1 /* packet-dcerpc-netlogon.c
2 * Routines for SMB \\PIPE\\NETLOGON packet disassembly
3 * Copyright 2001, Tim Potter <tpot@samba.org>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
6 * $Id: packet-dcerpc-netlogon.c,v 1.62 2002/11/29 22:35:54 sahlberg Exp $
8 * Ethereal - Network traffic analyzer
9 * By Gerald Combs <gerald@ethereal.com>
10 * Copyright 1998 Gerald Combs
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
32 #include <epan/packet.h>
33 #include "packet-dcerpc.h"
34 #include "packet-dcerpc-nt.h"
35 #include "packet-dcerpc-netlogon.h"
36 #include "smb.h" /* for "NT_errors[]" */
37 #include "packet-smb-common.h"
38 #include "packet-dcerpc-lsa.h"
/*
 * Protocol and field handles used by the dissectors in this file; every one
 * is initialised to -1 here.
 * NOTE(review): presumably they are filled in when the protocol and its
 * fields are registered -- that code is outside this listing.
 * NOTE(review): several handles name credential material
 * (hf_netlogon_lm_owf_password, hf_netlogon_nt_owf_password,
 * hf_netlogon_nt_chal_resp, hf_netlogon_lm_chal_resp,
 * hf_netlogon_user_session_key, hf_netlogon_credential); dissections and
 * capture files that populate them should be handled as sensitive data.
 */
40 static int proto_dcerpc_netlogon = -1;
41 static int hf_netlogon_opnum = -1;
42 static int hf_netlogon_guid = -1;
43 static int hf_netlogon_rc = -1;
44 static int hf_netlogon_len = -1;
45 static int hf_netlogon_sensitive_data_flag = -1;
46 static int hf_netlogon_sensitive_data_len = -1;
47 static int hf_netlogon_sensitive_data = -1;
48 static int hf_netlogon_security_information = -1;
49 static int hf_netlogon_dummy = -1;
50 static int hf_netlogon_neg_flags = -1;
51 static int hf_netlogon_minworkingsetsize = -1;
52 static int hf_netlogon_maxworkingsetsize = -1;
53 static int hf_netlogon_pagedpoollimit = -1;
54 static int hf_netlogon_pagefilelimit = -1;
55 static int hf_netlogon_timelimit = -1;
56 static int hf_netlogon_nonpagedpoollimit = -1;
57 static int hf_netlogon_pac_size = -1;
58 static int hf_netlogon_pac_data = -1;
59 static int hf_netlogon_auth_size = -1;
60 static int hf_netlogon_auth_data = -1;
61 static int hf_netlogon_cipher_len = -1;
62 static int hf_netlogon_cipher_maxlen = -1;
63 static int hf_netlogon_cipher_current_data = -1;
64 static int hf_netlogon_cipher_current_set_time = -1;
65 static int hf_netlogon_cipher_old_data = -1;
66 static int hf_netlogon_cipher_old_set_time = -1;
67 static int hf_netlogon_priv = -1;
68 static int hf_netlogon_privilege_entries = -1;
69 static int hf_netlogon_privilege_control = -1;
70 static int hf_netlogon_privilege_name = -1;
71 static int hf_netlogon_systemflags = -1;
72 static int hf_netlogon_pdc_connection_status = -1;
73 static int hf_netlogon_tc_connection_status = -1;
74 static int hf_netlogon_restart_state = -1;
75 static int hf_netlogon_attrs = -1;
76 static int hf_netlogon_count = -1;
77 static int hf_netlogon_entries = -1;
78 static int hf_netlogon_minpasswdlen = -1;
79 static int hf_netlogon_passwdhistorylen = -1;
80 static int hf_netlogon_level16 = -1;
81 static int hf_netlogon_validation_level = -1;
82 static int hf_netlogon_reference = -1;
83 static int hf_netlogon_next_reference = -1;
84 static int hf_netlogon_timestamp = -1;
85 static int hf_netlogon_level = -1;
86 static int hf_netlogon_challenge = -1;
87 static int hf_netlogon_reserved = -1;
88 static int hf_netlogon_audit_retention_period = -1;
89 static int hf_netlogon_auditing_mode = -1;
90 static int hf_netlogon_max_audit_event_count = -1;
91 static int hf_netlogon_event_audit_option = -1;
92 static int hf_netlogon_unknown_string = -1;
93 static int hf_netlogon_unknown_long = -1;
94 static int hf_netlogon_unknown_short = -1;
95 static int hf_netlogon_unknown_char = -1;
96 static int hf_netlogon_logon_time = -1;
97 static int hf_netlogon_logoff_time = -1;
98 static int hf_netlogon_kickoff_time = -1;
99 static int hf_netlogon_pwd_last_set_time = -1;
100 static int hf_netlogon_pwd_can_change_time = -1;
101 static int hf_netlogon_pwd_must_change_time = -1;
102 static int hf_netlogon_nt_chal_resp = -1;
103 static int hf_netlogon_lm_chal_resp = -1;
104 static int hf_netlogon_credential = -1;
105 static int hf_netlogon_acct_name = -1;
106 static int hf_netlogon_acct_desc = -1;
107 static int hf_netlogon_group_desc = -1;
108 static int hf_netlogon_full_name = -1;
109 static int hf_netlogon_comment = -1;
110 static int hf_netlogon_parameters = -1;
111 static int hf_netlogon_logon_script = -1;
112 static int hf_netlogon_profile_path = -1;
113 static int hf_netlogon_home_dir = -1;
114 static int hf_netlogon_dir_drive = -1;
115 static int hf_netlogon_logon_count = -1;
116 static int hf_netlogon_logon_count16 = -1;
117 static int hf_netlogon_bad_pw_count = -1;
118 static int hf_netlogon_bad_pw_count16 = -1;
119 static int hf_netlogon_user_rid = -1;
120 static int hf_netlogon_alias_rid = -1;
121 static int hf_netlogon_group_rid = -1;
122 static int hf_netlogon_logon_srv = -1;
123 static int hf_netlogon_principal = -1;
124 static int hf_netlogon_logon_dom = -1;
125 static int hf_netlogon_downlevel_domain_name = -1;
126 static int hf_netlogon_dns_domain_name = -1;
127 static int hf_netlogon_domain_name = -1;
128 static int hf_netlogon_domain_create_time = -1;
129 static int hf_netlogon_domain_modify_time = -1;
130 static int hf_netlogon_modify_count = -1;
131 static int hf_netlogon_db_modify_time = -1;
132 static int hf_netlogon_db_create_time = -1;
133 static int hf_netlogon_oem_info = -1;
134 static int hf_netlogon_serial_number = -1;
135 static int hf_netlogon_num_rids = -1;
136 static int hf_netlogon_num_trusts = -1;
137 static int hf_netlogon_num_controllers = -1;
138 static int hf_netlogon_num_other_groups = -1;
139 static int hf_netlogon_computer_name = -1;
140 static int hf_netlogon_site_name = -1;
141 static int hf_netlogon_trusted_dc_name = -1;
142 static int hf_netlogon_dc_name = -1;
143 static int hf_netlogon_dc_site_name = -1;
144 static int hf_netlogon_dns_forest_name = -1;
145 static int hf_netlogon_dc_address = -1;
146 static int hf_netlogon_dc_address_type = -1;
147 static int hf_netlogon_client_site_name = -1;
148 static int hf_netlogon_workstation = -1;
149 static int hf_netlogon_workstation_site_name = -1;
150 static int hf_netlogon_workstation_os = -1;
151 static int hf_netlogon_workstations = -1;
152 static int hf_netlogon_workstation_fqdn = -1;
153 static int hf_netlogon_group_name = -1;
154 static int hf_netlogon_alias_name = -1;
155 static int hf_netlogon_country = -1;
156 static int hf_netlogon_codepage = -1;
157 static int hf_netlogon_flags = -1;
158 static int hf_netlogon_user_flags = -1;
159 static int hf_netlogon_auth_flags = -1;
160 static int hf_netlogon_pwd_expired = -1;
161 static int hf_netlogon_nt_pwd_present = -1;
162 static int hf_netlogon_lm_pwd_present = -1;
163 static int hf_netlogon_code = -1;
164 static int hf_netlogon_database_id = -1;
165 static int hf_netlogon_sync_context = -1;
166 static int hf_netlogon_max_size = -1;
167 static int hf_netlogon_max_log_size = -1;
168 static int hf_netlogon_dns_host = -1;
169 static int hf_netlogon_acct_expiry_time = -1;
170 static int hf_netlogon_encrypted_lm_owf_password = -1;
171 static int hf_netlogon_lm_owf_password = -1;
172 static int hf_netlogon_nt_owf_password = -1;
173 static int hf_netlogon_param_ctrl = -1;
174 static int hf_netlogon_logon_id = -1;
175 static int hf_netlogon_num_deltas = -1;
176 static int hf_netlogon_user_session_key = -1;
177 static int hf_netlogon_blob_size = -1;
178 static int hf_netlogon_blob = -1;
179 static int hf_netlogon_logon_attempts = -1;
180 static int hf_netlogon_authoritative = -1;
181 static int hf_netlogon_secure_channel_type = -1;
182 static int hf_netlogon_logonsrv_handle = -1;
183 static int hf_netlogon_delta_type = -1;
/*
 * Subtree handles; all start at -1. Further down the file they are passed
 * to proto_item_add_subtree() (for example ett_IDENTITY_INFO and
 * ett_LM_OWF_PASSWORD).
 */
185 static gint ett_dcerpc_netlogon = -1;
186 static gint ett_QUOTA_LIMITS = -1;
187 static gint ett_IDENTITY_INFO = -1;
188 static gint ett_DELTA_ENUM = -1;
189 static gint ett_CYPHER_VALUE = -1;
190 static gint ett_UNICODE_MULTI = -1;
191 static gint ett_DOMAIN_CONTROLLER_INFO = -1;
192 static gint ett_UNICODE_STRING_512 = -1;
193 static gint ett_TYPE_50 = -1;
194 static gint ett_TYPE_52 = -1;
195 static gint ett_DELTA_ID_UNION = -1;
196 static gint ett_TYPE_44 = -1;
197 static gint ett_DELTA_UNION = -1;
198 static gint ett_LM_OWF_PASSWORD = -1;
199 static gint ett_NT_OWF_PASSWORD = -1;
200 static gint ett_GROUP_MEMBERSHIP = -1;
201 static gint ett_BLOB = -1;
202 static gint ett_DSROLE_DOMAIN_INFO_EX = -1;
203 static gint ett_DOMAIN_TRUST_INFO = -1;
/*
 * Interface identity for NETLOGON over DCE/RPC: UUID
 * 12345678-1234-abcd-ef00-01234567cffb (the fields initialised below) and
 * interface version 1.
 * NOTE(review): the initialiser's closing line is not present in this listing.
 */
205 static e_uuid_t uuid_dcerpc_netlogon = {
206 0x12345678, 0x1234, 0xabcd,
207 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
210 static guint16 ver_dcerpc_netlogon = 1;
/*
 * Dissect a LOGONSRV_HANDLE: a unique NDR pointer whose referent is handed to
 * dissect_ndr_nt_UNICODE_STRING_str and labelled "Server Handle"
 * (hf_netlogon_logonsrv_handle). offset takes dissect_ndr_pointer's result.
 */
215 netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
216 packet_info *pinfo, proto_tree *tree,
219 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
220 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
221 "Server Handle", hf_netlogon_logonsrv_handle, 0);
227 * IDL typedef struct {
228 * IDL [unique][string] wchar_t *effective_name;
230 * IDL long auth_flags;
231 * IDL long logon_count;
232 * IDL long bad_pw_count;
233 * IDL long last_logon;
234 * IDL long last_logoff;
235 * IDL long logoff_time;
236 * IDL long kickoff_time;
237 * IDL long password_age;
238 * IDL long pw_can_change;
239 * IDL long pw_must_change;
240 * IDL [unique][string] wchar_t *computer;
241 * IDL [unique][string] wchar_t *domain;
242 * IDL [unique][string] wchar_t *script_path;
/*
 * Dissect a VALIDATION_UAS_INFO structure in the order shown below: the
 * "Effective Account" pointer, four 32-bit values (priv, auth_flags,
 * logon_count, bad_pw_count), seven undecoded time fields, the "Computer",
 * "Domain" and "Script" pointers, and a 32-bit reserved value.
 * On a conformant run (di->conformant_run set) there is, per the inline
 * comment, nothing to dissect.
 */
246 netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
247 packet_info *pinfo, proto_tree *tree,
252 di=pinfo->private_data;
253 if(di->conformant_run){
254 /*just a run to handle conformant arrays, nothing to dissect */
258 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
259 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
260 "Effective Account", hf_netlogon_acct_name, 0);
262 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
263 hf_netlogon_priv, NULL);
265 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
266 hf_netlogon_auth_flags, NULL);
268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
269 hf_netlogon_logon_count, NULL);
271 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
272 hf_netlogon_bad_pw_count, NULL);
274 /* XXX - are these all UNIX "time_t"s, like the time stamps in
277 Or are they, as per some RAP-based operations, UTIMEs? */
/* The time fields are not decoded: each is added as a 4-byte text item
   marked "unknown time format".
   NOTE(review): the statements that advance offset between these items
   are not present in this listing. */
278 proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
281 proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
284 proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
287 proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
290 proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
293 proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
296 proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
299 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
300 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
301 "Computer", hf_netlogon_computer_name, 0);
303 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
304 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
305 "Domain", hf_netlogon_domain_name, 0);
307 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
308 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
309 "Script", hf_netlogon_logon_script, 0);
311 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
312 hf_netlogon_reserved, NULL);
318 * IDL long NetLogonUasLogon(
319 * IDL [in][unique][string] wchar_t *ServerName,
320 * IDL [in][ref][string] wchar_t *UserName,
321 * IDL [in][ref][string] wchar_t *Workstation,
322 * IDL [out][unique] VALIDATION_UAS_INFO *info
/*
 * Dissect a NetLogonUasLogon request: the server handle (via
 * netlogon_dissect_LOGONSRV_HANDLE), then two reference pointers to strings
 * labelled "Account" and "Workstation".
 */
326 netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
327 packet_info *pinfo, proto_tree *tree, char *drep)
329 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
332 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
333 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
334 "Account", hf_netlogon_acct_name, 0);
336 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
337 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
338 "Workstation", hf_netlogon_workstation, 0);
/*
 * Dissect a NetLogonUasLogon reply: a unique pointer dissected by
 * netlogon_dissect_VALIDATION_UAS_INFO, followed by the NT status code
 * (hf_netlogon_rc) via dissect_ntstatus.
 */
345 netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
346 packet_info *pinfo, proto_tree *tree, char *drep)
348 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
349 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
350 "VALIDATION_UAS_INFO", -1, 0);
352 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
353 hf_netlogon_rc, NULL);
359 * IDL typedef struct {
361 * IDL short logon_count;
362 * IDL } LOGOFF_UAS_INFO;
/*
 * Dissect a LOGOFF_UAS_INFO structure: a 4-byte duration shown as text
 * ("unknown time format", not decoded) and a 16-bit logon count
 * (hf_netlogon_logon_count16).
 * On a conformant run there is, per the inline comment, nothing to dissect.
 * NOTE(review): the statement advancing offset past the duration is not
 * present in this listing.
 */
365 netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
366 packet_info *pinfo, proto_tree *tree,
371 di=pinfo->private_data;
372 if(di->conformant_run){
373 /*just a run to handle conformant arrays, nothing to dissect */
377 proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
380 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
381 hf_netlogon_logon_count16, NULL);
387 * IDL long NetLogonUasLogoff(
388 * IDL [in][unique][string] wchar_t *ServerName,
389 * IDL [in][ref][string] wchar_t *UserName,
390 * IDL [in][ref][string] wchar_t *Workstation,
391 * IDL [out][ref] LOGOFF_UAS_INFO *info
/*
 * Dissect a NetLogonUasLogoff request: the server handle (via
 * netlogon_dissect_LOGONSRV_HANDLE), then two reference pointers to strings
 * labelled "Account" and "Workstation".
 */
395 netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
396 packet_info *pinfo, proto_tree *tree, char *drep)
398 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
401 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
402 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
403 "Account", hf_netlogon_acct_name, 0);
405 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
406 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
407 "Workstation", hf_netlogon_workstation, 0);
/*
 * Dissect a NetLogonUasLogoff reply: a reference pointer dissected by
 * netlogon_dissect_LOGOFF_UAS_INFO, followed by the NT status code
 * (hf_netlogon_rc) via dissect_ntstatus.
 */
414 netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
415 packet_info *pinfo, proto_tree *tree, char *drep)
417 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
418 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
419 "LOGOFF_UAS_INFO", -1, 0);
421 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
422 hf_netlogon_rc, NULL);
431 * IDL typedef struct {
432 * IDL UNICODESTRING LogonDomainName;
433 * IDL long ParameterControl;
434 * IDL uint64 LogonID;
435 * IDL UNICODESTRING UserName;
436 * IDL UNICODESTRING Workstation;
437 * IDL } LOGON_IDENTITY_INFO;
/*
 * Dissect a LOGON_IDENTITY_INFO structure under its own subtree
 * (ett_IDENTITY_INFO): logon domain string, 32-bit parameter control,
 * 64-bit logon id, account name string, workstation string.
 * The subtree item is created with length 0; the final proto_item_set_len()
 * call sets it to offset-old_offset, i.e. the bytes consumed here.
 */
440 netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
441 packet_info *pinfo, proto_tree *parent_tree,
444 proto_item *item=NULL;
445 proto_tree *tree=NULL;
446 int old_offset=offset;
449 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
451 tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
454 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
455 hf_netlogon_logon_dom, 0);
457 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
458 hf_netlogon_param_ctrl, NULL);
460 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
461 hf_netlogon_logon_id, NULL);
463 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
464 hf_netlogon_acct_name, 0);
466 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
467 hf_netlogon_workstation, 0);
/* NOTE(review): the comments below are cut short in this listing, so it
   cannot be told from here whether the netlogon_dissect_8_unknown_bytes
   call that follows them is actually compiled in. */
470 /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
471 /* XXX 8 extra bytes here */
472 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
473 the idl file. Could be a bug in either the NETLOGON implementation or in the
476 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
479 proto_item_set_len(item, offset-old_offset);
485 * IDL typedef struct {
486 * IDL char password[16];
487 * IDL } LM_OWF_PASSWORD;
/*
 * Dissect an LM_OWF_PASSWORD structure: a 16-byte text item with its own
 * subtree (ett_LM_OWF_PASSWORD), holding the same 16 bytes as
 * hf_netlogon_lm_owf_password.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 * NOTE(review): these 16 bytes are password-derived material (the IDL
 * comment names them password[16]); whether they are additionally encrypted
 * on the wire is not shown here. Captures and exported dissections that
 * include this field should be stored and shared as sensitive data.
 */
490 netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
491 packet_info *pinfo, proto_tree *parent_tree,
494 proto_item *item=NULL;
495 proto_tree *tree=NULL;
498 di=pinfo->private_data;
499 if(di->conformant_run){
500 /*just a run to handle conformant arrays, nothing to dissect.*/
505 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
507 tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
510 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
518 * IDL typedef struct {
519 * IDL char password[16];
520 * IDL } NT_OWF_PASSWORD;
/*
 * Dissect an NT_OWF_PASSWORD structure: a 16-byte text item with its own
 * subtree (ett_NT_OWF_PASSWORD), holding the same 16 bytes as
 * hf_netlogon_nt_owf_password.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 * NOTE(review): these 16 bytes are password-derived material (the IDL
 * comment names them password[16]); whether they are additionally encrypted
 * on the wire is not shown here. Captures and exported dissections that
 * include this field should be stored and shared as sensitive data.
 */
523 netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
524 packet_info *pinfo, proto_tree *parent_tree,
527 proto_item *item=NULL;
528 proto_tree *tree=NULL;
531 di=pinfo->private_data;
532 if(di->conformant_run){
533 /*just a run to handle conformant arrays, nothing to dissect.*/
538 item = proto_tree_add_text(parent_tree, tvb, offset, 16,
540 tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
543 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
552 * IDL typedef struct {
553 * IDL LOGON_IDENTITY_INFO identity_info;
554 * IDL LM_OWF_PASSWORD lmpassword;
555 * IDL NT_OWF_PASSWORD ntpassword;
556 * IDL } INTERACTIVE_INFO;
/*
 * Dissect an INTERACTIVE_INFO structure by chaining three sub-dissectors in
 * order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD. Each call's
 * result becomes the next offset.
 */
559 netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
560 packet_info *pinfo, proto_tree *tree,
563 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
566 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
569 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
576 * IDL typedef struct {
/*
 * Dissect a CHALLENGE: adds the 8 bytes at offset to the tree as
 * hf_netlogon_challenge.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 */
581 netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
582 packet_info *pinfo, proto_tree *tree,
587 di=pinfo->private_data;
588 if(di->conformant_run){
589 /*just a run to handle conformant arrays, nothing to dissect.*/
593 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
601 * IDL typedef struct {
602 * IDL LOGON_IDENTITY_INFO logon_info;
603 * IDL CHALLENGE chal;
604 * IDL STRING ntchallengeresponse;
605 * IDL STRING lmchallengeresponse;
606 * IDL } NETWORK_INFO;
/*
 * Dissect a NETWORK_INFO structure: LOGON_IDENTITY_INFO, the CHALLENGE, then
 * two STRING fields holding the NT and LM challenge responses
 * (hf_netlogon_nt_chal_resp, hf_netlogon_lm_chal_resp).
 * NOTE(review): the tree ends up with the challenge and both responses side
 * by side; a capture or export containing them is credential material and
 * should be handled accordingly.
 */
609 netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
610 packet_info *pinfo, proto_tree *tree,
613 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
616 offset = netlogon_dissect_CHALLENGE(tvb, offset,
619 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
620 hf_netlogon_nt_chal_resp, 0);
622 offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
623 hf_netlogon_lm_chal_resp, 0);
629 * IDL typedef struct {
630 * IDL LOGON_IDENTITY_INFO logon_info;
631 * IDL LM_OWF_PASSWORD lmpassword;
632 * IDL NT_OWF_PASSWORD ntpassword;
633 * IDL } SERVICE_INFO;
/*
 * Dissect a SERVICE_INFO structure by chaining three sub-dissectors in
 * order: LOGON_IDENTITY_INFO, LM_OWF_PASSWORD, NT_OWF_PASSWORD -- the same
 * sequence netlogon_dissect_INTERACTIVE_INFO uses.
 */
636 netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
637 packet_info *pinfo, proto_tree *tree,
640 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
643 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
646 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
653 * IDL typedef [switch_type(short)] union {
654 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
655 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
656 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
/*
 * Dissect the logon-level union: a 16-bit discriminant is read from the
 * packet into level, then one of three unique pointers is dissected
 * (INTERACTIVE_INFO, NETWORK_INFO or SERVICE_INFO).
 * NOTE(review): the lines that select among the three calls are not present
 * in this listing; the IDL comment maps cases 1, 2 and 3 to them, and what
 * happens for any other packet-supplied level cannot be seen from here.
 */
660 netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
661 packet_info *pinfo, proto_tree *tree,
666 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
667 hf_netlogon_level16, &level);
672 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
673 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
674 "INTERACTIVE_INFO:", -1, 0);
677 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
678 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
679 "NETWORK_INFO:", -1, 0);
682 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
683 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
684 "SERVICE_INFO:", -1, 0);
692 * IDL typedef struct {
/*
 * Dissect a CREDENTIAL: adds the 8 bytes at offset to the tree as
 * hf_netlogon_credential.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 */
697 netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
698 packet_info *pinfo, proto_tree *tree,
703 di=pinfo->private_data;
704 if(di->conformant_run){
705 /*just a run to handle conformant arrays, nothing to dissect.*/
709 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
718 * IDL typedef struct {
719 * IDL CREDENTIAL cred;
720 * IDL long timestamp;
721 * IDL } AUTHENTICATOR;
/*
 * Dissect an AUTHENTICATOR: the CREDENTIAL (via netlogon_dissect_CREDENTIAL)
 * followed by a 4-byte timestamp shown as hf_netlogon_timestamp.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 */
724 netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
725 packet_info *pinfo, proto_tree *tree,
731 di=pinfo->private_data;
732 if(di->conformant_run){
733 /*just a run to handle conformant arrays, nothing to dissect */
737 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
741 * XXX - this appears to be a UNIX time_t in some credentials, but
742 * appears to be random junk in other credentials.
743 * For example, it looks like a UNIX time_t in "credential"
744 * AUTHENTICATORs, but like random junk in "return_authenticator"
/* The seconds value is read with tvb_get_letohl(), i.e. always as
   little-endian, while the other integers in this file go through the
   dissect_ndr_* helpers with drep.
   NOTE(review): confirm the fixed byte order is intended. */
748 ts.secs = tvb_get_letohl(tvb, offset);
750 proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
758 * IDL typedef struct {
760 * IDL long attributes;
761 * IDL } GROUP_MEMBERSHIP;
/*
 * Dissect one GROUP_MEMBERSHIP entry under its own "GROUP_MEMBERSHIP:"
 * subtree (ett_GROUP_MEMBERSHIP): a 32-bit RID shown as hf_netlogon_user_rid
 * and a 32-bit attributes value (hf_netlogon_attrs).
 * The subtree item is created with length 0; no later length update is
 * visible in these lines.
 */
764 netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
765 packet_info *pinfo, proto_tree *parent_tree,
768 proto_item *item=NULL;
769 proto_tree *tree=NULL;
772 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
773 "GROUP_MEMBERSHIP:");
774 tree = proto_item_add_subtree(item, ett_GROUP_MEMBERSHIP);
777 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
778 hf_netlogon_user_rid, NULL);
780 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
781 hf_netlogon_attrs, NULL);
/*
 * Dissect the GROUP_MEMBERSHIP array by calling dissect_ndr_ucarray with
 * netlogon_dissect_GROUP_MEMBERSHIP as its callback argument.
 * NOTE(review): the element count is handled inside dissect_ndr_ucarray,
 * which is outside this listing; no count is checked here.
 */
787 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
788 packet_info *pinfo, proto_tree *tree,
791 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
792 netlogon_dissect_GROUP_MEMBERSHIP);
798 * IDL typedef struct {
799 * IDL char user_session_key[16];
800 * IDL } USER_SESSION_KEY;
/*
 * Dissect a USER_SESSION_KEY: adds the 16 bytes at offset to the tree as
 * hf_netlogon_user_session_key.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 * NOTE(review): the key bytes are displayed as-is; captures and exported
 * dissections containing this field should be treated as sensitive data.
 */
803 netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
804 packet_info *pinfo, proto_tree *tree,
809 di=pinfo->private_data;
810 if(di->conformant_run){
811 /*just a run to handle conformant arrays, nothing to dissect.*/
815 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
823 * IDL typedef struct {
824 * IDL uint64 LogonTime;
825 * IDL uint64 LogoffTime;
826 * IDL uint64 KickOffTime;
827 * IDL uint64 PasswdLastSet;
828 * IDL uint64 PasswdCanChange;
829 * IDL uint64 PasswdMustChange;
830 * IDL unicodestring effectivename;
831 * IDL unicodestring fullname;
832 * IDL unicodestring logonscript;
833 * IDL unicodestring profilepath;
834 * IDL unicodestring homedirectory;
835 * IDL unicodestring homedirectorydrive;
836 * IDL short LogonCount;
837 * IDL short BadPasswdCount;
839 * IDL long primarygroup;
840 * IDL long groupcount;
841 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
842 * IDL long userflags;
843 * IDL USER_SESSION_KEY key;
844 * IDL unicodestring logonserver;
845 * IDL unicodestring domainname;
846 * IDL [unique] SID logondomainid;
847 * IDL long expansionroom[10];
848 * IDL } VALIDATION_SAM_INFO;
/*
 * Dissect a VALIDATION_SAM_INFO structure, field by field in wire order:
 * six NTTIME values, six UNICODE_STRINGs (account, full name, logon script,
 * profile path, home dir, dir drive), two 16-bit counters, three 32-bit
 * values (user RID, group RID, number of RIDs), a unique pointer to the
 * GROUP_MEMBERSHIP array, user flags, the user session key, the logon
 * server and logon domain strings, a PSID, and a 32-bit reserved value.
 * The number-of-RIDs value is displayed only (NULL is passed, so it is not
 * captured here).
 * NOTE(review): the IDL comment declares expansionroom[10] but only one
 * hf_netlogon_reserved read is visible; any loop around it is not present
 * in this listing.
 */
851 netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
852 packet_info *pinfo, proto_tree *tree,
857 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
858 hf_netlogon_logon_time);
860 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
861 hf_netlogon_logoff_time);
863 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
864 hf_netlogon_kickoff_time);
866 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
867 hf_netlogon_pwd_last_set_time);
869 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
870 hf_netlogon_pwd_can_change_time);
872 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
873 hf_netlogon_pwd_must_change_time);
875 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
876 hf_netlogon_acct_name, 0);
878 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
879 hf_netlogon_full_name, 0);
881 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
882 hf_netlogon_logon_script, 0);
884 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
885 hf_netlogon_profile_path, 0);
887 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
888 hf_netlogon_home_dir, 0);
890 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
891 hf_netlogon_dir_drive, 0);
893 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
894 hf_netlogon_logon_count16, NULL);
896 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
897 hf_netlogon_bad_pw_count16, NULL);
899 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
900 hf_netlogon_user_rid, NULL);
902 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
903 hf_netlogon_group_rid, NULL);
905 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
906 hf_netlogon_num_rids, NULL);
908 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
909 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
910 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
912 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
913 hf_netlogon_user_flags, NULL);
915 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
918 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
919 hf_netlogon_logon_srv, 0);
921 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
922 hf_netlogon_logon_dom, 0);
924 offset = dissect_ndr_nt_PSID(tvb, offset,
928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
929 hf_netlogon_reserved, NULL);
938 * IDL typedef struct {
939 * IDL uint64 LogonTime;
940 * IDL uint64 LogoffTime;
941 * IDL uint64 KickOffTime;
942 * IDL uint64 PasswdLastSet;
943 * IDL uint64 PasswdCanChange;
944 * IDL uint64 PasswdMustChange;
945 * IDL unicodestring effectivename;
946 * IDL unicodestring fullname;
947 * IDL unicodestring logonscript;
948 * IDL unicodestring profilepath;
949 * IDL unicodestring homedirectory;
950 * IDL unicodestring homedirectorydrive;
951 * IDL short LogonCount;
952 * IDL short BadPasswdCount;
954 * IDL long primarygroup;
955 * IDL long groupcount;
956 * IDL [unique] GROUP_MEMBERSHIP *groupids;
957 * IDL long userflags;
958 * IDL USER_SESSION_KEY key;
959 * IDL unicodestring logonserver;
960 * IDL unicodestring domainname;
961 * IDL [unique] SID logondomainid;
962 * IDL long expansionroom[10];
964 * IDL [unique] SID_AND_ATTRIBS;
965 * IDL } VALIDATION_SAM_INFO2;
/*
 * Dissect a VALIDATION_SAM_INFO2 structure. The visible calls repeat the
 * VALIDATION_SAM_INFO sequence (six NTTIMEs, six UNICODE_STRINGs, two 16-bit
 * counters, user RID, group RID, number of RIDs, GROUP_MEMBERSHIP array
 * pointer, user flags, user session key, logon server, logon domain, PSID),
 * then read a 32-bit hf_netlogon_unknown_long, a 32-bit count of other
 * groups, and a unique pointer dissected by
 * dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY.
 * Both counts (hf_netlogon_num_rids, hf_netlogon_num_other_groups) are
 * displayed only; NULL is passed, so neither value is captured here.
 * NOTE(review): the IDL comment declares expansionroom[10] but only one
 * hf_netlogon_unknown_long read is visible; any loop around it is not
 * present in this listing.
 */
968 netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
969 packet_info *pinfo, proto_tree *tree,
974 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
975 hf_netlogon_logon_time);
977 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
978 hf_netlogon_logoff_time);
980 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
981 hf_netlogon_kickoff_time);
983 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
984 hf_netlogon_pwd_last_set_time);
986 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
987 hf_netlogon_pwd_can_change_time);
989 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
990 hf_netlogon_pwd_must_change_time);
992 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
993 hf_netlogon_acct_name, 0);
995 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
996 hf_netlogon_full_name, 0);
998 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
999 hf_netlogon_logon_script, 0);
1001 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1002 hf_netlogon_profile_path, 0);
1004 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1005 hf_netlogon_home_dir, 0);
1007 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1008 hf_netlogon_dir_drive, 0);
1010 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1011 hf_netlogon_logon_count16, NULL);
1013 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1014 hf_netlogon_bad_pw_count16, NULL);
1016 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1017 hf_netlogon_user_rid, NULL);
1019 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1020 hf_netlogon_group_rid, NULL);
1022 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1023 hf_netlogon_num_rids, NULL);
1025 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1026 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
1027 "GROUP_MEMBERSHIP_ARRAY", -1, 0);
1029 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1030 hf_netlogon_user_flags, NULL);
1032 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1035 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1036 hf_netlogon_logon_srv, 0);
1038 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1039 hf_netlogon_logon_dom, 0);
1041 offset = dissect_ndr_nt_PSID(tvb, offset,
1045 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1046 hf_netlogon_unknown_long, NULL);
1049 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1050 hf_netlogon_num_other_groups, NULL);
1052 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1053 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
1054 "SID_AND_ATTRIBUTES_ARRAY:", -1, 0);
/*
 * Dissect the referent of the PAC pointer: a 32-bit size is read from the
 * packet into pac_size, then an hf_netlogon_pac_data item spanning pac_size
 * bytes is added at offset.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 * NOTE(review): pac_size comes straight from the packet and no range check
 * is visible in these lines. Confirm that an oversized value is rejected by
 * the tvbuff/proto layer (including when tree is NULL) before offset is
 * moved past the data; the lines after the add_item call are not present in
 * this listing.
 */
1062 netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
1063 packet_info *pinfo, proto_tree *tree,
1069 di=pinfo->private_data;
1070 if(di->conformant_run){
1071 /*just a run to handle conformant arrays, nothing to dissect */
1075 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1076 hf_netlogon_pac_size, &pac_size);
1078 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
/*
 * Dissect the referent of the AUTH pointer: a 32-bit size is read from the
 * packet into auth_size, an hf_netlogon_auth_data item spanning auth_size
 * bytes is added at offset, and offset is then advanced by auth_size.
 * On a conformant run there is, per the inline comment, nothing to dissect.
 * NOTE(review): auth_size is packet-supplied and is added to the int offset
 * with no check visible here; a very large value could wrap offset or move
 * it outside the buffer. Confirm that the add_item call rejects an
 * out-of-range length in every case (including when tree is NULL), or bound
 * auth_size against the remaining buffer length before advancing.
 */
1086 netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
1087 packet_info *pinfo, proto_tree *tree,
1093 di=pinfo->private_data;
1094 if(di->conformant_run){
1095 /*just a run to handle conformant arrays, nothing to dissect */
1099 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1100 hf_netlogon_auth_size, &auth_size);
1102 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
1104 offset += auth_size;
1111 * IDL typedef struct {
1113 * IDL [unique][size_is(pac_size)] char *pac;
1114 * IDL UNICODESTRING logondomain;
1115 * IDL UNICODESTRING logonserver;
1116 * IDL UNICODESTRING principalname;
1117 * IDL long auth_size;
1118 * IDL [unique][size_is(auth_size)] char *auth;
1119 * IDL USER_SESSION_KEY user_session_key;
1120 * IDL long expansionroom[10];
1121 * IDL UNICODESTRING dummy1;
1122 * IDL UNICODESTRING dummy2;
1123 * IDL UNICODESTRING dummy3;
1124 * IDL UNICODESTRING dummy4;
1125 * IDL } VALIDATION_PAC_INFO;
/*
 * Dissect a VALIDATION_PAC_INFO structure in wire order: 32-bit PAC size,
 * unique pointer dissected by netlogon_dissect_PAC, three UNICODE_STRINGs
 * (logon domain, logon server, principal), 32-bit auth size, unique pointer
 * dissected by netlogon_dissect_AUTH, the user session key, a 32-bit
 * hf_netlogon_unknown_long, and four UNICODE_STRINGs shown as
 * hf_netlogon_dummy.
 * The PAC and auth sizes read here are displayed only (NULL is passed).
 * NOTE(review): netlogon_dissect_PAC and netlogon_dissect_AUTH each read
 * their own size from the packet at the referent; nothing visible here
 * compares those values with the two size fields of this structure.
 */
1128 netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
1129 packet_info *pinfo, proto_tree *tree,
1134 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1135 hf_netlogon_pac_size, NULL);
1137 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1138 netlogon_dissect_PAC, NDR_POINTER_UNIQUE,
1141 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1142 hf_netlogon_logon_dom, 0);
1144 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1145 hf_netlogon_logon_srv, 0);
1147 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1148 hf_netlogon_principal, 0);
1150 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1151 hf_netlogon_auth_size, NULL);
1153 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1154 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE,
1157 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1161 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1162 hf_netlogon_unknown_long, NULL);
1165 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1166 hf_netlogon_dummy, 0);
1168 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1169 hf_netlogon_dummy, 0);
1171 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1172 hf_netlogon_dummy, 0);
1174 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1175 hf_netlogon_dummy, 0);
1182 * IDL typedef [switch_type(short)] union {
1183 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
1184 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
1185 * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
1186 * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
/*
 * Dissects the VALIDATION union. The uint16 validation level is read from
 * the packet into `level`; the four dissect_ndr_pointer calls below register
 * a unique-pointer referent for VALIDATION_SAM_INFO, VALIDATION_SAM_INFO2
 * and (twice) VALIDATION_PAC_INFO, matching IDL cases 2, 3, 4 and 5.
 *
 * NOTE(review): the statements that select one arm from `level` are not
 * visible in this listing. `level` is packet-controlled, so confirm that a
 * value outside 2..5 dissects no arm rather than falling into one.
 */
1190 netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
1191 packet_info *pinfo, proto_tree *tree,
1196 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1197 hf_netlogon_validation_level, &level);
1202 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1203 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
1204 "VALIDATION_SAM_INFO:", -1, 0);
1207 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1208 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
1209 "VALIDATION_SAM_INFO2:", -1, 0);
1212 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1213 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1214 "VALIDATION_PAC_INFO:", -1, 0);
1217 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1218 netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
1219 "VALIDATION_PAC_INFO:", -1, 0);
1228 * IDL long NetLogonSamLogon(
1229 * IDL [in][unique][string] wchar_t *ServerName,
1230 * IDL [in][unique][string] wchar_t *Workstation,
1231 * IDL [in][unique] AUTHENTICATOR *credential,
1232 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
1233 * IDL [in] short LogonLevel,
1234 * IDL [in][ref] LOGON_LEVEL *logonlevel,
1235 * IDL [in] short ValidationLevel,
1236 * IDL [out][ref] VALIDATION *validation,
1237 * IDL [out][ref] boolean Authoritative
/*
 * Dissects a NetLogonSamLogon request. Visible fields, in wire order: the
 * LOGONSRV_HANDLE, the computer name (unique pointer to a string), the
 * client credential AUTHENTICATOR and the return AUTHENTICATOR (both unique
 * pointers), a uint16 logon level, the LEVEL union (ref pointer) and a
 * uint16 validation level.
 *
 * Both level values are decoded with a NULL result pointer, so they are
 * only displayed here and not kept by this function.
 */
1241 netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
1242 packet_info *pinfo, proto_tree *tree, char *drep)
1244 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1247 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1248 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1249 "Computer Name", hf_netlogon_computer_name, 0);
1251 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1252 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1253 "AUTHENTICATOR: credential", -1, 0);
1255 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1256 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1257 "AUTHENTICATOR: return_authenticator", -1, 0);
1259 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1260 hf_netlogon_level16, NULL);
1262 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1263 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1264 "LEVEL: LogonLevel", -1, 0);
1266 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1267 hf_netlogon_validation_level, NULL);
/*
 * Dissects a NetLogonSamLogon reply: the return AUTHENTICATOR (unique
 * pointer), the VALIDATION union (ref pointer), the uint8 authoritative
 * flag and the NTSTATUS return code (hf_netlogon_rc).
 */
1273 netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
1274 packet_info *pinfo, proto_tree *tree, char *drep)
1276 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1277 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1278 "AUTHENTICATOR: return_authenticator", -1, 0);
1280 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1281 netlogon_dissect_VALIDATION, NDR_POINTER_REF,
1282 "VALIDATION:", -1, 0);
1284 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1285 hf_netlogon_authoritative, NULL);
1287 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1288 hf_netlogon_rc, NULL);
1295 * IDL long NetLogonSamLogoff(
1296 * IDL [in][unique][string] wchar_t *ServerName,
1297 * IDL [in][unique][string] wchar_t *ComputerName,
1298 * IDL [in][unique] AUTHENTICATOR credential,
1299 * IDL [in][unique] AUTHENTICATOR return_authenticator,
1300 * IDL [in] short logon_level,
1301 * IDL [in][ref] LEVEL logoninformation
/*
 * Dissects a NetLogonSamLogoff request: the LOGONSRV_HANDLE, the computer
 * name (unique pointer to a string), the credential and return
 * AUTHENTICATORs (unique pointers), a uint16 logon level and the LEVEL
 * union (ref pointer, labelled "LEVEL: logoninformation").
 */
1305 netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
1306 packet_info *pinfo, proto_tree *tree, char *drep)
1308 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1311 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1312 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1313 "Computer Name", hf_netlogon_computer_name, 0);
1315 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1316 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1317 "AUTHENTICATOR: credential", -1, 0);
1319 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1320 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1321 "AUTHENTICATOR: return_authenticator", -1, 0);
1323 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1324 hf_netlogon_level16, NULL);
1326 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1327 netlogon_dissect_LEVEL, NDR_POINTER_REF,
1328 "LEVEL: logoninformation", -1, 0);
/*
 * Dissects a NetLogonSamLogoff reply: the return AUTHENTICATOR (unique
 * pointer) followed by the NTSTATUS return code (hf_netlogon_rc).
 */
1333 netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
1334 packet_info *pinfo, proto_tree *tree, char *drep)
1337 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1338 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
1339 "AUTHENTICATOR: return_authenticator", -1, 0);
1341 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1342 hf_netlogon_rc, NULL);
1349 * IDL long NetServerReqChallenge(
1350 * IDL [in][unique][string] wchar_t *ServerName,
1351 * IDL [in][ref][string] wchar_t *ComputerName,
1352 * IDL [in][ref] CREDENTIAL client_credential,
1353 * IDL [out][ref] CREDENTIAL server_credential
/*
 * Dissects a NetServerReqChallenge request: the LOGONSRV_HANDLE, the
 * computer name (ref pointer to a string) and the client CREDENTIAL
 * (ref pointer, labelled "CREDENTIAL: client challenge").
 */
1357 netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
1358 packet_info *pinfo, proto_tree *tree, char *drep)
1360 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1363 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1364 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1365 "Computer Name", hf_netlogon_computer_name, 0);
1367 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1368 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1369 "CREDENTIAL: client challenge", -1, 0);
/*
 * Dissects a NetServerReqChallenge reply: the server CREDENTIAL (ref
 * pointer) followed by the NTSTATUS return code (hf_netlogon_rc).
 */
1374 netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
1375 packet_info *pinfo, proto_tree *tree, char *drep)
1377 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1378 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1379 "CREDENTIAL: server credential", -1, 0);
1381 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1382 hf_netlogon_rc, NULL);
/*
 * Dissects the secure channel type as a single uint16 shown under
 * hf_netlogon_secure_channel_type. The value is not kept (NULL result
 * pointer).
 */
1389 netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
1390 packet_info *pinfo, proto_tree *tree,
1393 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1394 hf_netlogon_secure_channel_type, NULL);
1401 * IDL long NetServerAuthenticate(
1402 * IDL [in][unique][string] wchar_t *ServerName,
1403 * IDL [in][ref][string] wchar_t *UserName,
1404 * IDL [in] short secure_challenge_type,
1405 * IDL [in][ref][string] wchar_t *ComputerName,
1406 * IDL [in][ref] CREDENTIAL client_challenge,
1407 * IDL [out][ref] CREDENTIAL server_challenge
/*
 * Dissects a NetServerAuthenticate request: the LOGONSRV_HANDLE, the
 * account name (ref pointer to a string, shown as "User Name"), the secure
 * channel type, the computer name (ref pointer to a string) and the client
 * CREDENTIAL (ref pointer).
 */
1411 netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
1412 packet_info *pinfo, proto_tree *tree, char *drep)
1414 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1417 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1418 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1419 "User Name", hf_netlogon_acct_name, 0);
1421 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1424 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1425 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1426 "Computer Name", hf_netlogon_computer_name, 0);
1428 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1429 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1430 "CREDENTIAL: client challenge", -1, 0);
/*
 * Dissects a NetServerAuthenticate reply: the server CREDENTIAL (ref
 * pointer) followed by the NTSTATUS return code (hf_netlogon_rc).
 */
1435 netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
1436 packet_info *pinfo, proto_tree *tree, char *drep)
1438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1439 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
1440 "CREDENTIAL: server challenge", -1, 0);
1442 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1443 hf_netlogon_rc, NULL);
1451 * IDL typedef struct {
1452 * IDL char encrypted_password[16];
1453 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
/*
 * Dissects an ENCRYPTED_LM_OWF_PASSWORD: a fixed 16-byte field added to the
 * tree as hf_netlogon_encrypted_lm_owf_password at the current offset. The
 * length is the constant 16, not a value taken from the packet.
 *
 * di is fetched from pinfo->private_data and di->conformant_run is tested
 * first; per the inline comment that pass has nothing to dissect.
 *
 * NOTE(review): the bytes are shown exactly as captured, so a trace that
 * contains this field holds password-derived material -- presumably still
 * encrypted, as the type name says; confirm against the protocol.
 */
1456 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1457 packet_info *pinfo, proto_tree *tree,
1462 di=pinfo->private_data;
1463 if(di->conformant_run){
1464 /*just a run to handle conformant arrays, nothing to dissect.*/
1468 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
1476 * IDL long NetServerPasswordSet(
1477 * IDL [in][unique][string] wchar_t *ServerName,
1478 * IDL [in][ref][string] wchar_t *UserName,
1479 * IDL [in] short secure_challenge_type,
1480 * IDL [in][ref][string] wchar_t *ComputerName,
1481 * IDL [in][ref] AUTHENTICATOR credential,
1482 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
1483 * IDL [out][ref] AUTHENTICATOR return_authenticator
/*
 * Dissects a NetServerPasswordSet request: the LOGONSRV_HANDLE, the account
 * name (ref pointer to a string), the secure channel type, the computer
 * name (ref pointer to a string), the credential AUTHENTICATOR (ref
 * pointer) and the new password, which is handed to
 * netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD as a ref pointer labelled
 * "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd".
 *
 * Note that the IDL above names the password parameter LM_OWF_PASSWORD
 * while the code dissects it with the ENCRYPTED_LM_OWF_PASSWORD routine.
 */
1487 netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
1488 packet_info *pinfo, proto_tree *tree, char *drep)
1490 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1493 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1494 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1495 "User Name", hf_netlogon_acct_name, 0);
1497 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
1500 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1501 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
1502 "Computer Name", hf_netlogon_computer_name, 0);
1504 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1505 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1506 "AUTHENTICATOR: credential", -1, 0);
1508 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1509 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
1510 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1, 0);
/*
 * Dissects a NetServerPasswordSet reply: the return AUTHENTICATOR (ref
 * pointer) followed by the NTSTATUS return code (hf_netlogon_rc).
 */
1515 netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
1516 packet_info *pinfo, proto_tree *tree, char *drep)
1518 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1519 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
1520 "AUTHENTICATOR: return_authenticator", -1, 0);
1522 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
1523 hf_netlogon_rc, NULL);
1530 * IDL typedef struct {
1531 * IDL [unique][string] wchar_t *UserName;
1532 * IDL UNICODESTRING dummy1;
1533 * IDL UNICODESTRING dummy2;
1534 * IDL UNICODESTRING dummy3;
1535 * IDL UNICODESTRING dummy4;
1540 * IDL } DELTA_DELETE_USER;
/*
 * Dissects a DELTA_DELETE_USER structure: the account name (unique pointer
 * to a string), four dummy UNICODE_STRINGs and four reserved uint32 values.
 *
 * NOTE(review): the account-name pointer passes -1 as the last argument of
 * dissect_ndr_pointer, whereas the other string pointers in this file pass
 * 0 -- confirm that the difference is intended.
 */
1543 netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
1544 packet_info *pinfo, proto_tree *tree,
1547 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1548 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
1549 "Account Name", hf_netlogon_acct_name, -1);
1551 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1552 hf_netlogon_dummy, 0);
1554 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1555 hf_netlogon_dummy, 0);
1557 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1558 hf_netlogon_dummy, 0);
1560 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1561 hf_netlogon_dummy, 0);
1563 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1564 hf_netlogon_reserved, NULL);
1566 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1567 hf_netlogon_reserved, NULL);
1569 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1570 hf_netlogon_reserved, NULL);
1572 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1573 hf_netlogon_reserved, NULL);
1580 * IDL typedef struct {
1581 * IDL bool SensitiveDataFlag;
1582 * IDL long DataLength;
1583 * IDL [unique][size_is(DataLength)] char *SensitiveData;
1584 * IDL } USER_PRIVATE_INFO;
/*
 * Dissects the referent of the SensitiveData pointer in USER_PRIVATE_INFO.
 * di is fetched from pinfo->private_data and di->conformant_run is tested
 * first (per the inline comment, that pass has nothing to dissect). A
 * uint32 length is then read from the packet into data_len, and
 * hf_netlogon_sensitive_data is added to the tree starting at the current
 * offset.
 *
 * NOTE(review): data_len is attacker-controllable wire data. The length
 * argument of proto_tree_add_item and any later adjustment of offset are
 * not visible in this listing -- confirm that data_len is what is used
 * there, that the tvb bounds check rejects an oversized value, and that
 * adding it to the signed int offset cannot wrap.
 */
1587 netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
1588 packet_info *pinfo, proto_tree *tree,
1594 di=pinfo->private_data;
1595 if(di->conformant_run){
1596 /*just a run to handle conformant arrays, nothing to dissect */
1600 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1601 hf_netlogon_sensitive_data_len, &data_len);
1603 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
/*
 * Dissects a USER_PRIVATE_INFO structure: the uint8 sensitive-data flag,
 * the uint32 data length and a unique pointer whose referent is handled by
 * netlogon_dissect_SENSITIVE_DATA.
 *
 * The length read here is only displayed (NULL result pointer); the
 * referent routine reads a length of its own from the packet. The two are
 * separate wire values, so a crafted packet can make them disagree.
 */
1610 netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
1611 packet_info *pinfo, proto_tree *tree,
1614 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1615 hf_netlogon_sensitive_data_flag, NULL);
1617 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1618 hf_netlogon_sensitive_data_len, NULL);
1620 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
1621 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
1622 "SENSITIVE_DATA", -1, 0);
1628 * IDL typedef struct {
1629 * IDL UNICODESTRING UserName;
1630 * IDL UNICODESTRING FullName;
1632 * IDL long PrimaryGroupID;
1633 * IDL UNICODESTRING HomeDir;
1634 * IDL UNICODESTRING HomeDirDrive;
1635 * IDL UNICODESTRING LogonScript;
1636 * IDL UNICODESTRING Comment;
1637 * IDL UNICODESTRING Workstations;
1638 * IDL NTTIME LastLogon;
1639 * IDL NTTIME LastLogoff;
1640 * IDL LOGON_HOURS logonhours;
1641 * IDL short BadPwCount;
1642 * IDL short LogonCount;
1643 * IDL NTTIME PwLastSet;
1644 * IDL NTTIME AccountExpires;
1645 * IDL long AccountControl;
1646 * IDL LM_OWF_PASSWORD lmpw;
1647 * IDL NT_OWF_PASSWORD ntpw;
1648 * IDL bool NTPwPresent;
1649 * IDL bool LMPwPresent;
1650 * IDL bool PwExpired;
1651 * IDL UNICODESTRING UserComment;
1652 * IDL UNICODESTRING Parameters;
1653 * IDL short CountryCode;
1654 * IDL short CodePage;
1655 * IDL USER_PRIVATE_INFO user_private_info;
1656 * IDL long SecurityInformation;
1657 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1658 * IDL UNICODESTRING dummy1;
1659 * IDL UNICODESTRING dummy2;
1660 * IDL UNICODESTRING dummy3;
1661 * IDL UNICODESTRING dummy4;
/*
 * Dissects a DELTA_USER structure (a replicated user account record).
 * Visible fields, in wire order: account name, full name, user RID, group
 * RID, home directory, home directory drive, logon script, account
 * description, workstations, last logon and logoff times, logon hours, bad
 * password count, logon count, password-last-set and account-expiry times,
 * account control flags, the LM and NT OWF password fields, three uint8
 * flags (NT password present, LM password present, password expired),
 * comment, parameters, country code, code page, USER_PRIVATE_INFO, the
 * security information mask, an LSA security descriptor, four dummy
 * UNICODE_STRINGs and four reserved uint32 values.
 *
 * This record carries the account's OWF password fields and the sensitive
 * private data blob, so a capture that contains it holds credential
 * material for the replicated account.
 */
1669 netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
1670 packet_info *pinfo, proto_tree *tree,
1673 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1674 hf_netlogon_acct_name, 0);
1676 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1677 hf_netlogon_full_name, 0);
1679 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1680 hf_netlogon_user_rid, NULL);
1682 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1683 hf_netlogon_group_rid, NULL);
1685 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1686 hf_netlogon_home_dir, 0);
1688 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1689 hf_netlogon_dir_drive, 0);
1691 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1692 hf_netlogon_logon_script, 0);
1694 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1695 hf_netlogon_acct_desc, 0);
1697 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1698 hf_netlogon_workstations, 0);
1700 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1701 hf_netlogon_logon_time);
1703 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1704 hf_netlogon_logoff_time);
1706 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
1708 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1709 hf_netlogon_bad_pw_count16, NULL);
1711 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1712 hf_netlogon_logon_count16, NULL);
1714 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1715 hf_netlogon_pwd_last_set_time);
1717 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1718 hf_netlogon_acct_expiry_time);
1720 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
1722 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1725 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1728 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1729 hf_netlogon_nt_pwd_present, NULL);
1731 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1732 hf_netlogon_lm_pwd_present, NULL);
1734 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
1735 hf_netlogon_pwd_expired, NULL);
1737 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1738 hf_netlogon_comment, 0);
1740 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1741 hf_netlogon_parameters, 0);
1743 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1744 hf_netlogon_country, NULL);
1746 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1747 hf_netlogon_codepage, NULL);
1749 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
1752 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1753 hf_netlogon_security_information, NULL);
1755 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1758 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1759 hf_netlogon_dummy, 0);
1761 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1762 hf_netlogon_dummy, 0);
1764 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1765 hf_netlogon_dummy, 0);
1767 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1768 hf_netlogon_dummy, 0);
1770 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1771 hf_netlogon_reserved, NULL);
1773 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1774 hf_netlogon_reserved, NULL);
1776 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1777 hf_netlogon_reserved, NULL);
1779 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1780 hf_netlogon_reserved, NULL);
1787 * IDL typedef struct {
1788 * IDL UNICODESTRING DomainName;
1789 * IDL UNICODESTRING OEMInfo;
1790 * IDL NTTIME forcedlogoff;
1791 * IDL short minpasswdlen;
1792 * IDL short passwdhistorylen;
1793 * IDL NTTIME pwd_must_change_time;
1794 * IDL NTTIME pwd_can_change_time;
1795 * IDL NTTIME domain_modify_time;
1796 * IDL NTTIME domain_create_time;
1797 * IDL long SecurityInformation;
1798 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1799 * IDL UNICODESTRING dummy1;
1800 * IDL UNICODESTRING dummy2;
1801 * IDL UNICODESTRING dummy3;
1802 * IDL UNICODESTRING dummy4;
1807 * IDL } DELTA_DOMAIN;
/*
 * Dissects a DELTA_DOMAIN structure (domain-wide account policy). Visible
 * fields, in wire order: domain name, OEM info, forced-logoff time (shown
 * as hf_netlogon_kickoff_time), minimum password length and password
 * history length (uint16 each), password must-change and can-change times,
 * domain modify and create times, the security information mask, an LSA
 * security descriptor, four dummy UNICODE_STRINGs and four reserved uint32
 * values.
 *
 * The domain name is the only string dissected with a trailing argument of
 * 1; the other strings pass 0.
 */
1810 netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
1811 packet_info *pinfo, proto_tree *tree,
1814 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1815 hf_netlogon_domain_name, 1);
1817 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1818 hf_netlogon_oem_info, 0);
1820 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1821 hf_netlogon_kickoff_time);
1823 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1824 hf_netlogon_minpasswdlen, NULL);
1826 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
1827 hf_netlogon_passwdhistorylen, NULL);
1829 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1830 hf_netlogon_pwd_must_change_time);
1832 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1833 hf_netlogon_pwd_can_change_time);
1835 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1836 hf_netlogon_domain_modify_time);
1838 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
1839 hf_netlogon_domain_create_time);
1841 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1842 hf_netlogon_security_information, NULL);
1844 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1847 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1848 hf_netlogon_dummy, 0);
1850 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1851 hf_netlogon_dummy, 0);
1853 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1854 hf_netlogon_dummy, 0);
1856 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1857 hf_netlogon_dummy, 0);
1859 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1860 hf_netlogon_reserved, NULL);
1862 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1863 hf_netlogon_reserved, NULL);
1865 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1866 hf_netlogon_reserved, NULL);
1868 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1869 hf_netlogon_reserved, NULL);
1876 * IDL typedef struct {
1877 * IDL UNICODESTRING groupname;
1878 * IDL GROUP_MEMBERSHIP group_membership;
1879 * IDL UNICODESTRING comment;
1880 * IDL long SecurityInformation;
1881 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
1882 * IDL UNICODESTRING dummy1;
1883 * IDL UNICODESTRING dummy2;
1884 * IDL UNICODESTRING dummy3;
1885 * IDL UNICODESTRING dummy4;
1890 * IDL } DELTA_GROUP;
/*
 * Dissects a DELTA_GROUP structure: group name, the GROUP_MEMBERSHIP
 * sub-structure, group description, the security information mask, an LSA
 * security descriptor, four dummy UNICODE_STRINGs and four reserved uint32
 * values.
 */
1893 netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
1894 packet_info *pinfo, proto_tree *tree,
1897 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1898 hf_netlogon_group_name, 1);
1900 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
1903 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1904 hf_netlogon_group_desc, 0);
1906 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1907 hf_netlogon_security_information, NULL);
1909 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
1912 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1913 hf_netlogon_dummy, 0);
1915 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1916 hf_netlogon_dummy, 0);
1918 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1919 hf_netlogon_dummy, 0);
1921 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1922 hf_netlogon_dummy, 0);
1924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1925 hf_netlogon_reserved, NULL);
1927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1928 hf_netlogon_reserved, NULL);
1930 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1931 hf_netlogon_reserved, NULL);
1933 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1934 hf_netlogon_reserved, NULL);
1941 * IDL typedef struct {
1942 * IDL UNICODESTRING OldName;
1943 * IDL UNICODESTRING NewName;
1944 * IDL UNICODESTRING dummy1;
1945 * IDL UNICODESTRING dummy2;
1946 * IDL UNICODESTRING dummy3;
1947 * IDL UNICODESTRING dummy4;
1952 * IDL } DELTA_RENAME;
/*
 * Dissects a DELTA_RENAME structure: two UNICODE_STRINGs (OldName and
 * NewName per the IDL), four dummy UNICODE_STRINGs and four reserved uint32
 * values.
 *
 * di is fetched from pinfo->private_data before the two name strings are
 * dissected; the field index passed for those two strings is not visible
 * in this listing -- presumably it is taken from di; confirm.
 */
1955 netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
1956 packet_info *pinfo, proto_tree *tree,
1961 di=pinfo->private_data;
1963 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1966 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1969 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1970 hf_netlogon_dummy, 0);
1972 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1973 hf_netlogon_dummy, 0);
1975 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1976 hf_netlogon_dummy, 0);
1978 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
1979 hf_netlogon_dummy, 0);
1981 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1982 hf_netlogon_reserved, NULL);
1984 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1985 hf_netlogon_reserved, NULL);
1987 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1988 hf_netlogon_reserved, NULL);
1990 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
1991 hf_netlogon_reserved, NULL);
/*
 * Dissects one RID as a uint32 shown under hf_netlogon_user_rid. Used as
 * the per-element callback of netlogon_dissect_RID_array.
 */
1998 netlogon_dissect_RID(tvbuff_t *tvb, int offset,
1999 packet_info *pinfo, proto_tree *tree,
2002 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2003 hf_netlogon_user_rid, NULL);
/*
 * Dissects an array of RIDs by handing netlogon_dissect_RID to
 * dissect_ndr_ucarray as the element callback.
 *
 * NOTE(review): the element count is not read in this function; presumably
 * dissect_ndr_ucarray takes it from the array header in the packet --
 * confirm that an oversized count stops at the end of the tvb.
 */
2009 netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
2010 packet_info *pinfo, proto_tree *tree,
2013 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2014 netlogon_dissect_RID);
/*
 * Dissects one attribute value as a uint32 shown under hf_netlogon_attrs.
 * Used as the per-element callback of netlogon_dissect_ATTRIB_array.
 */
2020 netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
2021 packet_info *pinfo, proto_tree *tree,
2024 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2025 hf_netlogon_attrs, NULL);
/*
 * Dissects an array of attribute values by handing netlogon_dissect_ATTRIB
 * to dissect_ndr_ucarray as the element callback. The element count is not
 * read in this function.
 */
2031 netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
2032 packet_info *pinfo, proto_tree *tree,
2035 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2036 netlogon_dissect_ATTRIB);
2042 * IDL typedef struct {
2043 * IDL [unique][size_is(num_rids)] long *rids;
2044 * IDL [unique][size_is(num_rids)] long *attribs;
2045 * IDL long num_rids;
2050 * IDL } DELTA_GROUP_MEMBER;
/*
 * Dissects a DELTA_GROUP_MEMBER structure: a unique pointer to the RID
 * array, a unique pointer to the attribute array, the uint32 num_rids and
 * four reserved uint32 values.
 *
 * num_rids is only displayed (NULL result pointer); it is not passed to the
 * two array routines, so the arrays' element counts come from elsewhere in
 * the packet and need not agree with it.
 */
2053 netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
2054 packet_info *pinfo, proto_tree *tree,
2057 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2058 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
2061 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2062 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
2065 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2066 hf_netlogon_num_rids, NULL);
2068 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2069 hf_netlogon_reserved, NULL);
2071 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2072 hf_netlogon_reserved, NULL);
2074 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2075 hf_netlogon_reserved, NULL);
2077 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2078 hf_netlogon_reserved, NULL);
2085 * IDL typedef struct {
2086 * IDL UNICODESTRING alias_name;
2088 * IDL long SecurityInformation;
2089 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2090 * IDL UNICODESTRING dummy1;
2091 * IDL UNICODESTRING dummy2;
2092 * IDL UNICODESTRING dummy3;
2093 * IDL UNICODESTRING dummy4;
2098 * IDL } DELTA_ALIAS;
/*
 * Dissects a DELTA_ALIAS structure: alias name, alias RID (uint32), the
 * security information mask, an LSA security descriptor, four dummy
 * UNICODE_STRINGs and four reserved uint32 values.
 */
2101 netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
2102 packet_info *pinfo, proto_tree *tree,
2105 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2106 hf_netlogon_alias_name, 1);
2108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2109 hf_netlogon_alias_rid, NULL);
2111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2112 hf_netlogon_security_information, NULL);
2114 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2117 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2118 hf_netlogon_dummy, 0);
2120 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2121 hf_netlogon_dummy, 0);
2123 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2124 hf_netlogon_dummy, 0);
2126 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2127 hf_netlogon_dummy, 0);
2129 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2130 hf_netlogon_reserved, NULL);
2132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2133 hf_netlogon_reserved, NULL);
2135 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2136 hf_netlogon_reserved, NULL);
2138 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2139 hf_netlogon_reserved, NULL);
2146 * IDL typedef struct {
2147 * IDL [unique] SID_ARRAY sids;
2152 * IDL } DELTA_ALIAS_MEMBER;
/*
 * Dissects a DELTA_ALIAS_MEMBER structure: the member SID array (via
 * dissect_ndr_nt_PSID_ARRAY) followed by four reserved uint32 values.
 */
2155 netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
2156 packet_info *pinfo, proto_tree *tree,
2159 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
2161 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2162 hf_netlogon_reserved, NULL);
2164 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2165 hf_netlogon_reserved, NULL);
2167 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2168 hf_netlogon_reserved, NULL);
2170 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2171 hf_netlogon_reserved, NULL);
/*
 * Dissects one event audit option as a uint32 shown under
 * hf_netlogon_event_audit_option. Used as the per-element callback of
 * netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY.
 */
2178 netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
2179 packet_info *pinfo, proto_tree *tree,
2182 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2183 hf_netlogon_event_audit_option, NULL);
/*
 * Dissects the event audit options array by handing
 * netlogon_dissect_EVENT_AUDIT_OPTION to dissect_ndr_ucarray as the element
 * callback. The element count is not read in this function.
 */
2189 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
2190 packet_info *pinfo, proto_tree *tree,
2193 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2194 netlogon_dissect_EVENT_AUDIT_OPTION);
2201 * IDL typedef struct {
2202 * IDL long pagedpoollimit;
2203 * IDL long nonpagedpoollimit;
2204 * IDL long minimumworkingsetsize;
2205 * IDL long maximumworkingsetsize;
2206 * IDL long pagefilelimit;
2207 * IDL NTTIME timelimit;
2208 * IDL } QUOTA_LIMITS;
/*
 * Dissects a QUOTA_LIMITS structure under its own subtree. A text item is
 * added to parent_tree at the starting offset with length 0 and given the
 * ett_QUOTA_LIMITS subtree. The five uint32 limits (paged pool, non-paged
 * pool, minimum and maximum working set size, page file) and the NTTIME
 * time limit are then decoded into that subtree, and the item length is
 * finally set to the number of bytes consumed (offset - old_offset).
 *
 * item and tree start out as NULL, so the field calls receive a NULL tree
 * whenever the subtree is not created.
 */
2211 netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
2212 packet_info *pinfo, proto_tree *parent_tree,
2215 proto_item *item=NULL;
2216 proto_tree *tree=NULL;
2217 int old_offset=offset;
2220 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2222 tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
2225 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2226 hf_netlogon_pagedpoollimit, NULL);
2228 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2229 hf_netlogon_nonpagedpoollimit, NULL);
2231 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2232 hf_netlogon_minworkingsetsize, NULL);
2234 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2235 hf_netlogon_maxworkingsetsize, NULL);
2237 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2238 hf_netlogon_pagefilelimit, NULL);
2240 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2241 hf_netlogon_timelimit);
2243 proto_item_set_len(item, offset-old_offset);
2249 * IDL typedef struct {
2250 * IDL long maxlogsize;
2251 * IDL NTTIME auditretentionperiod;
2252 * IDL bool auditingmode;
2253 * IDL long maxauditeventcount;
2254 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
2255 * IDL UNICODESTRING primarydomainname;
2256 * IDL [unique] SID *sid;
2257 * IDL QUOTA_LIMITS quota_limits;
2258 * IDL NTTIME db_modify_time;
2259 * IDL NTTIME db_create_time;
2260 * IDL long SecurityInformation;
2261 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2262 * IDL UNICODESTRING dummy1;
2263 * IDL UNICODESTRING dummy2;
2264 * IDL UNICODESTRING dummy3;
2265 * IDL UNICODESTRING dummy4;
2270 * IDL } DELTA_POLICY;
/*
 * Dissects a DELTA_POLICY structure (replicated LSA policy). Visible
 * fields, in wire order: maximum log size, audit retention period, the
 * uint8 auditing mode, maximum audit event count, a unique pointer to the
 * event audit options array, the primary domain name, the domain SID, the
 * QUOTA_LIMITS sub-structure, database modify and create times, the
 * security information mask, an LSA security descriptor, four dummy
 * UNICODE_STRINGs and four reserved uint32 values.
 *
 * The maximum audit event count is only displayed (NULL result pointer);
 * it is not passed to the array routine, so the array's element count
 * comes from elsewhere in the packet.
 */
2273 netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
2274 packet_info *pinfo, proto_tree *tree,
2277 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2278 hf_netlogon_max_log_size, NULL);
2280 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2281 hf_netlogon_audit_retention_period);
2283 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
2284 hf_netlogon_auditing_mode, NULL);
2286 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2287 hf_netlogon_max_audit_event_count, NULL);
2289 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2290 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
2291 "Event Audit Options:", -1, 0);
2293 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2294 hf_netlogon_domain_name, 0);
2296 offset = dissect_ndr_nt_PSID(tvb, offset,
2299 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2302 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2303 hf_netlogon_db_modify_time);
2305 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2306 hf_netlogon_db_create_time);
2308 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2309 hf_netlogon_security_information, NULL);
2311 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
2314 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2315 hf_netlogon_dummy, 0);
2317 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2318 hf_netlogon_dummy, 0);
2320 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2321 hf_netlogon_dummy, 0);
2323 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2324 hf_netlogon_dummy, 0);
2326 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2327 hf_netlogon_reserved, NULL);
2329 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2330 hf_netlogon_reserved, NULL);
2332 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2333 hf_netlogon_reserved, NULL);
2335 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2336 hf_netlogon_reserved, NULL);
/*
 * Dissects one domain controller name as a UNICODE_STRING shown under
 * hf_netlogon_dc_name. Used as the per-element callback of
 * netlogon_dissect_CONTROLLER_ARRAY.
 */
2343 netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
2344 packet_info *pinfo, proto_tree *tree,
2347 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2348 hf_netlogon_dc_name, 1);
/*
 * Dissects the array of domain controller names by handing
 * netlogon_dissect_CONTROLLER to dissect_ndr_ucarray as the element
 * callback. The element count is not read in this function.
 */
2354 netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
2355 packet_info *pinfo, proto_tree *tree,
2358 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2359 netlogon_dissect_CONTROLLER);
2366 * IDL typedef struct {
2367 * IDL UNICODESTRING DomainName;
2368 * IDL long num_controllers;
2369 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
2370 * IDL long SecurityInformation;
2371 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2372 * IDL UNICODESTRING dummy1;
2373 * IDL UNICODESTRING dummy2;
2374 * IDL UNICODESTRING dummy3;
2375 * IDL UNICODESTRING dummy4;
2380 * IDL } DELTA_TRUSTED_DOMAINS;
/*
 * Dissects a DELTA_TRUSTED_DOMAINS structure in wire order: domain name,
 * num_controllers, unique pointer to the controller-name array, security
 * information, security descriptor, four dummy strings and four reserved
 * words. The running offset is threaded through every helper call.
 */
2383 netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
2384 packet_info *pinfo, proto_tree *tree,
2387 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2388 hf_netlogon_domain_name, 0);
/* num_controllers is only displayed (NULL out-pointer); it is not kept to
 * cross-check the length of the array dissected next. */
2390 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2391 hf_netlogon_num_controllers, NULL);
2393 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2394 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
2395 "Domain Controllers:", -1, 0);
2397 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2398 hf_netlogon_security_information, NULL);
2400 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL, all shown under hf_netlogon_dummy */
2403 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2404 hf_netlogon_dummy, 0);
2406 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2407 hf_netlogon_dummy, 0);
2409 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2410 hf_netlogon_dummy, 0);
2412 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2413 hf_netlogon_dummy, 0);
/* four trailing 32-bit words, all shown under hf_netlogon_reserved */
2415 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2416 hf_netlogon_reserved, NULL);
2418 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2419 hf_netlogon_reserved, NULL);
2421 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2422 hf_netlogon_reserved, NULL);
2424 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2425 hf_netlogon_reserved, NULL);
/*
 * Per-element callback for the privilege attribute array: dissects one
 * 32-bit value under hf_netlogon_attrs. The value is displayed only
 * (NULL out-pointer).
 */
2432 netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
2433 packet_info *pinfo, proto_tree *tree,
2436 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2437 hf_netlogon_attrs, NULL);
/*
 * Dissects the privilege attribute array by passing
 * netlogon_dissect_PRIV_ATTR to dissect_ndr_ucarray as the element
 * callback.
 * NOTE(review): the element count is not supplied here; presumably it comes
 * from the NDR conformance data in the packet - confirm.
 */
2443 netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
2444 packet_info *pinfo, proto_tree *tree,
2447 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2448 netlogon_dissect_PRIV_ATTR);
/*
 * Per-element callback for the privilege name array: dissects one
 * UNICODE_STRING under hf_netlogon_privilege_name.
 */
2454 netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
2455 packet_info *pinfo, proto_tree *tree,
2458 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2459 hf_netlogon_privilege_name, 1);
/*
 * Dissects the privilege name array by passing netlogon_dissect_PRIV_NAME
 * to dissect_ndr_ucarray as the element callback.
 * NOTE(review): the element count is not supplied here; presumably it comes
 * from the NDR conformance data in the packet - confirm.
 */
2465 netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
2466 packet_info *pinfo, proto_tree *tree,
2469 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
2470 netlogon_dissect_PRIV_NAME);
2478 * IDL typedef struct {
2479 * IDL long privilegeentries;
2480 * IDL long privilegecontrol;
2481 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
2482 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
2483 * IDL QUOTALIMITS quotalimits;
2484 * IDL long SecurityInformation;
2485 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2486 * IDL UNICODESTRING dummy1;
2487 * IDL UNICODESTRING dummy2;
2488 * IDL UNICODESTRING dummy3;
2489 * IDL UNICODESTRING dummy4;
2494 * IDL } DELTA_ACCOUNTS;
/*
 * Dissects a DELTA_ACCOUNTS structure in wire order: privilege entry count,
 * privilege control, unique pointers to the attribute and name arrays,
 * quota limits, system flags, security information, security descriptor,
 * four dummy strings and four reserved words.
 * NOTE(review): a 32-bit hf_netlogon_systemflags field is dissected between
 * the quota limits and SecurityInformation, but the visible lines of the
 * IDL comment for this structure do not list it. Verify the layout against
 * a capture.
 */
2497 netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
2498 packet_info *pinfo, proto_tree *tree,
/* The entry count is only displayed (NULL out-pointer); it is not kept to
 * cross-check the two arrays dissected below. */
2501 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2502 hf_netlogon_privilege_entries, NULL);
2504 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2505 hf_netlogon_privilege_control, NULL);
2507 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2508 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
2509 "PRIV_ATTR_ARRAY:", -1, 0);
2511 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2512 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
2513 "PRIV_NAME_ARRAY:", -1, 0);
2515 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
2518 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2519 hf_netlogon_systemflags, NULL);
2521 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2522 hf_netlogon_security_information, NULL);
2524 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL, all shown under hf_netlogon_dummy */
2527 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2528 hf_netlogon_dummy, 0);
2530 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2531 hf_netlogon_dummy, 0);
2533 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2534 hf_netlogon_dummy, 0);
2536 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2537 hf_netlogon_dummy, 0);
/* four trailing 32-bit words, all shown under hf_netlogon_reserved */
2539 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2540 hf_netlogon_reserved, NULL);
2542 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2543 hf_netlogon_reserved, NULL);
2545 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2546 hf_netlogon_reserved, NULL);
2548 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2549 hf_netlogon_reserved, NULL);
2555 * IDL typedef struct {
2558 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
2559 * IDL } CIPHER_VALUE;
/*
 * Pointer callback for the cipher_data member of CIPHER_VALUE (it is handed
 * to dissect_ndr_pointer by netlogon_dissect_CIPHER_VALUE). On the
 * conformant run there is nothing to dissect; otherwise the maxlen and len
 * words are dissected and the cipher bytes are added to the tree under
 * di->hf_index.
 * NOTE(review): data_len comes straight from the packet and nothing visible
 * here compares it with maxlen or with the bytes remaining in the tvb. The
 * lines that consume data_len are not part of this listing. Confirm the
 * item length is bounds-checked by proto_tree_add_item, and that advancing
 * the signed int offset by a packet-supplied length cannot wrap.
 */
2562 netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
2563 packet_info *pinfo, proto_tree *tree,
2569 di=pinfo->private_data;
2570 if(di->conformant_run){
2571 /*just a run to handle conformant arrays, nothing to dissect */
2575 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2576 hf_netlogon_cipher_maxlen, NULL);
/* actual length of the cipher data, as claimed by the sender */
2581 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2582 hf_netlogon_cipher_len, &data_len);
2584 proto_tree_add_item(tree, di->hf_index, tvb, offset,
/*
 * Dissects a CIPHER_VALUE structure into its own subtree
 * (ett_CYPHER_VALUE): the len word, the maxlen word, then a unique pointer
 * whose referent is handled by netlogon_dissect_CIPHER_VALUE_DATA. After
 * dissection the subtree item's length is set to the number of bytes
 * consumed.
 * name and hf_index are supplied by the caller; the lines that use them
 * are not part of this listing.
 * NOTE(review): both length words are displayed only (NULL out-pointers),
 * so no len <= maxlen consistency check happens at this level.
 */
2591 netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
2592 packet_info *pinfo, proto_tree *parent_tree,
2593 char *drep, char *name, int hf_index)
2595 proto_item *item=NULL;
2596 proto_tree *tree=NULL;
2597 int old_offset=offset;
2600 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2602 tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
2605 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2606 hf_netlogon_cipher_len, NULL);
2608 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
2609 hf_netlogon_cipher_maxlen, NULL);
2611 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2612 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
/* the item was created with length 0; fix it up now that the size is known */
2615 proto_item_set_len(item, offset-old_offset);
2620 * IDL typedef struct {
2621 * IDL CIPHER_VALUE current_cipher;
2622 * IDL NTTIME current_cipher_set_time;
2623 * IDL CIPHER_VALUE old_cipher;
2624 * IDL NTTIME old_cipher_set_time;
2625 * IDL long SecurityInformation;
2626 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
2627 * IDL UNICODESTRING dummy1;
2628 * IDL UNICODESTRING dummy2;
2629 * IDL UNICODESTRING dummy3;
2630 * IDL UNICODESTRING dummy4;
2635 * IDL } DELTA_SECRET;
/*
 * Dissects a DELTA_SECRET structure in wire order: current cipher value and
 * its set time, old cipher value and its set time, security information,
 * security descriptor, four dummy strings and four reserved words.
 * NOTE(review): judging by the field names the two CIPHER_VALUE blobs are
 * the encrypted secret values. They are added to the tree as opaque bytes
 * and nothing visible here decrypts them. Capture files containing this
 * delta still hold that material and should be treated as sensitive.
 */
2638 netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
2639 packet_info *pinfo, proto_tree *tree,
2642 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2644 "CIPHER_VALUE: current cipher value",
2645 hf_netlogon_cipher_current_data);
2647 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2648 hf_netlogon_cipher_current_set_time);
2650 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
2652 "CIPHER_VALUE: old cipher value",
2653 hf_netlogon_cipher_old_data);
2655 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
2656 hf_netlogon_cipher_old_set_time);
2658 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2659 hf_netlogon_security_information, NULL);
2661 offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
/* dummy1..dummy4 of the IDL, all shown under hf_netlogon_dummy */
2664 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2665 hf_netlogon_dummy, 0);
2667 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2668 hf_netlogon_dummy, 0);
2670 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2671 hf_netlogon_dummy, 0);
2673 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
2674 hf_netlogon_dummy, 0);
/* four trailing 32-bit words, all shown under hf_netlogon_reserved */
2676 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2677 hf_netlogon_reserved, NULL);
2679 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2680 hf_netlogon_reserved, NULL);
2682 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2683 hf_netlogon_reserved, NULL);
2685 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2686 hf_netlogon_reserved, NULL);
2692 * IDL typedef struct {
2693 * IDL long low_value;
2694 * IDL long high_value;
/*
 * Dissects a MODIFIED_COUNT. The IDL describes it as two longs (low_value,
 * high_value); here it is read as one 64-bit value under
 * hf_netlogon_modify_count.
 */
2698 netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
2699 packet_info *pinfo, proto_tree *tree,
2702 offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
2703 hf_netlogon_modify_count, NULL);
/*
 * Delta type codes and their display strings. The same numbers are the case
 * labels of DELTA_UNION in the IDL comment below. The numbering is sparse:
 * 3, 6, 10, 15, 17 and 19 have no constant and no table entry.
 * The closing lines of the table are not part of this listing.
 */
2709 #define DT_DELTA_DOMAIN 1
2710 #define DT_DELTA_GROUP 2
2711 #define DT_DELTA_RENAME_GROUP 4
2712 #define DT_DELTA_USER 5
2713 #define DT_DELTA_RENAME_USER 7
2714 #define DT_DELTA_GROUP_MEMBER 8
2715 #define DT_DELTA_ALIAS 9
2716 #define DT_DELTA_RENAME_ALIAS 11
2717 #define DT_DELTA_ALIAS_MEMBER 12
2718 #define DT_DELTA_POLICY 13
2719 #define DT_DELTA_TRUSTED_DOMAINS 14
2720 #define DT_DELTA_ACCOUNTS 16
2721 #define DT_DELTA_SECRET 18
2722 #define DT_DELTA_DELETE_GROUP 20
2723 #define DT_DELTA_DELETE_USER 21
2724 #define DT_MODIFIED_COUNT 22
/* value -> label table for the delta type constants above */
2725 static const value_string delta_type_vals[] = {
2726 { DT_DELTA_DOMAIN, "Domain" },
2727 { DT_DELTA_GROUP, "Group" },
2728 { DT_DELTA_RENAME_GROUP, "Rename Group" },
2729 { DT_DELTA_USER, "User" },
2730 { DT_DELTA_RENAME_USER, "Rename User" },
2731 { DT_DELTA_GROUP_MEMBER, "Group Member" },
2732 { DT_DELTA_ALIAS, "Alias" },
2733 { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
2734 { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
2735 { DT_DELTA_POLICY, "Policy" },
2736 { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
2737 { DT_DELTA_ACCOUNTS, "Accounts" },
2738 { DT_DELTA_SECRET, "Secret" },
2739 { DT_DELTA_DELETE_GROUP, "Delete Group" },
2740 { DT_DELTA_DELETE_USER, "Delete User" },
2741 { DT_MODIFIED_COUNT, "Modified Count" },
2745 * IDL typedef [switch_type(short)] union {
2746 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
2747 * IDL [case(2)][unique] DELTA_GROUP *group;
2748 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
2749 * IDL [case(5)][unique] DELTA_USER *user;
2750 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
2751 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
2752 * IDL [case(9)][unique] DELTA_ALIAS *alias;
2753 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
2754 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
2755 * IDL [case(13)][unique] DELTA_POLICY *policy;
2756 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
2757 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
2758 * IDL [case(18)][unique] DELTA_SECRET *secret;
2759 * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
2760 * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
2761 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
2762 * IDL } DELTA_UNION;
/*
 * Dissects a DELTA_UNION into its own subtree (ett_DELTA_UNION): reads the
 * 16-bit discriminant into level, then dissects one unique pointer whose
 * referent is the structure for that delta type. The subtree item's length
 * is fixed up at the end.
 * The switch and case lines are not part of this listing; the arms below
 * appear in the same order as the cases of the IDL comment (1, 2, 4, 5, 7,
 * 8, 9, 11, 12, 13, 14, 16, 18, 20, 21, 22).
 * NOTE(review): level is taken from the packet. Confirm that a value outside
 * the listed cases dissects no arm rather than falling into one.
 */
2765 netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
2766 packet_info *pinfo, proto_tree *parent_tree,
2769 proto_item *item=NULL;
2770 proto_tree *tree=NULL;
2771 int old_offset=offset;
2775 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2777 tree = proto_item_add_subtree(item, ett_DELTA_UNION);
2780 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2781 hf_netlogon_delta_type, &level);
2786 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2787 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
2788 "DELTA_DOMAIN:", -1, 0);
2791 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2792 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
2793 "DELTA_GROUP:", -1, 0);
/* The three rename arms share netlogon_dissect_DELTA_RENAME and differ only
 * in the hf index passed through dissect_ndr_pointer. */
2796 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2797 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2798 "DELTA_RENAME_GROUP:", hf_netlogon_group_name, 0);
2801 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2802 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
2803 "DELTA_USER:", -1, 0);
2806 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2807 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2808 "DELTA_RENAME_USER:", hf_netlogon_acct_name, 0);
2811 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2812 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
2813 "DELTA_GROUP_MEMBER:", -1, 0);
2816 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2817 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
2818 "DELTA_ALIAS:", -1, 0);
2821 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2822 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
2823 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name, 0);
2826 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2827 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
2828 "DELTA_ALIAS_MEMBER:", -1, 0);
2831 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2832 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
2833 "DELTA_POLICY:", -1, 0);
2836 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2837 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
2838 "DELTA_TRUSTED_DOMAINS:", -1, 0);
2841 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2842 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
2843 "DELTA_ACCOUNTS:", -1, 0);
2846 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2847 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
2848 "DELTA_SECRET:", -1, 0);
/* Delete-group and delete-user both use netlogon_dissect_DELTA_DELETE_USER,
 * which matches the IDL comment (both cases are typed DELTA_DELETE_USER). */
2851 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2852 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2853 "DELTA_DELETE_GROUP:", -1, 0);
2856 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2857 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
2858 "DELTA_DELETE_USER:", -1, 0);
2861 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2862 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
2863 "MODIFIED_COUNT:", -1, 0);
/* the item was created with length 0; fix it up now that the size is known */
2867 proto_item_set_len(item, offset-old_offset);
2873 /* IDL XXX must verify this one, especially 13-19
2874 * IDL typedef [switch_type(short)] union {
2875 * IDL [case(1)] long rid;
2876 * IDL [case(2)] long rid;
2877 * IDL [case(3)] long rid;
2878 * IDL [case(4)] long rid;
2879 * IDL [case(5)] long rid;
2880 * IDL [case(6)] long rid;
2881 * IDL [case(7)] long rid;
2882 * IDL [case(8)] long rid;
2883 * IDL [case(9)] long rid;
2884 * IDL [case(10)] long rid;
2885 * IDL [case(11)] long rid;
2886 * IDL [case(12)] long rid;
2887 * IDL [case(13)] [unique] SID *sid;
2888 * IDL [case(14)] [unique] SID *sid;
2889 * IDL [case(15)] [unique] SID *sid;
2890 * IDL [case(16)] [unique] SID *sid;
2891 * IDL [case(17)] [unique] SID *sid;
2892 * IDL [case(18)] [unique][string] wchar_t *Name ;
2893 * IDL [case(19)] [unique][string] wchar_t *Name ;
2894 * IDL [case(20)] long rid;
2895 * IDL [case(21)] long rid;
2896 * IDL } DELTA_ID_UNION;
/*
 * Dissects a DELTA_ID_UNION into its own subtree (ett_DELTA_ID_UNION):
 * reads the 16-bit discriminant into level, then dissects the identifier
 * for that delta type. The arms below are twelve RIDs, five SID pointers,
 * two unique string pointers and two more RIDs, which lines up with cases
 * 1-12, 13-17, 18-19 and 20-21 of the IDL comment. The switch and case
 * lines are not part of this listing.
 * NOTE(review): the IDL comment itself flags this layout as unverified
 * ("especially 13-19"), and the two string arms are labelled "unknown".
 * level is taken from the packet; confirm that an unlisted value dissects
 * no arm.
 */
2899 netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
2900 packet_info *pinfo, proto_tree *parent_tree,
2903 proto_item *item=NULL;
2904 proto_tree *tree=NULL;
2905 int old_offset=offset;
2909 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
2911 tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
2914 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
2915 hf_netlogon_level16, &level);
/* twelve RID arms, all shown under hf_netlogon_user_rid */
2920 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2921 hf_netlogon_user_rid, NULL);
2924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2925 hf_netlogon_user_rid, NULL);
2928 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2929 hf_netlogon_user_rid, NULL);
2932 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2933 hf_netlogon_user_rid, NULL);
2936 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2937 hf_netlogon_user_rid, NULL);
2940 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2941 hf_netlogon_user_rid, NULL);
2944 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2945 hf_netlogon_user_rid, NULL);
2948 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2949 hf_netlogon_user_rid, NULL);
2952 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2953 hf_netlogon_user_rid, NULL);
2956 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2957 hf_netlogon_user_rid, NULL);
2960 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2961 hf_netlogon_user_rid, NULL);
2964 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2965 hf_netlogon_user_rid, NULL);
/* five SID pointer arms */
2968 offset = dissect_ndr_nt_PSID(tvb, offset,
2972 offset = dissect_ndr_nt_PSID(tvb, offset,
2976 offset = dissect_ndr_nt_PSID(tvb, offset,
2980 offset = dissect_ndr_nt_PSID(tvb, offset,
2984 offset = dissect_ndr_nt_PSID(tvb, offset,
/* two unique string arms, shown under hf_netlogon_unknown_string */
2988 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2989 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
2990 "unknown", hf_netlogon_unknown_string, -1);
2993 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
2994 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
2995 "unknown", hf_netlogon_unknown_string, -1);
/* two trailing RID arms */
2998 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
2999 hf_netlogon_user_rid, NULL);
3002 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3003 hf_netlogon_user_rid, NULL);
/* the item was created with length 0; fix it up now that the size is known */
3007 proto_item_set_len(item, offset-old_offset);
3012 * IDL typedef struct {
3013 * IDL short delta_type;
3014 * IDL DELTA_ID_UNION delta_id_union;
3015 * IDL DELTA_UNION delta_union;
/*
 * Dissects one DELTA_ENUM into its own subtree (ett_DELTA_ENUM): the 16-bit
 * delta_type, then the DELTA_ID_UNION, then the DELTA_UNION. The subtree
 * item's length is fixed up at the end.
 * The delta_type read here is displayed only (NULL out-pointer). Each union
 * dissector reads its own discriminant from the packet, so the three type
 * values are not checked against each other.
 */
3019 netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
3020 packet_info *pinfo, proto_tree *parent_tree,
3023 proto_item *item=NULL;
3024 proto_tree *tree=NULL;
3025 int old_offset=offset;
3028 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
3030 tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
3033 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3034 hf_netlogon_delta_type, NULL);
3036 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
3039 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
3042 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects the array of DELTA_ENUM elements by passing
 * netlogon_dissect_DELTA_ENUM to dissect_ndr_ucarray as the element
 * callback.
 * NOTE(review): the element count is not supplied here; presumably it comes
 * from the NDR conformance data in the packet. Each element can expand into
 * nested unions, so confirm the helper bounds the count.
 */
3047 netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
3048 packet_info *pinfo, proto_tree *tree,
3051 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3052 netlogon_dissect_DELTA_ENUM);
3058 * IDL typedef struct {
3059 * IDL long num_deltas;
3060 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
3061 * IDL } DELTA_ENUM_ARRAY;
/*
 * Dissects a DELTA_ENUM_ARRAY: the num_deltas word, then a unique pointer
 * to the delta array (netlogon_dissect_DELTA_ENUM_array).
 * num_deltas is displayed only (NULL out-pointer); it is not kept to
 * cross-check the array length.
 */
3064 netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
3065 packet_info *pinfo, proto_tree *tree,
3068 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3069 hf_netlogon_num_deltas, NULL);
3071 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3072 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
3073 "DELTA_ENUM: deltas", -1, 0);
3080 * IDL long NetDatabaseDeltas(
3081 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3082 * IDL [in][string][ref] wchar_t *computername,
3083 * IDL [in][ref] AUTHENTICATOR credential,
3084 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3085 * IDL [in] long database_id,
3086 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
3087 * IDL [in] long preferredmaximumlength,
3088 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Request dissector for the call the IDL comment names NetDatabaseDeltas.
 * It dissects the [in] parameters in order: server handle and computer name
 * (ref string pointers), credential and return authenticator (ref
 * pointers), database id, the domain modified count (ref pointer) and the
 * preferred maximum length (shown under hf_netlogon_max_size).
 */
3092 netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
3093 packet_info *pinfo, proto_tree *tree, char *drep)
3095 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3096 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3097 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3099 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3100 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3101 "Computer Name", hf_netlogon_computer_name, 0);
3103 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3104 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3105 "AUTHENTICATOR: credential", -1, 0);
3107 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3108 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3109 "AUTHENTICATOR: return_authenticator", -1, 0);
3111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3112 hf_netlogon_database_id, NULL);
3114 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3115 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3116 "MODIFIED_COUNT: domain modified count", -1, 0);
3118 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3119 hf_netlogon_max_size, NULL);
/*
 * Reply dissector for the call the IDL comment names NetDatabaseDeltas.
 * It dissects the [out] parameters in order: return authenticator, domain
 * modified count, a unique pointer to the DELTA_ENUM_ARRAY, and the
 * NTSTATUS return code.
 * The delta array carries the account database changes dissected by the
 * DELTA_* routines in this file, including the DELTA_SECRET cipher blobs.
 */
3124 netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
3125 packet_info *pinfo, proto_tree *tree, char *drep)
3127 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3128 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3129 "AUTHENTICATOR: return_authenticator", -1, 0);
3131 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3132 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
3133 "MODIFIED_COUNT: domain modified count", -1, 0);
3135 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3136 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3137 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3139 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3140 hf_netlogon_rc, NULL);
3147 * IDL long NetDatabaseSync(
3148 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3149 * IDL [in][string][ref] wchar_t *computername,
3150 * IDL [in][ref] AUTHENTICATOR credential,
3151 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3152 * IDL [in] long database_id,
3153 * IDL [in][out][ref] long sync_context,
3154 * IDL [in] long preferredmaximumlength,
3155 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Request dissector for the call the IDL comment names NetDatabaseSync. It
 * dissects the [in] parameters in order: server handle and computer name
 * (ref string pointers), credential and return authenticator (ref
 * pointers), database id, sync context and the preferred maximum length
 * (shown under hf_netlogon_max_size).
 */
3159 netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
3160 packet_info *pinfo, proto_tree *tree, char *drep)
3162 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3163 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3164 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3166 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3167 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3168 "Computer Name", hf_netlogon_computer_name, 0);
3170 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3171 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3172 "AUTHENTICATOR: credential", -1, 0);
3174 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3175 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3176 "AUTHENTICATOR: return_authenticator", -1, 0);
3178 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3179 hf_netlogon_database_id, NULL);
3181 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3182 hf_netlogon_sync_context, NULL);
3184 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3185 hf_netlogon_max_size, NULL);
/*
 * Reply dissector for the call the IDL comment names NetDatabaseSync. It
 * dissects the [out] parameters in order: return authenticator, sync
 * context, a unique pointer to the DELTA_ENUM_ARRAY, and the NTSTATUS
 * return code.
 */
3192 netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
3193 packet_info *pinfo, proto_tree *tree, char *drep)
3195 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3196 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3197 "AUTHENTICATOR: return_authenticator", -1, 0);
3199 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3200 hf_netlogon_sync_context, NULL);
3202 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3203 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3204 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3206 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3207 hf_netlogon_rc, NULL);
3213 * IDL typedef struct {
3214 * IDL char computer_name[16];
3215 * IDL long timecreated;
3216 * IDL long serial_number;
/*
 * Dissects a UAS_INFO_0 record: a fixed 16-byte computer name, a 4-byte
 * creation time and a 32-bit serial number. On the conformant run there is
 * nothing to dissect.
 * The computer name and time are added straight from the tvb with fixed
 * lengths (16 and 4) instead of through an NDR helper; the time is shown
 * only as a text placeholder because its format is unknown.
 * NOTE(review): the statements that advance offset past those two fields
 * are not part of this listing. Confirm they match the 16 and 4 used here.
 */
3220 netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
3221 packet_info *pinfo, proto_tree *tree,
3226 di=pinfo->private_data;
3227 if(di->conformant_run){
3228 /*just a run to handle conformant arrays, nothing to dissect */
3232 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
3235 proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
3238 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3239 hf_netlogon_serial_number, NULL);
/*
 * Per-element callback for netlogon_dissect_BYTE_array: dissects a single
 * byte under hf_netlogon_unknown_char.
 */
3246 netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
3247 packet_info *pinfo, proto_tree *tree,
3250 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
3251 hf_netlogon_unknown_char, NULL);
/*
 * Dissects an opaque byte buffer by passing netlogon_dissect_BYTE_byte to
 * dissect_ndr_ucarray as the element callback.
 * NOTE(review): this presumably produces one tree item per byte, with the
 * count taken from the packet's conformance data. A large Buffer then means
 * a correspondingly large tree; confirm the helper bounds the count.
 */
3257 netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
3258 packet_info *pinfo, proto_tree *tree,
3261 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
3262 netlogon_dissect_BYTE_byte);
3268 * IDL long NetAccountDelta(
3269 * IDL [in][string][unique] wchar_t *logonserver,
3270 * IDL [in][string][ref] wchar_t *computername,
3271 * IDL [in][ref] AUTHENTICATOR credential,
3272 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3273 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3274 * IDL [out][ref] long count_returned,
3275 * IDL [out][ref] long total_entries,
3276 * IDL [in][out][ref] UAS_INFO_0 recordid,
3277 * IDL [in][long] count,
3278 * IDL [in][long] level,
3279 * IDL [in][long] buffersize,
/*
 * Request dissector for the call the IDL comment names NetAccountDelta. It
 * dissects the [in] parameters in order: logon server handle, computer name
 * (ref string pointer), credential and return authenticator (ref
 * pointers), the UAS_INFO_0 record id (ref pointer), count, level and
 * buffer size (shown under hf_netlogon_max_size).
 * Unlike the database delta and sync requests, the server handle goes
 * through netlogon_dissect_LOGONSRV_HANDLE. The IDL marks logonserver as
 * [unique] for this call.
 */
3283 netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
3284 packet_info *pinfo, proto_tree *tree, char *drep)
3286 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3289 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3290 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3291 "Computer Name", hf_netlogon_computer_name, 0);
3293 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3294 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3295 "AUTHENTICATOR: credential", -1, 0);
3297 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3298 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3299 "AUTHENTICATOR: return_authenticator", -1, 0);
3301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3302 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3303 "UAS_INFO_0: RecordID", -1, 0);
3305 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3306 hf_netlogon_count, NULL);
3308 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3309 hf_netlogon_level, NULL);
3311 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3312 hf_netlogon_max_size, NULL);
/*
 * Reply dissector for the call the IDL comment names NetAccountDelta. It
 * dissects the [out] parameters in order: return authenticator, the
 * returned Buffer (byte array), count returned, total entries, the
 * UAS_INFO_0 record id, and the NTSTATUS return code.
 * The count that follows the Buffer is displayed only (NULL out-pointer);
 * it is not used to size or check the byte array dissected before it.
 */
3317 netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
3318 packet_info *pinfo, proto_tree *tree, char *drep)
3320 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3321 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3322 "AUTHENTICATOR: return_authenticator", -1, 0);
3324 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3325 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3326 "BYTE_array: Buffer", -1, 0);
3328 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3329 hf_netlogon_count, NULL);
3331 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3332 hf_netlogon_entries, NULL);
3334 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3335 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3336 "UAS_INFO_0: RecordID", -1, 0);
3338 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3339 hf_netlogon_rc, NULL);
3346 * IDL long NetAccountDelta(
3347 * IDL [in][string][unique] wchar_t *logonserver,
3348 * IDL [in][string][ref] wchar_t *computername,
3349 * IDL [in][ref] AUTHENTICATOR credential,
3350 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3351 * IDL [out][ref][size_is(count_returned)] char *Buffer,
3352 * IDL [out][ref] long count_returned,
3353 * IDL [out][ref] long total_entries,
3354 * IDL [out][ref] long next_reference,
3355 * IDL [in][long] reference,
3356 * IDL [in][long] level,
3357 * IDL [in][long] buffersize,
3358 * IDL [in][out][ref] UAS_INFO_0 recordid,
/*
 * Request dissector for the account sync call. It dissects the [in]
 * parameters in order: logon server handle, computer name (ref string
 * pointer), credential and return authenticator (ref pointers), reference,
 * level and buffer size (shown under hf_netlogon_max_size).
 * NOTE(review): the IDL comment above this function is headed
 * NetAccountDelta, the same name as the previous call's comment. Its
 * parameter list (reference, next_reference) fits this sync call, so the
 * heading looks like a copy-paste slip.
 * NOTE(review): that IDL also lists recordid as [in][out], but no
 * UAS_INFO_0 is dissected in this request - verify against a capture.
 */
3362 netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
3363 packet_info *pinfo, proto_tree *tree, char *drep)
3365 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3368 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3369 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3370 "Computer Name", hf_netlogon_computer_name, 0);
3372 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3373 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3374 "AUTHENTICATOR: credential", -1, 0);
3376 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3377 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3378 "AUTHENTICATOR: return_authenticator", -1, 0);
3380 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3381 hf_netlogon_reference, NULL);
3383 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3384 hf_netlogon_level, NULL);
3386 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3387 hf_netlogon_max_size, NULL);
/*
 * Reply dissector for the account sync call. It dissects the [out]
 * parameters in order: return authenticator, the returned Buffer (byte
 * array), count returned, total entries, next reference, the UAS_INFO_0
 * record id, and the NTSTATUS return code.
 * The count that follows the Buffer is displayed only (NULL out-pointer);
 * it is not used to size or check the byte array dissected before it.
 */
3392 netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
3393 packet_info *pinfo, proto_tree *tree, char *drep)
3395 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3396 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3397 "AUTHENTICATOR: return_authenticator", -1, 0);
3399 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3400 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3401 "BYTE_array: Buffer", -1, 0);
3403 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3404 hf_netlogon_count, NULL);
3406 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3407 hf_netlogon_entries, NULL);
3409 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3410 hf_netlogon_next_reference, NULL);
3412 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3413 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
3414 "UAS_INFO_0: RecordID", -1, 0);
3416 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3417 hf_netlogon_rc, NULL);
3424 * IDL long NetGetDCName(
3425 * IDL [in][ref][string] wchar_t *logon_server,
3426 * IDL [in][unique][string] wchar_t *domainname,
3427 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Request dissector for the call the IDL comment names NetGetDCName. It
 * dissects the logon server name as a ref string pointer and the domain
 * name as a unique string pointer, matching the [ref] and [unique]
 * attributes in the IDL.
 */
3431 netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
3432 packet_info *pinfo, proto_tree *tree, char *drep)
3434 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3435 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3436 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3439 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3440 "Domain", hf_netlogon_domain_name, 0);
/*
 * Reply dissector for the call the IDL comment names NetGetDCName. It
 * dissects the returned DC name as a unique string pointer and then the
 * NTSTATUS return code.
 * NOTE(review): the pointer label is "Domain" although the value is shown
 * under hf_netlogon_dc_name and the IDL calls the out parameter dcname. The
 * label looks copied from the request dissector.
 */
3445 netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
3446 packet_info *pinfo, proto_tree *tree, char *drep)
3448 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3449 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3450 "Domain", hf_netlogon_dc_name, 0);
3452 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3453 hf_netlogon_rc, NULL);
3461 * IDL typedef struct {
3463 * IDL long pdc_connection_status;
3464 * IDL } NETLOGON_INFO_1;
/*
 * Dissects a NETLOGON_INFO_1 structure: a 32-bit flags word followed by the
 * PDC connection status. Both values are displayed only.
 */
3467 netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
3468 packet_info *pinfo, proto_tree *tree,
3471 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3472 hf_netlogon_flags, NULL);
3474 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3475 hf_netlogon_pdc_connection_status, NULL);
3482 * IDL typedef struct {
3484 * IDL long pdc_connection_status;
3485 * IDL [unique][string] wchar_t trusted_dc_name;
3486 * IDL long tc_connection_status;
3487 * IDL } NETLOGON_INFO_2;
/*
 * Dissects a NETLOGON_INFO_2 structure: flags, PDC connection status, a
 * unique string pointer to the trusted DC name, and the trusted-connection
 * status.
 */
3490 netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
3491 packet_info *pinfo, proto_tree *tree,
3494 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3495 hf_netlogon_flags, NULL);
3497 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3498 hf_netlogon_pdc_connection_status, NULL);
3500 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3501 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3502 "Trusted DC Name", hf_netlogon_trusted_dc_name, 0);
3504 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3505 hf_netlogon_tc_connection_status, NULL);
3512 * IDL typedef struct {
3514 * IDL long logon_attempts;
3515 * IDL long reserved;
3516 * IDL long reserved;
3517 * IDL long reserved;
3518 * IDL long reserved;
3519 * IDL long reserved;
3520 * IDL } NETLOGON_INFO_3;
/*
 * Dissects a NETLOGON_INFO_3 body: flags, logon attempts, then five 32-bit
 * values that the IDL above calls "reserved". All five reserved values are
 * added under the same field, hf_netlogon_reserved.
 */
3523 netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
3524 packet_info *pinfo, proto_tree *tree,
3527 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3528 hf_netlogon_flags, NULL);
3530 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3531 hf_netlogon_logon_attempts, NULL);
/* Five reserved longs, one call each. */
3533 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3534 hf_netlogon_reserved, NULL);
3536 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3537 hf_netlogon_reserved, NULL);
3539 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3540 hf_netlogon_reserved, NULL);
3542 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3543 hf_netlogon_reserved, NULL);
3545 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3546 hf_netlogon_reserved, NULL);
3553 * IDL typedef [switch_type(long)] union {
3554 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
3555 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
3556 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
3557 * IDL } CONTROL_QUERY_INFORMATION;
/*
 * Dissects the CONTROL_QUERY_INFORMATION union: reads the 32-bit level into
 * `level`, then dissects one of three unique pointers (NETLOGON_INFO_1/2/3).
 * NOTE(review): the lines that select an arm from `level` are not visible in
 * this listing; presumably a switch on 1/2/3 as in the IDL above. The level
 * is read from the packet, so confirm that an unlisted value dissects
 * nothing rather than falling into one of the arms.
 */
3560 netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
3561 packet_info *pinfo, proto_tree *tree,
3566 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3567 hf_netlogon_level, &level);
/* Arm for NETLOGON_INFO_1; -1 means no header field is passed for the pointer. */
3572 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3573 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
3574 "NETLOGON_INFO_1:", -1, 0);
/* Arm for NETLOGON_INFO_2. */
3577 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3578 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
3579 "NETLOGON_INFO_2:", -1, 0);
/* Arm for NETLOGON_INFO_3. */
3582 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3583 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
3584 "NETLOGON_INFO_3:", -1, 0);
3593 * IDL long NetLogonControl(
3594 * IDL [in][string][unique] wchar_t *logonserver,
3595 * IDL [in] long function_code,
3596 * IDL [in] long level,
3597 * IDL [out][ref] CONTROL_QUERY_INFORMATION
/*
 * Request side of NetLogonControl: the logon server handle (via
 * netlogon_dissect_LOGONSRV_HANDLE), then the function code and the level,
 * each as a 32-bit value. Neither value is captured here (NULL out-pointer).
 */
3601 netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
3602 packet_info *pinfo, proto_tree *tree, char *drep)
3604 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3607 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3608 hf_netlogon_code, NULL);
3610 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3611 hf_netlogon_level, NULL);
/*
 * Reply side of NetLogonControl: a ref pointer to the
 * CONTROL_QUERY_INFORMATION union, followed by the NTSTATUS result.
 */
3616 netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
3617 packet_info *pinfo, proto_tree *tree, char *drep)
3619 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3620 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3621 "CONTROL_QUERY_INFORMATION:", -1, 0);
3623 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3624 hf_netlogon_rc, NULL);
3631 * IDL long NetGetDCName(
3632 * IDL [in][unique][string] wchar_t *logon_server,
3633 * IDL [in][unique][string] wchar_t *domainname,
3634 * IDL [out][unique][string] wchar_t *dcname,
/*
 * Request side of the get-any-DC-name call: two unique pointers to Unicode
 * strings, the server handle and the domain name.
 * NOTE(review): the IDL comment above this function is headed NetGetDCName
 * while the function name says "getanydcname" -- presumably the IDL header
 * was copied from the other call; confirm.
 */
3638 netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
3639 packet_info *pinfo, proto_tree *tree, char *drep)
3641 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3642 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3643 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3645 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3646 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3647 "Domain", hf_netlogon_domain_name, 0);
/*
 * Reply side of the get-any-DC-name call: a unique pointer to a Unicode
 * string stored under hf_netlogon_dc_name, then the NTSTATUS result.
 * NOTE(review): the tree label is "Domain" although the field index is
 * hf_netlogon_dc_name (the IDL above names the out parameter dcname);
 * looks like a copied label -- confirm and relabel.
 */
3652 netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
3653 packet_info *pinfo, proto_tree *tree, char *drep)
3655 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3656 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3657 "Domain", hf_netlogon_dc_name, 0);
3659 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3660 hf_netlogon_rc, NULL);
3667 * IDL typedef [switch_type(long)] union {
3668 * IDL [case(5)] [unique][string] wchar_t *unknown;
3669 * IDL [case(6)] [unique][string] wchar_t *unknown;
3670 * IDL [case(0xfffe)] long unknown;
3671 * IDL [case(7)] [unique][string] wchar_t *unknown;
3672 * IDL } CONTROL_DATA_INFORMATION;
3675 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
3676 * to look like. However, NetMon does not recognize any such information levels.
3678 * I'll leave it as CONTROL_DATA_INFORMATION with no information levels
3679 * until someone has any source of better authority to call upon.
/*
 * Dissects the CONTROL_DATA_INFORMATION union: reads the 32-bit level into
 * `level`, then has four arms -- three unique pointers to Unicode strings
 * and one plain 32-bit value -- all stored under the generic "unknown"
 * fields.
 * NOTE(review): the lines that map `level` to an arm are not visible in this
 * listing; presumably cases 5, 6, 0xfffe and 7 as in the IDL above. The
 * level comes from the packet, so confirm an unlisted value dissects nothing.
 */
3682 netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
3683 packet_info *pinfo, proto_tree *tree,
3688 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3689 hf_netlogon_level, &level);
/* String arm. */
3694 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3695 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3696 "unknown", hf_netlogon_unknown_string, -1);
/* String arm. */
3699 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3700 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3701 "unknown", hf_netlogon_unknown_string, -1);
/* The only non-pointer arm: a bare 32-bit value. */
3704 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3705 hf_netlogon_unknown_long, NULL);
/* String arm. */
3708 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3709 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
3710 "unknown", hf_netlogon_unknown_string, -1);
3719 * IDL long NetLogonControl2(
3720 * IDL [in][string][unique] wchar_t *logonserver,
3721 * IDL [in] long function_code,
3722 * IDL [in] long level,
3723 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3724 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Request side of NetLogonControl2: logon server handle, function code,
 * level, then a ref pointer to the CONTROL_DATA_INFORMATION union.
 * The level dissected here is not captured (NULL out-pointer); the union
 * dissector reads its own level from the wire.
 */
3728 netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
3729 packet_info *pinfo, proto_tree *tree, char *drep)
3731 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3734 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3735 hf_netlogon_code, NULL);
3737 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3738 hf_netlogon_level, NULL);
3740 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3741 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3742 "CONTROL_DATA_INFORMATION: ", -1, 0);
/*
 * Reply side of NetLogonControl2: a ref pointer to the
 * CONTROL_QUERY_INFORMATION union, followed by the NTSTATUS result.
 */
3748 netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
3749 packet_info *pinfo, proto_tree *tree, char *drep)
3751 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3752 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3753 "CONTROL_QUERY_INFORMATION:", -1, 0);
3755 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3756 hf_netlogon_rc, NULL);
3763 * IDL long NetServerAuthenticate2(
3764 * IDL [in][string][unique] wchar_t *logonserver,
3765 * IDL [in][ref][string] wchar_t *username,
3766 * IDL [in] short secure_channel_type,
3767 * IDL [in][ref][string] wchar_t *computername,
3768 * IDL [in][ref] CREDENTIAL *client_chal,
3769 * IDL [out][ref] CREDENTIAL *server_chal,
3770 * IDL [in][out][ref] long *negotiate_flags,
/*
 * Request side of NetServerAuthenticate2, in wire order: logon server handle,
 * account name (ref string), secure channel type, computer name (ref string),
 * the client challenge (CREDENTIAL, ref pointer) and the negotiate flags.
 * The flags are added as one 32-bit value under hf_netlogon_neg_flags; this
 * function does no per-bit breakdown, so when reviewing a capture of the
 * secure-channel setup the individual flag bits have to be read from the
 * raw value.
 */
3774 netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
3775 packet_info *pinfo, proto_tree *tree, char *drep)
3777 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3780 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3781 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3782 "User Name", hf_netlogon_acct_name, 0);
3784 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3787 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3788 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3789 "Computer Name", hf_netlogon_computer_name, 0);
/* Client challenge; the CREDENTIAL layout is dissected by the callback. */
3791 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3792 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3793 "CREDENTIAL: client_chal", -1, 0);
/* IDL declares negotiate_flags as a ref pointer; it is read here as a bare long. */
3795 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3796 hf_netlogon_neg_flags, NULL);
/*
 * Reply side of NetServerAuthenticate2: the server challenge (CREDENTIAL,
 * ref pointer), the negotiate flags as one 32-bit value, and the NTSTATUS
 * result. As in the request, the flags are not broken down per bit here.
 */
3802 netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
3803 packet_info *pinfo, proto_tree *tree, char *drep)
3805 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3806 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
3807 "CREDENTIAL: server_chal", -1, 0);
3809 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3810 hf_netlogon_neg_flags, NULL);
3812 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3813 hf_netlogon_rc, NULL);
3820 * IDL long NetDatabaseSync2(
3821 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3822 * IDL [in][string][ref] wchar_t *computername,
3823 * IDL [in][ref] AUTHENTICATOR credential,
3824 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3825 * IDL [in] long database_id,
3826 * IDL [in] short restart_state,
3827 * IDL [in][out][ref] long *sync_context,
3828 * IDL [in] long preferredmaximumlength,
3829 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Request side of NetDatabaseSync2, following the IDL above: server handle
 * and computer name (both ref strings), the two AUTHENTICATOR ref pointers,
 * database id (32 bit), restart state (16 bit), sync context (32 bit) and
 * the preferred maximum length (32 bit, stored under hf_netlogon_max_size).
 */
3833 netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
3834 packet_info *pinfo, proto_tree *tree, char *drep)
3836 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3837 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3838 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3840 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3841 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3842 "Computer Name", hf_netlogon_computer_name, 0);
3844 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3845 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3846 "AUTHENTICATOR: credential", -1, 0);
3848 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3849 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3850 "AUTHENTICATOR: return_authenticator", -1, 0);
3852 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3853 hf_netlogon_database_id, NULL);
/* The only 16-bit field of the request (IDL: short restart_state). */
3855 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
3856 hf_netlogon_restart_state, NULL);
3858 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3859 hf_netlogon_sync_context, NULL);
3861 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3862 hf_netlogon_max_size, NULL);
/*
 * Reply side of NetDatabaseSync2: the return authenticator (ref pointer),
 * the updated sync context, a unique pointer to the DELTA_ENUM_ARRAY and
 * the NTSTATUS result.
 */
3868 netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
3869 packet_info *pinfo, proto_tree *tree, char *drep)
3871 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3872 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3873 "AUTHENTICATOR: return_authenticator", -1, 0);
3875 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3876 hf_netlogon_sync_context, NULL);
3878 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3879 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3880 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3882 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3883 hf_netlogon_rc, NULL);
3890 * IDL long NetDatabaseRedo(
3891 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
3892 * IDL [in][string][ref] wchar_t *computername,
3893 * IDL [in][ref] AUTHENTICATOR credential,
3894 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
3895 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
3896 * IDL [in] long change_log_entry_size,
3897 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
/*
 * Request side of NetDatabaseRedo: server handle and computer name (ref
 * strings), the two AUTHENTICATOR ref pointers, the change log entry as a
 * byte array (ref pointer) and a 32-bit value stored under
 * hf_netlogon_max_log_size, which per the IDL above is
 * change_log_entry_size.
 * NOTE(review): the IDL sizes the array by change_log_entry_size, a value
 * taken from the packet. netlogon_dissect_BYTE_array is defined outside this
 * view; confirm it relies on the tvbuff bounds checks for its length.
 */
3901 netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
3902 packet_info *pinfo, proto_tree *tree, char *drep)
3904 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3905 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3906 "Server Handle", hf_netlogon_logonsrv_handle, 0);
3908 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3909 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
3910 "Computer Name", hf_netlogon_computer_name, 0);
3912 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3913 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3914 "AUTHENTICATOR: credential", -1, 0);
3916 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3917 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3918 "AUTHENTICATOR: return_authenticator", -1, 0);
3920 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3921 netlogon_dissect_BYTE_array, NDR_POINTER_REF,
3922 "Change log entry: ", -1, 0);
3924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3925 hf_netlogon_max_log_size, NULL);
/*
 * Reply side of NetDatabaseRedo: the return authenticator (ref pointer), a
 * unique pointer to the DELTA_ENUM_ARRAY and the NTSTATUS result.
 */
3931 netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
3932 packet_info *pinfo, proto_tree *tree, char *drep)
3934 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3935 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
3936 "AUTHENTICATOR: return_authenticator", -1, 0);
3938 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3939 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
3940 "DELTA_ENUM_ARRAY: deltas", -1, 0);
3942 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3943 hf_netlogon_rc, NULL);
3949 /* XXX NetMon does not recognize this as a valid function. Muddle however
3950 * tells us what parameters it takes but not their names.
3951 * It looks similar to logoncontrol2. perhaps it is logoncontrol3?
3954 * IDL long NetFunction_12(
3955 * IDL [in][string][unique] wchar_t *logonserver,
3956 * IDL [in] long function_code,
3957 * IDL [in] long level,
3958 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
3959 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
/*
 * Request side of the unnamed function 0x12: same field sequence as the
 * NetLogonControl2 request -- logon server handle, function code, level and
 * a ref pointer to CONTROL_DATA_INFORMATION. The comment above this function
 * marks the layout as taken from muddle and unconfirmed by NetMon.
 */
3963 netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
3964 packet_info *pinfo, proto_tree *tree, char *drep)
3966 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3969 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3970 hf_netlogon_code, NULL);
3972 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
3973 hf_netlogon_level, NULL);
3975 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3976 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
3977 "CONTROL_DATA_INFORMATION: ", -1, 0);
/*
 * Reply side of the unnamed function 0x12: a ref pointer to the
 * CONTROL_QUERY_INFORMATION union, followed by the NTSTATUS result.
 */
3982 netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
3983 packet_info *pinfo, proto_tree *tree, char *drep)
3985 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
3986 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
3987 "CONTROL_QUERY_INFORMATION:", -1, 0);
3989 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
3990 hf_netlogon_rc, NULL);
3999 /* Updated above this line */
/*
 * Dissects one 32-bit value under the header field index found in
 * di->hf_index, where di is taken from pinfo->private_data.
 * NOTE(review): di is dereferenced without a NULL check; assumes the
 * DCE/RPC layer always sets pinfo->private_data before this runs -- confirm.
 */
4007 netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
4008 packet_info *pinfo, proto_tree *tree,
4013 di=pinfo->private_data;
4014 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
4015 di->hf_index, NULL);
/*
 * Dissects one 8-bit value under the header field index found in
 * di->hf_index, where di is taken from pinfo->private_data.
 * NOTE(review): di is dereferenced without a NULL check; assumes the
 * DCE/RPC layer always sets pinfo->private_data before this runs -- confirm.
 */
4020 netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
4021 packet_info *pinfo, proto_tree *tree,
4026 di=pinfo->private_data;
4027 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4028 di->hf_index, NULL);
/*
 * Wraps a pointer to a Unicode string in its own subtree. The pointer kind
 * (`type`), the header field (`hf_index`) and `levels` are supplied by the
 * caller and passed through to dissect_ndr_pointer; the subtree label uses
 * the name registered for hf_index.
 * NOTE(review): di is dereferenced without a NULL check; assumes
 * pinfo->private_data is always set by the DCE/RPC layer -- confirm.
 */
4033 netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
4034 packet_info *pinfo, proto_tree *parent_tree,
4035 char *drep, int type, int hf_index, int levels)
4037 proto_item *item=NULL;
4038 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4039 int old_offset=offset;
4043 di=pinfo->private_data;
4044 if(di->conformant_run){
4045 /*just a run to handle conformant arrays, nothing to dissect */
4049 name = proto_registrar_get_name(hf_index);
/* Length -1 at creation; the real length is set once dissection is done. */
4051 item = proto_tree_add_text(parent_tree, tvb, offset, -1,
4053 tree = proto_item_add_subtree(item, ett_nt_unicode_string);
4056 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4057 dissect_ndr_nt_UNICODE_STRING_str, type,
4058 name, hf_index, levels);
4060 proto_item_set_len(item, offset-old_offset);
/*
 * Element callback for the UNICODE_MULTI array: dissects a single byte under
 * hf_netlogon_unknown_char.
 */
4066 netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
4067 packet_info *pinfo, proto_tree *tree,
4070 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4071 hf_netlogon_unknown_char, NULL);
/*
 * Dissects the UNICODE_MULTI payload with dissect_ndr_ucarray, using
 * netlogon_dissect_UNICODE_MULTI_byte as the per-element callback.
 */
4077 netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
4078 packet_info *pinfo, proto_tree *tree,
4081 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4082 netlogon_dissect_UNICODE_MULTI_byte);
/*
 * Dissects a UNICODE_MULTI structure in its own subtree: a 32-bit length
 * (hf_netlogon_len) followed by a unique pointer to the byte array.
 * The length value is displayed but not captured (NULL out-pointer); the
 * array callback is given no length by this function.
 */
4088 netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
4089 packet_info *pinfo, proto_tree *parent_tree,
4092 proto_item *item=NULL;
4093 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4094 int old_offset=offset;
4097 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4099 tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
4102 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4103 hf_netlogon_len, NULL);
4105 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4106 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
4107 "unknown", hf_netlogon_unknown_string, 0);
4109 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects one GUID under hf_netlogon_guid by delegating to
 * dissect_ndr_uuid_t; the parsed value is not captured (NULL out-pointer).
 */
4114 dissect_nt_GUID(tvbuff_t *tvb, int offset,
4115 packet_info *pinfo, proto_tree *tree,
4118 offset=dissect_ndr_uuid_t(tvb, offset, pinfo, tree, drep, hf_netlogon_guid, NULL);
/*
 * Dissects a DOMAIN_CONTROLLER_INFO structure in its own subtree, in wire
 * order: DC name, DC address, address type, a GUID, logon domain, DNS
 * forest, flags, DC site and client site. All strings are unique pointers.
 */
4124 netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
4125 packet_info *pinfo, proto_tree *parent_tree,
4128 proto_item *item=NULL;
4129 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4130 int old_offset=offset;
4133 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4134 "DOMAIN_CONTROLLER_INFO:");
4135 tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
4138 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4139 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4140 "DC Name", hf_netlogon_dc_name, 0);
4142 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4143 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4144 "DC Address", hf_netlogon_dc_address, 0);
4146 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4147 hf_netlogon_dc_address_type, NULL);
/* GUID is inline in the structure (no pointer wrapper). */
4149 offset = dissect_nt_GUID(tvb, offset,
4152 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4153 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4154 "Logon Domain", hf_netlogon_logon_dom, 0);
4156 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4157 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4158 "DNS Forest", hf_netlogon_dns_forest_name, 0);
4160 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4161 hf_netlogon_flags, NULL);
4163 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4164 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4165 "DC Site", hf_netlogon_dc_site_name, 0);
4167 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4168 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4169 "Client Site", hf_netlogon_client_site_name, 0);
4171 proto_item_set_len(item, offset-old_offset);
/*
 * Pointer-target callback for the BLOB payload: outside the conformant run
 * it reads a 32-bit size into len and adds len bytes at the current offset
 * as hf_netlogon_blob.
 * NOTE(review): di is dereferenced without a NULL check; assumes
 * pinfo->private_data is always set by the DCE/RPC layer -- confirm.
 */
4176 netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
4177 packet_info *pinfo, proto_tree *tree,
4183 di=pinfo->private_data;
4184 if(di->conformant_run){
4185 /*just a run to handle conformant arrays, nothing to dissect.*/
4189 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4190 hf_netlogon_blob_size, &len);
/*
 * NOTE(review): len is taken from the packet as-is, so it is controlled by
 * whoever produced the capture. The statements after this call are not
 * visible in this listing; confirm that offset is advanced by len only after
 * the tvbuff has bounds-checked the range (also when tree is NULL), so an
 * oversized len ends dissection instead of wrapping the signed offset.
 */
4192 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
/*
 * Dissects a BLOB structure in its own subtree: a 32-bit size followed by a
 * unique pointer whose target is dissected by netlogon_dissect_BLOB_array.
 * The size read here is displayed only (NULL out-pointer); the array
 * callback reads its own size value from the wire.
 */
4200 netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
4201 packet_info *pinfo, proto_tree *parent_tree,
4204 proto_item *item=NULL;
4205 proto_tree *tree=NULL;
4208 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4210 tree = proto_item_add_subtree(item, ett_BLOB);
4213 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4214 hf_netlogon_blob_size, NULL);
4216 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4217 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
/*
 * Dissects a DOMAIN_TRUST_INFO structure in its own subtree: an LSA
 * POLICY_DNS_DOMAIN_INFO (dissected by the LSA helper), then four Unicode
 * strings and four 32-bit values whose meaning is unknown. The author marks
 * the trailing fields as guesses, so their labels in the tree are generic.
 */
4224 netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
4225 packet_info *pinfo, proto_tree *parent_tree,
4228 proto_item *item=NULL;
4229 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4230 int old_offset=offset;
4233 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4234 "DOMAIN_TRUST_INFO:");
4235 tree = proto_item_add_subtree(item, ett_DOMAIN_TRUST_INFO);
4239 offset = lsa_dissect_POLICY_DNS_DOMAIN_INFO(tvb, offset, pinfo, tree, drep);
4241 /* Guesses at best. */
4242 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4243 hf_netlogon_unknown_string, 0);
4245 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4246 hf_netlogon_unknown_string, 0);
4248 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4249 hf_netlogon_unknown_string, 0);
4251 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4252 hf_netlogon_unknown_string, 0);
4254 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4255 hf_netlogon_unknown_long, NULL);
4257 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4258 hf_netlogon_unknown_long, NULL);
4260 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4261 hf_netlogon_unknown_long, NULL);
4263 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4264 hf_netlogon_unknown_long, NULL);
4266 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects an array of DOMAIN_TRUST_INFO with dissect_ndr_ucarray, using
 * netlogon_dissect_DOMAIN_TRUST_INFO as the per-element callback.
 */
4271 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY(tvbuff_t *tvb, int offset,
4272 packet_info *pinfo, proto_tree *tree,
4275 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4276 netlogon_dissect_DOMAIN_TRUST_INFO);
/*
 * Dissects a DOMAIN_QUERY_1 structure: a BLOB, the workstation FQDN and
 * site name, four unidentified string pointers, four Unicode strings (the
 * second stored as the workstation OS) and four unidentified 32-bit values.
 * Only the FQDN, site and OS fields have specific header fields; everything
 * else is shown under the generic "unknown" fields.
 */
4282 netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
4283 packet_info *pinfo, proto_tree *tree,
4286 offset = netlogon_dissect_BLOB(tvb, offset,
4289 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4290 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4291 "Workstation FQDN", hf_netlogon_workstation_fqdn, 0);
4293 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4294 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4295 "Workstation Site", hf_netlogon_workstation_site_name, -1);
/* Four unique string pointers with no known meaning. */
4297 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4298 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4299 "unknown", hf_netlogon_unknown_string, -1);
4301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4302 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4303 "unknown", hf_netlogon_unknown_string, -1);
4305 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4306 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4307 "unknown", hf_netlogon_unknown_string, -1);
4309 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4310 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4311 "unknown", hf_netlogon_unknown_string, -1);
/* Four UNICODE_STRING structures; only the second has a specific field. */
4313 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4314 hf_netlogon_unknown_string, 0);
4316 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4317 hf_netlogon_workstation_os, 0);
4319 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4320 hf_netlogon_unknown_string, 0);
4322 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4323 hf_netlogon_unknown_string, 0);
/* Four trailing 32-bit values with no known meaning. */
4325 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4326 hf_netlogon_unknown_long, NULL);
4328 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4329 hf_netlogon_unknown_long, NULL);
4331 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4332 hf_netlogon_unknown_long, NULL);
4334 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4335 hf_netlogon_unknown_long, NULL);
/*
 * Dissects a DOMAIN_INFO_1 structure: one inline DOMAIN_TRUST_INFO, two
 * (count, unique array pointer) pairs of DOMAIN_TRUST_INFO, the DNS domain
 * name, three unidentified Unicode strings and four unidentified 32-bit
 * values. Both counts are stored under hf_netlogon_num_trusts and are
 * displayed only (NULL out-pointer); they are not passed to the array
 * callback by this function.
 */
4341 netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
4342 packet_info *pinfo, proto_tree *tree,
4345 offset = netlogon_dissect_DOMAIN_TRUST_INFO(tvb, offset, pinfo, tree, drep);
/* First count/array pair. */
4347 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4348 hf_netlogon_num_trusts, NULL);
4350 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4351 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4352 "DOMAIN_TRUST_ARRAY: Trusts", -1, 0);
/* Second count/array pair; same field and callback, label without a name. */
4354 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4355 hf_netlogon_num_trusts, NULL);
4357 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4358 netlogon_dissect_DOMAIN_TRUST_INFO_ARRAY, NDR_POINTER_UNIQUE,
4359 "DOMAIN_TRUST_ARRAY:", -1, 0);
4361 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4362 hf_netlogon_dns_domain_name, 0);
4364 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4365 hf_netlogon_unknown_string, 0);
4367 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4368 hf_netlogon_unknown_string, 0);
4370 offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
4371 hf_netlogon_unknown_string, 0);
4373 /* These four integers appear to mirror the last four in the query. */
4374 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4375 hf_netlogon_unknown_long, NULL);
4377 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4378 hf_netlogon_unknown_long, NULL);
4380 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4381 hf_netlogon_unknown_long, NULL);
4383 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4384 hf_netlogon_unknown_long, NULL);
/*
 * Dissects the DOMAIN_INFO union: reads the 32-bit level into `level`, then
 * a unique pointer to DOMAIN_INFO_1.
 * NOTE(review): the lines that test `level` are not visible in this listing;
 * the level comes from the packet, so confirm that values other than the
 * handled one dissect nothing.
 */
4391 netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
4392 packet_info *pinfo, proto_tree *tree,
4397 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4398 hf_netlogon_level, &level);
4403 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4404 netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
4405 "DOMAIN_INFO_1:", -1, 0);
/*
 * Dissects a UNICODE_STRING_512 structure in its own subtree; the visible
 * reads are a 16-bit value (hf_netlogon_unknown_short) and a 32-bit value
 * (hf_netlogon_unknown_long).
 * NOTE(review): the name suggests a 512-element layout, but any loop around
 * the 16-bit read is not visible in this listing -- confirm against the
 * full file.
 */
4413 netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
4414 packet_info *pinfo, proto_tree *parent_tree,
4417 proto_item *item=NULL;
4418 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4419 int old_offset=offset;
4423 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4424 "UNICODE_STRING_512:");
4425 tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
4429 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
4430 hf_netlogon_unknown_short, NULL);
4433 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4434 hf_netlogon_unknown_long, NULL);
4436 proto_item_set_len(item, offset-old_offset);
/*
 * Element callback for the "element 844" array: dissects a single byte under
 * hf_netlogon_unknown_char.
 */
4441 netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
4442 packet_info *pinfo, proto_tree *tree,
4445 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4446 hf_netlogon_unknown_char, NULL);
/*
 * Dissects the "element 844" byte array with dissect_ndr_ucarray, using
 * netlogon_dissect_element_844_byte as the per-element callback.
 */
4452 netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
4453 packet_info *pinfo, proto_tree *tree,
4456 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4457 netlogon_dissect_element_844_byte);
/*
 * Dissects the unidentified TYPE_50 structure in its own subtree: one 32-bit
 * value followed by a unique pointer to a byte array (element 844).
 * The 32-bit value is displayed only (NULL out-pointer).
 */
4463 netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
4464 packet_info *pinfo, proto_tree *parent_tree,
4467 proto_item *item=NULL;
4468 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4469 int old_offset=offset;
4472 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4474 tree = proto_item_add_subtree(item, ett_TYPE_50);
4477 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4478 hf_netlogon_unknown_long, NULL);
4480 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4481 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
4482 "unknown", hf_netlogon_unknown_string, 0);
4484 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a unique pointer whose target is a TYPE_50 structure.
 */
4489 netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
4490 packet_info *pinfo, proto_tree *tree,
4493 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4494 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
4495 "TYPE_50 pointer: unknown_TYPE_50", -1, 0);
/*
 * Dissects a DSROLE_DOMAIN_INFO_EX structure in its own subtree: NetBIOS and
 * DNS domain names (unique string pointers), four unidentified 32-bit
 * values, a SID pointer and a GUID.
 * Each 32-bit read stores into the same `tmp`, so only the last value
 * remains after the fourth call; no use of tmp is visible in this listing.
 */
4501 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX(tvbuff_t *tvb, int offset,
4502 packet_info *pinfo, proto_tree *parent_tree, char *drep)
4505 proto_item *item=NULL;
4506 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4507 int old_offset=offset;
4510 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4511 "DSROLE_DOMAIN_INFO_EX");
4512 tree = proto_item_add_subtree(item, ett_DSROLE_DOMAIN_INFO_EX);
4516 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4517 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4518 "NetBIOS Name", hf_netlogon_downlevel_domain_name, 1);
4521 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4522 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4523 "DNS Domain Name", hf_netlogon_dns_domain_name, 1);
4525 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4526 hf_netlogon_unknown_long, &tmp);
4528 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4529 hf_netlogon_unknown_long, &tmp);
4531 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4532 hf_netlogon_unknown_long, &tmp);
4534 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4535 hf_netlogon_unknown_long, &tmp);
4538 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, drep);
4541 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, drep);
4543 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects an array of DSROLE_PRIMARY_DOMAIN_INFO_EX with
 * dissect_ndr_ucarray, using the structure dissector as element callback.
 */
4548 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY(tvbuff_t *tvb, int offset,
4549 packet_info *pinfo, proto_tree *tree,
4552 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4553 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX);
/*
 * Element callback for the "element 865" array: dissects a single byte under
 * hf_netlogon_unknown_char.
 */
4559 netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
4560 packet_info *pinfo, proto_tree *tree,
4563 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4564 hf_netlogon_unknown_char, NULL);
/*
 * Dissects the "element 865" byte array with dissect_ndr_ucarray, using
 * netlogon_dissect_element_865_byte as the per-element callback.
 */
4570 netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
4571 packet_info *pinfo, proto_tree *tree,
4574 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4575 netlogon_dissect_element_865_byte);
/*
 * Element callback for the "element 866" array: dissects a single byte under
 * hf_netlogon_unknown_char.
 */
4581 netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
4582 packet_info *pinfo, proto_tree *tree,
4585 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4586 hf_netlogon_unknown_char, NULL);
/*
 * Dissects the "element 866" byte array with dissect_ndr_ucarray, using
 * netlogon_dissect_element_866_byte as the per-element callback.
 */
4592 netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
4593 packet_info *pinfo, proto_tree *tree,
4596 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
4597 netlogon_dissect_element_866_byte);
/*
 * Dissects the unidentified TYPE_52 structure in its own subtree: one 32-bit
 * value followed by two unique pointers to byte arrays (elements 865 and
 * 866). The 32-bit value is displayed only (NULL out-pointer).
 */
4603 netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
4604 packet_info *pinfo, proto_tree *parent_tree,
4607 proto_item *item=NULL;
4608 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4609 int old_offset=offset;
4612 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4614 tree = proto_item_add_subtree(item, ett_TYPE_52);
4617 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4618 hf_netlogon_unknown_long, NULL);
4620 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4621 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
4622 "unknown", hf_netlogon_unknown_string, 0);
4624 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4625 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
4626 "unknown", hf_netlogon_unknown_string, 0);
4628 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects a unique pointer whose target is a TYPE_52 structure.
 */
4633 netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
4634 packet_info *pinfo, proto_tree *tree,
4637 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4638 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
4639 "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
/*
 * Dissects the unidentified TYPE_44 union in its own subtree: reads the
 * 32-bit level into `level`, then one 32-bit value under
 * hf_netlogon_unknown_long.
 * NOTE(review): the lines that test `level` are not visible in this listing;
 * the level comes from the packet, so confirm that unhandled values dissect
 * nothing.
 */
4645 netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
4646 packet_info *pinfo, proto_tree *parent_tree,
4649 proto_item *item=NULL;
4650 proto_tree *tree=NULL;
/* Start offset, kept so the item length can be fixed up at the end. */
4651 int old_offset=offset;
4655 item = proto_tree_add_text(parent_tree, tvb, offset, 0,
4657 tree = proto_item_add_subtree(item, ett_TYPE_44);
4660 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4661 hf_netlogon_level, &level);
4666 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4667 hf_netlogon_unknown_long, NULL);
4671 proto_item_set_len(item, offset-old_offset);
/*
 * Dissects the DOMAIN_QUERY union: reads the 32-bit level into `level`, then
 * has two arms, both a unique pointer to DOMAIN_QUERY_1 with the same label.
 * NOTE(review): the lines that map `level` to an arm are not visible in this
 * listing. Both arms use the same dissector and label; presumably two levels
 * share one layout, but confirm it is not a copy/paste slip, and that
 * unhandled levels dissect nothing.
 */
4676 netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
4677 packet_info *pinfo, proto_tree *tree,
4682 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4683 hf_netlogon_level, &level);
/* First arm. */
4688 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4689 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
4690 "DOMAIN_QUERY_1:", -1, 0);
/* Second arm, identical call. */
4693 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4694 netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
4695 "DOMAIN_QUERY_1:", -1, 0);
/*
 * Request side of the trusted-domain-list call: the only visible field is
 * the logon server handle, dissected by netlogon_dissect_LOGONSRV_HANDLE
 * (its remaining arguments are on a line not shown in this listing).
 */
4703 netlogon_dissect_nettrusteddomainlist_rqst(tvbuff_t *tvb, int offset,
4704 packet_info *pinfo, proto_tree *tree, char *drep)
4706 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/*
 * Reply side of the trusted-domain-list call: a ref pointer to a
 * UNICODE_MULTI holding the trusted domain name list, then the NTSTATUS
 * result.
 */
4714 netlogon_dissect_nettrusteddomainlist_reply(tvbuff_t *tvb, int offset,
4715 packet_info *pinfo, proto_tree *tree, char *drep)
4717 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4718 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
4719 "UNICODE_MULTI pointer: trust_dom_name_list", -1, 0);
4721 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4722 hf_netlogon_rc, NULL);
/* DsrGetDCName2 request, in the order the calls appear: server handle,
 * domain name string, domain GUID, site GUID (all three unique pointers),
 * then a 32-bit flags value. */
4728 netlogon_dissect_dsrgetdcname2_rqst(tvbuff_t *tvb, int offset,
4729 packet_info *pinfo, proto_tree *tree, char *drep)
4731 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4734 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4735 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4736 "Domain", hf_netlogon_logon_dom, 0);
4738 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4739 dissect_nt_GUID, NDR_POINTER_UNIQUE,
4740 "GUID pointer: domain_guid", -1, 0);
4742 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4743 dissect_nt_GUID, NDR_POINTER_UNIQUE,
4744 "GUID pointer: site_guid", -1, 0);
4746 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4747 hf_netlogon_flags, NULL);
/* DsrGetDCName2 reply: a unique pointer to DOMAIN_CONTROLLER_INFO, then the
 * NT status (hf_netlogon_rc). */
4754 netlogon_dissect_dsrgetdcname2_reply(tvbuff_t *tvb, int offset,
4755 packet_info *pinfo, proto_tree *tree, char *drep)
4757 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4758 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
4759 "DOMAIN_CONTROLLER_INFO:", -1, 0);
4761 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4762 hf_netlogon_rc, NULL);
/* Opnum 0x15 request (layout not yet named by the author): server handle,
 * an unknown string, an AUTHENTICATOR labelled credential (reference
 * pointer), an AUTHENTICATOR labelled return_authenticator (unique
 * pointer), then one unknown 32-bit value. */
4768 netlogon_dissect_function_15_rqst(tvbuff_t *tvb, int offset,
4769 packet_info *pinfo, proto_tree *tree, char *drep)
4771 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4774 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4775 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4776 "unknown string", hf_netlogon_unknown_string, 0);
4778 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4779 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
4780 "AUTHENTICATOR: credential", -1, 0);
4782 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4783 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
4784 "AUTHENTICATOR: return_authenticator", -1, 0);
4786 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4787 hf_netlogon_unknown_long, NULL);
/* Opnum 0x15 reply: return authenticator (unique pointer), a unique pointer
 * to a TYPE_44, then the NT status (hf_netlogon_rc). */
4794 netlogon_dissect_function_15_reply(tvbuff_t *tvb, int offset,
4795 packet_info *pinfo, proto_tree *tree, char *drep)
4797 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4798 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
4799 "AUTHENTICATOR: return_authenticator", -1, 0);
4801 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4802 netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
4803 "TYPE_44 pointer: unknown_TYPE_44", -1, 0);
4805 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4806 hf_netlogon_rc, NULL);
/* Opnum 0x16 request: server handle followed by two unknown 32-bit
 * values. */
4812 netlogon_dissect_function_16_rqst(tvbuff_t *tvb, int offset,
4813 packet_info *pinfo, proto_tree *tree, char *drep)
4815 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4818 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4819 hf_netlogon_unknown_long, NULL);
4821 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4822 hf_netlogon_unknown_long, NULL);
/* Opnum 0x16 reply: only the NT status (hf_netlogon_rc) is dissected. */
4829 netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
4830 packet_info *pinfo, proto_tree *tree, char *drep)
4832 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4833 hf_netlogon_rc, NULL);
/* Opnum 0x17 request: server handle, then a unique pointer to an unknown
 * string. */
4839 netlogon_dissect_function_17_rqst(tvbuff_t *tvb, int offset,
4840 packet_info *pinfo, proto_tree *tree, char *drep)
4842 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4845 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4846 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4847 "unknown string", hf_netlogon_unknown_string, 0);
/* Opnum 0x17 reply: a unique pointer to an unknown ULONG, then the NT
 * status (hf_netlogon_rc). */
4854 netlogon_dissect_function_17_reply(tvbuff_t *tvb, int offset,
4855 packet_info *pinfo, proto_tree *tree, char *drep)
4857 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4858 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
4859 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
4861 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4862 hf_netlogon_rc, NULL);
/* Opnum 0x18 request: server handle, an unknown 32-bit value, a unique
 * pointer to a BYTE array, then another unknown 32-bit value.
 * NOTE(review): how netlogon_dissect_BYTE_array bounds its length is outside
 * this listing; the neighbouring 32-bit values are displayed only (NULL
 * result pointer) and are not used here to size anything. */
4868 netlogon_dissect_function_18_rqst(tvbuff_t *tvb, int offset,
4869 packet_info *pinfo, proto_tree *tree, char *drep)
4871 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4874 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4875 hf_netlogon_unknown_long, NULL);
4877 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4878 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
4879 "BYTE pointer: unknown_BYTE", -1, 0);
4881 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4882 hf_netlogon_unknown_long, NULL);
/* Dissects bytes as hf_netlogon_unknown_char, one 8-bit NDR value per call.
 * NOTE(review): only a single call is visible; the surrounding loop lines
 * are not shown in this listing.  The name suggests a fixed count of 16 —
 * confirm the count is a constant and not taken from the packet. */
4888 netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
4889 packet_info *pinfo, proto_tree *tree, char *drep)
4894 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
4895 hf_netlogon_unknown_char, NULL);
/* Opnum 0x18 reply: a unique pointer dissected by
 * netlogon_dissect_BYTE_16_array, then the NT status (hf_netlogon_rc). */
4902 netlogon_dissect_function_18_reply(tvbuff_t *tvb, int offset,
4903 packet_info *pinfo, proto_tree *tree, char *drep)
4905 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4906 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
4907 "BYTE pointer: unknown_BYTE", -1, 0);
4909 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4910 hf_netlogon_rc, NULL);
/* Opnum 0x19 request: server handle, an unknown string, a unique pointer
 * to a BYTE array, then an unknown 32-bit value. */
4916 netlogon_dissect_function_19_rqst(tvbuff_t *tvb, int offset,
4917 packet_info *pinfo, proto_tree *tree, char *drep)
4919 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4922 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4923 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
4924 "unknown string", hf_netlogon_unknown_string, 0);
4926 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4927 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
4928 "BYTE pointer: unknown_BYTE", -1, 0);
4930 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4931 hf_netlogon_unknown_long, NULL);
/* Opnum 0x19 reply: a unique pointer dissected by
 * netlogon_dissect_BYTE_16_array, then the NT status (hf_netlogon_rc). */
4938 netlogon_dissect_function_19_reply(tvbuff_t *tvb, int offset,
4939 packet_info *pinfo, proto_tree *tree, char *drep)
4941 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4942 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
4943 "BYTE pointer: unknown_BYTE", -1, 0);
4945 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4946 hf_netlogon_rc, NULL);
/* ServerAuthenticate3 request, in the order the calls appear: server
 * handle, account name (reference pointer), secure channel type, computer
 * name (reference pointer), a CREDENTIAL labelled authenticator, and the
 * 32-bit negotiate flags (hf_netlogon_neg_flags).
 * The credential and flags are displayed exactly as carried in the packet;
 * nothing in this function validates or interprets them. */
4952 netlogon_dissect_netserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
4953 packet_info *pinfo, proto_tree *tree, char *drep)
4955 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4958 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4959 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
4960 "Acct Name", hf_netlogon_acct_name, 0);
4962 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
4965 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4966 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
4967 "Computer Name", hf_netlogon_computer_name, 0);
4969 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4970 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4971 "CREDENTIAL: authenticator", -1, 0);
4973 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4974 hf_netlogon_neg_flags, NULL);
/* ServerAuthenticate3 reply: a CREDENTIAL (reference pointer), the 32-bit
 * negotiate flags, a reference pointer to an unknown ULONG, then the NT
 * status (hf_netlogon_rc). */
4981 netlogon_dissect_netserverauthenticate3_reply(tvbuff_t *tvb, int offset,
4982 packet_info *pinfo, proto_tree *tree, char *drep)
4984 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4985 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
4986 "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1, 0);
4988 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
4989 hf_netlogon_neg_flags, NULL);
4991 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
4992 netlogon_dissect_pointer_long, NDR_POINTER_REF,
4993 "ULONG: unknown_ULONG", hf_netlogon_unknown_long, 0);
4995 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
4996 hf_netlogon_rc, NULL);
/* DsrGetDCName request: server handle, domain name string, domain GUID,
 * site name string (all three unique pointers), then a 32-bit flags value.
 * Differs from the DsrGetDCName2 request in this file by carrying a site
 * name string where that one carries a site GUID. */
5002 netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
5003 packet_info *pinfo, proto_tree *tree, char *drep)
5005 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5008 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5009 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5010 "Domain", hf_netlogon_logon_dom, 0);
5012 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5013 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5014 "GUID pointer: domain_guid", -1, 0);
5016 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5017 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5018 "Site Name", hf_netlogon_site_name, 0);
5020 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5021 hf_netlogon_flags, NULL);
/* DsrGetDCName reply: a unique pointer to DOMAIN_CONTROLLER_INFO, then the
 * NT status (hf_netlogon_rc). */
5028 netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
5029 packet_info *pinfo, proto_tree *tree, char *drep)
5031 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5032 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5033 "DOMAIN_CONTROLLER_INFO:", -1, 0);
5035 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5036 hf_netlogon_rc, NULL);
/* DsrGetSiteName request: the only visible step is the LOGONSRV_HANDLE
 * dissection (the call continues on a line not shown in this listing). */
5042 netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
5043 packet_info *pinfo, proto_tree *tree, char *drep)
5045 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* DsrGetSiteName reply: the site name as a UNICODE_STRING behind a
 * reference pointer (hf_netlogon_site_name), then the NT status. */
5053 netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
5054 packet_info *pinfo, proto_tree *tree, char *drep)
5057 offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
5058 NDR_POINTER_REF, hf_netlogon_site_name, 0);
5060 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5061 hf_netlogon_rc, NULL);
/* NetrLogonGetDomainInfo request, in the order the calls appear: server
 * name string (reference pointer), computer name string (unique pointer),
 * AUTHENTICATOR labelled credential, an unknown 32-bit value, AUTHENTICATOR
 * labelled return_authenticator, then a DOMAIN_QUERY (reference pointer).
 * NOTE(review): "Server Handle" and "Computer Name" are both added under
 * hf_netlogon_computer_name, so the two strings share one field — confirm
 * that is intended. */
5067 netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
5068 packet_info *pinfo, proto_tree *tree, char *drep)
5070 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
5071 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5072 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
5073 "Server Handle", hf_netlogon_computer_name, 0);
5075 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5076 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5077 "Computer Name", hf_netlogon_computer_name, 0);
5079 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5080 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5081 "AUTHENTICATOR: credential", -1, 0);
5083 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5084 hf_netlogon_unknown_long, NULL);
5086 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5087 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5088 "AUTHENTICATOR: return_authenticator", -1, 0);
5090 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5091 netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
5092 "DOMAIN_QUERY: ", -1, 0);
/* NetrLogonGetDomainInfo reply: return authenticator and DOMAIN_INFO (both
 * reference pointers), then the NT status (hf_netlogon_rc). */
5099 netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
5100 packet_info *pinfo, proto_tree *tree, char *drep)
5102 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5103 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5104 "AUTHENTICATOR: return_authenticator", -1, 0);
5106 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5107 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_REF,
5108 "DOMAIN_INFO: ", -1, 0);
5110 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5111 hf_netlogon_rc, NULL);
/* Opnum 0x1E request: server handle, an unknown string, an unknown 16-bit
 * value, a second unknown string, an AUTHENTICATOR labelled credential, and
 * finally a UNICODE_STRING_512 (that call continues on a line not shown in
 * this listing). */
5117 netlogon_dissect_function_1e_rqst(tvbuff_t *tvb, int offset,
5118 packet_info *pinfo, proto_tree *tree, char *drep)
5120 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5123 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5124 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5125 "unknown string", hf_netlogon_unknown_string, 0);
5127 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5128 hf_netlogon_unknown_short, NULL);
5130 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5131 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5132 "unknown string", hf_netlogon_unknown_string, 0);
5134 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5135 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5136 "AUTHENTICATOR: credential", -1, 0);
5138 offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
/* Opnum 0x1E reply: return authenticator (unique pointer), then the NT
 * status (hf_netlogon_rc). */
5146 netlogon_dissect_function_1e_reply(tvbuff_t *tvb, int offset,
5147 packet_info *pinfo, proto_tree *tree, char *drep)
5149 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5150 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5151 "AUTHENTICATOR: return_authenticator", -1, 0);
5153 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5154 hf_netlogon_rc, NULL);
/* ServerPasswordSet2 request, as far as it is visible: server handle,
 * account name (unique pointer), secure channel type, computer name (unique
 * pointer), and an AUTHENTICATOR labelled credential.
 * NOTE(review): no password field is dissected in the visible request;
 * check the field layout against the protocol specification. */
5160 netlogon_dissect_netserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
5161 packet_info *pinfo, proto_tree *tree, char *drep)
5163 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5166 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5167 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5168 "Acct Name", hf_netlogon_acct_name, 0);
5170 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
5173 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5174 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5175 "Computer Name", hf_netlogon_computer_name, 0);
5177 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5178 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5179 "AUTHENTICATOR: credential", -1, 0);
/* ServerPasswordSet2 reply: return authenticator, a value dissected as
 * LM_OWF_PASSWORD and labelled server_pwd (both reference pointers), then
 * the NT status (hf_netlogon_rc).
 * The server_pwd bytes end up in the protocol tree, so captures and
 * exported dissections of this call should be treated as sensitive. */
5186 netlogon_dissect_netserverpasswordset2_reply(tvbuff_t *tvb, int offset,
5187 packet_info *pinfo, proto_tree *tree, char *drep)
5189 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5190 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5191 "AUTHENTICATOR: return_authenticator", -1, 0);
5193 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5194 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
5195 "LM_OWF_PASSWORD pointer: server_pwd", -1, 0);
5197 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5198 hf_netlogon_rc, NULL);
/* Opnum 0x20 request: server handle, an unknown string, an AUTHENTICATOR
 * labelled credential, a unique pointer to a BYTE array, then an unknown
 * 32-bit value.
 * NOTE(review): the string pointer passes -1 as its last argument where
 * most sibling calls in this file pass 0 — confirm this is intentional. */
5204 netlogon_dissect_function_20_rqst(tvbuff_t *tvb, int offset,
5205 packet_info *pinfo, proto_tree *tree, char *drep)
5207 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5210 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5211 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5212 "unknown string", hf_netlogon_unknown_string, -1);
5214 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5215 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
5216 "AUTHENTICATOR: credential", -1, 0);
5218 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5219 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5220 "BYTE pointer: unknown_BYTE", -1, 0);
5222 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5223 hf_netlogon_unknown_long, NULL);
/* Opnum 0x20 reply: return authenticator (unique pointer), then the NT
 * status (hf_netlogon_rc). */
5230 netlogon_dissect_function_20_reply(tvbuff_t *tvb, int offset,
5231 packet_info *pinfo, proto_tree *tree, char *drep)
5233 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5234 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
5235 "AUTHENTICATOR: return_authenticator", -1, 0);
5237 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5238 hf_netlogon_rc, NULL);
/* Opnum 0x21 request: server handle, an unknown 32-bit value, then a unique
 * pointer to a BYTE array. */
5244 netlogon_dissect_function_21_rqst(tvbuff_t *tvb, int offset,
5245 packet_info *pinfo, proto_tree *tree, char *drep)
5247 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5250 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5251 hf_netlogon_unknown_long, NULL);
5253 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5254 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5255 "BYTE pointer: unknown_BYTE", -1, 0);
/* Opnum 0x21 reply: a unique pointer dissected by
 * netlogon_dissect_TYPE_50_ptr, then the NT status (hf_netlogon_rc). */
5262 netlogon_dissect_function_21_reply(tvbuff_t *tvb, int offset,
5263 packet_info *pinfo, proto_tree *tree, char *drep)
5265 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5266 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5267 "TYPE_50** pointer: unknown_TYPE_50", -1, 0);
5269 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5270 hf_netlogon_rc, NULL);
/* Opnum 0x22 request, in the order the calls appear: server handle, unknown
 * string, unknown 32-bit value, unknown string, unknown GUID, unknown
 * string, unknown 32-bit value.  Strings and the GUID are unique
 * pointers. */
5276 netlogon_dissect_function_22_rqst(tvbuff_t *tvb, int offset,
5277 packet_info *pinfo, proto_tree *tree, char *drep)
5279 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5282 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5283 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5284 "unknown string", hf_netlogon_unknown_string, 0);
5286 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5287 hf_netlogon_unknown_long, NULL);
5289 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5290 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5291 "unknown string", hf_netlogon_unknown_string, 0);
5293 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5294 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5295 "GUID pointer: unknown_GUID", -1, 0);
5297 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5298 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5299 "unknown string", hf_netlogon_unknown_string, 0);
5301 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5302 hf_netlogon_unknown_long, NULL);
/* Opnum 0x22 reply: a unique pointer to DOMAIN_CONTROLLER_INFO, then the NT
 * status (hf_netlogon_rc). */
5309 netlogon_dissect_function_22_reply(tvbuff_t *tvb, int offset,
5310 packet_info *pinfo, proto_tree *tree, char *drep)
5312 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5313 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
5314 "DOMAIN_CONTROLLER_INFO:", -1, 0);
5316 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5317 hf_netlogon_rc, NULL);
/* Opnum 0x23 request: the only visible step is the LOGONSRV_HANDLE
 * dissection (the call continues on a line not shown in this listing). */
5323 netlogon_dissect_function_23_rqst(tvbuff_t *tvb, int offset,
5324 packet_info *pinfo, proto_tree *tree, char *drep)
5326 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Opnum 0x23 reply: an unknown string and an unknown ULONG (both unique
 * pointers), then the NT status (hf_netlogon_rc).
 * NOTE(review): the string pointer passes -1 as its last argument where
 * most sibling calls in this file pass 0 — confirm this is intentional. */
5334 netlogon_dissect_function_23_reply(tvbuff_t *tvb, int offset,
5335 packet_info *pinfo, proto_tree *tree, char *drep)
5337 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5338 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5339 "unknown string", hf_netlogon_unknown_string, -1);
5341 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5342 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5343 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5345 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5346 hf_netlogon_rc, NULL);
/* Opnum 0x24 request: the only visible step is the LOGONSRV_HANDLE
 * dissection (the call continues on a line not shown in this listing). */
5352 netlogon_dissect_function_24_rqst(tvbuff_t *tvb, int offset,
5353 packet_info *pinfo, proto_tree *tree, char *drep)
5355 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
/* Opnum 0x24 reply: a 32-bit entry count, a unique pointer to a
 * DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY, then the NT status.
 * NOTE(review): the entry count is only displayed here (NULL result
 * pointer); how the array dissector bounds its element count is outside
 * this listing. */
5362 netlogon_dissect_function_24_reply(tvbuff_t *tvb, int offset,
5363 packet_info *pinfo, proto_tree *tree, char *drep)
5365 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5366 hf_netlogon_entries, NULL);
5368 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5369 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY, NDR_POINTER_UNIQUE,
5370 "DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY:", -1, 0);
5372 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5373 hf_netlogon_rc, NULL);
/* Opnum 0x25 request: server handle, an unknown 32-bit value, then a unique
 * pointer to a BYTE array. */
5379 netlogon_dissect_function_25_rqst(tvbuff_t *tvb, int offset,
5380 packet_info *pinfo, proto_tree *tree, char *drep)
5382 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5385 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5386 hf_netlogon_unknown_long, NULL);
5388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5389 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
5390 "BYTE pointer: unknown_BYTE", -1, 0);
/* Opnum 0x25 reply: a unique pointer dissected by
 * netlogon_dissect_TYPE_52_ptr, then the NT status (hf_netlogon_rc). */
5397 netlogon_dissect_function_25_reply(tvbuff_t *tvb, int offset,
5398 packet_info *pinfo, proto_tree *tree, char *drep)
5400 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5401 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
5402 "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
5404 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5405 hf_netlogon_rc, NULL);
/* Opnum 0x26 request: a single unique pointer to an unknown string; no
 * server-handle call is visible for this request. */
5412 netlogon_dissect_function_26_rqst(tvbuff_t *tvb, int offset,
5413 packet_info *pinfo, proto_tree *tree, char *drep)
5415 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5416 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5417 "unknown string", hf_netlogon_unknown_string, 0);
/* Opnum 0x26 reply: a unique pointer dissected by
 * netlogon_dissect_TYPE_50_ptr, then the NT status (hf_netlogon_rc). */
5424 netlogon_dissect_function_26_reply(tvbuff_t *tvb, int offset,
5425 packet_info *pinfo, proto_tree *tree, char *drep)
5427 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5428 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
5429 "TYPE_50** pointer: unknown_TYPE_50", -1, 0);
5431 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5432 hf_netlogon_rc, NULL);
/* LogonSamLogonEx request, in the order the calls appear: two unknown
 * strings, an unknown 16-bit value, a unique pointer to a LEVEL, a second
 * unknown 16-bit value, then a unique pointer to an unknown ULONG.
 * No authenticator is dissected in the visible request, unlike most other
 * logon-related requests in this file. */
5438 netlogon_dissect_logonsamlogonex_rqst(tvbuff_t *tvb, int offset,
5439 packet_info *pinfo, proto_tree *tree, char *drep)
5441 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5442 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5443 "unknown string", hf_netlogon_unknown_string, 0);
5445 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5446 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5447 "unknown string", hf_netlogon_unknown_string, 0);
5449 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5450 hf_netlogon_unknown_short, NULL);
5452 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5453 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
5454 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1, 0);
5456 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
5457 hf_netlogon_unknown_short, NULL);
5459 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5460 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5461 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
/* LogonSamLogonEx reply: unique pointers to a VALIDATION, an unknown
 * BOOLEAN (dissected as a char) and an unknown ULONG, then the NT status
 * (hf_netlogon_rc). */
5467 netlogon_dissect_logonsamlogonex_reply(tvbuff_t *tvb, int offset,
5468 packet_info *pinfo, proto_tree *tree, char *drep)
5470 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5471 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
5472 "VALIDATION: unknown_NETLOGON_VALIDATION", -1, 0);
5474 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5475 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
5476 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char, 0);
5478 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5479 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
5480 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
5482 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5483 hf_netlogon_rc, NULL);
/* DsrRoleGetPrimaryDomainInformation request: server handle, then an
 * unknown 32-bit value. */
5489 netlogon_dissect_dsrrolegetprimarydomaininformation_rqst(tvbuff_t *tvb, int offset,
5490 packet_info *pinfo, proto_tree *tree, char *drep)
5492 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5495 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5496 hf_netlogon_unknown_long, NULL);
/* DsrRoleGetPrimaryDomainInformation reply: a 32-bit entry count, a unique
 * pointer to a DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY, then the NT status.
 * The visible calls are identical to those of the opnum 0x24 reply.
 * NOTE(review): the entry count is only displayed here (NULL result
 * pointer); how the array dissector bounds its element count is outside
 * this listing. */
5503 netlogon_dissect_dsrrolegetprimarydomaininformation_reply(tvbuff_t *tvb, int offset,
5504 packet_info *pinfo, proto_tree *tree, char *drep)
5506 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
5507 hf_netlogon_entries, NULL);
5509 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5510 netlogon_dissect_DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY, NDR_POINTER_UNIQUE,
5511 "DSROLE_PRIMARY_DOMAIN_INFO_EX_ARRAY:", -1, 0);
5513 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5514 hf_netlogon_rc, NULL);
/* DsrDeregisterDNSHostRecords request: server handle, domain name string,
 * domain GUID, DSA GUID, then the DNS host name string (all unique
 * pointers).
 * NOTE(review): the dns_host pointer passes -1 as its last argument where
 * the Domain string above passes 0 — confirm this is intentional. */
5520 netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
5521 packet_info *pinfo, proto_tree *tree, char *drep)
5523 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5526 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5527 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5528 "Domain", hf_netlogon_logon_dom, 0);
5530 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5531 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5532 "GUID pointer: domain_guid", -1, 0);
5534 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5535 dissect_nt_GUID, NDR_POINTER_UNIQUE,
5536 "GUID pointer: dsa_guid", -1, 0);
5538 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
5539 dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
5540 "dns_host", hf_netlogon_dns_host, -1);
/* DsrDeregisterDNSHostRecords reply: only the NT status (hf_netlogon_rc) is
 * dissected. */
5547 netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
5548 packet_info *pinfo, proto_tree *tree, char *drep)
5550 offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
5551 hf_netlogon_rc, NULL);
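/*
 * Per-opnum table for the NETLOGON interface.  Each entry pairs an opnum
 * constant with a display name and the request and reply dissector
 * functions defined in this file; the list ends with an all-zero/NULL
 * entry.
 *
 * The display names are spelled exactly as in netlogon_opnum_vals[]
 * (underscore form, e.g. "Function_0x15"), so that the name shown for a
 * call and the name shown for the opnum field agree.  Keep the two tables
 * in sync when adding an opnum.
 */
static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
	{ NETLOGON_UASLOGON, "UasLogon",
		netlogon_dissect_netlogonuaslogon_rqst,
		netlogon_dissect_netlogonuaslogon_reply },
	{ NETLOGON_UASLOGOFF, "UasLogoff",
		netlogon_dissect_netlogonuaslogoff_rqst,
		netlogon_dissect_netlogonuaslogoff_reply },
	{ NETLOGON_NETLOGONSAMLOGON, "SamLogon",
		netlogon_dissect_netlogonsamlogon_rqst,
		netlogon_dissect_netlogonsamlogon_reply },
	{ NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
		netlogon_dissect_netlogonsamlogoff_rqst,
		netlogon_dissect_netlogonsamlogoff_reply },
	{ NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
		netlogon_dissect_netserverreqchallenge_rqst,
		netlogon_dissect_netserverreqchallenge_reply },
	{ NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
		netlogon_dissect_netserverauthenticate_rqst,
		netlogon_dissect_netserverauthenticate_reply },
	{ NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
		netlogon_dissect_netserverpasswordset_rqst,
		netlogon_dissect_netserverpasswordset_reply },
	{ NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
		netlogon_dissect_netsamdeltas_rqst,
		netlogon_dissect_netsamdeltas_reply },
	{ NETLOGON_DATABASESYNC, "DatabaseSync",
		netlogon_dissect_netlogondatabasesync_rqst,
		netlogon_dissect_netlogondatabasesync_reply },
	{ NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
		netlogon_dissect_netlogonaccountdeltas_rqst,
		netlogon_dissect_netlogonaccountdeltas_reply },
	{ NETLOGON_ACCOUNTSYNC, "AccountSync",
		netlogon_dissect_netlogonaccountsync_rqst,
		netlogon_dissect_netlogonaccountsync_reply },
	{ NETLOGON_GETDCNAME, "GetDCName",
		netlogon_dissect_netlogongetdcname_rqst,
		netlogon_dissect_netlogongetdcname_reply },
	{ NETLOGON_NETLOGONCONTROL, "LogonControl",
		netlogon_dissect_netlogoncontrol_rqst,
		netlogon_dissect_netlogoncontrol_reply },
	{ NETLOGON_GETANYDCNAME, "GetAnyDCName",
		netlogon_dissect_netlogongetanydcname_rqst,
		netlogon_dissect_netlogongetanydcname_reply },
	{ NETLOGON_NETLOGONCONTROL2, "LogonControl2",
		netlogon_dissect_netlogoncontrol2_rqst,
		netlogon_dissect_netlogoncontrol2_reply },
	{ NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
		netlogon_dissect_netserverauthenticate2_rqst,
		netlogon_dissect_netserverauthenticate2_reply },
	{ NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
		netlogon_dissect_netdatabasesync2_rqst,
		netlogon_dissect_netdatabasesync2_reply },
	{ NETLOGON_DATABASEREDO, "DatabaseRedo",
		netlogon_dissect_netlogondatabaseredo_rqst,
		netlogon_dissect_netlogondatabaseredo_reply },
	{ NETLOGON_FUNCTION_12, "Function_0x12",
		netlogon_dissect_function_12_rqst,
		netlogon_dissect_function_12_reply },
	{ NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList",
		netlogon_dissect_nettrusteddomainlist_rqst,
		netlogon_dissect_nettrusteddomainlist_reply },
	{ NETLOGON_DSRGETDCNAME2, "DsrGetDCName2",
		netlogon_dissect_dsrgetdcname2_rqst,
		netlogon_dissect_dsrgetdcname2_reply },
	{ NETLOGON_FUNCTION_15, "Function_0x15",
		netlogon_dissect_function_15_rqst,
		netlogon_dissect_function_15_reply },
	{ NETLOGON_FUNCTION_16, "Function_0x16",
		netlogon_dissect_function_16_rqst,
		netlogon_dissect_function_16_reply },
	{ NETLOGON_FUNCTION_17, "Function_0x17",
		netlogon_dissect_function_17_rqst,
		netlogon_dissect_function_17_reply },
	{ NETLOGON_FUNCTION_18, "Function_0x18",
		netlogon_dissect_function_18_rqst,
		netlogon_dissect_function_18_reply },
	{ NETLOGON_FUNCTION_19, "Function_0x19",
		netlogon_dissect_function_19_rqst,
		netlogon_dissect_function_19_reply },
	{ NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3",
		netlogon_dissect_netserverauthenticate3_rqst,
		netlogon_dissect_netserverauthenticate3_reply },
	{ NETLOGON_DSRGETDCNAME, "DsrGetDCName",
		netlogon_dissect_dsrgetdcname_rqst,
		netlogon_dissect_dsrgetdcname_reply },
	{ NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
		netlogon_dissect_dsrgetsitename_rqst,
		netlogon_dissect_dsrgetsitename_reply },
	{ NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
		netlogon_dissect_netrlogongetdomaininfo_rqst,
		netlogon_dissect_netrlogongetdomaininfo_reply },
	{ NETLOGON_FUNCTION_1E, "Function_0x1E",
		netlogon_dissect_function_1e_rqst,
		netlogon_dissect_function_1e_reply },
	{ NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2",
		netlogon_dissect_netserverpasswordset2_rqst,
		netlogon_dissect_netserverpasswordset2_reply },
	{ NETLOGON_FUNCTION_20, "Function_0x20",
		netlogon_dissect_function_20_rqst,
		netlogon_dissect_function_20_reply },
	{ NETLOGON_FUNCTION_21, "Function_0x21",
		netlogon_dissect_function_21_rqst,
		netlogon_dissect_function_21_reply },
	{ NETLOGON_FUNCTION_22, "Function_0x22",
		netlogon_dissect_function_22_rqst,
		netlogon_dissect_function_22_reply },
	{ NETLOGON_FUNCTION_23, "Function_0x23",
		netlogon_dissect_function_23_rqst,
		netlogon_dissect_function_23_reply },
	{ NETLOGON_FUNCTION_24, "Function_0x24",
		netlogon_dissect_function_24_rqst,
		netlogon_dissect_function_24_reply },
	{ NETLOGON_FUNCTION_25, "Function_0x25",
		netlogon_dissect_function_25_rqst,
		netlogon_dissect_function_25_reply },
	{ NETLOGON_FUNCTION_26, "Function_0x26",
		netlogon_dissect_function_26_rqst,
		netlogon_dissect_function_26_reply },
	{ NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx",
		netlogon_dissect_logonsamlogonex_rqst,
		netlogon_dissect_logonsamlogonex_reply },
	{ NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DsrRoleGetPrimaryDomainInformation",
		netlogon_dissect_dsrrolegetprimarydomaininformation_rqst,
		netlogon_dissect_dsrrolegetprimarydomaininformation_reply },
	{ NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords",
		netlogon_dissect_dsrderegisterdnshostrecords_rqst,
		netlogon_dissect_dsrderegisterdnshostrecords_reply },
	{0, NULL, NULL, NULL }
};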
/* Display names for the NETLOGON opnum constants.  The hf_netlogon_opnum
 * field registration in this file refers to this table through
 * VALS(netlogon_opnum_vals).
 * Names here are expected to match the strings in
 * dcerpc_netlogon_dissectors[]; keep the two tables in sync when adding an
 * opnum.  The closing lines of the table are not visible in this listing. */
5688 static const value_string netlogon_opnum_vals[] = {
5689 { NETLOGON_UASLOGON, "UasLogon" },
5690 { NETLOGON_UASLOGOFF, "UasLogoff" },
5691 { NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
5692 { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
5693 { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
5694 { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
5695 { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
5696 { NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
5697 { NETLOGON_DATABASESYNC, "DatabaseSync" },
5698 { NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
5699 { NETLOGON_ACCOUNTSYNC, "AccountSync" },
5700 { NETLOGON_GETDCNAME, "GetDCName" },
5701 { NETLOGON_NETLOGONCONTROL, "LogonControl" },
5702 { NETLOGON_GETANYDCNAME, "GetAnyDCName" },
5703 { NETLOGON_NETLOGONCONTROL2, "LogonControl2" },
5704 { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2" },
5705 { NETLOGON_NETDATABASESYNC2, "DatabaseSync2" },
5706 { NETLOGON_DATABASEREDO, "DatabaseRedo" },
5707 { NETLOGON_FUNCTION_12, "Function_0x12" },
5708 { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList" },
5709 { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2" },
5710 { NETLOGON_FUNCTION_15, "Function_0x15" },
5711 { NETLOGON_FUNCTION_16, "Function_0x16" },
5712 { NETLOGON_FUNCTION_17, "Function_0x17" },
5713 { NETLOGON_FUNCTION_18, "Function_0x18" },
5714 { NETLOGON_FUNCTION_19, "Function_0x19" },
5715 { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3" },
5716 { NETLOGON_DSRGETDCNAME, "DsrGetDCName" },
5717 { NETLOGON_DSRGETSITENAME, "DsrGetSiteName" },
5718 { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo" },
5719 { NETLOGON_FUNCTION_1E, "Function_0x1E" },
5720 { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2" },
5721 { NETLOGON_FUNCTION_20, "Function_0x20" },
5722 { NETLOGON_FUNCTION_21, "Function_0x21" },
5723 { NETLOGON_FUNCTION_22, "Function_0x22" },
5724 { NETLOGON_FUNCTION_23, "Function_0x23" },
5725 { NETLOGON_FUNCTION_24, "Function_0x24" },
5726 { NETLOGON_FUNCTION_25, "Function_0x25" },
5727 { NETLOGON_FUNCTION_26, "Function_0x26" },
5728 { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx" },
5729 { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DsrRoleGetPrimaryDomainInformation" },
5730 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords" },
/*
 * Register the NETLOGON protocol with the dissection core.
 *
 * Builds a static table of header fields (hf) and a static list of subtree
 * indices (ett), registers the protocol under the name
 * "Microsoft Network Logon", then hands both arrays to the registration
 * helpers.  Takes no arguments and returns nothing; the only result is
 * that proto_dcerpc_netlogon is assigned by proto_register_protocol().
 */
5735 proto_register_dcerpc_netlogon(void)
/*
 * Header-field table.  Each entry pairs an hf_* index variable with its
 * display name, filter abbreviation, field type, display base, optional
 * value-string table, bitmask and blurb.
 */
5738 static hf_register_info hf[] = {
/* Operation number; rendered by name through netlogon_opnum_vals. */
5739 { &hf_netlogon_opnum,
5740 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
5741 VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
/* Return code; rendered by name through the NT_errors table. */
5743 { &hf_netlogon_rc, {
5744 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
5745 VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
5747 { &hf_netlogon_param_ctrl, {
5748 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
5749 NULL, 0x0, "Param ctrl", HFILL }},
5751 { &hf_netlogon_logon_id, {
5752 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
5753 NULL, 0x0, "Logon ID", HFILL }},
5755 { &hf_netlogon_modify_count, {
5756 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
5757 NULL, 0x0, "How many times the object has been modified", HFILL }},
5759 { &hf_netlogon_security_information, {
5760 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
5761 NULL, 0x0, "Security Information", HFILL }},
5763 { &hf_netlogon_count, {
5764 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
5765 NULL, 0x0, "", HFILL }},
5767 { &hf_netlogon_entries, {
5768 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
5769 NULL, 0x0, "", HFILL }},
/*
 * Authentication material: the credential, challenge, LM/NT OWF password
 * values and the user session key are all registered as raw FT_BYTES
 * fields, so their bytes appear in the protocol tree and can be matched in
 * display filters.
 * NOTE(review): capture files and exported dissections that contain these
 * fields hold credential material and should be treated as sensitive.
 */
5771 { &hf_netlogon_credential, {
5772 "Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
5773 NULL, 0x0, "Netlogon credential", HFILL }},
5775 { &hf_netlogon_challenge, {
5776 "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
5777 NULL, 0x0, "Netlogon challenge", HFILL }},
5779 { &hf_netlogon_lm_owf_password, {
5780 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
5781 NULL, 0x0, "LanManager OWF Password", HFILL }},
5783 { &hf_netlogon_user_session_key, {
5784 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_HEX,
5785 NULL, 0x0, "User Session Key", HFILL }},
5787 { &hf_netlogon_encrypted_lm_owf_password, {
5788 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_HEX,
5789 NULL, 0x0, "Encrypted LanManager OWF Password", HFILL }},
5791 { &hf_netlogon_nt_owf_password, {
5792 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_HEX,
5793 NULL, 0x0, "NT OWF Password", HFILL }},
5795 { &hf_netlogon_blob, {
5796 "BLOB", "netlogon.blob", FT_BYTES, BASE_HEX,
5797 NULL, 0x0, "BLOB", HFILL }},
5799 { &hf_netlogon_len, {
5800 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
5801 NULL, 0, "Length", HFILL }},
5803 { &hf_netlogon_priv, {
5804 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
5805 NULL, 0, "", HFILL }},
5807 { &hf_netlogon_privilege_entries, {
5808 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
5809 NULL, 0, "", HFILL }},
5811 { &hf_netlogon_privilege_control, {
5812 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
5813 NULL, 0, "", HFILL }},
/*
 * NOTE(review): this is the only FT_STRING entry in the table declared
 * with BASE_HEX; every other FT_STRING field uses BASE_NONE.  Looks like
 * it should be BASE_NONE as well -- confirm.
 */
5815 { &hf_netlogon_privilege_name, {
5816 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
5817 NULL, 0, "", HFILL }},
5819 { &hf_netlogon_pdc_connection_status, {
5820 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
5821 NULL, 0, "PDC Connection Status", HFILL }},
5823 { &hf_netlogon_tc_connection_status, {
5824 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
5825 NULL, 0, "TC Connection Status", HFILL }},
5827 { &hf_netlogon_attrs, {
5828 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
5829 NULL, 0, "Attributes", HFILL }},
/*
 * Placeholder fields for values whose meaning is not known yet; the blurbs
 * ask anyone who can identify them to contact the developers.
 */
5831 { &hf_netlogon_unknown_string,
5832 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
5833 NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
5834 { &hf_netlogon_unknown_long,
5835 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
5836 NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
5837 { &hf_netlogon_reserved,
5838 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
5839 NULL, 0x0, "Reserved", HFILL }},
5840 { &hf_netlogon_unknown_short,
5841 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
5842 NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
5844 { &hf_netlogon_unknown_char,
5845 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
5846 NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
5848 { &hf_netlogon_acct_expiry_time,
5849 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
5850 NULL, 0x0, "When this account will expire", HFILL }},
/* Single-byte account/password state values. */
5852 { &hf_netlogon_nt_pwd_present,
5853 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
5854 NULL, 0x0, "Is NT password present for this account?", HFILL }},
5856 { &hf_netlogon_lm_pwd_present,
5857 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
5858 NULL, 0x0, "Is LanManager password present for this account?", HFILL }},
5860 { &hf_netlogon_pwd_expired,
5861 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
5862 NULL, 0x0, "Whether this password has expired or not", HFILL }},
5864 { &hf_netlogon_authoritative,
5865 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
5866 NULL, 0x0, "", HFILL }},
5868 { &hf_netlogon_sensitive_data_flag,
5869 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
5870 NULL, 0x0, "Sensitive data flag", HFILL }},
5872 { &hf_netlogon_auditing_mode,
5873 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
5874 NULL, 0x0, "Auditing Mode", HFILL }},
5876 { &hf_netlogon_max_audit_event_count,
5877 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
5878 NULL, 0x0, "Max audit event count", HFILL }},
5880 { &hf_netlogon_event_audit_option,
5881 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
5882 NULL, 0x0, "Event audit option", HFILL }},
5884 { &hf_netlogon_sensitive_data_len,
5885 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
5886 NULL, 0x0, "Length of sensitive data", HFILL }},
/*
 * NT and LM challenge responses, shown as raw bytes.  Like the credential
 * fields earlier in this table, these are authentication material.
 */
5888 { &hf_netlogon_nt_chal_resp,
5889 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
5890 NULL, 0, "Challenge response for NT authentication", HFILL }},
5892 { &hf_netlogon_lm_chal_resp,
5893 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
5894 NULL, 0, "Challenge response for LM authentication", HFILL }},
5896 { &hf_netlogon_cipher_len,
5897 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
5898 NULL, 0, "", HFILL }},
5900 { &hf_netlogon_cipher_maxlen,
5901 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
5902 NULL, 0, "", HFILL }},
/* Opaque byte payloads (PAC, sensitive data, auth data, cipher data). */
5904 { &hf_netlogon_pac_data,
5905 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
5906 NULL, 0, "Pac Data", HFILL }},
5908 { &hf_netlogon_sensitive_data,
5909 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
5910 NULL, 0, "Sensitive Data", HFILL }},
5912 { &hf_netlogon_auth_data,
5913 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
5914 NULL, 0, "Auth Data", HFILL }},
5916 { &hf_netlogon_cipher_current_data,
5917 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
5918 NULL, 0, "", HFILL }},
5920 { &hf_netlogon_cipher_old_data,
5921 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
5922 NULL, 0, "", HFILL }},
/* String fields: account, host, domain and site names, paths. */
5924 { &hf_netlogon_acct_name,
5925 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
5926 NULL, 0, "Account Name", HFILL }},
5928 { &hf_netlogon_acct_desc,
5929 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
5930 NULL, 0, "Account Description", HFILL }},
5932 { &hf_netlogon_group_desc,
5933 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
5934 NULL, 0, "Group Description", HFILL }},
5936 { &hf_netlogon_full_name,
5937 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
5938 NULL, 0, "Full Name", HFILL }},
5940 { &hf_netlogon_comment,
5941 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
5942 NULL, 0, "Comment", HFILL }},
5944 { &hf_netlogon_parameters,
5945 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
5946 NULL, 0, "Parameters", HFILL }},
5948 { &hf_netlogon_logon_script,
5949 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
5950 NULL, 0, "Logon Script", HFILL }},
5952 { &hf_netlogon_profile_path,
5953 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
5954 NULL, 0, "Profile Path", HFILL }},
5956 { &hf_netlogon_home_dir,
5957 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
5958 NULL, 0, "Home Directory", HFILL }},
5960 { &hf_netlogon_dir_drive,
5961 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
5962 NULL, 0, "Drive letter for home directory", HFILL }},
5964 { &hf_netlogon_logon_srv,
5965 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
5966 NULL, 0, "Server", HFILL }},
5968 { &hf_netlogon_principal,
5969 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
5970 NULL, 0, "Principal", HFILL }},
5972 { &hf_netlogon_logon_dom,
5973 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
5974 NULL, 0, "Domain", HFILL }},
5976 { &hf_netlogon_computer_name,
5977 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
5978 NULL, 0, "Computer Name", HFILL }},
5980 { &hf_netlogon_site_name,
5981 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
5982 NULL, 0, "Site Name", HFILL }},
5984 { &hf_netlogon_dc_name,
5985 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
5986 NULL, 0, "DC Name", HFILL }},
5988 { &hf_netlogon_dc_site_name,
5989 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
5990 NULL, 0, "DC Site Name", HFILL }},
5992 { &hf_netlogon_dns_forest_name,
5993 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
5994 NULL, 0, "DNS Forest Name", HFILL }},
5996 { &hf_netlogon_dc_address,
5997 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
5998 NULL, 0, "DC Address", HFILL }},
6000 { &hf_netlogon_dc_address_type,
6001 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
6002 NULL, 0, "DC Address Type", HFILL }},
6004 { &hf_netlogon_client_site_name,
6005 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
6006 NULL, 0, "Client Site Name", HFILL }},
6008 { &hf_netlogon_workstation_site_name,
6009 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
6010 NULL, 0, "Workstation Site Name", HFILL }},
6012 { &hf_netlogon_workstation,
6013 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
6014 NULL, 0, "Workstation Name", HFILL }},
6016 { &hf_netlogon_workstation_os,
6017 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
6018 NULL, 0, "Workstation OS", HFILL }},
6020 { &hf_netlogon_workstations,
6021 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
6022 NULL, 0, "Workstations", HFILL }},
6024 { &hf_netlogon_workstation_fqdn,
6025 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
6026 NULL, 0, "Workstation FQDN", HFILL }},
6028 { &hf_netlogon_group_name,
6029 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
6030 NULL, 0, "Group Name", HFILL }},
6032 { &hf_netlogon_alias_name,
6033 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
6034 NULL, 0, "Alias Name", HFILL }},
6036 { &hf_netlogon_dns_host,
6037 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
6038 NULL, 0, "DNS Host", HFILL }},
6040 { &hf_netlogon_downlevel_domain_name,
6041 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
6042 NULL, 0, "Downlevel Domain Name", HFILL }},
6044 { &hf_netlogon_dns_domain_name,
6045 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
6046 NULL, 0, "DNS Domain Name", HFILL }},
/*
 * NOTE(review): reuses the abbreviation "netlogon.domain" already given to
 * hf_netlogon_logon_dom earlier in this table.  Both entries are
 * FT_STRING, so a filter on netlogon.domain matches either field --
 * confirm the sharing is intended.
 */
6048 { &hf_netlogon_domain_name,
6049 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
6050 NULL, 0, "Domain Name", HFILL }},
6052 { &hf_netlogon_oem_info,
6053 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
6054 NULL, 0, "OEM Info", HFILL }},
6056 { &hf_netlogon_trusted_dc_name,
6057 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
6058 NULL, 0, "Trusted DC", HFILL }},
6060 { &hf_netlogon_logonsrv_handle,
6061 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
6062 NULL, 0, "Logon Srv Handle", HFILL }},
6064 { &hf_netlogon_dummy,
6065 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
6066 NULL, 0, "Dummy string", HFILL }},
/*
 * Logon and bad-password counters are registered twice, once as a 16-bit
 * field and once as a 32-bit field, under separate abbreviations.
 */
6068 { &hf_netlogon_logon_count16,
6069 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
6070 NULL, 0x0, "Number of successful logins", HFILL }},
6072 { &hf_netlogon_logon_count,
6073 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
6074 NULL, 0x0, "Number of successful logins", HFILL }},
6076 { &hf_netlogon_bad_pw_count16,
6077 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
6078 NULL, 0x0, "Number of failed logins", HFILL }},
6080 { &hf_netlogon_bad_pw_count,
6081 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
6082 NULL, 0x0, "Number of failed logins", HFILL }},
/* Country code; rendered by name through ms_country_codes. */
6084 { &hf_netlogon_country,
6085 { "Country", "netlogon.country", FT_UINT16, BASE_DEC,
6086 VALS(ms_country_codes), 0x0, "Country setting for this account", HFILL }},
6088 { &hf_netlogon_codepage,
6089 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
6090 NULL, 0x0, "Codepage setting for this account", HFILL }},
6092 { &hf_netlogon_level16,
6093 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
6094 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6096 { &hf_netlogon_validation_level,
6097 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
6098 NULL, 0x0, "Requested level of validation", HFILL }},
6100 { &hf_netlogon_minpasswdlen,
6101 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
6102 NULL, 0x0, "Minimum length of password", HFILL }},
6104 { &hf_netlogon_passwdhistorylen,
6105 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
6106 NULL, 0x0, "Length of password history", HFILL }},
6108 { &hf_netlogon_secure_channel_type,
6109 { "Sec Chn Type", "netlogon.sec_chn_type", FT_UINT16, BASE_DEC,
6110 NULL, 0x0, "Secure Channel Type", HFILL }},
6112 { &hf_netlogon_restart_state,
6113 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
6114 NULL, 0x0, "Restart State", HFILL }},
/* Delta type; rendered by name through delta_type_vals. */
6116 { &hf_netlogon_delta_type,
6117 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
6118 VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
6120 { &hf_netlogon_blob_size,
6121 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
6122 NULL, 0x0, "Size in bytes of BLOB", HFILL }},
6124 { &hf_netlogon_code,
6125 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
6126 NULL, 0x0, "Code", HFILL }},
6128 { &hf_netlogon_level,
6129 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
6130 NULL, 0x0, "Which option of the union is represented here", HFILL }},
6132 { &hf_netlogon_reference,
6133 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
6134 NULL, 0x0, "", HFILL }},
6136 { &hf_netlogon_next_reference,
6137 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
6138 NULL, 0x0, "", HFILL }},
6140 { &hf_netlogon_timestamp,
6141 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
6142 NULL, 0, "", HFILL }},
/* Relative identifiers; note the user RID is filtered as "netlogon.rid". */
6144 { &hf_netlogon_user_rid,
6145 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
6146 NULL, 0x0, "", HFILL }},
6148 { &hf_netlogon_alias_rid,
6149 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
6150 NULL, 0x0, "", HFILL }},
6152 { &hf_netlogon_group_rid,
6153 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
6154 NULL, 0x0, "", HFILL }},
6156 { &hf_netlogon_num_rids,
6157 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
6158 NULL, 0x0, "Number of RIDs", HFILL }},
6160 { &hf_netlogon_num_controllers,
6161 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
6162 NULL, 0x0, "Number of domain controllers", HFILL }},
6164 { &hf_netlogon_num_other_groups,
6165 { "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
6166 NULL, 0x0, "", HFILL }},
/* Flag words are registered whole (mask 0x0), displayed in hex. */
6168 { &hf_netlogon_flags,
6169 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
6170 NULL, 0x0, "", HFILL }},
6172 { &hf_netlogon_user_flags,
6173 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
6174 NULL, 0x0, "", HFILL }},
6176 { &hf_netlogon_auth_flags,
6177 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
6178 NULL, 0x0, "", HFILL }},
6180 { &hf_netlogon_systemflags,
6181 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
6182 NULL, 0x0, "", HFILL }},
6184 { &hf_netlogon_database_id,
6185 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
6186 NULL, 0x0, "Database Id", HFILL }},
6188 { &hf_netlogon_sync_context,
6189 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
6190 NULL, 0x0, "Sync Context", HFILL }},
6192 { &hf_netlogon_max_size,
6193 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
6194 NULL, 0x0, "Max Size of database", HFILL }},
6196 { &hf_netlogon_max_log_size,
6197 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
6198 NULL, 0x0, "Max Size of log", HFILL }},
6200 { &hf_netlogon_pac_size,
6201 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
6202 NULL, 0x0, "Size of PacData in bytes", HFILL }},
6204 { &hf_netlogon_auth_size,
6205 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
6206 NULL, 0x0, "Size of AuthData in bytes", HFILL }},
6208 { &hf_netlogon_num_deltas,
6209 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
6210 NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
6212 { &hf_netlogon_num_trusts,
6213 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
6214 NULL, 0x0, "", HFILL }},
6216 { &hf_netlogon_logon_attempts,
6217 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
6218 NULL, 0x0, "Number of logon attempts", HFILL }},
6220 { &hf_netlogon_pagefilelimit,
6221 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
6222 NULL, 0x0, "", HFILL }},
6224 { &hf_netlogon_pagedpoollimit,
6225 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
6226 NULL, 0x0, "", HFILL }},
6228 { &hf_netlogon_nonpagedpoollimit,
6229 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
6230 NULL, 0x0, "", HFILL }},
6232 { &hf_netlogon_minworkingsetsize,
6233 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
6234 NULL, 0x0, "", HFILL }},
6236 { &hf_netlogon_maxworkingsetsize,
6237 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
6238 NULL, 0x0, "", HFILL }},
6240 { &hf_netlogon_serial_number,
6241 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
6242 NULL, 0x0, "", HFILL }},
/* Negotiation flags are registered as one 32-bit hex value, no bit fields. */
6244 { &hf_netlogon_neg_flags,
6245 { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
6246 NULL, 0x0, "Negotiation Flags", HFILL }},
/* Absolute timestamps for logon, password, domain, database and cipher events. */
6248 { &hf_netlogon_logon_time,
6249 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
6250 NULL, 0, "Time for last time this user logged on", HFILL }},
6252 { &hf_netlogon_kickoff_time,
6253 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6254 NULL, 0, "Time when this user will be kicked off", HFILL }},
6256 { &hf_netlogon_logoff_time,
6257 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, BASE_NONE,
6258 NULL, 0, "Time for last time this user logged off", HFILL }},
6260 { &hf_netlogon_pwd_last_set_time,
6261 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6262 NULL, 0, "Last time this users password was changed", HFILL }},
6264 { &hf_netlogon_pwd_can_change_time,
6265 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6266 NULL, 0, "When this users password may be changed", HFILL }},
6268 { &hf_netlogon_pwd_must_change_time,
6269 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
6270 NULL, 0, "When this users password must be changed", HFILL }},
6272 { &hf_netlogon_domain_create_time,
6273 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6274 NULL, 0, "Time when this domain was created", HFILL }},
6276 { &hf_netlogon_domain_modify_time,
6277 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6278 NULL, 0, "Time when this domain was last modified", HFILL }},
6280 { &hf_netlogon_db_modify_time,
6281 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
6282 NULL, 0, "Time when last modified", HFILL }},
6284 { &hf_netlogon_db_create_time,
6285 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
6286 NULL, 0, "Time when created", HFILL }},
6288 { &hf_netlogon_cipher_current_set_time,
6289 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6290 NULL, 0, "Time when current cipher was initiated", HFILL }},
6292 { &hf_netlogon_cipher_old_set_time,
6293 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
6294 NULL, 0, "Time when previous cipher was initiated", HFILL }},
/* Durations are registered as FT_RELATIVE_TIME. */
6296 { &hf_netlogon_audit_retention_period,
6297 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
6298 NULL, 0, "Audit retention period", HFILL }},
/* The GUID is registered as a string field; the blurb itself is unsure of its meaning. */
6300 { &hf_netlogon_guid,
6301 { "GUID", "netlogon.guid", FT_STRING, BASE_NONE,
6302 NULL, 0x0, "GUID (uuid for groups?)", HFILL }},
6304 { &hf_netlogon_timelimit,
6305 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
6306 NULL, 0, "", HFILL }}
/* Subtree (ett) index variables passed to proto_register_subtree_array() below. */
6310 static gint *ett[] = {
6311 &ett_dcerpc_netlogon,
6317 &ett_DOMAIN_CONTROLLER_INFO,
6318 &ett_UNICODE_STRING_512,
6321 &ett_DELTA_ID_UNION,
6324 &ett_LM_OWF_PASSWORD,
6325 &ett_NT_OWF_PASSWORD,
6326 &ett_GROUP_MEMBERSHIP,
6327 &ett_DSROLE_DOMAIN_INFO_EX,
6329 &ett_DOMAIN_TRUST_INFO
/*
 * Register the protocol and keep the returned id in proto_dcerpc_netlogon,
 * then attach the field table and the subtree list.  The protocol's own
 * filter name is "rpc_netlogon", while the fields above all use the
 * "netlogon." prefix.
 */
6332 proto_dcerpc_netlogon = proto_register_protocol(
6333 "Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
6335 proto_register_field_array(proto_dcerpc_netlogon, hf,
6337 proto_register_subtree_array(ett, array_length(ett));
/*
 * Handoff routine: attach the NETLOGON interface to the DCE/RPC dissector.
 *
 * Passes the protocol id, the top-level subtree index, the interface UUID
 * and version, the per-operation dissector table and the opnum field to
 * dcerpc_init_uuid().  Takes no arguments and returns nothing.
 */
6341 proto_reg_handoff_dcerpc_netlogon(void)
6343 /* Register protocol as dcerpc */
6345 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
6346 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
6347 dcerpc_netlogon_dissectors, hf_netlogon_opnum);