Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
m3ua_reason |
Reason |
Unsigned 32-bit integer |
m3ua_si |
Service indicator |
Unsigned 8-bit integer |
m3ua_ssn |
Subsystem number |
Unsigned 8-bit integer |
MTP2 Peer Adaptation Layer (m2pa)
Table A-128. MTP2 Peer Adaptation Layer (m2pa)
Field |
Field Name |
Type |
m2pa.bsn |
BSN |
Unsigned 16-bit integer |
m2pa.class |
Message Class |
Unsigned 8-bit integer |
m2pa.filler |
Filler |
Byte array |
m2pa.fsn |
FSN |
Unsigned 16-bit integer |
m2pa.length |
Message length |
Unsigned 32-bit integer |
m2pa.li_priority |
Priority |
Unsigned 8-bit integer |
m2pa.li_spare |
Spare |
Unsigned 8-bit integer |
m2pa.spare |
Spare |
Unsigned 8-bit integer |
m2pa.status |
Link Status Status |
Unsigned 32-bit integer |
m2pa.type |
Message Type |
Unsigned 8-bit integer |
m2pa.unknown_data |
Unknown Data |
Byte array |
m2pa.version |
Version |
Unsigned 8-bit integer |
Malformed Packet (malformed)
Table A-129. Malformed Packet (malformed)
Field |
Field Name |
Type |
|
|
|
Message Transfer Part Level 2 (mtp2)
Table A-130. Message Transfer Part Level 2 (mtp2)
Field |
Field Name |
Type |
mtp2.bib |
Backward indicator bit |
Unsigned 8-bit integer |
201
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
mtp2.bsn |
Backward sequence |
Unsigned 8-bit integer |
|
number |
|
mtp2.fib |
Forward indicator bit |
Unsigned 8-bit integer |
mtp2.fsn |
Forward sequence number |
Unsigned 8-bit integer |
mtp2.li |
Length Indicator |
Unsigned 8-bit integer |
mtp2.long_sf |
Status field |
Unsigned 16-bit integer |
mtp2.sf |
Status field |
Unsigned 8-bit integer |
mtp2.spare |
Spare |
Unsigned 8-bit integer |
Message Transfer Part Level 3 (mtp3)
Table A-131. Message Transfer Part Level 3 (mtp3)
Field |
Field Name |
Type |
mtp3.dpc |
DPC |
Unsigned 32-bit integer |
mtp3.dpc.cluster |
DPC Cluster |
Unsigned 24-bit integer |
mtp3.dpc.member |
DPC Member |
Unsigned 24-bit integer |
mtp3.dpc.network |
DPC Network |
Unsigned 24-bit integer |
mtp3.network_indicator |
Network indicator |
Unsigned 8-bit integer |
mtp3.opc |
OPC |
Unsigned 32-bit integer |
mtp3.opc.cluster |
OPC Cluster |
Unsigned 24-bit integer |
mtp3.opc.member |
OPC Member |
Unsigned 24-bit integer |
mtp3.opc.network |
OPC Network |
Unsigned 24-bit integer |
mtp3.priority |
Priority |
Unsigned 8-bit integer |
mtp3.service_indicator |
Service indicator |
Unsigned 8-bit integer |
mtp3.sls |
Signalling Link Selector |
Unsigned 32-bit integer |
mtp3.spare |
Spare |
Unsigned 8-bit integer |
Microsoft Distributed File System (dfs)
Table A-132. Microsoft Distributed File System (dfs)
Field |
Field Name |
Type |
dfs.opnum |
Operation |
Unsigned 16-bit integer |
202
Appendix A. Ethereal Display Filter Fields
Microsoft Exchange MAPI (mapi)
Table A-133. Microsoft Exchange MAPI (mapi)
Field |
Field Name |
Type |
mapi.decrypted.data |
Decrypted data |
Byte array |
mapi.decrypted.data.len |
Length |
Unsigned 32-bit integer |
mapi.decrypted.data.maxlenMax |
Length |
Unsigned 32-bit integer |
|
|
|
mapi.decrypted.data.offset |
Offset |
Unsigned 32-bit integer |
|
|
|
mapi.encap_len |
Length |
Unsigned 16-bit integer |
mapi.hnd |
Context Handle |
Byte array |
mapi.pdu.extra_trailer |
unknown |
Byte array |
mapi.pdu.len |
Length |
Unsigned 16-bit integer |
mapi.pdu.trailer |
Trailer |
Unsigned 32-bit integer |
mapi.rc |
Return code |
Unsigned 32-bit integer |
mapi.unknown_data |
unknown encrypted data |
Byte array |
mapi.unknown_short |
Unknown short |
Unsigned 16-bit integer |
mapi.unknown_string |
Unknown string |
String |
Microsoft Local Security Architecture (lsa)
Table A-134. Microsoft Local Security Architecture (lsa)
Field |
Field Name |
Type |
lsa.access_mask |
Access Mask |
Unsigned 32-bit integer |
lsa.acct |
Account |
String |
lsa.attr |
Attr |
|
lsa.auth.blob |
Auth blob |
Byte array |
lsa.auth.len |
Auth Len |
Unsigned 32-bit integer |
lsa.auth.type |
Auth Type |
Unsigned 32-bit integer |
lsa.auth.update |
Update |
|
lsa.controller |
Controller |
String |
lsa.count |
Count |
Unsigned 32-bit integer |
lsa.cur.mtime |
Current MTime |
Date/Time stamp |
lsa.domain |
Domain |
String |
lsa.flat_name |
Flat Name |
String |
203
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
lsa.forest |
Forest |
String |
lsa.hnd |
Context Handle |
Byte array |
lsa.index |
Index |
Unsigned 32-bit integer |
lsa.info.level |
Level |
Unsigned 16-bit integer |
lsa.info_type |
Info Type |
Unsigned 32-bit integer |
lsa.key |
Key |
Byte array |
lsa.max_count |
Max Count |
Unsigned 32-bit integer |
lsa.mod.mtime |
MTime |
Date/Time stamp |
lsa.mod.seq_no |
Seq No |
|
lsa.name |
Name |
String |
lsa.new_pwd |
New Password |
Byte array |
lsa.num_mapped |
Num Mapped |
Unsigned 32-bit integer |
lsa.obj_attr |
Attributes |
Unsigned 32-bit integer |
lsa.obj_attr.len |
Length |
Unsigned 32-bit integer |
lsa.obj_attr.name |
Name |
String |
lsa.old.mtime |
Old MTime |
Date/Time stamp |
lsa.old_pwd |
Old Password |
Byte array |
lsa.opnum |
Operation |
Unsigned 16-bit integer |
lsa.paei.enabled |
Enabled |
Unsigned 8-bit integer |
lsa.paei.settings |
Settings |
Unsigned 32-bit integer |
lsa.pali.log_size |
Log Size |
Unsigned 32-bit integer |
lsa.pali.next_audit_record |
Next Audit Record |
Unsigned 32-bit integer |
lsa.pali.percent_full |
Percent Full |
Unsigned 32-bit integer |
lsa.pali.retention_period |
Retention Period |
Time duration |
lsa.pali.shutdown_in_progressShutdown in progress |
Unsigned 8-bit integer |
|
|
|
|
lsa.pali.time_to_shutdown |
Time to shutdown |
Time duration |
lsa.policy.info |
Info Class |
Unsigned 16-bit integer |
lsa.privilege.name |
Name |
String |
lsa.qos.effective_only |
Effective only |
Unsigned 8-bit integer |
lsa.qos.imp_lev |
Impersonation level |
Unsigned 16-bit integer |
lsa.qos.len |
Length |
Unsigned 32-bit integer |
lsa.qos.track_ctx |
Context Tracking |
Unsigned 8-bit integer |
lsa.quota.max_wss |
Max WSS |
Unsigned 32-bit integer |
lsa.quota.min_wss |
Min WSS |
Unsigned 32-bit integer |
lsa.quota.non_paged_pool |
Non Paged Pool |
Unsigned 32-bit integer |
204
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
lsa.quota.paged_pool |
Paged Pool |
Unsigned 32-bit integer |
lsa.quota.pagefile |
Pagefile |
Unsigned 32-bit integer |
lsa.rc |
Return code |
Unsigned 32-bit integer |
lsa.remove_all |
Remove All |
Unsigned 8-bit integer |
lsa.resume_handle |
Resume Handle |
Unsigned 32-bit integer |
lsa.rid |
RID |
Unsigned 32-bit integer |
lsa.rid.offset |
RID Offset |
Unsigned 32-bit integer |
lsa.rights |
Rights |
String |
lsa.sd_size |
Size |
Unsigned 32-bit integer |
lsa.secret |
LSA Secret |
Byte array |
lsa.server |
Server |
String |
lsa.server_role |
Role |
Unsigned 16-bit integer |
lsa.sid_type |
SID Type |
Unsigned 16-bit integer |
lsa.size |
Size |
Unsigned 32-bit integer |
lsa.size_needed |
Size Needed |
Unsigned 16-bit integer |
lsa.source |
Source |
String |
lsa.trust.attr |
Trust Attr |
Unsigned 32-bit integer |
lsa.trust.attr.non_trans |
Non Transitive |
Boolean |
lsa.trust.attr.tree_parent |
Tree Parent |
Boolean |
lsa.trust.attr.tree_root |
Tree Root |
Boolean |
lsa.trust.attr.uplevel_only |
Upleve only |
Boolean |
lsa.trust.direction |
Trust Direction |
Unsigned 32-bit integer |
lsa.trust.type |
Trust Type |
Unsigned 32-bit integer |
lsa.trusted.info_level |
Info Level |
Unsigned 16-bit integer |
lsa.unknown.char |
Unknown char |
Unsigned 8-bit integer |
lsa.unknown.hyper |
Unknown hyper |
|
lsa.unknown.long |
Unknown long |
Unsigned 32-bit integer |
lsa.unknown.short |
Unknown short |
Unsigned 16-bit integer |
lsa.unknown_string |
Unknown string |
String |
nt.luid.high |
High |
Unsigned 32-bit integer |
nt.luid.low |
Low |
Unsigned 32-bit integer |
205
Appendix A. Ethereal Display Filter Fields
Microsoft Network Logon (rpc_netlogon)
Table A-135. Microsoft Network Logon (rpc_netlogon)
Field |
Field Name |
Type |
netlogon.acct.expiry_time |
Acct Expiry Time |
Date/Time stamp |
netlogon.acct_desc |
Acct Desc |
String |
netlogon.acct_name |
Acct Name |
String |
netlogon.alias_name |
Alias Name |
String |
netlogon.alias_rid |
Alias RID |
Unsigned 32-bit integer |
netlogon.attrs |
Attributes |
Unsigned 32-bit integer |
netlogon.audit_retention_periodAu it Retention Period |
Time duration |
|
|
|
|
netlogon.auditing_mode |
Auditing Mode |
Unsigned 8-bit integer |
netlogon.auth.data |
Auth Data |
Byte array |
netlogon.auth.size |
Auth Size |
Unsigned 32-bit integer |
netlogon.auth_flags |
Auth Flags |
Unsigned 32-bit integer |
netlogon.authoritative |
Authoritative |
Unsigned 8-bit integer |
netlogon.bad_pw_count |
Bad PW Count |
Unsigned 32-bit integer |
netlogon.bad_pw_count16 |
Bad PW Count |
Unsigned 16-bit integer |
netlogon.blob |
BLOB |
Byte array |
netlogon.blob.size |
Size |
Unsigned 32-bit integer |
netlogon.challenge |
Challenge |
Byte array |
netlogon.change_log_size |
Change Log Entry Size |
Unsigned 32-bit integer |
netlogon.cipher_current_dataCipher Current Data |
Byte array |
|
|
|
|
netlogon.cipher_current_setCtipherme Current Set Time |
Date/Time stamp |
|
|
|
|
netlogon.cipher_len |
Cipher Len |
Unsigned 32-bit integer |
netlogon.cipher_maxlen |
Cipher Max Len |
Unsigned 32-bit integer |
netlogon.cipher_old_data |
Cipher Old Data |
Byte array |
netlogon.cipher_old_set_timeCipher Old Set Time |
Date/Time stamp |
|
|
|
|
netlogon.client.name |
Client Name |
String |
netlogon.client.site_name |
Client Site Name |
String |
netlogon.code |
Code |
Unsigned 32-bit integer |
netlogon.codepage |
Codepage |
Unsigned 16-bit integer |
netlogon.comment |
Comment |
String |
netlogon.computer_name |
Computer Name |
String |
206
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
netlogon.count |
Count |
Unsigned 32-bit integer |
netlogon.country |
Country |
Unsigned 16-bit integer |
netlogon.credential |
Credential |
Byte array |
netlogon.database_id |
Database Id |
Unsigned 32-bit integer |
netlogon.db_create_time |
DB Create Time |
Date/Time stamp |
netlogon.db_modify_time |
DB Modify Time |
Date/Time stamp |
netlogon.dc.address |
DC Address |
String |
netlogon.dc.address_type |
DC Address Type |
Unsigned 32-bit integer |
netlogon.dc.name |
DC Name |
String |
netlogon.dc.site_name |
DC Site Name |
String |
netlogon.delta_type |
Delta Type |
Unsigned 16-bit integer |
netlogon.dir_drive |
Dir Drive |
String |
netlogon.dns.forest_name |
DNS Forest Name |
String |
netlogon.dns_host |
DNS Host |
String |
netlogon.domain |
Domain |
String |
netlogon.domain_create_timeDomain Create Time |
Date/Time stamp |
|
|
|
|
netlogon.domain_modify_timeDomain Modify Time |
Date/Time stamp |
|
|
|
|
netlogon.dummy |
Dummy |
String |
netlogon.entries |
Entries |
Unsigned 32-bit integer |
netlogon.event_audit_optionEvent Audit Option |
Unsigned 32-bit integer |
|
|
|
|
netlogon.flags |
Flags |
Unsigned 32-bit integer |
netlogon.full_name |
Full Name |
String |
netlogon.group_desc |
Group Desc |
String |
netlogon.group_name |
Group Name |
String |
netlogon.group_rid |
Group RID |
Unsigned 32-bit integer |
netlogon.handle |
Handle |
String |
netlogon.home_dir |
Home Dir |
String |
netlogon.kickoff_time |
Kickoff Time |
Date/Time stamp |
netlogon.last_logoff |
Last Logoff |
Unsigned 32-bit integer |
netlogon.last_logon |
Last Logon |
Unsigned 32-bit integer |
netlogon.len |
Len |
Unsigned 32-bit integer |
netlogon.level |
Level |
Unsigned 32-bit integer |
netlogon.level16 |
Level |
Unsigned 16-bit integer |
netlogon.lm_chal_resp |
LM Chal resp |
Byte array |
207
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
netlogon.lm_owf_pwd |
LM Pwd |
Byte array |
netlogon.lm_owf_pwd.encryptedEncrypted LM Pwd |
Byte array |
|
|
|
|
netlogon.lm_pwd_present |
LM PWD Present |
Unsigned 8-bit integer |
netlogon.logoff_time |
Logoff Time |
Date/Time stamp |
netlogon.logon_attempts |
Logon Attempts |
Unsigned 32-bit integer |
netlogon.logon_count |
Logon Count |
Unsigned 32-bit integer |
netlogon.logon_count16 |
Logon Count |
Unsigned 16-bit integer |
netlogon.logon_id |
Logon ID |
|
netlogon.logon_script |
Logon Script |
String |
netlogon.logon_time |
Logon Time |
Date/Time stamp |
netlogon.max_audit_event_countMax Audit Event Count |
Unsigned 32-bit integer |
|
|
|
|
netlogon.max_log_size |
Max Log Size |
Unsigned 32-bit integer |
netlogon.max_size |
Max Size |
Unsigned 32-bit integer |
netlogon.max_working_set_Maxsize Working Set Size |
Unsigned 32-bit integer |
|
|
|
|
netlogon.min_passwd_len |
Min Password Len |
Unsigned 16-bit integer |
netlogon.min_working_set_sizeMin Working Set Size |
Unsigned 32-bit integer |
|
|
|
|
netlogon.modify_count |
Modify Count |
|
netlogon.neg_flags |
Neg Flags |
Unsigned 32-bit integer |
netlogon.next_reference |
Next Reference |
Unsigned 32-bit integer |
netlogon.nonpaged_pool_limitNon-Paged Pool Limit |
Unsigned 32-bit integer |
|
|
|
|
netlogon.nt_chal_resp |
NT Chal resp |
Byte array |
netlogon.nt_owf_pwd |
NT Pwd |
Byte array |
netlogon.nt_pwd_present |
NT PWD Present |
Unsigned 8-bit integer |
netlogon.num_dc |
Num DCs |
Unsigned 32-bit integer |
netlogon.num_deltas |
Num Deltas |
Unsigned 32-bit integer |
netlogon.num_other_groupsNum Other Groups |
Unsigned 32-bit integer |
|
|
|
|
netlogon.num_pwd_pairs |
Num PWD Pairs |
Unsigned 8-bit integer |
netlogon.num_rids |
Num RIDs |
Unsigned 32-bit integer |
netlogon.oem_info |
OEM Info |
String |
netlogon.opnum |
Operation |
Unsigned 16-bit integer |
netlogon.pac.data |
Pac Data |
Byte array |
208
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
netlogon.pac.size |
Pac Size |
Unsigned 32-bit integer |
netlogon.page_file_limit |
Page File Limit |
Unsigned 32-bit integer |
netlogon.paged_pool_limit |
Paged Pool Limit |
Unsigned 32-bit integer |
|
|
|
netlogon.param_ctrl |
Param Ctrl |
Unsigned 32-bit integer |
netlogon.parameters |
Parameters |
String |
netlogon.passwd_history_ |
lenPasswd History Len |
Unsigned 16-bit integer |
|
|
|
netlogon.pdc_connection_statusPDC Connection Status |
Unsigned 32-bit integer |
|
|
|
|
netlogon.principal |
Principal |
String |
netlogon.priv |
Priv |
Unsigned 32-bit integer |
netlogon.privilege_control |
Privilege Control |
Unsigned 32-bit integer |
netlogon.privilege_entries |
Privilege Entries |
Unsigned 32-bit integer |
netlogon.privilege_name |
Privilege Name |
String |
netlogon.profile_path |
Profile Path |
String |
netlogon.pwd_can_change_timePWD Can Change |
Date/Time stamp |
|
|
|
|
netlogon.pwd_expired |
PWD Expired |
Unsigned 8-bit integer |
netlogon.pwd_last_set_timePWD Last Set |
Date/Time stamp |
|
|
|
|
netlogon.pwd_must_changePWDtimeMust Change |
Date/Time stamp |
|
|
|
|
netlogon.rc |
Return code |
Unsigned 32-bit integer |
netlogon.reference |
Reference |
Unsigned 32-bit integer |
netlogon.reserved |
Reserved |
Unsigned 32-bit integer |
netlogon.restart_state |
Restart State |
Unsigned 16-bit integer |
netlogon.rid |
User RID |
Unsigned 32-bit integer |
netlogon.sec_chn_type |
Sec Chn Type |
Unsigned 16-bit integer |
netlogon.security_informationSecurity Information |
Unsigned 32-bit integer |
|
|
|
|
netlogon.sensitive_data |
Data |
Byte array |
netlogon.sensitive_data_flagSensitive Data |
Unsigned 8-bit integer |
|
|
|
|
netlogon.sensitive_data_lenLength |
Unsigned 32-bit integer |
|
|
|
|
netlogon.serial_number |
Serial Number |
Unsigned 32-bit integer |
netlogon.server |
Server |
String |
209