2 * Routines for NTP packet dissection
3 * Copyright 1999, Nathan Neulinger <nneul@umr.edu>
5 * $Id: packet-ntp.c,v 1.34 2002/01/24 09:20:50 guy Exp $
7 * Ethereal - Network traffic analyzer
8 * By Gerald Combs <gerald@ethereal.com>
9 * Copyright 1998 Gerald Combs
11 * Copied from packet-tftp.c
13 * This program is free software; you can redistribute it and/or
14 * modify it under the terms of the GNU General Public License
15 * as published by the Free Software Foundation; either version 2
16 * of the License, or (at your option) any later version.
18 * This program is distributed in the hope that it will be useful,
19 * but WITHOUT ANY WARRANTY; without even the implied warranty of
20 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21 * GNU General Public License for more details.
23 * You should have received a copy of the GNU General Public License
24 * along with this program; if not, write to the Free Software
25 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
34 #ifdef HAVE_SYS_TYPES_H
35 # include <sys/types.h>
38 #ifdef HAVE_NETINET_IN_H
39 # include <netinet/in.h>
47 #ifdef NEED_SNPRINTF_H
48 # include "snprintf.h"
51 #include <epan/packet.h>
52 #include <epan/resolv.h>
53 #include "packet-ntp.h"
56 * Dissecting NTP packets version 3 and 4 (RFC2030, RFC1769, RFC1361,
59 * Those packets have simple structure:
61 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
62 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
63 * |LI | VN |Mode | Stratum | Poll | Precision |
64 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
69 * | Reference Identifier |
70 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
71 * | Reference Timestamp (64) |
73 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
74 * | Originate Timestamp (64) |
76 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
77 * | Receive Timestamp (64) |
79 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
80 * | Transmit Timestamp (64) |
82 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
83 * | Key Identifier (optional) (32) |
84 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
85 * | Message Digest (optional) (128) |
89 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
90 * NTP timestamps are represented as a 64-bit unsigned fixed-point number,
91 * in seconds relative to 0h on 1 January 1900. The integer part is in the
92 * first 32 bits and the fraction part in the last 32 bits.
95 #define UDP_PORT_NTP 123
96 #define TCP_PORT_NTP 123
98 /* Leap indicator, 2bit field is used to warn of a inserted/deleted
99 * second, or to alarm loosed synchronization.
101 #define NTP_LI_MASK 0xC0
103 #define NTP_LI_NONE 0
106 #define NTP_LI_ALARM 3
108 static const value_string li_types[] = {
109 { NTP_LI_NONE, "no warning" },
110 { NTP_LI_61, "last minute has 61 seconds" },
111 { NTP_LI_59, "last minute has 59 seconds" },
112 { NTP_LI_ALARM, "alarm condition (clock not synchronized)" },
116 /* Version info, 3bit field informs about NTP version used in particular
117 * packet. According to rfc2030, version info could be only 3 or 4, but I
118 * have noticed packets with 1 or even 6 as version numbers. They are
119 * produced as a result of ntptrace command. Are those packets mailformed
120 * on purpose? I don't know yet, probably some browsing through ntp sources
121 * would help. My solution is to put them as reserved for now.
123 #define NTP_VN_MASK 0x38
125 static const value_string ver_nums[] = {
129 { 3, "NTP Version 3" },
130 { 4, "NTP Version 4" },
137 /* Mode, 3bit field representing mode of comunication.
139 #define NTP_MODE_MASK 7
141 #define NTP_MODE_RSV 0
142 #define NTP_MODE_SYMACT 1
143 #define NTP_MODE_SYMPAS 2
144 #define NTP_MODE_CLIENT 3
145 #define NTP_MODE_SERVER 4
146 #define NTP_MODE_BCAST 5
147 #define NTP_MODE_CTRL 6
148 #define NTP_MODE_PRIV 7
150 static const value_string mode_types[] = {
151 { NTP_MODE_RSV, "reserved" },
152 { NTP_MODE_SYMACT, "symmetric active" },
153 { NTP_MODE_SYMPAS, "symmetric passive" },
154 { NTP_MODE_CLIENT, "client" },
155 { NTP_MODE_SERVER, "server" },
156 { NTP_MODE_BCAST, "broadcast" },
157 { NTP_MODE_CTRL, "reserved for NTP control message"},
158 { NTP_MODE_PRIV, "reserved for private use" },
162 /* According to rfc, primary (stratum-0 and stratum-1) servers should set
163 * their Reference Clock ID (4bytes field) according to following table:
165 static const struct {
168 } primary_sources[] = {
169 { "LOCL", "uncalibrated local clock" },
170 { "PPS\0", "atomic clock or other pulse-per-second source" },
171 { "ACTS", "NIST dialup modem service" },
172 { "USNO", "USNO modem service" },
173 { "PTB\0", "PTB (Germany) modem service" },
174 { "TDF\0", "Allouis (France) Radio 164 kHz" },
175 { "DCF\0", "Mainflingen (Germany) Radio 77.5 kHz" },
176 { "MSF\0", "Rugby (UK) Radio 60 kHz" },
177 { "WWV\0", "Ft. Collins (US) Radio 2.5, 5, 10, 15, 20 MHz" },
178 { "WWVB", "Boulder (US) Radio 60 kHz" },
179 { "WWVH", "Kaui Hawaii (US) Radio 2.5, 5, 10, 15 MHz" },
180 { "CHU\0", "Ottawa (Canada) Radio 3330, 7335, 14670 kHz" },
181 { "LORC", "LORAN-C radionavigation system" },
182 { "OMEG", "OMEGA radionavigation system" },
183 { "GPS\0", "Global Positioning Service" },
184 { "GOES", "Geostationary Orbit Environment Satellite" },
185 { "DCN\0", "DCN routing protocol" },
186 { "NIST", "NIST public modem" },
187 { "TSP\0", "TSP time protocol" },
188 { "DTS\0", "Digital Time Service" },
189 { "ATOM", "Atomic clock (calibrated)" },
190 { "VLF\0", "VLF radio (OMEGA,, etc.)" },
191 { "IRIG", "IRIG-B timecode" },
192 { "1PPS", "External 1 PPS input" },
193 { "FREE", "(Internal clock)" },
197 static int proto_ntp = -1;
198 static int hf_ntp_flags = -1;
199 static int hf_ntp_flags_li = -1;
200 static int hf_ntp_flags_vn = -1;
201 static int hf_ntp_flags_mode = -1;
202 static int hf_ntp_stratum = -1;
203 static int hf_ntp_ppoll = -1;
204 static int hf_ntp_precision = -1;
205 static int hf_ntp_rootdelay = -1;
206 static int hf_ntp_rootdispersion = -1;
207 static int hf_ntp_refid = -1;
208 static int hf_ntp_reftime = -1;
209 static int hf_ntp_org = -1;
210 static int hf_ntp_rec = -1;
211 static int hf_ntp_xmt = -1;
212 static int hf_ntp_keyid = -1;
213 static int hf_ntp_mac = -1;
215 static gint ett_ntp = -1;
216 static gint ett_ntp_flags = -1;
218 /* ntp_fmt_ts - converts NTP timestamp to human readable string.
219 * reftime - 64bit timestamp (IN)
220 * buff - string buffer for result (OUT)
221 * returns pointer to filled buffer.
224 ntp_fmt_ts(const guint8 *reftime, char* buff)
226 guint32 tempstmp, tempfrac;
231 tempstmp = pntohl(&reftime[0]);
232 tempfrac = pntohl(&reftime[4]);
233 if ((tempstmp == 0) && (tempfrac == 0)) {
234 strcpy (buff, "NULL");
237 temptime = tempstmp - (guint32) NTP_BASETIME;
238 bd = gmtime(&temptime);
240 fractime = bd->tm_sec + tempfrac / 4294967296.0;
241 snprintf(buff, NTP_TS_SIZE,
242 "%04d-%02d-%02d %02d:%02d:%07.4f UTC",
243 bd->tm_year + 1900, bd->tm_mon + 1, bd->tm_mday,
244 bd->tm_hour, bd->tm_min, fractime);
246 strncpy(buff, "Not representable", NTP_TS_SIZE);
251 /* dissect_ntp - dissects NTP packet data
252 * tvb - tvbuff for packet data (IN)
253 * pinfo - packet info
254 * proto_tree - resolved protocol tree
257 dissect_ntp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
259 proto_tree *ntp_tree, *flags_tree;
266 double rootdispersion;
268 const guint8 *reftime;
272 gchar buff[NTP_TS_SIZE];
275 if (check_col(pinfo->cinfo, COL_PROTOCOL))
276 col_set_str(pinfo->cinfo, COL_PROTOCOL, "NTP");
278 if (check_col(pinfo->cinfo, COL_INFO))
279 col_set_str(pinfo->cinfo, COL_INFO, "NTP");
282 /* Adding NTP item and subtree */
283 ti = proto_tree_add_item(tree, proto_ntp, tvb, 0, -1, FALSE);
284 ntp_tree = proto_item_add_subtree(ti, ett_ntp);
286 flags = tvb_get_guint8(tvb, 0);
287 tf = proto_tree_add_uint(ntp_tree, hf_ntp_flags, tvb, 0, 1,
290 /* Adding flag subtree and items */
291 flags_tree = proto_item_add_subtree(tf, ett_ntp_flags);
292 proto_tree_add_uint(flags_tree, hf_ntp_flags_li, tvb, 0, 1,
294 proto_tree_add_uint(flags_tree, hf_ntp_flags_vn, tvb, 0, 1,
296 proto_tree_add_uint(flags_tree, hf_ntp_flags_mode, tvb, 0, 1,
299 /* Stratum, 1byte field represents distance from primary source
301 stratum = tvb_get_guint8(tvb, 1);
303 strcpy (buff, "Peer Clock Stratum: unspecified or unavailable (%u)");
304 } else if (stratum == 1) {
305 strcpy (buff, "Peer Clock Stratum: primary reference (%u)");
306 } else if ((stratum >= 2) && (stratum <= 15)) {
307 strcpy (buff, "Peer Clock Stratum: secondary reference (%u)");
309 strcpy (buff, "Peer Clock Stratum: reserved: %u");
311 proto_tree_add_uint_format(ntp_tree, hf_ntp_stratum, tvb, 1, 1,
312 stratum, buff, stratum);
313 /* Poll interval, 1byte field indicating the maximum interval
314 * between successive messages, in seconds to the nearest
317 ppoll = tvb_get_guint8(tvb, 2);
318 proto_tree_add_uint_format(ntp_tree, hf_ntp_ppoll, tvb, 2, 1,
320 (((ppoll >= 4) && (ppoll <= 16)) ?
321 "Peer Polling Interval: %u (%u sec)" :
322 "Peer Polling Interval: invalid (%u)"),
326 /* Precision, 1byte field indicating the precision of the
327 * local clock, in seconds to the nearest power of two.
329 precision = tvb_get_guint8(tvb, 3);
330 proto_tree_add_uint_format(ntp_tree, hf_ntp_precision, tvb, 3, 1,
332 "Peer Clock Precision: %8.6f sec",
335 /* Root Delay is a 32-bit signed fixed-point number indicating
336 * the total roundtrip delay to the primary reference source,
337 * in seconds with fraction point between bits 15 and 16.
339 rootdelay = ((gint16)tvb_get_ntohs(tvb, 4)) +
340 (tvb_get_ntohs(tvb, 6) / 65536.0);
341 proto_tree_add_double_format(ntp_tree, hf_ntp_rootdelay, tvb, 4, 4,
343 "Root Delay: %9.4f sec",
346 /* Root Dispersion, 32-bit unsigned fixed-point number indicating
347 * the nominal error relative to the primary reference source, in
348 * seconds with fraction point between bits 15 and 16.
350 rootdispersion = ((gint16)tvb_get_ntohs(tvb, 8)) +
351 (tvb_get_ntohs(tvb, 10) / 65536.0);
352 proto_tree_add_double_format(ntp_tree, hf_ntp_rootdispersion, tvb, 8, 4,
354 "Clock Dispersion: %9.4f sec",
357 /* Now, there is a problem with secondary servers. Standards
358 * asks from stratum-2 - stratum-15 servers to set this to the
359 * low order 32 bits of the latest transmit timestamp of the
361 * But, all V3 and V4 servers set this to IP adress of their
362 * higher level server. My decision was to resolve this address.
364 refid = tvb_get_ptr(tvb, 12, 4);
366 snprintf (buff, sizeof buff,
367 "Unindentified reference source '%.4s'",
369 for (i = 0; primary_sources[i].id; i++) {
370 if (memcmp (refid, primary_sources[i].id,
372 strcpy (buff, primary_sources[i].data);
377 buff[sizeof(buff) - 1] = '\0';
378 strncpy (buff, get_hostname (htonl(tvb_get_ntohl(tvb, 12))),
380 if (buff[sizeof(buff) - 1] != '\0')
381 strcpy(&buff[sizeof(buff) - 4], "...");
383 proto_tree_add_bytes_format(ntp_tree, hf_ntp_refid, tvb, 12, 4,
385 "Reference Clock ID: %s", buff);
387 /* Reference Timestamp: This is the time at which the local clock was
388 * last set or corrected.
390 reftime = tvb_get_ptr(tvb, 16, 8);
391 proto_tree_add_bytes_format(ntp_tree, hf_ntp_reftime, tvb, 16, 8,
393 "Reference Clock Update Time: %s",
394 ntp_fmt_ts(reftime, buff));
396 /* Originate Timestamp: This is the time at which the request departed
397 * the client for the server.
399 org = tvb_get_ptr(tvb, 24, 8);
400 proto_tree_add_bytes_format(ntp_tree, hf_ntp_org, tvb, 24, 8,
402 "Originate Time Stamp: %s",
403 ntp_fmt_ts(org, buff));
404 /* Receive Timestamp: This is the time at which the request arrived at
407 rec = tvb_get_ptr(tvb, 32, 8);
408 proto_tree_add_bytes_format(ntp_tree, hf_ntp_rec, tvb, 32, 8,
410 "Receive Time Stamp: %s",
411 ntp_fmt_ts(rec, buff));
412 /* Transmit Timestamp: This is the time at which the reply departed the
413 * server for the client.
415 xmt = tvb_get_ptr(tvb, 40, 8);
416 proto_tree_add_bytes_format(ntp_tree, hf_ntp_xmt, tvb, 40, 8,
418 "Transmit Time Stamp: %s",
419 ntp_fmt_ts(xmt, buff));
421 /* When the NTP authentication scheme is implemented, the
422 * Key Identifier and Message Digest fields contain the
423 * message authentication code (MAC) information defined in
424 * Appendix C of RFC-1305. Will print this as hex code for now.
426 if ( tvb_reported_length_remaining(tvb, 48) >= 4 )
427 proto_tree_add_item(ntp_tree, hf_ntp_keyid, tvb, 48, 4,
429 if ( tvb_reported_length_remaining(tvb, 52) > 0 )
430 proto_tree_add_item(ntp_tree, hf_ntp_mac, tvb, 52,
431 tvb_reported_length_remaining(tvb, 52),
438 proto_register_ntp(void)
440 static hf_register_info hf[] = {
442 "Flags", "ntp.flags", FT_UINT8, BASE_HEX,
443 NULL, 0, "Flags (Leap/Version/Mode)", HFILL }},
444 { &hf_ntp_flags_li, {
445 "Leap Indicator", "ntp.flags.li", FT_UINT8, BASE_DEC,
446 VALS(li_types), NTP_LI_MASK, "Leap Indicator", HFILL }},
447 { &hf_ntp_flags_vn, {
448 "Version number", "ntp.flags.vn", FT_UINT8, BASE_DEC,
449 VALS(ver_nums), NTP_VN_MASK, "Version number", HFILL }},
450 { &hf_ntp_flags_mode, {
451 "Mode", "ntp.flags.mode", FT_UINT8, BASE_DEC,
452 VALS(mode_types), NTP_MODE_MASK, "Mode", HFILL }},
454 "Peer Clock Stratum", "ntp.stratum", FT_UINT8, BASE_DEC,
455 NULL, 0, "Peer Clock Stratum", HFILL }},
457 "Peer Polling Interval", "ntp.ppoll", FT_UINT8, BASE_DEC,
458 NULL, 0, "Peer Polling Interval", HFILL }},
459 { &hf_ntp_precision, {
460 "Peer Clock Precision", "ntp.precision", FT_UINT8, BASE_DEC,
461 NULL, 0, "Peer Clock Precision", HFILL }},
462 { &hf_ntp_rootdelay, {
463 "Root Delay", "ntp.rootdelay", FT_DOUBLE, BASE_DEC,
464 NULL, 0, "Root Delay", HFILL }},
465 { &hf_ntp_rootdispersion, {
466 "Clock Dispersion", "ntp.rootdispersion", FT_DOUBLE, BASE_DEC,
467 NULL, 0, "Clock Dispersion", HFILL }},
469 "Reference Clock ID", "ntp.refid", FT_BYTES, BASE_NONE,
470 NULL, 0, "Reference Clock ID", HFILL }},
472 "Reference Clock Update Time", "ntp.reftime", FT_BYTES, BASE_NONE,
473 NULL, 0, "Reference Clock Update Time", HFILL }},
475 "Originate Time Stamp", "ntp.org", FT_BYTES, BASE_NONE,
476 NULL, 0, "Originate Time Stamp", HFILL }},
478 "Receive Time Stamp", "ntp.rec", FT_BYTES, BASE_NONE,
479 NULL, 0, "Receive Time Stamp", HFILL }},
481 "Transmit Time Stamp", "ntp.xmt", FT_BYTES, BASE_NONE,
482 NULL, 0, "Transmit Time Stamp", HFILL }},
484 "Key ID", "ntp.keyid", FT_BYTES, BASE_HEX,
485 NULL, 0, "Key ID", HFILL }},
487 "Message Authentication Code", "ntp.mac", FT_BYTES, BASE_HEX,
488 NULL, 0, "Message Authentication Code", HFILL }},
490 static gint *ett[] = {
495 proto_ntp = proto_register_protocol("Network Time Protocol", "NTP",
497 proto_register_field_array(proto_ntp, hf, array_length(hf));
498 proto_register_subtree_array(ett, array_length(ett));
502 proto_reg_handoff_ntp(void)
504 dissector_handle_t ntp_handle;
506 ntp_handle = create_dissector_handle(dissect_ntp, proto_ntp);
507 dissector_add("udp.port", UDP_PORT_NTP, ntp_handle);
508 dissector_add("tcp.port", TCP_PORT_NTP, ntp_handle);