_dcerpc_uint32(
6015 tvb, offset, pinfo, subtree, drep,
6016 hf_netlogon_secchan_bind_ack_unknown2, NULL);
6018 offset = dissect_dcerpc_uint32(
6019 tvb, offset, pinfo, subtree, drep,
6020 hf_netlogon_secchan_bind_ack_unknown3, NULL);
6027 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
6028 { NETLOGON_UASLOGON, "UasLogon",
6029 netlogon_dissect_netlogonuaslogon_rqst,
6030 netlogon_dissect_netlogonuaslogon_reply },
6031 { NETLOGON_UASLOGOFF, "UasLogoff",
6032 netlogon_dissect_netlogonuaslogoff_rqst,
6033 netlogon_dissect_netlogonuaslogoff_reply },
6034 { NETLOGON_NETLOGONSAMLOGON, "SamLogon",
6035 netlogon_dissect_netlogonsamlogon_rqst,
6036 netlogon_dissect_netlogonsamlogon_reply },
6037 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
6038 netlogon_dissect_netlogonsamlogoff_rqst,
6039 netlogon_dissect_netlogonsamlogoff_reply },
6040 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
6041 netlogon_dissect_netserverreqchallenge_rqst,
6042 netlogon_dissect_netserverreqchallenge_reply },
6043 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
6044 netlogon_dissect_netserverauthenticate_rqst,
6045 netlogon_dissect_netserverauthenticate_reply },
6046 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
6047 netlogon_dissect_netserverpasswordset_rqst,
6048 netlogon_dissect_netserverpasswordset_reply },
6049 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
6050 netlogon_dissect_netsamdeltas_rqst,
6051 netlogon_dissect_netsamdeltas_reply },
6052 { NETLOGON_DATABASESYNC, "DatabaseSync",
6053 netlogon_dissect_netlogondatabasesync_rqst,
6054 netlogon_dissect_netlogondatabasesync_reply },
6055 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
6056 netlogon_dissect_netlogonaccountdeltas_rqst,
6057 netlogon_dissect_netlogonaccountdeltas_reply },
6058 { NETLOGON_ACCOUNTSYNC, "AccountSync",
6059 netlogon_dissect_netlogonaccountsync_rqst,
6060 netlogon_dissect_netlogonaccountsync_reply },
6061 { NETLOGON_GETDCNAME, "GetDCName",
6062 netlogon_dissect_netlogongetdcname_rqst,
6063 netlogon_dissect_netlogongetdcname_reply },
6064 { NETLOGON_NETLOGONCONTROL, "LogonControl",
6065 netlogon_dissect_netlogoncontrol_rqst,
6066 netlogon_dissect_netlogoncontrol_reply },
6067 { NETLOGON_GETANYDCNAME, "GetAnyDCName",
6068 netlogon_dissect_netlogongetanydcname_rqst,
6069 netlogon_dissect_netlogongetanydcname_reply },
6070 { NETLOGON_NETLOGONCONTROL2, "LogonControl2",
6071 netlogon_dissect_netlogoncontrol2_rqst,
6072 netlogon_dissect_netlogoncontrol2_reply },
6073 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
6074 netlogon_dissect_netserverauthenticate2_rqst,
6075 netlogon_dissect_netserverauthenticate2_reply },
6076 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
6077 netlogon_dissect_netdatabasesync2_rqst,
6078 netlogon_dissect_netdatabasesync2_reply },
6079 { NETLOGON_DATABASEREDO, "DatabaseRedo",
6080 netlogon_dissect_netlogondatabaseredo_rqst,
6081 netlogon_dissect_netlogondatabaseredo_reply },
6082 { NETLOGON_FUNCTION_12, "Function_0x12",
6083 netlogon_dissect_function_12_rqst,
6084 netlogon_dissect_function_12_reply },
6085 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList",
6086 netlogon_dissect_nettrusteddomainlist_rqst,
6087 netlogon_dissect_nettrusteddomainlist_reply },
6088 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2",
6089 netlogon_dissect_dsrgetdcname2_rqst,
6090 netlogon_dissect_dsrgetdcname2_reply },
6091 { NETLOGON_FUNCTION_15, "Function 0x15",
6092 netlogon_dissect_function_15_rqst,
6093 netlogon_dissect_function_15_reply },
6094 { NETLOGON_FUNCTION_16, "Function 0x16",
6095 netlogon_dissect_function_16_rqst,
6096 netlogon_dissect_function_16_reply },
6097 { NETLOGON_FUNCTION_17, "Function 0x17",
6098 netlogon_dissect_function_17_rqst,
6099 netlogon_dissect_function_17_reply },
6100 { NETLOGON_FUNCTION_18, "Function 0x18",
6101 netlogon_dissect_function_18_rqst,
6102 netlogon_dissect_function_18_reply },
6103 { NETLOGON_FUNCTION_19, "Function 0x19",
6104 netlogon_dissect_function_19_rqst,
6105 netlogon_dissect_function_19_reply },
6106 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3",
6107 netlogon_dissect_netserverauthenticate3_rqst,
6108 netlogon_dissect_netserverauthenticate3_reply },
6109 { NETLOGON_DSRGETDCNAME, "DsrGetDCName",
6110 netlogon_dissect_dsrgetdcname_rqst,
6111 netlogon_dissect_dsrgetdcname_reply },
6112 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
6113 netlogon_dissect_dsrgetsitename_rqst,
6114 netlogon_dissect_dsrgetsitename_reply },
6115 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6116 netlogon_dissect_netrlogongetdomaininfo_rqst,
6117 netlogon_dissect_netrlogongetdomaininfo_reply },
6118 { NETLOGON_FUNCTION_1E, "Function_0x1E",
6119 netlogon_dissect_function_1e_rqst,
6120 netlogon_dissect_function_1e_reply },
6121 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2",
6122 netlogon_dissect_netserverpasswordset2_rqst,
6123 netlogon_dissect_netserverpasswordset2_reply },
6124 { NETLOGON_FUNCTION_20, "Function_0x20",
6125 netlogon_dissect_function_20_rqst,
6126 netlogon_dissect_function_20_reply },
6127 { NETLOGON_FUNCTION_21, "Function_0x21",
6128 netlogon_dissect_function_21_rqst,
6129 netlogon_dissect_function_21_reply },
6130 { NETLOGON_FUNCTION_22, "Function_0x22",
6131 netlogon_dissect_function_22_rqst,
6132 netlogon_dissect_function_22_reply },
6133 { NETLOGON_FUNCTION_23, "Function_0x23",
6134 netlogon_dissect_function_23_rqst,
6135 netlogon_dissect_function_23_reply },
6136 { NETLOGON_FUNCTION_24, "Function_0x24",
6137 netlogon_dissect_function_24_rqst,
6138 netlogon_dissect_function_24_reply },
6139 { NETLOGON_FUNCTION_25, "Function_0x25",
6140 netlogon_dissect_function_25_rqst,
6141 netlogon_dissect_function_25_reply },
6142 { NETLOGON_FUNCTION_26, "Function_0x26",
6143 netlogon_dissect_function_26_rqst,
6144 netlogon_dissect_function_26_reply },
6145 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx",
6146 netlogon_dissect_logonsamlogonex_rqst,
6147 netlogon_dissect_logonsamlogonex_reply },
6148 { NETLOGON_DSENUMERATETRUSTEDDOMAINS, "DSEnumerateTrustedDomains",
6149 netlogon_dissect_dsenumeratetrusteddomains_rqst,
6150 netlogon_dissect_dsenumeratetrusteddomains_reply },
6151 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords",
6152 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6153 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6154 {0, NULL, NULL, NULL }
6157 static int hf_netlogon_secchan_verf = -1;
6158 static int hf_netlogon_secchan_verf_sig = -1;
6159 static int hf_netlogon_secchan_verf_unk = -1;
6160 static int hf_netlogon_secchan_verf_seq = -1;
6161 static int hf_netlogon_secchan_verf_nonce = -1;
6164 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
6165 proto_tree *tree, char *drep _U_)
6167 proto_item *vf = NULL;
6168 proto_tree *subtree = NULL;
6171 * Create a new tree, and split into 4 components ...
6173 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
6175 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
6177 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sig, tvb,
6181 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_unk, tvb,
6185 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_seq, tvb,
6189 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_nonce, tvb,
6196 /* Secure channel types */
6198 static const value_string sec_chan_type_vals[] = {
6199 { SEC_CHAN_WKSTA, "Workstation" },
6200 { SEC_CHAN_DOMAIN, "Domain trust" },
6201 { SEC_CHAN_BDC, "Backup domain controller" },
6206 proto_register_dcerpc_netlogon(void)
6209 static hf_register_info hf[] = {
6210 { &hf_netlogon_opnum,
6211 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6212 NULL, 0x0, "Operation", HFILL }},
6214 { &hf_netlogon_rc, {
6215 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6216 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6218 { &hf_netlogon_param_ctrl, {
6219 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6220 NULL, 0x0, "Param ctrl", HFILL }},
6222 { &hf_netlogon_logon_id, {
6223 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6224 NULL, 0x0, "Logon ID", HFILL }},
6226 { &hf_netlogon_modify_count, {
6227 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6228 NULL, 0x0, "How many times the object has been modified", HFILL }},
6230 { &hf_netlogon_security_information, {
6231 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6232 NULL, 0x0, "Security Information", HFILL }},
6234 { &hf_netlogon_count, {
6235 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6236 NULL, 0x0, "", HFILL }},
6238 { &hf_netlogon_entries, {
6239 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6240 NULL, 0x0, "", HFILL }},
6242 { &hf_netlogon_credential, {
6243 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6244 NULL, 0x0, "Netlogon Credential", HFILL }},
6246 { &hf_netlogon_challenge, {
6247 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6248 NULL, 0x0, "Netlogon challenge", HFILL }},
6250 { &hf_netlogon_lm_owf_password, {
6251 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6252 NULL, 0x0, "LanManager OWF Password", HFILL }},
6254 { &hf_netlogon_user_session_key, {
6255 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6256 NULL, 0x0, "User Session Key", HFILL }},
6258 { &hf_netlogon_encrypted_lm_owf_password, {
6259 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6260 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6262 { &hf_netlogon_nt_owf_password, {
6263 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6264 NULL, 0x0, "NT OWF Password", HFILL }},
6266 { &hf_netlogon_blob, {
6267 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6268 NULL, 0x0, "BLOB", HFILL }},
6270 { &hf_netlogon_len, {
6271 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6272 NULL, 0, "Length", HFILL }},
6274 { &hf_netlogon_priv, {
6275 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6276 NULL, 0, "", HFILL }},
6278 { &hf_netlogon_privilege_entries, {
6279 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6280 NULL, 0, "", HFILL }},
6282 { &hf_netlogon_privilege_control, {
6283 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6284 NULL, 0, "", HFILL }},
6286 { &hf_netlogon_privilege_name, {
6287 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6288 NULL, 0, "", HFILL }},
6290 { &hf_netlogon_pdc_connection_status, {
6291 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6292 NULL, 0, "PDC Connection Status", HFILL }},
6294 { &hf_netlogon_tc_connection_status, {
6295 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6296 NULL, 0, "TC Connection Status", HFILL }},
6298 { &hf_netlogon_attrs, {
6299 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6300 NULL, 0, "Attributes", HFILL }},
6302 { &hf_netlogon_unknown_string,
6303 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6304 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6305 { &hf_netlogon_unknown_long,
6306 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6307 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6308 { &hf_netlogon_reserved,
6309 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6310 NULL, 0x0, "Reserved", HFILL }},
6311 { &hf_netlogon_unknown_short,
6312 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6313 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6315 { &hf_netlogon_unknown_char,
6316 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6317 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6319 { &hf_netlogon_acct_expiry_time,
6320 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6321 NULL, 0x0, "When this account will expire", HFILL }},
6323 { &hf_netlogon_nt_pwd_present,
6324 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6325 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6327 { &hf_netlogon_lm_pwd_present,
6328 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6329 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6331 { &hf_netlogon_pwd_expired,
6332 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6333 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6335 { &hf_netlogon_authoritative,
6336 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6337 NULL, 0x0, "", HFILL }},
6339 { &hf_netlogon_sensitive_data_flag,
6340 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6341 NULL, 0x0, "Sensitive data flag", HFILL }},
6343 { &hf_netlogon_auditing_mode,
6344 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6345 NULL, 0x0, "Auditing Mode", HFILL }},
6347 { &hf_netlogon_max_audit_event_count,
6348 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6349 NULL, 0x0, "Max audit event count", HFILL }},
6351 { &hf_netlogon_event_audit_option,
6352 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6353 NULL, 0x0, "Event audit option", HFILL }},
6355 { &hf_netlogon_sensitive_data_len,
6356 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6357 NULL, 0x0, "Length of sensitive data", HFILL }},
6359 { &hf_netlogon_nt_chal_resp,
6360 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6361 NULL, 0, "Challenge response for NT authentication", HFILL }},
6363 { &hf_netlogon_lm_chal_resp,
6364 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6365 NULL, 0, "Challenge response for LM authentication", HFILL }},
6367 { &hf_netlogon_cipher_len,
6368 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6369 NULL, 0, "", HFILL }},
6371 { &hf_netlogon_cipher_maxlen,
6372 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6373 NULL, 0, "", HFILL }},
6375 { &hf_netlogon_pac_data,
6376 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6377 NULL, 0, "Pac Data", HFILL }},
6379 { &hf_netlogon_sensitive_data,
6380 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6381 NULL, 0, "Sensitive Data", HFILL }},
6383 { &hf_netlogon_auth_data,
6384 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6385 NULL, 0, "Auth Data", HFILL }},
6387 { &hf_netlogon_cipher_current_data,
6388 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6389 NULL, 0, "", HFILL }},
6391 { &hf_netlogon_cipher_old_data,
6392 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6393 NULL, 0, "", HFILL }},
6395 { &hf_netlogon_acct_name,
6396 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6397 NULL, 0, "Account Name", HFILL }},
6399 { &hf_netlogon_acct_desc,
6400 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6401 NULL, 0, "Account Description", HFILL }},
6403 { &hf_netlogon_group_desc,
6404 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6405 NULL, 0, "Group Description", HFILL }},
6407 { &hf_netlogon_full_name,
6408 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6409 NULL, 0, "Full Name", HFILL }},
6411 { &hf_netlogon_comment,
6412 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6413 NULL, 0, "Comment", HFILL }},
6415 { &hf_netlogon_parameters,
6416 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6417 NULL, 0, "Parameters", HFILL }},
6419 { &hf_netlogon_logon_script,
6420 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6421 NULL, 0, "Logon Script", HFILL }},
6423 { &hf_netlogon_profile_path,
6424 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6425 NULL, 0, "Profile Path", HFILL }},
6427 { &hf_netlogon_home_dir,
6428 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6429 NULL, 0, "Home Directory", HFILL }},
6431 { &hf_netlogon_dir_drive,
6432 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6433 NULL, 0, "Drive letter for home directory", HFILL }},
6435 { &hf_netlogon_logon_srv,
6436 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6437 NULL, 0, "Server", HFILL }},
6439 { &hf_netlogon_principal,
6440 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6441 NULL, 0, "Principal", HFILL }},
6443 { &hf_netlogon_logon_dom,
6444 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6445 NULL, 0, "Domain", HFILL }},
6447 { &hf_netlogon_computer_name,
6448 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6449 NULL, 0, "Computer Name", HFILL }},
6451 { &hf_netlogon_site_name,
6452 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6453 NULL, 0, "Site Name", HFILL }},
6455 { &hf_netlogon_dc_name,
6456 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6457 NULL, 0, "DC Name", HFILL }},
6459 { &hf_netlogon_dc_site_name,
6460 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6461 NULL, 0, "DC Site Name", HFILL }},
6463 { &hf_netlogon_dns_forest_name,
6464 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6465 NULL, 0, "DNS Forest Name", HFILL }},
6467 { &hf_netlogon_dc_address,
6468 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6469 NULL, 0, "DC Address", HFILL }},
6471 { &hf_netlogon_dc_address_type,
6472 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6473 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6475 { &hf_netlogon_client_site_name,
6476 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6477 NULL, 0, "Client Site Name", HFILL }},
6479 { &hf_netlogon_workstation_site_name,
6480 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6481 NULL, 0, "Workstation Site Name", HFILL }},
6483 { &hf_netlogon_workstation,
6484 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6485 NULL, 0, "Workstation Name", HFILL }},
6487 { &hf_netlogon_workstation_os,
6488 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6489 NULL, 0, "Workstation OS", HFILL }},
6491 { &hf_netlogon_workstations,
6492 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6493 NULL, 0, "Workstations", HFILL }},
6495 { &hf_netlogon_workstation_fqdn,
6496 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6497 NULL, 0, "Workstation FQDN", HFILL }},
6499 { &hf_netlogon_group_name,
6500 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6501 NULL, 0, "Group Name", HFILL }},
6503 { &hf_netlogon_alias_name,
6504 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6505 NULL, 0, "Alias Name", HFILL }},
6507 { &hf_netlogon_dns_host,
6508 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6509 NULL, 0, "DNS Host", HFILL }},
6511 { &hf_netlogon_downlevel_domain_name,
6512 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6513 NULL, 0, "Downlevel Domain Name", HFILL }},
6515 { &hf_netlogon_dns_domain_name,
6516 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6517 NULL, 0, "DNS Domain Name", HFILL }},
6519 { &hf_netlogon_domain_name,
6520 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6521 NULL, 0, "Domain Name", HFILL }},
6523 { &hf_netlogon_oem_info,
6524 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6525 NULL, 0, "OEM Info", HFILL }},
6527 { &hf_netlogon_trusted_dc_name,
6528 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6529 NULL, 0, "Trusted DC", HFILL }},
6531 { &hf_netlogon_logonsrv_handle,
6532 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6533 NULL, 0, "Logon Srv Handle", HFILL }},
6535 { &hf_netlogon_dummy,
6536 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6537 NULL, 0, "Dummy string", HFILL }},
6539 { &hf_netlogon_logon_count16,
6540 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6541 NULL, 0x0, "Number of successful logins", HFILL }},
6543 { &hf_netlogon_logon_count,
6544 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6545 NULL, 0x0, "Number of successful logins", HFILL }},
6547 { &hf_netlogon_bad_pw_count16,
6548 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6549 NULL, 0x0, "Number of failed logins", HFILL }},
6551 { &hf_netlogon_bad_pw_count,
6552 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6553 NULL, 0x0, "Number of failed logins", HFILL }},
6555 { &hf_netlogon_country,
6556 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6557 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6559 { &hf_netlogon_codepage,
6560 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6561 NULL, 0x0, "Codepage setting for this account", HFILL }},
6563 { &hf_netlogon_level16,
6564 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6565 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6567 { &hf_netlogon_validation_level,
6568 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6569 NULL, 0x0, "Requested level of validation", HFILL }},
6571 { &hf_netlogon_minpasswdlen,
6572 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6573 NULL, 0x0, "Minimum length of password", HFILL }},
6575 { &hf_netlogon_passwdhistorylen,
6576 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6577 NULL, 0x0, "Length of password history", HFILL }},
6579 { &hf_netlogon_secure_channel_type,
6580 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
6581 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
6583 { &hf_netlogon_restart_state,
6584 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6585 NULL, 0x0, "Restart State", HFILL }},
6587 { &hf_netlogon_delta_type,
6588 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6589 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6591 { &hf_netlogon_blob_size,
6592 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6593 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6595 { &hf_netlogon_code,
6596 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6597 NULL, 0x0, "Code", HFILL }},
6599 { &hf_netlogon_level,
6600 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6601 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6603 { &hf_netlogon_reference,
6604 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6605 NULL, 0x0, "", HFILL }},
6607 { &hf_netlogon_next_reference,
6608 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6609 NULL, 0x0, "", HFILL }},
6611 { &hf_netlogon_timestamp,
6612 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6613 NULL, 0, "", HFILL }},
6615 { &hf_netlogon_user_rid,
6616 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6617 NULL, 0x0, "", HFILL }},
6619 { &hf_netlogon_alias_rid,
6620 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6621 NULL, 0x0, "", HFILL }},
6623 { &hf_netlogon_group_rid,
6624 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6625 NULL, 0x0, "", HFILL }},
6627 { &hf_netlogon_num_rids,
6628 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6629 NULL, 0x0, "Number of RIDs", HFILL }},
6631 { &hf_netlogon_num_controllers,
6632 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6633 NULL, 0x0, "Number of domain controllers", HFILL }},
6635 { &hf_netlogon_num_other_groups,
6636 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6637 NULL, 0x0, "", HFILL }},
6639 { &hf_netlogon_flags,
6640 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6641 NULL, 0x0, "", HFILL }},
6643 { &hf_netlogon_user_flags,
6644 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6645 NULL, 0x0, "", HFILL }},
6647 { &hf_netlogon_auth_flags,
6648 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6649 NULL, 0x0, "", HFILL }},
6651 { &hf_netlogon_systemflags,
6652 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6653 NULL, 0x0, "", HFILL }},
6655 { &hf_netlogon_database_id,
6656 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6657 NULL, 0x0, "Database Id", HFILL }},
6659 { &hf_netlogon_sync_context,
6660 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6661 NULL, 0x0, "Sync Context", HFILL }},
6663 { &hf_netlogon_max_size,
6664 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6665 NULL, 0x0, "Max Size of database", HFILL }},
6667 { &hf_netlogon_max_log_size,
6668 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6669 NULL, 0x0, "Max Size of log", HFILL }},
6671 { &hf_netlogon_pac_size,
6672 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6673 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6675 { &hf_netlogon_auth_size,
6676 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6677 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6679 { &hf_netlogon_num_deltas,
6680 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6681 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6683 { &hf_netlogon_num_trusts,
6684 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
6685 NULL, 0x0, "", HFILL }},
6687 { &hf_netlogon_logon_attempts,
6688 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6689 NULL, 0x0, "Number of logon attempts", HFILL }},
6691 { &hf_netlogon_pagefilelimit,
6692 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6693 NULL, 0x0, "", HFILL }},
6695 { &hf_netlogon_pagedpoollimit,
6696 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6697 NULL, 0x0, "", HFILL }},
6699 { &hf_netlogon_nonpagedpoollimit,
6700 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6701 NULL, 0x0, "", HFILL }},
6703 { &hf_netlogon_minworkingsetsize,
6704 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6705 NULL, 0x0, "", HFILL }},
6707 { &hf_netlogon_maxworkingsetsize,
6708 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6709 NULL, 0x0, "", HFILL }},
6711 { &hf_netlogon_serial_number,
6712 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6713 NULL, 0x0, "", HFILL }},
6715 { &hf_netlogon_neg_flags,
6716 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6717 NULL, 0x0, "Negotiation Flags", HFILL }},
6719 { &hf_netlogon_dc_flags,
6720 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
6721 NULL, 0x0, "Domain Controller Flags", HFILL }},
6723 { &hf_netlogon_dc_flags_pdc_flag,
6724 { "PDC", "netlogon.dc.flags.pdc",
6725 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
6726 "If this server is a PDC", HFILL }},
6728 { &hf_netlogon_dc_flags_gc_flag,
6729 { "GC", "netlogon.dc.flags.gc",
6730 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
6731 "If this server is a GC", HFILL }},
6733 { &hf_netlogon_dc_flags_ldap_flag,
6734 { "LDAP", "netlogon.dc.flags.ldap",
6735 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
6736 "If this is an LDAP server", HFILL }},
6738 { &hf_netlogon_dc_flags_ds_flag,
6739 { "DS", "netlogon.dc.flags.ds",
6740 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
6741 "If this server is a DS", HFILL }},
6743 { &hf_netlogon_dc_flags_kdc_flag,
6744 { "KDC", "netlogon.dc.flags.kdc",
6745 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
6746 "If this is a KDC", HFILL }},
6748 { &hf_netlogon_dc_flags_timeserv_flag,
6749 { "Timeserv", "netlogon.dc.flags.timeserv",
6750 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
6751 "If this server is a TimeServer", HFILL }},
6753 { &hf_netlogon_dc_flags_closest_flag,
6754 { "Closest", "netlogon.dc.flags.closest",
6755 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
6756 "If this is the closest server", HFILL }},
6758 { &hf_netlogon_dc_flags_writable_flag,
6759 { "Writable", "netlogon.dc.flags.writable",
6760 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
6761 "If this server can do updates to the database", HFILL }},
6763 { &hf_netlogon_dc_flags_good_timeserv_flag,
6764 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
6765 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
6766 "If this is a Good TimeServer", HFILL }},
6768 { &hf_netlogon_dc_flags_ndnc_flag,
6769 { "NDNC", "netlogon.dc.flags.ndnc",
6770 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
6771 "If this is an NDNC server", HFILL }},
6773 { &hf_netlogon_dc_flags_dns_controller_flag,
6774 { "DNS Controller", "netlogon.dc.flags.dns_controller",
6775 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
6776 "If this server is a DNS Controller", HFILL }},
6778 { &hf_netlogon_dc_flags_dns_domain_flag,
6779 { "DNS Domain", "netlogon.dc.flags.dns_domain",
6780 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
6783 { &hf_netlogon_dc_flags_dns_forest_flag,
6784 { "DNS Forest", "netlogon.dc.flags.dns_forest",
6785 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
6788 { &hf_netlogon_get_dcname_request_flags,
6789 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
6790 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
6792 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
6793 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
6794 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
6795 "Whether to allow the server to returned cached information or not", HFILL }},
6797 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
6798 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
6799 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
6800 "Whether we require that the returned DC supports w2k or not", HFILL }},
6802 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
6803 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
6804 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
6805 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
6807 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
6808 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
6809 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
6810 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
6812 { &hf_netlogon_get_dcname_request_flags_pdc_required,
6813 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
6814 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
6815 "Whether we require the returned DC to be the PDC", HFILL }},
6817 { &hf_netlogon_get_dcname_request_flags_background_only,
6818 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
6819 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
6820 "If we want cached data, even if it may have expired", HFILL }},
6822 { &hf_netlogon_get_dcname_request_flags_ip_required,
6823 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
6824 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
6825 "If we requre the IP of the DC in the reply", HFILL }},
6827 { &hf_netlogon_get_dcname_request_flags_kdc_required,
6828 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
6829 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
6830 "If we require that the returned server is a KDC", HFILL }},
6832 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
6833 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
6834 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
6835 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
6837 { &hf_netlogon_get_dcname_request_flags_writable_required,
6838 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
6839 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
6840 "If we require that the return server is writable", HFILL }},
6842 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
6843 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
6844 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
6845 "If we prefer Windows Time Servers", HFILL }},
6847 { &hf_netlogon_get_dcname_request_flags_avoid_self,
6848 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
6849 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
6850 "Return another DC than the one we ask", HFILL }},
6852 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
6853 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
6854 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
6855 "We just want an LDAP server, it does not have to be a DC", HFILL }},
6857 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
6858 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
6859 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
6860 "If the specified domain name is a NetBIOS name", HFILL }},
6862 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
6863 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
6864 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
6865 "If the specified domain name is a DNS name", HFILL }},
6867 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
6868 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
6869 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
6870 "Only return a DNS name (or an error)", HFILL }},
6872 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
6873 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
6874 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
6875 "Only return a NetBIOS name (or an error)", HFILL }},
6877 { &hf_netlogon_trust_attribs,
6878 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
6879 NULL, 0x0, "Trust Attributes", HFILL }},
6881 { &hf_netlogon_trust_type,
6882 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
6883 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
6885 { &hf_netlogon_trust_flags,
6886 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
6887 NULL, 0x0, "Trust Flags", HFILL }},
6889 { &hf_netlogon_trust_flags_inbound,
6890 { "Inbound Trust", "netlogon.trust.flags.inbound",
6891 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
6892 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
6894 { &hf_netlogon_trust_flags_outbound,
6895 { "Outbound Trust", "netlogon.trust.flags.outbound",
6896 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
6897 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
6899 { &hf_netlogon_trust_flags_in_forest,
6900 { "In Forest", "netlogon.trust.flags.in_forest",
6901 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
6902 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
6904 { &hf_netlogon_trust_flags_native_mode,
6905 { "Native Mode", "netlogon.trust.flags.native_mode",
6906 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
6907 "Whether the domain is a w2k native mode domain or not", HFILL }},
6909 { &hf_netlogon_trust_flags_primary,
6910 { "Primary", "netlogon.trust.flags.primary",
6911 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
6912 "Whether the domain is the primary domain for the queried server or not", HFILL }},
6914 { &hf_netlogon_trust_flags_tree_root,
6915 { "Tree Root", "netlogon.trust.flags.tree_root",
6916 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
6917 "Whether the domain is the root of the tree for the queried server", HFILL }},
6919 { &hf_netlogon_trust_parent_index,
6920 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
6921 NULL, 0x0, "Parent Index", HFILL }},
6923 { &hf_netlogon_logon_time,
6924 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6925 NULL, 0, "Time for last time this user logged on", HFILL }},
6927 { &hf_netlogon_kickoff_time,
6928 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6929 NULL, 0, "Time when this user will be kicked off", HFILL }},
6931 { &hf_netlogon_logoff_time,
6932 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6933 NULL, 0, "Time for last time this user logged off", HFILL }},
6935 { &hf_netlogon_pwd_last_set_time,
6936 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6937 NULL, 0, "Last time this users password was changed", HFILL }},
6939 { &hf_netlogon_pwd_can_change_time,
6940 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6941 NULL, 0, "When this users password may be changed", HFILL }},
6943 { &hf_netlogon_pwd_must_change_time,
6944 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6945 NULL, 0, "When this users password must be changed", HFILL }},
6947 { &hf_netlogon_domain_create_time,
6948 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6949 NULL, 0, "Time when this domain was created", HFILL }},
6951 { &hf_netlogon_domain_modify_time,
6952 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6953 NULL, 0, "Time when this domain was last modified", HFILL }},
6955 { &hf_netlogon_db_modify_time,
6956 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6957 NULL, 0, "Time when last modified", HFILL }},
6959 { &hf_netlogon_db_create_time,
6960 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6961 NULL, 0, "Time when created", HFILL }},
6963 { &hf_netlogon_cipher_current_set_time,
6964 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6965 NULL, 0, "Time when current cipher was initiated", HFILL }},
6967 { &hf_netlogon_cipher_old_set_time,
6968 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6969 NULL, 0, "Time when previous cipher was initiated", HFILL }},
6971 { &hf_netlogon_audit_retention_period,
6972 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6973 NULL, 0, "Audit retention period", HFILL }},
6975 { &hf_netlogon_guid,
6976 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
6977 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
6979 { &hf_netlogon_timelimit,
6980 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6981 NULL, 0, "", HFILL }},
6983 /* Secure channel dissection */
6985 { &hf_netlogon_secchan_bind_unknown1,
6986 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
6987 NULL, 0x0, "", HFILL }},
6989 { &hf_netlogon_secchan_bind_unknown2,
6990 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
6991 NULL, 0x0, "", HFILL }},
6993 { &hf_netlogon_secchan_domain,
6994 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
6995 NULL, 0, "", HFILL }},
6997 { &hf_netlogon_secchan_host,
6998 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
6999 NULL, 0, "", HFILL }},
7001 { &hf_netlogon_secchan_bind_ack_unknown1,
7002 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
7003 BASE_HEX, NULL, 0x0, "", HFILL }},
7005 { &hf_netlogon_secchan_bind_ack_unknown2,
7006 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
7007 BASE_HEX, NULL, 0x0, "", HFILL }},
7009 { &hf_netlogon_secchan_bind_ack_unknown3,
7010 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
7011 BASE_HEX, NULL, 0x0, "", HFILL }},
7013 { &hf_netlogon_secchan_verf,
7014 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
7015 NULL, 0x0, "Verifier", HFILL }},
7017 { &hf_netlogon_secchan_verf_sig,
7018 { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL,
7019 0x0, "Signature", HFILL }},
7021 { &hf_netlogon_secchan_verf_unk,
7022 { "Unknown", "netlogon.secchan.unk", FT_BYTES, BASE_HEX, NULL,
7023 0x0, "Unknown", HFILL }},
7025 { &hf_netlogon_secchan_verf_seq,
7026 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL,
7027 0x0, "Sequence No", HFILL }},
7029 { &hf_netlogon_secchan_verf_nonce,
7030 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL,
7031 0x0, "Nonce", HFILL }},
7034 static gint *ett[] = {
7035 &ett_dcerpc_netlogon,
7041 &ett_DOMAIN_CONTROLLER_INFO,
7042 &ett_UNICODE_STRING_512,
7045 &ett_DELTA_ID_UNION,
7048 &ett_LM_OWF_PASSWORD,
7049 &ett_NT_OWF_PASSWORD,
7050 &ett_GROUP_MEMBERSHIP,
7051 &ett_DS_DOMAIN_TRUSTS,
7053 &ett_DOMAIN_TRUST_INFO,
7055 &ett_get_dcname_request_flags,
7057 &ett_secchan_bind_creds,
7058 &ett_secchan_bind_ack_creds,
7062 proto_dcerpc_netlogon = proto_register_protocol(
7063 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7065 proto_register_field_array(proto_dcerpc_netlogon, hf,
7067 proto_register_subtree_array(ett, array_length(ett));
7070 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
7071 dissect_secchan_bind_creds, /* Bind */
7072 dissect_secchan_bind_ack_creds, /* Bind ACK */
7074 dissect_secchan_verf, /* Request verifier */
7075 dissect_secchan_verf, /* Response verifier */
7076 NULL, /* Request data */
7077 NULL /* Response data */
7081 proto_reg_handoff_dcerpc_netlogon(void)
7083 /* Register protocol as dcerpc */
7085 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7086 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7087 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
7089 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
7090 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7092 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
7093 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,