forked from osmocom/wireshark
74e19c696e
you need this patch ontop of svn pidl to regenerate the files :
Index: lib/Parse/Pidl/Wireshark/NDR.pm
===================================================================
--- lib/Parse/Pidl/Wireshark/NDR.pm (revision 22005)
+++ lib/Parse/Pidl/Wireshark/NDR.pm (working copy)
@@ -916,6 +916,14 @@
$res{headers} .= "#ifdef HAVE_CONFIG_H\n";
$res{headers} .= "#include \"config.h\"\n";
$res{headers} .= "#endif\n\n";
+
+ $res{headers} .= "#ifdef _MSC_VER\n";
+ $res{headers} .= "#pragma warning(disable:4005)\n";
+ $res{headers} .= "#pragma warning(disable:4013)\n";
+ $res{headers} .= "#pragma warning(disable:4018)\n";
+ $res{headers} .= "#pragma warning(disable:4101)\n";
+ $res{headers} .= "#endif\n\n";
+
$res{headers} .= "#include <glib.h>\n";
$res{headers} .= "#include <string.h>\n";
$res{headers} .= "#include <epan/packet.h>\n\n";
svn path=/trunk/; revision=21262
2369 lines
108 KiB
C
2369 lines
108 KiB
C
/* DO NOT EDIT
|
|
This filter was automatically generated
|
|
from eventlog.idl and eventlog.cnf.
|
|
|
|
Pidl is a perl based IDL compiler for DCE/RPC idl files.
|
|
It is maintained by the Samba team, not the Wireshark team.
|
|
Instructions on how to download and install Pidl can be
|
|
found at http://wiki.wireshark.org/Pidl
|
|
*/
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#ifdef _MSC_VER
|
|
#pragma warning(disable:4005)
|
|
#pragma warning(disable:4013)
|
|
#pragma warning(disable:4018)
|
|
#pragma warning(disable:4101)
|
|
#endif
|
|
|
|
#include <glib.h>
|
|
#include <string.h>
|
|
#include <epan/packet.h>
|
|
|
|
#include "packet-dcerpc.h"
|
|
#include "packet-dcerpc-nt.h"
|
|
#include "packet-windows-common.h"
|
|
#include "packet-dcerpc-eventlog.h"
|
|
|
|
/* Ett declarations */
|
|
static gint ett_dcerpc_eventlog = -1;
|
|
static gint ett_eventlog_eventlogReadFlags = -1;
|
|
static gint ett_eventlog_eventlogEventTypes = -1;
|
|
static gint ett_eventlog_eventlog_OpenUnknown0 = -1;
|
|
static gint ett_eventlog_eventlog_Record = -1;
|
|
static gint ett_eventlog_eventlog_ChangeUnknown0 = -1;
|
|
|
|
|
|
/* Header field declarations */
|
|
static gint hf_eventlog_eventlog_ReadEventLogW_offset = -1;
|
|
static gint hf_eventlog_eventlog_ChangeNotify_unknown2 = -1;
|
|
static gint hf_eventlog_eventlog_ChangeNotify_unknown3 = -1;
|
|
static gint hf_eventlog_eventlog_Record_data_offset = -1;
|
|
static gint hf_eventlog_eventlog_Record_sid_length = -1;
|
|
static gint hf_eventlog_eventlog_RegisterEventSourceW_handle = -1;
|
|
static gint hf_eventlog_eventlog_BackupEventLogW_backupfilename = -1;
|
|
static gint hf_eventlog_eventlog_ChangeUnknown0_unknown0 = -1;
|
|
static gint hf_eventlog_eventlog_Record_computer_name = -1;
|
|
static gint hf_eventlog_eventlogEventTypes_EVENTLOG_SUCCESS = -1;
|
|
static gint hf_eventlog_eventlog_ChangeUnknown0_unknown1 = -1;
|
|
static gint hf_eventlog_eventlog_Record_strings = -1;
|
|
static gint hf_eventlog_eventlog_GetLogIntormation_cbBytesNeeded = -1;
|
|
static gint hf_eventlog_eventlog_GetNumRecords_handle = -1;
|
|
static gint hf_eventlog_status = -1;
|
|
static gint hf_eventlog_eventlog_Record_sid_offset = -1;
|
|
static gint hf_eventlog_eventlog_OpenBackupEventLogW_logname = -1;
|
|
static gint hf_eventlog_eventlog_Record_source_name = -1;
|
|
static gint hf_eventlog_eventlog_ReadEventLogW_handle = -1;
|
|
static gint hf_eventlog_eventlog_ClearEventLogW_backupfilename = -1;
|
|
static gint hf_eventlog_Record_string = -1;
|
|
static gint hf_eventlog_eventlog_OpenEventLogW_servername = -1;
|
|
static gint hf_eventlog_eventlog_Record_event_type = -1;
|
|
static gint hf_eventlog_eventlog_ReadEventLogW_real_size = -1;
|
|
static gint hf_eventlog_eventlog_CloseEventLog_handle = -1;
|
|
static gint hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_SUCCESS = -1;
|
|
static gint hf_eventlog_eventlog_RegisterEventSourceW_logname = -1;
|
|
static gint hf_eventlog_eventlog_Record_num_of_strings = -1;
|
|
static gint hf_eventlog_eventlog_Record_time_written = -1;
|
|
static gint hf_eventlog_eventlog_ReadEventLogW_flags = -1;
|
|
static gint hf_eventlog_eventlog_Record_size = -1;
|
|
static gint hf_eventlog_eventlog_Record_record_number = -1;
|
|
static gint hf_eventlog_eventlog_GetLogIntormation_cbBufSize = -1;
|
|
static gint hf_eventlog_eventlog_GetLogIntormation_handle = -1;
|
|
static gint hf_eventlog_eventlog_ReadEventLogW_number_of_bytes = -1;
|
|
static gint hf_eventlog_eventlog_RegisterEventSourceW_servername = -1;
|
|
static gint hf_eventlog_eventlog_Record_reserved = -1;
|
|
static gint hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_FAILURE = -1;
|
|
static gint hf_eventlog_eventlog_Record_raw_data = -1;
|
|
static gint hf_eventlog_eventlog_ChangeNotify_handle = -1;
|
|
static gint hf_eventlog_eventlogEventTypes_EVENTLOG_WARNING_TYPE = -1;
|
|
static gint hf_eventlog_eventlog_OpenUnknown0_unknown0 = -1;
|
|
static gint hf_eventlog_eventlog_OpenUnknown0_unknown1 = -1;
|
|
static gint hf_eventlog_Record_length = -1;
|
|
static gint hf_eventlog_eventlogReadFlags_EVENTLOG_SEEK_READ = -1;
|
|
static gint hf_eventlog_eventlogReadFlags_EVENTLOG_BACKWARDS_READ = -1;
|
|
static gint hf_eventlog_eventlog_ReadEventLogW_data = -1;
|
|
static gint hf_eventlog_eventlog_Record_event_category = -1;
|
|
static gint hf_eventlog_eventlog_DeregisterEventSource_handle = -1;
|
|
static gint hf_eventlog_eventlogEventTypes_EVENTLOG_ERROR_TYPE = -1;
|
|
static gint hf_eventlog_Record_source_name = -1;
|
|
static gint hf_eventlog_eventlog_ReadEventLogW_sent_size = -1;
|
|
static gint hf_eventlog_eventlogEventTypes_EVENTLOG_INFORMATION_TYPE = -1;
|
|
static gint hf_eventlog_opnum = -1;
|
|
static gint hf_eventlog_eventlog_Record_time_generated = -1;
|
|
static gint hf_eventlog_eventlog_Record_stringoffset = -1;
|
|
static gint hf_eventlog_Record_computer_name = -1;
|
|
static gint hf_eventlog_eventlog_OpenBackupEventLogW_unknown0 = -1;
|
|
static gint hf_eventlog_eventlogReadFlags_EVENTLOG_FORWARDS_READ = -1;
|
|
static gint hf_eventlog_eventlog_OpenBackupEventLogW_unknown2 = -1;
|
|
static gint hf_eventlog_eventlog_OpenBackupEventLogW_unknown3 = -1;
|
|
static gint hf_eventlog_eventlog_Record_event_id = -1;
|
|
static gint hf_eventlog_eventlog_GetNumRecords_number = -1;
|
|
static gint hf_eventlog_eventlog_OpenEventLogW_unknown0 = -1;
|
|
static gint hf_eventlog_eventlog_GetLogIntormation_dwInfoLevel = -1;
|
|
static gint hf_eventlog_eventlog_OpenEventLogW_unknown2 = -1;
|
|
static gint hf_eventlog_eventlog_OpenEventLogW_unknown3 = -1;
|
|
static gint hf_eventlog_eventlog_Record_reserved_flags = -1;
|
|
static gint hf_eventlog_eventlog_OpenEventLogW_logname = -1;
|
|
static gint hf_eventlog_eventlog_GetLogIntormation_lpBuffer = -1;
|
|
static gint hf_eventlog_eventlogReadFlags_EVENTLOG_SEQUENTIAL_READ = -1;
|
|
static gint hf_eventlog_eventlog_FlushEventLog_handle = -1;
|
|
static gint hf_eventlog_eventlog_GetOldestRecord_oldest = -1;
|
|
static gint hf_eventlog_eventlog_RegisterEventSourceW_unknown0 = -1;
|
|
static gint hf_eventlog_eventlog_BackupEventLogW_handle = -1;
|
|
static gint hf_eventlog_eventlog_OpenEventLogW_handle = -1;
|
|
static gint hf_eventlog_eventlog_RegisterEventSourceW_unknown2 = -1;
|
|
static gint hf_eventlog_eventlog_Record_data_length = -1;
|
|
static gint hf_eventlog_eventlog_GetOldestRecord_handle = -1;
|
|
static gint hf_eventlog_eventlog_RegisterEventSourceW_unknown3 = -1;
|
|
static gint hf_eventlog_eventlog_ClearEventLogW_handle = -1;
|
|
static gint hf_eventlog_Record = -1;
|
|
static gint hf_eventlog_eventlog_Record_closing_record_number = -1;
|
|
static gint hf_eventlog_eventlog_OpenBackupEventLogW_handle = -1;
|
|
|
|
static gint proto_dcerpc_eventlog = -1;
|
|
/* Version information */
|
|
|
|
|
|
static e_uuid_t uuid_dcerpc_eventlog = {
|
|
0x82273fdc, 0xe32a, 0x18c3,
|
|
{ 0x3f, 0x78, 0x82, 0x79, 0x29, 0xdc, 0x23, 0xea }
|
|
};
|
|
static guint16 ver_dcerpc_eventlog = 0;
|
|
|
|
static const true_false_string eventlogReadFlags_EVENTLOG_SEQUENTIAL_READ_tfs = {
|
|
"EVENTLOG_SEQUENTIAL_READ is SET",
|
|
"EVENTLOG_SEQUENTIAL_READ is NOT SET",
|
|
};
|
|
static const true_false_string eventlogReadFlags_EVENTLOG_SEEK_READ_tfs = {
|
|
"EVENTLOG_SEEK_READ is SET",
|
|
"EVENTLOG_SEEK_READ is NOT SET",
|
|
};
|
|
static const true_false_string eventlogReadFlags_EVENTLOG_FORWARDS_READ_tfs = {
|
|
"EVENTLOG_FORWARDS_READ is SET",
|
|
"EVENTLOG_FORWARDS_READ is NOT SET",
|
|
};
|
|
static const true_false_string eventlogReadFlags_EVENTLOG_BACKWARDS_READ_tfs = {
|
|
"EVENTLOG_BACKWARDS_READ is SET",
|
|
"EVENTLOG_BACKWARDS_READ is NOT SET",
|
|
};
|
|
static const true_false_string eventlogEventTypes_EVENTLOG_SUCCESS_tfs = {
|
|
"EVENTLOG_SUCCESS is SET",
|
|
"EVENTLOG_SUCCESS is NOT SET",
|
|
};
|
|
static const true_false_string eventlogEventTypes_EVENTLOG_ERROR_TYPE_tfs = {
|
|
"EVENTLOG_ERROR_TYPE is SET",
|
|
"EVENTLOG_ERROR_TYPE is NOT SET",
|
|
};
|
|
static const true_false_string eventlogEventTypes_EVENTLOG_WARNING_TYPE_tfs = {
|
|
"EVENTLOG_WARNING_TYPE is SET",
|
|
"EVENTLOG_WARNING_TYPE is NOT SET",
|
|
};
|
|
static const true_false_string eventlogEventTypes_EVENTLOG_INFORMATION_TYPE_tfs = {
|
|
"EVENTLOG_INFORMATION_TYPE is SET",
|
|
"EVENTLOG_INFORMATION_TYPE is NOT SET",
|
|
};
|
|
static const true_false_string eventlogEventTypes_EVENTLOG_AUDIT_SUCCESS_tfs = {
|
|
"EVENTLOG_AUDIT_SUCCESS is SET",
|
|
"EVENTLOG_AUDIT_SUCCESS is NOT SET",
|
|
};
|
|
static const true_false_string eventlogEventTypes_EVENTLOG_AUDIT_FAILURE_tfs = {
|
|
"EVENTLOG_AUDIT_FAILURE is SET",
|
|
"EVENTLOG_AUDIT_FAILURE is NOT SET",
|
|
};
|
|
static int eventlog_dissect_element_OpenUnknown0_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenUnknown0_unknown1(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_size(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_reserved(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_record_number(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_time_generated(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_time_written(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_event_id(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_event_type(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_num_of_strings(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_event_category(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_reserved_flags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_closing_record_number(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_stringoffset(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_sid_length(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_sid_offset(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_data_length(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_data_offset(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_source_name(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_computer_name(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_strings(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_strings_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_Record_raw_data(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ChangeUnknown0_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ChangeUnknown0_unknown1(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ClearEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ClearEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ClearEventLogW_backupfilename(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ClearEventLogW_backupfilename_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_BackupEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_BackupEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_BackupEventLogW_backupfilename(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_BackupEventLogW_backupfilename_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_CloseEventLog_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_CloseEventLog_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_DeregisterEventSource_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_DeregisterEventSource_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetNumRecords_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetNumRecords_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetNumRecords_number(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetNumRecords_number_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetOldestRecord_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetOldestRecord_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetOldestRecord_oldest(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetOldestRecord_oldest_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ChangeNotify_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ChangeNotify_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ChangeNotify_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ChangeNotify_unknown2_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ChangeNotify_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_unknown0_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_logname(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_servername(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_unknown0_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_logname(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_servername(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_RegisterEventSourceW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenBackupEventLogW_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenBackupEventLogW_unknown0_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenBackupEventLogW_logname(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenBackupEventLogW_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenBackupEventLogW_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenBackupEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_OpenBackupEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_flags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_offset(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_number_of_bytes(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_data(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_data_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_data__(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_sent_size(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_sent_size_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_real_size(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_ReadEventLogW_real_size_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_dwInfoLevel(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_lpBuffer(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_lpBuffer_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_cbBufSize(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_cbBytesNeeded(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_GetLogIntormation_cbBytesNeeded_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_FlushEventLog_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
static int eventlog_dissect_element_FlushEventLog_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_);
|
|
/* Add this one manually until we can compile LSA */
|
|
static int
|
|
eventlog_dissect_struct_lsa_String(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep, int hf_index,int notused _U_)
|
|
{
|
|
dcerpc_info *di;
|
|
di=pinfo->private_data;
|
|
if(di->conformant_run){
|
|
/*just a run to handle conformant arrays, nothing to dissect */
|
|
return offset;
|
|
}
|
|
offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
|
|
hf_index, 0);
|
|
return offset;
|
|
}
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_data_(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
|
|
{
|
|
guint32 len;
|
|
dcerpc_info *di;
|
|
tvbuff_t *record_tvb;
|
|
di=pinfo->private_data;
|
|
if(di->conformant_run){
|
|
/*just a run to handle conformant arrays, nothing to dissect */
|
|
return offset;
|
|
}
|
|
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
|
|
hf_eventlog_Record_length, &len);
|
|
/* Create a new tvb so that we know that offset==0 is the beginning
|
|
* of the record. We need to know this since the data is not really
|
|
* NDR encoded at all and there are byte offsets into this buffer
|
|
* encoded therein.
|
|
*/
|
|
record_tvb=tvb_new_subset(tvb, offset, MIN((gint)len, tvb_length_remaining(tvb, offset)), len);
|
|
eventlog_dissect_struct_Record(record_tvb, 0, pinfo, tree, drep, hf_eventlog_Record, 0);
|
|
offset+=len;
|
|
return offset;
|
|
}
|
|
/* sid_length and sid_offset handled by manual code since this is not NDR
|
|
and we want to dissect the sid from the data blob */
|
|
static guint32 sid_length;
|
|
static int
|
|
eventlog_dissect_element_Record_sid_length(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
|
|
{
|
|
sid_length=0;
|
|
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_sid_length,&sid_length);
|
|
return offset;
|
|
}
|
|
static int
|
|
eventlog_dissect_element_Record_sid_offset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
|
|
{
|
|
guint32 sid_offset=0;
|
|
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_sid_offset,&sid_offset);
|
|
if(sid_offset && sid_length){
|
|
tvbuff_t *sid_tvb;
|
|
/* this blob contains an NT SID.
|
|
* tvb starts at the beginning of the record.
|
|
*/
|
|
sid_tvb=tvb_new_subset(tvb, sid_offset, MIN((gint)sid_length, tvb_length_remaining(tvb, offset)), sid_length);
|
|
dissect_nt_sid(sid_tvb, 0, tree, "SID", NULL, -1);
|
|
}
|
|
return offset;
|
|
}
|
|
static int
|
|
eventlog_get_unicode_string_length(tvbuff_t *tvb, int offset)
|
|
{
|
|
int len;
|
|
len=0;
|
|
while(1){
|
|
if(!tvb_get_ntohs(tvb, offset+len*2)){
|
|
len++;
|
|
break;
|
|
}
|
|
len++;
|
|
}
|
|
return len;
|
|
}
|
|
static int
|
|
eventlog_dissect_element_Record_source_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep _U_)
|
|
{
|
|
char *str;
|
|
int len;
|
|
len=eventlog_get_unicode_string_length(tvb, offset);
|
|
str=tvb_get_ephemeral_faked_unicode(tvb, offset, len, TRUE);
|
|
proto_tree_add_string_format(tree, hf_eventlog_Record_source_name, tvb, offset, len*2, str, "source_name: %s", str);
|
|
offset+=len*2;
|
|
return offset;
|
|
}
|
|
static int
|
|
eventlog_dissect_element_Record_computer_name(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep _U_)
|
|
{
|
|
char *str;
|
|
int len;
|
|
len=eventlog_get_unicode_string_length(tvb, offset);
|
|
str=tvb_get_ephemeral_faked_unicode(tvb, offset, len, TRUE);
|
|
proto_tree_add_string_format(tree, hf_eventlog_Record_computer_name, tvb, offset, len*2, str, "computer_name: %s", str);
|
|
offset+=len*2;
|
|
return offset;
|
|
}
|
|
static guint16 num_of_strings;
|
|
static int
|
|
eventlog_dissect_element_Record_num_of_strings(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
|
|
{
|
|
num_of_strings=0;
|
|
offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_num_of_strings,&num_of_strings);
|
|
return offset;
|
|
}
|
|
static guint32 string_offset;
|
|
static int
|
|
eventlog_dissect_element_Record_stringoffset(tvbuff_t *tvb, int offset, packet_info *pinfo, proto_tree *tree, guint8 *drep)
|
|
{
|
|
string_offset=0;
|
|
offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_stringoffset,&string_offset);
|
|
return offset;
|
|
}
|
|
static int
|
|
eventlog_dissect_element_Record_strings(tvbuff_t *tvb, int offset, packet_info *pinfo _U_, proto_tree *tree, guint8 *drep _U_)
|
|
{
|
|
while(string_offset && num_of_strings){
|
|
char *str;
|
|
int len;
|
|
len=eventlog_get_unicode_string_length(tvb, string_offset);
|
|
str=tvb_get_ephemeral_faked_unicode(tvb, string_offset, len, TRUE);
|
|
proto_tree_add_string_format(tree, hf_eventlog_Record_string, tvb, string_offset, len*2, str, "string: %s", str);
|
|
string_offset+=len*2;
|
|
|
|
num_of_strings--;
|
|
}
|
|
return offset;
|
|
}
|
|
|
|
|
|
/* IDL: bitmap { */
|
|
/* IDL: EVENTLOG_SEQUENTIAL_READ = 0x0001 , */
|
|
/* IDL: EVENTLOG_SEEK_READ = 0x0002 , */
|
|
/* IDL: EVENTLOG_FORWARDS_READ = 0x0004 , */
|
|
/* IDL: EVENTLOG_BACKWARDS_READ = 0x0008 , */
|
|
/* IDL: } */
|
|
|
|
int
|
|
eventlog_dissect_bitmap_eventlogReadFlags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
|
|
{
|
|
proto_item *item = NULL;
|
|
proto_tree *tree = NULL;
|
|
|
|
guint32 flags;
|
|
ALIGN_TO_4_BYTES;
|
|
|
|
if (parent_tree) {
|
|
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, 4, TRUE);
|
|
tree = proto_item_add_subtree(item,ett_eventlog_eventlogReadFlags);
|
|
}
|
|
|
|
offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep, -1, &flags);
|
|
proto_item_append_text(item, ": ");
|
|
|
|
if (!flags)
|
|
proto_item_append_text(item, "(No values set)");
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogReadFlags_EVENTLOG_SEQUENTIAL_READ, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0001 )){
|
|
proto_item_append_text(item, "EVENTLOG_SEQUENTIAL_READ");
|
|
if (flags & (~( 0x0001 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0001 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogReadFlags_EVENTLOG_SEEK_READ, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0002 )){
|
|
proto_item_append_text(item, "EVENTLOG_SEEK_READ");
|
|
if (flags & (~( 0x0002 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0002 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogReadFlags_EVENTLOG_FORWARDS_READ, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0004 )){
|
|
proto_item_append_text(item, "EVENTLOG_FORWARDS_READ");
|
|
if (flags & (~( 0x0004 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0004 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogReadFlags_EVENTLOG_BACKWARDS_READ, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0008 )){
|
|
proto_item_append_text(item, "EVENTLOG_BACKWARDS_READ");
|
|
if (flags & (~( 0x0008 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0008 ));
|
|
|
|
if (flags) {
|
|
proto_item_append_text(item, "Unknown bitmap value 0x%x", flags);
|
|
}
|
|
|
|
return offset;
|
|
}
|
|
|
|
|
|
/* IDL: bitmap { */
|
|
/* IDL: EVENTLOG_SUCCESS = 0x0000 , */
|
|
/* IDL: EVENTLOG_ERROR_TYPE = 0x0001 , */
|
|
/* IDL: EVENTLOG_WARNING_TYPE = 0x0002 , */
|
|
/* IDL: EVENTLOG_INFORMATION_TYPE = 0x0004 , */
|
|
/* IDL: EVENTLOG_AUDIT_SUCCESS = 0x0008 , */
|
|
/* IDL: EVENTLOG_AUDIT_FAILURE = 0x0010 , */
|
|
/* IDL: } */
|
|
|
|
int
|
|
eventlog_dissect_bitmap_eventlogEventTypes(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
|
|
{
|
|
proto_item *item = NULL;
|
|
proto_tree *tree = NULL;
|
|
|
|
guint32 flags;
|
|
ALIGN_TO_4_BYTES;
|
|
|
|
if (parent_tree) {
|
|
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, 4, TRUE);
|
|
tree = proto_item_add_subtree(item,ett_eventlog_eventlogEventTypes);
|
|
}
|
|
|
|
offset = dissect_ndr_uint32(tvb, offset, pinfo, NULL, drep, -1, &flags);
|
|
proto_item_append_text(item, ": ");
|
|
|
|
if (!flags)
|
|
proto_item_append_text(item, "(No values set)");
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogEventTypes_EVENTLOG_SUCCESS, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0000 )){
|
|
proto_item_append_text(item, "EVENTLOG_SUCCESS");
|
|
if (flags & (~( 0x0000 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0000 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogEventTypes_EVENTLOG_ERROR_TYPE, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0001 )){
|
|
proto_item_append_text(item, "EVENTLOG_ERROR_TYPE");
|
|
if (flags & (~( 0x0001 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0001 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogEventTypes_EVENTLOG_WARNING_TYPE, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0002 )){
|
|
proto_item_append_text(item, "EVENTLOG_WARNING_TYPE");
|
|
if (flags & (~( 0x0002 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0002 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogEventTypes_EVENTLOG_INFORMATION_TYPE, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0004 )){
|
|
proto_item_append_text(item, "EVENTLOG_INFORMATION_TYPE");
|
|
if (flags & (~( 0x0004 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0004 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_SUCCESS, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0008 )){
|
|
proto_item_append_text(item, "EVENTLOG_AUDIT_SUCCESS");
|
|
if (flags & (~( 0x0008 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0008 ));
|
|
|
|
proto_tree_add_boolean(tree, hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_FAILURE, tvb, offset-4, 4, flags);
|
|
if (flags&( 0x0010 )){
|
|
proto_item_append_text(item, "EVENTLOG_AUDIT_FAILURE");
|
|
if (flags & (~( 0x0010 )))
|
|
proto_item_append_text(item, ", ");
|
|
}
|
|
flags&=(~( 0x0010 ));
|
|
|
|
if (flags) {
|
|
proto_item_append_text(item, "Unknown bitmap value 0x%x", flags);
|
|
}
|
|
|
|
return offset;
|
|
}
|
|
|
|
|
|
/* IDL: struct { */
|
|
/* IDL: uint16 unknown0; */
|
|
/* IDL: uint16 unknown1; */
|
|
/* IDL: } */
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenUnknown0_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint16(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenUnknown0_unknown0, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenUnknown0_unknown1(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint16(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenUnknown0_unknown1, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
int
|
|
eventlog_dissect_struct_OpenUnknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
|
|
{
|
|
proto_item *item = NULL;
|
|
proto_tree *tree = NULL;
|
|
int old_offset;
|
|
|
|
ALIGN_TO_2_BYTES;
|
|
|
|
old_offset = offset;
|
|
|
|
if (parent_tree) {
|
|
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
|
|
tree = proto_item_add_subtree(item, ett_eventlog_eventlog_OpenUnknown0);
|
|
}
|
|
|
|
offset = eventlog_dissect_element_OpenUnknown0_unknown0(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_OpenUnknown0_unknown1(tvb, offset, pinfo, tree, drep);
|
|
|
|
|
|
proto_item_set_len(item, offset-old_offset);
|
|
|
|
return offset;
|
|
}
|
|
|
|
|
|
/* IDL: struct { */
|
|
/* IDL: uint32 size; */
|
|
/* IDL: uint32 reserved; */
|
|
/* IDL: uint32 record_number; */
|
|
/* IDL: uint32 time_generated; */
|
|
/* IDL: uint32 time_written; */
|
|
/* IDL: uint32 event_id; */
|
|
/* IDL: uint16 event_type; */
|
|
/* IDL: uint16 num_of_strings; */
|
|
/* IDL: uint16 event_category; */
|
|
/* IDL: uint16 reserved_flags; */
|
|
/* IDL: uint32 closing_record_number; */
|
|
/* IDL: uint32 stringoffset; */
|
|
/* IDL: uint32 sid_length; */
|
|
/* IDL: uint32 sid_offset; */
|
|
/* IDL: uint32 data_length; */
|
|
/* IDL: uint32 data_offset; */
|
|
/* IDL: [flag(LIBNDR_FLAG_STR_NULLTERM)] string source_name; */
|
|
/* IDL: [flag(LIBNDR_FLAG_STR_NULLTERM)] string computer_name; */
|
|
/* IDL: [flag(LIBNDR_FLAG_STR_NULLTERM)] string strings[num_of_strings]; */
|
|
/* IDL: [flag(LIBNDR_FLAG_STR_ASCII|LIBNDR_FLAG_STR_NULLTERM)] string raw_data; */
|
|
/* IDL: } */
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_size(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_size, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_reserved(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_reserved, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_record_number(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_record_number, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_time_generated(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_time_generated, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_time_written(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_time_written, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_event_id(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_event_id, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_event_type(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint16(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_event_type, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_event_category(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint16(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_event_category, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_reserved_flags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint16(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_reserved_flags, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_closing_record_number(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_closing_record_number, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_data_length(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_data_length, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_data_offset(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_Record_data_offset, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_strings_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_Record_raw_data(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
|
|
return offset;
|
|
}
|
|
|
|
int
|
|
eventlog_dissect_struct_Record(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
|
|
{
|
|
proto_item *item = NULL;
|
|
proto_tree *tree = NULL;
|
|
int old_offset;
|
|
|
|
ALIGN_TO_4_BYTES;
|
|
|
|
old_offset = offset;
|
|
|
|
if (parent_tree) {
|
|
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
|
|
tree = proto_item_add_subtree(item, ett_eventlog_eventlog_Record);
|
|
}
|
|
|
|
offset = eventlog_dissect_element_Record_size(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_reserved(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_record_number(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_time_generated(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_time_written(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_event_id(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_event_type(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_num_of_strings(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_event_category(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_reserved_flags(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_closing_record_number(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_stringoffset(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_sid_length(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_sid_offset(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_data_length(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_data_offset(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_source_name(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_computer_name(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_strings(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_Record_raw_data(tvb, offset, pinfo, tree, drep);
|
|
|
|
|
|
proto_item_set_len(item, offset-old_offset);
|
|
|
|
return offset;
|
|
}
|
|
|
|
|
|
/* IDL: struct { */
|
|
/* IDL: uint32 unknown0; */
|
|
/* IDL: uint32 unknown1; */
|
|
/* IDL: } */
|
|
|
|
static int
|
|
eventlog_dissect_element_ChangeUnknown0_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ChangeUnknown0_unknown0, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ChangeUnknown0_unknown1(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ChangeUnknown0_unknown1, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
int
|
|
eventlog_dissect_struct_ChangeUnknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *parent_tree _U_, guint8 *drep _U_, int hf_index _U_, guint32 param _U_)
|
|
{
|
|
proto_item *item = NULL;
|
|
proto_tree *tree = NULL;
|
|
int old_offset;
|
|
|
|
ALIGN_TO_4_BYTES;
|
|
|
|
old_offset = offset;
|
|
|
|
if (parent_tree) {
|
|
item = proto_tree_add_item(parent_tree, hf_index, tvb, offset, -1, TRUE);
|
|
tree = proto_item_add_subtree(item, ett_eventlog_eventlog_ChangeUnknown0);
|
|
}
|
|
|
|
offset = eventlog_dissect_element_ChangeUnknown0_unknown0(tvb, offset, pinfo, tree, drep);
|
|
|
|
offset = eventlog_dissect_element_ChangeUnknown0_unknown1(tvb, offset, pinfo, tree, drep);
|
|
|
|
|
|
proto_item_set_len(item, offset-old_offset);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ClearEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ClearEventLogW_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_ClearEventLogW_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ClearEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ClearEventLogW_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ClearEventLogW_backupfilename(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ClearEventLogW_backupfilename_, NDR_POINTER_UNIQUE, "Pointer to Backupfilename (lsa_String)",hf_eventlog_eventlog_ClearEventLogW_backupfilename);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ClearEventLogW_backupfilename_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_lsa_String(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_ClearEventLogW_backupfilename,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_ClearEventLogW( */
|
|
/* IDL: [in] [ref] policy_handle *handle, */
|
|
/* IDL: [in] [unique(1)] lsa_String *backupfilename */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_ClearEventLogW_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="ClearEventLogW";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_ClearEventLogW_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="ClearEventLogW";
|
|
offset = eventlog_dissect_element_ClearEventLogW_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_ClearEventLogW_backupfilename(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_BackupEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_BackupEventLogW_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_BackupEventLogW_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_BackupEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_BackupEventLogW_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_BackupEventLogW_backupfilename(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_BackupEventLogW_backupfilename_, NDR_POINTER_UNIQUE, "Pointer to Backupfilename (lsa_String)",hf_eventlog_eventlog_BackupEventLogW_backupfilename);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_BackupEventLogW_backupfilename_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_lsa_String(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_BackupEventLogW_backupfilename,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_BackupEventLogW( */
|
|
/* IDL: [in] [ref] policy_handle *handle, */
|
|
/* IDL: [in] [unique(1)] lsa_String *backupfilename */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_BackupEventLogW_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="BackupEventLogW";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_BackupEventLogW_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="BackupEventLogW";
|
|
offset = eventlog_dissect_element_BackupEventLogW_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_BackupEventLogW_backupfilename(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_CloseEventLog_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_CloseEventLog_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_CloseEventLog_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_CloseEventLog_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_CloseEventLog_handle, PIDL_POLHND_CLOSE);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_CloseEventLog( */
|
|
/* IDL: [out] [in] [ref] policy_handle *handle */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_CloseEventLog_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="CloseEventLog";
|
|
offset = eventlog_dissect_element_CloseEventLog_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_CloseEventLog_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="CloseEventLog";
|
|
offset = eventlog_dissect_element_CloseEventLog_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_DeregisterEventSource_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_DeregisterEventSource_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_DeregisterEventSource_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_DeregisterEventSource_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_DeregisterEventSource_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_DeregisterEventSource( */
|
|
/* IDL: [out] [in] [ref] policy_handle *handle */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_DeregisterEventSource_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="DeregisterEventSource";
|
|
offset = eventlog_dissect_element_DeregisterEventSource_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_DeregisterEventSource_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="DeregisterEventSource";
|
|
offset = eventlog_dissect_element_DeregisterEventSource_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetNumRecords_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_GetNumRecords_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_GetNumRecords_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetNumRecords_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetNumRecords_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetNumRecords_number(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_GetNumRecords_number_, NDR_POINTER_REF, "Pointer to Number (uint32)",hf_eventlog_eventlog_GetNumRecords_number);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetNumRecords_number_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetNumRecords_number, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_GetNumRecords( */
|
|
/* IDL: [in] [ref] policy_handle *handle, */
|
|
/* IDL: [out] [ref] uint32 *number */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_GetNumRecords_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="GetNumRecords";
|
|
offset = eventlog_dissect_element_GetNumRecords_number(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_GetNumRecords_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="GetNumRecords";
|
|
offset = eventlog_dissect_element_GetNumRecords_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetOldestRecord_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_GetOldestRecord_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_GetOldestRecord_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetOldestRecord_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetOldestRecord_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetOldestRecord_oldest(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_GetOldestRecord_oldest_, NDR_POINTER_REF, "Pointer to Oldest (uint32)",hf_eventlog_eventlog_GetOldestRecord_oldest);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetOldestRecord_oldest_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetOldestRecord_oldest, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_GetOldestRecord( */
|
|
/* IDL: [in] [ref] policy_handle *handle, */
|
|
/* IDL: [out] [ref] uint32 *oldest */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_GetOldestRecord_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="GetOldestRecord";
|
|
offset = eventlog_dissect_element_GetOldestRecord_oldest(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_GetOldestRecord_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="GetOldestRecord";
|
|
offset = eventlog_dissect_element_GetOldestRecord_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ChangeNotify_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ChangeNotify_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_ChangeNotify_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ChangeNotify_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ChangeNotify_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ChangeNotify_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ChangeNotify_unknown2_, NDR_POINTER_REF, "Pointer to Unknown2 (eventlog_ChangeUnknown0)",hf_eventlog_eventlog_ChangeNotify_unknown2);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ChangeNotify_unknown2_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_ChangeUnknown0(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_ChangeNotify_unknown2,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ChangeNotify_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ChangeNotify_unknown3, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_ChangeNotify( */
|
|
/* IDL: [in] [ref] policy_handle *handle, */
|
|
/* IDL: [in] [ref] eventlog_ChangeUnknown0 *unknown2, */
|
|
/* IDL: [in] uint32 unknown3 */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_ChangeNotify_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="ChangeNotify";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_ChangeNotify_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="ChangeNotify";
|
|
offset = eventlog_dissect_element_ChangeNotify_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_ChangeNotify_unknown2(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_ChangeNotify_unknown3(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_OpenEventLogW_unknown0_, NDR_POINTER_UNIQUE, "Pointer to Unknown0 (eventlog_OpenUnknown0)",hf_eventlog_eventlog_OpenEventLogW_unknown0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_unknown0_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_OpenUnknown0(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_OpenEventLogW_unknown0,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_logname(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_lsa_String(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_OpenEventLogW_logname,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_servername(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_lsa_String(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_OpenEventLogW_servername,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenEventLogW_unknown2, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenEventLogW_unknown3, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_OpenEventLogW_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_OpenEventLogW_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenEventLogW_handle, PIDL_POLHND_OPEN);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_OpenEventLogW( */
|
|
/* IDL: [in] [unique(1)] eventlog_OpenUnknown0 *unknown0, */
|
|
/* IDL: [in] lsa_String logname, */
|
|
/* IDL: [in] lsa_String servername, */
|
|
/* IDL: [in] uint32 unknown2, */
|
|
/* IDL: [in] uint32 unknown3, */
|
|
/* IDL: [out] [ref] policy_handle *handle */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_OpenEventLogW_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="OpenEventLogW";
|
|
offset = eventlog_dissect_element_OpenEventLogW_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_OpenEventLogW_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="OpenEventLogW";
|
|
offset = eventlog_dissect_element_OpenEventLogW_unknown0(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_OpenEventLogW_logname(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_OpenEventLogW_servername(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_OpenEventLogW_unknown2(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_OpenEventLogW_unknown3(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_RegisterEventSourceW_unknown0_, NDR_POINTER_UNIQUE, "Pointer to Unknown0 (eventlog_OpenUnknown0)",hf_eventlog_eventlog_RegisterEventSourceW_unknown0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_unknown0_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_OpenUnknown0(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_RegisterEventSourceW_unknown0,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_logname(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_lsa_String(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_RegisterEventSourceW_logname,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_servername(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_lsa_String(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_RegisterEventSourceW_servername,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_RegisterEventSourceW_unknown2, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_RegisterEventSourceW_unknown3, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_RegisterEventSourceW_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_RegisterEventSourceW_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_RegisterEventSourceW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_RegisterEventSourceW_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_RegisterEventSourceW( */
|
|
/* IDL: [in] [unique(1)] eventlog_OpenUnknown0 *unknown0, */
|
|
/* IDL: [in] lsa_String logname, */
|
|
/* IDL: [in] lsa_String servername, */
|
|
/* IDL: [in] uint32 unknown2, */
|
|
/* IDL: [in] uint32 unknown3, */
|
|
/* IDL: [out] [ref] policy_handle *handle */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_RegisterEventSourceW_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="RegisterEventSourceW";
|
|
offset = eventlog_dissect_element_RegisterEventSourceW_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_RegisterEventSourceW_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="RegisterEventSourceW";
|
|
offset = eventlog_dissect_element_RegisterEventSourceW_unknown0(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_RegisterEventSourceW_logname(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_RegisterEventSourceW_servername(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_RegisterEventSourceW_unknown2(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_RegisterEventSourceW_unknown3(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenBackupEventLogW_unknown0(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_OpenBackupEventLogW_unknown0_, NDR_POINTER_UNIQUE, "Pointer to Unknown0 (eventlog_OpenUnknown0)",hf_eventlog_eventlog_OpenBackupEventLogW_unknown0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenBackupEventLogW_unknown0_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_OpenUnknown0(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_OpenBackupEventLogW_unknown0,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenBackupEventLogW_logname(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = eventlog_dissect_struct_lsa_String(tvb,offset,pinfo,tree,drep,hf_eventlog_eventlog_OpenBackupEventLogW_logname,0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenBackupEventLogW_unknown2(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenBackupEventLogW_unknown2, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenBackupEventLogW_unknown3(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenBackupEventLogW_unknown3, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenBackupEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_OpenBackupEventLogW_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_OpenBackupEventLogW_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_OpenBackupEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_OpenBackupEventLogW_handle, PIDL_POLHND_OPEN);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_OpenBackupEventLogW( */
|
|
/* IDL: [in] [unique(1)] eventlog_OpenUnknown0 *unknown0, */
|
|
/* IDL: [in] lsa_String logname, */
|
|
/* IDL: [in] uint32 unknown2, */
|
|
/* IDL: [in] uint32 unknown3, */
|
|
/* IDL: [out] [ref] policy_handle *handle */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_OpenBackupEventLogW_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="OpenBackupEventLogW";
|
|
offset = eventlog_dissect_element_OpenBackupEventLogW_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_OpenBackupEventLogW_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="OpenBackupEventLogW";
|
|
offset = eventlog_dissect_element_OpenBackupEventLogW_unknown0(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_OpenBackupEventLogW_logname(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_OpenBackupEventLogW_unknown2(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_OpenBackupEventLogW_unknown3(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ReadEventLogW_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_ReadEventLogW_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ReadEventLogW_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_flags(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ReadEventLogW_flags, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_offset(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ReadEventLogW_offset, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_number_of_bytes(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ReadEventLogW_number_of_bytes, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_data(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ReadEventLogW_data_, NDR_POINTER_REF, "Pointer to Data (uint8)",hf_eventlog_eventlog_ReadEventLogW_data);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_sent_size(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ReadEventLogW_sent_size_, NDR_POINTER_REF, "Pointer to Sent Size (uint32)",hf_eventlog_eventlog_ReadEventLogW_sent_size);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_sent_size_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ReadEventLogW_sent_size, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_real_size(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_ReadEventLogW_real_size_, NDR_POINTER_REF, "Pointer to Real Size (uint32)",hf_eventlog_eventlog_ReadEventLogW_real_size);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_ReadEventLogW_real_size_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_ReadEventLogW_real_size, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_ReadEventLogW( */
|
|
/* IDL: [in] [ref] policy_handle *handle, */
|
|
/* IDL: [in] uint32 flags, */
|
|
/* IDL: [in] uint32 offset, */
|
|
/* IDL: [in] uint32 number_of_bytes, */
|
|
/* IDL: [size_is(number_of_bytes)] [out] [ref] uint8 *data, */
|
|
/* IDL: [out] [ref] uint32 *sent_size, */
|
|
/* IDL: [out] [ref] uint32 *real_size */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_ReadEventLogW_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="ReadEventLogW";
|
|
offset = eventlog_dissect_element_ReadEventLogW_data(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = eventlog_dissect_element_ReadEventLogW_sent_size(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = eventlog_dissect_element_ReadEventLogW_real_size(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_ReadEventLogW_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="ReadEventLogW";
|
|
offset = eventlog_dissect_element_ReadEventLogW_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_ReadEventLogW_flags(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_ReadEventLogW_offset(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_ReadEventLogW_number_of_bytes(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_ReportEventW( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_ReportEventW_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="ReportEventW";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_ReportEventW_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="ReportEventW";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_ClearEventLogA( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_ClearEventLogA_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="ClearEventLogA";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_ClearEventLogA_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="ClearEventLogA";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_BackupEventLogA( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_BackupEventLogA_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="BackupEventLogA";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_BackupEventLogA_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="BackupEventLogA";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_OpenEventLogA( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_OpenEventLogA_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="OpenEventLogA";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_OpenEventLogA_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="OpenEventLogA";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_RegisterEventSourceA( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_RegisterEventSourceA_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="RegisterEventSourceA";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_RegisterEventSourceA_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="RegisterEventSourceA";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_OpenBackupEventLogA( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_OpenBackupEventLogA_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="OpenBackupEventLogA";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_OpenBackupEventLogA_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="OpenBackupEventLogA";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_ReadEventLogA( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_ReadEventLogA_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="ReadEventLogA";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_ReadEventLogA_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="ReadEventLogA";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_ReportEventA( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_ReportEventA_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="ReportEventA";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_ReportEventA_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="ReportEventA";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_RegisterClusterSvc( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_RegisterClusterSvc_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="RegisterClusterSvc";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_RegisterClusterSvc_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="RegisterClusterSvc";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_DeregisterClusterSvc( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_DeregisterClusterSvc_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="DeregisterClusterSvc";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_DeregisterClusterSvc_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="DeregisterClusterSvc";
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_WriteClusterEvents( */
|
|
/* IDL: */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_WriteClusterEvents_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="WriteClusterEvents";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_WriteClusterEvents_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="WriteClusterEvents";
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_GetLogIntormation_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_GetLogIntormation_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetLogIntormation_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_dwInfoLevel(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetLogIntormation_dwInfoLevel, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_lpBuffer(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_ucarray(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_GetLogIntormation_lpBuffer_);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_lpBuffer_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint8(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetLogIntormation_lpBuffer, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_cbBufSize(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetLogIntormation_cbBufSize, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_cbBytesNeeded(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_GetLogIntormation_cbBytesNeeded_, NDR_POINTER_REF, "Pointer to Cbbytesneeded (int32)",hf_eventlog_eventlog_GetLogIntormation_cbBytesNeeded);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_GetLogIntormation_cbBytesNeeded_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_uint32(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_GetLogIntormation_cbBytesNeeded, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_GetLogIntormation( */
|
|
/* IDL: [in] [ref] policy_handle *handle, */
|
|
/* IDL: [in] uint32 dwInfoLevel, */
|
|
/* IDL: [size_is(cbBufSize)] [out] uint8 lpBuffer[*], */
|
|
/* IDL: [in] uint32 cbBufSize, */
|
|
/* IDL: [out] [ref] int32 *cbBytesNeeded */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_GetLogIntormation_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="GetLogIntormation";
|
|
offset = eventlog_dissect_element_GetLogIntormation_lpBuffer(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = eventlog_dissect_element_GetLogIntormation_cbBytesNeeded(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_GetLogIntormation_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="GetLogIntormation";
|
|
offset = eventlog_dissect_element_GetLogIntormation_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_GetLogIntormation_dwInfoLevel(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
offset = eventlog_dissect_element_GetLogIntormation_cbBufSize(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_FlushEventLog_handle(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = dissect_ndr_toplevel_pointer(tvb, offset, pinfo, tree, drep, eventlog_dissect_element_FlushEventLog_handle_, NDR_POINTER_REF, "Pointer to Handle (policy_handle)",hf_eventlog_eventlog_FlushEventLog_handle);
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_element_FlushEventLog_handle_(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
offset = PIDL_dissect_policy_hnd(tvb, offset, pinfo, tree, drep, hf_eventlog_eventlog_FlushEventLog_handle, 0);
|
|
|
|
return offset;
|
|
}
|
|
|
|
/* IDL: NTSTATUS eventlog_FlushEventLog( */
|
|
/* IDL: [in] [ref] policy_handle *handle */
|
|
/* IDL: ); */
|
|
|
|
static int
|
|
eventlog_dissect_FlushEventLog_response(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
guint32 status;
|
|
|
|
pinfo->dcerpc_procedure_name="FlushEventLog";
|
|
offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep, hf_eventlog_status, &status);
|
|
|
|
if (status != 0 && check_col(pinfo->cinfo, COL_INFO))
|
|
col_append_fstr(pinfo->cinfo, COL_INFO, ", Error: %s", val_to_str(status, NT_errors, "Unknown NT status 0x%08x"));
|
|
|
|
return offset;
|
|
}
|
|
|
|
static int
|
|
eventlog_dissect_FlushEventLog_request(tvbuff_t *tvb _U_, int offset _U_, packet_info *pinfo _U_, proto_tree *tree _U_, guint8 *drep _U_)
|
|
{
|
|
pinfo->dcerpc_procedure_name="FlushEventLog";
|
|
offset = eventlog_dissect_element_FlushEventLog_handle(tvb, offset, pinfo, tree, drep);
|
|
offset = dissect_deferred_pointers(pinfo, tvb, offset, drep);
|
|
return offset;
|
|
}
|
|
|
|
|
|
static dcerpc_sub_dissector eventlog_dissectors[] = {
|
|
{ 0, "ClearEventLogW",
|
|
eventlog_dissect_ClearEventLogW_request, eventlog_dissect_ClearEventLogW_response},
|
|
{ 1, "BackupEventLogW",
|
|
eventlog_dissect_BackupEventLogW_request, eventlog_dissect_BackupEventLogW_response},
|
|
{ 2, "CloseEventLog",
|
|
eventlog_dissect_CloseEventLog_request, eventlog_dissect_CloseEventLog_response},
|
|
{ 3, "DeregisterEventSource",
|
|
eventlog_dissect_DeregisterEventSource_request, eventlog_dissect_DeregisterEventSource_response},
|
|
{ 4, "GetNumRecords",
|
|
eventlog_dissect_GetNumRecords_request, eventlog_dissect_GetNumRecords_response},
|
|
{ 5, "GetOldestRecord",
|
|
eventlog_dissect_GetOldestRecord_request, eventlog_dissect_GetOldestRecord_response},
|
|
{ 6, "ChangeNotify",
|
|
eventlog_dissect_ChangeNotify_request, eventlog_dissect_ChangeNotify_response},
|
|
{ 7, "OpenEventLogW",
|
|
eventlog_dissect_OpenEventLogW_request, eventlog_dissect_OpenEventLogW_response},
|
|
{ 8, "RegisterEventSourceW",
|
|
eventlog_dissect_RegisterEventSourceW_request, eventlog_dissect_RegisterEventSourceW_response},
|
|
{ 9, "OpenBackupEventLogW",
|
|
eventlog_dissect_OpenBackupEventLogW_request, eventlog_dissect_OpenBackupEventLogW_response},
|
|
{ 10, "ReadEventLogW",
|
|
eventlog_dissect_ReadEventLogW_request, eventlog_dissect_ReadEventLogW_response},
|
|
{ 11, "ReportEventW",
|
|
eventlog_dissect_ReportEventW_request, eventlog_dissect_ReportEventW_response},
|
|
{ 12, "ClearEventLogA",
|
|
eventlog_dissect_ClearEventLogA_request, eventlog_dissect_ClearEventLogA_response},
|
|
{ 13, "BackupEventLogA",
|
|
eventlog_dissect_BackupEventLogA_request, eventlog_dissect_BackupEventLogA_response},
|
|
{ 14, "OpenEventLogA",
|
|
eventlog_dissect_OpenEventLogA_request, eventlog_dissect_OpenEventLogA_response},
|
|
{ 15, "RegisterEventSourceA",
|
|
eventlog_dissect_RegisterEventSourceA_request, eventlog_dissect_RegisterEventSourceA_response},
|
|
{ 16, "OpenBackupEventLogA",
|
|
eventlog_dissect_OpenBackupEventLogA_request, eventlog_dissect_OpenBackupEventLogA_response},
|
|
{ 17, "ReadEventLogA",
|
|
eventlog_dissect_ReadEventLogA_request, eventlog_dissect_ReadEventLogA_response},
|
|
{ 18, "ReportEventA",
|
|
eventlog_dissect_ReportEventA_request, eventlog_dissect_ReportEventA_response},
|
|
{ 19, "RegisterClusterSvc",
|
|
eventlog_dissect_RegisterClusterSvc_request, eventlog_dissect_RegisterClusterSvc_response},
|
|
{ 20, "DeregisterClusterSvc",
|
|
eventlog_dissect_DeregisterClusterSvc_request, eventlog_dissect_DeregisterClusterSvc_response},
|
|
{ 21, "WriteClusterEvents",
|
|
eventlog_dissect_WriteClusterEvents_request, eventlog_dissect_WriteClusterEvents_response},
|
|
{ 22, "GetLogIntormation",
|
|
eventlog_dissect_GetLogIntormation_request, eventlog_dissect_GetLogIntormation_response},
|
|
{ 23, "FlushEventLog",
|
|
eventlog_dissect_FlushEventLog_request, eventlog_dissect_FlushEventLog_response},
|
|
{ 0, NULL, NULL, NULL }
|
|
};
|
|
|
|
void proto_register_dcerpc_eventlog(void)
|
|
{
|
|
static hf_register_info hf[] = {
|
|
{ &hf_eventlog_eventlog_ReadEventLogW_offset,
|
|
{ "Offset", "eventlog.eventlog_ReadEventLogW.offset", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ChangeNotify_unknown2,
|
|
{ "Unknown2", "eventlog.eventlog_ChangeNotify.unknown2", FT_NONE, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ChangeNotify_unknown3,
|
|
{ "Unknown3", "eventlog.eventlog_ChangeNotify.unknown3", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_data_offset,
|
|
{ "Data Offset", "eventlog.eventlog_Record.data_offset", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_sid_length,
|
|
{ "Sid Length", "eventlog.eventlog_Record.sid_length", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_RegisterEventSourceW_handle,
|
|
{ "Handle", "eventlog.eventlog_RegisterEventSourceW.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_BackupEventLogW_backupfilename,
|
|
{ "Backupfilename", "eventlog.eventlog_BackupEventLogW.backupfilename", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ChangeUnknown0_unknown0,
|
|
{ "Unknown0", "eventlog.eventlog_ChangeUnknown0.unknown0", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_computer_name,
|
|
{ "Computer Name", "eventlog.eventlog_Record.computer_name", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogEventTypes_EVENTLOG_SUCCESS,
|
|
{ "Eventlog Success", "eventlog.eventlogEventTypes.EVENTLOG_SUCCESS", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_SUCCESS_tfs), ( 0x0000 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ChangeUnknown0_unknown1,
|
|
{ "Unknown1", "eventlog.eventlog_ChangeUnknown0.unknown1", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_strings,
|
|
{ "Strings", "eventlog.eventlog_Record.strings", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetLogIntormation_cbBytesNeeded,
|
|
{ "Cbbytesneeded", "eventlog.eventlog_GetLogIntormation.cbBytesNeeded", FT_INT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetNumRecords_handle,
|
|
{ "Handle", "eventlog.eventlog_GetNumRecords.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_status,
|
|
{ "NT Error", "eventlog.status", FT_UINT32, BASE_HEX, VALS(NT_errors), 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_sid_offset,
|
|
{ "Sid Offset", "eventlog.eventlog_Record.sid_offset", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenBackupEventLogW_logname,
|
|
{ "Logname", "eventlog.eventlog_OpenBackupEventLogW.logname", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_source_name,
|
|
{ "Source Name", "eventlog.eventlog_Record.source_name", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ReadEventLogW_handle,
|
|
{ "Handle", "eventlog.eventlog_ReadEventLogW.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ClearEventLogW_backupfilename,
|
|
{ "Backupfilename", "eventlog.eventlog_ClearEventLogW.backupfilename", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_Record_string,
|
|
{ "string", "eventlog.Record.string", FT_STRING, BASE_NONE, NULL, 0, " ", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenEventLogW_servername,
|
|
{ "Servername", "eventlog.eventlog_OpenEventLogW.servername", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_event_type,
|
|
{ "Event Type", "eventlog.eventlog_Record.event_type", FT_UINT16, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ReadEventLogW_real_size,
|
|
{ "Real Size", "eventlog.eventlog_ReadEventLogW.real_size", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_CloseEventLog_handle,
|
|
{ "Handle", "eventlog.eventlog_CloseEventLog.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_SUCCESS,
|
|
{ "Eventlog Audit Success", "eventlog.eventlogEventTypes.EVENTLOG_AUDIT_SUCCESS", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_AUDIT_SUCCESS_tfs), ( 0x0008 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlog_RegisterEventSourceW_logname,
|
|
{ "Logname", "eventlog.eventlog_RegisterEventSourceW.logname", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_num_of_strings,
|
|
{ "Num Of Strings", "eventlog.eventlog_Record.num_of_strings", FT_UINT16, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_time_written,
|
|
{ "Time Written", "eventlog.eventlog_Record.time_written", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ReadEventLogW_flags,
|
|
{ "Flags", "eventlog.eventlog_ReadEventLogW.flags", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_size,
|
|
{ "Size", "eventlog.eventlog_Record.size", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_record_number,
|
|
{ "Record Number", "eventlog.eventlog_Record.record_number", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetLogIntormation_cbBufSize,
|
|
{ "Cbbufsize", "eventlog.eventlog_GetLogIntormation.cbBufSize", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetLogIntormation_handle,
|
|
{ "Handle", "eventlog.eventlog_GetLogIntormation.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ReadEventLogW_number_of_bytes,
|
|
{ "Number Of Bytes", "eventlog.eventlog_ReadEventLogW.number_of_bytes", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_RegisterEventSourceW_servername,
|
|
{ "Servername", "eventlog.eventlog_RegisterEventSourceW.servername", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_reserved,
|
|
{ "Reserved", "eventlog.eventlog_Record.reserved", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogEventTypes_EVENTLOG_AUDIT_FAILURE,
|
|
{ "Eventlog Audit Failure", "eventlog.eventlogEventTypes.EVENTLOG_AUDIT_FAILURE", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_AUDIT_FAILURE_tfs), ( 0x0010 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_raw_data,
|
|
{ "Raw Data", "eventlog.eventlog_Record.raw_data", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ChangeNotify_handle,
|
|
{ "Handle", "eventlog.eventlog_ChangeNotify.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogEventTypes_EVENTLOG_WARNING_TYPE,
|
|
{ "Eventlog Warning Type", "eventlog.eventlogEventTypes.EVENTLOG_WARNING_TYPE", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_WARNING_TYPE_tfs), ( 0x0002 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenUnknown0_unknown0,
|
|
{ "Unknown0", "eventlog.eventlog_OpenUnknown0.unknown0", FT_UINT16, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenUnknown0_unknown1,
|
|
{ "Unknown1", "eventlog.eventlog_OpenUnknown0.unknown1", FT_UINT16, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_Record_length,
|
|
{ "Record Length", "eventlog.Record.length", FT_UINT32, BASE_DEC, NULL, 0, " ", HFILL }},
|
|
{ &hf_eventlog_eventlogReadFlags_EVENTLOG_SEEK_READ,
|
|
{ "Eventlog Seek Read", "eventlog.eventlogReadFlags.EVENTLOG_SEEK_READ", FT_BOOLEAN, 32, TFS(&eventlogReadFlags_EVENTLOG_SEEK_READ_tfs), ( 0x0002 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlogReadFlags_EVENTLOG_BACKWARDS_READ,
|
|
{ "Eventlog Backwards Read", "eventlog.eventlogReadFlags.EVENTLOG_BACKWARDS_READ", FT_BOOLEAN, 32, TFS(&eventlogReadFlags_EVENTLOG_BACKWARDS_READ_tfs), ( 0x0008 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ReadEventLogW_data,
|
|
{ "Data", "eventlog.eventlog_ReadEventLogW.data", FT_UINT8, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_event_category,
|
|
{ "Event Category", "eventlog.eventlog_Record.event_category", FT_UINT16, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_DeregisterEventSource_handle,
|
|
{ "Handle", "eventlog.eventlog_DeregisterEventSource.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogEventTypes_EVENTLOG_ERROR_TYPE,
|
|
{ "Eventlog Error Type", "eventlog.eventlogEventTypes.EVENTLOG_ERROR_TYPE", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_ERROR_TYPE_tfs), ( 0x0001 ), "", HFILL }},
|
|
{ &hf_eventlog_Record_source_name,
|
|
{ "Source Name", "eventlog.Record.source_name", FT_STRING, BASE_NONE, NULL, 0, " ", HFILL }},
|
|
{ &hf_eventlog_eventlog_ReadEventLogW_sent_size,
|
|
{ "Sent Size", "eventlog.eventlog_ReadEventLogW.sent_size", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogEventTypes_EVENTLOG_INFORMATION_TYPE,
|
|
{ "Eventlog Information Type", "eventlog.eventlogEventTypes.EVENTLOG_INFORMATION_TYPE", FT_BOOLEAN, 32, TFS(&eventlogEventTypes_EVENTLOG_INFORMATION_TYPE_tfs), ( 0x0004 ), "", HFILL }},
|
|
{ &hf_eventlog_opnum,
|
|
{ "Operation", "eventlog.opnum", FT_UINT16, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_time_generated,
|
|
{ "Time Generated", "eventlog.eventlog_Record.time_generated", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_stringoffset,
|
|
{ "Stringoffset", "eventlog.eventlog_Record.stringoffset", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_Record_computer_name,
|
|
{ "Computer Name", "eventlog.Record.computer_name", FT_STRING, BASE_NONE, NULL, 0, " ", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenBackupEventLogW_unknown0,
|
|
{ "Unknown0", "eventlog.eventlog_OpenBackupEventLogW.unknown0", FT_NONE, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogReadFlags_EVENTLOG_FORWARDS_READ,
|
|
{ "Eventlog Forwards Read", "eventlog.eventlogReadFlags.EVENTLOG_FORWARDS_READ", FT_BOOLEAN, 32, TFS(&eventlogReadFlags_EVENTLOG_FORWARDS_READ_tfs), ( 0x0004 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenBackupEventLogW_unknown2,
|
|
{ "Unknown2", "eventlog.eventlog_OpenBackupEventLogW.unknown2", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenBackupEventLogW_unknown3,
|
|
{ "Unknown3", "eventlog.eventlog_OpenBackupEventLogW.unknown3", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_event_id,
|
|
{ "Event Id", "eventlog.eventlog_Record.event_id", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetNumRecords_number,
|
|
{ "Number", "eventlog.eventlog_GetNumRecords.number", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenEventLogW_unknown0,
|
|
{ "Unknown0", "eventlog.eventlog_OpenEventLogW.unknown0", FT_NONE, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetLogIntormation_dwInfoLevel,
|
|
{ "Dwinfolevel", "eventlog.eventlog_GetLogIntormation.dwInfoLevel", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenEventLogW_unknown2,
|
|
{ "Unknown2", "eventlog.eventlog_OpenEventLogW.unknown2", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenEventLogW_unknown3,
|
|
{ "Unknown3", "eventlog.eventlog_OpenEventLogW.unknown3", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_reserved_flags,
|
|
{ "Reserved Flags", "eventlog.eventlog_Record.reserved_flags", FT_UINT16, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenEventLogW_logname,
|
|
{ "Logname", "eventlog.eventlog_OpenEventLogW.logname", FT_NONE, BASE_HEX, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetLogIntormation_lpBuffer,
|
|
{ "Lpbuffer", "eventlog.eventlog_GetLogIntormation.lpBuffer", FT_UINT8, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlogReadFlags_EVENTLOG_SEQUENTIAL_READ,
|
|
{ "Eventlog Sequential Read", "eventlog.eventlogReadFlags.EVENTLOG_SEQUENTIAL_READ", FT_BOOLEAN, 32, TFS(&eventlogReadFlags_EVENTLOG_SEQUENTIAL_READ_tfs), ( 0x0001 ), "", HFILL }},
|
|
{ &hf_eventlog_eventlog_FlushEventLog_handle,
|
|
{ "Handle", "eventlog.eventlog_FlushEventLog.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetOldestRecord_oldest,
|
|
{ "Oldest", "eventlog.eventlog_GetOldestRecord.oldest", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_RegisterEventSourceW_unknown0,
|
|
{ "Unknown0", "eventlog.eventlog_RegisterEventSourceW.unknown0", FT_NONE, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_BackupEventLogW_handle,
|
|
{ "Handle", "eventlog.eventlog_BackupEventLogW.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenEventLogW_handle,
|
|
{ "Handle", "eventlog.eventlog_OpenEventLogW.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_RegisterEventSourceW_unknown2,
|
|
{ "Unknown2", "eventlog.eventlog_RegisterEventSourceW.unknown2", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_data_length,
|
|
{ "Data Length", "eventlog.eventlog_Record.data_length", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_GetOldestRecord_handle,
|
|
{ "Handle", "eventlog.eventlog_GetOldestRecord.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_RegisterEventSourceW_unknown3,
|
|
{ "Unknown3", "eventlog.eventlog_RegisterEventSourceW.unknown3", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_ClearEventLogW_handle,
|
|
{ "Handle", "eventlog.eventlog_ClearEventLogW.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_Record,
|
|
{ "Record", "eventlog.Record", FT_NONE, BASE_NONE, NULL, 0, " ", HFILL }},
|
|
{ &hf_eventlog_eventlog_Record_closing_record_number,
|
|
{ "Closing Record Number", "eventlog.eventlog_Record.closing_record_number", FT_UINT32, BASE_DEC, NULL, 0, "", HFILL }},
|
|
{ &hf_eventlog_eventlog_OpenBackupEventLogW_handle,
|
|
{ "Handle", "eventlog.eventlog_OpenBackupEventLogW.handle", FT_BYTES, BASE_NONE, NULL, 0, "", HFILL }},
|
|
};
|
|
|
|
|
|
static gint *ett[] = {
|
|
&ett_dcerpc_eventlog,
|
|
&ett_eventlog_eventlogReadFlags,
|
|
&ett_eventlog_eventlogEventTypes,
|
|
&ett_eventlog_eventlog_OpenUnknown0,
|
|
&ett_eventlog_eventlog_Record,
|
|
&ett_eventlog_eventlog_ChangeUnknown0,
|
|
};
|
|
|
|
proto_dcerpc_eventlog = proto_register_protocol("Event Logger", "EVENTLOG", "eventlog");
|
|
proto_register_field_array(proto_dcerpc_eventlog, hf, array_length (hf));
|
|
proto_register_subtree_array(ett, array_length(ett));
|
|
}
|
|
|
|
void proto_reg_handoff_dcerpc_eventlog(void)
|
|
{
|
|
dcerpc_init_uuid(proto_dcerpc_eventlog, ett_dcerpc_eventlog,
|
|
&uuid_dcerpc_eventlog, ver_dcerpc_eventlog,
|
|
eventlog_dissectors, hf_eventlog_opnum);
|
|
}
|