2 * Routines for NTP packet dissection
3 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
7 * Wireshark - Network traffic analyzer
8 * By Gerald Combs <gerald@wireshark.org>
9 * Copyright 1998 Gerald Combs
11 * Copied from packet-tftp.c
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
37 #include <epan/packet.h>
38 #include <epan/addr_resolv.h>
39 #include <epan/emem.h>
41 #include <epan/tvbparse.h>
43 #include "packet-ntp.h"
46 * Dissecting NTP packets version 3 and 4 (RFC5905, RFC2030, RFC1769, RFC1361,
49 * Those packets have simple structure:
51 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
52 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
53 * |LI | VN |Mode | Stratum | Poll | Precision |
54 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
56 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
58 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 * | Reference Identifier |
60 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
61 * | Reference Timestamp (64) |
63 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
64 * | Originate Timestamp (64) |
66 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
67 * | Receive Timestamp (64) |
69 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
70 * | Transmit Timestamp (64) |
72 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
73 * | Key Identifier (optional) (32) |
74 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
75 * | Message Digest (optional) (128) |
79 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 * NTP timestamps are represented as a 64-bit unsigned fixed-point number,
81 * in seconds relative to 0h on 1 January 1900. The integer part is in the
82 * first 32 bits and the fraction part in the last 32 bits.
85 * NTP Control messages as defined in version 2, 3 and 4 (RFC1119, RFC1305) use
86 * the following structure:
88 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
89 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
90 * |00 | VN | 110 |R E M| OpCode | Sequence |
91 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
92 * | Status | Association ID |
93 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
95 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
97 * | Data (468 octets max) |
99 * | | Padding (zeros) |
100 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
101 * | Authenticator (optional) (96) |
104 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
106 * Not yet implemented: complete dissection of TPCTRL_OP_SETTRAP,
107 * NTPCTRL_OP_ASYNCMSG, NTPCTRL_OP_UNSETTRAPSETTRAP Control-Messages
111 #define UDP_PORT_NTP 123
112 #define TCP_PORT_NTP 123
114 /* Leap indicator, 2bit field is used to warn of a inserted/deleted
115 * second, or clock unsynchronized indication.
117 #define NTP_LI_MASK 0xC0
119 #define NTP_LI_NONE 0
122 #define NTP_LI_UNKNOWN 3
124 static const value_string li_types[] = {
125 { NTP_LI_NONE, "no warning" },
126 { NTP_LI_61, "last minute of the day has 61 seconds" },
127 { NTP_LI_59, "last minute of the day has 59 seconds" },
128 { NTP_LI_UNKNOWN, "unknown (clock unsynchronized)" },
132 /* Version info, 3bit field informs about NTP version used in particular
133 * packet. According to rfc2030, version info could be only 3 or 4, but I
134 * have noticed packets with 1 or even 6 as version numbers. They are
135 * produced as a result of ntptrace command. Are those packets mailformed
136 * on purpose? I don't know yet, probably some browsing through ntp sources
137 * would help. My solution is to put them as reserved for now.
139 #define NTP_VN_MASK 0x38
141 static const value_string ver_nums[] = {
143 { 1, "NTP Version 1" },
144 { 2, "NTP Version 2" },
145 { 3, "NTP Version 3" },
146 { 4, "NTP Version 4" },
153 /* Mode, 3bit field representing mode of comunication.
155 #define NTP_MODE_MASK 7
157 #define NTP_MODE_RSV 0
158 #define NTP_MODE_SYMACT 1
159 #define NTP_MODE_SYMPAS 2
160 #define NTP_MODE_CLIENT 3
161 #define NTP_MODE_SERVER 4
162 #define NTP_MODE_BCAST 5
163 #define NTP_MODE_CTRL 6
164 #define NTP_MODE_PRIV 7
166 static const value_string mode_types[] = {
167 { NTP_MODE_RSV, "reserved" },
168 { NTP_MODE_SYMACT, "symmetric active" },
169 { NTP_MODE_SYMPAS, "symmetric passive" },
170 { NTP_MODE_CLIENT, "client" },
171 { NTP_MODE_SERVER, "server" },
172 { NTP_MODE_BCAST, "broadcast" },
173 { NTP_MODE_CTRL, "reserved for NTP control message"},
174 { NTP_MODE_PRIV, "reserved for private use" },
178 static const value_string info_mode_types[] = {
179 { NTP_MODE_RSV, "reserved" },
180 { NTP_MODE_SYMACT, "symmetric active" },
181 { NTP_MODE_SYMPAS, "symmetric passive" },
182 { NTP_MODE_CLIENT, "client" },
183 { NTP_MODE_SERVER, "server" },
184 { NTP_MODE_BCAST, "broadcast" },
185 { NTP_MODE_CTRL, "control"},
186 { NTP_MODE_PRIV, "private" },
190 /* According to rfc, primary (stratum-0 and stratum-1) servers should set
191 * their Reference ID (4bytes field) according to following table:
193 static const struct {
196 } primary_sources[] = {
197 /* IANA / RFC 5905 */
198 { "GOES", "Geostationary Orbit Environment Satellite" },
199 { "GPS\0", "Global Position System" },
200 { "GAL\0", "Galileo Positioning System" },
201 { "PPS\0", "Generic pulse-per-second" },
202 { "IRIG", "Inter-Range Instrumentation Group" },
203 { "WWVB", "LF Radio WWVB Ft. Collins, CO 60 kHz" },
204 { "DCF\0", "LF Radio DCF77 Mainflingen, DE 77.5 kHz" },
205 { "HBG\0", "LF Radio HBG Prangins, HB 75 kHz" },
206 { "MSF\0", "LF Radio MSF Anthorn, UK 60 kHz" },
207 { "JJY\0", "LF Radio JJY Fukushima, JP 40 kHz, Saga, JP 60 kHz" },
208 { "LORC", "MF Radio LORAN C station, 100 kHz" },
209 { "TDF\0", "MF Radio Allouis, FR 162 kHz" },
210 { "CHU\0", "HF Radio CHU Ottawa, Ontario" },
211 { "WWV\0", "HF Radio WWV Ft. Collins, CO" },
212 { "WWVH", "HF Radio WWVH Kauai, HI" },
213 { "NIST", "NIST telephone modem" },
214 { "ACTS", "NIST telephone modem" },
215 { "USNO", "USNO telephone modem" },
216 { "PTB\0", "European telephone modem" },
218 /* Unofficial codes */
219 { "LOCL", "uncalibrated local clock" },
220 { "CESM", "calibrated Cesium clock" },
221 { "RBDM", "calibrated Rubidium clock" },
222 { "OMEG", "OMEGA radionavigation system" },
223 { "DCN\0", "DCN routing protocol" },
224 { "TSP\0", "TSP time protocol" },
225 { "DTS\0", "Digital Time Service" },
226 { "ATOM", "Atomic clock (calibrated)" },
227 { "VLF\0", "VLF radio (OMEGA,, etc.)" },
228 { "1PPS", "External 1 PPS input" },
229 { "FREE", "(Internal clock)" },
230 { "INIT", "(Initialization)" },
231 { "\0\0\0\0", "NULL" },
235 #define NTP_EXT_R_MASK 0x80
237 static const value_string ext_r_types[] = {
243 #define NTP_EXT_ERROR_MASK 0x40
244 #define NTP_EXT_VN_MASK 0x3f
246 static const value_string ext_op_types[] = {
260 #define NTPCTRL_R_MASK 0x80
262 #define ctrl_r_types ext_r_types
264 #define NTPCTRL_ERROR_MASK 0x40
265 #define NTPCTRL_MORE_MASK 0x20
266 #define NTPCTRL_OP_MASK 0x1f
268 #define NTPCTRL_OP_UNSPEC 0
269 #define NTPCTRL_OP_READSTAT 1
270 #define NTPCTRL_OP_READVAR 2
271 #define NTPCTRL_OP_WRITEVAR 3
272 #define NTPCTRL_OP_READCLOCK 4
273 #define NTPCTRL_OP_WRITECLOCK 5
274 #define NTPCTRL_OP_SETTRAP 6
275 #define NTPCTRL_OP_ASYNCMSG 7
276 #define NTPCTRL_OP_UNSETTRAP 31
278 static const value_string ctrl_op_types[] = {
279 { NTPCTRL_OP_UNSPEC, "UNSPEC" },
280 { NTPCTRL_OP_READSTAT, "READSTAT" },
281 { NTPCTRL_OP_READVAR, "READVAR" },
282 { NTPCTRL_OP_WRITEVAR, "WRITEVAR" },
283 { NTPCTRL_OP_READCLOCK, "READCLOCK" },
284 { NTPCTRL_OP_WRITECLOCK, "WRITECLOCK" },
285 { NTPCTRL_OP_SETTRAP, "SETTRAP" },
286 { NTPCTRL_OP_ASYNCMSG, "ASYNCMSG" },
287 { NTPCTRL_OP_UNSETTRAP, "UNSETTRAP" },
291 #define NTPCTRL_SYSSTATUS_LI_MASK 0xC000
292 #define NTPCTRL_SYSSTATUS_CLK_MASK 0x3F00
293 #define NTPCTRL_SYSSTATUS_COUNT_MASK 0x00F0
294 #define NTPCTRL_SYSSTATUS_CODE_MASK 0x000F
296 static const value_string ctrl_sys_status_clksource_types[] = {
297 { 0, "unspecified or unknown" },
298 { 1, "Calibrated atomic clock (e.g. HP 5061)" },
299 { 2, "VLF (band 4) or LF (band 5) radio (e.g. OMEGA, WWVB)" },
300 { 3, "HF (band 7) radio (e.g. CHU, MSF, WWV/H)" },
301 { 4, "UHF (band 9) satellite (e.g. GOES, GPS)" },
302 { 5, "local net (e.g. DCN, TSP, DTS)" },
305 { 8, "eyeball-and-wristwatch" },
306 { 9, "telephone modem (e.g. NIST)" },
310 static const value_string ctrl_sys_status_event_types[] = {
311 { 0, "unspecified" },
312 { 1, "system restart" },
313 { 2, "system or hardware fault" },
314 { 3, "system new status word (leap bits or synchronization change)" },
315 { 4, "system new synchronization source or stratum (sys.peer or sys.stratum change)" },
316 { 5, "system clock reset (offset correction exceeds CLOCK.MAX)" },
317 { 6, "system invalid time or date (see NTP spec.)" },
318 { 7, "system clock exception (see system clock status word)" },
322 #define NTPCTRL_PEERSTATUS_STATUS_MASK 0xF800
323 #define NTPCTRL_PEERSTATUS_CONFIG_MASK 0x8000
324 #define NTPCTRL_PEERSTATUS_AUTHENABLE_MASK 0x4000
325 #define NTPCTRL_PEERSTATUS_AUTHENTIC_MASK 0x2000
326 #define NTPCTRL_PEERSTATUS_REACH_MASK 0x1000
327 #define NTPCTRL_PEERSTATUS_RESERVED_MASK 0x0800
328 #define NTPCTRL_PEERSTATUS_SEL_MASK 0x0700
329 #define NTPCTRL_PEERSTATUS_COUNT_MASK 0x00F0
330 #define NTPCTRL_PEERSTATUS_CODE_MASK 0x000F
332 static const value_string ctrl_peer_status_config_types[] = {
333 { 0, "not configured (peer.config)" },
334 { 1, "configured (peer.config)" },
338 static const value_string ctrl_peer_status_authenable_types[] = {
339 { 0, "authentication disabled (peer.authenable" },
340 { 1, "authentication enabled (peer.authenable" },
344 static const value_string ctrl_peer_status_authentic_types[] = {
345 { 0, "authentication not okay (peer.authentic)" },
346 { 1, "authentication okay (peer.authentic)" },
350 static const value_string ctrl_peer_status_reach_types[] = {
351 { 0, "reachability not okay (peer.reach != 0)" },
352 { 1, "reachability okay (peer.reach != 0)" },
356 static const value_string ctrl_peer_status_selection_types[] = {
358 { 1, "passed sanity checks (tests 1 trough 8 in Section 3.4.3)" },
359 { 2, "passed correctness checks (intersection algorithm in Section 4.2.1)" },
360 { 3, "passed candidate checks (if limit check implemented)" },
361 { 4, "passed outlyer checks (clustering algorithm in Section 4.2.2)" },
362 { 5, "current synchronization source; max distance exceeded (if limit check implemented)" },
363 { 6, "current synchronization source; max distance okay" },
368 static const value_string ctrl_peer_status_event_types[] = {
369 { 0, "unspecified" },
370 { 1, "peer IP error" },
371 { 2, "peer authentication failure (peer.authentic bit was one now zero)" },
372 { 3, "peer unreachable (peer.reach was nonzero now zero)" },
373 { 4, "peer reachable (peer.reach was zero now nonzero)" },
374 { 5, "peer clock exception (see peer clock status word)" },
378 #define NTPCTRL_CLKSTATUS_STATUS_MASK 0xFF00
379 #define NTPCTRL_CLKSTATUS_CODE_MASK 0x00FF
381 static const value_string ctrl_clk_status_types[] = {
382 { 0, "clock operating within nominals" },
383 { 1, "reply timeout" },
384 { 2, "bad reply format" },
385 { 3, "hardware or software fault" },
386 { 4, "propagation failure" },
387 { 5, "bad date format or value" },
388 { 6, "bad time format or value" },
392 #define NTP_CTRL_ERRSTATUS_CODE_MASK 0xFF00
394 static const value_string ctrl_err_status_types[] = {
395 { 0, "unspecified" },
396 { 1, "authentication failure" },
397 { 2, "invalid message length or format" },
398 { 3, "invalid opcode" },
399 { 4, "unknown association identifier" },
400 { 5, "unknown variable name" },
401 { 6, "invalid variable value" },
402 { 7, "administratively prohibited" },
407 #define NTPPRIV_R_MASK 0x80
409 #define priv_r_types ext_r_types
411 #define NTPPRIV_MORE_MASK 0x40
413 #define NTPPRIV_AUTH_MASK 0x80
414 #define NTPPRIV_SEQ_MASK 0x7f
416 static const value_string priv_impl_types[] = {
418 { 2, "XNTPD_OLD (pre-IPv6)" },
423 static const value_string priv_rc_types[] = {
425 { 1, "PEER_LIST_SUM" },
433 { 9, "TIMER_STATS" },
436 { 12, "SET_SYS_FLAG" },
437 { 13, "CLR_SYS_FLAG" },
438 { 16, "GET_RESTRICT" },
439 { 17, "RESADDFLAGS" },
440 { 18, "RESSUBFLAGS" },
441 { 19, "UNRESTRICT" },
442 { 20, "MON_GETLIST" },
443 { 21, "RESET_STATS" },
444 { 22, "RESET_PEER" },
445 { 23, "REREAD_KEYS" },
447 { 27, "UNTRUSTKEY" },
452 { 32, "REQUEST_KEY" },
453 { 33, "CONTROL_KEY" },
454 { 34, "GET_CTLSTATS" },
455 { 36, "GET_CLOCKINFO" },
456 { 37, "SET_CLKFUDGE" },
457 { 38, "GET_KERNEL" },
458 { 39, "GET_CLKBUGINFO" },
459 { 42, "MON_GETLIST_1" },
460 { 43, "HOSTNAME_ASSOCID" },
465 * Maximum MAC length.
467 #define MAX_MAC_LEN (5 * sizeof (guint32))
469 static int proto_ntp = -1;
471 static int hf_ntp_flags = -1;
472 static int hf_ntp_flags_li = -1;
473 static int hf_ntp_flags_vn = -1;
474 static int hf_ntp_flags_mode = -1;
475 static int hf_ntp_stratum = -1;
476 static int hf_ntp_ppoll = -1;
477 static int hf_ntp_precision = -1;
478 static int hf_ntp_rootdelay = -1;
479 static int hf_ntp_rootdispersion = -1;
480 static int hf_ntp_refid = -1;
481 static int hf_ntp_reftime = -1;
482 static int hf_ntp_org = -1;
483 static int hf_ntp_rec = -1;
484 static int hf_ntp_xmt = -1;
485 static int hf_ntp_keyid = -1;
486 static int hf_ntp_mac = -1;
488 static int hf_ntp_ext = -1;
489 static int hf_ntp_ext_flags = -1;
490 static int hf_ntp_ext_flags_r = -1;
491 static int hf_ntp_ext_flags_error = -1;
492 static int hf_ntp_ext_flags_vn = -1;
493 static int hf_ntp_ext_op = -1;
494 static int hf_ntp_ext_len = -1;
495 static int hf_ntp_ext_associd = -1;
496 static int hf_ntp_ext_tstamp = -1;
497 static int hf_ntp_ext_fstamp = -1;
498 static int hf_ntp_ext_vallen = -1;
499 static int hf_ntp_ext_val = -1;
500 static int hf_ntp_ext_siglen = -1;
501 static int hf_ntp_ext_sig = -1;
503 static int hf_ntpctrl_flags2 = -1;
504 static int hf_ntpctrl_flags2_r = -1;
505 static int hf_ntpctrl_flags2_error = -1;
506 static int hf_ntpctrl_flags2_more = -1;
507 static int hf_ntpctrl_flags2_opcode = -1;
508 static int hf_ntpctrl_sequence = -1;
509 static int hf_ntpctrl_status = -1;
510 static int hf_ntpctrl_error_status_word = -1;
511 static int hf_ntpctrl_sys_status_li = -1;
512 static int hf_ntpctrl_sys_status_clksrc = -1;
513 static int hf_ntpctrl_sys_status_count = -1;
514 static int hf_ntpctrl_sys_status_code = -1;
515 static int hf_ntpctrl_peer_status_b0 = -1;
516 static int hf_ntpctrl_peer_status_b1 = -1;
517 static int hf_ntpctrl_peer_status_b2 = -1;
518 static int hf_ntpctrl_peer_status_b3 = -1;
519 static int hf_ntpctrl_peer_status_b4 = -1;
520 static int hf_ntpctrl_peer_status_selection = -1;
521 static int hf_ntpctrl_peer_status_count = -1;
522 static int hf_ntpctrl_peer_status_code = -1;
523 static int hf_ntpctrl_clk_status = -1;
524 static int hf_ntpctrl_clk_status_code = -1;
525 static int hf_ntpctrl_associd = -1;
526 static int hf_ntpctrl_offset = -1;
527 static int hf_ntpctrl_count = -1;
528 static int hf_ntpctrl_data = -1;
529 static int hf_ntpctrl_item = -1;
530 static int hf_ntpctrl_trapmsg = -1;
532 static int hf_ntppriv_flags_r = -1;
533 static int hf_ntppriv_flags_more = -1;
534 static int hf_ntppriv_auth_seq = -1;
535 static int hf_ntppriv_auth = -1;
536 static int hf_ntppriv_seq = -1;
537 static int hf_ntppriv_impl = -1;
538 static int hf_ntppriv_reqcode = -1;
540 static gint ett_ntp = -1;
541 static gint ett_ntp_flags = -1;
542 static gint ett_ntp_ext = -1;
543 static gint ett_ntp_ext_flags = -1;
544 static gint ett_ntpctrl_flags2 = -1;
545 static gint ett_ntpctrl_status = -1;
546 static gint ett_ntpctrl_data = -1;
547 static gint ett_ntpctrl_item = -1;
548 static gint ett_ntppriv_auth_seq = -1;
550 static void dissect_ntp_std(tvbuff_t *, proto_tree *, guint8);
551 static void dissect_ntp_ctrl(tvbuff_t *, proto_tree *, guint8);
552 static void dissect_ntp_priv(tvbuff_t *, proto_tree *, guint8);
553 static int dissect_ntp_ext(tvbuff_t *, proto_tree *, int);
555 static const char *mon_names[12] = {
571 /* parser definitions */
572 static tvbparse_wanted_t* want;
573 static tvbparse_wanted_t* want_ignore;
575 /* NTP_BASETIME is in fact epoch - ntp_start_time */
576 #define NTP_BASETIME 2208988800ul
577 #define NTP_FLOAT_DENOM 4294967296.0
578 #define NTP_TS_SIZE 100
580 /* tvb_ntp_fmt_ts - converts NTP timestamp to human readable string.
581 * TVB and an offset (IN).
582 * returns pointer to filled buffer. This buffer will be freed automatically once
583 * dissection of the next packet occurs.
586 tvb_ntp_fmt_ts(tvbuff_t *tvb, gint offset)
588 guint32 tempstmp, tempfrac;
594 tempstmp = tvb_get_ntohl(tvb, offset);
595 tempfrac = tvb_get_ntohl(tvb, offset+4);
596 if ((tempstmp == 0) && (tempfrac == 0)) {
600 temptime = tempstmp - (guint32) NTP_BASETIME;
601 bd = gmtime(&temptime);
603 return "Not representable";
606 fractime = bd->tm_sec + tempfrac / NTP_FLOAT_DENOM;
607 buff=ep_alloc(NTP_TS_SIZE);
608 g_snprintf(buff, NTP_TS_SIZE,
609 "%s %2d, %d %02d:%02d:%09.6f UTC",
610 mon_names[bd->tm_mon],
620 ntp_to_nstime(tvbuff_t *tvb, gint offset, nstime_t *nstime)
622 nstime->secs = tvb_get_ntohl(tvb, offset);
624 nstime->secs -= NTP_BASETIME;
625 nstime->nsecs = (int)(1000000000*tvb_get_ntohl(tvb, offset+4)/NTP_FLOAT_DENOM);
628 /* dissect_ntp - dissects NTP packet data
629 * tvb - tvbuff for packet data (IN)
630 * pinfo - packet info
631 * proto_tree - resolved protocol tree
634 dissect_ntp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
636 proto_tree *ntp_tree;
637 proto_item *ti = NULL;
639 void (*dissector)(tvbuff_t *, proto_item *, guint8);
641 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NTP");
643 col_clear(pinfo->cinfo, COL_INFO);
645 flags = tvb_get_guint8(tvb, 0);
646 switch (flags & NTP_MODE_MASK) {
648 dissector = dissect_ntp_std;
651 dissector = dissect_ntp_ctrl;
654 dissector = dissect_ntp_priv;
658 /* Adding NTP item and subtree */
659 ti = proto_tree_add_item(tree, proto_ntp, tvb, 0, -1, ENC_BIG_ENDIAN);
660 ntp_tree = proto_item_add_subtree(ti, ett_ntp);
662 /* Show version and mode in info column and NTP root */
663 col_add_fstr(pinfo->cinfo, COL_INFO, "%s, %s",
664 val_to_str((flags & NTP_VN_MASK) >> 3, ver_nums,
666 val_to_str(flags & NTP_MODE_MASK, info_mode_types, "Unknown"));
668 proto_item_append_text(ti, " (%s, %s)",
669 val_to_str((flags & NTP_VN_MASK) >> 3, ver_nums,
671 val_to_str(flags & NTP_MODE_MASK, info_mode_types, "Unknown"));
673 /* Dissect according to mode */
674 (*dissector)(tvb, ntp_tree, flags);
678 dissect_ntp_std(tvbuff_t *tvb, proto_tree *ntp_tree, guint8 flags)
680 proto_tree *flags_tree;
686 double rootdispersion;
694 tf = proto_tree_add_uint(ntp_tree, hf_ntp_flags, tvb, 0, 1, flags);
696 /* Adding flag subtree and items */
697 flags_tree = proto_item_add_subtree(tf, ett_ntp_flags);
698 proto_tree_add_uint(flags_tree, hf_ntp_flags_li, tvb, 0, 1, flags);
699 proto_tree_add_uint(flags_tree, hf_ntp_flags_vn, tvb, 0, 1, flags);
700 proto_tree_add_uint(flags_tree, hf_ntp_flags_mode, tvb, 0, 1, flags);
702 /* Stratum, 1byte field represents distance from primary source
704 stratum = tvb_get_guint8(tvb, 1);
706 buffc="Peer Clock Stratum: unspecified or invalid (%u)";
707 } else if (stratum == 1) {
708 buffc="Peer Clock Stratum: primary reference (%u)";
709 } else if ((stratum >= 2) && (stratum <= 15)) {
710 buffc="Peer Clock Stratum: secondary reference (%u)";
711 } else if (stratum == 16) {
712 buffc="Peer Clock Stratum: unsynchronized (%u)";
714 buffc="Peer Clock Stratum: reserved: %u";
716 proto_tree_add_uint_format(ntp_tree, hf_ntp_stratum, tvb, 1, 1,
717 stratum, buffc, stratum);
718 /* Poll interval, 1byte field indicating the maximum interval
719 * between successive messages, in seconds to the nearest
722 ppoll = tvb_get_guint8(tvb, 2);
723 if ((ppoll >= 4) && (ppoll <= 17)) {
724 proto_tree_add_uint_format(ntp_tree, hf_ntp_ppoll, tvb, 2, 1,
726 "Peer Polling Interval: %u (%u sec)",
730 proto_tree_add_uint_format(ntp_tree, hf_ntp_ppoll, tvb, 2, 1,
732 "Peer Polling Interval: invalid (%u)",
736 /* Precision, 1byte field indicating the precision of the
737 * local clock, in seconds to the nearest power of two.
739 precision = tvb_get_guint8(tvb, 3);
740 proto_tree_add_int_format(ntp_tree, hf_ntp_precision, tvb, 3, 1,
742 "Peer Clock Precision: %8.6f sec",
745 /* Root Delay is a 32-bit signed fixed-point number indicating
746 * the total roundtrip delay to the primary reference source,
747 * in seconds with fraction point between bits 15 and 16.
749 rootdelay = ((gint16)tvb_get_ntohs(tvb, 4)) +
750 (tvb_get_ntohs(tvb, 6) / 65536.0);
751 proto_tree_add_double_format(ntp_tree, hf_ntp_rootdelay, tvb, 4, 4,
753 "Root Delay: %9.4f sec",
756 /* Root Dispersion, 32-bit unsigned fixed-point number indicating
757 * the nominal error relative to the primary reference source, in
758 * seconds with fraction point between bits 15 and 16.
760 rootdispersion = ((gint16)tvb_get_ntohs(tvb, 8)) +
761 (tvb_get_ntohs(tvb, 10) / 65536.0);
762 proto_tree_add_double_format(ntp_tree, hf_ntp_rootdispersion, tvb, 8, 4,
764 "Root Dispersion: %9.4f sec",
767 /* Now, there is a problem with secondary servers. Standards
768 * asks from stratum-2 - stratum-15 servers to set this to the
769 * low order 32 bits of the latest transmit timestamp of the
771 * But, all V3 and V4 servers set this to IP address of their
772 * higher level server. My decision was to resolve this address.
774 buff = ep_alloc(NTP_TS_SIZE);
776 g_snprintf (buff, NTP_TS_SIZE, "Unidentified reference source '%.4s'",
777 tvb_get_ephemeral_string(tvb, 12, 4));
778 for (i = 0; primary_sources[i].id; i++) {
779 if (tvb_memeql(tvb, 12, primary_sources[i].id, 4) == 0) {
780 g_snprintf(buff, NTP_TS_SIZE, "%s",
781 primary_sources[i].data);
787 refid_addr = tvb_get_ipv4(tvb, 12);
788 buffpos = g_snprintf(buff, NTP_TS_SIZE, "%s", get_hostname (refid_addr));
789 if (buffpos >= NTP_TS_SIZE) {
790 buff[NTP_TS_SIZE-4]='.';
791 buff[NTP_TS_SIZE-3]='.';
792 buff[NTP_TS_SIZE-2]='.';
793 buff[NTP_TS_SIZE-1]=0;
796 proto_tree_add_bytes_format(ntp_tree, hf_ntp_refid, tvb, 12, 4,
797 NULL, "Reference ID: %s", buff);
799 /* Reference Timestamp: This is the time at which the local clock was
800 * last set or corrected.
802 proto_tree_add_item(ntp_tree, hf_ntp_reftime, tvb, 16, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN);
804 /* Originate Timestamp: This is the time at which the request departed
805 * the client for the server.
807 proto_tree_add_item(ntp_tree, hf_ntp_org, tvb, 24, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN);
809 /* Receive Timestamp: This is the time at which the request arrived at
812 proto_tree_add_item(ntp_tree, hf_ntp_rec, tvb, 32, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN);
814 /* Transmit Timestamp: This is the time at which the reply departed the
815 * server for the client.
817 proto_tree_add_item(ntp_tree, hf_ntp_xmt, tvb, 40, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN);
819 /* MAX_MAC_LEN is the largest message authentication code
820 * (MAC) length. If we have more data left in the packet
821 * after the header than that, the extra data is NTP4
822 * extensions; parse them as such.
825 while (tvb_reported_length_remaining(tvb, macofs) > (gint)MAX_MAC_LEN)
826 macofs = dissect_ntp_ext(tvb, ntp_tree, macofs);
828 /* When the NTP authentication scheme is implemented, the
829 * Key Identifier and Message Digest fields contain the
830 * message authentication code (MAC) information defined in
831 * Appendix C of RFC-1305. Will print this as hex code for now.
833 if (tvb_reported_length_remaining(tvb, macofs) >= 4)
834 proto_tree_add_item(ntp_tree, hf_ntp_keyid, tvb, macofs, 4,
837 maclen = tvb_reported_length_remaining(tvb, macofs);
839 proto_tree_add_item(ntp_tree, hf_ntp_mac, tvb, macofs,
844 dissect_ntp_ext(tvbuff_t *tvb, proto_tree *ntp_tree, int offset)
846 proto_tree *ext_tree, *flags_tree;
851 guint32 vallen, vallen_round, siglen;
853 extlen = tvb_get_ntohs(tvb, offset+2);
855 /* Extension length isn't enough for the extension header.
856 * Report the error, and return an offset that goes to
857 * the end of the tvbuff, so we stop dissecting.
859 proto_tree_add_text(ntp_tree, tvb, offset+2, 2,
860 "Extension length %u < 8", extlen);
861 offset += tvb_length_remaining(tvb, offset);
865 /* Extension length isn't a multiple of 4.
866 * Report the error, and return an offset that goes
867 * to the end of the tvbuff, so we stop dissecting.
869 proto_tree_add_text(ntp_tree, tvb, offset+2, 2,
870 "Extension length %u isn't a multiple of 4",
872 offset += tvb_length_remaining(tvb, offset);
875 endoffset = offset + extlen;
877 tf = proto_tree_add_item(ntp_tree, hf_ntp_ext, tvb, offset, extlen,
879 ext_tree = proto_item_add_subtree(tf, ett_ntp_ext);
881 flags = tvb_get_guint8(tvb, offset);
882 tf = proto_tree_add_uint(ext_tree, hf_ntp_ext_flags, tvb, offset, 1,
884 flags_tree = proto_item_add_subtree(tf, ett_ntp_ext_flags);
885 proto_tree_add_uint(flags_tree, hf_ntp_ext_flags_r, tvb, offset, 1,
887 proto_tree_add_uint(flags_tree, hf_ntp_ext_flags_error, tvb, offset, 1,
889 proto_tree_add_uint(flags_tree, hf_ntp_ext_flags_vn, tvb, offset, 1,
893 proto_tree_add_item(ext_tree, hf_ntp_ext_op, tvb, offset, 1, ENC_BIG_ENDIAN);
896 proto_tree_add_uint(ext_tree, hf_ntp_ext_len, tvb, offset, 2, extlen);
899 if ((flags & NTP_EXT_VN_MASK) != 2) {
900 /* don't care about autokey v1 */
904 proto_tree_add_item(ext_tree, hf_ntp_ext_associd, tvb, offset, 4,
908 /* check whether everything up to "vallen" is present */
909 if (extlen < MAX_MAC_LEN) {
910 /* XXX - report as error? */
914 proto_tree_add_item(ext_tree, hf_ntp_ext_tstamp, tvb, offset, 4,
917 proto_tree_add_item(ext_tree, hf_ntp_ext_fstamp, tvb, offset, 4,
920 /* XXX fstamp can be server flags */
922 vallen = tvb_get_ntohl(tvb, offset);
923 proto_tree_add_uint(ext_tree, hf_ntp_ext_vallen, tvb, offset, 4,
926 vallen_round = (vallen + 3) & (-4);
928 if ((guint32)(endoffset - offset) < vallen_round) {
930 * Value goes past the length of the extension
933 proto_tree_add_text(ext_tree, tvb, offset,
935 "Value length makes value go past the end of the extension field");
938 proto_tree_add_item(ext_tree, hf_ntp_ext_val, tvb, offset,
941 offset += vallen_round;
943 siglen = tvb_get_ntohl(tvb, offset);
944 proto_tree_add_uint(ext_tree, hf_ntp_ext_siglen, tvb, offset, 4,
948 if (offset + (int)siglen > endoffset) {
950 * Value goes past the length of the extension
953 proto_tree_add_text(ext_tree, tvb, offset,
955 "Signature length makes value go past the end of the extension field");
958 proto_tree_add_item(ext_tree, hf_ntp_ext_sig, tvb,
959 offset, siglen, ENC_NA);
965 dissect_ntp_ctrl_peerstatus(tvbuff_t *tvb, proto_tree *status_tree, guint16 offset, guint16 status)
968 * dissect peer status word:
970 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
971 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
972 * | Status | Sel | Count | Code |
973 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
975 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_b0, tvb, offset, 2, status);
976 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_b1, tvb, offset, 2, status);
977 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_b2, tvb, offset, 2, status);
978 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_b3, tvb, offset, 2, status);
979 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_b4, tvb, offset, 2, status);
980 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_selection, tvb, offset, 2, status);
981 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_count, tvb, offset, 2, status);
982 proto_tree_add_uint(status_tree, hf_ntpctrl_peer_status_code, tvb, offset, 2, status);
986 dissect_ntp_ctrl_systemstatus(tvbuff_t *tvb, proto_tree *status_tree, guint16 offset, guint16 status)
989 * dissect system status word:
991 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
992 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
993 * |LI | ClkSource | Count | Code |
994 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
996 proto_tree_add_uint(status_tree, hf_ntpctrl_sys_status_li, tvb, offset, 2, status);
997 proto_tree_add_uint(status_tree, hf_ntpctrl_sys_status_clksrc, tvb, offset, 2, status);
998 proto_tree_add_uint(status_tree, hf_ntpctrl_sys_status_count, tvb, offset, 2, status);
999 proto_tree_add_uint(status_tree, hf_ntpctrl_sys_status_code, tvb, offset, 2, status);
1003 dissect_ntp_ctrl_errorstatus(tvbuff_t *tvb, proto_tree *status_tree, guint16 offset, guint16 status)
1006 * if error bit is set: dissect error status word
1008 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
1009 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1010 * | Error Code | reserved |
1011 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1013 proto_tree_add_uint(status_tree, hf_ntpctrl_error_status_word, tvb, offset, 2, status);
1017 dissect_ntp_ctrl_clockstatus(tvbuff_t *tvb, proto_tree *status_tree, guint16 offset, guint16 status)
1020 * dissect clock status word:
1022 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
1023 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1024 * | Clock Status | Event Code |
1025 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1027 proto_tree_add_uint(status_tree, hf_ntpctrl_clk_status, tvb, offset, 2, status);
1028 proto_tree_add_uint(status_tree, hf_ntpctrl_clk_status_code, tvb, offset, 2, status);
1032 dissect_ntp_ctrl(tvbuff_t *tvb, proto_tree *ntp_tree, guint8 flags)
1034 proto_tree *flags_tree;
1038 proto_tree *status_tree, *data_tree, *item_tree;
1039 proto_item *ts, *td, *ti;
1043 guint16 data_offset;
1046 tvbparse_elem_t *element;
1048 tf = proto_tree_add_uint(ntp_tree, hf_ntp_flags, tvb, 0, 1, flags);
1050 /* Adding flag subtree and items */
1051 flags_tree = proto_item_add_subtree(tf, ett_ntp_flags);
1052 proto_tree_add_uint(flags_tree, hf_ntp_flags_li, tvb, 0, 1, flags);
1053 proto_tree_add_uint(flags_tree, hf_ntp_flags_vn, tvb, 0, 1, flags);
1054 proto_tree_add_uint(flags_tree, hf_ntp_flags_mode, tvb, 0, 1, flags);
1056 flags2 = tvb_get_guint8(tvb, 1);
1057 tf = proto_tree_add_uint(ntp_tree, hf_ntpctrl_flags2, tvb, 1, 1, flags2);
1058 flags_tree = proto_item_add_subtree(tf, ett_ntpctrl_flags2);
1059 proto_tree_add_uint(flags_tree, hf_ntpctrl_flags2_r, tvb, 1, 1, flags2);
1060 proto_tree_add_uint(flags_tree, hf_ntpctrl_flags2_error, tvb, 1, 1, flags2);
1061 proto_tree_add_uint(flags_tree, hf_ntpctrl_flags2_more, tvb, 1, 1, flags2);
1062 proto_tree_add_uint(flags_tree, hf_ntpctrl_flags2_opcode, tvb, 1, 1, flags2);
1064 proto_tree_add_uint(ntp_tree, hf_ntpctrl_sequence, tvb, 2, 2, tvb_get_ntohs(tvb, 2));
1066 status = tvb_get_ntohs(tvb, 4);
1067 associd = tvb_get_ntohs(tvb, 6);
1068 ts = proto_tree_add_uint(ntp_tree, hf_ntpctrl_status, tvb, 4, 2, status);
1069 status_tree = proto_item_add_subtree(ts, ett_ntpctrl_status);
1071 * further processing of status is only necessary in server responses
1073 if (flags2 & NTPCTRL_R_MASK) {
1074 if (flags2 & NTPCTRL_ERROR_MASK) {
1075 /* Check if this is an error response... */
1076 dissect_ntp_ctrl_errorstatus(tvb, status_tree, 4, status);
1078 /* ...otherwise status word depends on OpCode */
1079 switch (flags2 & NTPCTRL_OP_MASK) {
1080 case NTPCTRL_OP_READSTAT:
1081 case NTPCTRL_OP_READVAR:
1082 case NTPCTRL_OP_WRITEVAR:
1083 case NTPCTRL_OP_ASYNCMSG:
1085 dissect_ntp_ctrl_peerstatus(tvb, status_tree, 4, status);
1087 dissect_ntp_ctrl_systemstatus(tvb, status_tree, 4, status);
1089 case NTPCTRL_OP_READCLOCK:
1090 case NTPCTRL_OP_WRITECLOCK:
1091 dissect_ntp_ctrl_clockstatus(tvb, status_tree, 4, status);
1093 case NTPCTRL_OP_SETTRAP:
1094 case NTPCTRL_OP_UNSETTRAP:
1099 proto_tree_add_uint(ntp_tree, hf_ntpctrl_associd, tvb, 6, 2, associd);
1100 proto_tree_add_uint(ntp_tree, hf_ntpctrl_offset, tvb, 8, 2, tvb_get_ntohs(tvb, 8));
1101 datalen = tvb_get_ntohs(tvb, 10);
1102 proto_tree_add_uint(ntp_tree, hf_ntpctrl_count, tvb, 10, 2, datalen);
1105 * dissect Data part of the NTP control message
1109 td = proto_tree_add_item(ntp_tree, hf_ntpctrl_data, tvb, data_offset, datalen, ENC_NA);
1110 data_tree = proto_item_add_subtree(td, ett_ntpctrl_data);
1111 switch(flags2 & NTPCTRL_OP_MASK) {
1112 case NTPCTRL_OP_READSTAT:
1115 * if associd == 0 then data part contains a list of the form
1116 * <association identifier><status word>,
1119 ti = proto_tree_add_item(data_tree, hf_ntpctrl_item, tvb, data_offset, 4, ENC_NA);
1120 item_tree = proto_item_add_subtree(ti, ett_ntpctrl_item);
1121 proto_tree_add_uint(item_tree, hf_ntpctrl_associd, tvb, data_offset, 2, tvb_get_ntohs(tvb, data_offset));
1123 status = tvb_get_ntohs(tvb, data_offset);
1124 ts = proto_tree_add_uint(item_tree, hf_ntpctrl_status, tvb, data_offset, 2, status);
1125 status_tree = proto_item_add_subtree(ts, ett_ntpctrl_status);
1126 dissect_ntp_ctrl_peerstatus( tvb, status_tree, 4, status );
1133 * but if associd != 0,
1134 * then data part could be the same as if opcode is NTPCTRL_OP_READVAR
1135 * --> so, no "break" here!
1137 case NTPCTRL_OP_READVAR:
1138 case NTPCTRL_OP_WRITEVAR:
1139 case NTPCTRL_OP_READCLOCK:
1140 case NTPCTRL_OP_WRITECLOCK:
1141 tt = tvbparse_init(tvb, data_offset, datalen, NULL, want_ignore);
1142 while( (element = tvbparse_get(tt, want)) != NULL ) {
1143 tvbparse_tree_add_elem(data_tree, element);
1146 case NTPCTRL_OP_ASYNCMSG:
1147 proto_tree_add_item(data_tree, hf_ntpctrl_trapmsg, tvb, data_offset, datalen, ENC_ASCII|ENC_NA);
1149 /* these opcodes doesn't carry any data: NTPCTRL_OP_SETTRAP, NTPCTRL_OP_UNSETTRAP, NTPCTRL_OP_UNSPEC */
1155 * Initialize tvb-parser, which is used to dissect data part of NTP control
1158 * Here some constants are defined, which describes character groups used for
1159 * various purposes. These groups are then used to configure the two global
1160 * variables "want_ignore" and "want" that we use for dissection
1165 /* specify what counts as character */
1166 tvbparse_wanted_t* want_identifier = tvbparse_chars(-1, 1, 0,
1167 "abcdefghijklmnopqrstuvwxyz-_ABCDEFGHIJKLMNOPQRSTUVWXYZ.0123456789", NULL, NULL, NULL);
1168 /* this is the equal sign used in assignments */
1169 tvbparse_wanted_t* want_equalsign = tvbparse_chars(-1, 1, 0, "=", NULL, NULL, NULL);
1170 /* possible characters allowed for values */
1171 tvbparse_wanted_t* want_value = tvbparse_set_oneof(0, NULL, NULL, NULL,
1172 tvbparse_quoted(-1, NULL, NULL, tvbparse_shrink_token_cb, '\"', '\\'),
1173 tvbparse_quoted(-1, NULL, NULL, tvbparse_shrink_token_cb, '\'', '\\'),
1174 tvbparse_chars(-1, 1, 0, "abcdefghijklmnopqrstuvwxyz-_ABCDEFGHIJKLMNOPQRSTUVWXYZ.0123456789 ", NULL, NULL, NULL),
1176 /* the following specifies an assignment of the form identifier=value */
1177 tvbparse_wanted_t* want_assignment = tvbparse_set_seq(-1, NULL, NULL, NULL,
1183 /* we ignore white space characters */
1184 want_ignore = tvbparse_chars(-1, 1, 0, ", \t\r\n", NULL, NULL, NULL);
1185 /* data part of control messages consists of either identifiers or assignments */
1186 want = tvbparse_set_oneof(-1, NULL, NULL, NULL,
1193 dissect_ntp_priv(tvbuff_t *tvb, proto_tree *ntp_tree, guint8 flags)
1195 proto_tree *flags_tree;
1197 guint8 auth_seq, impl, reqcode;
1199 tf = proto_tree_add_uint(ntp_tree, hf_ntp_flags, tvb, 0, 1, flags);
1201 /* Adding flag subtree and items */
1202 flags_tree = proto_item_add_subtree(tf, ett_ntp_flags);
1203 proto_tree_add_uint(flags_tree, hf_ntppriv_flags_r, tvb, 0, 1, flags);
1204 proto_tree_add_uint(flags_tree, hf_ntppriv_flags_more, tvb, 0, 1,
1206 proto_tree_add_uint(flags_tree, hf_ntp_flags_vn, tvb, 0, 1, flags);
1207 proto_tree_add_uint(flags_tree, hf_ntp_flags_mode, tvb, 0, 1, flags);
1209 auth_seq = tvb_get_guint8(tvb, 1);
1210 tf = proto_tree_add_uint(ntp_tree, hf_ntppriv_auth_seq, tvb, 1, 1,
1212 flags_tree = proto_item_add_subtree(tf, ett_ntppriv_auth_seq);
1213 proto_tree_add_uint(flags_tree, hf_ntppriv_auth, tvb, 1, 1, auth_seq);
1214 proto_tree_add_uint(flags_tree, hf_ntppriv_seq, tvb, 1, 1, auth_seq);
1216 impl = tvb_get_guint8(tvb, 2);
1217 proto_tree_add_uint(ntp_tree, hf_ntppriv_impl, tvb, 2, 1, impl);
1219 reqcode = tvb_get_guint8(tvb, 3);
1220 proto_tree_add_uint(ntp_tree, hf_ntppriv_reqcode, tvb, 3, 1, reqcode);
1224 proto_register_ntp(void)
1226 static hf_register_info hf[] = {
1228 "Flags", "ntp.flags", FT_UINT8, BASE_HEX,
1229 NULL, 0, "Flags (Leap/Version/Mode)", HFILL }},
1230 { &hf_ntp_flags_li, {
1231 "Leap Indicator", "ntp.flags.li", FT_UINT8, BASE_DEC,
1232 VALS(li_types), NTP_LI_MASK, "Warning of an impending leap second to be inserted or deleted in the last minute of the current month", HFILL }},
1233 { &hf_ntp_flags_vn, {
1234 "Version number", "ntp.flags.vn", FT_UINT8, BASE_DEC,
1235 VALS(ver_nums), NTP_VN_MASK, NULL, HFILL }},
1236 { &hf_ntp_flags_mode, {
1237 "Mode", "ntp.flags.mode", FT_UINT8, BASE_DEC,
1238 VALS(mode_types), NTP_MODE_MASK, NULL, HFILL }},
1239 { &hf_ntp_stratum, {
1240 "Peer Clock Stratum", "ntp.stratum", FT_UINT8, BASE_DEC,
1241 NULL, 0, NULL, HFILL }},
1243 "Peer Polling Interval", "ntp.ppoll", FT_UINT8, BASE_DEC,
1244 NULL, 0, "Maximum interval between successive messages", HFILL }},
1245 { &hf_ntp_precision, {
1246 "Peer Clock Precision", "ntp.precision", FT_INT8, BASE_DEC,
1247 NULL, 0, "The precision of the system clock", HFILL }},
1248 { &hf_ntp_rootdelay, {
1249 "Root Delay", "ntp.rootdelay", FT_DOUBLE, BASE_NONE,
1250 NULL, 0, "Total round-trip delay to the reference clock", HFILL }},
1251 { &hf_ntp_rootdispersion, {
1252 "Root Dispersion", "ntp.rootdispersion", FT_DOUBLE, BASE_NONE,
1253 NULL, 0, "Total dispersion to the reference clock", HFILL }},
1255 "Reference ID", "ntp.refid", FT_BYTES, BASE_NONE,
1256 NULL, 0, "Particular server or reference clock being used", HFILL }},
1257 { &hf_ntp_reftime, {
1258 "Reference Timestamp", "ntp.reftime", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC,
1259 NULL, 0, "Time when the system clock was last set or corrected", HFILL }},
1261 "Origin Timestamp", "ntp.org", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC,
1262 NULL, 0, "Time at the client when the request departed for the server", HFILL }},
1264 "Receive Timestamp", "ntp.rec", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC,
1265 NULL, 0, "Time at the server when the request arrived from the client", HFILL }},
1267 "Transmit Timestamp", "ntp.xmt", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC,
1268 NULL, 0, "Time at the server when the response left for the client", HFILL }},
1270 "Key ID", "ntp.keyid", FT_BYTES, BASE_NONE,
1271 NULL, 0, NULL, HFILL }},
1273 "Message Authentication Code", "ntp.mac", FT_BYTES, BASE_NONE,
1274 NULL, 0, NULL, HFILL }},
1277 "Extension", "ntp.ext", FT_NONE, BASE_NONE,
1278 NULL, 0, NULL, HFILL }},
1279 { &hf_ntp_ext_flags, {
1280 "Flags", "ntp.ext.flags", FT_UINT8, BASE_HEX,
1281 NULL, 0, "Flags (Response/Error/Version)", HFILL }},
1282 { &hf_ntp_ext_flags_r, {
1283 "Response bit", "ntp.ext.flags.r", FT_UINT8, BASE_DEC,
1284 VALS(ext_r_types), NTP_EXT_R_MASK, NULL, HFILL }},
1285 { &hf_ntp_ext_flags_error, {
1286 "Error bit", "ntp.ext.flags.error", FT_UINT8, BASE_DEC,
1287 NULL, NTP_EXT_ERROR_MASK, NULL, HFILL }},
1288 { &hf_ntp_ext_flags_vn, {
1289 "Version", "ntp.ext.flags.vn", FT_UINT8, BASE_DEC,
1290 NULL, NTP_EXT_VN_MASK, NULL, HFILL }},
1292 "Opcode", "ntp.ext.op", FT_UINT8, BASE_DEC,
1293 VALS(ext_op_types), 0, NULL, HFILL }},
1294 { &hf_ntp_ext_len, {
1295 "Extension length", "ntp.ext.len", FT_UINT16, BASE_DEC,
1296 NULL, 0, NULL, HFILL }},
1297 { &hf_ntp_ext_associd, {
1298 "Association ID", "ntp.ext.associd", FT_UINT32, BASE_DEC,
1299 NULL, 0, NULL, HFILL }},
1300 { &hf_ntp_ext_tstamp, {
1301 "Timestamp", "ntp.ext.tstamp", FT_UINT32, BASE_HEX,
1302 NULL, 0, NULL, HFILL }},
1303 { &hf_ntp_ext_fstamp, {
1304 "File Timestamp", "ntp.ext.fstamp", FT_UINT32, BASE_HEX,
1305 NULL, 0, NULL, HFILL }},
1306 { &hf_ntp_ext_vallen, {
1307 "Value length", "ntp.ext.vallen", FT_UINT32, BASE_DEC,
1308 NULL, 0, NULL, HFILL }},
1309 { &hf_ntp_ext_val, {
1310 "Value", "ntp.ext.val", FT_BYTES, BASE_NONE,
1311 NULL, 0, NULL, HFILL }},
1312 { &hf_ntp_ext_siglen, {
1313 "Signature length", "ntp.ext.siglen", FT_UINT32, BASE_DEC,
1314 NULL, 0, NULL, HFILL }},
1315 { &hf_ntp_ext_sig, {
1316 "Signature", "ntp.ext.sig", FT_BYTES, BASE_NONE,
1317 NULL, 0, NULL, HFILL }},
1319 { &hf_ntpctrl_flags2, {
1320 "Flags 2", "ntpctrl.flags2", FT_UINT8, BASE_HEX,
1321 NULL, 0, "Flags (Response/Error/More/Opcode)", HFILL }},
1322 { &hf_ntpctrl_flags2_r, {
1323 "Response bit", "ntpctrl.flags2.r", FT_UINT8, BASE_DEC,
1324 VALS(ctrl_r_types), NTPCTRL_R_MASK, NULL, HFILL }},
1325 { &hf_ntpctrl_flags2_error, {
1326 "Error bit", "ntpctrl.flags2.error", FT_UINT8, BASE_DEC,
1327 NULL, NTPCTRL_ERROR_MASK, NULL, HFILL }},
1328 { &hf_ntpctrl_flags2_more, {
1329 "More bit", "ntpctrl.flags2.more", FT_UINT8, BASE_DEC,
1330 NULL, NTPCTRL_MORE_MASK, NULL, HFILL }},
1331 { &hf_ntpctrl_flags2_opcode, {
1332 "Opcode", "ntpctrl.flags2.opcode", FT_UINT8, BASE_DEC,
1333 VALS(ctrl_op_types), NTPCTRL_OP_MASK, NULL, HFILL }},
1334 { &hf_ntpctrl_sequence, {
1335 "Sequence", "ntpctrl.sequence", FT_UINT16, BASE_DEC,
1336 NULL, 0, NULL, HFILL }},
1337 { &hf_ntpctrl_status, {
1338 "Status", "ntpctrl.status", FT_UINT16, BASE_DEC,
1339 NULL, 0, NULL, HFILL }},
1340 { &hf_ntpctrl_error_status_word, {
1341 "Error Status Word", "ntpctrl.err_status", FT_UINT16, BASE_DEC,
1342 VALS(ctrl_err_status_types), NTP_CTRL_ERRSTATUS_CODE_MASK, NULL, HFILL }},
1343 { &hf_ntpctrl_sys_status_li, {
1344 "Leap Indicator", "ntpctrl.sys_status.li", FT_UINT16, BASE_DEC,
1345 VALS(li_types), NTPCTRL_SYSSTATUS_LI_MASK, "Warning of an impending leap second to be inserted or deleted in the last minute of the current month", HFILL }},
1346 { &hf_ntpctrl_sys_status_clksrc, {
1347 "Clock Source", "ntpctrl.sys_status.clksrc", FT_UINT16, BASE_DEC,
1348 VALS(ctrl_sys_status_clksource_types), NTPCTRL_SYSSTATUS_CLK_MASK, NULL, HFILL }},
1349 { &hf_ntpctrl_sys_status_count, {
1350 "System Event Counter", "ntpctrl.sys_status.count", FT_UINT16, BASE_DEC,
1351 NULL, NTPCTRL_SYSSTATUS_COUNT_MASK, NULL, HFILL }},
1352 { &hf_ntpctrl_sys_status_code, {
1353 "System Event Code", "ntpctrl.sys_status.code", FT_UINT16, BASE_DEC,
1354 VALS(ctrl_sys_status_event_types), NTPCTRL_SYSSTATUS_CODE_MASK, NULL, HFILL }},
1355 { &hf_ntpctrl_peer_status_b0, {
1356 "Peer Status", "ntpctrl.peer_status.config", FT_UINT16, BASE_DEC,
1357 VALS(ctrl_peer_status_config_types), NTPCTRL_PEERSTATUS_CONFIG_MASK, NULL, HFILL }},
1358 { &hf_ntpctrl_peer_status_b1, {
1359 "Peer Status", "ntpctrl.peer_status.authenable", FT_UINT16, BASE_DEC,
1360 VALS(ctrl_peer_status_authenable_types), NTPCTRL_PEERSTATUS_AUTHENABLE_MASK, NULL, HFILL }},
1361 { &hf_ntpctrl_peer_status_b2, {
1362 "Peer Status", "ntpctrl.peer_status.authentic", FT_UINT16, BASE_DEC,
1363 VALS(ctrl_peer_status_authentic_types), NTPCTRL_PEERSTATUS_AUTHENTIC_MASK, NULL, HFILL }},
1364 { &hf_ntpctrl_peer_status_b3, {
1365 "Peer Status", "ntpctrl.peer_status.reach", FT_UINT16, BASE_DEC,
1366 VALS(ctrl_peer_status_reach_types), NTPCTRL_PEERSTATUS_REACH_MASK, NULL, HFILL }},
1367 { &hf_ntpctrl_peer_status_b4, {
1368 "Peer Status: reserved", "ntpctrl.peer_status.reserved", FT_UINT16, BASE_DEC,
1369 NULL, NTPCTRL_PEERSTATUS_RESERVED_MASK, NULL, HFILL }},
1370 { &hf_ntpctrl_peer_status_selection, {
1371 "Peer Selection", "ntpctrl.peer_status.selection", FT_UINT16, BASE_DEC,
1372 VALS(ctrl_peer_status_selection_types), NTPCTRL_PEERSTATUS_SEL_MASK, NULL, HFILL }},
1373 { &hf_ntpctrl_peer_status_count, {
1374 "Peer Event Counter", "ntpctrl.peer_status.count", FT_UINT16, BASE_DEC,
1375 NULL, NTPCTRL_PEERSTATUS_COUNT_MASK, NULL, HFILL }},
1376 { &hf_ntpctrl_peer_status_code, {
1377 "Peer Event Code", "ntpctrl.peer_status.code", FT_UINT16, BASE_DEC,
1378 VALS(ctrl_peer_status_event_types), NTPCTRL_PEERSTATUS_CODE_MASK, NULL, HFILL }},
1379 { &hf_ntpctrl_clk_status, {
1380 "Clock Status", "ntpctrl.clock_status.status", FT_UINT16, BASE_DEC,
1381 VALS(ctrl_clk_status_types), NTPCTRL_CLKSTATUS_STATUS_MASK, NULL, HFILL }},
1382 { &hf_ntpctrl_clk_status_code, {
1383 "Clock Event Code", "ntpctrl.clock_status.code", FT_UINT16, BASE_DEC,
1384 NULL, NTPCTRL_CLKSTATUS_CODE_MASK, NULL, HFILL }},
1385 { &hf_ntpctrl_data, {
1386 "Data", "ntpctrl.data", FT_NONE, BASE_NONE,
1387 NULL, 0, NULL, HFILL }},
1388 { &hf_ntpctrl_item, {
1389 "Item", "ntpctrl.item", FT_NONE, BASE_NONE,
1390 NULL, 0, NULL, HFILL }},
1391 { &hf_ntpctrl_associd, {
1392 "AssociationID", "ntpctrl.associd", FT_UINT16, BASE_DEC,
1393 NULL, 0, NULL, HFILL }},
1394 { &hf_ntpctrl_offset, {
1395 "Offset", "ntpctrl.offset", FT_UINT16, BASE_DEC,
1396 NULL, 0, NULL, HFILL }},
1397 { &hf_ntpctrl_count, {
1398 "Count", "ntpctrl.count", FT_UINT16, BASE_DEC,
1399 NULL, 0, NULL, HFILL }},
1400 { &hf_ntpctrl_trapmsg, {
1401 "Trap message", "ntpctrl.trapmsg", FT_STRING, BASE_NONE,
1402 NULL, 0, NULL, HFILL }},
1404 { &hf_ntppriv_flags_r, {
1405 "Response bit", "ntppriv.flags.r", FT_UINT8, BASE_DEC,
1406 VALS(priv_r_types), NTPPRIV_R_MASK, NULL, HFILL }},
1407 { &hf_ntppriv_flags_more, {
1408 "More bit", "ntppriv.flags.more", FT_UINT8, BASE_DEC,
1409 NULL, NTPPRIV_MORE_MASK, NULL, HFILL }},
1410 { &hf_ntppriv_auth_seq, {
1411 "Auth, sequence", "ntppriv.auth_seq", FT_UINT8, BASE_DEC,
1412 NULL, 0, "Auth bit, sequence number", HFILL }},
1413 { &hf_ntppriv_auth, {
1414 "Auth bit", "ntppriv.auth", FT_UINT8, BASE_DEC,
1415 NULL, NTPPRIV_AUTH_MASK, NULL, HFILL }},
1416 { &hf_ntppriv_seq, {
1417 "Sequence number", "ntppriv.seq", FT_UINT8, BASE_DEC,
1418 NULL, NTPPRIV_SEQ_MASK, NULL, HFILL }},
1419 { &hf_ntppriv_impl, {
1420 "Implementation", "ntppriv.impl", FT_UINT8, BASE_DEC,
1421 VALS(priv_impl_types), 0, NULL, HFILL }},
1422 { &hf_ntppriv_reqcode, {
1423 "Request code", "ntppriv.reqcode", FT_UINT8, BASE_DEC,
1424 VALS(priv_rc_types), 0, NULL, HFILL }}
1426 static gint *ett[] = {
1431 &ett_ntpctrl_flags2,
1432 &ett_ntpctrl_status,
1435 &ett_ntppriv_auth_seq
1438 proto_ntp = proto_register_protocol("Network Time Protocol", "NTP",
1440 proto_register_field_array(proto_ntp, hf, array_length(hf));
1441 proto_register_subtree_array(ett, array_length(ett));
1447 proto_reg_handoff_ntp(void)
1449 dissector_handle_t ntp_handle;
1451 ntp_handle = create_dissector_handle(dissect_ntp, proto_ntp);
1452 dissector_add_uint("udp.port", UDP_PORT_NTP, ntp_handle);
1453 dissector_add_uint("tcp.port", TCP_PORT_NTP, ntp_handle);