search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MSWSP: add two more Property Sets
[wireshark-wip.git] / epan / dissectors / packet-smb-logon.c
blob9ef54414868c41b23b8160924170ed1e4b1e59fe
1 /* packet-smb-logon.c
2 * Routines for SMB net logon packet dissection
3 * Copyright 2000, Jeffrey C. Foster <jfoste@woodward.com>
4 *
5 * $Id$
6 *
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
10 *
11 * Copied from packet-pop.c
12 *
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
17 *
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
22 *
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 */
27
28 #include "config.h"
29
30 #include <glib.h>
31
32 #include <epan/packet.h>
33 #include "packet-windows-common.h"
34 #include "packet-smb-common.h"
35
36 static int proto_smb_logon = -1;
37 static int hf_command = -1;
38 static int hf_computer_name = -1;
39 static int hf_unicode_computer_name = -1;
40 static int hf_server_name = -1;
41 static int hf_user_name = -1;
42 static int hf_domain_name = -1;
43 static int hf_server_dns_name = -1;
44 static int hf_forest_dns_name = -1;
45 static int hf_domain_dns_name = -1;
46 static int hf_mailslot_name = -1;
47 static int hf_pdc_name = -1;
48 static int hf_unicode_pdc_name = -1;
49 static int hf_script_name = -1;
50 static int hf_nt_version = -1;
51 static int hf_lmnt_token = -1;
52 static int hf_lm_token = -1;
53 static int hf_major_version = -1;
54 static int hf_minor_version = -1;
55 static int hf_os_version = -1;
56 static int hf_date_time = -1;
57 static int hf_update_type = -1;
58 static int hf_request_count = -1;
59 static int hf_flags_autolock = -1;
60 static int hf_flags_expire = -1;
61 static int hf_flags_server_trust = -1;
62 static int hf_flags_workstation_trust = -1;
63 static int hf_flags_interdomain_trust = -1;
64 static int hf_flags_mns_user = -1;
65 static int hf_flags_normal_user = -1;
66 static int hf_flags_temp_dup_user = -1;
67 static int hf_flags_password_required = -1;
68 static int hf_flags_homedir_required = -1;
69 static int hf_flags_enabled = -1;
70 static int hf_domain_sid_size = -1;
71 static int hf_low_serial = -1;
72 static int hf_pulse = -1;
73 static int hf_random = -1;
74 static int hf_db_count = -1;
75 static int hf_db_index = -1;
76 static int hf_large_serial = -1;
77 static int hf_nt_date_time = -1;
78
79 static int hf_unknown8 = -1;
80 static int hf_unknown32 = -1;
81
82 static int hf_domain_guid = -1;
83 static int hf_server_ip = -1;
84
85 static int hf_server_site_name = -1;
86 static int hf_client_site_name = -1;
87
88 static int ett_smb_logon = -1;
89 static int ett_smb_account_flags = -1;
90 static int ett_smb_db_info = -1;
91
92 #define ACC_FLAG_AUTO_LOCKED 0x0400
93 #define ACC_FLAG_EXPIRE 0x0200
94 #define ACC_FLAG_SERVER_TRUST 0x0100
95 #define ACC_FLAG_WORKSTATION_TRUST 0x0080
96 #define ACC_FLAG_INTERDOMAIN_TRUST 0x0040
97 #define ACC_FLAG_MNS_USER 0x0020
98 #define ACC_FLAG_NORMAL_USER 0x0010
99 #define ACC_FLAG_TEMP_DUP_USER 0x0008
100 #define ACC_FLAG_PASSWORD_REQUIRED 0x0004
101 #define ACC_FLAG_HOMEDIR_REQUIRED 0x0002
102 #define ACC_FLAG_ENABLED 0x0001
103
104 static const true_false_string tfs_flags_autolock = {
105 "User account auto-locked",
106 "User account NOT auto-locked"
107 };
108 static const true_false_string tfs_flags_expire = {
109 "User password will NOT expire",
110 "User password will expire"
111 };
112 static const true_false_string tfs_flags_server_trust = {
113 "Server Trust user account",
114 "NOT a Server Trust user account"
115 };
116 static const true_false_string tfs_flags_workstation_trust = {
117 "Workstation Trust user account",
118 "NOT a Workstation Trust user account"
119 };
120 static const true_false_string tfs_flags_interdomain_trust = {
121 "Inter-domain Trust user account",
122 "NOT a Inter-domain Trust user account"
123 };
124 static const true_false_string tfs_flags_mns_user = {
125 "MNS Logon user account",
126 "NOT a MNS Logon user account"
127 };
128 static const true_false_string tfs_flags_normal_user = {
129 "Normal user account",
130 "NOT a normal user account"
131 };
132 static const true_false_string tfs_flags_temp_dup_user = {
133 "Temp duplicate user account",
134 "NOT a temp duplicate user account"
135 };
136 static const true_false_string tfs_flags_password_required = {
137 "NO password required",
138 "Password required"
139 };
140 static const true_false_string tfs_flags_homedir_required = {
141 "NO homedir required",
142 "Homedir required"
143 };
144 static const true_false_string tfs_flags_enabled = {
145 "User account enabled",
146 "User account disabled"
147 };
148
149
150
151 static int
152 dissect_account_control(tvbuff_t *tvb, proto_tree *tree, int offset)
153 {
154 /* display the Allowable Account control bits */
155
156 proto_item *ti = NULL;
157 proto_tree *flags_tree = NULL;
158 guint32 flags;
159
160 flags = tvb_get_letohl(tvb, offset);
161
162 if (tree) {
163 ti = proto_tree_add_text(tree, tvb, offset, 4,
164 "Account control = 0x%04x", flags);
165
166 flags_tree = proto_item_add_subtree(ti, ett_smb_account_flags);
167 }
168
169 proto_tree_add_boolean(flags_tree, hf_flags_autolock, tvb, offset, 4, flags);
170 proto_tree_add_boolean(flags_tree, hf_flags_expire, tvb, offset, 4, flags);
171 proto_tree_add_boolean(flags_tree, hf_flags_server_trust, tvb, offset, 4, flags);
172 proto_tree_add_boolean(flags_tree, hf_flags_workstation_trust, tvb, offset, 4, flags);
173 proto_tree_add_boolean(flags_tree, hf_flags_interdomain_trust, tvb, offset, 4, flags);
174 proto_tree_add_boolean(flags_tree, hf_flags_mns_user, tvb, offset, 4, flags);
175 proto_tree_add_boolean(flags_tree, hf_flags_normal_user, tvb, offset, 4, flags);
176 proto_tree_add_boolean(flags_tree, hf_flags_temp_dup_user, tvb, offset, 4, flags);
177 proto_tree_add_boolean(flags_tree, hf_flags_password_required, tvb, offset, 4, flags);
178 proto_tree_add_boolean(flags_tree, hf_flags_homedir_required, tvb, offset, 4, flags);
179 proto_tree_add_boolean(flags_tree, hf_flags_enabled, tvb, offset, 4, flags);
180
181 offset += 4;
182
183 return offset;
184 }
185
186 static int
187 display_LM_token(tvbuff_t *tvb, int offset, proto_tree *tree)
188 {
189 guint16 Token;
190
191 Token = tvb_get_letohs(tvb, offset);
192
193 if (Token & 0x01) {
194 proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2,
195 Token,
196 "LM20 Token: 0x%04x (LanMan 2.0 or higher)", Token);
197 } else {
198 /*
199 * XXX - are all values with the lower bit set LM 2.0,
200 * and all values with it not set LM 1.0?
201 * What do the other bits mean, if anything?
202 */
203 proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2,
204 Token,
205 "LM10 Token: 0x%04x (WFW Networking)", Token);
206 }
207
208 offset += 2;
209
210 return offset;
211 }
212
213 static int
214 display_LMNT_token(tvbuff_t *tvb, int offset, proto_tree *tree)
215 {
216 guint16 Token;
217
218 Token = tvb_get_letohs(tvb, offset);
219
220 if (Token == 0xffff) {
221 proto_tree_add_uint_format_value(tree, hf_lmnt_token, tvb, offset, 2,
222 Token,
223 "0x%04x (Windows NT Networking)", Token);
224 } else {
225 /*
226 * XXX - what is it if it's not 0xffff?
227 */
228 proto_tree_add_uint_format(tree, hf_lm_token, tvb, offset, 2,
229 Token,
230 "LMNT Token: 0x%04x (Unknown)", Token);
231 }
232
233 offset += 2;
234
235 return offset;
236 }
237
238 static int
239 dissect_smb_logon_request(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
240 {
241 /*** 0x00 (LM1.0/LM2.0 LOGON Request) ***/
242
243 /* computer name */
244 offset = display_ms_string(tvb, tree, offset, hf_computer_name, NULL);
245
246 /* user name */
247 offset = display_ms_string(tvb, tree, offset, hf_user_name, NULL);
248
249 /* mailslot name */
250 offset = display_ms_string(tvb, tree, offset, hf_mailslot_name, NULL);
251
252 /*$$$$$ here add the Mailslot to the response list (if needed) */
253
254 /* Request count */
255 proto_tree_add_item(tree, hf_request_count, tvb, offset, 1, ENC_LITTLE_ENDIAN);
256 offset += 1;
257
258 /* NT version */
259 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
260 offset += 2;
261
262 /* LM token */
263 offset = display_LM_token(tvb, offset, tree);
264
265 return offset;
266 }
267
268
269
270 static int
271 dissect_smb_logon_LM10_resp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
272 {
273 /*** 0x01 LanMan 1.0 Logon response ***/
274
275 /* user name */
276 offset = display_ms_string(tvb, tree, offset, hf_user_name, NULL);
277
278 /* script name */
279 offset = display_ms_string(tvb, tree, offset, hf_script_name, NULL);
280
281 return offset;
282 }
283
284
285 static int
286 dissect_smb_logon_2(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
287 {
288 /*** 0x02 LM1.0 Query - Centralized Initialization ***/
289 /*** 0x03 LM1.0 Query - Distributed Initialization ***/
290 /*** 0x04 LM1.0 Query - Centralized Query Response ***/
291 /*** 0x04 LM1.0 Query - Distributed Query Response ***/
292
293 /* computer name */
294 offset = display_ms_string(tvb, tree, offset, hf_computer_name, NULL);
295
296 /* mailslot name */
297 offset = display_ms_string(tvb, tree, offset, hf_mailslot_name, NULL);
298
299 /* NT version */
300 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 2, ENC_LITTLE_ENDIAN);
301 offset += 2;
302
303 /* LM token */
304 offset = display_LM_token(tvb, offset, tree);
305
306 return offset;
307 }
308
309
310
311 static int
312 dissect_smb_logon_LM20_resp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
313 {
314 /*** 0x06 (LM2.0 LOGON Response) ***/
315
316 /* server name */
317 offset = display_ms_string(tvb, tree, offset, hf_server_name, NULL);
318
319 /* LM token */
320 offset = display_LM_token(tvb, offset, tree);
321
322 return offset;
323 }
324
325
326
327 static int
328 dissect_smb_pdc_query(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
329 {
330 char *name;
331
332 /*** 0x07 Query for Primary PDC ***/
333
334 /* computer name */
335 offset = display_ms_string(tvb, tree, offset, hf_computer_name, &name);
336
337 col_append_fstr(pinfo->cinfo, COL_INFO, " from %s", name);
338
339 /* mailslot name */
340 offset = display_ms_string(tvb, tree, offset, hf_mailslot_name, NULL);
341
342 if (tvb_reported_length_remaining(tvb, offset) > 2) {
343 /*
344 * NT-style Query for PDC?
345 * If only 2 bytes remain, it's probably a Windows 95-style
346 * query, which has only an LM token after the mailslot
347 * name.
348 *
349 * XXX - base this on flags in the SMB header, e.g.
350 * the ASCII/Unicode strings flag?
351 */
352 if (offset % 2) offset++; /* word align ... */
353
354 /* Unicode computer name */
355 offset = display_unicode_string(tvb, tree, offset, hf_unicode_computer_name, NULL);
356
357 /* NT version */
358 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
359 offset += 4;
360
361 /* LMNT token */
362 offset = display_LMNT_token(tvb, offset, tree);
363 }
364
365 /* LM token */
366 offset = display_LM_token(tvb, offset, tree);
367
368 return offset;
369 }
370
371
372
373 static int
374 dissect_smb_pdc_startup(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
375 {
376 /*** 0x08 Announce startup of PDC ***/
377
378 /* pdc name */
379 offset = display_ms_string(tvb, tree, offset, hf_pdc_name, NULL);
380
381 /* A short Announce will not have the rest */
382
383 if (tvb_reported_length_remaining(tvb, offset) != 0) {
384 char *name = NULL;
385
386 if (offset % 2) offset++; /* word align ... */
387
388 /* pdc name */
389 offset = display_unicode_string(tvb, tree, offset, hf_unicode_pdc_name, &name);
390
391 if (name) {
392 col_append_fstr(pinfo->cinfo, COL_INFO, ": host %s", name);
393 name = NULL;
394 }
395
396 if (offset % 2) offset++;
397
398 /* domain name */
399 offset = display_unicode_string(tvb, tree, offset, hf_domain_name, &name);
400
401 if (name) {
402 col_append_fstr(pinfo->cinfo, COL_INFO, ", domain %s", name);
403 name = NULL;
404 }
405
406 /* NT version */
407 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
408 offset += 4;
409
410 /* LMNT token */
411 offset = display_LMNT_token(tvb, offset, tree);
412
413 /* LM token */
414 offset = display_LM_token(tvb, offset, tree);
415 }
416
417 return offset;
418 }
419
420
421
422 static int
423 dissect_smb_pdc_failure(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
424 {
425 /*** 0x09 Announce failure of the PDC ***/
426 /*** 0x0F LM2.0 Resp. during LOGON pause ***/
427 /*** 0x10 (LM 2.0 Unknown user response) ***/
428
429 /* NT version */
430 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
431 offset += 4;
432
433 /* LM token */
434 offset = display_LM_token(tvb, offset, tree);
435
436 return offset;
437 }
438
439
440 static int
441 dissect_announce_change(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
442 {
443 /*** 0x0A ( Announce change to UAS or SAM ) ***/
444 guint32 info_count;
445 proto_item *ti = NULL;
446 proto_tree *info_tree = NULL;
447 guint32 db_index;
448 guint32 domain_sid_size;
449
450 /* low serial number */
451 proto_tree_add_item(tree, hf_low_serial, tvb, offset, 4, ENC_LITTLE_ENDIAN);
452 offset += 4;
453
454 /* date/time */
455 /* XXX - what format is this? Neither SMB_Date/SMB_Time nor
456 "time_t but in the local time zone" appear to be correct. */
457 proto_tree_add_item(tree, hf_date_time, tvb, offset, 4, ENC_LITTLE_ENDIAN);
458 offset += 4;
459
460 /* pulse */
461 proto_tree_add_item(tree, hf_pulse, tvb, offset, 4, ENC_LITTLE_ENDIAN);
462 offset += 4;
463
464 /* random */
465 proto_tree_add_item(tree, hf_random, tvb, offset, 4, ENC_LITTLE_ENDIAN);
466 offset += 4;
467
468 /* pdc name */
469 offset = display_ms_string(tvb, tree, offset, hf_pdc_name, NULL);
470
471 /* domain name */
472 offset = display_ms_string(tvb, tree, offset, hf_domain_name, NULL);
473
474 if (offset % 2) offset++; /* word align ... */
475
476 if (tvb_reported_length_remaining(tvb, offset) > 2) {
477 /*
478 * XXX - older protocol versions don't have this stuff?
479 */
480 /* pdc name */
481 offset = display_unicode_string(tvb, tree, offset, hf_unicode_pdc_name, NULL);
482
483 /* domain name */
484 offset = display_unicode_string(tvb, tree, offset, hf_domain_name, NULL);
485
486 /* DB count */
487 info_count = tvb_get_letohl(tvb, offset);
488 proto_tree_add_uint(tree, hf_db_count, tvb, offset, 4, info_count);
489 offset += 4;
490
491 while (info_count != 0) {
492 db_index = tvb_get_letohl(tvb, offset);
493 if (tree) {
494 ti = proto_tree_add_text(tree, tvb, offset, 20,
495 "DBChange Info Structure: index %u", db_index);
496 info_tree = proto_item_add_subtree(ti, ett_smb_db_info);
497 }
498
499 proto_tree_add_uint(info_tree, hf_db_index, tvb, offset, 4,
500 db_index);
501 offset += 4;
502
503 proto_tree_add_item(info_tree, hf_large_serial, tvb, offset, 8,
504 ENC_LITTLE_ENDIAN);
505 offset += 8;
506
507 offset = dissect_nt_64bit_time(tvb, info_tree, offset,
508 hf_nt_date_time);
509
510 info_count--;
511 }
512
513 /* Domain SID Size */
514 domain_sid_size = tvb_get_letohl(tvb, offset);
515 proto_tree_add_uint(tree, hf_domain_sid_size, tvb, offset, 4,
516 domain_sid_size);
517 offset += 4;
518
519 if (domain_sid_size != 0) {
520 /* Align to four-byte boundary */
521 offset = ((offset + 3)/4)*4;
522
523 /* Domain SID */
524 offset = dissect_nt_sid(
525 tvb, offset, tree, "Domain", NULL, -1);
526 }
527
528 /* NT version */
529 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
530 offset += 4;
531
532 /* LMNT token */
533 offset = display_LMNT_token(tvb, offset, tree);
534 }
535
536 /* LM token */
537 offset = display_LM_token(tvb, offset, tree);
538
539 return offset;
540 }
541
542
543 static int
544 dissect_smb_sam_logon_req(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
545 {
546 /* Netlogon command 0x12 - decode the SAM logon request from client */
547
548 guint32 domain_sid_size;
549
550 /* Request count */
551 proto_tree_add_item(tree, hf_request_count, tvb, offset, 2, ENC_LITTLE_ENDIAN);
552 offset += 2;
553
554 /* computer name */
555 offset = display_unicode_string(tvb, tree, offset, hf_unicode_computer_name, NULL);
556
557 /* user name */
558 offset = display_unicode_string(tvb, tree, offset, hf_user_name, NULL);
559
560 /* mailslot name */
561 offset = display_ms_string(tvb, tree, offset, hf_mailslot_name, NULL);
562
563 /* account control */
564 offset = dissect_account_control(tvb, tree, offset);
565
566 /* Domain SID Size */
567 domain_sid_size = tvb_get_letohl(tvb, offset);
568 proto_tree_add_uint(tree, hf_domain_sid_size, tvb, offset, 4,
569 domain_sid_size);
570 offset += 4;
571
572 if (domain_sid_size != 0) {
573 /* Align to four-byte boundary */
574 offset = ((offset + 3)/4)*4;
575
576 /* Domain SID */
577 offset = dissect_nt_sid(tvb, offset, tree, "Domain", NULL, -1);
578 }
579
580 /* NT version */
581 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
582 offset += 4;
583
584 /* LMNT token */
585 offset = display_LMNT_token(tvb, offset, tree);
586
587 /* LM token */
588 offset = display_LM_token(tvb, offset, tree);
589
590 return offset;
591 }
592
593
594
595 static int
596 dissect_smb_no_user(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
597 {
598 /* 0x0B (Announce no user on machine) */
599
600 /* computer name */
601 offset = display_ms_string(tvb, tree, offset, hf_computer_name, NULL);
602
603 return offset;
604 }
605
606
607
608 static int
609 dissect_smb_relogon_resp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
610 {
611 /*** 0x0d LanMan Response to relogon request ***/
612
613 /* Major version */
614 proto_tree_add_item(tree, hf_major_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
615 offset += 1;
616
617 /* Minor version */
618 proto_tree_add_item(tree, hf_minor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
619 offset += 1;
620
621 /* OS version */
622 proto_tree_add_item(tree, hf_os_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
623 offset += 1;
624
625 /* NT version */
626 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
627 offset += 4;
628
629 /* LM token */
630 offset = display_LM_token(tvb, offset, tree);
631
632 return offset;
633 }
634
635
636
637 static int
638 dissect_smb_acc_update(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
639 {
640 /*** 0x11 LM2.1 Announce Acc updates ***/
641
642 guint32 Temp1, Temp2;
643
644 Temp1 = tvb_get_letohl(tvb, offset);
645 Temp2 = tvb_get_letohl(tvb, offset + 4);
646
647 /* signature */
648 proto_tree_add_text(tree, tvb, offset, 8, "Signature: 0x%08x%08x",
649 Temp1, Temp2);
650 offset += 8;
651
652 /* date/time */
653 /* XXX - what format is this? Neither SMB_Date/SMB_Time nor
654 "time_t but in the local time zone" appear to be correct. */
655 proto_tree_add_item(tree, hf_date_time, tvb, offset, 4, ENC_LITTLE_ENDIAN);
656 offset += 4;
657
658 /* computer name */
659 offset = display_ms_string(tvb, tree, offset, hf_computer_name, NULL);
660
661 /* user name */
662 offset = display_ms_string(tvb, tree, offset, hf_user_name, NULL);
663
664 /* update type */
665 proto_tree_add_item(tree, hf_update_type, tvb, offset, 2, ENC_LITTLE_ENDIAN);
666 offset += 2;
667
668 /* NT version */
669 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
670 offset += 4;
671
672 /* LM token */
673 offset = display_LM_token(tvb, offset, tree);
674
675 return offset;
676 }
677
678
679
680 static int
681 dissect_smb_inter_resp(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
682 {
683 /* 0x0e LanMan Response to interrogate request */
684
685 /* Major version */
686 proto_tree_add_item(tree, hf_major_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
687 offset += 1;
688
689 /* Minor version */
690 proto_tree_add_item(tree, hf_minor_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
691 offset += 1;
692
693 /* OS version */
694 proto_tree_add_item(tree, hf_os_version, tvb, offset, 1, ENC_LITTLE_ENDIAN);
695 offset += 1;
696
697 /* NT version */
698 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
699 offset += 4;
700
701 /* LMNT token */
702 offset = display_LMNT_token(tvb, offset, tree);
703
704 /* XXX - no LM token? Every other packet has one after the LMNT
705 token. */
706
707 return offset;
708 }
709
710
711 static int
712 dissect_smb_sam_logon_resp(tvbuff_t *tvb, packet_info *pinfo _U_,
713 proto_tree *tree, int offset)
714 {
715 /* Netlogon command 0x13 - decode the SAM logon response from server */
716 /* Netlogon command 0x15 - decode the SAM logon response from server unknown user */
717
718 /* server name */
719 offset = display_unicode_string(tvb, tree, offset, hf_server_name, NULL);
720
721 /* user name */
722 offset = display_unicode_string(tvb, tree, offset, hf_user_name, NULL);
723
724 /* domain name */
725 offset = display_unicode_string(tvb, tree, offset, hf_domain_name, NULL);
726
727 /* NT version */
728 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
729 offset += 4;
730
731 /* LMNT token */
732 offset = display_LMNT_token(tvb, offset, tree);
733
734 /* LM token */
735 offset = display_LM_token(tvb, offset, tree);
736
737 return offset;
738 }
739
740 static int
741 dissect_smb_pdc_response_ads(tvbuff_t *tvb, packet_info *pinfo _U_,
742 proto_tree *tree, int offset)
743 {
744 /* Netlogon command 0x17 - decode the response from PDC ADS */
745 /* Netlogon command 0x19 - decode the response from PDC ADS USER ?*/
746
747 /* Align to four-byte boundary */
748 offset = ((offset + 3)/4)*4;
749
750 /* unknown uint32 type */
751 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
752 offset += 4;
753
754 /* Domain GUID */
755 proto_tree_add_item(tree, hf_domain_guid, tvb, offset, 16, ENC_NA);
756 offset += 16;
757
758 /* forest dns name */
759 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_forest_dns_name, NULL);
760
761 /* domain dns name */
762 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_domain_dns_name, NULL);
763
764 /* server dns name */
765 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_server_dns_name, NULL);
766
767 /* domain name */
768 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_domain_name, NULL);
769
770 /* server name */
771 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_server_name, NULL);
772
773 /* user name */
774 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_user_name, NULL);
775
776 /* server_site name */
777 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_server_site_name, NULL);
778
779 /* client_site name */
780 offset=dissect_ms_compressed_string(tvb, tree, offset, hf_client_site_name, NULL);
781
782 /* unknown uint8 type */
783 proto_tree_add_item(tree, hf_unknown8, tvb, offset, 1, ENC_LITTLE_ENDIAN);
784 offset += 1;
785
786 /* unknown uint32 type */
787 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
788 offset += 4;
789
790 /* server ip */
791 proto_tree_add_item(tree, hf_server_ip, tvb, offset, 4, ENC_BIG_ENDIAN);
792 offset += 4;
793
794 /* unknown uint32 type */
795 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
796 offset += 4;
797
798 /* unknown uint32 type */
799 proto_tree_add_item(tree, hf_unknown32, tvb, offset, 4, ENC_LITTLE_ENDIAN);
800 offset += 4;
801
802 /* NT version */
803 proto_tree_add_item(tree, hf_nt_version, tvb, offset, 4, ENC_LITTLE_ENDIAN);
804 offset += 4;
805
806 /* LMNT token */
807 offset = display_LMNT_token(tvb, offset, tree);
808
809 /* LM token */
810 offset = display_LM_token(tvb, offset, tree);
811
812 return offset;
813 }
814
815 static int
816 dissect_smb_unknown(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *tree, int offset)
817 {
818 /* display data as unknown */
819
820 proto_tree_add_text(tree, tvb, offset, -1, "Data (%u bytes)",
821 tvb_reported_length_remaining(tvb, offset));
822
823 return offset+tvb_length_remaining(tvb, offset);
824 }
825
826 #define LOGON_LM10_LOGON_REQUEST 0x00
827 #define LOGON_LM10_LOGON_RESPONSE 0x01
828 #define LOGON_LM10_QUERY_CI 0x02
829 #define LOGON_LM10_QUERY_DI 0x03
830 #define LOGON_LM10_RESPONSE_CI 0x04
831 #define LOGON_LM10_RESPONSE_DI 0x05
832 #define LOGON_LM20_LOGON_RESPONSE 0x06
833 #define LOGON_PDC_QUERY 0x07
834 #define LOGON_PDC_STARTUP 0x08
835 #define LOGON_PDC_FAILED 0x09
836 #define LOGON_UAS_SAM 0x0a
837 #define LOGON_NO_USER 0x0b
838 #define LOGON_PDC_RESPONSE 0x0c
839 #define LOGON_RELOGON_RESPONSE 0x0d
840 #define LOGON_INTERROGATE_RESPONSE 0x0e
841 #define LOGON_LM20_RESPONSE_DURING_LOGON 0x0f
842 #define LOGON_LM20_USER_UNKNOWN 0x10
843 #define LOGON_LM20_ACCOUNT_UPDATE 0x11
844 #define LOGON_SAM_LOGON_REQUEST 0x12
845 #define LOGON_SAM_LOGON_RESPONSE 0x13
846 #define LOGON_SAM_RESPONSE_DURING_LOGON 0x14
847 #define LOGON_SAM_USER_UNKNOWN 0x15
848 #define LOGON_SAM_INTERROGATE_RESPONSE 0x16
849 #define LOGON_SAM_AD_USER_UNKNOWN 0x17
850 #define LOGON_SAM_UNKNOWN_18 0x18
851 #define LOGON_SAM_AD_LOGON_RESPONSE 0x19
852 #define LOGON_LAST_CMD 0x19
853
854 static const value_string commands[] = {
855 {LOGON_LM10_LOGON_REQUEST, "LM1.0/LM2.0 LOGON Request"},
856 {LOGON_LM10_LOGON_RESPONSE, "LM1.0 LOGON Response"},
857 {LOGON_LM10_QUERY_CI, "LM1.0 Query - Centralized Initialization"},
858 {LOGON_LM10_QUERY_DI, "LM1.0 Query - Distributed Initialization"},
859 {LOGON_LM10_RESPONSE_CI, "LM1.0 Response - Centralized Query"},
860 {LOGON_LM10_RESPONSE_DI, "LM1.0 Response - Distributed Initialization"},
861 {LOGON_LM20_LOGON_RESPONSE, "LM2.0 Response to LOGON Request"},
862 {LOGON_PDC_QUERY, "Query for PDC"},
863 {LOGON_PDC_STARTUP, "Announce Startup of PDC"},
864 {LOGON_PDC_FAILED, "Announce Failed PDC"},
865 {LOGON_UAS_SAM, "Announce Change to UAS or SAM"},
866 {LOGON_NO_USER, "Announce no user on machine"},
867 {LOGON_PDC_RESPONSE, "Response from PDC"},
868 {LOGON_RELOGON_RESPONSE, "LM1.0/LM2.0 Response to re-LOGON Request"},
869 {LOGON_INTERROGATE_RESPONSE, "LM1.0/LM2.0 Response to Interrogate Request"},
870 {LOGON_LM20_RESPONSE_DURING_LOGON,"LM2.0 Response during LOGON pause"},
871 {LOGON_LM20_USER_UNKNOWN, "LM2.0 Response - user unknown"},
872 {LOGON_LM20_ACCOUNT_UPDATE, "LM2.0 Announce account updates"},
873 {LOGON_SAM_LOGON_REQUEST, "SAM LOGON request from client"},
874 {LOGON_SAM_LOGON_RESPONSE, "Response to SAM LOGON request"},
875 {LOGON_SAM_RESPONSE_DURING_LOGON,"SAM Response during LOGON pause"},
876 {LOGON_SAM_USER_UNKNOWN, "SAM Response - user unknown"},
877 {LOGON_SAM_INTERROGATE_RESPONSE,"SAM Response to Interrogate Request"},
878 {LOGON_SAM_AD_USER_UNKNOWN, "SAM Active Directory Response - user unknown"},
879 {LOGON_SAM_UNKNOWN_18, "SAM unknown command 0x18"},
880 {LOGON_SAM_AD_LOGON_RESPONSE, "Active Directory Response to SAM LOGON request"},
881 {0, NULL}
882 };
883
884 static int (*dissect_smb_logon_cmds[])(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int offset) = {
885 dissect_smb_logon_request, /* 0x00 (LM1.0/LM2.0 LOGON Request) */
886 dissect_smb_logon_LM10_resp,/* 0x01 (LM1.0 LOGON Response) */
887 dissect_smb_logon_2, /* 0x02 (LM1.0 Query Centralized Init.)*/
888 dissect_smb_logon_2, /* 0x03 (LM1.0 Query Distributed Init.)*/
889 dissect_smb_logon_2, /* 0x04 (LM1.0 Centralized Query Resp.)*/
890 dissect_smb_logon_2, /* 0x05 (LM1.0 Distributed Query Resp.) */
891 dissect_smb_logon_LM20_resp,/* 0x06 (LM2.0 LOGON Response) */
892 dissect_smb_pdc_query, /* 0x07 (Query for PDC) */
893 dissect_smb_pdc_startup, /* 0x08 (Announce PDC startup) */
894 dissect_smb_pdc_failure, /* 0x09 (Announce Failed PDC) */
895 dissect_announce_change, /* 0x0A (Announce Change to UAS or SAM)*/
896 dissect_smb_no_user, /* 0x0B (Announce no user on machine)*/
897 dissect_smb_pdc_startup, /* 0x0C (Response from PDC) */
898 dissect_smb_relogon_resp, /* 0x0D (Relogon response) */
899 dissect_smb_inter_resp, /* 0x0E (Interrogate response) */
900 dissect_smb_pdc_failure, /* 0x0F (LM2.0 Resp. during LOGON pause*/
901 dissect_smb_pdc_failure, /* 0x10 (LM 2.0 Unknown user response)*/
902 dissect_smb_acc_update, /* 0x11 (LM2.1 Announce Acc updates)*/
903 dissect_smb_sam_logon_req, /* 0x12 (SAM LOGON request ) */
904 dissect_smb_sam_logon_resp, /* 0x13 (SAM LOGON response) */
905 dissect_smb_unknown, /* 0x14 (SAM Response during LOGON Pause) */
906 dissect_smb_sam_logon_resp, /* 0x15 (SAM Response User Unknown) */
907 dissect_smb_unknown, /* 0x16 (SAM Response to Interrogate)*/
908 dissect_smb_pdc_response_ads, /* 0x17 (SAM AD response User Unknown*/
909 dissect_smb_unknown, /* 0x18 (Unknown command) */
910 dissect_smb_pdc_response_ads /* 0x19 (SAM LOGON AD response) */
911 };
912
913
914 static void
915 dissect_smb_logon(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
916 {
917 int offset = 0;
918 guint8 cmd;
919 proto_tree *smb_logon_tree = NULL;
920 proto_item *item = NULL;
921
922 col_set_str(pinfo->cinfo, COL_PROTOCOL, "SMB_NETLOGON");
923 col_clear(pinfo->cinfo, COL_INFO);
924
925 /* get the Command field */
926 cmd = tvb_get_guint8(tvb, offset);
927
928 col_add_str(pinfo->cinfo, COL_INFO, val_to_str(cmd, commands, "Unknown Command:%02x") );
929
930 if (tree) {
931 item = proto_tree_add_item(tree, proto_smb_logon, tvb,
932 offset, -1, ENC_NA);
933
934 smb_logon_tree = proto_item_add_subtree(item, ett_smb_logon);
935 }
936
937 /* command */
938 proto_tree_add_uint(smb_logon_tree, hf_command, tvb, offset, 1, cmd);
939 offset += 1;
940
941 /* skip next byte */
942 offset += 1;
943
944 if (cmd<LOGON_LAST_CMD) {
945 (dissect_smb_logon_cmds[cmd])(tvb, pinfo,
946 smb_logon_tree, offset);
947 } else {
948 /* unknown command */
949 dissect_smb_unknown(tvb, pinfo, smb_logon_tree,
950 offset);
951 }
952 }
953
954 void
955 proto_register_smb_logon( void)
956 {
957 static hf_register_info hf[] = {
958 { &hf_command,
959 { "Command", "smb_netlogon.command", FT_UINT8, BASE_HEX,
960 VALS(commands), 0, "SMB NETLOGON Command", HFILL }},
961
962 { &hf_computer_name,
963 { "Computer Name", "smb_netlogon.computer_name", FT_STRING, BASE_NONE,
964 NULL, 0, "SMB NETLOGON Computer Name", HFILL }},
965
966 { &hf_unicode_computer_name,
967 { "Unicode Computer Name", "smb_netlogon.unicode_computer_name", FT_STRING, BASE_NONE,
968 NULL, 0, "SMB NETLOGON Unicode Computer Name", HFILL }},
969
970 { &hf_server_name,
971 { "Server Name", "smb_netlogon.server_name", FT_STRING, BASE_NONE,
972 NULL, 0, "SMB NETLOGON Server Name", HFILL }},
973
974 { &hf_server_dns_name,
975 { "Server DNS Name", "smb_netlogon.server_dns_name", FT_STRING, BASE_NONE,
976 NULL, 0, "SMB NETLOGON Server DNS Name", HFILL }},
977
978 { &hf_user_name,
979 { "User Name", "smb_netlogon.user_name", FT_STRING, BASE_NONE,
980 NULL, 0, "SMB NETLOGON User Name", HFILL }},
981
982 { &hf_domain_name,
983 { "Domain Name", "smb_netlogon.domain_name", FT_STRING, BASE_NONE,
984 NULL, 0, "SMB NETLOGON Domain Name", HFILL }},
985
986 { &hf_domain_dns_name,
987 { "Domain DNS Name", "smb_netlogon.domain_dns_name", FT_STRING, BASE_NONE,
988 NULL, 0, "SMB NETLOGON Domain DNS Name", HFILL }},
989
990 { &hf_forest_dns_name,
991 { "Forest DNS Name", "smb_netlogon.forest_dns_name", FT_STRING, BASE_NONE,
992 NULL, 0, "SMB NETLOGON Forest DNS Name", HFILL }},
993
994 { &hf_mailslot_name,
995 { "Mailslot Name", "smb_netlogon.mailslot_name", FT_STRING, BASE_NONE,
996 NULL, 0, "SMB NETLOGON Mailslot Name", HFILL }},
997
998 { &hf_pdc_name,
999 { "PDC Name", "smb_netlogon.pdc_name", FT_STRING, BASE_NONE,
1000 NULL, 0, "SMB NETLOGON PDC Name", HFILL }},
1001
1002 { &hf_unicode_pdc_name,
1003 { "Unicode PDC Name", "smb_netlogon.unicode_pdc_name", FT_STRING, BASE_NONE,
1004 NULL, 0, "SMB NETLOGON Unicode PDC Name", HFILL }},
1005
1006 { &hf_script_name,
1007 { "Script Name", "smb_netlogon.script_name", FT_STRING, BASE_NONE,
1008 NULL, 0, "SMB NETLOGON Script Name", HFILL }},
1009
1010 { &hf_nt_version,
1011 { "NT Version", "smb_netlogon.nt_version", FT_UINT32, BASE_DEC,
1012 NULL, 0, "SMB NETLOGON NT Version", HFILL }},
1013
1014 /* An LMNT Token, if 0xffff, is "WindowsNT Networking";
1015 what is it otherwise? */
1016 { &hf_lmnt_token,
1017 { "LMNT Token", "smb_netlogon.lmnt_token", FT_UINT16, BASE_HEX,
1018 NULL, 0, "SMB NETLOGON LMNT Token", HFILL }},
1019
1020 { &hf_lm_token,
1021 { "LM Token", "smb_netlogon.lm_token", FT_UINT16, BASE_HEX,
1022 NULL, 0, "SMB NETLOGON LM Token", HFILL }},
1023
1024 { &hf_major_version,
1025 { "Workstation Major Version", "smb_netlogon.major_version", FT_UINT8, BASE_DEC,
1026 NULL, 0, "SMB NETLOGON Workstation Major Version", HFILL }},
1027
1028 { &hf_minor_version,
1029 { "Workstation Minor Version", "smb_netlogon.minor_version", FT_UINT8, BASE_DEC,
1030 NULL, 0, "SMB NETLOGON Workstation Minor Version", HFILL }},
1031
1032 { &hf_os_version,
1033 { "Workstation OS Version", "smb_netlogon.os_version", FT_UINT8, BASE_DEC,
1034 NULL, 0, "SMB NETLOGON Workstation OS Version", HFILL }},
1035
1036 { &hf_date_time,
1037 { "Date/Time", "smb_netlogon.date_time", FT_UINT32, BASE_DEC,
1038 NULL, 0, "SMB NETLOGON Date/Time", HFILL }},
1039
1040 { &hf_update_type,
1041 { "Update Type", "smb_netlogon.update", FT_UINT16, BASE_DEC,
1042 NULL, 0, "SMB NETLOGON Update Type", HFILL }},
1043
1044 { &hf_request_count,
1045 { "Request Count", "smb_netlogon.request_count", FT_UINT16, BASE_DEC,
1046 NULL, 0, "SMB NETLOGON Request Count", HFILL }},
1047
1048 { &hf_flags_autolock,
1049 { "Autolock", "smb_netlogon.flags.autolock", FT_BOOLEAN, 32,
1050 TFS(&tfs_flags_autolock), ACC_FLAG_AUTO_LOCKED, "SMB NETLOGON Account Autolock", HFILL}},
1051
1052 { &hf_flags_expire,
1053 { "Expire", "smb_netlogon.flags.expire", FT_BOOLEAN, 32,
1054 TFS(&tfs_flags_expire), ACC_FLAG_EXPIRE, "SMB NETLOGON Will Account Expire", HFILL}},
1055
1056 { &hf_flags_server_trust,
1057 { "Server Trust", "smb_netlogon.flags.server", FT_BOOLEAN, 32,
1058 TFS(&tfs_flags_server_trust), ACC_FLAG_SERVER_TRUST, "SMB NETLOGON Server Trust Account", HFILL}},
1059
1060 { &hf_flags_workstation_trust,
1061 { "Workstation Trust", "smb_netlogon.flags.workstation", FT_BOOLEAN, 32,
1062 TFS(&tfs_flags_workstation_trust), ACC_FLAG_WORKSTATION_TRUST, "SMB NETLOGON Workstation Trust Account", HFILL}},
1063
1064 { &hf_flags_interdomain_trust,
1065 { "Interdomain Trust", "smb_netlogon.flags.interdomain", FT_BOOLEAN, 32,
1066 TFS(&tfs_flags_interdomain_trust), ACC_FLAG_INTERDOMAIN_TRUST, "SMB NETLOGON Inter-domain Trust Account", HFILL}},
1067
1068 { &hf_flags_mns_user,
1069 { "MNS User", "smb_netlogon.flags.mns", FT_BOOLEAN, 32,
1070 TFS(&tfs_flags_mns_user), ACC_FLAG_MNS_USER, "SMB NETLOGON MNS User Account", HFILL}},
1071
1072 { &hf_flags_normal_user,
1073 { "Normal User", "smb_netlogon.flags.normal", FT_BOOLEAN, 32,
1074 TFS(&tfs_flags_normal_user), ACC_FLAG_NORMAL_USER, "SMB NETLOGON Normal User Account", HFILL}},
1075
1076 { &hf_flags_temp_dup_user,
1077 { "Temp Duplicate User", "smb_netlogon.flags.temp_dup", FT_BOOLEAN, 32,
1078 TFS(&tfs_flags_temp_dup_user), ACC_FLAG_TEMP_DUP_USER, "SMB NETLOGON Temp Duplicate User Account", HFILL}},
1079
1080 { &hf_flags_password_required,
1081 { "Password", "smb_netlogon.flags.password", FT_BOOLEAN, 32,
1082 TFS(&tfs_flags_password_required), ACC_FLAG_PASSWORD_REQUIRED, "SMB NETLOGON Password Required", HFILL}},
1083
1084 { &hf_flags_homedir_required,
1085 { "Homedir", "smb_netlogon.flags.homedir", FT_BOOLEAN, 32,
1086 TFS(&tfs_flags_homedir_required), ACC_FLAG_HOMEDIR_REQUIRED, "SMB NETLOGON Homedir Required", HFILL}},
1087
1088 { &hf_flags_enabled,
1089 { "Enabled", "smb_netlogon.flags.enabled", FT_BOOLEAN, 32,
1090 TFS(&tfs_flags_enabled), ACC_FLAG_ENABLED, "SMB NETLOGON Is This Account Enabled", HFILL}},
1091
1092 { &hf_domain_sid_size,
1093 { "Domain SID Size", "smb_netlogon.domain_sid_size", FT_UINT32, BASE_DEC,
1094 NULL, 0, "SMB NETLOGON Domain SID Size", HFILL }},
1095
1096 { &hf_low_serial,
1097 { "Low Serial Number", "smb_netlogon.low_serial", FT_UINT32, BASE_DEC,
1098 NULL, 0, "SMB NETLOGON Low Serial Number", HFILL }},
1099
1100 { &hf_pulse,
1101 { "Pulse", "smb_netlogon.pulse", FT_UINT32, BASE_DEC,
1102 NULL, 0, "SMB NETLOGON Pulse", HFILL }},
1103
1104 { &hf_random,
1105 { "Random", "smb_netlogon.random", FT_UINT32, BASE_DEC,
1106 NULL, 0, "SMB NETLOGON Random", HFILL }},
1107
1108 { &hf_db_count,
1109 { "DB Count", "smb_netlogon.db_count", FT_UINT32, BASE_DEC,
1110 NULL, 0, "SMB NETLOGON DB Count", HFILL }},
1111
1112 { &hf_db_index,
1113 { "Database Index", "smb_netlogon.db_index", FT_UINT32, BASE_DEC,
1114 NULL, 0, "SMB NETLOGON Database Index", HFILL }},
1115
1116 { &hf_large_serial,
1117 { "Large Serial Number", "smb_netlogon.large_serial", FT_UINT64, BASE_DEC,
1118 NULL, 0, "SMB NETLOGON Large Serial Number", HFILL }},
1119
1120 { &hf_nt_date_time,
1121 { "NT Date/Time", "smb_netlogon.nt_date_time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL,
1122 NULL, 0, "SMB NETLOGON NT Date/Time", HFILL }},
1123
1124 { &hf_unknown8,
1125 { "Unknown", "smb_netlogon.unknown", FT_UINT8, BASE_HEX,
1126 NULL, 0, NULL, HFILL }},
1127
1128 { &hf_unknown32,
1129 { "Unknown", "smb_netlogon.unknown", FT_UINT32, BASE_HEX,
1130 NULL, 0, NULL, HFILL }},
1131
1132 { &hf_domain_guid,
1133 { "Domain GUID", "smb_netlogon.domain.guid", FT_BYTES, BASE_NONE,
1134 NULL, 0x0, NULL, HFILL }},
1135
1136 { &hf_server_ip, {
1137 "Server IP", "smb_netlogon.server_ip", FT_IPv4, BASE_NONE,
1138 NULL, 0x0, "Server IP Address", HFILL }},
1139
1140 { &hf_server_site_name,
1141 { "Server Site Name", "smb_netlogon.server_site_name", FT_STRING, BASE_NONE,
1142 NULL, 0, "SMB NETLOGON Server Site Name", HFILL }},
1143
1144 { &hf_client_site_name,
1145 { "Client Site Name", "smb_netlogon.client_site_name", FT_STRING, BASE_NONE,
1146 NULL, 0, "SMB NETLOGON Client Site Name", HFILL }},
1147 };
1148
1149 static gint *ett[] = {
1150 &ett_smb_logon,
1151 &ett_smb_account_flags,
1152 &ett_smb_db_info
1153 };
1154
1155 proto_smb_logon = proto_register_protocol(
1156 "Microsoft Windows Logon Protocol (Old)", "SMB_NETLOGON", "smb_netlogon");
1157
1158 proto_register_field_array(proto_smb_logon, hf, array_length(hf));
1159 proto_register_subtree_array(ett, array_length(ett));
1160
1161 register_dissector("smb_netlogon", dissect_smb_logon, proto_smb_logon);
1162 }