1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.97 2004/03/05 23:12:09 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_logon_count = -1;
116 static int hf_netlogon_logon_count16 = -1;
117 static int hf_netlogon_bad_pw_count = -1;
118 static int hf_netlogon_bad_pw_count16 = -1;
119 static int hf_netlogon_user_rid = -1;
120 static int hf_netlogon_alias_rid = -1;
121 static int hf_netlogon_group_rid = -1;
122 static int hf_netlogon_logon_srv = -1;
123 static int hf_netlogon_principal = -1;
124 static int hf_netlogon_logon_dom = -1;
125 static int hf_netlogon_resourcegroupdomainsid = -1;
126 static int hf_netlogon_resourcegroupcount = -1;
127 static int hf_netlogon_downlevel_domain_name = -1;
128 static int hf_netlogon_dns_domain_name = -1;
129 static int hf_netlogon_domain_name = -1;
130 static int hf_netlogon_domain_create_time = -1;
131 static int hf_netlogon_domain_modify_time = -1;
132 static int hf_netlogon_modify_count = -1;
133 static int hf_netlogon_db_modify_time = -1;
134 static int hf_netlogon_db_create_time = -1;
135 static int hf_netlogon_oem_info = -1;
136 static int hf_netlogon_serial_number = -1;
137 static int hf_netlogon_num_rids = -1;
138 static int hf_netlogon_num_trusts = -1;
139 static int hf_netlogon_num_controllers = -1;
140 static int hf_netlogon_num_other_groups = -1;
141 static int hf_netlogon_computer_name = -1;
142 static int hf_netlogon_site_name = -1;
143 static int hf_netlogon_trusted_dc_name = -1;
144 static int hf_netlogon_dc_name = -1;
145 static int hf_netlogon_dc_site_name = -1;
146 static int hf_netlogon_dns_forest_name = -1;
147 static int hf_netlogon_dc_address = -1;
148 static int hf_netlogon_dc_address_type = -1;
149 static int hf_netlogon_client_site_name = -1;
150 static int hf_netlogon_workstation = -1;
151 static int hf_netlogon_workstation_site_name = -1;
152 static int hf_netlogon_workstation_os = -1;
153 static int hf_netlogon_workstations = -1;
154 static int hf_netlogon_workstation_fqdn = -1;
155 static int hf_netlogon_group_name = -1;
156 static int hf_netlogon_alias_name = -1;
157 static int hf_netlogon_country = -1;
158 static int hf_netlogon_codepage = -1;
159 static int hf_netlogon_flags = -1;
160 static int hf_netlogon_trust_attribs = -1;
161 static int hf_netlogon_trust_type = -1;
162 static int hf_netlogon_trust_flags = -1;
163 static int hf_netlogon_trust_flags_inbound = -1;
164 static int hf_netlogon_trust_flags_outbound = -1;
165 static int hf_netlogon_trust_flags_in_forest = -1;
166 static int hf_netlogon_trust_flags_native_mode = -1;
167 static int hf_netlogon_trust_flags_primary = -1;
168 static int hf_netlogon_trust_flags_tree_root = -1;
169 static int hf_netlogon_trust_parent_index = -1;
170 static int hf_netlogon_user_flags = -1;
171 static int hf_netlogon_auth_flags = -1;
172 static int hf_netlogon_pwd_expired = -1;
173 static int hf_netlogon_nt_pwd_present = -1;
174 static int hf_netlogon_lm_pwd_present = -1;
175 static int hf_netlogon_code = -1;
176 static int hf_netlogon_database_id = -1;
177 static int hf_netlogon_sync_context = -1;
178 static int hf_netlogon_max_size = -1;
179 static int hf_netlogon_max_log_size = -1;
180 static int hf_netlogon_dns_host = -1;
181 static int hf_netlogon_acct_expiry_time = -1;
182 static int hf_netlogon_encrypted_lm_owf_password = -1;
183 static int hf_netlogon_lm_owf_password = -1;
184 static int hf_netlogon_nt_owf_password = -1;
185 static int hf_netlogon_param_ctrl = -1;
186 static int hf_netlogon_logon_id = -1;
187 static int hf_netlogon_num_deltas = -1;
188 static int hf_netlogon_user_session_key = -1;
189 static int hf_netlogon_blob_size = -1;
190 static int hf_netlogon_blob = -1;
191 static int hf_netlogon_logon_attempts = -1;
192 static int hf_netlogon_authoritative = -1;
193 static int hf_netlogon_secure_channel_type = -1;
194 static int hf_netlogon_logonsrv_handle = -1;
195 static int hf_netlogon_delta_type = -1;
196 static int hf_netlogon_get_dcname_request_flags = -1;
197 static int hf_netlogon_get_dcname_request_flags_force_rediscovery = -1;
198 static int hf_netlogon_get_dcname_request_flags_directory_service_required = -1;
199 static int hf_netlogon_get_dcname_request_flags_directory_service_preferred = -1;
200 static int hf_netlogon_get_dcname_request_flags_gc_server_required = -1;
201 static int hf_netlogon_get_dcname_request_flags_pdc_required = -1;
202 static int hf_netlogon_get_dcname_request_flags_background_only = -1;
203 static int hf_netlogon_get_dcname_request_flags_ip_required = -1;
204 static int hf_netlogon_get_dcname_request_flags_kdc_required = -1;
205 static int hf_netlogon_get_dcname_request_flags_timeserv_required = -1;
206 static int hf_netlogon_get_dcname_request_flags_writable_required = -1;
207 static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred = -1;
208 static int hf_netlogon_get_dcname_request_flags_avoid_self = -1;
209 static int hf_netlogon_get_dcname_request_flags_only_ldap_needed = -1;
210 static int hf_netlogon_get_dcname_request_flags_is_flat_name = -1;
211 static int hf_netlogon_get_dcname_request_flags_is_dns_name = -1;
212 static int hf_netlogon_get_dcname_request_flags_return_dns_name = -1;
213 static int hf_netlogon_get_dcname_request_flags_return_flat_name = -1;
214 static int hf_netlogon_dc_flags = -1;
215 static int hf_netlogon_dc_flags_pdc_flag = -1;
216 static int hf_netlogon_dc_flags_gc_flag = -1;
217 static int hf_netlogon_dc_flags_ldap_flag = -1;
218 static int hf_netlogon_dc_flags_ds_flag = -1;
219 static int hf_netlogon_dc_flags_kdc_flag = -1;
220 static int hf_netlogon_dc_flags_timeserv_flag = -1;
221 static int hf_netlogon_dc_flags_closest_flag = -1;
222 static int hf_netlogon_dc_flags_writable_flag = -1;
223 static int hf_netlogon_dc_flags_good_timeserv_flag = -1;
224 static int hf_netlogon_dc_flags_ndnc_flag = -1;
225 static int hf_netlogon_dc_flags_dns_controller_flag = -1;
226 static int hf_netlogon_dc_flags_dns_domain_flag = -1;
227 static int hf_netlogon_dc_flags_dns_forest_flag = -1;
229 static gint ett_dcerpc_netlogon = -1;
230 static gint ett_QUOTA_LIMITS = -1;
231 static gint ett_IDENTITY_INFO = -1;
232 static gint ett_DELTA_ENUM = -1;
233 static gint ett_CYPHER_VALUE = -1;
234 static gint ett_UNICODE_MULTI = -1;
235 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
236 static gint ett_UNICODE_STRING_512 = -1;
237 static gint ett_TYPE_50 = -1;
238 static gint ett_TYPE_52 = -1;
239 static gint ett_DELTA_ID_UNION = -1;
240 static gint ett_TYPE_44 = -1;
241 static gint ett_DELTA_UNION = -1;
242 static gint ett_LM_OWF_PASSWORD = -1;
243 static gint ett_NT_OWF_PASSWORD = -1;
244 static gint ett_GROUP_MEMBERSHIP = -1;
245 static gint ett_BLOB = -1;
246 static gint ett_DS_DOMAIN_TRUSTS = -1;
247 static gint ett_DOMAIN_TRUST_INFO = -1;
248 static gint ett_trust_flags = -1;
249 static gint ett_get_dcname_request_flags = -1;
250 static gint ett_dc_flags = -1;
252 static e_uuid_t uuid_dcerpc_netlogon = {
253 0x12345678, 0x1234, 0xabcd,
254 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
257 static guint16 ver_dcerpc_netlogon = 1;
262 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
263 packet_info *pinfo, proto_tree *tree,
266 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
267 NDR_POINTER_UNIQUE, "Server Handle",
268 hf_netlogon_logonsrv_handle, 0);
274 * IDL typedef struct {
275 * IDL [unique][string] wchar_t *effective_name;
277 * IDL long auth_flags;
278 * IDL long logon_count;
279 * IDL long bad_pw_count;
280 * IDL long last_logon;
281 * IDL long last_logoff;
282 * IDL long logoff_time;
283 * IDL long kickoff_time;
284 * IDL long password_age;
285 * IDL long pw_can_change;
286 * IDL long pw_must_change;
287 * IDL [unique][string] wchar_t *computer;
288 * IDL [unique][string] wchar_t *domain;
289 * IDL [unique][string] wchar_t *script_path;
293 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
294 packet_info *pinfo, proto_tree *tree,
299 di=pinfo->private_data;
300 if(di->conformant_run){
301 /*just a run to handle conformant arrays, nothing to dissect */
305 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
306 NDR_POINTER_UNIQUE, "Effective Account",
307 hf_netlogon_acct_name, 0);
309 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
310 hf_netlogon_priv, NULL);
312 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
313 hf_netlogon_auth_flags, NULL);
315 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
316 hf_netlogon_logon_count, NULL);
318 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
319 hf_netlogon_bad_pw_count, NULL);
321 /* XXX - are these all UNIX "time_t"s, like the time stamps in
324 Or are they, as per some RAP-based operations, UTIMEs? */
325 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
328 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
331 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
334 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
337 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
340 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
343 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
346 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
347 NDR_POINTER_UNIQUE, "Computer", hf_netlogon_computer_name, 0);
349 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
350 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
352 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
353 NDR_POINTER_UNIQUE, "Script", hf_netlogon_logon_script, 0);
355 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
356 hf_netlogon_reserved, NULL);
362 * IDL long NetrLogonUasLogon(
363 * IDL [in][unique][string] wchar_t *ServerName,
364 * IDL [in][ref][string] wchar_t *UserName,
365 * IDL [in][ref][string] wchar_t *Workstation,
366 * IDL [out][unique] VALIDATION_UAS_INFO *info
370 netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
371 packet_info *pinfo, proto_tree *tree, guint8 *drep)
373 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
376 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
377 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
379 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
380 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
387 netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
388 packet_info *pinfo, proto_tree *tree, guint8 *drep)
390 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
391 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
392 "VALIDATION_UAS_INFO", -1);
394 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
395 hf_netlogon_rc, NULL);
401 * IDL typedef struct {
403 * IDL short logon_count;
404 * IDL } LOGOFF_UAS_INFO;
407 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
408 packet_info *pinfo, proto_tree *tree,
413 di=pinfo->private_data;
414 if(di->conformant_run){
415 /*just a run to handle conformant arrays, nothing to dissect */
419 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
422 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
423 hf_netlogon_logon_count16, NULL);
429 * IDL long NetrLogonUasLogoff(
430 * IDL [in][unique][string] wchar_t *ServerName,
431 * IDL [in][ref][string] wchar_t *UserName,
432 * IDL [in][ref][string] wchar_t *Workstation,
433 * IDL [out][ref] LOGOFF_UAS_INFO *info
437 netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
438 packet_info *pinfo, proto_tree *tree, guint8 *drep)
440 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
443 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
444 NDR_POINTER_REF, "Account", hf_netlogon_acct_name, 0);
446 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
447 NDR_POINTER_REF, "Workstation", hf_netlogon_workstation, 0);
454 netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
455 packet_info *pinfo, proto_tree *tree, guint8 *drep)
457 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
458 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
459 "LOGOFF_UAS_INFO", -1);
461 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
462 hf_netlogon_rc, NULL);
471 * IDL typedef struct {
472 * IDL UNICODESTRING LogonDomainName;
473 * IDL long ParameterControl;
474 * IDL uint64 LogonID;
475 * IDL UNICODESTRING UserName;
476 * IDL UNICODESTRING Workstation;
477 * IDL } LOGON_IDENTITY_INFO;
480 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
481 packet_info *pinfo, proto_tree *parent_tree,
484 proto_item *item=NULL;
485 proto_tree *tree=NULL;
486 int old_offset=offset;
489 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
491 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
494 /* XXX: It would be nice to get the domain and account name
495 displayed in COL_INFO. */
497 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
498 hf_netlogon_logon_dom, 0);
500 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
501 hf_netlogon_param_ctrl, NULL);
503 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
504 hf_netlogon_logon_id, NULL);
506 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
507 hf_netlogon_acct_name, 0);
509 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
510 hf_netlogon_workstation, 0);
513 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
514 /* XXX 8 extra bytes here */
515 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
516 the idl file. Could be a bug in either the NETLOGON implementation or in the
519 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
522 proto_item_set_len(item, offset-old_offset);
528 * IDL typedef struct {
529 * IDL char password[16];
530 * IDL } LM_OWF_PASSWORD;
533 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
534 packet_info *pinfo, proto_tree *parent_tree,
537 proto_item *item=NULL;
538 proto_tree *tree=NULL;
541 di=pinfo->private_data;
542 if(di->conformant_run){
543 /*just a run to handle conformant arrays, nothing to dissect.*/
548 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
550 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
553 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
561 * IDL typedef struct {
562 * IDL char password[16];
563 * IDL } NT_OWF_PASSWORD;
566 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
567 packet_info *pinfo, proto_tree *parent_tree,
570 proto_item *item=NULL;
571 proto_tree *tree=NULL;
574 di=pinfo->private_data;
575 if(di->conformant_run){
576 /*just a run to handle conformant arrays, nothing to dissect.*/
581 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
583 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
586 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
595 * IDL typedef struct {
596 * IDL LOGON_IDENTITY_INFO identity_info;
597 * IDL LM_OWF_PASSWORD lmpassword;
598 * IDL NT_OWF_PASSWORD ntpassword;
599 * IDL } INTERACTIVE_INFO;
602 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
603 packet_info *pinfo, proto_tree *tree,
606 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
609 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
612 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
619 * IDL typedef struct {
624 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
625 packet_info *pinfo, proto_tree *tree,
630 di=pinfo->private_data;
631 if(di->conformant_run){
632 /*just a run to handle conformant arrays, nothing to dissect.*/
636 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
644 * IDL typedef struct {
645 * IDL LOGON_IDENTITY_INFO logon_info;
646 * IDL CHALLENGE chal;
647 * IDL STRING ntchallengeresponse;
648 * IDL STRING lmchallengeresponse;
649 * IDL } NETWORK_INFO;
652 static void dissect_nt_chal_resp_cb(packet_info *pinfo _U_, proto_tree *tree,
653 proto_item *item _U_, tvbuff_t *tvb,
654 int start_offset, int end_offset,
655 void *callback_args _U_)
659 /* Skip over 3 guint32's in NDR format */
661 if (start_offset % 4)
662 start_offset += 4 - (start_offset % 4);
665 len = end_offset - start_offset;
667 /* Call ntlmv2 response dissector */
670 dissect_ntlmv2_response(tvb, tree, start_offset, len);
674 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
675 packet_info *pinfo, proto_tree *tree,
678 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
681 offset = netlogon_dissect_CHALLENGE(tvb, offset,
684 offset = dissect_ndr_counted_byte_array_cb(
685 tvb, offset, pinfo, tree, drep, hf_netlogon_nt_chal_resp,
686 dissect_nt_chal_resp_cb, NULL);
688 offset = dissect_ndr_counted_byte_array(tvb, offset, pinfo, tree, drep,
689 hf_netlogon_lm_chal_resp);
695 * IDL typedef struct {
696 * IDL LOGON_IDENTITY_INFO logon_info;
697 * IDL LM_OWF_PASSWORD lmpassword;
698 * IDL NT_OWF_PASSWORD ntpassword;
699 * IDL } SERVICE_INFO;
702 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
703 packet_info *pinfo, proto_tree *tree,
706 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
709 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
712 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
719 * IDL typedef [switch_type(short)] union {
720 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
721 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
722 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
726 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
727 packet_info *pinfo, proto_tree *tree,
732 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
733 hf_netlogon_level16, &level);
738 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
739 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
740 "INTERACTIVE_INFO:", -1);
743 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
744 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
745 "NETWORK_INFO:", -1);
748 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
749 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
750 "SERVICE_INFO:", -1);
758 * IDL typedef struct {
763 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
764 packet_info *pinfo, proto_tree *tree,
769 di=pinfo->private_data;
770 if(di->conformant_run){
771 /*just a run to handle conformant arrays, nothing to dissect.*/
775 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
784 * IDL typedef struct {
785 * IDL CREDENTIAL cred;
786 * IDL long timestamp;
787 * IDL } AUTHENTICATOR;
790 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
791 packet_info *pinfo, proto_tree *tree,
797 di=pinfo->private_data;
798 if(di->conformant_run){
799 /*just a run to handle conformant arrays, nothing to dissect */
803 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
807 * XXX - this appears to be a UNIX time_t in some credentials, but
808 * appears to be random junk in other credentials.
809 * For example, it looks like a UNIX time_t in "credential"
810 * AUTHENTICATORs, but like random junk in "return_authenticator"
814 ts.secs = tvb_get_letohl(tvb, offset);
816 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
824 * IDL typedef struct {
826 * IDL long attributes;
827 * IDL } GROUP_MEMBERSHIP;
830 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
831 packet_info *pinfo, proto_tree *parent_tree,
834 proto_item *item=NULL;
835 proto_tree *tree=NULL;
838 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
839 "GROUP_MEMBERSHIP:");
840 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
843 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
844 hf_netlogon_group_rid, NULL);
846 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
847 hf_netlogon_attrs, NULL);
853 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
854 packet_info *pinfo, proto_tree *tree,
857 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
858 netlogon_dissect_GROUP_MEMBERSHIP);
864 * IDL typedef struct {
865 * IDL char user_session_key[16];
866 * IDL } USER_SESSION_KEY;
869 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
870 packet_info *pinfo, proto_tree *tree,
875 di=pinfo->private_data;
876 if(di->conformant_run){
877 /*just a run to handle conformant arrays, nothing to dissect.*/
881 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
889 * IDL typedef struct {
890 * IDL uint64 LogonTime;
891 * IDL uint64 LogoffTime;
892 * IDL uint64 KickOffTime;
893 * IDL uint64 PasswdLastSet;
894 * IDL uint64 PasswdCanChange;
895 * IDL uint64 PasswdMustChange;
896 * IDL unicodestring effectivename;
897 * IDL unicodestring fullname;
898 * IDL unicodestring logonscript;
899 * IDL unicodestring profilepath;
900 * IDL unicodestring homedirectory;
901 * IDL unicodestring homedirectorydrive;
902 * IDL short LogonCount;
903 * IDL short BadPasswdCount;
905 * IDL long primarygroup;
906 * IDL long groupcount;
907 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
908 * IDL long userflags;
909 * IDL USER_SESSION_KEY key;
910 * IDL unicodestring logonserver;
911 * IDL unicodestring domainname;
912 * IDL [unique] SID logondomainid;
913 * IDL long expansionroom[10];
914 * IDL } VALIDATION_SAM_INFO;
917 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
918 packet_info *pinfo, proto_tree *tree,
923 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
924 hf_netlogon_logon_time);
926 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
927 hf_netlogon_logoff_time);
929 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
930 hf_netlogon_kickoff_time);
932 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
933 hf_netlogon_pwd_last_set_time);
935 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
936 hf_netlogon_pwd_can_change_time);
938 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
939 hf_netlogon_pwd_must_change_time);
941 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
942 hf_netlogon_acct_name, 0);
944 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
945 hf_netlogon_full_name, 0);
947 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
948 hf_netlogon_logon_script, 0);
950 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
951 hf_netlogon_profile_path, 0);
953 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
954 hf_netlogon_home_dir, 0);
956 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
957 hf_netlogon_dir_drive, 0);
959 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
960 hf_netlogon_logon_count16, NULL);
962 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
963 hf_netlogon_bad_pw_count16, NULL);
965 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
966 hf_netlogon_user_rid, NULL);
968 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
969 hf_netlogon_group_rid, NULL);
971 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
972 hf_netlogon_num_rids, NULL);
974 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
975 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
976 "GROUP_MEMBERSHIP_ARRAY", -1);
978 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
979 hf_netlogon_user_flags, NULL);
981 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
984 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
985 hf_netlogon_logon_srv, 0);
987 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
988 hf_netlogon_logon_dom, 0);
990 offset = dissect_ndr_nt_PSID(tvb, offset,
991 pinfo, tree, drep, -1);
994 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
995 hf_netlogon_reserved, NULL);
1004 * IDL typedef struct {
1005 * IDL uint64 LogonTime;
1006 * IDL uint64 LogoffTime;
1007 * IDL uint64 KickOffTime;
1008 * IDL uint64 PasswdLastSet;
1009 * IDL uint64 PasswdCanChange;
1010 * IDL uint64 PasswdMustChange;
1011 * IDL unicodestring effectivename;
1012 * IDL unicodestring fullname;
1013 * IDL unicodestring logonscript;
1014 * IDL unicodestring profilepath;
1015 * IDL unicodestring homedirectory;
1016 * IDL unicodestring homedirectorydrive;
1017 * IDL short LogonCount;
1018 * IDL short BadPasswdCount;
1020 * IDL long primarygroup;
1021 * IDL long groupcount;
1022 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1023 * IDL long userflags;
1024 * IDL USER_SESSION_KEY key;
1025 * IDL unicodestring logonserver;
1026 * IDL unicodestring domainname;
1027 * IDL [unique] SID logondomainid;
1028 * IDL long expansionroom[10];
1029 * IDL long sidcount;
1030 * IDL [unique] SID_AND_ATTRIBS;
1031 * IDL } VALIDATION_SAM_INFO2;
1034 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1035 packet_info *pinfo, proto_tree *tree,
1040 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1041 hf_netlogon_logon_time);
1043 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1044 hf_netlogon_logoff_time);
1046 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1047 hf_netlogon_kickoff_time);
1049 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1050 hf_netlogon_pwd_last_set_time);
1052 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1053 hf_netlogon_pwd_can_change_time);
1055 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1056 hf_netlogon_pwd_must_change_time);
1058 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1059 hf_netlogon_acct_name, 0);
1061 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1062 hf_netlogon_full_name, 0);
1064 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1065 hf_netlogon_logon_script, 0);
1067 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1068 hf_netlogon_profile_path, 0);
1070 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1071 hf_netlogon_home_dir, 0);
1073 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1074 hf_netlogon_dir_drive, 0);
1076 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1077 hf_netlogon_logon_count16, NULL);
1079 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1080 hf_netlogon_bad_pw_count16, NULL);
1082 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1083 hf_netlogon_user_rid, NULL);
1085 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1086 hf_netlogon_group_rid, NULL);
1088 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1089 hf_netlogon_num_rids, NULL);
1091 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1092 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1093 "GROUP_MEMBERSHIP_ARRAY", -1);
1095 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1096 hf_netlogon_user_flags, NULL);
1098 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1101 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1102 hf_netlogon_logon_srv, 0);
1104 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1105 hf_netlogon_logon_dom, 0);
1107 offset = dissect_ndr_nt_PSID(tvb, offset,
1108 pinfo, tree, drep, -1);
1111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1112 hf_netlogon_unknown_long, NULL);
1115 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1116 hf_netlogon_num_other_groups, NULL);
1118 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1119 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1120 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1130 * IDL typedef struct {
1131 * IDL uint64 LogonTime;
1132 * IDL uint64 LogoffTime;
1133 * IDL uint64 KickOffTime;
1134 * IDL uint64 PasswdLastSet;
1135 * IDL uint64 PasswdCanChange;
1136 * IDL uint64 PasswdMustChange;
1137 * IDL unicodestring effectivename;
1138 * IDL unicodestring fullname;
1139 * IDL unicodestring logonscript;
1140 * IDL unicodestring profilepath;
1141 * IDL unicodestring homedirectory;
1142 * IDL unicodestring homedirectorydrive;
1143 * IDL short LogonCount;
1144 * IDL short BadPasswdCount;
1146 * IDL long primarygroup;
1147 * IDL long groupcount;
1148 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1149 * IDL long userflags;
1150 * IDL USER_SESSION_KEY key;
1151 * IDL unicodestring logonserver;
1152 * IDL unicodestring domainname;
1153 * IDL [unique] SID logondomainid;
1154 * IDL long expansionroom[10];
1155 * IDL long sidcount;
1156 * IDL [unique] SID_AND_ATTRIBS;
1157 * IDL [unique] SID resourcegroupdomainsid;
1158 * IDL long resourcegroupcount;
1160 * IDL } PAC_LOGON_INFO;
1163 netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
1164 packet_info *pinfo, proto_tree *tree,
1170 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1171 hf_netlogon_logon_time);
1173 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1174 hf_netlogon_logoff_time);
1176 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1177 hf_netlogon_kickoff_time);
1179 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1180 hf_netlogon_pwd_last_set_time);
1182 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1183 hf_netlogon_pwd_can_change_time);
1185 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1186 hf_netlogon_pwd_must_change_time);
1188 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1189 hf_netlogon_acct_name, 0);
1191 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1192 hf_netlogon_full_name, 0);
1194 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1195 hf_netlogon_logon_script, 0);
1197 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1198 hf_netlogon_profile_path, 0);
1200 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1201 hf_netlogon_home_dir, 0);
1203 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1204 hf_netlogon_dir_drive, 0);
1206 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1207 hf_netlogon_logon_count16, NULL);
1209 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1210 hf_netlogon_bad_pw_count16, NULL);
1212 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1213 hf_netlogon_user_rid, NULL);
1215 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1216 hf_netlogon_group_rid, NULL);
1218 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1219 hf_netlogon_num_rids, NULL);
1221 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1222 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1223 "GROUP_MEMBERSHIP_ARRAY", -1);
1225 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1226 hf_netlogon_user_flags, NULL);
1228 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1231 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1232 hf_netlogon_logon_srv, 0);
1234 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1235 hf_netlogon_logon_dom, 0);
1237 offset = dissect_ndr_nt_PSID(tvb, offset,
1238 pinfo, tree, drep, -1);
1241 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1242 hf_netlogon_unknown_long, NULL);
1245 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1246 hf_netlogon_num_other_groups, NULL);
1248 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1249 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1250 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1252 offset = dissect_ndr_nt_PSID(tvb, offset,
1253 pinfo, tree, drep, hf_netlogon_resourcegroupdomainsid);
1255 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1256 hf_netlogon_resourcegroupcount, &rgc);
1258 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1259 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1260 "ResourceGroupIDs", -1);
1268 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1269 packet_info *pinfo, proto_tree *tree,
1275 di=pinfo->private_data;
1276 if(di->conformant_run){
1277 /*just a run to handle conformant arrays, nothing to dissect */
1281 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1282 hf_netlogon_pac_size, &pac_size);
1284 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1292 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1293 packet_info *pinfo, proto_tree *tree,
1299 di=pinfo->private_data;
1300 if(di->conformant_run){
1301 /*just a run to handle conformant arrays, nothing to dissect */
1305 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1306 hf_netlogon_auth_size, &auth_size);
1308 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1310 offset += auth_size;
1317 * IDL typedef struct {
1319 * IDL [unique][size_is(pac_size)] char *pac;
1320 * IDL UNICODESTRING logondomain;
1321 * IDL UNICODESTRING logonserver;
1322 * IDL UNICODESTRING principalname;
1323 * IDL long auth_size;
1324 * IDL [unique][size_is(auth_size)] char *auth;
1325 * IDL USER_SESSION_KEY user_session_key;
1326 * IDL long expansionroom[10];
1327 * IDL UNICODESTRING dummy1;
1328 * IDL UNICODESTRING dummy2;
1329 * IDL UNICODESTRING dummy3;
1330 * IDL UNICODESTRING dummy4;
1331 * IDL } VALIDATION_PAC_INFO;
1334 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1335 packet_info *pinfo, proto_tree *tree,
1340 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1341 hf_netlogon_pac_size, NULL);
1343 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1344 netlogon_dissect_PAC, NDR_POINTER_UNIQUE, "PAC:", -1);
1346 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1347 hf_netlogon_logon_dom, 0);
1349 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1350 hf_netlogon_logon_srv, 0);
1352 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1353 hf_netlogon_principal, 0);
1355 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1356 hf_netlogon_auth_size, NULL);
1358 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1359 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE, "AUTH:", -1);
1361 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1366 hf_netlogon_unknown_long, NULL);
1369 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1370 hf_netlogon_dummy, 0);
1372 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1373 hf_netlogon_dummy, 0);
1375 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1376 hf_netlogon_dummy, 0);
1378 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1379 hf_netlogon_dummy, 0);
1386 * IDL typedef [switch_type(short)] union {
1387 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1388 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1389 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1390 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1394 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1395 packet_info *pinfo, proto_tree *tree,
1400 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1401 hf_netlogon_validation_level, &level);
1406 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1407 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1408 "VALIDATION_SAM_INFO:", -1);
1411 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1412 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1413 "VALIDATION_SAM_INFO2:", -1);
1416 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1417 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1418 "VALIDATION_PAC_INFO:", -1);
1421 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1422 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1423 "VALIDATION_PAC_INFO:", -1);
1432 * IDL long NetrLogonSamLogon(
1433 * IDL [in][unique][string] wchar_t *ServerName,
1434 * IDL [in][unique][string] wchar_t *Workstation,
1435 * IDL [in][unique] AUTHENTICATOR *credential,
1436 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1437 * IDL [in] short LogonLevel,
1438 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1439 * IDL [in] short ValidationLevel,
1440 * IDL [out][ref] VALIDATION *validation,
1441 * IDL [out][ref] boolean Authorative
1445 netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1446 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1448 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1451 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1452 NDR_POINTER_UNIQUE, "Computer Name",
1453 hf_netlogon_computer_name, 0);
1455 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1456 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1457 "AUTHENTICATOR: credential", -1);
1459 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1460 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1461 "AUTHENTICATOR: return_authenticator", -1);
1463 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1464 hf_netlogon_level16, NULL);
1466 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1467 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1468 "LEVEL: LogonLevel", -1);
1470 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1471 hf_netlogon_validation_level, NULL);
1477 netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1478 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1480 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1481 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1482 "AUTHENTICATOR: return_authenticator", -1);
1484 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1485 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1488 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1489 hf_netlogon_authoritative, NULL);
1491 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1492 hf_netlogon_rc, NULL);
1499 * IDL long NetrLogonSamLogoff(
1500 * IDL [in][unique][string] wchar_t *ServerName,
1501 * IDL [in][unique][string] wchar_t *ComputerName,
1502 * IDL [in][unique] AUTHENTICATOR credential,
1503 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1504 * IDL [in] short logon_level,
1505 * IDL [in][ref] LEVEL logoninformation
1509 netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1510 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1512 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1515 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1516 NDR_POINTER_UNIQUE, "Computer Name",
1517 hf_netlogon_computer_name, 0);
1519 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1520 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1521 "AUTHENTICATOR: credential", -1);
1523 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1524 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1525 "AUTHENTICATOR: return_authenticator", -1);
1527 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1528 hf_netlogon_level16, NULL);
1530 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1531 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1532 "LEVEL: logoninformation", -1);
1537 netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1538 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1541 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1542 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1543 "AUTHENTICATOR: return_authenticator", -1);
1545 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1546 hf_netlogon_rc, NULL);
1553 * IDL long NetrServerReqChallenge(
1554 * IDL [in][unique][string] wchar_t *ServerName,
1555 * IDL [in][ref][string] wchar_t *ComputerName,
1556 * IDL [in][ref] CREDENTIAL client_credential,
1557 * IDL [out][ref] CREDENTIAL server_credential
1561 netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1562 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1564 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1567 offset = dissect_ndr_pointer_cb(
1568 tvb, offset, pinfo, tree, drep,
1569 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
1570 "Computer Name", hf_netlogon_computer_name,
1571 cb_wstr_postprocess,
1572 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
1574 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1575 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1576 "CREDENTIAL: client challenge", -1);
1581 netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1582 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1584 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1585 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1586 "CREDENTIAL: server credential", -1);
1588 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1589 hf_netlogon_rc, NULL);
1596 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1597 packet_info *pinfo, proto_tree *tree,
1600 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1601 hf_netlogon_secure_channel_type, NULL);
1608 * IDL long NetrServerAuthenticate(
1609 * IDL [in][unique][string] wchar_t *ServerName,
1610 * IDL [in][ref][string] wchar_t *UserName,
1611 * IDL [in] short secure_challenge_type,
1612 * IDL [in][ref][string] wchar_t *ComputerName,
1613 * IDL [in][ref] CREDENTIAL client_challenge,
1614 * IDL [out][ref] CREDENTIAL server_challenge
1618 netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1619 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1621 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1624 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1625 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1627 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1630 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1631 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1633 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1634 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1635 "CREDENTIAL: client challenge", -1);
1640 netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
1641 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1643 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1644 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1645 "CREDENTIAL: server challenge", -1);
1647 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1648 hf_netlogon_rc, NULL);
1656 * IDL typedef struct {
1657 * IDL char encrypted_password[16];
1658 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
1661 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1662 packet_info *pinfo, proto_tree *tree,
1667 di=pinfo->private_data;
1668 if(di->conformant_run){
1669 /*just a run to handle conformant arrays, nothing to dissect.*/
1673 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1681 * IDL long NetrServerPasswordSet(
1682 * IDL [in][unique][string] wchar_t *ServerName,
1683 * IDL [in][ref][string] wchar_t *UserName,
1684 * IDL [in] short secure_challenge_type,
1685 * IDL [in][ref][string] wchar_t *ComputerName,
1686 * IDL [in][ref] AUTHENTICATOR credential,
1687 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1688 * IDL [out][ref] AUTHENTICATOR return_authenticator
1692 netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1693 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1695 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1698 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1699 NDR_POINTER_REF, "User Name", hf_netlogon_acct_name, 0);
1701 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1704 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1705 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
1707 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1708 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1709 "AUTHENTICATOR: credential", -1);
1711 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1712 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1713 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
1718 netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
1719 packet_info *pinfo, proto_tree *tree, guint8 *drep)
1721 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1722 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1723 "AUTHENTICATOR: return_authenticator", -1);
1725 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1726 hf_netlogon_rc, NULL);
1733 * IDL typedef struct {
1734 * IDL [unique][string] wchar_t *UserName;
1735 * IDL UNICODESTRING dummy1;
1736 * IDL UNICODESTRING dummy2;
1737 * IDL UNICODESTRING dummy3;
1738 * IDL UNICODESTRING dummy4;
1743 * IDL } DELTA_DELETE_USER;
1746 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1747 packet_info *pinfo, proto_tree *tree,
1750 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
1751 NDR_POINTER_UNIQUE, "Account Name", hf_netlogon_acct_name, 0);
1753 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1754 hf_netlogon_dummy, 0);
1756 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1757 hf_netlogon_dummy, 0);
1759 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1760 hf_netlogon_dummy, 0);
1762 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1763 hf_netlogon_dummy, 0);
1765 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1766 hf_netlogon_reserved, NULL);
1768 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1769 hf_netlogon_reserved, NULL);
1771 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1772 hf_netlogon_reserved, NULL);
1774 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1775 hf_netlogon_reserved, NULL);
1782 * IDL typedef struct {
1783 * IDL bool SensitiveDataFlag;
1784 * IDL long DataLength;
1785 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1786 * IDL } USER_PRIVATE_INFO;
1789 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1790 packet_info *pinfo, proto_tree *tree,
1796 di=pinfo->private_data;
1797 if(di->conformant_run){
1798 /*just a run to handle conformant arrays, nothing to dissect */
1802 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1803 hf_netlogon_sensitive_data_len, &data_len);
1805 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
1812 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1813 packet_info *pinfo, proto_tree *tree,
1816 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1817 hf_netlogon_sensitive_data_flag, NULL);
1819 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1820 hf_netlogon_sensitive_data_len, NULL);
1822 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1823 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1824 "SENSITIVE_DATA", -1);
1830 * IDL typedef struct {
1831 * IDL UNICODESTRING UserName;
1832 * IDL UNICODESTRING FullName;
1834 * IDL long PrimaryGroupID;
1835 * IDL UNICODESTRING HomeDir;
1836 * IDL UNICODESTRING HomeDirDrive;
1837 * IDL UNICODESTRING LogonScript;
1838 * IDL UNICODESTRING Comment;
1839 * IDL UNICODESTRING Workstations;
1840 * IDL NTTIME LastLogon;
1841 * IDL NTTIME LastLogoff;
1842 * IDL LOGON_HOURS logonhours;
1843 * IDL short BadPwCount;
1844 * IDL short LogonCount;
1845 * IDL NTTIME PwLastSet;
1846 * IDL NTTIME AccountExpires;
1847 * IDL long AccountControl;
1848 * IDL LM_OWF_PASSWORD lmpw;
1849 * IDL NT_OWF_PASSWORD ntpw;
1850 * IDL bool NTPwPresent;
1851 * IDL bool LMPwPresent;
1852 * IDL bool PwExpired;
1853 * IDL UNICODESTRING UserComment;
1854 * IDL UNICODESTRING Parameters;
1855 * IDL short CountryCode;
1856 * IDL short CodePage;
1857 * IDL USER_PRIVATE_INFO user_private_info;
1858 * IDL long SecurityInformation;
1859 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1860 * IDL UNICODESTRING dummy1;
1861 * IDL UNICODESTRING dummy2;
1862 * IDL UNICODESTRING dummy3;
1863 * IDL UNICODESTRING dummy4;
1871 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1872 packet_info *pinfo, proto_tree *tree,
1875 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1876 hf_netlogon_acct_name, 3);
1878 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1879 hf_netlogon_full_name, 0);
1881 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1882 hf_netlogon_user_rid, NULL);
1884 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1885 hf_netlogon_group_rid, NULL);
1887 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1888 hf_netlogon_home_dir, 0);
1890 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1891 hf_netlogon_dir_drive, 0);
1893 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1894 hf_netlogon_logon_script, 0);
1896 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1897 hf_netlogon_acct_desc, 0);
1899 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1900 hf_netlogon_workstations, 0);
1902 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1903 hf_netlogon_logon_time);
1905 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1906 hf_netlogon_logoff_time);
1908 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1910 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1911 hf_netlogon_bad_pw_count16, NULL);
1913 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1914 hf_netlogon_logon_count16, NULL);
1916 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1917 hf_netlogon_pwd_last_set_time);
1919 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1920 hf_netlogon_acct_expiry_time);
1922 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
1924 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1927 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1930 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1931 hf_netlogon_nt_pwd_present, NULL);
1933 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1934 hf_netlogon_lm_pwd_present, NULL);
1936 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1937 hf_netlogon_pwd_expired, NULL);
1939 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1940 hf_netlogon_comment, 0);
1942 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1943 hf_netlogon_parameters, 0);
1945 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1946 hf_netlogon_country, NULL);
1948 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1949 hf_netlogon_codepage, NULL);
1951 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1954 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1955 hf_netlogon_security_information, NULL);
1957 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1960 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1961 hf_netlogon_dummy, 0);
1963 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1964 hf_netlogon_dummy, 0);
1966 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1967 hf_netlogon_dummy, 0);
1969 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
1970 hf_netlogon_dummy, 0);
1972 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1973 hf_netlogon_reserved, NULL);
1975 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1976 hf_netlogon_reserved, NULL);
1978 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1979 hf_netlogon_reserved, NULL);
1981 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1982 hf_netlogon_reserved, NULL);
1989 * IDL typedef struct {
1990 * IDL UNICODESTRING DomainName;
1991 * IDL UNICODESTRING OEMInfo;
1992 * IDL NTTIME forcedlogoff;
1993 * IDL short minpasswdlen;
1994 * IDL short passwdhistorylen;
1995 * IDL NTTIME pwd_must_change_time;
1996 * IDL NTTIME pwd_can_change_time;
1997 * IDL NTTIME domain_modify_time;
1998 * IDL NTTIME domain_create_time;
1999 * IDL long SecurityInformation;
2000 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2001 * IDL UNICODESTRING dummy1;
2002 * IDL UNICODESTRING dummy2;
2003 * IDL UNICODESTRING dummy3;
2004 * IDL UNICODESTRING dummy4;
2009 * IDL } DELTA_DOMAIN;
2012 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
2013 packet_info *pinfo, proto_tree *tree,
2016 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2017 hf_netlogon_domain_name, 3);
2019 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2020 hf_netlogon_oem_info, 0);
2022 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2023 hf_netlogon_kickoff_time);
2025 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2026 hf_netlogon_minpasswdlen, NULL);
2028 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2029 hf_netlogon_passwdhistorylen, NULL);
2031 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2032 hf_netlogon_pwd_must_change_time);
2034 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2035 hf_netlogon_pwd_can_change_time);
2037 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2038 hf_netlogon_domain_modify_time);
2040 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2041 hf_netlogon_domain_create_time);
2043 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2044 hf_netlogon_security_information, NULL);
2046 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2049 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2050 hf_netlogon_dummy, 0);
2052 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2053 hf_netlogon_dummy, 0);
2055 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2056 hf_netlogon_dummy, 0);
2058 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2059 hf_netlogon_dummy, 0);
2061 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2062 hf_netlogon_reserved, NULL);
2064 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2065 hf_netlogon_reserved, NULL);
2067 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2068 hf_netlogon_reserved, NULL);
2070 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2071 hf_netlogon_reserved, NULL);
2078 * IDL typedef struct {
2079 * IDL UNICODESTRING groupname;
2080 * IDL GROUP_MEMBERSHIP group_membership;
2081 * IDL UNICODESTRING comment;
2082 * IDL long SecurityInformation;
2083 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2084 * IDL UNICODESTRING dummy1;
2085 * IDL UNICODESTRING dummy2;
2086 * IDL UNICODESTRING dummy3;
2087 * IDL UNICODESTRING dummy4;
2092 * IDL } DELTA_GROUP;
2095 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
2096 packet_info *pinfo, proto_tree *tree,
2099 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2100 hf_netlogon_group_name, 3);
2102 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
2105 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2106 hf_netlogon_group_desc, 0);
2108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2109 hf_netlogon_security_information, NULL);
2111 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2114 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2115 hf_netlogon_dummy, 0);
2117 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2118 hf_netlogon_dummy, 0);
2120 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2121 hf_netlogon_dummy, 0);
2123 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2124 hf_netlogon_dummy, 0);
2126 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2127 hf_netlogon_reserved, NULL);
2129 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2130 hf_netlogon_reserved, NULL);
2132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2133 hf_netlogon_reserved, NULL);
2135 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2136 hf_netlogon_reserved, NULL);
2143 * IDL typedef struct {
2144 * IDL UNICODESTRING OldName;
2145 * IDL UNICODESTRING NewName;
2146 * IDL UNICODESTRING dummy1;
2147 * IDL UNICODESTRING dummy2;
2148 * IDL UNICODESTRING dummy3;
2149 * IDL UNICODESTRING dummy4;
2154 * IDL } DELTA_RENAME;
2157 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
2158 packet_info *pinfo, proto_tree *tree,
2163 di=pinfo->private_data;
2165 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2168 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2171 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2172 hf_netlogon_dummy, 0);
2174 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2175 hf_netlogon_dummy, 0);
2177 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2178 hf_netlogon_dummy, 0);
2180 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2181 hf_netlogon_dummy, 0);
2183 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2184 hf_netlogon_reserved, NULL);
2186 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2187 hf_netlogon_reserved, NULL);
2189 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2190 hf_netlogon_reserved, NULL);
2192 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2193 hf_netlogon_reserved, NULL);
2200 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
2201 packet_info *pinfo, proto_tree *tree,
2204 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2205 hf_netlogon_user_rid, NULL);
2211 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2212 packet_info *pinfo, proto_tree *tree,
2215 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2216 netlogon_dissect_RID);
2222 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2223 packet_info *pinfo, proto_tree *tree,
2226 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2227 hf_netlogon_attrs, NULL);
2233 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2234 packet_info *pinfo, proto_tree *tree,
2237 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2238 netlogon_dissect_ATTRIB);
2244 * IDL typedef struct {
2245 * IDL [unique][size_is(num_rids)] long *rids;
2246 * IDL [unique][size_is(num_rids)] long *attribs;
2247 * IDL long num_rids;
2252 * IDL } DELTA_GROUP_MEMBER;
2255 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2256 packet_info *pinfo, proto_tree *tree,
2259 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2260 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2263 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2264 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2267 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2268 hf_netlogon_num_rids, NULL);
2270 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2271 hf_netlogon_reserved, NULL);
2273 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2274 hf_netlogon_reserved, NULL);
2276 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2277 hf_netlogon_reserved, NULL);
2279 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2280 hf_netlogon_reserved, NULL);
2287 * IDL typedef struct {
2288 * IDL UNICODESTRING alias_name;
2290 * IDL long SecurityInformation;
2291 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2292 * IDL UNICODESTRING dummy1;
2293 * IDL UNICODESTRING dummy2;
2294 * IDL UNICODESTRING dummy3;
2295 * IDL UNICODESTRING dummy4;
2300 * IDL } DELTA_ALIAS;
2303 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2304 packet_info *pinfo, proto_tree *tree,
2307 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2308 hf_netlogon_alias_name, 0);
2310 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2311 hf_netlogon_alias_rid, NULL);
2313 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2314 hf_netlogon_security_information, NULL);
2316 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2319 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2320 hf_netlogon_dummy, 0);
2322 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2323 hf_netlogon_dummy, 0);
2325 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2326 hf_netlogon_dummy, 0);
2328 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2329 hf_netlogon_dummy, 0);
2331 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2332 hf_netlogon_reserved, NULL);
2334 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2335 hf_netlogon_reserved, NULL);
2337 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2338 hf_netlogon_reserved, NULL);
2340 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2341 hf_netlogon_reserved, NULL);
2348 * IDL typedef struct {
2349 * IDL [unique] SID_ARRAY sids;
2354 * IDL } DELTA_ALIAS_MEMBER;
2357 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2358 packet_info *pinfo, proto_tree *tree,
2361 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2363 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2364 hf_netlogon_reserved, NULL);
2366 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2367 hf_netlogon_reserved, NULL);
2369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2370 hf_netlogon_reserved, NULL);
2372 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2373 hf_netlogon_reserved, NULL);
2380 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2381 packet_info *pinfo, proto_tree *tree,
2384 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2385 hf_netlogon_event_audit_option, NULL);
2391 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2392 packet_info *pinfo, proto_tree *tree,
2395 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2396 netlogon_dissect_EVENT_AUDIT_OPTION);
2403 * IDL typedef struct {
2404 * IDL long pagedpoollimit;
2405 * IDL long nonpagedpoollimit;
2406 * IDL long minimumworkingsetsize;
2407 * IDL long maximumworkingsetsize;
2408 * IDL long pagefilelimit;
2409 * IDL NTTIME timelimit;
2410 * IDL } QUOTA_LIMITS;
2413 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2414 packet_info *pinfo, proto_tree *parent_tree,
2417 proto_item *item=NULL;
2418 proto_tree *tree=NULL;
2419 int old_offset=offset;
2422 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2424 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2427 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2428 hf_netlogon_pagedpoollimit, NULL);
2430 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2431 hf_netlogon_nonpagedpoollimit, NULL);
2433 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2434 hf_netlogon_minworkingsetsize, NULL);
2436 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2437 hf_netlogon_maxworkingsetsize, NULL);
2439 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2440 hf_netlogon_pagefilelimit, NULL);
2442 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2443 hf_netlogon_timelimit);
2445 proto_item_set_len(item, offset-old_offset);
2451 * IDL typedef struct {
2452 * IDL long maxlogsize;
2453 * IDL NTTIME auditretentionperiod;
2454 * IDL bool auditingmode;
2455 * IDL long maxauditeventcount;
2456 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2457 * IDL UNICODESTRING primarydomainname;
2458 * IDL [unique] SID *sid;
2459 * IDL QUOTA_LIMITS quota_limits;
2460 * IDL NTTIME db_modify_time;
2461 * IDL NTTIME db_create_time;
2462 * IDL long SecurityInformation;
2463 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2464 * IDL UNICODESTRING dummy1;
2465 * IDL UNICODESTRING dummy2;
2466 * IDL UNICODESTRING dummy3;
2467 * IDL UNICODESTRING dummy4;
2472 * IDL } DELTA_POLICY;
2475 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2476 packet_info *pinfo, proto_tree *tree,
2479 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2480 hf_netlogon_max_log_size, NULL);
2482 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2483 hf_netlogon_audit_retention_period);
2485 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2486 hf_netlogon_auditing_mode, NULL);
2488 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2489 hf_netlogon_max_audit_event_count, NULL);
2491 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2492 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2493 "Event Audit Options:", -1);
2495 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2496 hf_netlogon_domain_name, 0);
2498 offset = dissect_ndr_nt_PSID(tvb, offset,
2499 pinfo, tree, drep, -1);
2501 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2504 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2505 hf_netlogon_db_modify_time);
2507 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2508 hf_netlogon_db_create_time);
2510 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2511 hf_netlogon_security_information, NULL);
2513 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2516 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2517 hf_netlogon_dummy, 0);
2519 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2520 hf_netlogon_dummy, 0);
2522 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2523 hf_netlogon_dummy, 0);
2525 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2526 hf_netlogon_dummy, 0);
2528 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2529 hf_netlogon_reserved, NULL);
2531 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2532 hf_netlogon_reserved, NULL);
2534 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2535 hf_netlogon_reserved, NULL);
2537 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2538 hf_netlogon_reserved, NULL);
2545 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2546 packet_info *pinfo, proto_tree *tree,
2549 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2550 hf_netlogon_dc_name, 0);
2556 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2557 packet_info *pinfo, proto_tree *tree,
2560 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2561 netlogon_dissect_CONTROLLER);
2568 * IDL typedef struct {
2569 * IDL UNICODESTRING DomainName;
2570 * IDL long num_controllers;
2571 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2572 * IDL long SecurityInformation;
2573 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2574 * IDL UNICODESTRING dummy1;
2575 * IDL UNICODESTRING dummy2;
2576 * IDL UNICODESTRING dummy3;
2577 * IDL UNICODESTRING dummy4;
2582 * IDL } DELTA_TRUSTED_DOMAINS;
2585 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2586 packet_info *pinfo, proto_tree *tree,
2589 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2590 hf_netlogon_domain_name, 0);
2592 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2593 hf_netlogon_num_controllers, NULL);
2595 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2596 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2597 "Domain Controllers:", -1);
2599 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2600 hf_netlogon_security_information, NULL);
2602 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2605 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2606 hf_netlogon_dummy, 0);
2608 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2609 hf_netlogon_dummy, 0);
2611 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2612 hf_netlogon_dummy, 0);
2614 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2615 hf_netlogon_dummy, 0);
2617 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2618 hf_netlogon_reserved, NULL);
2620 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2621 hf_netlogon_reserved, NULL);
2623 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2624 hf_netlogon_reserved, NULL);
2626 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2627 hf_netlogon_reserved, NULL);
2634 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2635 packet_info *pinfo, proto_tree *tree,
2638 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2639 hf_netlogon_attrs, NULL);
2645 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2646 packet_info *pinfo, proto_tree *tree,
2649 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2650 netlogon_dissect_PRIV_ATTR);
2656 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2657 packet_info *pinfo, proto_tree *tree,
2660 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2661 hf_netlogon_privilege_name, 1);
2667 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2668 packet_info *pinfo, proto_tree *tree,
2671 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2672 netlogon_dissect_PRIV_NAME);
2680 * IDL typedef struct {
2681 * IDL long privilegeentries;
2682 * IDL long provolegecontrol;
2683 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2684 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2685 * IDL QUOTALIMITS quotalimits;
2686 * IDL long SecurityInformation;
2687 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2688 * IDL UNICODESTRING dummy1;
2689 * IDL UNICODESTRING dummy2;
2690 * IDL UNICODESTRING dummy3;
2691 * IDL UNICODESTRING dummy4;
2696 * IDL } DELTA_ACCOUNTS;
2699 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2700 packet_info *pinfo, proto_tree *tree,
2703 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2704 hf_netlogon_privilege_entries, NULL);
2706 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2707 hf_netlogon_privilege_control, NULL);
2709 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2710 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2711 "PRIV_ATTR_ARRAY:", -1);
2713 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2714 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2715 "PRIV_NAME_ARRAY:", -1);
2717 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2720 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2721 hf_netlogon_systemflags, NULL);
2723 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2724 hf_netlogon_security_information, NULL);
2726 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2729 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2730 hf_netlogon_dummy, 0);
2732 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2733 hf_netlogon_dummy, 0);
2735 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2736 hf_netlogon_dummy, 0);
2738 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2739 hf_netlogon_dummy, 0);
2741 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2742 hf_netlogon_reserved, NULL);
2744 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2745 hf_netlogon_reserved, NULL);
2747 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2748 hf_netlogon_reserved, NULL);
2750 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2751 hf_netlogon_reserved, NULL);
2757 * IDL typedef struct {
2760 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2761 * IDL } CIPHER_VALUE;
2764 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2765 packet_info *pinfo, proto_tree *tree,
2771 di=pinfo->private_data;
2772 if(di->conformant_run){
2773 /*just a run to handle conformant arrays, nothing to dissect */
2777 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2778 hf_netlogon_cipher_maxlen, NULL);
2783 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2784 hf_netlogon_cipher_len, &data_len);
2786 proto_tree_add_item(tree, di->hf_index, tvb, offset,
2793 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2794 packet_info *pinfo, proto_tree *parent_tree,
2795 guint8 *drep, char *name, int hf_index)
2797 proto_item *item=NULL;
2798 proto_tree *tree=NULL;
2799 int old_offset=offset;
2802 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2804 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2807 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2808 hf_netlogon_cipher_len, NULL);
2810 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2811 hf_netlogon_cipher_maxlen, NULL);
2813 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2814 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
2817 proto_item_set_len(item, offset-old_offset);
2822 * IDL typedef struct {
2823 * IDL CIPHER_VALUE current_cipher;
2824 * IDL NTTIME current_cipher_set_time;
2825 * IDL CIPHER_VALUE old_cipher;
2826 * IDL NTTIME old_cipher_set_time;
2827 * IDL long SecurityInformation;
2828 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2829 * IDL UNICODESTRING dummy1;
2830 * IDL UNICODESTRING dummy2;
2831 * IDL UNICODESTRING dummy3;
2832 * IDL UNICODESTRING dummy4;
2837 * IDL } DELTA_SECRET;
2840 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2841 packet_info *pinfo, proto_tree *tree,
2844 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2846 "CIPHER_VALUE: current cipher value",
2847 hf_netlogon_cipher_current_data);
2849 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2850 hf_netlogon_cipher_current_set_time);
2852 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2854 "CIPHER_VALUE: old cipher value",
2855 hf_netlogon_cipher_old_data);
2857 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2858 hf_netlogon_cipher_old_set_time);
2860 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2861 hf_netlogon_security_information, NULL);
2863 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2866 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2867 hf_netlogon_dummy, 0);
2869 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2870 hf_netlogon_dummy, 0);
2872 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2873 hf_netlogon_dummy, 0);
2875 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
2876 hf_netlogon_dummy, 0);
2878 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2879 hf_netlogon_reserved, NULL);
2881 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2882 hf_netlogon_reserved, NULL);
2884 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2885 hf_netlogon_reserved, NULL);
2887 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2888 hf_netlogon_reserved, NULL);
2894 * IDL typedef struct {
2895 * IDL long low_value;
2896 * IDL long high_value;
2900 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2901 packet_info *pinfo, proto_tree *tree,
2904 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2905 hf_netlogon_modify_count, NULL);
2911 #define DT_DELTA_DOMAIN 1
2912 #define DT_DELTA_GROUP 2
2913 #define DT_DELTA_RENAME_GROUP 4
2914 #define DT_DELTA_USER 5
2915 #define DT_DELTA_RENAME_USER 7
2916 #define DT_DELTA_GROUP_MEMBER 8
2917 #define DT_DELTA_ALIAS 9
2918 #define DT_DELTA_RENAME_ALIAS 11
2919 #define DT_DELTA_ALIAS_MEMBER 12
2920 #define DT_DELTA_POLICY 13
2921 #define DT_DELTA_TRUSTED_DOMAINS 14
2922 #define DT_DELTA_ACCOUNTS 16
2923 #define DT_DELTA_SECRET 18
2924 #define DT_DELTA_DELETE_GROUP 20
2925 #define DT_DELTA_DELETE_USER 21
2926 #define DT_MODIFIED_COUNT 22
2927 static const value_string delta_type_vals[] = {
2928 { DT_DELTA_DOMAIN, "Domain" },
2929 { DT_DELTA_GROUP, "Group" },
2930 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2931 { DT_DELTA_USER, "User" },
2932 { DT_DELTA_RENAME_USER, "Rename User" },
2933 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2934 { DT_DELTA_ALIAS, "Alias" },
2935 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2936 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2937 { DT_DELTA_POLICY, "Policy" },
2938 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2939 { DT_DELTA_ACCOUNTS, "Accounts" },
2940 { DT_DELTA_SECRET, "Secret" },
2941 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2942 { DT_DELTA_DELETE_USER, "Delete User" },
2943 { DT_MODIFIED_COUNT, "Modified Count" },
2947 * IDL typedef [switch_type(short)] union {
2948 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2949 * IDL [case(2)][unique] DELTA_GROUP *group;
2950 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2951 * IDL [case(5)][unique] DELTA_USER *user;
2952 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2953 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2954 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2955 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2956 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2957 * IDL [case(13)][unique] DELTA_POLICY *policy;
2958 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2959 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2960 * IDL [case(18)][unique] DELTA_SECRET *secret;
2961 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2962 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2963 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2964 * IDL } DELTA_UNION;
2967 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2968 packet_info *pinfo, proto_tree *parent_tree,
2971 proto_item *item=NULL;
2972 proto_tree *tree=NULL;
2973 int old_offset=offset;
2977 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2979 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2982 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2983 hf_netlogon_delta_type, &level);
2988 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2989 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2990 "DELTA_DOMAIN:", -1);
2993 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2994 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2995 "DELTA_GROUP:", -1);
2998 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2999 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3000 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
3003 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3004 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
3008 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3009 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3010 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
3013 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3014 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
3015 "DELTA_GROUP_MEMBER:", -1);
3018 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3019 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
3020 "DELTA_ALIAS:", -1);
3023 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3024 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
3025 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
3028 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3029 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
3030 "DELTA_ALIAS_MEMBER:", -1);
3033 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3034 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
3035 "DELTA_POLICY:", -1);
3038 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3039 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
3040 "DELTA_TRUSTED_DOMAINS:", -1);
3043 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3044 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
3045 "DELTA_ACCOUNTS:", -1);
3048 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3049 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
3050 "DELTA_SECRET:", -1);
3053 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3054 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3055 "DELTA_DELETE_GROUP:", -1);
3058 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3059 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
3060 "DELTA_DELETE_USER:", -1);
3063 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3064 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
3065 "MODIFIED_COUNT:", -1);
3069 proto_item_set_len(item, offset-old_offset);
3075 /* IDL XXX must verify this one, especially 13-19
3076 * IDL typedef [switch_type(short)] union {
3077 * IDL [case(1)] long rid;
3078 * IDL [case(2)] long rid;
3079 * IDL [case(3)] long rid;
3080 * IDL [case(4)] long rid;
3081 * IDL [case(5)] long rid;
3082 * IDL [case(6)] long rid;
3083 * IDL [case(7)] long rid;
3084 * IDL [case(8)] long rid;
3085 * IDL [case(9)] long rid;
3086 * IDL [case(10)] long rid;
3087 * IDL [case(11)] long rid;
3088 * IDL [case(12)] long rid;
3089 * IDL [case(13)] [unique] SID *sid;
3090 * IDL [case(14)] [unique] SID *sid;
3091 * IDL [case(15)] [unique] SID *sid;
3092 * IDL [case(16)] [unique] SID *sid;
3093 * IDL [case(17)] [unique] SID *sid;
3094 * IDL [case(18)] [unique][string] wchar_t *Name ;
3095 * IDL [case(19)] [unique][string] wchar_t *Name ;
3096 * IDL [case(20)] long rid;
3097 * IDL [case(21)] long rid;
3098 * IDL } DELTA_ID_UNION;
3101 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
3102 packet_info *pinfo, proto_tree *parent_tree,
3105 proto_item *item=NULL;
3106 proto_tree *tree=NULL;
3107 int old_offset=offset;
3111 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3113 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
3116 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3117 hf_netlogon_delta_type, &level);
3122 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3123 hf_netlogon_group_rid, NULL);
3126 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3127 hf_netlogon_user_rid, NULL);
3130 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3131 hf_netlogon_user_rid, NULL);
3134 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3135 hf_netlogon_user_rid, NULL);
3138 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3139 hf_netlogon_user_rid, NULL);
3142 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3143 hf_netlogon_user_rid, NULL);
3146 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3147 hf_netlogon_user_rid, NULL);
3150 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3151 hf_netlogon_user_rid, NULL);
3154 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3155 hf_netlogon_user_rid, NULL);
3158 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3159 hf_netlogon_user_rid, NULL);
3162 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3163 hf_netlogon_user_rid, NULL);
3166 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3167 hf_netlogon_user_rid, NULL);
3170 offset = dissect_ndr_nt_PSID(tvb, offset,
3171 pinfo, tree, drep, -1);
3174 offset = dissect_ndr_nt_PSID(tvb, offset,
3175 pinfo, tree, drep, -1);
3178 offset = dissect_ndr_nt_PSID(tvb, offset,
3179 pinfo, tree, drep, -1);
3182 offset = dissect_ndr_nt_PSID(tvb, offset,
3183 pinfo, tree, drep, -1);
3186 offset = dissect_ndr_nt_PSID(tvb, offset,
3187 pinfo, tree, drep, -1);
3190 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3191 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3192 hf_netlogon_unknown_string, 0);
3195 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3196 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3197 hf_netlogon_unknown_string, 0);
3200 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3201 hf_netlogon_user_rid, NULL);
3204 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3205 hf_netlogon_user_rid, NULL);
3209 proto_item_set_len(item, offset-old_offset);
3214 * IDL typedef struct {
3215 * IDL short delta_type;
3216 * IDL DELTA_ID_UNION delta_id_union;
3217 * IDL DELTA_UNION delta_union;
3221 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3222 packet_info *pinfo, proto_tree *parent_tree,
3225 proto_item *item=NULL;
3226 proto_tree *tree=NULL;
3227 int old_offset=offset;
3231 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3233 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3236 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3237 hf_netlogon_delta_type, &type);
3239 proto_item_append_text(item, val_to_str(
3240 type, delta_type_vals, "Unknown"));
3242 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3245 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3248 proto_item_set_len(item, offset-old_offset);
3253 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3254 packet_info *pinfo, proto_tree *tree,
3257 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3258 netlogon_dissect_DELTA_ENUM);
3264 * IDL typedef struct {
3265 * IDL long num_deltas;
3266 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3267 * IDL } DELTA_ENUM_ARRAY;
3270 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3271 packet_info *pinfo, proto_tree *tree,
3274 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3275 hf_netlogon_num_deltas, NULL);
3277 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3278 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3279 "DELTA_ENUM: deltas", -1);
3286 * IDL long NetrDatabaseDeltas(
3287 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3288 * IDL [in][string][ref] wchar_t *computername,
3289 * IDL [in][ref] AUTHENTICATOR credential,
3290 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3291 * IDL [in] long database_id,
3292 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3293 * IDL [in] long preferredmaximumlength,
3294 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3298 netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
3299 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3301 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3302 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3304 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3305 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3307 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3308 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3309 "AUTHENTICATOR: credential", -1);
3311 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3312 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3313 "AUTHENTICATOR: return_authenticator", -1);
3315 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3316 hf_netlogon_database_id, NULL);
3318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3319 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3320 "MODIFIED_COUNT: domain modified count", -1);
3322 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3323 hf_netlogon_max_size, NULL);
3328 netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
3329 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3331 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3332 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3333 "AUTHENTICATOR: return_authenticator", -1);
3335 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3336 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3337 "MODIFIED_COUNT: domain modified count", -1);
3339 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3340 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3341 "DELTA_ENUM_ARRAY: deltas", -1);
3343 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3344 hf_netlogon_rc, NULL);
3351 * IDL long NetrDatabaseSync(
3352 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3353 * IDL [in][string][ref] wchar_t *computername,
3354 * IDL [in][ref] AUTHENTICATOR credential,
3355 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3356 * IDL [in] long database_id,
3357 * IDL [in][out][ref] long sync_context,
3358 * IDL [in] long preferredmaximumlength,
3359 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
3363 netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
3364 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3366 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3367 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3369 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3370 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3373 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3374 "AUTHENTICATOR: credential", -1);
3376 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3377 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3378 "AUTHENTICATOR: return_authenticator", -1);
3380 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3381 hf_netlogon_database_id, NULL);
3383 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3384 hf_netlogon_sync_context, NULL);
3386 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3387 hf_netlogon_max_size, NULL);
3394 netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
3395 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3397 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3398 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3399 "AUTHENTICATOR: return_authenticator", -1);
3401 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3402 hf_netlogon_sync_context, NULL);
3404 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3405 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3406 "DELTA_ENUM_ARRAY: deltas", -1);
3408 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3409 hf_netlogon_rc, NULL);
3415 * IDL typedef struct {
3416 * IDL char computer_name[16];
3417 * IDL long timecreated;
3418 * IDL long serial_number;
3422 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3423 packet_info *pinfo, proto_tree *tree,
3428 di=pinfo->private_data;
3429 if(di->conformant_run){
3430 /*just a run to handle conformant arrays, nothing to dissect */
3434 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3437 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3440 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3441 hf_netlogon_serial_number, NULL);
3448 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3449 packet_info *pinfo, proto_tree *tree,
3452 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3453 hf_netlogon_unknown_char, NULL);
3459 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3460 packet_info *pinfo, proto_tree *tree,
3463 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3464 netlogon_dissect_BYTE_byte);
3470 * IDL long NetrAccountDeltas(
3471 * IDL [in][string][unique] wchar_t *logonserver,
3472 * IDL [in][string][ref] wchar_t *computername,
3473 * IDL [in][ref] AUTHENTICATOR credential,
3474 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3475 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3476 * IDL [out][ref] long count_returned,
3477 * IDL [out][ref] long total_entries,
3478 * IDL [in][out][ref] UAS_INFO_0 recordid,
3479 * IDL [in][long] count,
3480 * IDL [in][long] level,
3481 * IDL [in][long] buffersize,
3485 netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
3486 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3488 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3491 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3492 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3494 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3495 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3496 "AUTHENTICATOR: credential", -1);
3498 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3499 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3500 "AUTHENTICATOR: return_authenticator", -1);
3502 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3503 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3504 "UAS_INFO_0: RecordID", -1);
3506 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3507 hf_netlogon_count, NULL);
3509 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3510 hf_netlogon_level, NULL);
3512 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3513 hf_netlogon_max_size, NULL);
3518 netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
3519 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3521 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3522 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3523 "AUTHENTICATOR: return_authenticator", -1);
3525 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3526 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3527 "BYTE_array: Buffer", -1);
3529 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3530 hf_netlogon_count, NULL);
3532 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3533 hf_netlogon_entries, NULL);
3535 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3536 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3537 "UAS_INFO_0: RecordID", -1);
3539 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3540 hf_netlogon_rc, NULL);
3547 * IDL long NetrAccountSync(
3548 * IDL [in][string][unique] wchar_t *logonserver,
3549 * IDL [in][string][ref] wchar_t *computername,
3550 * IDL [in][ref] AUTHENTICATOR credential,
3551 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3552 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3553 * IDL [out][ref] long count_returned,
3554 * IDL [out][ref] long total_entries,
3555 * IDL [out][ref] long next_reference,
3556 * IDL [in][long] reference,
3557 * IDL [in][long] level,
3558 * IDL [in][long] buffersize,
3559 * IDL [in][out][ref] UAS_INFO_0 recordid,
3563 netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
3564 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3566 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3569 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3570 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3572 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3573 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3574 "AUTHENTICATOR: credential", -1);
3576 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3577 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3578 "AUTHENTICATOR: return_authenticator", -1);
3580 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3581 hf_netlogon_reference, NULL);
3583 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3584 hf_netlogon_level, NULL);
3586 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3587 hf_netlogon_max_size, NULL);
3592 netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
3593 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3595 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3596 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3597 "AUTHENTICATOR: return_authenticator", -1);
3599 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3600 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3601 "BYTE_array: Buffer", -1);
3603 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3604 hf_netlogon_count, NULL);
3606 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3607 hf_netlogon_entries, NULL);
3609 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3610 hf_netlogon_next_reference, NULL);
3612 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3613 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3614 "UAS_INFO_0: RecordID", -1);
3616 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3617 hf_netlogon_rc, NULL);
3624 * IDL long NetrGetDcName(
3625 * IDL [in][ref][string] wchar_t *logon_server,
3626 * IDL [in][unique][string] wchar_t *domainname,
3627 * IDL [out][unique][string] wchar_t *dcname,
3631 netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
3632 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3634 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3635 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
3637 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3638 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3643 netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
3644 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3646 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3647 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3649 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3650 hf_netlogon_rc, NULL);
3658 * IDL typedef struct {
3660 * IDL long pdc_connection_status;
3661 * IDL } NETLOGON_INFO_1;
3664 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3665 packet_info *pinfo, proto_tree *tree,
3668 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3669 hf_netlogon_flags, NULL);
3671 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3672 hf_netlogon_pdc_connection_status, NULL);
3679 * IDL typedef struct {
3681 * IDL long pdc_connection_status;
3682 * IDL [unique][string] wchar_t trusted_dc_name;
3683 * IDL long tc_connection_status;
3684 * IDL } NETLOGON_INFO_2;
3687 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3688 packet_info *pinfo, proto_tree *tree,
3691 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3692 hf_netlogon_flags, NULL);
3694 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3695 hf_netlogon_pdc_connection_status, NULL);
3697 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3698 NDR_POINTER_UNIQUE, "Trusted DC Name",
3699 hf_netlogon_trusted_dc_name, 0);
3701 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3702 hf_netlogon_tc_connection_status, NULL);
3709 * IDL typedef struct {
3711 * IDL long logon_attempts;
3712 * IDL long reserved;
3713 * IDL long reserved;
3714 * IDL long reserved;
3715 * IDL long reserved;
3716 * IDL long reserved;
3717 * IDL } NETLOGON_INFO_3;
3720 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3721 packet_info *pinfo, proto_tree *tree,
3724 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3725 hf_netlogon_flags, NULL);
3727 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3728 hf_netlogon_logon_attempts, NULL);
3730 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3731 hf_netlogon_reserved, NULL);
3733 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3734 hf_netlogon_reserved, NULL);
3736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3737 hf_netlogon_reserved, NULL);
3739 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3740 hf_netlogon_reserved, NULL);
3742 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3743 hf_netlogon_reserved, NULL);
3750 * IDL typedef [switch_type(long)] union {
3751 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3752 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3753 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3754 * IDL } CONTROL_QUERY_INFORMATION;
3757 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3758 packet_info *pinfo, proto_tree *tree,
3763 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3764 hf_netlogon_level, &level);
3769 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3770 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3771 "NETLOGON_INFO_1:", -1);
3774 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3775 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3776 "NETLOGON_INFO_2:", -1);
3779 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3780 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3781 "NETLOGON_INFO_3:", -1);
3790 * IDL long NetrLogonControl(
3791 * IDL [in][string][unique] wchar_t *logonserver,
3792 * IDL [in] long function_code,
3793 * IDL [in] long level,
3794 * IDL [out][ref] CONTROL_QUERY_INFORMATION
3798 netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3799 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3801 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3804 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3805 hf_netlogon_code, NULL);
3807 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3808 hf_netlogon_level, NULL);
3813 netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
3814 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3816 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3817 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3818 "CONTROL_QUERY_INFORMATION:", -1);
3820 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3821 hf_netlogon_rc, NULL);
3828 * IDL long NetrGetAnyDCName(
3829 * IDL [in][unique][string] wchar_t *logon_server,
3830 * IDL [in][unique][string] wchar_t *domainname,
3831 * IDL [out][unique][string] wchar_t *dcname,
3835 netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
3836 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3838 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3839 NDR_POINTER_UNIQUE, "Server Handle",
3840 hf_netlogon_logonsrv_handle, 0);
3842 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3843 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_domain_name, 0);
3848 netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
3849 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3851 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3852 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_dc_name, 0);
3854 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3855 hf_netlogon_rc, NULL);
3862 * IDL typedef [switch_type(long)] union {
3863 * IDL [case(5)] [unique][string] wchar_t *unknown;
3864 * IDL [case(6)] [unique][string] wchar_t *unknown;
3865 * IDL [case(0xfffe)] long unknown;
3866 * IDL [case(7)] [unique][string] wchar_t *unknown;
3867 * IDL } CONTROL_DATA_INFORMATION;
3870 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3871 * to look like. However NetMon does not recognize any such informationlevels.
3873 * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
3874 * until someone has any source of better authority to call upon.
3877 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3878 packet_info *pinfo, proto_tree *tree,
3883 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3884 hf_netlogon_level, &level);
3889 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3890 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3891 hf_netlogon_unknown_string, 0);
3894 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3895 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3896 hf_netlogon_unknown_string, 0);
3899 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3900 hf_netlogon_unknown_long, NULL);
3903 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
3904 tree, drep, NDR_POINTER_UNIQUE, "unknown",
3905 hf_netlogon_unknown_string, 0);
3914 * IDL long NetrLogonControl2(
3915 * IDL [in][string][unique] wchar_t *logonserver,
3916 * IDL [in] long function_code,
3917 * IDL [in] long level,
3918 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3919 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
3923 netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3924 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3926 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3929 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3930 hf_netlogon_code, NULL);
3932 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3933 hf_netlogon_level, NULL);
3935 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3936 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3937 "CONTROL_DATA_INFORMATION: ", -1);
3943 netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3944 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3946 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3947 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3948 "CONTROL_QUERY_INFORMATION:", -1);
3950 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3951 hf_netlogon_rc, NULL);
3958 * IDL long NetrServerAuthenticate2(
3959 * IDL [in][string][unique] wchar_t *logonserver,
3960 * IDL [in][ref][string] wchar_t *username,
3961 * IDL [in] short secure_channel_type,
3962 * IDL [in][ref][string] wchar_t *computername,
3963 * IDL [in][ref] CREDENTIAL *client_chal,
3964 * IDL [out][ref] CREDENTIAL *server_chal,
3965 * IDL [in][out][ref] long *negotiate_flags,
3969 netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3970 packet_info *pinfo, proto_tree *tree, guint8 *drep)
3972 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3975 offset = dissect_ndr_pointer_cb(
3976 tvb, offset, pinfo, tree, drep,
3977 dissect_ndr_wchar_cvstring, NDR_POINTER_REF,
3978 "User Name", hf_netlogon_acct_name,
3979 cb_wstr_postprocess, GINT_TO_POINTER(CB_STR_COL_INFO | 1));
3981 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3984 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
3985 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
3987 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3988 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3989 "CREDENTIAL: client_chal", -1);
3991 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3992 hf_netlogon_neg_flags, NULL);
3998 netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3999 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4001 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4002 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4003 "CREDENTIAL: server_chal", -1);
4005 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4006 hf_netlogon_neg_flags, NULL);
4008 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4009 hf_netlogon_rc, NULL);
4016 * IDL long NetrDatabaseSync2(
4017 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4018 * IDL [in][string][ref] wchar_t *computername,
4019 * IDL [in][ref] AUTHENTICATOR credential,
4020 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4021 * IDL [in] long database_id,
4022 * IDL [in] short restart_state,
4023 * IDL [in][out][ref] long *sync_context,
4024 * IDL [in] long preferredmaximumlength,
4025 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4029 netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
4030 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4032 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4033 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4035 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4036 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4038 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4039 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4040 "AUTHENTICATOR: credential", -1);
4042 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4043 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4044 "AUTHENTICATOR: return_authenticator", -1);
4046 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4047 hf_netlogon_database_id, NULL);
4049 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4050 hf_netlogon_restart_state, NULL);
4052 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4053 hf_netlogon_sync_context, NULL);
4055 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4056 hf_netlogon_max_size, NULL);
4062 netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
4063 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4065 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4066 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4067 "AUTHENTICATOR: return_authenticator", -1);
4069 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4070 hf_netlogon_sync_context, NULL);
4072 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4073 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4074 "DELTA_ENUM_ARRAY: deltas", -1);
4076 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4077 hf_netlogon_rc, NULL);
4084 * IDL long NetrDatabaseRedo(
4085 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4086 * IDL [in][string][ref] wchar_t *computername,
4087 * IDL [in][ref] AUTHENTICATOR credential,
4088 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4089 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
4090 * IDL [in] long change_log_entry_size,
4091 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4095 netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
4096 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4098 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4099 NDR_POINTER_REF, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4101 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4102 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
4104 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4105 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4106 "AUTHENTICATOR: credential", -1);
4108 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4109 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4110 "AUTHENTICATOR: return_authenticator", -1);
4112 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4113 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4114 "Change log entry: ", -1);
4116 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4117 hf_netlogon_max_log_size, NULL);
4123 netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
4124 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4126 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4127 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4128 "AUTHENTICATOR: return_authenticator", -1);
4130 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4131 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4132 "DELTA_ENUM_ARRAY: deltas", -1);
4134 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4135 hf_netlogon_rc, NULL);
4142 * IDL long NetrLogonControl2Ex(
4143 * IDL [in][string][unique] wchar_t *logonserver,
4144 * IDL [in] long function_code,
4145 * IDL [in] long level,
4146 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
4147 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
4151 netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
4152 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4154 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4157 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4158 hf_netlogon_code, NULL);
4160 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4161 hf_netlogon_level, NULL);
4163 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4164 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
4165 "CONTROL_DATA_INFORMATION: ", -1);
4170 netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
4171 packet_info *pinfo, proto_tree *tree, guint8 *drep)
4173 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4174 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
4175 "CONTROL_QUERY_INFORMATION:", -1);
4177 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4178 hf_netlogon_rc, NULL);
4186 static const value_string trust_type_vals[] = {
4194 #define DS_INET_ADDRESS 1
4195 #define DS_NETBIOS_ADDRESS 2
4196 static const value_string dc_address_types[] = {
4197 { DS_INET_ADDRESS, "IP/DNS name" },
4198 { DS_NETBIOS_ADDRESS, "NetBIOS name" },
4203 #define DS_DOMAIN_IN_FOREST 0x0001
4204 #define DS_DOMAIN_DIRECT_OUTBOUND 0x0002
4205 #define DS_DOMAIN_TREE_ROOT 0x0004
4206 #define DS_DOMAIN_PRIMARY 0x0008
4207 #define DS_DOMAIN_NATIVE_MODE 0x0010
4208 #define DS_DOMAIN_DIRECT_INBOUND 0x0020
4209 static const true_false_string trust_inbound = {
4210 "There is a DIRECT INBOUND trust for the servers domain",
4211 "There is NO direct inbound trust for the servers domain"
4213 static const true_false_string trust_outbound = {
4214 "There is a DIRECT OUTBOUND trust for this domain",
4215 "There is NO direct outbound trust for this domain"
4217 static const true_false_string trust_in_forest = {
4218 "The domain is a member IN the same FOREST as the queried server",
4219 "The domain is NOT a member of the queried servers domain"
4221 static const true_false_string trust_native_mode = {
4222 "The primary domain is a NATIVE MODE w2k domain",
4223 "The primary is NOT a native mode w2k domain"
4225 static const true_false_string trust_primary = {
4226 "The domain is the PRIMARY domain of the queried server",
4227 "The domain is NOT the primary domain of the queried server"
4229 static const true_false_string trust_tree_root = {
4230 "The domain is the ROOT of a domain TREE",
4231 "The domain is NOT a root of a domain tree"
4234 netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
4235 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4238 proto_item *item = NULL;
4239 proto_tree *tree = NULL;
4242 di=pinfo->private_data;
4243 if(di->conformant_run){
4244 /*just a run to handle conformant arrays, nothing to dissect */
4248 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4249 hf_netlogon_trust_flags, &mask);
4252 item = proto_tree_add_uint(parent_tree, hf_netlogon_trust_flags,
4253 tvb, offset-4, 4, mask);
4254 tree = proto_item_add_subtree(item, ett_trust_flags);
4257 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_inbound,
4258 tvb, offset-4, 4, mask);
4259 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_native_mode,
4260 tvb, offset-4, 4, mask);
4261 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_primary,
4262 tvb, offset-4, 4, mask);
4263 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_tree_root,
4264 tvb, offset-4, 4, mask);
4265 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_outbound,
4266 tvb, offset-4, 4, mask);
4267 proto_tree_add_boolean(tree, hf_netlogon_trust_flags_in_forest,
4268 tvb, offset-4, 4, mask);
4274 #define DS_FORCE_REDISCOVERY 0x00000001
4275 #define DS_DIRECTORY_SERVICE_REQUIRED 0x00000010
4276 #define DS_DIRECTORY_SERVICE_PREFERRED 0x00000020
4277 #define DS_GC_SERVER_REQUIRED 0x00000040
4278 #define DS_PDC_REQUIRED 0x00000080
4279 #define DS_BACKGROUND_ONLY 0x00000100
4280 #define DS_IP_REQUIRED 0x00000200
4281 #define DS_KDC_REQUIRED 0x00000400
4282 #define DS_TIMESERV_REQUIRED 0x00000800
4283 #define DS_WRITABLE_REQUIRED 0x00001000
4284 #define DS_GOOD_TIMESERV_PREFERRED 0x00002000
4285 #define DS_AVOID_SELF 0x00004000
4286 #define DS_ONLY_LDAP_NEEDED 0x00008000
4287 #define DS_IS_FLAT_NAME 0x00010000
4288 #define DS_IS_DNS_NAME 0x00020000
4289 #define DS_RETURN_DNS_NAME 0x40000000
4290 #define DS_RETURN_FLAT_NAME 0x80000000
4291 static const true_false_string get_dcname_request_flags_force_rediscovery = {
4292 "FORCE REDISCOVERY of any cached data",
4293 "You may return cached data"
4295 static const true_false_string get_dcname_request_flags_directory_service_required = {
4296 "DIRECRTORY SERVICE is REQUIRED on the server",
4297 "We do NOT require directory service servers"
4299 static const true_false_string get_dcname_request_flags_directory_service_preferred = {
4300 "DIRECTORY SERVICE servers are PREFERRED",
4301 "We do NOT have a preference for directory service servers"
4303 static const true_false_string get_dcname_request_flags_gc_server_required = {
4304 "GC SERVER is REQUIRED",
4305 "gc server is NOT required"
4307 static const true_false_string get_dcname_request_flags_pdc_required = {
4308 "PDC SERVER is REQUIRED",
4309 "pdc server is NOT required"
4311 static const true_false_string get_dcname_request_flags_background_only = {
4312 "Only returned cahced data, even if it has expired",
4313 "Return cached data unless it has expired"
4315 static const true_false_string get_dcname_request_flags_ip_required = {
4316 "IP address is REQUIRED",
4317 "ip address is NOT required"
4319 static const true_false_string get_dcname_request_flags_kdc_required = {
4320 "KDC server is REQUIRED",
4321 "kdc server is NOT required"
4323 static const true_false_string get_dcname_request_flags_timeserv_required = {
4324 "TIMESERV service is REQUIRED",
4325 "timeserv service is NOT required"
4327 static const true_false_string get_dcname_request_flags_writable_required = {
4328 "the requrned dc MUST be WRITEABLE",
4329 "a read-only dc may be returned"
4331 static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
4332 "GOOD TIMESERV servers are PREFERRED",
4333 "we do NOT have a preference for good timeserv servers"
4335 static const true_false_string get_dcname_request_flags_avoid_self = {
4336 "do NOT return self as dc, return someone else",
4337 "you may return yourSELF as the dc"
4339 static const true_false_string get_dcname_request_flags_only_ldap_needed = {
4340 "we ONLY NEED LDAP, you dont have to return a dc",
4341 "we need a normal dc, an ldap only server will not do"
4343 static const true_false_string get_dcname_request_flags_is_flat_name = {
4344 "the name we specify is a NetBIOS name",
4345 "the name we specify is NOT a NetBIOS name"
4347 static const true_false_string get_dcname_request_flags_is_dns_name = {
4348 "the name we specify is a DNS name",
4349 "ther name we specify is NOT a dns name"
4351 static const true_false_string get_dcname_request_flags_return_dns_name = {
4352 "return a DNS name",
4353 "you may return a NON-dns name"
4355 static const true_false_string get_dcname_request_flags_return_flat_name = {
4356 "return a NetBIOS name",
4357 "you may return a NON-NetBIOS name"
4360 netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
4361 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4364 proto_item *item = NULL;
4365 proto_tree *tree = NULL;
4368 di=pinfo->private_data;
4369 if(di->conformant_run){
4370 /*just a run to handle conformant arrays, nothing to dissect */
4374 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4375 hf_netlogon_get_dcname_request_flags, &mask);
4378 item = proto_tree_add_uint(parent_tree, hf_netlogon_get_dcname_request_flags,
4379 tvb, offset-4, 4, mask);
4380 tree = proto_item_add_subtree(item, ett_get_dcname_request_flags);
4383 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_flat_name,
4384 tvb, offset-4, 4, mask);
4385 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_return_dns_name,
4386 tvb, offset-4, 4, mask);
4387 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_flat_name,
4388 tvb, offset-4, 4, mask);
4389 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_is_dns_name,
4390 tvb, offset-4, 4, mask);
4391 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_only_ldap_needed,
4392 tvb, offset-4, 4, mask);
4393 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_avoid_self,
4394 tvb, offset-4, 4, mask);
4395 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
4396 tvb, offset-4, 4, mask);
4397 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_writable_required,
4398 tvb, offset-4, 4, mask);
4399 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_timeserv_required,
4400 tvb, offset-4, 4, mask);
4401 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_kdc_required,
4402 tvb, offset-4, 4, mask);
4403 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_ip_required,
4404 tvb, offset-4, 4, mask);
4405 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_background_only,
4406 tvb, offset-4, 4, mask);
4407 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_pdc_required,
4408 tvb, offset-4, 4, mask);
4409 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_gc_server_required,
4410 tvb, offset-4, 4, mask);
4411 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_preferred,
4412 tvb, offset-4, 4, mask);
4413 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_directory_service_required,
4414 tvb, offset-4, 4, mask);
4415 proto_tree_add_boolean(tree, hf_netlogon_get_dcname_request_flags_force_rediscovery,
4416 tvb, offset-4, 4, mask);
4423 #define DS_PDC_FLAG 0x00000001
4424 #define DS_GC_FLAG 0x00000004
4425 #define DS_LDAP_FLAG 0x00000008
4426 #define DS_DS_FLAG 0x00000010
4427 #define DS_KDC_FLAG 0x00000020
4428 #define DS_TIMESERV_FLAG 0x00000040
4429 #define DS_CLOSEST_FLAG 0x00000080
4430 #define DS_WRITABLE_FLAG 0x00000100
4431 #define DS_GOOD_TIMESERV_FLAG 0x00000200
4432 #define DS_NDNC_FLAG 0x00000400
4433 #define DS_DNS_CONTROLLER_FLAG 0x20000000
4434 #define DS_DNS_DOMAIN_FLAG 0x40000000
4435 #define DS_DNS_FOREST_FLAG 0x80000000
4436 static const true_false_string dc_flags_pdc_flag = {
4437 "this is the PDC of the domain",
4438 "this is NOT the pdc of the domain"
4440 static const true_false_string dc_flags_gc_flag = {
4441 "this is the GC of the forest",
4442 "this is NOT the gc of the forest"
4444 static const true_false_string dc_flags_ldap_flag = {
4445 "this is an LDAP server",
4446 "this is NOT an ldap server"
4448 static const true_false_string dc_flags_ds_flag = {
4449 "this is a DS server",
4450 "this is NOT a ds server"
4452 static const true_false_string dc_flags_kdc_flag = {
4453 "this is a KDC server",
4454 "this is NOT a kdc server"
4456 static const true_false_string dc_flags_timeserv_flag = {
4457 "this is a TIMESERV server",
4458 "this is NOT a timeserv server"
4460 static const true_false_string dc_flags_closest_flag = {
4461 "this is the CLOSEST server",
4462 "this is NOT the closest server"
4464 static const true_false_string dc_flags_writable_flag = {
4465 "this server has a WRITABLE ds database",
4466 "this server has a READ-ONLY ds database"
4468 static const true_false_string dc_flags_good_timeserv_flag = {
4469 "this server is a GOOD TIMESERV server",
4470 "this is NOT a good timeserv server"
4472 static const true_false_string dc_flags_ndnc_flag = {
4476 static const true_false_string dc_flags_dns_controller_flag = {
4477 "DomainControllerName is a DNS name",
4478 "DomainControllerName is NOT a dns name"
4480 static const true_false_string dc_flags_dns_domain_flag = {
4481 "DomainName is a DNS name",
4482 "DomainName is NOT a dns name"
4484 static const true_false_string dc_flags_dns_forest_flag = {
4485 "DnsForestName is a DNS name",
4486 "DnsForestName is NOT a dns name"
4489 netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
4490 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
4493 proto_item *item = NULL;
4494 proto_tree *tree = NULL;
4497 di=pinfo->private_data;
4498 if(di->conformant_run){
4499 /*just a run to handle conformant arrays, nothing to dissect */
4503 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep,
4504 hf_netlogon_dc_flags, &mask);
4507 item = proto_tree_add_uint_format(parent_tree, hf_netlogon_dc_flags,
4508 tvb, offset-4, 4, mask, "Domain Controller Flags: 0x%08x%s", mask, (mask==0x0000ffff)?" PING (mask==0x0000ffff)":"");
4509 tree = proto_item_add_subtree(item, ett_dc_flags);
4512 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_forest_flag,
4513 tvb, offset-4, 4, mask);
4514 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_domain_flag,
4515 tvb, offset-4, 4, mask);
4516 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_dns_controller_flag,
4517 tvb, offset-4, 4, mask);
4518 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ndnc_flag,
4519 tvb, offset-4, 4, mask);
4520 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_good_timeserv_flag,
4521 tvb, offset-4, 4, mask);
4522 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_writable_flag,
4523 tvb, offset-4, 4, mask);
4524 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_closest_flag,
4525 tvb, offset-4, 4, mask);
4526 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_timeserv_flag,
4527 tvb, offset-4, 4, mask);
4528 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_kdc_flag,
4529 tvb, offset-4, 4, mask);
4530 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ds_flag,
4531 tvb, offset-4, 4, mask);
4532 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_ldap_flag,
4533 tvb, offset-4, 4, mask);
4534 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_gc_flag,
4535 tvb, offset-4, 4, mask);
4536 proto_tree_add_boolean(tree, hf_netlogon_dc_flags_pdc_flag,
4537 tvb, offset-4, 4, mask);
4545 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4546 packet_info *pinfo, proto_tree *tree,
4551 di=pinfo->private_data;
4552 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4553 di->hf_index, NULL);
4558 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4559 packet_info *pinfo, proto_tree *tree,
4564 di=pinfo->private_data;
4565 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4566 di->hf_index, NULL);
4571 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4572 packet_info *pinfo, proto_tree *tree,
4575 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4576 hf_netlogon_unknown_char, NULL);
4582 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4583 packet_info *pinfo, proto_tree *tree,
4586 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4587 netlogon_dissect_UNICODE_MULTI_byte);
4593 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4594 packet_info *pinfo, proto_tree *parent_tree,
4597 proto_item *item=NULL;
4598 proto_tree *tree=NULL;
4599 int old_offset=offset;
4602 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4604 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4607 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4608 hf_netlogon_len, NULL);
4610 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4611 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4612 "unknown", hf_netlogon_unknown_string);
4614 proto_item_set_len(item, offset-old_offset);
4619 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4620 packet_info *pinfo, proto_tree *tree,
4623 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
4629 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4630 packet_info *pinfo, proto_tree *parent_tree,
4633 proto_item *item=NULL;
4634 proto_tree *tree=NULL;
4635 int old_offset=offset;
4638 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4639 "DOMAIN_CONTROLLER_INFO:");
4640 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4643 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4644 NDR_POINTER_UNIQUE, "DC Name", hf_netlogon_dc_name, 0);
4646 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4647 NDR_POINTER_UNIQUE, "DC Address", hf_netlogon_dc_address, 0);
4649 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4650 hf_netlogon_dc_address_type, NULL);
4652 offset = dissect_nt_GUID(tvb, offset,
4655 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4656 NDR_POINTER_UNIQUE, "Logon Domain", hf_netlogon_logon_dom, 0);
4658 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4659 NDR_POINTER_UNIQUE, "DNS Forest", hf_netlogon_dns_forest_name, 0);
4661 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, drep);
4663 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4664 NDR_POINTER_UNIQUE, "DC Site", hf_netlogon_dc_site_name, 0);
4666 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4667 NDR_POINTER_UNIQUE, "Client Site",
4668 hf_netlogon_client_site_name, 0);
4670 proto_item_set_len(item, offset-old_offset);
4675 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4676 packet_info *pinfo, proto_tree *tree,
4682 di=pinfo->private_data;
4683 if(di->conformant_run){
4684 /*just a run to handle conformant arrays, nothing to dissect.*/
4688 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4689 hf_netlogon_blob_size, &len);
4691 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
4699 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4700 packet_info *pinfo, proto_tree *parent_tree,
4703 proto_item *item=NULL;
4704 proto_tree *tree=NULL;
4707 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4709 tree = proto_item_add_subtree(item, ett_BLOB);
4712 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4713 hf_netlogon_blob_size, NULL);
4715 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4716 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
4723 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4724 packet_info *pinfo, proto_tree *parent_tree,
4727 proto_item *item=NULL;
4728 proto_tree *tree=NULL;
4729 int old_offset=offset;
4732 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4733 "DOMAIN_TRUST_INFO:");
4734 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
4738 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4740 /* Guesses at best. */
4741 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4742 hf_netlogon_unknown_string, 0);
4744 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4745 hf_netlogon_unknown_string, 0);
4747 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4748 hf_netlogon_unknown_string, 0);
4750 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4751 hf_netlogon_unknown_string, 0);
4753 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4754 hf_netlogon_unknown_long, NULL);
4756 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4757 hf_netlogon_unknown_long, NULL);
4759 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4760 hf_netlogon_unknown_long, NULL);
4762 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4763 hf_netlogon_unknown_long, NULL);
4765 proto_item_set_len(item, offset-old_offset);
4770 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
4771 packet_info *pinfo, proto_tree *tree,
4774 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4775 netlogon_dissect_DOMAIN_TRUST_INFO);
4781 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4782 packet_info *pinfo, proto_tree *tree,
4785 offset = netlogon_dissect_BLOB(tvb, offset,
4788 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4789 NDR_POINTER_UNIQUE, "Workstation FQDN",
4790 hf_netlogon_workstation_fqdn, 0);
4792 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4793 NDR_POINTER_UNIQUE, "Workstation Site",
4794 hf_netlogon_workstation_site_name, 0);
4796 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4797 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4799 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4800 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4802 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4803 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4805 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
4806 NDR_POINTER_UNIQUE, "unknown", hf_netlogon_unknown_string, 0);
4808 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4809 hf_netlogon_unknown_string, 0);
4811 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4812 hf_netlogon_workstation_os, 0);
4814 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4815 hf_netlogon_unknown_string, 0);
4817 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4818 hf_netlogon_unknown_string, 0);
4820 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4821 hf_netlogon_unknown_long, NULL);
4823 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4824 hf_netlogon_unknown_long, NULL);
4826 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4827 hf_netlogon_unknown_long, NULL);
4829 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4830 hf_netlogon_unknown_long, NULL);
4836 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
4837 packet_info *pinfo, proto_tree *tree,
4840 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
4842 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4843 hf_netlogon_num_trusts, NULL);
4845 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4846 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4847 "DOMAIN_TRUST_ARRAY: Trusts", -1);
4849 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4850 hf_netlogon_num_trusts, NULL);
4852 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4853 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4854 "DOMAIN_TRUST_ARRAY:", -1);
4856 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4857 hf_netlogon_dns_domain_name, 0);
4859 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4860 hf_netlogon_unknown_string, 0);
4862 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4863 hf_netlogon_unknown_string, 0);
4865 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
4866 hf_netlogon_unknown_string, 0);
4868 /* These four integers appear to mirror the last four in the query. */
4869 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4870 hf_netlogon_unknown_long, NULL);
4872 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4873 hf_netlogon_unknown_long, NULL);
4875 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4876 hf_netlogon_unknown_long, NULL);
4878 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4879 hf_netlogon_unknown_long, NULL);
4886 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4887 packet_info *pinfo, proto_tree *tree,
4892 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4893 hf_netlogon_level, &level);
4898 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4899 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
4900 "DOMAIN_INFO_1:", -1);
4908 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4909 packet_info *pinfo, proto_tree *parent_tree,
4912 proto_item *item=NULL;
4913 proto_tree *tree=NULL;
4914 int old_offset=offset;
4918 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4919 "UNICODE_STRING_512:");
4920 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4924 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4925 hf_netlogon_unknown_short, NULL);
4928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4929 hf_netlogon_unknown_long, NULL);
4931 proto_item_set_len(item, offset-old_offset);
4936 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4937 packet_info *pinfo, proto_tree *tree,
4940 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4941 hf_netlogon_unknown_char, NULL);
4947 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4948 packet_info *pinfo, proto_tree *tree,
4951 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4952 netlogon_dissect_element_844_byte);
4958 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4959 packet_info *pinfo, proto_tree *parent_tree,
4962 proto_item *item=NULL;
4963 proto_tree *tree=NULL;
4964 int old_offset=offset;
4967 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4969 tree = proto_item_add_subtree(item, ett_TYPE_50);
4972 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4973 hf_netlogon_unknown_long, NULL);
4975 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4976 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4977 "unknown", hf_netlogon_unknown_string);
4979 proto_item_set_len(item, offset-old_offset);
4984 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4985 packet_info *pinfo, proto_tree *tree,
4988 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4989 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4990 "TYPE_50 pointer: unknown_TYPE_50", -1);
4996 netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
4997 packet_info *pinfo, proto_tree *parent_tree, guint8 *drep)
5000 proto_item *item=NULL;
5001 proto_tree *tree=NULL;
5002 int old_offset=offset;
5005 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5006 "DS_DOMAIN_TRUSTS");
5007 tree = proto_item_add_subtree(item, ett_DS_DOMAIN_TRUSTS);
5011 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5012 NDR_POINTER_UNIQUE, "NetBIOS Name",
5013 hf_netlogon_downlevel_domain_name, 0);
5016 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5017 NDR_POINTER_UNIQUE, "DNS Domain Name",
5018 hf_netlogon_dns_domain_name, 0);
5020 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
5022 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5023 hf_netlogon_trust_parent_index, &tmp);
5025 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5026 hf_netlogon_trust_type, &tmp);
5028 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5029 hf_netlogon_trust_attribs, &tmp);
5032 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep, -1);
5035 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
5037 proto_item_set_len(item, offset-old_offset);
5042 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
5043 packet_info *pinfo, proto_tree *tree,
5046 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5047 netlogon_dissect_DS_DOMAIN_TRUSTS);
5053 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
5054 packet_info *pinfo, proto_tree *tree,
5057 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5058 hf_netlogon_unknown_char, NULL);
5064 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
5065 packet_info *pinfo, proto_tree *tree,
5068 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5069 netlogon_dissect_element_865_byte);
5075 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
5076 packet_info *pinfo, proto_tree *tree,
5079 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5080 hf_netlogon_unknown_char, NULL);
5086 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
5087 packet_info *pinfo, proto_tree *tree,
5090 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5091 netlogon_dissect_element_866_byte);
5097 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
5098 packet_info *pinfo, proto_tree *parent_tree,
5101 proto_item *item=NULL;
5102 proto_tree *tree=NULL;
5103 int old_offset=offset;
5106 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5108 tree = proto_item_add_subtree(item, ett_TYPE_52);
5111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5112 hf_netlogon_unknown_long, NULL);
5114 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5115 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
5116 "unknown", hf_netlogon_unknown_string);
5118 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5119 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
5120 "unknown", hf_netlogon_unknown_string);
5122 proto_item_set_len(item, offset-old_offset);
5127 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
5128 packet_info *pinfo, proto_tree *tree,
5131 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5132 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
5133 "TYPE_52 pointer: unknown_TYPE_52", -1);
5139 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
5140 packet_info *pinfo, proto_tree *parent_tree,
5143 proto_item *item=NULL;
5144 proto_tree *tree=NULL;
5145 int old_offset=offset;
5149 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
5151 tree = proto_item_add_subtree(item, ett_TYPE_44);
5154 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5155 hf_netlogon_level, &level);
5160 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5161 hf_netlogon_unknown_long, NULL);
5165 proto_item_set_len(item, offset-old_offset);
5170 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
5171 packet_info *pinfo, proto_tree *tree,
5176 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5177 hf_netlogon_level, &level);
5182 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5183 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5184 "DOMAIN_QUERY_1:", -1);
5187 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5188 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
5189 "DOMAIN_QUERY_1:", -1);
5197 netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
5198 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5200 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5208 netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
5209 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5211 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5212 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
5213 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
5215 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5216 hf_netlogon_rc, NULL);
5222 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5223 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5225 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5228 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5229 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5231 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5232 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5233 "GUID pointer: domain_guid", -1);
5235 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5236 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5237 "GUID pointer: site_guid", -1);
5239 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5240 hf_netlogon_flags, NULL);
5247 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5248 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5250 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5251 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5252 "DOMAIN_CONTROLLER_INFO:", -1);
5254 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5255 hf_netlogon_rc, NULL);
5261 netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
5262 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5264 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5267 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5268 NDR_POINTER_UNIQUE, "unknown string",
5269 hf_netlogon_unknown_string, 0);
5271 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5272 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5273 "AUTHENTICATOR: credential", -1);
5275 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5276 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5277 "AUTHENTICATOR: return_authenticator", -1);
5279 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5280 hf_netlogon_unknown_long, NULL);
5287 netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
5288 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5290 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5291 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5292 "AUTHENTICATOR: return_authenticator", -1);
5294 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5295 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
5296 "TYPE_44 pointer: unknown_TYPE_44", -1);
5298 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5299 hf_netlogon_rc, NULL);
5305 netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
5306 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5308 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5311 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5312 hf_netlogon_unknown_long, NULL);
5314 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5315 hf_netlogon_unknown_long, NULL);
5322 netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
5323 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5325 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5326 hf_netlogon_rc, NULL);
5333 netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
5334 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5336 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5339 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5340 NDR_POINTER_UNIQUE, "unknown string",
5341 hf_netlogon_unknown_string, 0);
5348 netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
5349 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5351 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5352 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5353 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5355 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5356 hf_netlogon_rc, NULL);
5363 netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
5364 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5366 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5369 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5370 hf_netlogon_unknown_long, NULL);
5372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5373 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5374 "BYTE pointer: unknown_BYTE", -1);
5376 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5377 hf_netlogon_unknown_long, NULL);
5383 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
5384 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5389 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
5390 hf_netlogon_unknown_char, NULL);
5397 netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
5398 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5400 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5401 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5402 "BYTE pointer: unknown_BYTE", -1);
5404 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5405 hf_netlogon_rc, NULL);
5411 netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
5412 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5414 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5417 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5418 NDR_POINTER_UNIQUE, "unknown string",
5419 hf_netlogon_unknown_string, 0);
5421 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5422 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5423 "BYTE pointer: unknown_BYTE", -1);
5425 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5426 hf_netlogon_unknown_long, NULL);
5433 netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
5434 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5436 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5437 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
5438 "BYTE pointer: unknown_BYTE", -1);
5440 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5441 hf_netlogon_rc, NULL);
5447 netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
5448 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5450 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5453 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5454 NDR_POINTER_REF, "Acct Name", hf_netlogon_acct_name, 0);
5456 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5459 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5460 NDR_POINTER_REF, "Computer Name", hf_netlogon_computer_name, 0);
5462 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5463 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5464 "CREDENTIAL: authenticator", -1);
5466 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5467 hf_netlogon_neg_flags, NULL);
5474 netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
5475 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5477 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5478 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
5479 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1);
5481 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5482 hf_netlogon_neg_flags, NULL);
5484 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5485 netlogon_dissect_pointer_long, NDR_POINTER_REF,
5486 "ULONG: unknown_ULONG", hf_netlogon_unknown_long);
5488 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5489 hf_netlogon_rc, NULL);
5495 netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
5496 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5498 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5501 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5502 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
5504 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5505 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5506 "GUID pointer: domain_guid", -1);
5508 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5509 NDR_POINTER_UNIQUE, "Site Name", hf_netlogon_site_name, 0);
5511 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, drep);
5518 netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
5519 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5521 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5522 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5523 "DOMAIN_CONTROLLER_INFO:", -1);
5525 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5526 hf_netlogon_rc, NULL);
5532 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5533 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5535 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5543 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5544 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5547 /* XXX hmmm this does not really look like a UNIQUE pointer but
5548 will do for now. I think it is really a 32bit integer followed by
5549 a REF pointer to a unicode string */
5550 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, drep,
5551 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE, "Site Name",
5552 hf_netlogon_site_name, cb_wstr_postprocess,
5553 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
5555 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5556 hf_netlogon_rc, NULL);
5562 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5563 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5565 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5566 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5567 NDR_POINTER_REF, "Server Handle", hf_netlogon_computer_name, 0);
5569 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5570 NDR_POINTER_UNIQUE, "Computer Name",
5571 hf_netlogon_computer_name, 0);
5573 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5574 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5575 "AUTHENTICATOR: credential", -1);
5577 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5578 hf_netlogon_unknown_long, NULL);
5580 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5581 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5582 "AUTHENTICATOR: return_authenticator", -1);
5584 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5585 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5586 "DOMAIN_QUERY: ", -1);
5593 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5594 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5596 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5597 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5598 "AUTHENTICATOR: return_authenticator", -1);
5600 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5601 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5602 "DOMAIN_INFO: ", -1);
5604 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5605 hf_netlogon_rc, NULL);
5611 netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5612 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5614 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5617 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5618 NDR_POINTER_UNIQUE, "unknown string",
5619 hf_netlogon_unknown_string, 0);
5621 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5622 hf_netlogon_unknown_short, NULL);
5624 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5625 NDR_POINTER_UNIQUE, "unknown string",
5626 hf_netlogon_unknown_string, 0);
5628 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5629 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5630 "AUTHENTICATOR: credential", -1);
5632 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
5640 netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5641 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5643 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5644 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5645 "AUTHENTICATOR: return_authenticator", -1);
5647 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5648 hf_netlogon_rc, NULL);
5654 netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
5655 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5657 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5660 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5661 NDR_POINTER_UNIQUE, "Acct Name", hf_netlogon_acct_name, 0);
5663 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5666 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5667 NDR_POINTER_UNIQUE, "Computer Name",
5668 hf_netlogon_computer_name, 0);
5670 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5671 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5672 "AUTHENTICATOR: credential", -1);
5679 netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
5680 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5682 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5683 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5684 "AUTHENTICATOR: return_authenticator", -1);
5686 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5687 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5688 "LM_OWF_PASSWORD pointer: server_pwd", -1);
5690 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5691 hf_netlogon_rc, NULL);
5697 netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
5698 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5700 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5703 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5704 NDR_POINTER_UNIQUE, "unknown string",
5705 hf_netlogon_unknown_string, 0);
5707 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5708 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5709 "AUTHENTICATOR: credential", -1);
5711 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5712 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5713 "BYTE pointer: unknown_BYTE", -1);
5715 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5716 hf_netlogon_unknown_long, NULL);
5723 netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
5724 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5726 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5727 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5728 "AUTHENTICATOR: return_authenticator", -1);
5730 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5731 hf_netlogon_rc, NULL);
5737 netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
5738 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5740 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5743 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5744 hf_netlogon_unknown_long, NULL);
5746 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5747 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5748 "BYTE pointer: unknown_BYTE", -1);
5755 netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
5756 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5758 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5759 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5760 "TYPE_50** pointer: unknown_TYPE_50", -1);
5762 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5763 hf_netlogon_rc, NULL);
5769 netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
5770 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5772 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5775 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5776 NDR_POINTER_UNIQUE, "unknown string",
5777 hf_netlogon_unknown_string, 0);
5779 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5780 hf_netlogon_unknown_long, NULL);
5782 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5783 NDR_POINTER_UNIQUE, "unknown string",
5784 hf_netlogon_unknown_string, 0);
5786 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5787 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5788 "GUID pointer: unknown_GUID", -1);
5790 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5791 NDR_POINTER_UNIQUE, "unknown string",
5792 hf_netlogon_unknown_string, 0);
5794 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5795 hf_netlogon_unknown_long, NULL);
5802 netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
5803 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5805 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5806 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5807 "DOMAIN_CONTROLLER_INFO:", -1);
5809 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5810 hf_netlogon_rc, NULL);
5816 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
5817 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5819 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5827 netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
5828 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5830 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5831 NDR_POINTER_UNIQUE, "unknown string",
5832 hf_netlogon_unknown_string, 0);
5834 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5835 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5836 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5838 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5839 hf_netlogon_rc, NULL);
5845 netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
5846 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5848 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5855 netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
5856 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5858 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5859 hf_netlogon_entries, NULL);
5861 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5862 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
5863 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
5865 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5866 hf_netlogon_rc, NULL);
5872 netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
5873 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5875 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5878 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5879 hf_netlogon_unknown_long, NULL);
5881 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5882 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5883 "BYTE pointer: unknown_BYTE", -1);
5890 netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
5891 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5893 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5894 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5895 "TYPE_52 pointer: unknown_TYPE_52", -1);
5897 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5898 hf_netlogon_rc, NULL);
5905 netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
5906 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5908 offset = dissect_ndr_counted_string_cb(
5909 tvb, offset, pinfo, tree, drep, hf_netlogon_site_name,
5910 cb_wstr_postprocess,
5911 GINT_TO_POINTER(CB_STR_COL_INFO | 1));
5916 netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
5917 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5919 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
5920 netlogon_dissect_site_name_item);
5926 netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
5927 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5929 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5930 hf_netlogon_count, NULL);
5932 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5933 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE,
5934 "Site name array", -1);
5940 netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
5941 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5943 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5951 netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
5952 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5954 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5955 netlogon_dissect_site_names, NDR_POINTER_UNIQUE,
5958 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5959 hf_netlogon_rc, NULL);
5965 netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5966 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5968 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5969 NDR_POINTER_UNIQUE, "unknown string",
5970 hf_netlogon_unknown_string, 0);
5972 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
5973 NDR_POINTER_UNIQUE, "unknown string",
5974 hf_netlogon_unknown_string, 0);
5976 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5977 hf_netlogon_unknown_short, NULL);
5979 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5980 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5981 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
5983 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5984 hf_netlogon_unknown_short, NULL);
5986 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5987 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5988 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
5994 netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
5995 packet_info *pinfo, proto_tree *tree, guint8 *drep)
5997 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5998 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5999 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
6001 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6002 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
6003 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
6005 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6006 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
6007 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
6009 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6010 hf_netlogon_rc, NULL);
6017 netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
6018 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6020 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6023 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, drep);
6030 netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
6031 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6033 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
6034 hf_netlogon_entries, NULL);
6036 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6037 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE,
6038 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
6040 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6041 hf_netlogon_rc, NULL);
6047 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
6048 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6050 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6053 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6054 NDR_POINTER_UNIQUE, "Domain", hf_netlogon_logon_dom, 0);
6056 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6057 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6058 "GUID pointer: domain_guid", -1);
6060 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
6061 dissect_nt_GUID, NDR_POINTER_UNIQUE,
6062 "GUID pointer: dsa_guid", -1);
6064 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, drep,
6065 NDR_POINTER_REF, "dns_host", hf_netlogon_dns_host, 0);
6072 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
6073 packet_info *pinfo, proto_tree *tree, guint8 *drep)
6075 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
6076 hf_netlogon_rc, NULL);
6081 /* Dissect secure channel stuff */
6083 static int hf_netlogon_secchan_bind_unknown1 = -1;
6084 static int hf_netlogon_secchan_bind_unknown2 = -1;
6085 static int hf_netlogon_secchan_domain = -1;
6086 static int hf_netlogon_secchan_host = -1;
6087 static int hf_netlogon_secchan_bind_ack_unknown1 = -1;
6088 static int hf_netlogon_secchan_bind_ack_unknown2 = -1;
6089 static int hf_netlogon_secchan_bind_ack_unknown3 = -1;
6091 static gint ett_secchan_verf = -1;
6092 static gint ett_secchan_bind_creds = -1;
6093 static gint ett_secchan_bind_ack_creds = -1;
6095 static int dissect_secchan_bind_creds(tvbuff_t *tvb, int offset,
6097 proto_tree *tree, guint8 *drep)
6099 proto_item *item = NULL;
6100 proto_tree *subtree = NULL;
6104 item = proto_tree_add_text(
6105 tree, tvb, offset, -1,
6106 "Secure Channel Bind Credentials");
6107 subtree = proto_item_add_subtree(
6108 item, ett_secchan_bind_creds);
6111 /* We can't use the NDR routines as the DCERPC call data hasn't
6112 been initialised since we haven't made a DCERPC call yet, just
6115 offset = dissect_dcerpc_uint32(
6116 tvb, offset, pinfo, subtree, drep,
6117 hf_netlogon_secchan_bind_unknown1, NULL);
6119 offset = dissect_dcerpc_uint32(
6120 tvb, offset, pinfo, subtree, drep,
6121 hf_netlogon_secchan_bind_unknown2, NULL);
6123 len = tvb_strsize(tvb, offset);
6125 proto_tree_add_item(
6126 subtree, hf_netlogon_secchan_domain, tvb, offset, len, FALSE);
6130 len = tvb_strsize(tvb, offset);
6132 proto_tree_add_item(
6133 subtree, hf_netlogon_secchan_host, tvb, offset, len, FALSE);
6140 static int dissect_secchan_bind_ack_creds(tvbuff_t *tvb, int offset,
6142 proto_tree *tree, guint8 *drep)
6144 proto_item *item = NULL;
6145 proto_tree *subtree = NULL;
6148 item = proto_tree_add_text(
6149 tree, tvb, offset, -1,
6150 "Secure Channel Bind ACK Credentials");
6151 subtree = proto_item_add_subtree(
6152 item, ett_secchan_bind_ack_creds);
6155 /* Don't use NDR routines here */
6157 offset = dissect_dcerpc_uint32(
6158 tvb, offset, pinfo, subtree, drep,
6159 hf_netlogon_secchan_bind_ack_unknown1, NULL);
6161 offset = dissect_dcerpc_uint32(
6162 tvb, offset, pinfo, subtree, drep,
6163 hf_netlogon_secchan_bind_ack_unknown2, NULL);
6165 offset = dissect_dcerpc_uint32(
6166 tvb, offset, pinfo, subtree, drep,
6167 hf_netlogon_secchan_bind_ack_unknown3, NULL);
6174 static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
6175 { NETLOGON_NETRLOGONUASLOGON, "NetrLogonUasLogon",
6176 netlogon_dissect_netrlogonuaslogon_rqst,
6177 netlogon_dissect_netrlogonuaslogon_reply },
6178 { NETLOGON_NETRLOGONUASLOGOFF, "NetrLogonUasLogoff",
6179 netlogon_dissect_netrlogonuaslogoff_rqst,
6180 netlogon_dissect_netrlogonuaslogoff_reply },
6181 { NETLOGON_NETRLOGONSAMLOGON, "NetrLogonSamLogon",
6182 netlogon_dissect_netrlogonsamlogon_rqst,
6183 netlogon_dissect_netrlogonsamlogon_reply },
6184 { NETLOGON_NETRLOGONSAMLOGOFF, "NetrLogonSamLogoff",
6185 netlogon_dissect_netrlogonsamlogoff_rqst,
6186 netlogon_dissect_netrlogonsamlogoff_reply },
6187 { NETLOGON_NETRSERVERREQCHALLENGE, "NetrServerReqChallenge",
6188 netlogon_dissect_netrserverreqchallenge_rqst,
6189 netlogon_dissect_netrserverreqchallenge_reply },
6190 { NETLOGON_NETRSERVERAUTHENTICATE, "NetrServerAuthenticate",
6191 netlogon_dissect_netrserverauthenticate_rqst,
6192 netlogon_dissect_netrserverauthenticate_reply },
6193 { NETLOGON_NETRSERVERPASSWORDSET, "NetrServerPasswordSet",
6194 netlogon_dissect_netrserverpasswordset_rqst,
6195 netlogon_dissect_netrserverpasswordset_reply },
6196 { NETLOGON_NETRDATABASEDELTAS, "NetrDatabaseDeltas",
6197 netlogon_dissect_netrdatabasedeltas_rqst,
6198 netlogon_dissect_netrdatabasedeltas_reply },
6199 { NETLOGON_NETRDATABASESYNC, "NetrDatabaseSync",
6200 netlogon_dissect_netrdatabasesync_rqst,
6201 netlogon_dissect_netrdatabasesync_reply },
6202 { NETLOGON_NETRACCOUNTDELTAS, "NetrAccountDeltas",
6203 netlogon_dissect_netraccountdeltas_rqst,
6204 netlogon_dissect_netraccountdeltas_reply },
6205 { NETLOGON_NETRACCOUNTSYNC, "NetrAccountSync",
6206 netlogon_dissect_netraccountsync_rqst,
6207 netlogon_dissect_netraccountsync_reply },
6208 { NETLOGON_NETRGETDCNAME, "NetrGetDCName",
6209 netlogon_dissect_netrgetdcname_rqst,
6210 netlogon_dissect_netrgetdcname_reply },
6211 { NETLOGON_NETRLOGONCONTROL, "NetrLogonControl",
6212 netlogon_dissect_netrlogoncontrol_rqst,
6213 netlogon_dissect_netrlogoncontrol_reply },
6214 { NETLOGON_NETRGETANYDCNAME, "NetrGetAnyDCName",
6215 netlogon_dissect_netrgetanydcname_rqst,
6216 netlogon_dissect_netrgetanydcname_reply },
6217 { NETLOGON_NETRLOGONCONTROL2, "NetrLogonControl2",
6218 netlogon_dissect_netrlogoncontrol2_rqst,
6219 netlogon_dissect_netrlogoncontrol2_reply },
6220 { NETLOGON_NETRSERVERAUTHENTICATE2, "NetrServerAuthenticate2",
6221 netlogon_dissect_netrserverauthenticate2_rqst,
6222 netlogon_dissect_netrserverauthenticate2_reply },
6223 { NETLOGON_NETRDATABASESYNC2, "NetrDatabaseSync2",
6224 netlogon_dissect_netrdatabasesync2_rqst,
6225 netlogon_dissect_netrdatabasesync2_reply },
6226 { NETLOGON_NETRDATABASEREDO, "NetrDatabaseRedo",
6227 netlogon_dissect_netrdatabaseredo_rqst,
6228 netlogon_dissect_netrdatabaseredo_reply },
6229 { NETLOGON_NETRLOGONCONTROL2EX, "NetrLogonControl2Ex",
6230 netlogon_dissect_netrlogoncontrol2ex_rqst,
6231 netlogon_dissect_netrlogoncontrol2ex_reply },
6232 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS, "NetrEnumerateTrustedDomains",
6233 netlogon_dissect_netrenumeratetrusteddomains_rqst,
6234 netlogon_dissect_netrenumeratetrusteddomains_reply },
6235 { NETLOGON_DSRGETDCNAME, "DsrGetDcName",
6236 netlogon_dissect_dsrgetdcname_rqst,
6237 netlogon_dissect_dsrgetdcname_reply },
6238 { NETLOGON_NETRLOGONDUMMYROUTINE1, "NetrLogonDummyRoutine1",
6239 netlogon_dissect_netrlogondummyroutine1_rqst,
6240 netlogon_dissect_netrlogondummyroutine1_reply },
6241 { NETLOGON_NETRLOGONSETSERVICEBITS, "NetrLogonSetServiceBits",
6242 netlogon_dissect_netrlogonsetservicebits_rqst,
6243 netlogon_dissect_netrlogonsetservicebits_reply },
6244 { NETLOGON_NETRLOGONGETTRUSTRID, "NetrLogonGetTrustRid",
6245 netlogon_dissect_netrlogongettrustrid_rqst,
6246 netlogon_dissect_netrlogongettrustrid_reply },
6247 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST, "NetrLogonComputeServerDigest",
6248 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
6249 netlogon_dissect_netrlogoncomputeserverdigest_reply },
6250 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST, "NetrLogonComputeClientDigest",
6251 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
6252 netlogon_dissect_netrlogoncomputeclientdigest_reply },
6253 { NETLOGON_NETRSERVERAUTHENTICATE3, "NetrServerAuthenticate3",
6254 netlogon_dissect_netrserverauthenticate3_rqst,
6255 netlogon_dissect_netrserverauthenticate3_reply },
6256 { NETLOGON_DSRGETDCNAMEX, "DsrGetDcNameEx",
6257 netlogon_dissect_dsrgetdcnameex_rqst,
6258 netlogon_dissect_dsrgetdcnameex_reply },
6259 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
6260 netlogon_dissect_dsrgetsitename_rqst,
6261 netlogon_dissect_dsrgetsitename_reply },
6262 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
6263 netlogon_dissect_netrlogongetdomaininfo_rqst,
6264 netlogon_dissect_netrlogongetdomaininfo_reply },
6265 { NETLOGON_NETRSERVERPASSWORDSET2, "NetrServerPasswordSet2",
6266 netlogon_dissect_netrserverpasswordset2_rqst,
6267 netlogon_dissect_netrserverpasswordset2_reply },
6268 { NETLOGON_NETRSERVERPASSWORDGET, "NetrServerPasswordGet",
6269 netlogon_dissect_netrserverpasswordget_rqst,
6270 netlogon_dissect_netrserverpasswordget_reply },
6271 { NETLOGON_NETRLOGONSENDTOSAM, "NetrLogonSendToSam",
6272 netlogon_dissect_netrlogonsendtosam_rqst,
6273 netlogon_dissect_netrlogonsendtosam_reply },
6274 { NETLOGON_DSRADDRESSTOSITENAMESW, "DsrAddressToSiteNamesW",
6275 netlogon_dissect_dsraddresstositenamesw_rqst,
6276 netlogon_dissect_dsraddresstositenamesw_reply },
6277 { NETLOGON_DSRGETDCNAMEEX2, "DsrGetDcNameEx2",
6278 netlogon_dissect_dsrgetdcnameex2_rqst,
6279 netlogon_dissect_dsrgetdcnameex2_reply },
6280 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN,
6281 "NetrLogonGetTimeServiceParentDomain",
6282 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
6283 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
6284 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX, "NetrEnumerateTrustedDomainsEx",
6285 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
6286 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
6287 { NETLOGON_DSRADDRESSTOSITENAMESEXW, "DsrAddressToSiteNamesExW",
6288 netlogon_dissect_dsraddresstositenamesexw_rqst,
6289 netlogon_dissect_dsraddresstositenamesexw_reply },
6290 { NETLOGON_DSRGETDCSITECOVERAGEW, "DsrGetDcSiteCoverageW",
6291 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
6292 netlogon_dissect_dsrgetdcsitecoveragew_reply },
6293 { NETLOGON_NETRLOGONSAMLOGONEX, "NetrLogonSamLogonEx",
6294 netlogon_dissect_netrlogonsamlogonex_rqst,
6295 netlogon_dissect_netrlogonsamlogonex_reply },
6296 { NETLOGON_DSRENUMERATEDOMAINTRUSTS, "DsrEnumerateDomainTrusts",
6297 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
6298 netlogon_dissect_dsrenumeratedomaintrusts_reply },
6299 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDnsHostRecords",
6300 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
6301 netlogon_dissect_dsrderegisterdnshostrecords_reply },
6302 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET, "NetrServerTrustPasswordsGet",
6304 { NETLOGON_DSRGETFORESTTRUSTINFORMATION, "DsrGetForestTrustInformation",
6306 { NETLOGON_NETRGETFORESTTRUSTINFORMATION, "NetrGetForestTrustInformation",
6308 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS, "NetrLogonSamLogonWithFlags",
6310 { NETLOGON_NETRSERVERGETTRUSTINFO, "NetrServerGetTrustInfo",
6312 {0, NULL, NULL, NULL }
6315 static int hf_netlogon_secchan_verf = -1;
6316 static int hf_netlogon_secchan_verf_sig = -1;
6317 static int hf_netlogon_secchan_verf_unk = -1;
6318 static int hf_netlogon_secchan_verf_seq = -1;
6319 static int hf_netlogon_secchan_verf_nonce = -1;
6322 dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo _U_,
6323 proto_tree *tree, guint8 *drep _U_)
6325 proto_item *vf = NULL;
6326 proto_tree *subtree = NULL;
6329 * Create a new tree, and split into 4 components ...
6331 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
6333 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
6335 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sig, tvb,
6339 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_unk, tvb,
6343 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_seq, tvb,
6347 /* In some cases the nonce isn't present although it isn't clear
6350 if (tvb_bytes_exist(tvb, offset, 8)) {
6351 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_nonce,
6352 tvb, offset, 8, FALSE);
6359 /* Secure channel types */
6361 static const value_string sec_chan_type_vals[] = {
6362 { SEC_CHAN_WKSTA, "Workstation" },
6363 { SEC_CHAN_DOMAIN, "Domain trust" },
6364 { SEC_CHAN_BDC, "Backup domain controller" },
6369 proto_register_dcerpc_netlogon(void)
6372 static hf_register_info hf[] = {
6373 { &hf_netlogon_opnum,
6374 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
6375 NULL, 0x0, "Operation", HFILL }},
6377 { &hf_netlogon_rc, {
6378 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
6379 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
6381 { &hf_netlogon_param_ctrl, {
6382 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
6383 NULL, 0x0, "Param ctrl", HFILL }},
6385 { &hf_netlogon_logon_id, {
6386 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
6387 NULL, 0x0, "Logon ID", HFILL }},
6389 { &hf_netlogon_modify_count, {
6390 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
6391 NULL, 0x0, "How many times the object has been modified", HFILL }},
6393 { &hf_netlogon_security_information, {
6394 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
6395 NULL, 0x0, "Security Information", HFILL }},
6397 { &hf_netlogon_count, {
6398 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
6399 NULL, 0x0, "", HFILL }},
6401 { &hf_netlogon_entries, {
6402 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
6403 NULL, 0x0, "", HFILL }},
6405 { &hf_netlogon_credential, {
6406 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
6407 NULL, 0x0, "Netlogon Credential", HFILL }},
6409 { &hf_netlogon_challenge, {
6410 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
6411 NULL, 0x0, "Netlogon challenge", HFILL }},
6413 { &hf_netlogon_lm_owf_password, {
6414 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
6415 NULL, 0x0, "LanManager OWF Password", HFILL }},
6417 { &hf_netlogon_user_session_key, {
6418 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
6419 NULL, 0x0, "User Session Key", HFILL }},
6421 { &hf_netlogon_encrypted_lm_owf_password, {
6422 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
6423 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
6425 { &hf_netlogon_nt_owf_password, {
6426 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
6427 NULL, 0x0, "NT OWF Password", HFILL }},
6429 { &hf_netlogon_blob, {
6430 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
6431 NULL, 0x0, "BLOB", HFILL }},
6433 { &hf_netlogon_len, {
6434 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
6435 NULL, 0, "Length", HFILL }},
6437 { &hf_netlogon_priv, {
6438 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
6439 NULL, 0, "", HFILL }},
6441 { &hf_netlogon_privilege_entries, {
6442 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
6443 NULL, 0, "", HFILL }},
6445 { &hf_netlogon_privilege_control, {
6446 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
6447 NULL, 0, "", HFILL }},
6449 { &hf_netlogon_privilege_name, {
6450 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
6451 NULL, 0, "", HFILL }},
6453 { &hf_netlogon_pdc_connection_status, {
6454 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
6455 NULL, 0, "PDC Connection Status", HFILL }},
6457 { &hf_netlogon_tc_connection_status, {
6458 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
6459 NULL, 0, "TC Connection Status", HFILL }},
6461 { &hf_netlogon_attrs, {
6462 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
6463 NULL, 0, "Attributes", HFILL }},
6465 { &hf_netlogon_unknown_string,
6466 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
6467 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
6468 { &hf_netlogon_unknown_long,
6469 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
6470 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
6471 { &hf_netlogon_reserved,
6472 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
6473 NULL, 0x0, "Reserved", HFILL }},
6474 { &hf_netlogon_unknown_short,
6475 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
6476 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
6478 { &hf_netlogon_unknown_char,
6479 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
6480 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
6482 { &hf_netlogon_acct_expiry_time,
6483 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
6484 NULL, 0x0, "When this account will expire", HFILL }},
6486 { &hf_netlogon_nt_pwd_present,
6487 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
6488 NULL, 0x0, "Is NT password present for this account?", HFILL }},
6490 { &hf_netlogon_lm_pwd_present,
6491 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
6492 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
6494 { &hf_netlogon_pwd_expired,
6495 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
6496 NULL, 0x0, "Whether this password has expired or not", HFILL }},
6498 { &hf_netlogon_authoritative,
6499 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
6500 NULL, 0x0, "", HFILL }},
6502 { &hf_netlogon_sensitive_data_flag,
6503 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
6504 NULL, 0x0, "Sensitive data flag", HFILL }},
6506 { &hf_netlogon_auditing_mode,
6507 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
6508 NULL, 0x0, "Auditing Mode", HFILL }},
6510 { &hf_netlogon_max_audit_event_count,
6511 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
6512 NULL, 0x0, "Max audit event count", HFILL }},
6514 { &hf_netlogon_event_audit_option,
6515 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
6516 NULL, 0x0, "Event audit option", HFILL }},
6518 { &hf_netlogon_sensitive_data_len,
6519 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
6520 NULL, 0x0, "Length of sensitive data", HFILL }},
6522 { &hf_netlogon_nt_chal_resp,
6523 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
6524 NULL, 0, "Challenge response for NT authentication", HFILL }},
6526 { &hf_netlogon_lm_chal_resp,
6527 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
6528 NULL, 0, "Challenge response for LM authentication", HFILL }},
6530 { &hf_netlogon_cipher_len,
6531 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
6532 NULL, 0, "", HFILL }},
6534 { &hf_netlogon_cipher_maxlen,
6535 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
6536 NULL, 0, "", HFILL }},
6538 { &hf_netlogon_pac_data,
6539 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
6540 NULL, 0, "Pac Data", HFILL }},
6542 { &hf_netlogon_sensitive_data,
6543 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
6544 NULL, 0, "Sensitive Data", HFILL }},
6546 { &hf_netlogon_auth_data,
6547 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
6548 NULL, 0, "Auth Data", HFILL }},
6550 { &hf_netlogon_cipher_current_data,
6551 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
6552 NULL, 0, "", HFILL }},
6554 { &hf_netlogon_cipher_old_data,
6555 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
6556 NULL, 0, "", HFILL }},
6558 { &hf_netlogon_acct_name,
6559 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
6560 NULL, 0, "Account Name", HFILL }},
6562 { &hf_netlogon_acct_desc,
6563 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
6564 NULL, 0, "Account Description", HFILL }},
6566 { &hf_netlogon_group_desc,
6567 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
6568 NULL, 0, "Group Description", HFILL }},
6570 { &hf_netlogon_full_name,
6571 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
6572 NULL, 0, "Full Name", HFILL }},
6574 { &hf_netlogon_comment,
6575 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
6576 NULL, 0, "Comment", HFILL }},
6578 { &hf_netlogon_parameters,
6579 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
6580 NULL, 0, "Parameters", HFILL }},
6582 { &hf_netlogon_logon_script,
6583 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
6584 NULL, 0, "Logon Script", HFILL }},
6586 { &hf_netlogon_profile_path,
6587 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
6588 NULL, 0, "Profile Path", HFILL }},
6590 { &hf_netlogon_home_dir,
6591 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
6592 NULL, 0, "Home Directory", HFILL }},
6594 { &hf_netlogon_dir_drive,
6595 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
6596 NULL, 0, "Drive letter for home directory", HFILL }},
6598 { &hf_netlogon_logon_srv,
6599 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
6600 NULL, 0, "Server", HFILL }},
6602 { &hf_netlogon_principal,
6603 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
6604 NULL, 0, "Principal", HFILL }},
6606 { &hf_netlogon_logon_dom,
6607 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6608 NULL, 0, "Domain", HFILL }},
6610 { &hf_netlogon_resourcegroupdomainsid,
6611 { "ResourceGroupDomainSID", "netlogon.resourcegroupdomainsid", FT_STRING, BASE_NONE,
6612 NULL, 0, "Resource Group Domain SID", HFILL }},
6614 { &hf_netlogon_resourcegroupcount,
6615 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
6616 NULL, 0, "Number of Resource Groups", HFILL }},
6618 { &hf_netlogon_computer_name,
6619 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6620 NULL, 0, "Computer Name", HFILL }},
6622 { &hf_netlogon_site_name,
6623 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6624 NULL, 0, "Site Name", HFILL }},
6626 { &hf_netlogon_dc_name,
6627 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6628 NULL, 0, "DC Name", HFILL }},
6630 { &hf_netlogon_dc_site_name,
6631 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6632 NULL, 0, "DC Site Name", HFILL }},
6634 { &hf_netlogon_dns_forest_name,
6635 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6636 NULL, 0, "DNS Forest Name", HFILL }},
6638 { &hf_netlogon_dc_address,
6639 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6640 NULL, 0, "DC Address", HFILL }},
6642 { &hf_netlogon_dc_address_type,
6643 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6644 VALS(dc_address_types), 0, "DC Address Type", HFILL }},
6646 { &hf_netlogon_client_site_name,
6647 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6648 NULL, 0, "Client Site Name", HFILL }},
6650 { &hf_netlogon_workstation_site_name,
6651 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6652 NULL, 0, "Workstation Site Name", HFILL }},
6654 { &hf_netlogon_workstation,
6655 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6656 NULL, 0, "Workstation Name", HFILL }},
6658 { &hf_netlogon_workstation_os,
6659 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6660 NULL, 0, "Workstation OS", HFILL }},
6662 { &hf_netlogon_workstations,
6663 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6664 NULL, 0, "Workstations", HFILL }},
6666 { &hf_netlogon_workstation_fqdn,
6667 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6668 NULL, 0, "Workstation FQDN", HFILL }},
6670 { &hf_netlogon_group_name,
6671 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6672 NULL, 0, "Group Name", HFILL }},
6674 { &hf_netlogon_alias_name,
6675 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6676 NULL, 0, "Alias Name", HFILL }},
6678 { &hf_netlogon_dns_host,
6679 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6680 NULL, 0, "DNS Host", HFILL }},
6682 { &hf_netlogon_downlevel_domain_name,
6683 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6684 NULL, 0, "Downlevel Domain Name", HFILL }},
6686 { &hf_netlogon_dns_domain_name,
6687 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6688 NULL, 0, "DNS Domain Name", HFILL }},
6690 { &hf_netlogon_domain_name,
6691 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6692 NULL, 0, "Domain Name", HFILL }},
6694 { &hf_netlogon_oem_info,
6695 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6696 NULL, 0, "OEM Info", HFILL }},
6698 { &hf_netlogon_trusted_dc_name,
6699 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6700 NULL, 0, "Trusted DC", HFILL }},
6702 { &hf_netlogon_logonsrv_handle,
6703 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6704 NULL, 0, "Logon Srv Handle", HFILL }},
6706 { &hf_netlogon_dummy,
6707 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6708 NULL, 0, "Dummy string", HFILL }},
6710 { &hf_netlogon_logon_count16,
6711 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6712 NULL, 0x0, "Number of successful logins", HFILL }},
6714 { &hf_netlogon_logon_count,
6715 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6716 NULL, 0x0, "Number of successful logins", HFILL }},
6718 { &hf_netlogon_bad_pw_count16,
6719 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6720 NULL, 0x0, "Number of failed logins", HFILL }},
6722 { &hf_netlogon_bad_pw_count,
6723 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6724 NULL, 0x0, "Number of failed logins", HFILL }},
6726 { &hf_netlogon_country,
6727 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6728 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6730 { &hf_netlogon_codepage,
6731 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6732 NULL, 0x0, "Codepage setting for this account", HFILL }},
6734 { &hf_netlogon_level16,
6735 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6736 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6738 { &hf_netlogon_validation_level,
6739 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6740 NULL, 0x0, "Requested level of validation", HFILL }},
6742 { &hf_netlogon_minpasswdlen,
6743 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6744 NULL, 0x0, "Minimum length of password", HFILL }},
6746 { &hf_netlogon_passwdhistorylen,
6747 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6748 NULL, 0x0, "Length of password history", HFILL }},
6750 { &hf_netlogon_secure_channel_type,
6751 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
6752 VALS(sec_chan_type_vals), 0x0, "Secure Channel Type", HFILL }},
6754 { &hf_netlogon_restart_state,
6755 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6756 NULL, 0x0, "Restart State", HFILL }},
6758 { &hf_netlogon_delta_type,
6759 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6760 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6762 { &hf_netlogon_blob_size,
6763 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6764 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6766 { &hf_netlogon_code,
6767 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6768 NULL, 0x0, "Code", HFILL }},
6770 { &hf_netlogon_level,
6771 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6772 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6774 { &hf_netlogon_reference,
6775 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6776 NULL, 0x0, "", HFILL }},
6778 { &hf_netlogon_next_reference,
6779 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6780 NULL, 0x0, "", HFILL }},
6782 { &hf_netlogon_timestamp,
6783 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6784 NULL, 0, "", HFILL }},
6786 { &hf_netlogon_user_rid,
6787 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6788 NULL, 0x0, "", HFILL }},
6790 { &hf_netlogon_alias_rid,
6791 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6792 NULL, 0x0, "", HFILL }},
6794 { &hf_netlogon_group_rid,
6795 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6796 NULL, 0x0, "", HFILL }},
6798 { &hf_netlogon_num_rids,
6799 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6800 NULL, 0x0, "Number of RIDs", HFILL }},
6802 { &hf_netlogon_num_controllers,
6803 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6804 NULL, 0x0, "Number of domain controllers", HFILL }},
6806 { &hf_netlogon_num_other_groups,
6807 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6808 NULL, 0x0, "", HFILL }},
6810 { &hf_netlogon_flags,
6811 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6812 NULL, 0x0, "", HFILL }},
6814 { &hf_netlogon_user_flags,
6815 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6816 NULL, 0x0, "", HFILL }},
6818 { &hf_netlogon_auth_flags,
6819 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6820 NULL, 0x0, "", HFILL }},
6822 { &hf_netlogon_systemflags,
6823 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6824 NULL, 0x0, "", HFILL }},
6826 { &hf_netlogon_database_id,
6827 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6828 NULL, 0x0, "Database Id", HFILL }},
6830 { &hf_netlogon_sync_context,
6831 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6832 NULL, 0x0, "Sync Context", HFILL }},
6834 { &hf_netlogon_max_size,
6835 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6836 NULL, 0x0, "Max Size of database", HFILL }},
6838 { &hf_netlogon_max_log_size,
6839 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6840 NULL, 0x0, "Max Size of log", HFILL }},
6842 { &hf_netlogon_pac_size,
6843 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6844 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6846 { &hf_netlogon_auth_size,
6847 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6848 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6850 { &hf_netlogon_num_deltas,
6851 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6852 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6854 { &hf_netlogon_num_trusts,
6855 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
6856 NULL, 0x0, "", HFILL }},
6858 { &hf_netlogon_logon_attempts,
6859 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6860 NULL, 0x0, "Number of logon attempts", HFILL }},
6862 { &hf_netlogon_pagefilelimit,
6863 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6864 NULL, 0x0, "", HFILL }},
6866 { &hf_netlogon_pagedpoollimit,
6867 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6868 NULL, 0x0, "", HFILL }},
6870 { &hf_netlogon_nonpagedpoollimit,
6871 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6872 NULL, 0x0, "", HFILL }},
6874 { &hf_netlogon_minworkingsetsize,
6875 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6876 NULL, 0x0, "", HFILL }},
6878 { &hf_netlogon_maxworkingsetsize,
6879 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6880 NULL, 0x0, "", HFILL }},
6882 { &hf_netlogon_serial_number,
6883 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6884 NULL, 0x0, "", HFILL }},
6886 { &hf_netlogon_neg_flags,
6887 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6888 NULL, 0x0, "Negotiation Flags", HFILL }},
6890 { &hf_netlogon_dc_flags,
6891 { "Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
6892 NULL, 0x0, "Domain Controller Flags", HFILL }},
6894 { &hf_netlogon_dc_flags_pdc_flag,
6895 { "PDC", "netlogon.dc.flags.pdc",
6896 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag), DS_PDC_FLAG,
6897 "If this server is a PDC", HFILL }},
6899 { &hf_netlogon_dc_flags_gc_flag,
6900 { "GC", "netlogon.dc.flags.gc",
6901 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag), DS_GC_FLAG,
6902 "If this server is a GC", HFILL }},
6904 { &hf_netlogon_dc_flags_ldap_flag,
6905 { "LDAP", "netlogon.dc.flags.ldap",
6906 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag), DS_LDAP_FLAG,
6907 "If this is an LDAP server", HFILL }},
6909 { &hf_netlogon_dc_flags_ds_flag,
6910 { "DS", "netlogon.dc.flags.ds",
6911 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag), DS_DS_FLAG,
6912 "If this server is a DS", HFILL }},
6914 { &hf_netlogon_dc_flags_kdc_flag,
6915 { "KDC", "netlogon.dc.flags.kdc",
6916 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag), DS_KDC_FLAG,
6917 "If this is a KDC", HFILL }},
6919 { &hf_netlogon_dc_flags_timeserv_flag,
6920 { "Timeserv", "netlogon.dc.flags.timeserv",
6921 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag), DS_TIMESERV_FLAG,
6922 "If this server is a TimeServer", HFILL }},
6924 { &hf_netlogon_dc_flags_closest_flag,
6925 { "Closest", "netlogon.dc.flags.closest",
6926 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag), DS_CLOSEST_FLAG,
6927 "If this is the closest server", HFILL }},
6929 { &hf_netlogon_dc_flags_writable_flag,
6930 { "Writable", "netlogon.dc.flags.writable",
6931 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag), DS_WRITABLE_FLAG,
6932 "If this server can do updates to the database", HFILL }},
6934 { &hf_netlogon_dc_flags_good_timeserv_flag,
6935 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
6936 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag), DS_GOOD_TIMESERV_FLAG,
6937 "If this is a Good TimeServer", HFILL }},
6939 { &hf_netlogon_dc_flags_ndnc_flag,
6940 { "NDNC", "netlogon.dc.flags.ndnc",
6941 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag), DS_NDNC_FLAG,
6942 "If this is an NDNC server", HFILL }},
6944 { &hf_netlogon_dc_flags_dns_controller_flag,
6945 { "DNS Controller", "netlogon.dc.flags.dns_controller",
6946 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag), DS_DNS_CONTROLLER_FLAG,
6947 "If this server is a DNS Controller", HFILL }},
6949 { &hf_netlogon_dc_flags_dns_domain_flag,
6950 { "DNS Domain", "netlogon.dc.flags.dns_domain",
6951 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag), DS_DNS_DOMAIN_FLAG,
6954 { &hf_netlogon_dc_flags_dns_forest_flag,
6955 { "DNS Forest", "netlogon.dc.flags.dns_forest",
6956 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag), DS_DNS_FOREST_FLAG,
6959 { &hf_netlogon_get_dcname_request_flags,
6960 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
6961 NULL, 0x0, "Flags for DSGetDCName request", HFILL }},
6963 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
6964 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
6965 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery), DS_FORCE_REDISCOVERY,
6966 "Whether to allow the server to returned cached information or not", HFILL }},
6968 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
6969 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
6970 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required), DS_DIRECTORY_SERVICE_REQUIRED,
6971 "Whether we require that the returned DC supports w2k or not", HFILL }},
6973 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
6974 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
6975 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred), DS_DIRECTORY_SERVICE_PREFERRED,
6976 "Whether we prefer the call to return a w2k server (if available)", HFILL }},
6978 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
6979 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
6980 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required), DS_GC_SERVER_REQUIRED,
6981 "Whether we require that the returned DC is a Global Catalog server", HFILL }},
6983 { &hf_netlogon_get_dcname_request_flags_pdc_required,
6984 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
6985 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required), DS_PDC_REQUIRED,
6986 "Whether we require the returned DC to be the PDC", HFILL }},
6988 { &hf_netlogon_get_dcname_request_flags_background_only,
6989 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
6990 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only), DS_BACKGROUND_ONLY,
6991 "If we want cached data, even if it may have expired", HFILL }},
6993 { &hf_netlogon_get_dcname_request_flags_ip_required,
6994 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
6995 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required), DS_IP_REQUIRED,
6996 "If we requre the IP of the DC in the reply", HFILL }},
6998 { &hf_netlogon_get_dcname_request_flags_kdc_required,
6999 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
7000 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required), DS_KDC_REQUIRED,
7001 "If we require that the returned server is a KDC", HFILL }},
7003 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
7004 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
7005 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required), DS_TIMESERV_REQUIRED,
7006 "If we require the retruned server to be a NTP serveruns WindowsTimeServicer", HFILL }},
7008 { &hf_netlogon_get_dcname_request_flags_writable_required,
7009 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
7010 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required), DS_WRITABLE_REQUIRED,
7011 "If we require that the return server is writable", HFILL }},
7013 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
7014 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
7015 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred), DS_GOOD_TIMESERV_PREFERRED,
7016 "If we prefer Windows Time Servers", HFILL }},
7018 { &hf_netlogon_get_dcname_request_flags_avoid_self,
7019 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
7020 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self), DS_AVOID_SELF,
7021 "Return another DC than the one we ask", HFILL }},
7023 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
7024 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
7025 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed), DS_ONLY_LDAP_NEEDED,
7026 "We just want an LDAP server, it does not have to be a DC", HFILL }},
7028 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
7029 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
7030 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name), DS_IS_FLAT_NAME,
7031 "If the specified domain name is a NetBIOS name", HFILL }},
7033 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
7034 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
7035 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name), DS_IS_DNS_NAME,
7036 "If the specified domain name is a DNS name", HFILL }},
7038 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
7039 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
7040 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name), DS_RETURN_DNS_NAME,
7041 "Only return a DNS name (or an error)", HFILL }},
7043 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
7044 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
7045 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name), DS_RETURN_FLAT_NAME,
7046 "Only return a NetBIOS name (or an error)", HFILL }},
7048 { &hf_netlogon_trust_attribs,
7049 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
7050 NULL, 0x0, "Trust Attributes", HFILL }},
7052 { &hf_netlogon_trust_type,
7053 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
7054 VALS(trust_type_vals), 0x0, "Trust Type", HFILL }},
7056 { &hf_netlogon_trust_flags,
7057 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
7058 NULL, 0x0, "Trust Flags", HFILL }},
7060 { &hf_netlogon_trust_flags_inbound,
7061 { "Inbound Trust", "netlogon.trust.flags.inbound",
7062 FT_BOOLEAN, 32, TFS(&trust_inbound), DS_DOMAIN_DIRECT_INBOUND,
7063 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL }},
7065 { &hf_netlogon_trust_flags_outbound,
7066 { "Outbound Trust", "netlogon.trust.flags.outbound",
7067 FT_BOOLEAN, 32, TFS(&trust_outbound), DS_DOMAIN_DIRECT_OUTBOUND,
7068 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL }},
7070 { &hf_netlogon_trust_flags_in_forest,
7071 { "In Forest", "netlogon.trust.flags.in_forest",
7072 FT_BOOLEAN, 32, TFS(&trust_in_forest), DS_DOMAIN_IN_FOREST,
7073 "Whether this domain is a member of the same forest as the servers domain", HFILL }},
7075 { &hf_netlogon_trust_flags_native_mode,
7076 { "Native Mode", "netlogon.trust.flags.native_mode",
7077 FT_BOOLEAN, 32, TFS(&trust_native_mode), DS_DOMAIN_NATIVE_MODE,
7078 "Whether the domain is a w2k native mode domain or not", HFILL }},
7080 { &hf_netlogon_trust_flags_primary,
7081 { "Primary", "netlogon.trust.flags.primary",
7082 FT_BOOLEAN, 32, TFS(&trust_primary), DS_DOMAIN_PRIMARY,
7083 "Whether the domain is the primary domain for the queried server or not", HFILL }},
7085 { &hf_netlogon_trust_flags_tree_root,
7086 { "Tree Root", "netlogon.trust.flags.tree_root",
7087 FT_BOOLEAN, 32, TFS(&trust_tree_root), DS_DOMAIN_TREE_ROOT,
7088 "Whether the domain is the root of the tree for the queried server", HFILL }},
7090 { &hf_netlogon_trust_parent_index,
7091 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
7092 NULL, 0x0, "Parent Index", HFILL }},
7094 { &hf_netlogon_logon_time,
7095 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
7096 NULL, 0, "Time for last time this user logged on", HFILL }},
7098 { &hf_netlogon_kickoff_time,
7099 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7100 NULL, 0, "Time when this user will be kicked off", HFILL }},
7102 { &hf_netlogon_logoff_time,
7103 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
7104 NULL, 0, "Time for last time this user logged off", HFILL }},
7106 { &hf_netlogon_pwd_last_set_time,
7107 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7108 NULL, 0, "Last time this users password was changed", HFILL }},
7110 { &hf_netlogon_pwd_can_change_time,
7111 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7112 NULL, 0, "When this users password may be changed", HFILL }},
7114 { &hf_netlogon_pwd_must_change_time,
7115 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
7116 NULL, 0, "When this users password must be changed", HFILL }},
7118 { &hf_netlogon_domain_create_time,
7119 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7120 NULL, 0, "Time when this domain was created", HFILL }},
7122 { &hf_netlogon_domain_modify_time,
7123 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7124 NULL, 0, "Time when this domain was last modified", HFILL }},
7126 { &hf_netlogon_db_modify_time,
7127 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
7128 NULL, 0, "Time when last modified", HFILL }},
7130 { &hf_netlogon_db_create_time,
7131 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
7132 NULL, 0, "Time when created", HFILL }},
7134 { &hf_netlogon_cipher_current_set_time,
7135 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7136 NULL, 0, "Time when current cipher was initiated", HFILL }},
7138 { &hf_netlogon_cipher_old_set_time,
7139 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
7140 NULL, 0, "Time when previous cipher was initiated", HFILL }},
7142 { &hf_netlogon_audit_retention_period,
7143 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
7144 NULL, 0, "Audit retention period", HFILL }},
7146 { &hf_netlogon_guid,
7147 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
7148 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
7150 { &hf_netlogon_timelimit,
7151 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
7152 NULL, 0, "", HFILL }},
7154 /* Secure channel dissection */
7156 { &hf_netlogon_secchan_bind_unknown1,
7157 { "Unknown1", "netlogon.secchan.bind.unknown1", FT_UINT32, BASE_HEX,
7158 NULL, 0x0, "", HFILL }},
7160 { &hf_netlogon_secchan_bind_unknown2,
7161 { "Unknown2", "netlogon.secchan.bind.unknown2", FT_UINT32, BASE_HEX,
7162 NULL, 0x0, "", HFILL }},
7164 { &hf_netlogon_secchan_domain,
7165 { "Domain", "netlogon.secchan.domain", FT_STRING, BASE_NONE,
7166 NULL, 0, "", HFILL }},
7168 { &hf_netlogon_secchan_host,
7169 { "Host", "netlogon.secchan.host", FT_STRING, BASE_NONE,
7170 NULL, 0, "", HFILL }},
7172 { &hf_netlogon_secchan_bind_ack_unknown1,
7173 { "Unknown1", "netlogon.secchan.bind_ack.unknown1", FT_UINT32,
7174 BASE_HEX, NULL, 0x0, "", HFILL }},
7176 { &hf_netlogon_secchan_bind_ack_unknown2,
7177 { "Unknown2", "netlogon.secchan.bind_ack.unknown2", FT_UINT32,
7178 BASE_HEX, NULL, 0x0, "", HFILL }},
7180 { &hf_netlogon_secchan_bind_ack_unknown3,
7181 { "Unknown3", "netlogon.secchan.bind_ack.unknown3", FT_UINT32,
7182 BASE_HEX, NULL, 0x0, "", HFILL }},
7184 { &hf_netlogon_secchan_verf,
7185 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
7186 NULL, 0x0, "Verifier", HFILL }},
7188 { &hf_netlogon_secchan_verf_sig,
7189 { "Signature", "netlogon.secchan.sig", FT_BYTES, BASE_HEX, NULL,
7190 0x0, "Signature", HFILL }},
7192 { &hf_netlogon_secchan_verf_unk,
7193 { "Unknown", "netlogon.secchan.unk", FT_BYTES, BASE_HEX, NULL,
7194 0x0, "Unknown", HFILL }},
7196 { &hf_netlogon_secchan_verf_seq,
7197 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_HEX, NULL,
7198 0x0, "Sequence No", HFILL }},
7200 { &hf_netlogon_secchan_verf_nonce,
7201 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_HEX, NULL,
7202 0x0, "Nonce", HFILL }},
7205 static gint *ett[] = {
7206 &ett_dcerpc_netlogon,
7212 &ett_DOMAIN_CONTROLLER_INFO,
7213 &ett_UNICODE_STRING_512,
7216 &ett_DELTA_ID_UNION,
7219 &ett_LM_OWF_PASSWORD,
7220 &ett_NT_OWF_PASSWORD,
7221 &ett_GROUP_MEMBERSHIP,
7222 &ett_DS_DOMAIN_TRUSTS,
7224 &ett_DOMAIN_TRUST_INFO,
7226 &ett_get_dcname_request_flags,
7228 &ett_secchan_bind_creds,
7229 &ett_secchan_bind_ack_creds,
7233 proto_dcerpc_netlogon = proto_register_protocol(
7234 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
7236 proto_register_field_array(proto_dcerpc_netlogon, hf,
7238 proto_register_subtree_array(ett, array_length(ett));
7241 static dcerpc_auth_subdissector_fns secchan_auth_fns = {
7242 dissect_secchan_bind_creds, /* Bind */
7243 dissect_secchan_bind_ack_creds, /* Bind ACK */
7245 dissect_secchan_verf, /* Request verifier */
7246 dissect_secchan_verf, /* Response verifier */
7247 NULL, /* Request data */
7248 NULL /* Response data */
7252 proto_reg_handoff_dcerpc_netlogon(void)
7254 /* Register protocol as dcerpc */
7256 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
7257 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
7258 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
7260 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY,
7261 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,
7263 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY,
7264 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN,