* Routines for NTP packet dissection
* Copyright 1999, Nathan Neulinger <nneul@umr.edu>
*
- * $Id: packet-ntp.c,v 1.2 1999/10/22 06:30:45 guy Exp $
+ * $Id: packet-ntp.c,v 1.36 2002/08/02 23:35:55 jmayer Exp $
*
* Ethereal - Network traffic analyzer
- * By Gerald Combs <gerald@unicom.net>
+ * By Gerald Combs <gerald@ethereal.com>
* Copyright 1998 Gerald Combs
*
* Copied from packet-tftp.c
#include <stdio.h>
-#ifdef HAVE_SYS_TYPES_H
-# include <sys/types.h>
-#endif
-
-#ifdef HAVE_NETINET_IN_H
-# include <netinet/in.h>
-#endif
-
#include <string.h>
#include <time.h>
#include <math.h>
#include <glib.h>
-#include "packet.h"
-#include "resolv.h"
+
+#ifdef NEED_SNPRINTF_H
+# include "snprintf.h"
+#endif
+
+#include <epan/packet.h>
+#include <epan/resolv.h>
#include "packet-ntp.h"
+/*
+ * Dissecting NTP packets version 3 and 4 (RFC2030, RFC1769, RFC1361,
+ * RFC1305).
+ *
+ * Those packets have simple structure:
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |LI | VN |Mode | Stratum | Poll | Precision |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Root Delay |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Root Dispersion |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Reference Identifier |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Reference Timestamp (64) |
+ * | |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Originate Timestamp (64) |
+ * | |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Receive Timestamp (64) |
+ * | |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Transmit Timestamp (64) |
+ * | |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Key Identifier (optional) (32) |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Digest (optional) (128) |
+ * | |
+ * | |
+ * | |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * NTP timestamps are represented as a 64-bit unsigned fixed-point number,
+ * in seconds relative to 0h on 1 January 1900. The integer part is in the
+ * first 32 bits and the fraction part in the last 32 bits.
+ */
+
+#define UDP_PORT_NTP 123
+#define TCP_PORT_NTP 123
+
+/* Leap indicator, 2bit field is used to warn of a inserted/deleted
+ * second, or to alarm loosed synchronization.
+ */
+#define NTP_LI_MASK 0xC0
+
+#define NTP_LI_NONE 0
+#define NTP_LI_61 1
+#define NTP_LI_59 2
+#define NTP_LI_ALARM 3
+
static const value_string li_types[] = {
{ NTP_LI_NONE, "no warning" },
{ NTP_LI_61, "last minute has 61 seconds" },
{ 0, NULL}
};
+/* Version info, 3bit field informs about NTP version used in particular
+ * packet. According to rfc2030, version info could be only 3 or 4, but I
+ * have noticed packets with 1 or even 6 as version numbers. They are
+ * produced as a result of ntptrace command. Are those packets mailformed
+ * on purpose? I don't know yet, probably some browsing through ntp sources
+ * would help. My solution is to put them as reserved for now.
+ */
+#define NTP_VN_MASK 0x38
+
static const value_string ver_nums[] = {
- { NTP_VN_R0, "reserved" },
- { NTP_VN_R1, "reserved" },
- { NTP_VN_R2, "reserved" },
- { NTP_VN_3, "NTP Version 3" },
- { NTP_VN_4, "NTP Version 4" },
- { NTP_VN_R5, "reserved" },
- { NTP_VN_R6, "reserved" },
- { NTP_VN_R7, "reserved" },
- { 0, NULL}
+ { 0, "reserved" },
+ { 1, "reserved" },
+ { 2, "reserved" },
+ { 3, "NTP Version 3" },
+ { 4, "NTP Version 4" },
+ { 5, "reserved" },
+ { 6, "reserved" },
+ { 7, "reserved" },
+ { 0, NULL}
};
+/* Mode, 3bit field representing mode of comunication.
+ */
+#define NTP_MODE_MASK 7
+
+#define NTP_MODE_RSV 0
+#define NTP_MODE_SYMACT 1
+#define NTP_MODE_SYMPAS 2
+#define NTP_MODE_CLIENT 3
+#define NTP_MODE_SERVER 4
+#define NTP_MODE_BCAST 5
+#define NTP_MODE_CTRL 6
+#define NTP_MODE_PRIV 7
+
static const value_string mode_types[] = {
{ NTP_MODE_RSV, "reserved" },
{ NTP_MODE_SYMACT, "symmetric active" },
{ 0, NULL}
};
+/* According to rfc, primary (stratum-0 and stratum-1) servers should set
+ * their Reference Clock ID (4bytes field) according to following table:
+ */
static const struct {
char *id;
char *data;
{ "DTS\0", "Digital Time Service" },
{ "ATOM", "Atomic clock (calibrated)" },
{ "VLF\0", "VLF radio (OMEGA,, etc.)" },
+ { "IRIG", "IRIG-B timecode" },
+ { "1PPS", "External 1 PPS input" },
+ { "FREE", "(Internal clock)" },
{ NULL, NULL}
};
static int hf_ntp_keyid = -1;
static int hf_ntp_mac = -1;
-char *
-ntp_fmt_ts(guint32 tsdata[2], char* buff)
+static gint ett_ntp = -1;
+static gint ett_ntp_flags = -1;
+
+/* ntp_fmt_ts - converts NTP timestamp to human readable string.
+ * reftime - 64bit timestamp (IN)
+ * buff - string buffer for result (OUT)
+ * returns pointer to filled buffer.
+ */
+static char *
+ntp_fmt_ts(const guint8 *reftime, char* buff)
{
guint32 tempstmp, tempfrac;
time_t temptime;
struct tm *bd;
double fractime;
- tempstmp = ntohl(tsdata[0]);
- tempfrac = ntohl(tsdata[1]);
+ tempstmp = pntohl(&reftime[0]);
+ tempfrac = pntohl(&reftime[4]);
if ((tempstmp == 0) && (tempfrac == 0)) {
strcpy (buff, "NULL");
return buff;
} else {
temptime = tempstmp - (guint32) NTP_BASETIME;
bd = gmtime(&temptime);
- fractime = bd->tm_sec + tempfrac / 4294967296.0;
- snprintf(buff, NTP_TS_SIZE, "%04d-%02d-%02d %02d:%02d:%07.4f UTC",
- bd->tm_year + 1900, bd->tm_mon, bd->tm_mday, bd->tm_hour,
- bd->tm_min, fractime);
+ if (bd != NULL) {
+ fractime = bd->tm_sec + tempfrac / 4294967296.0;
+ snprintf(buff, NTP_TS_SIZE,
+ "%04d-%02d-%02d %02d:%02d:%07.4f UTC",
+ bd->tm_year + 1900, bd->tm_mon + 1, bd->tm_mday,
+ bd->tm_hour, bd->tm_min, fractime);
+ } else
+ strncpy(buff, "Not representable", NTP_TS_SIZE);
}
return buff;
}
-
-void
-dissect_ntp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
+/* dissect_ntp - dissects NTP packet data
+ * tvb - tvbuff for packet data (IN)
+ * pinfo - packet info
+ * proto_tree - resolved protocol tree
+ */
+static void
+dissect_ntp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
proto_tree *ntp_tree, *flags_tree;
proto_item *ti, *tf;
- struct ntp_packet *pkt;
- gchar buff[NTP_TS_SIZE];
- int i;
-
- /* get at least a full packet structure */
- if ( !BYTES_ARE_IN_FRAME(offset, 48) ) /* 48 without keyid or mac */
- return;
+ guint8 flags;
+ guint8 stratum;
+ guint8 ppoll;
+ gint8 precision;
+ double rootdelay;
+ double rootdispersion;
+ const guint8 *refid;
+ guint32 refid_addr;
+ const guint8 *reftime;
+ const guint8 *org;
+ const guint8 *rec;
+ const guint8 *xmt;
+ gchar buff[NTP_TS_SIZE];
+ int i;
- pkt = (struct ntp_packet *) &pd[offset];
-
- if (check_col(fd, COL_PROTOCOL))
- col_add_str(fd, COL_PROTOCOL, "NTP");
+ if (check_col(pinfo->cinfo, COL_PROTOCOL))
+ col_set_str(pinfo->cinfo, COL_PROTOCOL, "NTP");
- if (check_col(fd, COL_INFO))
- col_add_str(fd, COL_INFO, "NTP");
+ if (check_col(pinfo->cinfo, COL_INFO))
+ col_set_str(pinfo->cinfo, COL_INFO, "NTP");
if (tree) {
- ti = proto_tree_add_item(tree, proto_ntp, offset, END_OF_FRAME, NULL);
- ntp_tree = proto_item_add_subtree(ti, ETT_NTP);
- tf = proto_tree_add_item(ntp_tree, hf_ntp_flags, offset, 1, pkt->flags);
-
- flags_tree = proto_item_add_subtree(tf, ETT_NTP_FLAGS);
- proto_tree_add_item_format(flags_tree, hf_ntp_flags_li, offset, 1,
- *pkt->flags & NTP_LI_MASK,
- decode_enumerated_bitfield(*pkt->flags, NTP_LI_MASK,
- sizeof(pkt->flags) * 8, li_types, "Leap Indicator: %s"));
- proto_tree_add_item_format(flags_tree, hf_ntp_flags_vn, offset, 1,
- *pkt->flags & NTP_VN_MASK,
- decode_enumerated_bitfield(*pkt->flags, NTP_VN_MASK,
- sizeof(pkt->flags) * 8, ver_nums, "Version number: %s"));
- proto_tree_add_item_format(flags_tree, hf_ntp_flags_mode, offset, 1,
- *pkt->flags & NTP_MODE_MASK,
- decode_enumerated_bitfield(*pkt->flags, NTP_MODE_MASK,
- sizeof(pkt->flags) * 8, mode_types, "Mode: %s"));
-
- if (*pkt->stratum == 0) {
- strcpy (buff, "Peer Clock Stratum: unspecified or unavailable (%d)");
- } else if (*pkt->stratum == 1) {
- strcpy (buff, "Peer Clock Stratum: primary reference (%d)");
- } else if ((*pkt->stratum >= 2) && (*pkt->stratum <= 15)) {
- strcpy (buff, "Peer Clock Stratum: secondary reference (%d)");
+ /* Adding NTP item and subtree */
+ ti = proto_tree_add_item(tree, proto_ntp, tvb, 0, -1, FALSE);
+ ntp_tree = proto_item_add_subtree(ti, ett_ntp);
+
+ flags = tvb_get_guint8(tvb, 0);
+ tf = proto_tree_add_uint(ntp_tree, hf_ntp_flags, tvb, 0, 1,
+ flags);
+
+ /* Adding flag subtree and items */
+ flags_tree = proto_item_add_subtree(tf, ett_ntp_flags);
+ proto_tree_add_uint(flags_tree, hf_ntp_flags_li, tvb, 0, 1,
+ flags);
+ proto_tree_add_uint(flags_tree, hf_ntp_flags_vn, tvb, 0, 1,
+ flags);
+ proto_tree_add_uint(flags_tree, hf_ntp_flags_mode, tvb, 0, 1,
+ flags);
+
+ /* Stratum, 1byte field represents distance from primary source
+ */
+ stratum = tvb_get_guint8(tvb, 1);
+ if (stratum == 0) {
+ strcpy (buff, "Peer Clock Stratum: unspecified or unavailable (%u)");
+ } else if (stratum == 1) {
+ strcpy (buff, "Peer Clock Stratum: primary reference (%u)");
+ } else if ((stratum >= 2) && (stratum <= 15)) {
+ strcpy (buff, "Peer Clock Stratum: secondary reference (%u)");
} else {
- strcpy (buff, "Peer Clock Stratum: reserved: %d");
+ strcpy (buff, "Peer Clock Stratum: reserved: %u");
}
- proto_tree_add_item_format(ntp_tree, hf_ntp_stratum, offset+1, 1, pkt->stratum,
- buff, (int) *pkt->stratum);
- proto_tree_add_item_format(ntp_tree, hf_ntp_ppoll, offset+2, 1, pkt->ppoll,
- (((*pkt->ppoll >= 4) && (*pkt->ppoll <= 16)) ?
- "Peer Pooling Interval: %d (%d sec)" :
- "Peer Pooling Interval: invalid (%d)"), (int) *pkt->ppoll,
- 1 << *pkt->ppoll);
- proto_tree_add_item_format(ntp_tree, hf_ntp_precision, offset+3, 1, pkt->precision,
- "Peer Clock Precision: %8.6f sec", pow(2, *pkt->precision));
- proto_tree_add_item_format(ntp_tree, hf_ntp_rootdelay, offset+4, 4, pkt->rootdelay,
+ proto_tree_add_uint_format(ntp_tree, hf_ntp_stratum, tvb, 1, 1,
+ stratum, buff, stratum);
+ /* Poll interval, 1byte field indicating the maximum interval
+ * between successive messages, in seconds to the nearest
+ * power of two.
+ */
+ ppoll = tvb_get_guint8(tvb, 2);
+ proto_tree_add_uint_format(ntp_tree, hf_ntp_ppoll, tvb, 2, 1,
+ ppoll,
+ (((ppoll >= 4) && (ppoll <= 16)) ?
+ "Peer Polling Interval: %u (%u sec)" :
+ "Peer Polling Interval: invalid (%u)"),
+ ppoll,
+ 1 << ppoll);
+
+ /* Precision, 1byte field indicating the precision of the
+ * local clock, in seconds to the nearest power of two.
+ */
+ precision = tvb_get_guint8(tvb, 3);
+ proto_tree_add_uint_format(ntp_tree, hf_ntp_precision, tvb, 3, 1,
+ precision,
+ "Peer Clock Precision: %8.6f sec",
+ pow(2, precision));
+
+ /* Root Delay is a 32-bit signed fixed-point number indicating
+ * the total roundtrip delay to the primary reference source,
+ * in seconds with fraction point between bits 15 and 16.
+ */
+ rootdelay = ((gint16)tvb_get_ntohs(tvb, 4)) +
+ (tvb_get_ntohs(tvb, 6) / 65536.0);
+ proto_tree_add_double_format(ntp_tree, hf_ntp_rootdelay, tvb, 4, 4,
+ rootdelay,
"Root Delay: %9.4f sec",
- ((gint32) pntohs(pkt->rootdelay)) +
- pntohs(pkt->rootdelay + 2) / 65536.0);
- proto_tree_add_item_format(ntp_tree, hf_ntp_rootdispersion, offset+8, 4, pkt->rootdispersion,
+ rootdelay);
+
+ /* Root Dispersion, 32-bit unsigned fixed-point number indicating
+ * the nominal error relative to the primary reference source, in
+ * seconds with fraction point between bits 15 and 16.
+ */
+ rootdispersion = ((gint16)tvb_get_ntohs(tvb, 8)) +
+ (tvb_get_ntohs(tvb, 10) / 65536.0);
+ proto_tree_add_double_format(ntp_tree, hf_ntp_rootdispersion, tvb, 8, 4,
+ rootdispersion,
"Clock Dispersion: %9.4f sec",
- ((gint32) pntohs(pkt->rootdispersion)) +
- pntohs(pkt->rootdispersion + 2) / 65536.0);
-
- if (*pkt->stratum <= 1) {
- strcpy (buff, "unindentified reference source");
- for (i = 0; primary_sources[i].id; i++)
- if (*((guint32 *) pkt->refid) == *((guint32 *) primary_sources[i].id))
- strcpy (buff, primary_sources[i].data);
- } else strcpy (buff, get_hostname (*((u_int *) pkt->refid)));
- proto_tree_add_item_format(ntp_tree, hf_ntp_refid, offset+12, 4, pkt->refid,
+ rootdispersion);
+
+ /* Now, there is a problem with secondary servers. Standards
+ * asks from stratum-2 - stratum-15 servers to set this to the
+ * low order 32 bits of the latest transmit timestamp of the
+ * reference source.
+ * But, all V3 and V4 servers set this to IP adress of their
+ * higher level server. My decision was to resolve this address.
+ */
+ refid = tvb_get_ptr(tvb, 12, 4);
+ if (stratum <= 1) {
+ snprintf (buff, sizeof buff,
+ "Unindentified reference source '%.4s'",
+ refid);
+ for (i = 0; primary_sources[i].id; i++) {
+ if (memcmp (refid, primary_sources[i].id,
+ 4) == 0) {
+ strcpy (buff, primary_sources[i].data);
+ break;
+ }
+ }
+ } else {
+ buff[sizeof(buff) - 1] = '\0';
+ tvb_memcpy(tvb, (guint8 *)&refid_addr, 12, 4);
+ strncpy (buff, get_hostname (refid_addr),
+ sizeof(buff));
+ if (buff[sizeof(buff) - 1] != '\0')
+ strcpy(&buff[sizeof(buff) - 4], "...");
+ }
+ proto_tree_add_bytes_format(ntp_tree, hf_ntp_refid, tvb, 12, 4,
+ refid,
"Reference Clock ID: %s", buff);
- proto_tree_add_item_format(ntp_tree, hf_ntp_reftime, offset+16, 8, pkt->reftime,
+
+ /* Reference Timestamp: This is the time at which the local clock was
+ * last set or corrected.
+ */
+ reftime = tvb_get_ptr(tvb, 16, 8);
+ proto_tree_add_bytes_format(ntp_tree, hf_ntp_reftime, tvb, 16, 8,
+ reftime,
"Reference Clock Update Time: %s",
- ntp_fmt_ts((guint32 *) pkt->reftime, buff));
- proto_tree_add_item_format(ntp_tree, hf_ntp_org, offset+24, 8, pkt->org,
+ ntp_fmt_ts(reftime, buff));
+
+ /* Originate Timestamp: This is the time at which the request departed
+ * the client for the server.
+ */
+ org = tvb_get_ptr(tvb, 24, 8);
+ proto_tree_add_bytes_format(ntp_tree, hf_ntp_org, tvb, 24, 8,
+ org,
"Originate Time Stamp: %s",
- ntp_fmt_ts((guint32 *) pkt->org, buff));
- proto_tree_add_item_format(ntp_tree, hf_ntp_rec, offset+32, 8, pkt->rec,
+ ntp_fmt_ts(org, buff));
+ /* Receive Timestamp: This is the time at which the request arrived at
+ * the server.
+ */
+ rec = tvb_get_ptr(tvb, 32, 8);
+ proto_tree_add_bytes_format(ntp_tree, hf_ntp_rec, tvb, 32, 8,
+ rec,
"Receive Time Stamp: %s",
- ntp_fmt_ts((guint32 *) pkt->rec, buff));
- proto_tree_add_item_format(ntp_tree, hf_ntp_xmt, offset+40, 8, pkt->xmt,
+ ntp_fmt_ts(rec, buff));
+ /* Transmit Timestamp: This is the time at which the reply departed the
+ * server for the client.
+ */
+ xmt = tvb_get_ptr(tvb, 40, 8);
+ proto_tree_add_bytes_format(ntp_tree, hf_ntp_xmt, tvb, 40, 8,
+ xmt,
"Transmit Time Stamp: %s",
- ntp_fmt_ts((guint32 *) pkt->xmt, buff));
+ ntp_fmt_ts(xmt, buff));
- if ( BYTES_ARE_IN_FRAME(offset, 50) )
- proto_tree_add_item(ntp_tree, hf_ntp_keyid, offset+48, 4, pkt->keyid);
- if ( BYTES_ARE_IN_FRAME(offset, 53) )
- proto_tree_add_item(ntp_tree, hf_ntp_mac, offset+52, END_OF_FRAME, pkt->mac);
+ /* When the NTP authentication scheme is implemented, the
+ * Key Identifier and Message Digest fields contain the
+ * message authentication code (MAC) information defined in
+ * Appendix C of RFC-1305. Will print this as hex code for now.
+ */
+ if ( tvb_reported_length_remaining(tvb, 48) >= 4 )
+ proto_tree_add_item(ntp_tree, hf_ntp_keyid, tvb, 48, 4,
+ FALSE);
+ if ( tvb_reported_length_remaining(tvb, 52) > 0 )
+ proto_tree_add_item(ntp_tree, hf_ntp_mac, tvb, 52,
+ tvb_reported_length_remaining(tvb, 52),
+ FALSE);
}
}
proto_register_ntp(void)
{
static hf_register_info hf[] = {
- { &hf_ntp_flags, {
- "Flags", "ntp.flags", FT_BYTES, BASE_HEX,
- NULL, 0, "Flags (Leap/Version/Mode)" }},
- { &hf_ntp_flags_li, {
- "Leap Indicator", "ntp.flags.li", FT_UINT8, BASE_DEC,
- VALS(li_types), 0, "Leap Indicator" }},
- { &hf_ntp_flags_vn, {
- "Version number", "ntp.flags.vn", FT_UINT8, BASE_DEC,
- VALS(ver_nums), 0, "Version number" }},
- { &hf_ntp_flags_mode, {
- "Leap Indicator", "ntp.flags.mode", FT_UINT8, BASE_DEC,
- VALS(mode_types), 0, "Leap Indicator" }},
- { &hf_ntp_stratum, {
- "Peer Clock Stratum", "ntp.stratum", FT_BYTES, BASE_DEC,
- NULL, 0, "Peer Clock Stratum" }},
- { &hf_ntp_ppoll, {
- "Peer Polling Interval", "ntp.ppoll", FT_BYTES, BASE_DEC,
- NULL, 0, "Peer Polling Interval" }},
- { &hf_ntp_precision, {
- "Peer Clock Precision", "ntp.precision", FT_BYTES, BASE_DEC,
- NULL, 0, "Peer Clock Precision" }},
- { &hf_ntp_rootdelay, {
- "Root Delay", "ntp.rootdelay", FT_BYTES, BASE_DEC,
- NULL, 0, "Root Delay" }},
- { &hf_ntp_rootdispersion, {
- "Clock Dispersion", "ntp.rootdispersion", FT_BYTES, BASE_DEC,
- NULL, 0, "Clock Dispersion" }},
- { &hf_ntp_refid, {
- "Reference Clock ID", "ntp.refid", FT_BYTES, BASE_NONE,
- NULL, 0, "Reference Clock ID" }},
- { &hf_ntp_reftime, {
- "Reference Clock Update Time", "ntp.reftime", FT_BYTES, BASE_NONE,
- NULL, 0, "Reference Clock Update Time" }},
- { &hf_ntp_org, {
- "Originate Time Stamp", "ntp.org", FT_BYTES, BASE_NONE,
- NULL, 0, "Originate Time Stamp" }},
- { &hf_ntp_rec, {
- "Receive Time Stamp", "ntp.rec", FT_BYTES, BASE_NONE,
- NULL, 0, "Receive Time Stamp" }},
- { &hf_ntp_xmt, {
- "Transmit Time Stamp", "ntp.xmt", FT_BYTES, BASE_NONE,
- NULL, 0, "Transmit Time Stamp" }},
- { &hf_ntp_keyid, {
- "Key ID", "ntp.keyid", FT_BYTES, BASE_HEX,
- NULL, 0, "Key ID" }},
- { &hf_ntp_mac, {
- "Message Authentication Code", "ntp.mac", FT_BYTES, BASE_HEX,
- NULL, 0, "Message Authentication Code" }},
+ { &hf_ntp_flags, {
+ "Flags", "ntp.flags", FT_UINT8, BASE_HEX,
+ NULL, 0, "Flags (Leap/Version/Mode)", HFILL }},
+ { &hf_ntp_flags_li, {
+ "Leap Indicator", "ntp.flags.li", FT_UINT8, BASE_DEC,
+ VALS(li_types), NTP_LI_MASK, "Leap Indicator", HFILL }},
+ { &hf_ntp_flags_vn, {
+ "Version number", "ntp.flags.vn", FT_UINT8, BASE_DEC,
+ VALS(ver_nums), NTP_VN_MASK, "Version number", HFILL }},
+ { &hf_ntp_flags_mode, {
+ "Mode", "ntp.flags.mode", FT_UINT8, BASE_DEC,
+ VALS(mode_types), NTP_MODE_MASK, "Mode", HFILL }},
+ { &hf_ntp_stratum, {
+ "Peer Clock Stratum", "ntp.stratum", FT_UINT8, BASE_DEC,
+ NULL, 0, "Peer Clock Stratum", HFILL }},
+ { &hf_ntp_ppoll, {
+ "Peer Polling Interval", "ntp.ppoll", FT_UINT8, BASE_DEC,
+ NULL, 0, "Peer Polling Interval", HFILL }},
+ { &hf_ntp_precision, {
+ "Peer Clock Precision", "ntp.precision", FT_UINT8, BASE_DEC,
+ NULL, 0, "Peer Clock Precision", HFILL }},
+ { &hf_ntp_rootdelay, {
+ "Root Delay", "ntp.rootdelay", FT_DOUBLE, BASE_DEC,
+ NULL, 0, "Root Delay", HFILL }},
+ { &hf_ntp_rootdispersion, {
+ "Clock Dispersion", "ntp.rootdispersion", FT_DOUBLE, BASE_DEC,
+ NULL, 0, "Clock Dispersion", HFILL }},
+ { &hf_ntp_refid, {
+ "Reference Clock ID", "ntp.refid", FT_BYTES, BASE_NONE,
+ NULL, 0, "Reference Clock ID", HFILL }},
+ { &hf_ntp_reftime, {
+ "Reference Clock Update Time", "ntp.reftime", FT_BYTES, BASE_NONE,
+ NULL, 0, "Reference Clock Update Time", HFILL }},
+ { &hf_ntp_org, {
+ "Originate Time Stamp", "ntp.org", FT_BYTES, BASE_NONE,
+ NULL, 0, "Originate Time Stamp", HFILL }},
+ { &hf_ntp_rec, {
+ "Receive Time Stamp", "ntp.rec", FT_BYTES, BASE_NONE,
+ NULL, 0, "Receive Time Stamp", HFILL }},
+ { &hf_ntp_xmt, {
+ "Transmit Time Stamp", "ntp.xmt", FT_BYTES, BASE_NONE,
+ NULL, 0, "Transmit Time Stamp", HFILL }},
+ { &hf_ntp_keyid, {
+ "Key ID", "ntp.keyid", FT_BYTES, BASE_HEX,
+ NULL, 0, "Key ID", HFILL }},
+ { &hf_ntp_mac, {
+ "Message Authentication Code", "ntp.mac", FT_BYTES, BASE_HEX,
+ NULL, 0, "Message Authentication Code", HFILL }},
};
+ static gint *ett[] = {
+ &ett_ntp,
+ &ett_ntp_flags,
+ };
- proto_ntp = proto_register_protocol("Network Time Protocol", "ntp");
+ proto_ntp = proto_register_protocol("Network Time Protocol", "NTP",
+ "ntp");
proto_register_field_array(proto_ntp, hf, array_length(hf));
+ proto_register_subtree_array(ett, array_length(ett));
+}
+
+void
+proto_reg_handoff_ntp(void)
+{
+ dissector_handle_t ntp_handle;
+
+ ntp_handle = create_dissector_handle(dissect_ntp, proto_ntp);
+ dissector_add("udp.port", UDP_PORT_NTP, ntp_handle);
+ dissector_add("tcp.port", TCP_PORT_NTP, ntp_handle);
}