2 * Routines for smb net logon packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
5 * $Id: packet-smb-logon.c,v 1.3 2000/02/21 23:50:15 sharpe Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
11 * Copied from packet-pop.c
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
28 #include "packet-smb-common.h"
30 static int proto_smb_logon = -1;
32 static int ett_smb_logon = -1;
33 static int ett_smb_account_flags = -1;
37 dissect_account_control( const u_char *pd, int offset, frame_data *fd,
40 /* display the Allowable Account control bits */
42 proto_tree *flags_tree;
44 guint32 flags = GWORD( pd, offset);
46 struct flag_array_type flag_info[] = {
47 { 0x400, "User account ", "", "not ", "auto-locked"},
48 { 0x200, "User password will ", "not ", "", "expire"},
49 { 0x100, "", "", "Not a ", "Server Trust user account"},
50 { 0x080, "", "", "Not a ", "Workstation Trust user account"},
51 { 0x040, "", "", "Not an ", "Inter-domain Trust user account"},
52 { 0x020, "", "", "Not a ", "MNS Logon user account"},
53 { 0x010, "", "", "Not a ", "Normal user account"},
54 { 0x008, "", "", "Not a ", "temp duplicate user account"},
55 { 0x004, "", "No", "", "User password required"},
56 { 0x002, "", "No", "", "User home directory required"},
57 { 0x001, "User account ", "enabled", "disabled", ""},
62 ti = proto_tree_add_text( tree, offset, 4,
63 "Account control = 0x%04x", flags);
65 flags_tree = proto_item_add_subtree( ti, ett_smb_account_flags);
67 display_flags( flag_info, 4, pd, offset, flags_tree);
73 display_LM_token( const u_char *pd, int *offset, frame_data *fd,
76 /* decode and display the LanMan token */
78 guint16 Token = GSHORT( pd, *offset);
81 proto_tree_add_text( tree, *offset, 2,
82 "LM20 Token: 0x%x (LanMan 2.0 or higher)", Token);
84 proto_tree_add_text( tree, *offset, 2,
85 "LM10 Token: 0x%x (WFW Networking)", Token);
87 if (( *offset + 2) > fd->cap_len)
88 proto_tree_add_text(tree, *offset, 0,"****FRAME TOO SHORT***");
95 display_NT_version( const u_char *pd, int *offset, frame_data *fd,
96 proto_tree *tree, int length) {
98 /* display the NT version */
103 Version = GSHORT( pd, *offset);
105 Version = GWORD( pd, *offset);
107 proto_tree_add_text( tree, *offset, length, "NT Version: 0x%x ",
110 if (( *offset + length) > fd->cap_len)
111 proto_tree_add_text(tree, *offset, 0, "****FRAME TOO SHORT***");
119 void dissect_smb_logon_request( const u_char *pd, int offset, frame_data *fd,
122 /*** 0x00 (LM1.0/LM2.0 LOGON Request) ***/
124 MoveAndCheckOffset( display_ms_string( "Computer Name", pd, offset, fd,
127 MoveAndCheckOffset( display_ms_string( "User Name", pd, offset, fd,
130 MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset, fd,
133 /*$$$$$ here add the Mailslot to the response list (if needed) */
135 MoveAndCheckOffset( display_ms_value( "Request Count", 1, pd, offset,
138 display_NT_version( pd, &offset, fd, tree,2);
139 display_LM_token( pd, &offset, fd, tree);
145 dissect_smb_logon_LM10_resp(const u_char *pd, int offset, frame_data *fd,
148 /*** 0x01 LanMan 1.0 Logon response ***/
150 MoveAndCheckOffset( display_ms_string( "User Name", pd, offset, fd,
152 MoveAndCheckOffset( display_ms_string( "Script Name", pd, offset, fd,
158 void dissect_smb_logon_2(const u_char *pd, int offset, frame_data *fd,
161 /*** 0x02 LM1.0 Query - Centralized Initialization ***/
162 /*** 0x03 LM1.0 Query - Distributed Initialization ***/
163 /*** 0x04 LM1.0 Query - Centralized Query Response ***/
164 /*** 0x04 LM1.0 Query - Distributed Query Response ***/
166 MoveAndCheckOffset( display_ms_string( "Computer Name", pd, offset, fd, tree));
168 MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset, fd, tree));
170 display_NT_version( pd, &offset, fd, tree, 2);
171 display_LM_token( pd, &offset, fd, tree);
176 void dissect_smb_logon_LM20_resp(const u_char *pd, int offset, frame_data *fd,
179 /*** 0x06 (LM2.0 LOGON Response) ***/
181 ++offset; /* move to the server name */
183 MoveAndCheckOffset( display_ms_string( "Logon Server Name", pd, offset,
186 display_LM_token( pd, &offset, fd, tree);
193 dissect_smb_pdc_query(const u_char *pd, int offset, frame_data *fd,
196 /*** 0x07 Query for Primary PDC ***/
199 MoveAndCheckOffset( display_ms_string( "Computer Name", pd, offset,
202 MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset,
205 MoveAndCheckOffset( display_ms_string( "OEM Computer Name", pd, offset,
208 display_NT_version( pd, &offset, fd, tree, 4);
210 proto_tree_add_text( tree, offset, 2, "LMNT Token: 0x%x",
212 MoveAndCheckOffset( 2);
214 display_LM_token( pd, &offset, fd, tree);
219 void dissect_smb_pdc_startup(const u_char *pd, int offset, frame_data *fd,
222 /*** 0x08 Announce startup of PDC ***/
225 display_ms_string( "PDC Name", pd, offset, fd, tree));
227 /* A short Announce will not have the rest */
229 if (END_OF_FRAME > 0) {
231 if (offset % 2) offset++; /* word align ... */
234 display_unicode_string("Unicode PDC Name", pd, offset, fd, tree));
236 if (offset % 2) offset++;
239 display_unicode_string("Unicode Domain Name", pd, offset, fd, tree));
241 display_NT_version( pd, &offset, fd, tree, 4);
243 display_LM_token( pd, &offset, fd, tree);
250 dissect_smb_pdc_failure( const u_char *pd, int offset, frame_data *fd,
253 /*** 0x09 Announce failure of the PDC ***/
254 /*** 0x0F LM2.0 Resp. during LOGON pause ***/
255 /*** 0x10 (LM 2.0 Unknown user response) ***/
257 display_NT_version( pd, &offset, fd, tree, 4);
258 display_LM_token( pd, &offset, fd, tree);
262 void dissect_announce_change( const u_char *pd, int offset,
263 frame_data *fd,proto_tree *tree) {
265 /*** 0x0A ( Announce change to UAS or SAM ) ***/
268 MoveAndCheckOffset( display_ms_value( "Low serial number", 4, pd,
270 MoveAndCheckOffset( display_ms_value( "Date/Time", 4, pd, offset, fd,
273 display_ms_value( "Pulse", 4, pd, offset, fd, tree));
275 display_ms_value( "Random", 4, pd, offset, fd, tree));
277 display_ms_string( "PDC Name", pd, offset, fd, tree));
279 display_ms_string( "Domain Name", pd, offset, fd, tree));
281 /*???? is this needed ??? */
282 if ( !( offset & 0x1)) /* add padding if needed */
285 MoveAndCheckOffset( display_unicode_string( "Unicode PDC Name", pd,
288 MoveAndCheckOffset( display_unicode_string( "Unicode Domain Name", pd,
291 MoveAndCheckOffset( display_ms_value( "DB Count", 4, pd, offset, fd,
294 MoveAndCheckOffset( display_ms_value( "NT Version ", 4, pd, offset, fd,
297 MoveAndCheckOffset( display_ms_value( "LMNT Token ", 2, pd, offset, fd,
300 MoveAndCheckOffset( display_ms_value( "Unknown Token ", 2, pd, offset,
306 dissect_smb_sam_logon_req(const u_char *pd, int offset, frame_data *fd,
309 /*** Netlogon command 0x12 - decode the SAM logon request from client ***/
312 proto_tree_add_text( tree, offset, 2, "Request Count = %x",
315 MoveAndCheckOffset( 2);
317 MoveAndCheckOffset( display_unicode_string( "Unicode Computer Name",
318 pd, offset, fd, tree));
320 MoveAndCheckOffset( display_unicode_string( "Unicode User Name",
321 pd, offset, fd, tree));
323 MoveAndCheckOffset( display_ms_string( "Mailslot Name", pd, offset, fd,
326 dissect_account_control( pd, offset, fd, tree);
328 proto_tree_add_text( tree, offset, 2, "Domain SID Size = %x",
336 dissect_smb_no_user( const u_char *pd, int offset, frame_data *fd,
339 {/* 0x0B (Announce no user on machine) */
341 display_ms_string( "Computer Name", pd, offset, fd, tree);
347 dissect_smb_relogon_resp( const u_char *pd, int offset, frame_data *fd,
350 /*** 0x0d LanMan Response to relogon request ***/
352 MoveAndCheckOffset( display_ms_value( "Workstation major version", 1,
353 pd, offset, fd, tree));
355 MoveAndCheckOffset( display_ms_value( "Workstation minor version", 1,
356 pd, offset, fd, tree));
358 MoveAndCheckOffset( display_ms_value( "Workstation OS version", 1,
359 pd, offset, fd, tree));
361 display_NT_version( pd, &offset, fd, tree, 4);
363 display_LM_token( pd, &offset, fd, tree);
369 dissect_smb_acc_update( const u_char *pd, int offset, frame_data *fd,
372 /*** 0x11 LM2.1 Announce Acc updates ***/
374 guint32 Temp1, Temp2;
376 Temp1 = GWORD( pd, offset);
378 Temp2 = GWORD( pd, offset + 4);
380 proto_tree_add_text( tree, offset, 2, "Signature: 0x%04x%04x",
383 MoveAndCheckOffset( 8);
385 MoveAndCheckOffset( display_ms_value( "Time/Date:", 4,
386 pd, offset, fd, tree));
388 MoveAndCheckOffset( display_ms_string( "Computer name:",
389 pd, offset, fd, tree));
391 MoveAndCheckOffset( display_ms_string( "User name:",
392 pd, offset, fd, tree));
394 MoveAndCheckOffset( display_ms_value( "Update Type:", 2,
395 pd, offset, fd, tree));
397 display_NT_version( pd, &offset, fd, tree, 4);
399 display_LM_token( pd, &offset, fd, tree);
405 dissect_smb_inter_resp( const u_char *pd, int offset, frame_data *fd,
408 /* 0x0e LanMan Response to interrogate request */
410 MoveAndCheckOffset( display_ms_value( "Workstation major version", 1,
411 pd, offset, fd, tree));
413 MoveAndCheckOffset( display_ms_value( "Workstation minor version", 1,
414 pd, offset, fd, tree));
416 MoveAndCheckOffset( display_ms_value( "Workstation OS version", 1, pd,
419 display_NT_version( pd, &offset, fd, tree, 4);
421 MoveAndCheckOffset( display_ms_value( "LMNT Token ", 2, pd, offset, fd,
426 void dissect_smb_sam_logon_resp(const u_char *pd, int offset, frame_data *fd,
429 /* Netlogon command 0x13 - decode the SAM logon response from server */
432 MoveAndCheckOffset( display_unicode_string( "Server Name", pd, offset,
435 MoveAndCheckOffset( display_unicode_string( "User Name", pd, offset,
438 MoveAndCheckOffset( display_unicode_string( "Domain Name", pd, offset,
441 display_NT_version( pd, &offset, fd, tree, 4);
443 proto_tree_add_text( tree, offset, 2, "LMNT Token: 0x%x",
445 MoveAndCheckOffset( 2);
447 display_LM_token( pd, &offset, fd, tree);
452 dissect_smb_logon(const u_char *pd, int offset, frame_data *fd,
453 proto_tree *parent, proto_tree *tree, struct smb_info si,
454 int max_data, int SMB_offset, int errcode, int dirn,
455 const u_char *command, int DataOffset, int DataCount){
458 /* decode the Microsoft netlogon protocol */
460 static char* CommandName[] = {
462 "LM1.0/LM2.0 LOGON Request", /* 0x00 */
463 "LM1.0 LOGON Response", /* 0x01 */
464 "LM1.0 Query - Centralized Initialization", /* 0x02 */
465 "LM1.0 Query - Distributed Initialization", /* 0x03 */
466 "LM1.0 Response - Centralized Query", /* 0x04 */
467 "LM1.0 Response - Distributed Initialization", /* 0x05 */
468 "LM2.0 Response to LOGON Request", /* 0x06 */
469 "Query for PDC", /* 0x07 */
470 "Announce Startup of PDC", /* 0x08 */
471 "Announce Failed PDC", /* 0x09 */
472 "Announce Change to UAS or SAM", /* 0x0A */
473 "Announce no user on machine", /* 0x0B */
474 "Response from PDC", /* 0x0C */
475 "LM1.0/LM2.0 Response to re-LOGON Request", /* 0x0D */
476 "LM1.0/LM2.0 Response to Interrogate Request", /* 0x0E */
477 "LM2.0 Response during LOGON pause", /* 0x0F */
478 "LM2.0 Response - user unknown", /* 0x10 */
479 "LM2.0 Announce account updates ", /* 0x11 */
480 "SAM LOGON request from client ", /* 0x12 */
481 "Response to SAM LOGON request", /* 0x13 */
482 "SAM Response during LOGON pause", /* 0x14 */
483 "SAM Response - user unknown", /* 0x15 */
484 "SAM Response to Interrogate Request", /* 0x16 */
488 /* Array of functions to dissect the ms logon commands */
490 static void (*dissect_smb_logon_cmds[])(const u_char *, int, frame_data *,
493 dissect_smb_logon_request, /* 0x00 (LM1.0/LM2.0 LOGON Request) */
494 dissect_smb_logon_LM10_resp, /* 0x01 (LM1.0 LOGON Response) */
495 dissect_smb_logon_2, /* 0x02 (LM1.0 Query Centralized Init.) */
496 dissect_smb_logon_2, /* 0x03 (LM1.0 Query Distributed Init.) */
497 dissect_smb_logon_2, /* 0x04 (LM1.0 Centralized Query Resp.) */
498 dissect_smb_logon_2, /* 0x05 (LM1.0 Distributed Query Resp.) */
499 dissect_smb_logon_LM20_resp, /* 0x06 (LM2.0 LOGON Response) */
500 dissect_smb_pdc_query, /* 0x07 (Query for PDC) */
501 dissect_smb_pdc_startup, /* 0x08 (Announce PDC startup) */
502 dissect_smb_pdc_failure, /* 0x09 (Announce Failed PDC) */
503 dissect_announce_change, /* 0x0A (Announce change to UAS or SAM) */
504 dissect_smb_no_user, /* 0x0B (Announce no user on machine) */
505 dissect_smb_pdc_startup, /* 0x0C (Response from PDC) */
506 dissect_smb_relogon_resp, /* 0x0D (Relogon response) */
507 dissect_smb_inter_resp, /* 0x0E (Interrogate response) */
508 dissect_smb_pdc_failure, /* 0x0F (LM2.0 Resp. during LOGON pause */
509 dissect_smb_pdc_failure, /* 0x10 (LM 2.0 Unknown user response) */
510 dissect_smb_acc_update, /* 0x11 (LM2.1 Announce Acc updates) */
511 dissect_smb_sam_logon_req, /* 0x12 (SAM LOGON request ) */
512 dissect_smb_sam_logon_resp, /* 0x13 (SAM LOGON response) */
513 dissect_smb_unknown, /* 0x14 (LM2.1 Announce Acc updates) */
519 proto_tree *smb_logon_tree;
522 /* get the Command field */
523 cmd = MIN( GBYTE(pd, offset), array_length(dissect_smb_logon_cmds)-1);
525 if (check_col(fd, COL_PROTOCOL))
526 col_add_str(fd, COL_PROTOCOL, "NETLOGON");
529 if (check_col(fd, COL_INFO))
530 col_add_fstr(fd, COL_INFO, "%s", CommandName[ cmd]);
533 ti = proto_tree_add_item( parent, proto_smb_logon, offset,
535 smb_logon_tree = proto_item_add_subtree(ti, ett_smb_logon);
537 proto_tree_add_text(smb_logon_tree, offset, 1,
538 "Command: %u (%s)", cmd, CommandName[ cmd]);
540 offset += 2; /* skip to name field */
542 /* vector to handle commands */
543 (dissect_smb_logon_cmds[ cmd]) (pd, offset, fd,smb_logon_tree);
552 register_proto_smb_logon( void){
554 /*** Prep the logon protocol, for now, just register it */
556 static gint *ett[] = {
558 &ett_smb_account_flags
561 proto_smb_logon = proto_register_protocol(
562 "Microsoft Windows Logon Protocol", "netlogon");
564 proto_register_subtree_array(ett, array_length(ett));