Ethereal-dev: [Ethereal-dev] [dcerpc] eventlog dissector
From: Jean-Baptiste Marchand <Jean-Baptiste.Marchand@xxxxxx>
Date: Mon, 12 Jul 2004 16:33:22 +0200
Hello, the two attached files are a dissector for the MSRPC eventlog interface, typically seen on the wire when the Event Viewer tool is used to view eventlogs of a remote Windows machine. Jean-Baptiste Marchand -- Jean-Baptiste.Marchand@xxxxxx HSC - http://www.hsc.fr/
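/* packet-dcerpc-eventlog.c
 * Routines for SMB \pipe\eventlog packet disassembly
 * Copyright 2004 Jean-Baptiste Marchand <jbm@xxxxxx>
 *
 * $Id$
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@xxxxxxxxxxxx>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

/*
 * Dissector for the MSRPC "eventlog" interface (UUID 82273fdc-e32a-18c3-
 * 3f78-827929dc23ea, version 0.0), carried over SMB \pipe\eventlog.
 *
 * Every opnum handler below follows the DCE/RPC sub-dissector contract:
 * it is given the tvbuff, the current offset, the packet info, the tree
 * to add items to and the data representation (drep), consumes the NDR
 * encoded parameters it understands, and returns the new offset.  All
 * field access goes through the NDR helpers, which bounds-check against
 * the tvbuff, so malformed input raises a dissector exception rather
 * than reading past the buffer.
 *
 * From an audit point of view the interesting opnums are ElfrClearELFW /
 * ElfrClearELFA (clear a remote log, optionally backing it up first) and
 * ElfrBackupELFW / ElfrBackupELFA (export a log): they are the calls that
 * modify or copy a log rather than just read it.
 */

#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <glib.h>
#include <epan/packet.h>
#include "packet-dcerpc.h"
#include "packet-dcerpc-nt.h"
#include "packet-dcerpc-eventlog.h"
#include "smb.h"

static int proto_dcerpc_eventlog = -1;

/* Header field ids; filled in by proto_register_field_array(). */
static int hf_eventlog_opnum = -1;
static int hf_eventlog_name = -1;
static int hf_eventlog_numofrecords = -1;
static int hf_eventlog_oldest_record = -1;
static int hf_eventlog_rc = -1;
static int hf_eventlog_hnd = -1;
static int hf_eventlog_backup_file = -1;
static int hf_eventlog_infolevel = -1;
static int hf_eventlog_bufsize = -1;
static int hf_eventlog_unknown = -1;
/* 16-bit counterpart of hf_eventlog_unknown, so NDR shorts are not
 * registered under a 32-bit field type. */
static int hf_eventlog_unknown16 = -1;
static int hf_eventlog_unknown_string = -1;
static int hf_eventlog_flags = -1;
static int hf_eventlog_offset = -1;
static int hf_eventlog_size = -1;

static gint ett_dcerpc_eventlog = -1;

/* IDL [ uuid(82273fdc-e32a-18c3-3f78-827929dc23ea),
 * IDL   version(0.0),
 * IDL   implicit_handle(handle_t rpc_binding)
 * IDL ] interface eventlog
 */
static e_uuid_t uuid_dcerpc_eventlog = {
	0x82273fdc, 0xe32a, 0x18c3,
	{ 0x3f, 0x78, 0x82, 0x79, 0x29, 0xdc, 0x23, 0xea }
};

static guint16 ver_dcerpc_eventlog = 0;

/* IDL long ElfrClearELFW(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] [string] [unique] wchar_t *BackupFileName
 * IDL );
 */

/*
 * ElfrClearELFW request: the log handle followed by an optional backup
 * file name.  A NULL BackupFileName means the log is cleared without a
 * copy being written first.
 */
static int
eventlog_dissect_clearw_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
			     proto_tree *tree, guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	/* [unique] pointer: absent on the wire when the referent id is 0. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     dissect_ndr_counted_string_ptr,
				     NDR_POINTER_UNIQUE, "Backup filename",
				     hf_eventlog_backup_file);

	return offset;
}

/* ElfrClearELFW reply: NTSTATUS only. */
static int
eventlog_dissect_clearw_reply(tvbuff_t *tvb, int offset, packet_info *pinfo,
			      proto_tree *tree, guint8 *drep)
{
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL long ElfrBackupELFW(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] [string] wchar_t *BackupFileName
 * IDL );
 */

/* ElfrBackupELFW request: log handle plus a mandatory backup file name. */
static int
eventlog_dissect_backupw_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
			      proto_tree *tree, guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	/* [ref] pointer: always present, no referent id on the wire. */
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     dissect_ndr_counted_string_ptr,
				     NDR_POINTER_REF, "Backup filename",
				     hf_eventlog_backup_file);

	return offset;
}

/* ElfrBackupELFW reply: NTSTATUS only. */
static int
eventlog_dissect_backupw_reply(tvbuff_t *tvb, int offset, packet_info *pinfo,
			       proto_tree *tree, guint8 *drep)
{
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL long ElfrCloseEL(
 * IDL   [in,out] [context_handle] void *hEventLog
 * IDL );
 */

/*
 * ElfrCloseEL request.  is_close is TRUE so the policy-handle tracker in
 * packet-dcerpc-nt records this frame as the one that released the handle.
 */
static int
eventlog_dissect_close_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
			    proto_tree *tree, guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, TRUE);

	return offset;
}

/* ElfrCloseEL reply: the (now invalid) handle echoed back, then NTSTATUS. */
static int
eventlog_dissect_close_reply(tvbuff_t *tvb, int offset, packet_info *pinfo,
			     proto_tree *tree, guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL long ElfrDeregisterEventSource(
 * IDL   [in,out] [context_handle] void *hEventLog
 * IDL );
 */

/*
 * ElfrDeregisterEventSource request.  The handle is [in,out] and released
 * by this call exactly like ElfrCloseEL above, so is_close is set here as
 * well; otherwise the handle tracker would never see the closing frame for
 * handles obtained via ElfrRegisterEventSourceW.
 */
static int
eventlog_dissect_deregister_evt_src_rqst(tvbuff_t *tvb, int offset,
					 packet_info *pinfo, proto_tree *tree,
					 guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, TRUE);

	return offset;
}

/* ElfrDeregisterEventSource reply: handle echoed back, then NTSTATUS. */
static int
eventlog_dissect_deregister_evt_src_reply(tvbuff_t *tvb, int offset,
					  packet_info *pinfo, proto_tree *tree,
					  guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL long ElfrNumberOfRecords(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [out] long NumberOfRecords
 * IDL );
 */

/* ElfrNumberOfRecords request: log handle only. */
static int
eventlog_dissect_getnumofrecords_rqst(tvbuff_t *tvb, int offset,
				      packet_info *pinfo, proto_tree *tree,
				      guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	return offset;
}

/* ElfrNumberOfRecords reply: record count, then NTSTATUS. */
static int
eventlog_dissect_getnumofrecords_reply(tvbuff_t *tvb, int offset,
				       packet_info *pinfo, proto_tree *tree,
				       guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_numofrecords, NULL);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL long ElfrOldestRecord(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [out] long OldestRecord
 * IDL );
 */

/* ElfrOldestRecord request: log handle only. */
static int
eventlog_dissect_oldestrecord_rqst(tvbuff_t *tvb, int offset,
				   packet_info *pinfo, proto_tree *tree,
				   guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	return offset;
}

/* ElfrOldestRecord reply: oldest record number, then NTSTATUS. */
static int
eventlog_dissect_oldestrecord_reply(tvbuff_t *tvb, int offset,
				    packet_info *pinfo, proto_tree *tree,
				    guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_oldest_record, NULL);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL typedef struct {
 * IDL   long element_14;
 * IDL   long element_15;
 * IDL } TYPE_2;
 */

/* TYPE_2: two 32-bit values whose meaning is not yet known. */
static int
eventlog_dissect_TYPE_2(tvbuff_t *tvb, int offset, packet_info *pinfo,
			proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	return offset;
}

/* IDL long ElfrChangeNotify(
 * IDL   [in] [context_handle] void *element_16,
 * IDL   [in] TYPE_2 element_17,
 * IDL   [in] long element_18
 * IDL );
 */

/* ElfrChangeNotify request: handle, a TYPE_2 struct and one more long. */
static int
eventlog_dissect_changenotify_rqst(tvbuff_t *tvb, int offset,
				   packet_info *pinfo, proto_tree *tree,
				   guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	offset = eventlog_dissect_TYPE_2(tvb, offset, pinfo, tree, drep);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	return offset;
}

/* ElfrChangeNotify reply: NTSTATUS only. */
static int
eventlog_dissect_changenotify_reply(tvbuff_t *tvb, int offset,
				    packet_info *pinfo, proto_tree *tree,
				    guint8 *drep)
{
	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL typedef struct {
 * IDL   short unknown0;
 * IDL   short unknown1;
 * IDL } TYPE_6;
 */

/* TYPE_6: two 16-bit values whose meaning is not yet known. */
static int
eventlog_dissect_TYPE_6(tvbuff_t *tvb, int offset, packet_info *pinfo,
			proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown16, NULL);

	offset = dissect_ndr_uint16(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown16, NULL);

	return offset;
}

/* IDL NTSTATUS ElfrOpenELW(
 * IDL   [in] [unique] TYPE_6 *unknown0,
 * IDL   [in] UNICODE_STRING eventlog_name,
 * IDL   [in] UNICODE_STRING unknown1,
 * IDL   [in] long unknown2,
 * IDL   [in] long unknown3,
 * IDL   [out] [context_handle] void *hEventLog
 * IDL );
 */

/*
 * ElfrOpenELW request: optional TYPE_6, the log name (e.g. the name the
 * client asked for), a second counted string and two longs.
 */
static int
eventlog_dissect_openw_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
			    proto_tree *tree, guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     eventlog_dissect_TYPE_6,
				     NDR_POINTER_UNIQUE,
				     "Unknown struct pointer:",
				     hf_eventlog_unknown);

	offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
					    hf_eventlog_name, 0);

	offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
					    hf_eventlog_unknown_string, 0);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	return offset;
}

/*
 * ElfrOpenELW reply: the new handle (is_open TRUE so the tracker records
 * the opening frame), then NTSTATUS.
 */
static int
eventlog_dissect_openw_reply(tvbuff_t *tvb, int offset, packet_info *pinfo,
			     proto_tree *tree, guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       TRUE, FALSE);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL long ElfrRegisterEventSourceW(
 * IDL   [in] [unique] TYPE_6 *unknown0,
 * IDL   [in] UNICODE_STRING element_26,
 * IDL   [in] UNICODE_STRING element_27,
 * IDL   [in] long unknown2,
 * IDL   [in] long unknown3,
 * IDL   [out] [context_handle] void *hEventLog
 * IDL );
 */

/* ElfrRegisterEventSourceW request: same wire layout as ElfrOpenELW. */
static int
eventlog_dissect_register_evt_srcw_rqst(tvbuff_t *tvb, int offset,
					packet_info *pinfo, proto_tree *tree,
					guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     eventlog_dissect_TYPE_6,
				     NDR_POINTER_UNIQUE,
				     "Unknown struct pointer:",
				     hf_eventlog_unknown);

	offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
					    hf_eventlog_name, 0);

	offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
					    hf_eventlog_unknown_string, 0);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	return offset;
}

/* ElfrRegisterEventSourceW reply: new handle (is_open), then NTSTATUS. */
static int
eventlog_dissect_register_evt_srcw_reply(tvbuff_t *tvb, int offset,
					 packet_info *pinfo, proto_tree *tree,
					 guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       TRUE, FALSE);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL NTSTATUS ElfrOpenBELW(
 * IDL   [in] [unique] TYPE_6 *unknown0,
 * IDL   [in] UNICODE_STRING eventlog_name,
 * IDL   [in] long unknown2,
 * IDL   [in] long unknown3,
 * IDL   [out] [context_handle] void *hEventLog
 * IDL );
 */

/* ElfrOpenBELW request: like ElfrOpenELW but with a single counted string. */
static int
eventlog_dissect_open_backupw_rqst(tvbuff_t *tvb, int offset,
				   packet_info *pinfo, proto_tree *tree,
				   guint8 *drep)
{
	offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
				     eventlog_dissect_TYPE_6,
				     NDR_POINTER_UNIQUE,
				     "Unknown struct pointer:",
				     hf_eventlog_unknown);

	offset = dissect_ndr_counted_string(tvb, offset, pinfo, tree, drep,
					    hf_eventlog_name, 0);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_unknown, NULL);

	return offset;
}

/* ElfrOpenBELW reply: new handle (is_open), then NTSTATUS. */
static int
eventlog_dissect_open_backupw_reply(tvbuff_t *tvb, int offset,
				    packet_info *pinfo, proto_tree *tree,
				    guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       TRUE, FALSE);

	offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
				  hf_eventlog_rc, NULL);

	return offset;
}

/* IDL long ElfrReadELW(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] long flags,
 * IDL   [in] long offset,
 * IDL   [in,out] long number_of_bytes,
 * IDL   [out] [size_is(number_of_bytes)] byte *data,
 * IDL   [out] long sent_size,
 * IDL   [out] long real_size
 * IDL );
 */

/*
 * ElfrReadELW request: handle, read flags, record offset and the size of
 * the buffer the client offers.  The reply (records + sizes) is not
 * dissected yet, see the NULL reply entry in the opnum table.
 */
static int
eventlog_dissect_readw_rqst(tvbuff_t *tvb, int offset, packet_info *pinfo,
			    proto_tree *tree, guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_flags, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_offset, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_size, NULL);

	return offset;
}

/*
 * The following operations are recognised by opnum (see the table below)
 * but not dissected yet.  Their IDL is kept here for reference.
 */

/* IDL typedef struct {
 * IDL   char element_47[6];
 * IDL } TYPE_4;
 */

/* IDL typedef struct {
 * IDL   char element_43;
 * IDL   char element_44;
 * IDL   TYPE_4 element_45;
 * IDL   [size_is(element_44)] byte element_46[*];
 * IDL } TYPE_3;
 */

/* IDL long ElfrReportEventW(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] long element_49,
 * IDL   [in] short element_50,
 * IDL   [in] short element_51,
 * IDL   [in] long element_52,
 * IDL   [in] short element_53,
 * IDL   [in] long element_54,
 * IDL   [in] UNICODE_STRING element_55,
 * IDL   [in] [unique] TYPE_3 *element_56,
 * IDL   [in] [size_is(element_53)] [unique] byte *element_57,
 * IDL   [in] [size_is(element_54)] [unique] byte *element_58,
 * IDL   [in] short element_59,
 * IDL   [in,out] [unique] long *element_60,
 * IDL   [in,out] [unique] long *element_61
 * IDL );
 */

/* IDL typedef struct {
 * IDL   short length;
 * IDL   short size;
 * IDL   [size_is(size)] [unique] byte *string;
 * IDL } ASCII_STRING;
 */

/* IDL NTSTATUS ElfrClearELFA(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] [unique] ASCII_STRING *BackupFileName
 * IDL );
 */

/* IDL NTSTATUS ElfrBackupELFA(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] ASCII_STRING BackupFileName
 * IDL );
 */

/* IDL NTSTATUS ElfrOpenELA(
 * IDL   [in] [unique] TYPE_6 *unknown0,
 * IDL   [in] ASCII_STRING eventlog_name,
 * IDL   [in] ASCII_STRING unknown1,
 * IDL   [in] long unknown2,
 * IDL   [in] long unknown3,
 * IDL   [out] [context_handle] void *hEventLog
 * IDL );
 */

/* IDL long ElfrRegisterEventSourceA(
 * IDL   [in] [unique] char *element_75,
 * IDL   [in] ASCII_STRING element_76,
 * IDL   [in] ASCII_STRING element_77,
 * IDL   [in] long element_78,
 * IDL   [in] long element_79,
 * IDL   [out] [context_handle] void *hEventLog
 * IDL );
 */

/* IDL NTSTATUS ElfrOpenBELA(
 * IDL   [in] [unique] char *element_81,
 * IDL   [in] ASCII_STRING element_82,
 * IDL   [in] long element_83,
 * IDL   [in] long element_84,
 * IDL   [out] [context_handle] void *hEventLog
 * IDL );
 */

/* IDL long ElfrReadELA(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] long element_87,
 * IDL   [in] long element_88,
 * IDL   [in] long element_89,
 * IDL   [out] [size_is(element_89)] byte element_90[*],
 * IDL   [out] long element_91,
 * IDL   [out] long element_92
 * IDL );
 */

/* IDL long ElfrReportEventA(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] long element_94,
 * IDL   [in] short element_95,
 * IDL   [in] short element_96,
 * IDL   [in] long element_97,
 * IDL   [in] short element_98,
 * IDL   [in] long element_99,
 * IDL   [in] ASCII_STRING element_100,
 * IDL   [in] [unique] TYPE_3 *element_101,
 * IDL   [in] [size_is(element_98)] [unique] byte *element_102,
 * IDL   [in] [size_is(element_99)] [unique] byte *element_103,
 * IDL   [in] short element_104,
 * IDL   [in,out] [unique] long *element_105,
 * IDL   [in,out] [unique] long *element_106
 * IDL );
 */

/* IDL long ElfrRegisterClusterSvc(
 * IDL   [in] [unique] wchar_t *element_107,
 * IDL   [out] long element_108,
 * IDL   [out] [size_is(*element_108)] [ref] byte **element_109
 * IDL );
 */

/* IDL long ElfrWriteClusterEvents(
 * IDL   [in] [unique] wchar_t *element_110
 * IDL );
 */

/* IDL long ElfrUnregisterClusterSvc(
 * IDL   [in] [unique] wchar_t *element_111,
 * IDL   [in] long element_112,
 * IDL   [in] [size_is(element_112)] byte element_113[*]
 * IDL );
 */

/* Information levels accepted by ElfrGetLogInformation. */
static const value_string infoLevels[] = {
	{ 0, "EVENTLOG_FULL_INFORMATION" },
	{ 0, NULL }
};

/* IDL long ElfrGetLogInformation(
 * IDL   [in] [context_handle] void *hEventLog,
 * IDL   [in] long dwInfoLevel,
 * IDL   [out] [size_is(cbBufSize)] char lpBuffer[*],
 * IDL   [in] long cbBufSize,
 * IDL   [out] long cbBytesNeeded
 * IDL );
 */

/*
 * ElfrGetLogInformation request: handle, information level and the size
 * of the client's output buffer (only the [in] parameters are on the wire).
 */
static int
eventlog_dissect_getloginfo_rqst(tvbuff_t *tvb, int offset,
				 packet_info *pinfo, proto_tree *tree,
				 guint8 *drep)
{
	offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
				       hf_eventlog_hnd, NULL, NULL,
				       FALSE, FALSE);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_infolevel, NULL);

	offset = dissect_ndr_uint32(tvb, offset, pinfo, tree, drep,
				    hf_eventlog_bufsize, NULL);

	return offset;
}

/*
 * Opnum table.  A NULL request or reply dissector means the operation is
 * only named; the DCE/RPC layer then shows it as undissected stub data.
 */
static dcerpc_sub_dissector dcerpc_eventlog_dissectors[] = {
	{ EVENTLOG_CLEAR, "ElfrClearELFW",
	  eventlog_dissect_clearw_rqst, eventlog_dissect_clearw_reply },
	{ EVENTLOG_BACKUP, "ElfrBackupELFW",
	  eventlog_dissect_backupw_rqst, eventlog_dissect_backupw_reply },
	{ EVENTLOG_CLOSE, "ElfrCloseEL",
	  eventlog_dissect_close_rqst, eventlog_dissect_close_reply },
	{ EVENTLOG_DEREGISTER_EVT_SRC, "ElfrDeregisterEventSource",
	  eventlog_dissect_deregister_evt_src_rqst,
	  eventlog_dissect_deregister_evt_src_reply },
	{ EVENTLOG_NUMOFRECORDS, "ElfrNumberOfRecords",
	  eventlog_dissect_getnumofrecords_rqst,
	  eventlog_dissect_getnumofrecords_reply },
	{ EVENTLOG_GET_OLDEST_RECORD, "ElfrOldestRecord",
	  eventlog_dissect_oldestrecord_rqst,
	  eventlog_dissect_oldestrecord_reply },
	{ EVENTLOG_NOTIFY_CHANGE, "ElfrChangeNotify",
	  eventlog_dissect_changenotify_rqst,
	  eventlog_dissect_changenotify_reply },
	{ EVENTLOG_OPEN, "ElfrOpenELW",
	  eventlog_dissect_openw_rqst, eventlog_dissect_openw_reply },
	{ EVENTLOG_REGISTER_EVT_SRC, "ElfrRegisterEventSourceW",
	  eventlog_dissect_register_evt_srcw_rqst,
	  eventlog_dissect_register_evt_srcw_reply },
	{ EVENTLOG_OPEN_BACKUP, "ElfrOpenBELW",
	  eventlog_dissect_open_backupw_rqst,
	  eventlog_dissect_open_backupw_reply },
	{ EVENTLOG_READ, "ElfrReadELW",
	  eventlog_dissect_readw_rqst, NULL },
	{ EVENTLOG_REPORT, "ElfrReportEventW", NULL, NULL },
	{ EVENTLOG_CLEAR_ASCII, "ElfrClearELFA", NULL, NULL },
	{ EVENTLOG_BACKUP_ASCII, "ElfrBackupELFA", NULL, NULL },
	{ EVENTLOG_OPEN_ASCII, "ElfrOpenELA", NULL, NULL },
	{ EVENTLOG_REGISTER_EVT_SRC_ASCII, "ElfrRegisterEventSourceA",
	  NULL, NULL },
	{ EVENTLOG_OPEN_BACKUP_ASCII, "ElfrOpenBELA", NULL, NULL },
	{ EVENTLOG_READ_ASCII, "ElfrReadELA", NULL, NULL },
	{ EVENTLOG_REPORT_ASCII, "ElfrReportEventA", NULL, NULL },
	{ EVENTLOG_REGISTER_CLUSTER_SVC, "ElfrRegisterClusterSvc",
	  NULL, NULL },
	{ EVENTLOG_DEREGISTER_CLUSTER_SVC, "ElfrDeregisterClusterSvc",
	  NULL, NULL },
	{ EVENTLOG_WRITE_CLUSTER_EVENTS, "ElfrWriteClusterEvents",
	  NULL, NULL },
	{ EVENTLOG_GET_INFO, "ElfrGetLogInformation",
	  eventlog_dissect_getloginfo_rqst, NULL },
	{ EVENTLOG_FLUSH, "ElfrFlushEL", NULL, NULL },
	{ 0, NULL, NULL, NULL }
};

/*
 * Register the protocol, its header fields and its subtree with the
 * protocol registry.  Called once at startup by the generated register
 * table; must precede proto_reg_handoff_dcerpc_eventlog().
 */
void
proto_register_dcerpc_eventlog(void)
{
	static hf_register_info hf[] = {
		{ &hf_eventlog_opnum,
		  { "Operation", "eventlog.opnum", FT_UINT16, BASE_DEC,
		    NULL, 0x0, "Operation", HFILL }},
		{ &hf_eventlog_name,
		  { "Eventlog name", "eventlog.name", FT_STRING, BASE_NONE,
		    NULL, 0x0, "Eventlog name", HFILL }},
		{ &hf_eventlog_numofrecords,
		  { "Number of records", "eventlog.records", FT_UINT32,
		    BASE_DEC, NULL, 0x0, "Number of records in eventlog",
		    HFILL }},
		{ &hf_eventlog_oldest_record,
		  { "Oldest record", "eventlog.oldest_record", FT_UINT32,
		    BASE_DEC, NULL, 0x0,
		    "Oldest record available in eventlog", HFILL }},
		{ &hf_eventlog_rc,
		  { "Return code", "eventlog.rc", FT_UINT32, BASE_HEX,
		    VALS(NT_errors), 0x0, "Eventlog return status code",
		    HFILL }},
		{ &hf_eventlog_hnd,
		  { "Context Handle", "eventlog.hnd", FT_BYTES, BASE_NONE,
		    NULL, 0x0, "Eventlog context handle", HFILL }},
		{ &hf_eventlog_backup_file,
		  { "Backup filename", "eventlog.backup_file", FT_STRING,
		    BASE_NONE, NULL, 0x0, "Eventlog backup file", HFILL }},
		/* VALS() rather than &infoLevels: same address, but the
		 * idiom used for NT_errors above and a proper const void *. */
		{ &hf_eventlog_infolevel,
		  { "Information level", "eventlog.info_level", FT_UINT32,
		    BASE_DEC, VALS(infoLevels), 0x0,
		    "Eventlog information level", HFILL }},
		{ &hf_eventlog_bufsize,
		  { "Buffer size", "eventlog.buf_size", FT_UINT32, BASE_DEC,
		    NULL, 0x0, "Eventlog buffer size", HFILL }},
		{ &hf_eventlog_unknown,
		  { "Unknown field", "eventlog.unknown", FT_UINT32, BASE_DEC,
		    NULL, 0x0, "Unknown field", HFILL }},
		{ &hf_eventlog_unknown16,
		  { "Unknown field", "eventlog.unknown16", FT_UINT16,
		    BASE_DEC, NULL, 0x0, "Unknown 16-bit field", HFILL }},
		{ &hf_eventlog_unknown_string,
		  { "Unknown string", "eventlog.unknown_str", FT_STRING,
		    BASE_NONE, NULL, 0x0, "Unknown string", HFILL }},
		{ &hf_eventlog_flags,
		  { "Eventlog flags", "eventlog.flags", FT_UINT32, BASE_HEX,
		    NULL, 0x0, "Eventlog flags", HFILL }},
		{ &hf_eventlog_offset,
		  { "Eventlog offset", "eventlog.offset", FT_UINT32,
		    BASE_DEC, NULL, 0x0, "Eventlog offset", HFILL }},
		{ &hf_eventlog_size,
		  { "Eventlog size", "eventlog.size", FT_UINT32, BASE_DEC,
		    NULL, 0x0, "Eventlog size", HFILL }},
	};

	static gint *ett[] = {
		&ett_dcerpc_eventlog,
	};

	proto_dcerpc_eventlog = proto_register_protocol(
		"Microsoft Eventlog Service", "EVENTLOG", "eventlog");

	proto_register_field_array(proto_dcerpc_eventlog, hf,
				   array_length(hf));
	proto_register_subtree_array(ett, array_length(ett));
}

/*
 * Hand the interface UUID/version and the opnum table to the DCE/RPC
 * layer so it routes matching bind contexts to this dissector.
 */
void
proto_reg_handoff_dcerpc_eventlog(void)
{
	/* register protocol as dcerpc */
	dcerpc_init_uuid(proto_dcerpc_eventlog, ett_dcerpc_eventlog,
			 &uuid_dcerpc_eventlog, ver_dcerpc_eventlog,
			 dcerpc_eventlog_dissectors, hf_eventlog_opnum);
}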
/* packet-dcerpc-eventlog.h
 * Routines for SMB \pipe\eventlog packet disassembly
 * Copyright 2004 Jean-Baptiste Marchand <jbm@xxxxxx>
 *
 * $Id$
 *
 * Ethereal - Network traffic analyzer
 * By Gerald Combs <gerald@xxxxxxxxxxxx>
 * Copyright 1998 Gerald Combs
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 */

#ifndef __PACKET_DCERPC_EVENTLOG_H
#define __PACKET_DCERPC_EVENTLOG_H

/* MSRPC functions available in the eventlog interface */

/*
 * Opnums of the eventlog interface, in wire order.  These are the keys of
 * the dcerpc_sub_dissector table in packet-dcerpc-eventlog.c; the opnum is
 * the 16-bit operation number carried in the DCE/RPC request header.
 *
 * The first twelve operations take Unicode strings (the "...W" names in
 * the .c file); the "_ASCII" opnums from 0x0c on are their ANSI-string
 * counterparts ("...A").  EVENTLOG_CLEAR / EVENTLOG_CLEAR_ASCII and the
 * two BACKUP opnums are the operations that modify or export a log, so
 * they are the ones to look at first when reviewing a capture for remote
 * log manipulation.
 */
#define EVENTLOG_CLEAR				0x00
#define EVENTLOG_BACKUP				0x01
#define EVENTLOG_CLOSE				0x02
#define EVENTLOG_DEREGISTER_EVT_SRC		0x03
#define EVENTLOG_NUMOFRECORDS			0x04
#define EVENTLOG_GET_OLDEST_RECORD		0x05
#define EVENTLOG_NOTIFY_CHANGE			0x06
#define EVENTLOG_OPEN				0x07
#define EVENTLOG_REGISTER_EVT_SRC		0x08
#define EVENTLOG_OPEN_BACKUP			0x09
#define EVENTLOG_READ				0x0a
#define EVENTLOG_REPORT				0x0b
/* ANSI-string variants of the operations above. */
#define EVENTLOG_CLEAR_ASCII			0x0c
#define EVENTLOG_BACKUP_ASCII			0x0d
#define EVENTLOG_OPEN_ASCII			0x0e
#define EVENTLOG_REGISTER_EVT_SRC_ASCII		0x0f
#define EVENTLOG_OPEN_BACKUP_ASCII		0x10
#define EVENTLOG_READ_ASCII			0x11
#define EVENTLOG_REPORT_ASCII			0x12
/* Cluster service operations; only named, not dissected, in the .c file. */
#define EVENTLOG_REGISTER_CLUSTER_SVC		0x13
#define EVENTLOG_DEREGISTER_CLUSTER_SVC		0x14
#define EVENTLOG_WRITE_CLUSTER_EVENTS		0x15
#define EVENTLOG_GET_INFO			0x16
#define EVENTLOG_FLUSH				0x17

#endif /* packet-dcerpc-eventlog.h */