2 * Routines for NTP packet dissection
3 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
5 * $Id: packet-ntp.c,v 1.21 2001/01/03 06:55:30 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@zing.org>
9 * Copyright 1998 Gerald Combs
11 * Copied from packet-tftp.c
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #ifdef HAVE_SYS_TYPES_H
35 # include <sys/types.h>
38 #ifdef HAVE_NETINET_IN_H
39 # include <netinet/in.h>
47 #ifdef NEED_SNPRINTF_H
48 # include "snprintf.h"
53 #include "packet-ntp.h"
56 * Dissecting NTP packets version 3 and 4 (RFC2030, RFC1769, RFC1361,
59 * Those packets have simple structure:
61 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
62 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
63 * |LI | VN |Mode | Stratum | Poll | Precision |
64 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 * | Reference Identifier |
70 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 * | Reference Timestamp (64) |
73 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 * | Originate Timestamp (64) |
76 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 * | Receive Timestamp (64) |
79 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 * | Transmit Timestamp (64) |
82 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
83 * | Key Identifier (optional) (32) |
84 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
85 * | Message Digest (optional) (128) |
89 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
90 * NTP timestamps are represented as a 64-bit unsigned fixed-point number,
91 * in seconds relative to 0h on 1 January 1900. The integer part is in the
92 * first 32 bits and the fraction part in the last 32 bits.
95 #define UDP_PORT_NTP 123
96 #define TCP_PORT_NTP 123
98 /* Leap indicator, 2bit field is used to warn of a inserted/deleted
99 * second, or to alarm loosed synchronization.
101 static const value_string li_types[] = {
102 { NTP_LI_NONE, "no warning" },
103 { NTP_LI_61, "last minute has 61 seconds" },
104 { NTP_LI_59, "last minute has 59 seconds" },
105 { NTP_LI_ALARM, "alarm condition (clock not synchronized)" },
109 /* Version info, 3bit field informs about NTP version used in particular
110 * packet. According to rfc2030, version info could be only 3 or 4, but I
111 * have noticed packets with 1 or even 6 as version numbers. They are
112 * produced as a result of ntptrace command. Are those packets mailformed
113 * on purpose? I don't know yet, probably some browsing through ntp sources
114 * would help. My solution is to put them as reserved for now.
116 static const value_string ver_nums[] = {
117 { NTP_VN_R0, "reserved" },
118 { NTP_VN_R1, "reserved" },
119 { NTP_VN_R2, "reserved" },
120 { NTP_VN_3, "NTP Version 3" },
121 { NTP_VN_4, "NTP Version 4" },
122 { NTP_VN_R5, "reserved" },
123 { NTP_VN_R6, "reserved" },
124 { NTP_VN_R7, "reserved" },
128 /* Mode, 3bit field representing mode of comunication.
130 static const value_string mode_types[] = {
131 { NTP_MODE_RSV, "reserved" },
132 { NTP_MODE_SYMACT, "symmetric active" },
133 { NTP_MODE_SYMPAS, "symmetric passive" },
134 { NTP_MODE_CLIENT, "client" },
135 { NTP_MODE_SERVER, "server" },
136 { NTP_MODE_BCAST, "broadcast" },
137 { NTP_MODE_CTRL, "reserved for NTP control message"},
138 { NTP_MODE_PRIV, "reserved for private use" },
142 /* According to rfc, primary (stratum-0 and stratum-1) servers should set
143 * their Reference Clock ID (4bytes field) according to following table:
145 static const struct {
148 } primary_sources[] = {
149 { "LOCL", "uncalibrated local clock" },
150 { "PPS\0", "atomic clock or other pulse-per-second source" },
151 { "ACTS", "NIST dialup modem service" },
152 { "USNO", "USNO modem service" },
153 { "PTB\0", "PTB (Germany) modem service" },
154 { "TDF\0", "Allouis (France) Radio 164 kHz" },
155 { "DCF\0", "Mainflingen (Germany) Radio 77.5 kHz" },
156 { "MSF\0", "Rugby (UK) Radio 60 kHz" },
157 { "WWV\0", "Ft. Collins (US) Radio 2.5, 5, 10, 15, 20 MHz" },
158 { "WWVB", "Boulder (US) Radio 60 kHz" },
159 { "WWVH", "Kaui Hawaii (US) Radio 2.5, 5, 10, 15 MHz" },
160 { "CHU\0", "Ottawa (Canada) Radio 3330, 7335, 14670 kHz" },
161 { "LORC", "LORAN-C radionavigation system" },
162 { "OMEG", "OMEGA radionavigation system" },
163 { "GPS\0", "Global Positioning Service" },
164 { "GOES", "Geostationary Orbit Environment Satellite" },
165 { "DCN\0", "DCN routing protocol" },
166 { "NIST", "NIST public modem" },
167 { "TSP\0", "TSP time protocol" },
168 { "DTS\0", "Digital Time Service" },
169 { "ATOM", "Atomic clock (calibrated)" },
170 { "VLF\0", "VLF radio (OMEGA,, etc.)" },
171 { "IRIG", "IRIG-B timecode" },
172 { "1PPS", "External 1 PPS input" },
173 { "FREE", "(Internal clock)" },
177 static int proto_ntp = -1;
178 static int hf_ntp_flags = -1;
179 static int hf_ntp_flags_li = -1;
180 static int hf_ntp_flags_vn = -1;
181 static int hf_ntp_flags_mode = -1;
182 static int hf_ntp_stratum = -1;
183 static int hf_ntp_ppoll = -1;
184 static int hf_ntp_precision = -1;
185 static int hf_ntp_rootdelay = -1;
186 static int hf_ntp_rootdispersion = -1;
187 static int hf_ntp_refid = -1;
188 static int hf_ntp_reftime = -1;
189 static int hf_ntp_org = -1;
190 static int hf_ntp_rec = -1;
191 static int hf_ntp_xmt = -1;
192 static int hf_ntp_keyid = -1;
193 static int hf_ntp_mac = -1;
195 static gint ett_ntp = -1;
196 static gint ett_ntp_flags = -1;
198 /* ntp_fmt_ts - converts NTP timestamp to human readable string.
199 * tsdata - 64bit timestamp (IN)
200 * buff - string buffer for result (OUT)
201 * returns pointer to filled buffer.
204 ntp_fmt_ts(unsigned char * reftime, char* buff)
206 guint32 tempstmp, tempfrac;
211 tempstmp = pntohl(&reftime[0]);
212 tempfrac = pntohl(&reftime[4]);
213 if ((tempstmp == 0) && (tempfrac == 0)) {
214 strcpy (buff, "NULL");
217 temptime = tempstmp - (guint32) NTP_BASETIME;
218 bd = gmtime(&temptime);
219 fractime = bd->tm_sec + tempfrac / 4294967296.0;
220 snprintf(buff, NTP_TS_SIZE, "%04d-%02d-%02d %02d:%02d:%07.4f UTC",
221 bd->tm_year + 1900, bd->tm_mon + 1, bd->tm_mday,
222 bd->tm_hour, bd->tm_min, fractime);
227 /* dissect_ntp - dissects NTP packet data
228 * pd - pointer to packet data (IN)
229 * offset - offset of NTP data in pd (IN)
231 * proto_tree - resolved protocol tree
234 dissect_ntp(const u_char *pd, int offset, frame_data *fd, proto_tree *tree)
236 proto_tree *ntp_tree, *flags_tree;
238 struct ntp_packet *pkt;
239 gchar buff[NTP_TS_SIZE];
242 OLD_CHECK_DISPLAY_AS_DATA(proto_ntp, pd, offset, fd, tree);
244 /* get at least a full packet structure */
245 if ( !BYTES_ARE_IN_FRAME(offset, 48) ) /* 48 without keyid or mac */
248 pkt = (struct ntp_packet *) &pd[offset];
250 if (check_col(fd, COL_PROTOCOL))
251 col_set_str(fd, COL_PROTOCOL, "NTP");
253 if (check_col(fd, COL_INFO))
254 col_set_str(fd, COL_INFO, "NTP");
257 /* Adding NTP item and subtree */
258 ti = proto_tree_add_item(tree, proto_ntp, NullTVB, offset, END_OF_FRAME, FALSE);
259 ntp_tree = proto_item_add_subtree(ti, ett_ntp);
260 tf = proto_tree_add_bytes(ntp_tree, hf_ntp_flags, NullTVB, offset, 1, pkt->flags);
262 /* Adding flag subtree and items */
263 flags_tree = proto_item_add_subtree(tf, ett_ntp_flags);
264 proto_tree_add_uint_format(flags_tree, hf_ntp_flags_li, NullTVB, offset, 1,
265 *pkt->flags & NTP_LI_MASK,
266 decode_enumerated_bitfield(*pkt->flags, NTP_LI_MASK,
267 sizeof(pkt->flags) * 8, li_types, "Leap Indicator: %s"));
268 proto_tree_add_uint_format(flags_tree, hf_ntp_flags_vn, NullTVB, offset, 1,
269 *pkt->flags & NTP_VN_MASK,
270 decode_enumerated_bitfield(*pkt->flags, NTP_VN_MASK,
271 sizeof(pkt->flags) * 8, ver_nums, "Version number: %s"));
272 proto_tree_add_uint_format(flags_tree, hf_ntp_flags_mode, NullTVB, offset, 1,
273 *pkt->flags & NTP_MODE_MASK,
274 decode_enumerated_bitfield(*pkt->flags, NTP_MODE_MASK,
275 sizeof(pkt->flags) * 8, mode_types, "Mode: %s"));
277 /* Stratum, 1byte field represents distance from primary source
279 if (*pkt->stratum == 0) {
280 strcpy (buff, "Peer Clock Stratum: unspecified or unavailable (%d)");
281 } else if (*pkt->stratum == 1) {
282 strcpy (buff, "Peer Clock Stratum: primary reference (%d)");
283 } else if ((*pkt->stratum >= 2) && (*pkt->stratum <= 15)) {
284 strcpy (buff, "Peer Clock Stratum: secondary reference (%d)");
286 strcpy (buff, "Peer Clock Stratum: reserved: %d");
288 proto_tree_add_bytes_format(ntp_tree, hf_ntp_stratum, NullTVB, offset+1, 1, pkt->stratum,
289 buff, (int) *pkt->stratum);
290 /* Poll interval, 1byte field indicating the maximum interval between
291 * successive messages, in seconds to the nearest power of two.
293 proto_tree_add_bytes_format(ntp_tree, hf_ntp_ppoll, NullTVB, offset+2, 1, pkt->ppoll,
294 (((*pkt->ppoll >= 4) && (*pkt->ppoll <= 16)) ?
295 "Peer Pooling Interval: %d (%d sec)" :
296 "Peer Pooling Interval: invalid (%d)"), (int) *pkt->ppoll,
298 /* Precision, 1byte field indicating the precision of the
299 * local clock, in seconds to the nearest power of two.
301 proto_tree_add_bytes_format(ntp_tree, hf_ntp_precision, NullTVB, offset+3, 1, pkt->precision,
302 "Peer Clock Precision: %8.6f sec", pow(2, *pkt->precision));
303 /* Root Delay is a 32-bit signed fixed-point number indicating the
304 * total roundtrip delay to the primary reference source, in seconds
305 * with fraction point between bits 15 and 16.
307 proto_tree_add_bytes_format(ntp_tree, hf_ntp_rootdelay, NullTVB, offset+4, 4, pkt->rootdelay,
308 "Root Delay: %9.4f sec",
309 ((gint32) pntohs(pkt->rootdelay)) +
310 pntohs(pkt->rootdelay + 2) / 65536.0);
311 /* Root Dispersion, 32-bit unsigned fixed-point number indicating
312 * the nominal error relative to the primary reference source, in
313 * seconds with fraction point between bits 15 and 16.
315 proto_tree_add_bytes_format(ntp_tree, hf_ntp_rootdispersion, NullTVB, offset+8, 4, pkt->rootdispersion,
316 "Clock Dispersion: %9.4f sec",
317 ((gint32) pntohs(pkt->rootdispersion)) +
318 pntohs(pkt->rootdispersion + 2) / 65536.0);
319 /* Now, there is a problem with secondary servers. Standards asks
320 * from stratum-2 - stratum-15 servers to set this to the low order
321 * 32 bits of the latest transmit timestamp of the reference source.
322 * But, all V3 and V4 servers set this to IP adress of their higher
323 * level server. My decision was to resolve this address.
325 if (*pkt->stratum <= 1) {
326 snprintf (buff, sizeof buff,
327 "Unindentified reference source '%.4s'",
329 for (i = 0; primary_sources[i].id; i++) {
330 if (memcmp (pkt->refid, primary_sources[i].id,
332 strcpy (buff, primary_sources[i].data);
337 buff[sizeof(buff) - 1] = '\0';
338 strncpy (buff, get_hostname (pntohl(pkt->refid)), sizeof(buff));
339 if (buff[sizeof(buff) - 1] != '\0')
340 strcpy(&buff[sizeof(buff) - 4], "...");
342 proto_tree_add_bytes_format(ntp_tree, hf_ntp_refid, NullTVB, offset+12, 4, pkt->refid,
343 "Reference Clock ID: %s", buff);
344 /* Reference Timestamp: This is the time at which the local clock was
345 * last set or corrected.
347 proto_tree_add_bytes_format(ntp_tree, hf_ntp_reftime, NullTVB, offset+16, 8, pkt->reftime,
348 "Reference Clock Update Time: %s",
349 ntp_fmt_ts(pkt->reftime, buff));
350 /* Originate Timestamp: This is the time at which the request departed
351 * the client for the server.
353 proto_tree_add_bytes_format(ntp_tree, hf_ntp_org, NullTVB, offset+24, 8, pkt->org,
354 "Originate Time Stamp: %s",
355 ntp_fmt_ts(pkt->org, buff));
356 /* Receive Timestamp: This is the time at which the request arrived at
359 proto_tree_add_bytes_format(ntp_tree, hf_ntp_rec, NullTVB, offset+32, 8, pkt->rec,
360 "Receive Time Stamp: %s",
361 ntp_fmt_ts(pkt->rec, buff));
362 /* Transmit Timestamp: This is the time at which the reply departed the
363 * server for the client.
365 proto_tree_add_bytes_format(ntp_tree, hf_ntp_xmt, NullTVB, offset+40, 8, pkt->xmt,
366 "Transmit Time Stamp: %s",
367 ntp_fmt_ts(pkt->xmt, buff));
369 /* When the NTP authentication scheme is implemented, the Key Identifier
370 * and Message Digest fields contain the message authentication code
371 * (MAC) information defined in Appendix C of RFC-1305. Will print this as
374 if ( BYTES_ARE_IN_FRAME(offset, 50) )
375 proto_tree_add_bytes(ntp_tree, hf_ntp_keyid, NullTVB, offset+48, 4, pkt->keyid);
376 if ( BYTES_ARE_IN_FRAME(offset, 53) )
377 proto_tree_add_bytes(ntp_tree, hf_ntp_mac, NullTVB, offset+52, END_OF_FRAME, pkt->mac);
383 proto_register_ntp(void)
385 static hf_register_info hf[] = {
387 "Flags", "ntp.flags", FT_BYTES, BASE_HEX,
388 NULL, 0, "Flags (Leap/Version/Mode)" }},
389 { &hf_ntp_flags_li, {
390 "Leap Indicator", "ntp.flags.li", FT_UINT8, BASE_DEC,
391 VALS(li_types), 0, "Leap Indicator" }},
392 { &hf_ntp_flags_vn, {
393 "Version number", "ntp.flags.vn", FT_UINT8, BASE_DEC,
394 VALS(ver_nums), 0, "Version number" }},
395 { &hf_ntp_flags_mode, {
396 "Leap Indicator", "ntp.flags.mode", FT_UINT8, BASE_DEC,
397 VALS(mode_types), 0, "Leap Indicator" }},
399 "Peer Clock Stratum", "ntp.stratum", FT_BYTES, BASE_DEC,
400 NULL, 0, "Peer Clock Stratum" }},
402 "Peer Polling Interval", "ntp.ppoll", FT_BYTES, BASE_DEC,
403 NULL, 0, "Peer Polling Interval" }},
404 { &hf_ntp_precision, {
405 "Peer Clock Precision", "ntp.precision", FT_BYTES, BASE_DEC,
406 NULL, 0, "Peer Clock Precision" }},
407 { &hf_ntp_rootdelay, {
408 "Root Delay", "ntp.rootdelay", FT_BYTES, BASE_DEC,
409 NULL, 0, "Root Delay" }},
410 { &hf_ntp_rootdispersion, {
411 "Clock Dispersion", "ntp.rootdispersion", FT_BYTES, BASE_DEC,
412 NULL, 0, "Clock Dispersion" }},
414 "Reference Clock ID", "ntp.refid", FT_BYTES, BASE_NONE,
415 NULL, 0, "Reference Clock ID" }},
417 "Reference Clock Update Time", "ntp.reftime", FT_BYTES, BASE_NONE,
418 NULL, 0, "Reference Clock Update Time" }},
420 "Originate Time Stamp", "ntp.org", FT_BYTES, BASE_NONE,
421 NULL, 0, "Originate Time Stamp" }},
423 "Receive Time Stamp", "ntp.rec", FT_BYTES, BASE_NONE,
424 NULL, 0, "Receive Time Stamp" }},
426 "Transmit Time Stamp", "ntp.xmt", FT_BYTES, BASE_NONE,
427 NULL, 0, "Transmit Time Stamp" }},
429 "Key ID", "ntp.keyid", FT_BYTES, BASE_HEX,
430 NULL, 0, "Key ID" }},
432 "Message Authentication Code", "ntp.mac", FT_BYTES, BASE_HEX,
433 NULL, 0, "Message Authentication Code" }},
435 static gint *ett[] = {
440 proto_ntp = proto_register_protocol("Network Time Protocol", "NTP", "ntp");
441 proto_register_field_array(proto_ntp, hf, array_length(hf));
442 proto_register_subtree_array(ett, array_length(ett));
446 proto_reg_handoff_ntp(void)
448 old_dissector_add("udp.port", UDP_PORT_NTP, dissect_ntp);
449 old_dissector_add("tcp.port", TCP_PORT_NTP, dissect_ntp);