search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / epan / dissectors / packet-rdp.c
blob0c03d7ae07f6a81dac1d76c234320102d6425e4b
1 /* Packet-rdp.c
2 * Routines for Remote Desktop Protocol (RDP) packet dissection
3 * Copyright 2010, Graeme Lunt
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12 /*
13 * See: "[MS-RDPBCGR] Remote Desktop Protocol: Basic Connectivity and Graphics Remoting"
14 */
15
16 #include "config.h"
17
18 #include <epan/packet.h>
19 #include <epan/prefs.h>
20 #include <epan/conversation.h>
21 #include <epan/asn1.h>
22 #include <epan/expert.h>
23 #include <epan/strutil.h>
24 #include "packet-tls.h"
25 #include "packet-t124.h"
26 #include "packet-rdp.h"
27
28 #define PNAME "Remote Desktop Protocol"
29 #define PSNAME "RDP"
30 #define PFNAME "rdp"
31
32 void proto_register_rdp(void);
33 void proto_reg_handoff_rdp(void);
34
35 static heur_dissector_list_t rdp_heur_subdissector_list;
36
37 int proto_rdp;
38
39 static dissector_handle_t drdynvc_handle;
40 static dissector_handle_t rail_handle;
41 static dissector_handle_t cliprdr_handle;
42 static dissector_handle_t snd_handle;
43
44 static int ett_rdp;
45
46 static int ett_negReq_flags;
47 static int ett_requestedProtocols;
48
49 static int ett_negRsp_flags;
50 static int ett_selectedProtocol;
51
52 static int ett_rdp_SendData;
53 static int ett_rdp_MessageData;
54
55 static int ett_rdp_ClientData;
56 static int ett_rdp_clientCoreData;
57 static int ett_rdp_clientSecurityData;
58 static int ett_rdp_clientNetworkData;
59 static int ett_rdp_clientClusterData;
60 static int ett_rdp_clientClusterFlags;
61 static int ett_rdp_clientMonitorData;
62 static int ett_rdp_clientMonitorDefData;
63 static int ett_rdp_clientMsgChannelData;
64 static int ett_rdp_clientMonitorExData;
65 static int ett_rdp_clientMultiTransportData;
66 static int ett_rdp_clientUnknownData;
67 static int ett_rdp_ServerData;
68 static int ett_rdp_serverCoreData;
69 static int ett_rdp_serverSecurityData;
70 static int ett_rdp_serverNetworkData;
71 static int ett_rdp_serverMsgChannelData;
72 static int ett_rdp_serverMultiTransportData;
73 static int ett_rdp_serverUnknownData;
74 static int ett_rdp_channelIdArray;
75 static int ett_rdp_securityExchangePDU;
76 static int ett_rdp_clientInfoPDU;
77 static int ett_rdp_validClientLicenseData;
78 static int ett_rdp_shareControlHeader;
79 static int ett_rdp_pduType;
80 static int ett_rdp_flags;
81 static int ett_rdp_compressedType;
82 static int ett_rdp_mapFlags;
83 static int ett_rdp_options;
84 static int ett_rdp_channelDefArray;
85 static int ett_rdp_channelDef;
86 static int ett_rdp_channelPDUHeader;
87 static int ett_rdp_channelFlags;
88 static int ett_rdp_capabilitySet;
89 static int ett_rdp_capa_rail;
90
91 static int ett_rdp_StandardDate;
92 static int ett_rdp_DaylightDate;
93 static int ett_rdp_clientTimeZone;
94 static int ett_rdp_mt_req;
95 static int ett_rdp_mt_rsp;
96 static int ett_rdp_heartbeat;
97
98 static int ett_rdp_fastpath;
99 static int ett_rdp_fastpath_header;
100 static int ett_rdp_fastpath_scancode_flags;
101 static int ett_rdp_fastpath_mouse_flags;
102 static int ett_rdp_fastpath_mousex_flags;
103 static int ett_rdp_fastpath_relmouse_flags;
104 static int ett_rdp_fastpath_compression;
105
106 static expert_field ei_rdp_neg_len_invalid;
107 static expert_field ei_rdp_not_correlation_info;
108
109 static int hf_rdp_rt_cookie;
110 static int hf_rdp_neg_type;
111 static int hf_rdp_negReq_flags;
112 static int hf_rdp_negReq_flag_restricted_admin_mode_req;
113 static int hf_rdp_negReq_flag_redirected_auth_req;
114 static int hf_rdp_negReq_flag_correlation_info_present;
115 static int hf_rdp_neg_length;
116 static int hf_rdp_requestedProtocols;
117 static int hf_rdp_requestedProtocols_flag_ssl;
118 static int hf_rdp_requestedProtocols_flag_hybrid;
119 static int hf_rdp_requestedProtocols_flag_rdstls;
120 static int hf_rdp_requestedProtocols_flag_hybrid_ex;
121 static int hf_rdp_correlationInfo_flags;
122 static int hf_rdp_correlationId;
123 static int hf_rdp_correlationInfo_reserved;
124 static int hf_rdp_negRsp_flags;
125 static int hf_rdp_negRsp_flag_extended_client_data_supported;
126 static int hf_rdp_negRsp_flag_dynvc_gfx_protocol_supported;
127 static int hf_rdp_negRsp_flag_restricted_admin_mode_supported;
128 static int hf_rdp_negRsp_flag_restricted_authentication_mode_supported;
129 static int hf_rdp_selectedProtocol;
130 static int hf_rdp_negFailure_failureCode;
131
132 static int hf_rdp_ClientData;
133 static int hf_rdp_SendData;
134 static int hf_rdp_MessageData;
135 static int hf_rdp_clientCoreData;
136 static int hf_rdp_clientSecurityData;
137 static int hf_rdp_clientNetworkData;
138 static int hf_rdp_clientClusterData;
139 static int hf_rdp_clientMonitorData;
140 static int hf_rdp_clientMonitorDefData;
141 static int hf_rdp_clientMsgChannelData;
142 static int hf_rdp_clientMonitorExData;
143 static int hf_rdp_clientMultiTransportData;
144 static int hf_rdp_clientUnknownData;
145 static int hf_rdp_ServerData;
146 static int hf_rdp_serverCoreData;
147 static int hf_rdp_serverSecurityData;
148 static int hf_rdp_serverNetworkData;
149 static int hf_rdp_serverMsgChannelData;
150 static int hf_rdp_serverMultiTransportData;
151 static int hf_rdp_serverUnknownData;
152
153 static int hf_rdp_rdstls_version;
154 static int hf_rdp_rdstls_pduType;
155 static int hf_rdp_rdstls_dataTypeCapabilities;
156 static int hf_rdp_rdstls_supportedVersions;
157 static int hf_rdp_rdstls_dataTypeAuthReq;
158 static int hf_rdp_rdstls_redirectionGuidLen;
159 static int hf_rdp_rdstls_redirectionGuid;
160 static int hf_rdp_rdstls_usernameLen;
161 static int hf_rdp_rdstls_username;
162 static int hf_rdp_rdstls_domainLen;
163 static int hf_rdp_rdstls_domain;
164 static int hf_rdp_rdstls_passwordLen;
165 static int hf_rdp_rdstls_password;
166 static int hf_rdp_rdstls_sessionId;
167 static int hf_rdp_rdstls_autoReconnectCookieLen;
168 static int hf_rdp_rdstls_autoReconnectCookie;
169 static int hf_rdp_rdstls_dataTypeAuthResp;
170 static int hf_rdp_rdstls_resultCode;
171
172
173 static int hf_rdp_securityExchangePDU;
174 static int hf_rdp_clientInfoPDU;
175 static int hf_rdp_validClientLicenseData;
176
177 static int hf_rdp_headerType;
178 static int hf_rdp_headerLength;
179 static int hf_rdp_versionMajor;
180 static int hf_rdp_versionMinor;
181 static int hf_rdp_desktopWidth;
182 static int hf_rdp_desktopHeight;
183 static int hf_rdp_colorDepth;
184 static int hf_rdp_SASSequence;
185 static int hf_rdp_keyboardLayout;
186 static int hf_rdp_clientBuild;
187 static int hf_rdp_clientName;
188 static int hf_rdp_keyboardType;
189 static int hf_rdp_keyboardSubType;
190 static int hf_rdp_keyboardFunctionKey;
191 static int hf_rdp_imeFileName;
192 static int hf_rdp_postBeta2ColorDepth;
193 static int hf_rdp_clientProductId;
194 static int hf_rdp_serialNumber;
195 static int hf_rdp_highColorDepth;
196 static int hf_rdp_supportedColorDepths;
197 static int hf_rdp_earlyCapabilityFlags;
198 static int hf_rdp_clientDigProductId;
199 static int hf_rdp_connectionType;
200 static int hf_rdp_pad1octet;
201 static int hf_rdp_serverSelectedProtocol;
202
203 static int hf_rdp_encryptionMethods;
204 static int hf_rdp_extEncryptionMethods;
205 static int hf_rdp_cluster_flags;
206 static int hf_rdp_cluster_redirectionSupported;
207 static int hf_rdp_cluster_sessionIdValid;
208 static int hf_rdp_cluster_redirectionVersion;
209 static int hf_rdp_cluster_redirectedSmartcard;
210 static int hf_rdp_redirectedSessionId;
211 static int hf_rdp_msgChannelFlags;
212 static int hf_rdp_msgChannelId;
213 static int hf_rdp_monitorFlags;
214 static int hf_rdp_monitorExFlags;
215 static int hf_rdp_monitorAttributeSize;
216 static int hf_rdp_monitorCount;
217 static int hf_rdp_multiTransportFlags;
218
219 static int hf_rdp_monitorDefLeft;
220 static int hf_rdp_monitorDefTop;
221 static int hf_rdp_monitorDefRight;
222 static int hf_rdp_monitorDefBottom;
223 static int hf_rdp_monitorDefFlags;
224
225 static int hf_rdp_encryptionMethod;
226 static int hf_rdp_encryptionLevel;
227 static int hf_rdp_serverRandomLen;
228 static int hf_rdp_serverCertLen;
229 static int hf_rdp_serverRandom;
230 static int hf_rdp_serverCertificate;
231 static int hf_rdp_clientRequestedProtocols;
232 static int hf_rdp_MCSChannelId;
233 static int hf_rdp_channelCount;
234 static int hf_rdp_channelIdArray;
235 static int hf_rdp_Pad;
236 static int hf_rdp_length;
237 static int hf_rdp_encryptedClientRandom;
238 static int hf_rdp_dataSignature;
239 static int hf_rdp_fipsLength;
240 static int hf_rdp_fipsVersion;
241 static int hf_rdp_padlen;
242 static int hf_rdp_flags;
243 static int hf_rdp_flagsPkt;
244 static int hf_rdp_flagsEncrypt;
245 static int hf_rdp_flagsResetSeqno;
246 static int hf_rdp_flagsIgnoreSeqno;
247 static int hf_rdp_flagsLicenseEncrypt;
248 static int hf_rdp_flagsSecureChecksum;
249 static int hf_rdp_flagsFlagsHiValid;
250 static int hf_rdp_flagsAutodetectReq;
251 static int hf_rdp_flagsAutodetectResp;
252 static int hf_rdp_flagsHeartbeat;
253 static int hf_rdp_flagsTransportReq;
254 static int hf_rdp_flagsTransportResp;
255 static int hf_rdp_heartbeat_reserved;
256 static int hf_rdp_heartbeat_period;
257 static int hf_rdp_heartbeat_count1;
258 static int hf_rdp_heartbeat_count2;
259 static int hf_rdp_bandwidth_header_len;
260 static int hf_rdp_bandwidth_header_type;
261 static int hf_rdp_bandwidth_seqnumber;
262 static int hf_rdp_bandwidth_reqtype;
263 static int hf_rdp_bandwidth_resptype;
264 static int hf_rdp_bandwidth_measure_payload_len;
265 static int hf_rdp_bandwidth_measure_payload_data;
266 static int hf_rdp_network_characteristics_basertt;
267 static int hf_rdp_network_characteristics_bandwidth;
268 static int hf_rdp_network_characteristics_averagertt;
269 static int hf_rdp_rtt_measure_time_delta;
270 static int hf_rdp_rtt_measure_time_bytecount;
271 static int hf_rdp_mt_req_requestId;
272 static int hf_rdp_mt_req_protocol;
273 static int hf_rdp_mt_req_reserved;
274 static int hf_rdp_mt_req_securityCookie;
275 static int hf_rdp_mt_rsp_requestId;
276 static int hf_rdp_mt_rsp_hrResponse;
277 static int hf_rdp_flagsHi;
278 static int hf_rdp_codePage;
279 static int hf_rdp_optionFlags;
280 static int hf_rdp_cbDomain;
281 static int hf_rdp_cbUserName;
282 static int hf_rdp_cbPassword;
283 static int hf_rdp_cbAlternateShell;
284 static int hf_rdp_cbWorkingDir;
285 static int hf_rdp_cbClientAddress;
286 static int hf_rdp_cbClientDir;
287 static int hf_rdp_cbAutoReconnectLen;
288 static int hf_rdp_domain;
289 static int hf_rdp_userName;
290 static int hf_rdp_password;
291 static int hf_rdp_alternateShell;
292 static int hf_rdp_workingDir;
293 static int hf_rdp_clientAddressFamily;
294 static int hf_rdp_clientAddress;
295 static int hf_rdp_clientDir;
296 static int hf_rdp_clientTimeZone;
297 static int hf_rdp_clientSessionId;
298 static int hf_rdp_performanceFlags;
299 static int hf_rdp_autoReconnectCookie;
300 static int hf_rdp_reserved1;
301 static int hf_rdp_reserved2;
302 static int hf_rdp_cbDynamicDSTTimeZoneKeyName;
303 static int hf_rdp_dynamicDSTTimeZoneKeyName;
304 static int hf_rdp_dynamicDaylightTimeDisabled;
305
306 static int hf_rdp_bMsgType;
307 static int hf_rdp_bVersion;
308 static int hf_rdp_wMsgSize;
309 static int hf_rdp_wBlobType;
310 static int hf_rdp_wBlobLen;
311 static int hf_rdp_blobData;
312 static int hf_rdp_shareControlHeader;
313 static int hf_rdp_totalLength;
314 static int hf_rdp_pduType;
315 static int hf_rdp_pduTypeType;
316 static int hf_rdp_pduTypeVersionLow;
317 static int hf_rdp_pduTypeVersionHigh;
318 static int hf_rdp_pduSource;
319
320 static int hf_rdp_shareId;
321 static int hf_rdp_pad1;
322 static int hf_rdp_streamId;
323 static int hf_rdp_uncompressedLength;
324 static int hf_rdp_pduType2;
325 static int hf_rdp_compressedType;
326 static int hf_rdp_compressedTypeType;
327 static int hf_rdp_compressedTypeCompressed;
328 static int hf_rdp_compressedTypeAtFront;
329 static int hf_rdp_compressedTypeFlushed;
330 static int hf_rdp_compressedLength;
331 static int hf_rdp_wErrorCode;
332 static int hf_rdp_wStateTransition;
333 static int hf_rdp_numberEntries;
334 static int hf_rdp_totalNumberEntries;
335 static int hf_rdp_mapFlags;
336 static int hf_rdp_fontMapFirst;
337 static int hf_rdp_fontMapLast;
338
339 /* Control */
340 static int hf_rdp_action;
341 static int hf_rdp_grantId;
342 static int hf_rdp_controlId;
343
344 /* Synchronize */
345 static int hf_rdp_messageType;
346 static int hf_rdp_targetUser;
347
348 /* BitmapCache Persistent List */
349 static int hf_rdp_numEntriesCache0;
350 static int hf_rdp_numEntriesCache1;
351 static int hf_rdp_numEntriesCache2;
352 static int hf_rdp_numEntriesCache3;
353 static int hf_rdp_numEntriesCache4;
354 static int hf_rdp_totalEntriesCache0;
355 static int hf_rdp_totalEntriesCache1;
356 static int hf_rdp_totalEntriesCache2;
357 static int hf_rdp_totalEntriesCache3;
358 static int hf_rdp_totalEntriesCache4;
359 static int hf_rdp_bBitMask;
360 static int hf_rdp_Pad2;
361 static int hf_rdp_Pad3;
362
363 static int hf_rdp_statusInfo_status;
364
365 /* BitmapCache Persistent List Entry */
366 /* static int hf_rdp_Key1; */
367 /* static int hf_rdp_Key2; */
368
369 /* FontList */
370 #if 0
371 static int hf_rdp_numberFonts;
372 static int hf_rdp_totalNumFonts;
373 static int hf_rdp_listFlags;
374 #endif
375 static int hf_rdp_entrySize;
376
377 /* Confirm Active PDU */
378 static int hf_rdp_originatorId;
379 static int hf_rdp_lengthSourceDescriptor;
380 static int hf_rdp_lengthCombinedCapabilities;
381 static int hf_rdp_sourceDescriptor;
382 static int hf_rdp_numberCapabilities;
383 static int hf_rdp_pad2Octets;
384 static int hf_rdp_capabilitySet;
385 static int hf_rdp_capabilitySetType;
386 static int hf_rdp_lengthCapability;
387 static int hf_rdp_capabilityData;
388 static int hf_rdp_capaRail_supportedLevel;
389 static int hf_rdp_capaRail_flag_supported;
390 static int hf_rdp_capaRail_flag_dockedlangbar;
391 static int hf_rdp_capaRail_flag_shellintegration;
392 static int hf_rdp_capaRail_flag_lang_ime_sync;
393 static int hf_rdp_capaRail_flag_server_to_client_ime_sync;
394 static int hf_rdp_capaRail_flag_hide_minimized;
395 static int hf_rdp_capaRail_flag_windows_cloaking;
396 static int hf_rdp_capaRail_flag_handshakeex;
397 static int hf_rdp_sessionId;
398
399 /* static int hf_rdp_unknownData; */
400 static int hf_rdp_notYetImplemented;
401 static int hf_rdp_encrypted;
402 /* static int hf_rdp_compressed; */
403
404 static int hf_rdp_channelDefArray;
405 static int hf_rdp_channelDef;
406 static int hf_rdp_name;
407 static int hf_rdp_options;
408 static int hf_rdp_optionsInitialized;
409 static int hf_rdp_optionsEncryptRDP;
410 static int hf_rdp_optionsEncryptSC;
411 static int hf_rdp_optionsEncryptCS;
412 static int hf_rdp_optionsPriHigh;
413 static int hf_rdp_optionsPriMed;
414 static int hf_rdp_optionsPriLow;
415 static int hf_rdp_optionsCompressRDP;
416 static int hf_rdp_optionsCompress;
417 static int hf_rdp_optionsShowProtocol;
418 static int hf_rdp_optionsRemoteControlPersistent;
419
420 static int hf_rdp_channelPDUHeader;
421 static int hf_rdp_channelFlags;
422 static int hf_rdp_channelFlagFirst;
423 static int hf_rdp_channelFlagLast;
424 static int hf_rdp_channelFlagShowProtocol;
425 static int hf_rdp_channelFlagSuspend;
426 static int hf_rdp_channelFlagResume;
427 static int hf_rdp_channelPacketCompressed;
428 static int hf_rdp_channelPacketAtFront;
429 static int hf_rdp_channelPacketFlushed;
430 static int hf_rdp_channelPacketCompressionType;
431 static int hf_rdp_virtualChannelData;
432
433 static int hf_rdp_pointerFlags;
434 static int hf_rdp_pointerFlags_move;
435 static int hf_rdp_pointerFlags_down;
436 static int hf_rdp_pointerFlags_button1;
437 static int hf_rdp_pointerFlags_button2;
438 static int hf_rdp_pointerFlags_button3;
439 static int hf_rdp_pointerFlags_wheel_rotation;
440 static int hf_rdp_pointerFlags_wheel_neg;
441 static int hf_rdp_pointerFlags_wheel;
442 static int hf_rdp_pointerFlags_hwheel;
443 static int hf_rdp_pointer_xpos;
444 static int hf_rdp_pointer_ypos;
445
446 static int hf_rdp_pointerxFlags;
447 static int hf_rdp_pointerxFlags_down;
448 static int hf_rdp_pointerxFlags_button1;
449 static int hf_rdp_pointerxFlags_button2;
450 static int hf_rdp_pointerx_xpos;
451 static int hf_rdp_pointerx_ypos;
452
453
454 static int hf_rdp_fastpathHeader;
455 static int hf_rdp_fastpathAction;
456 static int hf_rdp_fastpathFlags;
457 static int hf_rdp_fastpathClientNumEvents;
458 static int hf_rdp_fastpathServerReserved;
459
460 static int hf_rdp_fastpathPDULength;
461 static int hf_rdp_fastpathServerCompressionType;
462 static int hf_rdp_fastpathServerCompressionType_compressed;
463 static int hf_rdp_fastpathServerCompressionType_atfront;
464 static int hf_rdp_fastpathServerCompressionType_flushed;
465 static int hf_rdp_fastpathServerCompressionFlags;
466
467 static int hf_rdp_fastpathServerUpdateCode;
468 static int hf_rdp_fastpathServerFragmentation;
469 static int hf_rdp_fastpathServerCompression;
470 static int hf_rdp_fastpathServerSize;
471
472 static int hf_rdp_fastpathInputHeader;
473 static int hf_rdp_fastpathClientNumEvents2;
474 static int hf_rdp_fastpathClientEventCode;
475 static int hf_rdp_fastpathClientFlags;
476 static int hf_rdp_fastpathScancodeRelease;
477 static int hf_rdp_fastpathScancodeExtended;
478 static int hf_rdp_fastpathScancodeExtended1;
479 static int hf_rdp_fastpathScancodeKeyCode;
480 static int hf_rdp_fastpathSyncScrollLock;
481 static int hf_rdp_fastpathSyncNumLock;
482 static int hf_rdp_fastpathSyncCapsLock;
483 static int hf_rdp_fastpathSyncKanaLock;
484 static int hf_rdp_fastpathQoeTimestamp;
485 static int hf_rdp_fastpathUnicodeFlagsRelease;
486 static int hf_rdp_fastpathUnicodeCode;
487 static int hf_rdp_fastpathRelMouseFlags;
488 static int hf_rdp_fastpathRelMouseFlags_Move;
489 static int hf_rdp_fastpathRelMouseFlags_Down;
490 static int hf_rdp_fastpathRelMouseFlags_Button1;
491 static int hf_rdp_fastpathRelMouseFlags_Button2;
492 static int hf_rdp_fastpathRelMouseFlags_Button3;
493 static int hf_rdp_fastpathRelMouseFlags_XButton1;
494 static int hf_rdp_fastpathRelMouseFlags_XButton2;
495 static int hf_rdp_fastpathRelMouseDeltaX;
496 static int hf_rdp_fastpathRelMouseDeltaY;
497
498 static int * const fastpath_clientHeader_flags[] = {
499 &hf_rdp_fastpathAction,
500 &hf_rdp_fastpathClientNumEvents,
501 &hf_rdp_fastpathFlags,
502 NULL
503 };
504
505 static int * const fastpath_inputHeader_flags[] = {
506 &hf_rdp_fastpathClientFlags,
507 &hf_rdp_fastpathClientEventCode,
508 NULL
509 };
510
511 static int * const fastpath_inputsync_flags[] = {
512 &hf_rdp_fastpathSyncScrollLock,
513 &hf_rdp_fastpathSyncNumLock,
514 &hf_rdp_fastpathSyncCapsLock,
515 &hf_rdp_fastpathSyncKanaLock,
516 &hf_rdp_fastpathClientEventCode,
517 NULL
518 };
519
520 static int * const fastpath_inputunicode_flags[] = {
521 &hf_rdp_fastpathUnicodeFlagsRelease,
522 &hf_rdp_fastpathClientEventCode,
523 NULL
524 };
525
526 static int * const fastpath_scancode_flags[] = {
527 &hf_rdp_fastpathScancodeRelease,
528 &hf_rdp_fastpathScancodeExtended,
529 &hf_rdp_fastpathScancodeExtended1,
530 &hf_rdp_fastpathClientEventCode,
531 NULL
532 };
533
534 static int * const ts_pointer_flags[] = {
535 &hf_rdp_pointerFlags_move,
536 &hf_rdp_pointerFlags_down,
537 &hf_rdp_pointerFlags_button1,
538 &hf_rdp_pointerFlags_button2,
539 &hf_rdp_pointerFlags_button3,
540 &hf_rdp_pointerFlags_wheel_rotation,
541 &hf_rdp_pointerFlags_wheel_neg,
542 &hf_rdp_pointerFlags_wheel,
543 &hf_rdp_pointerFlags_hwheel,
544 NULL
545 };
546
547 static int * const ts_pointerx_flags[] = {
548 &hf_rdp_pointerxFlags_down,
549 &hf_rdp_pointerxFlags_button1,
550 &hf_rdp_pointerxFlags_button2,
551 NULL
552 };
553
554 static int * const ts_relpointer_flags[] = {
555 &hf_rdp_fastpathRelMouseFlags_Move,
556 &hf_rdp_fastpathRelMouseFlags_Down,
557 &hf_rdp_fastpathRelMouseFlags_Button1,
558 &hf_rdp_fastpathRelMouseFlags_Button2,
559 &hf_rdp_fastpathRelMouseFlags_Button3,
560 &hf_rdp_fastpathRelMouseFlags_XButton1,
561 &hf_rdp_fastpathRelMouseFlags_XButton2,
562 NULL
563 };
564
565 static int * const fastpath_serverHeader_flags[] = {
566 &hf_rdp_fastpathAction,
567 &hf_rdp_fastpathServerReserved,
568 &hf_rdp_fastpathFlags,
569 NULL
570 };
571
572 static int * const fastpath_servercompression_flags[] = {
573 &hf_rdp_fastpathServerCompressionType_compressed,
574 &hf_rdp_fastpathServerCompressionType_atfront,
575 &hf_rdp_fastpathServerCompressionType_flushed,
576 &hf_rdp_fastpathServerCompressionFlags,
577 NULL,
578 };
579
580
581 static int hf_rdp_wYear;
582 static int hf_rdp_wMonth;
583 static int hf_rdp_wDayOfWeek;
584 static int hf_rdp_wDay;
585 static int hf_rdp_wHour;
586 static int hf_rdp_wMinute;
587 static int hf_rdp_wSecond;
588 static int hf_rdp_wMilliseconds;
589
590 static int hf_rdp_Bias;
591 static int hf_rdp_StandardName;
592 static int hf_rdp_StandardDate;
593 static int hf_rdp_StandardBias;
594 static int hf_rdp_DaylightName;
595 static int hf_rdp_DaylightDate;
596 static int hf_rdp_DaylightBias;
597
598 #define TYPE_RDP_NEG_REQ 0x01
599 #define TYPE_RDP_NEG_RSP 0x02
600 #define TYPE_RDP_NEG_FAILURE 0x03
601 #define TYPE_RDP_CORRELATION_INFO 0x06
602
603 static const value_string neg_type_vals[] = {
604 { TYPE_RDP_NEG_REQ, "RDP Negotiation Request" },
605 { TYPE_RDP_NEG_RSP, "RDP Negotiation Response" },
606 { TYPE_RDP_NEG_FAILURE, "RDP Negotiation Failure" },
607 { TYPE_RDP_CORRELATION_INFO, "RDP Correlation Info" },
608 { 0, NULL }
609 };
610
611
612 #define RESTRICTED_ADMIN_MODE_REQUIRED 0x01
613 #define REDIRECTED_AUTH_REQUIRED 0x02
614 #define CORRELATION_INFO_PRESENT 0x08
615
616 static const value_string failure_code_vals[] = {
617 { 0x00000001, "TLS required by server" },
618 { 0x00000002, "TLS not allowed by server" },
619 { 0x00000003, "TLS certificate not on server" },
620 { 0x00000004, "Inconsistent flags" },
621 { 0x00000005, "Server requires Enhanced RDP Security with CredSSP" },
622 { 0x00000006, "Server requires Enhanced RDP Security with TLS and certificate-based client authentication" },
623 { 0, NULL }
624 };
625
626 static const value_string redirectionVersions_vals[] = {
627 { 0x00, "Version 1" },
628 { 0x01, "Version 2" },
629 { 0x02, "Version 3" },
630 { 0x03, "Version 4" },
631 { 0x04, "Version 5" },
632 { 0x05, "Version 6" },
633 { 0, NULL }
634 };
635
636 #define CS_CORE 0xC001
637 #define CS_SECURITY 0xC002
638 #define CS_NET 0xC003
639 #define CS_CLUSTER 0xC004
640 #define CS_MONITOR 0xC005
641 #define CS_MCS_MSGCHANNEL 0xC006
642 #define CS_MONITOR_EX 0xC008
643 #define CS_MULTITRANSPORT 0xC00A
644
645 #define SC_CORE 0x0C01
646 #define SC_SECURITY 0x0C02
647 #define SC_NET 0x0C03
648 #define SC_MCS_MSGCHANNEL 0x0C04
649 #define SC_MULTITRANSPORT 0x0C08
650
651 #define SEC_EXCHANGE_PKT 0x0001
652 #define SEC_TRANSPORT_REQ 0x0002
653 #define SEC_TRANSPORT_RSP 0x0004
654 #define SEC_ENCRYPT 0x0008
655 #define SEC_RESET_SEQNO 0x0010
656 #define SEC_IGNORE_SEQNO 0x0020
657 #define SEC_INFO_PKT 0x0040
658 #define SEC_LICENSE_PKT 0x0080
659 #define SEC_LICENSE_ENCRYPT_CS 0x0200
660 #define SEC_LICENSE_ENCRYPT_SC 0x0200
661 #define SEC_REDIRECTION_PKT 0x0400
662 #define SEC_SECURE_CHECKSUM 0x0800
663 #define SEC_AUTODETECT_REQ 0x1000
664 #define SEC_AUTODETECT_RSP 0x2000
665 #define SEC_HEARTBEAT 0x4000
666 #define SEC_FLAGSHI_VALID 0x8000
667
668 #define SEC_PKT_MASK 0x04c1
669
670 #define ENCRYPTION_METHOD_NONE 0x00000000
671 #define ENCRYPTION_METHOD_40BIT 0x00000001
672 #define ENCRYPTION_METHOD_128BIT 0x00000002
673 #define ENCRYPTION_METHOD_56BIT 0x00000008
674 #define ENCRYPTION_METHOD_FIPS 0x00000010
675
676 #define ENCRYPTION_LEVEL_NONE 0x00000000
677 #define ENCRYPTION_LEVEL_LOW 0x00000001
678 #define ENCRYPTION_LEVEL_CLIENT_COMPATIBLE 0x00000002
679 #define ENCRYPTION_LEVEL_HIGH 0x00000003
680 #define ENCRYPTION_LEVEL_FIPS 0x00000004
681
682 /* sent by server */
683 #define LICENSE_REQUEST 0x01
684 #define PLATFORM_CHALLENGE 0x02
685 #define NEW_LICENSE 0x03
686 #define UPGRADE_LICENSE 0x04
687 /* sent by client */
688 #define LICENSE_INFO 0x12
689 #define NEW_LICENSE_REQUEST 0x13
690 #define PLATFORM_CHALLENGE_RESPONSE 0x15
691 /* sent by either */
692 #define ERROR_ALERT 0xff
693
694 #define ERR_INVALID_SERVER_CERTIFICIATE 0x00000001
695 #define ERR_NO_LICENSE 0x00000002
696 #define ERR_INVALID_MAC 0x00000003
697 #define ERR_INVALID_SCOPE 0x00000004
698 #define ERR_NO_LICENSE_SERVER 0x00000006
699 #define STATUS_VALID_CLIENT 0x00000007
700 #define ERR_INVALID_CLIENT 0x00000008
701 #define ERR_INVALID_PRODUCTID 0x0000000B
702 #define ERR_INVALID_MESSAGE_LEN 0x0000000C
703
704 #define ST_TOTAL_ABORT 0x00000001
705 #define ST_NO_TRANSITION 0x00000002
706 #define ST_RESET_PHASE_TO_START 0x00000003
707 #define ST_RESEND_LAST_MESSAGE 0x00000004
708
709 #define BB_DATA_BLOB 0x0001
710 #define BB_RANDOM_BLOB 0x0002
711 #define BB_CERTIFICATE_BLOB 0x0003
712 #define BB_ERROR_BLOB 0x0004
713 #define BB_ENCRYPTED_DATA_BLOB 0x0009
714 #define BB_KEY_EXCHG_ALG_BLOB 0x000D
715 #define BB_SCOPE_BLOB 0x000E
716 #define BB_CLIENT_USER_NAME_BLOB 0x000F
717 #define BB_CLIENT_MACHINE_NAME_BLOB 0x0010
718
719 #define PDUTYPE_TYPE_MASK 0x000F
720 #define PDUTYPE_VERSIONLOW_MASK 0x00F0
721 #define PDUTYPE_VERSIONHIGH_MASK 0xFF00
722
723 #define PDUTYPE_DEMANDACTIVEPDU 0x1
724 #define PDUTYPE_CONFIRMACTIVEPDU 0x3
725 #define PDUTYPE_DEACTIVATEALLPDU 0x6
726 #define PDUTYPE_DATAPDU 0x7
727 #define PDUTYPE_SERVER_REDIR_PKT 0xA
728
729 #define TS_PROTOCOL_VERSION 0x1
730
731 #define PDUTYPE2_UPDATE 0x02
732 #define PDUTYPE2_CONTROL 0x14
733 #define PDUTYPE2_POINTER 0x1B
734 #define PDUTYPE2_INPUT 0x1C
735 #define PDUTYPE2_SYNCHRONIZE 0x1F
736 #define PDUTYPE2_REFRESH_RECT 0x21
737 #define PDUTYPE2_PLAY_SOUND 0x22
738 #define PDUTYPE2_SUPPRESS_OUTPUT 0x23
739 #define PDUTYPE2_SHUTDOWN_REQUEST 0x24
740 #define PDUTYPE2_SHUTDOWN_DENIED 0x25
741 #define PDUTYPE2_SAVE_SESSION_INFO 0x26
742 #define PDUTYPE2_FONTLIST 0x27
743 #define PDUTYPE2_FONTMAP 0x28
744 #define PDUTYPE2_SET_KEYBOARD_INDICATORS 0x29
745 #define PDUTYPE2_BITMAPCACHE_PERSISTENT_LIST 0x2B
746 #define PDUTYPE2_BITMAPCACHE_ERROR_PDU 0x2C
747 #define PDUTYPE2_SET_KEYBOARD_IME_STATUS 0x2D
748 #define PDUTYPE2_OFFSCRCACHE_ERROR_PDU 0x2E
749 #define PDUTYPE2_SET_ERROR_INFO_PDU 0x2F
750 #define PDUTYPE2_DRAWNINEGRID_ERROR_PDU 0x30
751 #define PDUTYPE2_DRAWGDIPLUS_ERROR_PDU 0x31
752 #define PDUTYPE2_ARC_STATUS_PDU 0x32
753 #define PDUTYPE2_STATUS_INFO_PDU 0x36
754 #define PDUTYPE2_MONITOR_LAYOUT_PDU 0x37
755
756 #define PACKET_COMPRESSED 0x20
757 #define PACKET_AT_FRONT 0x40
758 #define PACKET_FLUSHED 0x80
759
760 #define PacketCompressionTypeMask 0x0f
761 #define PACKET_COMPR_TYPE_8K 0x0
762 #define PACKET_COMPR_TYPE_64K 0x1
763 #define PACKET_COMPR_TYPE_RDP6 0x2
764 #define PACKET_COMPR_TYPE_RDP61 0x3
765
766
767 #define CHANNEL_FLAG_FIRST 0x00000001
768 #define CHANNEL_FLAG_LAST 0x00000002
769 #define CHANNEL_FLAG_SHOW_PROTOCOL 0x00000010
770 #define CHANNEL_FLAG_SUSPEND 0x00000020
771 #define CHANNEL_FLAG_RESUME 0x00000040
772 #define CHANNEL_PACKET_COMPRESSED 0x00200000
773 #define CHANNEL_PACKET_AT_FRONT 0x00400000
774 #define CHANNEL_PACKET_FLUSHED 0x00800000
775
776 #define ChannelCompressionTypeMask 0x000f0000
777 #define CHANNEL_COMPR_TYPE_8K 0x00000000
778 #define CHANNEL_COMPR_TYPE_64K 0x00010000
779 #define CHANNEL_COMPR_TYPE_RDP6 0x00020000
780 #define CHANNEL_COMPR_TYPE_RDP61 0x00030000
781
782 #define MapFlagsMask 0xffff
783 #define FONTMAP_FIRST 0x0001
784 #define FONTMAP_LAST 0x0002
785 /* There may well be others */
786
787 #define CTRLACTION_REQUEST_CONTROL 0x0001
788 #define CTRLACTION_GRANTED_CONTROL 0x0002
789 #define CTRLACTION_DETACH 0x0003
790 #define CTRLACTION_COOPERATE 0x0004
791
792 #define CAPSTYPE_GENERAL 0x0001
793 #define CAPSTYPE_BITMAP 0x0002
794 #define CAPSTYPE_ORDER 0x0003
795 #define CAPSTYPE_BITMAPCACHE 0x0004
796 #define CAPSTYPE_CONTROL 0x0005
797 #define CAPSTYPE_ACTIVATION 0x0007
798 #define CAPSTYPE_POINTER 0x0008
799 #define CAPSTYPE_SHARE 0x0009
800 #define CAPSTYPE_COLORCACHE 0x000A
801 #define CAPSTYPE_SOUND 0x000C
802 #define CAPSTYPE_INPUT 0x000D
803 #define CAPSTYPE_FONT 0x000E
804 #define CAPSTYPE_BRUSH 0x000F
805 #define CAPSTYPE_GLYPHCACHE 0x0010
806 #define CAPSTYPE_OFFSCREENCACHE 0x0011
807 #define CAPSTYPE_BITMAPCACHE_HOSTSUPPORT 0x0012
808 #define CAPSTYPE_BITMAPCACHE_REV2 0x0013
809 #define CAPSTYPE_BITMAPCACHE_VIRTUALCHANNEL 0x0014
810 #define CAPSTYPE_DRAWNINEGRIDCACHE 0x0015
811 #define CAPSTYPE_DRAWGDIPLUS 0x0016
812 #define CAPSTYPE_RAIL 0x0017
813 #define CAPSTYPE_WINDOW 0x0018
814 #define CAPSTYPE_COMPDESK 0x0019
815 #define CAPSTYPE_MULTIFRAGMENTUPDATE 0x001A
816 #define CAPSTYPE_LARGE_POINTER 0x001B
817 #define CAPSTYPE_SURFACE_COMMANDS 0x001C
818 #define CAPSTYPE_BITMAP_CODECS 0x001D
819 #define CAPSTYPE_FRAME_ACKNOWLEDGE 0x001E
820
821
822 #define CHANNEL_OPTION_INITIALIZED 0x80000000
823 #define CHANNEL_OPTION_ENCRYPT_RDP 0x40000000
824 #define CHANNEL_OPTION_ENCRYPT_SC 0x20000000
825 #define CHANNEL_OPTION_ENCRYPT_CS 0x10000000
826 #define CHANNEL_OPTION_PRI_HIGH 0x08000000
827 #define CHANNEL_OPTION_PRI_MED 0x04000000
828 #define CHANNEL_OPTION_PRI_LOW 0x02000000
829 #define CHANNEL_OPTION_COMPRESS_RDP 0x00800000
830 #define CHANNEL_OPTION_COMPRESS 0x00400000
831 #define CHANNEL_OPTION_SHOW_PROTOCOL 0x00200000
832 #define CHANNEL_OPTION_REMOTE_CONTROL_PERSISTENT 0x00100000
833
834
835 #define RDP_FI_NONE 0x00
836 #define RDP_FI_OPTIONAL 0x01
837 #define RDP_FI_STRING 0x02
838 #define RDP_FI_UNICODE 0x04 /* field is always Unicode (UTF-16) */
839 #define RDP_FI_ANSI 0x08 /* field is always ANSI (code page) */
840 #define RDP_FI_NOINCOFFSET 0x10 /* do not increase the offset */
841 #define RDP_FI_SUBTREE 0x20
842 #define RDP_FI_INFO_FLAGS 0x40
843
844 typedef struct rdp_field_info_t {
845 const int *pfield;
846 int32_t fixedLength;
847 uint32_t *variableLength;
848 int offsetOrTree;
849 uint32_t flags;
850 const struct rdp_field_info_t *subfields;
851 } rdp_field_info_t;
852
853 #define FI_FIXEDLEN(_hf_, _len_) { _hf_, _len_, NULL, 0, 0, NULL }
854 #define FI_FIXEDLEN_ANSI_STRING(_hf_, _len_) { _hf_, _len_, NULL, 0, RDP_FI_STRING|RDP_FI_ANSI, NULL }
855 #define FI_VALUE(_hf_, _len_, _value_) { _hf_, _len_, &_value_, 0, 0, NULL }
856 #define FI_VARLEN(_hf, _length_) { _hf_, 0, &_length_, 0, 0, NULL }
857 #define FI_SUBTREE(_hf_, _len_, _ett_, _sf_) { _hf_, _len_, NULL, _ett_, RDP_FI_SUBTREE, _sf_ }
858 #define FI_TERMINATOR {NULL, 0, NULL, 0, 0, NULL}
859
860 static const value_string rdp_rdstls_pduTypes_vals[] = {
861 { 0x0001, "RDSTLS capabilities" },
862 { 0x0002, "RDSTLS authReq" },
863 { 0x0004, "RDSTLS authResp" },
864 { 0, NULL }
865 };
866
867 static const value_string rdp_rdstls_authDataTypes_vals[] = {
868 { 0x0001, "PASSWORD_CREDS" },
869 { 0x0002, "AUTORECONNECT_COOKIE" },
870 { 0x0003, "FEDAUTH_TOKEN"},
871 { 0x0004, "LogonCert" },
872 { 0, NULL }
873 };
874
875 static const value_string rdp_rdstls_result_vals[] = {
876 { 0x00000000, "Success" },
877 { 0x00000005, "Access denied" },
878 { 0x0000052e, "Logon failure"},
879 { 0x00000530, "Invalid logon hours" },
880 { 0x00000532, "Password expired" },
881 { 0x00000533, "Account disabled" },
882 { 0x00000773, "Password must change" },
883 { 0x00000775, "Account locked out" },
884 { 0, NULL }
885 };
886
887 static const value_string rdp_headerType_vals[] = {
888 { CS_CORE, "clientCoreData" },
889 { CS_SECURITY, "clientSecurityData" },
890 { CS_NET, "clientNetworkData" },
891 { CS_CLUSTER, "clientClusterData" },
892 { CS_MONITOR, "clientMonitorData" },
893 { CS_MCS_MSGCHANNEL, "clientMsgChannelData" },
894 { CS_MONITOR_EX, "clientMonitorExData" },
895 { CS_MULTITRANSPORT, "clientMultiTransportData" },
896 { SC_CORE, "serverCoreData" },
897 { SC_SECURITY, "serverSecurityData" },
898 { SC_NET, "serverNetworkData" },
899 { SC_MCS_MSGCHANNEL, "serverMsgChannelData" },
900 { SC_MULTITRANSPORT, "serverMultiTransportData" },
901 { 0, NULL }
902 };
903
904 static const value_string rdp_colorDepth_vals[] = {
905 { 0xCA00, "4 bits-per-pixel (bpp)"},
906 { 0xCA01, "8 bits-per-pixel (bpp)"},
907 { 0xCA02, "15-bit 555 RGB mask"},
908 { 0xCA03, "16-bit 565 RGB mask"},
909 { 0xCA04, "24-bit RGB mask"},
910 { 0, NULL }
911 };
912
913 static const value_string rdp_highColorDepth_vals[] = {
914 { 0x0004, "4 bits-per-pixel (bpp)"},
915 { 0x0008, "8 bits-per-pixel (bpp)"},
916 { 0x000F, "15-bit 555 RGB mask"},
917 { 0x0010, "16-bit 565 RGB mask"},
918 { 0x0018, "24-bit RGB mask"},
919 { 0, NULL }
920 };
921
922
923 static const value_string rdp_keyboardType_vals[] = {
924 { 1, "IBM PC/XT or compatible (83-key) keyboard" },
925 { 2, "Olivetti \"ICO\" (102-key) keyboard" },
926 { 3, "IBM PC/AT (84-key) and similar keyboards" },
927 { 4, "IBM enhanced (101-key or 102-key) keyboard" },
928 { 5, "Noki 1050 and similar keyboards" },
929 { 6, "Nokia 9140 and similar keyboards" },
930 { 7, "Japanese keyboard" },
931 { 0, NULL }
932 };
933
934 static const value_string rdp_connectionType_vals[] = {
935 { 1, "Modem (56 Kbps)" },
936 { 2, "Low-speed broadband (256 Kbps - 2Mbps)" },
937 { 3, "Satellite (2 Mbps - 16Mbps with high latency)" },
938 { 4, "High-speed broadband (2 Mbps - 10Mbps)" },
939 { 5, "WAN (10 Mbps or higher with high latency)" },
940 { 6, "LAN (10 Mbps or higher)" },
941 { 7, "Auto Detect" },
942 { 0, NULL},
943 };
944
945 static const value_string rdp_selectedProtocol_vals[] = {
946 { 0x00, "Standard RDP Security" },
947 { 0x01, "TLS 1.0, 1.1 or 1.2" },
948 { 0x02, "CredSSP" },
949 { 0x04, "RDSTLS protocol" },
950 { 0x08, "CredSSP with Early User Authorization Result PDU" },
951 { 0x10, "RDS AAD Auth security" },
952 { 0x0, NULL},
953 };
954
955 static const value_string rdp_flagsPkt_vals[] = {
956 {0, "(None)" },
957 {SEC_EXCHANGE_PKT, "Security Exchange PDU" },
958 {SEC_INFO_PKT, "Client Info PDU" },
959 {SEC_LICENSE_PKT, "Licensing PDU" },
960 {SEC_REDIRECTION_PKT, "Standard Security Server Redirection PDU"},
961 {0, NULL},
962 };
963
964 static const value_string rdp_encryptionMethod_vals[] = {
965 { ENCRYPTION_METHOD_NONE, "None" },
966 { ENCRYPTION_METHOD_40BIT, "40-bit RC4" },
967 { ENCRYPTION_METHOD_128BIT, "128-bit RC4" },
968 { ENCRYPTION_METHOD_56BIT, "56-bit RC4" },
969 { ENCRYPTION_METHOD_FIPS, "FIPS140-1 3DES" },
970 { 0, NULL},
971 };
972
973 static const value_string rdp_encryptionLevel_vals[] = {
974 { ENCRYPTION_LEVEL_NONE, "None" },
975 { ENCRYPTION_LEVEL_LOW, "Low" },
976 { ENCRYPTION_LEVEL_CLIENT_COMPATIBLE, "Client Compatible" },
977 { ENCRYPTION_LEVEL_HIGH, "High" },
978 { ENCRYPTION_LEVEL_FIPS, "FIPS140-1" },
979 { 0, NULL},
980 };
981
982 static const value_string rdp_bMsgType_vals[] = {
983 { LICENSE_REQUEST, "License Request" },
984 { PLATFORM_CHALLENGE, "Platform Challenge" },
985 { NEW_LICENSE, "New License" },
986 { UPGRADE_LICENSE, "Upgrade License" },
987 { LICENSE_INFO, "License Info" },
988 { NEW_LICENSE_REQUEST, "New License Request" },
989 { PLATFORM_CHALLENGE_RESPONSE, "Platform Challenge Response" },
990 { ERROR_ALERT, "Error Alert" },
991 { 0, NULL},
992 };
993
994 static const value_string rdp_wErrorCode_vals[] = {
995 { ERR_INVALID_SERVER_CERTIFICIATE, "Invalid Server Certificate" },
996 { ERR_NO_LICENSE, "No License" },
997 { ERR_INVALID_MAC, "Invalid MAC" },
998 { ERR_INVALID_SCOPE, "Invalid Scope" },
999 { ERR_NO_LICENSE_SERVER, "No License Server" },
1000 { STATUS_VALID_CLIENT, "Valid Client" },
1001 { ERR_INVALID_CLIENT, "Invalid Client" },
1002 { ERR_INVALID_PRODUCTID, "Invalid Product Id" },
1003 { ERR_INVALID_MESSAGE_LEN, "Invalid Message Length" },
1004 { 0, NULL},
1005 };
1006
1007 static const value_string rdp_wStateTransition_vals[] = {
1008 { ST_TOTAL_ABORT, "Total Abort" },
1009 { ST_NO_TRANSITION, "No Transition" },
1010 { ST_RESET_PHASE_TO_START, "Reset Phase to Start" },
1011 { ST_RESEND_LAST_MESSAGE, "Resend Last Message" },
1012 { 0, NULL},
1013 };
1014
1015 static const value_string rdp_wBlobType_vals[] = {
1016 { BB_DATA_BLOB, "Data" },
1017 { BB_RANDOM_BLOB, "Random" },
1018 { BB_CERTIFICATE_BLOB, "Certificate" },
1019 { BB_ERROR_BLOB, "Error" },
1020 { BB_ENCRYPTED_DATA_BLOB, "Encrypted Data" },
1021 { BB_KEY_EXCHG_ALG_BLOB, "Key Exchange Algorithm" },
1022 { BB_SCOPE_BLOB, "Scope" },
1023 { BB_CLIENT_USER_NAME_BLOB, "Client User Name" },
1024 { BB_CLIENT_MACHINE_NAME_BLOB, "Client Machine Name" },
1025 { 0, NULL}
1026 };
1027
1028 static const value_string rdp_fastpath_action_vals[] = {
1029 { 0x0, "Fastpath" },
1030 { 0x3, "X224" },
1031 { 0, NULL},
1032 };
1033
1034
1035 static const value_string serverstatus_vals[] = {
1036 {0x00000401, "TS_STATUS_FINDING_DESTINATION"},
1037 {0x00000402, "TS_STATUS_LOADING_DESTINATION"},
1038 {0x00000403, "TS_STATUS_BRINGING_SESSION_ONLINE"},
1039 {0x00000404, "TS_STATUS_REDIRECTING_TO_DESTINATION"},
1040 {0x00000501, "TS_STATUS_VM_LOADING"},
1041 {0x00000502, "TS_STATUS_VM_WAKING"},
1042 {0x00000503, "TS_STATUS_VM_STARTING"},
1043 {0x00000504, "TS_STATUS_VM_STARTING_MONITORING"},
1044 {0x00000505, "TS_STATUS_VM_RETRYING_MONITORING"},
1045 { 0, NULL},
1046 };
1047
1048 enum {
1049 TYPE_ID_AUTODETECT_REQUEST = 0x00,
1050 TYPE_ID_AUTODETECT_RESPONSE = 0x01
1051 };
1052
1053 static const value_string bandwidth_typeid_vals[] = {
1054 { TYPE_ID_AUTODETECT_REQUEST, "AUTODETECT_REQUEST"},
1055 { TYPE_ID_AUTODETECT_RESPONSE, "AUTODETECT_RESPONSE"},
1056 { 0, NULL}
1057 };
1058
1059 static const value_string bandwidth_request_vals[] = {
1060 { 0x0001, "RTT Measure Request" },
1061 { 0x1001, "RTT Measure Request (auto detection phase)" },
1062 { 0x0014, "Bandwidth Measure Start" },
1063 { 0x0114, "Bandwidth Measure Start (UDP lossy)" },
1064 { 0x1014, "Bandwidth Measure Start (connect time)" },
1065 { 0x0002, "Bandwidth Measure Payload" },
1066 { 0x002B, "Bandwidth Measure Stop (connect time)" },
1067 { 0x0429, "Bandwidth Measure Stop (UDP reliable or autodetect after connection)" },
1068 { 0x0629, "Bandwidth Measure Stop (UDP lossy)" },
1069 { 0x0840, "Network Characteristics Result (baseRTT, averageRTT)" },
1070 { 0x0880, "Network Characteristics Result (bandwidth, averageRTT)" },
1071 { 0x08C0, "Network Characteristics Result (baseRTT, bandwidth, averageRTT)" },
1072 { 0, NULL}
1073 };
1074
1075 static const value_string bandwidth_response_vals[] = {
1076 { 0x0000, "RTT Measure Response" },
1077 { 0x0003, "Bandwidth Measure Results (connect time)" },
1078 { 0x000B, "Bandwidth Measure Results (auto-detect or UDP)" },
1079 { 0x0018, "Network Characteristics Sync" },
1080 { 0, NULL}
1081 };
1082
1083
1084 enum {
1085 INITITATE_REQUEST_PROTOCOL_UDPFECR = 0x1,
1086 INITITATE_REQUEST_PROTOCOL_UDPFECL = 0x2
1087 };
1088 static const value_string rdp_mt_protocol_vals[] = {
1089 { INITITATE_REQUEST_PROTOCOL_UDPFECR, "Reliable" },
1090 { INITITATE_REQUEST_PROTOCOL_UDPFECL, "Lossy" },
1091 { 0, NULL}
1092 };
1093
1094 static const value_string rdp_mt_response_vals[] = {
1095 { 0x00000000, "S_OK" },
1096 { 0x80004004, "E_ABORT" },
1097 { 0, NULL}
1098 };
1099
1100 enum {
1101 FASTPATH_INPUT_SECURE_CHECKSUM = 1,
1102 FASTPATH_INPUT_ENCRYPTED = 2,
1103 };
1104
1105 enum {
1106 FASTPATH_INPUT_EVENT_SCANCODE = 0x0,
1107 FASTPATH_INPUT_EVENT_MOUSE = 0x1,
1108 FASTPATH_INPUT_EVENT_MOUSEX = 0x2,
1109 FASTPATH_INPUT_EVENT_SYNC = 0x3,
1110 FASTPATH_INPUT_EVENT_UNICODE = 0x4,
1111 FASTPATH_INPUT_EVENT_RELMOUSE = 0x5,
1112 FASTPATH_INPUT_EVENT_QOE_TIMESTAMP = 0x6
1113 };
1114
1115 static const value_string rdp_fastpath_client_event_vals[] = {
1116 { FASTPATH_INPUT_EVENT_SCANCODE, "Scancode" },
1117 { FASTPATH_INPUT_EVENT_MOUSE, "Mouse" },
1118 { FASTPATH_INPUT_EVENT_MOUSEX, "MouseEx" },
1119 { FASTPATH_INPUT_EVENT_SYNC, "Sync" },
1120 { FASTPATH_INPUT_EVENT_UNICODE, "Unicode" },
1121 { FASTPATH_INPUT_EVENT_RELMOUSE, "RelMouse" },
1122 { FASTPATH_INPUT_EVENT_QOE_TIMESTAMP, "QUOE Timestamp"},
1123 { 0, NULL},
1124 };
1125
1126 enum {
1127 FASTPATH_UPDATETYPE_ORDERS = 0x0,
1128 FASTPATH_UPDATETYPE_BITMAP = 0x1,
1129 FASTPATH_UPDATETYPE_PALETTE = 0x2,
1130 FASTPATH_UPDATETYPE_SYNCHRONIZE = 0x3,
1131 FASTPATH_UPDATETYPE_SURFCMDS = 0x4,
1132 FASTPATH_UPDATETYPE_PTR_NULL = 0x5,
1133 FASTPATH_UPDATETYPE_PTR_DEFAULT = 0x6,
1134 FASTPATH_UPDATETYPE_PTR_POSITION = 0x8,
1135 FASTPATH_UPDATETYPE_COLOR = 0x9,
1136 FASTPATH_UPDATETYPE_CACHED = 0xa,
1137 FASTPATH_UPDATETYPE_POINTER = 0xb,
1138 FASTPATH_UPDATETYPE_LARGE_POINTER = 0xc
1139 };
1140
1141 static const value_string rdp_fastpath_server_event_vals[] = {
1142 { FASTPATH_UPDATETYPE_ORDERS, "Orders" },
1143 { FASTPATH_UPDATETYPE_BITMAP, "Bitmap" },
1144 { FASTPATH_UPDATETYPE_PALETTE, "Palette" },
1145 { FASTPATH_UPDATETYPE_SYNCHRONIZE, "Synchronize" },
1146 { FASTPATH_UPDATETYPE_SURFCMDS, "Surface command" },
1147 { FASTPATH_UPDATETYPE_PTR_NULL, "Pointer null" },
1148 { FASTPATH_UPDATETYPE_PTR_DEFAULT, "Pointer default" },
1149 { FASTPATH_UPDATETYPE_PTR_POSITION, "Pointer position" },
1150 { FASTPATH_UPDATETYPE_COLOR, "Color pointer" },
1151 { FASTPATH_UPDATETYPE_CACHED, "Cached pointer" },
1152 { FASTPATH_UPDATETYPE_POINTER, "New pointer" },
1153 { FASTPATH_UPDATETYPE_LARGE_POINTER, "Large pointer" },
1154 { 0, NULL},
1155 };
1156
1157 enum {
1158 FASTPATH_FRAGMENT_SINGLE = 0x0,
1159 FASTPATH_FRAGMENT_LAST = 0x1,
1160 FASTPATH_FRAGMENT_FIRST = 0x2,
1161 FASTPATH_FRAGMENT_NEXT = 0x3,
1162 };
1163
1164 static const value_string rdp_fastpath_server_fragmentation_vals[] = {
1165 { FASTPATH_FRAGMENT_SINGLE, "Single fragment" },
1166 { FASTPATH_FRAGMENT_LAST, "Last fragment" },
1167 { FASTPATH_FRAGMENT_FIRST, "First fragment" },
1168 { FASTPATH_FRAGMENT_NEXT, "Next fragment" },
1169 { 0, NULL},
1170 };
1171
1172
1173 static const value_string rdp_pduTypeType_vals[] = {
1174 { PDUTYPE_DEMANDACTIVEPDU, "Demand Active PDU" },
1175 { PDUTYPE_CONFIRMACTIVEPDU, "Confirm Active PDU" },
1176 { PDUTYPE_DEACTIVATEALLPDU, "Deactivate All PDU" },
1177 { PDUTYPE_DATAPDU, "Data PDU" },
1178 { PDUTYPE_SERVER_REDIR_PKT, "Server Redirection PDU" },
1179 { 0, NULL},
1180 };
1181
1182 static const value_string rdp_pduType2_vals[] = {
1183 { PDUTYPE2_UPDATE, "Update"},
1184 { PDUTYPE2_CONTROL, "Control"},
1185 { PDUTYPE2_POINTER, "Pointer"},
1186 { PDUTYPE2_INPUT, "Input"},
1187 { PDUTYPE2_SYNCHRONIZE, "Synchronize"},
1188 { PDUTYPE2_REFRESH_RECT, "Refresh Rect"},
1189 { PDUTYPE2_PLAY_SOUND, "Play Sound"},
1190 { PDUTYPE2_SUPPRESS_OUTPUT, "Suppress Output"},
1191 { PDUTYPE2_SHUTDOWN_REQUEST, "Shutdown Request" },
1192 { PDUTYPE2_SHUTDOWN_DENIED, "Shutdown Denied" },
1193 { PDUTYPE2_SAVE_SESSION_INFO, "Save Session Info" },
1194 { PDUTYPE2_FONTLIST, "FontList" },
1195 { PDUTYPE2_FONTMAP, "FontMap" },
1196 { PDUTYPE2_SET_KEYBOARD_INDICATORS, "Set Keyboard Indicators" },
1197 { PDUTYPE2_BITMAPCACHE_PERSISTENT_LIST, "BitmapCache Persistent List" },
1198 { PDUTYPE2_BITMAPCACHE_ERROR_PDU, "BitmapCache Error" },
1199 { PDUTYPE2_SET_KEYBOARD_IME_STATUS, "Set Keyboard IME Status" },
1200 { PDUTYPE2_OFFSCRCACHE_ERROR_PDU, "OffScrCache Error" },
1201 { PDUTYPE2_SET_ERROR_INFO_PDU, "Set Error Info" },
1202 { PDUTYPE2_DRAWNINEGRID_ERROR_PDU, "DrawNineGrid Error" },
1203 { PDUTYPE2_DRAWGDIPLUS_ERROR_PDU, "DrawGDIPlus Error" },
1204 { PDUTYPE2_ARC_STATUS_PDU, "Arc Status" },
1205 { PDUTYPE2_STATUS_INFO_PDU, "Status Info" },
1206 { PDUTYPE2_MONITOR_LAYOUT_PDU, "Monitor Layout" },
1207 { 0, NULL},
1208 };
1209
1210 static const value_string rdp_compressionType_vals[] = {
1211 { PACKET_COMPR_TYPE_8K, "RDP 4.0 bulk compression" },
1212 { PACKET_COMPR_TYPE_64K, "RDP 5.0 bulk compression" },
1213 { PACKET_COMPR_TYPE_RDP6, "RDP 6.0 bulk compression" },
1214 { PACKET_COMPR_TYPE_RDP61, "RDP 6.1 bulk compression" },
1215 { 0, NULL},
1216 };
1217
1218 static const value_string rdp_channelCompressionType_vals[] = {
1219 { CHANNEL_COMPR_TYPE_8K, "RDP 4.0 bulk compression" },
1220 { CHANNEL_COMPR_TYPE_64K >> 16, "RDP 5.0 bulk compression" },
1221 { CHANNEL_COMPR_TYPE_RDP6 >> 16, "RDP 6.0 bulk compression" },
1222 { CHANNEL_COMPR_TYPE_RDP61 >> 16, "RDP 6.1 bulk compression" },
1223 { 0, NULL},
1224 };
1225
1226 static const value_string rdp_action_vals[] = {
1227 { CTRLACTION_REQUEST_CONTROL, "Request control" },
1228 { CTRLACTION_GRANTED_CONTROL, "Granted control" },
1229 { CTRLACTION_DETACH, "Detach" },
1230 { CTRLACTION_COOPERATE, "Cooperate" },
1231 {0, NULL },
1232 };
1233
1234 static const value_string rdp_capabilityType_vals[] = {
1235 { CAPSTYPE_GENERAL, "General" },
1236 { CAPSTYPE_BITMAP, "Bitmap" },
1237 { CAPSTYPE_ORDER, "Order" },
1238 { CAPSTYPE_BITMAPCACHE, "Bitmap Cache" },
1239 { CAPSTYPE_CONTROL, "Control" },
1240 { CAPSTYPE_ACTIVATION, "Activation" },
1241 { CAPSTYPE_POINTER, "Pointer" },
1242 { CAPSTYPE_SHARE, "Share" },
1243 { CAPSTYPE_COLORCACHE, "Color Cache" },
1244 { CAPSTYPE_SOUND, "Sound" },
1245 { CAPSTYPE_INPUT, "Input" },
1246 { CAPSTYPE_FONT, "Font" },
1247 { CAPSTYPE_BRUSH, "Brush" },
1248 { CAPSTYPE_GLYPHCACHE, "Glyph Cache" },
1249 { CAPSTYPE_OFFSCREENCACHE, "Off-screen Cache" },
1250 { CAPSTYPE_BITMAPCACHE_HOSTSUPPORT, "Bitmap Cache Host Support" },
1251 { CAPSTYPE_BITMAPCACHE_REV2, "Bitmap Cache Rev 2" },
1252 { CAPSTYPE_BITMAPCACHE_VIRTUALCHANNEL, "Virtual Channel"},
1253 { CAPSTYPE_DRAWNINEGRIDCACHE, "Draw Nine Grid Cache" },
1254 { CAPSTYPE_DRAWGDIPLUS, "Draw GDI Plus" },
1255 { CAPSTYPE_RAIL, "Rail" },
1256 { CAPSTYPE_WINDOW, "Window" },
1257 { CAPSTYPE_COMPDESK, "Comp Desk" },
1258 { CAPSTYPE_MULTIFRAGMENTUPDATE, "Multi-Fragment Update" },
1259 { CAPSTYPE_LARGE_POINTER, "Large Pointer" },
1260 { CAPSTYPE_SURFACE_COMMANDS, "Surface Commands" },
1261 { CAPSTYPE_BITMAP_CODECS, "Bitmap Codecs" },
1262 { CAPSTYPE_FRAME_ACKNOWLEDGE, "Frame acknowledge" },
1263 {0, NULL },
1264 };
1265
1266 static const value_string rdp_monitorDefFlags_vals[] = {
1267 { 0, "None" },
1268 { 1, "Primary" },
1269 {0, NULL },
1270 };
1271
1272 static const value_string rdp_wDayOfWeek_vals[] = {
1273 { 0, "Sunday" },
1274 { 1, "Monday" },
1275 { 2, "Tuesday" },
1276 { 3, "Wednesday" },
1277 { 4, "Thursday" },
1278 { 5, "Friday" },
1279 { 6, "Saturday" },
1280 {0, NULL },
1281 };
1282
1283 static const value_string rdp_wDay_vals[] = {
1284 { 1, "First occurrence" },
1285 { 2, "Second occurrence" },
1286 { 3, "Third occurrence" },
1287 { 4, "Fourth occurrence" },
1288 { 5, "Last occurrence" },
1289 {0, NULL },
1290 };
1291
1292 static const value_string rdp_wMonth_vals[] = {
1293 { 1, "January" },
1294 { 2, "February" },
1295 { 3, "March" },
1296 { 4, "April" },
1297 { 5, "May" },
1298 { 6, "June" },
1299 { 7, "July" },
1300 { 8, "August" },
1301 { 9, "September" },
1302 { 10, "October" },
1303 { 11, "November" },
1304 { 12, "December" },
1305 {0, NULL },
1306 };
1307
1308
1309 static wmem_map_t *rdp_transport_links;
1310
1311 typedef struct {
1312 address serverAddr;
1313 uint16_t serverPort;
1314 bool reliable;
1315 uint32_t requestId;
1316 uint8_t securityCookie[16];
1317
1318 } rdp_transports_key_t;
1319
1320 typedef struct {
1321 rdp_transports_key_t key;
1322
1323 conversation_t *tcp_conversation;
1324 conversation_t *udp_conversation;
1325 } rdp_transports_link_t;
1326
1327
1328 static unsigned
1329 rdp_udp_conversation_hash(const void *k)
1330 {
1331 unsigned h;
1332 int i;
1333 const rdp_transports_key_t *key = (const rdp_transports_key_t *)k;
1334
1335 h = key->serverPort + key->reliable + key->requestId;
1336 h = add_address_to_hash(h, &key->serverAddr);
1337 for (i = 0; i < 16; i++)
1338 h += key->securityCookie[i];
1339
1340 return h;
1341 }
1342
1343 static gboolean
1344 rdp_udp_conversation_equal_matched(const void *k1, const void *k2)
1345 {
1346 const rdp_transports_key_t *key1 = (const rdp_transports_key_t *)k1;
1347 const rdp_transports_key_t *key2 = (const rdp_transports_key_t *)k2;
1348
1349 return addresses_equal(&key1->serverAddr, &key2->serverAddr) &&
1350 (key1->serverPort == key2->serverPort) &&
1351 (key1->reliable == key2->reliable) &&
1352 (key1->requestId == key2->requestId) &&
1353 memcmp(key1->securityCookie, key2->securityCookie, 16) == 0;
1354 }
1355
1356 /*
1357 * Flags in the flags field of a TS_INFO_PACKET.
1358 * XXX - define more, and show them underneath that field.
1359 */
1360 #define INFO_UNICODE 0x00000010
1361
1362 static rdp_conv_info_t *
1363 rdp_get_conversation_data(packet_info *pinfo)
1364 {
1365 conversation_t *conversation;
1366 rdp_conv_info_t *rdp_info;
1367
1368 conversation = find_or_create_conversation(pinfo);
1369
1370 rdp_info = (rdp_conv_info_t *)conversation_get_proto_data(conversation, proto_rdp);
1371
1372 if (rdp_info == NULL) {
1373 rdp_info = wmem_new0(wmem_file_scope(), rdp_conv_info_t);
1374 rdp_info->staticChannelId = -1;
1375 rdp_info->messageChannelId = -1;
1376 rdp_info->encryptionMethod = 0;
1377 rdp_info->encryptionLevel = 0;
1378 rdp_info->licenseAgreed = 0;
1379 rdp_info->maxChannels = 0;
1380 rdp_info->isRdstls = false;
1381 memset(&rdp_info->serverAddr, 0, sizeof(rdp_info->serverAddr));
1382
1383 conversation_add_proto_data(conversation, proto_rdp, rdp_info);
1384 }
1385
1386 return rdp_info;
1387 }
1388
1389 static int
1390 // NOLINTNEXTLINE(misc-no-recursion)
1391 dissect_rdp_fields(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, const rdp_field_info_t *fields, int totlen)
1392 {
1393 const rdp_field_info_t *c;
1394 int len;
1395 int base_offset = offset;
1396 uint32_t info_flags = 0;
1397 unsigned encoding;
1398
1399 increment_dissection_depth(pinfo);
1400
1401 for ( ; fields->pfield != NULL; fields++) {
1402 c = fields;
1403 if ((c->fixedLength == 0) && (c->variableLength)) {
1404 len = *(c->variableLength);
1405 } else {
1406 len = c->fixedLength;
1407
1408 if ((c->variableLength) && (c->fixedLength <= 4)) {
1409 switch (c->fixedLength) {
1410 case 1:
1411 *(c->variableLength) = tvb_get_uint8(tvb, offset);
1412 break;
1413 case 2:
1414 *(c->variableLength) = tvb_get_letohs(tvb, offset);
1415 break;
1416 case 4:
1417 *(c->variableLength) = tvb_get_letohl(tvb, offset);
1418 break;
1419 default:
1420 REPORT_DISSECTOR_BUG("Invalid length");
1421 }
1422
1423 *(c->variableLength) += c->offsetOrTree; /* XXX: ??? */
1424 }
1425 }
1426
1427 if (len) {
1428 proto_item *pi;
1429 if (c->flags & RDP_FI_STRING) {
1430 /* If this is always Unicode, or if the INFO_UNICODE flag is set,
1431 treat this as UTF-16; otherwise, treat it as "ANSI". */
1432 if (c->flags & RDP_FI_UNICODE)
1433 encoding = ENC_UTF_16|ENC_LITTLE_ENDIAN;
1434 else if (c->flags & RDP_FI_ANSI)
1435 encoding = ENC_ASCII|ENC_NA; /* XXX - code page */
1436 else {
1437 /* Could be Unicode, could be ANSI, based on INFO_UNICODE flag */
1438 encoding = (info_flags & INFO_UNICODE) ? ENC_UTF_16|ENC_LITTLE_ENDIAN : ENC_ASCII|ENC_NA; /* XXX - code page */
1439 }
1440 } else
1441 encoding = ENC_LITTLE_ENDIAN;
1442
1443 pi = proto_tree_add_item(tree, *c->pfield, tvb, offset, len, encoding);
1444
1445 if (c->flags & RDP_FI_INFO_FLAGS) {
1446 /* TS_INFO_PACKET flags field; save it for later use */
1447 DISSECTOR_ASSERT(len == 4);
1448 info_flags = tvb_get_letohl(tvb, offset);
1449 }
1450
1451 if (c->flags & RDP_FI_SUBTREE) {
1452 proto_tree *next_tree;
1453 if (c->offsetOrTree != -1)
1454 next_tree = proto_item_add_subtree(pi, c->offsetOrTree);
1455 else
1456 REPORT_DISSECTOR_BUG("Tree Error!!");
1457
1458 if (c->subfields)
1459 dissect_rdp_fields(tvb, offset, pinfo, next_tree, c->subfields, 0);
1460 }
1461
1462 if (!(c->flags & RDP_FI_NOINCOFFSET))
1463 offset += len;
1464 }
1465
1466 if ((totlen > 0) && ((offset-base_offset) >= totlen))
1467 break; /* we're done: skip optional fields */
1468 /* XXX: err if > totlen ?? */
1469 }
1470
1471 decrement_dissection_depth(pinfo);
1472 return offset;
1473 }
1474
1475 static int
1476 dissect_rdp_nyi(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, const char *info)
1477 {
1478 rdp_field_info_t nyi_fields[] = {
1479 {&hf_rdp_notYetImplemented, -1, NULL, 0, 0, NULL },
1480 FI_TERMINATOR
1481 };
1482
1483 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, nyi_fields, 0);
1484
1485 if ((tree != NULL) && (info != NULL))
1486 proto_item_append_text(tree->last_child, " (%s)", info);
1487
1488 return offset;
1489 }
1490
1491 static int
1492 dissect_rdp_encrypted(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, const char *info)
1493 {
1494 rdp_field_info_t enc_fields[] = {
1495 {&hf_rdp_encrypted, -1, NULL, 0, 0, NULL },
1496 FI_TERMINATOR
1497 };
1498
1499 offset = dissect_rdp_fields(tvb, offset,pinfo, tree, enc_fields, 0);
1500
1501 if ((tree != NULL) && (info != NULL))
1502 proto_item_append_text(tree->last_child, " (%s)", info);
1503
1504 col_append_sep_str(pinfo->cinfo, COL_INFO, ", ", "[Encrypted]");
1505
1506 return offset;
1507 }
1508
1509 static rdp_known_channel_t
1510 find_known_channel_by_name(const char *name) {
1511 if (g_ascii_strcasecmp(name, "drdynvc") == 0)
1512 return RDP_CHANNEL_DRDYNVC;
1513 if (g_ascii_strcasecmp(name, "rdpdr") == 0)
1514 return RDP_CHANNEL_DISK;
1515 if (g_ascii_strcasecmp(name, "rdpsnd") == 0)
1516 return RDP_CHANNEL_SOUND;
1517 if (g_ascii_strcasecmp(name, "cliprdr") == 0)
1518 return RDP_CHANNEL_CLIPBOARD;
1519 if (g_ascii_strcasecmp(name, "rail") == 0)
1520 return RDP_CHANNEL_RAIL;
1521 return RDP_CHANNEL_UNKNOWN;
1522 }
1523
1524 static int
1525 dissect_rdp_clientNetworkData(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, unsigned length, rdp_conv_info_t *rdp_info)
1526 {
1527 proto_tree *next_tree;
1528 proto_item *pi;
1529 uint32_t channelCount = 0;
1530
1531 rdp_field_info_t net_fields[] = {
1532 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
1533 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
1534 FI_VALUE(&hf_rdp_channelCount, 4, channelCount),
1535 FI_TERMINATOR
1536 };
1537 rdp_field_info_t option_fields[] = {
1538 {&hf_rdp_optionsInitialized, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1539 {&hf_rdp_optionsEncryptRDP, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1540 {&hf_rdp_optionsEncryptSC, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1541 {&hf_rdp_optionsEncryptCS, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1542 {&hf_rdp_optionsPriHigh, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1543 {&hf_rdp_optionsPriMed, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1544 {&hf_rdp_optionsPriLow, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1545 {&hf_rdp_optionsCompressRDP, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1546 {&hf_rdp_optionsCompress, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1547 {&hf_rdp_optionsShowProtocol, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1548 {&hf_rdp_optionsRemoteControlPersistent, 4, NULL, 0, 0, NULL },
1549 FI_TERMINATOR,
1550 };
1551 rdp_field_info_t channel_fields[] = {
1552 FI_FIXEDLEN_ANSI_STRING(&hf_rdp_name, 8),
1553 FI_SUBTREE(&hf_rdp_options, 4, ett_rdp_options, option_fields),
1554 FI_TERMINATOR
1555 };
1556 rdp_field_info_t def_fields[] = {
1557 FI_SUBTREE(&hf_rdp_channelDef, 12, ett_rdp_channelDef, channel_fields),
1558 FI_TERMINATOR
1559 };
1560
1561 pi = proto_tree_add_item(tree, hf_rdp_clientNetworkData, tvb, offset, length, ENC_NA);
1562 next_tree = proto_item_add_subtree(pi, ett_rdp_clientNetworkData);
1563
1564 offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree, net_fields, 0);
1565
1566 if (channelCount > 0) {
1567 unsigned i;
1568 pi = proto_tree_add_item(next_tree, hf_rdp_channelDefArray, tvb, offset, channelCount * 12, ENC_NA);
1569 next_tree = proto_item_add_subtree(pi, ett_rdp_channelDefArray);
1570
1571 if (rdp_info)
1572 rdp_info->maxChannels = MIN(channelCount, RDP_MAX_CHANNELS);
1573
1574 for (i = 0; i < MIN(channelCount, RDP_MAX_CHANNELS); i++) {
1575 if (rdp_info) {
1576 rdp_channel_def_t *channel = &rdp_info->staticChannels[i];
1577 channel->value = -1; /* unset */
1578 channel->strptr = tvb_get_string_enc(wmem_file_scope(), tvb, offset, 8, ENC_ASCII);
1579 channel->channelType = find_known_channel_by_name(channel->strptr);
1580 }
1581 offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree, def_fields, 0);
1582 }
1583
1584 if (rdp_info) {
1585 /* value_strings are normally terminated with a {0, NULL} entry */
1586 rdp_info->staticChannels[i].value = 0;
1587 rdp_info->staticChannels[i].strptr = NULL;
1588 }
1589 }
1590
1591 return offset;
1592 }
1593
1594 static int
1595 dissect_rdp_basicSecurityHeader(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, uint32_t *flags_ptr) {
1596
1597 uint32_t flags = 0;
1598
1599 rdp_field_info_t secFlags_fields[] = {
1600 {&hf_rdp_flagsPkt, 2, &flags, 0, RDP_FI_NOINCOFFSET, NULL },
1601 {&hf_rdp_flagsEncrypt, 2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1602 {&hf_rdp_flagsResetSeqno, 2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1603 {&hf_rdp_flagsIgnoreSeqno, 2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1604 {&hf_rdp_flagsLicenseEncrypt,2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1605 {&hf_rdp_flagsSecureChecksum,2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1606 {&hf_rdp_flagsFlagsHiValid, 2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1607 FI_TERMINATOR
1608 };
1609
1610 rdp_field_info_t flags_fields[] = {
1611 FI_SUBTREE(&hf_rdp_flags, 2, ett_rdp_flags, secFlags_fields),
1612 FI_FIXEDLEN(&hf_rdp_flagsHi, 2),
1613 FI_TERMINATOR
1614 };
1615
1616 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, flags_fields, 0);
1617
1618 if (flags_ptr)
1619 *flags_ptr = flags;
1620
1621 return offset;
1622 }
1623
1624
1625 static int
1626 dissect_rdp_securityHeader(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, rdp_conv_info_t *rdp_info, bool alwaysBasic, uint32_t *flags_ptr) {
1627
1628 rdp_field_info_t fips_fields[] = {
1629 {&hf_rdp_fipsLength, 2, NULL, 0, 0, NULL },
1630 {&hf_rdp_fipsVersion, 1, NULL, 0, 0, NULL },
1631 {&hf_rdp_padlen, 1, NULL, 0, 0, NULL },
1632 {&hf_rdp_dataSignature, 8, NULL, 0, 0, NULL },
1633 FI_TERMINATOR
1634 };
1635 rdp_field_info_t enc_fields[] = {
1636 {&hf_rdp_dataSignature, 8, NULL, 0, 0, NULL },
1637 FI_TERMINATOR
1638 };
1639 const rdp_field_info_t *fields = NULL;
1640
1641 if (rdp_info) {
1642
1643 if (alwaysBasic || (rdp_info->encryptionLevel != ENCRYPTION_LEVEL_NONE))
1644 offset = dissect_rdp_basicSecurityHeader(tvb, offset, pinfo, tree, flags_ptr);
1645
1646 if (rdp_info->encryptionMethod &
1647 (ENCRYPTION_METHOD_40BIT |
1648 ENCRYPTION_METHOD_128BIT |
1649 ENCRYPTION_METHOD_56BIT)) {
1650 fields = enc_fields;
1651 } else if (rdp_info->encryptionMethod == ENCRYPTION_METHOD_FIPS) {
1652 fields = fips_fields;
1653 }
1654
1655 if (fields)
1656 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, fields, 0);
1657 }
1658 return offset;
1659 }
1660
1661 static rdp_channel_def_t* find_channel(packet_info *pinfo, uint16_t channelId) {
1662 conversation_t *conversation;
1663 rdp_conv_info_t *rdp_info;
1664 uint8_t i;
1665
1666 conversation = find_or_create_conversation(pinfo);
1667 if (!conversation)
1668 return NULL;
1669
1670 rdp_info = (rdp_conv_info_t *)conversation_get_proto_data(conversation, proto_rdp);
1671 if (!rdp_info)
1672 return NULL;
1673
1674 for (i = 0; i < rdp_info->maxChannels; i++) {
1675 if (rdp_info->staticChannels[i].value == channelId)
1676 return &rdp_info->staticChannels[i];
1677 }
1678 return NULL;
1679 }
1680
1681 static rdp_known_channel_t
1682 find_channel_type(packet_info *pinfo, uint16_t channelId) {
1683 rdp_channel_def_t* channel = find_channel(pinfo, channelId);
1684 if (!channel)
1685 return RDP_CHANNEL_UNKNOWN;
1686
1687 return channel->channelType;
1688 }
1689
1690
1691 static int
1692 dissect_rdp_channelPDU(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
1693 rdp_known_channel_t channelType;
1694 uint32_t length = 0;
1695 tvbuff_t *subtvb;
1696 uint32_t compressed;
1697
1698 rdp_field_info_t flag_fields[] = {
1699 {&hf_rdp_channelFlagFirst, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1700 {&hf_rdp_channelFlagLast, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1701 {&hf_rdp_channelFlagShowProtocol, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1702 {&hf_rdp_channelFlagSuspend, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1703 {&hf_rdp_channelFlagResume, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1704 {&hf_rdp_channelPacketCompressed, 4, &compressed, 0, RDP_FI_NOINCOFFSET, NULL },
1705 {&hf_rdp_channelPacketAtFront, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1706 {&hf_rdp_channelPacketFlushed, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1707 {&hf_rdp_channelPacketCompressionType, 4, NULL, 0, 0, NULL },
1708 FI_TERMINATOR
1709 };
1710
1711 rdp_field_info_t channel_fields[] = {
1712 FI_VALUE(&hf_rdp_length, 4, length),
1713 FI_SUBTREE(&hf_rdp_channelFlags, 4, ett_rdp_channelFlags, flag_fields),
1714 FI_TERMINATOR
1715 };
1716
1717 rdp_field_info_t channelPDU_fields[] = {
1718 FI_SUBTREE(&hf_rdp_channelPDUHeader, 8, ett_rdp_channelPDUHeader, channel_fields),
1719 FI_FIXEDLEN(&hf_rdp_virtualChannelData, -1),
1720 FI_TERMINATOR
1721 };
1722
1723 channelType = find_channel_type(pinfo, t124_get_last_channelId());
1724 switch (channelType) {
1725 case RDP_CHANNEL_DRDYNVC:
1726 case RDP_CHANNEL_RAIL:
1727 case RDP_CHANNEL_CLIPBOARD:
1728 case RDP_CHANNEL_SOUND:
1729 memset(&channelPDU_fields[1], 0, sizeof(channelPDU_fields[1]));
1730 break;
1731 default:
1732 break;
1733 }
1734
1735 /* length is the uncompressed length, and the PDU may be compressed */
1736 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, channelPDU_fields, 0);
1737
1738 if (compressed & CHANNEL_PACKET_COMPRESSED) {
1739 dissect_rdp_nyi(tvb, offset, pinfo, tree, "Compressed channel PDU not implemented");
1740 return offset;
1741 }
1742
1743 switch (channelType) {
1744 case RDP_CHANNEL_DRDYNVC:
1745 subtvb = tvb_new_subset_length(tvb, offset, length);
1746 offset += call_dissector(drdynvc_handle, subtvb, pinfo, tree);
1747 break;
1748 case RDP_CHANNEL_RAIL:
1749 subtvb = tvb_new_subset_length(tvb, offset, length);
1750 offset += call_dissector(rail_handle, subtvb, pinfo, tree);
1751 break;
1752 case RDP_CHANNEL_CLIPBOARD:
1753 subtvb = tvb_new_subset_length(tvb, offset, length);
1754 offset += call_dissector(cliprdr_handle, subtvb, pinfo, tree);
1755 break;
1756 case RDP_CHANNEL_SOUND:
1757 subtvb = tvb_new_subset_length(tvb, offset, length);
1758 offset += call_dissector(snd_handle, subtvb, pinfo, tree);
1759 break;
1760 default: {
1761 rdp_channel_def_t* channel = find_channel(pinfo, t124_get_last_channelId());
1762 if (channel)
1763 col_append_fstr(pinfo->cinfo, COL_INFO, " channel=%s", channel->strptr);
1764 break;
1765 }
1766 }
1767
1768 return offset;
1769 }
1770
1771 static int
1772 dissect_rdp_shareDataHeader(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
1773 uint32_t pduType2 = 0;
1774 uint32_t compressedType;
1775 uint32_t action = 0;
1776
1777 rdp_field_info_t compressed_fields[] = {
1778 {&hf_rdp_compressedTypeType, 1, &compressedType, 0, RDP_FI_NOINCOFFSET, NULL },
1779 {&hf_rdp_compressedTypeCompressed, 1, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1780 {&hf_rdp_compressedTypeAtFront, 1, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1781 {&hf_rdp_compressedTypeFlushed, 1, NULL, 0, 0, NULL },
1782 FI_TERMINATOR
1783 };
1784 rdp_field_info_t share_fields[] = {
1785 {&hf_rdp_shareId, 4, NULL, 0, 0, NULL },
1786 {&hf_rdp_pad1, 1, NULL, 0, 0, NULL },
1787 {&hf_rdp_streamId, 1, NULL, 0, 0, NULL },
1788 {&hf_rdp_uncompressedLength, 2, NULL, 0, 0, NULL },
1789 {&hf_rdp_pduType2, 1, &pduType2, 0, 0, NULL },
1790 FI_SUBTREE(&hf_rdp_compressedType, 1, ett_rdp_compressedType, compressed_fields),
1791 {&hf_rdp_compressedLength, 2, NULL, 0, 0, NULL },
1792 FI_TERMINATOR
1793 };
1794 rdp_field_info_t control_fields[] = {
1795 {&hf_rdp_action, 2, &action, 0, 0, NULL },
1796 {&hf_rdp_grantId, 2, NULL, 0, 0, NULL },
1797 {&hf_rdp_controlId, 4, NULL, 0, 0, NULL },
1798 FI_TERMINATOR
1799 };
1800 rdp_field_info_t sync_fields[] = {
1801 {&hf_rdp_messageType, 2, NULL, 0, 0, NULL },
1802 {&hf_rdp_targetUser, 2, NULL, 0, 0, NULL },
1803 FI_TERMINATOR
1804 };
1805 rdp_field_info_t mapflags_fields[] = {
1806 {&hf_rdp_fontMapFirst, 2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1807 {&hf_rdp_fontMapLast, 2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1808 FI_TERMINATOR
1809 };
1810 rdp_field_info_t fontmap_fields[] = {
1811 {&hf_rdp_numberEntries, 2, NULL, 0, 0, NULL },
1812 {&hf_rdp_totalNumberEntries, 2, NULL, 0, 0, NULL },
1813 FI_SUBTREE(&hf_rdp_mapFlags, 2, ett_rdp_mapFlags, mapflags_fields),
1814 {&hf_rdp_entrySize, 2, NULL, 0, 0, NULL },
1815 FI_TERMINATOR
1816 };
1817 rdp_field_info_t persistent_fields[] = {
1818 {&hf_rdp_numEntriesCache0, 2, NULL, 0, 0, NULL },
1819 {&hf_rdp_numEntriesCache1, 2, NULL, 0, 0, NULL },
1820 {&hf_rdp_numEntriesCache2, 2, NULL, 0, 0, NULL },
1821 {&hf_rdp_numEntriesCache3, 2, NULL, 0, 0, NULL },
1822 {&hf_rdp_numEntriesCache4, 2, NULL, 0, 0, NULL },
1823 {&hf_rdp_totalEntriesCache0, 2, NULL, 0, 0, NULL },
1824 {&hf_rdp_totalEntriesCache1, 2, NULL, 0, 0, NULL },
1825 {&hf_rdp_totalEntriesCache2, 2, NULL, 0, 0, NULL },
1826 {&hf_rdp_totalEntriesCache3, 2, NULL, 0, 0, NULL },
1827 {&hf_rdp_totalEntriesCache4, 2, NULL, 0, 0, NULL },
1828 {&hf_rdp_bBitMask, 1, NULL, 0, 0, NULL },
1829 {&hf_rdp_Pad2, 1, NULL, 0, 0, NULL },
1830 {&hf_rdp_Pad3, 2, NULL, 0, 0, NULL },
1831 FI_TERMINATOR
1832 };
1833
1834 rdp_field_info_t serverStatusInfo_fields[] = {
1835 {&hf_rdp_statusInfo_status, 4, NULL, 0, 0, NULL },
1836 FI_TERMINATOR
1837 };
1838
1839 const rdp_field_info_t *fields;
1840
1841 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, share_fields, 0);
1842
1843 col_append_str(pinfo->cinfo, COL_INFO, "RDP PDU Type: ");
1844 col_append_sep_str(pinfo->cinfo, COL_INFO, "", val_to_str_const(pduType2, rdp_pduType2_vals, "Unknown"));
1845
1846 fields = NULL;
1847 switch(pduType2) {
1848 case PDUTYPE2_UPDATE:
1849 break;
1850 case PDUTYPE2_CONTROL:
1851 fields = control_fields;
1852 break;
1853 case PDUTYPE2_POINTER:
1854 break;
1855 case PDUTYPE2_INPUT:
1856 break;
1857 case PDUTYPE2_SYNCHRONIZE:
1858 fields = sync_fields;
1859 break;
1860 case PDUTYPE2_REFRESH_RECT:
1861 break;
1862 case PDUTYPE2_PLAY_SOUND:
1863 break;
1864 case PDUTYPE2_SUPPRESS_OUTPUT:
1865 break;
1866 case PDUTYPE2_SHUTDOWN_REQUEST:
1867 break;
1868 case PDUTYPE2_SHUTDOWN_DENIED:
1869 break;
1870 case PDUTYPE2_SAVE_SESSION_INFO:
1871 break;
1872 case PDUTYPE2_FONTLIST:
1873 break;
1874 case PDUTYPE2_FONTMAP:
1875 fields = fontmap_fields;
1876 break;
1877 case PDUTYPE2_SET_KEYBOARD_INDICATORS:
1878 break;
1879 case PDUTYPE2_BITMAPCACHE_PERSISTENT_LIST:
1880 fields = persistent_fields;
1881 break;
1882 case PDUTYPE2_BITMAPCACHE_ERROR_PDU:
1883 break;
1884 case PDUTYPE2_SET_KEYBOARD_IME_STATUS:
1885 break;
1886 case PDUTYPE2_OFFSCRCACHE_ERROR_PDU:
1887 break;
1888 case PDUTYPE2_SET_ERROR_INFO_PDU:
1889 break;
1890 case PDUTYPE2_DRAWNINEGRID_ERROR_PDU:
1891 break;
1892 case PDUTYPE2_DRAWGDIPLUS_ERROR_PDU:
1893 break;
1894 case PDUTYPE2_ARC_STATUS_PDU:
1895 break;
1896 case PDUTYPE2_STATUS_INFO_PDU:
1897 fields = serverStatusInfo_fields;
1898 break;
1899 case PDUTYPE2_MONITOR_LAYOUT_PDU:
1900 break;
1901 default:
1902 break;
1903 }
1904
1905 if (fields) {
1906 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, fields, 0);
1907 }
1908
1909 if (pduType2 == PDUTYPE2_CONTROL) {
1910 col_append_sep_str(pinfo->cinfo, COL_INFO, ", ", "Action: ");
1911 col_append_sep_str(pinfo->cinfo, COL_INFO, "", val_to_str_const(action, rdp_action_vals, "Unknown"));
1912 }
1913
1914 return offset;
1915 }
1916
1917
1918 static int
1919 dissect_rdp_capabilitySets(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, uint32_t numberCapabilities) {
1920 unsigned i;
1921 uint32_t lengthCapability = 0;
1922 uint32_t capabilityType = 0;
1923
1924 rdp_field_info_t cs_fields[] = {
1925 {&hf_rdp_capabilitySetType, 2, &capabilityType, 0, 0, NULL },
1926 {&hf_rdp_lengthCapability, 2, &lengthCapability, -4, 0, NULL },
1927 {&hf_rdp_capabilityData, 0, &lengthCapability, 0, 0, NULL },
1928 FI_TERMINATOR
1929 };
1930
1931 rdp_field_info_t railFlags_fields[] = {
1932 {&hf_rdp_capaRail_flag_supported, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1933 {&hf_rdp_capaRail_flag_dockedlangbar, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1934 {&hf_rdp_capaRail_flag_shellintegration, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1935 {&hf_rdp_capaRail_flag_lang_ime_sync, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1936 {&hf_rdp_capaRail_flag_server_to_client_ime_sync, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1937 {&hf_rdp_capaRail_flag_hide_minimized, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1938 {&hf_rdp_capaRail_flag_windows_cloaking, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1939 {&hf_rdp_capaRail_flag_handshakeex, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
1940 FI_TERMINATOR
1941 };
1942
1943 rdp_field_info_t cs_rail[] = {
1944 {&hf_rdp_capabilitySetType, 2, NULL, 0, 0, NULL },
1945 {&hf_rdp_lengthCapability, 2, NULL, 0, 0, NULL },
1946 FI_SUBTREE(&hf_rdp_capaRail_supportedLevel, 4, ett_rdp_capa_rail, railFlags_fields),
1947 FI_TERMINATOR
1948 };
1949
1950 for (i = 0; i < numberCapabilities; i++) {
1951 proto_item *capaItem;
1952 proto_tree *capaTree;
1953 rdp_field_info_t *targetFields;
1954 capabilityType = tvb_get_uint16(tvb, offset, ENC_LITTLE_ENDIAN);
1955 lengthCapability = tvb_get_uint16(tvb, offset + 2, ENC_LITTLE_ENDIAN);
1956
1957 capaItem = proto_tree_add_item(tree, hf_rdp_capabilitySet, tvb, offset, lengthCapability, ENC_NA);
1958 proto_item_set_text(capaItem, "%s", val_to_str_const(capabilityType, rdp_capabilityType_vals, "<unknown capability>"));
1959 capaTree = proto_item_add_subtree(capaItem, ett_rdp_capabilitySet);
1960
1961 switch (capabilityType) {
1962 case CAPSTYPE_RAIL:
1963 targetFields = cs_rail;
1964 break;
1965 default:
1966 targetFields = cs_fields;
1967 break;
1968 }
1969
1970 offset = dissect_rdp_fields(tvb, offset, pinfo, capaTree, targetFields, 0);
1971 }
1972
1973 return offset;
1974 }
1975
1976 static int
1977 dissect_rdp_demandActivePDU(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
1978
1979 uint32_t lengthSourceDescriptor;
1980 uint32_t numberCapabilities = 0;
1981
1982 rdp_field_info_t fields[] = {
1983 {&hf_rdp_shareId, 4, NULL, 0, 0, NULL },
1984 {&hf_rdp_lengthSourceDescriptor, 2, &lengthSourceDescriptor, 0, 0, NULL },
1985 {&hf_rdp_lengthCombinedCapabilities, 2, NULL, 0, 0, NULL },
1986 {&hf_rdp_sourceDescriptor, 0, &lengthSourceDescriptor, 0, RDP_FI_STRING|RDP_FI_ANSI, NULL }, /* XXX - T.128 says this is T.50, which is ISO 646, which is only ASCII in its US form */
1987 {&hf_rdp_numberCapabilities, 2, &numberCapabilities, 0, 0, NULL },
1988 {&hf_rdp_pad2Octets, 2, NULL, 0, 0, NULL },
1989 FI_TERMINATOR
1990 };
1991 rdp_field_info_t final_fields[] = {
1992 {&hf_rdp_sessionId, 4, NULL, 0, 0, NULL },
1993 FI_TERMINATOR
1994 };
1995
1996 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, fields, 0);
1997
1998 offset = dissect_rdp_capabilitySets(tvb, offset, pinfo, tree, numberCapabilities);
1999
2000 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, final_fields, 0);
2001
2002 return offset;
2003 }
2004
2005 static int
2006 dissect_rdp_confirmActivePDU(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
2007
2008 uint32_t lengthSourceDescriptor;
2009 uint32_t numberCapabilities = 0;
2010
2011 rdp_field_info_t fields[] = {
2012 {&hf_rdp_shareId, 4, NULL, 0, 0, NULL },
2013 {&hf_rdp_originatorId, 2, NULL, 0, 0, NULL },
2014 {&hf_rdp_lengthSourceDescriptor, 2, &lengthSourceDescriptor, 0, 0, NULL },
2015 {&hf_rdp_lengthCombinedCapabilities, 2, NULL, 0, 0, NULL },
2016 {&hf_rdp_sourceDescriptor, 0, &lengthSourceDescriptor, 0, 0, NULL },
2017 {&hf_rdp_numberCapabilities, 2, &numberCapabilities, 0, 0, NULL },
2018 {&hf_rdp_pad2Octets, 2, NULL, 0, 0, NULL },
2019 FI_TERMINATOR
2020 };
2021
2022 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, fields, 0);
2023
2024 offset = dissect_rdp_capabilitySets(tvb, offset, pinfo, tree, numberCapabilities);
2025
2026 return offset;
2027 }
2028
2029
2030 static proto_tree *
2031 dissect_rdp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree)
2032 {
2033 proto_item *item;
2034 proto_tree *tree;
2035
2036 col_set_str(pinfo->cinfo, COL_PROTOCOL, "RDP");
2037 col_clear(pinfo->cinfo, COL_INFO);
2038
2039 item = proto_tree_add_item(parent_tree, proto_rdp, tvb, 0, -1, ENC_NA);
2040 tree = proto_item_add_subtree(item, ett_rdp);
2041
2042 return tree;
2043 }
2044
2045
2046 int
2047 dissect_rdp_bandwidth_req(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, bool to_server)
2048 {
2049 uint16_t payloadLength;
2050 rdp_field_info_t bandwidth_fields[] = {
2051 {&hf_rdp_bandwidth_header_len, 1, NULL , 0, 0, NULL },
2052 {&hf_rdp_bandwidth_header_type, 1, NULL , 0, 0, NULL },
2053 {&hf_rdp_bandwidth_seqnumber, 2, NULL , 0, 0, NULL },
2054 {&hf_rdp_bandwidth_reqtype, 2, NULL , 0, 0, NULL },
2055 FI_TERMINATOR
2056 };
2057 uint8_t typeId = tvb_get_uint8(tvb, offset + 1);
2058 uint16_t reqRespType = tvb_get_uint16(tvb, offset + 4, ENC_LITTLE_ENDIAN);
2059
2060 if (typeId == TYPE_ID_AUTODETECT_RESPONSE)
2061 bandwidth_fields[3].pfield = &hf_rdp_bandwidth_resptype;
2062
2063 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, bandwidth_fields, 0);
2064
2065 if (!to_server) {
2066 switch (reqRespType) {
2067 case 0x0001:
2068 case 0x1001:
2069 /* RTT Measure Request*/
2070 break;
2071
2072 case 0x0014:
2073 case 0x0114:
2074 case 0x1014:
2075 /* Bandwidth Measure Start message */
2076 break;
2077
2078 case 0x0002:
2079 /* Bandwidth Measure Payload */
2080 payloadLength = tvb_get_uint16(tvb, offset, ENC_LITTLE_ENDIAN);
2081 proto_tree_add_item(tree, hf_rdp_bandwidth_measure_payload_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2082 offset += 2;
2083
2084 proto_tree_add_item(tree, hf_rdp_bandwidth_measure_payload_data, tvb, offset, payloadLength, ENC_NA);
2085 offset += payloadLength;
2086 break;
2087
2088 case 0x002B:
2089 case 0x0429:
2090 case 0x0629:
2091 /* Bandwidth Measure Stop */
2092 if (reqRespType == 0x002B) {
2093 payloadLength = tvb_get_uint16(tvb, offset, ENC_LITTLE_ENDIAN);
2094 proto_tree_add_item(tree, hf_rdp_bandwidth_measure_payload_len, tvb, offset, 2, ENC_LITTLE_ENDIAN);
2095 offset += 2;
2096
2097 proto_tree_add_item(tree, hf_rdp_bandwidth_measure_payload_data, tvb, offset, payloadLength, ENC_NA);
2098 offset += payloadLength;
2099 }
2100 break;
2101
2102 case 0x0840:
2103 case 0x0880:
2104 case 0x08C0:
2105 /* Network Characteristics Result*/
2106 if (reqRespType == 0x840 || reqRespType == 0x8C0) {
2107 proto_tree_add_item(tree, hf_rdp_network_characteristics_basertt, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2108 offset += 4;
2109 }
2110 if (reqRespType == 0x880 || reqRespType == 0x8C0) {
2111 proto_tree_add_item(tree, hf_rdp_network_characteristics_bandwidth, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2112 offset += 4;
2113 }
2114 if (reqRespType == 0x840 || reqRespType == 0x8C0) {
2115 proto_tree_add_item(tree, hf_rdp_network_characteristics_averagertt, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2116 offset += 4;
2117 }
2118 break;
2119 }
2120 } else {
2121 switch (reqRespType) {
2122 case 0x0000:
2123 /* RTT Measure Response */
2124 break;
2125 case 0x0003:
2126 case 0x000B:
2127 /* Bandwidth Measure Results */
2128 proto_tree_add_item(tree, hf_rdp_rtt_measure_time_delta, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2129 offset += 4;
2130
2131 proto_tree_add_item(tree, hf_rdp_rtt_measure_time_bytecount, tvb, offset, 4, ENC_LITTLE_ENDIAN);
2132 offset += 4;
2133 break;
2134 }
2135 }
2136
2137 return offset;
2138 }
2139
2140 static bool
2141 rdp_isServerAddressTarget(packet_info *pinfo)
2142 {
2143 conversation_t *conv;
2144 rdp_conv_info_t *rdp_info;
2145
2146 conv = find_conversation_pinfo(pinfo, 0);
2147 if (!conv)
2148 return false;
2149
2150 rdp_info = (rdp_conv_info_t *)conversation_get_proto_data(conv, proto_rdp);
2151 if (rdp_info) {
2152 rdp_server_address_t *server = &rdp_info->serverAddr;
2153 return addresses_equal(&server->addr, &pinfo->dst) && (pinfo->destport == server->port);
2154 }
2155
2156 return false;
2157 }
2158
2159 void
2160 rdp_transport_set_udp_conversation(const address *serverAddr, uint16_t serverPort, bool reliable, uint32_t reqId, uint8_t *cookie, conversation_t *conv)
2161 {
2162 rdp_transports_key_t key;
2163 rdp_transports_link_t *transport_link;
2164
2165 key.reliable = reliable;
2166 key.requestId = reqId;
2167 memcpy(key.securityCookie, cookie, 16);
2168 copy_address_shallow(&key.serverAddr, serverAddr);
2169 key.serverPort = serverPort;
2170
2171 transport_link = (rdp_transports_link_t *)wmem_map_lookup(rdp_transport_links, &key);
2172 if (!transport_link) {
2173 transport_link = wmem_new(wmem_file_scope(), rdp_transports_link_t);
2174
2175 memcpy(&transport_link->key, &key, sizeof(key));
2176 copy_address_wmem(wmem_file_scope(), &key.serverAddr, serverAddr);
2177 }
2178
2179 transport_link->udp_conversation = conv;
2180 }
2181
2182 typedef struct {
2183 conversation_t *udp;
2184 conversation_t *result;
2185 } find_tcp_conversation_t;
2186
2187 static void
2188 map_find_tcp_conversation_fn(rdp_transports_key_t *key _U_, rdp_transports_link_t *transport, find_tcp_conversation_t *criteria)
2189 {
2190 if (criteria->udp == transport->udp_conversation)
2191 criteria->result = transport->tcp_conversation;
2192 }
2193
2194 conversation_t *
2195 rdp_find_tcp_conversation_from_udp(conversation_t *udp)
2196 {
2197 find_tcp_conversation_t criteria = { udp, NULL };
2198
2199 wmem_map_foreach(rdp_transport_links, (GHFunc)map_find_tcp_conversation_fn, &criteria);
2200 return criteria.result;
2201 }
2202
2203 static int
2204 dissect_rdp_MessageChannelData(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) {
2205 proto_item *pi;
2206 proto_tree *next_tree;
2207 int offset = 0;
2208 uint32_t flags = 0;
2209
2210 rdp_field_info_t secFlags_fields[] = {
2211 {&hf_rdp_flagsTransportReq, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2212 {&hf_rdp_flagsTransportResp, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2213 {&hf_rdp_flagsAutodetectReq, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2214 {&hf_rdp_flagsAutodetectResp,2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2215 {&hf_rdp_flagsHeartbeat, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2216 FI_TERMINATOR
2217 };
2218
2219 rdp_field_info_t se_fields[] = {
2220 FI_SUBTREE(&hf_rdp_flags, 2, ett_rdp_flags, secFlags_fields),
2221 FI_FIXEDLEN(&hf_rdp_flagsHi, 2),
2222 FI_TERMINATOR
2223 };
2224
2225 tree = dissect_rdp(tvb, pinfo, tree);
2226 pi = proto_tree_add_item(tree, hf_rdp_MessageData, tvb, offset, -1, ENC_NA);
2227 tree = proto_item_add_subtree(pi, ett_rdp_MessageData);
2228
2229 flags = tvb_get_letohs(tvb, offset);
2230 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, se_fields, 0);
2231
2232 if (flags & SEC_TRANSPORT_REQ) {
2233 uint16_t reqProto;
2234 rdp_transports_key_t transport_key;
2235 rdp_transports_link_t *transport_link;
2236
2237 rdp_field_info_t mt_req_fields[] = {
2238 { &hf_rdp_mt_req_requestId, 4, NULL, 0, 0, NULL },
2239 { &hf_rdp_mt_req_protocol, 2, NULL, 0, 0, NULL },
2240 { &hf_rdp_mt_req_reserved, 2, NULL, 0, 0, NULL },
2241 { &hf_rdp_mt_req_securityCookie, 16, NULL, 0, 0, NULL },
2242 FI_TERMINATOR
2243 };
2244 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "MultiTransportRequest");
2245
2246 reqProto = tvb_get_uint16(tvb, offset + 4, ENC_LITTLE_ENDIAN);
2247
2248 transport_key.reliable = !!(reqProto & INITITATE_REQUEST_PROTOCOL_UDPFECR);
2249 transport_key.requestId = tvb_get_uint32(tvb, offset, ENC_LITTLE_ENDIAN);
2250 copy_address_shallow(&transport_key.serverAddr, &pinfo->src);
2251 transport_key.serverPort = pinfo->srcport;
2252 tvb_memcpy(tvb, transport_key.securityCookie, offset + 8, 16);
2253
2254 transport_link = (rdp_transports_link_t *)wmem_map_lookup(rdp_transport_links, &transport_key);
2255 if (!transport_link) {
2256 transport_link = wmem_new(wmem_file_scope(), rdp_transports_link_t);
2257
2258 memcpy(&transport_link->key, &transport_key, sizeof(transport_key));
2259 copy_address_wmem(wmem_file_scope(), &transport_key.serverAddr, &pinfo->src);
2260 transport_link->tcp_conversation = find_or_create_conversation(pinfo);
2261
2262 wmem_map_insert(rdp_transport_links, &transport_link->key , transport_link);
2263 }
2264
2265 next_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
2266 ett_rdp_mt_req, NULL, "MultiTransport request");
2267 offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree, mt_req_fields, 0);
2268
2269 } else if (flags & SEC_TRANSPORT_RSP) {
2270 rdp_field_info_t mt_resp_fields[] = {
2271 { &hf_rdp_mt_rsp_requestId, 4, NULL, 0, 0, NULL },
2272 { &hf_rdp_mt_rsp_hrResponse, 4, NULL, 0, 0, NULL },
2273 FI_TERMINATOR
2274 };
2275
2276 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "MultiTransport response");
2277
2278 next_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
2279 ett_rdp_mt_rsp, NULL, "MultiTransport response");
2280 dissect_rdp_fields(tvb, offset, pinfo, next_tree, mt_resp_fields, 0);
2281
2282 } else if (flags & SEC_AUTODETECT_REQ) {
2283 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "Autodetect Req");
2284
2285 next_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
2286 ett_rdp_mt_req, NULL, "Autodetect request");
2287 offset = dissect_rdp_bandwidth_req(tvb, offset, pinfo, next_tree, rdp_isServerAddressTarget(pinfo));
2288 } else if (flags & SEC_AUTODETECT_RSP) {
2289 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "Autodetect Resp");
2290
2291 next_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
2292 ett_rdp_mt_req, NULL, "Autodetect response");
2293 offset = dissect_rdp_bandwidth_req(tvb, offset, pinfo, next_tree, rdp_isServerAddressTarget(pinfo));
2294 } else if (flags & SEC_HEARTBEAT) {
2295 rdp_field_info_t heartbeat_fields[] = {
2296 { &hf_rdp_heartbeat_reserved, 1, NULL, 0, 0, NULL },
2297 { &hf_rdp_heartbeat_period, 1, NULL, 0, 0, NULL },
2298 { &hf_rdp_heartbeat_count1, 1, NULL, 0, 0, NULL },
2299 { &hf_rdp_heartbeat_count2, 1, NULL, 0, 0, NULL },
2300 FI_TERMINATOR
2301 };
2302
2303 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "Heartbeat");
2304
2305 next_tree = proto_tree_add_subtree(tree, tvb, offset, -1,
2306 ett_rdp_heartbeat, NULL, "Heartbeat");
2307
2308 offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree,
2309 heartbeat_fields, 0);
2310 }
2311
2312 return offset;
2313 }
2314
2315 static int
2316 dissect_rdp_SendData(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) {
2317 proto_item *pi;
2318 int offset = 0;
2319 uint32_t flags = 0;
2320 uint32_t cbDomain, cbUserName, cbPassword, cbAlternateShell, cbWorkingDir,
2321 cbClientAddress, cbClientDir, cbAutoReconnectLen, wBlobLen, cbDynamicDSTTimeZoneKeyName, pduType = 0;
2322 uint32_t bMsgType = 0xffffffff;
2323 uint32_t encryptedLen = 0;
2324 conversation_t *conversation;
2325 rdp_conv_info_t *rdp_info;
2326
2327 rdp_field_info_t secFlags_fields[] = {
2328 {&hf_rdp_flagsPkt, 2, &flags, 0, RDP_FI_NOINCOFFSET, NULL },
2329 {&hf_rdp_flagsEncrypt, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2330 {&hf_rdp_flagsResetSeqno, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2331 {&hf_rdp_flagsIgnoreSeqno, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2332 {&hf_rdp_flagsLicenseEncrypt,2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2333 {&hf_rdp_flagsSecureChecksum,2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2334 {&hf_rdp_flagsFlagsHiValid, 2, NULL , 0, RDP_FI_NOINCOFFSET, NULL },
2335 FI_TERMINATOR
2336 };
2337
2338 rdp_field_info_t se_fields[] = {
2339 FI_SUBTREE(&hf_rdp_flags, 2, ett_rdp_flags, secFlags_fields),
2340 FI_FIXEDLEN(&hf_rdp_flagsHi, 2),
2341 {&hf_rdp_length, 4, &encryptedLen, 0, 0, NULL },
2342 {&hf_rdp_encryptedClientRandom, 0, &encryptedLen, 0, 0, NULL },
2343 FI_TERMINATOR
2344 };
2345 rdp_field_info_t systime_fields [] = {
2346 FI_FIXEDLEN(&hf_rdp_wYear , 2),
2347 FI_FIXEDLEN(&hf_rdp_wMonth , 2),
2348 FI_FIXEDLEN(&hf_rdp_wDayOfWeek , 2),
2349 FI_FIXEDLEN(&hf_rdp_wDay , 2),
2350 FI_FIXEDLEN(&hf_rdp_wHour , 2),
2351 FI_FIXEDLEN(&hf_rdp_wMinute , 2),
2352 FI_FIXEDLEN(&hf_rdp_wSecond , 2),
2353 FI_FIXEDLEN(&hf_rdp_wMilliseconds, 2),
2354 FI_TERMINATOR,
2355 };
2356 rdp_field_info_t tz_info_fields [] = {
2357 FI_FIXEDLEN(&hf_rdp_Bias, 4),
2358 {&hf_rdp_StandardName, 64, NULL, 0, RDP_FI_STRING|RDP_FI_UNICODE, NULL },
2359 FI_SUBTREE(&hf_rdp_StandardDate, 16, ett_rdp_StandardDate, systime_fields),
2360 FI_FIXEDLEN(&hf_rdp_StandardBias, 4),
2361 {&hf_rdp_DaylightName, 64, NULL, 0, RDP_FI_STRING|RDP_FI_UNICODE, NULL },
2362 FI_SUBTREE(&hf_rdp_DaylightDate, 16, ett_rdp_DaylightDate, systime_fields),
2363 FI_FIXEDLEN(&hf_rdp_DaylightBias, 4),
2364 FI_TERMINATOR,
2365 };
2366
2367 rdp_field_info_t ue_fields[] = {
2368 {&hf_rdp_codePage, 4, NULL, 0, 0, NULL },
2369 {&hf_rdp_optionFlags, 4, NULL, 0, RDP_FI_INFO_FLAGS, NULL },
2370 {&hf_rdp_cbDomain, 2, &cbDomain, 2, 0, NULL },
2371 {&hf_rdp_cbUserName, 2, &cbUserName, 2, 0, NULL },
2372 {&hf_rdp_cbPassword, 2, &cbPassword, 2, 0, NULL },
2373 {&hf_rdp_cbAlternateShell, 2, &cbAlternateShell, 2, 0, NULL },
2374 {&hf_rdp_cbWorkingDir, 2, &cbWorkingDir, 2, 0, NULL },
2375 {&hf_rdp_domain, 0, &cbDomain, 0, RDP_FI_STRING, NULL },
2376 {&hf_rdp_userName, 0, &cbUserName, 0, RDP_FI_STRING, NULL },
2377 {&hf_rdp_password, 0, &cbPassword, 0, RDP_FI_STRING, NULL },
2378 {&hf_rdp_alternateShell, 0, &cbAlternateShell, 0, RDP_FI_STRING, NULL },
2379 {&hf_rdp_workingDir, 0, &cbWorkingDir, 0, RDP_FI_STRING, NULL },
2380 {&hf_rdp_clientAddressFamily,2, NULL, 0, 0, NULL },
2381 {&hf_rdp_cbClientAddress, 2, &cbClientAddress, 0, 0, NULL },
2382 {&hf_rdp_clientAddress, 0, &cbClientAddress, 0, RDP_FI_STRING, NULL },
2383 {&hf_rdp_cbClientDir, 2, &cbClientDir, 0, 0, NULL },
2384 {&hf_rdp_clientDir, 0, &cbClientDir, 0, RDP_FI_STRING, NULL },
2385 FI_SUBTREE(&hf_rdp_clientTimeZone, 172, ett_rdp_clientTimeZone, tz_info_fields),
2386 {&hf_rdp_clientSessionId, 4, NULL, 0, 0, NULL },
2387 {&hf_rdp_performanceFlags, 4, NULL, 0, 0, NULL },
2388 {&hf_rdp_cbAutoReconnectLen, 2, &cbAutoReconnectLen, 0, 0, NULL },
2389 {&hf_rdp_autoReconnectCookie,0, &cbAutoReconnectLen, 0, 0, NULL },
2390 {&hf_rdp_reserved1, 2, NULL, 0, 0, NULL },
2391 {&hf_rdp_reserved2, 2, NULL, 0, 0, NULL },
2392 {&hf_rdp_cbDynamicDSTTimeZoneKeyName, 2, &cbDynamicDSTTimeZoneKeyName, 0, 0, NULL },
2393 {&hf_rdp_dynamicDSTTimeZoneKeyName, 0, &cbDynamicDSTTimeZoneKeyName, 0, RDP_FI_STRING, NULL },
2394 {&hf_rdp_dynamicDaylightTimeDisabled, 2, NULL, 0, 0, NULL },
2395 FI_TERMINATOR
2396 };
2397 rdp_field_info_t msg_fields[] = {
2398 {&hf_rdp_bMsgType, 1, &bMsgType, 0, 0, NULL },
2399 {&hf_rdp_bVersion, 1, NULL, 0, 0, NULL },
2400 {&hf_rdp_wMsgSize, 2, NULL, 0, 0, NULL },
2401 FI_TERMINATOR
2402 };
2403 rdp_field_info_t error_fields[] = {
2404 {&hf_rdp_wErrorCode, 4, NULL, 0, 0, NULL },
2405 {&hf_rdp_wStateTransition, 4, NULL, 0, 0, NULL },
2406 {&hf_rdp_wBlobType, 2, NULL, 0, 0, NULL },
2407 {&hf_rdp_wBlobLen, 2, &wBlobLen, 0, 0, NULL },
2408 {&hf_rdp_blobData, 0, &wBlobLen, 0, 0, NULL },
2409 FI_TERMINATOR
2410 };
2411
2412 rdp_field_info_t pdu_fields[] = {
2413 {&hf_rdp_pduTypeType, 2, &pduType, 0, RDP_FI_NOINCOFFSET, NULL },
2414 {&hf_rdp_pduTypeVersionLow, 2, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
2415 {&hf_rdp_pduTypeVersionHigh, 2, NULL, 0, 0, NULL },
2416 FI_TERMINATOR
2417 };
2418 rdp_field_info_t ctrl_fields[] = {
2419 {&hf_rdp_totalLength, 2, NULL, 0, 0, NULL },
2420 {&hf_rdp_pduType, 2, NULL, ett_rdp_pduType, RDP_FI_SUBTREE,
2421 pdu_fields },
2422 {&hf_rdp_pduSource, 2, NULL, 0, 0, NULL },
2423 FI_TERMINATOR
2424 };
2425
2426 tree = dissect_rdp(tvb, pinfo, tree);
2427
2428 pi = proto_tree_add_item(tree, hf_rdp_SendData, tvb, offset, -1, ENC_NA);
2429 tree = proto_item_add_subtree(pi, ett_rdp_SendData);
2430
2431 conversation = find_or_create_conversation(pinfo);
2432 rdp_info = (rdp_conv_info_t *)conversation_get_proto_data(conversation, proto_rdp);
2433
2434 if (rdp_info &&
2435 ((rdp_info->licenseAgreed == 0) ||
2436 (pinfo->num <= rdp_info->licenseAgreed))) {
2437 /* licensing stage hasn't been completed */
2438 proto_tree *next_tree;
2439
2440 flags = tvb_get_letohs(tvb, offset);
2441
2442 switch(flags & SEC_PKT_MASK) {
2443 case SEC_EXCHANGE_PKT:
2444 pi = proto_tree_add_item(tree, hf_rdp_securityExchangePDU, tvb, offset, -1, ENC_NA);
2445 next_tree = proto_item_add_subtree(pi, ett_rdp_securityExchangePDU);
2446
2447 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "SecurityExchange");
2448
2449 /*offset=*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, se_fields, 0);
2450
2451 break;
2452
2453 case SEC_INFO_PKT:
2454 pi = proto_tree_add_item(tree, hf_rdp_clientInfoPDU, tvb, offset, -1, ENC_NA);
2455 next_tree = proto_item_add_subtree(pi, ett_rdp_clientInfoPDU);
2456
2457 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "ClientInfo");
2458
2459 offset = dissect_rdp_securityHeader(tvb, offset, pinfo, next_tree, rdp_info, true, NULL);
2460
2461 if (!(flags & SEC_ENCRYPT)) {
2462
2463 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, ue_fields, 0);
2464 } else {
2465
2466 /*offset =*/ dissect_rdp_encrypted(tvb, offset, pinfo, next_tree, NULL);
2467 }
2468 break;
2469
2470 case SEC_LICENSE_PKT:
2471 pi = proto_tree_add_item(tree, hf_rdp_validClientLicenseData, tvb, offset, -1, ENC_NA);
2472 next_tree = proto_item_add_subtree(pi, ett_rdp_validClientLicenseData);
2473
2474 offset = dissect_rdp_securityHeader(tvb, offset, pinfo, next_tree, rdp_info, true, NULL);
2475 if (!(flags & SEC_ENCRYPT)) {
2476
2477 offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree, msg_fields, 0);
2478
2479 col_append_sep_str(pinfo->cinfo, COL_INFO, ", ", val_to_str_const(bMsgType, rdp_bMsgType_vals, "Unknown"));
2480
2481 switch(bMsgType) {
2482 case LICENSE_REQUEST:
2483 case PLATFORM_CHALLENGE:
2484 case NEW_LICENSE:
2485 case UPGRADE_LICENSE:
2486 case LICENSE_INFO:
2487 case NEW_LICENSE_REQUEST:
2488 case PLATFORM_CHALLENGE_RESPONSE:
2489 /* RDPELE Not supported */
2490 /*offset =*/ dissect_rdp_nyi(tvb, offset, pinfo, next_tree, "RDPELE not implemented");
2491 break;
2492 case ERROR_ALERT:
2493 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, error_fields, 0);
2494 rdp_info->licenseAgreed = pinfo->num;
2495 break;
2496 default:
2497 /* Unknown msgType */
2498 break;
2499 }
2500 } else {
2501 /*offset =*/ dissect_rdp_encrypted(tvb, offset, pinfo, next_tree, NULL);
2502
2503 /* XXX: we assume the license is agreed in this exchange */
2504 rdp_info->licenseAgreed = pinfo->num;
2505 }
2506 break;
2507
2508 case SEC_REDIRECTION_PKT:
2509 /* NotYetImplemented */
2510 break;
2511
2512 default:
2513 break;
2514 }
2515
2516 return tvb_captured_length(tvb);
2517 } /* licensing stage */
2518
2519 if (rdp_info && (t124_get_last_channelId() == rdp_info->staticChannelId)) {
2520
2521 offset = dissect_rdp_securityHeader(tvb, offset, pinfo, tree, rdp_info, false, &flags);
2522
2523 if (!(flags & SEC_ENCRYPT)) {
2524 proto_tree *next_tree;
2525 pi = proto_tree_add_item(tree, hf_rdp_shareControlHeader, tvb, offset, -1, ENC_NA);
2526 next_tree = proto_item_add_subtree(pi, ett_rdp_shareControlHeader);
2527
2528 offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree, ctrl_fields, 0);
2529
2530 pduType &= PDUTYPE_TYPE_MASK; /* mask out just the type */
2531
2532 if (pduType != PDUTYPE_DATAPDU)
2533 col_append_sep_str(pinfo->cinfo, COL_INFO, ", ", val_to_str_const(pduType, rdp_pduTypeType_vals, "Unknown"));
2534
2535 switch(pduType) {
2536 case PDUTYPE_DEMANDACTIVEPDU:
2537 /*offset =*/ dissect_rdp_demandActivePDU(tvb, offset, pinfo, next_tree);
2538 break;
2539 case PDUTYPE_CONFIRMACTIVEPDU:
2540 /*offset =*/ dissect_rdp_confirmActivePDU(tvb, offset, pinfo, next_tree);
2541 break;
2542 case PDUTYPE_DEACTIVATEALLPDU:
2543 break;
2544 case PDUTYPE_DATAPDU:
2545 /*offset =*/ dissect_rdp_shareDataHeader(tvb, offset, pinfo, next_tree);
2546 break;
2547 case PDUTYPE_SERVER_REDIR_PKT:
2548 break;
2549 default:
2550 break;
2551 }
2552 } else {
2553
2554 /*offset =*/ dissect_rdp_encrypted(tvb, offset, pinfo, tree, NULL);
2555 }
2556
2557 /* we may get multiple control headers in a single frame */
2558 col_set_fence(pinfo->cinfo, COL_INFO);
2559
2560 return tvb_captured_length(tvb);
2561 } /* (rdp_info && (t124_get_last_channelId() == rdp_info->staticChannelId)) */
2562
2563 /* Virtual Channel */
2564 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "Virtual Channel PDU");
2565
2566 offset = dissect_rdp_securityHeader(tvb, offset, pinfo, tree, rdp_info, false, &flags);
2567
2568 if (!(flags & SEC_ENCRYPT))
2569 /*offset =*/ dissect_rdp_channelPDU(tvb, offset, pinfo, tree);
2570 else
2571 /*offset =*/ dissect_rdp_encrypted(tvb, offset, pinfo, tree, "Channel PDU");
2572
2573 return tvb_captured_length(tvb);
2574 }
2575
2576 static int
2577 dissect_rdp_monitor(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
2578
2579 uint32_t monitorCount, i;
2580 proto_item *monitorDef_item;
2581 proto_tree *monitorDef_tree;
2582
2583 rdp_field_info_t monitor_fields[] = {
2584 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2585 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2586 {&hf_rdp_monitorFlags, 4, NULL, 0, 0, NULL },
2587 {&hf_rdp_monitorCount, 4, &monitorCount, 0, 0, NULL },
2588 FI_TERMINATOR
2589 };
2590
2591 rdp_field_info_t monitorDef_fields[] = {
2592 {&hf_rdp_monitorDefLeft, 4, NULL, 0, 0, NULL },
2593 {&hf_rdp_monitorDefTop, 4, NULL, 0, 0, NULL },
2594 {&hf_rdp_monitorDefRight, 4, NULL, 0, 0, NULL },
2595 {&hf_rdp_monitorDefBottom, 4, NULL, 0, 0, NULL },
2596 {&hf_rdp_monitorDefFlags, 4, NULL, 0, 0, NULL },
2597 FI_TERMINATOR
2598 };
2599
2600 offset = dissect_rdp_fields(tvb, offset, pinfo, tree, monitor_fields, 0);
2601 for (i = 0; i < monitorCount; i++) {
2602 monitorDef_item = proto_tree_add_item(tree, hf_rdp_clientMonitorDefData, tvb, offset, 20, ENC_NA);
2603 monitorDef_tree = proto_item_add_subtree(monitorDef_item, ett_rdp_clientMonitorDefData);
2604
2605 offset = dissect_rdp_fields(tvb, offset, pinfo, monitorDef_tree, monitorDef_fields, 0);
2606 }
2607
2608 return offset;
2609 }
2610
2611 static int
2612 dissect_rdp_ClientData(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) {
2613 int offset = 0;
2614 proto_item *pi;
2615 proto_tree *next_tree;
2616 uint16_t type;
2617 unsigned length;
2618 rdp_conv_info_t *rdp_info;
2619
2620 rdp_field_info_t header_fields[] = {
2621 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2622 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2623 FI_TERMINATOR
2624 };
2625 rdp_field_info_t core_fields[] = {
2626 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2627 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2628 {&hf_rdp_versionMajor, 2, NULL, 0, 0, NULL },
2629 {&hf_rdp_versionMinor, 2, NULL, 0, 0, NULL },
2630 {&hf_rdp_desktopWidth, 2, NULL, 0, 0, NULL },
2631 {&hf_rdp_desktopHeight, 2, NULL, 0, 0, NULL },
2632 {&hf_rdp_colorDepth, 2, NULL, 0, 0, NULL },
2633 {&hf_rdp_SASSequence, 2, NULL, 0, 0, NULL },
2634 {&hf_rdp_keyboardLayout, 4, NULL, 0, 0, NULL },
2635 {&hf_rdp_clientBuild, 4, NULL, 0, 0, NULL },
2636 {&hf_rdp_clientName, 32, NULL, 0, RDP_FI_STRING|RDP_FI_UNICODE, NULL },
2637 {&hf_rdp_keyboardType, 4, NULL, 0, 0, NULL },
2638 {&hf_rdp_keyboardSubType, 4, NULL, 0, 0, NULL },
2639 {&hf_rdp_keyboardFunctionKey, 4, NULL, 0, 0, NULL },
2640 {&hf_rdp_imeFileName, 64, NULL, 0, 0, NULL },
2641 /* The following fields are *optional*. */
2642 /* I.E., a sequence of one or more of the trailing */
2643 /* fields at the end of the Data Block need not be */
2644 /* present. The length from the header field determines */
2645 /* the actual number of fields which are present. */
2646 {&hf_rdp_postBeta2ColorDepth, 2, NULL, 0, 0, NULL },
2647 {&hf_rdp_clientProductId, 2, NULL, 0, 0, NULL },
2648 {&hf_rdp_serialNumber, 4, NULL, 0, 0, NULL },
2649 {&hf_rdp_highColorDepth, 2, NULL, 0, 0, NULL },
2650 {&hf_rdp_supportedColorDepths, 2, NULL, 0, 0, NULL },
2651 {&hf_rdp_earlyCapabilityFlags, 2, NULL, 0, 0, NULL },
2652 {&hf_rdp_clientDigProductId, 64, NULL, 0, RDP_FI_STRING|RDP_FI_UNICODE, NULL }, /* XXX - is this always a string? MS-RDPBCGR doesn't say so */
2653 {&hf_rdp_connectionType, 1, NULL, 0, 0, NULL },
2654 {&hf_rdp_pad1octet, 1, NULL, 0, 0, NULL },
2655 {&hf_rdp_serverSelectedProtocol, 4, NULL, 0, 0, NULL },
2656 FI_TERMINATOR
2657 };
2658 rdp_field_info_t security_fields[] = {
2659 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2660 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2661 {&hf_rdp_encryptionMethods, 4, NULL, 0, 0, NULL },
2662 {&hf_rdp_extEncryptionMethods, 4, NULL, 0, 0, NULL },
2663 FI_TERMINATOR
2664 };
2665
2666 rdp_field_info_t secFlags_fields[] = {
2667 {&hf_rdp_cluster_redirectionSupported, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
2668 {&hf_rdp_cluster_sessionIdValid, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
2669 {&hf_rdp_cluster_redirectionVersion, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
2670 {&hf_rdp_cluster_redirectedSmartcard, 4, NULL, 0, RDP_FI_NOINCOFFSET, NULL },
2671 FI_TERMINATOR
2672 };
2673
2674 rdp_field_info_t cluster_fields[] = {
2675 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2676 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2677 FI_SUBTREE(&hf_rdp_cluster_flags, 4, ett_rdp_clientClusterFlags, secFlags_fields),
2678 {&hf_rdp_redirectedSessionId, 4, NULL, 0, 0, NULL },
2679 FI_TERMINATOR
2680 };
2681 rdp_field_info_t msgchannel_fields[] = {
2682 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2683 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2684 {&hf_rdp_msgChannelFlags, 4, NULL, 0, 0, NULL },
2685 FI_TERMINATOR
2686 };
2687 rdp_field_info_t monitorex_fields[] = {
2688 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2689 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2690 {&hf_rdp_monitorExFlags, 4, NULL, 0, 0, NULL },
2691 {&hf_rdp_monitorAttributeSize, 4, NULL, 0, 0, NULL },
2692 {&hf_rdp_monitorCount, 4, NULL, 0, 0, NULL },
2693 FI_TERMINATOR
2694 };
2695
2696 rdp_field_info_t multitransport_fields[] = {
2697 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2698 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2699 {&hf_rdp_multiTransportFlags, 4, NULL, 0, 0, NULL },
2700 FI_TERMINATOR
2701 };
2702
2703 tree = dissect_rdp(tvb, pinfo, tree);
2704
2705 rdp_info = rdp_get_conversation_data(pinfo);
2706
2707 copy_address_wmem(wmem_file_scope(), &rdp_info->serverAddr.addr, &pinfo->dst);
2708 rdp_info->serverAddr.port = pinfo->destport;
2709
2710 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "ClientData");
2711
2712 pi = proto_tree_add_item(tree, hf_rdp_ClientData, tvb, offset, -1, ENC_NA);
2713 tree = proto_item_add_subtree(pi, ett_rdp_ClientData);
2714
2715 /* Advance through the data blocks using the length from the header for each block.
2716 * ToDo: Expert if actual amount dissected (based upon field array) is not equal to length ??
2717 * Note: If length is less than the header size (4 bytes) offset is advanced by 4 bytes
2718 * to ensure that dissection eventually terminates.
2719 */
2720
2721 while (tvb_reported_length_remaining(tvb, offset) > 0) {
2722
2723 type = tvb_get_letohs(tvb, offset);
2724 length = tvb_get_letohs(tvb, offset+2);
2725
2726 #if 0
2727 printf("offset=%d, type=%x, length=%d, remaining=%d\n",
2728 offset, type, length, tvb_captured_length_remaining(tvb, offset));
2729 #endif
2730
2731 switch(type) {
2732 case CS_CORE:
2733 pi = proto_tree_add_item(tree, hf_rdp_clientCoreData, tvb, offset, length, ENC_NA);
2734 next_tree = proto_item_add_subtree(pi, ett_rdp_clientCoreData);
2735 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, core_fields, length);
2736 break;
2737
2738 case CS_SECURITY:
2739 pi = proto_tree_add_item(tree, hf_rdp_clientSecurityData, tvb, offset, length, ENC_NA);
2740 next_tree = proto_item_add_subtree(pi, ett_rdp_clientSecurityData);
2741 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, security_fields, 0);
2742 break;
2743
2744 case CS_NET:
2745 /*offset =*/ dissect_rdp_clientNetworkData(tvb, offset, pinfo, tree, length, rdp_info);
2746 break;
2747
2748 case CS_CLUSTER:
2749 pi = proto_tree_add_item(tree, hf_rdp_clientClusterData, tvb, offset, length, ENC_NA);
2750 next_tree = proto_item_add_subtree(pi, ett_rdp_clientClusterData);
2751 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, cluster_fields, 0);
2752
2753 break;
2754
2755 case CS_MONITOR:
2756 pi = proto_tree_add_item(tree, hf_rdp_clientMonitorData, tvb, offset, length, ENC_NA);
2757 next_tree = proto_item_add_subtree(pi, ett_rdp_clientMonitorData);
2758 /*offset =*/ dissect_rdp_monitor(tvb, offset, pinfo, next_tree);
2759 break;
2760
2761 case CS_MONITOR_EX:
2762 pi = proto_tree_add_item(tree, hf_rdp_clientMonitorExData, tvb, offset, length, ENC_NA);
2763 next_tree = proto_item_add_subtree(pi, ett_rdp_clientMonitorExData);
2764 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, monitorex_fields, 0);
2765 break;
2766
2767 case CS_MCS_MSGCHANNEL:
2768 pi = proto_tree_add_item(tree, hf_rdp_clientMsgChannelData, tvb, offset, length, ENC_NA);
2769 next_tree = proto_item_add_subtree(pi, ett_rdp_clientMsgChannelData);
2770 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, msgchannel_fields, 0);
2771 break;
2772
2773 case CS_MULTITRANSPORT:
2774 pi = proto_tree_add_item(tree, hf_rdp_clientMultiTransportData, tvb, offset, length, ENC_NA);
2775 next_tree = proto_item_add_subtree(pi, ett_rdp_clientMultiTransportData);
2776 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, multitransport_fields, 0);
2777 break;
2778
2779 default: /* unknown */
2780 pi = proto_tree_add_item(tree, hf_rdp_clientUnknownData, tvb, offset, length, ENC_NA);
2781 next_tree = proto_item_add_subtree(pi, ett_rdp_clientUnknownData);
2782 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, header_fields, 0);
2783 break;
2784 }
2785 offset += MAX(4, length); /* Use length from header, but advance at least 4 bytes */
2786 }
2787 return tvb_captured_length(tvb);
2788 }
2789
2790 static int
2791 dissect_rdp_ServerData(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) {
2792 int offset = 0;
2793 proto_item *pi;
2794 proto_tree *next_tree;
2795 uint16_t type;
2796 unsigned length;
2797 uint32_t serverRandomLen = 0;
2798 uint32_t serverCertLen = 0;
2799 uint32_t encryptionMethod = 0;
2800 uint32_t encryptionLevel = 0;
2801 uint32_t channelCount = 0;
2802 uint32_t channelId = 0;
2803 uint32_t messageChannelId = 0;
2804 unsigned i;
2805 rdp_conv_info_t *rdp_info;
2806
2807 rdp_field_info_t header_fields[] = {
2808 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2809 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2810 FI_TERMINATOR
2811 };
2812 rdp_field_info_t sc_fields[] = {
2813 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2814 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2815 {&hf_rdp_versionMajor, 2, NULL, 0, 0, NULL },
2816 {&hf_rdp_versionMinor, 2, NULL, 0, 0, NULL },
2817 /* The following fields are *optional*. */
2818 /* I.E., a sequence of one or more of the trailing */
2819 /* fields at the end of the Data Block need not be */
2820 /* present. The length from the header field determines */
2821 /* the actual number of fields which are present. */
2822 {&hf_rdp_clientRequestedProtocols, 4, NULL, 0, 0, NULL },
2823 {&hf_rdp_earlyCapabilityFlags, 2, NULL, 0, 0, NULL },
2824 FI_TERMINATOR
2825 };
2826 rdp_field_info_t ss_fields[] = {
2827 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2828 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2829 {&hf_rdp_encryptionMethod, 4, &encryptionMethod, 0, 0, NULL },
2830 {&hf_rdp_encryptionLevel, 4, &encryptionLevel, 0, 0, NULL },
2831 FI_TERMINATOR
2832 };
2833 rdp_field_info_t encryption_fields[] = {
2834 {&hf_rdp_serverRandomLen, 4, &serverRandomLen, 0, 0, NULL },
2835 {&hf_rdp_serverCertLen, 4, &serverCertLen, 0, 0, NULL },
2836 {&hf_rdp_serverRandom, 0, &serverRandomLen, 0, 0, NULL },
2837 {&hf_rdp_serverCertificate, 0, &serverCertLen, 0, 0, NULL },
2838 FI_TERMINATOR
2839 };
2840 rdp_field_info_t sn_fields[] = {
2841 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2842 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2843 {&hf_rdp_MCSChannelId, 2, &channelId, 0, 0, NULL },
2844 {&hf_rdp_channelCount, 2, &channelCount, 0, 0, NULL },
2845 FI_TERMINATOR
2846 };
2847 rdp_field_info_t array_fields[] = {
2848 {&hf_rdp_channelIdArray, 0 /*(channelCount * 2)*/, NULL, 0, 0, NULL },
2849 FI_TERMINATOR
2850 };
2851 rdp_field_info_t channel_fields[] = {
2852 {&hf_rdp_MCSChannelId, 2, &channelId, 0, 0, NULL },
2853 FI_TERMINATOR
2854 };
2855 rdp_field_info_t pad_fields[] = {
2856 {&hf_rdp_Pad, 2, NULL, 0, 0, NULL },
2857 FI_TERMINATOR
2858 };
2859 rdp_field_info_t msgchannel_fields[] = {
2860 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2861 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2862 {&hf_rdp_msgChannelId, 2, &messageChannelId, 0, 0, NULL },
2863 FI_TERMINATOR
2864 };
2865 rdp_field_info_t multitransport_fields[] = {
2866 {&hf_rdp_headerType, 2, NULL, 0, 0, NULL },
2867 {&hf_rdp_headerLength, 2, NULL, 0, 0, NULL },
2868 {&hf_rdp_multiTransportFlags, 4, NULL, 0, 0, NULL },
2869 FI_TERMINATOR
2870 };
2871
2872 tree = dissect_rdp(tvb, pinfo, tree);
2873
2874 rdp_info = rdp_get_conversation_data(pinfo);
2875
2876 col_append_sep_str(pinfo->cinfo, COL_INFO, " ", "ServerData");
2877
2878 pi = proto_tree_add_item(tree, hf_rdp_ServerData, tvb, offset, -1, ENC_NA);
2879 tree = proto_item_add_subtree(pi, ett_rdp_ServerData);
2880
2881 /* Advance through the data blocks using the length from the header for each block.
2882 * ToDo: Expert if actual amount dissected (based upon field array) is not equal to length ??
2883 * Note: If length is less than the header size (4 bytes) offset is advanced by 4 bytes
2884 * to ensure that dissection eventually terminates.
2885 */
2886 while (tvb_reported_length_remaining(tvb, offset) > 0) {
2887
2888 type = tvb_get_letohs(tvb, offset);
2889 length = tvb_get_letohs(tvb, offset+2);
2890
2891 /* printf("offset=%d, type=%x, length=%d, remaining=%d\n",
2892 offset, type, length, tvb_captured_length_remaining(tvb, offset)); */
2893
2894 switch(type) {
2895 case SC_CORE:
2896 pi = proto_tree_add_item(tree, hf_rdp_serverCoreData, tvb, offset, length, ENC_NA);
2897 next_tree = proto_item_add_subtree(pi, ett_rdp_serverCoreData);
2898 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, sc_fields, length);
2899 break;
2900
2901 case SC_SECURITY: {
2902 int lcl_offset;
2903 pi = proto_tree_add_item(tree, hf_rdp_serverSecurityData, tvb, offset, length, ENC_NA);
2904 next_tree = proto_item_add_subtree(pi, ett_rdp_serverSecurityData);
2905
2906 lcl_offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree, ss_fields, 0);
2907
2908 col_append_sep_fstr(pinfo->cinfo, COL_INFO, " ", "Encryption: %s (%s)",
2909 val_to_str_const(encryptionMethod, rdp_encryptionMethod_vals, "Unknown"),
2910 val_to_str_const(encryptionLevel, rdp_encryptionLevel_vals, "Unknown"));
2911
2912 if ((encryptionLevel != 0) || (encryptionMethod != 0)) {
2913 /*lcl_offset =*/ dissect_rdp_fields(tvb, lcl_offset, pinfo, next_tree, encryption_fields, 0);
2914 }
2915
2916 rdp_info->encryptionMethod = encryptionMethod;
2917 rdp_info->encryptionLevel = encryptionLevel;
2918 break;
2919 }
2920
2921 case SC_NET: {
2922 int lcl_offset;
2923 pi = proto_tree_add_item(tree, hf_rdp_serverNetworkData, tvb, offset, length, ENC_NA);
2924 next_tree = proto_item_add_subtree(pi, ett_rdp_serverNetworkData);
2925
2926 lcl_offset = dissect_rdp_fields(tvb, offset, pinfo, next_tree, sn_fields, 0);
2927
2928 rdp_info->staticChannelId = channelId;
2929 register_t124_sd_dissector(pinfo, channelId, dissect_rdp_SendData, proto_rdp);
2930
2931 if (channelCount > 0) {
2932 array_fields[0].fixedLength = channelCount * 2;
2933 dissect_rdp_fields(tvb, lcl_offset, pinfo, next_tree, array_fields, 0);
2934
2935 if (next_tree)
2936 next_tree = proto_item_add_subtree(next_tree->last_child, ett_rdp_channelIdArray);
2937 for (i = 0; i < channelCount; i++) {
2938 lcl_offset = dissect_rdp_fields(tvb, lcl_offset, pinfo, next_tree, channel_fields, 0);
2939 if (i < RDP_MAX_CHANNELS) {
2940 rdp_info->staticChannels[i].value = channelId;
2941 //printf("%d: %s -> %d\n", pinfo->num, rdp_info->staticChannels[i].strptr, channelId);
2942 }
2943
2944 /* register SendData on this for now */
2945 register_t124_sd_dissector(pinfo, channelId, dissect_rdp_SendData, proto_rdp);
2946 }
2947 if (channelCount % 2)
2948 /*lcl_offset =*/ dissect_rdp_fields(tvb, lcl_offset, pinfo, next_tree, pad_fields, 0);
2949 }
2950 break;
2951 }
2952
2953 case SC_MCS_MSGCHANNEL:
2954 pi = proto_tree_add_item(tree, hf_rdp_serverMsgChannelData, tvb, offset, length, ENC_NA);
2955 next_tree = proto_item_add_subtree(pi, ett_rdp_serverMsgChannelData);
2956 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, msgchannel_fields, length);
2957 rdp_info->messageChannelId = messageChannelId;
2958 register_t124_sd_dissector(pinfo, messageChannelId, dissect_rdp_MessageChannelData, proto_rdp);
2959 break;
2960
2961 case SC_MULTITRANSPORT:
2962 pi = proto_tree_add_item(tree, hf_rdp_serverMultiTransportData, tvb, offset, length, ENC_NA);
2963 next_tree = proto_item_add_subtree(pi, ett_rdp_serverMultiTransportData);
2964 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, multitransport_fields, length);
2965 break;
2966
2967 default: /* unknown */
2968 pi = proto_tree_add_item(tree, hf_rdp_serverUnknownData, tvb, offset, length, ENC_NA);
2969 next_tree = proto_item_add_subtree(pi, ett_rdp_serverUnknownData);
2970
2971 /*offset =*/ dissect_rdp_fields(tvb, offset, pinfo, next_tree, header_fields, 0);
2972 break;
2973 }
2974 offset += MAX(4, length); /* Use length from header, but advance at least 4 bytes */
2975 }
2976 return tvb_captured_length(tvb);
2977 }
2978
2979 /* Dissect extra data in a CR PDU */
2980 static int
2981 dissect_rdpCorrelationInfo(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
2982 uint32_t type;
2983 uint32_t length;
2984 proto_item *type_item, *length_item;
2985
2986 type_item = proto_tree_add_item_ret_uint(tree, hf_rdp_neg_type, tvb, offset, 1, ENC_NA, &type);
2987 offset += 1;
2988 if (type != TYPE_RDP_CORRELATION_INFO) {
2989 expert_add_info(pinfo, type_item, &ei_rdp_not_correlation_info);
2990 return offset;
2991 }
2992 proto_tree_add_item(tree, hf_rdp_correlationInfo_flags, tvb, offset, 1, ENC_NA);
2993 offset += 1;
2994 length_item = proto_tree_add_item_ret_uint(tree, hf_rdp_neg_length, tvb, offset, 1, ENC_LITTLE_ENDIAN, &length);
2995 offset += 2;
2996 if (length != 36) {
2997 expert_add_info_format(pinfo, length_item, &ei_rdp_neg_len_invalid, "RDP Correlation Info length is %u, not 36", length);
2998 return offset;
2999 }
3000 proto_tree_add_item(tree, hf_rdp_correlationId, tvb, offset, 16, ENC_NA);
3001 offset += 16;
3002 proto_tree_add_item(tree, hf_rdp_correlationInfo_reserved, tvb, offset, 16, ENC_NA);
3003 offset += 16;
3004 return offset;
3005 }
3006
3007 static int
3008 dissect_rdpNegReq(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
3009 uint64_t flags;
3010 uint32_t length;
3011 proto_item *length_item;
3012 static int * const flag_bits[] = {
3013 &hf_rdp_negReq_flag_restricted_admin_mode_req,
3014 &hf_rdp_negReq_flag_redirected_auth_req,
3015 &hf_rdp_negReq_flag_correlation_info_present,
3016 NULL
3017 };
3018 static int * const requestedProtocols_bits[] = {
3019 &hf_rdp_requestedProtocols_flag_ssl,
3020 &hf_rdp_requestedProtocols_flag_hybrid,
3021 &hf_rdp_requestedProtocols_flag_rdstls,
3022 &hf_rdp_requestedProtocols_flag_hybrid_ex,
3023 NULL
3024 };
3025
3026 col_append_str(pinfo->cinfo, COL_INFO, "Negotiate Request");
3027
3028 proto_tree_add_item(tree, hf_rdp_neg_type, tvb, offset, 1, ENC_NA);
3029 offset += 1;
3030 proto_tree_add_bitmask_ret_uint64(tree, tvb, offset, hf_rdp_negReq_flags,
3031 ett_negReq_flags, flag_bits,
3032 ENC_LITTLE_ENDIAN, &flags);
3033 offset += 1;
3034 length_item = proto_tree_add_item_ret_uint(tree, hf_rdp_neg_length, tvb, offset, 1, ENC_LITTLE_ENDIAN, &length);
3035 offset += 2;
3036 if (length != 8) {
3037 expert_add_info_format(pinfo, length_item, &ei_rdp_neg_len_invalid, "RDP Negotiate Request length is %u, not 8", length);
3038 return offset;
3039 }
3040 proto_tree_add_bitmask(tree, tvb, offset, hf_rdp_requestedProtocols,
3041 ett_requestedProtocols, requestedProtocols_bits,
3042 ENC_LITTLE_ENDIAN);
3043 offset += 4;
3044 if (flags & CORRELATION_INFO_PRESENT)
3045 offset = dissect_rdpCorrelationInfo(tvb, offset, pinfo, tree);
3046 return offset;
3047 }
3048
3049 static int
3050 dissect_rdp_cr(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_)
3051 {
3052 int offset = 0;
3053 bool have_cookie = false;
3054 bool have_rdpNegRequest = false;
3055 proto_item *item;
3056 proto_tree *tree;
3057 int linelen, next_offset;
3058 const uint8_t *stringval;
3059 const char *sep = "";
3060
3061 /*
3062 * routingToken or cookie? Both begin with "Cookie: ".
3063 */
3064 if (tvb_memeql(tvb, offset, (const uint8_t*)"Cookie: ", 8) == 0 ||
3065 tvb_memeql(tvb, offset, (const uint8_t*)"tsv:", 4) == 0 ||
3066 tvb_memeql(tvb, offset, (const uint8_t*)"mth://", 6) == 0) {
3067 /* Looks like a routing token or cookie */
3068 have_cookie = true;
3069 } else if (tvb_bytes_exist(tvb, offset, 4) &&
3070 tvb_get_uint8(tvb, offset) == TYPE_RDP_NEG_REQ &&
3071 tvb_get_letohs(tvb, offset + 2) == 8) {
3072 /* Looks like a Negotiate Request (TYPE_RDP_NEG_REQ, length 8) */
3073 have_rdpNegRequest = true;
3074 }
3075 if (!have_cookie && !have_rdpNegRequest) {
3076 /* Doesn't look like our data */
3077 return 0;
3078 }
3079
3080 col_set_str(pinfo->cinfo, COL_PROTOCOL, "RDP");
3081 col_clear(pinfo->cinfo, COL_INFO);
3082
3083 item = proto_tree_add_item(parent_tree, proto_rdp, tvb, 0, -1, ENC_NA);
3084 tree = proto_item_add_subtree(item, ett_rdp);
3085
3086 if (have_cookie) {
3087 /* XXX - distinguish between routing token and cookie? */
3088 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, true);
3089 proto_tree_add_item_ret_string(tree, hf_rdp_rt_cookie, tvb, offset,
3090 linelen, ENC_ASCII|ENC_NA,
3091 pinfo->pool, &stringval);
3092 offset = (linelen == -1) ? (int)tvb_captured_length(tvb) : next_offset;
3093 col_append_str(pinfo->cinfo, COL_INFO, format_text(pinfo->pool, stringval, strlen(stringval)));
3094 sep = ", ";
3095 }
3096 /*
3097 * rdpNegRequest?
3098 */
3099 if (tvb_reported_length_remaining(tvb, offset) > 0) {
3100 col_append_str(pinfo->cinfo, COL_INFO, sep);
3101 offset = dissect_rdpNegReq(tvb, offset, pinfo, tree);
3102 }
3103 return offset; /* returns 0 if nothing was dissected, which is what we want */
3104 }
3105
3106 static bool
3107 dissect_rdp_cr_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
3108 {
3109 return dissect_rdp_cr(tvb, pinfo, tree, data) > 0;
3110 }
3111
3112 /* Dissect extra data in a CC PDU */
3113 static int
3114 dissect_rdpNegRsp(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
3115 uint32_t length;
3116 uint32_t selectedProto;
3117 proto_item *length_item;
3118 static int * const flag_bits[] = {
3119 &hf_rdp_negRsp_flag_extended_client_data_supported,
3120 &hf_rdp_negRsp_flag_dynvc_gfx_protocol_supported,
3121 &hf_rdp_negRsp_flag_restricted_admin_mode_supported,
3122 &hf_rdp_negRsp_flag_restricted_authentication_mode_supported,
3123 NULL
3124 };
3125
3126 col_append_str(pinfo->cinfo, COL_INFO, "Negotiate Response");
3127
3128 proto_tree_add_item(tree, hf_rdp_neg_type, tvb, offset, 1, ENC_NA);
3129 offset += 1;
3130 proto_tree_add_bitmask(tree, tvb, offset, hf_rdp_negRsp_flags,
3131 ett_negRsp_flags, flag_bits,
3132 ENC_LITTLE_ENDIAN);
3133 offset += 1;
3134 length_item = proto_tree_add_item_ret_uint(tree, hf_rdp_neg_length, tvb, offset, 1, ENC_LITTLE_ENDIAN, &length);
3135 offset += 2;
3136 if (length != 8) {
3137 expert_add_info_format(pinfo, length_item, &ei_rdp_neg_len_invalid, "RDP Negotiate Response length is %u, not 8", length);
3138 return offset;
3139 }
3140 proto_tree_add_item_ret_uint(tree, hf_rdp_selectedProtocol, tvb, offset, 4, ENC_LITTLE_ENDIAN, &selectedProto);
3141 if (selectedProto == 0x00000004) {
3142 /* if it's RDSTLS auth then mark it as such so that we can try decoding RDSTLS
3143 * packets in the heuristic
3144 */
3145 rdp_conv_info_t *info = rdp_get_conversation_data(pinfo);
3146 info->isRdstls = true;
3147 }
3148 offset += 4;
3149 return offset;
3150 }
3151
3152 static int
3153 dissect_rdpNegFailure(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree) {
3154 uint32_t length;
3155 proto_item *length_item;
3156 uint32_t failureCode;
3157
3158 col_append_str(pinfo->cinfo, COL_INFO, "Negotiate Failure");
3159
3160 proto_tree_add_item(tree, hf_rdp_neg_type, tvb, offset, 1, ENC_NA);
3161 offset += 1;
3162 proto_tree_add_item(tree, hf_rdp_negReq_flags, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3163 offset += 1;
3164 length_item = proto_tree_add_item_ret_uint(tree, hf_rdp_neg_length, tvb, offset, 1, ENC_LITTLE_ENDIAN, &length);
3165 offset += 2;
3166 if (length != 8) {
3167 expert_add_info_format(pinfo, length_item, &ei_rdp_neg_len_invalid, "RDP Negotiate Failure length is %u, not 8", length);
3168 return offset;
3169 }
3170 proto_tree_add_item_ret_uint(tree, hf_rdp_negFailure_failureCode, tvb, offset, 4, ENC_LITTLE_ENDIAN, &failureCode);
3171 offset += 4;
3172 col_append_fstr(pinfo->cinfo, COL_INFO, ", failureCode %s",
3173 val_to_str(failureCode, failure_code_vals, "Unknown (0x%08x)"));
3174 return offset;
3175 }
3176
3177 static int
3178 dissect_rdp_cc(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_)
3179 {
3180 int offset = 0;
3181 uint8_t type;
3182 uint16_t length;
3183 bool ours = false;
3184 proto_item *item;
3185 proto_tree *tree;
3186
3187 if (tvb_bytes_exist(tvb, offset, 4)) {
3188 type = tvb_get_uint8(tvb, offset);
3189 length = tvb_get_letohs(tvb, offset + 2);
3190 if ((type == TYPE_RDP_NEG_RSP || type == TYPE_RDP_NEG_FAILURE) &&
3191 length == 8) {
3192 /* Looks like a Negotiate Response (TYPE_RDP_NEG_RSP, length 8)
3193 or a Negotaiate Failure (TYPE_RDP_NEG_FAILURE, length 8) */
3194 ours = true;
3195 }
3196 }
3197 if (!ours) {
3198 /* Doesn't look like our data */
3199 return 0;
3200 }
3201
3202 col_set_str(pinfo->cinfo, COL_PROTOCOL, "RDP");
3203 col_clear(pinfo->cinfo, COL_INFO);
3204
3205 item = proto_tree_add_item(parent_tree, proto_rdp, tvb, 0, -1, ENC_NA);
3206 tree = proto_item_add_subtree(item, ett_rdp);
3207
3208 switch (type) {
3209
3210 case TYPE_RDP_NEG_RSP:
3211 offset = dissect_rdpNegRsp(tvb, offset, pinfo, tree);
3212 break;
3213
3214 case TYPE_RDP_NEG_FAILURE:
3215 offset = dissect_rdpNegFailure(tvb, offset, pinfo, tree);
3216 break;
3217 }
3218 return offset;
3219 }
3220
3221 static bool
3222 dissect_rdp_cc_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
3223 {
3224 return dissect_rdp_cc(tvb, pinfo, tree, data) > 0;
3225 }
3226
3227 static bool
3228 dissect_rdp_fastpath(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_)
3229 {
3230 uint8_t fp_hdr;
3231 proto_item *item;
3232 proto_tree *tree;
3233 uint16_t pdu_length;
3234 uint8_t len_size = 1;
3235 unsigned offset = 0;
3236 uint32_t flags, nevents, i;
3237 bool client_to_server;
3238
3239 if (tvb_captured_length(tvb) < 3)
3240 return false;
3241
3242 fp_hdr = tvb_get_uint8(tvb, 0);
3243 if (fp_hdr & 0x3)
3244 return false;
3245
3246 pdu_length = tvb_get_uint8(tvb, 1);
3247 if (pdu_length == 0)
3248 return false;
3249
3250 if (pdu_length & 0x80) {
3251 pdu_length &= ~(0x80);
3252 pdu_length = (pdu_length << 8);
3253 pdu_length += tvb_get_uint8(tvb, 2);
3254 len_size = 2;
3255 }
3256
3257 if (pdu_length != tvb_captured_length(tvb))
3258 return false;
3259
3260 client_to_server = rdp_isServerAddressTarget(pinfo);
3261 col_set_str(pinfo->cinfo, COL_PROTOCOL, "RDP");
3262 col_clear(pinfo->cinfo, COL_INFO);
3263 col_set_str(pinfo->cinfo, COL_INFO, "Fast-Path PDU");
3264
3265 item = proto_tree_add_item(parent_tree, proto_rdp, tvb, 0, pdu_length, ENC_NA);
3266 tree = proto_item_add_subtree(item, ett_rdp);
3267
3268 proto_tree_add_bitmask(tree, tvb, 0, hf_rdp_fastpathHeader, ett_rdp_fastpath_header,
3269 client_to_server ? fastpath_clientHeader_flags : fastpath_serverHeader_flags,
3270 ENC_LITTLE_ENDIAN);
3271 proto_tree_add_uint(tree, hf_rdp_fastpathPDULength, tvb, 1, len_size, pdu_length);
3272
3273 flags = (fp_hdr >> 6);
3274 if (client_to_server)
3275 nevents = (fp_hdr >> 2) & 0xf;
3276
3277 offset = 1 + len_size;
3278
3279 if (flags & FASTPATH_INPUT_ENCRYPTED) {
3280 // TODO: handle encryption
3281 offset += 8;
3282 }
3283
3284
3285 if (client_to_server) {
3286 if (!nevents) {
3287 proto_tree_add_item_ret_uint(tree, hf_rdp_fastpathClientNumEvents2, tvb, offset, 1, ENC_NA, &nevents);
3288 offset++;
3289 }
3290
3291 for (i = 0; i < nevents; i++) {
3292 uint8_t flagsCode;
3293 uint8_t eventCode;
3294 uint8_t eventSize;
3295 proto_tree *event_tree;
3296 const char *event_name;
3297 int * const *flagsList = fastpath_inputHeader_flags;
3298
3299 flagsCode = tvb_get_uint8(tvb, offset);
3300 eventCode = (flagsCode >> 5) & 0x07;
3301
3302 switch (eventCode) {
3303 case FASTPATH_INPUT_EVENT_SCANCODE:
3304 event_name = "Scancode";
3305 eventSize = 2;
3306 flagsList = fastpath_scancode_flags;
3307 break;
3308 case FASTPATH_INPUT_EVENT_MOUSE:
3309 event_name = "Mouse";
3310 eventSize = 7;
3311 break;
3312 case FASTPATH_INPUT_EVENT_MOUSEX:
3313 event_name = "MouseEx";
3314 eventSize = 7;
3315 break;
3316 case FASTPATH_INPUT_EVENT_SYNC:
3317 event_name = "Sync";
3318 eventSize = 1;
3319 flagsList = fastpath_inputsync_flags;
3320 break;
3321 case FASTPATH_INPUT_EVENT_UNICODE:
3322 event_name = "Unicode";
3323 eventSize = 3;
3324 flagsList = fastpath_inputunicode_flags;
3325 break;
3326 case FASTPATH_INPUT_EVENT_RELMOUSE:
3327 event_name = "RelMouse";
3328 eventSize = 7;
3329 break;
3330 case FASTPATH_INPUT_EVENT_QOE_TIMESTAMP:
3331 event_name = "QoE timestamp";
3332 eventSize = 5;
3333 break;
3334 default:
3335 eventSize = 1;
3336 event_name = NULL;
3337 break;
3338 }
3339
3340 if (event_name) {
3341 col_append_sep_str(pinfo->cinfo, COL_INFO, ",", event_name);
3342 event_tree = proto_tree_add_subtree(tree, tvb, offset, eventSize, ett_rdp_fastpath, NULL, event_name);
3343 proto_tree_add_bitmask(event_tree, tvb, offset, hf_rdp_fastpathInputHeader, ett_rdp_fastpath_header, flagsList, ENC_LITTLE_ENDIAN);
3344
3345 switch (eventCode) {
3346 case FASTPATH_INPUT_EVENT_SCANCODE:
3347 proto_tree_add_item(event_tree, hf_rdp_fastpathScancodeKeyCode, tvb, offset+1, 1, ENC_LITTLE_ENDIAN);
3348 break;
3349 case FASTPATH_INPUT_EVENT_MOUSE:
3350 proto_tree_add_bitmask(event_tree, tvb, offset+1, hf_rdp_pointerFlags, ett_rdp_fastpath_mouse_flags, ts_pointer_flags, ENC_LITTLE_ENDIAN);
3351 proto_tree_add_item(event_tree, hf_rdp_pointer_xpos, tvb, offset+1+2, 2, ENC_LITTLE_ENDIAN);
3352 proto_tree_add_item(event_tree, hf_rdp_pointer_ypos, tvb, offset+1+4, 2, ENC_LITTLE_ENDIAN);
3353 break;
3354 case FASTPATH_INPUT_EVENT_MOUSEX:
3355 proto_tree_add_bitmask(event_tree, tvb, offset+1, hf_rdp_pointerxFlags, ett_rdp_fastpath_mousex_flags, ts_pointerx_flags, ENC_LITTLE_ENDIAN);
3356 proto_tree_add_item(event_tree, hf_rdp_pointerx_xpos, tvb, offset+1+2, 2, ENC_LITTLE_ENDIAN);
3357 proto_tree_add_item(event_tree, hf_rdp_pointerx_ypos, tvb, offset+1+4, 2, ENC_LITTLE_ENDIAN);
3358 break;
3359 case FASTPATH_INPUT_EVENT_SYNC:
3360 break;
3361 case FASTPATH_INPUT_EVENT_UNICODE:
3362 proto_tree_add_item(event_tree, hf_rdp_fastpathUnicodeCode, tvb, offset+1, 2, ENC_LITTLE_ENDIAN);
3363 break;
3364 case FASTPATH_INPUT_EVENT_RELMOUSE:
3365 proto_tree_add_bitmask(event_tree, tvb, offset+1, hf_rdp_fastpathRelMouseFlags, ett_rdp_fastpath_relmouse_flags, ts_relpointer_flags, ENC_LITTLE_ENDIAN);
3366 proto_tree_add_item(event_tree, hf_rdp_fastpathRelMouseDeltaX, tvb, offset+1+2, 2, ENC_LITTLE_ENDIAN);
3367 proto_tree_add_item(event_tree, hf_rdp_fastpathRelMouseDeltaY, tvb, offset+1+4, 2, ENC_LITTLE_ENDIAN);
3368 break;
3369 case FASTPATH_INPUT_EVENT_QOE_TIMESTAMP:
3370 proto_tree_add_item(event_tree, hf_rdp_fastpathQoeTimestamp, tvb, offset+1, 4, ENC_LITTLE_ENDIAN);
3371 break;
3372 }
3373 }
3374
3375 offset += eventSize;
3376 }
3377 } else {
3378 while (offset < (unsigned)(pdu_length - 1)) {
3379 uint8_t updateCode, flagsCode;
3380 uint8_t frag, compression;
3381 uint64_t compFlags;
3382 uint16_t eventSize = 1;
3383 uint16_t recordSize;
3384 unsigned tmp_offset = offset;
3385 proto_tree *event_tree;
3386 const char *event_name;
3387
3388 flagsCode = tvb_get_uint8(tvb, tmp_offset);
3389 updateCode = (flagsCode & 0xf);
3390 frag = (flagsCode >> 4) & 0x03;
3391 compression = (flagsCode >> 6) & 0x03;
3392 tmp_offset++;
3393
3394 tmp_offset = offset + 1;
3395 if (compression) {
3396 tmp_offset++;
3397 eventSize++;
3398 }
3399 recordSize = tvb_get_uint16(tvb, tmp_offset, ENC_LITTLE_ENDIAN);
3400 eventSize += recordSize;
3401
3402 switch (updateCode) {
3403 case FASTPATH_UPDATETYPE_ORDERS:
3404 event_name = "Orders";
3405 break;
3406 case FASTPATH_UPDATETYPE_BITMAP:
3407 event_name = "Bitmap";
3408 break;
3409 case FASTPATH_UPDATETYPE_PALETTE:
3410 event_name = "Palette";
3411 break;
3412 case FASTPATH_UPDATETYPE_SYNCHRONIZE:
3413 event_name = "Synchronize";
3414 break;
3415 case FASTPATH_UPDATETYPE_SURFCMDS:
3416 event_name = "Surface";
3417 break;
3418 case FASTPATH_UPDATETYPE_PTR_NULL:
3419 event_name = "NullPointer";
3420 break;
3421 case FASTPATH_UPDATETYPE_PTR_DEFAULT:
3422 event_name = "DefaultPointer";
3423 break;
3424 case FASTPATH_UPDATETYPE_PTR_POSITION:
3425 event_name = "PointerPosition";
3426 break;
3427 case FASTPATH_UPDATETYPE_COLOR:
3428 event_name = "ColorPointer";
3429 break;
3430 case FASTPATH_UPDATETYPE_CACHED:
3431 event_name = "CachedPointer";
3432 break;
3433 case FASTPATH_UPDATETYPE_POINTER:
3434 event_name = "NewPointer";
3435 break;
3436 case FASTPATH_UPDATETYPE_LARGE_POINTER:
3437 event_name = "LargePointer";
3438 break;
3439 default:
3440 event_name = "Unknown";
3441 break;
3442 }
3443
3444 col_append_sep_str(pinfo->cinfo, COL_INFO, ",", event_name);
3445 event_tree = proto_tree_add_subtree(tree, tvb, offset, eventSize, ett_rdp_fastpath, NULL, event_name);
3446 proto_tree_add_item(event_tree, hf_rdp_fastpathServerUpdateCode, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3447 proto_tree_add_item(event_tree, hf_rdp_fastpathServerFragmentation, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3448 proto_tree_add_item(event_tree, hf_rdp_fastpathServerCompression, tvb, offset, 1, ENC_LITTLE_ENDIAN);
3449 offset++;
3450
3451 if (frag) {
3452 // TODO: reassemble fragments
3453 }
3454
3455 if (compression) {
3456 proto_tree_add_bitmask_ret_uint64(event_tree, tvb, offset, hf_rdp_fastpathServerCompressionType,
3457 ett_rdp_fastpath_compression, fastpath_servercompression_flags,
3458 ENC_LITTLE_ENDIAN, &compFlags);
3459
3460 if (compFlags) {
3461 // TODO: decompress
3462 }
3463 offset++;
3464 }
3465
3466 proto_tree_add_item(event_tree, hf_rdp_fastpathServerSize, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3467 offset += 2;
3468
3469 switch (updateCode) {
3470 case FASTPATH_UPDATETYPE_ORDERS:
3471 break;
3472 case FASTPATH_UPDATETYPE_BITMAP:
3473 break;
3474 case FASTPATH_UPDATETYPE_PALETTE:
3475 break;
3476 case FASTPATH_UPDATETYPE_SURFCMDS:
3477 break;
3478 case FASTPATH_UPDATETYPE_PTR_NULL:
3479 case FASTPATH_UPDATETYPE_PTR_DEFAULT:
3480 case FASTPATH_UPDATETYPE_SYNCHRONIZE:
3481 break;
3482 case FASTPATH_UPDATETYPE_PTR_POSITION:
3483 break;
3484 case FASTPATH_UPDATETYPE_COLOR:
3485 break;
3486 case FASTPATH_UPDATETYPE_CACHED:
3487 break;
3488 case FASTPATH_UPDATETYPE_POINTER:
3489 break;
3490 case FASTPATH_UPDATETYPE_LARGE_POINTER:
3491 break;
3492 default:
3493 break;
3494 }
3495
3496 offset += recordSize;
3497 }
3498
3499 }
3500 return true;
3501 }
3502
3503 static bool
3504 dissect_rdp_rdstls(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree _U_, void* data _U_)
3505 {
3506 int pdu_length = 6;
3507 int datatype_hf;
3508 uint32_t cbRedirectionGuid = 0;
3509 uint32_t cbUsername = 0;
3510 uint32_t cbDomain = 0;
3511 uint32_t cbPassword = 0;
3512 uint32_t cbCookie = 0;
3513
3514 rdp_field_info_t passCred_fields[] = {
3515 {&hf_rdp_rdstls_redirectionGuidLen, 2, &cbRedirectionGuid, 0, 0, NULL},
3516 {&hf_rdp_rdstls_redirectionGuid, 0, &cbRedirectionGuid, 0, RDP_FI_STRING|RDP_FI_UNICODE, NULL },
3517 {&hf_rdp_rdstls_usernameLen, 2, &cbUsername, 0, 0, NULL},
3518 {&hf_rdp_rdstls_username, 0, &cbUsername, 0, RDP_FI_STRING|RDP_FI_UNICODE, NULL },
3519 {&hf_rdp_rdstls_domainLen, 2, &cbDomain, 0, 0, NULL},
3520 {&hf_rdp_rdstls_domain, 0, &cbDomain, 0, RDP_FI_STRING|RDP_FI_UNICODE, NULL },
3521 {&hf_rdp_rdstls_passwordLen, 2, &cbPassword, 0, 0, NULL},
3522 {&hf_rdp_rdstls_password, 0, &cbPassword, 0, 0, NULL },
3523 FI_TERMINATOR,
3524 };
3525
3526 rdp_field_info_t reconCookie_fields[] = {
3527 {&hf_rdp_rdstls_sessionId, 4, NULL, 0, 0, NULL},
3528 {&hf_rdp_rdstls_autoReconnectCookieLen, 2, &cbCookie, 0, 0, NULL},
3529 {&hf_rdp_rdstls_autoReconnectCookie, 0, &cbCookie, 0, 0, NULL },
3530 FI_TERMINATOR,
3531 };
3532 rdp_field_info_t *authReqFields = NULL;
3533
3534 /* this is called from heuristics so let's do some preliminary checks */
3535 if (tvb_captured_length_remaining(tvb, 0) < 6)
3536 return false;
3537
3538 uint16_t version = tvb_get_uint16(tvb, 0, ENC_LITTLE_ENDIAN);
3539 if (version != 0x0001)
3540 return false;
3541
3542 uint16_t pduType = tvb_get_uint16(tvb, 2, ENC_LITTLE_ENDIAN);
3543 uint16_t dataType = tvb_get_uint16(tvb, 4, ENC_LITTLE_ENDIAN);
3544 switch (pduType) {
3545 case 1:
3546 /* capabilities */
3547
3548 if (dataType != 1)
3549 return false;
3550
3551 pdu_length += 2;
3552 datatype_hf = hf_rdp_rdstls_dataTypeCapabilities;
3553 break;
3554 case 2: {
3555 /* auth request */
3556 unsigned nstrings;
3557 int tmpOffset = 6;
3558
3559 datatype_hf = hf_rdp_rdstls_dataTypeAuthReq;
3560 switch (dataType) {
3561 case 1:
3562 /* Authentication Request PDU with Password Credentials */
3563 nstrings = 4;
3564 authReqFields = passCred_fields;
3565 break;
3566 case 2:
3567 /* Authentication Request PDU with Auto-Reconnect Cookie */
3568
3569 /* SessionId */
3570 if(tvb_captured_length_remaining(tvb, tmpOffset) < 4)
3571 return false;
3572 tmpOffset += 4;
3573
3574 authReqFields = reconCookie_fields;
3575 nstrings = 1;
3576 break;
3577 default:
3578 return false;
3579 }
3580
3581 for (unsigned i = 0; i < nstrings; i++) {
3582 if(tvb_captured_length_remaining(tvb, tmpOffset) < 2)
3583 return false;
3584
3585 unsigned tmpStringLength = tvb_get_uint16(tvb, tmpOffset, ENC_LITTLE_ENDIAN);
3586 tmpOffset += 2;
3587 if(tvb_captured_length_remaining(tvb, tmpOffset) < (int)tmpStringLength)
3588 return false;
3589
3590 pdu_length += 2 + tmpStringLength;
3591 tmpOffset += tmpStringLength;
3592 }
3593 break;
3594 }
3595 case 4:
3596 /* RDSTLS Authentication Response PDU */
3597 if (dataType != 1)
3598 return false;
3599
3600 pdu_length += 4;
3601 datatype_hf = hf_rdp_rdstls_dataTypeAuthResp;
3602 break;
3603 default:
3604 return false;
3605 }
3606
3607 proto_item *item = proto_tree_add_item(parent_tree, proto_rdp, tvb, 0, pdu_length, ENC_NA);
3608 proto_item *tree = proto_item_add_subtree(item, ett_rdp);
3609
3610 proto_tree_add_item(tree, hf_rdp_rdstls_version, tvb, 0, 2, ENC_LITTLE_ENDIAN);
3611 proto_tree_add_item(tree, hf_rdp_rdstls_pduType, tvb, 2, 2, ENC_LITTLE_ENDIAN);
3612 proto_tree_add_item(tree, datatype_hf, tvb, 4, 2, ENC_LITTLE_ENDIAN);
3613
3614 int offset = 6;
3615 switch (pduType) {
3616 case 1:
3617 /* capabilities */
3618 col_set_str(pinfo->cinfo, COL_INFO, "RDSTLS Capabilities");
3619 proto_tree_add_item(tree, hf_rdp_rdstls_supportedVersions, tvb, offset, 2, ENC_LITTLE_ENDIAN);
3620 break;
3621 case 2:
3622 /* auth req */
3623 col_set_str(pinfo->cinfo, COL_INFO, "RDSTLS AuthReq");
3624 dissect_rdp_fields(tvb, offset, pinfo, tree, authReqFields, pdu_length-6);
3625 break;
3626 case 4:
3627 /* auth resp */
3628 col_set_str(pinfo->cinfo, COL_INFO, "RDSTLS AuthResp");
3629 proto_tree_add_item(tree, hf_rdp_rdstls_resultCode, tvb, offset, 4, ENC_LITTLE_ENDIAN);
3630 break;
3631 }
3632 return true;
3633 }
3634
3635
3636 static bool
3637 dissect_rdp_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *parent_tree, void* data _U_) {
3638 heur_dtbl_entry_t *hdtbl_entry;
3639 rdp_conv_info_t *info;
3640
3641 if (dissector_try_heuristic(rdp_heur_subdissector_list, tvb, pinfo, parent_tree,
3642 &hdtbl_entry, NULL)) {
3643 return true;
3644 }
3645
3646 info = rdp_get_conversation_data(pinfo);
3647 if (info && info->isRdstls && dissect_rdp_rdstls(tvb, pinfo, parent_tree, NULL))
3648 return true;
3649
3650 return dissect_rdp_fastpath(tvb, pinfo, parent_tree, NULL);
3651 }
3652
3653
3654 static void
3655 init_server_conversations(void)
3656 {
3657 rdp_transport_links = wmem_map_new(wmem_file_scope(), rdp_udp_conversation_hash, rdp_udp_conversation_equal_matched);
3658 }
3659
3660
3661 /*--- proto_register_rdp -------------------------------------------*/
3662 void
3663 proto_register_rdp(void) {
3664
3665 /* List of fields */
3666 static hf_register_info hf[] = {
3667 { &hf_rdp_rt_cookie,
3668 { "Routing Token/Cookie", "rdp.rt_cookie",
3669 FT_STRING, BASE_NONE, NULL, 0,
3670 NULL, HFILL }},
3671 { &hf_rdp_neg_type,
3672 { "Type", "rdp.neg_type",
3673 FT_UINT8, BASE_HEX, VALS(neg_type_vals), 0,
3674 NULL, HFILL }},
3675 { &hf_rdp_negReq_flags,
3676 { "Flags", "rdp.negReq.flags",
3677 FT_UINT8, BASE_HEX, NULL, 0,
3678 NULL, HFILL }},
3679 { &hf_rdp_negReq_flag_restricted_admin_mode_req,
3680 { "Restricted admin mode required", "rdp.negReq.flags.restricted_admin_mode_req",
3681 FT_BOOLEAN, 8, NULL, RESTRICTED_ADMIN_MODE_REQUIRED,
3682 NULL, HFILL }},
3683 { &hf_rdp_negReq_flag_redirected_auth_req,
3684 { "Redirected Authentication required", "rdp.negReq.flags.redirected_auth_req",
3685 FT_BOOLEAN, 8, NULL, REDIRECTED_AUTH_REQUIRED,
3686 NULL, HFILL }},
3687 { &hf_rdp_negReq_flag_correlation_info_present,
3688 { "Correlation info present", "rdp.negReq.flags.correlation_info_present",
3689 FT_BOOLEAN, 8, NULL, CORRELATION_INFO_PRESENT,
3690 NULL, HFILL }},
3691 { &hf_rdp_neg_length,
3692 { "Length", "rdp.neg_length",
3693 FT_UINT16, BASE_DEC, NULL, 0,
3694 NULL, HFILL }},
3695 { &hf_rdp_requestedProtocols,
3696 { "requestedProtocols", "rdp.negReq.requestedProtocols",
3697 FT_UINT32, BASE_HEX, NULL, 0,
3698 NULL, HFILL }},
3699 { &hf_rdp_requestedProtocols_flag_ssl,
3700 { "TLS security supported", "rdp.negReq.requestedProtocols.ssl",
3701 FT_BOOLEAN, 32, NULL, 0x00000001,
3702 NULL, HFILL }},
3703 { &hf_rdp_requestedProtocols_flag_hybrid,
3704 { "CredSSP supported", "rdp.negReq.requestedProtocols.hybrid",
3705 FT_BOOLEAN, 32, NULL, 0x00000002,
3706 NULL, HFILL }},
3707 { &hf_rdp_requestedProtocols_flag_rdstls,
3708 { "RDSTLS supported", "rdp.negReq.requestedProtocols.rdstls",
3709 FT_BOOLEAN, 32, NULL, 0x00000004,
3710 NULL, HFILL }},
3711 { &hf_rdp_requestedProtocols_flag_hybrid_ex,
3712 { "CredSSP with Early User Authorization Result PDU supported", "rdp.negReq.requestedProtocols.hybrid_ex",
3713 FT_BOOLEAN, 32, NULL, 0x00000008,
3714 NULL, HFILL }},
3715 { &hf_rdp_correlationInfo_flags,
3716 { "Flags", "rdp.correlationInfo.flags",
3717 FT_UINT8, BASE_HEX, NULL, 0,
3718 NULL, HFILL }},
3719 { &hf_rdp_correlationId,
3720 { "correlationId", "rdp.correlationInfo.correlationId",
3721 FT_BYTES, BASE_NONE, NULL, 0,
3722 NULL, HFILL }},
3723 { &hf_rdp_correlationInfo_reserved,
3724 { "Reserved", "rdp.correlationInfo.reserved",
3725 FT_BYTES, BASE_NONE, NULL, 0,
3726 NULL, HFILL }},
3727 { &hf_rdp_negRsp_flags,
3728 { "Flags", "rdp.negRsp.flags",
3729 FT_UINT8, BASE_HEX, NULL, 0,
3730 NULL, HFILL }},
3731 { &hf_rdp_negRsp_flag_extended_client_data_supported,
3732 { "Extended Client Data Blocks supported", "rdp.negRsp.flags.extended_client_data_supported",
3733 FT_BOOLEAN, 8, NULL, 0x01,
3734 NULL, HFILL }},
3735 { &hf_rdp_negRsp_flag_dynvc_gfx_protocol_supported,
3736 { "Graphics Pipeline Extension Protocol supported", "rdp.negRsp.flags.dynvc_gfx_protocol_supported",
3737 FT_BOOLEAN, 8, NULL, 0x02,
3738 NULL, HFILL }},
3739 { &hf_rdp_negRsp_flag_restricted_admin_mode_supported,
3740 { "Restricted admin mode supported", "rdp.negRsp.flags.restricted_admin_mode_supported",
3741 FT_BOOLEAN, 8, NULL, 0x08,
3742 NULL, HFILL }},
3743 { &hf_rdp_negRsp_flag_restricted_authentication_mode_supported,
3744 { "Restricted authentication mode supported", "rdp.negRsp.flags.restricted_authentication_mode_supported",
3745 FT_BOOLEAN, 8, NULL, 0x10,
3746 NULL, HFILL }},
3747 { &hf_rdp_selectedProtocol,
3748 { "selectedProtocol", "rdp.negReq.selectedProtocol",
3749 FT_UINT32, BASE_HEX, VALS(rdp_selectedProtocol_vals), 0,
3750 NULL, HFILL }},
3751 { &hf_rdp_negFailure_failureCode,
3752 { "failureCode", "rdp.negFailure.failureCode",
3753 FT_UINT32, BASE_HEX, VALS(failure_code_vals), 0,
3754 NULL, HFILL }},
3755 { &hf_rdp_ClientData,
3756 { "ClientData", "rdp.clientData",
3757 FT_NONE, BASE_NONE, NULL, 0,
3758 NULL, HFILL }},
3759 { &hf_rdp_SendData,
3760 { "SendData", "rdp.sendData",
3761 FT_NONE, BASE_NONE, NULL, 0,
3762 NULL, HFILL }},
3763 { &hf_rdp_MessageData,
3764 { "MessageData", "rdp.messageData",
3765 FT_NONE, BASE_NONE, NULL, 0,
3766 NULL, HFILL }},
3767 { &hf_rdp_clientCoreData,
3768 { "clientCoreData", "rdp.client.coreData",
3769 FT_NONE, BASE_NONE, NULL, 0,
3770 NULL, HFILL }},
3771 { &hf_rdp_clientSecurityData,
3772 { "clientSecurityData", "rdp.client.securityData",
3773 FT_NONE, BASE_NONE, NULL, 0,
3774 NULL, HFILL }},
3775 { &hf_rdp_clientNetworkData,
3776 { "clientNetworkData", "rdp.client.networkData",
3777 FT_NONE, BASE_NONE, NULL, 0,
3778 NULL, HFILL }},
3779 { &hf_rdp_clientClusterData,
3780 { "clientClusterData", "rdp.client.clusterData",
3781 FT_NONE, BASE_NONE, NULL, 0,
3782 NULL, HFILL }},
3783 { &hf_rdp_cluster_redirectionSupported,
3784 { "redirectionSupported", "rdp.client.cluster.redirectionSupported",
3785 FT_UINT32, BASE_DEC, NULL, 0x1,
3786 NULL, HFILL }},
3787 { &hf_rdp_cluster_sessionIdValid,
3788 { "sessionIdValid", "rdp.client.cluster.sessionidvalid",
3789 FT_UINT32, BASE_DEC, NULL, 0x2,
3790 NULL, HFILL }},
3791 { &hf_rdp_cluster_redirectionVersion,
3792 { "SessionRedirectionVersion", "rdp.client.cluster.redirectionversion",
3793 FT_UINT32, BASE_DEC, VALS(redirectionVersions_vals), 0x3C,
3794 NULL, HFILL }},
3795 { &hf_rdp_cluster_redirectedSmartcard,
3796 { "redirectedSmartcard", "rdp.client.cluster.redirectedsmartcard",
3797 FT_UINT32, BASE_DEC, NULL, 0x40,
3798 NULL, HFILL }},
3799 { &hf_rdp_clientMonitorData,
3800 { "clientMonitorData", "rdp.client.monitorData",
3801 FT_NONE, BASE_NONE, NULL, 0,
3802 NULL, HFILL }},
3803 { &hf_rdp_clientMonitorDefData,
3804 { "clientMonitorDefData", "rdp.client.monitorDefData",
3805 FT_NONE, BASE_NONE, NULL, 0,
3806 NULL, HFILL }},
3807 { &hf_rdp_clientMsgChannelData,
3808 { "clientMsgChannelData", "rdp.client.msgChannelData",
3809 FT_NONE, BASE_NONE, NULL, 0,
3810 NULL, HFILL }},
3811 { &hf_rdp_clientMonitorExData,
3812 { "clientMonitorExData", "rdp.client.monitorExData",
3813 FT_NONE, BASE_NONE, NULL, 0,
3814 NULL, HFILL }},
3815 { &hf_rdp_clientMultiTransportData,
3816 { "clientMultiTransportData", "rdp.client.multiTransportData",
3817 FT_NONE, BASE_NONE, NULL, 0,
3818 NULL, HFILL }},
3819 { &hf_rdp_clientUnknownData,
3820 { "clientUnknownData", "rdp.unknownData.client",
3821 FT_NONE, BASE_NONE, NULL, 0,
3822 NULL, HFILL }},
3823 { &hf_rdp_ServerData,
3824 { "ServerData", "rdp.serverData",
3825 FT_NONE, BASE_NONE, NULL, 0,
3826 NULL, HFILL }},
3827 { &hf_rdp_serverCoreData,
3828 { "serverCoreData", "rdp.server.coreData",
3829 FT_NONE, BASE_NONE, NULL, 0,
3830 NULL, HFILL }},
3831 { &hf_rdp_serverSecurityData,
3832 { "serverSecurityData", "rdp.server.securityData",
3833 FT_NONE, BASE_NONE, NULL, 0,
3834 NULL, HFILL }},
3835 { &hf_rdp_serverNetworkData,
3836 { "serverNetworkData", "rdp.server.networkData",
3837 FT_NONE, BASE_NONE, NULL, 0,
3838 NULL, HFILL }},
3839 { &hf_rdp_serverMsgChannelData,
3840 { "serverMsgChannelData", "rdp.server.msgChannelData",
3841 FT_NONE, BASE_NONE, NULL, 0,
3842 NULL, HFILL }},
3843 { &hf_rdp_serverMultiTransportData,
3844 { "serverMultiTransportData", "rdp.server.multiTransportData",
3845 FT_NONE, BASE_NONE, NULL, 0,
3846 NULL, HFILL }},
3847 { &hf_rdp_rdstls_version,
3848 { "Version", "rdp.rdstls.version",
3849 FT_UINT16, BASE_HEX, NULL, 0,
3850 NULL, HFILL }},
3851 { &hf_rdp_rdstls_pduType,
3852 { "Pdu type", "rdp.rdstls.pdutype",
3853 FT_UINT16, BASE_HEX, VALS(rdp_rdstls_pduTypes_vals), 0,
3854 NULL, HFILL }},
3855 { &hf_rdp_rdstls_dataTypeCapabilities,
3856 { "Data type", "rdp.rdstls.datatype",
3857 FT_UINT16, BASE_HEX, NULL, 0,
3858 NULL, HFILL }},
3859 { &hf_rdp_rdstls_supportedVersions,
3860 { "Supported versions", "rdp.rdstls.supportedversions",
3861 FT_UINT16, BASE_DEC, NULL, 0,
3862 NULL, HFILL }},
3863 { &hf_rdp_rdstls_dataTypeAuthReq,
3864 { "Data type", "rdp.rdstls.datatype",
3865 FT_UINT16, BASE_HEX, VALS(rdp_rdstls_authDataTypes_vals), 0,
3866 NULL, HFILL }},
3867 { &hf_rdp_rdstls_redirectionGuidLen,
3868 { "redirectionGUID length", "rdp.rdstls.redirectionguidlen",
3869 FT_UINT16, BASE_DEC, NULL, 0,
3870 NULL, HFILL }},
3871 { &hf_rdp_rdstls_redirectionGuid,
3872 { "redirectionGUID", "rdp.rdstls.redirectionguid",
3873 FT_STRINGZ, BASE_NONE, NULL, 0,
3874 NULL, HFILL }},
3875 { &hf_rdp_rdstls_usernameLen,
3876 { "Username length", "rdp.rdstls.usernamelen",
3877 FT_UINT16, BASE_DEC, NULL, 0,
3878 NULL, HFILL }},
3879 { &hf_rdp_rdstls_username,
3880 { "Username", "rdp.rdstls.username",
3881 FT_STRINGZ, BASE_NONE, NULL, 0,
3882 NULL, HFILL }},
3883 { &hf_rdp_rdstls_domainLen,
3884 { "Domain length", "rdp.rdstls.domainlen",
3885 FT_UINT16, BASE_DEC, NULL, 0,
3886 NULL, HFILL }},
3887 { &hf_rdp_rdstls_domain,
3888 { "Domain", "rdp.rdstls.domain",
3889 FT_STRINGZ, BASE_NONE, NULL, 0,
3890 NULL, HFILL }},
3891 { &hf_rdp_rdstls_passwordLen,
3892 { "Password length", "rdp.rdstls.passwordlen",
3893 FT_UINT16, BASE_DEC, NULL, 0,
3894 NULL, HFILL }},
3895 { &hf_rdp_rdstls_password,
3896 { "Password", "rdp.rdstls.password",
3897 FT_BYTES, BASE_NONE, NULL, 0,
3898 NULL, HFILL }},
3899 { &hf_rdp_rdstls_sessionId,
3900 { "SessionId", "rdp.rdstls.sessionid",
3901 FT_UINT32, BASE_HEX, NULL, 0,
3902 NULL, HFILL }},
3903 { &hf_rdp_rdstls_autoReconnectCookieLen,
3904 { "AutoReconnect cookie length", "rdp.rdstls.reconnectcookielen",
3905 FT_UINT16, BASE_DEC, NULL, 0,
3906 NULL, HFILL }},
3907 { &hf_rdp_rdstls_autoReconnectCookie,
3908 { "AutoReconnect cookie", "rdp.rdstls.reconnectcookie",
3909 FT_BYTES, BASE_NONE, NULL, 0,
3910 NULL, HFILL }},
3911 { &hf_rdp_rdstls_dataTypeAuthResp,
3912 { "Data type", "rdp.rdstls.datatype",
3913 FT_UINT16, BASE_HEX, NULL, 0,
3914 NULL, HFILL }},
3915 { &hf_rdp_rdstls_resultCode,
3916 { "Result code", "rdp.rdstls.resultcode",
3917 FT_UINT32, BASE_HEX, VALS(rdp_rdstls_result_vals), 0,
3918 NULL, HFILL }},
3919 { &hf_rdp_serverUnknownData,
3920 { "serverUnknownData", "rdp.unknownData.server",
3921 FT_NONE, BASE_NONE, NULL, 0,
3922 NULL, HFILL }},
3923 { &hf_rdp_securityExchangePDU,
3924 { "securityExchangePDU", "rdp.securityExchangePDU",
3925 FT_NONE, BASE_NONE, NULL, 0,
3926 NULL, HFILL }},
3927 { &hf_rdp_clientInfoPDU,
3928 { "clientInfoPDU", "rdp.clientInfoPDU",
3929 FT_NONE, BASE_NONE, NULL, 0,
3930 NULL, HFILL }},
3931 { &hf_rdp_validClientLicenseData,
3932 { "validClientLicenseData", "rdp.validClientLicenseData",
3933 FT_NONE, BASE_NONE, NULL, 0,
3934 NULL, HFILL }},
3935 { &hf_rdp_headerType,
3936 { "headerType", "rdp.header.type",
3937 FT_UINT16, BASE_HEX, VALS(rdp_headerType_vals), 0,
3938 NULL, HFILL }},
3939 { &hf_rdp_headerLength,
3940 { "headerLength", "rdp.header.length",
3941 FT_UINT16, BASE_DEC, NULL, 0,
3942 NULL, HFILL }},
3943 { &hf_rdp_versionMajor,
3944 { "versionMajor", "rdp.version.major",
3945 FT_UINT16, BASE_DEC, NULL, 0,
3946 NULL, HFILL }},
3947 { &hf_rdp_versionMinor,
3948 { "versionMinor", "rdp.version.minor",
3949 FT_UINT16, BASE_DEC, NULL, 0,
3950 NULL, HFILL }},
3951 { &hf_rdp_desktopWidth,
3952 { "desktopWidth", "rdp.desktop.width",
3953 FT_UINT16, BASE_DEC, NULL, 0,
3954 NULL, HFILL }},
3955 { &hf_rdp_desktopHeight,
3956 { "desktopHeight", "rdp.desktop.height",
3957 FT_UINT16, BASE_DEC, NULL, 0,
3958 NULL, HFILL }},
3959 { &hf_rdp_colorDepth,
3960 { "colorDepth", "rdp.colorDepth",
3961 FT_UINT16, BASE_HEX, VALS(rdp_colorDepth_vals), 0,
3962 NULL, HFILL }},
3963 { &hf_rdp_SASSequence,
3964 { "SASSequence", "rdp.SASSequence",
3965 FT_UINT16, BASE_DEC, NULL, 0,
3966 NULL, HFILL }},
3967 { &hf_rdp_keyboardLayout,
3968 { "keyboardLayout", "rdp.keyboardLayout",
3969 FT_UINT32, BASE_DEC, NULL, 0,
3970 NULL, HFILL }},
3971 { &hf_rdp_clientBuild,
3972 { "clientBuild", "rdp.client.build",
3973 FT_UINT32, BASE_DEC, NULL, 0,
3974 NULL, HFILL }},
3975 { &hf_rdp_clientName,
3976 { "clientName", "rdp.client.name",
3977 FT_STRINGZ, BASE_NONE, NULL, 0, /* supposed to be null-terminated */
3978 NULL, HFILL }},
3979 { &hf_rdp_keyboardType,
3980 { "keyboardType", "rdp.keyboard.type",
3981 FT_UINT32, BASE_DEC, VALS(rdp_keyboardType_vals), 0,
3982 NULL, HFILL }},
3983 { &hf_rdp_keyboardSubType,
3984 { "keyboardSubType", "rdp.keyboard.subtype",
3985 FT_UINT32, BASE_DEC, NULL, 0,
3986 NULL, HFILL }},
3987 { &hf_rdp_keyboardFunctionKey,
3988 { "keyboardFunctionKey", "rdp.keyboard.functionkey",
3989 FT_UINT32, BASE_DEC, NULL, 0,
3990 NULL, HFILL }},
3991 { &hf_rdp_imeFileName,
3992 { "imeFileName", "rdp.imeFileName",
3993 FT_BYTES, BASE_NONE, NULL, 0,
3994 NULL, HFILL }},
3995 { &hf_rdp_postBeta2ColorDepth,
3996 { "postBeta2ColorDepth", "rdp.postBeta2ColorDepth",
3997 FT_UINT16, BASE_HEX, VALS(rdp_colorDepth_vals), 0,
3998 NULL, HFILL }},
3999 { &hf_rdp_clientProductId,
4000 { "clientProductId", "rdp.client.productId",
4001 FT_UINT16, BASE_DEC, NULL, 0,
4002 NULL, HFILL }},
4003 { &hf_rdp_serialNumber,
4004 { "serialNumber", "rdp.serialNumber",
4005 FT_UINT32, BASE_DEC, NULL, 0,
4006 NULL, HFILL }},
4007 { &hf_rdp_highColorDepth,
4008 { "highColorDepth", "rdp.highColorDepth",
4009 FT_UINT16, BASE_HEX, VALS(rdp_highColorDepth_vals), 0,
4010 NULL, HFILL }},
4011 { &hf_rdp_supportedColorDepths,
4012 { "supportedColorDepths", "rdp.supportedColorDepths",
4013 FT_UINT16, BASE_HEX, NULL, 0,
4014 NULL, HFILL }},
4015 { &hf_rdp_earlyCapabilityFlags,
4016 { "earlyCapabilityFlags", "rdp.earlyCapabilityFlags",
4017 FT_UINT16, BASE_HEX, NULL, 0,
4018 NULL, HFILL }},
4019 { &hf_rdp_clientDigProductId,
4020 { "clientDigProductId", "rdp.client.digProductId",
4021 FT_STRINGZ, BASE_NONE, NULL, 0, /* XXX - is this always a string? MS-RDPBCGR doesn't say so */
4022 NULL, HFILL }},
4023 { &hf_rdp_connectionType,
4024 { "connectionType", "rdp.connectionType",
4025 FT_UINT8, BASE_DEC, VALS(rdp_connectionType_vals), 0,
4026 NULL, HFILL }},
4027 { &hf_rdp_pad1octet,
4028 { "pad1octet", "rdp.pad1octet",
4029 FT_UINT8, BASE_HEX, NULL, 0,
4030 NULL, HFILL }},
4031 { &hf_rdp_serverSelectedProtocol,
4032 { "serverSelectedProtocol", "rdp.serverSelectedProtocol",
4033 FT_UINT32, BASE_DEC, NULL, 0,
4034 NULL, HFILL }},
4035 { &hf_rdp_encryptionMethods,
4036 { "encryptionMethods", "rdp.encryptionMethods",
4037 FT_UINT32, BASE_HEX, NULL, 0,
4038 NULL, HFILL }},
4039 { &hf_rdp_extEncryptionMethods,
4040 { "extEncryptionMethods", "rdp.extEncryptionMethods",
4041 FT_UINT32, BASE_HEX, NULL, 0,
4042 NULL, HFILL }},
4043 { &hf_rdp_cluster_flags, /* ToDo: Display flags in detail */
4044 { "clusterFlags", "rdp.clusterFlags",
4045 FT_UINT32, BASE_HEX, NULL, 0,
4046 NULL, HFILL }},
4047 { &hf_rdp_redirectedSessionId,
4048 { "redirectedSessionId", "rdp.redirectedSessionId",
4049 FT_UINT32, BASE_HEX, NULL, 0,
4050 NULL, HFILL }},
4051 { &hf_rdp_msgChannelFlags,
4052 { "msgChannelFlags", "rdp.msgChannelFlags",
4053 FT_UINT32, BASE_HEX, NULL, 0,
4054 NULL, HFILL }},
4055 { &hf_rdp_msgChannelId,
4056 { "msgChannelId", "rdp.msgChannelId",
4057 FT_UINT16, BASE_DEC, NULL, 0,
4058 NULL, HFILL }},
4059 { &hf_rdp_monitorFlags,
4060 { "monitorFlags", "rdp.monitorFlags",
4061 FT_UINT32, BASE_HEX, NULL, 0,
4062 NULL, HFILL }},
4063 { &hf_rdp_monitorExFlags,
4064 { "monitorExFlags", "rdp.monitorExFlags",
4065 FT_UINT32, BASE_HEX, NULL, 0,
4066 NULL, HFILL }},
4067 { &hf_rdp_monitorAttributeSize,
4068 { "monitorAttributeSize", "rdp.monitorAttributeSize",
4069 FT_UINT32, BASE_DEC, NULL, 0,
4070 NULL, HFILL }},
4071 { &hf_rdp_monitorCount,
4072 { "monitorCount", "rdp.monitorCount",
4073 FT_UINT32, BASE_DEC, NULL, 0,
4074 NULL, HFILL }},
4075 { &hf_rdp_monitorDefLeft,
4076 { "left", "rdp.monitorDef.left",
4077 FT_INT32, BASE_DEC, NULL, 0,
4078 NULL, HFILL }},
4079 { &hf_rdp_monitorDefTop,
4080 { "top", "rdp.monitorDef.top",
4081 FT_INT32, BASE_DEC, NULL, 0,
4082 NULL, HFILL }},
4083 { &hf_rdp_monitorDefRight,
4084 { "right", "rdp.monitorDef.right",
4085 FT_INT32, BASE_DEC, NULL, 0,
4086 NULL, HFILL }},
4087 { &hf_rdp_monitorDefBottom,
4088 { "bottom", "rdp.monitorDef.bottom",
4089 FT_INT32, BASE_DEC, NULL, 0,
4090 NULL, HFILL }},
4091 { &hf_rdp_monitorDefFlags,
4092 { "flags", "rdp.monitorDef.flags",
4093 FT_UINT32, BASE_DEC, VALS(rdp_monitorDefFlags_vals), 0,
4094 NULL, HFILL }},
4095 { &hf_rdp_multiTransportFlags,
4096 { "multiTransportFlags", "rdp.multiTransportFlags",
4097 FT_UINT32, BASE_HEX, NULL, 0,
4098 NULL, HFILL }},
4099 { &hf_rdp_encryptionMethod,
4100 { "encryptionMethod", "rdp.encryptionMethod",
4101 FT_UINT32, BASE_HEX, VALS(rdp_encryptionMethod_vals), 0,
4102 NULL, HFILL }},
4103 { &hf_rdp_encryptionLevel,
4104 { "encryptionLevel", "rdp.encryptionLevel",
4105 FT_UINT32, BASE_HEX, VALS(rdp_encryptionLevel_vals), 0,
4106 NULL, HFILL }},
4107 { &hf_rdp_serverRandomLen,
4108 { "serverRandomLen", "rdp.serverRandomLen",
4109 FT_UINT32, BASE_DEC, NULL, 0,
4110 NULL, HFILL }},
4111 { &hf_rdp_serverCertLen,
4112 { "serverCertLen", "rdp.serverCertLen",
4113 FT_UINT32, BASE_DEC, NULL, 0,
4114 NULL, HFILL }},
4115 { &hf_rdp_serverRandom,
4116 { "serverRandom", "rdp.serverRandom",
4117 FT_BYTES, BASE_NONE, NULL, 0,
4118 NULL, HFILL }},
4119 { &hf_rdp_serverCertificate,
4120 { "serverCertificate", "rdp.serverCertificate",
4121 FT_BYTES, BASE_NONE, NULL, 0,
4122 NULL, HFILL }},
4123 { &hf_rdp_clientRequestedProtocols,
4124 { "clientRequestedProtocols", "rdp.client.requestedProtocols",
4125 FT_UINT32, BASE_HEX, NULL, 0,
4126 NULL, HFILL }},
4127 { &hf_rdp_MCSChannelId,
4128 { "MCSChannelId", "rdp.MCSChannelId",
4129 FT_UINT16, BASE_DEC, NULL, 0,
4130 NULL, HFILL }},
4131 { &hf_rdp_channelCount,
4132 { "channelCount", "rdp.channelCount",
4133 FT_UINT16, BASE_DEC, NULL, 0,
4134 NULL, HFILL }},
4135 { &hf_rdp_channelIdArray,
4136 { "channelIdArray", "rdp.channelIdArray",
4137 FT_NONE, BASE_NONE, NULL, 0,
4138 NULL, HFILL }},
4139 { &hf_rdp_Pad,
4140 { "Pad", "rdp.Pad",
4141 FT_UINT16, BASE_DEC, NULL, 0,
4142 NULL, HFILL }},
4143 { &hf_rdp_flags,
4144 { "flags", "rdp.flags",
4145 FT_UINT16, BASE_HEX, NULL, 0,
4146 NULL, HFILL }},
4147 { &hf_rdp_channelFlags,
4148 { "channelFlags", "rdp.channelFlags",
4149 FT_UINT32, BASE_HEX, NULL, 0,
4150 NULL, HFILL }},
4151 { &hf_rdp_flagsPkt,
4152 { "flagsPkt", "rdp.flags.pkt",
4153 FT_UINT16, BASE_HEX, VALS(rdp_flagsPkt_vals), SEC_PKT_MASK,
4154 NULL, HFILL }},
4155 { &hf_rdp_flagsEncrypt,
4156 { "flagsEncrypt", "rdp.flags.encrypt",
4157 FT_UINT16, BASE_HEX, NULL, SEC_ENCRYPT,
4158 NULL, HFILL }},
4159 { &hf_rdp_flagsResetSeqno,
4160 { "flagsResetSeqno", "rdp.flags.resetseqno",
4161 FT_UINT16, BASE_HEX, NULL, SEC_RESET_SEQNO,
4162 NULL, HFILL }},
4163 { &hf_rdp_flagsIgnoreSeqno,
4164 { "flagsIgnoreSeqno", "rdp.flags.ignoreseqno",
4165 FT_UINT16, BASE_HEX, NULL, SEC_IGNORE_SEQNO,
4166 NULL, HFILL }},
4167 { &hf_rdp_flagsLicenseEncrypt,
4168 { "flagsLicenseEncrypt", "rdp.flags.licenseencrypt",
4169 FT_UINT16, BASE_HEX, NULL, SEC_LICENSE_ENCRYPT_CS,
4170 NULL, HFILL }},
4171 { &hf_rdp_flagsSecureChecksum,
4172 { "flagsSecureChecksum", "rdp.flags.securechecksum",
4173 FT_UINT16, BASE_HEX, NULL, SEC_SECURE_CHECKSUM,
4174 NULL, HFILL }},
4175 { &hf_rdp_flagsFlagsHiValid,
4176 { "flagsHiValid", "rdp.flags.flagshivalid",
4177 FT_UINT16, BASE_HEX, NULL, SEC_FLAGSHI_VALID,
4178 NULL, HFILL }},
4179 { &hf_rdp_flagsAutodetectReq,
4180 { "autodetect request", "rdp.flags.autodetectreq",
4181 FT_UINT16, BASE_HEX, NULL, SEC_AUTODETECT_REQ,
4182 NULL, HFILL }},
4183 { &hf_rdp_flagsAutodetectResp,
4184 { "autodetect response", "rdp.flags.autodetectresp",
4185 FT_UINT16, BASE_HEX, NULL, SEC_AUTODETECT_RSP,
4186 NULL, HFILL }},
4187 { &hf_rdp_flagsHeartbeat,
4188 { "heartbeat", "rdp.flags.heartbeat",
4189 FT_UINT16, BASE_HEX, NULL, SEC_HEARTBEAT,
4190 NULL, HFILL }},
4191 { &hf_rdp_flagsTransportReq,
4192 { "multiTransport request", "rdp.flags.transportreq",
4193 FT_UINT16, BASE_HEX, NULL, SEC_TRANSPORT_REQ,
4194 NULL, HFILL }},
4195 { &hf_rdp_flagsTransportResp,
4196 { "transport response", "rdp.flags.transportrsp",
4197 FT_UINT16, BASE_HEX, NULL, SEC_TRANSPORT_RSP,
4198 NULL, HFILL }},
4199 { &hf_rdp_flagsHi,
4200 { "flagsHi", "rdp.flagsHi",
4201 FT_UINT16, BASE_HEX, NULL, 0,
4202 NULL, HFILL }},
4203 { &hf_rdp_length,
4204 { "length", "rdp.length",
4205 FT_UINT32, BASE_DEC, NULL, 0,
4206 NULL, HFILL }},
4207 { &hf_rdp_heartbeat_reserved,
4208 { "reserved", "rdp.heartbeat.reserved",
4209 FT_UINT8, BASE_HEX, NULL, 0,
4210 NULL, HFILL }},
4211 { &hf_rdp_heartbeat_period,
4212 { "Period", "rdp.heartbeat.period",
4213 FT_UINT8, BASE_DEC, NULL, 0,
4214 NULL, HFILL }},
4215 { &hf_rdp_heartbeat_count1,
4216 { "Count1", "rdp.heartbeat.count1",
4217 FT_UINT8, BASE_DEC, NULL, 0,
4218 NULL, HFILL }},
4219 { &hf_rdp_heartbeat_count2,
4220 { "Count2", "rdp.heartbeat.count2",
4221 FT_UINT8, BASE_DEC, NULL, 0,
4222 NULL, HFILL }},
4223 { &hf_rdp_bandwidth_header_len,
4224 { "HeaderLength", "rdp.bandwidth.headerlen",
4225 FT_UINT8, BASE_HEX, NULL, 0,
4226 NULL, HFILL }},
4227 { &hf_rdp_bandwidth_header_type,
4228 { "HeaderTypeId", "rdp.bandwidth.typeid",
4229 FT_UINT8, BASE_HEX, VALS(bandwidth_typeid_vals), 0,
4230 NULL, HFILL}},
4231 { &hf_rdp_bandwidth_seqnumber,
4232 { "Sequence number", "rdp.bandwidth.sequencenumber",
4233 FT_UINT16, BASE_HEX, NULL, 0,
4234 NULL, HFILL }},
4235 { &hf_rdp_bandwidth_reqtype,
4236 { "Request type", "rdp.bandwidth.reqtype",
4237 FT_UINT16, BASE_HEX, VALS(bandwidth_request_vals), 0,
4238 NULL, HFILL }},
4239 { &hf_rdp_bandwidth_resptype,
4240 { "Response type", "rdp.bandwidth.resptype",
4241 FT_UINT16, BASE_HEX, VALS(bandwidth_response_vals), 0,
4242 NULL, HFILL }},
4243 { &hf_rdp_bandwidth_measure_payload_len,
4244 { "Payload length", "rdp.bandwidth.measure.len",
4245 FT_UINT16, BASE_DEC, NULL, 0,
4246 NULL, HFILL }},
4247 { &hf_rdp_bandwidth_measure_payload_data,
4248 { "Payload data", "rdp.bandwidth.measure.payload",
4249 FT_BYTES, BASE_NONE, NULL, 0,
4250 NULL, HFILL }},
4251 { &hf_rdp_network_characteristics_basertt,
4252 { "Base RTT", "rdp.networkcharacteristics.basertt",
4253 FT_UINT32, BASE_DEC, NULL, 0,
4254 NULL, HFILL }},
4255 { &hf_rdp_network_characteristics_bandwidth,
4256 { "Bandwidth", "rdp.networkcharacteristics.bandwidth",
4257 FT_UINT32, BASE_DEC, NULL, 0,
4258 NULL, HFILL }},
4259 { &hf_rdp_network_characteristics_averagertt,
4260 { "Average RTT", "rdp.networkcharacteristics.averagertt",
4261 FT_UINT32, BASE_DEC, NULL, 0,
4262 NULL, HFILL }},
4263 { &hf_rdp_rtt_measure_time_delta,
4264 { "Time delta", "rdp.rttmeasure.timedelta",
4265 FT_UINT32, BASE_DEC, NULL, 0,
4266 NULL, HFILL }},
4267 { &hf_rdp_rtt_measure_time_bytecount,
4268 { "Byte count", "rdp.rttmeasure.bytecount",
4269 FT_UINT32, BASE_DEC, NULL, 0,
4270 NULL, HFILL }},
4271 { &hf_rdp_mt_req_requestId,
4272 { "Request id", "rdp.mtreq.requestid",
4273 FT_UINT32, BASE_HEX, NULL, 0,
4274 NULL, HFILL }},
4275 { &hf_rdp_mt_req_protocol,
4276 { "Protocol", "rdp.mtreq.protocol",
4277 FT_UINT16, BASE_HEX, VALS(rdp_mt_protocol_vals), 0,
4278 NULL, HFILL }},
4279 { &hf_rdp_mt_req_reserved,
4280 { "Reserved", "rdp.mtreq.reserved",
4281 FT_UINT16, BASE_HEX, NULL, 0,
4282 NULL, HFILL }},
4283 { &hf_rdp_mt_req_securityCookie,
4284 { "Security cookie", "rdp.mtreq.securitycookie",
4285 FT_BYTES, BASE_NONE, NULL, 0,
4286 NULL, HFILL }},
4287 { &hf_rdp_mt_rsp_requestId,
4288 { "Request id", "rdp.mtresp.requestid",
4289 FT_UINT32, BASE_HEX, NULL, 0,
4290 NULL, HFILL }},
4291 { &hf_rdp_mt_rsp_hrResponse,
4292 { "hrResponse", "rdp.mtresp.hrresponse",
4293 FT_UINT32, BASE_HEX, VALS(rdp_mt_response_vals), 0,
4294 NULL, HFILL }},
4295 { &hf_rdp_encryptedClientRandom,
4296 { "encryptedClientRandom", "rdp.encryptedClientRandom",
4297 FT_BYTES, BASE_NONE, NULL, 0,
4298 NULL, HFILL }},
4299 { &hf_rdp_dataSignature,
4300 { "dataSignature", "rdp.dataSignature",
4301 FT_BYTES, BASE_NONE, NULL, 0,
4302 NULL, HFILL }},
4303 { &hf_rdp_fipsLength,
4304 { "fipsLength", "rdp.fipsLength",
4305 FT_UINT16, BASE_DEC, NULL, 0,
4306 NULL, HFILL }},
4307 { &hf_rdp_fipsVersion,
4308 { "fipsVersion", "rdp.fipsVersion",
4309 FT_UINT8, BASE_HEX, NULL, 0,
4310 NULL, HFILL }},
4311 { &hf_rdp_padlen,
4312 { "padlen", "rdp.padlen",
4313 FT_UINT8, BASE_DEC, NULL, 0,
4314 NULL, HFILL }},
4315 { &hf_rdp_codePage,
4316 { "codePage", "rdp.codePage",
4317 FT_UINT32, BASE_DEC, NULL, 0,
4318 NULL, HFILL }},
4319 { &hf_rdp_optionFlags,
4320 { "optionFlags", "rdp.optionFlags",
4321 FT_UINT32, BASE_HEX, NULL, 0,
4322 NULL, HFILL }},
4323 { &hf_rdp_cbDomain,
4324 { "cbDomain", "rdp.domain.length",
4325 FT_UINT16, BASE_DEC, NULL, 0,
4326 NULL, HFILL }},
4327 { &hf_rdp_cbUserName,
4328 { "cbUserName", "rdp.userName.length",
4329 FT_UINT16, BASE_DEC, NULL, 0,
4330 NULL, HFILL }},
4331 { &hf_rdp_cbPassword,
4332 { "cbPassword", "rdp.password.length",
4333 FT_UINT16, BASE_DEC, NULL, 0,
4334 NULL, HFILL }},
4335 { &hf_rdp_cbAlternateShell,
4336 { "cbAlternateShell", "rdp.alternateShell.length",
4337 FT_UINT16, BASE_DEC, NULL, 0,
4338 NULL, HFILL }},
4339 { &hf_rdp_cbWorkingDir,
4340 { "cbWorkingDir", "rdp.workingDir.length",
4341 FT_UINT16, BASE_DEC, NULL, 0,
4342 NULL, HFILL }},
4343 { &hf_rdp_cbClientAddress,
4344 { "cbClientAddress", "rdp.client.address.length",
4345 FT_UINT16, BASE_DEC, NULL, 0,
4346 NULL, HFILL }},
4347 { &hf_rdp_cbClientDir,
4348 { "cbClientDir", "rdp.client.dir.length",
4349 FT_UINT16, BASE_DEC, NULL, 0,
4350 NULL, HFILL }},
4351 { &hf_rdp_cbAutoReconnectLen,
4352 { "cbAutoReconnectLen", "rdp.autoReconnectCookie.length",
4353 FT_UINT16, BASE_DEC, NULL, 0,
4354 NULL, HFILL }},
4355 { &hf_rdp_domain,
4356 { "domain", "rdp.domain",
4357 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4358 NULL, HFILL }},
4359 { &hf_rdp_userName,
4360 { "userName", "rdp.userName",
4361 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4362 NULL, HFILL }},
4363 { &hf_rdp_password,
4364 { "password", "rdp.password",
4365 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4366 NULL, HFILL }},
4367 { &hf_rdp_alternateShell,
4368 { "alternateShell", "rdp.alternateShell",
4369 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4370 NULL, HFILL }},
4371 { &hf_rdp_workingDir,
4372 { "workingDir", "rdp.workingDir",
4373 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4374 NULL, HFILL }},
4375 { &hf_rdp_clientAddressFamily,
4376 { "clientAddressFamily", "rdp.client.addressFamily",
4377 FT_UINT16, BASE_HEX, NULL, 0,
4378 NULL, HFILL }},
4379 { &hf_rdp_clientAddress,
4380 { "clientAddress", "rdp.client.address",
4381 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4382 NULL, HFILL }},
4383 { &hf_rdp_clientDir,
4384 { "clientDir", "rdp.client.dir",
4385 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4386 NULL, HFILL }},
4387 { &hf_rdp_clientTimeZone,
4388 { "clientTimeZone", "rdp.client.timeZone",
4389 FT_NONE, BASE_NONE, NULL, 0,
4390 NULL, HFILL }},
4391 { &hf_rdp_clientSessionId,
4392 { "clientSessionId", "rdp.client.sessionId",
4393 FT_UINT32, BASE_HEX, NULL, 0,
4394 NULL, HFILL }},
4395 { &hf_rdp_performanceFlags,
4396 { "performanceFlags", "rdp.performanceFlags",
4397 FT_UINT32, BASE_HEX, NULL, 0,
4398 NULL, HFILL }},
4399 { &hf_rdp_autoReconnectCookie,
4400 { "autoReconnectCookie", "rdp.autoReconnectCookie",
4401 FT_BYTES, BASE_NONE, NULL, 0,
4402 NULL, HFILL }},
4403 { &hf_rdp_reserved1,
4404 { "reserved1", "rdp.reserved1",
4405 FT_UINT16, BASE_HEX, NULL, 0,
4406 NULL, HFILL }},
4407 { &hf_rdp_reserved2,
4408 { "reserved2", "rdp.reserved2",
4409 FT_UINT16, BASE_HEX, NULL, 0,
4410 NULL, HFILL }},
4411 { &hf_rdp_cbDynamicDSTTimeZoneKeyName,
4412 { "cbDynamicDSTTimeZoneKeyName", "rdp.dynamicdsttimezone.length",
4413 FT_UINT16, BASE_DEC, NULL, 0,
4414 NULL, HFILL }},
4415 { &hf_rdp_dynamicDSTTimeZoneKeyName,
4416 { "dynamicDSTTimeZoneKeyName", "rdp.dynamicdsttimezone",
4417 FT_STRINGZ, BASE_NONE, NULL, 0, /* null-terminated, count includes terminator */
4418 NULL, HFILL }},
4419 { &hf_rdp_dynamicDaylightTimeDisabled,
4420 { "dynamicDaylightTimeDisabled", "rdp.dynamicdaylighttimedisabled",
4421 FT_UINT16, BASE_DEC, NULL, 0,
4422 NULL, HFILL }},
4423 { &hf_rdp_bMsgType,
4424 { "bMsgType", "rdp.bMsgType",
4425 FT_UINT8, BASE_HEX, VALS(rdp_bMsgType_vals), 0,
4426 NULL, HFILL }},
4427 { &hf_rdp_bVersion,
4428 { "bVersion", "rdp.bVersion",
4429 FT_UINT8, BASE_DEC, NULL, 0,
4430 NULL, HFILL }},
4431 { &hf_rdp_wMsgSize,
4432 { "wMsgSize", "rdp.wMsgSize",
4433 FT_UINT16, BASE_DEC, NULL, 0,
4434 NULL, HFILL }},
4435 { &hf_rdp_wBlobType,
4436 { "wBlobType", "rdp.wBlobType",
4437 FT_UINT16, BASE_DEC, VALS(rdp_wBlobType_vals), 0,
4438 NULL, HFILL }},
4439 { &hf_rdp_wBlobLen,
4440 { "wBlobLen", "rdp.wBlobLen",
4441 FT_UINT16, BASE_DEC, NULL, 0,
4442 NULL, HFILL }},
4443 { &hf_rdp_blobData,
4444 { "blobData", "rdp.blobData",
4445 FT_BYTES, BASE_NONE, NULL, 0,
4446 NULL, HFILL }},
4447 { &hf_rdp_shareControlHeader,
4448 { "shareControlHeader", "rdp.shareControlHeader",
4449 FT_BYTES, BASE_NONE, NULL, 0,
4450 NULL, HFILL }},
4451 { &hf_rdp_channelPDUHeader,
4452 { "channelPDUHeader", "rdp.channelPDUHeader",
4453 FT_BYTES, BASE_NONE, NULL, 0,
4454 NULL, HFILL }},
4455 { &hf_rdp_virtualChannelData,
4456 { "virtualChannelData", "rdp.virtualChannelData",
4457 FT_BYTES, BASE_NONE, NULL, 0,
4458 NULL, HFILL }},
4459 { &hf_rdp_pointerFlags,
4460 { "pointerFlags", "rdp.pointerflags",
4461 FT_UINT16, BASE_HEX, NULL, 0,
4462 NULL, HFILL }},
4463 { &hf_rdp_pointerFlags_move,
4464 { "Move", "rdp.pointerflags.move",
4465 FT_BOOLEAN, 16, NULL, 0x0800,
4466 NULL, HFILL }},
4467 { &hf_rdp_pointerFlags_down,
4468 { "Down", "rdp.pointerflags.down",
4469 FT_BOOLEAN, 16, NULL, 0x8000,
4470 NULL, HFILL }},
4471 { &hf_rdp_pointerFlags_button1,
4472 { "Button1", "rdp.pointerflags.button1",
4473 FT_BOOLEAN, 16, NULL, 0x1000,
4474 NULL, HFILL }},
4475 { &hf_rdp_pointerFlags_button2,
4476 { "Button2", "rdp.pointerflags.button2",
4477 FT_BOOLEAN, 16, NULL, 0x2000,
4478 NULL, HFILL }},
4479 { &hf_rdp_pointerFlags_button3,
4480 { "Button3", "rdp.pointerflags.button3",
4481 FT_BOOLEAN, 16, NULL, 0x4000,
4482 NULL, HFILL }},
4483 { &hf_rdp_pointerFlags_wheel_rotation,
4484 { "Wheel rotation", "rdp.pointerflags.wheelrotation",
4485 FT_UINT16, BASE_DEC, NULL, 0x01ff,
4486 NULL, HFILL }},
4487 { &hf_rdp_pointerFlags_wheel_neg,
4488 { "Wheel negative", "rdp.pointerflags.wheelnegative",
4489 FT_BOOLEAN, 16, NULL, 0x0100,
4490 NULL, HFILL }},
4491 { &hf_rdp_pointerFlags_wheel,
4492 { "Wheel", "rdp.pointerflags.wheel",
4493 FT_BOOLEAN, 16, NULL, 0x0200,
4494 NULL, HFILL }},
4495 { &hf_rdp_pointerFlags_hwheel,
4496 { "Horizontal wheel", "rdp.pointerflags.hwheel",
4497 FT_BOOLEAN, 16, NULL, 0x0400,
4498 NULL, HFILL }},
4499 { &hf_rdp_pointer_xpos,
4500 { "xPos", "rdp.pointer.xpos",
4501 FT_UINT16, BASE_DEC, NULL, 0x0,
4502 NULL, HFILL }},
4503 { &hf_rdp_pointer_ypos,
4504 { "yPos", "rdp.pointer.ypos",
4505 FT_UINT16, BASE_DEC, NULL, 0x0,
4506 NULL, HFILL }},
4507 { &hf_rdp_pointerxFlags,
4508 { "PointerFlags", "rdp.pointerxflags",
4509 FT_UINT16, BASE_HEX, NULL, 0x0,
4510 NULL, HFILL }},
4511 { &hf_rdp_pointerxFlags_down,
4512 { "Down", "rdp.pointerxflags.down",
4513 FT_BOOLEAN, 16, NULL, 0x8000,
4514 NULL, HFILL }},
4515 { &hf_rdp_pointerxFlags_button1,
4516 { "Button1", "rdp.pointerxflags.button1",
4517 FT_BOOLEAN, 16, NULL, 0x0001,
4518 NULL, HFILL }},
4519 { &hf_rdp_pointerxFlags_button2,
4520 { "Button2", "rdp.pointerxflags.button2",
4521 FT_BOOLEAN, 16, NULL, 0x0002,
4522 NULL, HFILL }},
4523 { &hf_rdp_pointerx_xpos,
4524 { "xPos", "rdp.pointerx.xpos",
4525 FT_UINT16, BASE_DEC, NULL, 0x0,
4526 NULL, HFILL }},
4527 { &hf_rdp_pointerx_ypos,
4528 { "yPos", "rdp.pointerx.ypos",
4529 FT_UINT16, BASE_DEC, NULL, 0x0,
4530 NULL, HFILL }},
4531 { &hf_rdp_fastpathHeader,
4532 { "Header", "rdp.fastpath.header",
4533 FT_UINT8, BASE_HEX, NULL, 0x0,
4534 NULL, HFILL }},
4535 { &hf_rdp_fastpathAction,
4536 { "Action", "rdp.fastpath.action",
4537 FT_UINT8, BASE_DEC, VALS(rdp_fastpath_action_vals), 0x3,
4538 NULL, HFILL }},
4539 { &hf_rdp_fastpathClientNumEvents,
4540 { "numEvents", "rdp.fastpath.numevents",
4541 FT_UINT8, BASE_DEC, NULL, 0x3c,
4542 NULL, HFILL }},
4543 { &hf_rdp_fastpathFlags,
4544 { "flags", "rdp.fastpath.flags",
4545 FT_UINT8, BASE_DEC, NULL, 0xc0,
4546 NULL, HFILL }},
4547 { &hf_rdp_fastpathServerReserved,
4548 { "Reserved", "rdp.fastpath.reserved",
4549 FT_UINT8, BASE_HEX, NULL, 0x3c,
4550 NULL, HFILL }},
4551 { &hf_rdp_fastpathPDULength,
4552 { "fastpathPDULength", "rdp.fastpathPDULength",
4553 FT_UINT16, BASE_DEC, NULL, 0,
4554 NULL, HFILL }},
4555 { &hf_rdp_fastpathClientNumEvents2,
4556 { "NumEvents2", "rdp.fastpath.numevents2",
4557 FT_UINT8, BASE_DEC, NULL, 0x00,
4558 NULL, HFILL }},
4559 #if 0
4560 { &hf_rdp_fastpathOutputHeader,
4561 { "fpOutputHeader", "rdp.fastpath.outputheader",
4562 FT_UINT8, BASE_HEX, NULL, 0x00,
4563 NULL, HFILL }},
4564 #endif
4565 { &hf_rdp_fastpathServerUpdateCode,
4566 { "Code", "rdp.fastpath.clienteventcode",
4567 FT_UINT8, BASE_DEC, VALS(rdp_fastpath_server_event_vals), 0x0f,
4568 NULL, HFILL }},
4569 { &hf_rdp_fastpathServerFragmentation,
4570 { "Fragmentation", "rdp.fastpath.serverfragmentation",
4571 FT_UINT8, BASE_DEC, VALS(rdp_fastpath_server_fragmentation_vals), 0x30,
4572 NULL, HFILL }},
4573 { &hf_rdp_fastpathServerCompression,
4574 { "Compression", "rdp.fastpath.servercompression",
4575 FT_UINT8, BASE_HEX, NULL, 0xc0,
4576 NULL, HFILL }},
4577 { &hf_rdp_fastpathInputHeader,
4578 { "EventHeaderCode", "rdp.fastpath.eventheader",
4579 FT_UINT8, BASE_HEX, NULL, 0x0,
4580 NULL, HFILL }},
4581 { &hf_rdp_fastpathClientEventCode,
4582 { "Code", "rdp.fastpath.clienteventcode",
4583 FT_UINT8, BASE_DEC, VALS(rdp_fastpath_client_event_vals), 0xe0,
4584 NULL, HFILL }},
4585 { &hf_rdp_fastpathClientFlags,
4586 { "Flags", "rdp.fastpath.eventflags",
4587 FT_UINT8, BASE_DEC, NULL, 0x1f,
4588 NULL, HFILL }},
4589 { &hf_rdp_fastpathScancodeRelease,
4590 { "Release", "rdp.fastpath.scancode.release",
4591 FT_BOOLEAN, 8, NULL, 0x01,
4592 NULL, HFILL }},
4593 { &hf_rdp_fastpathScancodeExtended,
4594 { "Extended", "rdp.fastpath.scancode.extended",
4595 FT_BOOLEAN, 8, NULL, 0x02,
4596 NULL, HFILL }},
4597 { &hf_rdp_fastpathScancodeExtended1,
4598 { "Extended1", "rdp.fastpath.scancode.extended1",
4599 FT_BOOLEAN, 8, NULL, 0x04,
4600 NULL, HFILL }},
4601 { &hf_rdp_fastpathScancodeKeyCode,
4602 { "KeyCode", "rdp.fastpath.scancode.keycode",
4603 FT_UINT8, BASE_HEX, NULL, 0x00,
4604 NULL, HFILL }},
4605 { &hf_rdp_fastpathSyncScrollLock,
4606 { "ScrollLock", "rdp.fastpath.sync.scrolllock",
4607 FT_BOOLEAN, 8, NULL, 0x01,
4608 NULL, HFILL }},
4609 { &hf_rdp_fastpathSyncNumLock,
4610 { "NumLock", "rdp.fastpath.sync.numlock",
4611 FT_BOOLEAN, 8, NULL, 0x02,
4612 NULL, HFILL }},
4613 { &hf_rdp_fastpathSyncCapsLock,
4614 { "CapsLock", "rdp.fastpath.sync.capslock",
4615 FT_BOOLEAN, 8, NULL, 0x04,
4616 NULL, HFILL }},
4617 { &hf_rdp_fastpathSyncKanaLock,
4618 { "ScrollLock", "rdp.fastpath.sync.kanalock",
4619 FT_BOOLEAN, 8, NULL, 0x08,
4620 NULL, HFILL }},
4621 { &hf_rdp_fastpathQoeTimestamp,
4622 { "Timestamp", "rdp.fastpath.qoe.timestamp",
4623 FT_UINT32, BASE_HEX, NULL, 0x00,
4624 NULL, HFILL }},
4625 { &hf_rdp_fastpathUnicodeFlagsRelease,
4626 { "Release", "rdp.fastpath.unicode.release",
4627 FT_BOOLEAN, 5, NULL, 0x01,
4628 NULL, HFILL }},
4629 { &hf_rdp_fastpathUnicodeCode,
4630 { "unicodeCode", "rdp.fastpath.unicode.code",
4631 FT_UINT16, BASE_HEX, NULL, 0x00,
4632 NULL, HFILL }},
4633 { &hf_rdp_fastpathRelMouseFlags,
4634 { "Flags", "rdp.relmouse.flags",
4635 FT_UINT16, BASE_HEX, NULL, 0x00,
4636 NULL, HFILL }},
4637 { &hf_rdp_fastpathRelMouseFlags_Move,
4638 { "Move", "rdp.relmouse.flags.move",
4639 FT_UINT16, BASE_HEX, NULL, 0x0800,
4640 NULL, HFILL }},
4641 { &hf_rdp_fastpathRelMouseFlags_Down,
4642 { "Down", "rdp.relmouse.flags.down",
4643 FT_UINT16, BASE_HEX, NULL, 0x8000,
4644 NULL, HFILL }},
4645 { &hf_rdp_fastpathRelMouseFlags_Button1,
4646 { "Button1", "rdp.relmouse.flags.button1",
4647 FT_UINT16, BASE_HEX, NULL, 0x1000,
4648 NULL, HFILL }},
4649 { &hf_rdp_fastpathRelMouseFlags_Button2,
4650 { "Button2", "rdp.relmouse.flags.button2",
4651 FT_UINT16, BASE_HEX, NULL, 0x2000,
4652 NULL, HFILL }},
4653 { &hf_rdp_fastpathRelMouseFlags_Button3,
4654 { "Button3", "rdp.relmouse.flags.button3",
4655 FT_UINT16, BASE_HEX, NULL, 0x4000,
4656 NULL, HFILL }},
4657 { &hf_rdp_fastpathRelMouseFlags_XButton1,
4658 { "XButton1", "rdp.relmouse.flags.xbutton1",
4659 FT_UINT16, BASE_HEX, NULL, 0x0001,
4660 NULL, HFILL }},
4661 { &hf_rdp_fastpathRelMouseFlags_XButton2,
4662 { "XButton2", "rdp.relmouse.flags.xbutton2",
4663 FT_UINT16, BASE_HEX, NULL, 0x0002,
4664 NULL, HFILL }},
4665 { &hf_rdp_fastpathRelMouseDeltaX,
4666 { "deltaX", "rdp.relmouse.deltax",
4667 FT_INT16, BASE_DEC, NULL, 0x00,
4668 NULL, HFILL }},
4669 { &hf_rdp_fastpathRelMouseDeltaY,
4670 { "deltaY", "rdp.relmouse.deltay",
4671 FT_INT16, BASE_DEC, NULL, 0x00,
4672 NULL, HFILL }},
4673 { &hf_rdp_fastpathServerCompressionType,
4674 { "CompressionType", "rdp.fastpath.server.compressiontype",
4675 FT_UINT8, BASE_HEX, NULL, 0x00,
4676 NULL, HFILL }},
4677 { &hf_rdp_fastpathServerCompressionType_compressed,
4678 { "Compressed", "rdp.fastpath.server.compressionflags.compressed",
4679 FT_BOOLEAN, 8, NULL, PACKET_COMPRESSED,
4680 NULL, HFILL }},
4681 { &hf_rdp_fastpathServerCompressionType_atfront,
4682 { "At front", "rdp.fastpath.server.compressionflags.atfront",
4683 FT_BOOLEAN, 8, NULL, PACKET_AT_FRONT,
4684 NULL, HFILL }},
4685 { &hf_rdp_fastpathServerCompressionType_flushed,
4686 { "Flushed", "rdp.fastpath.server.compressionflags.flushed",
4687 FT_BOOLEAN, 8, NULL, PACKET_FLUSHED,
4688 NULL, HFILL }},
4689 { &hf_rdp_fastpathServerCompressionFlags,
4690 { "CompressionFlags", "rdp.fastpath.server.compressionflags",
4691 FT_UINT8, BASE_HEX, VALS(rdp_compressionType_vals), 0x0f,
4692 NULL, HFILL }},
4693 { &hf_rdp_fastpathServerSize,
4694 { "Size", "rdp.fastpath.server.size",
4695 FT_UINT16, BASE_DEC, NULL, 0x00,
4696 NULL, HFILL }},
4697 { &hf_rdp_totalLength,
4698 { "totalLength", "rdp.totalLength",
4699 FT_UINT16, BASE_DEC, NULL, 0,
4700 NULL, HFILL }},
4701 { &hf_rdp_pduType,
4702 { "pduType", "rdp.pduType",
4703 FT_UINT16, BASE_HEX, NULL, 0,
4704 NULL, HFILL }},
4705 { &hf_rdp_pduTypeType,
4706 { "pduTypeType", "rdp.pduType.type",
4707 FT_UINT16, BASE_HEX, VALS(rdp_pduTypeType_vals), PDUTYPE_TYPE_MASK,
4708 NULL, HFILL }},
4709 { &hf_rdp_pduTypeVersionLow,
4710 { "pduTypeVersionLow", "rdp.pduType.versionLow",
4711 FT_UINT16, BASE_DEC, NULL, PDUTYPE_VERSIONLOW_MASK,
4712 NULL, HFILL }},
4713 { &hf_rdp_pduTypeVersionHigh,
4714 { "pduTypeVersionHigh", "rdp.pduType.versionHigh",
4715 FT_UINT16, BASE_DEC, NULL, PDUTYPE_VERSIONHIGH_MASK,
4716 NULL, HFILL }},
4717 { &hf_rdp_pduSource,
4718 { "pduSource", "rdp.pduSource",
4719 FT_UINT16, BASE_DEC, NULL, 0,
4720 NULL, HFILL }},
4721 { &hf_rdp_shareId,
4722 { "shareId", "rdp.shareId",
4723 FT_UINT32, BASE_HEX, NULL, 0,
4724 NULL, HFILL }},
4725 { &hf_rdp_pad1,
4726 { "pad1", "rdp.pad1",
4727 FT_UINT8, BASE_HEX, NULL, 0,
4728 NULL, HFILL }},
4729 { &hf_rdp_streamId,
4730 { "streamId", "rdp.streamId",
4731 FT_UINT8, BASE_DEC, NULL, 0,
4732 NULL, HFILL }},
4733 { &hf_rdp_uncompressedLength,
4734 { "uncompressedLength", "rdp.uncompressedLength",
4735 FT_UINT16, BASE_DEC, NULL, 0,
4736 NULL, HFILL }},
4737 { &hf_rdp_pduType2,
4738 { "pduType2", "rdp.pduType2",
4739 FT_UINT8, BASE_DEC, VALS(rdp_pduType2_vals), 0,
4740 NULL, HFILL }},
4741 { &hf_rdp_compressedType,
4742 { "compressedType", "rdp.compressedType",
4743 FT_UINT8, BASE_HEX, NULL, 0,
4744 NULL, HFILL }},
4745 { &hf_rdp_compressedTypeType,
4746 { "compressedTypeType", "rdp.compressedType.type",
4747 FT_UINT8, BASE_HEX, VALS(rdp_compressionType_vals),
4748 PacketCompressionTypeMask,
4749 NULL, HFILL }},
4750 { &hf_rdp_compressedTypeCompressed,
4751 { "compressedTypeCompressed", "rdp.compressedType.compressed",
4752 FT_UINT8, BASE_HEX, NULL, PACKET_COMPRESSED,
4753 NULL, HFILL }},
4754 { &hf_rdp_compressedTypeAtFront,
4755 { "compressedTypeAtFront", "rdp.compressedType.atFront",
4756 FT_UINT8, BASE_HEX, NULL, PACKET_AT_FRONT,
4757 NULL, HFILL }},
4758 { &hf_rdp_compressedTypeFlushed,
4759 { "compressedTypeFlushed", "rdp.compressedType.flushed",
4760 FT_UINT8, BASE_HEX, NULL, PACKET_FLUSHED,
4761 NULL, HFILL }},
4762 { &hf_rdp_compressedLength,
4763 { "compressedLength", "rdp.compressedLength",
4764 FT_UINT16, BASE_DEC, NULL, 0,
4765 NULL, HFILL }},
4766 { &hf_rdp_wErrorCode,
4767 { "errorCode", "rdp.errorCode",
4768 FT_UINT32, BASE_DEC, VALS(rdp_wErrorCode_vals), 0,
4769 NULL, HFILL }},
4770 { &hf_rdp_wStateTransition,
4771 { "stateTransition", "rdp.stateTransition",
4772 FT_UINT32, BASE_DEC, VALS(rdp_wStateTransition_vals), 0,
4773 NULL, HFILL }},
4774 { &hf_rdp_numberEntries,
4775 { "numberEntries", "rdp.numberEntries",
4776 FT_UINT16, BASE_DEC, NULL, 0,
4777 NULL, HFILL }},
4778 { &hf_rdp_totalNumberEntries,
4779 { "totalNumberEntries", "rdp.totalNumberEntries",
4780 FT_UINT16, BASE_DEC, NULL, 0,
4781 NULL, HFILL }},
4782 { &hf_rdp_mapFlags,
4783 { "mapFlags", "rdp.mapFlags",
4784 FT_UINT16, BASE_HEX, NULL, 0,
4785 NULL, HFILL }},
4786 { &hf_rdp_fontMapFirst,
4787 { "fontMapFirst", "rdp.mapFlags.fontMapFirst",
4788 FT_UINT16, BASE_HEX, NULL, FONTMAP_FIRST,
4789 NULL, HFILL }},
4790 { &hf_rdp_fontMapLast,
4791 { "fontMapLast", "rdp.mapFlags.fontMapLast",
4792 FT_UINT16, BASE_HEX, NULL, FONTMAP_LAST,
4793 NULL, HFILL }},
4794 { &hf_rdp_entrySize,
4795 { "entrySize", "rdp.entrySize",
4796 FT_UINT16, BASE_DEC, NULL, 0,
4797 NULL, HFILL }},
4798 { &hf_rdp_action,
4799 { "action", "rdp.action",
4800 FT_UINT16, BASE_HEX, VALS(rdp_action_vals),
4801 0,
4802 NULL, HFILL }},
4803 { &hf_rdp_grantId,
4804 { "grantId", "rdp.grantId",
4805 FT_UINT16, BASE_DEC, NULL, 0,
4806 NULL, HFILL }},
4807 { &hf_rdp_controlId,
4808 { "controlId", "rdp.controlId",
4809 FT_UINT32, BASE_DEC, NULL, 0,
4810 NULL, HFILL }},
4811 { &hf_rdp_messageType,
4812 { "messageType", "rdp.messageType",
4813 FT_UINT16, BASE_DEC, NULL, 0,
4814 NULL, HFILL }},
4815 { &hf_rdp_targetUser,
4816 { "targetUser", "rdp.targetUser",
4817 FT_UINT16, BASE_DEC, NULL, 0,
4818 NULL, HFILL }},
4819 { &hf_rdp_numEntriesCache0,
4820 { "numEntriesCache0", "rdp.numEntriesCache0",
4821 FT_UINT16, BASE_DEC, NULL, 0,
4822 NULL, HFILL }},
4823 { &hf_rdp_numEntriesCache1,
4824 { "numEntriesCache1", "rdp.numEntriesCache1",
4825 FT_UINT16, BASE_DEC, NULL, 0,
4826 NULL, HFILL }},
4827 { &hf_rdp_numEntriesCache2,
4828 { "numEntriesCache2", "rdp.numEntriesCache2",
4829 FT_UINT16, BASE_DEC, NULL, 0,
4830 NULL, HFILL }},
4831 { &hf_rdp_numEntriesCache3,
4832 { "numEntriesCache3", "rdp.numEntriesCache3",
4833 FT_UINT16, BASE_DEC, NULL, 0,
4834 NULL, HFILL }},
4835 { &hf_rdp_numEntriesCache4,
4836 { "numEntriesCache4", "rdp.numEntriesCache4",
4837 FT_UINT16, BASE_DEC, NULL, 0,
4838 NULL, HFILL }},
4839 { &hf_rdp_totalEntriesCache0,
4840 { "totalEntriesCache0", "rdp.totalEntriesCache0",
4841 FT_UINT16, BASE_DEC, NULL, 0,
4842 NULL, HFILL }},
4843 { &hf_rdp_totalEntriesCache1,
4844 { "totalEntriesCache1", "rdp.totalEntriesCache1",
4845 FT_UINT16, BASE_DEC, NULL, 0,
4846 NULL, HFILL }},
4847 { &hf_rdp_totalEntriesCache2,
4848 { "totalEntriesCache2", "rdp.totalEntriesCache2",
4849 FT_UINT16, BASE_DEC, NULL, 0,
4850 NULL, HFILL }},
4851 { &hf_rdp_totalEntriesCache3,
4852 { "totalEntriesCache3", "rdp.totalEntriesCache3",
4853 FT_UINT16, BASE_DEC, NULL, 0,
4854 NULL, HFILL }},
4855 { &hf_rdp_totalEntriesCache4,
4856 { "totalEntriesCache4", "rdp.totalEntriesCache4",
4857 FT_UINT16, BASE_DEC, NULL, 0,
4858 NULL, HFILL }},
4859 { &hf_rdp_bBitMask,
4860 { "bBitMask", "rdp.bBitMask",
4861 FT_UINT8, BASE_HEX, NULL, 0,
4862 NULL, HFILL }},
4863 { &hf_rdp_Pad2,
4864 { "Pad2", "rdp.Pad2",
4865 FT_UINT8, BASE_HEX, NULL, 0,
4866 NULL, HFILL }},
4867 { &hf_rdp_Pad3,
4868 { "Pad3", "rdp.Pad3",
4869 FT_UINT16, BASE_HEX, NULL, 0,
4870 NULL, HFILL }},
4871 #if 0
4872 { &hf_rdp_Key1,
4873 { "Key1", "rdp.Key1",
4874 FT_UINT32, BASE_HEX, NULL, 0,
4875 NULL, HFILL }},
4876 #endif
4877 #if 0
4878 { &hf_rdp_Key2,
4879 { "Key2", "rdp.Key2",
4880 FT_UINT32, BASE_HEX, NULL, 0,
4881 NULL, HFILL }},
4882 #endif
4883 { &hf_rdp_statusInfo_status,
4884 { "statusCode", "rdp.serverstatus.code",
4885 FT_UINT32, BASE_HEX, VALS(serverstatus_vals), 0,
4886 NULL, HFILL }},
4887 { &hf_rdp_originatorId,
4888 { "originatorId", "rdp.OriginatorId",
4889 FT_UINT32, BASE_DEC, NULL, 0,
4890 NULL, HFILL }},
4891 { &hf_rdp_lengthSourceDescriptor,
4892 { "lengthSourceDescriptor", "rdp.lengthSourceDescriptor",
4893 FT_UINT16, BASE_DEC, NULL, 0,
4894 NULL, HFILL }},
4895 { &hf_rdp_lengthCombinedCapabilities,
4896 { "lengthCombinedCapabilities", "rdp.lengthCombinedCapabilities",
4897 FT_UINT16, BASE_DEC, NULL, 0,
4898 NULL, HFILL }},
4899 { &hf_rdp_sourceDescriptor,
4900 { "sourceDescriptor", "rdp.sourceDescriptor",
4901 FT_STRING, BASE_NONE, NULL, 0,
4902 NULL, HFILL }},
4903 { &hf_rdp_numberCapabilities,
4904 { "numberCapabilities", "rdp.numberCapabilities",
4905 FT_UINT16, BASE_DEC, NULL, 0,
4906 NULL, HFILL }},
4907 { &hf_rdp_pad2Octets,
4908 { "pad2Octets", "rdp.pad2Octets",
4909 FT_UINT16, BASE_DEC, NULL, 0,
4910 NULL, HFILL }},
4911 { &hf_rdp_capabilitySetType,
4912 { "capabilitySetType", "rdp.capabilitySetType",
4913 FT_UINT16, BASE_HEX, VALS(rdp_capabilityType_vals), 0,
4914 NULL, HFILL }},
4915 { &hf_rdp_capabilitySet,
4916 { "capabilitySet", "rdp.capabilitySet",
4917 FT_NONE, BASE_NONE, NULL, 0,
4918 NULL, HFILL }},
4919 { &hf_rdp_lengthCapability,
4920 { "lengthCapability", "rdp.lengthCapability",
4921 FT_UINT16, BASE_DEC, NULL, 0,
4922 NULL, HFILL }},
4923 { &hf_rdp_capabilityData,
4924 { "capabilityData", "rdp.capabilityData",
4925 FT_NONE, BASE_NONE, NULL, 0,
4926 NULL, HFILL }},
4927 { &hf_rdp_capaRail_supportedLevel,
4928 { "RailSupportLevel", "rdp.capability.rail.supportedlevel",
4929 FT_UINT32, BASE_HEX, NULL, 0,
4930 NULL, HFILL }},
4931 { &hf_rdp_capaRail_flag_supported,
4932 { "SUPPORTED", "rdp.capability.rail.supported",
4933 FT_UINT32, BASE_HEX, NULL, 0x00000001,
4934 NULL, HFILL }},
4935 { &hf_rdp_capaRail_flag_dockedlangbar,
4936 { "DOCKED_LANGBAR", "rdp.capability.rail.dockedlangbar",
4937 FT_UINT32, BASE_HEX, NULL, 0x00000002,
4938 NULL, HFILL }},
4939 { &hf_rdp_capaRail_flag_shellintegration,
4940 { "SHELL_INTEGRATION", "rdp.capability.rail.shellintegration",
4941 FT_UINT32, BASE_HEX, NULL, 0x00000004,
4942 NULL, HFILL }},
4943 { &hf_rdp_capaRail_flag_lang_ime_sync,
4944 { "LANGUAGE_IME_SYNC", "rdp.capability.rail.langimesync",
4945 FT_UINT32, BASE_HEX, NULL, 0x00000008,
4946 NULL, HFILL }},
4947 { &hf_rdp_capaRail_flag_server_to_client_ime_sync,
4948 { "SERVER_TO_CLIENT_IME_SYNC", "rdp.capability.rail.servertoclientimesync",
4949 FT_UINT32, BASE_HEX, NULL, 0x00000010,
4950 NULL, HFILL }},
4951 { &hf_rdp_capaRail_flag_hide_minimized,
4952 { "HIDE_MINIMIZED_APPS", "rdp.capability.rail.hideminimized",
4953 FT_UINT32, BASE_HEX, NULL, 0x00000020,
4954 NULL, HFILL }},
4955 { &hf_rdp_capaRail_flag_windows_cloaking,
4956 { "WINDOW_CLOAKING", "rdp.capability.rail.windowcloaking",
4957 FT_UINT32, BASE_HEX, NULL, 0x00000040,
4958 NULL, HFILL }},
4959 { &hf_rdp_capaRail_flag_handshakeex,
4960 { "HANDSHAKE_EX", "rdp.capability.rail.handshakeex",
4961 FT_UINT32, BASE_HEX, NULL, 0x00000080,
4962 NULL, HFILL }},
4963 #if 0
4964 { &hf_rdp_unknownData,
4965 { "unknownData", "rdp.unknownData",
4966 FT_NONE, BASE_NONE, NULL, 0,
4967 NULL, HFILL }},
4968 #endif
4969 { &hf_rdp_notYetImplemented,
4970 { "notYetImplemented", "rdp.notYetImplemented",
4971 FT_NONE, BASE_NONE, NULL, 0,
4972 NULL, HFILL }},
4973 { &hf_rdp_encrypted,
4974 { "encryptedData", "rdp.encryptedData",
4975 FT_NONE, BASE_NONE, NULL, 0,
4976 NULL, HFILL }},
4977 #if 0
4978 { &hf_rdp_compressed,
4979 { "compressedData", "rdp.compressedData",
4980 FT_NONE, BASE_NONE, NULL, 0,
4981 NULL, HFILL }},
4982 #endif
4983 { &hf_rdp_sessionId,
4984 { "sessionId", "rdp.sessionId",
4985 FT_UINT32, BASE_HEX, NULL, 0,
4986 NULL, HFILL }},
4987 { &hf_rdp_channelDefArray,
4988 { "channelDefArray", "rdp.channelDefArray",
4989 FT_NONE, BASE_NONE, NULL, 0,
4990 NULL, HFILL }},
4991 { &hf_rdp_channelDef,
4992 { "channelDef", "rdp.channelDef",
4993 FT_NONE, BASE_NONE, NULL, 0,
4994 NULL, HFILL }},
4995 { &hf_rdp_name,
4996 { "name", "rdp.name",
4997 FT_STRING, BASE_NONE, NULL, 0,
4998 NULL, HFILL }},
4999 { &hf_rdp_options,
5000 { "options", "rdp.options",
5001 FT_UINT32, BASE_HEX, NULL, 0,
5002 NULL, HFILL }},
5003 { &hf_rdp_optionsInitialized,
5004 { "optionsInitialized", "rdp.options.initialized",
5005 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_INITIALIZED,
5006 NULL, HFILL }},
5007 { &hf_rdp_optionsEncryptRDP,
5008 { "encryptRDP", "rdp.options.encrypt.rdp",
5009 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_ENCRYPT_RDP,
5010 NULL, HFILL }},
5011 { &hf_rdp_optionsEncryptSC,
5012 { "encryptSC", "rdp.options.encrypt.sc",
5013 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_ENCRYPT_SC,
5014 NULL, HFILL }},
5015 { &hf_rdp_optionsEncryptCS,
5016 { "encryptCS", "rdp.options.encrypt.cs",
5017 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_ENCRYPT_CS,
5018 NULL, HFILL }},
5019 { &hf_rdp_optionsPriHigh,
5020 { "priorityHigh", "rdp.options.priority.high",
5021 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_PRI_HIGH,
5022 NULL, HFILL }},
5023 { &hf_rdp_optionsPriMed,
5024 { "priorityMed", "rdp.options.priority.med",
5025 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_PRI_MED,
5026 NULL, HFILL }},
5027 { &hf_rdp_optionsPriLow,
5028 { "priorityLow", "rdp.options.priority.low",
5029 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_PRI_LOW,
5030 NULL, HFILL }},
5031 { &hf_rdp_optionsCompressRDP,
5032 { "compressRDP", "rdp.options.compress.rdp",
5033 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_COMPRESS_RDP,
5034 NULL, HFILL }},
5035 { &hf_rdp_optionsCompress,
5036 { "compress", "rdp.options.compress",
5037 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_COMPRESS,
5038 NULL, HFILL }},
5039 { &hf_rdp_optionsShowProtocol,
5040 { "showProtocol", "rdp.options.showprotocol",
5041 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_SHOW_PROTOCOL,
5042 NULL, HFILL }},
5043 { &hf_rdp_optionsRemoteControlPersistent,
5044 { "remoteControlPersistent", "rdp.options.remotecontrolpersistent",
5045 FT_UINT32, BASE_HEX, NULL, CHANNEL_OPTION_REMOTE_CONTROL_PERSISTENT,
5046 NULL, HFILL }},
5047 { &hf_rdp_channelFlagFirst,
5048 { "channelFlagFirst", "rdp.channelFlag.first",
5049 FT_UINT32, BASE_HEX, NULL, CHANNEL_FLAG_FIRST,
5050 NULL, HFILL }},
5051 { &hf_rdp_channelFlagLast,
5052 { "channelFlagLast", "rdp.channelFlag.last",
5053 FT_UINT32, BASE_HEX, NULL, CHANNEL_FLAG_LAST,
5054 NULL, HFILL }},
5055 { &hf_rdp_channelFlagShowProtocol,
5056 { "channelFlagShowProtocol", "rdp.channelFlag.showProtocol",
5057 FT_UINT32, BASE_HEX, NULL, CHANNEL_FLAG_SHOW_PROTOCOL,
5058 NULL, HFILL }},
5059 { &hf_rdp_channelFlagSuspend,
5060 { "channelFlagSuspend", "rdp.channelFlag.suspend",
5061 FT_UINT32, BASE_HEX, NULL, CHANNEL_FLAG_SUSPEND,
5062 NULL, HFILL }},
5063 { &hf_rdp_channelFlagResume,
5064 { "channelFlagResume", "rdp.channelFlag.resume",
5065 FT_UINT32, BASE_HEX, NULL, CHANNEL_FLAG_RESUME,
5066 NULL, HFILL }},
5067 { &hf_rdp_channelPacketCompressed,
5068 { "channelPacketCompressed", "rdp.channelPacket.compressed",
5069 FT_UINT32, BASE_HEX, NULL, CHANNEL_PACKET_COMPRESSED,
5070 NULL, HFILL }},
5071 { &hf_rdp_channelPacketAtFront,
5072 { "channelPacketAtFront", "rdp.channelPacket.atFront",
5073 FT_UINT32, BASE_HEX, NULL, CHANNEL_PACKET_AT_FRONT,
5074 NULL, HFILL }},
5075 { &hf_rdp_channelPacketFlushed,
5076 { "channelPacketFlushed", "rdp.channelPacket.flushed",
5077 FT_UINT32, BASE_HEX, NULL, CHANNEL_PACKET_FLUSHED,
5078 NULL, HFILL }},
5079 { &hf_rdp_channelPacketCompressionType,
5080 { "channelPacketCompressionType", "rdp.channelPacket.compressionType",
5081 FT_UINT32, BASE_HEX, VALS(rdp_channelCompressionType_vals), ChannelCompressionTypeMask,
5082 NULL, HFILL }},
5083 { &hf_rdp_wYear,
5084 { "wYear", "rdp.wYear",
5085 FT_UINT16, BASE_DEC, NULL, 0,
5086 NULL, HFILL }},
5087 { &hf_rdp_wMonth,
5088 { "wMonth", "rdp.wMonth",
5089 FT_UINT16, BASE_DEC, VALS(rdp_wMonth_vals), 0,
5090 NULL, HFILL }},
5091 { &hf_rdp_wDayOfWeek,
5092 { "wDayOfWeek", "rdp.wDayOfWeek",
5093 FT_UINT16, BASE_DEC, VALS(rdp_wDayOfWeek_vals), 0,
5094 NULL, HFILL }},
5095 { &hf_rdp_wDay,
5096 { "wDay", "rdp.wDay",
5097 FT_UINT16, BASE_DEC, VALS(rdp_wDay_vals), 0,
5098 NULL, HFILL }},
5099 { &hf_rdp_wHour,
5100 { "wHour", "rdp.wHour",
5101 FT_UINT16, BASE_DEC, NULL, 0,
5102 NULL, HFILL }},
5103 { &hf_rdp_wMinute,
5104 { "wMinute", "rdp.wMinute",
5105 FT_UINT16, BASE_DEC, NULL, 0,
5106 NULL, HFILL }},
5107 { &hf_rdp_wSecond,
5108 { "wSecond", "rdp.wSecond",
5109 FT_UINT16, BASE_DEC, NULL, 0,
5110 NULL, HFILL }},
5111 { &hf_rdp_wMilliseconds,
5112 { "wMilliseconds", "rdp.wMilliseconds",
5113 FT_UINT16, BASE_DEC, NULL, 0,
5114 NULL, HFILL }},
5115 { &hf_rdp_Bias,
5116 { "Bias", "rdp.Bias",
5117 FT_UINT32, BASE_DEC, NULL, 0,
5118 NULL, HFILL }},
5119 { &hf_rdp_StandardBias,
5120 { "StandardBias", "rdp.Bias.standard",
5121 FT_UINT32, BASE_DEC, NULL, 0,
5122 NULL, HFILL }},
5123 { &hf_rdp_DaylightBias,
5124 { "DaylightBias", "rdp.Bias.daylight",
5125 FT_UINT32, BASE_DEC, NULL, 0,
5126 NULL, HFILL }},
5127 { &hf_rdp_StandardName,
5128 { "StandardName", "rdp.Name.Standard",
5129 FT_STRINGZ, BASE_NONE, NULL, 0, /* zero-padded, not null-terminated */
5130 NULL, HFILL }},
5131 { &hf_rdp_StandardDate,
5132 { "StandardDate", "rdp.Date.Standard",
5133 FT_NONE, BASE_NONE, NULL, 0,
5134 NULL, HFILL }},
5135 { &hf_rdp_DaylightName,
5136 { "DaylightName", "rdp.Name.Daylight",
5137 FT_STRINGZ, BASE_NONE, NULL, 0, /* zero-padded, not null-terminated */
5138 NULL, HFILL }},
5139 { &hf_rdp_DaylightDate,
5140 { "DaylightDate", "rdp.Date.Daylight",
5141 FT_NONE, BASE_NONE, NULL, 0,
5142 NULL, HFILL }},
5143 };
5144
5145 /* List of subtrees */
5146 static int *ett[] = {
5147 &ett_rdp,
5148 &ett_negReq_flags,
5149 &ett_requestedProtocols,
5150 &ett_negRsp_flags,
5151 &ett_selectedProtocol,
5152 &ett_rdp_ClientData,
5153 &ett_rdp_ServerData,
5154 &ett_rdp_SendData,
5155 &ett_rdp_MessageData,
5156 &ett_rdp_capabilitySet,
5157 &ett_rdp_capa_rail,
5158 &ett_rdp_channelDef,
5159 &ett_rdp_channelDefArray,
5160 &ett_rdp_channelFlags,
5161 &ett_rdp_channelIdArray,
5162 &ett_rdp_channelPDUHeader,
5163 &ett_rdp_clientClusterData,
5164 &ett_rdp_clientClusterFlags,
5165 &ett_rdp_clientCoreData,
5166 &ett_rdp_clientInfoPDU,
5167 &ett_rdp_clientMonitorData,
5168 &ett_rdp_clientMonitorDefData,
5169 &ett_rdp_clientMonitorExData,
5170 &ett_rdp_clientMsgChannelData,
5171 &ett_rdp_clientMultiTransportData,
5172 &ett_rdp_clientNetworkData,
5173 &ett_rdp_clientSecurityData,
5174 &ett_rdp_clientUnknownData,
5175 &ett_rdp_compressedType,
5176 &ett_rdp_mt_req,
5177 &ett_rdp_mt_rsp,
5178 &ett_rdp_heartbeat,
5179 &ett_rdp_flags,
5180 &ett_rdp_mapFlags,
5181 &ett_rdp_options,
5182 &ett_rdp_pduType,
5183 &ett_rdp_securityExchangePDU,
5184 &ett_rdp_serverCoreData,
5185 &ett_rdp_serverMsgChannelData,
5186 &ett_rdp_serverMultiTransportData,
5187 &ett_rdp_serverNetworkData,
5188 &ett_rdp_serverSecurityData,
5189 &ett_rdp_serverUnknownData,
5190 &ett_rdp_shareControlHeader,
5191 &ett_rdp_validClientLicenseData,
5192 &ett_rdp_StandardDate,
5193 &ett_rdp_DaylightDate,
5194 &ett_rdp_clientTimeZone,
5195 &ett_rdp_fastpath,
5196 &ett_rdp_fastpath_header,
5197 &ett_rdp_fastpath_scancode_flags,
5198 &ett_rdp_fastpath_mouse_flags,
5199 &ett_rdp_fastpath_mousex_flags,
5200 &ett_rdp_fastpath_relmouse_flags,
5201 &ett_rdp_fastpath_compression,
5202 };
5203 static ei_register_info ei[] = {
5204 { &ei_rdp_neg_len_invalid, { "rdp.neg_len.invalid", PI_PROTOCOL, PI_ERROR, "Invalid length", EXPFILL }},
5205 { &ei_rdp_not_correlation_info, { "rdp.not_correlation_info", PI_PROTOCOL, PI_ERROR, "What follows RDP Negotiation Request is not an RDP Correlation Info", EXPFILL }},
5206 };
5207 module_t *rdp_module;
5208 expert_module_t* expert_rdp;
5209
5210 /* Register protocol */
5211 proto_rdp = proto_register_protocol(PNAME, PSNAME, PFNAME);
5212 /* Register fields and subtrees */
5213 proto_register_field_array(proto_rdp, hf, array_length(hf));
5214 proto_register_subtree_array(ett, array_length(ett));
5215 expert_rdp = expert_register_protocol(proto_rdp);
5216 expert_register_field_array(expert_rdp, ei, array_length(ei));
5217
5218 register_init_routine(init_server_conversations);
5219
5220 /* Register our configuration options for RDP, particularly our port */
5221 rdp_module = prefs_register_protocol(proto_rdp, NULL);
5222
5223 prefs_register_obsolete_preference(rdp_module, "tcp.port");
5224
5225 prefs_register_static_text_preference(rdp_module, "tcp_port_info",
5226 "The TCP ports used by the RDP protocol should be added to the TPKT preference \"TPKT TCP ports\", or by selecting \"TPKT\" as the \"Transport\" protocol in the \"Decode As\" dialog.",
5227 "RDP TCP Port preference moved information");
5228
5229 rdp_heur_subdissector_list = register_heur_dissector_list_with_description("rdp", "RDP payload", proto_rdp);
5230 }
5231
5232 void
5233 proto_reg_handoff_rdp(void)
5234 {
5235 drdynvc_handle = find_dissector("rdp_drdynvc");
5236 rail_handle = find_dissector("rdp_rail");
5237 cliprdr_handle = find_dissector("rdp_cliprdr");
5238 snd_handle = find_dissector("rdp_snd");
5239
5240 heur_dissector_add("cotp_cr", dissect_rdp_cr_heur, "RDP", "rdp_cr", proto_rdp, HEURISTIC_ENABLE);
5241 heur_dissector_add("cotp_cc", dissect_rdp_cc_heur, "RDP", "rdp_cc", proto_rdp, HEURISTIC_ENABLE);
5242
5243 heur_dissector_add("tpkt", dissect_rdp_heur, "RDP", "rdp_fastpath", proto_rdp, HEURISTIC_ENABLE);
5244
5245 register_t124_ns_dissector("Duca", dissect_rdp_ClientData, proto_rdp);
5246 register_t124_ns_dissector("McDn", dissect_rdp_ServerData, proto_rdp);
5247 }
5248
5249 /*
5250 * Editor modelines - https://www.wireshark.org/tools/modelines.html
5251 *
5252 * Local Variables:
5253 * c-basic-offset: 2
5254 * tab-width: 8
5255 * indent-tabs-mode: nil
5256 * End:
5257 *
5258 * ex: set shiftwidth=2 tabstop=8 expandtab:
5259 * :indentSize=2:tabSize=8:noTabs=true:
5260 */
Metzes wireshark repo