Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
netlogon.site_name |
Site Name |
String |
netlogon.sync_context |
Sync Context |
Unsigned 32-bit integer |
netlogon.system_flags |
System Flags |
Unsigned 32-bit integer |
netlogon.tc_connection_statusTC Connection Status |
Unsigned 32-bit integer |
|
|
|
|
netlogon.time_limit |
Time Limit |
Time duration |
netlogon.timestamp |
Timestamp |
Date/Time stamp |
netlogon.trusted_dc |
Trusted DC |
String |
netlogon.trusted_domain |
Trusted Domain |
String |
netlogon.unknown.char |
Unknown char |
Unsigned 8-bit integer |
netlogon.unknown.long |
Unknown long |
Unsigned 32-bit integer |
netlogon.unknown.short |
Unknown short |
Unsigned 16-bit integer |
netlogon.unknown.time |
Unknown time |
Date/Time stamp |
netlogon.unknown_string |
Unknown string |
String |
netlogon.user_flags |
User Flags |
Unsigned 32-bit integer |
netlogon.user_session_key |
User Session Key |
Byte array |
netlogon.validation_level |
Validation Level |
Unsigned 16-bit integer |
netlogon.wkst.fqdn |
Wkst FQDN |
String |
netlogon.wkst.name |
Wkst Name |
String |
netlogon.wkst.os |
Wkst OS |
String |
netlogon.wkst.site_name |
Wkst Site Name |
String |
netlogon.wksts |
Workstations |
String |
Microsoft Registry (winreg)
Table A-136. Microsoft Registry (winreg)
Field |
Field Name |
Type |
reg.access_mask |
Access mask |
Unsigned 32-bit integer |
reg.hnd |
Context handle |
Byte array |
reg.keyname |
Key name |
String |
reg.openentry.unknown1 |
Unknown 1 |
Unsigned 32-bit integer |
reg.openhklm.unknown1 |
Unknown 1 |
Unsigned 16-bit integer |
reg.openhklm.unknown2 |
Unknown 2 |
Unsigned 16-bit integer |
reg.opnum |
Operation |
Unsigned 16-bit integer |
reg.querykey.class |
Class |
String |
210
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
reg.querykey.max_subkey_ |
lenMax subkey len |
Unsigned 32-bit integer |
|
|
|
reg.querykey.max_valbuf_sizeMax valbuf size |
Unsigned 32-bit integer |
|
|
|
|
reg.querykey.max_valname_Maxlen valnum len |
Unsigned 32-bit integer |
|
|
|
|
reg.querykey.modtime |
Mod time |
Date/Time stamp |
reg.querykey.num_subkeys |
Num subkeys |
Unsigned 32-bit integer |
|
|
|
reg.querykey.num_values |
Num values |
Unsigned 32-bit integer |
reg.querykey.reserved |
Reserved |
Unsigned 32-bit integer |
reg.querykey.secdesc |
Secdesc |
Unsigned 32-bit integer |
reg.rc |
Return code |
Unsigned 32-bit integer |
reg.unknown1A.unknown1 Unknown 1 |
Unsigned 32-bit integer |
|
|
|
|
Microsoft Security Account Manager (samr)
Table A-137. Microsoft Security Account Manager (samr)
Field |
Field Name |
Type |
nt.acct_ctrl |
Acct Ctrl |
Unsigned 32-bit integer |
nt.str.len |
Length |
Unsigned 32-bit integer |
nt.str.max_len |
Max Length |
Unsigned 32-bit integer |
nt.str.offset |
Offset |
Unsigned 32-bit integer |
nt.string.length |
Length |
Unsigned 16-bit integer |
nt.string.size |
Size |
Unsigned 16-bit integer |
samr.access |
Access Mask |
Unsigned 32-bit integer |
samr.acct_desc |
Account Desc |
String |
samr.acct_expiry_time |
Acct Expiry |
Date/Time stamp |
samr.acct_name |
Account Name |
String |
samr.alias |
Alias |
Unsigned 32-bit integer |
samr.alias_name |
Alias Name |
String |
samr.attr |
Attributes |
Unsigned 32-bit integer |
samr.bad_pwd_count |
Bad Pwd Count |
Unsigned 16-bit integer |
samr.codepage |
Codepage |
Unsigned 16-bit integer |
samr.comment |
Comment |
String |
211
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
samr.count |
Count |
Unsigned 32-bit integer |
samr.country |
Country |
Unsigned 16-bit integer |
samr.crypt_hash |
Hash |
Byte array |
samr.crypt_password |
Password |
Byte array |
samr.dc |
DC |
String |
samr.divisions |
Divisions |
Unsigned 16-bit integer |
samr.domain |
Domain |
String |
samr.entries |
Entries |
Unsigned 32-bit integer |
samr.full_name |
Full Name |
String |
samr.group |
Group |
Unsigned 32-bit integer |
samr.group_name |
Group Name |
String |
samr.hnd |
Context Handle |
Byte array |
samr.home |
Home |
String |
samr.home_drive |
Home Drive |
String |
samr.index |
Index |
Unsigned 32-bit integer |
samr.info_type |
Info Type |
Unsigned 32-bit integer |
samr.kickoff_time |
Kickoff Time |
Date/Time stamp |
samr.level |
Level |
Unsigned 16-bit integer |
samr.lm_change |
LM Change |
Unsigned 8-bit integer |
samr.lm_pwd_set |
LM Pwd Set |
Unsigned 8-bit integer |
samr.logoff_time |
Logoff Time |
Date/Time stamp |
samr.logon_count |
Logon Count |
Unsigned 16-bit integer |
samr.logon_time |
Logon Time |
Date/Time stamp |
samr.mask |
Mask |
Unsigned 32-bit integer |
samr.max_entries |
Max Entries |
Unsigned 32-bit integer |
samr.max_pwd_age |
Max Pwd Age |
Time duration |
samr.min_pwd_age |
Min Pwd Age |
Time duration |
samr.min_pwd_len |
Min Pwd Len |
Unsigned 16-bit integer |
samr.nt_pwd_set |
NT Pwd Set |
Unsigned 8-bit integer |
samr.num_aliases |
Num Aliases |
Unsigned 32-bit integer |
samr.num_groups |
Num Groups |
Unsigned 32-bit integer |
samr.num_users |
Num Users |
Unsigned 32-bit integer |
samr.opnum |
Operation |
Unsigned 16-bit integer |
samr.parameters |
Parameters |
String |
samr.pref_maxsize |
Pref MaxSize |
Unsigned 32-bit integer |
samr.profile |
Profile |
String |
212
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
samr.pwd_Expired |
Expired flag |
Unsigned 8-bit integer |
samr.pwd_can_change_timePWD Can Change |
Date/Time stamp |
|
|
|
|
samr.pwd_history_len |
Pwd History Len |
Unsigned 16-bit integer |
samr.pwd_last_set_time |
PWD Last Set |
Date/Time stamp |
samr.pwd_must_change_timePWD Must Change |
Date/Time stamp |
|
|
|
|
samr.rc |
Return code |
Unsigned 32-bit integer |
samr.resume_hnd |
Resume Hnd |
Unsigned 32-bit integer |
samr.ret_size |
Returned Size |
Unsigned 32-bit integer |
samr.revision |
Revision |
|
samr.rid |
Rid |
Unsigned 32-bit integer |
samr.rid.attrib |
Rid Attrib |
Unsigned 32-bit integer |
samr.script |
Script |
String |
samr.server |
Server |
String |
samr.start_idx |
Start Idx |
Unsigned 32-bit integer |
samr.total_size |
Total Size |
Unsigned 32-bit integer |
samr.type |
Type |
Unsigned 32-bit integer |
samr.unknown.char |
Unknown char |
Unsigned 8-bit integer |
samr.unknown.hyper |
Unknown hyper |
|
samr.unknown.long |
Unknown long |
Unsigned 32-bit integer |
samr.unknown.short |
Unknown short |
Unsigned 16-bit integer |
samr.unknown_string |
Unknown string |
String |
samr.unknown_time |
Unknown time |
Date/Time stamp |
samr.workstations |
Workstations |
String |
Microsoft Server Service (srvsvc)
Table A-138. Microsoft Server Service (srvsvc)
Field |
Field Name |
Type |
srvsvc. |
Max Raw Buf Len |
Unsigned 32-bit integer |
srvsvc.acceptdownlevelapisAccept |
Downlevel APIs |
Unsigned 32-bit integer |
|
|
|
srvsvc.accessalert |
Access Alerts |
Unsigned 32-bit integer |
srvsvc.activelocks |
Active Locks |
Unsigned 32-bit integer |
213
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
srvsvc.alerts |
Alerts |
String |
srvsvc.alertsched |
Alert Sched |
Unsigned 32-bit integer |
srvsvc.alist_mtime |
Alist mtime |
Unsigned 32-bit integer |
srvsvc.ann_delta |
Announce Delta |
Unsigned 32-bit integer |
srvsvc.announce |
Announce |
Unsigned 32-bit integer |
srvsvc.auditedevents |
Audited Events |
Unsigned 32-bit integer |
srvsvc.auditprofile |
Audit Profile |
Unsigned 32-bit integer |
srvsvc.autopath |
Autopath |
String |
srvsvc.chdevjobs |
Char Dev Jobs |
Unsigned 32-bit integer |
srvsvc.chdevqs |
Char Devqs |
Unsigned 32-bit integer |
srvsvc.chdevs |
Char Devs |
Unsigned 32-bit integer |
srvsvc.chrdev |
Char Device |
String |
srvsvc.chrdev_opcode |
Opcode |
Unsigned 32-bit integer |
srvsvc.chrdev_status |
Status |
Unsigned 32-bit integer |
srvsvc.chrdev_time |
Time |
Unsigned 32-bit integer |
srvsvc.chrdevq |
Device Queue |
String |
srvsvc.chrqdev_numahead |
Num Ahead |
Unsigned 32-bit integer |
|
|
|
srvsvc.chrqdev_numusers |
Num Users |
Unsigned 32-bit integer |
srvsvc.chrqdev_pri |
Priority |
Unsigned 32-bit integer |
srvsvc.client.type |
Client Type |
String |
srvsvc.comment |
Comment |
String |
srvsvc.computer |
Computer |
String |
srvsvc.con_id |
Connection ID |
Unsigned 32-bit integer |
srvsvc.con_num_opens |
Num Opens |
Unsigned 32-bit integer |
srvsvc.con_time |
Connection Time |
Unsigned 32-bit integer |
srvsvc.con_type |
Connection Type |
Unsigned 32-bit integer |
srvsvc.connections |
Connections |
Unsigned 32-bit integer |
srvsvc.cur_uses |
Current Uses |
Unsigned 32-bit integer |
srvsvc.disc |
Disc |
Unsigned 32-bit integer |
srvsvc.disk_name |
Disk Name |
String |
srvsvc.disk_name_len |
Disk Name Length |
Unsigned 32-bit integer |
srvsvc.diskalert |
Disk Alerts |
Unsigned 32-bit integer |
srvsvc.diskspacetreshold |
Diskspace Treshold |
Unsigned 32-bit integer |
srvsvc.domain |
Domain |
String |
srvsvc.emulated_server |
Emulated Server |
String |
214
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
srvsvc.enablefcbopens |
Enable FCB Opens |
Unsigned 32-bit integer |
srvsvc.enableforcedlogoff |
Enable Forced Logoff |
Unsigned 32-bit integer |
srvsvc.enableoplockforcecloseEnable |
Oplock Force Close |
Unsigned 32-bit integer |
|
|
|
srvsvc.enableoplocks |
Enable Oplocks |
Unsigned 32-bit integer |
srvsvc.enableraw |
Enable RAW |
Unsigned 32-bit integer |
srvsvc.enablesharednetdrivesEnable |
Shared Net Drives |
Unsigned 32-bit integer |
|
|
|
srvsvc.enablesoftcompat |
Enable Soft Compat |
Unsigned 32-bit integer |
srvsvc.enum_hnd |
Enumeration handle |
Byte array |
srvsvc.erroralert |
Error Alerts |
Unsigned 32-bit integer |
srvsvc.errortreshold |
Error Treshold |
Unsigned 32-bit integer |
srvsvc.file_id |
File ID |
Unsigned 32-bit integer |
srvsvc.file_num_locks |
Num Locks |
Unsigned 32-bit integer |
srvsvc.glist_mtime |
Glist mtime |
Unsigned 32-bit integer |
srvsvc.guest |
Guest Account |
String |
srvsvc.hidden |
Hidden |
Unsigned 32-bit integer |
srvsvc.hnd |
Context Handle |
Byte array |
srvsvc.info.platform_id |
Platform ID |
Unsigned 32-bit integer |
srvsvc.initconntable |
Init Connection Table |
Unsigned 32-bit integer |
srvsvc.initfiletable |
Init File Table |
Unsigned 32-bit integer |
srvsvc.initsearchtable |
Init Search Table |
Unsigned 32-bit integer |
srvsvc.initsesstable |
Init Session Table |
Unsigned 32-bit integer |
srvsvc.initworkitems |
Init Workitems |
Unsigned 32-bit integer |
srvsvc.irpstacksize |
Irp Stack Size |
Unsigned 32-bit integer |
srvsvc.lanmask |
LANMask |
Unsigned 32-bit integer |
srvsvc.licences |
Licences |
Unsigned 32-bit integer |
srvsvc.linkinfovalidtime |
Link Info Valid Time |
Unsigned 32-bit integer |
srvsvc.lmannounce |
LM Announce |
Unsigned 32-bit integer |
srvsvc.logonalert |
Logon Alerts |
Unsigned 32-bit integer |
srvsvc.max_uses |
Max Uses |
Unsigned 32-bit integer |
srvsvc.maxaudits |
Max Audits |
Unsigned 32-bit integer |
srvsvc.maxcopyreadlen |
Max Copy Read Len |
Unsigned 32-bit integer |
srvsvc.maxcopywritelen |
Max Copy Write Len |
Unsigned 32-bit integer |
srvsvc.maxfreeconnections |
Max Free Conenctions |
Unsigned 32-bit integer |
|
|
|
215
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
srvsvc.maxkeepcomplsearchMax |
Keep Compl Search |
Unsigned 32-bit integer |
|
|
|
srvsvc.maxkeepsearch |
Max Keep Search |
Unsigned 32-bit integer |
srvsvc.maxlinkdelay |
Max Link Delay |
Unsigned 32-bit integer |
srvsvc.maxmpxct |
MaxMpxCt |
Unsigned 32-bit integer |
srvsvc.maxnonpagedmemoryusageMax |
Non-Paged Memory |
Unsigned 32-bit integer |
|
Usage |
|
srvsvc.maxpagedmemoryusageMax |
Paged Memory Usage |
Unsigned 32-bit integer |
|
|
|
srvsvc.maxworkitemidletimeMax |
Workitem Idle Time |
Unsigned 32-bit integer |
|
|
|
srvsvc.maxworkitems |
Max Workitems |
Unsigned 32-bit integer |
srvsvc.minfreeconnections |
Min Free Conenctions |
Unsigned 32-bit integer |
srvsvc.minfreeworkitems |
Min Free Workitems |
Unsigned 32-bit integer |
srvsvc.minkeepcomplsearchMin |
Keep Compl Search |
Unsigned 32-bit integer |
|
|
|
srvsvc.minkeepsearch |
Min Keep Search |
Unsigned 32-bit integer |
srvsvc.minlinkthroughput |
Min Link Throughput |
Unsigned 32-bit integer |
srvsvc.minrcvqueue |
Min Rcv Queue |
Unsigned 32-bit integer |
srvsvc.netioalert |
Net I/O Alerts |
Unsigned 32-bit integer |
srvsvc.networkerrortresholdNetwork |
Error Treshold |
Unsigned 32-bit integer |
|
|
|
srvsvc.num_admins |
Num Admins |
Unsigned 32-bit integer |
srvsvc.numbigbufs |
Num Big Bufs |
Unsigned 32-bit integer |
srvsvc.numblockthreads |
Num Block Threads |
Unsigned 32-bit integer |
srvsvc.numfiletasks |
Num Filetasks |
Unsigned 32-bit integer |
srvsvc.openfiles |
Open Files |
Unsigned 32-bit integer |
srvsvc.opensearch |
Open Search |
Unsigned 32-bit integer |
srvsvc.oplockbreakresponsewaitOplock |
Break Response |
Unsigned 32-bit integer |
|
wait |
|
srvsvc.oplockbreakwait |
Oplock Break Wait |
Unsigned 32-bit integer |
srvsvc.opnum |
Operation |
Unsigned 16-bit integer |
srvsvc.outbuflen |
OutBufLen |
Unsigned 32-bit integer |
srvsvc.parm_error |
Parameter Error |
Unsigned 32-bit integer |
srvsvc.path |
Path |
String |
srvsvc.path_flags |
Flags |
Unsigned 32-bit integer |
srvsvc.path_len |
Len |
Unsigned 32-bit integer |
srvsvc.path_type |
Type |
Unsigned 32-bit integer |
216
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
srvsvc.perm |
Permissions |
Unsigned 32-bit integer |
srvsvc.preferred_len |
Preferred length |
Unsigned 32-bit integer |
srvsvc.prefix |
Prefix |
String |
srvsvc.qualifier |
Qualifier |
String |
srvsvc.rawworkitems |
Raw Workitems |
Unsigned 32-bit integer |
srvsvc.rc |
Return code |
Unsigned 32-bit integer |
srvsvc.reserved |
Reserved |
Unsigned 32-bit integer |
srvsvc.scavqosinfoupdatetimeScav |
QoS Info Update |
Unsigned 32-bit integer |
|
Time |
|
srvsvc.scavtimeout |
Scav Timeout |
Unsigned 32-bit integer |
srvsvc.security |
Security |
Unsigned 32-bit integer |
srvsvc.server |
Server |
String |
srvsvc.server.type |
Server Type |
Unsigned 32-bit integer |
srvsvc.server_stat.avresponseAvresponse |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.bigbufneedBig Buf Need |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.bytesrcvdBytes Rcvd |
|
|
|
|
|
srvsvc.server_stat.bytessent Bytes Sent |
|
|
|
|
|
srvsvc.server_stat.devopensDevopens |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.fopens |
Fopens |
Unsigned 32-bit integer |
srvsvc.server_stat.jobsqueuedJobs Queued |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.permerrorsPermerrors |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.pwerrors Pwerrors |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.reqbufneedReq Buf Need |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.serrorout Serrorout |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.sopens |
Sopens |
Unsigned 32-bit integer |
srvsvc.server_stat.start |
Start |
Unsigned 32-bit integer |
srvsvc.server_stat.stimeoutsstimeouts |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.server_stat.syserrors Syserrors |
Unsigned 32-bit integer |
|
|
|
|
217
Appendix A. Ethereal Display Filter Fields
Field |
Field Name |
Type |
srvsvc.service |
Service |
String |
srvsvc.service_bits |
Service Bits |
Unsigned 32-bit integer |
srvsvc.service_bits_of_interestService Bits Of Interest |
Unsigned 32-bit integer |
|
|
|
|
srvsvc.service_options |
Options |
Unsigned 32-bit integer |
srvsvc.session |
Session |
String |
srvsvc.session.idle_time |
Idle Time |
Unsigned 32-bit integer |
srvsvc.session.num_opens |
Num Opens |
Unsigned 32-bit integer |
srvsvc.session.time |
Time |
Unsigned 32-bit integer |
srvsvc.session.user_flags |
User Flags |
Unsigned 32-bit integer |
srvsvc.sessopens |
Sessions Open |
Unsigned 32-bit integer |
srvsvc.sessreqs |
Sessions Reqs |
Unsigned 32-bit integer |
srvsvc.sessvcs |
Sessions VCs |
Unsigned 32-bit integer |
srvsvc.share |
Share |
String |
srvsvc.share.num_entries |
Number of entries |
Unsigned 32-bit integer |
srvsvc.share_passwd |
Share Passwd |
String |
srvsvc.share_type |
Share Type |
Unsigned 32-bit integer |
srvsvc.shares |
Shares |
Unsigned 32-bit integer |
srvsvc.sizreqbufs |
Siz Req Bufs |
Unsigned 32-bit integer |
srvsvc.srvheuristics |
Server Heuristics |
String |
srvsvc.threadcountadd |
Thread Count Add |
Unsigned 32-bit integer |
srvsvc.threadpriority |
Thread Priority |
Unsigned 32-bit integer |
srvsvc.timesource |
Timesource |
Unsigned 32-bit integer |
srvsvc.tod.day |
Day |
Unsigned 32-bit integer |
srvsvc.tod.elapsed |
Elapsed |
Unsigned 32-bit integer |
srvsvc.tod.hours |
Hours |
Unsigned 32-bit integer |
srvsvc.tod.hunds |
Hunds |
Unsigned 32-bit integer |
srvsvc.tod.mins |
Mins |
Unsigned 32-bit integer |
srvsvc.tod.month |
Month |
Unsigned 32-bit integer |
srvsvc.tod.msecs |
msecs |
Unsigned 32-bit integer |
srvsvc.tod.secs |
Secs |
Unsigned 32-bit integer |
srvsvc.tod.timezone |
Timezone |
Unsigned 32-bit integer |
srvsvc.tod.tinterval |
Tinterval |
Unsigned 32-bit integer |
srvsvc.tod.weekday |
Weekday |
Unsigned 32-bit integer |
srvsvc.tod.year |
Year |
Unsigned 32-bit integer |
srvsvc.transport |
Transport |
String |
218