* Copyright 2001, Tim Potter <tpot@samba.org>
* 2002 structure and command dissectors by Ronnie Sahlberg
*
- * $Id: packet-dcerpc-netlogon.c,v 1.15 2002/04/17 09:32:48 sahlberg Exp $
+ * $Id: packet-dcerpc-netlogon.c,v 1.53 2002/08/27 12:33:14 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
#include "packet-dcerpc-lsa.h"
static int proto_dcerpc_netlogon = -1;
+static int hf_netlogon_opnum = -1;
static int hf_netlogon_rc = -1;
static int hf_netlogon_len = -1;
-static int hf_netlogon_status = -1;
+static int hf_netlogon_sensitive_data_flag = -1;
+static int hf_netlogon_sensitive_data_len = -1;
+static int hf_netlogon_sensitive_data = -1;
+static int hf_netlogon_security_information = -1;
+static int hf_netlogon_dummy = -1;
+static int hf_netlogon_neg_flags = -1;
+static int hf_netlogon_minworkingsetsize = -1;
+static int hf_netlogon_maxworkingsetsize = -1;
+static int hf_netlogon_pagedpoollimit = -1;
+static int hf_netlogon_pagefilelimit = -1;
+static int hf_netlogon_timelimit = -1;
+static int hf_netlogon_nonpagedpoollimit = -1;
+static int hf_netlogon_pac_size = -1;
+static int hf_netlogon_pac_data = -1;
+static int hf_netlogon_auth_size = -1;
+static int hf_netlogon_auth_data = -1;
+static int hf_netlogon_cipher_len = -1;
+static int hf_netlogon_cipher_maxlen = -1;
+static int hf_netlogon_cipher_current_data = -1;
+static int hf_netlogon_cipher_current_set_time = -1;
+static int hf_netlogon_cipher_old_data = -1;
+static int hf_netlogon_cipher_old_set_time = -1;
+static int hf_netlogon_priv = -1;
+static int hf_netlogon_privilege_entries = -1;
+static int hf_netlogon_privilege_control = -1;
+static int hf_netlogon_privilege_name = -1;
+static int hf_netlogon_systemflags = -1;
+static int hf_netlogon_pdc_connection_status = -1;
+static int hf_netlogon_tc_connection_status = -1;
+static int hf_netlogon_restart_state = -1;
static int hf_netlogon_attrs = -1;
static int hf_netlogon_count = -1;
+static int hf_netlogon_entries = -1;
+static int hf_netlogon_minpasswdlen = -1;
+static int hf_netlogon_passwdhistorylen = -1;
+static int hf_netlogon_level16 = -1;
+static int hf_netlogon_validation_level = -1;
+static int hf_netlogon_reference = -1;
+static int hf_netlogon_next_reference = -1;
+static int hf_netlogon_timestamp = -1;
static int hf_netlogon_level = -1;
-static int hf_netlogon_level_long = -1;
-static int hf_netlogon_unknown_time = -1;
+static int hf_netlogon_challenge = -1;
+static int hf_netlogon_reserved = -1;
+static int hf_netlogon_audit_retention_period = -1;
+static int hf_netlogon_auditing_mode = -1;
+static int hf_netlogon_max_audit_event_count = -1;
+static int hf_netlogon_event_audit_option = -1;
static int hf_netlogon_unknown_string = -1;
static int hf_netlogon_unknown_long = -1;
static int hf_netlogon_unknown_short = -1;
static int hf_netlogon_pwd_last_set_time = -1;
static int hf_netlogon_pwd_can_change_time = -1;
static int hf_netlogon_pwd_must_change_time = -1;
-static int hf_netlogon_timestamp = -1;
static int hf_netlogon_nt_chal_resp = -1;
static int hf_netlogon_lm_chal_resp = -1;
static int hf_netlogon_credential = -1;
-static int hf_netlogon_cypher_block = -1;
static int hf_netlogon_acct_name = -1;
static int hf_netlogon_acct_desc = -1;
static int hf_netlogon_group_desc = -1;
static int hf_netlogon_home_dir = -1;
static int hf_netlogon_dir_drive = -1;
static int hf_netlogon_logon_count = -1;
+static int hf_netlogon_logon_count16 = -1;
static int hf_netlogon_bad_pw_count = -1;
+static int hf_netlogon_bad_pw_count16 = -1;
static int hf_netlogon_user_rid = -1;
static int hf_netlogon_alias_rid = -1;
static int hf_netlogon_group_rid = -1;
static int hf_netlogon_logon_srv = -1;
+static int hf_netlogon_principal = -1;
static int hf_netlogon_logon_dom = -1;
-static int hf_netlogon_trusted_domain_name = -1;
+static int hf_netlogon_downlevel_domain_name = -1;
+static int hf_netlogon_dns_domain_name = -1;
+static int hf_netlogon_domain_name = -1;
+static int hf_netlogon_domain_create_time = -1;
+static int hf_netlogon_domain_modify_time = -1;
+static int hf_netlogon_modify_count = -1;
+static int hf_netlogon_db_modify_time = -1;
+static int hf_netlogon_db_create_time = -1;
+static int hf_netlogon_oem_info = -1;
+static int hf_netlogon_serial_number = -1;
static int hf_netlogon_num_rids = -1;
+static int hf_netlogon_num_controllers = -1;
static int hf_netlogon_num_other_groups = -1;
static int hf_netlogon_computer_name = -1;
static int hf_netlogon_site_name = -1;
static int hf_netlogon_dns_forest_name = -1;
static int hf_netlogon_dc_address = -1;
static int hf_netlogon_dc_address_type = -1;
-static int hf_netlogon_client_name = -1;
static int hf_netlogon_client_site_name = -1;
+static int hf_netlogon_workstation = -1;
static int hf_netlogon_workstation_site_name = -1;
static int hf_netlogon_workstation_os = -1;
static int hf_netlogon_workstations = -1;
static int hf_netlogon_workstation_fqdn = -1;
static int hf_netlogon_group_name = -1;
static int hf_netlogon_alias_name = -1;
-static int hf_netlogon_cli_name = -1;
static int hf_netlogon_country = -1;
static int hf_netlogon_codepage = -1;
static int hf_netlogon_flags = -1;
static int hf_netlogon_user_flags = -1;
+static int hf_netlogon_auth_flags = -1;
static int hf_netlogon_pwd_expired = -1;
static int hf_netlogon_nt_pwd_present = -1;
static int hf_netlogon_lm_pwd_present = -1;
static int hf_netlogon_code = -1;
static int hf_netlogon_database_id = -1;
+static int hf_netlogon_sync_context = -1;
static int hf_netlogon_max_size = -1;
+static int hf_netlogon_max_log_size = -1;
static int hf_netlogon_dns_host = -1;
-static int hf_netlogon_num_pwd_pairs = -1;
static int hf_netlogon_acct_expiry_time = -1;
static int hf_netlogon_encrypted_lm_owf_password = -1;
static int hf_netlogon_lm_owf_password = -1;
static int hf_netlogon_authoritative = -1;
static int hf_netlogon_secure_channel_type = -1;
static int hf_netlogon_logonsrv_handle = -1;
+static int hf_netlogon_delta_type = -1;
static gint ett_dcerpc_netlogon = -1;
-static gint ett_NETLOGON_SECURITY_DESCRIPTOR = -1;
-static gint ett_TYPE_1 = -1;
-static gint ett_TYPE_2 = -1;
-static gint ett_CYPHER_BLOCK = -1;
-static gint ett_NETLOGON_AUTHENTICATOR = -1;
-static gint ett_NETLOGON_LOGON_IDENTITY_INFO = -1;
-static gint ett_NETLOGON_INTERACTIVE_INFO = -1;
-static gint ett_NETLOGON_NETWORK_INFO = -1;
-static gint ett_NETLOGON_VALIDATION_SAM_INFO1 = -1;
-static gint ett_NETLOGON_VALIDATION_SAM_INFO2 = -1;
-static gint ett_TYPE_16 = -1;
-static gint ett_NETLOGON_SAM_DOMAIN_INFO = -1;
-static gint ett_NETLOGON_SAM_GROUP_INFO = -1;
-static gint ett_TYPE_23 = -1;
-static gint ett_NETLOGON_SAM_ACCOUNT_INFO = -1;
-static gint ett_NETLOGON_SAM_GROUP_MEM_INFO = -1;
-static gint ett_NETLOGON_SAM_ALIAS_INFO = -1;
-static gint ett_NETLOGON_SAM_ALIAS_MEM_INFO = -1;
-static gint ett_TYPE_30 = -1;
-static gint ett_TYPE_29 = -1;
-static gint ett_TYPE_31 = -1;
-static gint ett_TYPE_32 = -1;
-static gint ett_TYPE_33 = -1;
-static gint ett_TYPE_34 = -1;
-static gint ett_TYPE_35 = -1;
-static gint ett_SAM_DELTA = -1;
-static gint ett_SAM_DELTA_ARRAY = -1;
-static gint ett_TYPE_36 = -1;
-static gint ett_NETLOGON_INFO_1 = -1;
-static gint ett_NETLOGON_INFO_2 = -1;
-static gint ett_NETLOGON_INFO_3 = -1;
-static gint ett_NETLOGON_INFO_4 = -1;
+static gint ett_QUOTA_LIMITS = -1;
+static gint ett_IDENTITY_INFO = -1;
+static gint ett_DELTA_ENUM = -1;
+static gint ett_CYPHER_VALUE = -1;
static gint ett_UNICODE_MULTI = -1;
static gint ett_DOMAIN_CONTROLLER_INFO = -1;
-static gint ett_TYPE_46 = -1;
-static gint ett_TYPE_48 = -1;
static gint ett_UNICODE_STRING_512 = -1;
static gint ett_TYPE_50 = -1;
static gint ett_TYPE_51 = -1;
static gint ett_TYPE_52 = -1;
-static gint ett_NETLOGON_LEVEL = -1;
-static gint ett_NETLOGON_VALIDATION = -1;
-static gint ett_TYPE_19 = -1;
-static gint ett_NETLOGON_CONTROL_QUERY_INFO = -1;
+static gint ett_DELTA_ID_UNION = -1;
static gint ett_TYPE_44 = -1;
-static gint ett_TYPE_20 = -1;
-static gint ett_NETLOGON_INFO = -1;
-static gint ett_TYPE_45 = -1;
-static gint ett_TYPE_47 = -1;
-static gint ett_NETLOGON_CREDENTIAL = -1;
+static gint ett_DELTA_UNION = -1;
static gint ett_GUID = -1;
-static gint ett_ENC_LM_OWF_PASSWORD = -1;
static gint ett_LM_OWF_PASSWORD = -1;
static gint ett_NT_OWF_PASSWORD = -1;
static gint ett_GROUP_MEMBERSHIP = -1;
-static gint ett_USER_SESSION_KEY = -1;
static gint ett_BLOB = -1;
-static gint ett_rid_array = -1;
-static gint ett_attrib_array = -1;
-
-extern gint ett_nt_unicode_string;
static e_uuid_t uuid_dcerpc_netlogon = {
0x12345678, 0x1234, 0xabcd,
static guint16 ver_dcerpc_netlogon = 1;
-static int
-netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- dcerpc_info *di;
-
- di=pinfo->private_data;
- offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- di->hf_index, NULL);
- return offset;
-}
static int
-netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- dcerpc_info *di;
-
- di=pinfo->private_data;
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- di->hf_index, NULL);
- return offset;
-}
-
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Server Handle", hf_netlogon_logonsrv_handle, 0);
+
+ return offset;
+}
+
+/*
+ * IDL typedef struct {
+ * IDL [unique][string] wchar_t *effective_name;
+ * IDL long priv;
+ * IDL long auth_flags;
+ * IDL long logon_count;
+ * IDL long bad_pw_count;
+ * IDL long last_logon;
+ * IDL long last_logoff;
+ * IDL long logoff_time;
+ * IDL long kickoff_time;
+ * IDL long password_age;
+ * IDL long pw_can_change;
+ * IDL long pw_must_change;
+ * IDL [unique][string] wchar_t *computer;
+ * IDL [unique][string] wchar_t *domain;
+ * IDL [unique][string] wchar_t *script_path;
+ * IDL long reserved;
+ */
static int
-netlogon_dissect_pointer_STRING(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
dcerpc_info *di;
return offset;
}
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- di->hf_index, 0);
- return offset;
-}
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Effective Account", hf_netlogon_acct_name, 0);
-int
-netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep, int type, int hf_index, int levels)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- dcerpc_info *di;
- char *name;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_priv, NULL);
- di=pinfo->private_data;
- if(di->conformant_run){
- /*just a run to handle conformant arrays, nothing to dissect */
- return offset;
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_auth_flags, NULL);
- name = proto_registrar_get_name(hf_index);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, -1,
- "%s", name);
- tree = proto_item_add_subtree(item, ett_nt_unicode_string);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_count, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, type,
- name, hf_index, levels);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_bad_pw_count, NULL);
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
+ /* XXX - are these all UNIX "time_t"s, like the time stamps in
+ credentials?
+ Or are they, as per some RAP-based operations, UTIMEs? */
+ proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format");
+ offset+= 4;
-static int
-netlogon_dissect_NETLOGON_SECURITY_DESCRIPTOR(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ proto_tree_add_text(tree, tvb, offset, 4, "Last Logoff: unknown time format");
+ offset+= 4;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_SECURITY_DESCRIPTOR:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_SECURITY_DESCRIPTOR);
- }
+ proto_tree_add_text(tree, tvb, offset, 4, "Logoff Time: unknown time format");
+ offset+= 4;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_len, NULL);
+ proto_tree_add_text(tree, tvb, offset, 4, "Kickoff Time: unknown time format");
+ offset+= 4;
- offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
- pinfo, tree, drep);
+ proto_tree_add_text(tree, tvb, offset, 4, "Password Age: unknown time format");
+ offset+= 4;
+
+ proto_tree_add_text(tree, tvb, offset, 4, "PW Can Change: unknown time format");
+ offset+= 4;
+
+ proto_tree_add_text(tree, tvb, offset, 4, "PW Must Change: unknown time format");
+ offset+= 4;
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Computer", hf_netlogon_computer_name, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Domain", hf_netlogon_domain_name, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Script", hf_netlogon_logon_script, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
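Review bot: The seven 4-byte fields from "Last Logon" to "PW Must Change" in netlogon_dissect_VALIDATION_UAS_INFO are added with a fixed label only, so the value on the wire is never shown and an analyst reading a logon reply cannot see or compare it. The "Duration" field in netlogon_dissect_LOGOFF_UAS_INFO follows the same pattern. Until the time format is settled, printing the raw value keeps the data visible, e.g. `proto_tree_add_text(tree, tvb, offset, 4, "Last Logon: unknown time format (0x%08x)", dcerpc_tvb_get_ntohl(tvb, offset, drep));`. The IDL comment above the function also stops at `long reserved;` and would read better closed with `} VALIDATION_UAS_INFO;`. Part of the function body lies outside the visible lines.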
+/*
+ * IDL long NetLogonUasLogon(
+ * IDL [in][unique][string] wchar_t *ServerName,
+ * IDL [in][ref][string] wchar_t *UserName,
+ * IDL [in][ref][string] wchar_t *Workstation,
+ * IDL [out][unique] VALIDATION_UAS_INFO *info
+ * IDL );
+ */
static int
-netlogon_dissect_TYPE_1(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_1:");
- tree = proto_item_add_subtree(item, ett_TYPE_1);
- }
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Account", hf_netlogon_acct_name, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Workstation", hf_netlogon_workstation, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ return offset;
+}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+static int
+netlogon_dissect_netlogonuaslogon_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE,
+ "VALIDATION_UAS_INFO", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ return offset;
+}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+/*
+ * IDL typedef struct {
+ * IDL long duration;
+ * IDL short logon_count;
+ * IDL } LOGOFF_UAS_INFO;
+ */
+static int
+netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ dcerpc_info *di;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect */
+ return offset;
+ }
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ proto_tree_add_text(tree, tvb, offset, 4, "Duration: unknown time format");
+ offset+= 4;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_count16, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ return offset;
+}
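Review bot: The manual `offset+= 4` for "Duration" in netlogon_dissect_LOGOFF_UAS_INFO steps over the long without any explicit 4-byte alignment, whereas netlogon_dissect_AUTHENTICATOR in this same change puts `ALIGN_TO_4_BYTES;` in front of its hand-decoded long. The structure probably starts aligned when it is reached through the ref pointer in the reply, so this is likely harmless today. Adding `ALIGN_TO_4_BYTES;` ahead of the proto_tree_add_text call would keep the offset correct if the struct is ever reached at an unaligned position.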
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+/*
+ * IDL long NetLogonUasLogoff(
+ * IDL [in][unique][string] wchar_t *ServerName,
+ * IDL [in][ref][string] wchar_t *UserName,
+ * IDL [in][ref][string] wchar_t *Workstation,
+ * IDL [out][ref] LOGOFF_UAS_INFO *info
+ * IDL );
+ */
+static int
+netlogon_dissect_netlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Account", hf_netlogon_acct_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Workstation", hf_netlogon_workstation, 0);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
static int
-netlogon_dissect_TYPE_1_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_1, NDR_POINTER_PTR,
- "TYPE_1 pointer: ", -1, 0);
+ netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF,
+ "LOGOFF_UAS_INFO", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
+
return offset;
}
+
+
+
+/*
+ * IDL typedef struct {
+ * IDL UNICODESTRING LogonDomainName;
+ * IDL long ParameterControl;
+ * IDL uint64 LogonID;
+ * IDL UNICODESTRING UserName;
+ * IDL UNICODESTRING Workstation;
+ * IDL } LOGON_IDENTITY_INFO;
+ */
static int
-netlogon_dissect_TYPE_2(tvbuff_t *tvb, int offset,
+netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
char *drep)
{
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_2:");
- tree = proto_item_add_subtree(item, ett_TYPE_2);
+ "IDENTITY_INFO:");
+ tree = proto_item_add_subtree(item, ett_IDENTITY_INFO);
}
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_dom, 0);
+
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_param_ctrl, NULL);
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_short, NULL);
+ offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_id, NULL);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_acct_name, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_workstation, 0);
+
+#ifdef REMOVED
+ /* NetMon does not recognize these bytes. Ill comment them out until someone complains */
+ /* XXX 8 extra bytes here */
+ /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
+ the idl file. Could be a bug in either the NETLOGON implementation or in the
+ idl file.
+ */
+ offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
+#endif
proto_item_set_len(item, offset-old_offset);
return offset;
}
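Review bot: The `#ifdef REMOVED` block at the end of netlogon_dissect_LOGON_IDENTITY_INFO keeps a call to netlogon_dissect_8_unknown_bytes, a helper that this same change appears to drop, so the block would presumably no longer compile if REMOVED were ever defined. Deleting the call and keeping only the explanation as a plain comment, e.g. `/* NetMon does not decode the 8 extra bytes seen here that are absent from the IDL; left undissected */`, records the open question without carrying dead code. The function's local declarations are outside the visible lines.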
+
+/*
+ * IDL typedef struct {
+ * IDL char password[16];
+ * IDL } LM_OWF_PASSWORD;
+ */
static int
-netlogon_dissect_CYPHER_BLOCK(tvbuff_t *tvb, int offset,
+netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+ char *drep _U_)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
- int i;
dcerpc_info *di;
di=pinfo->private_data;
}
if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 8,
- "CYPHER_BLOCK:");
- tree = proto_item_add_subtree(item, ett_CYPHER_BLOCK);
+ item = proto_tree_add_text(parent_tree, tvb, offset, 16,
+ "LM_OWF_PASSWORD:");
+ tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
}
- proto_tree_add_item(tree, hf_netlogon_cypher_block, tvb, offset, 8,
+ proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
FALSE);
- offset += 8;
+ offset += 16;
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL char password[16];
+ * IDL } NT_OWF_PASSWORD;
+ */
static int
-netlogon_dissect_8_unknown_bytes(tvbuff_t *tvb, int offset,
+netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+ char *drep _U_)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
- int i;
dcerpc_info *di;
di=pinfo->private_data;
}
if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 8,
- "unknown bytes not in IDL:");
- tree = proto_item_add_subtree(item, ett_CYPHER_BLOCK);
+ item = proto_tree_add_text(parent_tree, tvb, offset, 16,
+ "NT_OWF_PASSWORD:");
+ tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
}
- offset += 8;
+ proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
+ FALSE);
+ offset += 16;
return offset;
}
+
+/*
+ * IDL typedef struct {
+ * IDL LOGON_IDENTITY_INFO identity_info;
+ * IDL LM_OWF_PASSWORD lmpassword;
+ * IDL NT_OWF_PASSWORD ntpassword;
+ * IDL } INTERACTIVE_INFO;
+ */
static int
-netlogon_dissect_NETLOGON_CREDENTIAL(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int i;
+ offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
+ pinfo, tree, drep);
+
+ return offset;
+}
+
+/*
+ * IDL typedef struct {
+ * IDL char chl[8];
+ * IDL } CHALLENGE;
+ */
+static int
+netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep _U_)
+{
dcerpc_info *di;
di=pinfo->private_data;
return offset;
}
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 8,
- "NETLOGON_CREDENTIAL:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_CREDENTIAL);
- }
-
- proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
+ proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
FALSE);
offset += 8;
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL LOGON_IDENTITY_INFO logon_info;
+ * IDL CHALLENGE chal;
+ * IDL STRING ntchallengeresponse;
+ * IDL STRING lmchallengeresponse;
+ * IDL } NETWORK_INFO;
+ */
static int
-netlogon_dissect_NETLOGON_AUTHENTICATOR(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_AUTHENTICATOR:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_AUTHENTICATOR);
- }
+ offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
+ pinfo, tree, drep);
- offset = netlogon_dissect_NETLOGON_CREDENTIAL(tvb, offset,
+ offset = netlogon_dissect_CHALLENGE(tvb, offset,
pinfo, tree, drep);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_timestamp, NULL);
+ offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_nt_chal_resp, 0);
+
+ offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_lm_chal_resp, 0);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL LOGON_IDENTITY_INFO logon_info;
+ * IDL LM_OWF_PASSWORD lmpassword;
+ * IDL NT_OWF_PASSWORD ntpassword;
+ * IDL } SERVICE_INFO;
+ */
static int
-netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- dcerpc_info *di;
-
- di=pinfo->private_data;
- if(di->conformant_run){
- /*just a run to handle conformant arrays, nothing to dissect.*/
- return offset;
- }
+ offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
+ pinfo, tree, drep);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 16,
- "USER_SESSION_KEY:");
- tree = proto_item_add_subtree(item, ett_USER_SESSION_KEY);
- }
+ offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
+ pinfo, tree, drep);
- proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
- FALSE);
- offset += 16;
+ offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
+ pinfo, tree, drep);
return offset;
}
+/*
+ * IDL typedef [switch_type(short)] union {
+ * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
+ * IDL [case(2)][unique] NETWORK_INFO *ninfo;
+ * IDL [case(3)][unique] SERVICE_INFO *sinfo;
+ * IDL } LEVEL;
+ */
static int
-netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- dcerpc_info *di;
+ guint16 level;
- di=pinfo->private_data;
- if(di->conformant_run){
- /*just a run to handle conformant arrays, nothing to dissect.*/
- return offset;
- }
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_level16, &level);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 16,
- "ENCRYPTED_LM_OWF_PASSWORD:");
- tree = proto_item_add_subtree(item, ett_ENC_LM_OWF_PASSWORD);
+ ALIGN_TO_4_BYTES;
+ switch(level){
+ case 1:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE,
+ "INTERACTIVE_INFO:", -1, 0);
+ break;
+ case 2:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE,
+ "NETWORK_INFO:", -1, 0);
+ break;
+ case 3:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE,
+ "SERVICE_INFO:", -1, 0);
+ break;
}
- proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
- FALSE);
- offset += 16;
-
return offset;
}
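Review bot: `guint16 level;` in netlogon_dissect_LEVEL is never initialised here before the switch reads it. If dissect_ndr_uint16 returns early without storing a value (the conformant-run guards visible elsewhere in this file return before dissecting anything), the case selection depends on an indeterminate value; `guint16 level = 0;` avoids that. The switch also has no default, so a level outside 1–3 in a received packet is skipped silently and the fields that follow may be decoded from the wrong offset with nothing in the tree to say so. A `default:` arm that adds an "unknown level" text item would make unexpected or malformed requests visible to whoever reads the capture.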
+/*
+ * IDL typedef struct {
+ * IDL char cred[8];
+ * IDL } CREDENTIAL;
+ */
static int
-netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep _U_)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
dcerpc_info *di;
di=pinfo->private_data;
return offset;
}
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 16,
- "LM_OWF_PASSWORD:");
- tree = proto_item_add_subtree(item, ett_LM_OWF_PASSWORD);
- }
-
- proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
+ proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
FALSE);
- offset += 16;
+ offset += 8;
return offset;
}
+
+/*
+ * IDL typedef struct {
+ * IDL CREDENTIAL cred;
+ * IDL long timestamp;
+ * IDL } AUTHENTICATOR;
+ */
static int
-netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
dcerpc_info *di;
+ nstime_t ts;
di=pinfo->private_data;
if(di->conformant_run){
- /*just a run to handle conformant arrays, nothing to dissect.*/
+ /*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 16,
- "NT_OWF_PASSWORD:");
- tree = proto_item_add_subtree(item, ett_NT_OWF_PASSWORD);
- }
-
- proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
- FALSE);
- offset += 16;
-
- return offset;
-}
-
-
-static int
-netlogon_dissect_NETLOGON_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_LOGON_IDENTITY_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_LOGON_IDENTITY_INFO);
- }
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_dom, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_param_ctrl, NULL);
-
- offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_id, NULL);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_acct_name, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_computer_name, 0);
-
- /* XXX 8 extra bytes here */
- /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
- the idl file. Could be a bug in either the NETLOGON implementation or in the
- idl file.
- */
- offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, drep);
-
- return offset;
-}
-
-static int
-netlogon_dissect_NETLOGON_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_INTERACTIVE_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_INTERACTIVE_INFO);
- }
-
- offset = netlogon_dissect_NETLOGON_LOGON_IDENTITY_INFO(tvb, offset,
+ offset = netlogon_dissect_CREDENTIAL(tvb, offset,
pinfo, tree, drep);
- offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
- pinfo, tree, drep);
+ /*
+ * XXX - this appears to be a UNIX time_t in some credentials, but
+ * appears to be random junk in other credentials.
+ * For example, it looks like a UNIX time_t in "credential"
+ * AUTHENTICATORs, but like random junk in "return_authenticator"
+ * AUTHENTICATORs.
+ */
+ ALIGN_TO_4_BYTES;
+ ts.secs = tvb_get_letohl(tvb, offset);
+ ts.nsecs = 0;
+ proto_tree_add_time(tree, hf_netlogon_timestamp, tvb, offset, 4, &ts);
+ offset+= 4;
- proto_item_set_len(item, offset-old_offset);
return offset;
}
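Review bot: The timestamp in netlogon_dissect_AUTHENTICATOR is read with `tvb_get_letohl`, which always assumes little-endian and ignores `drep`, while the other integers in this change go through dissect_ndr_* helpers that are passed the data representation. A PDU sent with big-endian representation would therefore show a byte-swapped time. `ts.secs = dcerpc_tvb_get_ntohl(tvb, offset, drep);` keeps the hand-decoded field consistent with the rest of the dissector.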
-static int
-netlogon_dissect_NETLOGON_NETWORK_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_NETWORK_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_NETWORK_INFO);
- }
-
- offset = netlogon_dissect_NETLOGON_LOGON_IDENTITY_INFO(tvb, offset,
- pinfo, tree, drep);
-
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_nt_chal_resp, 0);
-
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_lm_chal_resp, 0);
-
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
+/*
+ * IDL typedef struct {
+ * IDL long user_id;
+ * IDL long attributes;
+ * IDL } GROUP_MEMBERSHIP;
+ */
static int
netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
{
proto_item *item=NULL;
proto_tree *tree=NULL;
- int old_offset=offset;
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, 0,
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL char user_session_key[16];
+ * IDL } USER_SESSION_KEY;
+ */
static int
-netlogon_dissect_NETLOGON_VALIDATION_SAM_INFO1(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep _U_)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- int i;
+ dcerpc_info *di;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_VALIDATION_SAM_INFO1:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_VALIDATION_SAM_INFO1);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect.*/
+ return offset;
}
+ proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
+ FALSE);
+ offset += 16;
+
+ return offset;
+}
+
+/*
+ * IDL typedef struct {
+ * IDL uint64 LogonTime;
+ * IDL uint64 LogoffTime;
+ * IDL uint64 KickOffTime;
+ * IDL uint64 PasswdLastSet;
+ * IDL uint64 PasswdCanChange;
+ * IDL uint64 PasswdMustChange;
+ * IDL unicodestring effectivename;
+ * IDL unicodestring fullname;
+ * IDL unicodestring logonscript;
+ * IDL unicodestring profilepath;
+ * IDL unicodestring homedirectory;
+ * IDL unicodestring homedirectorydrive;
+ * IDL short LogonCount;
+ * IDL short BadPasswdCount;
+ * IDL long userid;
+ * IDL long primarygroup;
+ * IDL long groupcount;
+ * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
+ * IDL long userflags;
+ * IDL USER_SESSION_KEY key;
+ * IDL unicodestring logonserver;
+ * IDL unicodestring domainname;
+ * IDL [unique] SID logondomainid;
+ * IDL long expansionroom[10];
+ * IDL } VALIDATION_SAM_INFO;
+ */
+static int
+netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ int i;
+
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
hf_netlogon_logon_time);
hf_netlogon_dir_drive, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_count, NULL);
+ hf_netlogon_logon_count16, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_bad_pw_count, NULL);
+ hf_netlogon_bad_pw_count16, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_user_rid, NULL);
hf_netlogon_num_rids, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_PTR,
+ netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
"GROUP_MEMBERSHIP_ARRAY", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
for(i=0;i<10;i++){
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
}
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-static int
-netlogon_dissect_NETLOGON_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+
+
+/*
+ * IDL typedef struct {
+ * IDL uint64 LogonTime;
+ * IDL uint64 LogoffTime;
+ * IDL uint64 KickOffTime;
+ * IDL uint64 PasswdLastSet;
+ * IDL uint64 PasswdCanChange;
+ * IDL uint64 PasswdMustChange;
+ * IDL unicodestring effectivename;
+ * IDL unicodestring fullname;
+ * IDL unicodestring logonscript;
+ * IDL unicodestring profilepath;
+ * IDL unicodestring homedirectory;
+ * IDL unicodestring homedirectorydrive;
+ * IDL short LogonCount;
+ * IDL short BadPasswdCount;
+ * IDL long userid;
+ * IDL long primarygroup;
+ * IDL long groupcount;
+ * IDL [unique] GROUP_MEMBERSHIP *groupids;
+ * IDL long userflags;
+ * IDL USER_SESSION_KEY key;
+ * IDL unicodestring logonserver;
+ * IDL unicodestring domainname;
+ * IDL [unique] SID logondomainid;
+ * IDL long expansionroom[10];
+ * IDL long sidcount;
+ * IDL [unique] SID_AND_ATTRIBS;
+ * IDL } VALIDATION_SAM_INFO2;
+ */
+static int
+netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
int i;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_VALIDATION_SAM_INFO2:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_VALIDATION_SAM_INFO2);
- }
-
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
hf_netlogon_logon_time);
hf_netlogon_dir_drive, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_count, NULL);
+ hf_netlogon_logon_count16, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_bad_pw_count, NULL);
+ hf_netlogon_bad_pw_count16, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_user_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_num_rids, NULL);
- /* XXX i am not sure about this pointer being UNIQUE, though I am
- pretty convinced that it is NOT PTR as the idl file suggests.
- */
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE,
"GROUP_MEMBERSHIP_ARRAY", -1, 0);
hf_netlogon_num_other_groups, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_PTR,
+ dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE,
"SID_AND_ATTRIBUTES_ARRAY:", -1, 0);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
+
static int
-netlogon_dissect_TYPE_16(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep _U_)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ dcerpc_info *di;
+ guint32 pac_size;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_16:");
- tree = proto_item_add_subtree(item, ett_TYPE_16);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect */
+ return offset;
}
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pac_size, &pac_size);
+
+ proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
+ FALSE);
+ offset += pac_size;
- proto_item_set_len(item, offset-old_offset);
return offset;
}
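Review bot: In netlogon_dissect_PAC, `pac_size` is a 32-bit length read from the packet and used unchecked, both as the item length in `proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size, FALSE)` and in `offset += pac_size`. Because `offset` is an `int`, a value above INT_MAX moves the returned offset backwards or makes it negative, and the callers continue dissecting from there. Whether `proto_tree_add_item` rejects such a length when `tree` is NULL is not visible here, so the bound should not depend on it. A guard before both uses, for example `if ((gint)pac_size < 0 || (gint)pac_size > tvb_length_remaining(tvb, offset))`, should treat the packet as malformed and stop advancing. netlogon_dissect_AUTH, which follows, has the same pattern with `auth_size` and needs the same check.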
-
static int
-netlogon_dissect_NETLOGON_SAM_DOMAIN_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep _U_)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ dcerpc_info *di;
+ guint32 auth_size;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_SAM_DOMAIN_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_SAM_DOMAIN_INFO);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect */
+ return offset;
}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_auth_size, &auth_size);
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_short, NULL);
+ proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
+ FALSE);
+ offset += auth_size;
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_short, NULL);
+ return offset;
+}
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+/*
+ * IDL typedef struct {
+ * IDL long pac_size
+ * IDL [unique][size_is(pac_size)] char *pac;
+ * IDL UNICODESTRING logondomain;
+ * IDL UNICODESTRING logonserver;
+ * IDL UNICODESTRING principalname;
+ * IDL long auth_size;
+ * IDL [unique][size_is(auth_size)] char *auth;
+ * IDL USER_SESSION_KEY user_session_key;
+ * IDL long expansionroom[10];
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL } VALIDATION_PAC_INFO;
+ */
+static int
+netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ int i;
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pac_size, NULL);
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_PAC, NDR_POINTER_UNIQUE,
+ "PAC:", -1, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_logon_dom, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_logon_srv, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_principal, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_auth_size, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTH, NDR_POINTER_UNIQUE,
+ "AUTH:", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
+ pinfo, tree, drep);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ for(i=0;i<10;i++){
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_long, NULL);
+ }
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
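Review bot: The `expansionroom[10]` loop in netlogon_dissect_VALIDATION_PAC_INFO still uses `hf_netlogon_unknown_long`, while the same ten-word field in netlogon_dissect_VALIDATION_SAM_INFO is changed to `hf_netlogon_reserved` in this commit. The identical padding therefore appears under two different filter names depending on the validation level. The loop's second argument line should read `hf_netlogon_reserved, NULL);`. The IDL comment above the function is also missing the `;` after `long pac_size`.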
+/*
+ * IDL typedef [switch_type(short)] union {
+ * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
+ * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
+ * IDL [case(4)][unique] VALIDATION_PAC_INFO *pac;
+ * IDL [case(5)][unique] VALIDATION_PAC_INFO *pac2;
+ * IDL } VALIDATION;
+ */
static int
-netlogon_dissect_NETLOGON_SAM_GROUP_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ guint16 level;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_SAM_GROUP_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_SAM_GROUP_INFO);
- }
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_validation_level, &level);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_group_name, 0);
+ ALIGN_TO_4_BYTES;
+ switch(level){
+ case 2:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE,
+ "VALIDATION_SAM_INFO:", -1, 0);
+ break;
+ case 3:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
+ "VALIDATION_SAM_INFO2:", -1, 0);
+ break;
+ case 4:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
+ "VALIDATION_PAC_INFO:", -1, 0);
+ break;
+ case 5:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_VALIDATION_PAC_INFO, NDR_POINTER_UNIQUE,
+ "VALIDATION_PAC_INFO:", -1, 0);
+ break;
+ }
- offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
- pinfo, tree, drep);
+ return offset;
+}
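Review bot: The `switch(level)` in netlogon_dissect_VALIDATION has no `default`, so a validation level outside 2–5 leaves the union arm undissected with nothing in the tree to say why. The following fields are then decoded from whatever bytes come next. A `default:` arm that marks the item, for example `proto_tree_add_text(tree, tvb, offset, 0, "Unknown validation level: %u", level);`, would make a malformed or unexpected reply visible to an analyst. Cases 4 and 5 have identical bodies and can be merged as `case 4: case 5:`.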
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_group_desc, 0);
- offset = netlogon_dissect_NETLOGON_SECURITY_DESCRIPTOR(tvb, offset,
+/*
+ * IDL long NetLogonSamLogon(
+ * IDL [in][unique][string] wchar_t *ServerName,
+ * IDL [in][unique][string] wchar_t *Workstation,
+ * IDL [in][unique] AUTHENTICATOR *credential,
+ * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
+ * IDL [in] short LogonLevel,
+ * IDL [in][ref] LOGON_LEVEL *logonlevel,
+ * IDL [in] short ValidationLevel,
+ * IDL [out][ref] VALIDATION *validation,
+ * IDL [out][ref] boolean Authorative
+ * IDL );
+ */
+static int
+netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Computer Name", hf_netlogon_computer_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: credential", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_level16, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_LEVEL, NDR_POINTER_REF,
+ "LEVEL: LogonLevel", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_validation_level, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-
static int
-netlogon_dissect_TYPE_23(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_23:");
- tree = proto_item_add_subtree(item, ett_TYPE_23);
- }
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_VALIDATION, NDR_POINTER_REF,
+ "VALIDATION:", -1, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_authoritative, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ return offset;
+}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+/*
+ * IDL long NetLogonSamLogoff(
+ * IDL [in][unique][string] wchar_t *ServerName,
+ * IDL [in][unique][string] wchar_t *ComputerName,
+ * IDL [in][unique] AUTHENTICATOR credential,
+ * IDL [in][unique] AUTHENTICATOR return_authenticator,
+ * IDL [in] short logon_level,
+ * IDL [in][ref] LEVEL logoninformation
+ * IDL );
+ */
+static int
+netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Computer Name", hf_netlogon_computer_name, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: credential", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_level16, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_LEVEL, NDR_POINTER_REF,
+ "LEVEL: logoninformation", -1, 0);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-
-
static int
-netlogon_dissect_NETLOGON_SAM_ACCOUNT_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_SAM_ACCOUNT_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_SAM_ACCOUNT_INFO);
- }
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_acct_name, 0);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_full_name, 0);
+ return offset;
+}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_user_rid, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_group_rid, NULL);
+/*
+ * IDL long NetServerReqChallenge(
+ * IDL [in][unique][string] wchar_t *ServerName,
+ * IDL [in][ref][string] wchar_t *ComputerName,
+ * IDL [in][ref] CREDENTIAL client_credential,
+ * IDL [out][ref] CREDENTIAL server_credential
+ * IDL );
+ */
+static int
+netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_home_dir, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_dir_drive, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL: client challenge", -1, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_script, 0);
+ return offset;
+}
+static int
+netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL: server credential", -1, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_acct_desc, 0);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_workstations, 0);
+ return offset;
+}
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_time);
-
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logoff_time);
-
- offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
-
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_bad_pw_count, NULL);
+static int
+netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_count, NULL);
-
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_pwd_last_set_time);
-
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_acct_expiry_time);
+ hf_netlogon_secure_channel_type, NULL);
- offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
+ return offset;
+}
- offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
- pinfo, tree, drep);
- offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
+/*
+ * IDL long NetServerAuthenticate(
+ * IDL [in][unique][string] wchar_t *ServerName,
+ * IDL [in][ref][string] wchar_t *UserName,
+ * IDL [in] short secure_challenge_type,
+ * IDL [in][ref][string] wchar_t *ComputerName,
+ * IDL [in][ref] CREDENTIAL client_challenge,
+ * IDL [out][ref] CREDENTIAL server_challenge
+ * IDL );
+ */
+static int
+netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
pinfo, tree, drep);
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_nt_pwd_present, NULL);
-
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_lm_pwd_present, NULL);
-
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_pwd_expired, NULL);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_comment, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_parameters, 0);
-
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_country, NULL);
-
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_codepage, NULL);
-
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_num_pwd_pairs, NULL);
-
- offset = lsa_dissect_LSA_SECRET(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "User Name", hf_netlogon_acct_name, 0);
- offset = netlogon_dissect_NETLOGON_SECURITY_DESCRIPTOR(tvb, offset,
+ offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_profile_path, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
-
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
-static int
-netlogon_dissect_rid(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_user_rid, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL: client challenge", -1, 0);
return offset;
}
-
static int
-netlogon_dissect_rids_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "RID array:");
- tree = proto_item_add_subtree(item, ett_rid_array);
- }
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL: server challenge", -1, 0);
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_rid);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-static int
-netlogon_dissect_attrib(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_attrs, NULL);
- return offset;
-}
+/*
+ * IDL typedef struct {
+ * IDL char encrypted_password[16];
+ * IDL } ENCRYPTED_LM_OWF_PASSWORD;
+ */
static int
-netlogon_dissect_attribs_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep _U_)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ dcerpc_info *di;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "Attrib array:");
- tree = proto_item_add_subtree(item, ett_attrib_array);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect.*/
+ return offset;
}
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_attrib);
+ proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
+ FALSE);
+ offset += 16;
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL long NetServerPasswordSet(
+ * IDL [in][unique][string] wchar_t *ServerName,
+ * IDL [in][ref][string] wchar_t *UserName,
+ * IDL [in] short secure_challenge_type,
+ * IDL [in][ref][string] wchar_t *ComputerName,
+ * IDL [in][ref] AUTHENTICATOR credential,
+ * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
+ * IDL [out][ref] AUTHENTICATOR return_authenticator
+ * IDL );
+ */
static int
-netlogon_dissect_NETLOGON_SAM_GROUP_MEM_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_SAM_GROUP_MEM_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_SAM_GROUP_MEM_INFO);
- }
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_rids_array, NDR_POINTER_PTR,
- "RIDs:", -1, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "User Name", hf_netlogon_acct_name, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_attribs_array, NDR_POINTER_PTR,
- "Attribs:", -1, 0);
+ offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
+ pinfo, tree, drep);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_num_rids, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
+ "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ return offset;
+}
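Review bot: The IDL comment above netlogon_dissect_netserverpasswordset_rqst does not match what the function dissects. It declares `LM_OWF_PASSWORD UasNewPassword`, but the code decodes the argument with netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD and labels it "hashed_pwd". It also names the short `secure_challenge_type`, while the code calls netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE. Since the comment is the only interface reference in the file, I would change it to `[in][ref] ENCRYPTED_LM_OWF_PASSWORD UasNewPassword,` and `[in] short secure_channel_type,`. A one-line comment noting that the 16 bytes are shown as raw hex and not decrypted would also help readers.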
+static int
+netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL [unique][string] wchar_t *UserName;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_DELETE_USER;
+ */
static int
-netlogon_dissect_NETLOGON_SAM_ALIAS_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_SAM_ALIAS_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_SAM_ALIAS_INFO);
- }
-
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_alias_name, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_alias_rid, NULL);
-
- offset = netlogon_dissect_NETLOGON_SECURITY_DESCRIPTOR(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Account Name", hf_netlogon_acct_name, -1);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_acct_desc, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL bool SensitiveDataFlag;
+ * IDL long DataLength;
+ * IDL [unique][size_is(DataLength)] char *SensitiveData;
+ * IDL } USER_PRIVATE_INFO;
+ */
static int
-netlogon_dissect_NETLOGON_SAM_ALIAS_MEM_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ dcerpc_info *di;
+ guint32 data_len;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_SAM_ALIAS_MEM_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_SAM_ALIAS_MEM_INFO);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect */
+ return offset;
}
- offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_sensitive_data_len, &data_len);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
+ data_len, FALSE);
+ offset += data_len;
- proto_item_set_len(item, offset-old_offset);
return offset;
}
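Review bot: `data_len` in netlogon_dissect_SENSITIVE_DATA comes straight from the packet and is used without a bounds check, both in `proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset, data_len, FALSE)` and in `offset += data_len;`. Because `offset` is an `int` and `data_len` a `guint32`, a large wire value can wrap the offset negative or move it past the captured data. Any range check inside proto_tree_add_item probably does not run when `tree` is NULL, which is worth confirming in proto.c. I would validate the length before advancing, for example with `tvb_bytes_exist(tvb, offset, data_len)` (helper name to be checked against this version's tvbuff.h), and take the dissector's usual short-data error path on failure. Separately, the IDL comment above this function describes USER_PRIVATE_INFO, so it belongs over netlogon_dissect_USER_PRIVATE_INFO.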
-
static int
-netlogon_dissect_TYPE_30(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_30:");
- tree = proto_item_add_subtree(item, ett_TYPE_30);
- }
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_sensitive_data_flag, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_sensitive_data_len, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE,
+ "SENSITIVE_DATA", -1, 0);
+
+ return offset;
+}
+
+/*
+ * IDL typedef struct {
+ * IDL UNICODESTRING UserName;
+ * IDL UNICODESTRING FullName;
+ * IDL long UserID;
+ * IDL long PrimaryGroupID;
+ * IDL UNICODESTRING HomeDir;
+ * IDL UNICODESTRING HomeDirDrive;
+ * IDL UNICODESTRING LogonScript;
+ * IDL UNICODESTRING Comment;
+ * IDL UNICODESTRING Workstations;
+ * IDL NTTIME LastLogon;
+ * IDL NTTIME LastLogoff;
+ * IDL LOGON_HOURS logonhours;
+ * IDL short BadPwCount;
+ * IDL short LogonCount;
+ * IDL NTTIME PwLastSet;
+ * IDL NTTIME AccountExpires;
+ * IDL long AccountControl;
+ * IDL LM_OWF_PASSWORD lmpw;
+ * IDL NT_OWF_PASSWORD ntpw;
+ * IDL bool NTPwPresent;
+ * IDL bool LMPwPresent;
+ * IDL bool PwExpired;
+ * IDL UNICODESTRING UserComment;
+ * IDL UNICODESTRING Parameters;
+ * IDL short CountryCode;
+ * IDL short CodePage;
+ * IDL USER_PRIVATE_INFO user_private_info;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_USER;
+ */
+static int
+netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_acct_name, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_full_name, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_user_rid, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_group_rid, NULL);
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_home_dir, 0);
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dir_drive, 0);
-static int
-netlogon_dissect_element_422(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_script, 0);
- return offset;
-}
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_acct_desc, 0);
-static int
-netlogon_dissect_element_422_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_422);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_workstations, 0);
- return offset;
-}
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logoff_time);
+ offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, drep);
-static int
-netlogon_dissect_TYPE_29(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_bad_pw_count16, NULL);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_29:");
- tree = proto_item_add_subtree(item, ett_TYPE_29);
- }
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_count16, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pwd_last_set_time);
offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ hf_netlogon_acct_expiry_time);
+
+ offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, drep);
+
+ offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
+ hf_netlogon_nt_pwd_present, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_lm_pwd_present, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_422_array, NDR_POINTER_PTR,
- "unknown", -1, 0);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pwd_expired, NULL);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_comment, 0);
- offset = dissect_ndr_nt_PSID(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_parameters, 0);
- offset = netlogon_dissect_TYPE_30(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_country, NULL);
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_codepage, NULL);
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
+ drep);
- offset = netlogon_dissect_NETLOGON_SECURITY_DESCRIPTOR(tvb, offset,
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_security_information, NULL);
+
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
pinfo, tree, drep);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL UNICODESTRING DomainName;
+ * IDL UNICODESTRING OEMInfo;
+ * IDL NTTIME forcedlogoff;
+ * IDL short minpasswdlen;
+ * IDL short passwdhistorylen;
+ * IDL NTTIME pwd_must_change_time;
+ * IDL NTTIME pwd_can_change_time;
+ * IDL NTTIME domain_modify_time;
+ * IDL NTTIME domain_create_time;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_DOMAIN;
+ */
static int
-netlogon_dissect_TYPE_31(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_31:");
- tree = proto_item_add_subtree(item, ett_TYPE_31);
- }
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_domain_name, 1);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_oem_info, 0);
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_kickoff_time);
+
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_minpasswdlen, NULL);
+
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_passwdhistorylen, NULL);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pwd_must_change_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pwd_can_change_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_domain_modify_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_domain_create_time);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_security_information, NULL);
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL UNICODESTRING groupname;
+ * IDL GROUP_MEMBERSHIP group_membership;
+ * IDL UNICODESTRING comment;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_GROUP;
+ */
static int
-netlogon_dissect_TYPE_32(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_32:");
- tree = proto_item_add_subtree(item, ett_TYPE_32);
- }
-
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_group_name, 1);
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
+ offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
+ pinfo, tree, drep);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_group_desc, 0);
-static int
-netlogon_dissect_attrs(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_attrs, NULL);
+ hf_netlogon_security_information, NULL);
- return offset;
-}
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
+ pinfo, tree, drep);
-static int
-netlogon_dissect_attrs_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_attrs);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- return offset;
-}
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
-static int
-netlogon_dissect_TYPE_33(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_33:");
- tree = proto_item_add_subtree(item, ett_TYPE_33);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_count, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_attrs_array, NDR_POINTER_PTR,
- "ATTRS_ARRAY:", -1, 0);
+ return offset;
+}
- offset = netlogon_dissect_TYPE_30(tvb, offset,
- pinfo, tree, drep);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+/*
+ * IDL typedef struct {
+ * IDL UNICODESTRING OldName;
+ * IDL UNICODESTRING NewName;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_RENAME;
+ */
+static int
+netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ dcerpc_info *di;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ di=pinfo->private_data;
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ di->hf_index, 1);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ di->hf_index, 1);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
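Review bot: netlogon_dissect_DELTA_RENAME adds both OldName and NewName under `di->hf_index`, so the two strings cannot be told apart in the tree or in a display filter. The field also depends on a value left in `pinfo->private_data` by a caller that is not visible in these lines. A comment at the `di=pinfo->private_data;` line would document that contract, e.g. `/* di->hf_index must be set by the caller (presumably the hf_index argument of dissect_ndr_pointer) */`. If any call path can reach this function without setting it, a fixed fallback field would be safer than an unset index.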
static int
-netlogon_dissect_TYPE_34(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_RID(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_34:");
- tree = proto_item_add_subtree(item, ett_TYPE_34);
- }
+ return offset;
+}
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+static int
+netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_RID);
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
-
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_time);
+ return offset;
+}
+static int
+netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_attrs, NULL);
- offset = dissect_ndr_nt_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ return offset;
+}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+static int
+netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_ATTRIB);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ return offset;
+}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+/*
+ * IDL typedef struct {
+ * IDL [unique][size_is(num_rids)] long *rids;
+ * IDL [unique][size_is(num_rids)] long *attribs;
+ * IDL long num_rids;
+ * IDL long dummy1;
+ * IDL long dummy2;
+ * IDL long dummy3;
+ * IDL long dummy4;
+ * IDL } DELTA_GROUP_MEMBER;
+ */
+static int
+netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_RID_array, NDR_POINTER_UNIQUE,
+ "RIDs:", -1, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE,
+ "Attribs:", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_num_rids, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
+/*
+ * IDL typedef struct {
+ * IDL UNICODESTRING alias_name;
+ * IDL long rid;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_ALIAS;
+ */
static int
-netlogon_dissect_TYPE_35(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_alias_name, 1);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_35:");
- tree = proto_item_add_subtree(item, ett_TYPE_35);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_alias_rid, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_security_information, NULL);
+
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-static int
-netlogon_dissect_WCHAR_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown string", hf_netlogon_unknown_string, -1);
-
- return offset;
-}
+/*
+ * IDL typedef struct {
+ * IDL [unique] SID_ARRAY sids;
+ * IDL long dummy1;
+ * IDL long dummy2;
+ * IDL long dummy3;
+ * IDL long dummy4;
+ * IDL } DELTA_ALIAS_MEMBER;
+ */
static int
-netlogon_dissect_TYPE_36(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- int i;
+ offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, drep);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_36:");
- tree = proto_item_add_subtree(item, ett_TYPE_36);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
- for(i=0;i<16;i++){
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
static int
-netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_INFO_1:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_1);
- }
-
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_flags, NULL);
+ hf_netlogon_event_audit_option, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_status, NULL);
+ return offset;
+}
+
+static int
+netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_EVENT_AUDIT_OPTION);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
+/*
+ * IDL typedef struct {
+ * IDL long pagedpoollimit;
+ * IDL long nonpagedpoollimit;
+ * IDL long minimumworkingsetsize;
+ * IDL long maximumworkingsetsize;
+ * IDL long pagefilelimit;
+ * IDL NTTIME timelimit;
+ * IDL } QUOTA_LIMITS;
+ */
static int
-netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
+netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
char *drep)
{
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_INFO_2:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_2);
+ "QUOTA_LIMTS:");
+ tree = proto_item_add_subtree(item, ett_QUOTA_LIMITS);
}
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_pagedpoollimit, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_nonpagedpoollimit, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_minworkingsetsize, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_maxworkingsetsize, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pagefilelimit, NULL);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_timelimit);
proto_item_set_len(item, offset-old_offset);
return offset;
}
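Review bot: The subtree label added in netlogon_dissect_QUOTA_LIMITS is misspelled; `"QUOTA_LIMTS:"` should read `"QUOTA_LIMITS:"`, since this is the text users see in the protocol tree. The body still uses `item`, `tree` and `old_offset`, whose declarations do not appear among the lines shown here. It is worth confirming they are still declared after the rename from netlogon_dissect_NETLOGON_INFO_2.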
+
+/*
+ * IDL typedef struct {
+ * IDL long maxlogsize;
+ * IDL NTTIME auditretentionperiod;
+ * IDL bool auditingmode;
+ * IDL long maxauditeventcount;
+ * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
+ * IDL UNICODESTRING primarydomainname;
+ * IDL [unique] SID *sid;
+ * IDL QUOTA_LIMITS quota_limits;
+ * IDL NTTIME db_modify_time;
+ * IDL NTTIME db_create_time;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_POLICY;
+ */
static int
-netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_max_log_size, NULL);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_INFO_3:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_3);
- }
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_audit_retention_period);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_flags, NULL);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_auditing_mode, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_logon_attempts, NULL);
+ hf_netlogon_max_audit_event_count, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE,
+ "Event Audit Options:", -1, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_domain_name, 0);
+
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_db_modify_time);
+
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_db_create_time);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_security_information, NULL);
+
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
static int
-netlogon_dissect_NETLOGON_INFO_4(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_INFO_4:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_INFO_4);
- }
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_trusted_dc_name, -1);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_trusted_domain_name, -1);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dc_name, 1);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
+netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CONTROLLER);
return offset;
}
+
+/*
+ * IDL typedef struct {
+ * IDL UNICODESTRING DomainName;
+ * IDL long num_controllers;
+ * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_TRUSTED_DOMAINS;
+ */
static int
-netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
+netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_UNICODE_MULTI_byte);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_domain_name, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_num_controllers, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE,
+ "Domain Controllers:", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_security_information, NULL);
+
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
return offset;
}
+
static int
-netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
+netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_attrs, NULL);
return offset;
}
static int
-netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
+netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_byte);
+ netlogon_dissect_PRIV_ATTR);
return offset;
}
static int
-netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_privilege_name, 1);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "UNICODE_MULTI:");
- tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
- }
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_len, NULL);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, 0);
-
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-int
-dissect_nt_GUID(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+static int
+netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- int i;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "GUID:");
- tree = proto_item_add_subtree(item, ett_GUID);
- }
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_short, NULL);
-
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_short, NULL);
-
- for(i=0;i<8;i++){
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
- }
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_PRIV_NAME);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
+
+/*
+ * IDL typedef struct {
+ * IDL long privilegeentries;
+ * IDL long provolegecontrol;
+ * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
+ * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
+ * IDL QUOTALIMITS quotalimits;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_ACCOUNTS;
+ */
static int
-netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_privilege_entries, NULL);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "DOMAIN_CONTROLLER_INFO:");
- tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_privilege_control, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_dc_name, -1);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE,
+ "PRIV_ATTR_ARRAY:", -1, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_dc_address, -1);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE,
+ "PRIV_NAME_ARRAY:", -1, 0);
+
+ offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_dc_address_type, NULL);
+ hf_netlogon_systemflags, NULL);
- offset = dissect_nt_GUID(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_security_information, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_logon_dom, -1);
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
+ pinfo, tree, drep);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_dns_forest_name, -1);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_flags, NULL);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_dc_site_name, -1);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_client_site_name, -1);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dummy, 0);
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
-static int
-netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_PTR,
- "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
- return offset;
-}
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
-static int
-netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_PTR,
- "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
return offset;
}
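Review bot: The IDL comment for DELTA_ACCOUNTS does not match the dissector below it: the code reads `hf_netlogon_systemflags` between the quota limits and the security information, but the comment lists no such member. If the code is right, the comment should gain `long systemflags;` after `quotalimits`; if the IDL is right, the read should go. The comment also spells the second member `provolegecontrol`, and `size_is(privilege_entries)` names a field the struct declares as `privilegeentries`.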
+/*
+ * IDL typedef struct {
+ * IDL long len;
+ * IDL long maxlen;
+ * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
+ * IDL } CIPHER_VALUE;
+ */
static int
-netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
+netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- guint32 len;
dcerpc_info *di;
+ guint32 data_len;
di=pinfo->private_data;
if(di->conformant_run){
- /*just a run to handle conformant arrays, nothing to dissect.*/
+ /*just a run to handle conformant arrays, nothing to dissect */
return offset;
}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_blob_size, &len);
+ offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+ hf_netlogon_cipher_maxlen, NULL);
- proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
- FALSE);
- offset += len;
+ /* skip offset */
+ offset += 4;
+
+ offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+ hf_netlogon_cipher_len, &data_len);
+
+ proto_tree_add_item(tree, di->hf_index, tvb, offset,
+ data_len, FALSE);
+ offset += data_len;
return offset;
}
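Review bot: `data_len` in netlogon_dissect_CIPHER_VALUE_DATA is read from the packet and added to the signed `offset` with no bound, so a crafted length can move the returned offset past the end of the buffer or wrap it negative. `proto_tree_add_item` is the only consumer of the length, and whether it validates anything when `tree` is NULL is not visible here, so the range should be checked before `offset += data_len;`. If this tree has it, `tvb_ensure_bytes_exist(tvb, offset, data_len);` ahead of the add does that; otherwise compare `data_len` with `tvb_length_remaining(tvb, offset)` and stop dissecting on a mismatch. The `maxlen` read just above is discarded (`NULL`), so `len <= maxlen` is never checked either.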
-
static int
-netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
+netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+ char *drep, char *name, int hf_index)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "BLOB:");
- tree = proto_item_add_subtree(item, ett_BLOB);
+ name);
+ tree = proto_item_add_subtree(item, ett_CYPHER_VALUE);
}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_blob_size, NULL);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BLOB_array, NDR_POINTER_PTR,
- "BLOB:", -1, 0);
+ offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+ hf_netlogon_cipher_len, NULL);
- return offset;
-}
+ offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+ hf_netlogon_cipher_maxlen, NULL);
-static int
-netlogon_dissect_BLOB_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BLOB, NDR_POINTER_PTR,
- "BLOB pointer:", -1, 0);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE,
+ name, hf_index, 0);
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
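Review bot: `name` is passed to `proto_tree_add_text` in the format-string position in netlogon_dissect_CIPHER_VALUE, so any `%` in a caller-supplied label would be interpreted as a conversion. The two callers visible in DELTA_SECRET pass string literals, so nothing is reachable from packet data as written, but `proto_tree_add_text(parent_tree, tvb, offset, 0, "%s", name);` keeps it safe if a later caller builds the label dynamically. Separately, the added `proto_item_set_len(item, offset-old_offset);` uses `old_offset`, and no `int old_offset=offset;` declaration appears among the lines shown for this function; confirm it is declared. The subtree index is spelled `ett_CYPHER_VALUE` while every other identifier here says CIPHER.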
+/*
+ * IDL typedef struct {
+ * IDL CIPHER_VALUE current_cipher;
+ * IDL NTTIME current_cipher_set_time;
+ * IDL CIPHER_VALUE old_cipher;
+ * IDL NTTIME old_cipher_set_time;
+ * IDL long SecurityInformation;
+ * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
+ * IDL UNICODESTRING dummy1;
+ * IDL UNICODESTRING dummy2;
+ * IDL UNICODESTRING dummy3;
+ * IDL UNICODESTRING dummy4;
+ * IDL long dummy5;
+ * IDL long dummy6;
+ * IDL long dummy7;
+ * IDL long dummy8;
+ * IDL } DELTA_SECRET;
+ */
static int
-netlogon_dissect_TYPE_46(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_46:");
- tree = proto_item_add_subtree(item, ett_TYPE_46);
- }
-
- offset = netlogon_dissect_BLOB(tvb, offset,
- pinfo, tree, drep);
+ offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
+ pinfo, tree, drep,
+ "CIPHER_VALUE: current cipher value",
+ hf_netlogon_cipher_current_data);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_workstation_fqdn, -1);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_workstation_site_name, -1);
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_cipher_current_set_time);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_workstation_os, -1);
+ offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
+ pinfo, tree, drep,
+ "CIPHER_VALUE: old cipher value",
+ hf_netlogon_cipher_old_data);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+ offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_cipher_old_set_time);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_security_information, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
+ offset = lsa_dissect_LSA_SECURITY_DESCRIPTOR(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ hf_netlogon_dummy, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL long low_value;
+ * IDL long high_value;
+ * } MODIFIED_COUNT;
+ */
+static int
+netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ offset = dissect_ndr_uint64(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_modify_count, NULL);
+
+ return offset;
+}
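Review bot: The IDL comment above netlogon_dissect_MODIFIED_COUNT declares two `long` members, but the body reads a single value with `dissect_ndr_uint64`. NDR aligns an 8-byte integer on 8 bytes and a struct of two longs on 4, so if `dissect_ndr_uint64` pads to 8 (its body is not shown here) the fields after this one can be shifted by 4 bytes on some packets. Either dissect it as two `dissect_ndr_uint32` reads, or once the alignment is confirmed add a comment such as `/* two longs on the wire, read as one 64-bit count */`. The closing line of the comment, `* } MODIFIED_COUNT;`, is also missing the `IDL` prefix the other lines carry.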
+
+
+#define DT_DELTA_DOMAIN 1
+#define DT_DELTA_GROUP 2
+#define DT_DELTA_RENAME_GROUP 4
+#define DT_DELTA_USER 5
+#define DT_DELTA_RENAME_USER 7
+#define DT_DELTA_GROUP_MEMBER 8
+#define DT_DELTA_ALIAS 9
+#define DT_DELTA_RENAME_ALIAS 11
+#define DT_DELTA_ALIAS_MEMBER 12
+#define DT_DELTA_POLICY 13
+#define DT_DELTA_TRUSTED_DOMAINS 14
+#define DT_DELTA_ACCOUNTS 16
+#define DT_DELTA_SECRET 18
+#define DT_DELTA_DELETE_GROUP 20
+#define DT_DELTA_DELETE_USER 21
+#define DT_MODIFIED_COUNT 22
+static const value_string delta_type_vals[] = {
+ { DT_DELTA_DOMAIN, "Domain" },
+ { DT_DELTA_GROUP, "Group" },
+ { DT_DELTA_RENAME_GROUP, "Rename Group" },
+ { DT_DELTA_USER, "User" },
+ { DT_DELTA_RENAME_USER, "Rename User" },
+ { DT_DELTA_GROUP_MEMBER, "Group Member" },
+ { DT_DELTA_ALIAS, "Alias" },
+ { DT_DELTA_RENAME_ALIAS, "Rename Alias" },
+ { DT_DELTA_ALIAS_MEMBER, "Alias Member" },
+ { DT_DELTA_POLICY, "Policy" },
+ { DT_DELTA_TRUSTED_DOMAINS, "Trusted Domains" },
+ { DT_DELTA_ACCOUNTS, "Accounts" },
+ { DT_DELTA_SECRET, "Secret" },
+ { DT_DELTA_DELETE_GROUP, "Delete Group" },
+ { DT_DELTA_DELETE_USER, "Delete User" },
+ { DT_MODIFIED_COUNT, "Modified Count" },
+ { 0, NULL }
+};
+/*
+ * IDL typedef [switch_type(short)] union {
+ * IDL [case(1)][unique] DELTA_DOMAIN *domain;
+ * IDL [case(2)][unique] DELTA_GROUP *group;
+ * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
+ * IDL [case(5)][unique] DELTA_USER *user;
+ * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
+ * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
+ * IDL [case(9)][unique] DELTA_ALIAS *alias;
+ * IDL [case(11)][unique] DELTA_RENAME_ALIAS *rename_alias;
+ * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
+ * IDL [case(13)][unique] DELTA_POLICY *policy;
+ * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
+ * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
+ * IDL [case(18)][unique] DELTA_SECRET *secret;
+ * IDL [case(20)][unique] DELTA_DELETE_USER *delete_group;
+ * IDL [case(21)][unique] DELTA_DELETE_USER *delete_user;
+ * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
+ * IDL } DELTA_UNION;
+ */
static int
-netlogon_dissect_TYPE_48(tvbuff_t *tvb, int offset,
+netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
char *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
+ guint16 level;
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_48:");
- tree = proto_item_add_subtree(item, ett_TYPE_48);
+ "DELTA_UNION:");
+ tree = proto_item_add_subtree(item, ett_DELTA_UNION);
}
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_delta_type, &level);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
+ ALIGN_TO_4_BYTES;
+ switch(level){
+ case 1:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE,
+ "DELTA_DOMAIN:", -1, 0);
+ break;
+ case 2:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE,
+ "DELTA_GROUP:", -1, 0);
+ break;
+ case 4:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
+ "DELTA_RENAME_GROUP:", hf_netlogon_group_name, 0);
+ break;
+ case 5:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE,
+ "DELTA_USER:", -1, 0);
+ break;
+ case 7:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
+ "DELTA_RENAME_USER:", hf_netlogon_acct_name, 0);
+ break;
+ case 8:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE,
+ "DELTA_GROUP_MEMBER:", -1, 0);
+ break;
+ case 9:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE,
+ "DELTA_ALIAS:", -1, 0);
+ break;
+ case 11:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE,
+ "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name, 0);
+ break;
+ case 12:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE,
+ "DELTA_ALIAS_MEMBER:", -1, 0);
+ break;
+ case 13:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE,
+ "DELTA_POLICY:", -1, 0);
+ break;
+ case 14:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE,
+ "DELTA_TRUSTED_DOMAINS:", -1, 0);
+ break;
+ case 16:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE,
+ "DELTA_ACCOUNTS:", -1, 0);
+ break;
+ case 18:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE,
+ "DELTA_SECRET:", -1, 0);
+ break;
+ case 20:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
+ "DELTA_DELETE_GROUP:", -1, 0);
+ break;
+ case 21:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE,
+ "DELTA_DELETE_USER:", -1, 0);
+ break;
+ case 22:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE,
+ "MODIFIED_COUNT:", -1, 0);
+ break;
+ }
- offset = dissect_nt_GUID(tvb, offset,
- pinfo, tree, drep);
+ proto_item_set_len(item, offset-old_offset);
+ return offset;
+}
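Review bot: The switch in netlogon_dissect_DELTA_UNION repeats the delta types as bare numbers even though `DT_DELTA_DOMAIN` through `DT_MODIFIED_COUNT` are defined immediately above for `delta_type_vals`, and it has no `default:`. Writing the labels as `case DT_DELTA_DOMAIN:`, `case DT_DELTA_GROUP:` and so on keeps the value table and the dispatch from drifting apart. `level` is read from the packet, so a value with no case leaves the union arm undissected with nothing in the tree to say so; a `default:` carrying a short comment, or a text item reporting the unknown delta type, would make that visible to whoever reads the capture. Case 20 reuses `netlogon_dissect_DELTA_DELETE_USER` under the label `"DELTA_DELETE_GROUP:"`, which matches the IDL comment but deserves a one-line comment saying it is deliberate.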
- offset = dissect_ndr_nt_PSID(tvb, offset,
- pinfo, tree, drep);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = netlogon_dissect_BLOB(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_BLOB(tvb, offset,
- pinfo, tree, drep);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+/* IDL XXX must verify this one, especially 13-19
+ * IDL typedef [switch_type(short)] union {
+ * IDL [case(1)] long rid;
+ * IDL [case(2)] long rid;
+ * IDL [case(3)] long rid;
+ * IDL [case(4)] long rid;
+ * IDL [case(5)] long rid;
+ * IDL [case(6)] long rid;
+ * IDL [case(7)] long rid;
+ * IDL [case(8)] long rid;
+ * IDL [case(9)] long rid;
+ * IDL [case(10)] long rid;
+ * IDL [case(11)] long rid;
+ * IDL [case(12)] long rid;
+ * IDL [case(13)] [unique] SID *sid;
+ * IDL [case(14)] [unique] SID *sid;
+ * IDL [case(15)] [unique] SID *sid;
+ * IDL [case(16)] [unique] SID *sid;
+ * IDL [case(17)] [unique] SID *sid;
+ * IDL [case(18)] [unique][string] wchar_t *Name ;
+ * IDL [case(19)] [unique][string] wchar_t *Name ;
+ * IDL [case(20)] long rid;
+ * IDL [case(21)] long rid;
+ * IDL } DELTA_ID_UNION;
+ */
+static int
+netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
+ guint16 level;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "DELTA_ID_UNION:");
+ tree = proto_item_add_subtree(item, ett_DELTA_ID_UNION);
+ }
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_level16, &level);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ ALIGN_TO_4_BYTES;
+ switch(level){
+ case 1:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 2:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 3:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 4:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 5:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 6:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 7:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 8:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 9:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 10:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 11:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 12:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 13:
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep);
+ break;
+ case 14:
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep);
+ break;
+ case 15:
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep);
+ break;
+ case 16:
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep);
+ break;
+ case 17:
+ offset = dissect_ndr_nt_PSID(tvb, offset,
+ pinfo, tree, drep);
+ break;
+ case 18:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, -1);
+ break;
+ case 19:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, -1);
+ break;
+ case 20:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ case 21:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_user_rid, NULL);
+ break;
+ }
proto_item_set_len(item, offset-old_offset);
return offset;
}
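Review bot: netlogon_dissect_DELTA_ID_UNION spells out 21 cases that fall into only three distinct bodies, which makes the check its own comment asks for (`XXX must verify this one, especially 13-19`) harder than it needs to be. Grouping the labels as below keeps the behaviour identical and puts the three wire formats side by side. Cases 18 and 19 are still labelled `"unknown"` with `hf_netlogon_unknown_string` although the IDL calls the member `Name`. As in DELTA_UNION, there is no `default:` for a packet-supplied level outside 1-21.

```c
	/* … unchanged: subtree setup, hf_netlogon_level16 read, ALIGN_TO_4_BYTES … */
	switch(level){
	case 1: case 2: case 3: case 4: case 5: case 6:
	case 7: case 8: case 9: case 10: case 11: case 12:
	case 20: case 21:
		/* identified by RID */
		offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
			hf_netlogon_user_rid, NULL);
		break;
	case 13: case 14: case 15: case 16: case 17:
		/* identified by SID */
		offset = dissect_ndr_nt_PSID(tvb, offset,
			pinfo, tree, drep);
		break;
	case 18: case 19:
		/* identified by name */
		offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
			dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
			"unknown", hf_netlogon_unknown_string, -1);
		break;
	}
	/* … unchanged: proto_item_set_len and return … */
```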
+/*
+ * IDL typedef struct {
+ * IDL short delta_type;
+ * IDL DELTA_ID_UNION delta_id_union;
+ * IDL DELTA_UNION delta_union;
+ * IDL } DELTA_ENUM;
+ */
static int
-netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
+netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *parent_tree,
char *drep)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
int old_offset=offset;
- int i;
if(parent_tree){
item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "UNICODE_STRING_512:");
- tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
+ "DELTA_ENUM:");
+ tree = proto_item_add_subtree(item, ett_DELTA_ENUM);
}
- for(i=0;i<512;i++){
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_short, NULL);
- }
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_delta_type, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = netlogon_dissect_DELTA_UNION(tvb, offset,
+ pinfo, tree, drep);
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
+netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_secure_channel_type, NULL);
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ENUM);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL long num_deltas;
+ * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
+ * IDL } DELTA_ENUM_ARRAY;
+ */
static int
-netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
+netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_num_deltas, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE,
+ "DELTA_ENUM: deltas", -1, 0);
return offset;
}
+
+/*
+ * IDL long NetDatabaseDeltas(
+ * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
+ * IDL [in][string][ref] wchar_t *computername,
+ * IDL [in][ref] AUTHENTICATOR credential,
+ * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
+ * IDL [in] long database_id,
+ * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
+ * IDL [in] long preferredmaximumlength,
+ * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
+ * IDL );
+ */
static int
-netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_844_byte);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Server Handle", hf_netlogon_logonsrv_handle, 0);
- return offset;
-}
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
-static int
-netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_50:");
- tree = proto_item_add_subtree(item, ett_TYPE_50);
- }
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_database_id, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
- "unknown", hf_netlogon_unknown_string, 0);
+ netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
+ "MODIFIED_COUNT: domain modified count", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_max_size, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-
static int
-netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_50, NDR_POINTER_PTR,
- "TYPE_50 pointer: unknown_TYPE_50", -1, 0);
-
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF,
+ "MODIFIED_COUNT: domain modified count", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
+ "DELTA_ENUM_ARRAY: deltas", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
+
return offset;
}
+
+/*
+ * IDL long NetDatabaseSync(
+ * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
+ * IDL [in][string][ref] wchar_t *computername,
+ * IDL [in][ref] AUTHENTICATOR credential,
+ * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
+ * IDL [in] long database_id,
+ * IDL [in][out][ref] long sync_context,
+ * IDL [in] long preferredmaximumlength,
+ * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
+ * IDL );
+ */
static int
-netlogon_dissect_TYPE_50_ptr_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netlogondatabasesync_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_50_ptr, NDR_POINTER_PTR,
- "TYPE_50* pointer: unknown_TYPE_50", -1, 0);
-
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Server Handle", hf_netlogon_logonsrv_handle, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_database_id, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_sync_context, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_max_size, NULL);
+
return offset;
}
+
static int
-netlogon_dissect_element_861_byte(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netlogondatabasesync_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_sync_context, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
+ "DELTA_ENUM_ARRAY: deltas", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
+/*
+ * IDL typedef struct {
+ * IDL char computer_name[16];
+ * IDL long timecreated;
+ * IDL long serial_number;
+ * IDL } UAS_INFO_0;
+ */
static int
-netlogon_dissect_element_861_array(tvbuff_t *tvb, int offset,
+netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_861_byte);
+ dcerpc_info *di;
- return offset;
-}
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect */
+ return offset;
+ }
-static int
-netlogon_dissect_TYPE_51(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, FALSE);
+ offset += 16;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_51:");
- tree = proto_item_add_subtree(item, ett_TYPE_51);
- }
+ proto_tree_add_text(tree, tvb, offset, 4, "Time Created: unknown time format");
+ offset+= 4;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_861_array, NDR_POINTER_UNIQUE,
- "unknown", hf_netlogon_unknown_string, 0);
+ hf_netlogon_serial_number, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
static int
-netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
+netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
}
static int
-netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
+netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_865_byte);
+ netlogon_dissect_BYTE_byte);
return offset;
}
+/*
+ * IDL long NetAccountDelta(
+ * IDL [in][string][unique] wchar_t *logonserver,
+ * IDL [in][string][ref] wchar_t *computername,
+ * IDL [in][ref] AUTHENTICATOR credential,
+ * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
+ * IDL [out][ref][size_is(count_returned)] char *Buffer,
+ * IDL [out][ref] long count_returned,
+ * IDL [out][ref] long total_entries,
+ * IDL [in][out][ref] UAS_INFO_0 recordid,
+ * IDL [in][long] count,
+ * IDL [in][long] level,
+ * IDL [in][long] buffersize,
+ * IDL );
+ */
static int
-netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netlogonaccountdeltas_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_char, NULL);
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
+ "UAS_INFO_0: RecordID", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_count, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_level, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_max_size, NULL);
return offset;
}
-
static int
-netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netlogonaccountdeltas_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_866_byte);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_BYTE_array, NDR_POINTER_REF,
+ "BYTE_array: Buffer", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_count, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_entries, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
+ "UAS_INFO_0: RecordID", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
+
+/*
+ * IDL long NetAccountDelta(
+ * IDL [in][string][unique] wchar_t *logonserver,
+ * IDL [in][string][ref] wchar_t *computername,
+ * IDL [in][ref] AUTHENTICATOR credential,
+ * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
+ * IDL [out][ref][size_is(count_returned)] char *Buffer,
+ * IDL [out][ref] long count_returned,
+ * IDL [out][ref] long total_entries,
+ * IDL [out][ref] long next_reference,
+ * IDL [in][long] reference,
+ * IDL [in][long] level,
+ * IDL [in][long] buffersize,
+ * IDL [in][out][ref] UAS_INFO_0 recordid,
+ * IDL );
+ */
static int
-netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogonaccountsync_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_52:");
- tree = proto_item_add_subtree(item, ett_TYPE_52);
- }
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ hf_netlogon_reference, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_level, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_max_size, NULL);
+ return offset;
+}
+static int
+netlogon_dissect_netlogonaccountsync_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
- "unknown", hf_netlogon_unknown_string, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
- "unknown", hf_netlogon_unknown_string, 0);
+ netlogon_dissect_BYTE_array, NDR_POINTER_REF,
+ "BYTE_array: Buffer", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_count, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_entries, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_next_reference, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF,
+ "UAS_INFO_0: RecordID", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
+/*
+ * IDL long NetGetDCName(
+ * IDL [in][ref][string] wchar_t *logon_server,
+ * IDL [in][unique][string] wchar_t *domainname,
+ * IDL [out][unique][string] wchar_t *dcname,
+ * IDL };
+ */
static int
-netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
+netlogon_dissect_netlogongetdcname_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Server Handle", hf_netlogon_logonsrv_handle, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Domain", hf_netlogon_domain_name, 0);
+
+ return offset;
+}
+static int
+netlogon_dissect_netlogongetdcname_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Domain", hf_netlogon_dc_name, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
+
+ return offset;
+}
+
+
+
+/*
+ * IDL typedef struct {
+ * IDL long flags;
+ * IDL long pdc_connection_status;
+ * IDL } NETLOGON_INFO_1;
+ */
+static int
+netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_52, NDR_POINTER_PTR,
- "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_flags, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pdc_connection_status, NULL);
+
return offset;
}
+
+/*
+ * IDL typedef struct {
+ * IDL long flags;
+ * IDL long pdc_connection_status;
+ * IDL [unique][string] wchar_t trusted_dc_name;
+ * IDL long tc_connection_status;
+ * IDL } NETLOGON_INFO_2;
+ */
static int
-netlogon_dissect_TYPE_52_ptr_ptr(tvbuff_t *tvb, int offset,
+netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree,
char *drep)
{
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_flags, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_pdc_connection_status, NULL);
+
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_52_ptr, NDR_POINTER_PTR,
- "TYPE_52* pointer: unknown_TYPE_52", -1, 0);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Trusted DC Name", hf_netlogon_trusted_dc_name, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_tc_connection_status, NULL);
+
return offset;
}
+
+/*
+ * IDL typedef struct {
+ * IDL long flags;
+ * IDL long logon_attempts;
+ * IDL long reserved;
+ * IDL long reserved;
+ * IDL long reserved;
+ * IDL long reserved;
+ * IDL long reserved;
+ * IDL } NETLOGON_INFO_3;
+ */
static int
-netlogon_dissect_NETLOGON_LEVEL(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- guint16 level;
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_flags, NULL);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_LEVEL:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_LEVEL);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_logon_attempts, NULL);
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level, &level);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
- ALIGN_TO_4_BYTES;
- switch(level){
- case 1:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INTERACTIVE_INFO, NDR_POINTER_PTR,
- "INTERACTIVE_INFO pointer:", -1, 0);
- break;
- case 2:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_NETWORK_INFO, NDR_POINTER_PTR,
- "NETWORK_INFO pointer:", -1, 0);
- break;
- case 3:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INTERACTIVE_INFO, NDR_POINTER_PTR,
- "INTERACTIVE_INFO pointer:", -1, 0);
- break;
- case 5:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INTERACTIVE_INFO, NDR_POINTER_PTR,
- "INTERACTIVE_INFO pointer:", -1, 0);
- break;
- case 6:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_NETWORK_INFO, NDR_POINTER_PTR,
- "NETWORK_INFO pointer:", -1, 0);
- break;
- case 7:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INTERACTIVE_INFO, NDR_POINTER_PTR,
- "INTERACTIVE_INFO pointer:", -1, 0);
- break;
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_reserved, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
+/*
+ * IDL typedef [switch_type(long)] union {
+ * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
+ * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
+ * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
+ * IDL } CONTROL_QUERY_INFORMATION;
+ */
static int
-netlogon_dissect_NETLOGON_VALIDATION(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- guint16 level;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_VALIDATION:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_VALIDATION);
- }
+ guint32 level;
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_level, &level);
- /* XXX i am not sure about these pointers being UNIQUE, though I am
- pretty convinced that they are NOT PTR as the idl file suggests.
- */
ALIGN_TO_4_BYTES;
switch(level){
- case 2:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_VALIDATION_SAM_INFO1, NDR_POINTER_UNIQUE,
- "NETLOGON_VALIDATION_SAM_INFO1 pointer:", -1, 0);
- break;
- case 3:
+ case 1:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE,
- "NETLOGON_VALIDATION_SAM_INFO2 pointer:", -1, 0);
+ netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE,
+ "NETLOGON_INFO_1:", -1, 0);
break;
- case 4:
+ case 2:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_STRING, NDR_POINTER_UNIQUE,
- "STRING pointer:", -1, 0);
+ netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE,
+ "NETLOGON_INFO_2:", -1, 0);
break;
- case 5:
+ case 3:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BLOB_ptr, NDR_POINTER_UNIQUE,
- "BLOB pointer:", -1, 0);
+ netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE,
+ "NETLOGON_INFO_3:", -1, 0);
break;
}
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL long NetLogonControl(
+ * IDL [in][string][unique] wchar_t *logonserver,
+ * IDL [in] long function_code,
+ * IDL [in] long level,
+ * IDL [out][ref] CONTROL_QUERY_INFORMATION
+ * IDL );
+ */
static int
-netlogon_dissect_TYPE_19(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- guint16 level;
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_19:");
- tree = proto_item_add_subtree(item, ett_TYPE_19);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_code, NULL);
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level, &level);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_level, NULL);
- ALIGN_TO_4_BYTES;
- switch(level){
- case 1:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 2:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 3:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 4:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 5:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 6:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 7:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 8:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 9:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 10:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 11:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 12:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 20:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 21:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- case 13:
- offset = dissect_ndr_nt_PSID(tvb, offset,
- pinfo, tree, drep);
- break;
- case 14:
- offset = dissect_ndr_nt_PSID(tvb, offset,
- pinfo, tree, drep);
- break;
- case 15:
- offset = dissect_ndr_nt_PSID(tvb, offset,
- pinfo, tree, drep);
- break;
- case 16:
- offset = dissect_ndr_nt_PSID(tvb, offset,
- pinfo, tree, drep);
- break;
- case 17:
- offset = dissect_ndr_nt_PSID(tvb, offset,
- pinfo, tree, drep);
- break;
- case 18:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
- break;
- case 19:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
- "unknown", hf_netlogon_unknown_string, -1);
- break;
- }
+ return offset;
+}
+static int
+netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
+ "CONTROL_QUERY_INFORMATION:", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL long NetGetDCName(
+ * IDL [in][unique][string] wchar_t *logon_server,
+ * IDL [in][unique][string] wchar_t *domainname,
+ * IDL [out][unique][string] wchar_t *dcname,
+ * IDL };
+ */
static int
-netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
+netlogon_dissect_netlogongetanydcname_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Server Handle", hf_netlogon_logonsrv_handle, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Domain", hf_netlogon_domain_name, 0);
+
+ return offset;
+}
+static int
+netlogon_dissect_netlogongetanydcname_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "Domain", hf_netlogon_dc_name, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
+
+ return offset;
+}
+
+
+/*
+ * IDL typedef [switch_type(long)] union {
+ * IDL [case(5)] [unique][string] wchar_t *unknown;
+ * IDL [case(6)] [unique][string] wchar_t *unknown;
+ * IDL [case(0xfffe)] long unknown;
+ * IDL [case(7)] [unique][string] wchar_t *unknown;
+ * IDL } CONTROL_DATA_INFORMATION;
+ */
+/* XXX
+ * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
+ * to look like. However NetMon does not recognize any such informationlevels.
+ *
+ * Ill leave it as CONTROL_DATA_INFORMATION with no informationlevels
+ * until someone has any source of better authority to call upon.
+ */
+static int
+netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
guint32 level;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_CONTROL_QUERY_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_CONTROL_QUERY_INFO);
- }
-
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level_long, &level);
+ hf_netlogon_level, &level);
ALIGN_TO_4_BYTES;
switch(level){
case 5:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"unknown", hf_netlogon_unknown_string, -1);
break;
case 6:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"unknown", hf_netlogon_unknown_string, -1);
break;
case 0xfffe:
break;
case 8:
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"unknown", hf_netlogon_unknown_string, -1);
break;
}
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+/*
+ * IDL long NetLogonControl2(
+ * IDL [in][string][unique] wchar_t *logonserver,
+ * IDL [in] long function_code,
+ * IDL [in] long level,
+ * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
+ * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
+ * IDL );
+ */
static int
-netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- guint32 level;
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_44:");
- tree = proto_item_add_subtree(item, ett_TYPE_44);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_code, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level_long, &level);
+ hf_netlogon_level, NULL);
- ALIGN_TO_4_BYTES;
- switch(level){
- case 1:
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
- break;
- }
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
+ "CONTROL_DATA_INFORMATION: ", -1, 0);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_TYPE_20(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- guint16 level;
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
+ "CONTROL_QUERY_INFORMATION:", -1, 0);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_20:");
- tree = proto_item_add_subtree(item, ett_TYPE_20);
- }
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
+
+ return offset;
+}
+
+
+/*
+ * IDL long NetServerAuthenticate2(
+ * IDL [in][string][unique] wchar_t *logonserver,
+ * IDL [in][ref][string] wchar_t *username,
+ * IDL [in] short secure_channel_type,
+ * IDL [in][ref][string] wchar_t *computername,
+ * IDL [in][ref] CREDENTIAL *client_chal,
+ * IDL [out][ref] CREDENTIAL *server_chal,
+ * IDL [in][out][ref] long *negotiate_flags,
+ * IDL );
+ */
+static int
+netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "User Name", hf_netlogon_acct_name, 0);
+
+ offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
+ pinfo, tree, drep);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL: client_chal", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_neg_flags, NULL);
+
+ return offset;
+}
+
+static int
+netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL: server_chal", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_neg_flags, NULL);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
+
+ return offset;
+}
+
+
+/*
+ * IDL long NetDatabaseSync2(
+ * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
+ * IDL [in][string][ref] wchar_t *computername,
+ * IDL [in][ref] AUTHENTICATOR credential,
+ * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
+ * IDL [in] long database_id,
+ * IDL [in] short restart_state,
+ * IDL [in][out][ref] long *sync_context,
+ * IDL [in] long preferredmaximumlength,
+ * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
+ * IDL );
+ */
+static int
+netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Server Handle", hf_netlogon_logonsrv_handle, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_database_id, NULL);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level, &level);
+ hf_netlogon_restart_state, NULL);
- ALIGN_TO_4_BYTES;
- switch(level){
- case 1:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_SAM_DOMAIN_INFO, NDR_POINTER_PTR,
- "NETLOGON_SAM_DOMAIN_INFO pointer:", -1, 0);
- break;
- case 2:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_SAM_GROUP_INFO, NDR_POINTER_PTR,
- "NETLOGON_SAM_GROUP_INFO pointer:", -1, 0);
- break;
- case 4:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_23, NDR_POINTER_PTR,
- "TYPE_23 pointer:", -1, 0);
- break;
- case 5:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_SAM_ACCOUNT_INFO, NDR_POINTER_PTR,
- "NETLOGON_SAM_ACCOUNT_INFO pointer:", -1, 0);
- break;
- case 7:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_23, NDR_POINTER_PTR,
- "TYPE_23 pointer:", -1, 0);
- break;
- case 8:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_SAM_GROUP_MEM_INFO, NDR_POINTER_PTR,
- "NETLOGON_SAM_GROUP_MEM_INFO pointer:", -1, 0);
- break;
- case 9:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_SAM_ALIAS_INFO, NDR_POINTER_PTR,
- "NETLOGON_SAM_ALIAS_INFO pointer:", -1, 0);
- break;
- case 11:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_23, NDR_POINTER_PTR,
- "TYPE_23 pointer:", -1, 0);
- break;
- case 12:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_SAM_ALIAS_MEM_INFO, NDR_POINTER_PTR,
- "NETLOGON_SAM_ALIAS_MEM_INFO pointer:", -1, 0);
- break;
- case 13:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_29, NDR_POINTER_PTR,
- "TYPE_29 pointer:", -1, 0);
- break;
- case 14:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_31, NDR_POINTER_PTR,
- "TYPE_31 pointer:", -1, 0);
- break;
- case 16:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_33, NDR_POINTER_PTR,
- "TYPE_33 pointer:", -1, 0);
- break;
- case 18:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_34, NDR_POINTER_PTR,
- "TYPE_34 pointer:", -1, 0);
- break;
- case 20:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_35, NDR_POINTER_PTR,
- "TYPE_35 pointer:", -1, 0);
- break;
- case 21:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_35, NDR_POINTER_PTR,
- "TYPE_35 pointer:", -1, 0);
- break;
- case 22:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_16, NDR_POINTER_PTR,
- "TYPE_16 pointer:", -1, 0);
- break;
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_sync_context, NULL);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_max_size, NULL);
+
+ return offset;
+}
+
+static int
+netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_sync_context, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
+ "DELTA_ENUM_ARRAY: deltas", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
+
+/*
+ * IDL long NetDatabaseRedo(
+ * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
+ * IDL [in][string][ref] wchar_t *computername,
+ * IDL [in][ref] AUTHENTICATOR credential,
+ * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
+ * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
+ * IDL [in] long change_log_entry_size,
+ * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
+ * IDL );
+ */
static int
-netlogon_dissect_SAM_DELTA(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_netlogondatabaseredo_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Server Handle", hf_netlogon_logonsrv_handle, 0);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "SAM_DELTA:");
- tree = proto_item_add_subtree(item, ett_SAM_DELTA);
- }
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
+ "Computer Name", hf_netlogon_computer_name, 0);
- offset = netlogon_dissect_TYPE_19(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
- offset = netlogon_dissect_TYPE_20(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_BYTE_array, NDR_POINTER_REF,
+ "Change log entry: ", -1, 0);
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_max_log_size, NULL);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_SAM_DELTA_array(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_netlogondatabaseredo_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_SAM_DELTA);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE,
+ "DELTA_ENUM_ARRAY: deltas", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
+
+/* XXX NetMon does not recognize this as a valid function. Muddle however
+ * tells us what parameters it takes but not their names.
+ * It looks similar to logoncontrol2. perhaps it is logoncontrol3?
+ */
+/*
+ * IDL long NetFunction_12(
+ * IDL [in][string][unique] wchar_t *logonserver,
+ * IDL [in] long function_code,
+ * IDL [in] long level,
+ * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
+ * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
+ * IDL );
+ */
static int
-netlogon_dissect_SAM_DELTA_ARRAY(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
+ offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ pinfo, tree, drep);
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "SAM_DELTA_ARRAY:");
- tree = proto_item_add_subtree(item, ett_SAM_DELTA_ARRAY);
- }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_code, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_num_deltas, NULL);
+ hf_netlogon_level, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_SAM_DELTA_array, NDR_POINTER_UNIQUE,
- "unknown", -1, 0);
+ netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF,
+ "CONTROL_DATA_INFORMATION: ", -1, 0);
- proto_item_set_len(item, offset-old_offset);
return offset;
}
-
static int
-netlogon_dissect_SAM_DELTA_ARRAY_ptr(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
+netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_SAM_DELTA_ARRAY, NDR_POINTER_PTR,
- "SAM_DELTA_ARRAY pointer: deltas", -1, 0);
+ netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF,
+ "CONTROL_QUERY_INFORMATION:", -1, 0);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
-static int
-netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree,
- char *drep)
-{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
- "Handle", hf_netlogon_logonsrv_handle, 0);
- return offset;
-}
-static int
-netlogon_dissect_NETLOGON_INFO(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
-{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- guint32 level;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "NETLOGON_INFO:");
- tree = proto_item_add_subtree(item, ett_NETLOGON_INFO);
- }
+/*qqq*/
+/* Updated above this line */
+
+
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level_long, &level);
- ALIGN_TO_4_BYTES;
- switch(level){
- case 1:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_PTR,
- "NETLOGON_INFO_1 pointer:", -1, 0);
- break;
- case 2:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_PTR,
- "NETLOGON_INFO_2 pointer:", -1, 0);
- break;
- case 3:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_PTR,
- "NETLOGON_INFO_3 pointer:", -1, 0);
- break;
- case 4:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INFO_4, NDR_POINTER_PTR,
- "NETLOGON_INFO_4 pointer:", -1, 0);
- break;
- }
- proto_item_set_len(item, offset-old_offset);
- return offset;
-}
static int
-netlogon_dissect_TYPE_45(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- proto_item *item=NULL;
- proto_tree *tree=NULL;
- int old_offset=offset;
- guint32 level;
-
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_45:");
- tree = proto_item_add_subtree(item, ett_TYPE_45);
- }
+ dcerpc_info *di;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level_long, &level);
+ di=pinfo->private_data;
+ offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
+ di->hf_index, NULL);
+ return offset;
+}
- ALIGN_TO_4_BYTES;
- switch(level){
- case 1:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_46, NDR_POINTER_PTR,
- "TYPE_46 pointer:", -1, 0);
- break;
- case 2:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_46, NDR_POINTER_PTR,
- "TYPE_46 pointer:", -1, 0);
- break;
- }
+static int
+netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ dcerpc_info *di;
- proto_item_set_len(item, offset-old_offset);
+ di=pinfo->private_data;
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ di->hf_index, NULL);
return offset;
}
static int
-netlogon_dissect_TYPE_47(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *parent_tree,
- char *drep)
+netlogon_dissect_UNICODE_STRING(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep, int type, int hf_index, int levels)
{
proto_item *item=NULL;
proto_tree *tree=NULL;
- int old_offset=offset;
- guint32 level;
+ int old_offset=offset;
+ dcerpc_info *di;
+ char *name;
- if(parent_tree){
- item = proto_tree_add_text(parent_tree, tvb, offset, 0,
- "TYPE_47:");
- tree = proto_item_add_subtree(item, ett_TYPE_47);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect */
+ return offset;
}
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level_long, &level);
-
- ALIGN_TO_4_BYTES;
- switch(level){
- case 1:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_48, NDR_POINTER_PTR,
- "TYPE_48 pointer:", -1, 0);
- break;
- case 2:
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_UNICODE_MULTI, NDR_POINTER_PTR,
- "UNICODE_MULTI pointer:", -1, 0);
- break;
+ name = proto_registrar_get_name(hf_index);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, -1,
+ "%s", name);
+ tree = proto_item_add_subtree(item, ett_nt_unicode_string);
}
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_UNICODE_STRING_str, type,
+ name, hf_index, levels);
+
proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_function_00_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
- "unknown string", hf_netlogon_unknown_string, -1);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
- "unknown string", hf_netlogon_unknown_string, -1);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_char, NULL);
return offset;
}
-
static int
-netlogon_dissect_function_00_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_1_ptr, NDR_POINTER_REF,
- "TYPE_1* pointer: unknown_TYPE_1", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_UNICODE_MULTI_byte);
return offset;
}
static int
-netlogon_dissect_function_01_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
- "unknown string", hf_netlogon_unknown_string, -1);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
- "unknown string", hf_netlogon_unknown_string, -1);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
- return offset;
-}
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "UNICODE_MULTI:");
+ tree = proto_item_add_subtree(item, ett_UNICODE_MULTI);
+ }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_len, NULL);
-static int
-netlogon_dissect_function_01_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_2, NDR_POINTER_REF,
- "TYPE_2 pointer: unknown_TYPE_2", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, 0);
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
-static int
-netlogon_dissect_netlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+int
+dissect_nt_GUID(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
+ int i;
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
- "Computer Name", hf_netlogon_computer_name, 0);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "GUID:");
+ tree = proto_item_add_subtree(item, ett_GUID);
+ }
+
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_long, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_UNIQUE,
- "NETLOGON_AUTHENTICATOR pointer: client_cred", -1, 0);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_short, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_UNIQUE,
- "NETLOGON_AUTHENTICATOR pointer: server_cred", -1, 0);
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_short, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_LEVEL, NDR_POINTER_REF,
- "NETLOGON_LEVEL pointer: id_ctr", -1, 0);
+ for(i=0;i<8;i++){
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_char, NULL);
+ }
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
-
static int
-netlogon_dissect_netlogonsamlogon_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_UNIQUE,
- "NETLOGON_AUTHENTICATOR pointer: server_cred", -1, 0);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
+
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "DOMAIN_CONTROLLER_INFO:");
+ tree = proto_item_add_subtree(item, ett_DOMAIN_CONTROLLER_INFO);
+ }
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_VALIDATION, NDR_POINTER_REF,
- "NETLOGON_VALIDATION pointer: ctr", -1, 0);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_dc_name, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_char, NDR_POINTER_REF,
- "BOOLEAN pointer: Authoritative", hf_netlogon_authoritative, 0);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_dc_address, -1);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
-
- return offset;
-}
+ hf_netlogon_dc_address_type, NULL);
-static int
-netlogon_dissect_netlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ offset = dissect_nt_GUID(tvb, offset,
pinfo, tree, drep);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
- "unknown string", hf_netlogon_unknown_string, 0);
+ "unknown", hf_netlogon_logon_dom, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_UNIQUE,
- "NETLOGON_AUTHENTICATOR pointer: client_cred", -1, 0);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_dns_forest_name, -1);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_UNIQUE,
- "NETLOGON_AUTHENTICATOR pointer: server_cred", -1, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_flags, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_LEVEL, NDR_POINTER_REF,
- "NETLOGON_LEVEL pointer: id_ctr", -1, 0);
-
- return offset;
-}
-
-
-static int
-netlogon_dissect_netlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_dc_site_name, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_UNIQUE,
- "NETLOGON_AUTHENTICATOR pointer: server_cred", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_client_site_name, -1);
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_netserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_client_name, 0);
-
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: client_chal", -1, 0);
+ netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE,
+ "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
return offset;
}
-
static int
-netlogon_dissect_netserverreqchallenge_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: server_chal", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_UNIQUE,
+ "DOMAIN_CONTROLLER_INFO pointer: info", -1, 0);
return offset;
}
static int
-netlogon_dissect_netserverauthenticate_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_acct_name, 0);
-
- offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_computer_name, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: client_chal", -1, 0);
-
- return offset;
-}
-
+ guint32 len;
+ dcerpc_info *di;
-static int
-netlogon_dissect_netserverauthenticate_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: server_chal", -1, 0);
+ di=pinfo->private_data;
+ if(di->conformant_run){
+ /*just a run to handle conformant arrays, nothing to dissect.*/
+ return offset;
+ }
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ hf_netlogon_blob_size, &len);
+
+ proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
+ FALSE);
+ offset += len;
return offset;
}
static int
-netlogon_dissect_netserverpasswordset_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_BLOB(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_acct_name, 0);
-
- offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_computer_name, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: client_cred", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF,
- "ENCRYPTED_LM_OWF_PASSWORD pointer: hashed_pwd", -1, 0);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
- return offset;
-}
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "BLOB:");
+ tree = proto_item_add_subtree(item, ett_BLOB);
+ }
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_blob_size, NULL);
-static int
-netlogon_dissect_netserverpasswordset_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: server_cred", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE,
+ "BLOB:", -1, 0);
return offset;
}
static int
-netlogon_dissect_netsamdeltas_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_DOMAIN_QUERY_1(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- /* XXX idl file has LOGONSRV_HANDLE here, ms capture has string srv_name */
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_logon_srv, 0);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_cli_name, 0);
+ offset = netlogon_dissect_BLOB(tvb, offset,
+ pinfo, tree, drep);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: client_creds", -1, 0);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_workstation_fqdn, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: server_creds", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_database_id, NULL);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_workstation_site_name, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_16, NDR_POINTER_REF,
- "TYPE_16 pointer: dom_mod_count", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_max_size, NULL);
- return offset;
-}
-
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_workstation_os, -1);
-static int
-netlogon_dissect_netsamdeltas_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: server_creds", -1, 0);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_16, NDR_POINTER_REF,
- "TYPE_16 pointer: dom_mod_count", -1, 0);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_SAM_DELTA_ARRAY_ptr, NDR_POINTER_REF,
- "SAM_DELTA_ARRAY_ptr pointer: deltas", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, -1);
- return offset;
-}
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
-static int
-netlogon_dissect_function_08_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_logon_srv, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_cli_name, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: client_creds", -1, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: server_creds", -1, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_long, NULL);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_long, NULL);
+
return offset;
}
-
static int
-netlogon_dissect_function_08_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_DOMAIN_INFO_1(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: server_creds", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_SAM_DELTA_ARRAY_ptr, NDR_POINTER_REF,
- "SAM_DELTA_ARRAY* pointer: unknown_SAM_DELTA_ARRAY", -1, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- return offset;
-}
+ offset = dissect_nt_GUID(tvb, offset,
+ pinfo, tree, drep);
-static int
-netlogon_dissect_function_09_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
+ offset = dissect_ndr_nt_PSID(tvb, offset,
pinfo, tree, drep);
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
+
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_36, NDR_POINTER_REF,
- "TYPE_36 pointer: unknown_TYPE_36", -1, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_long, NULL);
- return offset;
-}
+ offset = netlogon_dissect_BLOB(tvb, offset,
+ pinfo, tree, drep);
-static int
-netlogon_dissect_function_09_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ offset = netlogon_dissect_BLOB(tvb, offset,
+ pinfo, tree, drep);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_REF,
- "BYTE_array pointer: unknown_BYTE", -1, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_downlevel_domain_name, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_dns_domain_name, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_domain_name, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_36, NDR_POINTER_REF,
- "TYPE_36 pointer: unknown_TYPE_36", -1, 0);
+ offset = dissect_ndr_nt_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_string, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
-
- return offset;
-}
-
-static int
-netlogon_dissect_function_0a_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
-{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_long, NULL);
return offset;
}
-
static int
-netlogon_dissect_function_0a_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_UNICODE_STRING_512(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_REF,
- "BYTE_array pointer: unknown_BYTE", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
+ int i;
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "UNICODE_STRING_512:");
+ tree = proto_item_add_subtree(item, ett_UNICODE_STRING_512);
+ }
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_36, NDR_POINTER_REF,
- "TYPE_36 pointer: unknown_TYPE_36", -1, 0);
+ for(i=0;i<512;i++){
+ offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_short, NULL);
+ }
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ hf_netlogon_unknown_long, NULL);
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_function_0b_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_char, NULL);
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
- "unknown string", hf_netlogon_unknown_string, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
- "WCHAR* pointer: unknown string", -1, 0);
return offset;
}
-
static int
-netlogon_dissect_function_0b_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
- "WCHAR* pointer: unknown string", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_element_844_byte);
return offset;
}
static int
-netlogon_dissect_netlogoncontrol_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_code, NULL);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "TYPE_50:");
+ tree = proto_item_add_subtree(item, ett_TYPE_50);
+ }
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level, NULL);
+ hf_netlogon_unknown_long, NULL);
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, 0);
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
-
static int
-netlogon_dissect_netlogoncontrol_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INFO, NDR_POINTER_REF,
- "NETLOGON_INFO pointer: unknown_NETLOGON_INFO", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
-
+ netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE,
+ "TYPE_50 pointer: unknown_TYPE_50", -1, 0);
+
return offset;
}
static int
-netlogon_dissect_function_0d_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_TYPE_50_ptr_ptr(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
- "unknown string", hf_netlogon_unknown_string, 0);
-
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
- "WCHAR* pointer: unknown string", -1, 0);
+ netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE,
+ "TYPE_50* pointer: unknown_TYPE_50", -1, 0);
+
return offset;
}
-
static int
-netlogon_dissect_function_0d_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_element_861_byte(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_WCHAR_ptr, NDR_POINTER_REF,
- "WCHAR* pointer: unknown string", -1, 0);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_char, NULL);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ return offset;
+}
+
+static int
+netlogon_dissect_element_861_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
+{
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_element_861_byte);
return offset;
}
static int
-netlogon_dissect_netlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_TYPE_51(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_code, NULL);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "TYPE_51:");
+ tree = proto_item_add_subtree(item, ett_TYPE_51);
+ }
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level, NULL);
+ hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO, NDR_POINTER_REF,
- "NETLOGON_CONTROL_QUERY_INFO pointer: unknown_NETLOGON_CONTROL_QUERY_INFO", -1, 0);
+ netlogon_dissect_element_861_array, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, 0);
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
-
static int
-netlogon_dissect_netlogoncontrol2_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INFO, NDR_POINTER_REF,
- "NETLOGON_INFO pointer: unknown_NETLOGON_INFO", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_char, NULL);
return offset;
}
static int
-netlogon_dissect_netserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_acct_name, 0);
-
- offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
- pinfo, tree, drep);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_computer_name, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: client_chal", -1, 0);
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_element_865_byte);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: neg_flags", hf_netlogon_unknown_long, 0);
return offset;
}
-
static int
-netlogon_dissect_netserverauthenticate2_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: server_chal", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: neg_flags", hf_netlogon_unknown_long, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_char, NULL);
return offset;
}
static int
-netlogon_dissect_netdatabasesync2_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_element_866_byte);
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
+ return offset;
+}
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+static int
+netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
+{
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "TYPE_52:");
+ tree = proto_item_add_subtree(item, ett_TYPE_52);
+ }
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_long, NULL);
- offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_short, NULL);
-
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE,
+ "unknown", hf_netlogon_unknown_string, 0);
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
-
static int
-netlogon_dissect_netdatabasesync2_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_REF,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_SAM_DELTA_ARRAY_ptr, NDR_POINTER_REF,
- "SAM_DELTA_ARRAY* pointer: unknown_SAM_DELTA_ARRAY", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
-
+ netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE,
+ "TYPE_52 pointer: unknown_TYPE_52", -1, 0);
return offset;
}
static int
-netlogon_dissect_function_11_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_TYPE_52_ptr_ptr(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
-
- offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
- NDR_POINTER_REF, hf_netlogon_unknown_string, 0);
-
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
-
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_REF,
- "BYTE pointer: unknown_BYTE", -1, 0);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
-
+ netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE,
+ "TYPE_52* pointer: unknown_TYPE_52", -1, 0);
return offset;
}
static int
-netlogon_dissect_function_11_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_TYPE_44(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *parent_tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ proto_item *item=NULL;
+ proto_tree *tree=NULL;
+ int old_offset=offset;
+ guint32 level;
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_SAM_DELTA_ARRAY_ptr, NDR_POINTER_REF,
- "SAM_DELTA_ARRAY* pointer: unknown_SAM_DELTA_ARRAY", -1, 0);
+ if(parent_tree){
+ item = proto_tree_add_text(parent_tree, tvb, offset, 0,
+ "TYPE_44:");
+ tree = proto_item_add_subtree(item, ett_TYPE_44);
+ }
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ hf_netlogon_level, &level);
+
+ ALIGN_TO_4_BYTES;
+ switch(level){
+ case 1:
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_unknown_long, NULL);
+ break;
+ }
+ proto_item_set_len(item, offset-old_offset);
return offset;
}
static int
-netlogon_dissect_function_12_rqst(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_DOMAIN_QUERY(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
- pinfo, tree, drep);
-
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ guint32 level;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_level, NULL);
+ hf_netlogon_level, &level);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CONTROL_QUERY_INFO, NDR_POINTER_REF,
- "NETLOGON_CONTROL_QUERY_INFO pointer: unknown_NETLOGON_CONTROL_QUERY_INFO", -1, 0);
+ ALIGN_TO_4_BYTES;
+ switch(level){
+ case 1:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
+ "DOMAIN_QUERY_1:", -1, 0);
+ break;
+ case 2:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DOMAIN_QUERY_1, NDR_POINTER_UNIQUE,
+ "DOMAIN_QUERY_1:", -1, 0);
+ break;
+ }
return offset;
}
-
static int
-netlogon_dissect_function_12_reply(tvbuff_t *tvb, int offset,
- packet_info *pinfo, proto_tree *tree, char *drep)
+netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree,
+ char *drep)
{
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_INFO, NDR_POINTER_REF,
- "NETLOGON_INFO pointer: unknown_NETLOGON_INFO", -1, 0);
+ guint32 level;
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ hf_netlogon_level, &level);
+
+ ALIGN_TO_4_BYTES;
+ switch(level){
+ case 1:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DOMAIN_INFO_1, NDR_POINTER_UNIQUE,
+ "DOMAIN_INFO_1:", -1, 0);
+ break;
+ case 2:
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_UNICODE_MULTI, NDR_POINTER_UNIQUE,
+ "UNICODE_MULTI:", -1, 0);
+ break;
+ }
return offset;
}
netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF,
"UNICODE_MULTI pointer: trust_dom_name_list", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_REF,
"DOMAIN_CONTROLLER_INFO* pointer: info", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"unknown string", hf_netlogon_unknown_string, 0);
- offset = netlogon_dissect_NETLOGON_AUTHENTICATOR(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_PTR,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_long, NULL);
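Review bot: The two AUTHENTICATOR arguments are now dissected with different pointer classes (`NDR_POINTER_REF` for `credential`, `NDR_POINTER_UNIQUE` for `return_authenticator`), and nothing in the code records why. The choice matters on the wire: a unique pointer is preceded by a 4-byte referent id and may be NULL, while a top-level ref pointer has no referent id, so a wrong class shifts every field decoded after it. A one-line comment above the pair would make this checkable against the IDL, e.g. `/* credential: ref, always present, no referent id; return_authenticator: unique, may be NULL */`. The same comment is worth adding where later hunks switch the Acct Name and Computer Name strings from unique to ref, and where they switch `NDR_POINTER_PTR` to `NDR_POINTER_UNIQUE`. The enclosing function starts and continues outside this hunk.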
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_PTR,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_44, NDR_POINTER_PTR,
+ netlogon_dissect_TYPE_44, NDR_POINTER_UNIQUE,
"TYPE_44 pointer: unknown_TYPE_44", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
netlogon_dissect_function_16_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, char *drep)
{
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_PTR,
+ netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
+ netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_16_array, NDR_POINTER_PTR,
+ netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
"unknown string", hf_netlogon_unknown_string, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
+ netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_16_array, NDR_POINTER_PTR,
+ netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
pinfo, tree, drep);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
"Acct Name", hf_netlogon_acct_name, 0);
offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
pinfo, tree, drep);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_REF,
"Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: authenticator", -1, 0);
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL: authenticator", -1, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_PTR,
- "ULONG pointer: negotiate_flags", hf_netlogon_unknown_long, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_neg_flags, NULL);
return offset;
}
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_CREDENTIAL, NDR_POINTER_REF,
- "NETLOGON_CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1, 0);
+ netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
+ "CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL", -1, 0);
- offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_PTR,
- "ULONG pointer: negotiate_flags", hf_netlogon_unknown_long, 0);
+ offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_neg_flags, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_PTR,
- "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
+ netlogon_dissect_pointer_long, NDR_POINTER_REF,
+ "ULONG: unknown_ULONG", hf_netlogon_unknown_long, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
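Review bot: The label `"CREDENTIAL pointer: unknown_NETLOGON_CREDENTIAL"` still carries the old type name and the word "pointer", while the other labels this commit rewrites drop both (`"CREDENTIAL: authenticator"`, `"ULONG: unknown_ULONG"`). Something like `"CREDENTIAL: unknown_CREDENTIAL"` would keep the tree text uniform. The two ULONG outputs are also read in two different ways in this hunk: `hf_netlogon_neg_flags` inline with `dissect_ndr_uint32`, and `unknown_ULONG` through `dissect_ndr_pointer` with `NDR_POINTER_REF`. A short comment such as `/* top-level ref pointer: value follows directly, no referent id */` on the inline read would show the difference is deliberate. The registration of `hf_netlogon_neg_flags` is outside this hunk; if it is a plain 32-bit number, decoding the individual bits would be a useful follow-up, since these flags are what an analyst reads to see which secure-channel options were negotiated. The function signature begins above the hunk.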
netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr, NDR_POINTER_REF,
"DOMAIN_CONTROLLER_INFO* pointer: info", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
offset = netlogon_dissect_UNICODE_STRING(tvb, offset, pinfo, tree, drep,
NDR_POINTER_REF, hf_netlogon_site_name, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
static int
-netlogon_dissect_function_1d_rqst(tvbuff_t *tvb, int offset,
+netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"Computer Name", hf_netlogon_computer_name, 0);
- offset = netlogon_dissect_NETLOGON_AUTHENTICATOR(tvb, offset,
- pinfo, tree, drep);
-
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_PTR,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_unknown_long, NULL);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- offset = netlogon_dissect_TYPE_45(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_DOMAIN_QUERY, NDR_POINTER_REF,
+ "DOMAIN_QUERY: ", -1, 0);
return offset;
}
static int
-netlogon_dissect_function_1d_reply(tvbuff_t *tvb, int offset,
+netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_PTR,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_47, NDR_POINTER_PTR,
- "TYPE_47 pointer: unknown_TYPE_47", -1, 0);
+ netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE,
+ "DOMAIN_INFO: ", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"unknown string", hf_netlogon_unknown_string, 0);
- offset = netlogon_dissect_NETLOGON_AUTHENTICATOR(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
offset = netlogon_dissect_UNICODE_STRING_512(tvb, offset,
pinfo, tree, drep);
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_PTR,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
"Computer Name", hf_netlogon_computer_name, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: client_cred", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
return offset;
}
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_REF,
- "NETLOGON_AUTHENTICATOR pointer: server_cred", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF,
"LM_OWF_PASSWORD pointer: server_pwd", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
pinfo, tree, drep);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"unknown string", hf_netlogon_unknown_string, -1);
- offset = netlogon_dissect_NETLOGON_AUTHENTICATOR(tvb, offset,
- pinfo, tree, drep);
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF,
+ "AUTHENTICATOR: credential", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
+ netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1, 0);
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_AUTHENTICATOR, NDR_POINTER_PTR,
- "NETLOGON_AUTHENTICATOR pointer: unknown_NETLOGON_AUTHENTICATOR", -1, 0);
+ netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE,
+ "AUTHENTICATOR: return_authenticator", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
+ netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1, 0);
return offset;
netlogon_dissect_TYPE_50_ptr_ptr, NDR_POINTER_REF,
"TYPE_50** pointer: unknown_TYPE_50", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
netlogon_dissect_DOMAIN_CONTROLLER_INFO_ptr_ptr, NDR_POINTER_REF,
"DOMAIN_CONTROLLER_INFO** pointer: unknown_DOMAIN_CONTROLLER_INFO", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"unknown string", hf_netlogon_unknown_string, -1);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_PTR,
+ netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_51, NDR_POINTER_PTR,
+ netlogon_dissect_TYPE_51, NDR_POINTER_UNIQUE,
"TYPE_51 pointer: unknown_TYPE_51", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
hf_netlogon_unknown_long, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_BYTE_array, NDR_POINTER_PTR,
+ netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE,
"BYTE pointer: unknown_BYTE", -1, 0);
return offset;
netlogon_dissect_TYPE_52_ptr_ptr, NDR_POINTER_REF,
"TYPE_52** pointer: unknown_TYPE_52", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
netlogon_dissect_TYPE_50_ptr_ptr, NDR_POINTER_REF,
"TYPE_50** pointer: unknown_TYPE_50", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
static int
-netlogon_dissect_function_27_rqst(tvbuff_t *tvb, int offset,
+netlogon_dissect_logonsamlogonex_rqst(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_short, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_LEVEL, NDR_POINTER_PTR,
- "NETLOGON_LEVEL pointer: unknown_NETLOGON_LEVEL", -1, 0);
+ netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE,
+ "LEVEL pointer: unknown_NETLOGON_LEVEL", -1, 0);
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
hf_netlogon_unknown_short, NULL);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_PTR,
+ netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
return offset;
}
static int
-netlogon_dissect_function_27_reply(tvbuff_t *tvb, int offset,
+netlogon_dissect_logonsamlogonex_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_NETLOGON_VALIDATION, NDR_POINTER_PTR,
- "NETLOGON_VALIDATION pointer: unknown_NETLOGON_VALIDATION", -1, 0);
+ netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE,
+ "VALIDATION: unknown_NETLOGON_VALIDATION", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_char, NDR_POINTER_PTR,
+ netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE,
"BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_pointer_long, NDR_POINTER_PTR,
+ netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE,
"ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
packet_info *pinfo, proto_tree *tree, char *drep)
{
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- netlogon_dissect_TYPE_51, NDR_POINTER_PTR,
+ netlogon_dissect_TYPE_51, NDR_POINTER_UNIQUE,
"TYPE_51 pointer: unknown_TYPE_51", -1, 0);
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
"GUID pointer: dsa_guid", -1, 0);
offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
- dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_PTR,
+ dissect_ndr_nt_UNICODE_STRING_str, NDR_POINTER_UNIQUE,
"dns_host", hf_netlogon_dns_host, -1);
return offset;
netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
packet_info *pinfo, proto_tree *tree, char *drep)
{
- offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
- hf_netlogon_rc, NULL);
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_netlogon_rc, NULL);
return offset;
}
static dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
- { NETLOGON_FUNCTION_00, "FUNCTION_00",
- netlogon_dissect_function_00_rqst,
- netlogon_dissect_function_00_reply },
- { NETLOGON_FUNCTION_01, "FUNCTION_01",
- netlogon_dissect_function_01_rqst,
- netlogon_dissect_function_01_reply },
- { NETLOGON_NETLOGONSAMLOGON, "NETLOGONSAMLOGON",
+ { NETLOGON_UASLOGON, "UasLogon",
+ netlogon_dissect_netlogonuaslogon_rqst,
+ netlogon_dissect_netlogonuaslogon_reply },
+ { NETLOGON_UASLOGOFF, "UasLogoff",
+ netlogon_dissect_netlogonuaslogoff_rqst,
+ netlogon_dissect_netlogonuaslogoff_reply },
+ { NETLOGON_NETLOGONSAMLOGON, "SamLogon",
netlogon_dissect_netlogonsamlogon_rqst,
netlogon_dissect_netlogonsamlogon_reply },
- { NETLOGON_NETLOGONSAMLOGOFF, "NETLOGONSAMLOGOFF",
+ { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff",
netlogon_dissect_netlogonsamlogoff_rqst,
netlogon_dissect_netlogonsamlogoff_reply },
- { NETLOGON_NETSERVERREQCHALLENGE, "NETSERVERREQCHALLENGE",
+ { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge",
netlogon_dissect_netserverreqchallenge_rqst,
netlogon_dissect_netserverreqchallenge_reply },
- { NETLOGON_NETSERVERAUTHENTICATE, "NETSERVERAUTHENTICATE",
+ { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate",
netlogon_dissect_netserverauthenticate_rqst,
netlogon_dissect_netserverauthenticate_reply },
- { NETLOGON_NETSERVERPASSWORDSET, "NETSERVERPASSWORDSET",
+ { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet",
netlogon_dissect_netserverpasswordset_rqst,
netlogon_dissect_netserverpasswordset_reply },
- { NETLOGON_NETSAMDELTAS, "NETSAMDELTAS",
+ { NETLOGON_NETSAMDELTAS, "DatabaseDeltas",
netlogon_dissect_netsamdeltas_rqst,
netlogon_dissect_netsamdeltas_reply },
- { NETLOGON_FUNCTION_08, "FUNCTION_08",
- netlogon_dissect_function_08_rqst,
- netlogon_dissect_function_08_reply },
- { NETLOGON_FUNCTION_09, "FUNCTION_09",
- netlogon_dissect_function_09_rqst,
- netlogon_dissect_function_09_reply },
- { NETLOGON_FUNCTION_0A, "FUNCTION_0A",
- netlogon_dissect_function_0a_rqst,
- netlogon_dissect_function_0a_reply },
- { NETLOGON_FUNCTION_0B, "FUNCTION_0B",
- netlogon_dissect_function_0b_rqst,
- netlogon_dissect_function_0b_reply },
- { NETLOGON_NETLOGONCONTROL, "NETLOGONCONTROL",
+ { NETLOGON_DATABASESYNC, "DatabaseSync",
+ netlogon_dissect_netlogondatabasesync_rqst,
+ netlogon_dissect_netlogondatabasesync_reply },
+ { NETLOGON_ACCOUNTDELTAS, "AccountDeltas",
+ netlogon_dissect_netlogonaccountdeltas_rqst,
+ netlogon_dissect_netlogonaccountdeltas_reply },
+ { NETLOGON_ACCOUNTSYNC, "AccountSync",
+ netlogon_dissect_netlogonaccountsync_rqst,
+ netlogon_dissect_netlogonaccountsync_reply },
+ { NETLOGON_GETDCNAME, "GetDCName",
+ netlogon_dissect_netlogongetdcname_rqst,
+ netlogon_dissect_netlogongetdcname_reply },
+ { NETLOGON_NETLOGONCONTROL, "LogonControl",
netlogon_dissect_netlogoncontrol_rqst,
netlogon_dissect_netlogoncontrol_reply },
- { NETLOGON_FUNCTION_0D, "FUNCTION_0D",
- netlogon_dissect_function_0d_rqst,
- netlogon_dissect_function_0d_reply },
- { NETLOGON_NETLOGONCONTROL2, "NETLOGONCONTROL2",
+ { NETLOGON_GETANYDCNAME, "GetAnyDCName",
+ netlogon_dissect_netlogongetanydcname_rqst,
+ netlogon_dissect_netlogongetanydcname_reply },
+ { NETLOGON_NETLOGONCONTROL2, "LogonControl2",
netlogon_dissect_netlogoncontrol2_rqst,
netlogon_dissect_netlogoncontrol2_reply },
- { NETLOGON_NETSERVERAUTHENTICATE2, "NETSERVERAUTHENTICATE2",
+ { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2",
netlogon_dissect_netserverauthenticate2_rqst,
netlogon_dissect_netserverauthenticate2_reply },
- { NETLOGON_NETDATABASESYNC2, "NETDATABASESYNC2",
+ { NETLOGON_NETDATABASESYNC2, "DatabaseSync2",
netlogon_dissect_netdatabasesync2_rqst,
netlogon_dissect_netdatabasesync2_reply },
- { NETLOGON_FUNCTION_11, "FUNCTION_11",
- netlogon_dissect_function_11_rqst,
- netlogon_dissect_function_11_reply },
- { NETLOGON_FUNCTION_12, "FUNCTION_12",
+ { NETLOGON_DATABASEREDO, "DatabaseRedo",
+ netlogon_dissect_netlogondatabaseredo_rqst,
+ netlogon_dissect_netlogondatabaseredo_reply },
+ { NETLOGON_FUNCTION_12, "Function_0x12",
netlogon_dissect_function_12_rqst,
netlogon_dissect_function_12_reply },
- { NETLOGON_NETTRUSTEDDOMAINLIST, "NETTRUSTEDDOMAINLIST",
+ { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList",
netlogon_dissect_nettrusteddomainlist_rqst,
netlogon_dissect_nettrusteddomainlist_reply },
- { NETLOGON_DSRGETDCNAME2, "DSRGETDCNAME2",
+ { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2",
netlogon_dissect_dsrgetdcname2_rqst,
netlogon_dissect_dsrgetdcname2_reply },
- { NETLOGON_FUNCTION_15, "FUNCTION_15",
+ { NETLOGON_FUNCTION_15, "Function 0x15",
netlogon_dissect_function_15_rqst,
netlogon_dissect_function_15_reply },
- { NETLOGON_FUNCTION_16, "FUNCTION_16",
+ { NETLOGON_FUNCTION_16, "Function 0x16",
netlogon_dissect_function_16_rqst,
netlogon_dissect_function_16_reply },
- { NETLOGON_FUNCTION_17, "FUNCTION_17",
+ { NETLOGON_FUNCTION_17, "Function 0x17",
netlogon_dissect_function_17_rqst,
netlogon_dissect_function_17_reply },
- { NETLOGON_FUNCTION_18, "FUNCTION_18",
+ { NETLOGON_FUNCTION_18, "Function 0x18",
netlogon_dissect_function_18_rqst,
netlogon_dissect_function_18_reply },
- { NETLOGON_FUNCTION_19, "FUNCTION_19",
+ { NETLOGON_FUNCTION_19, "Function 0x19",
netlogon_dissect_function_19_rqst,
netlogon_dissect_function_19_reply },
- { NETLOGON_NETSERVERAUTHENTICATE3, "NETSERVERAUTHENTICATE3",
+ { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3",
netlogon_dissect_netserverauthenticate3_rqst,
netlogon_dissect_netserverauthenticate3_reply },
- { NETLOGON_DSRGETDCNAME, "DSRGETDCNAME",
+ { NETLOGON_DSRGETDCNAME, "DsrGetDCName",
netlogon_dissect_dsrgetdcname_rqst,
netlogon_dissect_dsrgetdcname_reply },
- { NETLOGON_DSRGETSITENAME, "DSRGETSITENAME",
+ { NETLOGON_DSRGETSITENAME, "DsrGetSiteName",
netlogon_dissect_dsrgetsitename_rqst,
netlogon_dissect_dsrgetsitename_reply },
- { NETLOGON_FUNCTION_1D, "FUNCTION_1D",
- netlogon_dissect_function_1d_rqst,
- netlogon_dissect_function_1d_reply },
- { NETLOGON_FUNCTION_1E, "FUNCTION_1E",
+ { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo",
+ netlogon_dissect_netrlogongetdomaininfo_rqst,
+ netlogon_dissect_netrlogongetdomaininfo_reply },
+ { NETLOGON_FUNCTION_1E, "Function_0x1E",
netlogon_dissect_function_1e_rqst,
netlogon_dissect_function_1e_reply },
- { NETLOGON_NETSERVERPASSWORDSET2, "NETSERVERPASSWORDSET2",
+ { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2",
netlogon_dissect_netserverpasswordset2_rqst,
netlogon_dissect_netserverpasswordset2_reply },
- { NETLOGON_FUNCTION_20, "FUNCTION_20",
+ { NETLOGON_FUNCTION_20, "Function_0x20",
netlogon_dissect_function_20_rqst,
netlogon_dissect_function_20_reply },
- { NETLOGON_FUNCTION_21, "FUNCTION_21",
+ { NETLOGON_FUNCTION_21, "Function_0x21",
netlogon_dissect_function_21_rqst,
netlogon_dissect_function_21_reply },
- { NETLOGON_FUNCTION_22, "FUNCTION_22",
+ { NETLOGON_FUNCTION_22, "Function_0x22",
netlogon_dissect_function_22_rqst,
netlogon_dissect_function_22_reply },
- { NETLOGON_FUNCTION_23, "FUNCTION_23",
+ { NETLOGON_FUNCTION_23, "Function_0x23",
netlogon_dissect_function_23_rqst,
netlogon_dissect_function_23_reply },
- { NETLOGON_FUNCTION_24, "FUNCTION_24",
+ { NETLOGON_FUNCTION_24, "Function_0x24",
netlogon_dissect_function_24_rqst,
netlogon_dissect_function_24_reply },
- { NETLOGON_FUNCTION_25, "FUNCTION_25",
+ { NETLOGON_FUNCTION_25, "Function_0x25",
netlogon_dissect_function_25_rqst,
netlogon_dissect_function_25_reply },
- { NETLOGON_FUNCTION_26, "FUNCTION_26",
+ { NETLOGON_FUNCTION_26, "Function_0x26",
netlogon_dissect_function_26_rqst,
netlogon_dissect_function_26_reply },
- { NETLOGON_FUNCTION_27, "FUNCTION_27",
- netlogon_dissect_function_27_rqst,
- netlogon_dissect_function_27_reply },
- { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DSRROLEGETPRIMARYDOMAININFORMATION",
+ { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx",
+ netlogon_dissect_logonsamlogonex_rqst,
+ netlogon_dissect_logonsamlogonex_reply },
+ { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DsrRoleGetPrimaryDomainInformation",
netlogon_dissect_dsrrolegetprimarydomaininformation_rqst,
netlogon_dissect_dsrrolegetprimarydomaininformation_reply },
- { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DSRDEREGISTERDNSHOSTRECORDS",
+ { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords",
netlogon_dissect_dsrderegisterdnshostrecords_rqst,
netlogon_dissect_dsrderegisterdnshostrecords_reply },
- {0, NULL, NULL, NULL },
+ {0, NULL, NULL, NULL }
};
-static void netlogon_init(void)
-{
- /* Initialise DCERPC/SMB data structures */
-
- dcerpc_smb_init();
-}
+static const value_string netlogon_opnum_vals[] = {
+ { NETLOGON_UASLOGON, "UasLogon" },
+ { NETLOGON_UASLOGOFF, "UasLogoff" },
+ { NETLOGON_NETLOGONSAMLOGON, "SamLogon" },
+ { NETLOGON_NETLOGONSAMLOGOFF, "SamLogoff" },
+ { NETLOGON_NETSERVERREQCHALLENGE, "ServerReqChallenge" },
+ { NETLOGON_NETSERVERAUTHENTICATE, "ServerAuthenticate" },
+ { NETLOGON_NETSERVERPASSWORDSET, "ServerPasswdSet" },
+ { NETLOGON_NETSAMDELTAS, "DatabaseDeltas" },
+ { NETLOGON_DATABASESYNC, "DatabaseSync" },
+ { NETLOGON_ACCOUNTDELTAS, "AccountDeltas" },
+ { NETLOGON_ACCOUNTSYNC, "AccountSync" },
+ { NETLOGON_GETDCNAME, "GetDCName" },
+ { NETLOGON_NETLOGONCONTROL, "LogonControl" },
+ { NETLOGON_GETANYDCNAME, "GetAnyDCName" },
+ { NETLOGON_NETLOGONCONTROL2, "LogonControl2" },
+ { NETLOGON_NETSERVERAUTHENTICATE2, "ServerAuthenticate2" },
+ { NETLOGON_NETDATABASESYNC2, "DatabaseSync2" },
+ { NETLOGON_DATABASEREDO, "DatabaseRedo" },
+ { NETLOGON_FUNCTION_12, "Function_0x12" },
+ { NETLOGON_NETTRUSTEDDOMAINLIST, "TrustedDomainList" },
+ { NETLOGON_DSRGETDCNAME2, "DsrGetDCName2" },
+ { NETLOGON_FUNCTION_15, "Function_0x15" },
+ { NETLOGON_FUNCTION_16, "Function_0x16" },
+ { NETLOGON_FUNCTION_17, "Function_0x17" },
+ { NETLOGON_FUNCTION_18, "Function_0x18" },
+ { NETLOGON_FUNCTION_19, "Function_0x19" },
+ { NETLOGON_NETSERVERAUTHENTICATE3, "ServerAuthenticate3" },
+ { NETLOGON_DSRGETDCNAME, "DsrGetDCName" },
+ { NETLOGON_DSRGETSITENAME, "DsrGetSiteName" },
+ { NETLOGON_NETRLOGONGETDOMAININFO, "NetrLogonGetDomainInfo" },
+ { NETLOGON_FUNCTION_1E, "Function_0x1E" },
+ { NETLOGON_NETSERVERPASSWORDSET2, "ServerPasswordSet2" },
+ { NETLOGON_FUNCTION_20, "Function_0x20" },
+ { NETLOGON_FUNCTION_21, "Function_0x21" },
+ { NETLOGON_FUNCTION_22, "Function_0x22" },
+ { NETLOGON_FUNCTION_23, "Function_0x23" },
+ { NETLOGON_FUNCTION_24, "Function_0x24" },
+ { NETLOGON_FUNCTION_25, "Function_0x25" },
+ { NETLOGON_FUNCTION_26, "Function_0x26" },
+ { NETLOGON_LOGONSAMLOGONEX, "LogonSamLogonEx" },
+ { NETLOGON_DSRROLEGETPRIMARYDOMAININFORMATION, "DsrRoleGetPrimaryDomainInformation" },
+ { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS, "DsrDeregisterDNSHostRecords" },
+ { 0, NULL }
+};
void
proto_register_dcerpc_netlogon(void)
{
static hf_register_info hf[] = {
+ { &hf_netlogon_opnum,
+ { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
+ VALS(netlogon_opnum_vals), 0x0, "Operation", HFILL }},
+
{ &hf_netlogon_rc, {
"Return code", "netlogon.rc", FT_UINT32, BASE_HEX,
VALS(NT_errors), 0x0, "Netlogon return code", HFILL }},
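Review bot: The operation names now live in two tables and they already disagree: `dcerpc_netlogon_dissectors` labels opnums 0x15 to 0x19 as `"Function 0x15"` … `"Function 0x19"` (with a space), while `netlogon_opnum_vals` and every other placeholder entry in both tables use the underscore form. I would change those five dissector entries to match, e.g. `{ NETLOGON_FUNCTION_15, "Function_0x15",`, so both tables give an operation the same name. A comment above `netlogon_opnum_vals` such as `/* Keep in sync with dcerpc_netlogon_dissectors[] above. */` would help whoever next renames an operation. `proto_register_dcerpc_netlogon` continues outside this hunk.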
"Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
NULL, 0x0, "Logon ID", HFILL }},
+ { &hf_netlogon_modify_count, {
+ "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
+ NULL, 0x0, "How many times the object has been modified", HFILL }},
+
+ { &hf_netlogon_security_information, {
+ "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Security Information", HFILL }},
+
{ &hf_netlogon_count, {
- "Count", "netlogon.count", FT_UINT16, BASE_DEC,
+ "Count", "netlogon.count", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_entries, {
+ "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
NULL, 0x0, "", HFILL }},
{ &hf_netlogon_credential, {
"Credential", "netlogon.credential", FT_BYTES, BASE_HEX,
NULL, 0x0, "Netlogon credential", HFILL }},
- { &hf_netlogon_cypher_block, {
- "Cypher Block", "netlogon.cypher_block", FT_BYTES, BASE_HEX,
- NULL, 0x0, "Netlogon cypher block", HFILL }},
+ { &hf_netlogon_challenge, {
+ "Challenge", "netlogon.challenge", FT_BYTES, BASE_HEX,
+ NULL, 0x0, "Netlogon challenge", HFILL }},
{ &hf_netlogon_lm_owf_password, {
"LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_HEX,
"Len", "netlogon.len", FT_UINT32, BASE_DEC,
NULL, 0, "Length", HFILL }},
- { &hf_netlogon_status, {
- "Status", "netlogon.status", FT_UINT32, BASE_DEC,
- NULL, 0, "Status", HFILL }},
+ { &hf_netlogon_priv, {
+ "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_privilege_entries, {
+ "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_privilege_control, {
+ "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_privilege_name, {
+ "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_pdc_connection_status, {
+ "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
+ NULL, 0, "PDC Connection Status", HFILL }},
+
+ { &hf_netlogon_tc_connection_status, {
+ "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
+ NULL, 0, "TC Connection Status", HFILL }},
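Review bot: `hf_netlogon_privilege_name` is registered as `FT_STRING, BASE_HEX`, but a display base has no meaning for a string field and the other FT_STRING entries visible in this table use `BASE_NONE`. I would change the line to `"Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,`. The new `hf_netlogon_priv`, `hf_netlogon_privilege_entries` and `hf_netlogon_privilege_control` entries also have empty blurbs, and a short description of each would help. The hf[] array starts and ends outside this hunk.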
{ &hf_netlogon_attrs, {
"Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
{ &hf_netlogon_unknown_long,
{ "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
NULL, 0x0, "Unknown long. If you know what this is, contact ethereal developers.", HFILL }},
+ { &hf_netlogon_reserved,
+ { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Reserved", HFILL }},
{ &hf_netlogon_unknown_short,
{ "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
NULL, 0x0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
{ "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
NULL, 0x0, "Unknown char. If you know what this is, contact ethereal developers.", HFILL }},
- { &hf_netlogon_unknown_time,
- { "Unknown time", "netlogon.unknown.time", FT_ABSOLUTE_TIME, BASE_NONE,
- NULL, 0x0, "Unknown time. If you know what this is, contact ethereal developers.", HFILL }},
-
{ &hf_netlogon_acct_expiry_time,
{ "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, BASE_NONE,
NULL, 0x0, "When this account will expire", HFILL }},
{ "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
NULL, 0x0, "Whether this password has expired or not", HFILL }},
- { &hf_netlogon_num_pwd_pairs,
- { "Num PWD Pairs", "netlogon.num_pwd_pairs", FT_UINT8, BASE_DEC,
- NULL, 0x0, "Number of password pairs. Password history length?", HFILL }},
-
{ &hf_netlogon_authoritative,
{ "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
NULL, 0x0, "", HFILL }},
+ { &hf_netlogon_sensitive_data_flag,
+ { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
+ NULL, 0x0, "Sensitive data flag", HFILL }},
+
+ { &hf_netlogon_auditing_mode,
+ { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
+ NULL, 0x0, "Auditing Mode", HFILL }},
+
+ { &hf_netlogon_max_audit_event_count,
+ { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Max audit event count", HFILL }},
+
+ { &hf_netlogon_event_audit_option,
+ { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Event audit option", HFILL }},
+
+ { &hf_netlogon_sensitive_data_len,
+ { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Length of sensitive data", HFILL }},
+
{ &hf_netlogon_nt_chal_resp,
{ "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_HEX,
NULL, 0, "Challenge response for NT authentication", HFILL }},
{ "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_HEX,
NULL, 0, "Challenge response for LM authentication", HFILL }},
+ { &hf_netlogon_cipher_len,
+ { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_cipher_maxlen,
+ { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_pac_data,
+ { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_HEX,
+ NULL, 0, "Pac Data", HFILL }},
+
+ { &hf_netlogon_sensitive_data,
+ { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_HEX,
+ NULL, 0, "Sensitive Data", HFILL }},
+
+ { &hf_netlogon_auth_data,
+ { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_HEX,
+ NULL, 0, "Auth Data", HFILL }},
+
+ { &hf_netlogon_cipher_current_data,
+ { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
+ { &hf_netlogon_cipher_old_data,
+ { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_HEX,
+ NULL, 0, "", HFILL }},
+
{ &hf_netlogon_acct_name,
{ "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
NULL, 0, "Account Name", HFILL }},
{ "Server", "netlogon.server", FT_STRING, BASE_NONE,
NULL, 0, "Server", HFILL }},
+ { &hf_netlogon_principal,
+ { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
+ NULL, 0, "Principal", HFILL }},
+
{ &hf_netlogon_logon_dom,
{ "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
NULL, 0, "Domain", HFILL }},
{ "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
NULL, 0, "DC Address Type", HFILL }},
- { &hf_netlogon_client_name,
- { "Client Name", "netlogon.client.name", FT_STRING, BASE_NONE,
- NULL, 0, "Client Name", HFILL }},
-
{ &hf_netlogon_client_site_name,
{ "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
NULL, 0, "Client Site Name", HFILL }},
{ "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
NULL, 0, "Workstation Site Name", HFILL }},
+ { &hf_netlogon_workstation,
+ { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
+ NULL, 0, "Workstation Name", HFILL }},
+
{ &hf_netlogon_workstation_os,
{ "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
NULL, 0, "Workstation OS", HFILL }},
{ "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
NULL, 0, "Alias Name", HFILL }},
- { &hf_netlogon_cli_name,
- { "CLI Name", "netlogon.cli_name", FT_STRING, BASE_NONE,
- NULL, 0, "CLI Name", HFILL }},
-
{ &hf_netlogon_dns_host,
{ "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
NULL, 0, "DNS Host", HFILL }},
- { &hf_netlogon_trusted_domain_name,
- { "Trusted Domain", "netlogon.trusted_domain", FT_STRING, BASE_NONE,
- NULL, 0, "Trusted Domain Name", HFILL }},
+ { &hf_netlogon_downlevel_domain_name,
+ { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
+ NULL, 0, "Downlevel Domain Name", HFILL }},
+
+ { &hf_netlogon_dns_domain_name,
+ { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
+ NULL, 0, "DNS Domain Name", HFILL }},
+
+ { &hf_netlogon_domain_name,
+ { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
+ NULL, 0, "Domain Name", HFILL }},
+
+ { &hf_netlogon_oem_info,
+ { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
+ NULL, 0, "OEM Info", HFILL }},
{ &hf_netlogon_trusted_dc_name,
{ "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
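Review bot: The new `hf_netlogon_domain_name` entry reuses the filter name `"netlogon.domain"`, which `hf_netlogon_logon_dom` already registers earlier in this table (outside this hunk), so a display filter on `netlogon.domain` cannot tell the two fields apart. If the sharing is not intended, give the new field its own abbreviation, for example `{ "Domain", "netlogon.domain_name", FT_STRING, BASE_NONE,`. If it is intended, a one-line comment saying so would stop a later cleanup from "fixing" it. The hf[] array starts and ends outside this hunk.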
{ "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
NULL, 0, "Logon Srv Handle", HFILL }},
+ { &hf_netlogon_dummy,
+ { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
+ NULL, 0, "Dummy string", HFILL }},
+
+ { &hf_netlogon_logon_count16,
+ { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Number of successful logins", HFILL }},
+
{ &hf_netlogon_logon_count,
- { "Logon Count", "netlogon.logon_count", FT_UINT16, BASE_DEC,
+ { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of successful logins", HFILL }},
+ { &hf_netlogon_bad_pw_count16,
+ { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Number of failed logins", HFILL }},
+
{ &hf_netlogon_bad_pw_count,
- { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT16, BASE_DEC,
+ { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of failed logins", HFILL }},
{ &hf_netlogon_country,
{ "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
NULL, 0x0, "Codepage setting for this account", HFILL }},
- { &hf_netlogon_level,
- { "Level", "netlogon.level", FT_UINT16, BASE_DEC,
+ { &hf_netlogon_level16,
+ { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
NULL, 0x0, "Which option of the union is represented here", HFILL }},
+ { &hf_netlogon_validation_level,
+ { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Requested level of validation", HFILL }},
+
+ { &hf_netlogon_minpasswdlen,
+ { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Minimum length of password", HFILL }},
+
+ { &hf_netlogon_passwdhistorylen,
+ { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Length of password history", HFILL }},
+
{ &hf_netlogon_secure_channel_type,
{ "Sec Chn Type", "netlogon.sec_chn_type", FT_UINT16, BASE_DEC,
NULL, 0x0, "Secure Channel Type", HFILL }},
+ { &hf_netlogon_restart_state,
+ { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Restart State", HFILL }},
+
+ { &hf_netlogon_delta_type,
+ { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
+ VALS(delta_type_vals), 0x0, "Delta Type", HFILL }},
+
{ &hf_netlogon_blob_size,
{ "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
NULL, 0x0, "Size in bytes of BLOB", HFILL }},
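Review bot: The filter abbreviation `netlogon.level` changes meaning in this hunk: it used to name the 16-bit field and, together with the `hf_netlogon_level_long` to `hf_netlogon_level` rename in the following hunk, it now names the 32-bit one, while `netlogon.level32` disappears. A saved display filter on `netlogon.level32` will be rejected as an unknown field, which is at least visible, but a filter or triage script written against `netlogon.level` keeps parsing and quietly matches a different field. Keeping the old abbreviation on the 32-bit entry, `{ "Level", "netlogon.level32", FT_UINT32, BASE_DEC,`, would avoid the silent case. The call sites that pass `hf_netlogon_level` and `hf_netlogon_level16` are outside this hunk, so whether each one reads the matching width cannot be confirmed from here.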
{ "Code", "netlogon.code", FT_UINT32, BASE_HEX,
NULL, 0x0, "Code", HFILL }},
- { &hf_netlogon_level_long,
- { "Level", "netlogon.level32", FT_UINT32, BASE_DEC,
+ { &hf_netlogon_level,
+ { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
NULL, 0x0, "Which option of the union is represented here", HFILL }},
+ { &hf_netlogon_reference,
+ { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_next_reference,
+ { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
{ &hf_netlogon_timestamp,
- { "Timestamp", "netlogon.timestamp", FT_UINT32, BASE_HEX,
- NULL, 0x0, "Some sort of timestamp", HFILL }},
+ { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "", HFILL }},
{ &hf_netlogon_user_rid,
{ "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
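Review bot: `hf_netlogon_timestamp` loses its description when it moves from `FT_UINT32`/`BASE_HEX` to `FT_ABSOLUTE_TIME`, and the new `hf_netlogon_reference` and `hf_netlogon_next_reference` entries are registered with `""` as well. The same empty description recurs in later hunks (`hf_netlogon_auth_flags`, `hf_netlogon_systemflags`, the page-file/pool/working-set limits, `hf_netlogon_serial_number`, `hf_netlogon_timelimit`). For the timestamp I would at least carry the old text over, `NULL, 0, "Some sort of timestamp", HFILL }},`, and give the other fields a one-phrase description of the structure member they come from. Separately, the type change means the code that adds this field has to supply a time value rather than a 32-bit integer; that code is not in this hunk, so it needs checking there.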
{ "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of RIDs", HFILL }},
+ { &hf_netlogon_num_controllers,
+ { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Number of domain controllers", HFILL }},
+
{ &hf_netlogon_num_other_groups,
{ "Num Other Groups", "netlogon.num_other_groups", FT_UINT32, BASE_DEC,
NULL, 0x0, "", HFILL }},
{ "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
NULL, 0x0, "", HFILL }},
+ { &hf_netlogon_auth_flags,
+ { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_systemflags,
+ { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "", HFILL }},
+
{ &hf_netlogon_database_id,
{ "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
NULL, 0x0, "Database Id", HFILL }},
+ { &hf_netlogon_sync_context,
+ { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Sync Context", HFILL }},
+
{ &hf_netlogon_max_size,
{ "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
NULL, 0x0, "Max Size of database", HFILL }},
+ { &hf_netlogon_max_log_size,
+ { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Max Size of log", HFILL }},
+
+ { &hf_netlogon_pac_size,
+ { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Size of PacData in bytes", HFILL }},
+
+ { &hf_netlogon_auth_size,
+ { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "Size of AuthData in bytes", HFILL }},
+
{ &hf_netlogon_num_deltas,
{ "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of SAM Deltas in array", HFILL }},
{ "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
NULL, 0x0, "Number of logon attempts", HFILL }},
+ { &hf_netlogon_pagefilelimit,
+ { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_pagedpoollimit,
+ { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_nonpagedpoollimit,
+ { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_minworkingsetsize,
+ { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_maxworkingsetsize,
+ { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_serial_number,
+ { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_netlogon_neg_flags,
+ { "Neg Flags", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
+ NULL, 0x0, "Negotiation Flags", HFILL }},
+
{ &hf_netlogon_logon_time,
{ "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, BASE_NONE,
NULL, 0, "Time for last time this user logged on", HFILL }},
{ "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, BASE_NONE,
NULL, 0, "When this users password must be changed", HFILL }},
+ { &hf_netlogon_domain_create_time,
+ { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "Time when this domain was created", HFILL }},
+
+ { &hf_netlogon_domain_modify_time,
+ { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "Time when this domain was last modified", HFILL }},
+
+ { &hf_netlogon_db_modify_time,
+ { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "Time when last modified", HFILL }},
+
+ { &hf_netlogon_db_create_time,
+ { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "Time when created", HFILL }},
+
+ { &hf_netlogon_cipher_current_set_time,
+ { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "Time when current cipher was initiated", HFILL }},
+
+ { &hf_netlogon_cipher_old_set_time,
+ { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, BASE_NONE,
+ NULL, 0, "Time when previous cipher was initiated", HFILL }},
+
+ { &hf_netlogon_audit_retention_period,
+ { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
+ NULL, 0, "Audit retention period", HFILL }},
+
+ { &hf_netlogon_timelimit,
+ { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
+ NULL, 0, "", HFILL }}
+
};
static gint *ett[] = {
&ett_dcerpc_netlogon,
- &ett_NETLOGON_SECURITY_DESCRIPTOR,
- &ett_TYPE_1,
- &ett_TYPE_2,
- &ett_CYPHER_BLOCK,
- &ett_NETLOGON_AUTHENTICATOR,
- &ett_NETLOGON_LOGON_IDENTITY_INFO,
- &ett_NETLOGON_INTERACTIVE_INFO,
- &ett_NETLOGON_NETWORK_INFO,
- &ett_NETLOGON_VALIDATION_SAM_INFO1,
- &ett_NETLOGON_VALIDATION_SAM_INFO2,
- &ett_TYPE_16,
- &ett_NETLOGON_SAM_DOMAIN_INFO,
- &ett_NETLOGON_SAM_GROUP_INFO,
- &ett_TYPE_23,
- &ett_NETLOGON_SAM_ACCOUNT_INFO,
- &ett_NETLOGON_SAM_GROUP_MEM_INFO,
- &ett_NETLOGON_SAM_ALIAS_INFO,
- &ett_NETLOGON_SAM_ALIAS_MEM_INFO,
- &ett_TYPE_30,
- &ett_TYPE_29,
- &ett_TYPE_31,
- &ett_TYPE_32,
- &ett_TYPE_33,
- &ett_TYPE_34,
- &ett_TYPE_35,
- &ett_SAM_DELTA,
- &ett_SAM_DELTA_ARRAY,
- &ett_TYPE_36,
- &ett_NETLOGON_INFO_1,
- &ett_NETLOGON_INFO_2,
- &ett_NETLOGON_INFO_3,
- &ett_NETLOGON_INFO_4,
+ &ett_CYPHER_VALUE,
+ &ett_QUOTA_LIMITS,
+ &ett_IDENTITY_INFO,
+ &ett_DELTA_ENUM,
&ett_UNICODE_MULTI,
&ett_DOMAIN_CONTROLLER_INFO,
- &ett_TYPE_46,
- &ett_TYPE_48,
&ett_UNICODE_STRING_512,
&ett_TYPE_50,
&ett_TYPE_51,
&ett_TYPE_52,
- &ett_NETLOGON_LEVEL,
- &ett_NETLOGON_VALIDATION,
- &ett_TYPE_19,
- &ett_NETLOGON_CONTROL_QUERY_INFO,
+ &ett_DELTA_ID_UNION,
&ett_TYPE_44,
- &ett_TYPE_20,
- &ett_NETLOGON_INFO,
- &ett_TYPE_45,
- &ett_TYPE_47,
- &ett_NETLOGON_CREDENTIAL,
+ &ett_DELTA_UNION,
&ett_GUID,
- &ett_ENC_LM_OWF_PASSWORD,
&ett_LM_OWF_PASSWORD,
&ett_NT_OWF_PASSWORD,
&ett_GROUP_MEMBERSHIP,
- &ett_USER_SESSION_KEY,
- &ett_BLOB,
- &ett_rid_array,
- &ett_attrib_array,
+ &ett_BLOB
};
proto_dcerpc_netlogon = proto_register_protocol(
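Review bot: Most of the `ett_*` entries are dropped from `ett[]` here, which is only safe if no `proto_item_add_subtree()` call left in the file still uses one of them. An index that is never handed to `proto_register_subtree_array()` keeps the initial value from its declaration and would then be used unregistered. The declarations and the dissector bodies are outside this hunk (the registration function itself starts earlier), so this has to be checked against the whole file; deleting the matching `static gint ett_...` declarations in the same commit lets the compiler enforce it. Minor style point: the new final elements `NULL, 0, "", HFILL }}` and `&ett_BLOB` drop the trailing comma, so the next entry appended to either array will again touch two lines.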
proto_register_field_array(proto_dcerpc_netlogon, hf,
array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
-
- register_init_routine(netlogon_init);
}
void
dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
&uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
- dcerpc_netlogon_dissectors);
+ dcerpc_netlogon_dissectors, hf_netlogon_opnum);
}