Ethereal-dev: [Ethereal-dev] Re: Allow packet-dcerpc-samr.c to indicate lockout times and thre
Checked in,
thanks for improving Ethereal.
I am not sure that the NT 64-bit time functions can handle
FT_RELATIVE_TIME at all yet, and that is likely the problem you see.
(
SAMR will eventually be converted to be autogenerated by an IDL
compiler, but that will not happen for a while yet.
)
On Fri, 25 Mar 2005 10:03:29 -0800, "Richardson, Michael (711)"
<Michael.Richardson@xxxxxxxxxxxxx> wrote:
> <part 1 - the patch>
>
> Attached is a patch to packet-dcerpc-samr.c to decode the following
> parameters:
> - Lockout Threshold
> - Lockout Reset Time
> - Lockout Duration Time
> - Forced Logoff Time After Time Expires
>
> If you need some test packets, it's easy to recreate on a Windows box:
>
> Just run "net accounts /domain" at a command line.
>
> <part 2 - the bug>
> If you do happen to capture these packets, you will note that
> Ethereal is unable to display the times correctly. They will always
> appear as "Time can't be converted".
>
> I believe there are bugs in the functions "nt_time_to_nstime" or
> "dissect_nt_64bit_time" in "packet-windows-common.c". I'm trying to
> figure out how to correct this and could easily be wrong.
>
> For example, it appears that these functions are unable to handle
> "relative" times. A negative value here should indicate a "relative"
> time. Positive should indicate absolute time.
>
> Here are some common values that are found in "Lockout Duration Time".
> 0x00CC1dcffbffffff (-18,000,000,000 decimal) (nano seconds), should
> equal 30 minutes - Ethereal displays as "Time can't be converted".
> 0x0080d21647b9ffff (-77,760,000,000,000 decimal) = 129600 minutes = 2160
> hours = 90 days - Ethereal displays as "Time can't be converted".
>
> But, using a hex editor to manipulate one of these values in a capture,
> the time will display.
> 0xa2028589cb2fc501 = Ethereal displays as "March 23, 2005
> 11:12:48.198928200"
>
> I also think the "Infinity" markings in "dissect_nt_64bit_time" are
> interesting. Windows is actually indicating that the values have not
> been set or never occur. The phrase "Infinity" doesn't really
> communicate what this indicates. For example, on most Windows
> computers (unless the default value is changed), Windows will report
> the "Forced Logoff Time After Time Expires" value 0x0000000000000080
> as "Never Expires". Ethereal indicates this value as "Infinity
> (relative time)". You can see this with the "net accounts" command or
> other tools.
>
> I'm currently working on a patch, but since I can barely code, I'm
> moving slowly. The following link from the "samba" team has an example
> of two
>
> References:
> http://www.samba.org/cgi-bin/cvsweb/samba/source/rpc_server/srv_samr_nt.c?rev=1.187&content-type=text/x-cvsweb-markup
> http://www.samba.org/cgi-bin/cvsweb/samba/source/lib/time.c?rev=1.53&content-type=text/x-cvsweb-markup - "nt_time_to_unix" and
> "nt_time_to_unix_abs" functions.
>
> Thanks,
> Mike
> Michael Richardson
> Protiviti
> http://www.protiviti.com
>
>
> 120 South LaSalle Street
> Suite 2200
> Chicago, IL 60603
>
> Direct: 312.476.6354
> Fax: 312.476.6854
>
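The decoding the thread is arguing about, worked through as an added example (this is not Ethereal, Wireshark or Samba code). An NT 64-bit time is eight little-endian bytes holding a signed count of 100-nanosecond ticks, which is why the mail's -18,000,000,000 comes out as 30 minutes (18,000,000,000 x 100 ns = 1800 s) and -77,760,000,000,000 as 90 days. A positive count is an absolute time since 1601-01-01 UTC; a negative count is a relative duration, as the quoted mail and the Samba functions it names describe. The example reads the hex values exactly as the mail writes them (bytes in wire order) and reproduces its third value as 17:12:48.1989282 UTC, which is the 11:12:48 Central time the mail reports. Mapping INT64_MIN (bytes 00..80 on the wire) to "Never" follows what the mail says `net accounts` shows; treating INT64_MAX as an unset absolute time is an assumption of this example.

```python
"""Decode NT 64-bit time values such as those in SAMR domain-info replies.

Added example; not Ethereal, Wireshark or Samba code.  Wire format: eight
little-endian bytes holding a signed 64-bit count of 100-ns ticks.  Positive
counts are absolute times since 1601-01-01 00:00:00 UTC; negative counts are
relative durations (lockout duration, lockout reset window, ...).
"""
import struct
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000            # 100-ns ticks in one second
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Sentinels.  INT64_MIN (bytes 00 00 00 00 00 00 00 80 on the wire) is the
# value the quoted mail reports Windows shows as "Never Expires".  Treating
# INT64_MAX as an unset absolute time is an assumption of this example.
NEVER = -(1 << 63)
UNSET_ABSOLUTE = (1 << 63) - 1


def _fmt_duration(seconds: int) -> str:
    """Render a whole number of seconds as days/hours/minutes/seconds."""
    parts = []
    for unit, size in (("day", 86_400), ("hour", 3_600), ("minute", 60), ("second", 1)):
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count} {unit}{'s' if count != 1 else ''}")
    return ", ".join(parts) or "0 seconds"


def decode_nt_time(raw: bytes) -> dict:
    """Decode eight little-endian bytes of NT time into a descriptive dict."""
    if len(raw) != 8:
        raise ValueError("NT time is exactly 8 bytes")
    (ticks,) = struct.unpack("<q", raw)          # signed, little-endian
    if ticks == NEVER:
        return {"kind": "never", "human": "Never"}
    if ticks == UNSET_ABSOLUTE:
        return {"kind": "unset", "human": "Not set"}
    if ticks < 0:
        # Relative time: the magnitude is the duration in 100-ns ticks.
        whole, frac = divmod(-ticks, TICKS_PER_SECOND)
        return {
            "kind": "relative",
            "seconds": whole + frac / TICKS_PER_SECOND,
            "human": _fmt_duration(whole),
        }
    # Absolute time.  Integer arithmetic keeps the full 100-ns resolution;
    # datetime only stores microseconds, so the last tick digit is appended
    # separately to the rendered string.
    when = NT_EPOCH + timedelta(microseconds=ticks // 10)
    return {
        "kind": "absolute",
        "utc": when,
        "human": when.strftime("%Y-%m-%d %H:%M:%S")
        + f".{when.microsecond:06d}{ticks % 10} UTC",
    }


def decode_hex(wire_hex: str) -> dict:
    """Decode a value written the way the mail shows it: bytes in wire order."""
    return decode_nt_time(bytes.fromhex(wire_hex))


if __name__ == "__main__":
    # Constructed sample values, taken from the figures quoted in the mail.
    for label, wire in (
        ("Lockout Duration", "00CC1DCFFBFFFFFF"),
        ("Lockout Reset", "0080D21647B9FFFF"),
        ("Absolute time", "A2028589CB2FC501"),
        ("Forced Logoff", "0000000000000080"),
    ):
        print(f"{label:18} {wire} -> {decode_hex(wire)['human']}")
```

The sign test is the whole fix the mail is asking for: a dissector that unpacks the field as unsigned, or that subtracts the 1601-to-1970 offset before checking the sign, will see every relative value as an impossibly large date and fall back to "Time can't be converted". Checking the sentinel values before the sign also keeps INT64_MIN from being rendered as a 29,000-year "relative" duration.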