Bug Summary

File:builds/wireshark/wireshark/epan/dissectors/packet-dcerpc-netlogon.c
Warning:line 6569, column 5
Value stored to 'offset' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-dcerpc-netlogon.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-18/lib/clang/18 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-18/lib/clang/18/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-truncation -Wno-format-nonliteral -Wno-pointer-sign -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -dwarf-debug-flags /usr/lib/llvm-18/bin/clang -### --analyze -x c -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/epan -fvisibility=hidden -fexcess-precision=fast -fstrict-flex-arrays=3 -fstack-clash-protection -fcf-protection=full -D _GLIBCXX_ASSERTIONS -fstack-protector-strong -fno-delete-null-pointer-checks -fno-strict-overflow -fno-strict-aliasing -fexceptions -Wno-format-truncation -Wno-format-nonliteral -fdiagnostics-color=always -Wno-pointer-sign -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -std=gnu11 -fPIC /builds/wireshark/wireshark/epan/dissectors/packet-dcerpc-netlogon.c -o /builds/wireshark/wireshark/sbout/2024-12-02-100256-3913-1 -Xclang -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2024-12-02-100256-3913-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-dcerpc-netlogon.c
1/* packet-dcerpc-netlogon.c
2 * Routines for SMB \PIPE\NETLOGON packet disassembly
3 * Copyright 2001,2003 Tim Potter <[email protected]>
4 * 2002 structure and command dissectors by Ronnie Sahlberg
5 *
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <[email protected]>
8 * Copyright 1998 Gerald Combs
9 *
10 * SPDX-License-Identifier: GPL-2.0-or-later
11 */
12
13#include "config.h"
14
15#define WS_LOG_DOMAIN"packet-dcerpc-netlogon" "packet-dcerpc-netlogon"
16
17#include <epan/packet.h>
18#include <epan/expert.h>
19#include <epan/tfs.h>
20
21#include <wsutil/wsgcrypt.h>
22#include <wsutil/wslog.h>
23#include <wsutil/str_util.h>
24
25/* for dissect_mscldap_string */
26#include "packet-ldap.h"
27#include "packet-dcerpc.h"
28#include "packet-dcerpc-nt.h"
29#include "packet-dcerpc-netlogon.h"
30#include "packet-windows-common.h"
31#include "packet-dcerpc-lsa.h"
32#include "packet-ntlmssp.h"
33#include "packet-dcerpc-misc.h"
34/* for keytab format */
35#include <epan/asn1.h>
36
37void proto_register_dcerpc_netlogon(void);
38void proto_reg_handoff_dcerpc_netlogon(void);
39
40static proto_item *
41netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,uint32_t flags,int offset);
42
43#define NETLOGON_FLAG_800000000x80000000 0x80000000
44#define NETLOGON_FLAG_400000000x40000000 0x40000000
45#define NETLOGON_FLAG_200000000x20000000 0x20000000
46#define NETLOGON_FLAG_100000000x10000000 0x10000000
47#define NETLOGON_FLAG_80000000x8000000 0x8000000
48#define NETLOGON_FLAG_40000000x4000000 0x4000000
49#define NETLOGON_FLAG_20000000x2000000 0x2000000
50#define NETLOGON_FLAG_AES0x1000000 0x1000000
51#define NETLOGON_FLAG_8000000x800000 0x800000
52#define NETLOGON_FLAG_4000000x400000 0x400000
53#define NETLOGON_FLAG_2000000x200000 0x200000
54#define NETLOGON_FLAG_1000000x100000 0x100000
55#define NETLOGON_FLAG_800000x80000 0x80000
56#define NETLOGON_FLAG_400000x40000 0x40000
57#define NETLOGON_FLAG_200000x20000 0x20000
58#define NETLOGON_FLAG_100000x10000 0x10000
59#define NETLOGON_FLAG_80000x8000 0x8000
60#define NETLOGON_FLAG_STRONGKEY0x4000 0x4000
61#define NETLOGON_FLAG_20000x2000 0x2000
62#define NETLOGON_FLAG_10000x1000 0x1000
63#define NETLOGON_FLAG_8000x800 0x800
64#define NETLOGON_FLAG_4000x400 0x400
65#define NETLOGON_FLAG_2000x200 0x200
66#define NETLOGON_FLAG_1000x100 0x100
67#define NETLOGON_FLAG_800x80 0x80
68#define NETLOGON_FLAG_400x40 0x40
69#define NETLOGON_FLAG_200x20 0x20
70#define NETLOGON_FLAG_100x10 0x10
71#define NETLOGON_FLAG_80x8 0x8
72#define NETLOGON_FLAG_40x4 0x4
73#define NETLOGON_FLAG_20x2 0x2
74#define NETLOGON_FLAG_10x1 0x1
75
76static wmem_map_t *netlogon_auths;
77static wmem_map_t *schannel_auths;
78static int proto_dcerpc_netlogon;
79
80static int hf_netlogon_TrustedDomainName_string;
81static int hf_netlogon_UserName_string;
82static int hf_domain_info_sid;
83static int hf_dns_domain_info_sid;
84static int hf_dns_domain_info_domain_guid;
85static int hf_dns_domain_info_dns_domain;
86static int hf_dns_domain_info_dns_forest;
87static int hf_dns_domain_info_name;
88static int hf_client_challenge;
89static int hf_server_rid;
90static int hf_server_challenge;
91static int hf_client_credential;
92static int hf_server_credential;
93static int hf_netlogon_logon_dnslogondomainname;
94static int hf_netlogon_logon_upn;
95static int hf_netlogon_opnum;
96static int hf_netlogon_data_length;
97static int hf_netlogon_extraflags;
98static int hf_netlogon_extra_flags_root_forest;
99static int hf_netlogon_trust_flags_dc_firsthop;
100static int hf_netlogon_trust_flags_rodc_to_dc;
101static int hf_netlogon_trust_flags_rodc_ntlm;
102static int hf_netlogon_package_name;
103static int hf_netlogon_rc;
104static int hf_netlogon_dos_rc;
105static int hf_netlogon_werr_rc;
106static int hf_netlogon_len;
107static int hf_netlogon_password_version_reserved;
108static int hf_netlogon_password_version_number;
109static int hf_netlogon_password_version_present;
110static int hf_netlogon_sensitive_data_flag;
111static int hf_netlogon_sensitive_data_len;
112static int hf_netlogon_sensitive_data;
113static int hf_netlogon_security_information;
114static int hf_netlogon_dummy;
115static int hf_netlogon_neg_flags;
116static int hf_netlogon_neg_flags_80000000;
117static int hf_netlogon_neg_flags_40000000;
118static int hf_netlogon_neg_flags_20000000;
119/* static int hf_netlogon_neg_flags_10000000; */
120/* static int hf_netlogon_neg_flags_8000000; */
121/* static int hf_netlogon_neg_flags_4000000; */
122/* static int hf_netlogon_neg_flags_2000000; */
123static int hf_netlogon_neg_flags_1000000;
124/* static int hf_netlogon_neg_flags_800000; */
125/* static int hf_netlogon_neg_flags_400000; */
126static int hf_netlogon_neg_flags_200000;
127static int hf_netlogon_neg_flags_100000;
128static int hf_netlogon_neg_flags_80000;
129static int hf_netlogon_neg_flags_40000;
130static int hf_netlogon_neg_flags_20000;
131static int hf_netlogon_neg_flags_10000;
132static int hf_netlogon_neg_flags_8000;
133static int hf_netlogon_neg_flags_4000;
134static int hf_netlogon_neg_flags_2000;
135static int hf_netlogon_neg_flags_1000;
136static int hf_netlogon_neg_flags_800;
137static int hf_netlogon_neg_flags_400;
138static int hf_netlogon_neg_flags_200;
139static int hf_netlogon_neg_flags_100;
140static int hf_netlogon_neg_flags_80;
141static int hf_netlogon_neg_flags_40;
142static int hf_netlogon_neg_flags_20;
143static int hf_netlogon_neg_flags_10;
144static int hf_netlogon_neg_flags_8;
145static int hf_netlogon_neg_flags_4;
146static int hf_netlogon_neg_flags_2;
147static int hf_netlogon_neg_flags_1;
148static int hf_netlogon_minworkingsetsize;
149static int hf_netlogon_maxworkingsetsize;
150static int hf_netlogon_pagedpoollimit;
151static int hf_netlogon_pagefilelimit;
152static int hf_netlogon_timelimit;
153static int hf_netlogon_nonpagedpoollimit;
154/* static int hf_netlogon_pac_size; */
155/* static int hf_netlogon_pac_data; */
156/* static int hf_netlogon_auth_size; */
157/* static int hf_netlogon_auth_data; */
158static int hf_netlogon_cipher_len;
159static int hf_netlogon_cipher_maxlen;
160static int hf_netlogon_cipher_current_data;
161static int hf_netlogon_cipher_current_set_time;
162static int hf_netlogon_cipher_old_data;
163static int hf_netlogon_cipher_old_set_time;
164static int hf_netlogon_priv;
165static int hf_netlogon_privilege_entries;
166static int hf_netlogon_privilege_control;
167static int hf_netlogon_privilege_name;
168static int hf_netlogon_systemflags;
169static int hf_netlogon_pdc_connection_status;
170static int hf_netlogon_tc_connection_status;
171static int hf_netlogon_restart_state;
172static int hf_netlogon_attrs;
173static int hf_netlogon_lsapolicy_len;
174/* static int hf_netlogon_lsapolicy_referentid; */
175/* static int hf_netlogon_lsapolicy_pointer; */
176static int hf_netlogon_count;
177static int hf_netlogon_entries;
178static int hf_netlogon_minpasswdlen;
179static int hf_netlogon_passwdhistorylen;
180static int hf_netlogon_level16;
181static int hf_netlogon_validation_level;
182static int hf_netlogon_reference;
183static int hf_netlogon_next_reference;
184static int hf_netlogon_timestamp;
185static int hf_netlogon_level;
186static int hf_netlogon_challenge;
187static int hf_netlogon_reserved;
188static int hf_netlogon_audit_retention_period;
189static int hf_netlogon_auditing_mode;
190static int hf_netlogon_max_audit_event_count;
191static int hf_netlogon_event_audit_option;
192static int hf_netlogon_unknown_string;
193static int hf_netlogon_new_password;
194static int hf_netlogon_trust_extension;
195static int hf_netlogon_trust_max;
196static int hf_netlogon_trust_offset;
197static int hf_netlogon_trust_len;
198static int hf_netlogon_opaque_buffer_enc;
199static int hf_netlogon_opaque_buffer_dec;
200static int hf_netlogon_opaque_buffer_size;
201static int hf_netlogon_dummy_string;
202static int hf_netlogon_dummy_string2;
203static int hf_netlogon_dummy_string3;
204static int hf_netlogon_dummy_string4;
205static int hf_netlogon_dummy_string5;
206static int hf_netlogon_dummy_string6;
207static int hf_netlogon_dummy_string7;
208static int hf_netlogon_dummy_string8;
209static int hf_netlogon_dummy_string9;
210static int hf_netlogon_dummy_string10;
211static int hf_netlogon_unknown_short;
212static int hf_netlogon_unknown_long;
213static int hf_netlogon_dummy1_long;
214static int hf_netlogon_dummy2_long;
215static int hf_netlogon_dummy3_long;
216static int hf_netlogon_dummy4_long;
217static int hf_netlogon_dummy5_long;
218static int hf_netlogon_dummy6_long;
219static int hf_netlogon_dummy7_long;
220static int hf_netlogon_dummy8_long;
221static int hf_netlogon_dummy9_long;
222static int hf_netlogon_dummy10_long;
223static int hf_netlogon_unknown_char;
224static int hf_netlogon_logon_time;
225static int hf_netlogon_logoff_time;
226static int hf_netlogon_last_logoff_time;
227static int hf_netlogon_kickoff_time;
228static int hf_netlogon_pwd_age;
229static int hf_netlogon_pwd_last_set_time;
230static int hf_netlogon_pwd_can_change_time;
231static int hf_netlogon_pwd_must_change_time;
232static int hf_netlogon_nt_chal_resp;
233static int hf_netlogon_lm_chal_resp;
234static int hf_netlogon_credential;
235static int hf_netlogon_acct_name;
236static int hf_netlogon_acct_desc;
237static int hf_netlogon_group_desc;
238static int hf_netlogon_full_name;
239static int hf_netlogon_comment;
240static int hf_netlogon_parameters;
241static int hf_netlogon_logon_script;
242static int hf_netlogon_profile_path;
243static int hf_netlogon_home_dir;
244static int hf_netlogon_dir_drive;
245static int hf_netlogon_logon_count;
246static int hf_netlogon_logon_count16;
247static int hf_netlogon_bad_pw_count;
248static int hf_netlogon_bad_pw_count16;
249static int hf_netlogon_user_rid;
250static int hf_netlogon_alias_rid;
251static int hf_netlogon_group_rid;
252static int hf_netlogon_logon_srv;
253/* static int hf_netlogon_principal; */
254static int hf_netlogon_logon_dom;
255static int hf_netlogon_resourcegroupcount;
256static int hf_netlogon_accountdomaingroupcount;
257static int hf_netlogon_domaingroupcount;
258static int hf_netlogon_membership_domains_count;
259static int hf_netlogon_downlevel_domain_name;
260static int hf_netlogon_dns_domain_name;
261static int hf_netlogon_ad_client_dns_name;
262static int hf_netlogon_domain_name;
263static int hf_netlogon_domain_create_time;
264static int hf_netlogon_domain_modify_time;
265static int hf_netlogon_modify_count;
266static int hf_netlogon_db_modify_time;
267static int hf_netlogon_db_create_time;
268static int hf_netlogon_oem_info;
269static int hf_netlogon_serial_number;
270static int hf_netlogon_num_rids;
271static int hf_netlogon_num_trusts;
272static int hf_netlogon_num_controllers;
273static int hf_netlogon_num_sid;
274static int hf_netlogon_computer_name;
275static int hf_netlogon_site_name;
276static int hf_netlogon_trusted_dc_name;
277static int hf_netlogon_dc_name;
278static int hf_netlogon_dc_site_name;
279static int hf_netlogon_dns_forest_name;
280static int hf_netlogon_dc_address;
281static int hf_netlogon_dc_address_type;
282static int hf_netlogon_client_site_name;
283static int hf_netlogon_workstation;
284static int hf_netlogon_workstation_site_name;
285static int hf_netlogon_os_version;
286static int hf_netlogon_workstation_os;
287static int hf_netlogon_workstation_flags;
288static int hf_netlogon_supportedenctypes;
289
290static int hf_netlogon_workstations;
291static int hf_netlogon_workstation_fqdn;
292static int hf_netlogon_group_name;
293static int hf_netlogon_alias_name;
294static int hf_netlogon_country;
295static int hf_netlogon_codepage;
296static int hf_netlogon_flags;
297static int hf_netlogon_trust_attribs;
298static int hf_netlogon_trust_attribs_non_transitive;
299static int hf_netlogon_trust_attribs_uplevel_only;
300static int hf_netlogon_trust_attribs_quarantined_domain;
301static int hf_netlogon_trust_attribs_forest_transitive;
302static int hf_netlogon_trust_attribs_cross_organization;
303static int hf_netlogon_trust_attribs_within_forest;
304static int hf_netlogon_trust_attribs_treat_as_external;
305static int hf_netlogon_trust_type;
306static int hf_netlogon_trust_flags;
307static int hf_netlogon_trust_flags_inbound;
308static int hf_netlogon_trust_flags_outbound;
309static int hf_netlogon_trust_flags_in_forest;
310static int hf_netlogon_trust_flags_native_mode;
311static int hf_netlogon_trust_flags_primary;
312static int hf_netlogon_trust_flags_tree_root;
313static int hf_netlogon_trust_parent_index;
314static int hf_netlogon_user_account_control;
315static int hf_netlogon_user_account_control_dont_require_preauth;
316static int hf_netlogon_user_account_control_use_des_key_only;
317static int hf_netlogon_user_account_control_not_delegated;
318static int hf_netlogon_user_account_control_trusted_for_delegation;
319static int hf_netlogon_user_account_control_smartcard_required;
320static int hf_netlogon_user_account_control_encrypted_text_password_allowed;
321static int hf_netlogon_user_account_control_account_auto_locked;
322static int hf_netlogon_user_account_control_dont_expire_password;
323static int hf_netlogon_user_account_control_server_trust_account;
324static int hf_netlogon_user_account_control_workstation_trust_account;
325static int hf_netlogon_user_account_control_interdomain_trust_account;
326static int hf_netlogon_user_account_control_mns_logon_account;
327static int hf_netlogon_user_account_control_normal_account;
328static int hf_netlogon_user_account_control_temp_duplicate_account;
329static int hf_netlogon_user_account_control_password_not_required;
330static int hf_netlogon_user_account_control_home_directory_required;
331static int hf_netlogon_user_account_control_account_disabled;
332static int hf_netlogon_user_flags;
333static int hf_netlogon_user_flags_extra_sids;
334static int hf_netlogon_user_flags_resource_groups;
335static int hf_netlogon_auth_flags;
336static int hf_netlogon_pwd_expired;
337static int hf_netlogon_nt_pwd_present;
338static int hf_netlogon_lm_pwd_present;
339static int hf_netlogon_code;
340static int hf_netlogon_database_id;
341static int hf_netlogon_sync_context;
342static int hf_netlogon_max_size;
343static int hf_netlogon_max_log_size;
344static int hf_netlogon_dns_host;
345static int hf_netlogon_acct_expiry_time;
346static int hf_netlogon_encrypted_lm_owf_password;
347static int hf_netlogon_lm_owf_password;
348static int hf_netlogon_nt_owf_password;
349static int hf_netlogon_param_ctrl;
350static int hf_netlogon_logon_id;
351static int hf_netlogon_num_deltas;
352static int hf_netlogon_user_session_key;
353static int hf_netlogon_blob_size;
354static int hf_netlogon_blob;
355static int hf_netlogon_logon_attempts;
356static int hf_netlogon_authoritative;
357static int hf_netlogon_secure_channel_type;
358static int hf_netlogon_logonsrv_handle;
359static int hf_netlogon_delta_type;
360static int hf_netlogon_get_dcname_request_flags;
361static int hf_netlogon_get_dcname_request_flags_force_rediscovery;
362static int hf_netlogon_get_dcname_request_flags_directory_service_required;
363static int hf_netlogon_get_dcname_request_flags_directory_service_preferred;
364static int hf_netlogon_get_dcname_request_flags_gc_server_required;
365static int hf_netlogon_get_dcname_request_flags_pdc_required;
366static int hf_netlogon_get_dcname_request_flags_background_only;
367static int hf_netlogon_get_dcname_request_flags_ip_required;
368static int hf_netlogon_get_dcname_request_flags_kdc_required;
369static int hf_netlogon_get_dcname_request_flags_timeserv_required;
370static int hf_netlogon_get_dcname_request_flags_writable_required;
371static int hf_netlogon_get_dcname_request_flags_good_timeserv_preferred;
372static int hf_netlogon_get_dcname_request_flags_avoid_self;
373static int hf_netlogon_get_dcname_request_flags_only_ldap_needed;
374static int hf_netlogon_get_dcname_request_flags_is_flat_name;
375static int hf_netlogon_get_dcname_request_flags_is_dns_name;
376static int hf_netlogon_get_dcname_request_flags_return_dns_name;
377static int hf_netlogon_get_dcname_request_flags_return_flat_name;
378static int hf_netlogon_dc_flags;
379static int hf_netlogon_dc_flags_pdc_flag;
380static int hf_netlogon_dc_flags_gc_flag;
381static int hf_netlogon_dc_flags_ldap_flag;
382static int hf_netlogon_dc_flags_ds_flag;
383static int hf_netlogon_dc_flags_kdc_flag;
384static int hf_netlogon_dc_flags_timeserv_flag;
385static int hf_netlogon_dc_flags_closest_flag;
386static int hf_netlogon_dc_flags_writable_flag;
387static int hf_netlogon_dc_flags_good_timeserv_flag;
388static int hf_netlogon_dc_flags_ndnc_flag;
389static int hf_netlogon_dc_flags_dns_controller_flag;
390static int hf_netlogon_dc_flags_dns_domain_flag;
391static int hf_netlogon_dc_flags_dns_forest_flag;
392/* static int hf_netlogon_dnsdomaininfo; */
393static int hf_netlogon_s4u2proxytarget;
394static int hf_netlogon_transitedlistsize;
395static int hf_netlogon_transited_service;
396static int hf_netlogon_logon_duration;
397static int hf_netlogon_time_created;
398
399static int ett_nt_counted_longs_as_string;
400static int ett_dcerpc_netlogon;
401static int ett_group_attrs;
402static int ett_user_flags;
403static int ett_user_account_control;
404static int ett_QUOTA_LIMITS;
405static int ett_IDENTITY_INFO;
406static int ett_DELTA_ENUM;
407static int ett_authenticate_flags;
408static int ett_CYPHER_VALUE;
409static int ett_UNICODE_MULTI;
410static int ett_DOMAIN_CONTROLLER_INFO;
411static int ett_netr_CryptPassword;
412static int ett_NL_PASSWORD_VERSION;
413static int ett_NL_GENERIC_RPC_DATA;
414static int ett_TYPE_50;
415static int ett_TYPE_52;
416static int ett_DELTA_ID_UNION;
417static int ett_CAPABILITIES;
418static int ett_DELTA_UNION;
419static int ett_LM_OWF_PASSWORD;
420static int ett_NT_OWF_PASSWORD;
421static int ett_GROUP_MEMBERSHIP;
422static int ett_BLOB;
423static int ett_DS_DOMAIN_TRUSTS;
424static int ett_LSA_POLICY_INFO;
425static int ett_DOMAIN_TRUST_INFO;
426static int ett_trust_flags;
427static int ett_trust_attribs;
428static int ett_get_dcname_request_flags;
429static int ett_dc_flags;
430static int ett_wstr_LOGON_IDENTITY_INFO_string;
431static int ett_domain_group_memberships;
432static int ett_domains_group_memberships;
433
434static expert_field ei_netlogon_auth_nthash;
435static expert_field ei_netlogon_session_key;
436
437typedef struct _netlogon_auth_vars {
438 uint64_t client_challenge;
439 uint64_t server_challenge;
440 md4_pass nthash;
441 int auth_fd_num;
442 uint8_t session_key[16];
443 uint8_t encryption_key[16];
444 uint8_t sequence[16];
445 uint32_t flags;
446 uint64_t seq;
447 uint64_t confounder;
448 uint8_t private_type;
449 bool_Bool can_decrypt;
450 char* client_name;
451 int start;
452 int next_start;
453 struct _netlogon_auth_vars *next;
454} netlogon_auth_vars;
455
456static gcry_error_t prepare_session_key_cipher(netlogon_auth_vars *vars,
457 gcry_cipher_hd_t *_cipher_hd);
458
459typedef struct _seen_packet {
460 bool_Bool isseen;
461 uint32_t num;
462} seen_packet;
463
464static seen_packet seen;
465
466static e_guid_t uuid_dcerpc_netlogon = {
467 0x12345678, 0x1234, 0xabcd,
468 { 0xef, 0x00, 0x01, 0x23, 0x45, 0x67, 0xcf, 0xfb }
469};
470
471static uint16_t ver_dcerpc_netlogon = 1;
472
473static int dissect_dcerpc_8bytes (tvbuff_t *tvb, int offset, packet_info *pinfo _U___attribute__((unused)),
474 proto_tree *tree, const uint8_t *drep,
475 int hfindex, uint64_t *pdata)
476{
477 uint64_t data;
478
479 data = ((drep[0] & DREP_LITTLE_ENDIAN0x10)
480 ? tvb_get_letoh64 (tvb, offset)
481 : tvb_get_ntoh64 (tvb, offset));
482
483 /* These fields are FT_BYTES, hence the byte order doesn't matter */
484 if (tree) {
485 proto_tree_add_item(tree, hfindex, tvb, offset, 8, ENC_NA0x00000000);
486 }
487 if (pdata)
488 *pdata = data;
489 return offset+8;
490}
491
492static const true_false_string user_account_control_dont_require_preauth= {
493 "This account DOESN'T_REQUIRE_PREAUTHENTICATION",
494 "This account REQUIRES preauthentication",
495};
496static const true_false_string user_account_control_use_des_key_only= {
497 "This account must USE_DES_KEY_ONLY for passwords",
498 "This account does NOT have to use_des_key_only",
499};
500static const true_false_string user_account_control_not_delegated= {
501 "This account is NOT_DELEGATED",
502 "This might have been delegated",
503};
504static const true_false_string user_account_control_trusted_for_delegation= {
505 "This account is TRUSTED_FOR_DELEGATION",
506 "This account is NOT trusted_for_delegation",
507};
508static const true_false_string user_account_control_smartcard_required= {
509 "This account REQUIRES_SMARTCARD to authenticate",
510 "This account does NOT require_smartcard to authenticate",
511};
512static const true_false_string user_account_control_encrypted_text_password_allowed= {
513 "This account allows ENCRYPTED_TEXT_PASSWORD",
514 "This account does NOT allow encrypted_text_password",
515};
516static const true_false_string user_account_control_account_auto_locked= {
517 "This account is AUTO_LOCKED",
518 "This account is NOT auto_locked",
519};
520static const true_false_string user_account_control_dont_expire_password= {
521 "This account DOESN'T_EXPIRE_PASSWORDs",
522 "This account might expire_passwords",
523};
524static const true_false_string user_account_control_server_trust_account= {
525 "This account is a SERVER_TRUST_ACCOUNT",
526 "This account is NOT a server_trust_account",
527};
528static const true_false_string user_account_control_workstation_trust_account= {
529 "This account is a WORKSTATION_TRUST_ACCOUNT",
530 "This account is NOT a workstation_trust_account",
531};
532static const true_false_string user_account_control_interdomain_trust_account= {
533 "This account is an INTERDOMAIN_TRUST_ACCOUNT",
534 "This account is NOT an interdomain_trust_account",
535};
536static const true_false_string user_account_control_mns_logon_account= {
537 "This account is a MNS_LOGON_ACCOUNT",
538 "This account is NOT a mns_logon_account",
539};
540static const true_false_string user_account_control_normal_account= {
541 "This account is a NORMAL_ACCOUNT",
542 "This account is NOT a normal_account",
543};
544static const true_false_string user_account_control_temp_duplicate_account= {
545 "This account is a TEMP_DUPLICATE_ACCOUNT",
546 "This account is NOT a temp_duplicate_account",
547};
548static const true_false_string user_account_control_password_not_required= {
549 "This account REQUIRES_NO_PASSWORD",
550 "This account REQUIRES a password",
551};
552static const true_false_string user_account_control_home_directory_required= {
553 "This account REQUIRES_HOME_DIRECTORY",
554 "This account does NOT require_home_directory",
555};
556static const true_false_string user_account_control_account_disabled= {
557 "This account is DISABLED",
558 "This account is NOT disabled",
559};
560
561typedef struct _netlogon_auth_key {
562 /*
563 * For now we only match the client and server ip
564 * addresses, as keys can be used across tcp connections.
565 *
566 * Also note that ServerChallenge and ServerAuthenticate
567 * can be on different tcp connections!
568 *
569 * TODO:
570 * * We could have a challenge table indexed by client, server
571 * and computer name
572 * * A good ServerAuthenticate could fill a session key table
573 * indexed by computer name.
574 * * A DCERPC bind/alter context could lookup the session key table
575 * and copy the session key to the DCERPC connection/auth_context.
576 */
577 address client;
578 address server;
579} netlogon_auth_key;
580
581static int
582netlogon_auth_equal (const void *k1, const void *k2)
583{
584 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k1;
585 const netlogon_auth_key *key2 = (const netlogon_auth_key *)k2;
586
587 return (addresses_equal(&key1->client,&key2->client) && addresses_equal(&key1->server,&key2->server));
588}
589
590static unsigned
591netlogon_auth_hash (const void *k)
592{
593 const netlogon_auth_key *key1 = (const netlogon_auth_key *)k;
594 unsigned hash_val1 = 0;
595
596 hash_val1 = add_address_to_hash(hash_val1, &key1->client);
597 hash_val1 = add_address_to_hash(hash_val1, &key1->server);
598 return hash_val1;
599}
600
601typedef struct _dcerpc_auth_schannel_key {
602 conversation_t *conv;
603 uint64_t transport_salt;
604 uint32_t auth_context_id;
605} dcerpc_auth_schannel_key;
606
607static unsigned
608dcerpc_auth_schannel_key_hash(const void *k)
609{
610 const dcerpc_auth_schannel_key *key = (const dcerpc_auth_schannel_key *)k;
611 unsigned hash;
612
613 hash = GPOINTER_TO_UINT(key->conv)((guint) (gulong) (key->conv));
614 /* sizeof(unsigned) might be smaller than sizeof(uint64_t) */
615 hash += (unsigned)key->transport_salt;
616 hash += (unsigned)(key->transport_salt << sizeof(unsigned));
617 hash += key->auth_context_id;
618
619 return hash;
620}
621
622static int
623dcerpc_auth_schannel_key_equal(const void *k1, const void *k2)
624{
625 const dcerpc_auth_schannel_key *key1 = (const dcerpc_auth_schannel_key *)k1;
626 const dcerpc_auth_schannel_key *key2 = (const dcerpc_auth_schannel_key *)k2;
627
628 return ((key1->conv == key2->conv)
629 && (key1->transport_salt == key2->transport_salt)
630 && (key1->auth_context_id == key2->auth_context_id));
631}
632
633static int
634netlogon_dissect_EXTRA_FLAGS(tvbuff_t *tvb, int offset,
635 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
636{
637 uint32_t mask;
638 static int * const extraflags[] = {
639 &hf_netlogon_extra_flags_root_forest,
640 &hf_netlogon_trust_flags_dc_firsthop,
641 &hf_netlogon_trust_flags_rodc_to_dc,
642 &hf_netlogon_trust_flags_rodc_ntlm,
643 NULL((void*)0)
644 };
645
646 if(di->conformant_run){
647 /*just a run to handle conformant arrays, nothing to dissect */
648 return offset;
649 }
650
651 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL((void*)0), di, drep,
652 -1, &mask);
653
654 proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_extraflags, ett_trust_flags, extraflags, mask, BMT_NO_APPEND0x01);
655 return offset;
656}
657
658struct LOGON_INFO_STATE;
659
660struct LOGON_INFO_STATE_CB {
661 struct LOGON_INFO_STATE *state;
662 ntlmssp_blob *response;
663 const uint8_t **name_ptr;
664 int name_levels;
665};
666
667struct LOGON_INFO_STATE {
668 packet_info *pinfo;
669 proto_tree *tree;
670 uint8_t server_challenge[8];
671 ntlmssp_blob nt_response;
672 ntlmssp_blob lm_response;
673 ntlmssp_header_t ntlmssph;
674 struct LOGON_INFO_STATE_CB domain_cb, acct_cb, host_cb, nt_cb, lm_cb;
675};
676
677static void dissect_LOGON_INFO_STATE_finish(struct LOGON_INFO_STATE *state)
678{
679 if (state->ntlmssph.acct_name != NULL((void*)0) &&
680 state->nt_response.length >= 24 &&
681 state->lm_response.length >= 24)
682 {
683 if (state->ntlmssph.domain_name == NULL((void*)0)) {
684 state->ntlmssph.domain_name = (const uint8_t *)"";
685 }
686 if (state->ntlmssph.host_name == NULL((void*)0)) {
687 state->ntlmssph.host_name = (const uint8_t *)"";
688 }
689
690 ntlmssp_create_session_key(state->pinfo,
691 state->tree,
692 &state->ntlmssph,
693 0, /* NTLMSSP_ flags */
694 state->server_challenge,
695 NULL((void*)0), /* encryptedsessionkey */
696 &state->nt_response,
697 &state->lm_response);
698 }
699}
700
701static void dissect_ndr_lm_nt_byte_array(packet_info *pinfo,
702 proto_tree *tree,
703 proto_item *item _U___attribute__((unused)),
704 dcerpc_info *di,
705 tvbuff_t *tvb,
706 int start_offset,
707 int end_offset,
708 void *callback_args)
709{
710 struct LOGON_INFO_STATE_CB *cb_ref = (struct LOGON_INFO_STATE_CB *)callback_args;
711 struct LOGON_INFO_STATE *state = NULL((void*)0);
712 int offset = start_offset;
713 uint64_t tmp;
714 uint16_t len;
715
716 if (cb_ref == NULL((void*)0)) {
717 return;
718 }
719 state = cb_ref->state;
720
721 if (di->conformant_run) {
722 /* just a run to handle conformant arrays, no scalars to dissect */
723 return;
724 }
725
726 /* NDR array header */
727 ALIGN_TO_5_BYTES{ if (di->call_data->flags & 0x00000001) { { if(!di
->conformant_run) { if(offset&0x07) { offset=(offset&
0xfffffff8)+8; } } }; } else { { if(!di->conformant_run) {
if(offset&0x03) { offset=(offset&0xfffffffc)+4; } } }
; } }
728 if (di->call_data->flags & DCERPC_IS_NDR640x00000001) {
729 offset += 3 * 8;
730 } else {
731 offset += 3 * 4;
732 }
733
734 tmp = end_offset - offset;
735 if (tmp > NTLMSSP_BLOB_MAX_SIZE10240) {
736 tmp = NTLMSSP_BLOB_MAX_SIZE10240;
737 }
738 len = (uint16_t)tmp;
739 cb_ref->response->length = len;
740 cb_ref->response->contents = (uint8_t *)tvb_memdup(pinfo->pool, tvb, offset, len);
741 if (len > 24) {
742 dissect_ntlmv2_response(tvb, pinfo, tree, offset, len);
743 }
744
745 dissect_LOGON_INFO_STATE_finish(state);
746}
747
748static int
749dissect_ndr_lm_nt_hash_cb(tvbuff_t *tvb, int offset,
750 packet_info *pinfo, proto_tree *tree,
751 dcerpc_info *di, uint8_t *drep, int hf_index,
752 dcerpc_callback_fnct_t *callback,
753 void *callback_args)
754{
755 uint16_t len, size;
756
757 /* Structure starts with short, but is aligned for longs */
758
759 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
760
761 if (di->conformant_run)
762 return offset;
763
764#if 0
765 struct {
766 short len;
767 short size;
768 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
769 } HASH;
770
771#endif
772
773 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
774 hf_nt_cs_len, &len);
775
776 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
777 hf_nt_cs_size, &size);
778
779 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
780 dissect_ndr_byte_array, NDR_POINTER_UNIQUE2,
781 "Bytes Array", hf_index, callback, callback_args);
782
783 return offset;
784}
785
786static int
787dissect_ndr_lm_nt_hash_helper(tvbuff_t *tvb, int offset,
788 packet_info *pinfo, proto_tree *tree,
789 dcerpc_info *di, uint8_t *drep, int hf_index,
790 struct LOGON_INFO_STATE_CB *cb_ref)
791{
792 proto_tree *subtree;
793
794 subtree = proto_tree_add_subtree(
795 tree, tvb, offset, 0, ett_LM_OWF_PASSWORD, NULL((void*)0),
796 proto_registrar_get_name(hf_index));
797
798 return dissect_ndr_lm_nt_hash_cb(
799 tvb, offset, pinfo, subtree, di, drep, hf_index,
800 dissect_ndr_lm_nt_byte_array, cb_ref);
801}
802
803static int
804netlogon_dissect_USER_ACCOUNT_CONTROL(tvbuff_t *tvb, int offset,
805 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
806{
807 uint32_t mask;
808 static int * const uac[] = {
809 &hf_netlogon_user_account_control_dont_require_preauth,
810 &hf_netlogon_user_account_control_use_des_key_only,
811 &hf_netlogon_user_account_control_not_delegated,
812 &hf_netlogon_user_account_control_trusted_for_delegation,
813 &hf_netlogon_user_account_control_smartcard_required,
814 &hf_netlogon_user_account_control_encrypted_text_password_allowed,
815 &hf_netlogon_user_account_control_account_auto_locked,
816 &hf_netlogon_user_account_control_dont_expire_password,
817 &hf_netlogon_user_account_control_server_trust_account,
818 &hf_netlogon_user_account_control_workstation_trust_account,
819 &hf_netlogon_user_account_control_interdomain_trust_account,
820 &hf_netlogon_user_account_control_mns_logon_account,
821 &hf_netlogon_user_account_control_normal_account,
822 &hf_netlogon_user_account_control_temp_duplicate_account,
823 &hf_netlogon_user_account_control_password_not_required,
824 &hf_netlogon_user_account_control_home_directory_required,
825 &hf_netlogon_user_account_control_account_disabled,
826 NULL((void*)0)
827 };
828
829 if(di->conformant_run){
830 /*just a run to handle conformant arrays, nothing to dissect */
831 return offset;
832 }
833
834 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL((void*)0), di, drep,
835 -1, &mask);
836
837 proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_user_account_control, ett_user_account_control, uac, mask, BMT_NO_APPEND0x01);
838
839 return offset;
840}
841
842
843static int
844netlogon_dissect_LOGONSRV_HANDLE(tvbuff_t *tvb, int offset,
845 packet_info *pinfo, proto_tree *tree,
846 dcerpc_info *di, uint8_t *drep)
847{
848 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
849 NDR_POINTER_UNIQUE2, "Server Handle",
850 hf_netlogon_logonsrv_handle, 0);
851
852 return offset;
853}
854
855/*
856 * IDL typedef struct {
857 * IDL [unique][string] wchar_t *effective_name;
858 * IDL long priv;
859 * IDL long auth_flags;
860 * IDL long logon_count;
861 * IDL long bad_pw_count;
862 * IDL long last_logon;
863 * IDL long last_logoff;
864 * IDL long logoff_time;
865 * IDL long kickoff_time;
866 * IDL long password_age;
867 * IDL long pw_can_change;
868 * IDL long pw_must_change;
869 * IDL [unique][string] wchar_t *computer;
870 * IDL [unique][string] wchar_t *domain;
871 * IDL [unique][string] wchar_t *script_path;
872 * IDL long reserved;
873 */
874static int
875netlogon_dissect_VALIDATION_UAS_INFO(tvbuff_t *tvb, int offset,
876 packet_info *pinfo, proto_tree *tree,
877 dcerpc_info *di, uint8_t *drep)
878{
879 if(di->conformant_run){
880 /*just a run to handle conformant arrays, nothing to dissect */
881 return offset;
882 }
883
884 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
885 NDR_POINTER_UNIQUE2, "Effective Account",
886 hf_netlogon_acct_name, 0);
887
888 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
889 hf_netlogon_priv, NULL((void*)0));
890
891 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
892 hf_netlogon_auth_flags, NULL((void*)0));
893
894 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
895 hf_netlogon_logon_count, NULL((void*)0));
896
897 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
898 hf_netlogon_bad_pw_count, NULL((void*)0));
899
900
901 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logon_time, NULL((void*)0));
902
903 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_last_logoff_time, NULL((void*)0));
904
905 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_logoff_time, NULL((void*)0));
906
907 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_kickoff_time, NULL((void*)0));
908
909 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_age, NULL((void*)0));
910
911 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_can_change_time, NULL((void*)0));
912
913 offset = dissect_ndr_time_t(tvb, offset, pinfo, tree, di, drep, hf_netlogon_pwd_must_change_time, NULL((void*)0));
914
915 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
916 NDR_POINTER_UNIQUE2, "Computer", hf_netlogon_computer_name, 0);
917
918 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
919 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_domain_name, 0);
920
921 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
922 NDR_POINTER_UNIQUE2, "Script", hf_netlogon_logon_script, 0);
923
924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
925 hf_netlogon_reserved, NULL((void*)0));
926
927 return offset;
928}
929
930/*
931 * IDL long NetrLogonUasLogon(
932 * IDL [in][unique][string] wchar_t *ServerName,
933 * IDL [in][ref][string] wchar_t *UserName,
934 * IDL [in][ref][string] wchar_t *Workstation,
935 * IDL [out][unique] VALIDATION_UAS_INFO *info
936 * IDL );
937 */
938static int
939netlogon_dissect_netrlogonuaslogon_rqst(tvbuff_t *tvb, int offset,
940 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
941{
942 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
943 pinfo, tree, di, drep);
944
945 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
946 NDR_POINTER_REF1, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO0x10000000);
947
948 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
949 NDR_POINTER_REF1, "Workstation", hf_netlogon_workstation, 0);
950
951 return offset;
952}
953
954
955static int
956netlogon_dissect_netrlogonuaslogon_reply(tvbuff_t *tvb, int offset,
957 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
958{
959 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
960 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE2,
961 "VALIDATION_UAS_INFO", -1);
962
963 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
964 hf_netlogon_dos_rc, NULL((void*)0));
965
966 return offset;
967}
968
969/*
970 * IDL typedef struct {
971 * IDL long duration;
972 * IDL short logon_count;
973 * IDL } LOGOFF_UAS_INFO;
974 */
975static int
976netlogon_dissect_LOGOFF_UAS_INFO(tvbuff_t *tvb, int offset,
977 packet_info *pinfo, proto_tree *tree,
978 dcerpc_info *di, uint8_t *drep)
979{
980 uint32_t duration;
981
982 if(di->conformant_run){
983 /*just a run to handle conformant arrays, nothing to dissect */
984 return offset;
985 }
986
987 duration = tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
988 proto_tree_add_uint_format_value(tree, hf_netlogon_logon_duration, tvb, offset, 4, duration, "unknown time format");
989 offset+= 4;
990
991 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
992 hf_netlogon_logon_count16, NULL((void*)0));
993
994 return offset;
995}
996
997/*
998 * IDL long NetrLogonUasLogoff(
999 * IDL [in][unique][string] wchar_t *ServerName,
1000 * IDL [in][ref][string] wchar_t *UserName,
1001 * IDL [in][ref][string] wchar_t *Workstation,
1002 * IDL [out][ref] LOGOFF_UAS_INFO *info
1003 * IDL );
1004 */
1005static int
1006netlogon_dissect_netrlogonuaslogoff_rqst(tvbuff_t *tvb, int offset,
1007 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
1008{
1009 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
1010 pinfo, tree, di, drep);
1011
1012 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
1013 NDR_POINTER_REF1, "Account", hf_netlogon_acct_name, CB_STR_COL_INFO0x10000000);
1014
1015 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
1016 NDR_POINTER_REF1, "Workstation", hf_netlogon_workstation, 0);
1017
1018 return offset;
1019}
1020
1021
1022static int
1023netlogon_dissect_netrlogonuaslogoff_reply(tvbuff_t *tvb, int offset,
1024 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
1025{
1026 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1027 netlogon_dissect_LOGOFF_UAS_INFO, NDR_POINTER_REF1,
1028 "LOGOFF_UAS_INFO", -1);
1029
1030 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
1031 hf_netlogon_dos_rc, NULL((void*)0));
1032
1033 return offset;
1034}
1035
1036static int
1037netlogon_dissect_BYTE_byte(tvbuff_t *tvb, int offset,
1038 packet_info *pinfo, proto_tree *tree,
1039 dcerpc_info *di, uint8_t *drep)
1040{
1041 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
1042 hf_netlogon_unknown_char, NULL((void*)0));
1043
1044 return offset;
1045}
1046
1047static int
1048netlogon_dissect_BYTE_array(tvbuff_t *tvb, int offset,
1049 packet_info *pinfo, proto_tree *tree,
1050 dcerpc_info *di, uint8_t *drep)
1051{
1052 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
1053 netlogon_dissect_BYTE_byte);
1054
1055 return offset;
1056}
1057
1058
1059static void cb_wstr_LOGON_IDENTITY_INFO(packet_info *pinfo, proto_tree *tree,
1060 proto_item *item, dcerpc_info *di,
1061 tvbuff_t *tvb,
1062 int start_offset, int end_offset,
1063 void *callback_args)
1064{
1065 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
1066 struct LOGON_INFO_STATE_CB *cb_ref =
1067 (struct LOGON_INFO_STATE_CB *)callback_args;
1068 struct LOGON_INFO_STATE *state = cb_ref->state;
1069
1070 cb_wstr_postprocess(pinfo, tree, item, di, tvb, start_offset, end_offset,
1071 GINT_TO_POINTER(cb_ref->name_levels)((gpointer) (glong) (cb_ref->name_levels)));
1072
1073 if (*cb_ref->name_ptr == NULL((void*)0)) {
1074 *cb_ref->name_ptr = (const uint8_t *)dcv->private_data;
1075 }
1076
1077 dissect_LOGON_INFO_STATE_finish(state);
1078}
1079
1080static int
1081dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
1082 packet_info *pinfo, proto_tree *tree,
1083 dcerpc_info *di, uint8_t *drep,
1084 int hf_index, int levels,
1085 struct LOGON_INFO_STATE_CB *cb_ref)
1086{
1087 proto_item *item = NULL((void*)0);
1088 proto_tree *subtree = NULL((void*)0);
1089
1090 if (cb_ref == NULL((void*)0)) {
1091 return dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1092 hf_index, levels);
1093 }
1094
1095 subtree = proto_tree_add_subtree(tree, tvb, offset, 0,
1096 ett_wstr_LOGON_IDENTITY_INFO_string, &item,
1097 proto_registrar_get_name(hf_index));
1098
1099 /*
1100 * Add 2 levels, so that the string gets attached to the
1101 * "Character Array" top-level item and to the top-level item
1102 * added above.
1103 */
1104 cb_ref->name_levels = 2 + levels;
1105 cb_ref->name_levels |= CB_STR_SAVE0x20000000;
1106 return dissect_ndr_counted_string_cb(tvb, offset, pinfo, subtree, di, drep,
1107 hf_index, cb_wstr_LOGON_IDENTITY_INFO, cb_ref);
1108}
1109
1110/*
1111 * IDL typedef struct {
1112 * IDL UNICODESTRING LogonDomainName;
1113 * IDL long ParameterControl;
1114 * IDL uint64 LogonID;
1115 * IDL UNICODESTRING UserName;
1116 * IDL UNICODESTRING Workstation;
1117 * IDL } LOGON_IDENTITY_INFO;
1118 */
1119static int
1120netlogon_dissect_LOGON_IDENTITY_INFO(tvbuff_t *tvb, int offset,
1121 packet_info *pinfo, proto_tree *parent_tree,
1122 dcerpc_info *di, uint8_t *drep,
1123 struct LOGON_INFO_STATE *state)
1124{
1125 struct LOGON_INFO_STATE_CB *domain_cb = NULL((void*)0);
1126 struct LOGON_INFO_STATE_CB *acct_cb = NULL((void*)0);
1127 struct LOGON_INFO_STATE_CB *host_cb = NULL((void*)0);
1128 proto_item *item=NULL((void*)0);
1129 proto_tree *tree=NULL((void*)0);
1130 int old_offset=offset;
1131
1132 if (state != NULL((void*)0)) {
1133 domain_cb = &state->domain_cb;
1134 acct_cb = &state->acct_cb;
1135 host_cb = &state->host_cb;
1136 }
1137
1138 if(parent_tree){
1139 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
1140 ett_IDENTITY_INFO, &item, "IDENTITY_INFO:");
1141 }
1142
1143 /* XXX: It would be nice to get the domain and account name
1144 displayed in COL_INFO. */
1145
1146 offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
1147 hf_netlogon_logon_dom, 0, domain_cb);
1148
1149 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1150 hf_netlogon_param_ctrl, NULL((void*)0));
1151
1152 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
1153 hf_netlogon_logon_id, NULL((void*)0));
1154
1155 offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
1156 hf_netlogon_acct_name, 1, acct_cb);
1157
1158 offset = dissect_ndr_wstr_LOGON_IDENTITY_INFO(tvb, offset, pinfo, tree, di, drep,
1159 hf_netlogon_workstation, 0, host_cb);
1160
1161#ifdef REMOVED
1162 /* NetMon does not recognize these bytes. I'll comment them out until someone complains */
1163 /* XXX 8 extra bytes here */
1164 /* there were 8 extra bytes, either here or in NETWORK_INFO that does not match
1165 the idl file. Could be a bug in either the NETLOGON implementation or in the
1166 idl file.
1167 */
1168 offset = netlogon_dissect_8_unknown_bytes(tvb, offset, pinfo, tree, di, drep);
1169#endif
1170
1171 proto_item_set_len(item, offset-old_offset);
1172 return offset;
1173}
1174
1175
1176/*
1177 * IDL typedef struct {
1178 * IDL char password[16];
1179 * IDL } LM_OWF_PASSWORD;
1180 */
1181static int
1182netlogon_dissect_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1183 packet_info *pinfo _U___attribute__((unused)), proto_tree *parent_tree,
1184 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
1185{
1186 proto_item *item=NULL((void*)0);
1187 proto_tree *tree=NULL((void*)0);
1188
1189 if(di->conformant_run){
1190 /*just a run to handle conformant arrays, nothing to dissect.*/
1191 return offset;
1192 }
1193
1194 if(parent_tree){
1195 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16,
1196 ett_LM_OWF_PASSWORD, &item, "LM_OWF_PASSWORD:");
1197 }
1198
1199 proto_tree_add_item(tree, hf_netlogon_lm_owf_password, tvb, offset, 16,
1200 ENC_NA0x00000000);
1201 offset += 16;
1202
1203 return offset;
1204}
1205
1206/*
1207 * IDL typedef struct {
1208 * IDL char password[16];
1209 * IDL } NT_OWF_PASSWORD;
1210 */
1211static int
1212netlogon_dissect_NT_OWF_PASSWORD(tvbuff_t *tvb, int offset,
1213 packet_info *pinfo _U___attribute__((unused)), proto_tree *parent_tree,
1214 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
1215{
1216 proto_item *item=NULL((void*)0);
1217 proto_tree *tree=NULL((void*)0);
1218
1219 if(di->conformant_run){
1220 /*just a run to handle conformant arrays, nothing to dissect.*/
1221 return offset;
1222 }
1223
1224 if(parent_tree){
1225 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 16,
1226 ett_NT_OWF_PASSWORD, &item, "NT_OWF_PASSWORD:");
1227 }
1228
1229 proto_tree_add_item(tree, hf_netlogon_nt_owf_password, tvb, offset, 16,
1230 ENC_NA0x00000000);
1231 offset += 16;
1232
1233 return offset;
1234}
1235
1236
1237/*
1238 * IDL typedef struct {
1239 * IDL LOGON_IDENTITY_INFO identity_info;
1240 * IDL LM_OWF_PASSWORD lmpassword;
1241 * IDL NT_OWF_PASSWORD ntpassword;
1242 * IDL } INTERACTIVE_INFO;
1243 */
1244static int
1245netlogon_dissect_INTERACTIVE_INFO(tvbuff_t *tvb, int offset,
1246 packet_info *pinfo, proto_tree *tree,
1247 dcerpc_info *di, uint8_t *drep)
1248{
1249 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1250 pinfo, tree, di, drep,
1251 NULL((void*)0));
1252
1253 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1254 pinfo, tree, di, drep);
1255
1256 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1257 pinfo, tree, di, drep);
1258
1259 return offset;
1260}
1261
1262/*
1263 * IDL typedef struct {
1264 * IDL char chl[8];
1265 * IDL } CHALLENGE;
1266 */
1267static int
1268netlogon_dissect_CHALLENGE(tvbuff_t *tvb, int offset,
1269 packet_info *pinfo _U___attribute__((unused)), proto_tree *tree,
1270 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
1271{
1272 if(di->conformant_run){
1273 /*just a run to handle conformant arrays, nothing to dissect.*/
1274 return offset;
1275 }
1276
1277 proto_tree_add_item(tree, hf_netlogon_challenge, tvb, offset, 8,
1278 ENC_NA0x00000000);
1279 offset += 8;
1280
1281 return offset;
1282}
1283
1284static int
1285netlogon_dissect_NETWORK_INFO(tvbuff_t *tvb, int offset,
1286 packet_info *pinfo, proto_tree *tree,
1287 dcerpc_info *di, uint8_t *drep)
1288{
1289 struct LOGON_INFO_STATE *state =
1290 (struct LOGON_INFO_STATE *)di->private_data;
1291 int last_offset;
1292 struct LOGON_INFO_STATE_CB *nt_cb = NULL((void*)0);
1293 struct LOGON_INFO_STATE_CB *lm_cb = NULL((void*)0);
1294
1295 if (state == NULL((void*)0)) {
1296 state = wmem_new0(pinfo->pool, struct LOGON_INFO_STATE)((struct LOGON_INFO_STATE*)wmem_alloc0((pinfo->pool), sizeof
(struct LOGON_INFO_STATE)))
;
1297 state->ntlmssph = (ntlmssp_header_t) { .type = NTLMSSP_AUTH3, };
1298 state->domain_cb.state = state;
1299 state->domain_cb.name_ptr = &state->ntlmssph.domain_name;
1300 state->acct_cb.state = state;
1301 state->acct_cb.name_ptr = &state->ntlmssph.acct_name;
1302 state->host_cb.state = state;
1303 state->host_cb.name_ptr = &state->ntlmssph.host_name;
1304 state->nt_cb.state = state;
1305 state->nt_cb.response = &state->nt_response;
1306 state->lm_cb.state = state;
1307 state->lm_cb.response = &state->lm_response;
1308 di->private_data = state;
1309 }
1310 state->pinfo = pinfo;
1311 state->tree = tree;
1312
1313 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1314 pinfo, tree, di, drep,
1315 state);
1316 last_offset = offset;
1317 offset = netlogon_dissect_CHALLENGE(tvb, offset,
1318 pinfo, tree, di, drep);
1319 if (offset == (last_offset + 8)) {
1320 tvb_memcpy(tvb, state->server_challenge, last_offset, 8);
1321 nt_cb = &state->nt_cb;
1322 lm_cb = &state->lm_cb;
1323 }
1324 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep,
1325 hf_netlogon_nt_chal_resp,
1326 nt_cb);
1327 offset = dissect_ndr_lm_nt_hash_helper(tvb,offset,pinfo, tree, di, drep,
1328 hf_netlogon_lm_chal_resp,
1329 lm_cb);
1330 return offset;
1331}
1332
1333
1334/*
1335 * IDL typedef struct {
1336 * IDL LOGON_IDENTITY_INFO logon_info;
1337 * IDL LM_OWF_PASSWORD lmpassword;
1338 * IDL NT_OWF_PASSWORD ntpassword;
1339 * IDL } SERVICE_INFO;
1340 */
1341static int
1342netlogon_dissect_SERVICE_INFO(tvbuff_t *tvb, int offset,
1343 packet_info *pinfo, proto_tree *tree,
1344 dcerpc_info *di, uint8_t *drep)
1345{
1346 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1347 pinfo, tree, di, drep,
1348 NULL((void*)0));
1349
1350 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
1351 pinfo, tree, di, drep);
1352
1353 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
1354 pinfo, tree, di, drep);
1355
1356 return offset;
1357}
1358
1359static int
1360netlogon_dissect_GENERIC_INFO(tvbuff_t *tvb, int offset,
1361 packet_info *pinfo, proto_tree *tree,
1362 dcerpc_info *di, uint8_t *drep)
1363{
1364 offset = netlogon_dissect_LOGON_IDENTITY_INFO(tvb, offset,
1365 pinfo, tree, di, drep,
1366 NULL((void*)0));
1367
1368 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1369 hf_netlogon_package_name, 0|CB_STR_SAVE0x20000000);
1370
1371 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1372 hf_netlogon_data_length, NULL((void*)0));
1373
1374 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1375 netlogon_dissect_BYTE_array, NDR_POINTER_REF1,
1376 "Logon Data", -1);
1377 return offset;
1378}
1379/*
1380 * IDL typedef [switch_type(short)] union {
1381 * IDL [case(1)][unique] INTERACTIVE_INFO *iinfo;
1382 * IDL [case(2)][unique] NETWORK_INFO *ninfo;
1383 * IDL [case(3)][unique] SERVICE_INFO *sinfo;
1384 * IDL } LEVEL;
1385 */
1386static int
1387netlogon_dissect_LEVEL(tvbuff_t *tvb, int offset,
1388 packet_info *pinfo, proto_tree *tree,
1389 dcerpc_info *di, uint8_t *drep)
1390{
1391 uint16_t level = 0;
1392
1393 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1394 hf_netlogon_level16, &level);
1395 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
1396 switch(level){
1397 case 1:
1398 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1399 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE2,
1400 "INTERACTIVE_INFO:", -1);
1401 break;
1402 case 2:
1403 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1404 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE2,
1405 "NETWORK_INFO:", -1);
1406 break;
1407 case 3:
1408 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1409 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE2,
1410 "SERVICE_INFO:", -1);
1411 break;
1412 case 4:
1413 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1414 netlogon_dissect_GENERIC_INFO, NDR_POINTER_UNIQUE2,
1415 "GENERIC_INFO:", -1);
1416 break;
1417 case 5:
1418 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1419 netlogon_dissect_INTERACTIVE_INFO, NDR_POINTER_UNIQUE2,
1420 "INTERACTIVE_TRANSITIVE_INFO:", -1);
1421 break;
1422 case 6:
1423 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1424 netlogon_dissect_NETWORK_INFO, NDR_POINTER_UNIQUE2,
1425 "NETWORK_TRANSITIVE_INFO", -1);
1426 break;
1427 case 7:
1428 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1429 netlogon_dissect_SERVICE_INFO, NDR_POINTER_UNIQUE2,
1430 "SERVICE_TRANSITIVE_INFO", -1);
1431 break;
1432 }
1433 return offset;
1434}
1435
1436/*
1437 * IDL typedef struct {
1438 * IDL char cred[8];
1439 * IDL } CREDENTIAL;
1440 */
1441static int
1442netlogon_dissect_CREDENTIAL(tvbuff_t *tvb, int offset,
1443 packet_info *pinfo _U___attribute__((unused)), proto_tree *tree,
1444 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
1445{
1446 if(di->conformant_run){
1447 /*just a run to handle conformant arrays, nothing to dissect.*/
1448 return offset;
1449 }
1450
1451 proto_tree_add_item(tree, hf_netlogon_credential, tvb, offset, 8,
1452 ENC_NA0x00000000);
1453 offset += 8;
1454
1455 return offset;
1456}
1457
1458
1459/*
1460 * IDL typedef struct {
1461 * IDL CREDENTIAL cred;
1462 * IDL long timestamp;
1463 * IDL } AUTHENTICATOR;
1464 */
1465static int
1466netlogon_dissect_AUTHENTICATOR(tvbuff_t *tvb, int offset,
1467 packet_info *pinfo, proto_tree *tree,
1468 dcerpc_info *di, uint8_t *drep)
1469{
1470 if(di->conformant_run){
1471 /*just a run to handle conformant arrays, nothing to dissect */
1472 return offset;
1473 }
1474
1475 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
1476
1477 offset = netlogon_dissect_CREDENTIAL(tvb, offset,
1478 pinfo, tree, di, drep);
1479
1480 /*
1481 * XXX - this appears to be a UNIX time_t in some credentials, but
1482 * appears to be random junk in other credentials.
1483 * For example, it looks like a UNIX time_t in "credential"
1484 * AUTHENTICATORs, but like random junk in "return_authenticator"
1485 * AUTHENTICATORs.
1486 */
1487 proto_tree_add_item(tree, hf_netlogon_timestamp, tvb, offset, 4, ENC_TIME_SECS0x00000012|ENC_LITTLE_ENDIAN0x80000000);
1488 offset+= 4;
1489
1490 return offset;
1491}
1492
1493
1494/*
1495 * IDL typedef struct {
1496 * IDL long user_id;
1497 * IDL long attributes;
1498 * IDL } GROUP_MEMBERSHIP;
1499 */
1500static int
1501netlogon_dissect_GROUP_MEMBERSHIP(tvbuff_t *tvb, int offset,
1502 packet_info *pinfo, proto_tree *parent_tree,
1503 dcerpc_info *di, uint8_t *drep)
1504{
1505 proto_item *item=NULL((void*)0);
1506 proto_tree *tree=NULL((void*)0);
1507
1508 if(parent_tree){
1509 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
1510 ett_GROUP_MEMBERSHIP, &item, "GROUP_MEMBERSHIP:");
1511 }
1512
1513 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1514 hf_netlogon_group_rid, NULL((void*)0));
1515
1516 offset = dissect_ndr_nt_SE_GROUP_ATTRIBUTES(tvb, offset, pinfo, tree, di, drep);
1517
1518 return offset;
1519}
1520
1521static int
1522netlogon_dissect_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1523 packet_info *pinfo, proto_tree *tree,
1524 dcerpc_info *di, uint8_t *drep)
1525{
1526 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
1527 netlogon_dissect_GROUP_MEMBERSHIP);
1528
1529 return offset;
1530}
1531
1532/*
1533 * IDL typedef struct {
1534 * IDL char user_session_key[16];
1535 * IDL } USER_SESSION_KEY;
1536 */
1537static int
1538netlogon_dissect_USER_SESSION_KEY(tvbuff_t *tvb, int offset,
1539 packet_info *pinfo _U___attribute__((unused)), proto_tree *tree,
1540 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
1541{
1542 if(di->conformant_run){
1543 /*just a run to handle conformant arrays, nothing to dissect.*/
1544 return offset;
1545 }
1546
1547 proto_tree_add_item(tree, hf_netlogon_user_session_key, tvb, offset, 16,
1548 ENC_NA0x00000000);
1549 offset += 16;
1550
1551 return offset;
1552}
1553
1554
1555
1556static const true_false_string user_flags_extra_sids= {
1557 "The EXTRA_SIDS bit is SET",
1558 "The extra_sids is NOT set",
1559};
1560static const true_false_string user_flags_resource_groups= {
1561 "The RESOURCE_GROUPS bit is SET",
1562 "The resource_groups is NOT set",
1563};
1564static int
1565netlogon_dissect_USER_FLAGS(tvbuff_t *tvb, int offset,
1566 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
1567{
1568 uint32_t mask;
1569 static int * const flags[] = {
1570 &hf_netlogon_user_flags_resource_groups,
1571 &hf_netlogon_user_flags_extra_sids,
1572 NULL((void*)0)
1573 };
1574
1575 if(di->conformant_run){
1576 /*just a run to handle conformant arrays, nothing to dissect */
1577 return offset;
1578 }
1579
1580 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL((void*)0), di, drep,
1581 -1, &mask);
1582
1583 proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_user_flags, ett_user_flags, flags, mask, BMT_NO_APPEND0x01);
1584 return offset;
1585}
1586
1587static int
1588netlogon_dissect_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
1589 packet_info *pinfo, proto_tree *tree,
1590 dcerpc_info *di, uint8_t *drep,
1591 int hf_count, const char *array_name)
1592{
1593 uint32_t rgc;
1594
1595 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1596 hf_count, &rgc);
1597
1598 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1599 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE2,
1600 array_name, -1);
1601
1602 return offset;
1603}
1604
1605static int
1606netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
1607 packet_info *pinfo, proto_tree *parent_tree,
1608 dcerpc_info *di, uint8_t *drep,
1609 int hf_count, const char *name)
1610{
1611 proto_item *item=NULL((void*)0);
1612 proto_tree *tree=NULL((void*)0);
1613 int old_offset=offset;
1614
1615 if(parent_tree){
1616 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
1617 ett_domain_group_memberships,
1618 &item, name);
1619 }
1620
1621 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1622
1623 offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
1624 pinfo, tree,
1625 di, drep,
1626 hf_count,
1627 "GroupIDs");
1628
1629 proto_item_set_len(item, offset-old_offset);
1630 return offset;
1631}
1632
1633static int
1634netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER(tvbuff_t *tvb, int offset,
1635 packet_info *pinfo, proto_tree *tree,
1636 dcerpc_info *di, uint8_t *drep)
1637{
1638 return netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset,
1639 pinfo, tree,
1640 di, drep,
1641 hf_netlogon_domaingroupcount,
1642 "DomainGroupIDs");
1643}
1644
1645static int
1646netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY(tvbuff_t *tvb, int offset,
1647 packet_info *pinfo, proto_tree *tree,
1648 dcerpc_info *di, uint8_t *drep)
1649{
1650 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
1651 netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS_WRAPPER);
1652
1653 return offset;
1654}
1655
1656static int
1657netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvbuff_t *tvb, int offset,
1658 packet_info *pinfo, proto_tree *parent_tree,
1659 dcerpc_info *di, uint8_t *drep,
1660 int hf_count, const char *name)
1661{
1662 proto_item *item=NULL((void*)0);
1663 proto_tree *tree=NULL((void*)0);
1664 int old_offset=offset;
1665 uint32_t rgc;
1666
1667 if(parent_tree){
1668 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
1669 ett_domains_group_memberships,
1670 &item, name);
1671 }
1672
1673 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1674 hf_count, &rgc);
1675
1676 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1677 netlogon_dissect_DOMAIN_GROUP_MEMBERSHIP_ARRAY,
1678 NDR_POINTER_UNIQUE2,
1679 name, -1);
1680
1681 proto_item_set_len(item, offset-old_offset);
1682 return offset;
1683}
1684
1685/*
1686 * IDL typedef struct {
1687 * IDL uint64 LogonTime;
1688 * IDL uint64 LogoffTime;
1689 * IDL uint64 KickOffTime;
1690 * IDL uint64 PasswdLastSet;
1691 * IDL uint64 PasswdCanChange;
1692 * IDL uint64 PasswdMustChange;
1693 * IDL unicodestring effectivename;
1694 * IDL unicodestring fullname;
1695 * IDL unicodestring logonscript;
1696 * IDL unicodestring profilepath;
1697 * IDL unicodestring homedirectory;
1698 * IDL unicodestring homedirectorydrive;
1699 * IDL short LogonCount;
1700 * IDL short BadPasswdCount;
1701 * IDL long userid;
1702 * IDL long primarygroup;
1703 * IDL long groupcount;
1704 * IDL [unique][size_is(groupcount)] GROUP_MEMBERSHIP *groupids;
1705 * IDL long userflags;
1706 * IDL USER_SESSION_KEY key;
1707 * IDL unicodestring logonserver;
1708 * IDL unicodestring domainname;
1709 * IDL [unique] SID logondomainid;
1710 * IDL long expansionroom[2];
1711 * IDL long useraccountcontrol;
1712 * IDL long expansionroom[7];
1713 * IDL } VALIDATION_SAM_INFO;
1714 */
1715static int
1716netlogon_dissect_VALIDATION_SAM_INFO(tvbuff_t *tvb, int offset,
1717 packet_info *pinfo, proto_tree *tree,
1718 dcerpc_info *di, uint8_t *drep)
1719{
1720
1721 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1722 hf_netlogon_logon_time);
1723
1724 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1725 hf_netlogon_logoff_time);
1726
1727 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1728 hf_netlogon_kickoff_time);
1729
1730 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1731 hf_netlogon_pwd_last_set_time);
1732
1733 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1734 hf_netlogon_pwd_can_change_time);
1735
1736 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1737 hf_netlogon_pwd_must_change_time);
1738
1739 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1740 hf_netlogon_acct_name, 0);
1741
1742 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1743 hf_netlogon_full_name, 0);
1744
1745 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1746 hf_netlogon_logon_script, 0);
1747
1748 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1749 hf_netlogon_profile_path, 0);
1750
1751 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1752 hf_netlogon_home_dir, 0);
1753
1754 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1755 hf_netlogon_dir_drive, 0);
1756
1757 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1758 hf_netlogon_logon_count16, NULL((void*)0));
1759
1760 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1761 hf_netlogon_bad_pw_count16, NULL((void*)0));
1762
1763 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1764 hf_netlogon_user_rid, NULL((void*)0));
1765
1766 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1767 hf_netlogon_group_rid, NULL((void*)0));
1768
1769 offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
1770 pinfo, tree, di, drep,
1771 hf_netlogon_num_rids,
1772 "GroupIDs");
1773
1774 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1775 pinfo, tree, di, drep);
1776
1777 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1778 pinfo, tree, di, drep);
1779
1780 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1781 hf_netlogon_logon_srv, 0);
1782
1783 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1784 hf_netlogon_logon_dom, 0);
1785
1786 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1787
1788 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1789 hf_netlogon_dummy1_long, NULL((void*)0));
1790
1791 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1792 hf_netlogon_dummy2_long, NULL((void*)0));
1793
1794 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1795 pinfo, tree, di, drep);
1796
1797 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1798 hf_netlogon_dummy4_long, NULL((void*)0));
1799
1800 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1801 hf_netlogon_dummy5_long, NULL((void*)0));
1802
1803 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1804 hf_netlogon_dummy6_long, NULL((void*)0));
1805
1806 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1807 hf_netlogon_dummy7_long, NULL((void*)0));
1808
1809 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1810 hf_netlogon_dummy8_long, NULL((void*)0));
1811
1812 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1813 hf_netlogon_dummy9_long, NULL((void*)0));
1814
1815 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1816 hf_netlogon_dummy10_long, NULL((void*)0));
1817
1818 return offset;
1819}
1820
1821
1822
1823/*
1824 * IDL typedef struct {
1825 * IDL uint64 LogonTime;
1826 * IDL uint64 LogoffTime;
1827 * IDL uint64 KickOffTime;
1828 * IDL uint64 PasswdLastSet;
1829 * IDL uint64 PasswdCanChange;
1830 * IDL uint64 PasswdMustChange;
1831 * IDL unicodestring effectivename;
1832 * IDL unicodestring fullname;
1833 * IDL unicodestring logonscript;
1834 * IDL unicodestring profilepath;
1835 * IDL unicodestring homedirectory;
1836 * IDL unicodestring homedirectorydrive;
1837 * IDL short LogonCount;
1838 * IDL short BadPasswdCount;
1839 * IDL long userid;
1840 * IDL long primarygroup;
1841 * IDL long groupcount;
1842 * IDL [unique] GROUP_MEMBERSHIP *groupids;
1843 * IDL long userflags;
1844 * IDL USER_SESSION_KEY key;
1845 * IDL unicodestring logonserver;
1846 * IDL unicodestring domainname;
1847 * IDL [unique] SID logondomainid;
1848 * IDL long expansionroom[2];
1849 * IDL long useraccountcontrol;
1850 * IDL long expansionroom[7];
1851 * IDL long sidcount;
1852 * IDL [unique] SID_AND_ATTRIBS;
1853 * IDL } VALIDATION_SAM_INFO2;
1854 */
1855static int
1856netlogon_dissect_VALIDATION_SAM_INFO2(tvbuff_t *tvb, int offset,
1857 packet_info *pinfo, proto_tree *tree,
1858 dcerpc_info *di, uint8_t *drep)
1859{
1860 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di,drep);
1861#if 0
1862 int i;
1863
1864 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1865 hf_netlogon_logon_time);
1866
1867 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1868 hf_netlogon_logoff_time);
1869
1870 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1871 hf_netlogon_kickoff_time);
1872
1873 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1874 hf_netlogon_pwd_last_set_time);
1875
1876 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1877 hf_netlogon_pwd_can_change_time);
1878
1879 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
1880 hf_netlogon_pwd_must_change_time);
1881
1882 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1883 hf_netlogon_acct_name, 0);
1884
1885 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1886 hf_netlogon_full_name, 0);
1887
1888 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1889 hf_netlogon_logon_script, 0);
1890
1891 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1892 hf_netlogon_profile_path, 0);
1893
1894 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1895 hf_netlogon_home_dir, 0);
1896
1897 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1898 hf_netlogon_dir_drive, 0);
1899
1900 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1901 hf_netlogon_logon_count16, NULL((void*)0));
1902
1903 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
1904 hf_netlogon_bad_pw_count16, NULL((void*)0));
1905
1906 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1907 hf_netlogon_user_rid, NULL((void*)0));
1908
1909 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1910 hf_netlogon_group_rid, NULL((void*)0));
1911
1912 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1913 hf_netlogon_num_rids, NULL((void*)0));
1914
1915 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1916 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE2,
1917 "GROUP_MEMBERSHIP_ARRAY", -1);
1918
1919 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
1920 pinfo, tree, di, drep);
1921
1922 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
1923 pinfo, tree, di, drep);
1924
1925 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1926 hf_netlogon_logon_srv, 0);
1927
1928 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1929 hf_netlogon_logon_dom, 0);
1930
1931 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
1932
1933 for(i=0;i<2;i++){
1934 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1935 hf_netlogon_unknown_long, NULL((void*)0));
1936 }
1937 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
1938 pinfo, tree, di, drep);
1939
1940 for(i=0;i<7;i++){
1941 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1942 hf_netlogon_unknown_long, NULL((void*)0));
1943 }
1944#endif
1945 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
1946 hf_netlogon_num_sid, NULL((void*)0));
1947
1948 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
1949 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE2,
1950 "SID_AND_ATTRIBUTES_ARRAY:", -1);
1951
1952 return offset;
1953}
1954
1955
1956static int
1957netlogon_dissect_VALIDATION_SAM_INFO4(tvbuff_t *tvb, int offset,
1958 packet_info *pinfo, proto_tree *tree,
1959 dcerpc_info *di, uint8_t *drep)
1960{
1961 offset = netlogon_dissect_VALIDATION_SAM_INFO2(tvb,offset,pinfo,tree,di,drep);
1962
1963 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1964 hf_netlogon_logon_dnslogondomainname, 0);
1965
1966 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1967 hf_netlogon_logon_upn, 0);
1968
1969 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1970 hf_netlogon_dummy_string, 0);
1971
1972 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1973 hf_netlogon_dummy_string2, 0);
1974
1975 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1976 hf_netlogon_dummy_string3, 0);
1977
1978 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1979 hf_netlogon_dummy_string4, 0);
1980
1981 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1982 hf_netlogon_dummy_string5, 0);
1983
1984 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1985 hf_netlogon_dummy_string6, 0);
1986
1987 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1988 hf_netlogon_dummy_string7, 0);
1989
1990 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1991 hf_netlogon_dummy_string8, 0);
1992
1993 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1994 hf_netlogon_dummy_string9, 0);
1995
1996 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
1997 hf_netlogon_dummy_string10, 0);
1998 return offset;
1999}
2000
2001/*
2002 * IDL typedef struct {
2003 * IDL uint64 LogonTime;
2004 * IDL uint64 LogoffTime;
2005 * IDL uint64 KickOffTime;
2006 * IDL uint64 PasswdLastSet;
2007 * IDL uint64 PasswdCanChange;
2008 * IDL uint64 PasswdMustChange;
2009 * IDL unicodestring effectivename;
2010 * IDL unicodestring fullname;
2011 * IDL unicodestring logonscript;
2012 * IDL unicodestring profilepath;
2013 * IDL unicodestring homedirectory;
2014 * IDL unicodestring homedirectorydrive;
2015 * IDL short LogonCount;
2016 * IDL short BadPasswdCount;
2017 * IDL long userid;
2018 * IDL long primarygroup;
2019 * IDL long groupcount;
2020 * IDL [unique] GROUP_MEMBERSHIP *groupids;
2021 * IDL long userflags;
2022 * IDL USER_SESSION_KEY key;
2023 * IDL unicodestring logonserver;
2024 * IDL unicodestring domainname;
2025 * IDL [unique] SID logondomainid;
2026 * IDL long expansionroom[2];
2027 * IDL long useraccountcontrol;
2028 * IDL long expansionroom[7];
2029 * IDL long sidcount;
2030 * IDL [unique] SID_AND_ATTRIBS;
2031 * IDL [unique] SID resourcegroupdomainsid;
2032 * IDL long resourcegroupcount;
2033 qqq
2034 * IDL } PAC_LOGON_INFO;
2035 */
2036int
2037netlogon_dissect_PAC_LOGON_INFO(tvbuff_t *tvb, int offset,
2038 packet_info *pinfo, proto_tree *tree,
2039 dcerpc_info *di, uint8_t *drep)
2040{
2041 offset = netlogon_dissect_VALIDATION_SAM_INFO(tvb,offset,pinfo,tree,di, drep);
2042#if 0
2043 int i;
2044
2045 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2046 hf_netlogon_logon_time);
2047
2048 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2049 hf_netlogon_logoff_time);
2050
2051 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2052 hf_netlogon_kickoff_time);
2053
2054 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2055 hf_netlogon_pwd_last_set_time);
2056
2057 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2058 hf_netlogon_pwd_can_change_time);
2059
2060 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
2061 hf_netlogon_pwd_must_change_time);
2062
2063 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2064 hf_netlogon_acct_name, 0);
2065
2066 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2067 hf_netlogon_full_name, 0);
2068
2069 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2070 hf_netlogon_logon_script, 0);
2071
2072 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2073 hf_netlogon_profile_path, 0);
2074
2075 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2076 hf_netlogon_home_dir, 0);
2077
2078 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2079 hf_netlogon_dir_drive, 0);
2080
2081 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2082 hf_netlogon_logon_count16, NULL((void*)0));
2083
2084 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2085 hf_netlogon_bad_pw_count16, NULL((void*)0));
2086
2087 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2088 hf_netlogon_user_rid, NULL((void*)0));
2089
2090 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2091 hf_netlogon_group_rid, NULL((void*)0));
2092
2093 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2094 hf_netlogon_num_rids, NULL((void*)0));
2095
2096 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2097 netlogon_dissect_GROUP_MEMBERSHIP_ARRAY, NDR_POINTER_UNIQUE2,
2098 "GROUP_MEMBERSHIP_ARRAY", -1);
2099
2100 offset = netlogon_dissect_USER_FLAGS(tvb, offset,
2101 pinfo, tree, di, drep);
2102
2103 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
2104 pinfo, tree, di, drep);
2105
2106 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2107 hf_netlogon_logon_srv, 0);
2108
2109 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2110 hf_netlogon_logon_dom, 0);
2111
2112 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
2113
2114 for(i=0;i<2;i++){
2115 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2116 hf_netlogon_unknown_long, NULL((void*)0));
2117 }
2118 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
2119 pinfo, tree, di, drep);
2120
2121 for(i=0;i<7;i++){
2122 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2123 hf_netlogon_unknown_long, NULL((void*)0));
2124 }
2125#endif
2126
2127 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2128 hf_netlogon_num_sid, NULL((void*)0));
2129
2130 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2131 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE2,
2132 "SID_AND_ATTRIBUTES_ARRAY:", -1);
2133
2134 offset = netlogon_dissect_DOMAIN_GROUP_MEMBERSHIPS(tvb, offset,
2135 pinfo, tree, di, drep,
2136 hf_netlogon_resourcegroupcount,
2137 "ResourceGroupIDs");
2138
2139 return offset;
2140}
2141
2142static int
2143netlogon_dissect_S4U_Transited_Service_name(tvbuff_t *tvb, int offset,
2144 packet_info *pinfo, proto_tree *tree,
2145 dcerpc_info *di, uint8_t *drep)
2146{
2147 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2148 hf_netlogon_transited_service, 1);
2149
2150 return offset;
2151}
2152
2153static int
2154netlogon_dissect_S4U_Transited_Services_array(tvbuff_t *tvb, int offset,
2155 packet_info *pinfo, proto_tree *tree,
2156 dcerpc_info *di, uint8_t *drep)
2157{
2158 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
2159 netlogon_dissect_S4U_Transited_Service_name);
2160
2161 return offset;
2162}
2163
2164int
2165netlogon_dissect_PAC_S4U_DELEGATION_INFO(tvbuff_t *tvb, int offset,
2166 packet_info *pinfo, proto_tree *tree,
2167 dcerpc_info *di, uint8_t *drep)
2168{
2169 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2170 hf_netlogon_s4u2proxytarget, 0);
2171
2172 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2173 hf_netlogon_transitedlistsize, NULL((void*)0));
2174
2175 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2176 netlogon_dissect_S4U_Transited_Services_array, NDR_POINTER_UNIQUE2,
2177 "S4UTransitedServices", -1);
2178
2179 return offset;
2180}
2181
2182struct device_sid_callback_args {
2183 const char **device_sid_ptr;
2184 uint32_t user_rid;
2185 const char *domain_sid;
2186 const char *device_sid;
2187};
2188
2189static void device_sid_callback_fnct(packet_info *pinfo _U___attribute__((unused)),
2190 proto_tree *tree _U___attribute__((unused)),
2191 proto_item *item _U___attribute__((unused)),
2192 dcerpc_info *di,
2193 tvbuff_t *tvb _U___attribute__((unused)),
2194 int start_offset _U___attribute__((unused)),
2195 int end_offset _U___attribute__((unused)),
2196 void *callback_args)
2197{
2198 struct device_sid_callback_args *args =
2199 (struct device_sid_callback_args *)callback_args;
2200 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
2201 const char *p = NULL((void*)0);
2202 ptrdiff_t len;
2203
2204 if (di->ptype != UINT8_MAX(255)) {
2205 return;
2206 }
2207
2208 if (dcv == NULL((void*)0)) {
2209 return;
2210 }
2211
2212 if (args == NULL((void*)0)) {
2213 return;
2214 }
2215
2216 args->domain_sid = (const char *)dcv->private_data;
2217 if (args->domain_sid == NULL((void*)0)) {
2218 /* this should not happen... */
2219 return;
2220 }
2221
2222 len = strnlen(args->domain_sid, 64);
2223
2224 /* remove any debug info after the sid */
2225 p = memchr(args->domain_sid, ' ', len);
2226 if (p != NULL((void*)0)) {
2227 ptrdiff_t mlen = p - args->domain_sid;
2228 if (mlen < len) {
2229 len = mlen;
2230 }
2231 }
2232 p = memchr(args->domain_sid, '(', len);
2233 if (p != NULL((void*)0)) {
2234 ptrdiff_t mlen = p - args->domain_sid;
2235 if (mlen < len) {
2236 len = mlen;
2237 }
2238 }
2239
2240 /*
2241 * we know we're called dissect_krb5_PAC_DEVICE_INFO
2242 * so we should allocate the device_sid on wmem_epan_scope()
2243 */
2244 args->device_sid = wmem_strdup_printf(wmem_epan_scope(),
2245 "%*.*s-%" PRIu32"u",
2246 (int)len, (int)len,
2247 args->domain_sid,
2248 args->user_rid);
2249 *args->device_sid_ptr = args->device_sid;
2250}
2251
2252/*
2253 * IDL typedef struct {
2254 * IDL long UserId;
2255 * IDL long PrimaryGroupId;
2256 * IDL SID AccountDomainId;
2257 * IDL long AccountGroupCount;
2258 * IDL [size_is(AccountGroupCount)] PGROUP_MEMBERSHIP AccountGroupIds;
2259 * IDL ULONG SidCount;
2260 * IDL [size_is(SidCount)] PKERB_SID_AND_ATTRIBUTES ExtraSids;
2261 * IDL ULONG DomainGroupCount;
2262 * IDL [size_is(DomainGroupCount)] PDOMAIN_GROUP_MEMBERSHIP DomainGroup;
2263 * IDL } PAC_DEVICE_INFO;
2264 */
2265int
2266netlogon_dissect_PAC_DEVICE_INFO(tvbuff_t *tvb, int offset,
2267 packet_info *pinfo, proto_tree *tree,
2268 dcerpc_info *di, uint8_t *drep)
2269{
2270 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
2271 struct device_sid_callback_args *args = NULL((void*)0);
2272 uint32_t *user_rid_ptr = NULL((void*)0);
2273
2274 if (dcv && di->ptype == UINT8_MAX(255) && dcv->private_data) {
2275 args = wmem_new0(pinfo->pool, struct device_sid_callback_args)((struct device_sid_callback_args*)wmem_alloc0((pinfo->pool
), sizeof(struct device_sid_callback_args)))
;
2276 /*
2277 * dissect_krb5_PAC_DEVICE_INFO passes
2278 * a pointer to const char *device_sid
2279 */
2280 args->device_sid_ptr = dcv->private_data;
2281 user_rid_ptr = &args->user_rid;
2282 }
2283
2284 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2285 hf_netlogon_user_rid, user_rid_ptr);
2286
2287 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2288 hf_netlogon_group_rid, NULL((void*)0));
2289
2290 offset = dissect_ndr_nt_PSID_cb(tvb, offset, pinfo, tree, di, drep,
2291 device_sid_callback_fnct, args);
2292
2293 offset = netlogon_dissect_GROUP_MEMBERSHIPS(tvb, offset,
2294 pinfo, tree, di, drep,
2295 hf_netlogon_accountdomaingroupcount,
2296 "AccountDomainGroupIds");
2297
2298 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2299 hf_netlogon_num_sid, NULL((void*)0));
2300
2301 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2302 dissect_ndr_nt_SID_AND_ATTRIBUTES_ARRAY, NDR_POINTER_UNIQUE2,
2303 "ExtraSids:SID_AND_ATTRIBUTES_ARRAY:", -1);
2304
2305 offset = netlogon_dissect_DOMAINS_GROUP_MEMBERSHIPS(tvb, offset,
2306 pinfo, tree, di, drep,
2307 hf_netlogon_membership_domains_count,
2308 "ExtraDomain Membership Array");
2309
2310 return offset;
2311}
2312
2313#if 0
2314static int
2315netlogon_dissect_PAC(tvbuff_t *tvb, int offset,
2316 packet_info *pinfo, proto_tree *tree,
2317 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
2318{
2319 uint32_t pac_size;
2320
2321 if(di->conformant_run){
2322 return offset;
2323 }
2324
2325 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2326 hf_netlogon_pac_size, &pac_size);
2327
2328 proto_tree_add_item(tree, hf_netlogon_pac_data, tvb, offset, pac_size,
2329 ENC_NA0x00000000);
2330 offset += pac_size;
2331
2332 return offset;
2333}
2334
2335static int
2336netlogon_dissect_AUTH(tvbuff_t *tvb, int offset,
2337 packet_info *pinfo, proto_tree *tree,
2338 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
2339{
2340 uint32_t auth_size;
2341
2342 if(di->conformant_run){
2343 return offset;
2344 }
2345
2346 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2347 hf_netlogon_auth_size, &auth_size);
2348
2349 proto_tree_add_item(tree, hf_netlogon_auth_data, tvb, offset, auth_size,
2350 ENC_NA0x00000000);
2351 offset += auth_size;
2352
2353 return offset;
2354}
2355#endif
2356
2357static int
2358netlogon_dissect_VALIDATION_GENERIC_INFO2 (tvbuff_t *tvb, int offset,
2359 packet_info *pinfo, proto_tree *tree,
2360 dcerpc_info *di, uint8_t *drep)
2361{
2362 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2363 hf_netlogon_data_length, NULL((void*)0));
2364
2365 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2366 netlogon_dissect_BYTE_array, NDR_POINTER_REF1,
2367 "Validation Data", -1);
2368
2369 return offset;
2370}
2371/*
2372 * IDL typedef struct {
2373 * IDL long pac_size
2374 * IDL [unique][size_is(pac_size)] char *pac;
2375 * IDL UNICODESTRING logondomain;
2376 * IDL UNICODESTRING logonserver;
2377 * IDL UNICODESTRING principalname;
2378 * IDL long auth_size;
2379 * IDL [unique][size_is(auth_size)] char *auth;
2380 * IDL USER_SESSION_KEY user_session_key;
2381 * IDL long expansionroom[2];
2382 * IDL long useraccountcontrol;
2383 * IDL long expansionroom[7];
2384 * IDL UNICODESTRING dummy1;
2385 * IDL UNICODESTRING dummy2;
2386 * IDL UNICODESTRING dummy3;
2387 * IDL UNICODESTRING dummy4;
2388 * IDL } VALIDATION_PAC_INFO;
2389 */
2390#if 0 /* Not used (anymore ?) */
2391static int
2392netlogon_dissect_VALIDATION_PAC_INFO(tvbuff_t *tvb, int offset,
2393 packet_info *pinfo, proto_tree *tree,
2394 dcerpc_info *di, uint8_t *drep)
2395{
2396 int i;
2397
2398 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2399 hf_netlogon_pac_size, NULL((void*)0));
2400
2401 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2402 netlogon_dissect_PAC, NDR_POINTER_UNIQUE2, "PAC:", -1);
2403
2404 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2405 hf_netlogon_logon_dom, 0);
2406
2407 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2408 hf_netlogon_logon_srv, 0);
2409
2410 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2411 hf_netlogon_principal, 0);
2412
2413 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2414 hf_netlogon_auth_size, NULL((void*)0));
2415
2416 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2417 netlogon_dissect_AUTH, NDR_POINTER_UNIQUE2, "AUTH:", -1);
2418
2419 offset = netlogon_dissect_USER_SESSION_KEY(tvb, offset,
2420 pinfo, tree, di, drep);
2421
2422 for(i=0;i<2;i++){
2423 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2424 hf_netlogon_unknown_long, NULL((void*)0));
2425 }
2426 offset = netlogon_dissect_USER_ACCOUNT_CONTROL(tvb, offset,
2427 pinfo, tree, di, drep);
2428
2429 for(i=0;i<7;i++){
2430 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
2431 hf_netlogon_unknown_long, NULL((void*)0));
2432 }
2433
2434 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2435 hf_netlogon_dummy, 0);
2436
2437 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2438 hf_netlogon_dummy, 0);
2439
2440 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2441 hf_netlogon_dummy, 0);
2442
2443 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
2444 hf_netlogon_dummy, 0);
2445
2446 return offset;
2447}
2448#endif
2449
2450/*
2451 * IDL typedef [switch_type(short)] union {
2452 * IDL [case(1)][unique] VALIDATION_UAS *uas;
2453 * IDL [case(2)][unique] VALIDATION_SAM_INFO *sam;
2454 * IDL [case(3)][unique] VALIDATION_SAM_INFO2 *sam2;
2455 * IDL [case(4)][unique] VALIDATION_GENERIC_INFO *generic;
2456 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2457 * IDL [case(5)][unique] VALIDATION_GENERIC_INFO *generic2;
2458 * IDL [case(6)][unique] VALIDATION_SAM_INFO4 *sam4;
2459 * IDL } VALIDATION;
2460 */
2461static int
2462netlogon_dissect_VALIDATION(tvbuff_t *tvb, int offset,
2463 packet_info *pinfo, proto_tree *tree,
2464 dcerpc_info *di, uint8_t *drep)
2465{
2466 uint16_t level = 0;
2467
2468 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2469 hf_netlogon_validation_level, &level);
2470
2471 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
2472 switch(level){
2473 case 1:
2474 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2475 netlogon_dissect_VALIDATION_UAS_INFO, NDR_POINTER_UNIQUE2,
2476 "VALIDATION_UAS_INFO:", -1);
2477 break;
2478 case 2:
2479 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2480 netlogon_dissect_VALIDATION_SAM_INFO, NDR_POINTER_UNIQUE2,
2481 "VALIDATION_SAM_INFO:", -1);
2482 break;
2483 case 3:
2484 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2485 netlogon_dissect_VALIDATION_SAM_INFO2, NDR_POINTER_UNIQUE2,
2486 "VALIDATION_SAM_INFO2:", -1);
2487 break;
2488 case 4:
2489 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2490 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE2,
2491 "VALIDATION_INFO:", -1);
2492 break;
2493 case 5:
2494 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2495 netlogon_dissect_VALIDATION_GENERIC_INFO2, NDR_POINTER_UNIQUE2,
2496 "VALIDATION_INFO2:", -1);
2497 break;
2498 case 6:
2499 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2500 netlogon_dissect_VALIDATION_SAM_INFO4, NDR_POINTER_UNIQUE2,
2501 "VALIDATION_SAM_INFO4:", -1);
2502 break;
2503 }
2504 return offset;
2505}
2506/*
2507 * IDL long NetrLogonSamLogonWithFlags(
2508 * IDL [in][unique][string] wchar_t *ServerName,
2509 * IDL [in][unique][string] wchar_t *Workstation,
2510 * IDL [in][unique] AUTHENTICATOR *credential,
2511 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2512 * IDL [in] short LogonLevel,
2513 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2514 * IDL [in] short ValidationLevel,
2515 * IDL [out][ref] VALIDATION *validation,
2516 * IDL [out][ref] boolean Authoritative
2517 * IDL [in][out] unsigned long ExtraFlags
2518 * IDL );
2519 */
2520static int
2521netlogon_dissect_netrlogonsamlogonflags_rqst(tvbuff_t *tvb, int offset,
2522 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2523{
2524 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2525 pinfo, tree, di, drep);
2526
2527 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2528 NDR_POINTER_UNIQUE2, "Computer Name",
2529 hf_netlogon_computer_name, 0);
2530
2531 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2532 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2533 "AUTHENTICATOR: credential", -1);
2534
2535 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2536 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2537 "AUTHENTICATOR: return_authenticator", -1);
2538
2539 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2540 hf_netlogon_level16, NULL((void*)0));
2541
2542 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2543 netlogon_dissect_LEVEL, NDR_POINTER_REF1,
2544 "LEVEL: LogonLevel", -1);
2545
2546 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2547 hf_netlogon_validation_level, NULL((void*)0));
2548
2549 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
2550
2551 return offset;
2552}
2553
2554static int
2555netlogon_dissect_netrlogonsamlogonflags_reply(tvbuff_t *tvb, int offset,
2556 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2557{
2558 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2559 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2560 "AUTHENTICATOR: return_authenticator", -1);
2561
2562 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2563 netlogon_dissect_VALIDATION, NDR_POINTER_REF1,
2564 "VALIDATION:", -1);
2565
2566 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2567 hf_netlogon_authoritative, NULL((void*)0));
2568
2569 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
2570
2571 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2572 hf_netlogon_rc, NULL((void*)0));
2573
2574 return offset;
2575}
2576
2577
2578
2579/*
2580 * IDL long NetrLogonSamLogon(
2581 * IDL [in][unique][string] wchar_t *ServerName,
2582 * IDL [in][unique][string] wchar_t *Workstation,
2583 * IDL [in][unique] AUTHENTICATOR *credential,
2584 * IDL [in][out][unique] AUTHENTICATOR *returnauthenticator,
2585 * IDL [in] short LogonLevel,
2586 * IDL [in][ref] LOGON_LEVEL *logonlevel,
2587 * IDL [in] short ValidationLevel,
2588 * IDL [out][ref] VALIDATION *validation,
2589 * IDL [out][ref] boolean Authoritative
2590 * IDL );
2591 */
2592static int
2593netlogon_dissect_netrlogonsamlogon_rqst(tvbuff_t *tvb, int offset,
2594 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2595{
2596 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2597 pinfo, tree, di, drep);
2598
2599 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2600 NDR_POINTER_UNIQUE2, "Computer Name",
2601 hf_netlogon_computer_name, 0);
2602
2603 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2604 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2605 "AUTHENTICATOR: credential", -1);
2606
2607 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2608 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2609 "AUTHENTICATOR: return_authenticator", -1);
2610
2611 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2612 hf_netlogon_level16, NULL((void*)0));
2613
2614 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2615 netlogon_dissect_LEVEL, NDR_POINTER_REF1,
2616 "LEVEL: LogonLevel", -1);
2617
2618 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2619 hf_netlogon_validation_level, NULL((void*)0));
2620
2621 return offset;
2622}
2623
2624static int
2625netlogon_dissect_netrlogonsamlogon_reply(tvbuff_t *tvb, int offset,
2626 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2627{
2628 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2629 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2630 "AUTHENTICATOR: return_authenticator", -1);
2631
2632 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2633 netlogon_dissect_VALIDATION, NDR_POINTER_REF1,
2634 "VALIDATION:", -1);
2635
2636 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
2637 hf_netlogon_authoritative, NULL((void*)0));
2638
2639 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2640 hf_netlogon_rc, NULL((void*)0));
2641
2642 return offset;
2643}
2644
2645
2646/*
2647 * IDL long NetrLogonSamLogoff(
2648 * IDL [in][unique][string] wchar_t *ServerName,
2649 * IDL [in][unique][string] wchar_t *ComputerName,
2650 * IDL [in][unique] AUTHENTICATOR credential,
2651 * IDL [in][unique] AUTHENTICATOR return_authenticator,
2652 * IDL [in] short logon_level,
2653 * IDL [in][ref] LEVEL logoninformation
2654 * IDL );
2655 */
2656static int
2657netlogon_dissect_netrlogonsamlogoff_rqst(tvbuff_t *tvb, int offset,
2658 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2659{
2660 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
2661 pinfo, tree, di, drep);
2662
2663 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
2664 NDR_POINTER_UNIQUE2, "Computer Name",
2665 hf_netlogon_computer_name, 0);
2666
2667 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2668 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2669 "AUTHENTICATOR: credential", -1);
2670
2671 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2672 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2673 "AUTHENTICATOR: return_authenticator", -1);
2674
2675 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
2676 hf_netlogon_level16, NULL((void*)0));
2677
2678 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2679 netlogon_dissect_LEVEL, NDR_POINTER_REF1,
2680 "LEVEL: logoninformation", -1);
2681
2682 return offset;
2683}
2684static int
2685netlogon_dissect_netrlogonsamlogoff_reply(tvbuff_t *tvb, int offset,
2686 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2687{
2688
2689 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2690 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_UNIQUE2,
2691 "AUTHENTICATOR: return_authenticator", -1);
2692
2693 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2694 hf_netlogon_rc, NULL((void*)0));
2695
2696 return offset;
2697}
2698
2699static void generate_hash_key(packet_info *pinfo,unsigned char is_server,netlogon_auth_key *key)
2700{
2701 if(is_server) {
2702 copy_address_shallow(&key->server,&pinfo->src);
2703 copy_address_shallow(&key->client,&pinfo->dst);
2704 }
2705 else {
2706 copy_address_shallow(&key->server,&pinfo->dst);
2707 copy_address_shallow(&key->client,&pinfo->src);
2708 }
2709
2710}
2711
2712static netlogon_auth_vars *create_global_netlogon_auth_vars(packet_info *pinfo,
2713 const char *computer_name,
2714 unsigned char is_server)
2715{
2716 netlogon_auth_vars *vars = NULL((void*)0);
2717 netlogon_auth_vars *old_vars_head = NULL((void*)0);
2718 netlogon_auth_vars *last = NULL((void*)0);
2719 netlogon_auth_vars *cur = NULL((void*)0);
2720 netlogon_auth_vars *new_vars_head = NULL((void*)0);
2721 netlogon_auth_key key;
2722
2723 vars = wmem_new0(wmem_file_scope(), netlogon_auth_vars)((netlogon_auth_vars*)wmem_alloc0((wmem_file_scope()), sizeof
(netlogon_auth_vars)))
;
2724 vars->client_name = wmem_strdup(wmem_file_scope(), computer_name);
2725 vars->start = pinfo->num;
2726 vars->auth_fd_num = -1;
2727 vars->next_start = -1;
2728 vars->next = NULL((void*)0);
2729
2730 generate_hash_key(pinfo, is_server, &key);
2731 old_vars_head = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &key);
2732 for (cur = old_vars_head; cur != NULL((void*)0); last = cur, cur = cur->next) {
2733 if (cur->start == vars->start) {
2734 ws_debug("It seems that I already record this vars start packet = %d",vars->start)do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 2734, __func__,
"It seems that I already record this vars start packet = %d"
,vars->start); } } while (0)
;
2735 wmem_free(wmem_file_scope(), vars);
2736 return cur;
2737 }
2738
2739 if (cur->start > vars->start) {
2740 vars->next = cur;
2741 vars->next_start = cur->start;
2742 if (last != NULL((void*)0)) {
2743 last->next = vars;
2744 last->next_start = vars->start;
2745 }
2746 break;
2747 }
2748 if (new_vars_head == NULL((void*)0)) {
2749 new_vars_head = cur;
2750 }
2751
2752 if (cur->next == NULL((void*)0)) {
2753 cur->next = vars;
2754 cur->next_start = vars->start;
2755 break;
2756 }
2757 if (cur->next->start > vars->start) {
2758 vars->next = cur->next;
2759 vars->next_start = cur->next_start;
2760 cur->next = vars;
2761 cur->next_start = vars->start;
2762 break;
2763 }
2764 }
2765 if (new_vars_head == NULL((void*)0)) {
2766 new_vars_head = vars;
2767 }
2768
2769 for (cur = new_vars_head; cur != NULL((void*)0); cur = cur->next) {
2770 if (cur->auth_fd_num != -1) {
2771 ws_assert(cur->start <= cur->auth_fd_num)do { if ((1) && !(cur->start <= cur->auth_fd_num
)) ws_log_fatal_full("packet-dcerpc-netlogon", LOG_LEVEL_ERROR
, "epan/dissectors/packet-dcerpc-netlogon.c", 2771, __func__,
"assertion failed: %s", "cur->start <= cur->auth_fd_num"
); } while (0)
;
2772 ws_abort_if_fail(cur->start <= cur->auth_fd_num)do { if ((1) && !(cur->start <= cur->auth_fd_num
)) ws_log_fatal_full("packet-dcerpc-netlogon", LOG_LEVEL_ERROR
, "epan/dissectors/packet-dcerpc-netlogon.c", 2772, __func__,
"assertion failed: %s", "cur->start <= cur->auth_fd_num"
); } while (0)
;
2773 }
2774 if (cur->next == NULL((void*)0)) {
2775 ws_assert(cur->next_start == -1)do { if ((1) && !(cur->next_start == -1)) ws_log_fatal_full
("packet-dcerpc-netlogon", LOG_LEVEL_ERROR, "epan/dissectors/packet-dcerpc-netlogon.c"
, 2775, __func__, "assertion failed: %s", "cur->next_start == -1"
); } while (0)
;
2776 ws_abort_if_fail(cur->next_start == -1)do { if ((1) && !(cur->next_start == -1)) ws_log_fatal_full
("packet-dcerpc-netlogon", LOG_LEVEL_ERROR, "epan/dissectors/packet-dcerpc-netlogon.c"
, 2776, __func__, "assertion failed: %s", "cur->next_start == -1"
); } while (0)
;
2777 continue;
2778 }
2779 ws_assert(cur->start < cur->next->start)do { if ((1) && !(cur->start < cur->next->
start)) ws_log_fatal_full("packet-dcerpc-netlogon", LOG_LEVEL_ERROR
, "epan/dissectors/packet-dcerpc-netlogon.c", 2779, __func__,
"assertion failed: %s", "cur->start < cur->next->start"
); } while (0)
;
2780 ws_abort_if_fail(cur->start < cur->next->start)do { if ((1) && !(cur->start < cur->next->
start)) ws_log_fatal_full("packet-dcerpc-netlogon", LOG_LEVEL_ERROR
, "epan/dissectors/packet-dcerpc-netlogon.c", 2780, __func__,
"assertion failed: %s", "cur->start < cur->next->start"
); } while (0)
;
2781 ws_assert(cur->next_start == cur->next->start)do { if ((1) && !(cur->next_start == cur->next->
start)) ws_log_fatal_full("packet-dcerpc-netlogon", LOG_LEVEL_ERROR
, "epan/dissectors/packet-dcerpc-netlogon.c", 2781, __func__,
"assertion failed: %s", "cur->next_start == cur->next->start"
); } while (0)
;
2782 ws_abort_if_fail(cur->next_start == cur->next->start)do { if ((1) && !(cur->next_start == cur->next->
start)) ws_log_fatal_full("packet-dcerpc-netlogon", LOG_LEVEL_ERROR
, "epan/dissectors/packet-dcerpc-netlogon.c", 2782, __func__,
"assertion failed: %s", "cur->next_start == cur->next->start"
); } while (0)
;
2783 }
2784
2785 if (old_vars_head != new_vars_head) {
2786 netlogon_auth_key *k = (netlogon_auth_key *)wmem_memdup(wmem_file_scope(), &key, sizeof(netlogon_auth_key));
2787 copy_address_wmem(wmem_file_scope(), &k->client, &key.client);
2788 copy_address_wmem(wmem_file_scope(), &k->server, &key.server);
2789 if (old_vars_head != NULL((void*)0)) {
2790 wmem_map_remove(netlogon_auths, &key);
2791 }
2792 wmem_map_insert(netlogon_auths, k, vars);
2793 }
2794
2795 return vars;
2796}
2797
2798static netlogon_auth_vars *find_tmp_netlogon_auth_vars(packet_info *pinfo, unsigned char is_server)
2799{
2800 netlogon_auth_vars *lvars = NULL((void*)0);
2801 netlogon_auth_vars *avars = NULL((void*)0);
2802 netlogon_auth_key akey;
2803
2804 generate_hash_key(pinfo, is_server, &akey);
2805 lvars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &akey);
2806
2807 for (; lvars != NULL((void*)0); lvars = lvars->next) {
2808 int fd_num = (int) pinfo->num;
2809
2810 if (fd_num <= lvars->start) {
2811 /*
2812 * Before it even started,
2813 * can't be used..., keep
2814 * avars if we already found
2815 * one.
2816 */
2817 break;
2818 }
2819 /*
2820 * remember the current match,
2821 * but try to find a better one...
2822 */
2823 avars = lvars;
2824 if (lvars->auth_fd_num == -1) {
2825 /*
2826 * No ServerAuthenticate{,1,3}, keep
2827 * avars if we already found one,
2828 * but try to find a better one...
2829 */
2830 continue;
2831 }
2832 if (fd_num <= lvars->auth_fd_num) {
2833 /*
2834 * Before ServerAuthenticate{,1,3},
2835 * take it...
2836 */
2837 break;
2838 }
2839 /*
2840 * try to find a better one...
2841 */
2842 avars = NULL((void*)0);
2843 }
2844
2845 return avars;
2846}
2847
2848static netlogon_auth_vars *find_global_netlogon_auth_vars(packet_info *pinfo, unsigned char is_server)
2849{
2850 netlogon_auth_vars *lvars = NULL((void*)0);
2851 netlogon_auth_vars *avars = NULL((void*)0);
2852 netlogon_auth_key akey;
2853
2854 generate_hash_key(pinfo, is_server, &akey);
2855 lvars = (netlogon_auth_vars *)wmem_map_lookup(netlogon_auths, &akey);
2856
2857 for (; lvars != NULL((void*)0); lvars = lvars->next) {
2858 int fd_num = (int) pinfo->num;
2859
2860 if (fd_num <= lvars->start) {
2861 /*
2862 * Before it even started,
2863 * can't be used..., keep
2864 * avars if we already found
2865 * one.
2866 */
2867 break;
2868 }
2869 if (lvars->auth_fd_num == -1) {
2870 /*
2871 * No ServerAuthenticate{,1,3},
2872 * no session key available,
2873 * just ignore...
2874 */
2875 continue;
2876 }
2877 if (fd_num <= lvars->auth_fd_num) {
2878 /*
2879 * Before ServerAuthenticate{,1,3}
2880 * can't be used..., keep
2881 * avars if we already found
2882 * one.
2883 */
2884 break;
2885 }
2886 /*
2887 * remember the current match,
2888 * but try to find a better one...
2889 */
2890 avars = lvars;
2891 }
2892
2893 return avars;
2894}
2895
2896static netlogon_auth_vars *find_or_create_schannel_netlogon_auth_vars(packet_info *pinfo,
2897 dcerpc_auth_info *auth_info,
2898 unsigned char is_server)
2899{
2900 dcerpc_auth_schannel_key skey = {
2901 .conv = find_or_create_conversation(pinfo),
2902 .transport_salt = dcerpc_get_transport_salt(pinfo),
2903 .auth_context_id = auth_info->auth_context_id,
2904 };
2905 dcerpc_auth_schannel_key *sk = NULL((void*)0);
2906 netlogon_auth_vars *svars = NULL((void*)0);
2907 netlogon_auth_vars *avars = NULL((void*)0);
2908
2909 svars = (netlogon_auth_vars *)wmem_map_lookup(schannel_auths, &skey);
2910 if (svars != NULL((void*)0)) {
2911 return svars;
2912 }
2913
2914 avars = find_global_netlogon_auth_vars(pinfo, is_server);
2915 if (avars == NULL((void*)0)) {
2916 return NULL((void*)0);
2917 }
2918
2919 sk = wmem_memdup(wmem_file_scope(), &skey, sizeof(dcerpc_auth_schannel_key));
2920 if (sk == NULL((void*)0)) {
2921 return NULL((void*)0);
2922 }
2923
2924 svars = wmem_memdup(wmem_file_scope(), avars, sizeof(netlogon_auth_vars));
2925 if (svars == NULL((void*)0)) {
2926 return NULL((void*)0);
2927 }
2928 svars->client_name = wmem_strdup(wmem_file_scope(), avars->client_name);
2929 if (svars->client_name == NULL((void*)0)) {
2930 return NULL((void*)0);
2931 }
2932 svars->next_start = -1;
2933 svars->next = NULL((void*)0);
2934
2935 wmem_map_insert(schannel_auths, sk, svars);
2936
2937 return svars;
2938}
2939
2940/*
2941 * IDL long NetrServerReqChallenge(
2942 * IDL [in][unique][string] wchar_t *ServerName,
2943 * IDL [in][ref][string] wchar_t *ComputerName,
2944 * IDL [in][ref] CREDENTIAL client_credential,
2945 * IDL [out][ref] CREDENTIAL server_credential
2946 * IDL );
2947 */
2948static int
2949netlogon_dissect_netrserverreqchallenge_rqst(tvbuff_t *tvb, int offset,
2950 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2951{
2952 /*int oldoffset = offset;*/
2953 netlogon_auth_vars *vars;
2954 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
2955
2956 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset, pinfo, tree, di, drep);
2957 offset = dissect_ndr_pointer_cb(
2958 tvb, offset, pinfo, tree, di, drep,
2959 dissect_ndr_wchar_cvstring, NDR_POINTER_REF1,
2960 "Computer Name", hf_netlogon_computer_name,
2961 cb_wstr_postprocess,
2962 GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1)((gpointer) (glong) (0x10000000 |0x20000000 | 1)));
2963
2964 ws_debug("1)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data),offset,(char*)dcv->private_data)do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 2964, __func__,
"1)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data
),offset,(char*)dcv->private_data); } } while (0)
;
2965 vars = create_global_netlogon_auth_vars(pinfo, (char*)dcv->private_data, 0);
2966 ws_debug("2)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data),offset,vars->client_name)do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 2966, __func__,
"2)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data
),offset,vars->client_name); } } while (0)
;
2967
2968 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2969 hf_client_challenge,&vars->client_challenge);
2970
2971 return offset;
2972}
2973
2974static int
2975netlogon_dissect_netrserverreqchallenge_reply(tvbuff_t *tvb, int offset,
2976 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
2977{
2978 netlogon_auth_vars *vars;
2979 uint64_t server_challenge;
2980
2981 vars = find_tmp_netlogon_auth_vars(pinfo, 1);
2982
2983 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
2984 hf_server_challenge, &server_challenge);
2985 /*offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
2986 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF,
2987 "CREDENTIAL: server credential", -1);*/
2988
2989 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
2990 hf_netlogon_rc, NULL((void*)0));
2991 if(vars != NULL((void*)0)) {
2992 vars->server_challenge = server_challenge;
2993 }
2994/*
2995 else
2996 {
2997 ws_debug("Vars not found in challenge reply");
2998 }
2999*/
3000 return offset;
3001}
3002
3003
3004static int
3005netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvbuff_t *tvb, int offset,
3006 packet_info *pinfo, proto_tree *tree,
3007 dcerpc_info *di, uint8_t *drep)
3008{
3009 offset = dissect_ndr_uint1632(tvb, offset, pinfo, tree, di, drep,
3010 hf_netlogon_secure_channel_type, NULL((void*)0));
3011
3012 return offset;
3013}
3014
3015
3016/*
3017 * IDL long NetrServerAuthenticate(
3018 * IDL [in][unique][string] wchar_t *ServerName,
3019 * IDL [in][ref][string] wchar_t *UserName,
3020 * IDL [in] short secure_challenge_type,
3021 * IDL [in][ref][string] wchar_t *ComputerName,
3022 * IDL [in][ref] CREDENTIAL client_challenge,
3023 * IDL [out][ref] CREDENTIAL server_challenge
3024 * IDL );
3025 */
3026static int
3027netlogon_dissect_netrserverauthenticate_rqst(tvbuff_t *tvb, int offset,
3028 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
3029{
3030 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3031 pinfo, tree, di, drep);
3032
3033 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
3034 NDR_POINTER_REF1, "User Name", hf_netlogon_acct_name, CB_STR_COL_INFO0x10000000);
3035
3036 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3037 pinfo, tree, di, drep);
3038
3039 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
3040 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, CB_STR_COL_INFO0x10000000);
3041
3042 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3043 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF1,
3044 "CREDENTIAL: client challenge", -1);
3045
3046 return offset;
3047}
3048static int
3049netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
3050 packet_info *pinfo,
3051 proto_tree *tree,
3052 dcerpc_info *di,
3053 uint8_t *drep,
3054 int version);
3055static int
3056netlogon_dissect_netrserverauthenticate_reply(tvbuff_t *tvb, int offset,
3057 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
3058{
3059 return netlogon_dissect_netrserverauthenticate023_reply(tvb,offset,pinfo,tree,di,drep,0);
3060}
3061
3062
3063
3064/*
3065 * IDL typedef struct {
3066 * IDL char encrypted_password[16];
3067 * IDL } ENCRYPTED_LM_OWF_PASSWORD;
3068 */
3069static int
3070netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD(tvbuff_t *tvb, int offset,
3071 packet_info *pinfo _U___attribute__((unused)), proto_tree *tree,
3072 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
3073{
3074 if(di->conformant_run){
3075 /*just a run to handle conformant arrays, nothing to dissect.*/
3076 return offset;
3077 }
3078
3079 proto_tree_add_item(tree, hf_netlogon_encrypted_lm_owf_password, tvb, offset, 16,
3080 ENC_NA0x00000000);
3081 offset += 16;
3082
3083 return offset;
3084}
3085
3086/*
3087 * IDL long NetrServerPasswordSet(
3088 * IDL [in][unique][string] wchar_t *ServerName,
3089 * IDL [in][ref][string] wchar_t *UserName,
3090 * IDL [in] short secure_challenge_type,
3091 * IDL [in][ref][string] wchar_t *ComputerName,
3092 * IDL [in][ref] AUTHENTICATOR credential,
3093 * IDL [in][ref] LM_OWF_PASSWORD UasNewPassword,
3094 * IDL [out][ref] AUTHENTICATOR return_authenticator
3095 * IDL );
3096 */
3097static int
3098netlogon_dissect_netrserverpasswordset_rqst(tvbuff_t *tvb, int offset,
3099 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
3100{
3101 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
3102 pinfo, tree, di, drep);
3103
3104 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
3105 NDR_POINTER_REF1, "User Name", hf_netlogon_acct_name, 0);
3106
3107 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
3108 pinfo, tree, di, drep);
3109
3110 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
3111 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
3112
3113 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3114 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
3115 "AUTHENTICATOR: credential", -1);
3116
3117 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3118 netlogon_dissect_ENCRYPTED_LM_OWF_PASSWORD, NDR_POINTER_REF1,
3119 "ENCRYPTED_LM_OWF_PASSWORD: hashed_pwd", -1);
3120
3121 return offset;
3122}
3123static int
3124netlogon_dissect_netrserverpasswordset_reply(tvbuff_t *tvb, int offset,
3125 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
3126{
3127 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3128 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
3129 "AUTHENTICATOR: return_authenticator", -1);
3130
3131 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
3132 hf_netlogon_rc, NULL((void*)0));
3133
3134 return offset;
3135}
3136
3137
3138/*
3139 * IDL typedef struct {
3140 * IDL [unique][string] wchar_t *UserName;
3141 * IDL UNICODESTRING dummy1;
3142 * IDL UNICODESTRING dummy2;
3143 * IDL UNICODESTRING dummy3;
3144 * IDL UNICODESTRING dummy4;
3145 * IDL long dummy5;
3146 * IDL long dummy6;
3147 * IDL long dummy7;
3148 * IDL long dummy8;
3149 * IDL } DELTA_DELETE_USER;
3150 */
3151static int
3152netlogon_dissect_DELTA_DELETE_USER(tvbuff_t *tvb, int offset,
3153 packet_info *pinfo, proto_tree *tree,
3154 dcerpc_info *di, uint8_t *drep)
3155{
3156 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
3157 NDR_POINTER_UNIQUE2, "Account Name", hf_netlogon_acct_name, 0);
3158
3159 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3160 hf_netlogon_dummy, 0);
3161
3162 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3163 hf_netlogon_dummy, 0);
3164
3165 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3166 hf_netlogon_dummy, 0);
3167
3168 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3169 hf_netlogon_dummy, 0);
3170
3171 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3172 hf_netlogon_reserved, NULL((void*)0));
3173
3174 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3175 hf_netlogon_reserved, NULL((void*)0));
3176
3177 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3178 hf_netlogon_reserved, NULL((void*)0));
3179
3180 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3181 hf_netlogon_reserved, NULL((void*)0));
3182
3183 return offset;
3184}
3185
3186
3187/*
3188 * IDL typedef struct {
3189 * IDL bool SensitiveDataFlag;
3190 * IDL long DataLength;
3191 * IDL [unique][size_is(DataLength)] char *SensitiveData;
3192 * IDL } USER_PRIVATE_INFO;
3193 */
3194static int
3195netlogon_dissect_SENSITIVE_DATA(tvbuff_t *tvb, int offset,
3196 packet_info *pinfo, proto_tree *tree,
3197 dcerpc_info *di, uint8_t *drep)
3198{
3199 uint32_t data_len;
3200
3201 if(di->conformant_run){
3202 /*just a run to handle conformant arrays, nothing to dissect */
3203 return offset;
3204 }
3205
3206 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3207 hf_netlogon_sensitive_data_len, &data_len);
3208
3209 proto_tree_add_item(tree, hf_netlogon_sensitive_data, tvb, offset,
3210 data_len, ENC_NA0x00000000);
3211 offset += data_len;
3212
3213 return offset;
3214}
3215static int
3216netlogon_dissect_USER_PRIVATE_INFO(tvbuff_t *tvb, int offset,
3217 packet_info *pinfo, proto_tree *tree,
3218 dcerpc_info *di, uint8_t *drep)
3219{
3220 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
3221 hf_netlogon_sensitive_data_flag, NULL((void*)0));
3222
3223 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3224 hf_netlogon_sensitive_data_len, NULL((void*)0));
3225
3226 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3227 netlogon_dissect_SENSITIVE_DATA, NDR_POINTER_UNIQUE2,
3228 "SENSITIVE_DATA", -1);
3229
3230 return offset;
3231}
3232
3233/*
3234 * IDL typedef struct {
3235 * IDL UNICODESTRING UserName;
3236 * IDL UNICODESTRING FullName;
3237 * IDL long UserID;
3238 * IDL long PrimaryGroupID;
3239 * IDL UNICODESTRING HomeDir;
3240 * IDL UNICODESTRING HomeDirDrive;
3241 * IDL UNICODESTRING LogonScript;
3242 * IDL UNICODESTRING Comment;
3243 * IDL UNICODESTRING Workstations;
3244 * IDL NTTIME LastLogon;
3245 * IDL NTTIME LastLogoff;
3246 * IDL LOGON_HOURS logonhours;
3247 * IDL short BadPwCount;
3248 * IDL short LogonCount;
3249 * IDL NTTIME PwLastSet;
3250 * IDL NTTIME AccountExpires;
3251 * IDL long AccountControl;
3252 * IDL LM_OWF_PASSWORD lmpw;
3253 * IDL NT_OWF_PASSWORD ntpw;
3254 * IDL bool NTPwPresent;
3255 * IDL bool LMPwPresent;
3256 * IDL bool PwExpired;
3257 * IDL UNICODESTRING UserComment;
3258 * IDL UNICODESTRING Parameters;
3259 * IDL short CountryCode;
3260 * IDL short CodePage;
3261 * IDL USER_PRIVATE_INFO user_private_info;
3262 * IDL long SecurityInformation;
3263 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3264 * IDL UNICODESTRING dummy1;
3265 * IDL UNICODESTRING dummy2;
3266 * IDL UNICODESTRING dummy3;
3267 * IDL UNICODESTRING dummy4;
3268 * IDL long dummy5;
3269 * IDL long dummy6;
3270 * IDL long dummy7;
3271 * IDL long dummy8;
3272 * IDL } DELTA_USER;
3273 */
3274static int
3275netlogon_dissect_DELTA_USER(tvbuff_t *tvb, int offset,
3276 packet_info *pinfo, proto_tree *tree,
3277 dcerpc_info *di, uint8_t *drep)
3278{
3279 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3280 hf_netlogon_acct_name, 3);
3281
3282 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3283 hf_netlogon_full_name, 0);
3284
3285 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3286 hf_netlogon_user_rid, NULL((void*)0));
3287
3288 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3289 hf_netlogon_group_rid, NULL((void*)0));
3290
3291 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3292 hf_netlogon_home_dir, 0);
3293
3294 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3295 hf_netlogon_dir_drive, 0);
3296
3297 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3298 hf_netlogon_logon_script, 0);
3299
3300 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3301 hf_netlogon_acct_desc, 0);
3302
3303 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3304 hf_netlogon_workstations, 0);
3305
3306 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3307 hf_netlogon_logon_time);
3308
3309 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3310 hf_netlogon_logoff_time);
3311
3312 offset = dissect_ndr_nt_LOGON_HOURS(tvb, offset, pinfo, tree, di, drep);
3313
3314 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3315 hf_netlogon_bad_pw_count16, NULL((void*)0));
3316
3317 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3318 hf_netlogon_logon_count16, NULL((void*)0));
3319
3320 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3321 hf_netlogon_pwd_last_set_time);
3322
3323 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3324 hf_netlogon_acct_expiry_time);
3325
3326 offset = dissect_ndr_nt_acct_ctrl(tvb, offset, pinfo, tree, di, drep);
3327
3328 offset = netlogon_dissect_LM_OWF_PASSWORD(tvb, offset,
3329 pinfo, tree, di, drep);
3330
3331 offset = netlogon_dissect_NT_OWF_PASSWORD(tvb, offset,
3332 pinfo, tree, di, drep);
3333
3334 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
3335 hf_netlogon_nt_pwd_present, NULL((void*)0));
3336
3337 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
3338 hf_netlogon_lm_pwd_present, NULL((void*)0));
3339
3340 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
3341 hf_netlogon_pwd_expired, NULL((void*)0));
3342
3343 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3344 hf_netlogon_comment, 0);
3345
3346 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3347 hf_netlogon_parameters, 0);
3348
3349 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3350 hf_netlogon_country, NULL((void*)0));
3351
3352 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3353 hf_netlogon_codepage, NULL((void*)0));
3354
3355 offset = netlogon_dissect_USER_PRIVATE_INFO(tvb, offset, pinfo, tree,
3356 di, drep);
3357
3358 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3359 hf_netlogon_security_information, NULL((void*)0));
3360
3361 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3362
3363 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3364 hf_netlogon_dummy, 0);
3365
3366 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3367 hf_netlogon_dummy, 0);
3368
3369 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3370 hf_netlogon_dummy, 0);
3371
3372 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3373 hf_netlogon_dummy, 0);
3374
3375 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3376 hf_netlogon_reserved, NULL((void*)0));
3377
3378 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3379 hf_netlogon_reserved, NULL((void*)0));
3380
3381 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3382 hf_netlogon_reserved, NULL((void*)0));
3383
3384 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3385 hf_netlogon_reserved, NULL((void*)0));
3386
3387 return offset;
3388}
3389
3390
3391/*
3392 * IDL typedef struct {
3393 * IDL UNICODESTRING DomainName;
3394 * IDL UNICODESTRING OEMInfo;
3395 * IDL NTTIME forcedlogoff;
3396 * IDL short minpasswdlen;
3397 * IDL short passwdhistorylen;
3398 * IDL NTTIME pwd_must_change_time;
3399 * IDL NTTIME pwd_can_change_time;
3400 * IDL NTTIME domain_modify_time;
3401 * IDL NTTIME domain_create_time;
3402 * IDL long SecurityInformation;
3403 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3404 * IDL UNICODESTRING dummy1;
3405 * IDL UNICODESTRING dummy2;
3406 * IDL UNICODESTRING dummy3;
3407 * IDL UNICODESTRING dummy4;
3408 * IDL long dummy5;
3409 * IDL long dummy6;
3410 * IDL long dummy7;
3411 * IDL long dummy8;
3412 * IDL } DELTA_DOMAIN;
3413 */
3414static int
3415netlogon_dissect_DELTA_DOMAIN(tvbuff_t *tvb, int offset,
3416 packet_info *pinfo, proto_tree *tree,
3417 dcerpc_info *di, uint8_t *drep)
3418{
3419 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3420 hf_netlogon_domain_name, 3);
3421
3422 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3423 hf_netlogon_oem_info, 0);
3424
3425 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3426 hf_netlogon_kickoff_time);
3427
3428 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3429 hf_netlogon_minpasswdlen, NULL((void*)0));
3430
3431 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
3432 hf_netlogon_passwdhistorylen, NULL((void*)0));
3433
3434 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3435 hf_netlogon_pwd_must_change_time);
3436
3437 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3438 hf_netlogon_pwd_can_change_time);
3439
3440 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3441 hf_netlogon_domain_modify_time);
3442
3443 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3444 hf_netlogon_domain_create_time);
3445
3446 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3447 hf_netlogon_security_information, NULL((void*)0));
3448
3449 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3450
3451 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3452 hf_netlogon_dummy, 0);
3453
3454 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3455 hf_netlogon_dummy, 0);
3456
3457 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3458 hf_netlogon_dummy, 0);
3459
3460 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3461 hf_netlogon_dummy, 0);
3462
3463 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3464 hf_netlogon_reserved, NULL((void*)0));
3465
3466 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3467 hf_netlogon_reserved, NULL((void*)0));
3468
3469 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3470 hf_netlogon_reserved, NULL((void*)0));
3471
3472 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3473 hf_netlogon_reserved, NULL((void*)0));
3474
3475 return offset;
3476}
3477
3478
3479/*
3480 * IDL typedef struct {
3481 * IDL UNICODESTRING groupname;
3482 * IDL GROUP_MEMBERSHIP group_membership;
3483 * IDL UNICODESTRING comment;
3484 * IDL long SecurityInformation;
3485 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3486 * IDL UNICODESTRING dummy1;
3487 * IDL UNICODESTRING dummy2;
3488 * IDL UNICODESTRING dummy3;
3489 * IDL UNICODESTRING dummy4;
3490 * IDL long dummy5;
3491 * IDL long dummy6;
3492 * IDL long dummy7;
3493 * IDL long dummy8;
3494 * IDL } DELTA_GROUP;
3495 */
3496static int
3497netlogon_dissect_DELTA_GROUP(tvbuff_t *tvb, int offset,
3498 packet_info *pinfo, proto_tree *tree,
3499 dcerpc_info *di, uint8_t *drep)
3500{
3501 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3502 hf_netlogon_group_name, 3);
3503
3504 offset = netlogon_dissect_GROUP_MEMBERSHIP(tvb, offset,
3505 pinfo, tree, di, drep);
3506
3507 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3508 hf_netlogon_group_desc, 0);
3509
3510 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3511 hf_netlogon_security_information, NULL((void*)0));
3512
3513 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3514
3515 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3516 hf_netlogon_dummy, 0);
3517
3518 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3519 hf_netlogon_dummy, 0);
3520
3521 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3522 hf_netlogon_dummy, 0);
3523
3524 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3525 hf_netlogon_dummy, 0);
3526
3527 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3528 hf_netlogon_reserved, NULL((void*)0));
3529
3530 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3531 hf_netlogon_reserved, NULL((void*)0));
3532
3533 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3534 hf_netlogon_reserved, NULL((void*)0));
3535
3536 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3537 hf_netlogon_reserved, NULL((void*)0));
3538
3539 return offset;
3540}
3541
3542
3543/*
3544 * IDL typedef struct {
3545 * IDL UNICODESTRING OldName;
3546 * IDL UNICODESTRING NewName;
3547 * IDL UNICODESTRING dummy1;
3548 * IDL UNICODESTRING dummy2;
3549 * IDL UNICODESTRING dummy3;
3550 * IDL UNICODESTRING dummy4;
3551 * IDL long dummy5;
3552 * IDL long dummy6;
3553 * IDL long dummy7;
3554 * IDL long dummy8;
3555 * IDL } DELTA_RENAME;
3556 */
3557static int
3558netlogon_dissect_DELTA_RENAME(tvbuff_t *tvb, int offset,
3559 packet_info *pinfo, proto_tree *tree,
3560 dcerpc_info *di, uint8_t *drep)
3561{
3562 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3563 di->hf_index, 0);
3564
3565 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3566 di->hf_index, 0);
3567
3568 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3569 hf_netlogon_dummy, 0);
3570
3571 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3572 hf_netlogon_dummy, 0);
3573
3574 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3575 hf_netlogon_dummy, 0);
3576
3577 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3578 hf_netlogon_dummy, 0);
3579
3580 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3581 hf_netlogon_reserved, NULL((void*)0));
3582
3583 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3584 hf_netlogon_reserved, NULL((void*)0));
3585
3586 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3587 hf_netlogon_reserved, NULL((void*)0));
3588
3589 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3590 hf_netlogon_reserved, NULL((void*)0));
3591
3592 return offset;
3593}
3594
3595
3596static int
3597netlogon_dissect_RID(tvbuff_t *tvb, int offset,
3598 packet_info *pinfo, proto_tree *tree,
3599 dcerpc_info *di, uint8_t *drep)
3600{
3601 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3602 hf_netlogon_user_rid, NULL((void*)0));
3603
3604 return offset;
3605}
3606
3607static int
3608netlogon_dissect_RID_array(tvbuff_t *tvb, int offset,
3609 packet_info *pinfo, proto_tree *tree,
3610 dcerpc_info *di, uint8_t *drep)
3611{
3612 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3613 netlogon_dissect_RID);
3614
3615 return offset;
3616}
3617
3618static int
3619netlogon_dissect_ATTRIB(tvbuff_t *tvb, int offset,
3620 packet_info *pinfo, proto_tree *tree,
3621 dcerpc_info *di, uint8_t *drep)
3622{
3623 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3624 hf_netlogon_attrs, NULL((void*)0));
3625
3626 return offset;
3627}
3628
3629static int
3630netlogon_dissect_ATTRIB_array(tvbuff_t *tvb, int offset,
3631 packet_info *pinfo, proto_tree *tree,
3632 dcerpc_info *di, uint8_t *drep)
3633{
3634 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3635 netlogon_dissect_ATTRIB);
3636
3637 return offset;
3638}
3639
3640/*
3641 * IDL typedef struct {
3642 * IDL [unique][size_is(num_rids)] long *rids;
3643 * IDL [unique][size_is(num_rids)] long *attribs;
3644 * IDL long num_rids;
3645 * IDL long dummy1;
3646 * IDL long dummy2;
3647 * IDL long dummy3;
3648 * IDL long dummy4;
3649 * IDL } DELTA_GROUP_MEMBER;
3650 */
3651static int
3652netlogon_dissect_DELTA_GROUP_MEMBER(tvbuff_t *tvb, int offset,
3653 packet_info *pinfo, proto_tree *tree,
3654 dcerpc_info *di, uint8_t *drep)
3655{
3656 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3657 netlogon_dissect_RID_array, NDR_POINTER_UNIQUE2,
3658 "RIDs:", -1);
3659
3660 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3661 netlogon_dissect_ATTRIB_array, NDR_POINTER_UNIQUE2,
3662 "Attribs:", -1);
3663
3664 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3665 hf_netlogon_num_rids, NULL((void*)0));
3666
3667 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3668 hf_netlogon_reserved, NULL((void*)0));
3669
3670 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3671 hf_netlogon_reserved, NULL((void*)0));
3672
3673 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3674 hf_netlogon_reserved, NULL((void*)0));
3675
3676 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3677 hf_netlogon_reserved, NULL((void*)0));
3678
3679 return offset;
3680}
3681
3682
3683/*
3684 * IDL typedef struct {
3685 * IDL UNICODESTRING alias_name;
3686 * IDL long rid;
3687 * IDL long SecurityInformation;
3688 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3689 * IDL UNICODESTRING dummy1;
3690 * IDL UNICODESTRING dummy2;
3691 * IDL UNICODESTRING dummy3;
3692 * IDL UNICODESTRING dummy4;
3693 * IDL long dummy5;
3694 * IDL long dummy6;
3695 * IDL long dummy7;
3696 * IDL long dummy8;
3697 * IDL } DELTA_ALIAS;
3698 */
3699static int
3700netlogon_dissect_DELTA_ALIAS(tvbuff_t *tvb, int offset,
3701 packet_info *pinfo, proto_tree *tree,
3702 dcerpc_info *di, uint8_t *drep)
3703{
3704 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3705 hf_netlogon_alias_name, 0);
3706
3707 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3708 hf_netlogon_alias_rid, NULL((void*)0));
3709
3710 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3711 hf_netlogon_security_information, NULL((void*)0));
3712
3713 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3714
3715 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3716 hf_netlogon_dummy, 0);
3717
3718 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3719 hf_netlogon_dummy, 0);
3720
3721 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3722 hf_netlogon_dummy, 0);
3723
3724 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3725 hf_netlogon_dummy, 0);
3726
3727 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3728 hf_netlogon_reserved, NULL((void*)0));
3729
3730 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3731 hf_netlogon_reserved, NULL((void*)0));
3732
3733 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3734 hf_netlogon_reserved, NULL((void*)0));
3735
3736 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3737 hf_netlogon_reserved, NULL((void*)0));
3738
3739 return offset;
3740}
3741
3742
3743/*
3744 * IDL typedef struct {
3745 * IDL [unique] SID_ARRAY sids;
3746 * IDL long dummy1;
3747 * IDL long dummy2;
3748 * IDL long dummy3;
3749 * IDL long dummy4;
3750 * IDL } DELTA_ALIAS_MEMBER;
3751 */
3752static int
3753netlogon_dissect_DELTA_ALIAS_MEMBER(tvbuff_t *tvb, int offset,
3754 packet_info *pinfo, proto_tree *tree,
3755 dcerpc_info *di, uint8_t *drep)
3756{
3757 offset = dissect_ndr_nt_PSID_ARRAY(tvb, offset, pinfo, tree, di, drep);
3758
3759 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3760 hf_netlogon_reserved, NULL((void*)0));
3761
3762 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3763 hf_netlogon_reserved, NULL((void*)0));
3764
3765 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3766 hf_netlogon_reserved, NULL((void*)0));
3767
3768 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3769 hf_netlogon_reserved, NULL((void*)0));
3770
3771 return offset;
3772}
3773
3774
3775static int
3776netlogon_dissect_EVENT_AUDIT_OPTION(tvbuff_t *tvb, int offset,
3777 packet_info *pinfo, proto_tree *tree,
3778 dcerpc_info *di, uint8_t *drep)
3779{
3780 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3781 hf_netlogon_event_audit_option, NULL((void*)0));
3782
3783 return offset;
3784}
3785
3786static int
3787netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY(tvbuff_t *tvb, int offset,
3788 packet_info *pinfo, proto_tree *tree,
3789 dcerpc_info *di, uint8_t *drep)
3790{
3791 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3792 netlogon_dissect_EVENT_AUDIT_OPTION);
3793
3794 return offset;
3795}
3796
3797
3798/*
3799 * IDL typedef struct {
3800 * IDL long pagedpoollimit;
3801 * IDL long nonpagedpoollimit;
3802 * IDL long minimumworkingsetsize;
3803 * IDL long maximumworkingsetsize;
3804 * IDL long pagefilelimit;
3805 * IDL NTTIME timelimit;
3806 * IDL } QUOTA_LIMITS;
3807 */
3808static int
3809netlogon_dissect_QUOTA_LIMITS(tvbuff_t *tvb, int offset,
3810 packet_info *pinfo, proto_tree *parent_tree,
3811 dcerpc_info *di, uint8_t *drep)
3812{
3813 proto_item *item=NULL((void*)0);
3814 proto_tree *tree=NULL((void*)0);
3815 int old_offset=offset;
3816
3817 if(parent_tree){
3818 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
3819 ett_QUOTA_LIMITS, &item, "QUOTA_LIMTS:");
3820 }
3821
3822 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3823 hf_netlogon_pagedpoollimit, NULL((void*)0));
3824
3825 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3826 hf_netlogon_nonpagedpoollimit, NULL((void*)0));
3827
3828 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3829 hf_netlogon_minworkingsetsize, NULL((void*)0));
3830
3831 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3832 hf_netlogon_maxworkingsetsize, NULL((void*)0));
3833
3834 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3835 hf_netlogon_pagefilelimit, NULL((void*)0));
3836
3837 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3838 hf_netlogon_timelimit);
3839
3840 proto_item_set_len(item, offset-old_offset);
3841 return offset;
3842}
3843
3844
3845/*
3846 * IDL typedef struct {
3847 * IDL long maxlogsize;
3848 * IDL NTTIME auditretentionperiod;
3849 * IDL bool auditingmode;
3850 * IDL long maxauditeventcount;
3851 * IDL [unique][size_is(maxauditeventcount)] long *eventauditoptions;
3852 * IDL UNICODESTRING primarydomainname;
3853 * IDL [unique] SID *sid;
3854 * IDL QUOTA_LIMITS quota_limits;
3855 * IDL NTTIME db_modify_time;
3856 * IDL NTTIME db_create_time;
3857 * IDL long SecurityInformation;
3858 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3859 * IDL UNICODESTRING dummy1;
3860 * IDL UNICODESTRING dummy2;
3861 * IDL UNICODESTRING dummy3;
3862 * IDL UNICODESTRING dummy4;
3863 * IDL long dummy5;
3864 * IDL long dummy6;
3865 * IDL long dummy7;
3866 * IDL long dummy8;
3867 * IDL } DELTA_POLICY;
3868 */
3869static int
3870netlogon_dissect_DELTA_POLICY(tvbuff_t *tvb, int offset,
3871 packet_info *pinfo, proto_tree *tree,
3872 dcerpc_info *di, uint8_t *drep)
3873{
3874 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3875 hf_netlogon_max_log_size, NULL((void*)0));
3876
3877 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3878 hf_netlogon_audit_retention_period);
3879
3880 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
3881 hf_netlogon_auditing_mode, NULL((void*)0));
3882
3883 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3884 hf_netlogon_max_audit_event_count, NULL((void*)0));
3885
3886 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3887 netlogon_dissect_EVENT_AUDIT_OPTIONS_ARRAY, NDR_POINTER_UNIQUE2,
3888 "Event Audit Options:", -1);
3889
3890 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3891 hf_netlogon_domain_name, 0);
3892
3893 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
3894
3895 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
3896 pinfo, tree, di, drep);
3897
3898 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3899 hf_netlogon_db_modify_time);
3900
3901 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
3902 hf_netlogon_db_create_time);
3903
3904 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3905 hf_netlogon_security_information, NULL((void*)0));
3906
3907 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3908
3909 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3910 hf_netlogon_dummy, 0);
3911
3912 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3913 hf_netlogon_dummy, 0);
3914
3915 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3916 hf_netlogon_dummy, 0);
3917
3918 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3919 hf_netlogon_dummy, 0);
3920
3921 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3922 hf_netlogon_reserved, NULL((void*)0));
3923
3924 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3925 hf_netlogon_reserved, NULL((void*)0));
3926
3927 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3928 hf_netlogon_reserved, NULL((void*)0));
3929
3930 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3931 hf_netlogon_reserved, NULL((void*)0));
3932
3933 return offset;
3934}
3935
3936
3937static int
3938netlogon_dissect_CONTROLLER(tvbuff_t *tvb, int offset,
3939 packet_info *pinfo, proto_tree *tree,
3940 dcerpc_info *di, uint8_t *drep)
3941{
3942 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3943 hf_netlogon_dc_name, 0);
3944
3945 return offset;
3946}
3947
3948static int
3949netlogon_dissect_CONTROLLER_ARRAY(tvbuff_t *tvb, int offset,
3950 packet_info *pinfo, proto_tree *tree,
3951 dcerpc_info *di, uint8_t *drep)
3952{
3953 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
3954 netlogon_dissect_CONTROLLER);
3955
3956 return offset;
3957}
3958
3959
3960/*
3961 * IDL typedef struct {
3962 * IDL UNICODESTRING DomainName;
3963 * IDL long num_controllers;
3964 * IDL [unique][size_is(num_controllers)] UNICODESTRING *controller_names;
3965 * IDL long SecurityInformation;
3966 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
3967 * IDL UNICODESTRING dummy1;
3968 * IDL UNICODESTRING dummy2;
3969 * IDL UNICODESTRING dummy3;
3970 * IDL UNICODESTRING dummy4;
3971 * IDL long dummy5;
3972 * IDL long dummy6;
3973 * IDL long dummy7;
3974 * IDL long dummy8;
3975 * IDL } DELTA_TRUSTED_DOMAINS;
3976 */
3977static int
3978netlogon_dissect_DELTA_TRUSTED_DOMAINS(tvbuff_t *tvb, int offset,
3979 packet_info *pinfo, proto_tree *tree,
3980 dcerpc_info *di, uint8_t *drep)
3981{
3982 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3983 hf_netlogon_domain_name, 0);
3984
3985 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3986 hf_netlogon_num_controllers, NULL((void*)0));
3987
3988 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
3989 netlogon_dissect_CONTROLLER_ARRAY, NDR_POINTER_UNIQUE2,
3990 "Domain Controllers:", -1);
3991
3992 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
3993 hf_netlogon_security_information, NULL((void*)0));
3994
3995 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
3996
3997 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
3998 hf_netlogon_dummy, 0);
3999
4000 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4001 hf_netlogon_dummy, 0);
4002
4003 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4004 hf_netlogon_dummy, 0);
4005
4006 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4007 hf_netlogon_dummy, 0);
4008
4009 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4010 hf_netlogon_reserved, NULL((void*)0));
4011
4012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4013 hf_netlogon_reserved, NULL((void*)0));
4014
4015 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4016 hf_netlogon_reserved, NULL((void*)0));
4017
4018 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4019 hf_netlogon_reserved, NULL((void*)0));
4020
4021 return offset;
4022}
4023
4024
4025static int
4026netlogon_dissect_PRIV_ATTR(tvbuff_t *tvb, int offset,
4027 packet_info *pinfo, proto_tree *tree,
4028 dcerpc_info *di, uint8_t *drep)
4029{
4030 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4031 hf_netlogon_attrs, NULL((void*)0));
4032
4033 return offset;
4034}
4035
4036static int
4037netlogon_dissect_PRIV_ATTR_ARRAY(tvbuff_t *tvb, int offset,
4038 packet_info *pinfo, proto_tree *tree,
4039 dcerpc_info *di, uint8_t *drep)
4040{
4041 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
4042 netlogon_dissect_PRIV_ATTR);
4043
4044 return offset;
4045}
4046
4047static int
4048netlogon_dissect_PRIV_NAME(tvbuff_t *tvb, int offset,
4049 packet_info *pinfo, proto_tree *tree,
4050 dcerpc_info *di, uint8_t *drep)
4051{
4052 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4053 hf_netlogon_privilege_name, 1);
4054
4055 return offset;
4056}
4057
4058static int
4059netlogon_dissect_PRIV_NAME_ARRAY(tvbuff_t *tvb, int offset,
4060 packet_info *pinfo, proto_tree *tree,
4061 dcerpc_info *di, uint8_t *drep)
4062{
4063 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
4064 netlogon_dissect_PRIV_NAME);
4065
4066 return offset;
4067}
4068
4069
4070
4071/*
4072 * IDL typedef struct {
4073 * IDL long privilegeentries;
4074 * IDL long provolegecontrol;
4075 * IDL [unique][size_is(privilege_entries)] long *privilege_attrib;
4076 * IDL [unique][size_is(privilege_entries)] UNICODESTRING *privilege_name;
4077 * IDL QUOTALIMITS quotalimits;
4078 * IDL long SecurityInformation;
4079 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
4080 * IDL UNICODESTRING dummy1;
4081 * IDL UNICODESTRING dummy2;
4082 * IDL UNICODESTRING dummy3;
4083 * IDL UNICODESTRING dummy4;
4084 * IDL long dummy5;
4085 * IDL long dummy6;
4086 * IDL long dummy7;
4087 * IDL long dummy8;
4088 * IDL } DELTA_ACCOUNTS;
4089 */
4090static int
4091netlogon_dissect_DELTA_ACCOUNTS(tvbuff_t *tvb, int offset,
4092 packet_info *pinfo, proto_tree *tree,
4093 dcerpc_info *di, uint8_t *drep)
4094{
4095 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4096 hf_netlogon_privilege_entries, NULL((void*)0));
4097
4098 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4099 hf_netlogon_privilege_control, NULL((void*)0));
4100
4101 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4102 netlogon_dissect_PRIV_ATTR_ARRAY, NDR_POINTER_UNIQUE2,
4103 "PRIV_ATTR_ARRAY:", -1);
4104
4105 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4106 netlogon_dissect_PRIV_NAME_ARRAY, NDR_POINTER_UNIQUE2,
4107 "PRIV_NAME_ARRAY:", -1);
4108
4109 offset = netlogon_dissect_QUOTA_LIMITS(tvb, offset,
4110 pinfo, tree, di, drep);
4111
4112 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4113 hf_netlogon_systemflags, NULL((void*)0));
4114
4115 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4116 hf_netlogon_security_information, NULL((void*)0));
4117
4118 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
4119
4120 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4121 hf_netlogon_dummy, 0);
4122
4123 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4124 hf_netlogon_dummy, 0);
4125
4126 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4127 hf_netlogon_dummy, 0);
4128
4129 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4130 hf_netlogon_dummy, 0);
4131
4132 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4133 hf_netlogon_reserved, NULL((void*)0));
4134
4135 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4136 hf_netlogon_reserved, NULL((void*)0));
4137
4138 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4139 hf_netlogon_reserved, NULL((void*)0));
4140
4141 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4142 hf_netlogon_reserved, NULL((void*)0));
4143
4144 return offset;
4145}
4146
4147/*
4148 * IDL typedef struct {
4149 * IDL long len;
4150 * IDL long maxlen;
4151 * IDL [unique][size_is(maxlen)][length_is(len)] char *cipher_data;
4152 * IDL } CIPHER_VALUE;
4153 */
4154static int
4155netlogon_dissect_CIPHER_VALUE_DATA(tvbuff_t *tvb, int offset,
4156 packet_info *pinfo, proto_tree *tree,
4157 dcerpc_info *di, uint8_t *drep)
4158{
4159 uint32_t data_len;
4160
4161 if(di->conformant_run){
4162 /*just a run to handle conformant arrays, nothing to dissect */
4163 return offset;
4164 }
4165
4166 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
4167 hf_netlogon_cipher_maxlen, NULL((void*)0));
4168
4169 /* skip offset */
4170 offset += 4;
4171
4172 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
4173 hf_netlogon_cipher_len, &data_len);
4174
4175 proto_tree_add_item(tree, di->hf_index, tvb, offset,
4176 data_len, ENC_NA0x00000000);
4177 offset += data_len;
4178
4179 return offset;
4180}
4181static int
4182netlogon_dissect_CIPHER_VALUE(tvbuff_t *tvb, int offset,
4183 packet_info *pinfo, proto_tree *parent_tree,
4184 dcerpc_info *di, uint8_t *drep, const char *name, int hf_index)
4185{
4186 proto_item *item=NULL((void*)0);
4187 proto_tree *tree=NULL((void*)0);
4188 int old_offset=offset;
4189
4190 if(parent_tree){
4191 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
4192 ett_CYPHER_VALUE, &item, name);
4193 }
4194
4195 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
4196 hf_netlogon_cipher_len, NULL((void*)0));
4197
4198 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
4199 hf_netlogon_cipher_maxlen, NULL((void*)0));
4200
4201 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4202 netlogon_dissect_CIPHER_VALUE_DATA, NDR_POINTER_UNIQUE2,
4203 name, hf_index);
4204
4205 proto_item_set_len(item, offset-old_offset);
4206 return offset;
4207}
4208
4209/*
4210 * IDL typedef struct {
4211 * IDL CIPHER_VALUE current_cipher;
4212 * IDL NTTIME current_cipher_set_time;
4213 * IDL CIPHER_VALUE old_cipher;
4214 * IDL NTTIME old_cipher_set_time;
4215 * IDL long SecurityInformation;
4216 * IDL LSA_SECURITY_DESCRIPTOR sec_desc;
4217 * IDL UNICODESTRING dummy1;
4218 * IDL UNICODESTRING dummy2;
4219 * IDL UNICODESTRING dummy3;
4220 * IDL UNICODESTRING dummy4;
4221 * IDL long dummy5;
4222 * IDL long dummy6;
4223 * IDL long dummy7;
4224 * IDL long dummy8;
4225 * IDL } DELTA_SECRET;
4226 */
4227static int
4228netlogon_dissect_DELTA_SECRET(tvbuff_t *tvb, int offset,
4229 packet_info *pinfo, proto_tree *tree,
4230 dcerpc_info *di, uint8_t *drep)
4231{
4232 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
4233 pinfo, tree, di, drep,
4234 "CIPHER_VALUE: current cipher value",
4235 hf_netlogon_cipher_current_data);
4236
4237 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
4238 hf_netlogon_cipher_current_set_time);
4239
4240 offset = netlogon_dissect_CIPHER_VALUE(tvb, offset,
4241 pinfo, tree, di, drep,
4242 "CIPHER_VALUE: old cipher value",
4243 hf_netlogon_cipher_old_data);
4244
4245 offset = dissect_ndr_nt_NTTIME(tvb, offset, pinfo, tree, di, drep,
4246 hf_netlogon_cipher_old_set_time);
4247
4248 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4249 hf_netlogon_security_information, NULL((void*)0));
4250
4251 offset = lsarpc_dissect_sec_desc_buf(tvb, offset, pinfo, tree, di, drep);
4252
4253 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4254 hf_netlogon_dummy, 0);
4255
4256 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4257 hf_netlogon_dummy, 0);
4258
4259 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4260 hf_netlogon_dummy, 0);
4261
4262 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
4263 hf_netlogon_dummy, 0);
4264
4265 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4266 hf_netlogon_reserved, NULL((void*)0));
4267
4268 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4269 hf_netlogon_reserved, NULL((void*)0));
4270
4271 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4272 hf_netlogon_reserved, NULL((void*)0));
4273
4274 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4275 hf_netlogon_reserved, NULL((void*)0));
4276
4277 return offset;
4278}
4279
4280/*
4281 * IDL typedef struct {
4282 * IDL long low_value;
4283 * IDL long high_value;
4284 * } MODIFIED_COUNT;
4285 */
4286static int
4287netlogon_dissect_MODIFIED_COUNT(tvbuff_t *tvb, int offset,
4288 packet_info *pinfo, proto_tree *tree,
4289 dcerpc_info *di, uint8_t *drep)
4290{
4291 offset = dissect_ndr_duint32(tvb, offset, pinfo, tree, di, drep,
4292 hf_netlogon_modify_count, NULL((void*)0));
4293
4294 return offset;
4295}
4296
4297
4298#define DT_DELTA_DOMAIN1 1
4299#define DT_DELTA_GROUP2 2
4300#define DT_DELTA_DELETE_GROUP3 3
4301#define DT_DELTA_RENAME_GROUP4 4
4302#define DT_DELTA_USER5 5
4303#define DT_DELTA_DELETE_USER6 6
4304#define DT_DELTA_RENAME_USER7 7
4305#define DT_DELTA_GROUP_MEMBER8 8
4306#define DT_DELTA_ALIAS9 9
4307#define DT_DELTA_DELETE_ALIAS10 10
4308#define DT_DELTA_RENAME_ALIAS11 11
4309#define DT_DELTA_ALIAS_MEMBER12 12
4310#define DT_DELTA_POLICY13 13
4311#define DT_DELTA_TRUSTED_DOMAINS14 14
4312#define DT_DELTA_DELETE_TRUST15 15
4313#define DT_DELTA_ACCOUNTS16 16
4314#define DT_DELTA_DELETE_ACCOUNT17 17
4315#define DT_DELTA_SECRET18 18
4316#define DT_DELTA_DELETE_SECRET19 19
4317#define DT_DELTA_DELETE_GROUP220 20
4318#define DT_DELTA_DELETE_USER221 21
4319#define DT_MODIFIED_COUNT22 22
4320
4321static const value_string delta_type_vals[] = {
4322 { DT_DELTA_DOMAIN1, "Domain" },
4323 { DT_DELTA_GROUP2, "Group" },
4324 { DT_DELTA_DELETE_GROUP3, "Delete Group" },
4325 { DT_DELTA_RENAME_GROUP4, "Rename Group" },
4326 { DT_DELTA_USER5, "User" },
4327 { DT_DELTA_DELETE_USER6, "Delete User" },
4328 { DT_DELTA_RENAME_USER7, "Rename User" },
4329 { DT_DELTA_GROUP_MEMBER8, "Group Member" },
4330 { DT_DELTA_ALIAS9, "Alias" },
4331 { DT_DELTA_DELETE_ALIAS10, "Delete Alias" },
4332 { DT_DELTA_RENAME_ALIAS11, "Rename Alias" },
4333 { DT_DELTA_ALIAS_MEMBER12, "Alias Member" },
4334 { DT_DELTA_POLICY13, "Policy" },
4335 { DT_DELTA_TRUSTED_DOMAINS14, "Trusted Domains" },
4336 { DT_DELTA_DELETE_TRUST15, "Delete Trust" },
4337 { DT_DELTA_ACCOUNTS16, "Accounts" },
4338 { DT_DELTA_DELETE_ACCOUNT17, "Delete Account" },
4339 { DT_DELTA_SECRET18, "Secret" },
4340 { DT_DELTA_DELETE_SECRET19, "Delete Secret" },
4341 { DT_DELTA_DELETE_GROUP220, "Delete Group2" },
4342 { DT_DELTA_DELETE_USER221, "Delete User2" },
4343 { DT_MODIFIED_COUNT22, "Modified Count" },
4344 { 0, NULL((void*)0) }
4345};
4346/*
4347 * IDL typedef [switch_type(short)] union {
4348 * IDL [case(1)][unique] DELTA_DOMAIN *domain;
4349 * IDL [case(2)][unique] DELTA_GROUP *group;
4350 * IDL [case(3)][unique] rid only ;
4351 * IDL [case(4)][unique] DELTA_RENAME_GROUP *rename_group;
4352 * IDL [case(5)][unique] DELTA_USER *user;
4353 * IDL [case(6)][unique] rid only ;
4354 * IDL [case(7)][unique] DELTA_RENAME_USER *rename_user;
4355 * IDL [case(8)][unique] DELTA_GROUP_MEMBER *group_member;
4356 * IDL [case(9)][unique] DELTA_ALIAS *alias;
4357 * IDL [case(10)][unique] rid only ;
4358 * IDL [case(11)][unique] DELTA_RENAME_ALIAS *alias;
4359 * IDL [case(12)][unique] DELTA_ALIAS_MEMBER *alias_member;
4360 * IDL [case(13)][unique] DELTA_POLICY *policy;
4361 * IDL [case(14)][unique] DELTA_TRUSTED_DOMAINS *trusted_domains;
4362 * IDL [case(15)][unique] PSID ;
4363 * IDL [case(16)][unique] DELTA_ACCOUNTS *accounts;
4364 * IDL [case(17)][unique] PSID ;
4365 * IDL [case(18)][unique] DELTA_SECRET *secret;
4366 * IDL [case(19)][unique] string;
4367 * IDL [case(20)][unique] DELTA_DELETE_GROUP2 *delete_group;
4368 * IDL [case(21)][unique] DELTA_DELETE_USER2 *delete_user;
4369 * IDL [case(22)][unique] MODIFIED_COUNT *modified_count;
4370 * IDL } DELTA_UNION;
4371 */
4372static int
4373netlogon_dissect_DELTA_UNION(tvbuff_t *tvb, int offset,
4374 packet_info *pinfo, proto_tree *parent_tree,
4375 dcerpc_info *di, uint8_t *drep)
4376{
4377 proto_item *item=NULL((void*)0);
4378 proto_tree *tree=NULL((void*)0);
4379 int old_offset=offset;
4380 uint16_t level = 0;
4381
4382 if(parent_tree){
4383 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
4384 ett_DELTA_UNION, &item, "DELTA_UNION:");
4385 }
4386
4387 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4388 hf_netlogon_delta_type, &level);
4389
4390 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
4391 switch(level){
4392 case 1:
4393 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4394 netlogon_dissect_DELTA_DOMAIN, NDR_POINTER_UNIQUE2,
4395 "DELTA_DOMAIN:", -1);
4396 break;
4397 case 2:
4398 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4399 netlogon_dissect_DELTA_GROUP, NDR_POINTER_UNIQUE2,
4400 "DELTA_GROUP:", -1);
4401 break;
4402 case 4:
4403 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4404 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE2,
4405 "DELTA_RENAME_GROUP:", hf_netlogon_group_name);
4406 break;
4407 case 5:
4408 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4409 netlogon_dissect_DELTA_USER, NDR_POINTER_UNIQUE2,
4410 "DELTA_USER:", -1);
4411 break;
4412 case 7:
4413 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4414 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE2,
4415 "DELTA_RENAME_USER:", hf_netlogon_acct_name);
4416 break;
4417 case 8:
4418 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4419 netlogon_dissect_DELTA_GROUP_MEMBER, NDR_POINTER_UNIQUE2,
4420 "DELTA_GROUP_MEMBER:", -1);
4421 break;
4422 case 9:
4423 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4424 netlogon_dissect_DELTA_ALIAS, NDR_POINTER_UNIQUE2,
4425 "DELTA_ALIAS:", -1);
4426 break;
4427 case 11:
4428 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4429 netlogon_dissect_DELTA_RENAME, NDR_POINTER_UNIQUE2,
4430 "DELTA_RENAME_ALIAS:", hf_netlogon_alias_name);
4431 break;
4432 case 12:
4433 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4434 netlogon_dissect_DELTA_ALIAS_MEMBER, NDR_POINTER_UNIQUE2,
4435 "DELTA_ALIAS_MEMBER:", -1);
4436 break;
4437 case 13:
4438 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4439 netlogon_dissect_DELTA_POLICY, NDR_POINTER_UNIQUE2,
4440 "DELTA_POLICY:", -1);
4441 break;
4442 case 14:
4443 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4444 netlogon_dissect_DELTA_TRUSTED_DOMAINS, NDR_POINTER_UNIQUE2,
4445 "DELTA_TRUSTED_DOMAINS:", -1);
4446 break;
4447 case 16:
4448 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4449 netlogon_dissect_DELTA_ACCOUNTS, NDR_POINTER_UNIQUE2,
4450 "DELTA_ACCOUNTS:", -1);
4451 break;
4452 case 18:
4453 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4454 netlogon_dissect_DELTA_SECRET, NDR_POINTER_UNIQUE2,
4455 "DELTA_SECRET:", -1);
4456 break;
4457 case 20:
4458 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4459 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE2,
4460 "DELTA_DELETE_GROUP:", -1);
4461 break;
4462 case 21:
4463 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4464 netlogon_dissect_DELTA_DELETE_USER, NDR_POINTER_UNIQUE2,
4465 "DELTA_DELETE_USER:", -1);
4466 break;
4467 case 22:
4468 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4469 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_UNIQUE2,
4470 "MODIFIED_COUNT:", -1);
4471 break;
4472 }
4473
4474 proto_item_set_len(item, offset-old_offset);
4475 return offset;
4476}
4477
4478
4479
4480/* IDL XXX must verify this one, especially 13-19
4481 * IDL typedef [switch_type(short)] union {
4482 * IDL [case(1)] long rid;
4483 * IDL [case(2)] long rid;
4484 * IDL [case(3)] long rid;
4485 * IDL [case(4)] long rid;
4486 * IDL [case(5)] long rid;
4487 * IDL [case(6)] long rid;
4488 * IDL [case(7)] long rid;
4489 * IDL [case(8)] long rid;
4490 * IDL [case(9)] long rid;
4491 * IDL [case(10)] long rid;
4492 * IDL [case(11)] long rid;
4493 * IDL [case(12)] long rid;
4494 * IDL [case(13)] [unique] SID *sid;
4495 * IDL [case(14)] [unique] SID *sid;
4496 * IDL [case(15)] [unique] SID *sid;
4497 * IDL [case(16)] [unique] SID *sid;
4498 * IDL [case(17)] [unique] SID *sid;
4499 * IDL [case(18)] [unique][string] wchar_t *Name ;
4500 * IDL [case(19)] [unique][string] wchar_t *Name ;
4501 * IDL [case(20)] long rid;
4502 * IDL [case(21)] long rid;
4503 * IDL } DELTA_ID_UNION;
4504 */
4505static int
4506netlogon_dissect_DELTA_ID_UNION(tvbuff_t *tvb, int offset,
4507 packet_info *pinfo, proto_tree *parent_tree,
4508 dcerpc_info *di, uint8_t *drep)
4509{
4510 proto_item *item=NULL((void*)0);
4511 proto_tree *tree=NULL((void*)0);
4512 int old_offset=offset;
4513 uint16_t level = 0;
4514
4515 if(parent_tree){
4516 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
4517 ett_DELTA_ID_UNION, &item, "DELTA_ID_UNION:");
4518 }
4519
4520 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4521 hf_netlogon_delta_type, &level);
4522
4523 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
4524 switch(level){
4525 case 1:
4526 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4527 hf_netlogon_group_rid, NULL((void*)0));
4528 break;
4529 case 2:
4530 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4531 hf_netlogon_user_rid, NULL((void*)0));
4532 break;
4533 case 3:
4534 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4535 hf_netlogon_user_rid, NULL((void*)0));
4536 break;
4537 case 4:
4538 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4539 hf_netlogon_user_rid, NULL((void*)0));
4540 break;
4541 case 5:
4542 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4543 hf_netlogon_user_rid, NULL((void*)0));
4544 break;
4545 case 6:
4546 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4547 hf_netlogon_user_rid, NULL((void*)0));
4548 break;
4549 case 7:
4550 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4551 hf_netlogon_user_rid, NULL((void*)0));
4552 break;
4553 case 8:
4554 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4555 hf_netlogon_user_rid, NULL((void*)0));
4556 break;
4557 case 9:
4558 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4559 hf_netlogon_user_rid, NULL((void*)0));
4560 break;
4561 case 10:
4562 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4563 hf_netlogon_user_rid, NULL((void*)0));
4564 break;
4565 case 11:
4566 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4567 hf_netlogon_user_rid, NULL((void*)0));
4568 break;
4569 case 12:
4570 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4571 hf_netlogon_user_rid, NULL((void*)0));
4572 break;
4573 case 13:
4574 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4575 break;
4576 case 14:
4577 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4578 break;
4579 case 15:
4580 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4581 break;
4582 case 16:
4583 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4584 break;
4585 case 17:
4586 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
4587 break;
4588 case 18:
4589 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4590 tree, di, drep, NDR_POINTER_UNIQUE2, "unknown",
4591 hf_netlogon_unknown_string, 0);
4592 break;
4593 case 19:
4594 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
4595 tree, di, drep, NDR_POINTER_UNIQUE2, "unknown",
4596 hf_netlogon_unknown_string, 0);
4597 break;
4598 case 20:
4599 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4600 hf_netlogon_user_rid, NULL((void*)0));
4601 break;
4602 case 21:
4603 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4604 hf_netlogon_user_rid, NULL((void*)0));
4605 break;
4606 }
4607
4608 proto_item_set_len(item, offset-old_offset);
4609 return offset;
4610}
4611
4612/*
4613 * IDL typedef struct {
4614 * IDL short delta_type;
4615 * IDL DELTA_ID_UNION delta_id_union;
4616 * IDL DELTA_UNION delta_union;
4617 * IDL } DELTA_ENUM;
4618 */
4619static int
4620netlogon_dissect_DELTA_ENUM(tvbuff_t *tvb, int offset,
4621 packet_info *pinfo, proto_tree *parent_tree,
4622 dcerpc_info *di, uint8_t *drep)
4623{
4624 proto_item *item=NULL((void*)0);
4625 proto_tree *tree=NULL((void*)0);
4626 int old_offset=offset;
4627 uint16_t type;
4628
4629 if(parent_tree){
4630 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
4631 ett_DELTA_ENUM, &item, "DELTA_ENUM:");
4632 }
4633
4634 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
4635 hf_netlogon_delta_type, &type);
4636
4637 proto_item_append_text(item, "%s", val_to_str(
4638 type, delta_type_vals, "Unknown"));
4639
4640 offset = netlogon_dissect_DELTA_ID_UNION(tvb, offset,
4641 pinfo, tree, di, drep);
4642
4643 offset = netlogon_dissect_DELTA_UNION(tvb, offset,
4644 pinfo, tree, di, drep);
4645
4646 proto_item_set_len(item, offset-old_offset);
4647 return offset;
4648}
4649
4650static int
4651netlogon_dissect_DELTA_ENUM_array(tvbuff_t *tvb, int offset,
4652 packet_info *pinfo, proto_tree *tree,
4653 dcerpc_info *di, uint8_t *drep)
4654{
4655 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
4656 netlogon_dissect_DELTA_ENUM);
4657
4658 return offset;
4659}
4660
4661/*
4662 * IDL typedef struct {
4663 * IDL long num_deltas;
4664 * IDL [unique][size_is(num_deltas)] DELTA_ENUM *delta_enum;
4665 * IDL } DELTA_ENUM_ARRAY;
4666 */
4667static int
4668netlogon_dissect_DELTA_ENUM_ARRAY(tvbuff_t *tvb, int offset,
4669 packet_info *pinfo, proto_tree *tree,
4670 dcerpc_info *di, uint8_t *drep)
4671{
4672 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4673 hf_netlogon_num_deltas, NULL((void*)0));
4674
4675 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4676 netlogon_dissect_DELTA_ENUM_array, NDR_POINTER_UNIQUE2,
4677 "DELTA_ENUM: deltas", -1);
4678
4679 return offset;
4680}
4681
4682
4683/*
4684 * IDL long NetrDatabaseDeltas(
4685 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4686 * IDL [in][string][ref] wchar_t *computername,
4687 * IDL [in][ref] AUTHENTICATOR credential,
4688 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4689 * IDL [in] long database_id,
4690 * IDL [in][out][ref] MODIFIED_COUNT domain_modify_count,
4691 * IDL [in] long preferredmaximumlength,
4692 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4693 * IDL );
4694 */
4695static int
4696netlogon_dissect_netrdatabasedeltas_rqst(tvbuff_t *tvb, int offset,
4697 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4698{
4699 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4700 NDR_POINTER_REF1, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4701
4702 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4703 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
4704
4705 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4706 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4707 "AUTHENTICATOR: credential", -1);
4708
4709 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4710 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4711 "AUTHENTICATOR: return_authenticator", -1);
4712
4713 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4714 hf_netlogon_database_id, NULL((void*)0));
4715
4716 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4717 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF1,
4718 "MODIFIED_COUNT: domain modified count", -1);
4719
4720 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4721 hf_netlogon_max_size, NULL((void*)0));
4722
4723 return offset;
4724}
4725static int
4726netlogon_dissect_netrdatabasedeltas_reply(tvbuff_t *tvb, int offset,
4727 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4728{
4729 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4730 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4731 "AUTHENTICATOR: return_authenticator", -1);
4732
4733 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4734 netlogon_dissect_MODIFIED_COUNT, NDR_POINTER_REF1,
4735 "MODIFIED_COUNT: domain modified count", -1);
4736
4737 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4738 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE2,
4739 "DELTA_ENUM_ARRAY: deltas", -1);
4740
4741 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4742 hf_netlogon_rc, NULL((void*)0));
4743
4744 return offset;
4745}
4746
4747
4748/*
4749 * IDL long NetrDatabaseSync(
4750 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
4751 * IDL [in][string][ref] wchar_t *computername,
4752 * IDL [in][ref] AUTHENTICATOR credential,
4753 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4754 * IDL [in] long database_id,
4755 * IDL [in][out][ref] long sync_context,
4756 * IDL [in] long preferredmaximumlength,
4757 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
4758 * IDL );
4759 */
4760static int
4761netlogon_dissect_netrdatabasesync_rqst(tvbuff_t *tvb, int offset,
4762 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4763{
4764 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4765 NDR_POINTER_REF1, "Server Handle", hf_netlogon_logonsrv_handle, 0);
4766
4767 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4768 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
4769
4770 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4771 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4772 "AUTHENTICATOR: credential", -1);
4773
4774 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4775 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4776 "AUTHENTICATOR: return_authenticator", -1);
4777
4778 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4779 hf_netlogon_database_id, NULL((void*)0));
4780
4781 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4782 hf_netlogon_sync_context, NULL((void*)0));
4783
4784 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4785 hf_netlogon_max_size, NULL((void*)0));
4786
4787 return offset;
4788}
4789
4790
4791static int
4792netlogon_dissect_netrdatabasesync_reply(tvbuff_t *tvb, int offset,
4793 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4794{
4795 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4796 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4797 "AUTHENTICATOR: return_authenticator", -1);
4798
4799 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4800 hf_netlogon_sync_context, NULL((void*)0));
4801
4802 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4803 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE2,
4804 "DELTA_ENUM_ARRAY: deltas", -1);
4805
4806 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4807 hf_netlogon_rc, NULL((void*)0));
4808
4809 return offset;
4810}
4811
4812/*
4813 * IDL typedef struct {
4814 * IDL char computer_name[16];
4815 * IDL long timecreated;
4816 * IDL long serial_number;
4817 * IDL } UAS_INFO_0;
4818 */
4819static int
4820netlogon_dissect_UAS_INFO_0(tvbuff_t *tvb, int offset,
4821 packet_info *pinfo, proto_tree *tree,
4822 dcerpc_info *di, uint8_t *drep)
4823{
4824 uint32_t time_created;
4825 if(di->conformant_run){
4826 /*just a run to handle conformant arrays, nothing to dissect */
4827 return offset;
4828 }
4829
4830 proto_tree_add_item(tree, hf_netlogon_computer_name, tvb, offset, 16, ENC_ASCII0x00000000);
4831 offset += 16;
4832
4833 time_created = tvb_get_uint32(tvb, offset, DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
4834 proto_tree_add_uint_format_value(tree, hf_netlogon_time_created, tvb, offset, 4, time_created, "unknown time format");
4835 offset+= 4;
4836
4837 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4838 hf_netlogon_serial_number, NULL((void*)0));
4839
4840 return offset;
4841}
4842
4843
4844/*
4845 * IDL long NetrAccountDeltas(
4846 * IDL [in][string][unique] wchar_t *logonserver,
4847 * IDL [in][string][ref] wchar_t *computername,
4848 * IDL [in][ref] AUTHENTICATOR credential,
4849 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4850 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4851 * IDL [out][ref] long count_returned,
4852 * IDL [out][ref] long total_entries,
4853 * IDL [in][out][ref] UAS_INFO_0 recordid,
4854 * IDL [in][long] count,
4855 * IDL [in][long] level,
4856 * IDL [in][long] buffersize,
4857 * IDL );
4858 */
4859static int
4860netlogon_dissect_netraccountdeltas_rqst(tvbuff_t *tvb, int offset,
4861 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4862{
4863 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4864 pinfo, tree, di, drep);
4865
4866 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4867 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
4868
4869 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4870 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4871 "AUTHENTICATOR: credential", -1);
4872
4873 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4874 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4875 "AUTHENTICATOR: return_authenticator", -1);
4876
4877 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4878 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF1,
4879 "UAS_INFO_0: RecordID", -1);
4880
4881 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4882 hf_netlogon_count, NULL((void*)0));
4883
4884 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4885 hf_netlogon_level, NULL((void*)0));
4886
4887 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4888 hf_netlogon_max_size, NULL((void*)0));
4889
4890 return offset;
4891}
4892static int
4893netlogon_dissect_netraccountdeltas_reply(tvbuff_t *tvb, int offset,
4894 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4895{
4896 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4897 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4898 "AUTHENTICATOR: return_authenticator", -1);
4899
4900 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4901 netlogon_dissect_BYTE_array, NDR_POINTER_REF1,
4902 "BYTE_array: Buffer", -1);
4903
4904 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4905 hf_netlogon_count, NULL((void*)0));
4906
4907 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4908 hf_netlogon_entries, NULL((void*)0));
4909
4910 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4911 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF1,
4912 "UAS_INFO_0: RecordID", -1);
4913
4914 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4915 hf_netlogon_rc, NULL((void*)0));
4916
4917 return offset;
4918}
4919
4920
4921/*
4922 * IDL long NetrAccountSync(
4923 * IDL [in][string][unique] wchar_t *logonserver,
4924 * IDL [in][string][ref] wchar_t *computername,
4925 * IDL [in][ref] AUTHENTICATOR credential,
4926 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
4927 * IDL [out][ref][size_is(count_returned)] char *Buffer,
4928 * IDL [out][ref] long count_returned,
4929 * IDL [out][ref] long total_entries,
4930 * IDL [out][ref] long next_reference,
4931 * IDL [in][long] reference,
4932 * IDL [in][long] level,
4933 * IDL [in][long] buffersize,
4934 * IDL [in][out][ref] UAS_INFO_0 recordid,
4935 * IDL );
4936 */
4937static int
4938netlogon_dissect_netraccountsync_rqst(tvbuff_t *tvb, int offset,
4939 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4940{
4941 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
4942 pinfo, tree, di, drep);
4943
4944 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
4945 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
4946
4947 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4948 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4949 "AUTHENTICATOR: credential", -1);
4950
4951 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4952 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4953 "AUTHENTICATOR: return_authenticator", -1);
4954
4955 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4956 hf_netlogon_reference, NULL((void*)0));
4957
4958 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4959 hf_netlogon_level, NULL((void*)0));
4960
4961 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4962 hf_netlogon_max_size, NULL((void*)0));
4963
4964 return offset;
4965}
4966static int
4967netlogon_dissect_netraccountsync_reply(tvbuff_t *tvb, int offset,
4968 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
4969{
4970 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4971 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
4972 "AUTHENTICATOR: return_authenticator", -1);
4973
4974 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4975 netlogon_dissect_BYTE_array, NDR_POINTER_REF1,
4976 "BYTE_array: Buffer", -1);
4977
4978 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4979 hf_netlogon_count, NULL((void*)0));
4980
4981 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4982 hf_netlogon_entries, NULL((void*)0));
4983
4984 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
4985 hf_netlogon_next_reference, NULL((void*)0));
4986
4987 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
4988 netlogon_dissect_UAS_INFO_0, NDR_POINTER_REF1,
4989 "UAS_INFO_0: RecordID", -1);
4990
4991 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
4992 hf_netlogon_rc, NULL((void*)0));
4993
4994 return offset;
4995}
4996
4997
4998/*
4999 * IDL long NetrGetDcName(
5000 * IDL [in][ref][string] wchar_t *logon_server,
5001 * IDL [in][unique][string] wchar_t *domainname,
5002 * IDL [out][unique][string] wchar_t *dcname,
5003 * IDL };
5004 */
5005static int
5006netlogon_dissect_netrgetdcname_rqst(tvbuff_t *tvb, int offset,
5007 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5008{
5009 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5010 NDR_POINTER_REF1, "Server Handle", hf_netlogon_logonsrv_handle, 0);
5011
5012 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5013 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_domain_name, 0);
5014
5015 return offset;
5016}
5017static int
5018netlogon_dissect_netrgetdcname_reply(tvbuff_t *tvb, int offset,
5019 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5020{
5021 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5022 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_dc_name, 0);
5023
5024 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5025 hf_netlogon_rc, NULL((void*)0));
5026
5027 return offset;
5028}
5029
5030
5031
5032/*
5033 * IDL typedef struct {
5034 * IDL long flags;
5035 * IDL long pdc_connection_status;
5036 * IDL } NETLOGON_INFO_1;
5037 */
5038static int
5039netlogon_dissect_NETLOGON_INFO_1(tvbuff_t *tvb, int offset,
5040 packet_info *pinfo, proto_tree *tree,
5041 dcerpc_info *di, uint8_t *drep)
5042{
5043 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5044 hf_netlogon_flags, NULL((void*)0));
5045
5046 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5047 hf_netlogon_pdc_connection_status, NULL((void*)0));
5048
5049 return offset;
5050}
5051
5052
5053/*
5054 * IDL typedef struct {
5055 * IDL long flags;
5056 * IDL long pdc_connection_status;
5057 * IDL [unique][string] wchar_t trusted_dc_name;
5058 * IDL long tc_connection_status;
5059 * IDL } NETLOGON_INFO_2;
5060 */
5061static int
5062netlogon_dissect_NETLOGON_INFO_2(tvbuff_t *tvb, int offset,
5063 packet_info *pinfo, proto_tree *tree,
5064 dcerpc_info *di, uint8_t *drep)
5065{
5066 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5067 hf_netlogon_flags, NULL((void*)0));
5068
5069 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5070 hf_netlogon_pdc_connection_status, NULL((void*)0));
5071
5072 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5073 NDR_POINTER_UNIQUE2, "Trusted DC Name",
5074 hf_netlogon_trusted_dc_name, 0);
5075
5076 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5077 hf_netlogon_tc_connection_status, NULL((void*)0));
5078
5079 return offset;
5080}
5081
5082
5083/*
5084 * IDL typedef struct {
5085 * IDL long flags;
5086 * IDL long logon_attempts;
5087 * IDL long reserved;
5088 * IDL long reserved;
5089 * IDL long reserved;
5090 * IDL long reserved;
5091 * IDL long reserved;
5092 * IDL } NETLOGON_INFO_3;
5093 */
5094static int
5095netlogon_dissect_NETLOGON_INFO_3(tvbuff_t *tvb, int offset,
5096 packet_info *pinfo, proto_tree *tree,
5097 dcerpc_info *di, uint8_t *drep)
5098{
5099 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5100 hf_netlogon_flags, NULL((void*)0));
5101
5102 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5103 hf_netlogon_logon_attempts, NULL((void*)0));
5104
5105 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5106 hf_netlogon_reserved, NULL((void*)0));
5107
5108 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5109 hf_netlogon_reserved, NULL((void*)0));
5110
5111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5112 hf_netlogon_reserved, NULL((void*)0));
5113
5114 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5115 hf_netlogon_reserved, NULL((void*)0));
5116
5117 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5118 hf_netlogon_reserved, NULL((void*)0));
5119
5120 return offset;
5121}
5122
5123
5124/*
5125 * IDL typedef [switch_type(long)] union {
5126 * IDL [case(1)] [unique] NETLOGON_INFO_1 *i1;
5127 * IDL [case(2)] [unique] NETLOGON_INFO_2 *i2;
5128 * IDL [case(3)] [unique] NETLOGON_INFO_3 *i3;
5129 * IDL } CONTROL_QUERY_INFORMATION;
5130 */
5131static int
5132netlogon_dissect_CONTROL_QUERY_INFORMATION(tvbuff_t *tvb, int offset,
5133 packet_info *pinfo, proto_tree *tree,
5134 dcerpc_info *di, uint8_t *drep)
5135{
5136 uint32_t level = 0;
5137
5138 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5139 hf_netlogon_level, &level);
5140
5141 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
5142 switch(level){
5143 case 1:
5144 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5145 netlogon_dissect_NETLOGON_INFO_1, NDR_POINTER_UNIQUE2,
5146 "NETLOGON_INFO_1:", -1);
5147 break;
5148 case 2:
5149 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5150 netlogon_dissect_NETLOGON_INFO_2, NDR_POINTER_UNIQUE2,
5151 "NETLOGON_INFO_2:", -1);
5152 break;
5153 case 3:
5154 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5155 netlogon_dissect_NETLOGON_INFO_3, NDR_POINTER_UNIQUE2,
5156 "NETLOGON_INFO_3:", -1);
5157 break;
5158 }
5159
5160 return offset;
5161}
5162
5163
5164/*
5165 * IDL long NetrLogonControl(
5166 * IDL [in][string][unique] wchar_t *logonserver,
5167 * IDL [in] long function_code,
5168 * IDL [in] long level,
5169 * IDL [out][ref] CONTROL_QUERY_INFORMATION
5170 * IDL );
5171 */
5172static int
5173netlogon_dissect_netrlogoncontrol_rqst(tvbuff_t *tvb, int offset,
5174 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5175{
5176 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5177 pinfo, tree, di, drep);
5178
5179 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5180 hf_netlogon_code, NULL((void*)0));
5181
5182 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5183 hf_netlogon_level, NULL((void*)0));
5184
5185 return offset;
5186}
5187static int
5188netlogon_dissect_netrlogoncontrol_reply(tvbuff_t *tvb, int offset,
5189 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5190{
5191 uint32_t status;
5192
5193 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5194 netlogon_dissect_CONTROL_QUERY_INFORMATION, NDR_POINTER_REF1,
5195 "CONTROL_QUERY_INFORMATION:", -1);
5196
5197 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_werr_rc, &status);
5198
5199 if (status != 0)
5200 col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str_ext(status, &WERR_errors_ext, "Unknown WERR error 0x%08x"));
5201
5202 return offset;
5203}
5204
5205
5206/*
5207 * IDL long NetrGetAnyDCName(
5208 * IDL [in][unique][string] wchar_t *logon_server,
5209 * IDL [in][unique][string] wchar_t *domainname,
5210 * IDL [out][unique][string] wchar_t *dcname,
5211 * IDL };
5212 */
5213static int
5214netlogon_dissect_netrgetanydcname_rqst(tvbuff_t *tvb, int offset,
5215 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5216{
5217 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5218 NDR_POINTER_UNIQUE2, "Server Handle",
5219 hf_netlogon_logonsrv_handle, 0);
5220
5221 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5222 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_domain_name, 0);
5223
5224 return offset;
5225}
5226static int
5227netlogon_dissect_netrgetanydcname_reply(tvbuff_t *tvb, int offset,
5228 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5229{
5230 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5231 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_dc_name, 0);
5232
5233 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5234 hf_netlogon_dos_rc, NULL((void*)0));
5235
5236 return offset;
5237}
5238
5239
5240/*
5241 * IDL typedef [switch_type(long)] union {
5242 * IDL [case(5)] [unique][string] wchar_t *unknown;
5243 * IDL [case(6)] [unique][string] wchar_t *unknown;
5244 * IDL [case(0xfffe)] long unknown;
5245 * IDL [case(7)] [unique][string] wchar_t *unknown;
5246 * IDL } CONTROL_DATA_INFORMATION;
5247 */
5248/* XXX
5249 * According to muddle this is what CONTROL_DATA_INFORMATION is supposed
5250 * to look like. However NetMon does not recognize any such informationlevels.
5251 *
5252 * I'll leave it as CONTROL_DATA_INFORMATION with no informationlevels
5253 * until someone has any source of better authority to call upon.
5254 */
5255static int
5256netlogon_dissect_CONTROL_DATA_INFORMATION(tvbuff_t *tvb, int offset,
5257 packet_info *pinfo, proto_tree *tree,
5258 dcerpc_info *di, uint8_t *drep)
5259{
5260 uint32_t level = 0;
5261
5262 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5263 hf_netlogon_level, &level);
5264
5265 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
5266 switch(level){
5267 case 5:
5268 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
5269 tree, di, drep, NDR_POINTER_UNIQUE2, "Trusted Domain Name",
5270 hf_netlogon_TrustedDomainName_string, 0);
5271 break;
5272 case 6:
5273 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
5274 tree, di, drep, NDR_POINTER_UNIQUE2, "Trusted Domain Name",
5275 hf_netlogon_TrustedDomainName_string, 0);
5276 break;
5277 case 0xfffe:
5278 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5279 hf_netlogon_unknown_long, NULL((void*)0));
5280 break;
5281 case 8:
5282 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo,
5283 tree, di, drep, NDR_POINTER_UNIQUE2, "UserName",
5284 hf_netlogon_UserName_string, 0);
5285 break;
5286 }
5287
5288 return offset;
5289}
5290
5291
5292/*
5293 * IDL long NetrLogonControl2(
5294 * IDL [in][string][unique] wchar_t *logonserver,
5295 * IDL [in] long function_code,
5296 * IDL [in] long level,
5297 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
5298 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
5299 * IDL );
5300 */
5301static int
5302netlogon_dissect_netrlogoncontrol2_rqst(tvbuff_t *tvb, int offset,
5303 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5304{
5305 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5306 pinfo, tree, di, drep);
5307
5308 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5309 hf_netlogon_code, NULL((void*)0));
5310
5311 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5312 hf_netlogon_level, NULL((void*)0));
5313
5314 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5315 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF1,
5316 "CONTROL_DATA_INFORMATION: ", -1);
5317
5318 return offset;
5319}
5320
5321static int
5322netlogon_dissect_netrlogoncontrol2_reply(tvbuff_t *tvb, int offset,
5323 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5324{
5325 return netlogon_dissect_netrlogoncontrol_reply(tvb, offset, pinfo, tree, di, drep);
5326}
5327
5328
5329
5330
5331/*
5332 * IDL long NetrDatabaseSync2(
5333 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5334 * IDL [in][string][ref] wchar_t *computername,
5335 * IDL [in][ref] AUTHENTICATOR credential,
5336 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5337 * IDL [in] long database_id,
5338 * IDL [in] short restart_state,
5339 * IDL [in][out][ref] long *sync_context,
5340 * IDL [in] long preferredmaximumlength,
5341 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
5342 * IDL );
5343 */
5344static int
5345netlogon_dissect_netrdatabasesync2_rqst(tvbuff_t *tvb, int offset,
5346 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5347{
5348 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5349 NDR_POINTER_REF1, "Server Handle", hf_netlogon_logonsrv_handle, 0);
5350
5351 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5352 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
5353
5354 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5355 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
5356 "AUTHENTICATOR: credential", -1);
5357
5358 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5359 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
5360 "AUTHENTICATOR: return_authenticator", -1);
5361
5362 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5363 hf_netlogon_database_id, NULL((void*)0));
5364
5365 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
5366 hf_netlogon_restart_state, NULL((void*)0));
5367
5368 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5369 hf_netlogon_sync_context, NULL((void*)0));
5370
5371 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5372 hf_netlogon_max_size, NULL((void*)0));
5373
5374 return offset;
5375}
5376
5377static int
5378netlogon_dissect_netrdatabasesync2_reply(tvbuff_t *tvb, int offset,
5379 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5380{
5381 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5382 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
5383 "AUTHENTICATOR: return_authenticator", -1);
5384
5385 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5386 hf_netlogon_sync_context, NULL((void*)0));
5387
5388 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5389 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE2,
5390 "DELTA_ENUM_ARRAY: deltas", -1);
5391
5392 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5393 hf_netlogon_rc, NULL((void*)0));
5394
5395 return offset;
5396}
5397
5398
5399/*
5400 * IDL long NetrDatabaseRedo(
5401 * IDL [in][string][ref] wchar_t *logonserver, # REF!!!
5402 * IDL [in][string][ref] wchar_t *computername,
5403 * IDL [in][ref] AUTHENTICATOR credential,
5404 * IDL [in][out][ref] AUTHENTICATOR return_authenticator,
5405 * IDL [in][ref][size_is(change_log_entry_size)] char *change_log_entry,
5406 * IDL [in] long change_log_entry_size,
5407 * IDL [out][unique] DELTA_ENUM_ARRAY *delta_enum_array
5408 * IDL );
5409 */
5410static int
5411netlogon_dissect_netrdatabaseredo_rqst(tvbuff_t *tvb, int offset,
5412 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5413{
5414 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5415 NDR_POINTER_REF1, "Server Handle", hf_netlogon_logonsrv_handle, 0);
5416
5417 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5418 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
5419
5420 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5421 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
5422 "AUTHENTICATOR: credential", -1);
5423
5424 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5425 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
5426 "AUTHENTICATOR: return_authenticator", -1);
5427
5428 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5429 netlogon_dissect_BYTE_array, NDR_POINTER_REF1,
5430 "Change log entry: ", -1);
5431
5432 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5433 hf_netlogon_max_log_size, NULL((void*)0));
5434
5435 return offset;
5436}
5437
5438static int
5439netlogon_dissect_netrdatabaseredo_reply(tvbuff_t *tvb, int offset,
5440 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5441{
5442 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5443 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
5444 "AUTHENTICATOR: return_authenticator", -1);
5445
5446 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5447 netlogon_dissect_DELTA_ENUM_ARRAY, NDR_POINTER_UNIQUE2,
5448 "DELTA_ENUM_ARRAY: deltas", -1);
5449
5450 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
5451 hf_netlogon_rc, NULL((void*)0));
5452
5453 return offset;
5454}
5455
5456
5457/*
5458 * IDL long NetrLogonControl2Ex(
5459 * IDL [in][string][unique] wchar_t *logonserver,
5460 * IDL [in] long function_code,
5461 * IDL [in] long level,
5462 * IDL [in][ref] CONTROL_DATA_INFORMATION *data,
5463 * IDL [out][ref] CONTROL_QUERY_INFORMATION *query
5464 * IDL );
5465 */
5466static int
5467netlogon_dissect_netrlogoncontrol2ex_rqst(tvbuff_t *tvb, int offset,
5468 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5469{
5470 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
5471 pinfo, tree, di, drep);
5472
5473 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5474 hf_netlogon_code, NULL((void*)0));
5475
5476 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5477 hf_netlogon_level, NULL((void*)0));
5478
5479 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5480 netlogon_dissect_CONTROL_DATA_INFORMATION, NDR_POINTER_REF1,
5481 "CONTROL_DATA_INFORMATION: ", -1);
5482
5483 return offset;
5484}
5485static int
5486netlogon_dissect_netrlogoncontrol2ex_reply(tvbuff_t *tvb, int offset,
5487 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
5488{
5489 return netlogon_dissect_netrlogoncontrol_reply(tvb, offset, pinfo, tree, di, drep);
5490}
5491
5492
5493
5494
5495static const value_string trust_type_vals[] = {
5496 { 1, "NT4 Domain" },
5497 { 2, "AD Domain" },
5498 { 3, "MIT Kerberos realm" },
5499 { 4, "DCE realm" },
5500 { 0, NULL((void*)0) }
5501};
5502
5503#define DS_INET_ADDRESS1 1
5504#define DS_NETBIOS_ADDRESS2 2
5505
5506static const value_string dc_address_types[] = {
5507 { DS_INET_ADDRESS1, "IP/DNS name" },
5508 { DS_NETBIOS_ADDRESS2, "NetBIOS name" },
5509 { 0, NULL((void*)0)}
5510};
5511
5512
5513#define RQ_ROOT_FOREST0x00000001 0x00000001
5514#define RQ_DC_XFOREST0x00000002 0x00000002
5515#define RQ_RODC_DIF_DOMAIN0x00000004 0x00000004
5516#define RQ_NTLM_FROM_RODC0x00000008 0x00000008
5517
5518#define DS_DOMAIN_IN_FOREST0x00000001 0x00000001
5519#define DS_DOMAIN_DIRECT_OUTBOUND0x00000002 0x00000002
5520#define DS_DOMAIN_TREE_ROOT0x00000004 0x00000004
5521#define DS_DOMAIN_PRIMARY0x00000008 0x00000008
5522#define DS_DOMAIN_NATIVE_MODE0x00000010 0x00000010
5523#define DS_DOMAIN_DIRECT_INBOUND0x00000020 0x00000020
5524
5525static const true_false_string trust_inbound = {
5526 "There is a DIRECT INBOUND trust for the servers domain",
5527 "There is NO direct inbound trust for the servers domain"
5528};
5529static const true_false_string trust_outbound = {
5530 "There is a DIRECT OUTBOUND trust for this domain",
5531 "There is NO direct outbound trust for this domain"
5532};
5533static const true_false_string trust_in_forest = {
5534 "The domain is a member IN the same FOREST as the queried server",
5535 "The domain is NOT a member of the queried servers domain"
5536};
5537static const true_false_string trust_native_mode = {
5538 "The primary domain is a NATIVE MODE w2k domain",
5539 "The primary is NOT a native mode w2k domain"
5540};
5541static const true_false_string trust_primary = {
5542 "The domain is the PRIMARY domain of the queried server",
5543 "The domain is NOT the primary domain of the queried server"
5544};
5545static const true_false_string trust_tree_root = {
5546 "The domain is the ROOT of a domain TREE",
5547 "The domain is NOT a root of a domain tree"
5548};
5549
5550
5551static int
5552netlogon_dissect_DOMAIN_TRUST_FLAGS(tvbuff_t *tvb, int offset,
5553 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
5554{
5555 uint32_t mask;
5556 static int * const flags[] = {
5557 &hf_netlogon_trust_flags_inbound,
5558 &hf_netlogon_trust_flags_native_mode,
5559 &hf_netlogon_trust_flags_primary,
5560 &hf_netlogon_trust_flags_tree_root,
5561 &hf_netlogon_trust_flags_outbound,
5562 &hf_netlogon_trust_flags_in_forest,
5563 NULL((void*)0)
5564 };
5565
5566 if(di->conformant_run){
5567 /*just a run to handle conformant arrays, nothing to dissect */
5568 return offset;
5569 }
5570
5571 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL((void*)0), di, drep,
5572 -1, &mask);
5573
5574 proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_trust_flags, ett_trust_flags, flags, mask, BMT_NO_APPEND0x01);
5575 return offset;
5576}
5577
5578
5579
5580static const true_false_string trust_attribs_non_transitive = {
5581 "This is a NON TRANSITIVE trust relation",
5582 "This is a normal trust"
5583};
5584static const true_false_string trust_attribs_uplevel_only = {
5585 "This is an UPLEVEL ONLY trust relation",
5586 "This is a normal trust"
5587};
5588static const true_false_string trust_attribs_quarantined_domain = {
5589 "This is a QUARANTINED DOMAIN (so don't expect lookupsids to work)",
5590 "This is a normal trust"
5591};
5592static const true_false_string trust_attribs_forest_transitive = {
5593 "This is a FOREST TRANSITIVE trust",
5594 "This is a normal trust"
5595};
5596static const true_false_string trust_attribs_cross_organization = {
5597 "This is a CROSS ORGANIZATION trust",
5598 "This is a normal trust"
5599};
5600static const true_false_string trust_attribs_within_forest = {
5601 "This is a WITHIN FOREST trust",
5602 "This is a normal trust"
5603};
5604static const true_false_string trust_attribs_treat_as_external = {
5605 "TREAT this trust AS an EXTERNAL trust",
5606 "This is a normal trust"
5607};
5608
5609static int
5610netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvbuff_t *tvb, int offset,
5611 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
5612{
5613 uint32_t mask;
5614 static int * const attr[] = {
5615 &hf_netlogon_trust_attribs_treat_as_external,
5616 &hf_netlogon_trust_attribs_within_forest,
5617 &hf_netlogon_trust_attribs_cross_organization,
5618 &hf_netlogon_trust_attribs_forest_transitive,
5619 &hf_netlogon_trust_attribs_quarantined_domain,
5620 &hf_netlogon_trust_attribs_uplevel_only,
5621 &hf_netlogon_trust_attribs_non_transitive,
5622 NULL((void*)0)
5623 };
5624
5625 if(di->conformant_run){
5626 /*just a run to handle conformant arrays, nothing to dissect */
5627 return offset;
5628 }
5629
5630 offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL((void*)0), di, drep,
5631 -1, &mask);
5632
5633 proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_trust_attribs, ett_trust_attribs, attr, mask, BMT_NO_APPEND0x01);
5634 return offset;
5635}
5636
5637
5638#define DS_FORCE_REDISCOVERY0x00000001 0x00000001
5639#define DS_DIRECTORY_SERVICE_REQUIRED0x00000010 0x00000010
5640#define DS_DIRECTORY_SERVICE_PREFERRED0x00000020 0x00000020
5641#define DS_GC_SERVER_REQUIRED0x00000040 0x00000040
5642#define DS_PDC_REQUIRED0x00000080 0x00000080
5643#define DS_BACKGROUND_ONLY0x00000100 0x00000100
5644#define DS_IP_REQUIRED0x00000200 0x00000200
5645#define DS_KDC_REQUIRED0x00000400 0x00000400
5646#define DS_TIMESERV_REQUIRED0x00000800 0x00000800
5647#define DS_WRITABLE_REQUIRED0x00001000 0x00001000
5648#define DS_GOOD_TIMESERV_PREFERRED0x00002000 0x00002000
5649#define DS_AVOID_SELF0x00004000 0x00004000
5650#define DS_ONLY_LDAP_NEEDED0x00008000 0x00008000
5651#define DS_IS_FLAT_NAME0x00010000 0x00010000
5652#define DS_IS_DNS_NAME0x00020000 0x00020000
5653#define DS_RETURN_DNS_NAME0x40000000 0x40000000
5654#define DS_RETURN_FLAT_NAME0x80000000 0x80000000
5655
5656static const true_false_string get_dcname_request_flags_force_rediscovery = {
5657 "FORCE REDISCOVERY of any cached data",
5658 "You may return cached data"
5659};
5660static const true_false_string get_dcname_request_flags_directory_service_required = {
5661 "DIRECTORY SERVICE is REQUIRED on the server",
5662 "We do NOT require directory service servers"
5663};
5664static const true_false_string get_dcname_request_flags_directory_service_preferred = {
5665 "DIRECTORY SERVICE servers are PREFERRED",
5666 "We do NOT have a preference for directory service servers"
5667};
5668static const true_false_string get_dcname_request_flags_gc_server_required = {
5669 "GC SERVER is REQUIRED",
5670 "gc server is NOT required"
5671};
5672static const true_false_string get_dcname_request_flags_pdc_required = {
5673 "PDC SERVER is REQUIRED",
5674 "pdc server is NOT required"
5675};
5676static const true_false_string get_dcname_request_flags_background_only = {
5677 "Only return cached data, even if it has expired",
5678 "Return cached data unless it has expired"
5679};
5680static const true_false_string get_dcname_request_flags_ip_required = {
5681 "IP address is REQUIRED",
5682 "ip address is NOT required"
5683};
5684static const true_false_string get_dcname_request_flags_kdc_required = {
5685 "KDC server is REQUIRED",
5686 "kdc server is NOT required"
5687};
5688static const true_false_string get_dcname_request_flags_timeserv_required = {
5689 "TIMESERV service is REQUIRED",
5690 "timeserv service is NOT required"
5691};
5692static const true_false_string get_dcname_request_flags_writable_required = {
5693 "the returned dc MUST be WRITEABLE",
5694 "a read-only dc may be returned"
5695};
5696static const true_false_string get_dcname_request_flags_good_timeserv_preferred = {
5697 "GOOD TIMESERV servers are PREFERRED",
5698 "we do NOT have a preference for good timeserv servers"
5699};
5700static const true_false_string get_dcname_request_flags_avoid_self = {
5701 "do NOT return self as dc; return someone else",
5702 "you may return yourSELF as the dc"
5703};
5704static const true_false_string get_dcname_request_flags_only_ldap_needed = {
5705 "we ONLY NEED LDAP; you don't have to return a dc",
5706 "we need a normal dc; an ldap only server will not do"
5707};
5708static const true_false_string get_dcname_request_flags_is_flat_name = {
5709 "the name we specify is a NetBIOS name",
5710 "the name we specify is NOT a NetBIOS name"
5711};
5712static const true_false_string get_dcname_request_flags_is_dns_name = {
5713 "the name we specify is a DNS name",
5714 "the name we specify is NOT a dns name"
5715};
5716static const true_false_string get_dcname_request_flags_return_dns_name = {
5717 "return a DNS name",
5718 "you may return a NON-dns name"
5719};
5720static const true_false_string get_dcname_request_flags_return_flat_name = {
5721 "return a NetBIOS name",
5722 "you may return a NON-NetBIOS name"
5723};
5724static int
5725netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvbuff_t *tvb, int offset,
5726 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
5727{
5728 uint32_t mask;
5729 static int * const flags[] = {
5730 &hf_netlogon_get_dcname_request_flags_return_flat_name,
5731 &hf_netlogon_get_dcname_request_flags_return_dns_name,
5732 &hf_netlogon_get_dcname_request_flags_is_flat_name,
5733 &hf_netlogon_get_dcname_request_flags_is_dns_name,
5734 &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
5735 &hf_netlogon_get_dcname_request_flags_avoid_self,
5736 &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
5737 &hf_netlogon_get_dcname_request_flags_writable_required,
5738 &hf_netlogon_get_dcname_request_flags_timeserv_required,
5739 &hf_netlogon_get_dcname_request_flags_kdc_required,
5740 &hf_netlogon_get_dcname_request_flags_ip_required,
5741 &hf_netlogon_get_dcname_request_flags_background_only,
5742 &hf_netlogon_get_dcname_request_flags_pdc_required,
5743 &hf_netlogon_get_dcname_request_flags_gc_server_required,
5744 &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
5745 &hf_netlogon_get_dcname_request_flags_directory_service_required,
5746 &hf_netlogon_get_dcname_request_flags_force_rediscovery,
5747 NULL((void*)0)
5748 };
5749
5750 if(di->conformant_run){
5751 /*just a run to handle conformant arrays, nothing to dissect */
5752 return offset;
5753 }
5754
5755 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL((void*)0), di, drep, -1, &mask);
5756
5757 proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_get_dcname_request_flags, ett_get_dcname_request_flags, flags, mask, BMT_NO_APPEND0x01);
5758 return offset;
5759}
5760
5761
5762
5763#define DS_PDC_FLAG0x00000001 0x00000001
5764#define DS_GC_FLAG0x00000004 0x00000004
5765#define DS_LDAP_FLAG0x00000008 0x00000008
5766#define DS_DS_FLAG0x00000010 0x00000010
5767#define DS_KDC_FLAG0x00000020 0x00000020
5768#define DS_TIMESERV_FLAG0x00000040 0x00000040
5769#define DS_CLOSEST_FLAG0x00000080 0x00000080
5770#define DS_WRITABLE_FLAG0x00000100 0x00000100
5771#define DS_GOOD_TIMESERV_FLAG0x00000200 0x00000200
5772#define DS_NDNC_FLAG0x00000400 0x00000400
5773#define DS_DNS_CONTROLLER_FLAG0x20000000 0x20000000
5774#define DS_DNS_DOMAIN_FLAG0x40000000 0x40000000
5775#define DS_DNS_FOREST_FLAG0x80000000 0x80000000
5776
5777static const true_false_string dc_flags_pdc_flag = {
5778 "this is the PDC of the domain",
5779 "this is NOT the pdc of the domain"
5780};
5781static const true_false_string dc_flags_gc_flag = {
5782 "this is the GC of the forest",
5783 "this is NOT the gc of the forest"
5784};
5785static const true_false_string dc_flags_ldap_flag = {
5786 "this is an LDAP server",
5787 "this is NOT an ldap server"
5788};
5789static const true_false_string dc_flags_ds_flag = {
5790 "this is a DS server",
5791 "this is NOT a ds server"
5792};
5793static const true_false_string dc_flags_kdc_flag = {
5794 "this is a KDC server",
5795 "this is NOT a kdc server"
5796};
5797static const true_false_string dc_flags_timeserv_flag = {
5798 "this is a TIMESERV server",
5799 "this is NOT a timeserv server"
5800};
5801static const true_false_string dc_flags_closest_flag = {
5802 "this is the CLOSEST server",
5803 "this is NOT the closest server"
5804};
5805static const true_false_string dc_flags_writable_flag = {
5806 "this server has a WRITABLE ds database",
5807 "this server has a READ-ONLY ds database"
5808};
5809static const true_false_string dc_flags_good_timeserv_flag = {
5810 "this server is a GOOD TIMESERV server",
5811 "this is NOT a good timeserv server"
5812};
5813static const true_false_string dc_flags_ndnc_flag = {
5814 "NDNC is set",
5815 "ndnc is NOT set"
5816};
5817static const true_false_string dc_flags_dns_controller_flag = {
5818 "DomainControllerName is a DNS name",
5819 "DomainControllerName is NOT a dns name"
5820};
5821static const true_false_string dc_flags_dns_domain_flag = {
5822 "DomainName is a DNS name",
5823 "DomainName is NOT a dns name"
5824};
5825static const true_false_string dc_flags_dns_forest_flag = {
5826 "DnsForestName is a DNS name",
5827 "DnsForestName is NOT a dns name"
5828};
5829static int
5830netlogon_dissect_DC_FLAGS(tvbuff_t *tvb, int offset,
5831 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
5832{
5833 uint32_t mask;
5834 proto_item *item;
5835 static int * const flags[] = {
5836 &hf_netlogon_dc_flags_dns_forest_flag,
5837 &hf_netlogon_dc_flags_dns_domain_flag,
5838 &hf_netlogon_dc_flags_dns_controller_flag,
5839 &hf_netlogon_dc_flags_ndnc_flag,
5840 &hf_netlogon_dc_flags_good_timeserv_flag,
5841 &hf_netlogon_dc_flags_writable_flag,
5842 &hf_netlogon_dc_flags_closest_flag,
5843 &hf_netlogon_dc_flags_timeserv_flag,
5844 &hf_netlogon_dc_flags_kdc_flag,
5845 &hf_netlogon_dc_flags_ds_flag,
5846 &hf_netlogon_dc_flags_ldap_flag,
5847 &hf_netlogon_dc_flags_gc_flag,
5848 &hf_netlogon_dc_flags_pdc_flag,
5849 NULL((void*)0)
5850 };
5851
5852 if(di->conformant_run){
5853 /*just a run to handle conformant arrays, nothing to dissect */
5854 return offset;
5855 }
5856
5857 offset=dissect_ndr_uint32(tvb, offset, pinfo, NULL((void*)0), di, drep, -1, &mask);
5858
5859 item = proto_tree_add_bitmask_value_with_flags(parent_tree, tvb, offset-4, hf_netlogon_dc_flags, ett_dc_flags, flags, mask, BMT_NO_APPEND0x01);
5860 if (mask==0x0000ffff)
5861 proto_item_append_text(item, " PING (mask==0x0000ffff)");
5862
5863 return offset;
5864}
5865
5866
5867
5868static int
5869netlogon_dissect_pointer_long(tvbuff_t *tvb, int offset,
5870 packet_info *pinfo, proto_tree *tree,
5871 dcerpc_info *di, uint8_t *drep)
5872{
5873 offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, di, drep,
5874 di->hf_index, NULL((void*)0));
5875 return offset;
5876}
5877
5878#if 0
5879static int
5880netlogon_dissect_pointer_char(tvbuff_t *tvb, int offset,
5881 packet_info *pinfo, proto_tree *tree,
5882 dcerpc_info *di, uint8_t *drep)
5883{
5884 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
5885 di->hf_index, NULL((void*)0));
5886 return offset;
5887}
5888#endif
5889
5890static int
5891netlogon_dissect_UNICODE_MULTI_byte(tvbuff_t *tvb, int offset,
5892 packet_info *pinfo, proto_tree *tree,
5893 dcerpc_info *di, uint8_t *drep)
5894{
5895 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
5896 hf_netlogon_unknown_char, NULL((void*)0));
5897
5898 return offset;
5899}
5900
5901static int
5902netlogon_dissect_UNICODE_MULTI_array(tvbuff_t *tvb, int offset,
5903 packet_info *pinfo, proto_tree *tree,
5904 dcerpc_info *di, uint8_t *drep)
5905{
5906 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
5907 netlogon_dissect_UNICODE_MULTI_byte);
5908
5909 return offset;
5910}
5911
5912static int
5913netlogon_dissect_UNICODE_MULTI(tvbuff_t *tvb, int offset,
5914 packet_info *pinfo, proto_tree *parent_tree,
5915 dcerpc_info *di, uint8_t *drep)
5916{
5917 proto_item *item=NULL((void*)0);
5918 proto_tree *tree=NULL((void*)0);
5919 int old_offset=offset;
5920
5921 if(parent_tree){
5922 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
5923 ett_UNICODE_MULTI, &item, "UNICODE_MULTI:");
5924 }
5925
5926 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5927 hf_netlogon_len, NULL((void*)0));
5928
5929 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
5930 netlogon_dissect_UNICODE_MULTI_array, NDR_POINTER_UNIQUE2,
5931 "unknown", hf_netlogon_unknown_string);
5932
5933 proto_item_set_len(item, offset-old_offset);
5934 return offset;
5935}
5936
5937static int
5938netlogon_dissect_DOMAIN_CONTROLLER_INFO(tvbuff_t *tvb, int offset,
5939 packet_info *pinfo, proto_tree *parent_tree,
5940 dcerpc_info *di, uint8_t *drep)
5941{
5942 proto_item *item=NULL((void*)0);
5943 proto_tree *tree=NULL((void*)0);
5944 int old_offset=offset;
5945
5946 if(parent_tree){
5947 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
5948 ett_DOMAIN_CONTROLLER_INFO, &item, "DOMAIN_CONTROLLER_INFO:");
5949 }
5950
5951 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5952 NDR_POINTER_UNIQUE2, "DC Name", hf_netlogon_dc_name, 0);
5953
5954 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5955 NDR_POINTER_UNIQUE2, "DC Address", hf_netlogon_dc_address, 0);
5956
5957 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
5958 hf_netlogon_dc_address_type, NULL((void*)0));
5959
5960 offset = dissect_nt_GUID(tvb, offset,
5961 pinfo, tree, di, drep);
5962
5963 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5964 NDR_POINTER_UNIQUE2, "Logon Domain", hf_netlogon_logon_dom, 0);
5965
5966 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5967 NDR_POINTER_UNIQUE2, "DNS Forest", hf_netlogon_dns_forest_name, 0);
5968
5969 offset = netlogon_dissect_DC_FLAGS(tvb, offset, pinfo, tree, di, drep);
5970
5971 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5972 NDR_POINTER_UNIQUE2, "DC Site", hf_netlogon_dc_site_name, 0);
5973
5974 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
5975 NDR_POINTER_UNIQUE2, "Client Site",
5976 hf_netlogon_client_site_name, 0);
5977
5978 proto_item_set_len(item, offset-old_offset);
5979 return offset;
5980}
5981
5982
5983
5984static int
5985dissect_ndr_trust_extension(tvbuff_t *tvb, int offset,
5986 packet_info *pinfo, proto_tree *tree,
5987 dcerpc_info *di, uint8_t *drep)
5988{
5989 uint64_t len,max;
5990
5991 if(di->conformant_run){
5992 return offset;
5993 }
5994 offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
5995 hf_netlogon_trust_max, &max);
5996
5997 offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
5998 hf_netlogon_trust_offset, NULL((void*)0));
5999
6000 offset = dissect_ndr_uint3264(tvb, offset, pinfo, tree, di, drep,
6001 hf_netlogon_trust_len, &len);
6002
6003 if( max * 2 == 16 ) {
6004 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
6005
6006 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6007 hf_netlogon_trust_parent_index, NULL((void*)0));
6008
6009 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6010 hf_netlogon_trust_type, NULL((void*)0));
6011
6012 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
6013 }
6014 /* else do something scream shout .... */
6015
6016 return offset;
6017}
6018
6019static int
6020netlogon_dissect_BLOB_array(tvbuff_t *tvb, int offset,
6021 packet_info *pinfo, proto_tree *tree,
6022 dcerpc_info *di, uint8_t *drep)
6023{
6024 uint32_t len;
6025
6026 if(di->conformant_run){
6027 return offset;
6028 }
6029
6030 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6031 hf_netlogon_blob_size, &len);
6032
6033 proto_tree_add_item(tree, hf_netlogon_blob, tvb, offset, len,
6034 ENC_NA0x00000000);
6035 offset += len;
6036
6037 return offset;
6038}
6039
6040static int
6041dissect_ndr_ulongs_as_counted_string(tvbuff_t *tvb, int offset,
6042 packet_info *pinfo, proto_tree *tree,
6043 dcerpc_info *di, uint8_t *drep, int hf_index)
6044{
6045 uint16_t len, size;
6046 bool_Bool add_subtree = true1; /* Manage room for evolution*/
6047 proto_item *item;
6048 proto_tree *subtree = tree;
6049
6050 if (add_subtree) {
6051
6052 subtree = proto_tree_add_subtree(
6053 tree, tvb, offset, 0, ett_nt_counted_longs_as_string, &item,
6054 proto_registrar_get_name(hf_index));
6055 }
6056 /* Structure starts with short, but is aligned for longs */
6057 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
6058
6059 if (di->conformant_run)
6060 return offset;
6061
6062 /*
6063 struct {
6064 short len;
6065 short size;
6066 [size_is(size/2), length_is(len/2), ptr] unsigned short *string;
6067 } UNICODE_STRING;
6068
6069 */
6070
6071 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
6072 hf_nt_cs_len, &len);
6073 offset = dissect_ndr_uint16(tvb, offset, pinfo, subtree, di, drep,
6074 hf_nt_cs_size, &size);
6075 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, subtree, di, drep,
6076 dissect_ndr_trust_extension, NDR_POINTER_UNIQUE2,
6077 "Buffer", hf_index,NULL((void*)0),NULL((void*)0));
6078 return offset;
6079}
6080
6081static int
6082DomainInfo_sid_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6083{
6084 offset = lsarpc_dissect_struct_dom_sid2(tvb, offset, pinfo, tree, di, drep, hf_domain_info_sid, 0);
6085
6086 return offset;
6087}
6088static int
6089dissect_element_lsa_DnsDomainInfo_sid(tvbuff_t *tvb , int offset , packet_info *pinfo , proto_tree *tree , dcerpc_info *di, uint8_t *drep )
6090{
6091 offset = dissect_ndr_embedded_pointer(tvb, offset, pinfo, tree, di, drep, DomainInfo_sid_, NDR_POINTER_UNIQUE2, "Pointer to Sid (dom_sid2)", hf_dns_domain_info_sid);
6092
6093 return offset;
6094}
6095static int
6096dissect_element_lsa_DnsDomainInfo_domain_guid(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep )
6097{
6098 offset = dissect_ndr_uuid_t(tvb, offset, pinfo, tree, di, drep, hf_dns_domain_info_domain_guid, NULL((void*)0));
6099
6100 return offset;
6101}
6102
6103
6104static int dissect_part_DnsDomainInfo(tvbuff_t *tvb , int offset, packet_info *pinfo, proto_tree *tree , dcerpc_info *di, uint8_t *drep, int hf_index _U___attribute__((unused)), uint32_t param _U___attribute__((unused)))
6105{
6106
6107 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb, offset, pinfo, tree, di, drep, hf_dns_domain_info_name, 0);
6108
6109 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset, pinfo, tree, di, drep, hf_dns_domain_info_dns_domain, 0);
6110
6111 offset = lsarpc_dissect_struct_lsa_StringLarge(tvb,offset, pinfo, tree, di, drep, hf_dns_domain_info_dns_forest, 0);
6112
6113 offset = dissect_element_lsa_DnsDomainInfo_domain_guid(tvb, offset, pinfo, tree, di, drep);
6114
6115 offset = dissect_element_lsa_DnsDomainInfo_sid(tvb, offset, pinfo, tree, di, drep);
6116
6117
6118 return offset;
6119}
6120
6121
6122static int
6123netlogon_dissect_ONE_DOMAIN_INFO(tvbuff_t *tvb, int offset,
6124 packet_info *pinfo, proto_tree *parent_tree,
6125 dcerpc_info *di, uint8_t *drep)
6126{
6127 proto_item *item=NULL((void*)0);
6128 proto_tree *tree=NULL((void*)0);
6129 int old_offset=offset;
6130
6131 if(parent_tree){
6132 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
6133 ett_DOMAIN_TRUST_INFO, &item, "ONE_DOMAIN_INFO");
6134 }
6135/*hf_netlogon_dnsdomaininfo*/
6136 offset = dissect_part_DnsDomainInfo(tvb, offset, pinfo, tree, di, drep, 0, 0);
6137
6138
6139 /* It is structed as a string but it's not ... it's 4 ulong */
6140 offset = dissect_ndr_ulongs_as_counted_string(tvb, offset, pinfo, tree, di, drep,
6141 hf_netlogon_trust_extension);
6142
6143 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6144 hf_netlogon_dummy_string2, 0);
6145
6146 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6147 hf_netlogon_dummy_string3, 0);
6148
6149 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6150 hf_netlogon_dummy_string4, 0);
6151
6152 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6153 hf_netlogon_dummy1_long, NULL((void*)0));
6154
6155 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6156 hf_netlogon_dummy2_long, NULL((void*)0));
6157
6158 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6159 hf_netlogon_dummy3_long, NULL((void*)0));
6160
6161 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6162 hf_netlogon_dummy4_long, NULL((void*)0));
6163
6164 proto_item_set_len(item, offset-old_offset);
6165 return offset;
6166}
6167
6168static int
6169netlogon_dissect_DOMAIN_TRUST_INFO(tvbuff_t *tvb, int offset,
6170 packet_info *pinfo, proto_tree *tree,
6171 dcerpc_info *di, uint8_t *drep)
6172{
6173 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6174 netlogon_dissect_ONE_DOMAIN_INFO);
6175
6176 return offset;
6177}
6178
6179
6180static int
6181netlogon_dissect_LSA_POLICY_INFO(tvbuff_t *tvb, int offset,
6182 packet_info *pinfo, proto_tree *tree,
6183 dcerpc_info *di, uint8_t *drep )
6184{
6185 proto_item *item=NULL((void*)0);
6186 proto_tree *subtree=NULL((void*)0);
6187 uint32_t len;
6188
6189 if(di->conformant_run){
6190 return offset;
6191 }
6192
6193 if(tree){
6194 subtree = proto_tree_add_subtree(tree, tvb, offset, 0,
6195 ett_LSA_POLICY_INFO, &item, "LSA Policy");
6196 }
6197 offset = dissect_ndr_uint32(tvb, offset, pinfo, subtree, di, drep,
6198 hf_netlogon_lsapolicy_len, &len);
6199
6200 offset = dissect_ndr_pointer(tvb, offset, pinfo, subtree, di, drep,
6201 netlogon_dissect_BLOB_array, NDR_POINTER_UNIQUE2,
6202 "Pointer:", -1);
6203
6204 return offset;
6205}
6206
6207
6208
6209
6210static int
6211netlogon_dissect_WORKSTATION_INFO(tvbuff_t *tvb , int offset ,
6212 packet_info *pinfo , proto_tree *tree ,
6213 dcerpc_info *di, uint8_t *drep )
6214{
6215 /* This is not the good way to do it ... it stinks ...
6216 * but after half of a day fighting against wireshark and ndr ...
6217 * I decided to keep this hack ...
6218 * At least data are correctly displayed without invented ints ...
6219 */
6220 offset = netlogon_dissect_LSA_POLICY_INFO(tvb, offset,
6221 pinfo, tree, di, drep);
6222
6223 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6224 NDR_POINTER_UNIQUE2, "Workstation FQDN",
6225 hf_netlogon_workstation_fqdn, 0);
6226
6227 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6228 NDR_POINTER_UNIQUE2, "Workstation Site",
6229 hf_netlogon_workstation_site_name, 0);
6230
6231 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6232 NDR_POINTER_UNIQUE2, "Dummy 1", hf_netlogon_dummy_string, 0);
6233
6234 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6235 NDR_POINTER_UNIQUE2, "Dummy 2", hf_netlogon_dummy_string2, 0);
6236
6237 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6238 NDR_POINTER_UNIQUE2, "Dummy 3", hf_netlogon_dummy_string3, 0);
6239
6240 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6241 NDR_POINTER_UNIQUE2, "Dummy 4", hf_netlogon_dummy_string4, 0);
6242
6243 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6244 hf_netlogon_os_version, 0);
6245
6246 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6247 hf_netlogon_workstation_os, 0);
6248
6249 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6250 hf_netlogon_dummy_string3, 0);
6251
6252 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6253 hf_netlogon_dummy_string4, 0);
6254
6255 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6256 hf_netlogon_workstation_flags, NULL((void*)0));
6257
6258 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6259 hf_netlogon_supportedenctypes, NULL((void*)0));
6260
6261 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6262 hf_netlogon_dummy3_long, NULL((void*)0));
6263
6264 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6265 hf_netlogon_dummy4_long, NULL((void*)0));
6266 return offset;
6267}
6268
6269static int
6270netlogon_dissect_WORKSTATION_INFORMATION(tvbuff_t *tvb , int offset ,
6271 packet_info *pinfo , proto_tree *tree ,
6272 dcerpc_info *di, uint8_t *drep ) {
6273
6274 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6275 netlogon_dissect_WORKSTATION_INFO, NDR_POINTER_UNIQUE2,
6276 "WORKSTATION INFO", -1);
6277 return offset;
6278}
6279
6280static int
6281netlogon_dissect_DOMAIN_INFO(tvbuff_t *tvb, int offset,
6282 packet_info *pinfo, proto_tree *tree,
6283 dcerpc_info *di, uint8_t *drep)
6284{
6285 offset = netlogon_dissect_ONE_DOMAIN_INFO(tvb, offset, pinfo, tree, di, drep);
6286
6287 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6288 hf_netlogon_num_trusts, NULL((void*)0));
6289
6290 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6291 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE2,
6292 "DOMAIN_TRUST_ARRAY: Trusted domains", -1);
6293
6294 offset = netlogon_dissect_LSA_POLICY_INFO(tvb,offset,pinfo, tree,di,drep);
6295
6296/* offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6297 hf_netlogon_num_trusts, NULL);
6298
6299 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6300 netlogon_dissect_DOMAIN_TRUST_INFO, NDR_POINTER_UNIQUE,
6301 "LSA Policy", -1);
6302*/
6303 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6304 hf_netlogon_ad_client_dns_name, 0);
6305
6306 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6307 hf_netlogon_dummy_string2, 0);
6308
6309 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6310 hf_netlogon_dummy_string3, 0);
6311
6312 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
6313 hf_netlogon_dummy_string4, 0);
6314
6315 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6316 hf_netlogon_workstation_flags, NULL((void*)0));
6317
6318 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6319 hf_netlogon_supportedenctypes, NULL((void*)0));
6320
6321 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6322 hf_netlogon_dummy3_long, NULL((void*)0));
6323
6324 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6325 hf_netlogon_dummy4_long, NULL((void*)0));
6326
6327 return offset;
6328}
6329
6330
6331static int
6332netlogon_dissect_DOMAIN_INFORMATION(tvbuff_t *tvb, int offset,
6333 packet_info *pinfo, proto_tree *tree,
6334 dcerpc_info *di, uint8_t *drep)
6335{
6336 uint32_t level;
6337
6338 UNION_ALIGN_TO_5_BYTESdo { if (di->call_data->flags & 0x00000001) { { if (
di->call_data->flags & 0x00000001) { { if(!di->conformant_run
) { if(offset&0x07) { offset=(offset&0xfffffff8)+8; }
} }; } else { { if(!di->conformant_run) { if(offset&0x03
) { offset=(offset&0xfffffffc)+4; } } }; } }; } } while(0
)
;
6339 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_level, &level);
6340 UNION_ALIGN_TO_5_BYTESdo { if (di->call_data->flags & 0x00000001) { { if (
di->call_data->flags & 0x00000001) { { if(!di->conformant_run
) { if(offset&0x07) { offset=(offset&0xfffffff8)+8; }
} }; } else { { if(!di->conformant_run) { if(offset&0x03
) { offset=(offset&0xfffffffc)+4; } } }; } }; } } while(0
)
;
6341
6342 switch (level) {
6343 case 1:
6344 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6345 netlogon_dissect_DOMAIN_INFO, NDR_POINTER_UNIQUE2,
6346 "DOMAIN_INFO", -1);
6347 break;
6348 case 2:
6349 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6350 netlogon_dissect_LSA_POLICY_INFO, NDR_POINTER_UNIQUE2,
6351 "LSA_POLICY_INFO", -1);
6352 break;
6353 }
6354
6355 return offset;
6356}
6357
6358static int
6359netlogon_dissect_netr_CryptPassword(tvbuff_t *tvb, int offset,
6360 packet_info *pinfo, proto_tree *parent_tree,
6361 dcerpc_info *di, uint8_t *drep)
6362{
6363 int ret_offset = offset + 516;
6364 proto_item *item=NULL((void*)0);
6365 proto_tree *tree=NULL((void*)0);
6366 netlogon_auth_vars *vars = NULL((void*)0);
6367 uint32_t pw_len;
6368 char *pw = NULL((void*)0);
6369 uint32_t confounder_len;
6370 bool_Bool version_present = false0;
6371
6372 /*
6373 * We have
6374 * uint16 array[256];
6375 * uint32 length;
6376 *
6377 * All these 516 bytes are potentially encrypted.
6378 *
6379 * The unencrypted length is in bytes in
6380 * instead of uint16 units, so it's a multiple
6381 * of 2 and it should be smaller than 512 -
6382 * SIZEOF(NL_PASSWORD_VERSION), so it's 500
6383 * as SIZEOF(NL_PASSWORD_VERSION) is 12.
6384 * The confounder should also be there with
6385 * a few bytes.
6386 *
6387 * Real clients typically use 28 or 240,
6388 * which means 14 or 120 uint16 characters.
6389 *
6390 * So if the value is larger than 500 or
6391 * bit 1 is set it's very likely an
6392 * encrypted value.
6393 */
6394 tvb_ensure_bytes_exist(tvb, offset, 516);
6395
6396 if(parent_tree){
6397 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 516,
6398 ett_netr_CryptPassword, &item,
6399 "netr_CryptPassword:");
6400 }
6401
6402 vars = find_global_netlogon_auth_vars(pinfo, 0);
6403 pw_len = tvb_get_uint32(tvb, offset+512, DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
6404 if (pw_len > 500 || pw_len & 0x1) {
6405 gcry_error_t err;
6406 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
6407 uint8_t *buffer = NULL((void*)0);
6408 tvbuff_t *dectvb = NULL((void*)0);
6409
6410 proto_tree_add_bytes_format(tree, hf_netlogon_blob,
6411 tvb, offset, 516, NULL((void*)0),
6412 "Encrypted netr_CryptPassword");
6413
6414 if (vars == NULL((void*)0)) {
6415 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
6416 &ei_netlogon_session_key,
6417 "No session key found");
6418 return ret_offset;
6419 }
6420
6421 err = prepare_session_key_cipher(vars, &cipher_hd);
6422 if (err != 0) {
6423 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
6424 &ei_netlogon_session_key,
6425 "Decryption not possible (%s/%s) with "
6426 "session key learned in frame %d ("
6427 "%02x%02x%02x%02x"
6428 ") from %s",
6429 gcry_strsource(err),
6430 gcry_strerror(err),
6431 vars->auth_fd_num,
6432 vars->session_key[0] & 0xFF,
6433 vars->session_key[1] & 0xFF,
6434 vars->session_key[2] & 0xFF,
6435 vars->session_key[3] & 0xFF,
6436 vars->nthash.key_origin);
6437 ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 6438, __func__,
"GCRY: prepare_session_key_cipher %s/%s\n", gcry_strsource(err
), gcry_strerror(err)); } } while (0)
6438 gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 6438, __func__,
"GCRY: prepare_session_key_cipher %s/%s\n", gcry_strsource(err
), gcry_strerror(err)); } } while (0)
;
6439 return ret_offset;
6440 }
6441
6442 buffer = (uint8_t*)tvb_memdup(pinfo->pool, tvb, offset, 516);
6443 if (buffer == NULL((void*)0)) {
6444 gcry_cipher_close(cipher_hd);
6445 return ret_offset;
6446 }
6447
6448 err = gcry_cipher_decrypt(cipher_hd, buffer, 516, NULL((void*)0), 0);
6449 gcry_cipher_close(cipher_hd);
6450 if (err != 0) {
6451 ws_warning("GCRY: gcry_cipher_decrypt %s/%s\n",do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 6452, __func__,
"GCRY: gcry_cipher_decrypt %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
6452 gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 6452, __func__,
"GCRY: gcry_cipher_decrypt %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
6453 return ret_offset;
6454 }
6455
6456 dectvb = tvb_new_child_real_data(tvb, buffer, 516, 516);
6457 if (dectvb == NULL((void*)0)) {
6458 return ret_offset;
6459 }
6460
6461 pw_len = tvb_get_uint32(dectvb, 512, DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
6462 if ((pw_len > 500) || (pw_len & 0x1)) {
6463 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
6464 &ei_netlogon_session_key,
6465 "Unusable session key learned in frame %d ("
6466 "%02x%02x%02x%02x"
6467 ") from %s",
6468 vars->auth_fd_num,
6469 vars->session_key[0] & 0xFF,
6470 vars->session_key[1] & 0xFF,
6471 vars->session_key[2] & 0xFF,
6472 vars->session_key[3] & 0xFF,
6473 vars->nthash.key_origin);
6474 return ret_offset;
6475 }
6476
6477 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
6478 &ei_netlogon_session_key,
6479 "Used session key learned in frame %d ("
6480 "%02x%02x%02x%02x"
6481 ") from %s",
6482 vars->auth_fd_num,
6483 vars->session_key[0] & 0xFF,
6484 vars->session_key[1] & 0xFF,
6485 vars->session_key[2] & 0xFF,
6486 vars->session_key[3] & 0xFF,
6487 vars->nthash.key_origin);
6488 add_new_data_source(pinfo, dectvb, "netr_CryptPassword (Decrypted)");
6489 tvb = dectvb;
6490 offset = 0;
6491 proto_tree_add_bytes_format(tree, hf_netlogon_blob,
6492 tvb, offset, 516, NULL((void*)0),
6493 "Decrypted netr_CryptPassword");
6494 } else {
6495 proto_tree_add_bytes_format(tree, hf_netlogon_blob,
6496 tvb, offset, 516, NULL((void*)0),
6497 "Unencryption netr_CryptPassword");
6498 if (vars != NULL((void*)0)) {
6499 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
6500 &ei_netlogon_session_key,
6501 "Not encrypted with session key learned in frame %d ("
6502 "%02x%02x%02x%02x"
6503 ") from %s",
6504 vars->auth_fd_num,
6505 vars->session_key[0] & 0xFF,
6506 vars->session_key[1] & 0xFF,
6507 vars->session_key[2] & 0xFF,
6508 vars->session_key[3] & 0xFF,
6509 vars->nthash.key_origin);
6510 } else {
6511 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
6512 &ei_netlogon_session_key,
6513 "Not encrypted and no session key found nor needed");
6514 }
6515 }
6516
6517 confounder_len = 512 - pw_len;
6518 if (confounder_len >= 12) {
6519 uint32_t voffset = confounder_len - 12;
6520 uint32_t rf;
6521 uint32_t vp;
6522
6523 rf = tvb_get_uint32(tvb, voffset+0, DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
6524 vp = tvb_get_uint32(tvb, voffset+8, DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
6525 if (rf == 0 && vp == 0x02231968) {
6526 confounder_len -= 12;
6527 version_present = true1;
6528 }
6529 }
6530
6531 if (confounder_len > 0) {
6532 proto_tree_add_bytes_format(tree, hf_netlogon_blob,
6533 tvb, offset, confounder_len,
6534 NULL((void*)0), "Confounder: %"PRIu32"u"" byte%s",
6535 confounder_len,
6536 plurality(confounder_len, "", "s")((confounder_len) == 1 ? ("") : ("s")));
6537 offset += confounder_len;
6538 }
6539
6540 if (version_present) {
6541 proto_item *vitem=NULL((void*)0);
6542 proto_tree *vtree=NULL((void*)0);
6543
6544 if (tree) {
6545 vtree = proto_tree_add_subtree(tree, tvb, offset, 12,
6546 ett_NL_PASSWORD_VERSION, &vitem,
6547 "NL_PASSWORD_VERSION:");
6548 }
6549
6550 offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
6551 hf_netlogon_password_version_reserved, NULL((void*)0));
6552 offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
6553 hf_netlogon_password_version_number, NULL((void*)0));
6554 offset = dissect_ndr_uint32(tvb, offset, pinfo, vtree, di, drep,
6555 hf_netlogon_password_version_present, NULL((void*)0));
6556 }
6557
6558 proto_tree_add_bytes_format(tree, hf_netlogon_blob,
6559 tvb, offset, pw_len, NULL((void*)0),
6560 "Raw Password Bytes: %"PRIu32"u"" byte%s",
6561 pw_len,
6562 plurality(pw_len, "", "s")((pw_len) == 1 ? ("") : ("s")));
6563 pw = (char *)tvb_get_string_enc(pinfo->pool, tvb, offset, pw_len,
6564 ENC_UTF_160x00000004|DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
6565 proto_tree_add_string(tree, hf_netlogon_new_password, tvb, offset,
6566 pw_len, pw);
6567 offset += pw_len;
6568
6569 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
Value stored to 'offset' is never read
6570 hf_netlogon_len, NULL((void*)0));
6571
6572 return ret_offset;
6573}
6574
6575static int
6576netlogon_dissect_element_844_byte(tvbuff_t *tvb, int offset,
6577 packet_info *pinfo, proto_tree *tree,
6578 dcerpc_info *di, uint8_t *drep)
6579{
6580 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6581 hf_netlogon_unknown_char, NULL((void*)0));
6582
6583 return offset;
6584}
6585
6586static int
6587netlogon_dissect_element_844_array(tvbuff_t *tvb, int offset,
6588 packet_info *pinfo, proto_tree *tree,
6589 dcerpc_info *di, uint8_t *drep)
6590{
6591 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6592 netlogon_dissect_element_844_byte);
6593
6594 return offset;
6595}
6596
6597static int
6598netlogon_dissect_TYPE_50(tvbuff_t *tvb, int offset,
6599 packet_info *pinfo, proto_tree *parent_tree,
6600 dcerpc_info *di, uint8_t *drep)
6601{
6602 proto_item *item=NULL((void*)0);
6603 proto_tree *tree=NULL((void*)0);
6604 int old_offset=offset;
6605
6606 if(parent_tree){
6607 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
6608 ett_TYPE_50, &item, "TYPE_50:");
6609 }
6610
6611 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6612 hf_netlogon_unknown_long, NULL((void*)0));
6613
6614 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6615 netlogon_dissect_element_844_array, NDR_POINTER_UNIQUE2,
6616 "unknown", hf_netlogon_unknown_string);
6617
6618 proto_item_set_len(item, offset-old_offset);
6619 return offset;
6620}
6621
6622static int
6623netlogon_dissect_TYPE_50_ptr(tvbuff_t *tvb, int offset,
6624 packet_info *pinfo, proto_tree *tree,
6625 dcerpc_info *di, uint8_t *drep)
6626{
6627 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6628 netlogon_dissect_TYPE_50, NDR_POINTER_UNIQUE2,
6629 "TYPE_50 pointer: unknown_TYPE_50", -1);
6630
6631 return offset;
6632}
6633
6634static int
6635netlogon_dissect_DS_DOMAIN_TRUSTS(tvbuff_t *tvb, int offset,
6636 packet_info *pinfo, proto_tree *parent_tree, dcerpc_info *di, uint8_t *drep)
6637{
6638 uint32_t tmp;
6639 proto_item *item=NULL((void*)0);
6640 proto_tree *tree=NULL((void*)0);
6641 int old_offset=offset;
6642
6643 if(parent_tree){
6644 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
6645 ett_DS_DOMAIN_TRUSTS, NULL((void*)0), "DS_DOMAIN_TRUSTS");
6646 }
6647
6648 /* name */
6649 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6650 NDR_POINTER_UNIQUE2, "NetBIOS Name",
6651 hf_netlogon_downlevel_domain_name, 0);
6652
6653 /* domain */
6654 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6655 NDR_POINTER_UNIQUE2, "DNS Domain Name",
6656 hf_netlogon_dns_domain_name, 0);
6657
6658 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
6659
6660 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6661 hf_netlogon_trust_parent_index, &tmp);
6662
6663 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6664 hf_netlogon_trust_type, &tmp);
6665
6666 offset = netlogon_dissect_DOMAIN_TRUST_ATTRIBS(tvb, offset, pinfo, tree, di, drep);
6667
6668 /* SID pointer */
6669 offset = dissect_ndr_nt_PSID(tvb, offset, pinfo, tree, di, drep);
6670
6671 /* GUID */
6672 offset = dissect_nt_GUID(tvb, offset, pinfo, tree, di, drep);
6673
6674 proto_item_set_len(item, offset-old_offset);
6675 return offset;
6676}
6677
6678static int
6679netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY(tvbuff_t *tvb, int offset,
6680 packet_info *pinfo, proto_tree *tree,
6681 dcerpc_info *di, uint8_t *drep)
6682{
6683 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6684 netlogon_dissect_DS_DOMAIN_TRUSTS);
6685
6686 return offset;
6687}
6688
6689static int
6690netlogon_dissect_element_865_byte(tvbuff_t *tvb, int offset,
6691 packet_info *pinfo, proto_tree *tree,
6692 dcerpc_info *di, uint8_t *drep)
6693{
6694 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6695 hf_netlogon_unknown_char, NULL((void*)0));
6696
6697 return offset;
6698}
6699
6700static int
6701netlogon_dissect_element_865_array(tvbuff_t *tvb, int offset,
6702 packet_info *pinfo, proto_tree *tree,
6703 dcerpc_info *di, uint8_t *drep)
6704{
6705 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6706 netlogon_dissect_element_865_byte);
6707
6708 return offset;
6709}
6710
6711static int
6712netlogon_dissect_element_866_byte(tvbuff_t *tvb, int offset,
6713 packet_info *pinfo, proto_tree *tree,
6714 dcerpc_info *di, uint8_t *drep)
6715{
6716 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
6717 hf_netlogon_unknown_char, NULL((void*)0));
6718
6719 return offset;
6720}
6721
6722static int
6723netlogon_dissect_element_866_array(tvbuff_t *tvb, int offset,
6724 packet_info *pinfo, proto_tree *tree,
6725 dcerpc_info *di, uint8_t *drep)
6726{
6727 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
6728 netlogon_dissect_element_866_byte);
6729
6730 return offset;
6731}
6732
6733static int
6734netlogon_dissect_TYPE_52(tvbuff_t *tvb, int offset,
6735 packet_info *pinfo, proto_tree *parent_tree,
6736 dcerpc_info *di, uint8_t *drep)
6737{
6738 proto_item *item=NULL((void*)0);
6739 proto_tree *tree=NULL((void*)0);
6740 int old_offset=offset;
6741
6742 if(parent_tree){
6743 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
6744 ett_TYPE_52, &item, "TYPE_52:");
6745 }
6746
6747 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6748 hf_netlogon_unknown_long, NULL((void*)0));
6749
6750 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6751 netlogon_dissect_element_865_array, NDR_POINTER_UNIQUE2,
6752 "unknown", hf_netlogon_unknown_string);
6753
6754 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6755 netlogon_dissect_element_866_array, NDR_POINTER_UNIQUE2,
6756 "unknown", hf_netlogon_unknown_string);
6757
6758 proto_item_set_len(item, offset-old_offset);
6759 return offset;
6760}
6761
6762static int
6763netlogon_dissect_TYPE_52_ptr(tvbuff_t *tvb, int offset,
6764 packet_info *pinfo, proto_tree *tree,
6765 dcerpc_info *di, uint8_t *drep)
6766{
6767 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6768 netlogon_dissect_TYPE_52, NDR_POINTER_UNIQUE2,
6769 "TYPE_52 pointer: unknown_TYPE_52", -1);
6770 return offset;
6771}
6772
6773
6774static int
6775netlogon_dissect_Capabilities(tvbuff_t *tvb, int offset,
6776 packet_info *pinfo, proto_tree *parent_tree,
6777 dcerpc_info *di, uint8_t *drep)
6778{
6779 proto_item *item=NULL((void*)0);
6780 proto_tree *tree=NULL((void*)0);
6781 proto_item *pitem=NULL((void*)0);
6782 proto_item *nitem=NULL((void*)0);
6783 int old_offset=offset;
6784 uint32_t level = 0;
6785
6786 if(parent_tree){
6787 pitem = proto_tree_get_parent(parent_tree);
6788 tree = proto_tree_add_subtree(parent_tree, tvb, offset, 0,
6789 ett_CAPABILITIES, &item,
6790 "Capabilities");
6791 }
6792
6793 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6794 hf_netlogon_level, &level);
6795
6796 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
6797 switch(level){
6798 case 1: {
6799 uint32_t flags;
6800 dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, -1, &flags);
6801 nitem = netlogon_dissect_neg_options(tvb,tree,flags,offset);
6802 proto_item_set_text(nitem, "NegotiatedFlags: 0x%08x", flags);
6803 proto_item_set_text(item, "ServerCapabilities");
6804 proto_item_append_text(pitem, ": ServerCapabilities");
6805 offset +=4;
6806 }
6807 break;
6808 case 2: {
6809 uint32_t flags;
6810 dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, -1, &flags);
6811 nitem = netlogon_dissect_neg_options(tvb,tree,flags,offset);
6812 proto_item_set_text(nitem, "RequestedFlags: 0x%08x", flags);
6813 proto_item_set_text(item, "RequestedFlags");
6814 proto_item_append_text(pitem, ": RequestedFlags");
6815 offset +=4;
6816 }
6817 break;
6818 }
6819
6820 proto_item_set_len(item, offset-old_offset);
6821 return offset;
6822}
6823
6824static int
6825netlogon_dissect_WORKSTATION_BUFFER(tvbuff_t *tvb, int offset,
6826 packet_info *pinfo, proto_tree *tree,
6827 dcerpc_info *di, uint8_t *drep)
6828{
6829 uint32_t level;
6830
6831 UNION_ALIGN_TO_5_BYTESdo { if (di->call_data->flags & 0x00000001) { { if (
di->call_data->flags & 0x00000001) { { if(!di->conformant_run
) { if(offset&0x07) { offset=(offset&0xfffffff8)+8; }
} }; } else { { if(!di->conformant_run) { if(offset&0x03
) { offset=(offset&0xfffffffc)+4; } } }; } }; } } while(0
)
;
6832 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep, hf_netlogon_level, &level);
6833 UNION_ALIGN_TO_5_BYTESdo { if (di->call_data->flags & 0x00000001) { { if (
di->call_data->flags & 0x00000001) { { if(!di->conformant_run
) { if(offset&0x07) { offset=(offset&0xfffffff8)+8; }
} }; } else { { if(!di->conformant_run) { if(offset&0x03
) { offset=(offset&0xfffffffc)+4; } } }; } }; } } while(0
)
;
6834
6835 switch (level) {
6836 case 1:
6837 case 2:
6838 offset = netlogon_dissect_WORKSTATION_INFORMATION(tvb, offset, pinfo, tree, di, drep);
6839 break;
6840 }
6841
6842 return offset;
6843}
6844
6845static int
6846netlogon_dissect_netrenumeratetrusteddomains_rqst(tvbuff_t *tvb, int offset,
6847 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6848{
6849 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6850 pinfo, tree, di, drep);
6851
6852 return offset;
6853}
6854
6855
6856static int
6857netlogon_dissect_netrenumeratetrusteddomains_reply(tvbuff_t *tvb, int offset,
6858 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6859{
6860 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6861 netlogon_dissect_UNICODE_MULTI, NDR_POINTER_REF1,
6862 "UNICODE_MULTI pointer: trust_dom_name_list", -1);
6863
6864 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6865 hf_netlogon_dos_rc, NULL((void*)0));
6866
6867 return offset;
6868}
6869
6870static int
6871netlogon_dissect_dsrgetdcname_rqst(tvbuff_t *tvb, int offset,
6872 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6873{
6874 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6875 pinfo, tree, di, drep);
6876
6877 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6878 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_logon_dom, 0);
6879
6880 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6881 dissect_nt_GUID, NDR_POINTER_UNIQUE2,
6882 "GUID pointer: domain_guid", -1);
6883
6884 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6885 dissect_nt_GUID, NDR_POINTER_UNIQUE2,
6886 "GUID pointer: site_guid", -1);
6887
6888 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6889 hf_netlogon_flags, NULL((void*)0));
6890
6891 return offset;
6892}
6893
6894
6895static int
6896netlogon_dissect_dsrgetdcname_reply(tvbuff_t *tvb, int offset,
6897 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6898{
6899 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6900 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE2,
6901 "DOMAIN_CONTROLLER_INFO:", -1);
6902
6903 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6904 hf_netlogon_dos_rc, NULL((void*)0));
6905
6906 return offset;
6907}
6908
6909static int
6910netlogon_dissect_netrlogondummyroutine1_rqst(tvbuff_t *tvb, int offset,
6911 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6912{
6913 uint32_t level = 0;
6914 proto_item *litem = NULL((void*)0);
6915
6916 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6917 NDR_POINTER_REF1, "Server Handle",
6918 hf_netlogon_logonsrv_handle, 0);
6919
6920 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
6921 NDR_POINTER_UNIQUE2, "Computer Name",
6922 hf_netlogon_computer_name, 0);
6923
6924 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6925 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
6926 "AUTHENTICATOR: credential", -1);
6927
6928 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6929 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
6930 "AUTHENTICATOR: return_authenticator", -1);
6931
6932 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6933 -1, &level);
6934 litem = proto_tree_add_item(tree, hf_netlogon_level, tvb, offset-4, 4,
6935 DREP_ENC_INTEGER(drep)(((drep)[0] & 0x10) ? 0x80000000 : 0x00000000));
6936 switch(level){
6937 case 1:
6938 proto_item_append_text(litem, " (ServerCapabilities)");
6939 break;
6940 case 2:
6941 proto_item_append_text(litem, " (RequestedFlags)");
6942 break;
6943 }
6944
6945 return offset;
6946}
6947
6948
6949static int
6950netlogon_dissect_netrlogondummyroutine1_reply(tvbuff_t *tvb, int offset,
6951 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6952{
6953 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6954 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
6955 "AUTHENTICATOR: return_authenticator", -1);
6956
6957 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
6958 netlogon_dissect_Capabilities, NDR_POINTER_REF1,
6959 "Capabilities", -1);
6960
6961 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6962 hf_netlogon_rc, NULL((void*)0));
6963
6964 return offset;
6965}
6966
6967static int
6968netlogon_dissect_netrlogonsetservicebits_rqst(tvbuff_t *tvb, int offset,
6969 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6970{
6971 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
6972 pinfo, tree, di, drep);
6973
6974 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6975 hf_netlogon_unknown_long, NULL((void*)0));
6976
6977 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
6978 hf_netlogon_unknown_long, NULL((void*)0));
6979
6980 return offset;
6981}
6982
6983
6984static int
6985netlogon_dissect_netrlogonsetservicebits_reply(tvbuff_t *tvb, int offset,
6986 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6987{
6988 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
6989 hf_netlogon_rc, NULL((void*)0));
6990
6991 return offset;
6992}
6993
6994
6995static int
6996netlogon_dissect_netrlogongettrustrid_rqst(tvbuff_t *tvb, int offset,
6997 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
6998{
6999 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7000 pinfo, tree, di, drep);
7001
7002 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7003 NDR_POINTER_UNIQUE2, "unknown string",
7004 hf_netlogon_unknown_string, 0);
7005
7006 return offset;
7007}
7008
7009
7010static int
7011netlogon_dissect_netrlogongettrustrid_reply(tvbuff_t *tvb, int offset,
7012 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7013{
7014 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7015 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE2,
7016 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
7017
7018 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7019 hf_netlogon_rc, NULL((void*)0));
7020
7021 return offset;
7022}
7023
7024
7025static int
7026netlogon_dissect_netrlogoncomputeserverdigest_rqst(tvbuff_t *tvb, int offset,
7027 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7028{
7029 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7030 pinfo, tree, di, drep);
7031
7032 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7033 hf_netlogon_unknown_long, NULL((void*)0));
7034
7035 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7036 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE2,
7037 "BYTE pointer: unknown_BYTE", -1);
7038
7039 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7040 hf_netlogon_unknown_long, NULL((void*)0));
7041
7042 return offset;
7043}
7044
7045static int
7046netlogon_dissect_BYTE_16_array(tvbuff_t *tvb, int offset,
7047 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7048{
7049 int i;
7050
7051 for(i=0;i<16;i++){
7052 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
7053 hf_netlogon_unknown_char, NULL((void*)0));
7054 }
7055
7056 return offset;
7057}
7058
7059static int
7060netlogon_dissect_netrlogoncomputeserverdigest_reply(tvbuff_t *tvb, int offset,
7061 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7062{
7063 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7064 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE2,
7065 "BYTE pointer: unknown_BYTE", -1);
7066
7067 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7068 hf_netlogon_rc, NULL((void*)0));
7069
7070 return offset;
7071}
7072
7073static int
7074netlogon_dissect_netrlogoncomputeclientdigest_rqst(tvbuff_t *tvb, int offset,
7075 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7076{
7077 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7078 pinfo, tree, di, drep);
7079
7080 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7081 NDR_POINTER_UNIQUE2, "unknown string",
7082 hf_netlogon_unknown_string, 0);
7083
7084 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7085 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE2,
7086 "BYTE pointer: unknown_BYTE", -1);
7087
7088 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7089 hf_netlogon_unknown_long, NULL((void*)0));
7090
7091 return offset;
7092}
7093
7094
7095static int
7096netlogon_dissect_netrlogoncomputeclientdigest_reply(tvbuff_t *tvb, int offset,
7097 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7098{
7099 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7100 netlogon_dissect_BYTE_16_array, NDR_POINTER_UNIQUE2,
7101 "BYTE pointer: unknown_BYTE", -1);
7102
7103 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7104 hf_netlogon_rc, NULL((void*)0));
7105
7106 return offset;
7107}
7108
7109static proto_item *
7110netlogon_dissect_neg_options(tvbuff_t *tvb,proto_tree *tree,uint32_t flags,int offset)
7111{
7112 static int * const hf_flags[] = {
7113 &hf_netlogon_neg_flags_80000000,
7114 &hf_netlogon_neg_flags_40000000,
7115 &hf_netlogon_neg_flags_20000000,
7116#if 0
7117 &hf_netlogon_neg_flags_10000000,
7118 &hf_netlogon_neg_flags_8000000,
7119 &hf_netlogon_neg_flags_4000000,
7120 &hf_netlogon_neg_flags_2000000,
7121 &hf_netlogon_neg_flags_800000,
7122 &hf_netlogon_neg_flags_400000,
7123#endif
7124 &hf_netlogon_neg_flags_1000000,
7125 &hf_netlogon_neg_flags_200000,
7126 &hf_netlogon_neg_flags_100000,
7127 &hf_netlogon_neg_flags_80000,
7128 &hf_netlogon_neg_flags_40000,
7129 &hf_netlogon_neg_flags_20000,
7130 &hf_netlogon_neg_flags_10000,
7131 &hf_netlogon_neg_flags_8000,
7132 &hf_netlogon_neg_flags_4000,
7133 &hf_netlogon_neg_flags_2000,
7134 &hf_netlogon_neg_flags_1000,
7135 &hf_netlogon_neg_flags_800,
7136 &hf_netlogon_neg_flags_400,
7137 &hf_netlogon_neg_flags_200,
7138 &hf_netlogon_neg_flags_100,
7139 &hf_netlogon_neg_flags_80,
7140 &hf_netlogon_neg_flags_40,
7141 &hf_netlogon_neg_flags_20,
7142 &hf_netlogon_neg_flags_10,
7143 &hf_netlogon_neg_flags_8,
7144 &hf_netlogon_neg_flags_4,
7145 &hf_netlogon_neg_flags_2,
7146 &hf_netlogon_neg_flags_1,
7147 NULL((void*)0)
7148 };
7149
7150 return proto_tree_add_bitmask_value_with_flags(tree, tvb, offset, hf_netlogon_neg_flags, ett_authenticate_flags, hf_flags, flags, BMT_NO_APPEND0x01);
7151}
7152
7153static int
7154netlogon_dissect_netrserverauthenticate3_rqst(tvbuff_t *tvb, int offset,
7155 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7156{
7157 uint32_t flags;
7158 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7159 pinfo, tree, di, drep);
7160 ALIGN_TO_5_BYTES{ if (di->call_data->flags & 0x00000001) { { if(!di
->conformant_run) { if(offset&0x07) { offset=(offset&
0xfffffff8)+8; } } }; } else { { if(!di->conformant_run) {
if(offset&0x03) { offset=(offset&0xfffffffc)+4; } } }
; } }
7161
7162 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7163 NDR_POINTER_REF1, "Acct Name", hf_netlogon_acct_name, 0);
7164
7165 if (di->call_data->flags & DCERPC_IS_NDR640x00000001) {
7166 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
7167 } else {
7168 ALIGN_TO_2_BYTES{ if(!di->conformant_run) { if(offset&0x01) { offset=(
offset&0xfffffffe)+2; } } }
7169 }
7170
7171 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
7172 pinfo, tree, di, drep);
7173
7174 ALIGN_TO_5_BYTES{ if (di->call_data->flags & 0x00000001) { { if(!di
->conformant_run) { if(offset&0x07) { offset=(offset&
0xfffffff8)+8; } } }; } else { { if(!di->conformant_run) {
if(offset&0x03) { offset=(offset&0xfffffffc)+4; } } }
; } }
7175
7176 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7177 NDR_POINTER_REF1, "Computer Name", hf_netlogon_computer_name, 0);
7178
7179 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
7180 hf_client_credential, NULL((void*)0));
7181#if 0
7182 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7183 netlogon_dissect_CREDENTIAL, NDR_POINTER_REF1,
7184 "Client Challenge", -1);
7185#endif
7186
7187#if 0
7188 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7189 hf_netlogon_neg_flags, NULL((void*)0));
7190#endif
7191 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
7192
7193 flags = tvb_get_letohl (tvb, offset);
7194 netlogon_dissect_neg_options(tvb,tree,flags,offset);
7195 seen.isseen = false0;
7196 seen.num = 0;
7197 offset +=4;
7198 return offset;
7199}
7200
7201static int
7202netlogon_dissect_netrserverauthenticatekerberos_rqst(tvbuff_t *tvb, int offset,
7203 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7204{
7205 netlogon_auth_vars *vars = NULL((void*)0);
7206 dcerpc_call_value *dcv = (dcerpc_call_value *)di->call_data;
7207 uint32_t flags;
7208 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7209 pinfo, tree, di, drep);
7210 ALIGN_TO_5_BYTES{ if (di->call_data->flags & 0x00000001) { { if(!di
->conformant_run) { if(offset&0x07) { offset=(offset&
0xfffffff8)+8; } } }; } else { { if(!di->conformant_run) {
if(offset&0x03) { offset=(offset&0xfffffffc)+4; } } }
; } }
7211
7212 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7213 NDR_POINTER_REF1, "Acct Name", hf_netlogon_acct_name, 0);
7214
7215 if (di->call_data->flags & DCERPC_IS_NDR640x00000001) {
7216 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
7217 } else {
7218 ALIGN_TO_2_BYTES{ if(!di->conformant_run) { if(offset&0x01) { offset=(
offset&0xfffffffe)+2; } } }
7219 }
7220
7221 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
7222 pinfo, tree, di, drep);
7223
7224 ALIGN_TO_5_BYTES{ if (di->call_data->flags & 0x00000001) { { if(!di
->conformant_run) { if(offset&0x07) { offset=(offset&
0xfffffff8)+8; } } }; } else { { if(!di->conformant_run) {
if(offset&0x03) { offset=(offset&0xfffffffc)+4; } } }
; } }
7225
7226 dcv = (dcerpc_call_value *)di->call_data;
7227 offset = dissect_ndr_pointer_cb(
7228 tvb, offset, pinfo, tree, di, drep,
7229 dissect_ndr_wchar_cvstring, NDR_POINTER_REF1,
7230 "Computer Name", hf_netlogon_computer_name,
7231 cb_wstr_postprocess,
7232 GINT_TO_POINTER(CB_STR_COL_INFO |CB_STR_SAVE | 1)((gpointer) (glong) (0x10000000 |0x20000000 | 1)));
7233
7234 ws_debug("1)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data),offset,(char*)dcv->private_data)do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7234, __func__,
"1)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data
),offset,(char*)dcv->private_data); } } while (0)
;
7235 vars = create_global_netlogon_auth_vars(pinfo, (char*)dcv->private_data, 0);
7236 ws_debug("2)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data),offset,vars->client_name)do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7236, __func__,
"2)Len %d offset %d txt %s",(int) strlen((char *)dcv->private_data
),offset,vars->client_name); } } while (0)
;
7237
7238 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
7239
7240 flags = tvb_get_letohl (tvb, offset);
7241 netlogon_dissect_neg_options(tvb,tree,flags,offset);
7242 seen.isseen = false0;
7243 seen.num = 0;
7244 offset +=4;
7245
7246 vars->flags = flags;
7247
7248 return offset;
7249}
7250
7251/*
7252 * IDL long NetrServerAuthenticate2(
7253 * IDL [in][string][unique] wchar_t *logonserver,
7254 * IDL [in][ref][string] wchar_t *username,
7255 * IDL [in] short secure_channel_type,
7256 * IDL [in][ref][string] wchar_t *computername,
7257 * IDL [in][ref] CREDENTIAL *client_chal,
7258 * IDL [out][ref] CREDENTIAL *server_chal,
7259 * IDL [in][out][ref] long *negotiate_flags,
7260 * IDL );
7261 */
7262static int
7263netlogon_dissect_netrserverauthenticate2_rqst(tvbuff_t *tvb, int offset,
7264 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7265{
7266 return netlogon_dissect_netrserverauthenticate3_rqst(tvb,offset,pinfo,tree,di,drep);
7267}
7268
7269static int
7270netlogon_dissect_netrserverauthenticate023_reply(tvbuff_t *tvb, int offset,
7271 packet_info *pinfo,
7272 proto_tree *tree,
7273 dcerpc_info *di,
7274 uint8_t *drep,
7275 int version)
7276{
7277 uint32_t flags = 0;
7278 netlogon_auth_vars *vars;
7279 uint64_t server_cred;
7280
7281 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, tree, drep,
7282 hf_server_credential, &server_cred);
7283
7284 if (version >= 2) {
7285 flags = tvb_get_letohl (tvb, offset);
7286 netlogon_dissect_neg_options(tvb,tree,flags,offset);
7287 offset +=4;
7288 }
7289 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
7290 if (version >= 3) {
7291 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
7292 hf_server_rid, NULL((void*)0));
7293 }
7294 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7295 hf_netlogon_rc, NULL((void*)0));
7296
7297 vars = find_tmp_netlogon_auth_vars(pinfo, 1);
7298 if(vars != NULL((void*)0)) {
7299 ws_debug("Found some vars (ie. server/client challenges), let's see if I can get a session key")do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7299, __func__,
"Found some vars (ie. server/client challenges), let's see if I can get a session key"
); } } while (0)
;
7300 {
7301 md4_pass *pass_list=NULL((void*)0);
7302 const md4_pass *used_md4 = NULL((void*)0);
7303 const char *used_method = NULL((void*)0);
7304 uint32_t list_size = 0;
7305 unsigned int i = 0;
7306 md4_pass password;
7307 uint8_t session_key[16];
7308 int found = 0;
7309
7310 vars->flags = flags;
7311 vars->can_decrypt = false0;
7312 list_size = get_md4pass_list(pinfo->pool, &pass_list);
7313 ws_debug("Found %d passwords ",list_size)do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7313, __func__,
"Found %d passwords ",list_size); } } while (0)
;
7314 if( flags & NETLOGON_FLAG_AES0x1000000 )
7315 {
7316 uint8_t salt_buf[16] = { 0 };
7317 uint8_t sha256[HASH_SHA2_256_LENGTH32];
7318 uint64_t calculated_cred;
7319
7320 memcpy(&salt_buf[0], (uint8_t*)&vars->client_challenge, 8);
7321 memcpy(&salt_buf[8], (uint8_t*)&vars->server_challenge, 8);
7322
7323 used_method = "AES";
7324 ws_log_buffer((uint8_t*)&vars->client_challenge, 8, "Client challenge")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7324, __func__,
(uint8_t*)&vars->client_challenge, 8, 36, "Client challenge"
? "Client challenge" : "(uint8_t*)&vars->client_challenge"
); } } while (0)
;
7325 ws_log_buffer((uint8_t*)&vars->server_challenge, 8, "Server challenge")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7325, __func__,
(uint8_t*)&vars->server_challenge, 8, 36, "Server challenge"
? "Server challenge" : "(uint8_t*)&vars->server_challenge"
); } } while (0)
;
7326 ws_log_buffer((uint8_t*)&server_cred, 8, "Server creds")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7326, __func__,
(uint8_t*)&server_cred, 8, 36, "Server creds" ? "Server creds"
: "(uint8_t*)&server_cred"); } } while (0)
;
7327 for(i=0;i<list_size;i++)
7328 {
7329 used_md4 = &pass_list[i];
7330 password = pass_list[i];
7331 ws_log_buffer((uint8_t*)&password, 16, "NTHASH")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7331, __func__,
(uint8_t*)&password, 16, 36, "NTHASH" ? "NTHASH" : "(uint8_t*)&password"
); } } while (0)
;
7332 if (!ws_hmac_buffer(GCRY_MD_SHA256, sha256, salt_buf, sizeof(salt_buf), (uint8_t*) &password, 16)) {
7333 gcry_error_t err;
7334 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
7335 uint8_t iv[16] = { 0 };
7336
7337 /* truncate the session key to 16 bytes */
7338 memcpy(session_key, sha256, 16);
7339 ws_log_buffer((uint8_t*)session_key, 16, "Session Key")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7339, __func__,
(uint8_t*)session_key, 16, 36, "Session Key" ? "Session Key"
: "(uint8_t*)session_key"); } } while (0)
;
7340
7341 /* Open the cipher */
7342 err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CFB8, 0);
7343 if (err != 0) {
7344 ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7344, __func__,
"GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
7345 break;
7346 }
7347
7348 /* Set the initial value */
7349 err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
7350 if (err != 0) {
7351 ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7351, __func__,
"GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
7352 gcry_cipher_close(cipher_hd);
7353 break;
7354 }
7355
7356 /* Set the key */
7357 err = gcry_cipher_setkey(cipher_hd, session_key, 16);
7358 if (err != 0) {
7359 ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7359, __func__,
"GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
7360 gcry_cipher_close(cipher_hd);
7361 break;
7362 }
7363
7364 calculated_cred = 0x1234567812345678;
7365 err = gcry_cipher_encrypt(cipher_hd,
7366 (uint8_t *)&calculated_cred, 8,
7367 (const uint8_t *)&vars->server_challenge, 8);
7368 if (err != 0) {
7369 ws_warning("GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7369, __func__,
"GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(
err)); } } while (0)
;
7370 gcry_cipher_close(cipher_hd);
7371 break;
7372 }
7373
7374 /* Done with the cipher */
7375 gcry_cipher_close(cipher_hd);
7376
7377 ws_log_buffer((uint8_t*)&calculated_cred, 8, "Calculated creds")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7377, __func__,
(uint8_t*)&calculated_cred, 8, 36, "Calculated creds" ? "Calculated creds"
: "(uint8_t*)&calculated_cred"); } } while (0)
;
7378
7379 if(calculated_cred==server_cred) {
7380 found = 1;
7381 break;
7382 }
7383 }
7384 }
7385 } else if ( flags & NETLOGON_FLAG_STRONGKEY0x4000 ) {
7386 uint8_t zeros[4] = { 0 };
7387 uint8_t md5[HASH_MD5_LENGTH16] = { 0 };
7388 gcry_md_hd_t md5_handle;
7389 uint8_t buf[8] = { 0 };
7390 uint64_t calculated_cred;
7391
7392 used_method = "MD5";
7393 if (!gcry_md_open(&md5_handle, GCRY_MD_MD5, 0)) {
7394 gcry_md_write(md5_handle, zeros, 4);
7395 gcry_md_write(md5_handle, (uint8_t*)&vars->client_challenge, 8);
7396 gcry_md_write(md5_handle, (uint8_t*)&vars->server_challenge, 8);
7397 memcpy(md5, gcry_md_read(md5_handle, 0), 16);
7398 gcry_md_close(md5_handle);
7399 }
7400 ws_log_buffer(md5, 8, "MD5")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7400, __func__,
md5, 8, 36, "MD5" ? "MD5" : "md5"); } } while (0)
;
7401 ws_log_buffer((uint8_t*)&vars->client_challenge, 8, "Client challenge")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7401, __func__,
(uint8_t*)&vars->client_challenge, 8, 36, "Client challenge"
? "Client challenge" : "(uint8_t*)&vars->client_challenge"
); } } while (0)
;
7402 ws_log_buffer((uint8_t*)&vars->server_challenge, 8, "Server challenge")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7402, __func__,
(uint8_t*)&vars->server_challenge, 8, 36, "Server challenge"
? "Server challenge" : "(uint8_t*)&vars->server_challenge"
); } } while (0)
;
7403 ws_log_buffer((uint8_t*)&server_cred, 8, "Server creds")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7403, __func__,
(uint8_t*)&server_cred, 8, 36, "Server creds" ? "Server creds"
: "(uint8_t*)&server_cred"); } } while (0)
;
7404 for(i=0;i<list_size;i++)
7405 {
7406 used_md4 = &pass_list[i];
7407 password = pass_list[i];
7408 if (!ws_hmac_buffer(GCRY_MD_MD5, session_key, md5, HASH_MD5_LENGTH16, (uint8_t*) &password, 16)) {
7409 crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key);
7410 crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7);
7411 ws_log_buffer((uint8_t*)&calculated_cred, 8, "Calculated creds")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7411, __func__,
(uint8_t*)&calculated_cred, 8, 36, "Calculated creds" ? "Calculated creds"
: "(uint8_t*)&calculated_cred"); } } while (0)
;
7412 if(calculated_cred==server_cred) {
7413 found = 1;
7414 break;
7415 }
7416 }
7417 }
7418 }
7419 else
7420 {
7421 uint32_t c1 = (uint32_t)(vars->client_challenge & UINT32_MAX(4294967295U));
7422 uint32_t c2 = (uint32_t)((vars->client_challenge >> 32) & UINT32_MAX(4294967295U));
7423 uint32_t s1 = (uint32_t)(vars->server_challenge & UINT32_MAX(4294967295U));
7424 uint32_t s2 = (uint32_t)((vars->server_challenge >> 32) & UINT32_MAX(4294967295U));
7425 uint32_t sum1 = c1 + s1;
7426 uint32_t sum2 = c2 + s2;
7427 uint64_t sum = (uint64_t)sum1 | ((uint64_t)sum2 << 32);
7428
7429 used_method = "DES";
7430 ws_log_buffer((uint8_t*)&sum, 8,"SUM for DES")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7430, __func__,
(uint8_t*)&sum, 8, 36, "SUM for DES" ? "SUM for DES" : "(uint8_t*)&sum"
); } } while (0)
;
7431 ws_log_buffer((uint8_t*)&vars->client_challenge,8,"Client challenge")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7431, __func__,
(uint8_t*)&vars->client_challenge, 8, 36, "Client challenge"
? "Client challenge" : "(uint8_t*)&vars->client_challenge"
); } } while (0)
;
7432 ws_log_buffer((uint8_t*)&vars->server_challenge,8,"Server challenge")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7432, __func__,
(uint8_t*)&vars->server_challenge, 8, 36, "Server challenge"
? "Server challenge" : "(uint8_t*)&vars->server_challenge"
); } } while (0)
;
7433 ws_log_buffer((uint8_t*)&server_cred,8,"Server creds")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7433, __func__,
(uint8_t*)&server_cred, 8, 36, "Server creds" ? "Server creds"
: "(uint8_t*)&server_cred"); } } while (0)
;
7434 for(i=0;i<list_size;i++)
7435 {
7436 uint8_t buf[8] = { 0 };
7437 uint64_t calculated_cred;
7438
7439 memset(session_key, 0, 16);
7440
7441 used_md4 = &pass_list[i];
7442 crypt_des_ecb(buf, (unsigned char*)&sum, used_md4->md4);
7443 crypt_des_ecb((unsigned char*)session_key, buf, used_md4->md4+9);
7444
7445 crypt_des_ecb(buf,(unsigned char*)&vars->server_challenge,session_key);
7446 crypt_des_ecb((unsigned char*)&calculated_cred,buf,session_key+7);
7447 ws_log_buffer((uint8_t*)&calculated_cred,8,"Calculated creds")do { if (1) { ws_log_buffer_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7447, __func__,
(uint8_t*)&calculated_cred, 8, 36, "Calculated creds" ? "Calculated creds"
: "(uint8_t*)&calculated_cred"); } } while (0)
;
7448 if(calculated_cred==server_cred) {
7449 found = 1;
7450 break;
7451 }
7452 }
7453 }
7454 if(found) {
7455 vars->nthash = *used_md4;
7456 vars->auth_fd_num = pinfo->num;
7457 memcpy(&vars->session_key,session_key,16);
7458 ws_debug("Found the good session key !")do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7458, __func__,
"Found the good session key !"); } } while (0)
;
7459 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
7460 &ei_netlogon_auth_nthash,
7461 "%s authenticated using %s (%02x%02x%02x%02x...)",
7462 used_method, used_md4->key_origin,
7463 used_md4->md4[0] & 0xFF, used_md4->md4[1] & 0xFF,
7464 used_md4->md4[2] & 0xFF, used_md4->md4[3] & 0xFF);
7465 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
7466 &ei_netlogon_session_key,
7467 "session key ("
7468 "%02x%02x%02x%02x"
7469 "%02x%02x%02x%02x"
7470 "%02x%02x%02x%02x"
7471 "%02x%02x%02x%02x"
7472 ")",
7473 session_key[0] & 0xFF, session_key[1] & 0xFF,
7474 session_key[2] & 0xFF, session_key[3] & 0xFF,
7475 session_key[4] & 0xFF, session_key[5] & 0xFF,
7476 session_key[6] & 0xFF, session_key[7] & 0xFF,
7477 session_key[8] & 0xFF, session_key[9] & 0xFF,
7478 session_key[10] & 0xFF, session_key[11] & 0xFF,
7479 session_key[12] & 0xFF, session_key[13] & 0xFF,
7480 session_key[14] & 0xFF, session_key[15] & 0xFF);
7481 }
7482 else {
7483 ws_debug("Session key not found !")do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7483, __func__,
"Session key not found !"); } } while (0)
;
7484 memset(&vars->session_key,0,16);
7485 }
7486 }
7487 }
7488
7489 return offset;
7490}
7491
7492static int
7493netlogon_dissect_netrserverauthenticate3_reply(tvbuff_t *tvb, int offset,
7494 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7495{
7496 return netlogon_dissect_netrserverauthenticate023_reply(tvb,offset,pinfo,tree,di,drep,3);
7497}
7498
7499static int
7500netlogon_dissect_netrserverauthenticate2_reply(tvbuff_t *tvb, int offset,
7501 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7502{
7503 return netlogon_dissect_netrserverauthenticate023_reply(tvb,offset,pinfo,tree,di,drep,2);
7504}
7505
7506static int
7507netlogon_dissect_netrserverauthenticatekerberos_reply(tvbuff_t *tvb, int offset,
7508 packet_info *pinfo,
7509 proto_tree *tree,
7510 dcerpc_info *di,
7511 uint8_t *drep)
7512{
7513 netlogon_auth_vars *vars = NULL((void*)0);
7514 uint32_t flags = 0;
7515
7516 flags = tvb_get_letohl (tvb, offset);
7517 netlogon_dissect_neg_options(tvb,tree,flags,offset);
7518 offset +=4;
7519 ALIGN_TO_4_BYTES{ if(!di->conformant_run) { if(offset&0x03) { offset=(
offset&0xfffffffc)+4; } } }
;
7520 offset = dissect_dcerpc_uint32(tvb, offset, pinfo, tree, drep,
7521 hf_server_rid, NULL((void*)0));
7522 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7523 hf_netlogon_rc, NULL((void*)0));
7524
7525 vars = find_tmp_netlogon_auth_vars(pinfo, 1);
7526 if (vars != NULL((void*)0)) {
7527 vars->flags = flags;
7528 snprintf(vars->nthash.key_origin, NTLMSSP_MAX_ORIG_LEN256,
7529 "ServerAuthenticateKerberos(%s) at frame %u",
7530 vars->client_name, pinfo->num);
7531 vars->auth_fd_num = pinfo->num;
7532 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
7533 &ei_netlogon_session_key,
7534 "zero session key");
7535 } else {
7536 ws_debug("ServerAuthenticateKerberos request not found !")do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7536, __func__,
"ServerAuthenticateKerberos request not found !"); } } while
(0)
;
7537 }
7538
7539 return offset;
7540}
7541
7542
7543static int
7544netlogon_dissect_dsrgetdcnameex_rqst(tvbuff_t *tvb, int offset,
7545 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7546{
7547 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7548 pinfo, tree, di, drep);
7549
7550 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7551 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_logon_dom, 0);
7552
7553 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7554 dissect_nt_GUID, NDR_POINTER_UNIQUE2,
7555 "GUID pointer: domain_guid", -1);
7556
7557 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7558 NDR_POINTER_UNIQUE2, "Site Name", hf_netlogon_site_name, 0);
7559
7560 offset = netlogon_dissect_GET_DCNAME_REQUEST_FLAGS(tvb, offset, pinfo, tree, di, drep);
7561
7562 return offset;
7563}
7564
7565
7566static int
7567netlogon_dissect_dsrgetdcnameex_reply(tvbuff_t *tvb, int offset,
7568 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7569{
7570 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7571 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE2,
7572 "DOMAIN_CONTROLLER_INFO:", -1);
7573
7574 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7575 hf_netlogon_rc, NULL((void*)0));
7576
7577 return offset;
7578}
7579
7580static int
7581netlogon_dissect_dsrgetsitename_rqst(tvbuff_t *tvb, int offset,
7582 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7583{
7584 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7585 pinfo, tree, di, drep);
7586
7587 return offset;
7588}
7589
7590
7591static int
7592netlogon_dissect_dsrgetsitename_reply(tvbuff_t *tvb, int offset,
7593 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7594{
7595
7596 /* XXX hmmm this does not really look like a UNIQUE pointer but
7597 will do for now. I think it is really a 32bit integer followed by
7598 a REF pointer to a unicode string */
7599 offset = dissect_ndr_pointer_cb(tvb, offset, pinfo, tree, di, drep,
7600 dissect_ndr_wchar_cvstring, NDR_POINTER_UNIQUE2, "Site Name",
7601 hf_netlogon_site_name, cb_wstr_postprocess,
7602 GINT_TO_POINTER(CB_STR_COL_INFO | 1)((gpointer) (glong) (0x10000000 | 1)));
7603
7604 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7605 hf_netlogon_dos_rc, NULL((void*)0));
7606
7607 return offset;
7608}
7609
7610static int
7611netlogon_dissect_netrlogongetdomaininfo_rqst(tvbuff_t *tvb, int offset,
7612 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7613{
7614 /* Unlike the other NETLOGON RPCs, this is not a unique pointer. */
7615 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7616 NDR_POINTER_REF1, "Server Handle", hf_netlogon_computer_name, 0);
7617 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7618 NDR_POINTER_UNIQUE2, "Computer Name",
7619 hf_netlogon_computer_name, 0);
7620
7621 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7622 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7623 "AUTHENTICATOR: client", -1);
7624
7625 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7626 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7627 "AUTHENTICATOR: return_authenticator", -1);
7628 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7629 hf_netlogon_level, NULL((void*)0));
7630 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7631 netlogon_dissect_WORKSTATION_BUFFER, NDR_POINTER_REF1,
7632 "WORKSTATION_BUFFER", -1);
7633 return offset;
7634}
7635
7636
7637static int
7638netlogon_dissect_netrlogongetdomaininfo_reply(tvbuff_t *tvb, int offset,
7639 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7640{
7641 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7642 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7643 "AUTHENTICATOR: return_authenticator", -1);
7644
7645 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7646 netlogon_dissect_DOMAIN_INFORMATION, NDR_POINTER_REF1,
7647 "DOMAIN_INFORMATION", -1);
7648
7649 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7650 hf_netlogon_rc, NULL((void*)0));
7651
7652 return offset;
7653}
7654
7655static int
7656netlogon_dissect_netrserverpasswordset2_rqst(tvbuff_t *tvb, int offset,
7657 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7658{
7659 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7660 pinfo, tree, di, drep);
7661
7662 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7663 NDR_POINTER_REF1, "Acct Name",
7664 hf_netlogon_acct_name, 0);
7665
7666 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
7667 pinfo, tree, di, drep);
7668
7669 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7670 NDR_POINTER_REF1, "Computer Name",
7671 hf_netlogon_computer_name, 0);
7672
7673 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7674 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7675 "AUTHENTICATOR: credential", -1);
7676
7677 offset = netlogon_dissect_netr_CryptPassword(tvb, offset,
7678 pinfo, tree, di, drep);
7679
7680 return offset;
7681}
7682
7683
7684static int
7685netlogon_dissect_netrserverpasswordset2_reply(tvbuff_t *tvb, int offset,
7686 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7687{
7688 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7689 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7690 "AUTHENTICATOR: return_authenticator", -1);
7691
7692 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7693 hf_netlogon_rc, NULL((void*)0));
7694
7695 return offset;
7696}
7697
7698static int
7699netlogon_dissect_netrserverpasswordget_rqst(tvbuff_t *tvb, int offset,
7700 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7701{
7702 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7703 pinfo, tree, di, drep);
7704
7705 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7706 NDR_POINTER_UNIQUE2, "Acct Name", hf_netlogon_acct_name, 0);
7707
7708 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
7709 pinfo, tree, di, drep);
7710
7711 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7712 NDR_POINTER_UNIQUE2, "Computer Name",
7713 hf_netlogon_computer_name, 0);
7714
7715 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7716 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7717 "AUTHENTICATOR: credential", -1);
7718
7719 return offset;
7720}
7721
7722
7723static int
7724netlogon_dissect_netrserverpasswordget_reply(tvbuff_t *tvb, int offset,
7725 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7726{
7727 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7728 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7729 "AUTHENTICATOR: return_authenticator", -1);
7730
7731 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7732 netlogon_dissect_LM_OWF_PASSWORD, NDR_POINTER_REF1,
7733 "LM_OWF_PASSWORD pointer: server_pwd", -1);
7734
7735 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7736 hf_netlogon_rc, NULL((void*)0));
7737
7738 return offset;
7739}
7740
7741#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010800 /* 1.8.0 */
7742static gcry_error_t prepare_session_key_cipher_aes(netlogon_auth_vars *vars,
7743 gcry_cipher_hd_t *_cipher_hd)
7744{
7745 gcry_error_t err;
7746 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
7747 uint8_t iv[16] = { 0 };
7748
7749 /* Open the cipher */
7750 err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CFB8, 0);
7751 if (err != 0) {
7752 ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7752, __func__,
"GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
7753 return err;
7754 }
7755
7756 /* Set the initial value */
7757 err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
7758 if (err != 0) {
7759 ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7759, __func__,
"GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
7760 gcry_cipher_close(cipher_hd);
7761 return err;
7762 }
7763
7764 /* Set the key */
7765 err = gcry_cipher_setkey(cipher_hd, vars->session_key, 16);
7766 if (err != 0) {
7767 ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7767, __func__,
"GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
7768 gcry_cipher_close(cipher_hd);
7769 return err;
7770 }
7771
7772 *_cipher_hd = cipher_hd;
7773 return 0;
7774}
7775#endif
7776
7777static gcry_error_t prepare_session_key_cipher_strong(netlogon_auth_vars *vars,
7778 gcry_cipher_hd_t *_cipher_hd)
7779{
7780 gcry_error_t err;
7781 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
7782
7783 /* Open the cipher */
7784 err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
7785 if (err != 0) {
7786 ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7786, __func__,
"GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
7787 return err;
7788 }
7789
7790 /* Set the key */
7791 err = gcry_cipher_setkey(cipher_hd, vars->session_key, 16);
7792 if (err != 0) {
7793 ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7793, __func__,
"GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
7794 gcry_cipher_close(cipher_hd);
7795 return err;
7796 }
7797
7798 *_cipher_hd = cipher_hd;
7799 return 0;
7800}
7801
7802static gcry_error_t prepare_session_key_cipher(netlogon_auth_vars *vars,
7803 gcry_cipher_hd_t *_cipher_hd)
7804{
7805 *_cipher_hd = NULL((void*)0);
7806
7807#if GCRYPT_VERSION_NUMBER0x010a03 >= 0x010800 /* 1.8.0 */
7808 if (vars->flags & NETLOGON_FLAG_AES0x1000000) {
7809 return prepare_session_key_cipher_aes(vars, _cipher_hd);
7810 }
7811#endif
7812
7813 if (vars->flags & NETLOGON_FLAG_STRONGKEY0x4000) {
7814 return prepare_session_key_cipher_strong(vars, _cipher_hd);
7815 }
7816
7817 return GPG_ERR_UNSUPPORTED_ALGORITHM;
7818}
7819
7820static int
7821netlogon_dissect_opaque_buffer_block(tvbuff_t *tvb, int offset, int length,
7822 packet_info *pinfo, proto_tree *tree,
7823 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
7824{
7825 int orig_offset = offset;
7826 unsigned char is_server = 0;
7827 netlogon_auth_vars *vars;
7828 gcry_error_t err;
7829 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
7830 uint8_t *buffer = NULL((void*)0);
7831 tvbuff_t *dectvb = NULL((void*)0);
7832 uint32_t expected_len;
7833 uint32_t decrypted_len;
7834
7835 proto_tree_add_item(tree, di->hf_index, tvb, offset, length, ENC_NA0x00000000);
7836 offset += length;
7837
7838 if (length < 8) {
7839 return offset;
7840 }
7841
7842 vars = find_global_netlogon_auth_vars(pinfo, is_server);
7843 if (vars == NULL((void*)0) ) {
7844 ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 7844, __func__,
"Vars not found %d (packet_data)",wmem_map_size(netlogon_auths
)); } } while (0)
;
7845 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
7846 &ei_netlogon_session_key,
7847 "No session key found");
7848 return offset;
7849 }
7850
7851 err = prepare_session_key_cipher(vars, &cipher_hd);
7852 if (err != 0) {
7853 ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7854, __func__,
"GCRY: prepare_session_key_cipher %s/%s\n", gcry_strsource(err
), gcry_strerror(err)); } } while (0)
7854 gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7854, __func__,
"GCRY: prepare_session_key_cipher %s/%s\n", gcry_strsource(err
), gcry_strerror(err)); } } while (0)
;
7855 return offset;
7856 }
7857
7858 buffer = (uint8_t*)tvb_memdup(pinfo->pool, tvb, orig_offset, length);
7859 if (buffer == NULL((void*)0)) {
7860 gcry_cipher_close(cipher_hd);
7861 return offset;
7862 }
7863
7864 err = gcry_cipher_decrypt(cipher_hd, buffer, length, NULL((void*)0), 0);
7865 gcry_cipher_close(cipher_hd);
7866 if (err != 0) {
7867 ws_warning("GCRY: prepare_session_key_cipher %s/%s\n",do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7868, __func__,
"GCRY: prepare_session_key_cipher %s/%s\n", gcry_strsource(err
), gcry_strerror(err)); } } while (0)
7868 gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 7868, __func__,
"GCRY: prepare_session_key_cipher %s/%s\n", gcry_strsource(err
), gcry_strerror(err)); } } while (0)
;
7869 return offset;
7870 }
7871
7872 dectvb = tvb_new_child_real_data(tvb, buffer, length, length);
7873 if (dectvb == NULL((void*)0)) {
7874 return offset;
7875 }
7876
7877 expected_len = length - 8;
7878 decrypted_len = tvb_get_letohl(dectvb, 4);
7879 if (decrypted_len != expected_len) {
7880 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
7881 &ei_netlogon_session_key,
7882 "Unusable session key learned in frame %d ("
7883 "%02x%02x%02x%02x"
7884 ") from %s",
7885 vars->auth_fd_num,
7886 vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
7887 vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
7888 vars->nthash.key_origin);
7889 return offset;
7890 }
7891
7892 expert_add_info_format(pinfo, proto_tree_get_parent(tree),
7893 &ei_netlogon_session_key,
7894 "Using session key learned in frame %d ("
7895 "%02x%02x%02x%02x"
7896 ") from %s",
7897 vars->auth_fd_num,
7898 vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
7899 vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
7900 vars->nthash.key_origin);
7901
7902 add_new_data_source(pinfo, dectvb, "OpaqueBuffer (Decrypted)");
7903
7904 proto_tree_add_item(tree, hf_netlogon_opaque_buffer_dec, dectvb, 0, length, ENC_NA0x00000000);
7905 return offset;
7906}
7907
7908static int
7909netlogon_dissect_opaque_buffer(tvbuff_t *tvb, int offset,
7910 packet_info *pinfo, proto_tree *tree,
7911 dcerpc_info *di, uint8_t *drep)
7912{
7913 offset = dissect_ndr_ucarray_block(tvb, offset, pinfo, tree, di, drep,
7914 netlogon_dissect_opaque_buffer_block);
7915
7916 return offset;
7917}
7918
7919/*
7920 * IDL long NetrLogonSendToSam(
7921 * IDL [in][unique][string] wchar_t *ServerName,
7922 * IDL [in][ref][string] wchar_t *Workstation,
7923 * IDL [in][ref] AUTHENTICATOR *credential,
7924 * IDL [in][out][ref] AUTHENTICATOR *returnauthenticator,
7925 * IDL [in, size_is(OpaqueBufferSize)][ref] UCHAR * OpaqueBuffer,
7926 * IDL [in] ULONG OpaqueBufferSize
7927 * IDL );
7928 */
7929static int
7930netlogon_dissect_netrlogonsendtosam_rqst(tvbuff_t *tvb, int offset,
7931 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7932{
7933 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7934 pinfo, tree, di, drep);
7935
7936 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
7937 NDR_POINTER_REF1, "Computer Name",
7938 hf_netlogon_computer_name, 0);
7939
7940 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7941 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7942 "AUTHENTICATOR: credential", -1);
7943
7944 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7945 netlogon_dissect_opaque_buffer, NDR_POINTER_REF1,
7946 "OpaqueBuffer", hf_netlogon_opaque_buffer_enc);
7947
7948 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7949 hf_netlogon_opaque_buffer_size, NULL((void*)0));
7950
7951 return offset;
7952}
7953
7954
7955static int
7956netlogon_dissect_netrlogonsendtosam_reply(tvbuff_t *tvb, int offset,
7957 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7958{
7959 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7960 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
7961 "AUTHENTICATOR: return_authenticator", -1);
7962
7963 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7964 hf_netlogon_rc, NULL((void*)0));
7965
7966 return offset;
7967}
7968
7969static int
7970netlogon_dissect_dsraddresstositenamesw_rqst(tvbuff_t *tvb, int offset,
7971 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7972{
7973 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
7974 pinfo, tree, di, drep);
7975
7976 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
7977 hf_netlogon_unknown_long, NULL((void*)0));
7978
7979 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7980 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE2,
7981 "BYTE pointer: unknown_BYTE", -1);
7982
7983 return offset;
7984}
7985
7986
7987static int
7988netlogon_dissect_dsraddresstositenamesw_reply(tvbuff_t *tvb, int offset,
7989 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
7990{
7991 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
7992 netlogon_dissect_TYPE_50_ptr, NDR_POINTER_UNIQUE2,
7993 "TYPE_50** pointer: unknown_TYPE_50", -1);
7994
7995 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
7996 hf_netlogon_rc, NULL((void*)0));
7997
7998 return offset;
7999}
8000
8001static int
8002netlogon_dissect_dsrgetdcnameex2_rqst(tvbuff_t *tvb, int offset,
8003 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8004{
8005 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8006 pinfo, tree, di, drep);
8007
8008 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8009 NDR_POINTER_UNIQUE2, "Client Account",
8010 hf_netlogon_acct_name, 0);
8011
8012 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8013 hf_netlogon_unknown_long, NULL((void*)0));
8014
8015 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8016 NDR_POINTER_UNIQUE2, "Client Account",
8017 hf_netlogon_logon_dom, 0);
8018
8019 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8020 dissect_nt_GUID, NDR_POINTER_UNIQUE2,
8021 "Domain GUID:", -1);
8022
8023 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8024 NDR_POINTER_UNIQUE2, "Client Site",
8025 hf_netlogon_site_name, 0);
8026
8027 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8028 hf_netlogon_unknown_long, NULL((void*)0));
8029
8030 return offset;
8031}
8032
8033
8034static int
8035netlogon_dissect_dsrgetdcnameex2_reply(tvbuff_t *tvb, int offset,
8036 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8037{
8038 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8039 netlogon_dissect_DOMAIN_CONTROLLER_INFO, NDR_POINTER_UNIQUE2,
8040 "DOMAIN_CONTROLLER_INFO:", -1);
8041
8042 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8043 hf_netlogon_dos_rc, NULL((void*)0));
8044
8045 return offset;
8046}
8047
8048static int
8049netlogon_dissect_netrlogongettimeserviceparentdomain_rqst(tvbuff_t *tvb, int offset,
8050 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8051{
8052 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8053 pinfo, tree, di, drep);
8054
8055 return offset;
8056}
8057
8058
8059static int
8060netlogon_dissect_netrlogongettimeserviceparentdomain_reply(tvbuff_t *tvb, int offset,
8061 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8062{
8063 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8064 NDR_POINTER_UNIQUE2, "unknown string",
8065 hf_netlogon_unknown_string, 0);
8066
8067 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8068 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE2,
8069 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
8070
8071 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8072 hf_netlogon_rc, NULL((void*)0));
8073
8074 return offset;
8075}
8076
8077static int
8078netlogon_dissect_netrenumeratetrusteddomainsex_rqst(tvbuff_t *tvb, int offset,
8079 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8080{
8081 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8082 pinfo, tree, di, drep);
8083
8084 return offset;
8085}
8086
8087static int
8088netlogon_dissect_netrenumeratetrusteddomainsex_reply(tvbuff_t *tvb, int offset,
8089 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8090{
8091 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8092 hf_netlogon_entries, NULL((void*)0));
8093
8094 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8095 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE2,
8096 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
8097
8098 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8099 hf_netlogon_rc, NULL((void*)0));
8100
8101 return offset;
8102}
8103
8104static int
8105netlogon_dissect_dsraddresstositenamesexw_rqst(tvbuff_t *tvb, int offset,
8106 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8107{
8108 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8109 pinfo, tree, di, drep);
8110
8111 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8112 hf_netlogon_unknown_long, NULL((void*)0));
8113
8114 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8115 netlogon_dissect_BYTE_array, NDR_POINTER_UNIQUE2,
8116 "BYTE pointer: unknown_BYTE", -1);
8117
8118 return offset;
8119}
8120
8121
8122static int
8123netlogon_dissect_dsraddresstositenamesexw_reply(tvbuff_t *tvb, int offset,
8124 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8125{
8126 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8127 netlogon_dissect_TYPE_52_ptr, NDR_POINTER_UNIQUE2,
8128 "TYPE_52 pointer: unknown_TYPE_52", -1);
8129
8130 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8131 hf_netlogon_rc, NULL((void*)0));
8132
8133 return offset;
8134}
8135
8136
8137static int
8138netlogon_dissect_site_name_item(tvbuff_t *tvb, int offset,
8139 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8140{
8141 offset = dissect_ndr_counted_string_cb(
8142 tvb, offset, pinfo, tree, di, drep, hf_netlogon_site_name,
8143 cb_wstr_postprocess,
8144 GINT_TO_POINTER(CB_STR_COL_INFO | 1)((gpointer) (glong) (0x10000000 | 1)));
8145
8146 return offset;
8147}
8148static int
8149netlogon_dissect_site_name_array(tvbuff_t *tvb, int offset,
8150 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8151{
8152 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
8153 netlogon_dissect_site_name_item);
8154
8155 return offset;
8156}
8157
8158static int
8159netlogon_dissect_site_names(tvbuff_t *tvb, int offset,
8160 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8161{
8162 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8163 hf_netlogon_count, NULL((void*)0));
8164
8165 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8166 netlogon_dissect_site_name_array, NDR_POINTER_UNIQUE2,
8167 "Site name array", -1);
8168
8169 return offset;
8170}
8171
8172static int
8173netlogon_dissect_dsrgetdcsitecoveragew_rqst(tvbuff_t *tvb, int offset,
8174 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8175{
8176 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8177 pinfo, tree, di, drep);
8178
8179 return offset;
8180}
8181
8182
8183static int
8184netlogon_dissect_dsrgetdcsitecoveragew_reply(tvbuff_t *tvb, int offset,
8185 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8186{
8187 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8188 netlogon_dissect_site_names, NDR_POINTER_UNIQUE2,
8189 "Site names", -1);
8190
8191 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8192 hf_netlogon_rc, NULL((void*)0));
8193
8194 return offset;
8195}
8196
8197static int
8198netlogon_dissect_netrlogonsamlogonex_rqst(tvbuff_t *tvb, int offset,
8199 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8200{
8201
8202 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8203 NDR_POINTER_UNIQUE2, "LogonServer",
8204 hf_netlogon_computer_name, 0);
8205 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8206 NDR_POINTER_UNIQUE2, "Computer Name",
8207 hf_netlogon_computer_name, 0);
8208 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
8209 hf_netlogon_level16, NULL((void*)0));
8210 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8211 netlogon_dissect_LEVEL, NDR_POINTER_REF1,
8212 "LEVEL: LogonLevel", -1);
8213
8214 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
8215 hf_netlogon_validation_level, NULL((void*)0));
8216
8217 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
8218
8219#if 0
8220 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8221 NDR_POINTER_UNIQUE2, "unknown string",
8222 hf_netlogon_unknown_string, 0);
8223
8224 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8225 NDR_POINTER_UNIQUE2, "unknown string",
8226 hf_netlogon_unknown_string, 0);
8227
8228 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
8229 hf_netlogon_unknown_short, NULL((void*)0));
8230
8231 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8232 netlogon_dissect_LEVEL, NDR_POINTER_UNIQUE2,
8233 "LEVEL pointer: unknown_NETLOGON_LEVEL", -1);
8234
8235 offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, di, drep,
8236 hf_netlogon_unknown_short, NULL((void*)0));
8237
8238 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8239 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE2,
8240 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
8241#endif
8242 return offset;
8243}
8244
8245
8246static int
8247netlogon_dissect_netrlogonsamlogonex_reply(tvbuff_t *tvb, int offset,
8248 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8249{
8250 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8251 netlogon_dissect_VALIDATION, NDR_POINTER_REF1,
8252 "VALIDATION:", -1);
8253
8254 offset = dissect_ndr_uint8(tvb, offset, pinfo, tree, di, drep,
8255 hf_netlogon_authoritative, NULL((void*)0));
8256
8257 offset = netlogon_dissect_EXTRA_FLAGS(tvb, offset, pinfo, tree, di, drep);
8258
8259 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8260 hf_netlogon_rc, NULL((void*)0));
8261#if 0
8262 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8263 netlogon_dissect_VALIDATION, NDR_POINTER_UNIQUE2,
8264 "VALIDATION: unknown_NETLOGON_VALIDATION", -1);
8265
8266 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8267 netlogon_dissect_pointer_char, NDR_POINTER_UNIQUE2,
8268 "BOOLEAN pointer: unknown_BOOLEAN", hf_netlogon_unknown_char);
8269
8270 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8271 netlogon_dissect_pointer_long, NDR_POINTER_UNIQUE2,
8272 "ULONG pointer: unknown_ULONG", hf_netlogon_unknown_long);
8273
8274 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8275 hf_netlogon_rc, NULL((void*)0));
8276#endif
8277 return offset;
8278}
8279
8280static int
8281netlogon_dissect_netrservertrustpasswordsget_rqst(tvbuff_t *tvb,
8282 int offset,
8283 packet_info *pinfo,
8284 proto_tree *tree,
8285 dcerpc_info *di,
8286 uint8_t *drep)
8287{
8288 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8289 pinfo, tree, di, drep);
8290
8291 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8292 NDR_POINTER_REF1, "Acct Name",
8293 hf_netlogon_acct_name, 0);
8294
8295 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
8296 pinfo, tree, di, drep);
8297
8298 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8299 NDR_POINTER_REF1, "Computer Name",
8300 hf_netlogon_computer_name, 0);
8301
8302 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8303 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
8304 "AUTHENTICATOR: credential", -1);
8305
8306 return offset;
8307}
8308
8309static int
8310netlogon_dissect_netrservertrustpasswordsget_reply(tvbuff_t *tvb,
8311 int offset,
8312 packet_info *pinfo,
8313 proto_tree *tree,
8314 dcerpc_info *di,
8315 uint8_t *drep)
8316{
8317 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8318 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
8319 "AUTHENTICATOR: return_authenticator", -1);
8320
8321 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8322 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF1,
8323 "NT_OWF_PASSWORD pointer: new_password", -1);
8324
8325 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8326 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF1,
8327 "NT_OWF_PASSWORD pointer: old_password", -1);
8328
8329 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8330 hf_netlogon_rc, NULL((void*)0));
8331
8332 return offset;
8333}
8334
8335
8336static int
8337netlogon_dissect_netrservergettrustinfo_rqst(tvbuff_t *tvb,
8338 int offset,
8339 packet_info *pinfo,
8340 proto_tree *tree,
8341 dcerpc_info *di,
8342 uint8_t *drep)
8343{
8344 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8345 pinfo, tree, di, drep);
8346
8347 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8348 NDR_POINTER_REF1, "Acct Name",
8349 hf_netlogon_acct_name, 0);
8350
8351 offset = netlogon_dissect_NETLOGON_SECURE_CHANNEL_TYPE(tvb, offset,
8352 pinfo, tree, di, drep);
8353
8354 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8355 NDR_POINTER_REF1, "Computer Name",
8356 hf_netlogon_computer_name, 0);
8357
8358 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8359 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
8360 "AUTHENTICATOR: credential", -1);
8361
8362 return offset;
8363}
8364
8365static int
8366netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY(tvbuff_t *tvb, int offset,
8367 packet_info *pinfo _U___attribute__((unused)), proto_tree *tree,
8368 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
8369{
8370 if(di->conformant_run){
8371 /*just a run to handle conformant arrays, nothing to dissect.*/
8372 return offset;
8373 }
8374
8375 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
8376 netlogon_dissect_DOMAIN_TRUST_ATTRIBS);
8377
8378 return offset;
8379}
8380
8381static int
8382netlogon_dissect_NL_GENERIC_RPC_DATA_STRING(tvbuff_t *tvb, int offset,
8383 packet_info *pinfo _U___attribute__((unused)), proto_tree *tree,
8384 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
8385{
8386 if(di->conformant_run){
8387 /*just a run to handle conformant arrays, nothing to dissect.*/
8388 return offset;
8389 }
8390// TODO
8391 offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, di, drep,
8392 hf_netlogon_package_name, 0|CB_STR_SAVE0x20000000);
8393
8394 return offset;
8395}
8396
8397static int
8398netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY(tvbuff_t *tvb, int offset,
8399 packet_info *pinfo _U___attribute__((unused)), proto_tree *tree,
8400 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
8401{
8402 if(di->conformant_run){
8403 /*just a run to handle conformant arrays, nothing to dissect.*/
8404 return offset;
8405 }
8406
8407 offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, di, drep,
8408 netlogon_dissect_NL_GENERIC_RPC_DATA_STRING);
8409
8410 return offset;
8411}
8412
8413static int
8414netlogon_dissect_NL_GENERIC_RPC_DATA(tvbuff_t *tvb, int offset,
8415 packet_info *pinfo _U___attribute__((unused)), proto_tree *parent_tree,
8416 dcerpc_info *di, uint8_t *drep _U___attribute__((unused)))
8417{
8418 proto_item *item=NULL((void*)0);
8419 proto_tree *tree=NULL((void*)0);
8420
8421 if(di->conformant_run){
8422 /*just a run to handle conformant arrays, nothing to dissect.*/
8423 return offset;
8424 }
8425
8426 if(parent_tree){
8427 tree = proto_tree_add_subtree(parent_tree, tvb, offset, -1,
8428 ett_NL_GENERIC_RPC_DATA, &item,
8429 "NL_GENERIC_RPC_DATA:");
8430 }
8431
8432 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8433 hf_netlogon_trust_len, NULL((void*)0));
8434
8435 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8436 netlogon_dissect_NL_GENERIC_RPC_DATA_UINT32_ARRAY,
8437 NDR_POINTER_UNIQUE2,
8438 "UINT32 ARRAY pointer: ", -1);
8439
8440 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8441 hf_netlogon_trust_len, NULL((void*)0));
8442
8443 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8444 netlogon_dissect_NL_GENERIC_RPC_DATA_STRING_ARRAY,
8445 NDR_POINTER_UNIQUE2,
8446 "STRING ARRAY pointer: ", -1);
8447
8448 return offset;
8449}
8450
8451static int
8452netlogon_dissect_netrservergettrustinfo_reply(tvbuff_t *tvb,
8453 int offset,
8454 packet_info *pinfo,
8455 proto_tree *tree,
8456 dcerpc_info *di,
8457 uint8_t *drep)
8458{
8459 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8460 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
8461 "AUTHENTICATOR: return_authenticator", -1);
8462
8463 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8464 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF1,
8465 "NT_OWF_PASSWORD pointer: new_password", -1);
8466
8467 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8468 netlogon_dissect_NT_OWF_PASSWORD, NDR_POINTER_REF1,
8469 "NT_OWF_PASSWORD pointer: old_password", -1);
8470
8471 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8472 netlogon_dissect_NL_GENERIC_RPC_DATA, NDR_POINTER_UNIQUE2,
8473 "NL_GENERIC_RPC_DATA pointer: trust_info", -1);
8474
8475 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8476 hf_netlogon_rc, NULL((void*)0));
8477
8478 return offset;
8479}
8480
8481static int
8482netlogon_dissect_dsrenumeratedomaintrusts_rqst(tvbuff_t *tvb, int offset,
8483 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8484{
8485 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8486 pinfo, tree, di, drep);
8487
8488 offset = netlogon_dissect_DOMAIN_TRUST_FLAGS(tvb, offset, pinfo, tree, di, drep);
8489
8490 return offset;
8491}
8492
8493
8494static int
8495netlogon_dissect_dsrenumeratedomaintrusts_reply(tvbuff_t *tvb, int offset,
8496 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8497{
8498 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8499 hf_netlogon_entries, NULL((void*)0));
8500
8501 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8502 netlogon_dissect_DS_DOMAIN_TRUSTS_ARRAY, NDR_POINTER_UNIQUE2,
8503 "DS_DOMAIN_TRUSTS_ARRAY:", -1);
8504
8505 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8506 hf_netlogon_dos_rc, NULL((void*)0));
8507
8508 return offset;
8509}
8510
8511static int
8512netlogon_dissect_dsrderegisterdnshostrecords_rqst(tvbuff_t *tvb, int offset,
8513 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8514{
8515 offset = netlogon_dissect_LOGONSRV_HANDLE(tvb, offset,
8516 pinfo, tree, di, drep);
8517
8518 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8519 NDR_POINTER_UNIQUE2, "Domain", hf_netlogon_logon_dom, 0);
8520
8521 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8522 dissect_nt_GUID, NDR_POINTER_UNIQUE2,
8523 "GUID pointer: domain_guid", -1);
8524
8525 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8526 dissect_nt_GUID, NDR_POINTER_UNIQUE2,
8527 "GUID pointer: dsa_guid", -1);
8528
8529 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8530 NDR_POINTER_REF1, "dns_host", hf_netlogon_dns_host, 0);
8531
8532 return offset;
8533}
8534
8535
8536static int
8537netlogon_dissect_dsrderegisterdnshostrecords_reply(tvbuff_t *tvb, int offset,
8538 packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
8539{
8540 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8541 hf_netlogon_rc, NULL((void*)0));
8542
8543 return offset;
8544}
8545
8546/*
8547 * TODO
8548 * IDL long NetrChainSetClientAttributes(
8549 * IDL );
8550
8551NetrChainSetClientAttributes(
8552[in,string,ref] LOGONSRV_HANDLE PrimaryName,
8553[in,string,ref] wchar_t * ChainedFromServerName,
8554[in,string,ref] wchar_t * ChainedForClientName,
8555[in,ref] PNETLOGON_AUTHENTICATOR Authenticator,
8556[in,out,ref] PNETLOGON_AUTHENTICATOR ReturnAuthenticator,
8557[in] DWORD dwInVersion,
8558[in,ref] [switch_is(dwInVersion)]
8559NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgIn,
8560[in,out,ref] DWORD * pdwOutVersion,
8561[in,out,ref] [switch_is(*pdwOutVersion)]
8562NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES *pmsgOut
8563);
8564
8565typedef struct _NL_OSVERSIONINFO_V1{
8566DWORD dwOSVersionInfoSize;
8567DWORD dwMajorVersion;
8568DWORD dwMinorVersion;
8569DWORD dwBuildNumber;
8570DWORD dwPlatformId;
8571wchar_t szCSDVersion[128];
8572USHORT wServicePackMajor;
8573USHORT wServicePackMinor;
8574USHORT wSuiteMask;
8575UCHAR wProductType;
8576UCHAR wReserved;
8577} NL_OSVERSIONINFO_V1;
8578typedef struct _NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8579[unique,string] wchar_t * ClientDnsHostName;
8580[unique] NL_OSVERSIONINFO_V1 *OsVersionInfo_V1;
8581[unique,string] wchar_t * OsName;
8582} NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8583typedef [switch_type(DWORD)] union{
8584[case(1)] NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8585} NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES;
8586typedef struct _NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1{
8587[unique,string] wchar_t *HubName;
8588[unique,string] wchar_t **OldDnsHostName;
8589[unique] ULONG * SupportedEncTypes;
8590} NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1;
8591typedef [switch_type(DWORD)] union{
8592[case(1)] NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES_V1 V1;
8593} NL_OUT_CHAIN_SET_CLIENT_ATTRIBUTES;
8594
8595static int
8596netlogon_dissect_NL_IN_CHAIN_SET_CLIENT_ATTRIBUTES(tvbuff_t *tvb, int offset,
8597 packet_info *pinfo, proto_tree *tree,
8598 dcerpc_info *di, uint8_t *drep)
8599{
8600 uint32_t level;
8601
8602 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8603 hf_netlogon_level, &level);
8604 switch (level) {
8605 case 1:
8606 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8607 netlogon_dissect_WORKSTATION_INFORMATION, NDR_POINTER_UNIQUE,
8608 "LSA POLICY INFO", -1);
8609 break;
8610 }
8611 return offset;
8612}
8613 */
8614static int
8615netlogon_dissect_netrchainsetclientattributes_rqst(tvbuff_t *tvb, int offset,
8616 packet_info *pinfo,
8617 proto_tree *tree,
8618 dcerpc_info *di,
8619 uint8_t *drep)
8620{
8621 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8622 NDR_POINTER_REF1, "Server Handle",
8623 hf_netlogon_logonsrv_handle, 0);
8624
8625 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8626 NDR_POINTER_REF1, "ChainedFromServerName",
8627 hf_netlogon_computer_name, 0);
8628
8629 offset = dissect_ndr_str_pointer_item(tvb, offset, pinfo, tree, di, drep,
8630 NDR_POINTER_REF1, "ChainedForClientName",
8631 hf_netlogon_computer_name, 0);
8632
8633 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8634 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
8635 "AUTHENTICATOR: credential", -1);
8636
8637 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8638 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
8639 "AUTHENTICATOR: return_authenticator", -1);
8640
8641 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8642 hf_netlogon_level, NULL((void*)0)); // in_version
8643
8644 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8645 NULL((void*)0), NDR_POINTER_REF1,
8646 "IN_CHAIN_SET_CLIENT_ATTRIBUTES", -1);
8647
8648 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8649 hf_netlogon_level, NULL((void*)0)); // out_version
8650
8651 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8652 NULL((void*)0), NDR_POINTER_REF1,
8653 "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);
8654
8655 return offset;
8656}
8657
8658static int
8659netlogon_dissect_netrchainsetclientattributes_reply(tvbuff_t *tvb, int offset,
8660 packet_info *pinfo,
8661 proto_tree *tree,
8662 dcerpc_info *di,
8663 uint8_t *drep)
8664{
8665 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8666 netlogon_dissect_AUTHENTICATOR, NDR_POINTER_REF1,
8667 "AUTHENTICATOR: return_authenticator", -1);
8668
8669 offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, di, drep,
8670 hf_netlogon_level, NULL((void*)0)); // out_version
8671
8672 offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, di, drep,
8673 NULL((void*)0), NDR_POINTER_REF1,
8674 "OUT_CHAIN_SET_CLIENT_ATTRIBUTES", -1);
8675
8676 offset = dissect_ntstatus(tvb, offset, pinfo, tree, di, drep,
8677 hf_netlogon_rc, NULL((void*)0));
8678
8679 return offset;
8680}
8681
8682/* Dissect secure channel stuff */
8683
8684static int hf_netlogon_secchan_nl_message_type;
8685static int hf_netlogon_secchan_nl_message_flags;
8686static int hf_netlogon_secchan_nl_message_flags_nb_domain;
8687static int hf_netlogon_secchan_nl_message_flags_nb_host;
8688static int hf_netlogon_secchan_nl_message_flags_dns_domain;
8689static int hf_netlogon_secchan_nl_message_flags_dns_host;
8690static int hf_netlogon_secchan_nl_message_flags_nb_host_utf8;
8691static int hf_netlogon_secchan_nl_nb_domain;
8692static int hf_netlogon_secchan_nl_nb_host;
8693static int hf_netlogon_secchan_nl_dns_domain;
8694static int hf_netlogon_secchan_nl_dns_host;
8695static int hf_netlogon_secchan_nl_nb_host_utf8;
8696
8697static int ett_secchan_verf;
8698static int ett_secchan_nl_auth_message;
8699static int ett_secchan_nl_auth_message_flags;
8700
8701static const value_string nl_auth_types[] = {
8702 { 0x00000000, "Request"},
8703 { 0x00000001, "Response"},
8704 { 0, NULL((void*)0) }
8705};
8706
8707
8708/* MS-NRPC : 2.2.1.3.1 NL_AUTH_MESSAGE */
8709static int dissect_secchan_nl_auth_message(tvbuff_t *tvb, int offset,
8710 packet_info *pinfo,
8711 proto_tree *tree, dcerpc_info *di _U___attribute__((unused)), uint8_t *drep)
8712{
8713 dcerpc_auth_info *auth_info = di->auth_info;
8714 proto_item *item = NULL((void*)0);
8715 proto_tree *subtree = NULL((void*)0);
8716 uint32_t messagetype;
8717 uint64_t messageflags;
8718 static int * const flag_fields[] = {
8719 &hf_netlogon_secchan_nl_message_flags_nb_domain,
8720 &hf_netlogon_secchan_nl_message_flags_nb_host,
8721 &hf_netlogon_secchan_nl_message_flags_dns_domain,
8722 &hf_netlogon_secchan_nl_message_flags_dns_host,
8723 &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
8724 NULL((void*)0)
8725 };
8726 int len;
8727 netlogon_auth_vars *vars = NULL((void*)0);
8728 unsigned char is_server;
8729
8730 if (tree) {
8731 subtree = proto_tree_add_subtree(
8732 tree, tvb, offset, -1, ett_secchan_nl_auth_message, &item,
8733 "Secure Channel NL_AUTH_MESSAGE");
8734 }
8735
8736 /* We can't use the NDR routines as the DCERPC call data hasn't
8737 been initialised since we haven't made a DCERPC call yet, just
8738 a bind request. */
8739
8740 /* Type */
8741 offset = dissect_dcerpc_uint32(
8742 tvb, offset, pinfo, subtree, drep,
8743 hf_netlogon_secchan_nl_message_type, &messagetype);
8744
8745 /* Flags */
8746 proto_tree_add_bitmask_ret_uint64(subtree, tvb, offset,
8747 hf_netlogon_secchan_nl_message_flags,
8748 ett_secchan_nl_auth_message_flags,
8749 flag_fields,
8750 (drep[0] & DREP_LITTLE_ENDIAN0x10) ?
8751 ENC_LITTLE_ENDIAN0x80000000 :
8752 ENC_BIG_ENDIAN0x00000000,
8753 &messageflags);
8754 offset += 4;
8755
8756
8757 /* Buffer */
8758 /* netbios domain name */
8759 if (messageflags&0x00000001) {
8760 len = tvb_strsize(tvb, offset);
8761 proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_domain, tvb, offset, len, ENC_ASCII0x00000000);
8762 offset += len;
8763 }
8764
8765 /* netbios host name */
8766 if (messageflags&0x00000002) {
8767 len = tvb_strsize(tvb, offset);
8768 proto_tree_add_item(subtree, hf_netlogon_secchan_nl_nb_host, tvb, offset, len, ENC_ASCII0x00000000);
8769 offset += len;
8770 }
8771
8772 /* DNS domain name */
8773 if (messageflags&0x00000004) {
8774 int old_offset=offset;
8775 char *str;
8776
8777 offset=dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &str);
8778 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_domain, tvb, old_offset, offset-old_offset, str);
8779 }
8780
8781 /* DNS host name */
8782 if (messageflags&0x00000008) {
8783 int old_offset=offset;
8784 char *str;
8785
8786 offset=dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &str);
8787 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_dns_host, tvb, old_offset, offset-old_offset, str);
8788 }
8789
8790 /* NetBios host name (UTF8) */
8791 if (messageflags&0x00000010) {
8792 int old_offset=offset;
8793 char *str;
8794
8795 offset=dissect_mscldap_string(pinfo->pool, tvb, offset, 255, &str);
8796 proto_tree_add_string(subtree, hf_netlogon_secchan_nl_nb_host_utf8, tvb, old_offset, offset-old_offset, str);
8797 }
8798
8799 switch (di->ptype) {
8800 case PDU_BIND11:
8801 case PDU_ALTER14:
8802 case PDU_AUTH316:
8803 is_server = 0;
8804 break;
8805 case PDU_BIND_ACK12:
8806 case PDU_BIND_NAK13:
8807 case PDU_ALTER_ACK15:
8808 case PDU_FAULT3:
8809 is_server = 1;
8810 break;
8811 default:
8812 return offset;
8813 }
8814
8815 vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
8816 if (vars != NULL((void*)0)) {
8817 expert_add_info_format(pinfo, proto_tree_get_parent(subtree),
8818 &ei_netlogon_session_key,
8819 "Using session key learned in frame %d ("
8820 "%02x%02x%02x%02x"
8821 ") from %s",
8822 vars->auth_fd_num,
8823 vars->session_key[0] & 0xFF,
8824 vars->session_key[1] & 0xFF,
8825 vars->session_key[2] & 0xFF,
8826 vars->session_key[3] & 0xFF,
8827 vars->nthash.key_origin);
8828 }
8829 else
8830 {
8831 ws_debug("Vars not found (is null %d) %d (dissect_verf)",vars==NULL,wmem_map_size(netlogon_auths))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 8831, __func__,
"Vars not found (is null %d) %d (dissect_verf)",vars==((void
*)0),wmem_map_size(netlogon_auths)); } } while (0)
;
8832 }
8833
8834 return offset;
8835}
8836
8837/* Subdissectors */
8838
8839static const dcerpc_sub_dissector dcerpc_netlogon_dissectors[] = {
8840 { NETLOGON_NETRLOGONUASLOGON0x00, "NetrLogonUasLogon",
8841 netlogon_dissect_netrlogonuaslogon_rqst,
8842 netlogon_dissect_netrlogonuaslogon_reply },
8843 { NETLOGON_NETRLOGONUASLOGOFF0x01, "NetrLogonUasLogoff",
8844 netlogon_dissect_netrlogonuaslogoff_rqst,
8845 netlogon_dissect_netrlogonuaslogoff_reply },
8846 { NETLOGON_NETRLOGONSAMLOGON0x02, "NetrLogonSamLogon",
8847 netlogon_dissect_netrlogonsamlogon_rqst,
8848 netlogon_dissect_netrlogonsamlogon_reply },
8849 { NETLOGON_NETRLOGONSAMLOGOFF0x03, "NetrLogonSamLogoff",
8850 netlogon_dissect_netrlogonsamlogoff_rqst,
8851 netlogon_dissect_netrlogonsamlogoff_reply },
8852 { NETLOGON_NETRSERVERREQCHALLENGE0x04, "NetrServerReqChallenge",
8853 netlogon_dissect_netrserverreqchallenge_rqst,
8854 netlogon_dissect_netrserverreqchallenge_reply },
8855 { NETLOGON_NETRSERVERAUTHENTICATE0x05, "NetrServerAuthenticate",
8856 netlogon_dissect_netrserverauthenticate_rqst,
8857 netlogon_dissect_netrserverauthenticate_reply },
8858 { NETLOGON_NETRSERVERPASSWORDSET0x06, "NetrServerPasswordSet",
8859 netlogon_dissect_netrserverpasswordset_rqst,
8860 netlogon_dissect_netrserverpasswordset_reply },
8861 { NETLOGON_NETRDATABASEDELTAS0x07, "NetrDatabaseDeltas",
8862 netlogon_dissect_netrdatabasedeltas_rqst,
8863 netlogon_dissect_netrdatabasedeltas_reply },
8864 { NETLOGON_NETRDATABASESYNC0x08, "NetrDatabaseSync",
8865 netlogon_dissect_netrdatabasesync_rqst,
8866 netlogon_dissect_netrdatabasesync_reply },
8867 { NETLOGON_NETRACCOUNTDELTAS0x09, "NetrAccountDeltas",
8868 netlogon_dissect_netraccountdeltas_rqst,
8869 netlogon_dissect_netraccountdeltas_reply },
8870 { NETLOGON_NETRACCOUNTSYNC0x0a, "NetrAccountSync",
8871 netlogon_dissect_netraccountsync_rqst,
8872 netlogon_dissect_netraccountsync_reply },
8873 { NETLOGON_NETRGETDCNAME0x0b, "NetrGetDCName",
8874 netlogon_dissect_netrgetdcname_rqst,
8875 netlogon_dissect_netrgetdcname_reply },
8876 { NETLOGON_NETRLOGONCONTROL0x0c, "NetrLogonControl",
8877 netlogon_dissect_netrlogoncontrol_rqst,
8878 netlogon_dissect_netrlogoncontrol_reply },
8879 { NETLOGON_NETRGETANYDCNAME0x0d, "NetrGetAnyDCName",
8880 netlogon_dissect_netrgetanydcname_rqst,
8881 netlogon_dissect_netrgetanydcname_reply },
8882 { NETLOGON_NETRLOGONCONTROL20x0e, "NetrLogonControl2",
8883 netlogon_dissect_netrlogoncontrol2_rqst,
8884 netlogon_dissect_netrlogoncontrol2_reply },
8885 { NETLOGON_NETRSERVERAUTHENTICATE20x0f, "NetrServerAuthenticate2",
8886 netlogon_dissect_netrserverauthenticate2_rqst,
8887 netlogon_dissect_netrserverauthenticate2_reply },
8888 { NETLOGON_NETRDATABASESYNC20x10, "NetrDatabaseSync2",
8889 netlogon_dissect_netrdatabasesync2_rqst,
8890 netlogon_dissect_netrdatabasesync2_reply },
8891 { NETLOGON_NETRDATABASEREDO0x11, "NetrDatabaseRedo",
8892 netlogon_dissect_netrdatabaseredo_rqst,
8893 netlogon_dissect_netrdatabaseredo_reply },
8894 { NETLOGON_NETRLOGONCONTROL2EX0x12, "NetrLogonControl2Ex",
8895 netlogon_dissect_netrlogoncontrol2ex_rqst,
8896 netlogon_dissect_netrlogoncontrol2ex_reply },
8897 { NETLOGON_NETRENUMERATETRUSTEDDOMAINS0x13, "NetrEnumerateTrustedDomains",
8898 netlogon_dissect_netrenumeratetrusteddomains_rqst,
8899 netlogon_dissect_netrenumeratetrusteddomains_reply },
8900 { NETLOGON_DSRGETDCNAME0x14, "DsrGetDcName",
8901 netlogon_dissect_dsrgetdcname_rqst,
8902 netlogon_dissect_dsrgetdcname_reply },
8903 { NETLOGON_NETRLOGONDUMMYROUTINE10x15, "NetrLogonGetCapabilities",
8904 netlogon_dissect_netrlogondummyroutine1_rqst,
8905 netlogon_dissect_netrlogondummyroutine1_reply },
8906 { NETLOGON_NETRLOGONSETSERVICEBITS0x16, "NetrLogonSetServiceBits",
8907 netlogon_dissect_netrlogonsetservicebits_rqst,
8908 netlogon_dissect_netrlogonsetservicebits_reply },
8909 { NETLOGON_NETRLOGONGETTRUSTRID0x17, "NetrLogonGetTrustRid",
8910 netlogon_dissect_netrlogongettrustrid_rqst,
8911 netlogon_dissect_netrlogongettrustrid_reply },
8912 { NETLOGON_NETRLOGONCOMPUTESERVERDIGEST0x18, "NetrLogonComputeServerDigest",
8913 netlogon_dissect_netrlogoncomputeserverdigest_rqst,
8914 netlogon_dissect_netrlogoncomputeserverdigest_reply },
8915 { NETLOGON_NETRLOGONCOMPUTECLIENTDIGEST0x19, "NetrLogonComputeClientDigest",
8916 netlogon_dissect_netrlogoncomputeclientdigest_rqst,
8917 netlogon_dissect_netrlogoncomputeclientdigest_reply },
8918 { NETLOGON_NETRSERVERAUTHENTICATE30x1a, "NetrServerAuthenticate3",
8919 netlogon_dissect_netrserverauthenticate3_rqst,
8920 netlogon_dissect_netrserverauthenticate3_reply },
8921 { NETLOGON_DSRGETDCNAMEX0x1b, "DsrGetDcNameEx",
8922 netlogon_dissect_dsrgetdcnameex_rqst,
8923 netlogon_dissect_dsrgetdcnameex_reply },
8924 { NETLOGON_DSRGETSITENAME0x1c, "DsrGetSiteName",
8925 netlogon_dissect_dsrgetsitename_rqst,
8926 netlogon_dissect_dsrgetsitename_reply },
8927 { NETLOGON_NETRLOGONGETDOMAININFO0x1d, "NetrLogonGetDomainInfo",
8928 netlogon_dissect_netrlogongetdomaininfo_rqst,
8929 netlogon_dissect_netrlogongetdomaininfo_reply },
8930 { NETLOGON_NETRSERVERPASSWORDSET20x1e, "NetrServerPasswordSet2",
8931 netlogon_dissect_netrserverpasswordset2_rqst,
8932 netlogon_dissect_netrserverpasswordset2_reply },
8933 { NETLOGON_NETRSERVERPASSWORDGET0x1f, "NetrServerPasswordGet",
8934 netlogon_dissect_netrserverpasswordget_rqst,
8935 netlogon_dissect_netrserverpasswordget_reply },
8936 { NETLOGON_NETRLOGONSENDTOSAM0x20, "NetrLogonSendToSam",
8937 netlogon_dissect_netrlogonsendtosam_rqst,
8938 netlogon_dissect_netrlogonsendtosam_reply },
8939 { NETLOGON_DSRADDRESSTOSITENAMESW0x21, "DsrAddressToSiteNamesW",
8940 netlogon_dissect_dsraddresstositenamesw_rqst,
8941 netlogon_dissect_dsraddresstositenamesw_reply },
8942 { NETLOGON_DSRGETDCNAMEEX20x22, "DsrGetDcNameEx2",
8943 netlogon_dissect_dsrgetdcnameex2_rqst,
8944 netlogon_dissect_dsrgetdcnameex2_reply },
8945 { NETLOGON_NETRLOGONGETTIMESERVICEPARENTDOMAIN0x23,
8946 "NetrLogonGetTimeServiceParentDomain",
8947 netlogon_dissect_netrlogongettimeserviceparentdomain_rqst,
8948 netlogon_dissect_netrlogongettimeserviceparentdomain_reply },
8949 { NETLOGON_NETRENUMERATETRUSTEDDOMAINSEX0x24, "NetrEnumerateTrustedDomainsEx",
8950 netlogon_dissect_netrenumeratetrusteddomainsex_rqst,
8951 netlogon_dissect_netrenumeratetrusteddomainsex_reply },
8952 { NETLOGON_DSRADDRESSTOSITENAMESEXW0x25, "DsrAddressToSiteNamesExW",
8953 netlogon_dissect_dsraddresstositenamesexw_rqst,
8954 netlogon_dissect_dsraddresstositenamesexw_reply },
8955 { NETLOGON_DSRGETDCSITECOVERAGEW0x26, "DsrGetDcSiteCoverageW",
8956 netlogon_dissect_dsrgetdcsitecoveragew_rqst,
8957 netlogon_dissect_dsrgetdcsitecoveragew_reply },
8958 { NETLOGON_NETRLOGONSAMLOGONEX0x27, "NetrLogonSamLogonEx",
8959 netlogon_dissect_netrlogonsamlogonex_rqst,
8960 netlogon_dissect_netrlogonsamlogonex_reply },
8961 { NETLOGON_DSRENUMERATEDOMAINTRUSTS0x28, "DsrEnumerateDomainTrusts",
8962 netlogon_dissect_dsrenumeratedomaintrusts_rqst,
8963 netlogon_dissect_dsrenumeratedomaintrusts_reply },
8964 { NETLOGON_DSRDEREGISTERDNSHOSTRECORDS0x29, "DsrDeregisterDnsHostRecords",
8965 netlogon_dissect_dsrderegisterdnshostrecords_rqst,
8966 netlogon_dissect_dsrderegisterdnshostrecords_reply },
8967 { NETLOGON_NETRSERVERTRUSTPASSWORDSGET0x2a, "NetrServerTrustPasswordsGet",
8968 netlogon_dissect_netrservertrustpasswordsget_rqst,
8969 netlogon_dissect_netrservertrustpasswordsget_reply },
8970 { NETLOGON_DSRGETFORESTTRUSTINFORMATION0x2b, "DsrGetForestTrustInformation",
8971 NULL((void*)0), NULL((void*)0) },
8972 { NETLOGON_NETRGETFORESTTRUSTINFORMATION0x2c, "NetrGetForestTrustInformation",
8973 NULL((void*)0), NULL((void*)0) },
8974 { NETLOGON_NETRLOGONSAMLOGONWITHFLAGS0x2d, "NetrLogonSamLogonWithFlags",
8975 netlogon_dissect_netrlogonsamlogonflags_rqst,
8976 netlogon_dissect_netrlogonsamlogonflags_reply },
8977 { NETLOGON_NETRSERVERGETTRUSTINFO0x2e, "NetrServerGetTrustInfo",
8978 netlogon_dissect_netrservergettrustinfo_rqst,
8979 netlogon_dissect_netrservergettrustinfo_reply },
8980 { NETLOGON_DSRUPDATEREADONLYSERVERDNSRECORDS0x30, "DsrUpdateReadOnlyServerDnsRecords",
8981 NULL((void*)0), NULL((void*)0) },
8982 { NETLOGON_NETRCHAINSETCLIENTATTRIBUTES0x36, "NetrChainSetClientAttributes",
8983 netlogon_dissect_netrchainsetclientattributes_rqst,
8984 netlogon_dissect_netrchainsetclientattributes_reply },
8985 { NETLOGON_NETRSERVERAUTHENTICATEKERBEROS0x3B, "NetrServerAuthenticateKerberos",
8986 netlogon_dissect_netrserverauthenticatekerberos_rqst,
8987 netlogon_dissect_netrserverauthenticatekerberos_reply },
8988 {0, NULL((void*)0), NULL((void*)0), NULL((void*)0) }
8989};
8990
8991static int hf_netlogon_secchan_verf;
8992static int hf_netlogon_secchan_verf_signalg;
8993static int hf_netlogon_secchan_verf_sealalg;
8994static int hf_netlogon_secchan_verf_flag;
8995static int hf_netlogon_secchan_verf_digest;
8996static int hf_netlogon_secchan_verf_seq;
8997static int hf_netlogon_secchan_verf_nonce;
8998
8999static const value_string sign_algs[] = {
9000 { 0x0077, "HMAC-MD5"},
9001 { 0x0013, "HMAC-SHA256"},
9002 { 0, NULL((void*)0)}
9003};
9004
9005static const value_string seal_algs[] = {
9006 { 0xFFFF, "Not Encrypted"},
9007 { 0x007A, "RC4"},
9008 { 0x001A, "AES-128"},
9009 { 0, NULL((void*)0)}
9010};
9011
9012static int get_seal_key(const uint8_t *session_key,int key_len,uint8_t* seal_key)
9013{
9014 uint8_t zero_sk[16] = { 0 };
9015
9016 memset(seal_key,0,16);
9017 if(memcmp(session_key,zero_sk,16)) {
9018 for(int i=0;i<key_len;i++) {
9019 seal_key[i] = session_key[i] ^ 0xF0;
9020 }
9021 return 1;
9022 } else {
9023 return 0;
9024 }
9025
9026}
9027
9028static uint64_t uncrypt_sequence_aes(uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U___attribute__((unused)))
9029{
9030 gcry_error_t err;
9031 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
9032 uint8_t iv[16] = { 0 };
9033
9034 memcpy(&iv[0], (uint8_t*)&checksum, 8);
9035 memcpy(&iv[8], (uint8_t*)&checksum, 8);
9036
9037 /* Open the cipher */
9038 err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CFB8, 0);
9039 if (err != 0) {
9040 ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9040, __func__,
"GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
9041 return 0;
9042 }
9043
9044 /* Set the initial value */
9045 err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
9046 if (err != 0) {
9047 ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9047, __func__,
"GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
9048 gcry_cipher_close(cipher_hd);
9049 return 0;
9050 }
9051
9052 /* Set the key */
9053 err = gcry_cipher_setkey(cipher_hd, session_key, 16);
9054 if (err != 0) {
9055 ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9055, __func__,
"GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
9056 gcry_cipher_close(cipher_hd);
9057 return 0;
9058 }
9059
9060 err = gcry_cipher_decrypt(cipher_hd, (uint8_t*) &enc_seq, 8, NULL((void*)0), 0);
9061 if (err != 0) {
9062 ws_warning("GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9062, __func__,
"GCRY: encrypt %s/%s\n", gcry_strsource(err), gcry_strerror(
err)); } } while (0)
;
9063 gcry_cipher_close(cipher_hd);
9064 return 0;
9065 }
9066 /* Done with the cipher */
9067 gcry_cipher_close(cipher_hd);
9068 return enc_seq;
9069}
9070
9071static uint64_t uncrypt_sequence_md5(uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U___attribute__((unused)))
9072{
9073 uint8_t zeros[4] = { 0 };
9074 uint8_t buf[HASH_MD5_LENGTH16];
9075 uint8_t key[HASH_MD5_LENGTH16];
9076 gcry_cipher_hd_t rc4_handle;
9077 uint8_t *p_seq = (uint8_t*) &enc_seq;
9078 /*uint32_t temp;*/
9079
9080 if (ws_hmac_buffer(GCRY_MD_MD5, buf, zeros, 4, session_key, 16)) {
9081 return 0;
9082 }
9083
9084 if (ws_hmac_buffer(GCRY_MD_MD5, key, (uint8_t*)&checksum, 8, buf, HASH_MD5_LENGTH16)) {
9085 return 0;
9086 }
9087
9088 if (!gcry_cipher_open (&rc4_handle, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0)) {
9089 if (!gcry_cipher_setkey(rc4_handle, key, HASH_MD5_LENGTH16)) {
9090 gcry_cipher_decrypt(rc4_handle, p_seq, 8, NULL((void*)0), 0);
9091 }
9092 gcry_cipher_close(rc4_handle);
9093 }
9094 /*temp = *((uint32_t*)p_seq);
9095 *((uint32_t*)p_seq) = *((uint32_t*)p_seq+1);
9096 *((uint32_t*)p_seq+1) = temp;
9097
9098 if(!is_server) {
9099 *p_seq = *p_seq & 0x7F;
9100 }
9101 */
9102 return enc_seq;
9103}
9104
9105static uint64_t uncrypt_sequence(uint32_t flags, uint8_t* session_key,uint64_t checksum,uint64_t enc_seq,unsigned char is_server _U___attribute__((unused)))
9106{
9107 if (flags & NETLOGON_FLAG_AES0x1000000) {
9108 return uncrypt_sequence_aes(session_key, checksum, enc_seq, is_server);
9109 }
9110
9111 return uncrypt_sequence_md5(session_key, checksum, enc_seq, is_server);
9112}
9113
9114static gcry_error_t prepare_decryption_cipher_aes(netlogon_auth_vars *vars,
9115 gcry_cipher_hd_t *_cipher_hd)
9116{
9117 gcry_error_t err;
9118 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
9119 uint64_t sequence = vars->seq;
9120
9121 uint8_t iv[16] = { 0 };
9122
9123 memcpy(&iv[0], (uint8_t*)&sequence, 8);
9124 memcpy(&iv[8], (uint8_t*)&sequence, 8);
9125
9126 /* Open the cipher */
9127 err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CFB8, 0);
9128 if (err != 0) {
9129 ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9129, __func__,
"GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
9130 return 0;
9131 }
9132
9133 /* Set the initial value */
9134 err = gcry_cipher_setiv(cipher_hd, iv, sizeof(iv));
9135 if (err != 0) {
9136 ws_warning("GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9136, __func__,
"GCRY: setiv %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
9137 gcry_cipher_close(cipher_hd);
9138 return 0;
9139 }
9140
9141 /* Set the key */
9142 err = gcry_cipher_setkey(cipher_hd, vars->encryption_key, 16);
9143 if (err != 0) {
9144 ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9144, __func__,
"GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
9145 gcry_cipher_close(cipher_hd);
9146 return 0;
9147 }
9148
9149 *_cipher_hd = cipher_hd;
9150 return 0;
9151}
9152
9153static gcry_error_t prepare_decryption_cipher_md5(netlogon_auth_vars *vars,
9154 gcry_cipher_hd_t *_cipher_hd)
9155{
9156 gcry_error_t err;
9157 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
9158 uint8_t zeros[4] = { 0 };
9159 uint64_t sequence = vars->seq;
9160 uint8_t tmp[HASH_MD5_LENGTH16] = { 0 };
9161 uint8_t seal_key[16] = { 0 };
9162
9163 err = ws_hmac_buffer(GCRY_MD_MD5, tmp, zeros, 4, vars->encryption_key, 16);
9164 if (err != 0) {
9165 ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9165, __func__,
"GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
9166 return err;
9167 }
9168 err = ws_hmac_buffer(GCRY_MD_MD5, seal_key, (uint8_t*)&sequence, 8, tmp, HASH_MD5_LENGTH16);
9169 if (err != 0) {
9170 ws_warning("GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9170, __func__,
"GCRY: GCRY_MD_MD5 %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
9171 return err;
9172 }
9173
9174 /* Open the cipher */
9175 err = gcry_cipher_open(&cipher_hd, GCRY_CIPHER_ARCFOUR, GCRY_CIPHER_MODE_STREAM, 0);
9176 if (err != 0) {
9177 ws_warning("GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9177, __func__,
"GCRY: cipher open %s/%s\n", gcry_strsource(err), gcry_strerror
(err)); } } while (0)
;
9178 return err;
9179 }
9180
9181 /* Set the key */
9182 err = gcry_cipher_setkey(cipher_hd, seal_key, 16);
9183 if (err != 0) {
9184 ws_warning("GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9184, __func__,
"GCRY: setkey %s/%s\n", gcry_strsource(err), gcry_strerror(err
)); } } while (0)
;
9185 gcry_cipher_close(cipher_hd);
9186 return err;
9187 }
9188
9189 *_cipher_hd = cipher_hd;
9190 return 0;
9191}
9192
9193static gcry_error_t prepare_decryption_cipher(netlogon_auth_vars *vars,
9194 gcry_cipher_hd_t *_cipher_hd)
9195{
9196 *_cipher_hd = NULL((void*)0);
9197
9198 if (vars->flags & NETLOGON_FLAG_AES0x1000000) {
9199 return prepare_decryption_cipher_aes(vars, _cipher_hd);
9200 }
9201
9202 return prepare_decryption_cipher_md5(vars, _cipher_hd);
9203}
9204
9205static tvbuff_t *
9206dissect_packet_data(tvbuff_t *tvb ,tvbuff_t *auth_tvb _U___attribute__((unused)),
9207 int offset , packet_info *pinfo ,dcerpc_auth_info *auth_info _U___attribute__((unused)),unsigned char is_server)
9208{
9209
9210 tvbuff_t *buf = NULL((void*)0);
9211 uint8_t* decrypted;
9212 netlogon_auth_vars *vars;
9213 /*ws_debug("Dissection of request data offset %d len=%d on packet %d",offset,tvb_length_remaining(tvb,offset),pinfo->num);*/
9214
9215 vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
9216 if (vars == NULL((void*)0)) {
9217 ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 9217, __func__,
"Vars not found %d (packet_data)",wmem_map_size(netlogon_auths
)); } } while (0)
;
9218 return(buf);
9219 }
9220
9221 if (vars->can_decrypt == true1) {
9222 gcry_error_t err;
9223 gcry_cipher_hd_t cipher_hd = NULL((void*)0);
9224 int data_len;
9225 uint64_t copyconfounder = vars->confounder;
9226
9227 data_len = tvb_captured_length_remaining(tvb,offset);
9228 if (data_len < 0) {
9229 return NULL((void*)0);
9230 }
9231 err = prepare_decryption_cipher(vars, &cipher_hd);
9232 if (err != 0) {
9233 ws_warning("GCRY: prepare_decryption_cipher %s/%s",do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9234, __func__,
"GCRY: prepare_decryption_cipher %s/%s", gcry_strsource(err)
, gcry_strerror(err)); } } while (0)
9234 gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_WARNING
, "epan/dissectors/packet-dcerpc-netlogon.c", 9234, __func__,
"GCRY: prepare_decryption_cipher %s/%s", gcry_strsource(err)
, gcry_strerror(err)); } } while (0)
;
9235 return NULL((void*)0);
9236 }
9237 gcry_cipher_decrypt(cipher_hd, (uint8_t*)&copyconfounder, 8, NULL((void*)0), 0);
9238 decrypted = (uint8_t*)tvb_memdup(pinfo->pool, tvb, offset,data_len);
9239 if (!(vars->flags & NETLOGON_FLAG_AES0x1000000)) {
9240 gcry_cipher_reset(cipher_hd)gcry_cipher_ctl ((cipher_hd), GCRYCTL_RESET, ((void*)0), 0);
9241 }
9242 gcry_cipher_decrypt(cipher_hd, decrypted, data_len, NULL((void*)0), 0);
9243 gcry_cipher_close(cipher_hd);
9244 buf = tvb_new_child_real_data(tvb, decrypted, data_len, data_len);
9245 /* Note: caller does add_new_data_source(...) */
9246 } else {
9247 ws_debug("Session key not found can't decrypt ...")do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 9247, __func__,
"Session key not found can't decrypt ..."); } } while (0)
;
9248 }
9249
9250 return(buf);
9251}
9252
9253static tvbuff_t* dissect_request_data(tvbuff_t *header_tvb _U___attribute__((unused)),
9254 tvbuff_t *payload_tvb,
9255 tvbuff_t *trailer_tvb _U___attribute__((unused)),
9256 tvbuff_t *auth_tvb,
9257 packet_info *pinfo,
9258 dcerpc_auth_info *auth_info)
9259{
9260 return dissect_packet_data(payload_tvb,auth_tvb,0,pinfo,auth_info,0);
9261}
9262
9263static tvbuff_t* dissect_response_data(tvbuff_t *header_tvb _U___attribute__((unused)),
9264 tvbuff_t *payload_tvb,
9265 tvbuff_t *trailer_tvb _U___attribute__((unused)),
9266 tvbuff_t *auth_tvb,
9267 packet_info *pinfo,
9268 dcerpc_auth_info *auth_info)
9269{
9270 return dissect_packet_data(payload_tvb,auth_tvb,0,pinfo,auth_info,1);
9271}
9272
9273/* MS-NRPC 2.2.1.3.2 */
9274static int
9275dissect_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo,
9276 proto_tree *tree, uint8_t *drep,
9277 dcerpc_auth_info *auth_info,
9278 unsigned char is_server)
9279{
9280 netlogon_auth_vars *vars;
9281 proto_item *vf = NULL((void*)0);
9282 proto_tree *subtree = NULL((void*)0);
9283 uint64_t encrypted_seq;
9284 uint64_t digest = 0;
9285 uint64_t confounder = 0;
9286 int update_vars = 0;
9287
9288 if( ! (seen.isseen && seen.num == pinfo->num) ) {
9289 /*
9290 * Create a new tree, and split into x components ...
9291 */
9292 vf = proto_tree_add_item(tree, hf_netlogon_secchan_verf, tvb,
9293 offset, -1, ENC_NA0x00000000);
9294 subtree = proto_item_add_subtree(vf, ett_secchan_verf);
9295
9296 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_signalg, tvb,
9297 offset, 2, ENC_LITTLE_ENDIAN0x80000000);
9298 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_sealalg, tvb,
9299 offset+2, 2, ENC_LITTLE_ENDIAN0x80000000);
9300 /* 2 pad bytes */
9301 proto_tree_add_item(subtree, hf_netlogon_secchan_verf_flag, tvb,
9302 offset+6, 2, ENC_NA0x00000000);
9303 offset += 8;
9304
9305 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
9306 hf_netlogon_secchan_verf_seq, &encrypted_seq);
9307
9308 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
9309 hf_netlogon_secchan_verf_digest, &digest);
9310
9311 /* In some cases the nonce if the data/signature are encrypted ("integrity/seal in MS language")*/
9312
9313 if (tvb_bytes_exist(tvb, offset, 8)) {
9314 offset = dissect_dcerpc_8bytes(tvb, offset, pinfo, subtree, drep,
9315 hf_netlogon_secchan_verf_nonce, &confounder);
9316 }
9317 update_vars = 1;
9318 }
9319
9320 /*ws_debug("Setting isseen to true, old packet %d new %d",seen.num,pinfo->num);*/
9321 seen.isseen = true1;
9322 seen.num = pinfo->num;
9323
9324 vars = find_or_create_schannel_netlogon_auth_vars(pinfo, auth_info, is_server);
9325 if (vars == NULL((void*)0)) {
9326 ws_debug("Vars not found %d (packet_data)",wmem_map_size(netlogon_auths))do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 9326, __func__,
"Vars not found %d (packet_data)",wmem_map_size(netlogon_auths
)); } } while (0)
;
9327 return(offset);
9328 }
9329 if(update_vars) {
9330 vars->confounder = confounder;
9331 vars->seq = uncrypt_sequence(vars->flags,vars->session_key,digest,encrypted_seq,is_server);
9332 }
9333
9334 if(get_seal_key(vars->session_key,16,vars->encryption_key))
9335 {
9336 vars->can_decrypt = true1;
9337 }
9338 else
9339 {
9340 ws_debug("get seal key returned 0")do { if (1) { ws_log_full("packet-dcerpc-netlogon", LOG_LEVEL_DEBUG
, "epan/dissectors/packet-dcerpc-netlogon.c", 9340, __func__,
"get seal key returned 0"); } } while (0)
;
9341 }
9342
9343 if (vars->can_decrypt) {
9344 expert_add_info_format(pinfo, proto_tree_get_parent(subtree),
9345 &ei_netlogon_session_key,
9346 "Using session key learned in frame %d ("
9347 "%02x%02x%02x%02x"
9348 ") from %s",
9349 vars->auth_fd_num,
9350 vars->session_key[0] & 0xFF, vars->session_key[1] & 0xFF,
9351 vars->session_key[2] & 0xFF, vars->session_key[3] & 0xFF,
9352 vars->nthash.key_origin);
9353 }
9354
9355 return offset;
9356}
9357static int
9358dissect_request_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
9359 proto_tree *tree, dcerpc_info *di _U___attribute__((unused)), uint8_t *drep )
9360{
9361 return dissect_secchan_verf(tvb,offset,pinfo,tree,drep, di->auth_info, 0);
9362}
9363static int
9364dissect_response_secchan_verf(tvbuff_t *tvb, int offset, packet_info *pinfo ,
9365 proto_tree *tree, dcerpc_info *di _U___attribute__((unused)), uint8_t *drep )
9366{
9367 return dissect_secchan_verf(tvb,offset,pinfo,tree,drep, di->auth_info, 1);
9368}
9369
9370void
9371proto_register_dcerpc_netlogon(void)
9372{
9373
9374 static hf_register_info hf[] = {
9375 { &hf_netlogon_opnum,
9376 { "Operation", "netlogon.opnum", FT_UINT16, BASE_DEC,
9377 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9378
9379 { &hf_netlogon_rc, {
9380 "Return code", "netlogon.rc", FT_UINT32, BASE_HEX | BASE_EXT_STRING0x00000200,
9381 &NT_errors_ext, 0x0, "Netlogon return code", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9382
9383 { &hf_netlogon_dos_rc,
9384 { "DOS error code", "netlogon.dos.rc", FT_UINT32,
9385 BASE_HEX | BASE_EXT_STRING0x00000200, &DOS_errors_ext, 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}},
9386
9387 { &hf_netlogon_werr_rc,
9388 { "WERR error code", "netlogon.werr.rc", FT_UINT32,
9389 BASE_HEX | BASE_EXT_STRING0x00000200, &WERR_errors_ext, 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0)}},
9390
9391 { &hf_netlogon_param_ctrl, {
9392 "Param Ctrl", "netlogon.param_ctrl", FT_UINT32, BASE_HEX,
9393 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9394
9395 { &hf_netlogon_logon_id, {
9396 "Logon ID", "netlogon.logon_id", FT_UINT64, BASE_DEC,
9397 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9398
9399 { &hf_netlogon_modify_count, {
9400 "Modify Count", "netlogon.modify_count", FT_UINT64, BASE_DEC,
9401 NULL((void*)0), 0x0, "How many times the object has been modified", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9402
9403 { &hf_netlogon_security_information, {
9404 "Security Information", "netlogon.security_information", FT_UINT32, BASE_DEC,
9405 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9406
9407 { &hf_netlogon_count, {
9408 "Count", "netlogon.count", FT_UINT32, BASE_DEC,
9409 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9410
9411 { &hf_netlogon_entries, {
9412 "Entries", "netlogon.entries", FT_UINT32, BASE_DEC,
9413 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9414
9415 { &hf_netlogon_credential, {
9416 "Credential", "netlogon.credential", FT_BYTES, BASE_NONE,
9417 NULL((void*)0), 0x0, "Netlogon Credential", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9418
9419 { &hf_netlogon_challenge, {
9420 "Challenge", "netlogon.challenge", FT_BYTES, BASE_NONE,
9421 NULL((void*)0), 0x0, "Netlogon challenge", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9422
9423 { &hf_netlogon_lm_owf_password, {
9424 "LM Pwd", "netlogon.lm_owf_pwd", FT_BYTES, BASE_NONE,
9425 NULL((void*)0), 0x0, "LanManager OWF Password", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9426
9427 { &hf_netlogon_user_session_key, {
9428 "User Session Key", "netlogon.user_session_key", FT_BYTES, BASE_NONE,
9429 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9430
9431 { &hf_netlogon_encrypted_lm_owf_password, {
9432 "Encrypted LM Pwd", "netlogon.lm_owf_pwd.encrypted", FT_BYTES, BASE_NONE,
9433 NULL((void*)0), 0x0, "Encrypted LanManager OWF Password", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9434
9435 { &hf_netlogon_nt_owf_password, {
9436 "NT Pwd", "netlogon.nt_owf_pwd", FT_BYTES, BASE_NONE,
9437 NULL((void*)0), 0x0, "NT OWF Password", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9438
9439 { &hf_netlogon_blob, {
9440 "BLOB", "netlogon.blob", FT_BYTES, BASE_NONE,
9441 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9442
9443 { &hf_netlogon_len, {
9444 "Len", "netlogon.len", FT_UINT32, BASE_DEC,
9445 NULL((void*)0), 0, "Length", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9446
9447 { &hf_netlogon_password_version_reserved, {
9448 "ReservedField", "netlogon.password_version.reservedfield", FT_UINT32, BASE_HEX,
9449 NULL((void*)0), 0, "ReservedField zero", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9450
9451 { &hf_netlogon_password_version_number, {
9452 "PasswordVersionNumber", "netlogon.password_version.number", FT_UINT32, BASE_HEX,
9453 NULL((void*)0), 0, "PasswordVersionNumber trust", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9454
9455 { &hf_netlogon_password_version_present, {
9456 "PasswordVersionPresent", "netlogon.password_version.present", FT_UINT32, BASE_HEX,
9457 NULL((void*)0), 0, "PasswordVersionPresent magic", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9458
9459 { &hf_netlogon_priv, {
9460 "Priv", "netlogon.priv", FT_UINT32, BASE_DEC,
9461 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9462
9463 { &hf_netlogon_privilege_entries, {
9464 "Privilege Entries", "netlogon.privilege_entries", FT_UINT32, BASE_DEC,
9465 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9466
9467 { &hf_netlogon_privilege_control, {
9468 "Privilege Control", "netlogon.privilege_control", FT_UINT32, BASE_HEX,
9469 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9470
9471 { &hf_netlogon_privilege_name, {
9472 "Privilege Name", "netlogon.privilege_name", FT_STRING, BASE_NONE,
9473 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9474
9475 { &hf_netlogon_pdc_connection_status, {
9476 "PDC Connection Status", "netlogon.pdc_connection_status", FT_UINT32, BASE_DEC,
9477 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9478
9479 { &hf_netlogon_tc_connection_status, {
9480 "TC Connection Status", "netlogon.tc_connection_status", FT_UINT32, BASE_DEC,
9481 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9482
9483 { &hf_netlogon_attrs, {
9484 "Attributes", "netlogon.attrs", FT_UINT32, BASE_HEX,
9485 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9486
9487#if 0
9488 { &hf_netlogon_lsapolicy_referentid,
9489 { "Referent ID", "netlogon.lsapolicy.referentID", FT_UINT32, BASE_HEX,
9490 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9491#endif
9492
9493 { &hf_netlogon_lsapolicy_len,
9494 { "Length", "netlogon.lsapolicy.length", FT_UINT32, BASE_DEC,
9495 NULL((void*)0), 0x0, "Length of the policy buffer", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9496
9497#if 0
9498 { &hf_netlogon_lsapolicy_pointer,
9499 { "Pointer", "netlogon.lsapolicy.pointer", FT_BYTES, BASE_NONE,
9500 NULL((void*)0), 0x0, "Pointer to LSA POLICY", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9501#endif
9502
9503 { &hf_netlogon_unknown_string,
9504 { "Unknown string", "netlogon.unknown_string", FT_STRING, BASE_NONE,
9505 NULL((void*)0), 0, "Unknown string. If you know what this is, contact wireshark developers.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9506
9507 { &hf_netlogon_new_password,
9508 { "New Password", "netlogon.new_password", FT_STRING, BASE_NONE,
9509 NULL((void*)0), 0, "New Password for Computer or Trust", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9510
9511 { &hf_netlogon_TrustedDomainName_string,
9512 { "TrustedDomainName", "netlogon.TrustedDomainName", FT_STRING, BASE_NONE,
9513 NULL((void*)0), 0, "TrustedDomainName string.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9514
9515 { &hf_netlogon_UserName_string,
9516 { "UserName", "netlogon.UserName", FT_STRING, BASE_NONE,
9517 NULL((void*)0), 0, "UserName string.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9518
9519 { &hf_netlogon_dummy_string,
9520 { "Dummy String", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9521 NULL((void*)0), 0, "Dummy String. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9522
9523 { &hf_netlogon_trust_extension,
9524 { "Trust extension", "netlogon.trust.extension", FT_STRING, BASE_NONE,
9525 NULL((void*)0), 0, "Trusts extension.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9526
9527 { &hf_netlogon_trust_offset,
9528 { "Offset", "netlogon.trust.extension_offset", FT_UINT32, BASE_DEC,
9529 NULL((void*)0), 0, "Trusts extension.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9530
9531 { &hf_netlogon_trust_len,
9532 { "Length", "netlogon.trust.extension_length", FT_UINT32, BASE_DEC,
9533 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9534
9535 { &hf_netlogon_trust_max,
9536 { "Max Count", "netlogon.trust.extension.maxcount", FT_UINT32, BASE_DEC,
9537 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9538
9539 { &hf_netlogon_opaque_buffer_enc,
9540 { "Encrypted", "netlogon.sendtosam.opaquebuffer.enc", FT_BYTES, BASE_NONE,
9541 NULL((void*)0), 0x0, "OpaqueBuffer (Encrypted)", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9542
9543 { &hf_netlogon_opaque_buffer_dec,
9544 { "Decrypted", "netlogon.sendtosam.opaquebuffer.dec", FT_BYTES, BASE_NONE,
9545 NULL((void*)0), 0x0, "OpaqueBuffer (Decrypted)", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9546
9547 { &hf_netlogon_opaque_buffer_size,
9548 { "OpaqueBufferSize", "netlogon.sendtosam.opaquebuffer.size", FT_UINT32, BASE_HEX,
9549 NULL((void*)0), 0x0, "Size of the OpaqueBuffer", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9550
9551 { &hf_netlogon_dummy_string2,
9552 { "Dummy String2", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9553 NULL((void*)0), 0, "Dummy String 2. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9554
9555 { &hf_netlogon_dummy_string3,
9556 { "Dummy String3", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9557 NULL((void*)0), 0, "Dummy String 3. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9558
9559 { &hf_netlogon_dummy_string4,
9560 { "Dummy String4", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9561 NULL((void*)0), 0, "Dummy String 4. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9562
9563 { &hf_netlogon_dummy_string5,
9564 { "Dummy String5", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9565 NULL((void*)0), 0, "Dummy String 5. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9566
9567 { &hf_netlogon_dummy_string6,
9568 { "Dummy String6", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9569 NULL((void*)0), 0, "Dummy String 6. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9570
9571 { &hf_netlogon_dummy_string7,
9572 { "Dummy String7", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9573 NULL((void*)0), 0, "Dummy String 7. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9574
9575 { &hf_netlogon_dummy_string8,
9576 { "Dummy String8", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9577 NULL((void*)0), 0, "Dummy String 8. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9578
9579 { &hf_netlogon_dummy_string9,
9580 { "Dummy String9", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9581 NULL((void*)0), 0, "Dummy String 9. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9582
9583 { &hf_netlogon_dummy_string10,
9584 { "Dummy String10", "netlogon.dummy_string", FT_STRING, BASE_NONE,
9585 NULL((void*)0), 0, "Dummy String 10. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9586
9587 { &hf_netlogon_unknown_long,
9588 { "Unknown long", "netlogon.unknown.long", FT_UINT32, BASE_HEX,
9589 NULL((void*)0), 0x0, "Unknown long. If you know what this is, contact wireshark developers.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9590
9591 { &hf_netlogon_dummy1_long,
9592 { "Dummy1 Long", "netlogon.dummy.long1", FT_UINT32, BASE_HEX,
9593 NULL((void*)0), 0x0, "Dummy long 1. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9594
9595 { &hf_netlogon_dummy2_long,
9596 { "Dummy2 Long", "netlogon.dummy.long2", FT_UINT32, BASE_HEX,
9597 NULL((void*)0), 0x0, "Dummy long 2. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9598
9599 { &hf_netlogon_dummy3_long,
9600 { "Dummy3 Long", "netlogon.dummy.long3", FT_UINT32, BASE_HEX,
9601 NULL((void*)0), 0x0, "Dummy long 3. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9602
9603 { &hf_netlogon_dummy4_long,
9604 { "Dummy4 Long", "netlogon.dummy.long4", FT_UINT32, BASE_HEX,
9605 NULL((void*)0), 0x0, "Dummy long 4. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9606
9607 { &hf_netlogon_dummy5_long,
9608 { "Dummy5 Long", "netlogon.dummy.long5", FT_UINT32, BASE_HEX,
9609 NULL((void*)0), 0x0, "Dummy long 5. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9610
9611 { &hf_netlogon_dummy6_long,
9612 { "Dummy6 Long", "netlogon.dummy.long6", FT_UINT32, BASE_HEX,
9613 NULL((void*)0), 0x0, "Dummy long 6. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9614
9615 { &hf_netlogon_dummy7_long,
9616 { "Dummy7 Long", "netlogon.dummy.long7", FT_UINT32, BASE_HEX,
9617 NULL((void*)0), 0x0, "Dummy long 7. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9618
9619 { &hf_netlogon_dummy8_long,
9620 { "Dummy8 Long", "netlogon.dummy.long8", FT_UINT32, BASE_HEX,
9621 NULL((void*)0), 0x0, "Dummy long 8. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9622
9623 { &hf_netlogon_dummy9_long,
9624 { "Dummy9 Long", "netlogon.dummy.long9", FT_UINT32, BASE_HEX,
9625 NULL((void*)0), 0x0, "Dummy long 9. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9626
9627 { &hf_netlogon_dummy10_long,
9628 { "Dummy10 Long", "netlogon.dummy.long10", FT_UINT32, BASE_HEX,
9629 NULL((void*)0), 0x0, "Dummy long 10. Used is reserved for next evolutions.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9630
9631
9632 { &hf_netlogon_supportedenctypes,
9633 { "Supported Encryption Types", "netlogon.encryption.types", FT_UINT32, BASE_HEX,
9634 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9635
9636 { &hf_netlogon_workstation_flags,
9637 { "Workstation Flags", "netlogon.workstation.flags", FT_UINT32, BASE_HEX,
9638 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9639
9640 { &hf_netlogon_reserved,
9641 { "Reserved", "netlogon.reserved", FT_UINT32, BASE_HEX,
9642 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9643 { &hf_netlogon_unknown_short,
9644 { "Unknown short", "netlogon.unknown.short", FT_UINT16, BASE_HEX,
9645 NULL((void*)0), 0x0, "Unknown short. If you know what this is, contact wireshark developers.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9646
9647 { &hf_netlogon_unknown_char,
9648 { "Unknown char", "netlogon.unknown.char", FT_UINT8, BASE_HEX,
9649 NULL((void*)0), 0x0, "Unknown char. If you know what this is, contact wireshark developers.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9650
9651 { &hf_netlogon_acct_expiry_time,
9652 { "Acct Expiry Time", "netlogon.acct.expiry_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9653 NULL((void*)0), 0x0, "When this account will expire", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9654
9655 { &hf_netlogon_nt_pwd_present,
9656 { "NT PWD Present", "netlogon.nt_pwd_present", FT_UINT8, BASE_HEX,
9657 NULL((void*)0), 0x0, "Is NT password present for this account?", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9658
9659 { &hf_netlogon_lm_pwd_present,
9660 { "LM PWD Present", "netlogon.lm_pwd_present", FT_UINT8, BASE_HEX,
9661 NULL((void*)0), 0x0, "Is LanManager password present for this account?", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9662
9663 { &hf_netlogon_pwd_expired,
9664 { "PWD Expired", "netlogon.pwd_expired", FT_UINT8, BASE_HEX,
9665 NULL((void*)0), 0x0, "Whether this password has expired or not", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9666
9667 { &hf_netlogon_authoritative,
9668 { "Authoritative", "netlogon.authoritative", FT_UINT8, BASE_DEC,
9669 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9670
9671 { &hf_netlogon_sensitive_data_flag,
9672 { "Sensitive Data", "netlogon.sensitive_data_flag", FT_UINT8, BASE_DEC,
9673 NULL((void*)0), 0x0, "Sensitive data flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9674
9675 { &hf_netlogon_auditing_mode,
9676 { "Auditing Mode", "netlogon.auditing_mode", FT_UINT8, BASE_DEC,
9677 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9678
9679 { &hf_netlogon_max_audit_event_count,
9680 { "Max Audit Event Count", "netlogon.max_audit_event_count", FT_UINT32, BASE_DEC,
9681 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9682
9683 { &hf_netlogon_event_audit_option,
9684 { "Event Audit Option", "netlogon.event_audit_option", FT_UINT32, BASE_HEX,
9685 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9686
9687 { &hf_netlogon_sensitive_data_len,
9688 { "Length", "netlogon.sensitive_data_len", FT_UINT32, BASE_DEC,
9689 NULL((void*)0), 0x0, "Length of sensitive data", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9690
9691 { &hf_netlogon_nt_chal_resp,
9692 { "NT Chal resp", "netlogon.nt_chal_resp", FT_BYTES, BASE_NONE,
9693 NULL((void*)0), 0, "Challenge response for NT authentication", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9694
9695 { &hf_netlogon_lm_chal_resp,
9696 { "LM Chal resp", "netlogon.lm_chal_resp", FT_BYTES, BASE_NONE,
9697 NULL((void*)0), 0, "Challenge response for LM authentication", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9698
9699 { &hf_netlogon_cipher_len,
9700 { "Cipher Len", "netlogon.cipher_len", FT_UINT32, BASE_DEC,
9701 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9702
9703 { &hf_netlogon_cipher_maxlen,
9704 { "Cipher Max Len", "netlogon.cipher_maxlen", FT_UINT32, BASE_DEC,
9705 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9706
9707#if 0
9708 { &hf_netlogon_pac_data,
9709 { "Pac Data", "netlogon.pac.data", FT_BYTES, BASE_NONE,
9710 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9711#endif
9712
9713 { &hf_netlogon_sensitive_data,
9714 { "Data", "netlogon.sensitive_data", FT_BYTES, BASE_NONE,
9715 NULL((void*)0), 0, "Sensitive Data", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9716
9717#if 0
9718 { &hf_netlogon_auth_data,
9719 { "Auth Data", "netlogon.auth.data", FT_BYTES, BASE_NONE,
9720 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9721#endif
9722
9723 { &hf_netlogon_cipher_current_data,
9724 { "Cipher Current Data", "netlogon.cipher_current_data", FT_BYTES, BASE_NONE,
9725 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9726
9727 { &hf_netlogon_cipher_old_data,
9728 { "Cipher Old Data", "netlogon.cipher_old_data", FT_BYTES, BASE_NONE,
9729 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9730
9731 { &hf_netlogon_acct_name,
9732 { "Acct Name", "netlogon.acct_name", FT_STRING, BASE_NONE,
9733 NULL((void*)0), 0, "Account Name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9734
9735 { &hf_netlogon_acct_desc,
9736 { "Acct Desc", "netlogon.acct_desc", FT_STRING, BASE_NONE,
9737 NULL((void*)0), 0, "Account Description", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9738
9739 { &hf_netlogon_group_desc,
9740 { "Group Desc", "netlogon.group_desc", FT_STRING, BASE_NONE,
9741 NULL((void*)0), 0, "Group Description", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9742
9743 { &hf_netlogon_full_name,
9744 { "Full Name", "netlogon.full_name", FT_STRING, BASE_NONE,
9745 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9746
9747 { &hf_netlogon_comment,
9748 { "Comment", "netlogon.comment", FT_STRING, BASE_NONE,
9749 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9750
9751 { &hf_netlogon_parameters,
9752 { "Parameters", "netlogon.parameters", FT_STRING, BASE_NONE,
9753 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9754
9755 { &hf_netlogon_logon_script,
9756 { "Logon Script", "netlogon.logon_script", FT_STRING, BASE_NONE,
9757 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9758
9759 { &hf_netlogon_profile_path,
9760 { "Profile Path", "netlogon.profile_path", FT_STRING, BASE_NONE,
9761 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9762
9763 { &hf_netlogon_home_dir,
9764 { "Home Dir", "netlogon.home_dir", FT_STRING, BASE_NONE,
9765 NULL((void*)0), 0, "Home Directory", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9766
9767 { &hf_netlogon_dir_drive,
9768 { "Dir Drive", "netlogon.dir_drive", FT_STRING, BASE_NONE,
9769 NULL((void*)0), 0, "Drive letter for home directory", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9770
9771 { &hf_netlogon_logon_srv,
9772 { "Server", "netlogon.server", FT_STRING, BASE_NONE,
9773 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9774
9775#if 0
9776 { &hf_netlogon_principal,
9777 { "Principal", "netlogon.principal", FT_STRING, BASE_NONE,
9778 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9779#endif
9780
9781 { &hf_netlogon_logon_dom,
9782 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
9783 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9784
9785 { &hf_netlogon_resourcegroupcount,
9786 { "ResourceGroup count", "netlogon.resourcegroupcount", FT_UINT32, BASE_DEC,
9787 NULL((void*)0), 0, "Number of Resource Groups", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9788
9789 { &hf_netlogon_accountdomaingroupcount,
9790 { "AccountDomainGroup count", "netlogon.accountdomaingroupcount", FT_UINT32, BASE_DEC,
9791 NULL((void*)0), 0, "Number of Account Domain Groups", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9792
9793 { &hf_netlogon_domaingroupcount,
9794 { "DomainGroup count", "netlogon.domaingroupcount", FT_UINT32, BASE_DEC,
9795 NULL((void*)0), 0, "Number of Domain Groups", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9796
9797 { &hf_netlogon_membership_domains_count,
9798 { "Membership Domains count", "netlogon.membershipsdomainscount", FT_UINT32, BASE_DEC,
9799 NULL((void*)0), 0, "Number of ExtraDomain Membership Arrays", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9800
9801 { &hf_netlogon_computer_name,
9802 { "Computer Name", "netlogon.computer_name", FT_STRING, BASE_NONE,
9803 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9804
9805 { &hf_netlogon_site_name,
9806 { "Site Name", "netlogon.site_name", FT_STRING, BASE_NONE,
9807 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9808
9809 { &hf_netlogon_dc_name,
9810 { "DC Name", "netlogon.dc.name", FT_STRING, BASE_NONE,
9811 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9812
9813 { &hf_netlogon_dc_site_name,
9814 { "DC Site Name", "netlogon.dc.site_name", FT_STRING, BASE_NONE,
9815 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9816
9817 { &hf_netlogon_dns_forest_name,
9818 { "DNS Forest Name", "netlogon.dns.forest_name", FT_STRING, BASE_NONE,
9819 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9820
9821 { &hf_netlogon_dc_address,
9822 { "DC Address", "netlogon.dc.address", FT_STRING, BASE_NONE,
9823 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9824
9825 { &hf_netlogon_dc_address_type,
9826 { "DC Address Type", "netlogon.dc.address_type", FT_UINT32, BASE_DEC,
9827 VALS(dc_address_types)((0 ? (const struct _value_string*)0 : ((dc_address_types)))), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9828
9829 { &hf_netlogon_client_site_name,
9830 { "Client Site Name", "netlogon.client.site_name", FT_STRING, BASE_NONE,
9831 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9832
9833 { &hf_netlogon_workstation_site_name,
9834 { "Wkst Site Name", "netlogon.wkst.site_name", FT_STRING, BASE_NONE,
9835 NULL((void*)0), 0, "Workstation Site Name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9836
9837 { &hf_netlogon_workstation,
9838 { "Wkst Name", "netlogon.wkst.name", FT_STRING, BASE_NONE,
9839 NULL((void*)0), 0, "Workstation Name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9840
9841 { &hf_netlogon_os_version,
9842 { "OS version", "netlogon.os.version", FT_STRING, BASE_NONE,
9843 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9844
9845 { &hf_netlogon_workstation_os,
9846 { "Wkst OS", "netlogon.wkst.os", FT_STRING, BASE_NONE,
9847 NULL((void*)0), 0, "Workstation OS", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9848
9849 { &hf_netlogon_workstations,
9850 { "Workstations", "netlogon.wksts", FT_STRING, BASE_NONE,
9851 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9852
9853 { &hf_netlogon_workstation_fqdn,
9854 { "Wkst FQDN", "netlogon.wkst.fqdn", FT_STRING, BASE_NONE,
9855 NULL((void*)0), 0, "Workstation FQDN", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9856
9857 { &hf_netlogon_group_name,
9858 { "Group Name", "netlogon.group_name", FT_STRING, BASE_NONE,
9859 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9860
9861 { &hf_netlogon_alias_name,
9862 { "Alias Name", "netlogon.alias_name", FT_STRING, BASE_NONE,
9863 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9864
9865 { &hf_netlogon_dns_host,
9866 { "DNS Host", "netlogon.dns_host", FT_STRING, BASE_NONE,
9867 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9868
9869 { &hf_netlogon_downlevel_domain_name,
9870 { "Downlevel Domain", "netlogon.downlevel_domain", FT_STRING, BASE_NONE,
9871 NULL((void*)0), 0, "Downlevel Domain Name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9872
9873 { &hf_netlogon_dns_domain_name,
9874 { "DNS Domain", "netlogon.dns_domain", FT_STRING, BASE_NONE,
9875 NULL((void*)0), 0, "DNS Domain Name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9876
9877 { &hf_netlogon_ad_client_dns_name,
9878 { "Client DNS Name", "netlogon.client_dns_name", FT_STRING, BASE_NONE,
9879 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9880
9881 { &hf_netlogon_domain_name,
9882 { "Domain", "netlogon.domain", FT_STRING, BASE_NONE,
9883 NULL((void*)0), 0, "Domain Name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9884
9885 { &hf_netlogon_oem_info,
9886 { "OEM Info", "netlogon.oem_info", FT_STRING, BASE_NONE,
9887 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9888
9889 { &hf_netlogon_trusted_dc_name,
9890 { "Trusted DC", "netlogon.trusted_dc", FT_STRING, BASE_NONE,
9891 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9892
9893 { &hf_netlogon_logon_dnslogondomainname,
9894 { "DNS Logon Domain name", "netlogon.logon.dnslogondomainname", FT_STRING, BASE_NONE,
9895 NULL((void*)0), 0, "DNS Name of the logon domain", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9896
9897 { &hf_netlogon_logon_upn,
9898 { "UPN", "netlogon.logon.upn", FT_STRING, BASE_NONE,
9899 NULL((void*)0), 0, "User Principal Name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9900
9901 { &hf_netlogon_logonsrv_handle,
9902 { "Handle", "netlogon.handle", FT_STRING, BASE_NONE,
9903 NULL((void*)0), 0, "Logon Srv Handle", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9904
9905 { &hf_netlogon_dummy,
9906 { "Dummy", "netlogon.dummy", FT_STRING, BASE_NONE,
9907 NULL((void*)0), 0, "Dummy string", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9908
9909 { &hf_netlogon_logon_count16,
9910 { "Logon Count", "netlogon.logon_count16", FT_UINT16, BASE_DEC,
9911 NULL((void*)0), 0x0, "Number of successful logins", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9912
9913 { &hf_netlogon_logon_count,
9914 { "Logon Count", "netlogon.logon_count", FT_UINT32, BASE_DEC,
9915 NULL((void*)0), 0x0, "Number of successful logins", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9916
9917 { &hf_netlogon_bad_pw_count16,
9918 { "Bad PW Count", "netlogon.bad_pw_count16", FT_UINT16, BASE_DEC,
9919 NULL((void*)0), 0x0, "Number of failed logins", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9920
9921 { &hf_netlogon_bad_pw_count,
9922 { "Bad PW Count", "netlogon.bad_pw_count", FT_UINT32, BASE_DEC,
9923 NULL((void*)0), 0x0, "Number of failed logins", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9924
9925 { &hf_netlogon_country,
9926 { "Country", "netlogon.country", FT_UINT16, BASE_DEC | BASE_EXT_STRING0x00000200,
9927 &ms_country_codes_ext, 0x0, "Country setting for this account", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9928
9929 { &hf_netlogon_codepage,
9930 { "Codepage", "netlogon.codepage", FT_UINT16, BASE_DEC,
9931 NULL((void*)0), 0x0, "Codepage setting for this account", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9932
9933 { &hf_netlogon_level16,
9934 { "Level", "netlogon.level16", FT_UINT16, BASE_DEC,
9935 NULL((void*)0), 0x0, "Which option of the union is represented here", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9936
9937 { &hf_netlogon_validation_level,
9938 { "Validation Level", "netlogon.validation_level", FT_UINT16, BASE_DEC,
9939 NULL((void*)0), 0x0, "Requested level of validation", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9940
9941 { &hf_netlogon_minpasswdlen,
9942 { "Min Password Len", "netlogon.min_passwd_len", FT_UINT16, BASE_DEC,
9943 NULL((void*)0), 0x0, "Minimum length of password", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9944
9945 { &hf_netlogon_passwdhistorylen,
9946 { "Passwd History Len", "netlogon.passwd_history_len", FT_UINT16, BASE_DEC,
9947 NULL((void*)0), 0x0, "Length of password history", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9948
9949 { &hf_netlogon_secure_channel_type,
9950 { "Sec Chan Type", "netlogon.sec_chan_type", FT_UINT16, BASE_DEC,
9951 VALS(misc_netr_SchannelType_vals)((0 ? (const struct _value_string*)0 : ((misc_netr_SchannelType_vals
))))
, 0x0, "Secure Channel Type", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9952
9953 { &hf_netlogon_restart_state,
9954 { "Restart State", "netlogon.restart_state", FT_UINT16, BASE_DEC,
9955 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9956
9957 { &hf_netlogon_delta_type,
9958 { "Delta Type", "netlogon.delta_type", FT_UINT16, BASE_DEC,
9959 VALS(delta_type_vals)((0 ? (const struct _value_string*)0 : ((delta_type_vals)))), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9960
9961 { &hf_netlogon_blob_size,
9962 { "Size", "netlogon.blob.size", FT_UINT32, BASE_DEC,
9963 NULL((void*)0), 0x0, "Size in bytes of BLOB", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9964
9965 { &hf_netlogon_code,
9966 { "Code", "netlogon.code", FT_UINT32, BASE_HEX,
9967 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9968
9969 { &hf_netlogon_level,
9970 { "Level", "netlogon.level", FT_UINT32, BASE_DEC,
9971 NULL((void*)0), 0x0, "Which option of the union is represented here", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9972
9973 { &hf_netlogon_reference,
9974 { "Reference", "netlogon.reference", FT_UINT32, BASE_DEC,
9975 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9976
9977 { &hf_netlogon_next_reference,
9978 { "Next Reference", "netlogon.next_reference", FT_UINT32, BASE_DEC,
9979 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9980
9981 { &hf_netlogon_timestamp,
9982 { "Timestamp", "netlogon.timestamp", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
9983 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9984
9985 { &hf_netlogon_user_rid,
9986 { "User RID", "netlogon.rid", FT_UINT32, BASE_DEC,
9987 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9988
9989 { &hf_netlogon_alias_rid,
9990 { "Alias RID", "netlogon.alias_rid", FT_UINT32, BASE_DEC,
9991 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9992
9993 { &hf_netlogon_group_rid,
9994 { "Group RID", "netlogon.group_rid", FT_UINT32, BASE_DEC,
9995 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
9996
9997 { &hf_netlogon_num_rids,
9998 { "Num RIDs", "netlogon.num_rids", FT_UINT32, BASE_DEC,
9999 NULL((void*)0), 0x0, "Number of RIDs", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10000
10001 { &hf_netlogon_num_controllers,
10002 { "Num DCs", "netlogon.num_dc", FT_UINT32, BASE_DEC,
10003 NULL((void*)0), 0x0, "Number of domain controllers", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10004
10005 { &hf_netlogon_num_sid,
10006 { "Num Extra SID", "netlogon.num_sid", FT_UINT32, BASE_DEC,
10007 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10008
10009 { &hf_netlogon_flags,
10010 { "Flags", "netlogon.flags", FT_UINT32, BASE_HEX,
10011 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10012
10013 { &hf_netlogon_user_account_control,
10014 { "User Account Control", "netlogon.user_account_control", FT_UINT32, BASE_HEX,
10015 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10016
10017 { &hf_netlogon_user_flags,
10018 { "User Flags", "netlogon.user_flags", FT_UINT32, BASE_HEX,
10019 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10020
10021 { &hf_netlogon_auth_flags,
10022 { "Auth Flags", "netlogon.auth_flags", FT_UINT32, BASE_HEX,
10023 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10024
10025 { &hf_netlogon_systemflags,
10026 { "System Flags", "netlogon.system_flags", FT_UINT32, BASE_HEX,
10027 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10028
10029 { &hf_netlogon_database_id,
10030 { "Database Id", "netlogon.database_id", FT_UINT32, BASE_DEC,
10031 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10032
10033 { &hf_netlogon_sync_context,
10034 { "Sync Context", "netlogon.sync_context", FT_UINT32, BASE_DEC,
10035 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10036
10037 { &hf_netlogon_max_size,
10038 { "Max Size", "netlogon.max_size", FT_UINT32, BASE_DEC,
10039 NULL((void*)0), 0x0, "Max Size of database", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10040
10041 { &hf_netlogon_max_log_size,
10042 { "Max Log Size", "netlogon.max_log_size", FT_UINT32, BASE_DEC,
10043 NULL((void*)0), 0x0, "Max Size of log", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10044
10045#if 0
10046 { &hf_netlogon_pac_size,
10047 { "Pac Size", "netlogon.pac.size", FT_UINT32, BASE_DEC,
10048 NULL((void*)0), 0x0, "Size of PacData in bytes", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10049#endif
10050
10051#if 0
10052 { &hf_netlogon_auth_size,
10053 { "Auth Size", "netlogon.auth.size", FT_UINT32, BASE_DEC,
10054 NULL((void*)0), 0x0, "Size of AuthData in bytes", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10055#endif
10056
10057 { &hf_netlogon_num_deltas,
10058 { "Num Deltas", "netlogon.num_deltas", FT_UINT32, BASE_DEC,
10059 NULL((void*)0), 0x0, "Number of SAM Deltas in array", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10060
10061 { &hf_netlogon_num_trusts,
10062 { "Num Trusts", "netlogon.num_trusts", FT_UINT32, BASE_DEC,
10063 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10064
10065 { &hf_netlogon_logon_attempts,
10066 { "Logon Attempts", "netlogon.logon_attempts", FT_UINT32, BASE_DEC,
10067 NULL((void*)0), 0x0, "Number of logon attempts", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10068
10069 { &hf_netlogon_pagefilelimit,
10070 { "Page File Limit", "netlogon.page_file_limit", FT_UINT32, BASE_DEC,
10071 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10072
10073 { &hf_netlogon_pagedpoollimit,
10074 { "Paged Pool Limit", "netlogon.paged_pool_limit", FT_UINT32, BASE_DEC,
10075 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10076
10077 { &hf_netlogon_nonpagedpoollimit,
10078 { "Non-Paged Pool Limit", "netlogon.nonpaged_pool_limit", FT_UINT32, BASE_DEC,
10079 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10080
10081 { &hf_netlogon_minworkingsetsize,
10082 { "Min Working Set Size", "netlogon.min_working_set_size", FT_UINT32, BASE_DEC,
10083 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10084
10085 { &hf_netlogon_maxworkingsetsize,
10086 { "Max Working Set Size", "netlogon.max_working_set_size", FT_UINT32, BASE_DEC,
10087 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10088
10089 { &hf_netlogon_serial_number,
10090 { "Serial Number", "netlogon.serial_number", FT_UINT32, BASE_DEC,
10091 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10092
10093 { &hf_netlogon_neg_flags,
10094 { "Negotiation options", "netlogon.neg_flags", FT_UINT32, BASE_HEX,
10095 NULL((void*)0), 0x0, "Negotiation Flags", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10096
10097 { &hf_netlogon_neg_flags_80000000,
10098 { "Supports Kerberos Auth", "ntlmssp.neg_flags.supports_kerberos_auth", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_800000000x80000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10099
10100 { &hf_netlogon_neg_flags_40000000,
10101 { "Authenticated RPC supported", "ntlmssp.neg_flags.na4000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_400000000x40000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10102
10103 { &hf_netlogon_neg_flags_20000000,
10104 { "Authenticated RPC via lsass supported", "ntlmssp.neg_flags.na2000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_200000000x20000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10105
10106#if 0
10107 { &hf_netlogon_neg_flags_10000000,
10108 { "Not used 10000000", "ntlmssp.neg_flags.na1000000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_100000000x10000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10109#endif
10110
10111#if 0
10112 { &hf_netlogon_neg_flags_8000000,
10113 { "Not used 8000000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_80000000x8000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10114#endif
10115
10116#if 0
10117 { &hf_netlogon_neg_flags_4000000,
10118 { "Not used 4000000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_40000000x4000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10119#endif
10120
10121#if 0
10122 { &hf_netlogon_neg_flags_2000000,
10123 { "Not used 2000000", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_20000000x2000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10124#endif
10125
10126 { &hf_netlogon_neg_flags_1000000,
10127 { "AES supported", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_AES0x1000000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10128
10129#if 0
10130 { &hf_netlogon_neg_flags_800000,
10131 { "Not used 800000", "ntlmssp.neg_flags.na800000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_8000000x800000, "Not used", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10132#endif
10133
10134#if 0
10135 { &hf_netlogon_neg_flags_400000,
10136 { "Not used 400000", "ntlmssp.neg_flags.na400000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_4000000x400000, "AES&SHA2", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10137#endif
10138
10139 { &hf_netlogon_neg_flags_200000,
10140 { "RODC pass-through", "ntlmssp.neg_flags.na200000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_2000000x200000, "rodc pt", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10141
10142 { &hf_netlogon_neg_flags_100000,
10143 { "NO NT4 emulation", "ntlmssp.neg_flags.na100000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_1000000x100000, "No NT4 emu", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10144
10145 { &hf_netlogon_neg_flags_80000,
10146 { "Cross forest trust", "ntlmssp.neg_flags.na80000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_800000x80000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10147
10148 { &hf_netlogon_neg_flags_40000,
10149 { "GetDomainInfo supported", "ntlmssp.neg_flags.na40000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_400000x40000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10150
10151 { &hf_netlogon_neg_flags_20000,
10152 { "ServerPasswordSet2 supported", "ntlmssp.neg_flags.na20000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_200000x20000, "PasswordSet2", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10153
10154 { &hf_netlogon_neg_flags_10000,
10155 { "DNS trusts supported", "ntlmssp.neg_flags.na10000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_100000x10000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10156
10157 { &hf_netlogon_neg_flags_8000,
10158 { "Transitive trusts", "ntlmssp.neg_flags.na8000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_80000x8000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10159
10160 { &hf_netlogon_neg_flags_4000,
10161 { "Strong key", "ntlmssp.neg_flags.na4000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_STRONGKEY0x4000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10162
10163 { &hf_netlogon_neg_flags_2000,
10164 { "Avoid replication Auth database", "ntlmssp.neg_flags.na2000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_20000x2000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10165
10166 { &hf_netlogon_neg_flags_1000,
10167 { "Avoid replication account database", "ntlmssp.neg_flags.na1000", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_10000x1000, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10168
10169 { &hf_netlogon_neg_flags_800,
10170 { "Concurrent RPC", "ntlmssp.neg_flags.na800", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_8000x800, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10171
10172 { &hf_netlogon_neg_flags_400,
10173 { "Generic pass-through", "ntlmssp.neg_flags.na400", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_4000x400, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10174
10175 { &hf_netlogon_neg_flags_200,
10176 { "SendToSam", "ntlmssp.neg_flags.na200", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_2000x200, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10177
10178 { &hf_netlogon_neg_flags_100,
10179 { "Refusal of password change", "ntlmssp.neg_flags.na100", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_1000x100, "PWD change refusal", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10180
10181 { &hf_netlogon_neg_flags_80,
10182 { "DatabaseRedo call", "ntlmssp.neg_flags.na80", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_800x80, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10183
10184 { &hf_netlogon_neg_flags_40,
10185 { "Handle multiple SIDs", "ntlmssp.neg_flags.na40", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_400x40, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10186
10187 { &hf_netlogon_neg_flags_20,
10188 { "Restarting full DC sync", "ntlmssp.neg_flags.na20", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_200x20, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10189
10190 { &hf_netlogon_neg_flags_10,
10191 { "BDC handling Changelogs", "ntlmssp.neg_flags.na10", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_100x10, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10192
10193 { &hf_netlogon_neg_flags_8,
10194 { "Promotion count(deprecated)", "ntlmssp.neg_flags.na8", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_80x8, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10195
10196 { &hf_netlogon_neg_flags_4,
10197 { "RC4 encryption", "ntlmssp.neg_flags.na4", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_40x4, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10198
10199 { &hf_netlogon_neg_flags_2,
10200 { "NT3.5 BDC continuous update", "ntlmssp.neg_flags.na2", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_20x2, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10201
10202 { &hf_netlogon_neg_flags_1,
10203 { "Account lockout", "ntlmssp.neg_flags.na1", FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, NETLOGON_FLAG_10x1, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10204
10205 { &hf_netlogon_dc_flags,
10206 { "Domain Controller Flags", "netlogon.dc.flags", FT_UINT32, BASE_HEX,
10207 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10208
10209 { &hf_netlogon_dc_flags_pdc_flag,
10210 { "PDC", "netlogon.dc.flags.pdc",
10211 FT_BOOLEAN, 32, TFS(&dc_flags_pdc_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_pdc_flag
))))
, DS_PDC_FLAG0x00000001,
10212 "If this server is a PDC", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10213
10214 { &hf_netlogon_dc_flags_gc_flag,
10215 { "GC", "netlogon.dc.flags.gc",
10216 FT_BOOLEAN, 32, TFS(&dc_flags_gc_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_gc_flag
))))
, DS_GC_FLAG0x00000004,
10217 "If this server is a GC", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10218
10219 { &hf_netlogon_dc_flags_ldap_flag,
10220 { "LDAP", "netlogon.dc.flags.ldap",
10221 FT_BOOLEAN, 32, TFS(&dc_flags_ldap_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_ldap_flag
))))
, DS_LDAP_FLAG0x00000008,
10222 "If this is an LDAP server", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10223
10224 { &hf_netlogon_dc_flags_ds_flag,
10225 { "DS", "netlogon.dc.flags.ds",
10226 FT_BOOLEAN, 32, TFS(&dc_flags_ds_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_ds_flag
))))
, DS_DS_FLAG0x00000010,
10227 "If this server is a DS", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10228
10229 { &hf_netlogon_dc_flags_kdc_flag,
10230 { "KDC", "netlogon.dc.flags.kdc",
10231 FT_BOOLEAN, 32, TFS(&dc_flags_kdc_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_kdc_flag
))))
, DS_KDC_FLAG0x00000020,
10232 "If this is a KDC", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10233
10234 { &hf_netlogon_dc_flags_timeserv_flag,
10235 { "Timeserv", "netlogon.dc.flags.timeserv",
10236 FT_BOOLEAN, 32, TFS(&dc_flags_timeserv_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_timeserv_flag
))))
, DS_TIMESERV_FLAG0x00000040,
10237 "If this server is a TimeServer", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10238
10239 { &hf_netlogon_dc_flags_closest_flag,
10240 { "Closest", "netlogon.dc.flags.closest",
10241 FT_BOOLEAN, 32, TFS(&dc_flags_closest_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_closest_flag
))))
, DS_CLOSEST_FLAG0x00000080,
10242 "If this is the closest server", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10243
10244 { &hf_netlogon_dc_flags_writable_flag,
10245 { "Writable", "netlogon.dc.flags.writable",
10246 FT_BOOLEAN, 32, TFS(&dc_flags_writable_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_writable_flag
))))
, DS_WRITABLE_FLAG0x00000100,
10247 "If this server can do updates to the database", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10248
10249 { &hf_netlogon_dc_flags_good_timeserv_flag,
10250 { "Good Timeserv", "netlogon.dc.flags.good_timeserv",
10251 FT_BOOLEAN, 32, TFS(&dc_flags_good_timeserv_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_good_timeserv_flag
))))
, DS_GOOD_TIMESERV_FLAG0x00000200,
10252 "If this is a Good TimeServer", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10253
10254 { &hf_netlogon_dc_flags_ndnc_flag,
10255 { "NDNC", "netlogon.dc.flags.ndnc",
10256 FT_BOOLEAN, 32, TFS(&dc_flags_ndnc_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_ndnc_flag
))))
, DS_NDNC_FLAG0x00000400,
10257 "If this is an NDNC server", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10258
10259 { &hf_netlogon_dc_flags_dns_controller_flag,
10260 { "DNS Controller", "netlogon.dc.flags.dns_controller",
10261 FT_BOOLEAN, 32, TFS(&dc_flags_dns_controller_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_dns_controller_flag
))))
, DS_DNS_CONTROLLER_FLAG0x20000000,
10262 "If this server is a DNS Controller", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10263
10264 { &hf_netlogon_dc_flags_dns_domain_flag,
10265 { "DNS Domain", "netlogon.dc.flags.dns_domain",
10266 FT_BOOLEAN, 32, TFS(&dc_flags_dns_domain_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_dns_domain_flag
))))
, DS_DNS_DOMAIN_FLAG0x40000000,
10267 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10268
10269 { &hf_netlogon_dc_flags_dns_forest_flag,
10270 { "DNS Forest", "netlogon.dc.flags.dns_forest",
10271 FT_BOOLEAN, 32, TFS(&dc_flags_dns_forest_flag)((0 ? (const struct true_false_string*)0 : ((&dc_flags_dns_forest_flag
))))
, DS_DNS_FOREST_FLAG0x80000000,
10272 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10273
10274 { &hf_netlogon_get_dcname_request_flags,
10275 { "Flags", "netlogon.get_dcname.request.flags", FT_UINT32, BASE_HEX,
10276 NULL((void*)0), 0x0, "Flags for DSGetDCName request", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10277
10278 { &hf_netlogon_get_dcname_request_flags_force_rediscovery,
10279 { "Force Rediscovery", "netlogon.get_dcname.request.flags.force_rediscovery",
10280 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_force_rediscovery)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_force_rediscovery
))))
, DS_FORCE_REDISCOVERY0x00000001,
10281 "Whether to allow the server to returned cached information or not", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10282
10283 { &hf_netlogon_get_dcname_request_flags_directory_service_required,
10284 { "DS Required", "netlogon.get_dcname.request.flags.ds_required",
10285 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_required)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_directory_service_required
))))
, DS_DIRECTORY_SERVICE_REQUIRED0x00000010,
10286 "Whether we require that the returned DC supports w2k or not", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10287
10288 { &hf_netlogon_get_dcname_request_flags_directory_service_preferred,
10289 { "DS Preferred", "netlogon.get_dcname.request.flags.ds_preferred",
10290 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_directory_service_preferred)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_directory_service_preferred
))))
, DS_DIRECTORY_SERVICE_PREFERRED0x00000020,
10291 "Whether we prefer the call to return a w2k server (if available)", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10292
10293 { &hf_netlogon_get_dcname_request_flags_gc_server_required,
10294 { "GC Required", "netlogon.get_dcname.request.flags.gc_server_required",
10295 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_gc_server_required)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_gc_server_required
))))
, DS_GC_SERVER_REQUIRED0x00000040,
10296 "Whether we require that the returned DC is a Global Catalog server", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10297
10298 { &hf_netlogon_get_dcname_request_flags_pdc_required,
10299 { "PDC Required", "netlogon.get_dcname.request.flags.pdc_required",
10300 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_pdc_required)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_pdc_required
))))
, DS_PDC_REQUIRED0x00000080,
10301 "Whether we require the returned DC to be the PDC", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10302
10303 { &hf_netlogon_get_dcname_request_flags_background_only,
10304 { "Background Only", "netlogon.get_dcname.request.flags.background_only",
10305 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_background_only)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_background_only
))))
, DS_BACKGROUND_ONLY0x00000100,
10306 "If we want cached data, even if it may have expired", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10307
10308 { &hf_netlogon_get_dcname_request_flags_ip_required,
10309 { "IP Required", "netlogon.get_dcname.request.flags.ip_required",
10310 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_ip_required)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_ip_required
))))
, DS_IP_REQUIRED0x00000200,
10311 "If we require the IP of the DC in the reply", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10312
10313 { &hf_netlogon_get_dcname_request_flags_kdc_required,
10314 { "KDC Required", "netlogon.get_dcname.request.flags.kdc_required",
10315 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_kdc_required)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_kdc_required
))))
, DS_KDC_REQUIRED0x00000400,
10316 "If we require that the returned server is a KDC", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10317
10318 { &hf_netlogon_get_dcname_request_flags_timeserv_required,
10319 { "Timeserv Required", "netlogon.get_dcname.request.flags.timeserv_required",
10320 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_timeserv_required)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_timeserv_required
))))
, DS_TIMESERV_REQUIRED0x00000800,
10321 "If we require the returned server to be a WindowsTimeServ server", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10322
10323 { &hf_netlogon_get_dcname_request_flags_writable_required,
10324 { "Writable Required", "netlogon.get_dcname.request.flags.writable_required",
10325 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_writable_required)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_writable_required
))))
, DS_WRITABLE_REQUIRED0x00001000,
10326 "If we require that the returned server is writable", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10327
10328 { &hf_netlogon_get_dcname_request_flags_good_timeserv_preferred,
10329 { "Timeserv Preferred", "netlogon.get_dcname.request.flags.good_timeserv_preferred",
10330 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_good_timeserv_preferred)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_good_timeserv_preferred
))))
, DS_GOOD_TIMESERV_PREFERRED0x00002000,
10331 "If we prefer Windows Time Servers", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10332
10333 { &hf_netlogon_get_dcname_request_flags_avoid_self,
10334 { "Avoid Self", "netlogon.get_dcname.request.flags.avoid_self",
10335 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_avoid_self)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_avoid_self
))))
, DS_AVOID_SELF0x00004000,
10336 "Return another DC than the one we ask", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10337
10338 { &hf_netlogon_get_dcname_request_flags_only_ldap_needed,
10339 { "Only LDAP Needed", "netlogon.get_dcname.request.flags.only_ldap_needed",
10340 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_only_ldap_needed)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_only_ldap_needed
))))
, DS_ONLY_LDAP_NEEDED0x00008000,
10341 "We just want an LDAP server, it does not have to be a DC", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10342
10343 { &hf_netlogon_get_dcname_request_flags_is_flat_name,
10344 { "Is Flat Name", "netlogon.get_dcname.request.flags.is_flat_name",
10345 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_flat_name)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_is_flat_name
))))
, DS_IS_FLAT_NAME0x00010000,
10346 "If the specified domain name is a NetBIOS name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10347
10348 { &hf_netlogon_get_dcname_request_flags_is_dns_name,
10349 { "Is DNS Name", "netlogon.get_dcname.request.flags.is_dns_name",
10350 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_is_dns_name)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_is_dns_name
))))
, DS_IS_DNS_NAME0x00020000,
10351 "If the specified domain name is a DNS name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10352
10353 { &hf_netlogon_get_dcname_request_flags_return_dns_name,
10354 { "Return DNS Name", "netlogon.get_dcname.request.flags.return_dns_name",
10355 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_dns_name)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_return_dns_name
))))
, DS_RETURN_DNS_NAME0x40000000,
10356 "Only return a DNS name (or an error)", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10357
10358 { &hf_netlogon_get_dcname_request_flags_return_flat_name,
10359 { "Return Flat Name", "netlogon.get_dcname.request.flags.return_flat_name",
10360 FT_BOOLEAN, 32, TFS(&get_dcname_request_flags_return_flat_name)((0 ? (const struct true_false_string*)0 : ((&get_dcname_request_flags_return_flat_name
))))
, DS_RETURN_FLAT_NAME0x80000000,
10361 "Only return a NetBIOS name (or an error)", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10362
10363 { &hf_netlogon_trust_attribs,
10364 { "Trust Attributes", "netlogon.trust_attribs", FT_UINT32, BASE_HEX,
10365 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10366
10367 { &hf_netlogon_trust_attribs_non_transitive,
10368 { "Non Transitive", "netlogon.trust.attribs.non_transitive", FT_BOOLEAN, 32,
10369 TFS(&trust_attribs_non_transitive)((0 ? (const struct true_false_string*)0 : ((&trust_attribs_non_transitive
))))
, 0x00000001, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10370
10371 { &hf_netlogon_trust_attribs_uplevel_only,
10372 { "Uplevel Only", "netlogon.trust.attribs.uplevel_only", FT_BOOLEAN, 32,
10373 TFS(&trust_attribs_uplevel_only)((0 ? (const struct true_false_string*)0 : ((&trust_attribs_uplevel_only
))))
, 0x00000002, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10374
10375 { &hf_netlogon_trust_attribs_quarantined_domain,
10376 { "Quarantined Domain", "netlogon.trust.attribs.quarantined_domain", FT_BOOLEAN, 32,
10377 TFS(&trust_attribs_quarantined_domain)((0 ? (const struct true_false_string*)0 : ((&trust_attribs_quarantined_domain
))))
, 0x00000004, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10378
10379 { &hf_netlogon_trust_attribs_forest_transitive,
10380 { "Forest Transitive", "netlogon.trust.attribs.forest_transitive", FT_BOOLEAN, 32,
10381 TFS(&trust_attribs_forest_transitive)((0 ? (const struct true_false_string*)0 : ((&trust_attribs_forest_transitive
))))
, 0x00000008, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10382
10383 { &hf_netlogon_trust_attribs_cross_organization,
10384 { "Cross Organization", "netlogon.trust.attribs.cross_organization", FT_BOOLEAN, 32,
10385 TFS(&trust_attribs_cross_organization)((0 ? (const struct true_false_string*)0 : ((&trust_attribs_cross_organization
))))
, 0x00000010, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10386
10387 { &hf_netlogon_trust_attribs_within_forest,
10388 { "Within Forest", "netlogon.trust.attribs.within_forest", FT_BOOLEAN, 32,
10389 TFS(&trust_attribs_within_forest)((0 ? (const struct true_false_string*)0 : ((&trust_attribs_within_forest
))))
, 0x00000020, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10390
10391 { &hf_netlogon_trust_attribs_treat_as_external,
10392 { "Treat As External", "netlogon.trust.attribs.treat_as_external", FT_BOOLEAN, 32,
10393 TFS(&trust_attribs_treat_as_external)((0 ? (const struct true_false_string*)0 : ((&trust_attribs_treat_as_external
))))
, 0x00000040, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10394
10395 { &hf_netlogon_trust_type,
10396 { "Trust Type", "netlogon.trust_type", FT_UINT32, BASE_DEC,
10397 VALS(trust_type_vals)((0 ? (const struct _value_string*)0 : ((trust_type_vals)))), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10398
10399 { &hf_netlogon_extraflags,
10400 { "Extra Flags", "netlogon.extra_flags", FT_UINT32, BASE_HEX,
10401 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10402
10403 { &hf_netlogon_extra_flags_root_forest,
10404 { "Request passed to DC of root forest", "netlogon.extra.flags.rootdc",
10405 FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, RQ_ROOT_FOREST0x00000001,
10406 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10407
10408 { &hf_netlogon_trust_flags_dc_firsthop,
10409 { "DC at the end of the first hop of cross forest", "netlogon.extra.flags.dc_firsthop",
10410 FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, RQ_DC_XFOREST0x00000002,
10411 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10412
10413 { &hf_netlogon_trust_flags_rodc_to_dc,
10414 { "Request from a RODC to a DC from another domain", "netlogon.extra.flags.rodc_to_dc",
10415 FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, RQ_RODC_DIF_DOMAIN0x00000004,
10416 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10417
10418 { &hf_netlogon_trust_flags_rodc_ntlm,
10419 { "Request is a NTLM auth passed by a RODC", "netlogon.extra.flags.rodc_ntlm",
10420 FT_BOOLEAN, 32, TFS(&tfs_set_notset)((0 ? (const struct true_false_string*)0 : ((&tfs_set_notset
))))
, RQ_NTLM_FROM_RODC0x00000008,
10421 NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10422
10423 { &hf_netlogon_trust_flags,
10424 { "Trust Flags", "netlogon.trust_flags", FT_UINT32, BASE_HEX,
10425 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10426
10427 { &hf_netlogon_trust_flags_inbound,
10428 { "Inbound Trust", "netlogon.trust.flags.inbound",
10429 FT_BOOLEAN, 32, TFS(&trust_inbound)((0 ? (const struct true_false_string*)0 : ((&trust_inbound
))))
, DS_DOMAIN_DIRECT_INBOUND0x00000020,
10430 "Inbound trust. Whether the domain directly trusts the queried servers domain", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10431
10432 { &hf_netlogon_trust_flags_outbound,
10433 { "Outbound Trust", "netlogon.trust.flags.outbound",
10434 FT_BOOLEAN, 32, TFS(&trust_outbound)((0 ? (const struct true_false_string*)0 : ((&trust_outbound
))))
, DS_DOMAIN_DIRECT_OUTBOUND0x00000002,
10435 "Outbound Trust. Whether the domain is directly trusted by the servers domain", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10436
10437 { &hf_netlogon_trust_flags_in_forest,
10438 { "In Forest", "netlogon.trust.flags.in_forest",
10439 FT_BOOLEAN, 32, TFS(&trust_in_forest)((0 ? (const struct true_false_string*)0 : ((&trust_in_forest
))))
, DS_DOMAIN_IN_FOREST0x00000001,
10440 "Whether this domain is a member of the same forest as the servers domain", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10441
10442 { &hf_netlogon_trust_flags_native_mode,
10443 { "Native Mode", "netlogon.trust.flags.native_mode",
10444 FT_BOOLEAN, 32, TFS(&trust_native_mode)((0 ? (const struct true_false_string*)0 : ((&trust_native_mode
))))
, DS_DOMAIN_NATIVE_MODE0x00000010,
10445 "Whether the domain is a w2k native mode domain or not", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10446
10447 { &hf_netlogon_trust_flags_primary,
10448 { "Primary", "netlogon.trust.flags.primary",
10449 FT_BOOLEAN, 32, TFS(&trust_primary)((0 ? (const struct true_false_string*)0 : ((&trust_primary
))))
, DS_DOMAIN_PRIMARY0x00000008,
10450 "Whether the domain is the primary domain for the queried server or not", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10451
10452 { &hf_netlogon_trust_flags_tree_root,
10453 { "Tree Root", "netlogon.trust.flags.tree_root",
10454 FT_BOOLEAN, 32, TFS(&trust_tree_root)((0 ? (const struct true_false_string*)0 : ((&trust_tree_root
))))
, DS_DOMAIN_TREE_ROOT0x00000004,
10455 "Whether the domain is the root of the tree for the queried server", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10456
10457 { &hf_netlogon_trust_parent_index,
10458 { "Parent Index", "netlogon.parent_index", FT_UINT32, BASE_HEX,
10459 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10460
10461 { &hf_netlogon_logon_time,
10462 { "Logon Time", "netlogon.logon_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10463 NULL((void*)0), 0, "Time for last time this user logged on", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10464
10465 { &hf_netlogon_kickoff_time,
10466 { "Kickoff Time", "netlogon.kickoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10467 NULL((void*)0), 0, "Time when this user will be kicked off", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10468
10469 { &hf_netlogon_logoff_time,
10470 { "Logoff Time", "netlogon.logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10471 NULL((void*)0), 0, "Time for last time this user logged off", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10472
10473 { &hf_netlogon_last_logoff_time,
10474 { "Last Logoff Time", "netlogon.last_logoff_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10475 NULL((void*)0), 0, "Time for last time this user logged off", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10476
10477 { &hf_netlogon_pwd_last_set_time,
10478 { "PWD Last Set", "netlogon.pwd_last_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10479 NULL((void*)0), 0, "Last time this users password was changed", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10480
10481 { &hf_netlogon_pwd_age,
10482 { "PWD Age", "netlogon.pwd_age", FT_RELATIVE_TIME, BASE_NONE,
10483 NULL((void*)0), 0, "Time since this users password was changed", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10484
10485 { &hf_netlogon_pwd_can_change_time,
10486 { "PWD Can Change", "netlogon.pwd_can_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10487 NULL((void*)0), 0, "When this users password may be changed", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10488
10489 { &hf_netlogon_pwd_must_change_time,
10490 { "PWD Must Change", "netlogon.pwd_must_change_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10491 NULL((void*)0), 0, "When this users password must be changed", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10492
10493 { &hf_netlogon_domain_create_time,
10494 { "Domain Create Time", "netlogon.domain_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10495 NULL((void*)0), 0, "Time when this domain was created", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10496
10497 { &hf_netlogon_domain_modify_time,
10498 { "Domain Modify Time", "netlogon.domain_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10499 NULL((void*)0), 0, "Time when this domain was last modified", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10500
10501 { &hf_netlogon_db_modify_time,
10502 { "DB Modify Time", "netlogon.db_modify_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10503 NULL((void*)0), 0, "Time when last modified", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10504
10505 { &hf_netlogon_db_create_time,
10506 { "DB Create Time", "netlogon.db_create_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10507 NULL((void*)0), 0, "Time when created", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10508
10509 { &hf_netlogon_cipher_current_set_time,
10510 { "Cipher Current Set Time", "netlogon.cipher_current_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10511 NULL((void*)0), 0, "Time when current cipher was initiated", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10512
10513 { &hf_netlogon_cipher_old_set_time,
10514 { "Cipher Old Set Time", "netlogon.cipher_old_set_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
10515 NULL((void*)0), 0, "Time when previous cipher was initiated", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10516
10517 { &hf_netlogon_audit_retention_period,
10518 { "Audit Retention Period", "netlogon.audit_retention_period", FT_RELATIVE_TIME, BASE_NONE,
10519 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10520
10521 { &hf_netlogon_timelimit,
10522 { "Time Limit", "netlogon.time_limit", FT_RELATIVE_TIME, BASE_NONE,
10523 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10524
10525
10526 { &hf_client_credential,
10527 { "Client Credential", "netlogon.clientcred", FT_BYTES, BASE_NONE,
10528 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10529
10530 { &hf_server_credential,
10531 { "Server Credential", "netlogon.servercred", FT_BYTES, BASE_NONE,
10532 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10533
10534 { &hf_server_rid,
10535 { "Account RID", "netlogon.serverrid", FT_UINT32, BASE_DEC,
10536 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10537
10538 { &hf_client_challenge,
10539 { "Client Challenge", "netlogon.clientchallenge", FT_BYTES, BASE_NONE,
10540 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10541
10542 { &hf_server_challenge,
10543 { "Server Challenge", "netlogon.serverchallenge", FT_BYTES, BASE_NONE,
10544 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10545
10546 { &hf_netlogon_secchan_nl_message_type,
10547 { "Message Type", "netlogon.secchan.nl_auth_message.message_type", FT_UINT32, BASE_HEX,
10548 VALS(nl_auth_types)((0 ? (const struct _value_string*)0 : ((nl_auth_types)))), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10549
10550 { &hf_netlogon_secchan_nl_message_flags,
10551 { "Message Flags", "netlogon.secchan.nl_auth_message.message_flags", FT_UINT32, BASE_HEX,
10552 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10553
10554 { &hf_netlogon_secchan_nl_message_flags_nb_domain,
10555 { "NetBios Domain", "netlogon.secchan.nl_auth_message.message_flags.nb_domain", FT_BOOLEAN, 32,
10556 NULL((void*)0), 0x00000001, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10557
10558 { &hf_netlogon_secchan_nl_message_flags_nb_host,
10559 { "NetBios Host", "netlogon.secchan.nl_auth_message.message_flags.nb_host", FT_BOOLEAN, 32,
10560 NULL((void*)0), 0x00000002, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10561
10562 { &hf_netlogon_secchan_nl_message_flags_dns_domain,
10563 { "DNS Domain", "netlogon.secchan.nl_auth_message.message_flags.dns_domain", FT_BOOLEAN, 32,
10564 NULL((void*)0), 0x00000004, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10565
10566 { &hf_netlogon_secchan_nl_message_flags_dns_host,
10567 { "DNS Host", "netlogon.secchan.nl_auth_message.message_flags.dns_host", FT_BOOLEAN, 32,
10568 NULL((void*)0), 0x00000008, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10569
10570 { &hf_netlogon_secchan_nl_message_flags_nb_host_utf8,
10571 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.message_flags.nb_host_utf8", FT_BOOLEAN, 32,
10572 NULL((void*)0), 0x00000010, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10573
10574 { &hf_netlogon_secchan_nl_nb_domain,
10575 { "NetBios Domain", "netlogon.secchan.nl_auth_message.nb_domain", FT_STRING, BASE_NONE,
10576 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10577
10578 { &hf_netlogon_secchan_nl_nb_host,
10579 { "NetBios Host", "netlogon.secchan.nl_auth_message.nb_host", FT_STRING, BASE_NONE,
10580 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10581
10582 { &hf_netlogon_secchan_nl_nb_host_utf8,
10583 { "NetBios Host(UTF8)", "netlogon.secchan.nl_auth_message.nb_host_utf8", FT_STRING, BASE_NONE,
10584 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10585
10586 { &hf_netlogon_secchan_nl_dns_domain,
10587 { "DNS Domain", "netlogon.secchan.nl_auth_message.dns_domain", FT_STRING, BASE_NONE,
10588 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10589
10590 { &hf_netlogon_secchan_nl_dns_host,
10591 { "DNS Host", "netlogon.secchan.nl_auth_message.dns_host", FT_STRING, BASE_NONE,
10592 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10593
10594 { &hf_netlogon_data_length,
10595 { "Length of Data", "netlogon.data.length", FT_UINT32, BASE_DEC,
10596 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10597
10598 { &hf_netlogon_package_name,
10599 { "SSP Package Name", "netlogon.data.package_name", FT_STRING, BASE_NONE,
10600 NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10601
10602 { &hf_netlogon_secchan_verf,
10603 { "Secure Channel Verifier", "netlogon.secchan.verifier", FT_NONE, BASE_NONE,
10604 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10605
10606 { &hf_netlogon_secchan_verf_signalg,
10607 { "Sign algorithm", "netlogon.secchan.signalg", FT_UINT16, BASE_HEX,
10608 VALS(sign_algs)((0 ? (const struct _value_string*)0 : ((sign_algs)))), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10609
10610 { &hf_netlogon_secchan_verf_sealalg,
10611 { "Seal algorithm", "netlogon.secchan.sealalg", FT_UINT16, BASE_HEX,
10612 VALS(seal_algs)((0 ? (const struct _value_string*)0 : ((seal_algs)))), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10613
10614 { &hf_netlogon_secchan_verf_flag,
10615 { "Flags", "netlogon.secchan.flags", FT_BYTES, BASE_NONE, NULL((void*)0),
10616 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10617
10618 { &hf_netlogon_secchan_verf_digest,
10619 { "Packet Digest", "netlogon.secchan.digest", FT_BYTES, BASE_NONE, NULL((void*)0),
10620 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10621
10622 { &hf_netlogon_secchan_verf_seq,
10623 { "Sequence No", "netlogon.secchan.seq", FT_BYTES, BASE_NONE, NULL((void*)0),
10624 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10625
10626 { &hf_netlogon_secchan_verf_nonce,
10627 { "Nonce", "netlogon.secchan.nonce", FT_BYTES, BASE_NONE, NULL((void*)0),
10628 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10629
10630 { &hf_netlogon_user_flags_extra_sids,
10631 { "Extra SIDs", "netlogon.user.flags.extra_sids",
10632 FT_BOOLEAN, 32, TFS(&user_flags_extra_sids)((0 ? (const struct true_false_string*)0 : ((&user_flags_extra_sids
))))
, 0x00000020,
10633 "The user flags EXTRA_SIDS", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10634
10635 { &hf_netlogon_user_flags_resource_groups,
10636 { "Resource Groups", "netlogon.user.flags.resource_groups",
10637 FT_BOOLEAN, 32, TFS(&user_flags_resource_groups)((0 ? (const struct true_false_string*)0 : ((&user_flags_resource_groups
))))
, 0x00000200,
10638 "The user flags RESOURCE_GROUPS", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10639
10640 { &hf_netlogon_user_account_control_dont_require_preauth,
10641 { "Don't Require PreAuth", "netlogon.user.account_control.dont_require_preauth",
10642 FT_BOOLEAN, 32, TFS(&user_account_control_dont_require_preauth)((0 ? (const struct true_false_string*)0 : ((&user_account_control_dont_require_preauth
))))
, 0x00010000,
10643 "The user account control DONT_REQUIRE_PREAUTH flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10644
10645 { &hf_netlogon_user_account_control_use_des_key_only,
10646 { "Use DES Key Only", "netlogon.user.account_control.use_des_key_only",
10647 FT_BOOLEAN, 32, TFS(&user_account_control_use_des_key_only)((0 ? (const struct true_false_string*)0 : ((&user_account_control_use_des_key_only
))))
, 0x00008000,
10648 "The user account control use_des_key_only flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10649
10650 { &hf_netlogon_user_account_control_not_delegated,
10651 { "Not Delegated", "netlogon.user.account_control.not_delegated",
10652 FT_BOOLEAN, 32, TFS(&user_account_control_not_delegated)((0 ? (const struct true_false_string*)0 : ((&user_account_control_not_delegated
))))
, 0x00004000,
10653 "The user account control not_delegated flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10654
10655 { &hf_netlogon_user_account_control_trusted_for_delegation,
10656 { "Trusted For Delegation", "netlogon.user.account_control.trusted_for_delegation",
10657 FT_BOOLEAN, 32, TFS(&user_account_control_trusted_for_delegation)((0 ? (const struct true_false_string*)0 : ((&user_account_control_trusted_for_delegation
))))
, 0x00002000,
10658 "The user account control trusted_for_delegation flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10659
10660 { &hf_netlogon_user_account_control_smartcard_required,
10661 { "SmartCard Required", "netlogon.user.account_control.smartcard_required",
10662 FT_BOOLEAN, 32, TFS(&user_account_control_smartcard_required)((0 ? (const struct true_false_string*)0 : ((&user_account_control_smartcard_required
))))
, 0x00001000,
10663 "The user account control smartcard_required flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10664
10665 { &hf_netlogon_user_account_control_encrypted_text_password_allowed,
10666 { "Encrypted Text Password Allowed", "netlogon.user.account_control.encrypted_text_password_allowed",
10667 FT_BOOLEAN, 32, TFS(&user_account_control_encrypted_text_password_allowed)((0 ? (const struct true_false_string*)0 : ((&user_account_control_encrypted_text_password_allowed
))))
, 0x00000800,
10668 "The user account control encrypted_text_password_allowed flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10669
10670 { &hf_netlogon_user_account_control_account_auto_locked,
10671 { "Account Auto Locked", "netlogon.user.account_control.account_auto_locked",
10672 FT_BOOLEAN, 32, TFS(&user_account_control_account_auto_locked)((0 ? (const struct true_false_string*)0 : ((&user_account_control_account_auto_locked
))))
, 0x00000400,
10673 "The user account control account_auto_locked flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10674
10675 { &hf_netlogon_user_account_control_dont_expire_password,
10676 { "Don't Expire Password", "netlogon.user.account_control.dont_expire_password",
10677 FT_BOOLEAN, 32, TFS(&user_account_control_dont_expire_password)((0 ? (const struct true_false_string*)0 : ((&user_account_control_dont_expire_password
))))
, 0x00000200,
10678 "The user account control dont_expire_password flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10679
10680 { &hf_netlogon_user_account_control_server_trust_account,
10681 { "Server Trust Account", "netlogon.user.account_control.server_trust_account",
10682 FT_BOOLEAN, 32, TFS(&user_account_control_server_trust_account)((0 ? (const struct true_false_string*)0 : ((&user_account_control_server_trust_account
))))
, 0x00000100,
10683 "The user account control server_trust_account flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10684
10685 { &hf_netlogon_user_account_control_workstation_trust_account,
10686 { "Workstation Trust Account", "netlogon.user.account_control.workstation_trust_account",
10687 FT_BOOLEAN, 32, TFS(&user_account_control_workstation_trust_account)((0 ? (const struct true_false_string*)0 : ((&user_account_control_workstation_trust_account
))))
, 0x00000080,
10688 "The user account control workstation_trust_account flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10689
10690 { &hf_netlogon_user_account_control_interdomain_trust_account,
10691 { "Interdomain trust Account", "netlogon.user.account_control.interdomain_trust_account",
10692 FT_BOOLEAN, 32, TFS(&user_account_control_interdomain_trust_account)((0 ? (const struct true_false_string*)0 : ((&user_account_control_interdomain_trust_account
))))
, 0x00000040,
10693 "The user account control interdomain_trust_account flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10694
10695 { &hf_netlogon_user_account_control_mns_logon_account,
10696 { "MNS Logon Account", "netlogon.user.account_control.mns_logon_account",
10697 FT_BOOLEAN, 32, TFS(&user_account_control_mns_logon_account)((0 ? (const struct true_false_string*)0 : ((&user_account_control_mns_logon_account
))))
, 0x00000020,
10698 "The user account control mns_logon_account flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10699
10700 { &hf_netlogon_user_account_control_normal_account,
10701 { "Normal Account", "netlogon.user.account_control.normal_account",
10702 FT_BOOLEAN, 32, TFS(&user_account_control_normal_account)((0 ? (const struct true_false_string*)0 : ((&user_account_control_normal_account
))))
, 0x00000010,
10703 "The user account control normal_account flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10704
10705 { &hf_netlogon_user_account_control_temp_duplicate_account,
10706 { "Temp Duplicate Account", "netlogon.user.account_control.temp_duplicate_account",
10707 FT_BOOLEAN, 32, TFS(&user_account_control_temp_duplicate_account)((0 ? (const struct true_false_string*)0 : ((&user_account_control_temp_duplicate_account
))))
, 0x00000008,
10708 "The user account control temp_duplicate_account flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10709
10710 { &hf_netlogon_user_account_control_password_not_required,
10711 { "Password Not Required", "netlogon.user.account_control.password_not_required",
10712 FT_BOOLEAN, 32, TFS(&user_account_control_password_not_required)((0 ? (const struct true_false_string*)0 : ((&user_account_control_password_not_required
))))
, 0x00000004,
10713 "The user account control password_not_required flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10714
10715 { &hf_netlogon_user_account_control_home_directory_required,
10716 { "Home Directory Required", "netlogon.user.account_control.home_directory_required",
10717 FT_BOOLEAN, 32, TFS(&user_account_control_home_directory_required)((0 ? (const struct true_false_string*)0 : ((&user_account_control_home_directory_required
))))
, 0x00000002,
10718 "The user account control home_directory_required flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10719
10720 { &hf_netlogon_user_account_control_account_disabled,
10721 { "Account Disabled", "netlogon.user.account_control.account_disabled",
10722 FT_BOOLEAN, 32, TFS(&user_account_control_account_disabled)((0 ? (const struct true_false_string*)0 : ((&user_account_control_account_disabled
))))
, 0x00000001,
10723 "The user account control account_disabled flag", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10724
10725#if 0
10726 { &hf_netlogon_dnsdomaininfo,
10727 { "DnsDomainInfo", "netlogon.dnsdomaininfo", FT_NONE, BASE_NONE,
10728 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10729#endif
10730
10731 { &hf_dns_domain_info_sid,
10732 { "Sid", "netlogon.lsa_DnsDomainInfo.sid", FT_NONE, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10733 { &hf_domain_info_sid,
10734 { "Sid", "netlogon.lsa_DomainInfo.sid", FT_NONE, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10735 { &hf_dns_domain_info_domain_guid,
10736 { "Domain Guid", "netlogon.lsa_DnsDomainInfo.domain_guid", FT_GUID, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10737 { &hf_dns_domain_info_dns_forest,
10738 { "Dns Forest", "netlogon.lsa_DnsDomainInfo.dns_forest", FT_NONE, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10739 { &hf_dns_domain_info_dns_domain,
10740 { "Dns Domain", "netlogon.lsa_DnsDomainInfo.dns_domain", FT_NONE, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10741 { &hf_dns_domain_info_name,
10742 { "Name", "netlogon.lsa_DnsDomainInfo.name", FT_NONE, BASE_NONE, NULL((void*)0), 0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10743 { &hf_netlogon_s4u2proxytarget,
10744 { "S4U2proxyTarget", "netlogon.s4u2proxytarget", FT_STRING, BASE_NONE,
10745 NULL((void*)0), 0, "Target for constrained delegation using s4u2proxy", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10746 { &hf_netlogon_transitedlistsize,
10747 { "TransitedListSize", "netlogon.transited_list_size", FT_UINT32, BASE_HEX,
10748 NULL((void*)0), 0x0, "Number of elements in the TransitedServices array.", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10749 { &hf_netlogon_transited_service,
10750 { "Transited Service", "netlogon.transited_service", FT_STRING, BASE_NONE,
10751 NULL((void*)0), 0, "S4U2 Transited Service name", HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10752 { &hf_netlogon_logon_duration,
10753 { "Duration", "netlogon.logon_duration", FT_UINT32, BASE_DEC,
10754 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10755 { &hf_netlogon_time_created,
10756 { "Time Created", "netlogon.time_created", FT_UINT32, BASE_DEC,
10757 NULL((void*)0), 0x0, NULL((void*)0), HFILL-1, 0, HF_REF_TYPE_NONE, -1, ((void*)0) }},
10758 };
10759
10760 static int *ett[] = {
10761 &ett_dcerpc_netlogon,
10762 &ett_authenticate_flags,
10763 &ett_CYPHER_VALUE,
10764 &ett_QUOTA_LIMITS,
10765 &ett_IDENTITY_INFO,
10766 &ett_DELTA_ENUM,
10767 &ett_UNICODE_MULTI,
10768 &ett_DOMAIN_CONTROLLER_INFO,
10769 &ett_netr_CryptPassword,
10770 &ett_NL_PASSWORD_VERSION,
10771 &ett_NL_GENERIC_RPC_DATA,
10772 &ett_TYPE_50,
10773 &ett_TYPE_52,
10774 &ett_DELTA_ID_UNION,
10775 &ett_CAPABILITIES,
10776 &ett_DELTA_UNION,
10777 &ett_LM_OWF_PASSWORD,
10778 &ett_NT_OWF_PASSWORD,
10779 &ett_GROUP_MEMBERSHIP,
10780 &ett_DS_DOMAIN_TRUSTS,
10781 &ett_BLOB,
10782 &ett_DOMAIN_TRUST_INFO,
10783 &ett_LSA_POLICY_INFO,
10784 &ett_trust_flags,
10785 &ett_trust_attribs,
10786 &ett_get_dcname_request_flags,
10787 &ett_dc_flags,
10788 &ett_secchan_nl_auth_message,
10789 &ett_secchan_nl_auth_message_flags,
10790 &ett_secchan_verf,
10791 &ett_group_attrs,
10792 &ett_user_flags,
10793 &ett_nt_counted_longs_as_string,
10794 &ett_user_account_control,
10795 &ett_wstr_LOGON_IDENTITY_INFO_string,
10796 &ett_domain_group_memberships,
10797 &ett_domains_group_memberships,
10798 };
10799 static ei_register_info ei[] = {
10800 { &ei_netlogon_auth_nthash, {
10801 "netlogon.authenticated", PI_SECURITY0x0a000000, PI_CHAT0x00200000,
10802 "Authenticated NTHASH", EXPFILL0, ((void*)0), 0, {0, {((void*)0), ((void*)0), FT_NONE, BASE_NONE
, ((void*)0), 0, ((void*)0), -1, 0, HF_REF_TYPE_NONE, -1, ((void
*)0)}}
10803 }},
10804 { &ei_netlogon_session_key, {
10805 "netlogon.sessionkey", PI_SECURITY0x0a000000, PI_CHAT0x00200000,
10806 "SessionKey", EXPFILL0, ((void*)0), 0, {0, {((void*)0), ((void*)0), FT_NONE, BASE_NONE
, ((void*)0), 0, ((void*)0), -1, 0, HF_REF_TYPE_NONE, -1, ((void
*)0)}}
10807 }},
10808 };
10809 expert_module_t* expert_netlogon;
10810
10811 proto_dcerpc_netlogon = proto_register_protocol("Microsoft Network Logon", "RPC_NETLOGON", "rpc_netlogon");
10812
10813 proto_register_field_array(proto_dcerpc_netlogon, hf, array_length(hf)(sizeof (hf) / sizeof (hf)[0]));
10814 proto_register_subtree_array(ett, array_length(ett)(sizeof (ett) / sizeof (ett)[0]));
10815 expert_netlogon = expert_register_protocol(proto_dcerpc_netlogon);
10816 expert_register_field_array(expert_netlogon, ei, array_length(ei)(sizeof (ei) / sizeof (ei)[0]));
10817
10818 netlogon_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), netlogon_auth_hash, netlogon_auth_equal);
10819 schannel_auths = wmem_map_new_autoreset(wmem_epan_scope(), wmem_file_scope(), dcerpc_auth_schannel_key_hash, dcerpc_auth_schannel_key_equal);
10820}
10821
10822static dcerpc_auth_subdissector_fns secchan_auth_fns = {
10823 dissect_secchan_nl_auth_message, /* Bind */
10824 dissect_secchan_nl_auth_message, /* Bind ACK */
10825 NULL((void*)0), /* AUTH3 */
10826 dissect_request_secchan_verf, /* Request verifier */
10827 dissect_response_secchan_verf, /* Response verifier */
10828 dissect_request_data, /* Request data */
10829 dissect_response_data /* Response data */
10830};
10831
10832void
10833proto_reg_handoff_dcerpc_netlogon(void)
10834{
10835 /* Register protocol as dcerpc */
10836 seen.isseen = false0;
10837 seen.num = 0;
10838 dcerpc_init_uuid(proto_dcerpc_netlogon, ett_dcerpc_netlogon,
10839 &uuid_dcerpc_netlogon, ver_dcerpc_netlogon,
10840 dcerpc_netlogon_dissectors, hf_netlogon_opnum);
10841
10842
10843 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_INTEGRITY5,
10844 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN68,
10845 &secchan_auth_fns);
10846 register_dcerpc_auth_subdissector(DCE_C_AUTHN_LEVEL_PKT_PRIVACY6,
10847 DCE_C_RPC_AUTHN_PROTOCOL_SEC_CHAN68,
10848 &secchan_auth_fns);
10849}
10850
10851/*
10852 * Editor modelines - https://www.wireshark.org/tools/modelines.html
10853 *
10854 * Local variables:
10855 * c-basic-offset: 4
10856 * tab-width: 8
10857 * indent-tabs-mode: nil
10858 * End:
10859 *
10860 * vi: set shiftwidth=4 tabstop=8 expandtab:
10861 * :indentSize=4:tabSize=8:noTabs=true:
10862 */