1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \\PIPE\\NETLOGON packet disassembly
3 * Copyright 2001, Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.41 2002/07/08 12:53:28 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
/* Protocol id and header-field ids for the NETLOGON dissector. Each is
 * initialised to -1 here; presumably the real values are assigned when the
 * fields are registered, which is outside this listing. */
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_rc = -1;
43 static int hf_netlogon_len = -1;
44 static int hf_netlogon_sensitive_data_flag = -1;
45 static int hf_netlogon_sensitive_data_len = -1;
46 static int hf_netlogon_sensitive_data = -1;
47 static int hf_netlogon_security_information = -1;
48 static int hf_netlogon_dummy = -1;
49 static int hf_netlogon_minworkingsetsize = -1;
50 static int hf_netlogon_maxworkingsetsize = -1;
51 static int hf_netlogon_pagedpoollimit = -1;
52 static int hf_netlogon_pagefilelimit = -1;
53 static int hf_netlogon_timelimit = -1;
54 static int hf_netlogon_nonpagedpoollimit = -1;
55 static int hf_netlogon_pac_size = -1;
56 static int hf_netlogon_pac_data = -1;
57 static int hf_netlogon_auth_size = -1;
58 static int hf_netlogon_auth_data = -1;
59 static int hf_netlogon_cipher_len = -1;
60 static int hf_netlogon_cipher_maxlen = -1;
61 static int hf_netlogon_cipher_current_data = -1;
62 static int hf_netlogon_cipher_current_set_time = -1;
63 static int hf_netlogon_cipher_old_data = -1;
64 static int hf_netlogon_cipher_old_set_time = -1;
65 static int hf_netlogon_priv = -1;
66 static int hf_netlogon_privilege_entries = -1;
67 static int hf_netlogon_privilege_control = -1;
68 static int hf_netlogon_privilege_name = -1;
69 static int hf_netlogon_systemflags = -1;
70 static int hf_netlogon_status = -1;
71 static int hf_netlogon_attrs = -1;
72 static int hf_netlogon_count = -1;
73 static int hf_netlogon_minpasswdlen = -1;
74 static int hf_netlogon_passwdhistorylen = -1;
75 static int hf_netlogon_level16 = -1;
76 static int hf_netlogon_validation_level = -1;
77 static int hf_netlogon_level = -1;
78 static int hf_netlogon_challenge = -1;
79 static int hf_netlogon_reserved = -1;
80 static int hf_netlogon_audit_retention_period = -1;
81 static int hf_netlogon_auditing_mode = -1;
82 static int hf_netlogon_max_audit_event_count = -1;
83 static int hf_netlogon_event_audit_option = -1;
84 static int hf_netlogon_unknown_time = -1;
85 static int hf_netlogon_unknown_string = -1;
86 static int hf_netlogon_unknown_long = -1;
87 static int hf_netlogon_unknown_short = -1;
88 static int hf_netlogon_unknown_char = -1;
89 static int hf_netlogon_logon_time = -1;
90 static int hf_netlogon_logoff_time = -1;
91 static int hf_netlogon_kickoff_time = -1;
92 static int hf_netlogon_pwd_last_set_time = -1;
93 static int hf_netlogon_pwd_can_change_time = -1;
94 static int hf_netlogon_pwd_must_change_time = -1;
95 static int hf_netlogon_timestamp = -1;
96 static int hf_netlogon_nt_chal_resp = -1;
97 static int hf_netlogon_lm_chal_resp = -1;
98 static int hf_netlogon_credential = -1;
99 static int hf_netlogon_acct_name = -1;
100 static int hf_netlogon_acct_desc = -1;
101 static int hf_netlogon_group_desc = -1;
102 static int hf_netlogon_full_name = -1;
103 static int hf_netlogon_comment = -1;
104 static int hf_netlogon_parameters = -1;
105 static int hf_netlogon_logon_script = -1;
106 static int hf_netlogon_profile_path = -1;
107 static int hf_netlogon_home_dir = -1;
108 static int hf_netlogon_dir_drive = -1;
109 static int hf_netlogon_last_logon = -1;
110 static int hf_netlogon_last_logoff = -1;
111 static int hf_netlogon_logon_count = -1;
112 static int hf_netlogon_logon_count16 = -1;
113 static int hf_netlogon_bad_pw_count = -1;
114 static int hf_netlogon_bad_pw_count16 = -1;
115 static int hf_netlogon_user_rid = -1;
116 static int hf_netlogon_alias_rid = -1;
117 static int hf_netlogon_group_rid = -1;
118 static int hf_netlogon_logon_srv = -1;
119 static int hf_netlogon_principal = -1;
120 static int hf_netlogon_logon_dom = -1;
121 static int hf_netlogon_domain_name = -1;
122 static int hf_netlogon_domain_create_time = -1;
123 static int hf_netlogon_domain_modify_time = -1;
124 static int hf_netlogon_modify_count = -1;
125 static int hf_netlogon_db_modify_time = -1;
126 static int hf_netlogon_db_create_time = -1;
127 static int hf_netlogon_oem_info = -1;
128 static int hf_netlogon_trusted_domain_name = -1;
129 static int hf_netlogon_num_rids = -1;
130 static int hf_netlogon_num_controllers = -1;
131 static int hf_netlogon_num_other_groups = -1;
132 static int hf_netlogon_computer_name = -1;
133 static int hf_netlogon_site_name = -1;
134 static int hf_netlogon_trusted_dc_name = -1;
135 static int hf_netlogon_dc_name = -1;
136 static int hf_netlogon_dc_site_name = -1;
137 static int hf_netlogon_dns_forest_name = -1;
138 static int hf_netlogon_dc_address = -1;
139 static int hf_netlogon_dc_address_type = -1;
140 static int hf_netlogon_client_name = -1;
141 static int hf_netlogon_client_site_name = -1;
142 static int hf_netlogon_workstation = -1;
143 static int hf_netlogon_workstation_site_name = -1;
144 static int hf_netlogon_workstation_os = -1;
145 static int hf_netlogon_workstations = -1;
146 static int hf_netlogon_workstation_fqdn = -1;
147 static int hf_netlogon_group_name = -1;
148 static int hf_netlogon_alias_name = -1;
149 static int hf_netlogon_country = -1;
150 static int hf_netlogon_codepage = -1;
151 static int hf_netlogon_flags = -1;
152 static int hf_netlogon_user_flags = -1;
153 static int hf_netlogon_auth_flags = -1;
154 static int hf_netlogon_pwd_expired = -1;
155 static int hf_netlogon_nt_pwd_present = -1;
156 static int hf_netlogon_lm_pwd_present = -1;
157 static int hf_netlogon_code = -1;
158 static int hf_netlogon_database_id = -1;
159 static int hf_netlogon_sync_context = -1;
160 static int hf_netlogon_max_size = -1;
161 static int hf_netlogon_max_log_size = -1;
162 static int hf_netlogon_dns_host = -1;
163 static int hf_netlogon_num_pwd_pairs = -1;
164 static int hf_netlogon_acct_expiry_time = -1;
/* Field ids for password-hash and session-key values. The dissectors that use
 * them in this file add the raw bytes to the protocol tree with no masking,
 * so capture files and exported dissections that contain these fields should
 * be handled as credential material. */
165 static int hf_netlogon_encrypted_lm_owf_password = -1;
166 static int hf_netlogon_lm_owf_password = -1;
167 static int hf_netlogon_nt_owf_password = -1;
168 static int hf_netlogon_param_ctrl = -1;
169 static int hf_netlogon_logon_id = -1;
170 static int hf_netlogon_num_deltas = -1;
171 static int hf_netlogon_user_session_key = -1;
172 static int hf_netlogon_blob_size = -1;
173 static int hf_netlogon_blob = -1;
174 static int hf_netlogon_logon_attempts = -1;
175 static int hf_netlogon_authoritative = -1;
176 static int hf_netlogon_secure_channel_type = -1;
177 static int hf_netlogon_logonsrv_handle = -1;
178 static int hf_netlogon_delta_type = -1;
180 static gint ett_dcerpc_netlogon = -1;
181 static gint ett_QUOTA_LIMITS = -1;
182 static gint ett_IDENTITY_INFO = -1;
183 static gint ett_DELTA_ENUM = -1;
184 static gint ett_CYPHER_VALUE = -1;
185 static gint ett_TYPE_36 = -1;
186 static gint ett_NETLOGON_INFO_1 = -1;
187 static gint ett_NETLOGON_INFO_2 = -1;
188 static gint ett_NETLOGON_INFO_3 = -1;
189 static gint ett_NETLOGON_INFO_4 = -1;
190 static gint ett_UNICODE_MULTI = -1;
191 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
192 static gint ett_TYPE_46 = -1;
193 static gint ett_TYPE_48 = -1;
194 static gint ett_UNICODE_STRING_512 = -1;
195 static gint ett_TYPE_50 = -1;
196 static gint ett_TYPE_51 = -1;
197 static gint ett_TYPE_52 = -1;
198 static gint ett_DELTA_ID_UNION = -1;
199 static gint ett_NETLOGON_CONTROL_QUERY_INFO = -1;
200 static gint ett_TYPE_44 = -1;
201 static gint ett_DELTA_UNION = -1;
202 static gint ett_NETLOGON_INFO = -1;
203 static gint ett_TYPE_45 = -1;
204 static gint ett_TYPE_47 = -1;
205 static gint ett_GUID = -1;
206 static gint ett_LM_OWF_PASSWORD = -1;
207 static gint ett_NT_OWF_PASSWORD = -1;
208 static gint ett_GROUP_MEMBERSHIP = -1;
209 static gint ett_BLOB = -1;
/* DCE/RPC interface UUID 12345678-1234-abcd-ef00-01234567cffb and interface
 * version 1. Presumably these identify NETLOGON traffic when the dissector is
 * registered; the registration call is not visible in this listing. */
211 static e_uuid_t uuid_dcerpc_netlogon = {
212 0x12345678, 0x1234, 0xabcd,
213 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
216 static guint16 ver_dcerpc_netlogon = 1;
221 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
222 packet_info *pinfo, proto_tree *tree,
/* Dissects the server-handle argument: a unique NDR pointer whose referent is
 * handed to dissect_ndr_nt_UNICODE_STRING_str and labelled "Server Handle"
 * under hf_netlogon_logonsrv_handle. The rest of the signature and the return
 * statement are not visible in this listing; callers assign the result to
 * offset, so it presumably returns the updated offset. */
225 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
226 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
227 "Server Handle", hf_netlogon_logonsrv_handle, 0);
233 * IDL typedef struct {
234 * IDL [unique][string] wchar_t *effective_name;
236 * IDL long auth_flags;
237 * IDL long logon_count;
238 * IDL long bad_pw_count;
239 * IDL long last_logon;
240 * IDL long last_logoff;
241 * IDL long logoff_time;
242 * IDL long kickoff_time;
243 * IDL long password_age;
244 * IDL long pw_can_change;
245 * IDL long pw_must_change;
246 * IDL [unique][string] wchar_t *computer;
247 * IDL [unique][string] wchar_t *domain;
248 * IDL [unique][string] wchar_t *script_path;
252 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
253 packet_info *pinfo, proto_tree *tree,
/* Dissects a VALIDATION_UAS_INFO structure field by field, in the order the
 * calls appear below: account name pointer, four 32-bit counters/flags, seven
 * undecoded time fields, three string pointers and a final 32-bit value shown
 * as hf_netlogon_reserved. */
/* di is the per-call DCE/RPC state taken from pinfo->private_data. When
 * conformant_run is set nothing is dissected; the statement that leaves the
 * function is not visible in this listing. */
258 di=pinfo->private_data;
259 if(di->conformant_run){
260 /*just a run to handle conformant arrays, nothing to dissect */
264 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
265 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
266 "Effective Account", hf_netlogon_acct_name, 0);
268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
269 hf_netlogon_priv, NULL);
271 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
272 hf_netlogon_auth_flags, NULL);
274 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
275 hf_netlogon_logon_count, NULL);
277 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
278 hf_netlogon_bad_pw_count, NULL);
/* The seven time fields are not decoded: each is only labelled as an unknown
 * time format over 4 bytes. The statements that advance offset past each
 * field are not visible in this listing. */
280 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
283 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
286 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
289 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
292 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
295 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
298 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
302 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
303 "Computer", hf_netlogon_computer_name, 0);
305 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
306 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
307 "Domain", hf_netlogon_domain_name, 0);
309 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
310 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
311 "Script", hf_netlogon_logon_script, 0);
313 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
314 hf_netlogon_reserved, NULL);
320 * IDL long NetLogonUasLogon(
321 * IDL [in][unique][string] wchar_t *ServerName,
322 * IDL [in][ref][string] wchar_t *UserName,
323 * IDL [in][ref][string] wchar_t *Workstation,
324 * IDL [out][unique] VALIDATION_UAS_INFO *info
328 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
329 packet_info *pinfo, proto_tree *tree, char *drep)
/* Dissects the NetLogonUasLogon request: the server handle, then the account
 * name and the workstation name, both as reference pointers to Unicode
 * strings. The tail of the handle call and the return statement are not
 * visible in this listing. */
331 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
334 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
335 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
336 "Account", hf_netlogon_acct_name, 0);
338 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
339 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
340 "Workstation", hf_netlogon_workstation, 0);
347 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
348 packet_info *pinfo, proto_tree *tree, char *drep)
/* Dissects the NetLogonUasLogon reply: a unique pointer to
 * VALIDATION_UAS_INFO followed by the NT status shown as hf_netlogon_rc. */
350 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
351 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
352 "VALIDATION_UAS_INFO", -1, 0);
354 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
355 hf_netlogon_rc, NULL);
361 * IDL typedef struct {
363 * IDL short logon_count;
364 * IDL } LOGOFF_UAS_INFO;
367 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
368 packet_info *pinfo, proto_tree *tree,
/* Dissects LOGOFF_UAS_INFO: an undecoded 4-byte duration followed by a 16-bit
 * logon count. Nothing is dissected during a conformant run. The statement
 * that advances offset past the duration is not visible in this listing. */
373 di=pinfo->private_data;
374 if(di->conformant_run){
375 /*just a run to handle conformant arrays, nothing to dissect */
379 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
382 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
383 hf_netlogon_logon_count16, NULL);
389 * IDL long NetLogonUasLogoff(
390 * IDL [in][unique][string] wchar_t *ServerName,
391 * IDL [in][ref][string] wchar_t *UserName,
392 * IDL [in][ref][string] wchar_t *Workstation,
393 * IDL [out][ref] LOGOFF_UAS_INFO *info
397 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
398 packet_info *pinfo, proto_tree *tree, char *drep)
/* Dissects the NetLogonUasLogoff request: the server handle, then the account
 * name and the workstation name as reference pointers to Unicode strings.
 * Same field sequence as the NetLogonUasLogon request in this file. */
400 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
403 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
404 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
405 "Account", hf_netlogon_acct_name, 0);
407 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
408 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
409 "Workstation", hf_netlogon_workstation, 0);
416 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
417 packet_info *pinfo, proto_tree *tree, char *drep)
/* Dissects the NetLogonUasLogoff reply: a reference pointer to
 * LOGOFF_UAS_INFO followed by the NT status shown as hf_netlogon_rc. */
419 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
420 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
421 "LOGOFF_UAS_INFO", -1, 0);
423 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
424 hf_netlogon_rc, NULL);
433 * IDL typedef struct {
434 * IDL UNICODESTRING LogonDomainName;
435 * IDL long ParameterControl;
436 * IDL uint64 LogonID;
437 * IDL UNICODESTRING UserName;
438 * IDL UNICODESTRING Workstation;
439 * IDL } LOGON_IDENTITY_INFO;
442 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
443 packet_info *pinfo, proto_tree *parent_tree,
/* Dissects LOGON_IDENTITY_INFO into its own subtree (ett_IDENTITY_INFO):
 * logon domain, parameter control, 64-bit logon id, account name and
 * workstation. The subtree item is created with length 0 and resized at the
 * end to the number of bytes consumed (offset-old_offset). The label passed
 * to proto_tree_add_text is not visible in this listing. */
446 proto_item *item=NULL;
447 proto_tree *tree=NULL;
448 int old_offset=offset;
451 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
453 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
456 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
457 hf_netlogon_logon_dom, 0);
459 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
460 hf_netlogon_param_ctrl, NULL);
462 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
463 hf_netlogon_logon_id, NULL);
465 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
466 hf_netlogon_acct_name, 0);
468 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
469 hf_netlogon_workstation, 0);
/* NOTE(review): the comments below say the 8-unknown-bytes call is disabled,
 * but the lines that would disable it are not visible in this listing;
 * confirm against the full file before relying on the field layout. */
472 /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
473 /* XXX 8 extra bytes here */
474 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
475 the idl file. Could be a bug in either the NETLOGON implementation or in the
478 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
481 proto_item_set_len(item, offset-old_offset);
487 * IDL typedef struct {
488 * IDL char password[16];
489 * IDL } LM_OWF_PASSWORD;
492 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
493 packet_info *pinfo, proto_tree *parent_tree,
/* Dissects the fixed 16-byte LM_OWF_PASSWORD structure into its own subtree
 * (ett_LM_OWF_PASSWORD). Nothing is dissected during a conformant run. The
 * subtree label, the last argument of proto_tree_add_item and the offset
 * advance are not visible in this listing. */
496 proto_item *item=NULL;
497 proto_tree *tree=NULL;
500 di=pinfo->private_data;
501 if(di->conformant_run){
502 /*just a run to handle conformant arrays, nothing to dissect.*/
507 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
509 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
/* The 16 bytes are added to the tree as they appear in the packet, with no
 * masking. NOTE(review): treat captures and exported dissections containing
 * this field as credential material; whether the bytes are further protected
 * on the wire cannot be determined from this code. */
512 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
520 * IDL typedef struct {
521 * IDL char password[16];
522 * IDL } NT_OWF_PASSWORD;
525 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
526 packet_info *pinfo, proto_tree *parent_tree,
/* Dissects the fixed 16-byte NT_OWF_PASSWORD structure into its own subtree
 * (ett_NT_OWF_PASSWORD). Nothing is dissected during a conformant run. The
 * subtree label, the last argument of proto_tree_add_item and the offset
 * advance are not visible in this listing. */
529 proto_item *item=NULL;
530 proto_tree *tree=NULL;
533 di=pinfo->private_data;
534 if(di->conformant_run){
535 /*just a run to handle conformant arrays, nothing to dissect.*/
540 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
542 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
/* The 16 bytes are added to the tree as they appear in the packet, with no
 * masking. NOTE(review): treat captures and exported dissections containing
 * this field as credential material; whether the bytes are further protected
 * on the wire cannot be determined from this code. */
545 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
554 * IDL typedef struct {
555 * IDL LOGON_IDENTITY_INFO identity_info;
556 * IDL LM_OWF_PASSWORD lmpassword;
557 * IDL NT_OWF_PASSWORD ntpassword;
558 * IDL } INTERACTIVE_INFO;
561 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
562 packet_info *pinfo, proto_tree *tree,
/* Dissects INTERACTIVE_INFO by chaining three sub-dissectors in structure
 * order: identity info, LM OWF password, NT OWF password. The remaining
 * arguments of each call are not visible in this listing. */
565 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
568 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
571 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
578 * IDL typedef struct {
583 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
584 packet_info *pinfo, proto_tree *tree,
/* Adds the fixed 8-byte challenge to the tree under hf_netlogon_challenge.
 * Nothing is dissected during a conformant run. The last argument of
 * proto_tree_add_item and the offset advance are not visible here. */
589 di=pinfo->private_data;
590 if(di->conformant_run){
591 /*just a run to handle conformant arrays, nothing to dissect.*/
595 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
603 * IDL typedef struct {
604 * IDL LOGON_IDENTITY_INFO logon_info;
605 * IDL CHALLENGE chal;
606 * IDL STRING ntchallengeresponse;
607 * IDL STRING lmchallengeresponse;
608 * IDL } NETWORK_INFO;
611 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
612 packet_info *pinfo, proto_tree *tree,
/* Dissects NETWORK_INFO: identity info, the 8-byte challenge, then the NT and
 * LM challenge responses as counted STRING values.
 * NOTE(review): the challenge and both responses end up in the tree together;
 * that combination is sensitive authentication material, so captures holding
 * it should be protected accordingly. */
615 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
618 offset = netlogon_dissect_CHALLENGE(tvb, offset,
621 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
622 hf_netlogon_nt_chal_resp, 0);
624 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
625 hf_netlogon_lm_chal_resp, 0);
631 * IDL typedef struct {
632 * IDL LOGON_IDENTITY_INFO logon_info;
633 * IDL LM_OWF_PASSWORD lmpassword;
634 * IDL NT_OWF_PASSWORD ntpassword;
635 * IDL } SERVICE_INFO;
638 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
639 packet_info *pinfo, proto_tree *tree,
/* Dissects SERVICE_INFO with the same three sub-dissectors, in the same
 * order, as INTERACTIVE_INFO: identity info, LM OWF password, NT OWF
 * password. The remaining arguments of each call are not visible here. */
642 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
645 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
648 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
655 * IDL typedef [switch_type(short)] union {
656 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
657 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
658 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
662 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
663 packet_info *pinfo, proto_tree *tree,
/* Dissects the logon-level union: reads the 16-bit discriminant into level,
 * then a unique pointer to INTERACTIVE_INFO, NETWORK_INFO or SERVICE_INFO.
 * The statements that select between the three pointers are not visible in
 * this listing; the IDL comment for this union lists cases 1, 2 and 3.
 * NOTE(review): level comes from the packet; confirm that a value outside
 * those cases dissects no referent. */
668 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
669 hf_netlogon_level16, &level);
674 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
675 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
676 "INTERACTIVE_INFO:", -1, 0);
679 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
680 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
681 "NETWORK_INFO:", -1, 0);
684 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
685 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
686 "SERVICE_INFO:", -1, 0);
694 * IDL typedef struct {
699 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
700 packet_info *pinfo, proto_tree *tree,
/* Adds the fixed 8-byte credential to the tree under hf_netlogon_credential.
 * Nothing is dissected during a conformant run. The last argument of
 * proto_tree_add_item and the offset advance are not visible here. */
705 di=pinfo->private_data;
706 if(di->conformant_run){
707 /*just a run to handle conformant arrays, nothing to dissect.*/
711 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
720 * IDL typedef struct {
721 * IDL CREDENTIAL cred;
722 * IDL long timestamp;
723 * IDL } AUTHENTICATOR;
726 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
727 packet_info *pinfo, proto_tree *tree,
/* Dissects AUTHENTICATOR: the 8-byte credential followed by a 32-bit
 * timestamp. The remaining arguments of the credential call are not visible
 * in this listing. */
730 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
733 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
734 hf_netlogon_timestamp, NULL);
741 * IDL typedef struct {
743 * IDL long attributes;
744 * IDL } GROUP_MEMBERSHIP;
747 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
748 packet_info *pinfo, proto_tree *parent_tree,
/* Dissects one GROUP_MEMBERSHIP entry into a "GROUP_MEMBERSHIP:" subtree:
 * a 32-bit RID (shown as hf_netlogon_user_rid) followed by a 32-bit
 * attributes value. The subtree item is created with length 0; any later
 * resize is not visible in this listing. */
751 proto_item *item=NULL;
752 proto_tree *tree=NULL;
755 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
756 "GROUP_MEMBERSHIP:");
757 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
760 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
761 hf_netlogon_user_rid, NULL);
763 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
764 hf_netlogon_attrs, NULL);
770 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
771 packet_info *pinfo, proto_tree *tree,
/* Hands the array to dissect_ndr_ucarray with
 * netlogon_dissect_GROUP_MEMBERSHIP as the per-element callback. No element
 * count is read here; presumably the helper takes it from the packet.
 * NOTE(review): confirm the helper bounds that count against the remaining
 * captured data. */
774 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
775 netlogon_dissect_GROUP_MEMBERSHIP);
781 * IDL typedef struct {
782 * IDL char user_session_key[16];
783 * IDL } USER_SESSION_KEY;
786 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
787 packet_info *pinfo, proto_tree *tree,
/* Adds the fixed 16-byte user session key to the tree under
 * hf_netlogon_user_session_key, with no masking. Nothing is dissected during
 * a conformant run. The last argument of proto_tree_add_item and the offset
 * advance are not visible in this listing.
 * NOTE(review): captures containing this field hold key material and should
 * be stored and shared accordingly. */
792 di=pinfo->private_data;
793 if(di->conformant_run){
794 /*just a run to handle conformant arrays, nothing to dissect.*/
798 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
806 * IDL typedef struct {
807 * IDL uint64 LogonTime;
808 * IDL uint64 LogoffTime;
809 * IDL uint64 KickOffTime;
810 * IDL uint64 PasswdLastSet;
811 * IDL uint64 PasswdCanChange;
812 * IDL uint64 PasswdMustChange;
813 * IDL unicodestring effectivename;
814 * IDL unicodestring fullname;
815 * IDL unicodestring logonscript;
816 * IDL unicodestring profilepath;
817 * IDL unicodestring homedirectory;
818 * IDL unicodestring homedirectorydrive;
819 * IDL short LogonCount;
820 * IDL short BadPasswdCount;
822 * IDL long primarygroup;
823 * IDL long groupcount;
824 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
825 * IDL long userflags;
826 * IDL USER_SESSION_KEY key;
827 * IDL unicodestring logonserver;
828 * IDL unicodestring domainname;
829 * IDL [unique] SID logondomainid;
830 * IDL long expansionroom[10];
831 * IDL } VALIDATION_SAM_INFO;
834 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
835 packet_info *pinfo, proto_tree *tree,
/* Dissects VALIDATION_SAM_INFO in structure order: six NT timestamps, six
 * Unicode strings, two 16-bit counters, user and group RIDs, the group count
 * and a unique pointer to the GROUP_MEMBERSHIP array, user flags, the session
 * key, logon server and domain strings, the domain SID pointer and the
 * reserved words. */
840 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
841 hf_netlogon_logon_time);
843 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
844 hf_netlogon_logoff_time);
846 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
847 hf_netlogon_kickoff_time);
849 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
850 hf_netlogon_pwd_last_set_time);
852 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
853 hf_netlogon_pwd_can_change_time);
855 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
856 hf_netlogon_pwd_must_change_time);
858 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
859 hf_netlogon_acct_name, 0);
861 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
862 hf_netlogon_full_name, 0);
864 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
865 hf_netlogon_logon_script, 0);
867 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
868 hf_netlogon_profile_path, 0);
870 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
871 hf_netlogon_home_dir, 0);
873 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
874 hf_netlogon_dir_drive, 0);
876 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
877 hf_netlogon_logon_count16, NULL);
879 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
880 hf_netlogon_bad_pw_count16, NULL);
882 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
883 hf_netlogon_user_rid, NULL);
885 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
886 hf_netlogon_group_rid, NULL);
/* The group count is displayed but not captured (NULL out-parameter); the
 * array dissector behind the pointer below does not receive it from here. */
888 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
889 hf_netlogon_num_rids, NULL);
891 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
892 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
893 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
895 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
896 hf_netlogon_user_flags, NULL);
898 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
901 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
902 hf_netlogon_logon_srv, 0);
904 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
905 hf_netlogon_logon_dom, 0);
907 offset = dissect_ndr_nt_PSID(tvb, offset,
/* The IDL comment for this structure declares expansionroom[10]; only one
 * reserved-word call is visible here, so the repetition is presumably done
 * by a loop on lines missing from this listing. */
911 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
912 hf_netlogon_reserved, NULL);
921 * IDL typedef struct {
922 * IDL uint64 LogonTime;
923 * IDL uint64 LogoffTime;
924 * IDL uint64 KickOffTime;
925 * IDL uint64 PasswdLastSet;
926 * IDL uint64 PasswdCanChange;
927 * IDL uint64 PasswdMustChange;
928 * IDL unicodestring effectivename;
929 * IDL unicodestring fullname;
930 * IDL unicodestring logonscript;
931 * IDL unicodestring profilepath;
932 * IDL unicodestring homedirectory;
933 * IDL unicodestring homedirectorydrive;
934 * IDL short LogonCount;
935 * IDL short BadPasswdCount;
937 * IDL long primarygroup;
938 * IDL long groupcount;
939 * IDL [unique] GROUP_MEMBERSHIP *groupids;
940 * IDL long userflags;
941 * IDL USER_SESSION_KEY key;
942 * IDL unicodestring logonserver;
943 * IDL unicodestring domainname;
944 * IDL [unique] SID logondomainid;
945 * IDL long expansionroom[10];
947 * IDL [unique] SID_AND_ATTRIBS;
948 * IDL } VALIDATION_SAM_INFO2;
951 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
952 packet_info *pinfo, proto_tree *tree,
/* Dissects VALIDATION_SAM_INFO2. The calls match VALIDATION_SAM_INFO in this
 * file up to the domain SID pointer; after that this version shows the
 * expansion words as hf_netlogon_unknown_long and adds a count of other
 * groups plus a unique pointer to a SID_AND_ATTRIBUTES array. */
957 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
958 hf_netlogon_logon_time);
960 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
961 hf_netlogon_logoff_time);
963 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
964 hf_netlogon_kickoff_time);
966 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
967 hf_netlogon_pwd_last_set_time);
969 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
970 hf_netlogon_pwd_can_change_time);
972 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
973 hf_netlogon_pwd_must_change_time);
975 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
976 hf_netlogon_acct_name, 0);
978 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
979 hf_netlogon_full_name, 0);
981 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
982 hf_netlogon_logon_script, 0);
984 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
985 hf_netlogon_profile_path, 0);
987 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
988 hf_netlogon_home_dir, 0);
990 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
991 hf_netlogon_dir_drive, 0);
993 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
994 hf_netlogon_logon_count16, NULL);
996 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
997 hf_netlogon_bad_pw_count16, NULL);
999 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1000 hf_netlogon_user_rid, NULL);
1002 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1003 hf_netlogon_group_rid, NULL);
1005 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1006 hf_netlogon_num_rids, NULL);
1008 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1009 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1010 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
1012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1013 hf_netlogon_user_flags, NULL);
1015 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1018 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1019 hf_netlogon_logon_srv, 0);
1021 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1022 hf_netlogon_logon_dom, 0);
1024 offset = dissect_ndr_nt_PSID(tvb, offset,
/* The IDL comment for this structure declares expansionroom[10]; only one
 * call is visible here, so the repetition is presumably done by a loop on
 * lines missing from this listing. */
1028 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1029 hf_netlogon_unknown_long, NULL);
/* The other-groups count is displayed but not captured (NULL out-parameter);
 * the array dissector behind the pointer below does not receive it from
 * here. */
1032 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1033 hf_netlogon_num_other_groups, NULL);
1035 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1036 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1037 "SID_AND_ATTRIBUTES_ARRAY:", -1, 0);
1045 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1046 packet_info *pinfo, proto_tree *tree,
/* Dissects the PAC blob behind the pointer in VALIDATION_PAC_INFO: a 32-bit
 * size read from the packet, then that many bytes added as
 * hf_netlogon_pac_data. Nothing is dissected during a conformant run. The
 * declaration of pac_size, the last argument of proto_tree_add_item and the
 * offset advance are not visible in this listing. */
1052 di=pinfo->private_data;
1053 if(di->conformant_run){
1054 /*just a run to handle conformant arrays, nothing to dissect */
1058 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1059 hf_netlogon_pac_size, &pac_size);
/* NOTE(review): pac_size is taken from the packet and used as the item
 * length with no range check visible here. Confirm that the tvbuff layer
 * rejects a length beyond the captured data (including when tree is NULL)
 * and that adding pac_size to the int offset cannot wrap. */
1061 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
1069 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1070 packet_info *pinfo, proto_tree *tree,
/* Dissects the auth blob behind the pointer in VALIDATION_PAC_INFO: a 32-bit
 * size read from the packet, then that many bytes added as
 * hf_netlogon_auth_data, after which offset is advanced by the same size.
 * Nothing is dissected during a conformant run. The declaration of auth_size
 * and the last argument of proto_tree_add_item are not visible here. */
1076 di=pinfo->private_data;
1077 if(di->conformant_run){
1078 /*just a run to handle conformant arrays, nothing to dissect */
1082 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1083 hf_netlogon_auth_size, &auth_size);
/* NOTE(review): auth_size is taken from the packet and used unchecked, both
 * as the item length and in the offset addition below. offset is an int, so
 * a large value could wrap it negative. Confirm that the tvbuff layer
 * rejects an over-long item before the addition is reached, including when
 * tree is NULL; otherwise bound auth_size against the remaining data first. */
1085 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1087 offset += auth_size;
1094 * IDL typedef struct {
1096 * IDL [unique][size_is(pac_size)] char *pac;
1097 * IDL UNICODESTRING logondomain;
1098 * IDL UNICODESTRING logonserver;
1099 * IDL UNICODESTRING principalname;
1100 * IDL long auth_size;
1101 * IDL [unique][size_is(auth_size)] char *auth;
1102 * IDL USER_SESSION_KEY user_session_key;
1103 * IDL long expansionroom[10];
1104 * IDL UNICODESTRING dummy1;
1105 * IDL UNICODESTRING dummy2;
1106 * IDL UNICODESTRING dummy3;
1107 * IDL UNICODESTRING dummy4;
1108 * IDL } VALIDATION_PAC_INFO;
1111 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1112 packet_info *pinfo, proto_tree *tree,
/* Dissects VALIDATION_PAC_INFO: PAC size and pointer, three Unicode strings
 * (logon domain, logon server, principal), auth size and pointer, the user
 * session key, the expansion words and four dummy strings. The labels passed
 * with the PAC and auth pointers are not visible in this listing. */
/* The size fields in the structure are displayed only (NULL out-parameter);
 * netlogon_dissect_PAC and netlogon_dissect_AUTH each read their own size
 * from the referent and use that as the blob length. */
1117 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1118 hf_netlogon_pac_size, NULL);
1120 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1121 netlogon_dissect_PAC, NDR_POINTER_UNIQUE,
1124 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1125 hf_netlogon_logon_dom, 0);
1127 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1128 hf_netlogon_logon_srv, 0);
1130 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1131 hf_netlogon_principal, 0);
1133 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1134 hf_netlogon_auth_size, NULL);
1136 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1137 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE,
1140 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
/* The IDL comment for this structure declares expansionroom[10]; only one
 * call is visible here, so the repetition is presumably done by a loop on
 * lines missing from this listing. */
1144 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1145 hf_netlogon_unknown_long, NULL);
1148 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1149 hf_netlogon_dummy, 0);
1151 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1152 hf_netlogon_dummy, 0);
1154 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1155 hf_netlogon_dummy, 0);
1157 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1158 hf_netlogon_dummy, 0);
1165 * IDL typedef [switch_type(short)] union {
1166 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1167 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1168 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1169 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
1173 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1174 packet_info *pinfo, proto_tree *tree,
/* Dissects the validation union: reads the 16-bit discriminant into level,
 * then a unique pointer to VALIDATION_SAM_INFO, VALIDATION_SAM_INFO2 or
 * VALIDATION_PAC_INFO (the last appears twice below with the same callback
 * and label). The statements that select between the pointers are not
 * visible in this listing; the IDL comment for this union lists cases 2, 3,
 * 4 and 5.
 * NOTE(review): level comes from the packet; confirm that a value outside
 * those cases dissects no referent. */
1179 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1180 hf_netlogon_validation_level, &level);
1185 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1186 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1187 "VALIDATION_SAM_INFO:", -1, 0);
1190 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1191 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1192 "VALIDATION_SAM_INFO2:", -1, 0);
1195 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1196 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1197 "VALIDATION_PAC_INFO:", -1, 0);
1200 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1201 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1202 "VALIDATION_PAC_INFO:", -1, 0);
1211 * IDL long NetLogonSamLogon(
1212 * IDL [in][unique][string] wchar_t *ServerName,
1213 * IDL [in][unique][string] wchar_t *Workstation,
1214 * IDL [in][unique] AUTHENTICATOR *credential,
1215 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1216 * IDL [in] short LogonLevel,
1217 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1218 * IDL [in] short ValidationLevel,
1219 * IDL [out][ref] VALIDATION *validation,
1220 * IDL [out][ref] boolean Authorative
/*
 * Dissect a NetLogonSamLogon request.  Sets the Info column to
 * "SamLogon request" when that column is in use, then walks the [in]
 * parameters: server handle, computer name, the credential and
 * return_authenticator AUTHENTICATORs (unique pointers), the 16-bit logon
 * level, the LEVEL union behind a ref pointer, and the 16-bit validation
 * level.  Both 16-bit levels are read with a NULL out-parameter, i.e. they
 * are displayed but not captured by this function.
 */
1224 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1225 packet_info *pinfo, proto_tree *tree, char *drep)
1227 if (check_col(pinfo->cinfo, COL_INFO))
1228 col_set_str(pinfo->cinfo, COL_INFO, "SamLogon request");
1230 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1233 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1234 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1235 "Computer Name", hf_netlogon_computer_name, 0);
1237 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1238 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1239 "AUTHENTICATOR: credential", -1, 0);
1241 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1242 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1243 "AUTHENTICATOR: return_authenticator", -1, 0);
1245 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1246 hf_netlogon_level16, NULL);
1248 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1249 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1250 "LEVEL: LogonLevel", -1, 0);
1252 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1253 hf_netlogon_validation_level, NULL);
/*
 * Dissect a NetLogonSamLogon reply.  Sets the Info column to
 * "SamLogon response" when that column is in use, then walks the [out]
 * parameters: return_authenticator (unique pointer), the VALIDATION union
 * (ref pointer), the one-byte authoritative flag and the NT status code.
 */
1259 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1260 packet_info *pinfo, proto_tree *tree, char *drep)
1262 if (check_col(pinfo->cinfo, COL_INFO))
1263 col_set_str(pinfo->cinfo, COL_INFO, "SamLogon response");
1265 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1266 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1267 "AUTHENTICATOR: return_authenticator", -1, 0);
1269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1270 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1271 "VALIDATION:", -1, 0);
1273 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1274 hf_netlogon_authoritative, NULL);
1276 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1277 hf_netlogon_rc, NULL);
1284 * IDL long NetLogonSamLogoff(
1285 * IDL [in][unique][string] wchar_t *ServerName,
1286 * IDL [in][unique][string] wchar_t *ComputerName,
1287 * IDL [in][unique] AUTHENTICATOR credential,
1288 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1289 * IDL [in] short logon_level,
1290 * IDL [in][ref] LEVEL logoninformation
/*
 * Dissect a NetLogonSamLogoff request: server handle, computer name, the
 * credential and return_authenticator AUTHENTICATORs (unique pointers), the
 * 16-bit logon level and the LEVEL union behind a ref pointer.  Unlike the
 * SamLogon dissectors, no Info-column text is set in the visible lines.
 */
1294 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1295 packet_info *pinfo, proto_tree *tree, char *drep)
1297 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1300 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1301 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1302 "Computer Name", hf_netlogon_computer_name, 0);
1304 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1305 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1306 "AUTHENTICATOR: credential", -1, 0);
1308 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1309 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1310 "AUTHENTICATOR: return_authenticator", -1, 0);
1312 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1313 hf_netlogon_level16, NULL);
1315 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1316 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1317 "LEVEL: logoninformation", -1, 0);
/*
 * Dissect a NetLogonSamLogoff reply: the return_authenticator behind a
 * unique pointer, followed by the NT status code.
 */
1322 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1323 packet_info *pinfo, proto_tree *tree, char *drep)
1326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1327 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1328 "AUTHENTICATOR: return_authenticator", -1, 0);
1330 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1331 hf_netlogon_rc, NULL);
1338 * IDL long NetServerReqChallenge(
1339 * IDL [in][unique][string] wchar_t *ServerName,
1340 * IDL [in][ref][string] wchar_t *ComputerName,
1341 * IDL [in][ref] CREDENTIAL client_credential,
1342 * IDL [out][ref] CREDENTIAL server_credential
/*
 * Dissect a NetServerReqChallenge request.  Sets the Info column to
 * "RequestChallenge request" when that column is in use, then dissects the
 * server handle, the computer name and the client CREDENTIAL.  The name and
 * the credential use NDR_POINTER_REF, matching the [ref] attributes in the
 * IDL.
 */
1346 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1347 packet_info *pinfo, proto_tree *tree, char *drep)
1349 if (check_col(pinfo->cinfo, COL_INFO))
1350 col_set_str(pinfo->cinfo, COL_INFO,
1351 "RequestChallenge request");
1353 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1356 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1357 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1358 "Computer Name", hf_netlogon_computer_name, 0);
1360 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1361 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1362 "CREDENTIAL: client challenge", -1, 0);
/*
 * Dissect a NetServerReqChallenge reply.  Sets the Info column to
 * "RequestChallenge response" when that column is in use, then dissects the
 * server CREDENTIAL (ref pointer) and the NT status code.
 */
1367 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1368 packet_info *pinfo, proto_tree *tree, char *drep)
1370 if (check_col(pinfo->cinfo, COL_INFO))
1371 col_set_str(pinfo->cinfo, COL_INFO,
1372 "RequestChallenge response");
1374 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1375 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1376 "CREDENTIAL: server credential", -1, 0);
1378 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1379 hf_netlogon_rc, NULL);
/*
 * Dissect the secure channel type: one 16-bit value shown under
 * hf_netlogon_secure_channel_type.  The value is not captured (NULL
 * out-parameter).
 */
1386 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1387 packet_info *pinfo, proto_tree *tree,
1390 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1391 hf_netlogon_secure_channel_type, NULL);
1398 * IDL long NetServerAuthenticate(
1399 * IDL [in][unique][string] wchar_t *ServerName,
1400 * IDL [in][ref][string] wchar_t *UserName,
1401 * IDL [in] short secure_challenge_type,
1402 * IDL [in][ref][string] wchar_t *ComputerName,
1403 * IDL [in][ref] CREDENTIAL client_challenge,
1404 * IDL [out][ref] CREDENTIAL server_challenge
/*
 * Dissect a NetServerAuthenticate request: server handle, user (account)
 * name, secure channel type, computer name and the client CREDENTIAL.  The
 * two names and the credential are dissected through ref pointers, as the
 * IDL marks them [ref].
 */
1408 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1409 packet_info *pinfo, proto_tree *tree, char *drep)
1411 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1414 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1415 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1416 "User Name", hf_netlogon_acct_name, 0);
1418 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1421 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1422 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1423 "Computer Name", hf_netlogon_computer_name, 0);
1425 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1426 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1427 "CREDENTIAL: client challenge", -1, 0);
/*
 * Dissect a NetServerAuthenticate reply: the server CREDENTIAL behind a ref
 * pointer, followed by the NT status code.
 */
1432 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1433 packet_info *pinfo, proto_tree *tree, char *drep)
1435 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1436 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1437 "CREDENTIAL: server challenge", -1, 0);
1439 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1440 hf_netlogon_rc, NULL);
1448 * IDL typedef struct {
1449 * IDL char encrypted_password[16];
1450 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Dissect an ENCRYPTED_LM_OWF_PASSWORD as one opaque item.  The DCE/RPC
 * call state is fetched from pinfo->private_data; during a conformant run
 * there is nothing to add to the tree.
 *
 * The item length is the constant 16, matching encrypted_password[16] in the
 * IDL, so nothing here depends on a length supplied by the packet.
 */
1453 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1454 packet_info *pinfo, proto_tree *tree,
1459 di=pinfo->private_data;
1460 if(di->conformant_run){
1461 /*just a run to handle conformant arrays, nothing to dissect.*/
1465 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1473 * IDL long NetServerPasswordSet(
1474 * IDL [in][unique][string] wchar_t *ServerName,
1475 * IDL [in][ref][string] wchar_t *UserName,
1476 * IDL [in] short secure_challenge_type,
1477 * IDL [in][ref][string] wchar_t *ComputerName,
1478 * IDL [in][ref] AUTHENTICATOR credential,
1479 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1480 * IDL [out][ref] AUTHENTICATOR return_authenticator
/*
 * Dissect a NetServerPasswordSet request: server handle, user (account)
 * name, secure channel type, computer name, the credential AUTHENTICATOR
 * and the new password, each pointer parameter through NDR_POINTER_REF.
 *
 * The IDL comment names the password parameter LM_OWF_PASSWORD, while the
 * dissector used and the label shown are ENCRYPTED_LM_OWF_PASSWORD.
 */
1484 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1485 packet_info *pinfo, proto_tree *tree, char *drep)
1487 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1490 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1491 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1492 "User Name", hf_netlogon_acct_name, 0);
1494 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1497 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1498 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1499 "Computer Name", hf_netlogon_computer_name, 0);
1501 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1502 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1503 "AUTHENTICATOR: credential", -1, 0);
1505 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1506 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1507 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1, 0);
/*
 * Dissect a NetServerPasswordSet reply: the return_authenticator behind a
 * ref pointer, followed by the NT status code.
 */
1512 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1513 packet_info *pinfo, proto_tree *tree, char *drep)
1515 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1516 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1517 "AUTHENTICATOR: return_authenticator", -1, 0);
1519 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1520 hf_netlogon_rc, NULL);
1527 * IDL typedef struct {
1528 * IDL [unique][string] wchar_t *UserName;
1529 * IDL UNICODESTRING dummy1;
1530 * IDL UNICODESTRING dummy2;
1531 * IDL UNICODESTRING dummy3;
1532 * IDL UNICODESTRING dummy4;
1537 * IDL } DELTA_DELETE_USER;
/*
 * Dissect a DELTA_DELETE_USER structure: the account name behind a unique
 * pointer, four dummy strings and four reserved 32-bit values.
 *
 * NOTE(review): the account-name pointer call passes -1 as its last
 * argument, where the other string pointers in this file pass 0; confirm
 * that this is intended.
 */
1540 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1541 packet_info *pinfo, proto_tree *tree,
1544 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1545 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1546 "Account Name", hf_netlogon_acct_name, -1);
1548 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1549 hf_netlogon_dummy, 0);
1551 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1552 hf_netlogon_dummy, 0);
1554 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1555 hf_netlogon_dummy, 0);
1557 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1558 hf_netlogon_dummy, 0);
1560 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1561 hf_netlogon_reserved, NULL);
1563 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1564 hf_netlogon_reserved, NULL);
1566 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1567 hf_netlogon_reserved, NULL);
1569 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1570 hf_netlogon_reserved, NULL);
1577 * IDL typedef struct {
1578 * IDL bool SensitiveDataFlag;
1579 * IDL long DataLength;
1580 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1581 * IDL } USER_PRIVATE_INFO;
/*
 * Dissect the SensitiveData blob of a USER_PRIVATE_INFO.  Reached through a
 * unique pointer from netlogon_dissect_USER_PRIVATE_INFO.  During a
 * conformant run nothing is dissected; otherwise a 32-bit length is read
 * into data_len and the blob is added as hf_netlogon_sensitive_data starting
 * at the offset just after that length.
 *
 * NOTE(review): data_len comes straight from the capture.  The remaining
 * arguments of proto_tree_add_item and the offset update are on lines not
 * shown here; presumably data_len is used as the item length and then added
 * to the signed `offset`.  Confirm that an oversized value is rejected by
 * the tvbuff bounds check on every path (including when tree is NULL) and
 * cannot wrap `offset`.
 */
1584 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1585 packet_info *pinfo, proto_tree *tree,
1591 di=pinfo->private_data;
1592 if(di->conformant_run){
1593 /*just a run to handle conformant arrays, nothing to dissect */
1597 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1598 hf_netlogon_sensitive_data_len, &data_len);
1600 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
/*
 * Dissect a USER_PRIVATE_INFO structure: the one-byte SensitiveDataFlag, the
 * 32-bit DataLength and a unique pointer to the data itself.
 *
 * DataLength is read with a NULL out-parameter, so it is displayed only;
 * netlogon_dissect_SENSITIVE_DATA reads its own length value from the
 * packet rather than receiving this one.
 */
1607 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1608 packet_info *pinfo, proto_tree *tree,
1611 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1612 hf_netlogon_sensitive_data_flag, NULL);
1614 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1615 hf_netlogon_sensitive_data_len, NULL);
1617 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1618 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1619 "SENSITIVE_DATA", -1, 0);
1625 * IDL typedef struct {
1626 * IDL UNICODESTRING UserName;
1627 * IDL UNICODESTRING FullName;
1629 * IDL long PrimaryGroupID;
1630 * IDL UNICODESTRING HomeDir;
1631 * IDL UNICODESTRING HomeDirDrive;
1632 * IDL UNICODESTRING LogonScript;
1633 * IDL UNICODESTRING Comment;
1634 * IDL UNICODESTRING Workstations;
1635 * IDL NTTIME LastLogon;
1636 * IDL NTTIME LastLogoff;
1637 * IDL LOGON_HOURS logonhours;
1638 * IDL short BadPwCount;
1639 * IDL short LogonCount;
1640 * IDL NTTIME PwLastSet;
1641 * IDL NTTIME AccountExpires;
1642 * IDL long AccountControl;
1643 * IDL LM_OWF_PASSWORD lmpw;
1644 * IDL NT_OWF_PASSWORD ntpw;
1645 * IDL bool NTPwPresent;
1646 * IDL bool LMPwPresent;
1647 * IDL bool PwExpired;
1648 * IDL UNICODESTRING UserComment;
1649 * IDL UNICODESTRING Parameters;
1650 * IDL short CountryCode;
1651 * IDL short CodePage;
1652 * IDL USER_PRIVATE_INFO user_private_info;
1653 * IDL long SecurityInformation;
1654 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1655 * IDL UNICODESTRING dummy1;
1656 * IDL UNICODESTRING dummy2;
1657 * IDL UNICODESTRING dummy3;
1658 * IDL UNICODESTRING dummy4;
/*
 * Dissect a DELTA_USER structure (a replicated user account record) field
 * by field in IDL order.  Each helper's return value becomes the offset for
 * the next call; none of the scalar values is captured (NULL
 * out-parameters), so this function only displays them.
 */
1666 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1667 packet_info *pinfo, proto_tree *tree,
/* Account identity: names, user RID and primary group RID. */
1670 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1671 hf_netlogon_acct_name, 0);
1673 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1674 hf_netlogon_full_name, 0);
1676 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1677 hf_netlogon_user_rid, NULL);
1679 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1680 hf_netlogon_group_rid, NULL);
/* Profile strings: home directory, drive, logon script, description, workstations. */
1682 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1683 hf_netlogon_home_dir, 0);
1685 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1686 hf_netlogon_dir_drive, 0);
1688 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1689 hf_netlogon_logon_script, 0);
1691 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1692 hf_netlogon_acct_desc, 0);
1694 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1695 hf_netlogon_workstations, 0);
/* Logon bookkeeping: times, logon hours, counters, password/expiry times, account control. */
1697 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1698 hf_netlogon_logon_time);
1700 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1701 hf_netlogon_logoff_time);
1703 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1705 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1706 hf_netlogon_bad_pw_count16, NULL);
1708 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1709 hf_netlogon_logon_count16, NULL);
1711 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1712 hf_netlogon_pwd_last_set_time);
1714 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1715 hf_netlogon_acct_expiry_time);
1717 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
/* LM and NT OWF password fields (lmpw / ntpw in the IDL), then the three
 * one-byte flags NTPwPresent, LMPwPresent and PwExpired. */
1719 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1722 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1725 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1726 hf_netlogon_nt_pwd_present, NULL);
1728 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1729 hf_netlogon_lm_pwd_present, NULL);
1731 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1732 hf_netlogon_pwd_expired, NULL);
1734 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1735 hf_netlogon_comment, 0);
1737 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1738 hf_netlogon_parameters, 0);
1740 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1741 hf_netlogon_country, NULL);
1743 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1744 hf_netlogon_codepage, NULL);
/* USER_PRIVATE_INFO leads to a blob whose length is supplied by the packet;
 * see netlogon_dissect_SENSITIVE_DATA. */
1746 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1749 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1750 hf_netlogon_security_information, NULL);
1752 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 strings, then four reserved 32-bit values. */
1755 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1756 hf_netlogon_dummy, 0);
1758 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1759 hf_netlogon_dummy, 0);
1761 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1762 hf_netlogon_dummy, 0);
1764 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1765 hf_netlogon_dummy, 0);
1767 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1768 hf_netlogon_reserved, NULL);
1770 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1771 hf_netlogon_reserved, NULL);
1773 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1774 hf_netlogon_reserved, NULL);
1776 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1777 hf_netlogon_reserved, NULL);
1784 * IDL typedef struct {
1785 * IDL UNICODESTRING DomainName;
1786 * IDL UNICODESTRING OEMInfo;
1787 * IDL NTTIME forcedlogoff;
1788 * IDL short minpasswdlen;
1789 * IDL short passwdhistorylen;
1790 * IDL NTTIME pwd_must_change_time;
1791 * IDL NTTIME pwd_can_change_time;
1792 * IDL NTTIME domain_modify_time;
1793 * IDL NTTIME domain_create_time;
1794 * IDL long SecurityInformation;
1795 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1796 * IDL UNICODESTRING dummy1;
1797 * IDL UNICODESTRING dummy2;
1798 * IDL UNICODESTRING dummy3;
1799 * IDL UNICODESTRING dummy4;
1804 * IDL } DELTA_DOMAIN;
/*
 * Dissect a DELTA_DOMAIN structure (replicated domain-wide settings) in IDL
 * field order: domain name, OEM info, forced-logoff time, minimum password
 * length, password history length, the password and domain timestamps, the
 * security information word and security descriptor, then four dummy
 * strings and four reserved 32-bit values.
 *
 * The domain name is the only string passed a trailing 1 instead of 0.
 * NOTE(review): presumably that argument controls whether the string is
 * also shown on the enclosing item; confirm against packet-dcerpc-nt.h.
 */
1807 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1808 packet_info *pinfo, proto_tree *tree,
1811 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1812 hf_netlogon_domain_name, 1);
1814 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1815 hf_netlogon_oem_info, 0);
/* IDL field "forcedlogoff" is displayed under hf_netlogon_kickoff_time. */
1817 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1818 hf_netlogon_kickoff_time);
1820 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1821 hf_netlogon_minpasswdlen, NULL);
1823 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1824 hf_netlogon_passwdhistorylen, NULL);
1826 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1827 hf_netlogon_pwd_must_change_time);
1829 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1830 hf_netlogon_pwd_can_change_time);
1832 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1833 hf_netlogon_domain_modify_time);
1835 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1836 hf_netlogon_domain_create_time);
1838 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1839 hf_netlogon_security_information, NULL);
1841 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1844 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1845 hf_netlogon_dummy, 0);
1847 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1848 hf_netlogon_dummy, 0);
1850 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1851 hf_netlogon_dummy, 0);
1853 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1854 hf_netlogon_dummy, 0);
1856 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1857 hf_netlogon_reserved, NULL);
1859 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1860 hf_netlogon_reserved, NULL);
1862 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1863 hf_netlogon_reserved, NULL);
1865 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1866 hf_netlogon_reserved, NULL);
1873 * IDL typedef struct {
1874 * IDL UNICODESTRING groupname;
1875 * IDL GROUP_MEMBERSHIP group_membership;
1876 * IDL UNICODESTRING comment;
1877 * IDL long SecurityInformation;
1878 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1879 * IDL UNICODESTRING dummy1;
1880 * IDL UNICODESTRING dummy2;
1881 * IDL UNICODESTRING dummy3;
1882 * IDL UNICODESTRING dummy4;
1887 * IDL } DELTA_GROUP;
/*
 * Dissect a DELTA_GROUP structure in IDL field order: group name, the
 * GROUP_MEMBERSHIP record, the group description (IDL "comment"), the
 * security information word and security descriptor, then four dummy
 * strings and four reserved 32-bit values.
 */
1890 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1891 packet_info *pinfo, proto_tree *tree,
1894 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1895 hf_netlogon_group_name, 1);
1897 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1900 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1901 hf_netlogon_group_desc, 0);
1903 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1904 hf_netlogon_security_information, NULL);
1906 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1909 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1910 hf_netlogon_dummy, 0);
1912 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1913 hf_netlogon_dummy, 0);
1915 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1916 hf_netlogon_dummy, 0);
1918 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1919 hf_netlogon_dummy, 0);
1921 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1922 hf_netlogon_reserved, NULL);
1924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1925 hf_netlogon_reserved, NULL);
1927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1928 hf_netlogon_reserved, NULL);
1930 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1931 hf_netlogon_reserved, NULL);
1938 * IDL typedef struct {
1939 * IDL UNICODESTRING OldName;
1940 * IDL UNICODESTRING NewName;
1941 * IDL UNICODESTRING dummy1;
1942 * IDL UNICODESTRING dummy2;
1943 * IDL UNICODESTRING dummy3;
1944 * IDL UNICODESTRING dummy4;
1949 * IDL } DELTA_RENAME;
/*
 * Dissect a DELTA_RENAME structure: the old and new names, four dummy
 * strings and four reserved 32-bit values.
 *
 * NOTE(review): the DCE/RPC call state is fetched into `di`, and the
 * remaining arguments of the first two string calls are on lines not shown
 * here; presumably the field index for OldName/NewName is taken from `di`
 * so the same routine serves several delta types -- confirm.
 */
1952 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
1953 packet_info *pinfo, proto_tree *tree,
1958 di=pinfo->private_data;
1960 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1963 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1966 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1967 hf_netlogon_dummy, 0);
1969 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1970 hf_netlogon_dummy, 0);
1972 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1973 hf_netlogon_dummy, 0);
1975 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1976 hf_netlogon_dummy, 0);
1978 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1979 hf_netlogon_reserved, NULL);
1981 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1982 hf_netlogon_reserved, NULL);
1984 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1985 hf_netlogon_reserved, NULL);
1987 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1988 hf_netlogon_reserved, NULL);
/* Dissect one array element: a 32-bit RID shown under hf_netlogon_user_rid.
 * Used as the per-element callback of netlogon_dissect_RID_array. */
1995 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
1996 packet_info *pinfo, proto_tree *tree,
1999 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2000 hf_netlogon_user_rid, NULL);
/* Dissect an array of RIDs by handing netlogon_dissect_RID to
 * dissect_ndr_ucarray, which drives the per-element calls. */
2006 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2007 packet_info *pinfo, proto_tree *tree,
2010 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2011 netlogon_dissect_RID);
/* Dissect one array element: a 32-bit attribute word shown under
 * hf_netlogon_attrs.  Used as the per-element callback of
 * netlogon_dissect_ATTRIB_array. */
2017 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2018 packet_info *pinfo, proto_tree *tree,
2021 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2022 hf_netlogon_attrs, NULL);
/* Dissect an array of attribute words by handing netlogon_dissect_ATTRIB to
 * dissect_ndr_ucarray, which drives the per-element calls. */
2028 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2029 packet_info *pinfo, proto_tree *tree,
2032 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2033 netlogon_dissect_ATTRIB);
2039 * IDL typedef struct {
2040 * IDL [unique][size_is(num_rids)] long *rids;
2041 * IDL [unique][size_is(num_rids)] long *attribs;
2042 * IDL long num_rids;
2047 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissect a DELTA_GROUP_MEMBER structure: unique pointers to the RID array
 * and the attribute array, the 32-bit num_rids and four reserved 32-bit
 * values.
 *
 * num_rids is read with a NULL out-parameter, so it is displayed only; the
 * element count of each array is whatever dissect_ndr_ucarray takes from
 * the array's own encoding, not this field.
 */
2050 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2051 packet_info *pinfo, proto_tree *tree,
2054 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2055 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2058 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2059 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2062 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2063 hf_netlogon_num_rids, NULL);
2065 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2066 hf_netlogon_reserved, NULL);
2068 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2069 hf_netlogon_reserved, NULL);
2071 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2072 hf_netlogon_reserved, NULL);
2074 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2075 hf_netlogon_reserved, NULL);
2082 * IDL typedef struct {
2083 * IDL UNICODESTRING alias_name;
2085 * IDL long SecurityInformation;
2086 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2087 * IDL UNICODESTRING dummy1;
2088 * IDL UNICODESTRING dummy2;
2089 * IDL UNICODESTRING dummy3;
2090 * IDL UNICODESTRING dummy4;
2095 * IDL } DELTA_ALIAS;
/*
 * Dissect a DELTA_ALIAS structure: alias name, alias RID, the security
 * information word and security descriptor, then four dummy strings and
 * four reserved 32-bit values.
 */
2098 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2099 packet_info *pinfo, proto_tree *tree,
2102 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2103 hf_netlogon_alias_name, 1);
2105 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2106 hf_netlogon_alias_rid, NULL);
2108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2109 hf_netlogon_security_information, NULL);
2111 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2114 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2115 hf_netlogon_dummy, 0);
2117 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2118 hf_netlogon_dummy, 0);
2120 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2121 hf_netlogon_dummy, 0);
2123 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2124 hf_netlogon_dummy, 0);
2126 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2127 hf_netlogon_reserved, NULL);
2129 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2130 hf_netlogon_reserved, NULL);
2132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2133 hf_netlogon_reserved, NULL);
2135 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2136 hf_netlogon_reserved, NULL);
2143 * IDL typedef struct {
2144 * IDL [unique] SID_ARRAY sids;
2149 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissect a DELTA_ALIAS_MEMBER structure: the member SID array (via
 * dissect_ndr_nt_PSID_ARRAY) followed by four reserved 32-bit values.
 */
2152 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2153 packet_info *pinfo, proto_tree *tree,
2156 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2158 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2159 hf_netlogon_reserved, NULL);
2161 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2162 hf_netlogon_reserved, NULL);
2164 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2165 hf_netlogon_reserved, NULL);
2167 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2168 hf_netlogon_reserved, NULL);
/* Dissect one array element: a 32-bit event audit option shown under
 * hf_netlogon_event_audit_option.  Used as the per-element callback of
 * netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY. */
2175 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2176 packet_info *pinfo, proto_tree *tree,
2179 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2180 hf_netlogon_event_audit_option, NULL);
/* Dissect the event audit options array by handing
 * netlogon_dissect_EVENT_AUDIT_OPTION to dissect_ndr_ucarray, which drives
 * the per-element calls. */
2186 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2187 packet_info *pinfo, proto_tree *tree,
2190 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2191 netlogon_dissect_EVENT_AUDIT_OPTION);
2198 * IDL typedef struct {
2199 * IDL long pagedpoollimit;
2200 * IDL long nonpagedpoollimit;
2201 * IDL long minimumworkingsetsize;
2202 * IDL long maximumworkingsetsize;
2203 * IDL long pagefilelimit;
2204 * IDL NTTIME timelimit;
2205 * IDL } QUOTA_LIMITS;
/*
 * Dissect a QUOTA_LIMITS structure under its own subtree (ett_QUOTA_LIMITS)
 * of parent_tree: five 32-bit limits (paged pool, non-paged pool, minimum
 * and maximum working set, page file) followed by an NTTIME time limit.
 *
 * The subtree item is created with length 0 and resized at the end to the
 * number of bytes actually consumed (offset - old_offset).
 */
2208 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2209 packet_info *pinfo, proto_tree *parent_tree,
2212 proto_item *item=NULL;
2213 proto_tree *tree=NULL;
/* Remember where the structure starts so the item can be sized afterwards. */
2214 int old_offset=offset;
/* NOTE(review): item and tree start out NULL; presumably the two calls below
 * sit behind a parent_tree check that is not shown here -- confirm. */
2217 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2219 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2222 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2223 hf_netlogon_pagedpoollimit, NULL);
2225 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2226 hf_netlogon_nonpagedpoollimit, NULL);
2228 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2229 hf_netlogon_minworkingsetsize, NULL);
2231 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2232 hf_netlogon_maxworkingsetsize, NULL);
2234 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2235 hf_netlogon_pagefilelimit, NULL);
2237 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2238 hf_netlogon_timelimit);
2240 proto_item_set_len(item, offset-old_offset);
2246 * IDL typedef struct {
2247 * IDL long maxlogsize;
2248 * IDL NTTIME auditretentionperiod;
2249 * IDL bool auditingmode;
2250 * IDL long maxauditeventcount;
2251 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2252 * IDL UNICODESTRING primarydomainname;
2253 * IDL [unique] SID *sid;
2254 * IDL QUOTA_LIMITS quota_limits;
2255 * IDL NTTIME db_modify_time;
2256 * IDL NTTIME db_create_time;
2257 * IDL long SecurityInformation;
2258 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2259 * IDL UNICODESTRING dummy1;
2260 * IDL UNICODESTRING dummy2;
2261 * IDL UNICODESTRING dummy3;
2262 * IDL UNICODESTRING dummy4;
2267 * IDL } DELTA_POLICY;
/*
 * Dissect a DELTA_POLICY structure (replicated audit/policy settings) in IDL
 * field order: maximum log size, audit retention period, auditing mode,
 * maximum audit event count, a unique pointer to the event audit options
 * array, primary domain name, domain SID, quota limits, database
 * modify/create times, the security information word and security
 * descriptor, then four dummy strings and four reserved 32-bit values.
 *
 * maxauditeventcount is read with a NULL out-parameter, so it is displayed
 * only; the options array is sized by dissect_ndr_ucarray from the array's
 * own encoding, not by this field.
 */
2270 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2271 packet_info *pinfo, proto_tree *tree,
2274 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2275 hf_netlogon_max_log_size, NULL);
2277 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2278 hf_netlogon_audit_retention_period);
2280 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2281 hf_netlogon_auditing_mode, NULL);
2283 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2284 hf_netlogon_max_audit_event_count, NULL);
2286 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2287 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2288 "Event Audit Options:", -1, 0);
2290 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2291 hf_netlogon_domain_name, 0);
2293 offset = dissect_ndr_nt_PSID(tvb, offset,
2296 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2299 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2300 hf_netlogon_db_modify_time);
2302 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2303 hf_netlogon_db_create_time);
2305 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2306 hf_netlogon_security_information, NULL);
2308 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2311 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2312 hf_netlogon_dummy, 0);
2314 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2315 hf_netlogon_dummy, 0);
2317 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2318 hf_netlogon_dummy, 0);
2320 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2321 hf_netlogon_dummy, 0);
2323 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2324 hf_netlogon_reserved, NULL);
2326 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2327 hf_netlogon_reserved, NULL);
2329 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2330 hf_netlogon_reserved, NULL);
2332 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2333 hf_netlogon_reserved, NULL);
/* Dissect one array element: a domain controller name string shown under
 * hf_netlogon_dc_name.  Used as the per-element callback of
 * netlogon_dissect_CONTROLLER_ARRAY. */
2340 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2341 packet_info *pinfo, proto_tree *tree,
2344 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2345 hf_netlogon_dc_name, 1);
/* Dissect the domain controller name array by handing
 * netlogon_dissect_CONTROLLER to dissect_ndr_ucarray, which drives the
 * per-element calls. */
2351 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2352 packet_info *pinfo, proto_tree *tree,
2355 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2356 netlogon_dissect_CONTROLLER);
2363 * IDL typedef struct {
2364 * IDL UNICODESTRING DomainName;
2365 * IDL long num_controllers;
2366 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2367 * IDL long SecurityInformation;
2368 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2369 * IDL UNICODESTRING dummy1;
2370 * IDL UNICODESTRING dummy2;
2371 * IDL UNICODESTRING dummy3;
2372 * IDL UNICODESTRING dummy4;
2377 * IDL } DELTA_TRUSTED_DOMAINS;
/* Dissects a DELTA_TRUSTED_DOMAINS structure field by field, in the order of
 * the IDL comment that precedes it: domain name, controller count, unique
 * pointer to the controller array, security information, security
 * descriptor, four strings shown as hf_netlogon_dummy and four 32-bit values
 * shown as hf_netlogon_reserved. Every call returns the advanced offset.
 * NOTE(review): some source lines are missing from this listing (see the
 * gaps in the embedded numbering), e.g. the tail of the signature and of the
 * lsa_dissect_LSA_SECURITY_DESCRIPTOR call. */
2380 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2381 packet_info *pinfo, proto_tree *tree,
2384 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2385 hf_netlogon_domain_name, 0);
/* num_controllers is only displayed (NULL out-pointer); it is not used here
 * to bound the array that follows. */
2387 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2388 hf_netlogon_num_controllers, NULL);
2390 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2391 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2392 "Domain Controllers:", -1, 0);
2394 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2395 hf_netlogon_security_information, NULL);
2397 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL */
2400 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2401 hf_netlogon_dummy, 0);
2403 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2404 hf_netlogon_dummy, 0);
2406 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2407 hf_netlogon_dummy, 0);
2409 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2410 hf_netlogon_dummy, 0);
/* four trailing 32-bit fields, all registered under hf_netlogon_reserved */
2412 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2413 hf_netlogon_reserved, NULL);
2415 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2416 hf_netlogon_reserved, NULL);
2418 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2419 hf_netlogon_reserved, NULL);
2421 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2422 hf_netlogon_reserved, NULL);
/* Dissects one privilege attribute: a 32-bit value shown as hf_netlogon_attrs.
 * Per-element callback of netlogon_dissect_PRIV_ATTR_ARRAY.
 * NOTE(review): remainder of the signature and the return are not shown. */
2429 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2430 packet_info *pinfo, proto_tree *tree,
2433 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2434 hf_netlogon_attrs, NULL);
/* Dissects the privilege_attrib array via dissect_ndr_ucarray, with
 * netlogon_dissect_PRIV_ATTR as the per-element callback.
 * NOTE(review): remainder of the signature and the return are not shown. */
2440 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2441 packet_info *pinfo, proto_tree *tree,
2444 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2445 netlogon_dissect_PRIV_ATTR);
/* Dissects one privilege name: a UNICODE_STRING shown as
 * hf_netlogon_privilege_name. Per-element callback of
 * netlogon_dissect_PRIV_NAME_ARRAY.
 * NOTE(review): remainder of the signature and the return are not shown. */
2451 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2452 packet_info *pinfo, proto_tree *tree,
2455 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2456 hf_netlogon_privilege_name, 1);
/* Dissects the privilege_name array via dissect_ndr_ucarray, with
 * netlogon_dissect_PRIV_NAME as the per-element callback.
 * NOTE(review): remainder of the signature and the return are not shown. */
2462 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2463 packet_info *pinfo, proto_tree *tree,
2466 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2467 netlogon_dissect_PRIV_NAME);
2475 * IDL typedef struct {
2476 * IDL long privilegeentries;
2477 * IDL long privilegecontrol;
2478 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2479 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2480 * IDL QUOTALIMITS quotalimits;
2481 * IDL long SecurityInformation;
2482 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2483 * IDL UNICODESTRING dummy1;
2484 * IDL UNICODESTRING dummy2;
2485 * IDL UNICODESTRING dummy3;
2486 * IDL UNICODESTRING dummy4;
2491 * IDL } DELTA_ACCOUNTS;
/* Dissects a DELTA_ACCOUNTS structure: privilege entry count, privilege
 * control, unique pointers to the attribute and name arrays, quota limits,
 * system flags, security information, security descriptor, four strings
 * shown as hf_netlogon_dummy and four 32-bit values shown as
 * hf_netlogon_reserved. Every call returns the advanced offset.
 * NOTE(review): the IDL comment preceding this function goes straight from
 * quotalimits to SecurityInformation, while the code dissects an extra
 * 32-bit hf_netlogon_systemflags in between; one of the two needs updating.
 * NOTE(review): some source lines are missing from this listing (tail of the
 * signature, of the QUOTA_LIMITS call and of the security-descriptor call). */
2494 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2495 packet_info *pinfo, proto_tree *tree,
/* The entry count is only displayed (NULL out-pointer); the two arrays below
 * carry their own counts through dissect_ndr_ucarray. */
2498 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2499 hf_netlogon_privilege_entries, NULL);
2501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2502 hf_netlogon_privilege_control, NULL);
2504 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2505 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2506 "PRIV_ATTR_ARRAY:", -1, 0);
2508 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2509 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2510 "PRIV_NAME_ARRAY:", -1, 0);
2512 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
/* not listed in the IDL comment for DELTA_ACCOUNTS */
2515 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2516 hf_netlogon_systemflags, NULL);
2518 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2519 hf_netlogon_security_information, NULL);
2521 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL */
2524 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2525 hf_netlogon_dummy, 0);
2527 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2528 hf_netlogon_dummy, 0);
2530 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2531 hf_netlogon_dummy, 0);
2533 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2534 hf_netlogon_dummy, 0);
/* four trailing 32-bit fields, all registered under hf_netlogon_reserved */
2536 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2537 hf_netlogon_reserved, NULL);
2539 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2540 hf_netlogon_reserved, NULL);
2542 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2543 hf_netlogon_reserved, NULL);
2545 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2546 hf_netlogon_reserved, NULL);
2552 * IDL typedef struct {
2555 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2556 * IDL } CIPHER_VALUE;
/* Pointer callback for the cipher_data member of CIPHER_VALUE. It takes the
 * dcerpc call info from pinfo->private_data, does nothing useful on a
 * conformant run, and otherwise dissects hf_netlogon_cipher_maxlen, then
 * hf_netlogon_cipher_len (captured in data_len), then adds an item for
 * di->hf_index starting at the current offset.
 * NOTE(review): data_len is read from the packet and is therefore untrusted.
 * The remaining arguments of proto_tree_add_item and the code that advances
 * offset afterwards are not shown in this listing. Confirm that the length
 * is checked against the bytes remaining in tvb on every path (including
 * when tree is NULL) and that adding it to the int offset cannot wrap or
 * move the offset backwards.
 * NOTE(review): the embedded numbering also skips 2574-2577, between the
 * maxlen and len reads; whatever is dissected there is not visible. */
2559 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2560 packet_info *pinfo, proto_tree *tree,
2566 di=pinfo->private_data;
2567 if(di->conformant_run){
2568 /*just a run to handle conformant arrays, nothing to dissect */
2572 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2573 hf_netlogon_cipher_maxlen, NULL);
2578 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2579 hf_netlogon_cipher_len, &data_len);
2581 proto_tree_add_item(tree, di->hf_index, tvb, offset,
/* Dissects a CIPHER_VALUE structure inside its own subtree.
 *
 * tvb, offset, pinfo, drep: the usual NDR dissection context.
 * parent_tree: tree the text item is added to.
 * name, hf_index: label and header field for the cipher data; how they are
 *   forwarded is on lines not shown here (presumably to dissect_ndr_pointer,
 *   TODO confirm).
 *
 * Dissects hf_netlogon_cipher_len, hf_netlogon_cipher_maxlen and then a
 * unique pointer handled by netlogon_dissect_CIPHER_VALUE_DATA, and finally
 * sets the item length to the number of bytes consumed.
 * NOTE(review): both length fields are display-only here (NULL out-pointer);
 * the length that sizes the data is read again in the callback. */
2588 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2589 packet_info *pinfo, proto_tree *parent_tree,
2590 char *drep, char *name, int hf_index)
2592 proto_item *item=NULL;
2593 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
2594 int old_offset=offset;
2597 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2599 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2602 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2603 hf_netlogon_cipher_len, NULL);
2605 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2606 hf_netlogon_cipher_maxlen, NULL);
2608 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2609 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
2612 proto_item_set_len(item, offset-old_offset);
2617 * IDL typedef struct {
2618 * IDL CIPHER_VALUE current_cipher;
2619 * IDL NTTIME current_cipher_set_time;
2620 * IDL CIPHER_VALUE old_cipher;
2621 * IDL NTTIME old_cipher_set_time;
2622 * IDL long SecurityInformation;
2623 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2624 * IDL UNICODESTRING dummy1;
2625 * IDL UNICODESTRING dummy2;
2626 * IDL UNICODESTRING dummy3;
2627 * IDL UNICODESTRING dummy4;
2632 * IDL } DELTA_SECRET;
/* Dissects a DELTA_SECRET structure in the order of the IDL comment that
 * precedes it: current cipher value and its set time, old cipher value and
 * its set time, security information, security descriptor, four strings
 * shown as hf_netlogon_dummy and four 32-bit values shown as
 * hf_netlogon_reserved. Every call returns the advanced offset.
 * NOTE(review): some source lines are missing from this listing (tail of the
 * signature, the middle arguments of both netlogon_dissect_CIPHER_VALUE
 * calls and the tail of the security-descriptor call). */
2635 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2636 packet_info *pinfo, proto_tree *tree,
/* cipher bytes are displayed under hf_netlogon_cipher_current_data */
2639 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2641 "CIPHER_VALUE: current cipher value",
2642 hf_netlogon_cipher_current_data);
2644 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2645 hf_netlogon_cipher_current_set_time);
/* cipher bytes are displayed under hf_netlogon_cipher_old_data */
2647 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2649 "CIPHER_VALUE: old cipher value",
2650 hf_netlogon_cipher_old_data);
2652 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2653 hf_netlogon_cipher_old_set_time);
2655 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2656 hf_netlogon_security_information, NULL);
2658 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL */
2661 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2662 hf_netlogon_dummy, 0);
2664 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2665 hf_netlogon_dummy, 0);
2667 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2668 hf_netlogon_dummy, 0);
2670 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2671 hf_netlogon_dummy, 0);
/* four trailing 32-bit fields, all registered under hf_netlogon_reserved */
2673 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2674 hf_netlogon_reserved, NULL);
2676 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2677 hf_netlogon_reserved, NULL);
2679 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2680 hf_netlogon_reserved, NULL);
2682 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2683 hf_netlogon_reserved, NULL);
2689 * IDL typedef struct {
2690 * IDL long low_value;
2691 * IDL long high_value;
/* Dissects a MODIFIED_COUNT. The IDL comment preceding this function
 * declares two longs (low_value, high_value); the code reads them as one
 * 64-bit NDR value displayed under hf_netlogon_modify_count.
 * NOTE(review): remainder of the signature and the return are not shown. */
2695 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2696 packet_info *pinfo, proto_tree *tree,
2699 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2700 hf_netlogon_modify_count, NULL);
/* Delta type codes. The values are the case labels of the DELTA_UNION IDL
 * that follows; 3, 6, 10, 15, 17 and 19 are not assigned there. */
2706 #define DT_DELTA_DOMAIN 1
2707 #define DT_DELTA_GROUP 2
2708 #define DT_DELTA_RENAME_GROUP 4
2709 #define DT_DELTA_USER 5
2710 #define DT_DELTA_RENAME_USER 7
2711 #define DT_DELTA_GROUP_MEMBER 8
2712 #define DT_DELTA_ALIAS 9
2713 #define DT_DELTA_RENAME_ALIAS 11
2714 #define DT_DELTA_ALIAS_MEMBER 12
2715 #define DT_DELTA_POLICY 13
2716 #define DT_DELTA_TRUSTED_DOMAINS 14
2717 #define DT_DELTA_ACCOUNTS 16
2718 #define DT_DELTA_SECRET 18
2719 #define DT_DELTA_DELETE_GROUP 20
2720 #define DT_DELTA_DELETE_USER 21
2721 #define DT_MODIFIED_COUNT 22
/* Display names for the delta type codes above.
 * NOTE(review): the table's terminating entry and closing brace are on lines
 * not shown in this listing. */
2722 static const value_string delta_type_vals[] = {
2723 { DT_DELTA_DOMAIN, "Domain" },
2724 { DT_DELTA_GROUP, "Group" },
2725 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2726 { DT_DELTA_USER, "User" },
2727 { DT_DELTA_RENAME_USER, "Rename User" },
2728 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2729 { DT_DELTA_ALIAS, "Alias" },
2730 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2731 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2732 { DT_DELTA_POLICY, "Policy" },
2733 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2734 { DT_DELTA_ACCOUNTS, "Accounts" },
2735 { DT_DELTA_SECRET, "Secret" },
2736 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2737 { DT_DELTA_DELETE_USER, "Delete User" },
2738 { DT_MODIFIED_COUNT, "Modified Count" },
2742 * IDL typedef [switch_type(short)] union {
2743 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2744 * IDL [case(2)][unique] DELTA_GROUP *group;
2745 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2746 * IDL [case(5)][unique] DELTA_USER *user;
2747 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2748 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2749 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2750 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2751 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2752 * IDL [case(13)][unique] DELTA_POLICY *policy;
2753 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2754 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2755 * IDL [case(18)][unique] DELTA_SECRET *secret;
2756 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2757 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2758 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2759 * IDL } DELTA_UNION;
/* Dissects a DELTA_UNION inside its own subtree (ett_DELTA_UNION). The
 * 16-bit discriminant is read into level under hf_netlogon_delta_type; each
 * arm then dissects a unique pointer to the matching DELTA_* structure, and
 * the item length is set to the bytes consumed.
 * NOTE(review): the switch and case lines are missing from this listing, so
 * which call belongs to which discriminant value can only be inferred from
 * the order of the calls and the IDL comment preceding the function.
 * NOTE(review): level comes from the packet; confirm the (not shown) switch
 * leaves offset unchanged for values that have no arm. */
2762 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2763 packet_info *pinfo, proto_tree *parent_tree,
2766 proto_item *item=NULL;
2767 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
2768 int old_offset=offset;
2772 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2774 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2777 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2778 hf_netlogon_delta_type, &level);
2783 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2784 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2785 "DELTA_DOMAIN:", -1, 0);
2788 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2789 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2790 "DELTA_GROUP:", -1, 0);
/* The three rename arms share netlogon_dissect_DELTA_RENAME and differ only
 * in the header field passed along (group, account or alias name). */
2793 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2794 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2795 "DELTA_RENAME_GROUP:", hf_netlogon_group_name, 0);
2798 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2799 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2800 "DELTA_USER:", -1, 0);
2803 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2804 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2805 "DELTA_RENAME_USER:", hf_netlogon_acct_name, 0);
2808 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2809 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2810 "DELTA_GROUP_MEMBER:", -1, 0);
2813 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2814 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2815 "DELTA_ALIAS:", -1, 0);
2818 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2819 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2820 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name, 0);
2823 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2824 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2825 "DELTA_ALIAS_MEMBER:", -1, 0);
2828 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2829 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2830 "DELTA_POLICY:", -1, 0);
2833 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2834 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2835 "DELTA_TRUSTED_DOMAINS:", -1, 0);
2838 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2839 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2840 "DELTA_ACCOUNTS:", -1, 0);
2843 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2844 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2845 "DELTA_SECRET:", -1, 0);
/* Delete-group and delete-user both go through
 * netlogon_dissect_DELTA_DELETE_USER, matching the IDL, which declares both
 * arms as DELTA_DELETE_USER. */
2848 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2849 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2850 "DELTA_DELETE_GROUP:", -1, 0);
2853 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2854 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2855 "DELTA_DELETE_USER:", -1, 0);
2858 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2859 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2860 "MODIFIED_COUNT:", -1, 0);
2864 proto_item_set_len(item, offset-old_offset);
2870 /* IDL XXX must verify this one, especially 13-19
2871 * IDL typedef [switch_type(short)] union {
2872 * IDL [case(1)] long rid;
2873 * IDL [case(2)] long rid;
2874 * IDL [case(3)] long rid;
2875 * IDL [case(4)] long rid;
2876 * IDL [case(5)] long rid;
2877 * IDL [case(6)] long rid;
2878 * IDL [case(7)] long rid;
2879 * IDL [case(8)] long rid;
2880 * IDL [case(9)] long rid;
2881 * IDL [case(10)] long rid;
2882 * IDL [case(11)] long rid;
2883 * IDL [case(12)] long rid;
2884 * IDL [case(13)] [unique] SID *sid;
2885 * IDL [case(14)] [unique] SID *sid;
2886 * IDL [case(15)] [unique] SID *sid;
2887 * IDL [case(16)] [unique] SID *sid;
2888 * IDL [case(17)] [unique] SID *sid;
2889 * IDL [case(18)] [unique][string] wchar_t *Name ;
2890 * IDL [case(19)] [unique][string] wchar_t *Name ;
2891 * IDL [case(20)] long rid;
2892 * IDL [case(21)] long rid;
2893 * IDL } DELTA_ID_UNION;
/* Dissects a DELTA_ID_UNION inside its own subtree (ett_DELTA_ID_UNION).
 * The 16-bit discriminant is read into level under hf_netlogon_level16. The
 * visible arms are, in order: twelve 32-bit RIDs, five SID pointers, two
 * string pointers and two more 32-bit RIDs, which lines up with cases 1-12,
 * 13-17, 18-19 and 20-21 of the IDL comment preceding the function.
 * NOTE(review): the switch and case lines are missing from this listing, so
 * that mapping is inferred from call order only.
 * NOTE(review): the IDL marks the two string arms [unique], but the code
 * passes NDR_POINTER_PTR; the IDL itself is flagged "must verify", so one of
 * the two is presumably wrong - confirm against a capture. */
2896 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2897 packet_info *pinfo, proto_tree *parent_tree,
2900 proto_item *item=NULL;
2901 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
2902 int old_offset=offset;
2906 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2908 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2911 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2912 hf_netlogon_level16, &level);
/* RID arms: a 32-bit value shown as hf_netlogon_user_rid */
2917 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2918 hf_netlogon_user_rid, NULL);
2921 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2922 hf_netlogon_user_rid, NULL);
2925 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2926 hf_netlogon_user_rid, NULL);
2929 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2930 hf_netlogon_user_rid, NULL);
2933 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2934 hf_netlogon_user_rid, NULL);
2937 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2938 hf_netlogon_user_rid, NULL);
2941 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2942 hf_netlogon_user_rid, NULL);
2945 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2946 hf_netlogon_user_rid, NULL);
2949 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2950 hf_netlogon_user_rid, NULL);
2953 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2954 hf_netlogon_user_rid, NULL);
2957 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2958 hf_netlogon_user_rid, NULL);
2961 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2962 hf_netlogon_user_rid, NULL);
/* SID arms; the rest of each call is on lines not shown */
2965 offset = dissect_ndr_nt_PSID(tvb, offset,
2969 offset = dissect_ndr_nt_PSID(tvb, offset,
2973 offset = dissect_ndr_nt_PSID(tvb, offset,
2977 offset = dissect_ndr_nt_PSID(tvb, offset,
2981 offset = dissect_ndr_nt_PSID(tvb, offset,
/* string arms, shown as hf_netlogon_unknown_string */
2985 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2986 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
2987 "unknown", hf_netlogon_unknown_string, -1);
2990 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2991 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
2992 "unknown", hf_netlogon_unknown_string, -1);
/* trailing RID arms */
2995 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2996 hf_netlogon_user_rid, NULL);
2999 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3000 hf_netlogon_user_rid, NULL);
3004 proto_item_set_len(item, offset-old_offset);
3009 * IDL typedef struct {
3010 * IDL short delta_type;
3011 * IDL DELTA_ID_UNION delta_id_union;
3012 * IDL DELTA_UNION delta_union;
/* Dissects one DELTA_ENUM inside its own subtree (ett_DELTA_ENUM): the
 * 16-bit delta type, then the DELTA_ID_UNION, then the DELTA_UNION, and
 * finally sets the item length to the bytes consumed. The delta type is
 * display-only here (NULL out-pointer); each union reads its own
 * discriminant.
 * NOTE(review): the tail of the signature and of both union calls are on
 * lines not shown in this listing. */
3016 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3017 packet_info *pinfo, proto_tree *parent_tree,
3020 proto_item *item=NULL;
3021 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3022 int old_offset=offset;
3025 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3027 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3030 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3031 hf_netlogon_delta_type, NULL);
3033 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3036 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3039 proto_item_set_len(item, offset-old_offset);
/* Dissects the delta_enum array via dissect_ndr_ucarray, with
 * netlogon_dissect_DELTA_ENUM as the per-element callback.
 * NOTE(review): remainder of the signature and the return are not shown. */
3044 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3045 packet_info *pinfo, proto_tree *tree,
3048 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3049 netlogon_dissect_DELTA_ENUM);
3055 * IDL typedef struct {
3056 * IDL long num_deltas;
3057 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3058 * IDL } DELTA_ENUM_ARRAY;
/* Dissects a DELTA_ENUM_ARRAY: the 32-bit num_deltas, then a unique pointer
 * whose referent is dissected by netlogon_dissect_DELTA_ENUM_array.
 * num_deltas is display-only here (NULL out-pointer).
 * NOTE(review): remainder of the signature and the return are not shown. */
3061 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3062 packet_info *pinfo, proto_tree *tree,
3065 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3066 hf_netlogon_num_deltas, NULL);
3068 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3069 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3070 "DELTA_ENUM: deltas", -1, 0);
3077 * IDL long NetDatabaseDeltas(
3078 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3079 * IDL [in][string][ref] wchar_t *computername,
3080 * IDL [in][ref] AUTHENTICATOR credential,
3081 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3082 * IDL [in] long database_id,
3083 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3084 * IDL [in] long preferredmaximumlength,
3085 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* Request dissector for the call described by the NetDatabaseDeltas IDL
 * comment preceding it. Dissects the [in] parameters in order: server
 * handle, computer name, credential, return authenticator, database id,
 * domain modified count and maximum size. All pointers are reference
 * pointers (NDR_POINTER_REF).
 * NOTE(review): braces and the return are on lines not shown here. */
3089 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3090 packet_info *pinfo, proto_tree *tree, char *drep)
3092 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3093 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3094 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3096 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3097 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3098 "Computer Name", hf_netlogon_computer_name, 0);
3100 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3101 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3102 "AUTHENTICATOR: credential", -1, 0);
3104 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3105 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3106 "AUTHENTICATOR: return_authenticator", -1, 0);
3108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3109 hf_netlogon_database_id, NULL);
3111 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3112 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3113 "MODIFIED_COUNT: domain modified count", -1, 0);
/* preferredmaximumlength in the IDL */
3115 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3116 hf_netlogon_max_size, NULL);
/* Reply dissector for the NetDatabaseDeltas call. Dissects the [out]
 * parameters in order: return authenticator, domain modified count, a
 * unique pointer to the DELTA_ENUM_ARRAY, and the NT status return code
 * (hf_netlogon_rc).
 * NOTE(review): braces and the return are on lines not shown here. */
3121 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3122 packet_info *pinfo, proto_tree *tree, char *drep)
3124 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3125 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3126 "AUTHENTICATOR: return_authenticator", -1, 0);
3128 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3129 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3130 "MODIFIED_COUNT: domain modified count", -1, 0);
3132 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3133 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3134 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3136 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3137 hf_netlogon_rc, NULL);
3144 * IDL long NetDatabaseSync(
3145 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3146 * IDL [in][string][ref] wchar_t *computername,
3147 * IDL [in][ref] AUTHENTICATOR credential,
3148 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3149 * IDL [in] long database_id,
3150 * IDL [in][out][ref] long sync_context,
3151 * IDL [in] long preferredmaximumlength,
3152 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/* Request dissector for the call described by the NetDatabaseSync IDL
 * comment preceding it. Dissects the [in] parameters in order: server
 * handle, computer name, credential, return authenticator, database id,
 * sync context and maximum size.
 * NOTE(review): the IDL declares sync_context as [in][out][ref] long, but
 * it is dissected as a plain 32-bit value with no pointer wrapper. For a
 * top-level reference pointer that is presumably the same wire layout -
 * confirm against a capture.
 * NOTE(review): braces and the return are on lines not shown here. */
3156 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3157 packet_info *pinfo, proto_tree *tree, char *drep)
3159 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3160 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3161 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3163 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3164 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3165 "Computer Name", hf_netlogon_computer_name, 0);
3167 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3168 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3169 "AUTHENTICATOR: credential", -1, 0);
3171 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3172 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3173 "AUTHENTICATOR: return_authenticator", -1, 0);
3175 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3176 hf_netlogon_database_id, NULL);
3178 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3179 hf_netlogon_sync_context, NULL);
/* preferredmaximumlength in the IDL */
3181 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3182 hf_netlogon_max_size, NULL);
/* Reply dissector for the NetDatabaseSync call. Dissects the [out]
 * parameters in order: return authenticator, sync context, a unique pointer
 * to the DELTA_ENUM_ARRAY, and the NT status return code (hf_netlogon_rc).
 * NOTE(review): braces and the return are on lines not shown here. */
3189 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3190 packet_info *pinfo, proto_tree *tree, char *drep)
3192 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3193 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3194 "AUTHENTICATOR: return_authenticator", -1, 0);
3196 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3197 hf_netlogon_sync_context, NULL);
3199 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3200 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3201 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3203 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3204 hf_netlogon_rc, NULL);
3216 /* Updated above this line */
/* Generic pointer callback for a 32-bit referent. The header field to
 * display it under is taken from the call info (di->hf_index) that
 * dissect_ndr_pointer's caller supplied, not from a fixed hf_ variable.
 * NOTE(review): remainder of the signature, the declaration of di and the
 * return are on lines not shown here. */
3224 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
3225 packet_info *pinfo, proto_tree *tree,
3230 di=pinfo->private_data;
3231 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
3232 di->hf_index, NULL);
/* Generic pointer callback for an 8-bit referent, displayed under the header
 * field found in the call info (di->hf_index).
 * NOTE(review): remainder of the signature, the declaration of di and the
 * return are on lines not shown here. */
3237 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
3238 packet_info *pinfo, proto_tree *tree,
3243 di=pinfo->private_data;
3244 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3245 di->hf_index, NULL);
/* Dissects a pointer to a unicode string inside its own subtree
 * (ett_nt_unicode_string).
 *
 * type:     NDR pointer type forwarded to dissect_ndr_pointer.
 * hf_index: header field for the string; its registered name is also used
 *           as the label passed to dissect_ndr_pointer.
 * levels:   forwarded unchanged to dissect_ndr_pointer.
 *
 * Does nothing to dissect on a conformant run. Otherwise adds a text item
 * of initially open-ended length (-1), dissects the pointer with
 * dissect_ndr_nt_UNICODE_STRING_str as callback, and then sets the item
 * length to the bytes consumed.
 * NOTE(review): the body of the conformant_run branch and the return are on
 * lines not shown here. */
3250 netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
3251 packet_info *pinfo, proto_tree *parent_tree,
3252 char *drep, int type, int hf_index, int levels)
3254 proto_item *item=NULL;
3255 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3256 int old_offset=offset;
3260 di=pinfo->private_data;
3261 if(di->conformant_run){
3262 /*just a run to handle conformant arrays, nothing to dissect */
3266 name = proto_registrar_get_name(hf_index);
3268 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
3270 tree = proto_item_add_subtree(item, ett_nt_unicode_string);
3273 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3274 dissect_ndr_nt_UNICODE_STRING_str, type,
3275 name, hf_index, levels);
3277 proto_item_set_len(item, offset-old_offset);
/* Dissects a full pointer (NDR_POINTER_PTR) to a unicode string, displayed
 * under hf_netlogon_unknown_string with the label "unknown string".
 * NOTE(review): remainder of the signature and the return are not shown. */
3283 netlogon_dissect_WCHAR_ptr(tvbuff_t *tvb, int offset,
3284 packet_info *pinfo, proto_tree *tree,
3287 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3288 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3289 "unknown string", hf_netlogon_unknown_string, -1);
/* Dissects a TYPE_36 structure inside its own subtree (ett_TYPE_36): an
 * 8-bit hf_netlogon_unknown_char read followed by two 32-bit
 * hf_netlogon_unknown_long reads, then sets the item length to the bytes
 * consumed. The field meanings are not known (all use "unknown" fields).
 * NOTE(review): source lines 3308-3310 and 3313-3314 are missing from this
 * listing, so the uint8 read may sit inside a loop - TODO confirm. */
3295 netlogon_dissect_TYPE_36(tvbuff_t *tvb, int offset,
3296 packet_info *pinfo, proto_tree *parent_tree,
3299 proto_item *item=NULL;
3300 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3301 int old_offset=offset;
3305 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3307 tree = proto_item_add_subtree(item, ett_TYPE_36);
3311 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3312 hf_netlogon_unknown_char, NULL);
3315 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3316 hf_netlogon_unknown_long, NULL);
3318 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3319 hf_netlogon_unknown_long, NULL);
3321 proto_item_set_len(item, offset-old_offset);
/* Dissects a NETLOGON_INFO_1 structure inside its own subtree
 * (ett_NETLOGON_INFO_1): 32-bit flags, then 32-bit status, then sets the
 * item length to the bytes consumed.
 * NOTE(review): remainder of the signature and the return are not shown. */
3326 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3327 packet_info *pinfo, proto_tree *parent_tree,
3330 proto_item *item=NULL;
3331 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3332 int old_offset=offset;
3335 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3336 "NETLOGON_INFO_1:");
3337 tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_1);
3340 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3341 hf_netlogon_flags, NULL);
3343 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3344 hf_netlogon_status, NULL);
3346 proto_item_set_len(item, offset-old_offset);
/* Dissects a NETLOGON_INFO_2 structure inside its own subtree
 * (ett_NETLOGON_INFO_2): two 32-bit values, a full pointer to a unicode
 * string, and one more 32-bit value, then sets the item length to the bytes
 * consumed. All fields are displayed under "unknown" header fields; their
 * meaning is not established by this code.
 * NOTE(review): remainder of the signature and the return are not shown. */
3351 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3352 packet_info *pinfo, proto_tree *parent_tree,
3355 proto_item *item=NULL;
3356 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3357 int old_offset=offset;
3360 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3361 "NETLOGON_INFO_2:");
3362 tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_2);
3365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3366 hf_netlogon_unknown_long, NULL);
3368 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3369 hf_netlogon_unknown_long, NULL);
3371 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3372 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3373 "unknown", hf_netlogon_unknown_string, -1);
3375 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3376 hf_netlogon_unknown_long, NULL);
3378 proto_item_set_len(item, offset-old_offset);
/* Dissects a NETLOGON_INFO_3 structure inside its own subtree
 * (ett_NETLOGON_INFO_3): 32-bit flags, 32-bit logon attempts, then five
 * 32-bit values displayed as hf_netlogon_unknown_long, and finally sets the
 * item length to the bytes consumed.
 * NOTE(review): remainder of the signature and the return are not shown. */
3383 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3384 packet_info *pinfo, proto_tree *parent_tree,
3387 proto_item *item=NULL;
3388 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3389 int old_offset=offset;
3392 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3393 "NETLOGON_INFO_3:");
3394 tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_3);
3397 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3398 hf_netlogon_flags, NULL);
3400 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3401 hf_netlogon_logon_attempts, NULL);
/* five fields whose meaning is not known */
3403 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3404 hf_netlogon_unknown_long, NULL);
3406 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3407 hf_netlogon_unknown_long, NULL);
3409 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3410 hf_netlogon_unknown_long, NULL);
3412 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3413 hf_netlogon_unknown_long, NULL);
3415 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3416 hf_netlogon_unknown_long, NULL);
3418 proto_item_set_len(item, offset-old_offset);
/* Dissects a NETLOGON_INFO_4 structure inside its own subtree
 * (ett_NETLOGON_INFO_4): two full pointers to unicode strings, displayed as
 * hf_netlogon_trusted_dc_name and hf_netlogon_trusted_domain_name, then sets
 * the item length to the bytes consumed.
 * NOTE(review): both pointers carry the label "unknown" although their
 * header fields are named; the labels look like leftovers.
 * NOTE(review): remainder of the signature and the return are not shown. */
3423 netlogon_dissect_NETLOGON_INFO_4(tvbuff_t *tvb, int offset,
3424 packet_info *pinfo, proto_tree *parent_tree,
3427 proto_item *item=NULL;
3428 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3429 int old_offset=offset;
3432 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3433 "NETLOGON_INFO_4:");
3434 tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_4);
3437 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3438 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3439 "unknown", hf_netlogon_trusted_dc_name, -1);
3441 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3442 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3443 "unknown", hf_netlogon_trusted_domain_name, -1);
3445 proto_item_set_len(item, offset-old_offset);
/* Dissects one byte of a UNICODE_MULTI buffer, displayed as
 * hf_netlogon_unknown_char. Per-element callback of
 * netlogon_dissect_UNICODE_MULTI_array.
 * NOTE(review): remainder of the signature and the return are not shown. */
3450 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
3451 packet_info *pinfo, proto_tree *tree,
3454 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3455 hf_netlogon_unknown_char, NULL);
/* Dissects the UNICODE_MULTI buffer via dissect_ndr_ucarray, one byte at a
 * time through netlogon_dissect_UNICODE_MULTI_byte.
 * NOTE(review): remainder of the signature and the return are not shown. */
3461 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
3462 packet_info *pinfo, proto_tree *tree,
3465 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3466 netlogon_dissect_UNICODE_MULTI_byte);
/* Dissects one byte, displayed as hf_netlogon_unknown_char. Per-element
 * callback of netlogon_dissect_BYTE_array.
 * NOTE(review): remainder of the signature and the return are not shown. */
3472 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3473 packet_info *pinfo, proto_tree *tree,
3476 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3477 hf_netlogon_unknown_char, NULL);
/* Dissects a byte array via dissect_ndr_ucarray, one byte at a time through
 * netlogon_dissect_BYTE_byte.
 * NOTE(review): remainder of the signature and the return are not shown. */
3483 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3484 packet_info *pinfo, proto_tree *tree,
3487 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3488 netlogon_dissect_BYTE_byte);
/* Dissects a UNICODE_MULTI structure inside its own subtree
 * (ett_UNICODE_MULTI): a 32-bit length (hf_netlogon_len), then a full
 * pointer whose referent is dissected by
 * netlogon_dissect_UNICODE_MULTI_array, then sets the item length to the
 * bytes consumed. The length is display-only here (NULL out-pointer).
 * NOTE(review): remainder of the signature and the return are not shown. */
3494 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
3495 packet_info *pinfo, proto_tree *parent_tree,
3498 proto_item *item=NULL;
3499 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3500 int old_offset=offset;
3503 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3505 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
3508 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3509 hf_netlogon_len, NULL);
3511 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3512 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_PTR,
3513 "unknown", hf_netlogon_unknown_string, 0);
3515 proto_item_set_len(item, offset-old_offset);
/* Dissects a GUID inside its own subtree (ett_GUID) as one 32-bit value, two
 * 16-bit values and 8-bit data, all displayed under generic "unknown" header
 * fields, then sets the item length to the bytes consumed.
 * NOTE(review): only one dissect_ndr_uint8 call is visible, and source lines
 * 3543-3544 and 3547-3548 are missing from this listing; the call is
 * presumably inside a loop over the trailing bytes - TODO confirm. */
3520 dissect_nt_GUID(tvbuff_t *tvb, int offset,
3521 packet_info *pinfo, proto_tree *parent_tree,
3524 proto_item *item=NULL;
3525 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3526 int old_offset=offset;
3530 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3532 tree = proto_item_add_subtree(item, ett_GUID);
3535 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3536 hf_netlogon_unknown_long, NULL);
3538 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3539 hf_netlogon_unknown_short, NULL);
3541 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3542 hf_netlogon_unknown_short, NULL);
3545 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3546 hf_netlogon_unknown_char, NULL);
3549 proto_item_set_len(item, offset-old_offset);
/* Dissects a DOMAIN_CONTROLLER_INFO structure inside its own subtree
 * (ett_DOMAIN_CONTROLLER_INFO). Fields, in order: DC name, DC address,
 * DC address type, a GUID, logon domain, DNS forest name, flags, DC site
 * name and client site name. All strings are full pointers
 * (NDR_POINTER_PTR). The item length is set to the bytes consumed.
 * NOTE(review): every string pointer carries the label "unknown" although
 * its header field is named; the labels look like leftovers.
 * NOTE(review): the tail of the signature and of the dissect_nt_GUID call
 * are on lines not shown in this listing. */
3554 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
3555 packet_info *pinfo, proto_tree *parent_tree,
3558 proto_item *item=NULL;
3559 proto_tree *tree=NULL;
/* remembered so the item length can be fixed up once dissection is done */
3560 int old_offset=offset;
3563 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3564 "DOMAIN_CONTROLLER_INFO:");
3565 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
3568 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3569 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3570 "unknown", hf_netlogon_dc_name, -1);
3572 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3573 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3574 "unknown", hf_netlogon_dc_address, -1);
3576 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3577 hf_netlogon_dc_address_type, NULL);
3579 offset = dissect_nt_GUID(tvb, offset,
3582 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3583 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3584 "unknown", hf_netlogon_logon_dom, -1);
3586 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3587 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3588 "unknown", hf_netlogon_dns_forest_name, -1);
3590 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3591 hf_netlogon_flags, NULL);
3593 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3594 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3595 "unknown", hf_netlogon_dc_site_name, -1);
3597 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3598 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3599 "unknown", hf_netlogon_client_site_name, -1);
3601 proto_item_set_len(item, offset-old_offset);
/*
 * Pointer wrapper: passes netlogon_dissect_DOMAIN_CONTROLLER_INFO to
 * dissect_ndr_pointer as an NDR_POINTER_PTR callback, with hf index -1.
 */
3606 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr(tvbuff_t *tvb, int offset,
3607 packet_info *pinfo, proto_tree *tree,
3610 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3611 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_PTR,
3612 "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
/*
 * Second level of indirection: passes
 * netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr to dissect_ndr_pointer as an
 * NDR_POINTER_PTR callback. The label text is the same as the one used by
 * the single-pointer wrapper.
 */
3618 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr(tvbuff_t *tvb, int offset,
3619 packet_info *pinfo, proto_tree *tree,
3622 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3623 netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_PTR,
3624 "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
/*
 * Dissect the body of a BLOB: a uint32 size followed by that many bytes,
 * added to the tree as one hf_netlogon_blob item.
 *
 * When di->conformant_run is set the function is only being called for
 * the conformant-array pass and has nothing to dissect.
 */
3630 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
3631 packet_info *pinfo, proto_tree *tree,
3637 di=pinfo->private_data;
3638 if(di->conformant_run){
3639 /*just a run to handle conformant arrays, nothing to dissect.*/
/*
 * len is read straight from the packet and used unchanged as the item
 * length below.
 * NOTE(review): no range check on len is visible before
 * proto_tree_add_item, and the statement that advances offset past the
 * blob is not visible in this listing. Confirm that a len larger than the
 * remaining captured data is rejected by the tvbuff bounds checks and that
 * adding it to the signed int offset cannot wrap.
 */
3643 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3644 hf_netlogon_blob_size, &len);
3646 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
/*
 * Dissect a BLOB header into its own subtree (ett_BLOB): a uint32 shown as
 * hf_netlogon_blob_size, then an NDR_POINTER_PTR pointer whose referent is
 * dissected by netlogon_dissect_BLOB_array.
 *
 * The size read here is only displayed (the value pointer is NULL); the
 * length actually used for the data is the one netlogon_dissect_BLOB_array
 * reads for itself. NOTE(review): the two sizes are not compared anywhere
 * in the visible lines.
 */
3654 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
3655 packet_info *pinfo, proto_tree *parent_tree,
3658 proto_item *item=NULL;
3659 proto_tree *tree=NULL;
3662 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3664 tree = proto_item_add_subtree(item, ett_BLOB);
3667 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3668 hf_netlogon_blob_size, NULL);
3670 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3671 netlogon_dissect_BLOB_array, NDR_POINTER_PTR,
/*
 * Dissect a TYPE_46 structure into its own subtree (ett_TYPE_46).
 *
 * Order of reads: a BLOB; three NDR_POINTER_PTR strings (workstation FQDN,
 * workstation site name, workstation OS); three further pointer strings
 * and four inline UNICODE_STRINGs, all shown as unknown_string; then four
 * uint32 values shown as unknown_long.
 *
 * The workstation strings are packet data supplied by the sender and are
 * displayed as received. The item length is set to the bytes consumed.
 */
3678 netlogon_dissect_TYPE_46(tvbuff_t *tvb, int offset,
3679 packet_info *pinfo, proto_tree *parent_tree,
3682 proto_item *item=NULL;
3683 proto_tree *tree=NULL;
3684 int old_offset=offset;
3687 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3689 tree = proto_item_add_subtree(item, ett_TYPE_46);
3692 offset = netlogon_dissect_BLOB(tvb, offset,
3695 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3696 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3697 "unknown", hf_netlogon_workstation_fqdn, -1);
3699 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3700 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3701 "unknown", hf_netlogon_workstation_site_name, -1);
3703 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3704 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3705 "unknown", hf_netlogon_workstation_os, -1);
3707 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3708 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3709 "unknown", hf_netlogon_unknown_string, -1);
3711 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3712 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3713 "unknown", hf_netlogon_unknown_string, -1);
3715 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3716 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
3717 "unknown", hf_netlogon_unknown_string, -1);
3719 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3720 hf_netlogon_unknown_string, 0);
3722 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3723 hf_netlogon_unknown_string, 0);
3725 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3726 hf_netlogon_unknown_string, 0);
3728 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3729 hf_netlogon_unknown_string, 0);
3731 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3732 hf_netlogon_unknown_long, NULL);
3734 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3735 hf_netlogon_unknown_long, NULL);
3737 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3738 hf_netlogon_unknown_long, NULL);
3740 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3741 hf_netlogon_unknown_long, NULL);
3743 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect a TYPE_48 structure into its own subtree (ett_TYPE_48).
 *
 * Order of reads: three UNICODE_STRINGs, a GUID, a SID
 * (dissect_ndr_nt_PSID), four UNICODE_STRINGs, four uint32, two BLOBs,
 * four UNICODE_STRINGs and four more uint32. Apart from the GUID, SID and
 * BLOBs, every field is displayed with a generic hf_netlogon_unknown_*
 * field, so the tree shows values without their meaning.
 *
 * The item length is set to the bytes consumed (offset - old_offset).
 */
3748 netlogon_dissect_TYPE_48(tvbuff_t *tvb, int offset,
3749 packet_info *pinfo, proto_tree *parent_tree,
3752 proto_item *item=NULL;
3753 proto_tree *tree=NULL;
3754 int old_offset=offset;
3757 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3759 tree = proto_item_add_subtree(item, ett_TYPE_48);
3762 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3763 hf_netlogon_unknown_string, 0);
3765 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3766 hf_netlogon_unknown_string, 0);
3768 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3769 hf_netlogon_unknown_string, 0);
3771 offset = dissect_nt_GUID(tvb, offset,
3774 offset = dissect_ndr_nt_PSID(tvb, offset,
3777 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3778 hf_netlogon_unknown_string, 0);
3780 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3781 hf_netlogon_unknown_string, 0);
3783 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3784 hf_netlogon_unknown_string, 0);
3786 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3787 hf_netlogon_unknown_string, 0);
3789 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3790 hf_netlogon_unknown_long, NULL);
3792 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3793 hf_netlogon_unknown_long, NULL);
3795 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3796 hf_netlogon_unknown_long, NULL);
3798 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3799 hf_netlogon_unknown_long, NULL);
3801 offset = netlogon_dissect_BLOB(tvb, offset,
3804 offset = netlogon_dissect_BLOB(tvb, offset,
3807 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3808 hf_netlogon_unknown_string, 0);
3810 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3811 hf_netlogon_unknown_string, 0);
3813 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3814 hf_netlogon_unknown_string, 0);
3816 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
3817 hf_netlogon_unknown_string, 0);
3819 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3820 hf_netlogon_unknown_long, NULL);
3822 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3823 hf_netlogon_unknown_long, NULL);
3825 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3826 hf_netlogon_unknown_long, NULL);
3828 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3829 hf_netlogon_unknown_long, NULL);
3831 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect a UNICODE_STRING_512 item into its own subtree
 * (ett_UNICODE_STRING_512), labelled "UNICODE_STRING_512:".
 *
 * Visible reads: a uint16 shown as unknown_short and a uint32 shown as
 * unknown_long; the item length is then set to the bytes consumed.
 *
 * NOTE(review): the line numbers in this listing skip around both calls,
 * so any enclosing loop or repeat count is not visible here; confirm the
 * element count against the full file.
 */
3836 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
3837 packet_info *pinfo, proto_tree *parent_tree,
3840 proto_item *item=NULL;
3841 proto_tree *tree=NULL;
3842 int old_offset=offset;
3846 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3847 "UNICODE_STRING_512:");
3848 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
3852 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3853 hf_netlogon_unknown_short, NULL);
3856 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3857 hf_netlogon_unknown_long, NULL);
3859 proto_item_set_len(item, offset-old_offset);
/*
 * Per-element callback: dissects one uint8 and shows it as
 * hf_netlogon_unknown_char. Used by netlogon_dissect_element_844_array.
 */
3864 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
3865 packet_info *pinfo, proto_tree *tree,
3868 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3869 hf_netlogon_unknown_char, NULL);
/*
 * Dissects an array through dissect_ndr_ucarray, using
 * netlogon_dissect_element_844_byte for each element. The element count is
 * handled inside dissect_ndr_ucarray and comes from the packet.
 */
3875 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
3876 packet_info *pinfo, proto_tree *tree,
3879 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3880 netlogon_dissect_element_844_byte);
/*
 * Dissect a TYPE_50 structure into its own subtree (ett_TYPE_50): a uint32
 * shown as unknown_long, then an NDR_POINTER_UNIQUE pointer whose referent
 * is dissected by netlogon_dissect_element_844_array.
 *
 * NOTE(review): the uint32 is presumably the byte count of the array that
 * follows, but it is only displayed (value pointer NULL) and is not
 * compared with the array's own count in the visible lines.
 */
3886 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
3887 packet_info *pinfo, proto_tree *parent_tree,
3890 proto_item *item=NULL;
3891 proto_tree *tree=NULL;
3892 int old_offset=offset;
3895 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3897 tree = proto_item_add_subtree(item, ett_TYPE_50);
3900 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3901 hf_netlogon_unknown_long, NULL);
3903 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3904 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
3905 "unknown", hf_netlogon_unknown_string, 0);
3907 proto_item_set_len(item, offset-old_offset);
/*
 * Pointer wrapper: passes netlogon_dissect_TYPE_50 to dissect_ndr_pointer
 * as an NDR_POINTER_PTR callback, with hf index -1.
 */
3912 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
3913 packet_info *pinfo, proto_tree *tree,
3916 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3917 netlogon_dissect_TYPE_50, NDR_POINTER_PTR,
3918 "TYPE_50 pointer: unknown_TYPE_50", -1, 0);
/*
 * Second level of indirection: passes netlogon_dissect_TYPE_50_ptr to
 * dissect_ndr_pointer as an NDR_POINTER_PTR callback.
 */
3924 netlogon_dissect_TYPE_50_ptr_ptr(tvbuff_t *tvb, int offset,
3925 packet_info *pinfo, proto_tree *tree,
3928 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3929 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_PTR,
3930 "TYPE_50* pointer: unknown_TYPE_50", -1, 0);
/*
 * Per-element callback: dissects one uint8 and shows it as
 * hf_netlogon_unknown_char. Used by netlogon_dissect_element_861_array.
 */
3936 netlogon_dissect_element_861_byte(tvbuff_t *tvb, int offset,
3937 packet_info *pinfo, proto_tree *tree,
3940 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3941 hf_netlogon_unknown_char, NULL);
/*
 * Dissects an array through dissect_ndr_ucarray, using
 * netlogon_dissect_element_861_byte for each element.
 */
3947 netlogon_dissect_element_861_array(tvbuff_t *tvb, int offset,
3948 packet_info *pinfo, proto_tree *tree,
3951 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3952 netlogon_dissect_element_861_byte);
/*
 * Dissect a TYPE_51 structure into its own subtree (ett_TYPE_51): a uint32
 * shown as unknown_long, then an NDR_POINTER_UNIQUE pointer whose referent
 * is dissected by netlogon_dissect_element_861_array. The item length is
 * set to the bytes consumed (offset - old_offset).
 */
3958 netlogon_dissect_TYPE_51(tvbuff_t *tvb, int offset,
3959 packet_info *pinfo, proto_tree *parent_tree,
3962 proto_item *item=NULL;
3963 proto_tree *tree=NULL;
3964 int old_offset=offset;
3967 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3969 tree = proto_item_add_subtree(item, ett_TYPE_51);
3972 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3973 hf_netlogon_unknown_long, NULL);
3975 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3976 netlogon_dissect_element_861_array, NDR_POINTER_UNIQUE,
3977 "unknown", hf_netlogon_unknown_string, 0);
3979 proto_item_set_len(item, offset-old_offset);
/*
 * Per-element callback: dissects one uint8 and shows it as
 * hf_netlogon_unknown_char. Used by netlogon_dissect_element_865_array.
 */
3984 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
3985 packet_info *pinfo, proto_tree *tree,
3988 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3989 hf_netlogon_unknown_char, NULL);
/*
 * Dissects an array through dissect_ndr_ucarray, using
 * netlogon_dissect_element_865_byte for each element.
 */
3995 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
3996 packet_info *pinfo, proto_tree *tree,
3999 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4000 netlogon_dissect_element_865_byte);
/*
 * Per-element callback: dissects one uint8 and shows it as
 * hf_netlogon_unknown_char. Used by netlogon_dissect_element_866_array.
 */
4006 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4007 packet_info *pinfo, proto_tree *tree,
4010 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4011 hf_netlogon_unknown_char, NULL);
/*
 * Dissects an array through dissect_ndr_ucarray, using
 * netlogon_dissect_element_866_byte for each element.
 */
4017 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4018 packet_info *pinfo, proto_tree *tree,
4021 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4022 netlogon_dissect_element_866_byte);
/*
 * Dissect a TYPE_52 structure into its own subtree (ett_TYPE_52): a uint32
 * shown as unknown_long, then two NDR_POINTER_UNIQUE pointers whose
 * referents are dissected by netlogon_dissect_element_865_array and
 * netlogon_dissect_element_866_array. The item length is set to the bytes
 * consumed (offset - old_offset).
 */
4028 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4029 packet_info *pinfo, proto_tree *parent_tree,
4032 proto_item *item=NULL;
4033 proto_tree *tree=NULL;
4034 int old_offset=offset;
4037 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4039 tree = proto_item_add_subtree(item, ett_TYPE_52);
4042 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4043 hf_netlogon_unknown_long, NULL);
4045 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4046 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
4047 "unknown", hf_netlogon_unknown_string, 0);
4049 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4050 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
4051 "unknown", hf_netlogon_unknown_string, 0);
4053 proto_item_set_len(item, offset-old_offset);
/*
 * Pointer wrapper: passes netlogon_dissect_TYPE_52 to dissect_ndr_pointer
 * as an NDR_POINTER_PTR callback, with hf index -1.
 */
4058 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
4059 packet_info *pinfo, proto_tree *tree,
4062 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4063 netlogon_dissect_TYPE_52, NDR_POINTER_PTR,
4064 "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
/*
 * Second level of indirection: passes netlogon_dissect_TYPE_52_ptr to
 * dissect_ndr_pointer as an NDR_POINTER_PTR callback.
 */
4069 netlogon_dissect_TYPE_52_ptr_ptr(tvbuff_t *tvb, int offset,
4070 packet_info *pinfo, proto_tree *tree,
4073 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4074 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_PTR,
4075 "TYPE_52* pointer: unknown_TYPE_52", -1, 0);
/*
 * Dissect a NETLOGON_CONTROL_QUERY_INFO item into its own subtree
 * (ett_NETLOGON_CONTROL_QUERY_INFO).
 *
 * Reads a uint32 level from the packet into `level`, followed in this
 * listing by two NDR_POINTER_PTR strings, a uint32 and a third pointer
 * string, all shown with generic unknown_* fields.
 *
 * NOTE(review): presumably `level` selects one of these four reads; the
 * selecting statements are not visible here. Confirm that a level value
 * outside the handled set dissects nothing further.
 */
4081 netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO(tvbuff_t *tvb, int offset,
4082 packet_info *pinfo, proto_tree *parent_tree,
4085 proto_item *item=NULL;
4086 proto_tree *tree=NULL;
4087 int old_offset=offset;
4091 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4092 "NETLOGON_CONTROL_QUERY_INFO:");
4093 tree = proto_item_add_subtree(item, ett_NETLOGON_CONTROL_QUERY_INFO);
4096 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4097 hf_netlogon_level, &level);
4102 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4103 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
4104 "unknown", hf_netlogon_unknown_string, -1);
4107 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4108 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
4109 "unknown", hf_netlogon_unknown_string, -1);
4112 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4113 hf_netlogon_unknown_long, NULL);
4116 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4117 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
4118 "unknown", hf_netlogon_unknown_string, -1);
4122 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect a TYPE_44 item into its own subtree (ett_TYPE_44): a uint32
 * level read into `level`, then a uint32 shown as unknown_long.
 *
 * NOTE(review): presumably the second read is conditional on `level`; the
 * condition is not visible in this listing.
 */
4128 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
4129 packet_info *pinfo, proto_tree *parent_tree,
4132 proto_item *item=NULL;
4133 proto_tree *tree=NULL;
4134 int old_offset=offset;
4138 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4140 tree = proto_item_add_subtree(item, ett_TYPE_44);
4143 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4144 hf_netlogon_level, &level);
4149 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4150 hf_netlogon_unknown_long, NULL);
4154 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect a NETLOGON_INFO item into its own subtree (ett_NETLOGON_INFO).
 *
 * Reads a uint32 level from the packet into `level`, followed in this
 * listing by four NDR_POINTER_PTR pointers to NETLOGON_INFO_1 through
 * NETLOGON_INFO_4.
 *
 * NOTE(review): presumably `level` selects exactly one of the four
 * pointers; the selecting statements are not visible here. Confirm that an
 * unexpected level value from the wire dissects none of them.
 */
4159 netlogon_dissect_NETLOGON_INFO(tvbuff_t *tvb, int offset,
4160 packet_info *pinfo, proto_tree *parent_tree,
4163 proto_item *item=NULL;
4164 proto_tree *tree=NULL;
4165 int old_offset=offset;
4169 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4171 tree = proto_item_add_subtree(item, ett_NETLOGON_INFO);
4174 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4175 hf_netlogon_level, &level);
4180 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4181 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_PTR,
4182 "NETLOGON_INFO_1 pointer:", -1, 0);
4185 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4186 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_PTR,
4187 "NETLOGON_INFO_2 pointer:", -1, 0);
4190 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4191 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_PTR,
4192 "NETLOGON_INFO_3 pointer:", -1, 0);
4195 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4196 netlogon_dissect_NETLOGON_INFO_4, NDR_POINTER_PTR,
4197 "NETLOGON_INFO_4 pointer:", -1, 0);
4201 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect a TYPE_45 item into its own subtree (ett_TYPE_45): a uint32
 * level read into `level`, then two NDR_POINTER_PTR pointers that are both
 * dissected by netlogon_dissect_TYPE_46.
 *
 * NOTE(review): presumably `level` selects one of the two pointers; the
 * selecting statements are not visible in this listing.
 */
4206 netlogon_dissect_TYPE_45(tvbuff_t *tvb, int offset,
4207 packet_info *pinfo, proto_tree *parent_tree,
4210 proto_item *item=NULL;
4211 proto_tree *tree=NULL;
4212 int old_offset=offset;
4216 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4218 tree = proto_item_add_subtree(item, ett_TYPE_45);
4221 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4222 hf_netlogon_level, &level);
4227 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4228 netlogon_dissect_TYPE_46, NDR_POINTER_PTR,
4229 "TYPE_46 pointer:", -1, 0);
4232 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4233 netlogon_dissect_TYPE_46, NDR_POINTER_PTR,
4234 "TYPE_46 pointer:", -1, 0);
4238 proto_item_set_len(item, offset-old_offset);
/*
 * Dissect a TYPE_47 item into its own subtree (ett_TYPE_47): a uint32
 * level read into `level`, then an NDR_POINTER_PTR pointer to a TYPE_48
 * and an NDR_POINTER_PTR pointer to a UNICODE_MULTI.
 *
 * NOTE(review): presumably `level` selects one of the two pointers; the
 * selecting statements are not visible in this listing.
 */
4243 netlogon_dissect_TYPE_47(tvbuff_t *tvb, int offset,
4244 packet_info *pinfo, proto_tree *parent_tree,
4247 proto_item *item=NULL;
4248 proto_tree *tree=NULL;
4249 int old_offset=offset;
4253 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4255 tree = proto_item_add_subtree(item, ett_TYPE_47);
4258 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4259 hf_netlogon_level, &level);
4264 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4265 netlogon_dissect_TYPE_48, NDR_POINTER_PTR,
4266 "TYPE_48 pointer:", -1, 0);
4269 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4270 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_PTR,
4271 "UNICODE_MULTI pointer:", -1, 0);
4275 proto_item_set_len(item, offset-old_offset);
/*
 * Request dissector for the netlogonaccountdeltas call.
 *
 * Reads, in order: the LOGONSRV_HANDLE, a UNICODE_STRING
 * (NDR_POINTER_REF), the "credential" AUTHENTICATOR, the
 * "return_authenticator" AUTHENTICATOR, a TYPE_36 structure and three
 * uint32 values shown as unknown_long.
 */
4281 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
4282 packet_info *pinfo, proto_tree *tree, char *drep)
4284 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4287 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4288 NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
4290 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4291 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4292 "AUTHENTICATOR: credential", -1, 0);
4294 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4295 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4296 "AUTHENTICATOR: return_authenticator", -1, 0);
4298 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4299 netlogon_dissect_TYPE_36, NDR_POINTER_REF,
4300 "TYPE_36 pointer: unknown_TYPE_36", -1, 0);
4302 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4303 hf_netlogon_unknown_long, NULL);
4305 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4306 hf_netlogon_unknown_long, NULL);
4308 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4309 hf_netlogon_unknown_long, NULL);
/*
 * Reply dissector for the netlogonaccountdeltas call.
 *
 * Reads, in order: the "return_authenticator" AUTHENTICATOR, a BYTE_array,
 * two ULONG pointers shown as unknown_long, a TYPE_36 structure and the
 * NT status return code (hf_netlogon_rc).
 */
4315 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
4316 packet_info *pinfo, proto_tree *tree, char *drep)
4318 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4319 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4320 "AUTHENTICATOR: return_authenticator", -1, 0);
4322 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4323 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4324 "BYTE_array pointer: unknown_BYTE", -1, 0);
4326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4327 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4328 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4330 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4331 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4332 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4334 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4335 netlogon_dissect_TYPE_36, NDR_POINTER_REF,
4336 "TYPE_36 pointer: unknown_TYPE_36", -1, 0);
4338 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4339 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netlogonaccountsync call.
 *
 * Reads, in order: the LOGONSRV_HANDLE, a UNICODE_STRING
 * (NDR_POINTER_REF), the "credential" AUTHENTICATOR, the
 * "return_authenticator" AUTHENTICATOR and three uint32 values shown as
 * unknown_long.
 */
4345 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
4346 packet_info *pinfo, proto_tree *tree, char *drep)
4348 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4351 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4352 NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
4354 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4355 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4356 "AUTHENTICATOR: credential", -1, 0);
4358 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4359 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4360 "AUTHENTICATOR: return_authenticator", -1, 0);
4362 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4363 hf_netlogon_unknown_long, NULL);
4365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4366 hf_netlogon_unknown_long, NULL);
4368 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4369 hf_netlogon_unknown_long, NULL);
/*
 * Reply dissector for the netlogonaccountsync call.
 *
 * Reads, in order: the "return_authenticator" AUTHENTICATOR, a BYTE_array,
 * three ULONG pointers shown as unknown_long, a TYPE_36 structure and the
 * NT status return code (hf_netlogon_rc).
 */
4376 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
4377 packet_info *pinfo, proto_tree *tree, char *drep)
4379 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4380 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4381 "AUTHENTICATOR: return_authenticator", -1, 0);
4383 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4384 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4385 "BYTE_array pointer: unknown_BYTE", -1, 0);
4387 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4388 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4389 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4391 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4392 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4393 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4395 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4396 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4397 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4399 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4400 netlogon_dissect_TYPE_36, NDR_POINTER_REF,
4401 "TYPE_36 pointer: unknown_TYPE_36", -1, 0);
4403 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4404 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netlogongetdcname call.
 *
 * Reads, in order: a UNICODE_STRING (NDR_POINTER_REF), an
 * NDR_POINTER_UNIQUE string and an NDR_POINTER_REF pointer dissected by
 * netlogon_dissect_WCHAR_ptr. All three are shown as unknown strings.
 */
4410 netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
4411 packet_info *pinfo, proto_tree *tree, char *drep)
4414 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4415 NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
4417 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4418 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4419 "unknown string", hf_netlogon_unknown_string, 0);
4421 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4422 netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
4423 "WCHAR* pointer: unknown string", -1, 0);
/*
 * Reply dissector for the netlogongetdcname call: an NDR_POINTER_REF
 * pointer dissected by netlogon_dissect_WCHAR_ptr, then the NT status
 * return code (hf_netlogon_rc).
 */
4429 netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
4430 packet_info *pinfo, proto_tree *tree, char *drep)
4432 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4433 netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
4434 "WCHAR* pointer: unknown string", -1, 0);
4436 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4437 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netlogoncontrol call: the LOGONSRV_HANDLE,
 * then a uint32 function code (hf_netlogon_code) and a uint32 level
 * (hf_netlogon_level). Both integers are displayed only; neither value is
 * kept (value pointer NULL).
 */
4443 netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
4444 packet_info *pinfo, proto_tree *tree, char *drep)
4446 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4449 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4450 hf_netlogon_code, NULL);
4452 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4453 hf_netlogon_level, NULL);
/*
 * Reply dissector for the netlogoncontrol call: an NDR_POINTER_REF pointer
 * dissected by netlogon_dissect_NETLOGON_INFO, then the NT status return
 * code (hf_netlogon_rc).
 */
4460 netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
4461 packet_info *pinfo, proto_tree *tree, char *drep)
4463 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4464 netlogon_dissect_NETLOGON_INFO, NDR_POINTER_REF,
4465 "NETLOGON_INFO pointer: unknown_NETLOGON_INFO", -1, 0);
4467 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4468 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netlogongetanydcname call: the
 * LOGONSRV_HANDLE, an NDR_POINTER_UNIQUE string and an NDR_POINTER_REF
 * pointer dissected by netlogon_dissect_WCHAR_ptr, both shown as unknown
 * strings.
 */
4474 netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
4475 packet_info *pinfo, proto_tree *tree, char *drep)
4477 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4480 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4481 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4482 "unknown string", hf_netlogon_unknown_string, 0);
4484 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4485 netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
4486 "WCHAR* pointer: unknown string", -1, 0);
/*
 * Reply dissector for the netlogongetanydcname call: an NDR_POINTER_REF
 * pointer dissected by netlogon_dissect_WCHAR_ptr, then the NT status
 * return code (hf_netlogon_rc).
 */
4492 netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
4493 packet_info *pinfo, proto_tree *tree, char *drep)
4495 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4496 netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
4497 "WCHAR* pointer: unknown string", -1, 0);
4499 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4500 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netlogoncontrol2 call: the LOGONSRV_HANDLE, a
 * uint32 function code (hf_netlogon_code), a uint32 level
 * (hf_netlogon_level) and an NDR_POINTER_REF pointer dissected by
 * netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO.
 */
4506 netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
4507 packet_info *pinfo, proto_tree *tree, char *drep)
4509 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4512 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4513 hf_netlogon_code, NULL);
4515 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4516 hf_netlogon_level, NULL);
4518 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4519 netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO, NDR_POINTER_REF,
4520 "NETLOGON_CONTROL_QUERY_INFO pointer: unknown_NETLOGON_CONTROL_QUERY_INFO", -1, 0);
/*
 * Reply dissector for the netlogoncontrol2 call: an NDR_POINTER_REF
 * pointer dissected by netlogon_dissect_NETLOGON_INFO, then the NT status
 * return code (hf_netlogon_rc).
 */
4527 netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
4528 packet_info *pinfo, proto_tree *tree, char *drep)
4530 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4531 netlogon_dissect_NETLOGON_INFO, NDR_POINTER_REF,
4532 "NETLOGON_INFO pointer: unknown_NETLOGON_INFO", -1, 0);
4534 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4535 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netserverauthenticate2 call.
 *
 * Sets the Info column to "Auth2 request" when that column is in use, then
 * reads the LOGONSRV_HANDLE, the account name ("User Name"), the secure
 * channel type, the computer name, the client challenge (CREDENTIAL,
 * "client_chal") and the negotiate flags ("neg_flags").
 *
 * NOTE(review): neg_flags is displayed through the generic
 * hf_netlogon_unknown_long field, so the individual flag bits are not
 * broken out in the tree; anyone auditing what a client offered has to
 * decode the integer by hand. A dedicated bitfield would make captures of
 * this exchange easier to review.
 */
4541 netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
4542 packet_info *pinfo, proto_tree *tree, char *drep)
4544 if (check_col(pinfo->cinfo, COL_INFO))
4545 col_set_str(pinfo->cinfo, COL_INFO, "Auth2 request");
4547 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4550 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4551 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
4552 "User Name", hf_netlogon_acct_name, 0);
4554 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
4557 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4558 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
4559 "Computer Name", hf_netlogon_computer_name, 0);
4561 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4562 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4563 "CREDENTIAL pointer: client_chal", -1, 0);
4565 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4566 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4567 "ULONG pointer: neg_flags", hf_netlogon_unknown_long, 0);
/*
 * Reply dissector for the netserverauthenticate2 call.
 *
 * Sets the Info column to "Auth2 response" when that column is in use,
 * then reads the server challenge (CREDENTIAL, "server_chal"), the
 * negotiate flags ("neg_flags") and the NT status return code.
 *
 * NOTE(review): as in the request, neg_flags is shown through
 * hf_netlogon_unknown_long, so the flags the server accepted appear as a
 * raw integer and are not decoded bit by bit.
 */
4573 netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
4574 packet_info *pinfo, proto_tree *tree, char *drep)
4576 if (check_col(pinfo->cinfo, COL_INFO))
4577 col_set_str(pinfo->cinfo, COL_INFO, "Auth2 response");
4579 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4580 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4581 "CREDENTIAL pointer: server_chal", -1, 0);
4583 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4584 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4585 "ULONG pointer: neg_flags", hf_netlogon_unknown_long, 0);
4587 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4588 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netdatabasesync2 call.
 *
 * Reads, in order: the LOGONSRV_HANDLE, a UNICODE_STRING
 * (NDR_POINTER_REF), the "credential" AUTHENTICATOR, the
 * "return_authenticator" AUTHENTICATOR, a uint32, a uint16, a ULONG
 * pointer and a final uint32. The integers are all shown with generic
 * unknown_* fields.
 */
4594 netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
4595 packet_info *pinfo, proto_tree *tree, char *drep)
4597 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4600 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4601 NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
4603 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4604 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4605 "AUTHENTICATOR: credential", -1, 0);
4607 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4608 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4609 "AUTHENTICATOR: return_authenticator", -1, 0);
4611 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4612 hf_netlogon_unknown_long, NULL);
4614 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4615 hf_netlogon_unknown_short, NULL);
4617 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4618 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4619 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4621 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4622 hf_netlogon_unknown_long, NULL);
/*
 * Reply dissector for the netdatabasesync2 call.
 *
 * Reads, in order: the "return_authenticator" AUTHENTICATOR, a ULONG
 * pointer shown as unknown_long, an NDR_POINTER_UNIQUE pointer to a
 * DELTA_ENUM_ARRAY ("deltas") and the NT status return code.
 */
4629 netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
4630 packet_info *pinfo, proto_tree *tree, char *drep)
4632 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4633 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4634 "AUTHENTICATOR: return_authenticator", -1, 0);
4636 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4637 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4638 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4640 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4641 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4642 "DELTA_ENUM_ARRAY: deltas", -1, 0);
4644 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4645 hf_netlogon_rc, NULL);
/*
 * Request dissector for the netlogondatabaseredo call.
 *
 * Reads, in order: two UNICODE_STRINGs (NDR_POINTER_REF), the "credential"
 * AUTHENTICATOR, the "return_authenticator" AUTHENTICATOR, a BYTE_array
 * and a uint32 shown as unknown_long. No LOGONSRV_HANDLE call is visible
 * at the start of this request, unlike the neighbouring requests.
 */
4651 netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
4652 packet_info *pinfo, proto_tree *tree, char *drep)
4654 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4655 NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
4657 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4658 NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
4660 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4661 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4662 "AUTHENTICATOR: credential", -1, 0);
4664 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4665 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4666 "AUTHENTICATOR: return_authenticator", -1, 0);
4668 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4669 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
4670 "BYTE pointer: unknown_BYTE", -1, 0);
4672 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4673 hf_netlogon_unknown_long, NULL);
/*
 * Reply dissector for the netlogondatabaseredo call: the
 * "return_authenticator" AUTHENTICATOR, an NDR_POINTER_UNIQUE pointer to a
 * DELTA_ENUM_ARRAY ("deltas") and the NT status return code.
 */
4680 netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
4681 packet_info *pinfo, proto_tree *tree, char *drep)
4683 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4684 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4685 "AUTHENTICATOR: return_authenticator", -1, 0);
4687 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4688 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
4689 "DELTA_ENUM_ARRAY: deltas", -1, 0);
4691 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4692 hf_netlogon_rc, NULL);
/*
 * Request dissector for function 12 (no call name is given in the code):
 * the LOGONSRV_HANDLE, a uint32 shown as unknown_long, a uint32 level
 * (hf_netlogon_level) and an NDR_POINTER_REF pointer dissected by
 * netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO.
 */
4698 netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
4699 packet_info *pinfo, proto_tree *tree, char *drep)
4701 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4704 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4705 hf_netlogon_unknown_long, NULL);
4707 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4708 hf_netlogon_level, NULL);
4710 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4711 netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO, NDR_POINTER_REF,
4712 "NETLOGON_CONTROL_QUERY_INFO pointer: unknown_NETLOGON_CONTROL_QUERY_INFO", -1, 0);
/*
 * Reply dissector for function 12: an NDR_POINTER_REF pointer dissected by
 * netlogon_dissect_NETLOGON_INFO, then the NT status return code
 * (hf_netlogon_rc).
 */
4719 netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
4720 packet_info *pinfo, proto_tree *tree, char *drep)
4722 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4723 netlogon_dissect_NETLOGON_INFO, NDR_POINTER_REF,
4724 "NETLOGON_INFO pointer: unknown_NETLOGON_INFO", -1, 0);
4726 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4727 hf_netlogon_rc, NULL);
/*
 * Request dissector for the nettrusteddomainlist call. The only read
 * visible in this listing is the LOGONSRV_HANDLE.
 */
4733 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
4734 packet_info *pinfo, proto_tree *tree, char *drep)
4736 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply dissector for the nettrusteddomainlist call: an NDR_POINTER_REF
 * pointer to a UNICODE_MULTI ("trust_dom_name_list"), then the NT status
 * return code (hf_netlogon_rc).
 */
4744 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
4745 packet_info *pinfo, proto_tree *tree, char *drep)
4747 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4748 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
4749 "UNICODE_MULTI pointer: trust_dom_name_list", -1, 0);
4751 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4752 hf_netlogon_rc, NULL);
/*
 * Request-side dissector listed for NETLOGON_DSRGETDCNAME2.  Decodes the
 * server handle, the domain name, the domain and site GUIDs (all unique
 * pointers) and a 32-bit flags value.
 */
static int
netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* domain name */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Domain", hf_netlogon_logon_dom, 0);

	/* domain_guid */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID, NDR_POINTER_UNIQUE,
		"GUID pointer: domain_guid", -1, 0);

	/* site_guid */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID, NDR_POINTER_UNIQUE,
		"GUID pointer: site_guid", -1, 0);

	/* flags, shown as one 32-bit value through hf_netlogon_flags */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_flags, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_DSRGETDCNAME2.  Decodes the
 * returned DOMAIN_CONTROLLER_INFO pointer and the NT status.
 */
static int
netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* info, reference pointer to a DOMAIN_CONTROLLER_INFO pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_REF,
		"DOMAIN_CONTROLLER_INFO* pointer: info", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_15 (operation name
 * not yet identified).  Decodes the server handle, one string, the client
 * credential, a return authenticator and a trailing 32-bit value.
 */
static int
netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* credential, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1, 0);

	/* return_authenticator, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_PTR,
		"AUTHENTICATOR: return_authenticator", -1, 0);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_15.  Decodes the
 * return authenticator, a TYPE_44 pointer (structure not yet named) and
 * the NT status.
 */
static int
netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* return_authenticator, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_PTR,
		"AUTHENTICATOR: return_authenticator", -1, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_44, NDR_POINTER_PTR,
		"TYPE_44 pointer: unknown_TYPE_44", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_16 (operation name
 * not yet identified).  Decodes the server handle and two 32-bit values
 * of unknown meaning.
 */
static int
netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* first unknown 32-bit value */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	/* second unknown 32-bit value */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_16.  The only field
 * decoded is the NT status.
 */
static int
netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_17 (operation name
 * not yet identified).  Decodes the server handle and one string.
 */
static int
netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_17.  Decodes a
 * pointer to a 32-bit value of unknown meaning and the NT status.
 */
static int
netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* pointed-to ULONG, shown through the generic unknown_long field */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long, NDR_POINTER_PTR,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_18 (operation name
 * not yet identified).  Decodes the server handle, a 32-bit value, a byte
 * array pointer and another 32-bit value.
 */
static int
netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	/* byte array of unknown content, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
		"BYTE pointer: unknown_BYTE", -1, 0);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Pointer callback used by the FUNCTION_18 and FUNCTION_19 reply
 * dissectors.  Decodes single bytes through hf_netlogon_unknown_char.
 *
 * NOTE(review): the listing drops the lines between the signature and the
 * dissect_ndr_uint8() call.  The 16-iteration loop below is restored from
 * the function name and the gap in the line numbering -- confirm the loop
 * bound against the original file.
 */
static int
netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	int i;

	for (i = 0; i < 16; i++) {
		offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
			hf_netlogon_unknown_char, NULL);
	}

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_18.  Decodes a
 * pointer handled by netlogon_dissect_BYTE_16_array and the NT status.
 */
static int
netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* byte block of unknown content, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_16_array, NDR_POINTER_PTR,
		"BYTE pointer: unknown_BYTE", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_19 (operation name
 * not yet identified).  Decodes the server handle, one string, a byte
 * array pointer and a 32-bit value.
 */
static int
netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* byte array of unknown content, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
		"BYTE pointer: unknown_BYTE", -1, 0);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_19.  Decodes a
 * pointer handled by netlogon_dissect_BYTE_16_array and the NT status.
 */
static int
netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* byte block of unknown content, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_16_array, NDR_POINTER_PTR,
		"BYTE pointer: unknown_BYTE", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_NETSERVERAUTHENTICATE3.
 * Decodes the server handle, account name, secure channel type, computer
 * name, the client credential and the negotiate flags.
 *
 * The negotiate flags are shown through the generic
 * hf_netlogon_unknown_long field: they are displayed as one raw 32-bit
 * value, not broken out bit by bit, and have no dedicated filter field.
 */
static int
netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* account being authenticated */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Acct Name", hf_netlogon_acct_name, 0);

	/* NOTE(review): continuation line missing from the listing here as
	 * well; trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
		pinfo, tree, drep);

	/* computer name */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Computer Name", hf_netlogon_computer_name, 0);

	/* client credential, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
		"CREDENTIAL pointer: authenticator", -1, 0);

	/* negotiate_flags, raw 32-bit value (see header comment) */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long, NDR_POINTER_PTR,
		"ULONG pointer: negotiate_flags", hf_netlogon_unknown_long, 0);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_NETSERVERAUTHENTICATE3.
 * Decodes a credential, the negotiate flags, one further 32-bit value
 * whose meaning is not identified, and the NT status.
 *
 * Both 32-bit values are shown through hf_netlogon_unknown_long, so the
 * negotiated flags appear as a raw number with no per-bit breakdown.
 */
static int
netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* credential, reference pointer (presumably the server's -- the
	 * label still calls it unknown) */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
		"CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1, 0);

	/* negotiate_flags, raw 32-bit value */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long, NDR_POINTER_PTR,
		"ULONG pointer: negotiate_flags", hf_netlogon_unknown_long, 0);

	/* meaning unknown */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long, NDR_POINTER_PTR,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_DSRGETDCNAME.  Decodes the
 * server handle, the domain name, the domain GUID, the site name and a
 * 32-bit flags value.
 */
static int
netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* domain name */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Domain", hf_netlogon_logon_dom, 0);

	/* domain_guid */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID, NDR_POINTER_UNIQUE,
		"GUID pointer: domain_guid", -1, 0);

	/* site name */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Site Name", hf_netlogon_site_name, 0);

	/* flags, shown as one 32-bit value through hf_netlogon_flags */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_flags, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_DSRGETDCNAME.  Decodes the
 * returned DOMAIN_CONTROLLER_INFO pointer and the NT status.
 */
static int
netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* info, reference pointer to a DOMAIN_CONTROLLER_INFO pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_REF,
		"DOMAIN_CONTROLLER_INFO* pointer: info", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_DSRGETSITENAME.  The only
 * field decoded is the server handle.
 */
static int
netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_DSRGETSITENAME.  Decodes the
 * site name and the NT status.  Unlike the other string fields in this
 * group, the site name goes through netlogon_dissect_UNICODE_STRING
 * directly instead of through dissect_ndr_pointer.
 */
static int
netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* site name, shown through hf_netlogon_site_name */
	offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
		NDR_POINTER_REF, hf_netlogon_site_name, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_1D (operation name
 * not yet identified).  Decodes the server handle, the computer name, the
 * client credential, a return authenticator, a 32-bit value and a TYPE_45
 * structure (not yet named).
 */
static int
netlogon_dissect_function_1d_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* computer name */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Computer Name", hf_netlogon_computer_name, 0);

	/* credential, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1, 0);

	/* return_authenticator, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_PTR,
		"AUTHENTICATOR: return_authenticator", -1, 0);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	/* NOTE(review): continuation line missing from the listing here as
	 * well; trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_TYPE_45(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_1D.  Decodes the
 * return authenticator, a TYPE_47 pointer (structure not yet named) and
 * the NT status.
 */
static int
netlogon_dissect_function_1d_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* return_authenticator, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_PTR,
		"AUTHENTICATOR: return_authenticator", -1, 0);

	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_47, NDR_POINTER_PTR,
		"TYPE_47 pointer: unknown_TYPE_47", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_1E (operation name
 * not yet identified).  Decodes the server handle, a string, a 16-bit
 * value, a second string, the client credential and a UNICODE_STRING_512
 * structure.
 */
static int
netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* first string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* meaning unknown */
	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_short, NULL);

	/* second string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* credential, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1, 0);

	/* NOTE(review): continuation line missing from the listing here as
	 * well; trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_1E.  Decodes the
 * return authenticator and the NT status.
 */
static int
netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* return_authenticator, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_PTR,
		"AUTHENTICATOR: return_authenticator", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_NETSERVERPASSWORDSET2.
 * Decodes the server handle, account name, secure channel type, computer
 * name and the client credential.
 *
 * NOTE(review): nothing after the credential is decoded.  If the
 * operation carries the new password after it, those bytes are left
 * undissected -- check against the interface definition.
 */
static int
netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* account whose password is being set */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Acct Name", hf_netlogon_acct_name, 0);

	/* NOTE(review): continuation line missing from the listing here as
	 * well; trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
		pinfo, tree, drep);

	/* computer name */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Computer Name", hf_netlogon_computer_name, 0);

	/* credential, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1, 0);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_NETSERVERPASSWORDSET2.
 * Decodes the return authenticator, an LM_OWF_PASSWORD labelled
 * "server_pwd" and the NT status.
 *
 * NOTE(review): the reply is decoded as carrying password-hash material;
 * confirm against the interface definition that this field really is
 * part of the reply.
 */
static int
netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* return_authenticator, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: return_authenticator", -1, 0);

	/* server_pwd, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
		"LM_OWF_PASSWORD pointer: server_pwd", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_20 (operation name
 * not yet identified).  Decodes the server handle, one string, the client
 * credential, a byte array pointer and a 32-bit value.
 */
static int
netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* string of unknown meaning; full pointer with last argument -1,
	 * where the other string fields in this group pass
	 * NDR_POINTER_UNIQUE and 0 */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
		"unknown string", hf_netlogon_unknown_string, -1);

	/* credential, reference pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
		"AUTHENTICATOR: credential", -1, 0);

	/* byte array of unknown content, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
		"BYTE pointer: unknown_BYTE", -1, 0);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_20.  Decodes the
 * return authenticator and the NT status.
 */
static int
netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* return_authenticator, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_AUTHENTICATOR, NDR_POINTER_PTR,
		"AUTHENTICATOR: return_authenticator", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_21 (operation name
 * not yet identified).  Decodes the server handle, a 32-bit value and a
 * byte array pointer.
 */
static int
netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	/* byte array of unknown content, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
		"BYTE pointer: unknown_BYTE", -1, 0);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_21.  Decodes a
 * TYPE_50 pointer-to-pointer (structure not yet named) and the NT status.
 */
static int
netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_50_ptr_ptr, NDR_POINTER_REF,
		"TYPE_50** pointer: unknown_TYPE_50", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_22 (operation name
 * not yet identified).  Decodes the server handle, then string, 32-bit
 * value, string, GUID, string, 32-bit value -- all of unknown meaning.
 */
static int
netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* first string */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* first 32-bit value */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	/* second string */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* GUID */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID, NDR_POINTER_UNIQUE,
		"GUID pointer: unknown_GUID", -1, 0);

	/* third string */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* second 32-bit value */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_22.  Decodes a
 * DOMAIN_CONTROLLER_INFO pointer-to-pointer and the NT status.
 */
static int
netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr, NDR_POINTER_REF,
		"DOMAIN_CONTROLLER_INFO** pointer: unknown_DOMAIN_CONTROLLER_INFO", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_23 (operation name
 * not yet identified).  The only field decoded is the server handle.
 */
static int
netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_23.  Decodes one
 * string, a pointer to a 32-bit value and the NT status.
 */
static int
netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* string of unknown meaning; full pointer, last argument -1 */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
		"unknown string", hf_netlogon_unknown_string, -1);

	/* pointed-to ULONG of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long, NDR_POINTER_PTR,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_24 (operation name
 * not yet identified).  The only field decoded is the server handle.
 */
static int
netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_24.  Decodes a
 * TYPE_51 pointer (structure not yet named) and the NT status.
 */
static int
netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_51, NDR_POINTER_PTR,
		"TYPE_51 pointer: unknown_TYPE_51", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_25 (operation name
 * not yet identified).  Decodes the server handle, a 32-bit value and a
 * byte array pointer.
 */
static int
netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	/* byte array of unknown content, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
		"BYTE pointer: unknown_BYTE", -1, 0);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_25.  Decodes a
 * TYPE_52 pointer-to-pointer (structure not yet named) and the NT status.
 */
static int
netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_52_ptr_ptr, NDR_POINTER_REF,
		"TYPE_52** pointer: unknown_TYPE_52", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_26 (operation name
 * not yet identified).  Decodes a single string; no server handle is
 * decoded first, unlike most requests in this group.
 */
static int
netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_26.  Decodes a
 * TYPE_50 pointer-to-pointer (structure not yet named) and the NT status.
 */
static int
netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_50_ptr_ptr, NDR_POINTER_REF,
		"TYPE_50** pointer: unknown_TYPE_50", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_FUNCTION_27 (operation name
 * not yet identified).  Decodes two strings, a 16-bit value, a LEVEL
 * pointer, a second 16-bit value and a pointer to a 32-bit value.  No
 * server handle is decoded first.
 */
static int
netlogon_dissect_function_27_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* first string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* second string of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"unknown string", hf_netlogon_unknown_string, 0);

	/* first 16-bit value, meaning unknown */
	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_short, NULL);

	/* LEVEL, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_LEVEL, NDR_POINTER_PTR,
		"LEVEL pointer: unknown_NETLOGON_LEVEL", -1, 0);

	/* second 16-bit value, meaning unknown */
	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_short, NULL);

	/* pointed-to ULONG of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long, NDR_POINTER_PTR,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_FUNCTION_27.  Decodes a
 * VALIDATION pointer, a pointer to a one-byte value, a pointer to a
 * 32-bit value and the NT status.
 */
static int
netlogon_dissect_function_27_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* VALIDATION, full pointer */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_VALIDATION, NDR_POINTER_PTR,
		"VALIDATION: unknown_NETLOGON_VALIDATION", -1, 0);

	/* pointed-to byte, labelled BOOLEAN */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_char, NDR_POINTER_PTR,
		"BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char, 0);

	/* pointed-to ULONG of unknown meaning */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_pointer_long, NDR_POINTER_PTR,
		"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for
 * NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION.  Decodes the server handle
 * and one 32-bit value of unknown meaning.
 */
static int
netlogon_dissect_dsrrolegetprimarydomaininformation_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* meaning unknown */
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
		hf_netlogon_unknown_long, NULL);

	return offset;
}
/*
 * Reply-side dissector listed for
 * NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION.  Decodes a TYPE_51 pointer
 * (structure not yet named) and the NT status.
 */
static int
netlogon_dissect_dsrrolegetprimarydomaininformation_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		netlogon_dissect_TYPE_51, NDR_POINTER_PTR,
		"TYPE_51 pointer: unknown_TYPE_51", -1, 0);

	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Request-side dissector listed for NETLOGON_DSRDEREGISTERDNSHOSTRECORDS.
 * Decodes the server handle, the domain name, the domain and DSA GUIDs
 * and the DNS host name.
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NOTE(review): the listing drops this call's continuation line;
	 * trailing arguments restored as pinfo, tree, drep -- confirm */
	offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
		pinfo, tree, drep);

	/* domain name */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
		"Domain", hf_netlogon_logon_dom, 0);

	/* domain_guid */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID, NDR_POINTER_UNIQUE,
		"GUID pointer: domain_guid", -1, 0);

	/* dsa_guid */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_nt_GUID, NDR_POINTER_UNIQUE,
		"GUID pointer: dsa_guid", -1, 0);

	/* DNS host name; full pointer, last argument -1 */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
		dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
		"dns_host", hf_netlogon_dns_host, -1);

	return offset;
}
/*
 * Reply-side dissector listed for NETLOGON_DSRDEREGISTERDNSHOSTRECORDS.
 * The only field decoded is the NT status.
 */
static int
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
	packet_info *pinfo, proto_tree *tree, char *drep)
{
	/* NT status, shown through hf_netlogon_rc */
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
		hf_netlogon_rc, NULL);

	return offset;
}
/*
 * Per-operation dispatch table for the NETLOGON interface.  Each entry
 * gives the opnum constant, the display name and the request and reply
 * dissectors, in that order; the all-zero entry ends the table.
 *
 * Entries named FUNCTION_xx are operations whose real name has not been
 * identified, so the string is a placeholder.  The display names are
 * repeated in netlogon_opnum_vals; the two tables have to be edited
 * together.
 */
static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
	{ NETLOGON_UASLOGON, "UasLogon",
		netlogon_dissect_netlogonuaslogon_rqst,
		netlogon_dissect_netlogonuaslogon_reply },
	{ NETLOGON_UASLOGOFF, "UasLogoff",
		netlogon_dissect_netlogonuaslogoff_rqst,
		netlogon_dissect_netlogonuaslogoff_reply },
	{ NETLOGON_NETLOGONSAMLOGON, "SamLogon",
		netlogon_dissect_netlogonsamlogon_rqst,
		netlogon_dissect_netlogonsamlogon_reply },
	{ NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
		netlogon_dissect_netlogonsamlogoff_rqst,
		netlogon_dissect_netlogonsamlogoff_reply },
	{ NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
		netlogon_dissect_netserverreqchallenge_rqst,
		netlogon_dissect_netserverreqchallenge_reply },
	{ NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
		netlogon_dissect_netserverauthenticate_rqst,
		netlogon_dissect_netserverauthenticate_reply },
	{ NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
		netlogon_dissect_netserverpasswordset_rqst,
		netlogon_dissect_netserverpasswordset_reply },
	{ NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
		netlogon_dissect_netsamdeltas_rqst,
		netlogon_dissect_netsamdeltas_reply },
	{ NETLOGON_DATABASESYNC, "DatabaseSync",
		netlogon_dissect_netlogondatabasesync_rqst,
		netlogon_dissect_netlogondatabasesync_reply },
	{ NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
		netlogon_dissect_netlogonaccountdeltas_rqst,
		netlogon_dissect_netlogonaccountdeltas_reply },
	{ NETLOGON_ACCOUNTSYNC, "AccountSync",
		netlogon_dissect_netlogonaccountsync_rqst,
		netlogon_dissect_netlogonaccountsync_reply },
	{ NETLOGON_GETDCNAME, "GetDCName",
		netlogon_dissect_netlogongetdcname_rqst,
		netlogon_dissect_netlogongetdcname_reply },
	{ NETLOGON_NETLOGONCONTROL, "NETLOGONCONTROL",
		netlogon_dissect_netlogoncontrol_rqst,
		netlogon_dissect_netlogoncontrol_reply },
	{ NETLOGON_GETANYDCNAME, "GetAnyDCName",
		netlogon_dissect_netlogongetanydcname_rqst,
		netlogon_dissect_netlogongetanydcname_reply },
	{ NETLOGON_NETLOGONCONTROL2, "NETLOGONCONTROL2",
		netlogon_dissect_netlogoncontrol2_rqst,
		netlogon_dissect_netlogoncontrol2_reply },
	{ NETLOGON_NETSERVERAUTHENTICATE2, "NETSERVERAUTHENTICATE2",
		netlogon_dissect_netserverauthenticate2_rqst,
		netlogon_dissect_netserverauthenticate2_reply },
	{ NETLOGON_NETDATABASESYNC2, "NETDATABASESYNC2",
		netlogon_dissect_netdatabasesync2_rqst,
		netlogon_dissect_netdatabasesync2_reply },
	{ NETLOGON_DATABASEREDO, "DatabaseRedo",
		netlogon_dissect_netlogondatabaseredo_rqst,
		netlogon_dissect_netlogondatabaseredo_reply },
	{ NETLOGON_FUNCTION_12, "FUNCTION_12",
		netlogon_dissect_function_12_rqst,
		netlogon_dissect_function_12_reply },
	{ NETLOGON_NETTRUSTEDDOMAINLIST, "NETTRUSTEDDOMAINLIST",
		netlogon_dissect_nettrusteddomainlist_rqst,
		netlogon_dissect_nettrusteddomainlist_reply },
	{ NETLOGON_DSRGETDCNAME2, "DSRGETDCNAME2",
		netlogon_dissect_dsrgetdcname2_rqst,
		netlogon_dissect_dsrgetdcname2_reply },
	{ NETLOGON_FUNCTION_15, "FUNCTION_15",
		netlogon_dissect_function_15_rqst,
		netlogon_dissect_function_15_reply },
	{ NETLOGON_FUNCTION_16, "FUNCTION_16",
		netlogon_dissect_function_16_rqst,
		netlogon_dissect_function_16_reply },
	{ NETLOGON_FUNCTION_17, "FUNCTION_17",
		netlogon_dissect_function_17_rqst,
		netlogon_dissect_function_17_reply },
	{ NETLOGON_FUNCTION_18, "FUNCTION_18",
		netlogon_dissect_function_18_rqst,
		netlogon_dissect_function_18_reply },
	{ NETLOGON_FUNCTION_19, "FUNCTION_19",
		netlogon_dissect_function_19_rqst,
		netlogon_dissect_function_19_reply },
	{ NETLOGON_NETSERVERAUTHENTICATE3, "NETSERVERAUTHENTICATE3",
		netlogon_dissect_netserverauthenticate3_rqst,
		netlogon_dissect_netserverauthenticate3_reply },
	{ NETLOGON_DSRGETDCNAME, "DSRGETDCNAME",
		netlogon_dissect_dsrgetdcname_rqst,
		netlogon_dissect_dsrgetdcname_reply },
	{ NETLOGON_DSRGETSITENAME, "DSRGETSITENAME",
		netlogon_dissect_dsrgetsitename_rqst,
		netlogon_dissect_dsrgetsitename_reply },
	{ NETLOGON_FUNCTION_1D, "FUNCTION_1D",
		netlogon_dissect_function_1d_rqst,
		netlogon_dissect_function_1d_reply },
	{ NETLOGON_FUNCTION_1E, "FUNCTION_1E",
		netlogon_dissect_function_1e_rqst,
		netlogon_dissect_function_1e_reply },
	{ NETLOGON_NETSERVERPASSWORDSET2, "NETSERVERPASSWORDSET2",
		netlogon_dissect_netserverpasswordset2_rqst,
		netlogon_dissect_netserverpasswordset2_reply },
	{ NETLOGON_FUNCTION_20, "FUNCTION_20",
		netlogon_dissect_function_20_rqst,
		netlogon_dissect_function_20_reply },
	{ NETLOGON_FUNCTION_21, "FUNCTION_21",
		netlogon_dissect_function_21_rqst,
		netlogon_dissect_function_21_reply },
	{ NETLOGON_FUNCTION_22, "FUNCTION_22",
		netlogon_dissect_function_22_rqst,
		netlogon_dissect_function_22_reply },
	{ NETLOGON_FUNCTION_23, "FUNCTION_23",
		netlogon_dissect_function_23_rqst,
		netlogon_dissect_function_23_reply },
	{ NETLOGON_FUNCTION_24, "FUNCTION_24",
		netlogon_dissect_function_24_rqst,
		netlogon_dissect_function_24_reply },
	{ NETLOGON_FUNCTION_25, "FUNCTION_25",
		netlogon_dissect_function_25_rqst,
		netlogon_dissect_function_25_reply },
	{ NETLOGON_FUNCTION_26, "FUNCTION_26",
		netlogon_dissect_function_26_rqst,
		netlogon_dissect_function_26_reply },
	{ NETLOGON_FUNCTION_27, "FUNCTION_27",
		netlogon_dissect_function_27_rqst,
		netlogon_dissect_function_27_reply },
	{ NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DSRROLEGETPRIMARYDOMAININFORMATION",
		netlogon_dissect_dsrrolegetprimarydomaininformation_rqst,
		netlogon_dissect_dsrrolegetprimarydomaininformation_reply },
	{ NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DSRDEREGISTERDNSHOSTRECORDS",
		netlogon_dissect_dsrderegisterdnshostrecords_rqst,
		netlogon_dissect_dsrderegisterdnshostrecords_reply },
	{0, NULL, NULL, NULL }
};
/*
 * Opnum-to-name strings for the "netlogon.opnum" field (attached to
 * hf_netlogon_opnum through VALS() in proto_register_dcerpc_netlogon).
 * The names repeat those in dcerpc_netlogon_dissectors; FUNCTION_xx
 * entries are placeholders for operations not yet identified, so
 * matching on the numeric opnum is more stable than matching on the name.
 */
static const value_string netlogon_opnum_vals[] = {
	{ NETLOGON_UASLOGON, "UasLogon" },
	{ NETLOGON_UASLOGOFF, "UasLogoff" },
	{ NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
	{ NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
	{ NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
	{ NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
	{ NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
	{ NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
	{ NETLOGON_DATABASESYNC, "DatabaseSync" },
	{ NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
	{ NETLOGON_ACCOUNTSYNC, "AccountSync" },
	{ NETLOGON_GETDCNAME, "GetDCName" },
	{ NETLOGON_NETLOGONCONTROL, "NETLOGONCONTROL" },
	{ NETLOGON_GETANYDCNAME, "GetAnyDCName" },
	{ NETLOGON_NETLOGONCONTROL2, "NETLOGONCONTROL2" },
	{ NETLOGON_NETSERVERAUTHENTICATE2, "NETSERVERAUTHENTICATE2" },
	{ NETLOGON_NETDATABASESYNC2, "NETDATABASESYNC2" },
	{ NETLOGON_DATABASEREDO, "DatabaseRedo" },
	{ NETLOGON_FUNCTION_12, "FUNCTION_12" },
	{ NETLOGON_NETTRUSTEDDOMAINLIST, "NETTRUSTEDDOMAINLIST" },
	{ NETLOGON_DSRGETDCNAME2, "DSRGETDCNAME2" },
	{ NETLOGON_FUNCTION_15, "FUNCTION_15" },
	{ NETLOGON_FUNCTION_16, "FUNCTION_16" },
	{ NETLOGON_FUNCTION_17, "FUNCTION_17" },
	{ NETLOGON_FUNCTION_18, "FUNCTION_18" },
	{ NETLOGON_FUNCTION_19, "FUNCTION_19" },
	{ NETLOGON_NETSERVERAUTHENTICATE3, "NETSERVERAUTHENTICATE3" },
	{ NETLOGON_DSRGETDCNAME, "DSRGETDCNAME" },
	{ NETLOGON_DSRGETSITENAME, "DSRGETSITENAME" },
	{ NETLOGON_FUNCTION_1D, "FUNCTION_1D" },
	{ NETLOGON_FUNCTION_1E, "FUNCTION_1E" },
	{ NETLOGON_NETSERVERPASSWORDSET2, "NETSERVERPASSWORDSET2" },
	{ NETLOGON_FUNCTION_20, "FUNCTION_20" },
	{ NETLOGON_FUNCTION_21, "FUNCTION_21" },
	{ NETLOGON_FUNCTION_22, "FUNCTION_22" },
	{ NETLOGON_FUNCTION_23, "FUNCTION_23" },
	{ NETLOGON_FUNCTION_24, "FUNCTION_24" },
	{ NETLOGON_FUNCTION_25, "FUNCTION_25" },
	{ NETLOGON_FUNCTION_26, "FUNCTION_26" },
	{ NETLOGON_FUNCTION_27, "FUNCTION_27" },
	{ NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DSRROLEGETPRIMARYDOMAININFORMATION" },
	{ NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DSRDEREGISTERDNSHOSTRECORDS" },
	/* NOTE(review): the listing drops the lines after the last entry;
	 * the terminating entry below is restored -- confirm */
	{ 0, NULL }
};
/*
 * Protocol registration for NETLOGON: declares the header-field table hf[]
 * and the subtree-handle table ett[], registers the protocol under the name
 * "Microsoft Network Logon" (short name "NETLOGON", filter prefix
 * "rpc_netlogon"), then registers both tables.
 *
 * NOTE(review): the listing numbers embedded in each line skip values
 * (for example 5759 -> 5762 and 6350 -> 6352), so the return type, the
 * braces, part of ett[] and at least one call argument are not visible in
 * this extract. Confirm against the complete file before editing code here.
 */
5759 proto_register_dcerpc_netlogon(void)
/*
 * Each hf[] entry ties one hf_netlogon_* handle to a display label, a
 * display-filter name, a field type (FT_*), a display base (BASE_*), an
 * optional value-string table, a bitmask and a description string.
 */
5762 static hf_register_info hf[] = {
5763 { &hf_netlogon_opnum,
5764 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
5765 VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
/* Return codes are rendered through the NT_errors table (from smb.h). */
5767 { &hf_netlogon_rc, {
5768 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
5769 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
5771 { &hf_netlogon_param_ctrl, {
5772 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
5773 NULL, 0x0, "Param ctrl", HFILL }},
5775 { &hf_netlogon_logon_id, {
5776 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
5777 NULL, 0x0, "Logon ID", HFILL }},
5779 { &hf_netlogon_modify_count, {
5780 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
5781 NULL, 0x0, "How many times the object has been modified", HFILL }},
5783 { &hf_netlogon_security_information, {
5784 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
5785 NULL, 0x0, "Security Information", HFILL }},
5787 { &hf_netlogon_count, {
5788 "Count", "netlogon.count", FT_UINT16, BASE_DEC,
5789 NULL, 0x0, "", HFILL }},
/*
 * Authentication material. The entries from here through
 * hf_netlogon_nt_owf_password register credential, challenge, LM/NT OWF
 * password and user-session-key values as FT_BYTES fields, so the bytes
 * carried in the packet become visible in the protocol tree and
 * addressable by display filter. Captures and exported dissections that
 * contain these fields should be stored and shared as sensitive data.
 */
5791 { &hf_netlogon_credential, {
5792 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
5793 NULL, 0x0, "Netlogon credential", HFILL }},
5795 { &hf_netlogon_challenge, {
5796 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
5797 NULL, 0x0, "Netlogon challenge", HFILL }},
5799 { &hf_netlogon_lm_owf_password, {
5800 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
5801 NULL, 0x0, "LanManager OWF Password", HFILL }},
5803 { &hf_netlogon_user_session_key, {
5804 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
5805 NULL, 0x0, "User Session Key", HFILL }},
5807 { &hf_netlogon_encrypted_lm_owf_password, {
5808 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
5809 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
5811 { &hf_netlogon_nt_owf_password, {
5812 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
5813 NULL, 0x0, "NT OWF Password", HFILL }},
5815 { &hf_netlogon_blob, {
5816 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
5817 NULL, 0x0, "BLOB", HFILL }},
5819 { &hf_netlogon_len, {
5820 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
5821 NULL, 0, "Length", HFILL }},
5823 { &hf_netlogon_priv, {
5824 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
5825 NULL, 0, "", HFILL }},
5827 { &hf_netlogon_privilege_entries, {
5828 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
5829 NULL, 0, "", HFILL }},
5831 { &hf_netlogon_privilege_control, {
5832 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
5833 NULL, 0, "", HFILL }},
/*
 * NOTE(review): this is the only FT_STRING entry in the table declared
 * with BASE_HEX; every other string field uses BASE_NONE. Looks like an
 * oversight - confirm.
 */
5835 { &hf_netlogon_privilege_name, {
5836 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
5837 NULL, 0, "", HFILL }},
5839 { &hf_netlogon_status, {
5840 "Status", "netlogon.status", FT_UINT32, BASE_DEC,
5841 NULL, 0, "Status", HFILL }},
5843 { &hf_netlogon_attrs, {
5844 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
5845 NULL, 0, "Attributes", HFILL }},
/* Placeholder fields for values whose meaning is not yet known. */
5847 { &hf_netlogon_unknown_string,
5848 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
5849 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
5850 { &hf_netlogon_unknown_long,
5851 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
5852 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
5853 { &hf_netlogon_reserved,
5854 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
5855 NULL, 0x0, "Reserved", HFILL }},
5856 { &hf_netlogon_unknown_short,
5857 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
5858 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
5860 { &hf_netlogon_unknown_char,
5861 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
5862 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
5864 { &hf_netlogon_unknown_time,
5865 { "Unknown time", "netlogon.unknown.time", FT_ABSOLUTE_TIME, BASE_NONE,
5866 NULL, 0x0, "Unknown time. If you know what this is, contact ethereal developers.", HFILL }},
5868 { &hf_netlogon_acct_expiry_time,
5869 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
5870 NULL, 0x0, "When this account will expire", HFILL }},
5872 { &hf_netlogon_nt_pwd_present,
5873 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
5874 NULL, 0x0, "Is NT password present for this account?", HFILL }},
5876 { &hf_netlogon_lm_pwd_present,
5877 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
5878 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
5880 { &hf_netlogon_pwd_expired,
5881 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
5882 NULL, 0x0, "Whether this password has expired or not", HFILL }},
5884 { &hf_netlogon_num_pwd_pairs,
5885 { "Num PWD Pairs", "netlogon.num_pwd_pairs", FT_UINT8, BASE_DEC,
5886 NULL, 0x0, "Number of password pairs. Password history length?", HFILL }},
5888 { &hf_netlogon_authoritative,
5889 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
5890 NULL, 0x0, "", HFILL }},
5892 { &hf_netlogon_sensitive_data_flag,
5893 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
5894 NULL, 0x0, "Sensitive data flag", HFILL }},
5896 { &hf_netlogon_auditing_mode,
5897 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
5898 NULL, 0x0, "Auditing Mode", HFILL }},
5900 { &hf_netlogon_max_audit_event_count,
5901 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
5902 NULL, 0x0, "Max audit event count", HFILL }},
5904 { &hf_netlogon_event_audit_option,
5905 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
5906 NULL, 0x0, "Event audit option", HFILL }},
5908 { &hf_netlogon_sensitive_data_len,
5909 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
5910 NULL, 0x0, "Length of sensitive data", HFILL }},
/*
 * More raw-byte fields: NT/LM challenge responses, PAC data, the
 * "sensitive data" payload, auth data and the current/old cipher values
 * are all registered as FT_BYTES. The same handling caveat applies to
 * captures that contain them: treat the file as holding secrets.
 */
5912 { &hf_netlogon_nt_chal_resp,
5913 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
5914 NULL, 0, "Challenge response for NT authentication", HFILL }},
5916 { &hf_netlogon_lm_chal_resp,
5917 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
5918 NULL, 0, "Challenge response for LM authentication", HFILL }},
5920 { &hf_netlogon_cipher_len,
5921 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
5922 NULL, 0, "", HFILL }},
5924 { &hf_netlogon_cipher_maxlen,
5925 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
5926 NULL, 0, "", HFILL }},
5928 { &hf_netlogon_pac_data,
5929 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
5930 NULL, 0, "Pac Data", HFILL }},
5932 { &hf_netlogon_sensitive_data,
5933 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
5934 NULL, 0, "Sensitive Data", HFILL }},
5936 { &hf_netlogon_auth_data,
5937 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
5938 NULL, 0, "Auth Data", HFILL }},
5940 { &hf_netlogon_cipher_current_data,
5941 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
5942 NULL, 0, "", HFILL }},
5944 { &hf_netlogon_cipher_old_data,
5945 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
5946 NULL, 0, "", HFILL }},
/* Account, host and domain naming strings. */
5948 { &hf_netlogon_acct_name,
5949 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
5950 NULL, 0, "Account Name", HFILL }},
5952 { &hf_netlogon_acct_desc,
5953 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
5954 NULL, 0, "Account Description", HFILL }},
5956 { &hf_netlogon_group_desc,
5957 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
5958 NULL, 0, "Group Description", HFILL }},
5960 { &hf_netlogon_full_name,
5961 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
5962 NULL, 0, "Full Name", HFILL }},
5964 { &hf_netlogon_comment,
5965 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
5966 NULL, 0, "Comment", HFILL }},
5968 { &hf_netlogon_parameters,
5969 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
5970 NULL, 0, "Parameters", HFILL }},
5972 { &hf_netlogon_logon_script,
5973 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
5974 NULL, 0, "Logon Script", HFILL }},
5976 { &hf_netlogon_profile_path,
5977 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
5978 NULL, 0, "Profile Path", HFILL }},
5980 { &hf_netlogon_home_dir,
5981 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
5982 NULL, 0, "Home Directory", HFILL }},
5984 { &hf_netlogon_dir_drive,
5985 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
5986 NULL, 0, "Drive letter for home directory", HFILL }},
5988 { &hf_netlogon_logon_srv,
5989 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
5990 NULL, 0, "Server", HFILL }},
5992 { &hf_netlogon_principal,
5993 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
5994 NULL, 0, "Principal", HFILL }},
/*
 * NOTE(review): "netlogon.domain" is also the filter name given to
 * hf_netlogon_domain_name further down, so a filter on that name cannot
 * tell the two fields apart. Confirm that the shared name is intended.
 */
5996 { &hf_netlogon_logon_dom,
5997 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
5998 NULL, 0, "Domain", HFILL }},
6000 { &hf_netlogon_computer_name,
6001 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
6002 NULL, 0, "Computer Name", HFILL }},
6004 { &hf_netlogon_site_name,
6005 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
6006 NULL, 0, "Site Name", HFILL }},
6008 { &hf_netlogon_dc_name,
6009 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
6010 NULL, 0, "DC Name", HFILL }},
6012 { &hf_netlogon_dc_site_name,
6013 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
6014 NULL, 0, "DC Site Name", HFILL }},
6016 { &hf_netlogon_dns_forest_name,
6017 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
6018 NULL, 0, "DNS Forest Name", HFILL }},
6020 { &hf_netlogon_dc_address,
6021 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
6022 NULL, 0, "DC Address", HFILL }},
6024 { &hf_netlogon_dc_address_type,
6025 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6026 NULL, 0, "DC Address Type", HFILL }},
6028 { &hf_netlogon_client_name,
6029 { "Client Name", "netlogon.client.name", FT_STRING, BASE_NONE,
6030 NULL, 0, "Client Name", HFILL }},
6032 { &hf_netlogon_client_site_name,
6033 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6034 NULL, 0, "Client Site Name", HFILL }},
6036 { &hf_netlogon_workstation_site_name,
6037 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6038 NULL, 0, "Workstation Site Name", HFILL }},
6040 { &hf_netlogon_workstation,
6041 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6042 NULL, 0, "Workstation Name", HFILL }},
6044 { &hf_netlogon_workstation_os,
6045 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6046 NULL, 0, "Workstation OS", HFILL }},
6048 { &hf_netlogon_workstations,
6049 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6050 NULL, 0, "Workstations", HFILL }},
6052 { &hf_netlogon_workstation_fqdn,
6053 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6054 NULL, 0, "Workstation FQDN", HFILL }},
6056 { &hf_netlogon_group_name,
6057 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6058 NULL, 0, "Group Name", HFILL }},
6060 { &hf_netlogon_alias_name,
6061 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6062 NULL, 0, "Alias Name", HFILL }},
6064 { &hf_netlogon_dns_host,
6065 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6066 NULL, 0, "DNS Host", HFILL }},
6068 { &hf_netlogon_trusted_domain_name,
6069 { "Trusted Domain", "netlogon.trusted_domain", FT_STRING, BASE_NONE,
6070 NULL, 0, "Trusted Domain Name", HFILL }},
/*
 * NOTE(review): second use of the filter name "netlogon.domain"; it is
 * first used for hf_netlogon_logon_dom above.
 */
6072 { &hf_netlogon_domain_name,
6073 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6074 NULL, 0, "Domain Name", HFILL }},
6076 { &hf_netlogon_oem_info,
6077 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6078 NULL, 0, "OEM Info", HFILL }},
6080 { &hf_netlogon_trusted_dc_name,
6081 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6082 NULL, 0, "Trusted DC", HFILL }},
6084 { &hf_netlogon_logonsrv_handle,
6085 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6086 NULL, 0, "Logon Srv Handle", HFILL }},
6088 { &hf_netlogon_dummy,
6089 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6090 NULL, 0, "Dummy string", HFILL }},
/* Counters, levels and policy values; 16-bit and 32-bit variants are separate fields. */
6092 { &hf_netlogon_logon_count16,
6093 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6094 NULL, 0x0, "Number of successful logins", HFILL }},
6096 { &hf_netlogon_logon_count,
6097 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6098 NULL, 0x0, "Number of successful logins", HFILL }},
6100 { &hf_netlogon_last_logon,
6101 { "Last Logon", "netlogon.last_logon", FT_UINT32, BASE_DEC,
6102 NULL, 0x0, "Last Logon", HFILL }},
6104 { &hf_netlogon_last_logoff,
6105 { "Last Logoff", "netlogon.last_logoff", FT_UINT32, BASE_DEC,
6106 NULL, 0x0, "Last Logoff", HFILL }},
6108 { &hf_netlogon_bad_pw_count16,
6109 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6110 NULL, 0x0, "Number of failed logins", HFILL }},
6112 { &hf_netlogon_bad_pw_count,
6113 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6114 NULL, 0x0, "Number of failed logins", HFILL }},
6116 { &hf_netlogon_country,
6117 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6118 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6120 { &hf_netlogon_codepage,
6121 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6122 NULL, 0x0, "Codepage setting for this account", HFILL }},
6124 { &hf_netlogon_level16,
6125 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6126 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6128 { &hf_netlogon_validation_level,
6129 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6130 NULL, 0x0, "Requested level of validation", HFILL }},
6132 { &hf_netlogon_minpasswdlen,
6133 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6134 NULL, 0x0, "Minimum length of password", HFILL }},
6136 { &hf_netlogon_passwdhistorylen,
6137 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6138 NULL, 0x0, "Length of password history", HFILL }},
6140 { &hf_netlogon_secure_channel_type,
6141 { "Sec Chn Type", "netlogon.sec_chn_type", FT_UINT16, BASE_DEC,
6142 NULL, 0x0, "Secure Channel Type", HFILL }},
6144 { &hf_netlogon_delta_type,
6145 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6146 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6148 { &hf_netlogon_blob_size,
6149 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6150 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6152 { &hf_netlogon_code,
6153 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6154 NULL, 0x0, "Code", HFILL }},
6156 { &hf_netlogon_level,
6157 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6158 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6160 { &hf_netlogon_timestamp,
6161 { "Timestamp", "netlogon.timestamp", FT_UINT32, BASE_HEX,
6162 NULL, 0x0, "Some sort of timestamp", HFILL }},
6164 { &hf_netlogon_user_rid,
6165 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6166 NULL, 0x0, "", HFILL }},
6168 { &hf_netlogon_alias_rid,
6169 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6170 NULL, 0x0, "", HFILL }},
6172 { &hf_netlogon_group_rid,
6173 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6174 NULL, 0x0, "", HFILL }},
6176 { &hf_netlogon_num_rids,
6177 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6178 NULL, 0x0, "Number of RIDs", HFILL }},
6180 { &hf_netlogon_num_controllers,
6181 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6182 NULL, 0x0, "Number of domain controllers", HFILL }},
6184 { &hf_netlogon_num_other_groups,
6185 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6186 NULL, 0x0, "", HFILL }},
6188 { &hf_netlogon_flags,
6189 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6190 NULL, 0x0, "", HFILL }},
6192 { &hf_netlogon_user_flags,
6193 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6194 NULL, 0x0, "", HFILL }},
6196 { &hf_netlogon_auth_flags,
6197 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6198 NULL, 0x0, "", HFILL }},
6200 { &hf_netlogon_systemflags,
6201 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6202 NULL, 0x0, "", HFILL }},
6204 { &hf_netlogon_database_id,
6205 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6206 NULL, 0x0, "Database Id", HFILL }},
6208 { &hf_netlogon_sync_context,
6209 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6210 NULL, 0x0, "Sync Context", HFILL }},
6212 { &hf_netlogon_max_size,
6213 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6214 NULL, 0x0, "Max Size of database", HFILL }},
6216 { &hf_netlogon_max_log_size,
6217 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6218 NULL, 0x0, "Max Size of log", HFILL }},
6220 { &hf_netlogon_pac_size,
6221 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6222 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6224 { &hf_netlogon_auth_size,
6225 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6226 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6228 { &hf_netlogon_num_deltas,
6229 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6230 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6232 { &hf_netlogon_logon_attempts,
6233 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6234 NULL, 0x0, "Number of logon attempts", HFILL }},
6236 { &hf_netlogon_pagefilelimit,
6237 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6238 NULL, 0x0, "", HFILL }},
6240 { &hf_netlogon_pagedpoollimit,
6241 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6242 NULL, 0x0, "", HFILL }},
6244 { &hf_netlogon_nonpagedpoollimit,
6245 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6246 NULL, 0x0, "", HFILL }},
6248 { &hf_netlogon_minworkingsetsize,
6249 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6250 NULL, 0x0, "", HFILL }},
6252 { &hf_netlogon_maxworkingsetsize,
6253 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6254 NULL, 0x0, "", HFILL }},
/* Time-valued fields: absolute timestamps first, then two relative durations. */
6256 { &hf_netlogon_logon_time,
6257 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6258 NULL, 0, "Time for last time this user logged on", HFILL }},
6260 { &hf_netlogon_kickoff_time,
6261 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6262 NULL, 0, "Time when this user will be kicked off", HFILL }},
6264 { &hf_netlogon_logoff_time,
6265 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6266 NULL, 0, "Time for last time this user logged off", HFILL }},
6268 { &hf_netlogon_pwd_last_set_time,
6269 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6270 NULL, 0, "Last time this users password was changed", HFILL }},
6272 { &hf_netlogon_pwd_can_change_time,
6273 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6274 NULL, 0, "When this users password may be changed", HFILL }},
6276 { &hf_netlogon_pwd_must_change_time,
6277 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6278 NULL, 0, "When this users password must be changed", HFILL }},
6280 { &hf_netlogon_domain_create_time,
6281 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6282 NULL, 0, "Time when this domain was created", HFILL }},
6284 { &hf_netlogon_domain_modify_time,
6285 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6286 NULL, 0, "Time when this domain was last modified", HFILL }},
6288 { &hf_netlogon_db_modify_time,
6289 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6290 NULL, 0, "Time when last modified", HFILL }},
6292 { &hf_netlogon_db_create_time,
6293 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6294 NULL, 0, "Time when created", HFILL }},
6296 { &hf_netlogon_cipher_current_set_time,
6297 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6298 NULL, 0, "Time when current cipher was initiated", HFILL }},
6300 { &hf_netlogon_cipher_old_set_time,
6301 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6302 NULL, 0, "Time when previous cipher was initiated", HFILL }},
6304 { &hf_netlogon_audit_retention_period,
6305 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6306 NULL, 0, "Audit retention period", HFILL }},
6308 { &hf_netlogon_timelimit,
6309 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6310 NULL, 0, "", HFILL }}
/*
 * Subtree handles, one per expandable node the dissector can open in the
 * protocol tree. NOTE(review): the listing numbers jump inside this array
 * (6315 -> 6321, 6334 -> 6341, ...), so more entries exist than are shown.
 */
6314 static gint *ett[] = {
6315 &ett_dcerpc_netlogon,
6321 &ett_NETLOGON_INFO_1,
6322 &ett_NETLOGON_INFO_2,
6323 &ett_NETLOGON_INFO_3,
6324 &ett_NETLOGON_INFO_4,
6326 &ett_DOMAIN_CONTROLLER_INFO,
6329 &ett_UNICODE_STRING_512,
6333 &ett_DELTA_ID_UNION,
6334 &ett_NETLOGON_CONTROL_QUERY_INFO,
6341 &ett_LM_OWF_PASSWORD,
6342 &ett_NT_OWF_PASSWORD,
6343 &ett_GROUP_MEMBERSHIP,
/* Register the protocol itself and keep the returned id for the field registration below. */
6347 proto_dcerpc_netlogon = proto_register_protocol(
6348 "Microsoft Network Logon", "NETLOGON", "rpc_netlogon");
/*
 * NOTE(review): listing line 6351 is absent from this extract; the call's
 * final argument (the number of entries in hf[]) is expected there.
 * Confirm against the complete file.
 */
6350 proto_register_field_array(proto_dcerpc_netlogon, hf,
6352 proto_register_subtree_array(ett, array_length(ett));
/*
 * Handoff step for NETLOGON: passes the protocol id, the top-level subtree
 * handle, the interface UUID and version, the per-operation dissector table
 * and the opnum field handle to dcerpc_init_uuid().
 *
 * NOTE(review): the return type and the braces are not visible in this
 * extract (the embedded listing numbers skip lines).
 */
6356 proto_reg_handoff_dcerpc_netlogon(void)
6358 /* Register protocol as dcerpc */
6360 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
6361 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
6362 dcerpc_netlogon_dissectors, hf_netlogon_opnum);