NTP: Network Time Protocol

layer 7 NTP

Introduction

This tutorial discusses the ntpDecode plugin. NTP (Network Time Protocol) is the common standard for synchronizing the clocks of network equipment of all sorts, and since certificate validity, Kerberos tickets and log correlation all depend on correct time, it pays to know what your NTP traffic actually looks like.

Preparation

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow ntpDecode txtSink

...
BUILD SUCCESSFUL

If you have not created separate data and results directories yet, do it now in another bash window; it makes the workflow easier:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: ntp.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing NTP traffic!

ntpDecode

This plugin was originally developed for troubleshooting purposes and has evolved somewhat since then.

Let’s look at the plugin configuration first:

ntpDecode

vi src/ntpDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define NTP_TS       1 // 1: print NTP timestamps, 0: no timestamps
#define NTP_LIVM_HEX 0 // Leap indicator, version number and mode:
                       // 0: split into three values, 1: aggregated hex number

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

/*        No env / runtime configuration flags available for ntpDecode        */

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

NTP_TS controls whether the four NTP timestamps (reference, originate, receive, transmit) are output, while NTP_LIVM_HEX controls how the leap indicator, version number and mode are displayed: split into three values (e.g. 0_4_3 for LI 0, version 4, client mode) or aggregated into the raw first header byte as one hex number (0x23 for the same packet). We leave everything at the default.
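To see where the ntpLi_V_M, ntpStrat, ntpPollInt, ntpPrec, ntpRtDel*, ntpRtDisp*, ntpRefClkId and timestamp columns come from, here is a decoder for the 48-byte NTP header written for this tutorial. It is an added example, not code from the Tranalyzer project. The sample packet is constructed from the first client request in the flow file below (LI 0, version 4, mode 3, stratum 3, poll 2^9 = 512 s, reference ID 77.245.18.26, the four timestamps, and raw root delay/dispersion values 297 and 4038); its precision field of -20 is an assumed, typical value. The livm_hex parameter reproduces both output forms of the NTP_LIVM_HEX flag.

```python
"""Decode a 48-byte NTP header into the fields ntpDecode reports.

Added example; not code from the Tranalyzer project.  SAMPLE_REQUEST is
constructed from the tutorial's first client packet; its precision (-20,
about 1 us) is an assumed value.
"""
import struct
from decimal import Decimal

NTP_UNIX_DELTA = 2208988800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch
NTP_LIVM_HEX = 0              # mirrors the ntpDecode flag: 0 = li_vn_mode split, 1 = one hex byte
MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
         4: "server", 5: "broadcast", 6: "control", 7: "private"}
HEADER = "!BBbbII4sQQQQ"      # li/vn/mode, stratum, poll, precision, root delay/disp, refid, 4 timestamps


def unix_to_ntp64(unix_str):
    """Exact 'sec.nanosec' string -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    t = Decimal(unix_str) + NTP_UNIX_DELTA
    secs = int(t)
    return (secs << 32) | int((t - secs) * (1 << 32))


def ntp64_to_unix(ts64):
    """64-bit NTP timestamp -> Unix seconds as float (NTP era 0 only)."""
    return (ts64 >> 32) - NTP_UNIX_DELTA + (ts64 & 0xFFFFFFFF) / 2**32


def decode_refid(stratum, refid):
    """Stratum 0 (kiss-o'-death code) and 1 (reference clock) carry four ASCII
    characters; stratum >= 2 carries the upstream server's IPv4 address (or the
    first four bytes of the hashed IPv6 address)."""
    if stratum <= 1:
        return refid.rstrip(b"\0").decode("ascii", "replace")
    return ".".join(str(b) for b in refid)


def decode_ntp(pkt, livm_hex=NTP_LIVM_HEX):
    """Parse an NTP header; raises ValueError if the packet is shorter than the header."""
    if len(pkt) < 48:
        raise ValueError("NTP header needs 48 bytes, got %d" % len(pkt))
    (livm, stratum, poll, prec, rdelay, rdisp, refid,
     ref, orig, rec, tran) = struct.unpack(HEADER, pkt[:48])
    li, vn, mode = livm >> 6, (livm >> 3) & 7, livm & 7
    return {
        "ntpLi_V_M": "0x%02x" % livm if livm_hex else "%d_%d_%d" % (li, vn, mode),
        "mode": MODES.get(mode, "reserved"),
        "ntpStrat": stratum,
        "ntpPollInt": 2 ** poll,          # poll and precision are signed log2 seconds
        "ntpPrec": 2.0 ** prec,
        "ntpRtDel": rdelay / 2**16,       # 16.16 fixed point ("NTP short format")
        "ntpRtDisp": rdisp / 2**16,
        "ntpRefClkId": decode_refid(stratum, refid),
        "ntpRefTS": ntp64_to_unix(ref),
        "ntpOrigTS": ntp64_to_unix(orig),
        "ntpRecTS": ntp64_to_unix(rec),
        "ntpTranTS": ntp64_to_unix(tran),
    }


def build_ntp(li, vn, mode, stratum, poll, prec, rdelay, rdisp, refid, *timestamps):
    """Assemble a header; used only to construct the sample packet below."""
    return struct.pack(HEADER, (li << 6) | (vn << 3) | mode, stratum, poll, prec,
                       rdelay, rdisp, refid, *(unix_to_ntp64(t) for t in timestamps))


# Constructed sample: the client request of flow 1, direction A, in the tutorial.
SAMPLE_REQUEST = build_ntp(0, 4, 3, 3, 9, -20, 297, 4038, bytes([77, 245, 18, 26]),
                           "1472569999.211569237", "1472569999.211361690",
                           "1472569999.211569237", "1472570513.207891971")

if __name__ == "__main__":
    for name, value in decode_ntp(SAMPLE_REQUEST).items():
        print("%-12s %s" % (name, value))
    print("aggregated:  %s" % decode_ntp(SAMPLE_REQUEST, livm_hex=1)["ntpLi_V_M"])
```

The root delay and dispersion are scaled by 2^16 as RFC 5905 specifies; the values in the tutorial's flow file (e.g. 0.00453193 and 0.06161593 for raw 297 and 4038) are consistent with a division by 65535 instead, so expect the last digits to differ when comparing this decoder with the ntpRtDel*/ntpRtDisp* columns.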

Now run t2 on the supplied pcap.

t2 -r ~/data/ntp.pcap -w ~/results/

The end report detects 38 NTP packets. The aggregated ntpStat currently has only one bit, which simply states that NTP was seen. Its meaning can be looked up with tawk:

tawk -V ntpStat=0x01

The ntpStat column with value 0x01 is to be interpreted as follows:

   bit | ntpStat | Description
   =============================================================================
     0 | 0x01    | NTP port detected

Now let’s look at the flow file. It contains all relevant information about the time synchronization: leap indicator, version and mode, stratum, reference clock identifier, poll interval, precision, root delay and dispersion, and the four NTP timestamps. With these you can troubleshoot whether time synchronization works as configured, e.g. that clients (mode 3, 0_4_3) only talk to the intended servers (mode 4, 0_4_4), that the servers report a sane stratum, and that the reference and transmit timestamps are plausible.

tcol ~/results/ntp_flows.txt

%dir  flowInd  flowStat            timeFirst             timeLast              duration     numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  vlanID  srcIP            srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  ntpStat  ntpLi_V_M  ntpStrat  ntpRefClkId    ntpRefStrId  ntpPollInt  ntpPrec  ntpRtDelMin   ntpRtDelMax   ntpRtDispMin  ntpRtDispMax  ntpRefTS              ntpOrigTS             ntpRecTS              ntpTranTS
A     1        0x0400000000004000  1472570513.207925000  1472570513.207925000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.245.18.26     ch       "NEXELLENT-MNT"    123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.06161593    0.06161593    1472569999.211569237  1472569999.211361690  1472569999.211569237  1472570513.207891971
B     1        0x0400000000004001  1472570513.211535000  1472570513.211535000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.245.18.26     ch       "NEXELLENT-MNT"    123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.0009613184  0.0009613184  0.01878386    0.01878386    1472570362.242637441  1472570513.207891971  1472570513.211010256  1472570513.211078693
A     2        0x0400000000004000  1472570618.207919000  1472570618.207919000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.109.139.83    ch       "Init7"            123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.03067063    0.03067063    1472570513.211536326  1472570091.211276905  1472570091.211306711  1472570618.207885562
B     2        0x0400000000004001  1472570618.211312000  1472570618.211312000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.109.139.83    ch       "Init7"            123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.003860533   0.003860533   0.0301976     0.0301976     1472569796.057972929  1472570618.207885562  1472570618.210994411  1472570618.211015764
A     3        0x0400000000004000  1472570632.207919000  1472570632.207919000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      193.225.118.129  hu       "NIIF-MNT"         123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.03088426    0.03088426    1472570513.211536326  1472570108.224029677  1472570108.240425109  1472570632.207887806
B     3        0x0400000000004001  1472570632.240444000  1472570632.240444000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           193.225.118.129  hu       "NIIF-MNT"         123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      228.143.95.23               512         1        0.0005951019  0.0005951019  0.005096513   0.005096513   1472570591.047067700  1472570632.207887806  1472570632.223725169  1472570632.223768640
A     4        0x0400000000004000  1472570705.207932000  1472570705.207932000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      130.60.204.10    ch       "SWITCH-MNT"       123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.03198291    0.03198291    1472570513.211536326  1472570180.212284269  1472570180.212053167  1472570705.207906738
B     4        0x0400000000004001  1472570705.212115000  1472570705.212115000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           130.60.204.10    ch       "SWITCH-MNT"       123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x04      130.60.204.8                512         1        0.002197299   0.002197299   0.07370108    0.07370108    1472570312.541679000  1472570705.207906738  1472570705.211867843  1472570705.211971567
A     5        0x0400000000004000  1472571032.207897000  1472571032.207897000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.245.18.26     ch       "NEXELLENT-MNT"    123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.03688106    0.03688106    1472570513.211536326  1472570513.211078693  1472570513.211536326  1472571032.207868770
B     5        0x0400000000004001  1472571032.211551000  1472571032.211551000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.245.18.26     ch       "NEXELLENT-MNT"    123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.0009613184  0.0009613184  0.02656596    0.02656596    1472570362.242637441  1472571032.207868770  1472571032.210783000  1472571032.210863186
A     6        0x0400000000004000  1472571132.207904000  1472571132.207904000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.109.139.83    ch       "Init7"            123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.0383917     0.0383917     1472570513.211536326  1472570618.211015764  1472570618.211313211  1472571132.207872098
B     6        0x0400000000004001  1472571132.211246000  1472571132.211246000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.109.139.83    ch       "Init7"            123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.003860533   0.003860533   0.03790341    0.03790341    1472569796.057972929  1472571132.207872098  1472571132.210707974  1472571132.210740269
A     7        0x0400000000004000  1472571173.207923000  1472571173.207923000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      193.225.118.129  hu       "NIIF-MNT"         123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.03900206    0.03900206    1472570513.211536326  1472570632.223768640  1472570632.240444603  1472571173.207881668
B     7        0x0400000000004001  1472571173.240507000  1472571173.240507000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           193.225.118.129  hu       "NIIF-MNT"         123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      228.143.95.23               512         1        0.0005798428  0.0005798428  0.009277485   0.009277485   1472570657.047002926  1472571173.207881668  1472571173.223569845  1472571173.223611802
A     8        0x0400000000004000  1472571238.207912000  1472571238.207912000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      130.60.204.10    ch       "SWITCH-MNT"       123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.03997864    0.03997864    1472570513.211536326  1472570705.211971567  1472570705.212116512  1472571238.207879442
B     8        0x0400000000004001  1472571238.212333000  1472571238.212333000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           130.60.204.10    ch       "SWITCH-MNT"       123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x04      130.60.205.7                512         1        0.002014191   0.002014191   0.07621881    0.07621881    1472570950.541664917  1472571238.207879442  1472571238.211619285  1472571238.211725223
A     9        0x0400000000004000  1472571559.207906000  1472571559.207906000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.245.18.26     ch       "NEXELLENT-MNT"    123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.00453193    0.00453193    0.04478523    0.04478523    1472570513.211536326  1472571032.210863186  1472571032.211552335  1472571559.207875832
B     9        0x0400000000004001  1472571559.211524000  1472571559.211524000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.245.18.26     ch       "NEXELLENT-MNT"    123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.0009613184  0.0009613184  0.03447013    0.03447013    1472570362.242637441  1472571559.207875832  1472571559.210827294  1472571559.210926321
A     10       0x0400000000004000  1472571673.207910000  1472571673.207910000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.109.139.83    ch       "Init7"            123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.04644846    0.04644846    1472571559.211524872  1472571132.210740269  1472571132.211247393  1472571673.207877233
B     10       0x0400000000004001  1472571673.211296000  1472571673.211296000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.109.139.83    ch       "Init7"            123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      36.224.68.195               512         1        0.009536888   0.009536888   0.03100633    0.03100633    1472571055.903184721  1472571673.207877233  1472571673.210864681  1472571673.210889936
A     11       0x0400000000004000  1472571688.207908000  1472571688.207908000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      193.225.118.129  hu       "NIIF-MNT"         123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.04667735    0.04667735    1472571559.211524872  1472571173.223611802  1472571173.240508277  1472571688.207881776
B     11       0x0400000000004001  1472571688.240453000  1472571688.240453000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           193.225.118.129  hu       "NIIF-MNT"         123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      228.143.95.23               512         1        0.0005951019  0.0005951019  0.006424048   0.006424048   1472571517.047096553  1472571688.207881776  1472571688.223647101  1472571688.223687885
A     12       0x0400000000004000  1472571758.207963000  1472571758.207963000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      130.60.204.10    ch       "SWITCH-MNT"       123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.04773022    0.04773022    1472571559.211524872  1472571238.211725223  1472571238.212334049  1472571758.207917422
B     12       0x0400000000004001  1472571758.212042000  1472571758.212042000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           130.60.204.10    ch       "SWITCH-MNT"       123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x04      130.60.205.7                512         1        0.002014191   0.002014191   0.08403143    0.08403143    1472570950.541664917  1472571758.207917422  1472571758.211324158  1472571758.211429396
A     13       0x0400000000004000  1472572098.207900000  1472572098.207900000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.245.18.26     ch       "NEXELLENT-MNT"    123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.05282673    0.05282673    1472571559.211524872  1472571559.210926321  1472571559.211524872  1472572098.207872400
B     13       0x0400000000004001  1472572098.211679000  1472572098.211679000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.245.18.26     ch       "NEXELLENT-MNT"    123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.0009613184  0.0009613184  0.04255741    0.04255741    1472570362.242637441  1472572098.207872400  1472572098.210856543  1472572098.211036357
A     14       0x0400000000004000  1472572213.207905000  1472572213.207905000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      193.225.118.129  hu       "NIIF-MNT"         123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.054551      0.054551      1472571559.211524872  1472571688.223687885  1472571688.240453802  1472572213.207876449
B     14       0x0400000000004001  1472572213.240438000  1472572213.240438000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           193.225.118.129  hu       "NIIF-MNT"         123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      228.143.95.23               512         1        0.0005645838  0.0005645838  0.009735256   0.009735256   1472571715.047003997  1472572213.207876449  1472572213.223584354  1472572213.223626915
A     15       0x0400000000004000  1472572216.207903000  1472572216.207903000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.109.139.83    ch       "Init7"            123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.05459678    0.05459678    1472571559.211524872  1472571673.210889936  1472571673.211297471  1472572216.207873602
B     15       0x0400000000004001  1472572216.211180000  1472572216.211180000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.109.139.83    ch       "Init7"            123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      36.224.68.195               512         1        0.009536888   0.009536888   0.03915465    0.03915465    1472571055.903184721  1472572216.207873602  1472572216.210727937  1472572216.210749891
A     16       0x0400000000004000  1472572288.207935000  1472572288.207935000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      130.60.204.10    ch       "SWITCH-MNT"       123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.05568017    0.05568017    1472571559.211524872  1472571758.211429396  1472571758.212043335  1472572288.207892169
B     16       0x0400000000004001  1472572288.212004000  1472572288.212004000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           130.60.204.10    ch       "SWITCH-MNT"       123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x04      130.60.159.7                512         1        0.003051804   0.003051804   0.07574578    0.07574578    1472571694.542394938  1472572288.207892169  1472572288.210963999  1472572288.211098802
A     17       0x0400000000004000  1472572618.207949000  1472572618.207949000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.245.18.26     ch       "NEXELLENT-MNT"    123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.06062409    0.06062409    1472571559.211524872  1472572098.211036357  1472572098.211679877  1472572618.207904146
B     17       0x0400000000004001  1472572618.211592000  1472572618.211592000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.245.18.26     ch       "NEXELLENT-MNT"    123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.001022354   0.001022354   0.02244602    0.02244602    1472572499.377970284  1472572618.207904146  1472572618.210951558  1472572618.211018844
A     18       0x0400000000004000  1472572746.207951000  1472572746.207951000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      193.225.118.129  hu       "NIIF-MNT"         123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.06254673    0.06254673    1472571559.211524872  1472572213.223626915  1472572213.240438806  1472572746.207916779
B     18       0x0400000000004001  1472572746.240517000  1472572746.240517000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           193.225.118.129  hu       "NIIF-MNT"         123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      228.143.95.23               512         1        0.0005493248  0.0005493248  0.004928664   0.004928664   1472572570.046974731  1472572746.207916779  1472572746.223698152  1472572746.223740332
A     19       0x0400000000004000  1472572749.207920000  1472572749.207920000  0.000000000  1           3        eth:ipv4:udp  e0:3f:49:7e:59:79  00:00:5e:00:01:11  0x0800           10.20.6.146      04       "Private network"  123      77.109.139.83    ch       "Init7"            123      17       0x01     0_4_3      0x03      77.245.18.26                512         1        0.004501412   0.004501412   0.06259251    0.06259251    1472571559.211524872  1472572216.210749891  1472572216.211181259  1472572749.207888683
B     19       0x0400000000004001  1472572749.211326000  1472572749.211326000  0.000000000  1           3        eth:ipv4:udp  90:e2:ba:0c:39:84  e0:3f:49:7e:59:79  0x0800           77.109.139.83    ch       "Init7"            123      10.20.6.146      04       "Private network"  123      17       0x01     0_4_4      0x02      192.33.96.102               512         1        0.003845274   0.003845274   0.03022812    0.03022812    1472571916.912230594  1472572749.207888683  1472572749.210904178  1472572749.210928030
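The four timestamps in each server reply are enough to compute the client's clock offset and the round-trip delay, which is the actual check behind "does time synchronization work". The script below does that over the flow file; it is an added example written for this tutorial, not part of Tranalyzer. It uses the RFC 5905 client formulas offset = ((T2 - T1) + (T3 - T4)) / 2 and delay = (T4 - T1) - (T3 - T2), with T1 = ntpOrigTS, T2 = ntpRecTS and T3 = ntpTranTS taken from the server reply (mode 4) and T4 = timeFirst, the capture time of that reply, standing in for the client's receive time. Columns are looked up by name in the header line, so the function also works on the real ~/results/ntp_flows.txt; SAMPLE is a constructed, tab-separated subset of the flow file above (flows 1 and 3). The 128 ms limit is ntpd's step threshold, used here as an assumed sanity bound.

```python
"""Clock offset and round-trip delay for every NTP server reply in a T2 flow file.

Added example; not part of Tranalyzer.  SAMPLE is a constructed subset of the
tutorial's flow file.  T4 is the capture time of the reply (timeFirst), which
equals the client's receive time only if the capture runs on the client.
"""
from decimal import Decimal

STEP_THRESHOLD = Decimal("0.128")   # ntpd step threshold, assumed sanity limit

SAMPLE = "\n".join("\t".join(row) for row in [
    ["%dir", "flowInd", "timeFirst", "srcIP", "dstIP", "ntpLi_V_M", "ntpStrat",
     "ntpOrigTS", "ntpRecTS", "ntpTranTS"],
    ["A", "1", "1472570513.207925000", "10.20.6.146", "77.245.18.26", "0_4_3", "0x03",
     "1472569999.211361690", "1472569999.211569237", "1472570513.207891971"],
    ["B", "1", "1472570513.211535000", "77.245.18.26", "10.20.6.146", "0_4_4", "0x02",
     "1472570513.207891971", "1472570513.211010256", "1472570513.211078693"],
    ["A", "3", "1472570632.207919000", "10.20.6.146", "193.225.118.129", "0_4_3", "0x03",
     "1472570108.224029677", "1472570108.240425109", "1472570632.207887806"],
    ["B", "3", "1472570632.240444000", "193.225.118.129", "10.20.6.146", "0_4_4", "0x02",
     "1472570632.207887806", "1472570632.223725169", "1472570632.223768640"],
])


def parse_flows(text):
    """Tab-separated T2 flow file -> list of {column: value} dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].lstrip("%").split("\t")
    return [dict(zip(header, l.split("\t"))) for l in lines[1:]]


def livm_fields(value):
    """Leap indicator and mode from ntpLi_V_M in either output form (NTP_LIVM_HEX 0 or 1)."""
    if "_" in value:
        li, _vn, mode = (int(x) for x in value.split("_"))
    else:
        raw = int(value, 16)
        li, mode = raw >> 6, raw & 7
    return li, mode


def ntp_offsets(text, max_abs_offset=STEP_THRESHOLD):
    """One result per server reply; Decimal arithmetic keeps the nanosecond digits."""
    results = []
    for f in parse_flows(text):
        li, mode = livm_fields(f["ntpLi_V_M"])
        if mode != 4:                       # only server replies carry T1..T3 of one exchange
            continue
        t1, t2, t3 = (Decimal(f[c]) for c in ("ntpOrigTS", "ntpRecTS", "ntpTranTS"))
        t4 = Decimal(f["timeFirst"])
        offset = ((t2 - t1) + (t3 - t4)) / 2
        delay = (t4 - t1) - (t3 - t2)
        results.append({
            "flow": f["flowInd"], "server": f["srcIP"], "client": f["dstIP"],
            "stratum": int(f["ntpStrat"], 16), "leap": li,
            "offset": offset, "delay": delay,
            # li == 3: the server's own clock is unsynchronized; a negative delay
            # means the four timestamps are inconsistent (bogus or tampered reply)
            "suspicious": li == 3 or delay < 0 or abs(offset) > max_abs_offset,
        })
    return results


if __name__ == "__main__":
    for r in ntp_offsets(SAMPLE):
        print("flow %s  %s (stratum %d) -> %s  offset %+.6f s  delay %.6f s%s" % (
            r["flow"], r["server"], r["stratum"], r["client"], r["offset"], r["delay"],
            "  SUSPICIOUS" if r["suspicious"] else ""))
```

For flow 1 this gives an offset of about +1.33 ms and a delay of 3.57 ms, for flow 3 about -0.42 ms and 32.5 ms, i.e. a client that is well within a few milliseconds of both servers. Keep in mind that T4 is the sniffer's clock: the offset is exact only when the capture runs on the client itself; otherwise it includes the skew between sniffer and client. To run it on the real output, pass the contents of ~/results/ntp_flows.txt to ntp_offsets().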

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf ntpDecode --reset && t2build ntpDecode

Have fun analyzing.