/* packet-ntp.c * Routines for NTP packet dissection * Copyright 1999, Nathan Neulinger * * Wireshark - Network traffic analyzer * By Gerald Combs * Copyright 1998 Gerald Combs * * Copied from packet-tftp.c * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. */ #include "config.h" #include #include #include #include #include #include "packet-ntp.h" void proto_register_ntp(void); void proto_reg_handoff_ntp(void); /* * Dissecting NTP packets version 3 and 4 (RFC5905, RFC2030, RFC1769, RFC1361, * RFC1305). * * Those packets have simple structure: * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * |LI | VN |Mode | Stratum | Poll | Precision | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Root Delay | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Root Dispersion | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Reference Identifier | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Reference Timestamp (64) | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Originate Timestamp (64) | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Receive Timestamp (64) | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Transmit Timestamp (64) | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Key Identifier (optional) (32) | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Message Digest (optional) (128/160) | * | | * | | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * NTP timestamps are represented as a 64-bit unsigned fixed-point number, * in seconds relative to 0h on 1 January 1900. The integer part is in the * first 32 bits and the fraction part in the last 32 bits. * * * NTP Control messages as defined in version 2, 3 and 4 (RFC1119, RFC1305) use * the following structure: * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * |00 | VN | 110 |R E M| OpCode | Sequence | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Status | Association ID | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Offset | Count | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | | * | Data (468 octets max) | * | | * | | Padding (zeros) | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Authenticator (optional) (96) | * | | * | | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * * Not yet implemented: complete dissection of TPCTRL_OP_SETTRAP, * NTPCTRL_OP_ASYNCMSG, NTPCTRL_OP_UNSETTRAPSETTRAP Control-Messages * */ #define UDP_PORT_NTP 123 #define TCP_PORT_NTP 123 /* Leap indicator, 2bit field is used to warn of a inserted/deleted * second, or clock unsynchronized indication. */ #define NTP_LI_MASK 0xC0 #define NTP_LI_NONE 0 #define NTP_LI_61 1 #define NTP_LI_59 2 #define NTP_LI_UNKNOWN 3 static const value_string li_types[] = { { NTP_LI_NONE, "no warning" }, { NTP_LI_61, "last minute of the day has 61 seconds" }, { NTP_LI_59, "last minute of the day has 59 seconds" }, { NTP_LI_UNKNOWN, "unknown (clock unsynchronized)" }, { 0, NULL} }; /* Version info, 3bit field informs about NTP version used in particular * packet. According to rfc2030, version info could be only 3 or 4, but I * have noticed packets with 1 or even 6 as version numbers. They are * produced as a result of ntptrace command. Are those packets malformed * on purpose? I don't know yet, probably some browsing through ntp sources * would help. My solution is to put them as reserved for now. */ #define NTP_VN_MASK 0x38 static const value_string ver_nums[] = { { 0, "reserved" }, { 1, "NTP Version 1" }, { 2, "NTP Version 2" }, { 3, "NTP Version 3" }, { 4, "NTP Version 4" }, { 5, "reserved" }, { 6, "reserved" }, { 7, "reserved" }, { 0, NULL} }; /* Mode, 3bit field representing mode of communication. */ #define NTP_MODE_MASK 7 #define NTP_MODE_RSV 0 #define NTP_MODE_SYMACT 1 #define NTP_MODE_SYMPAS 2 #define NTP_MODE_CLIENT 3 #define NTP_MODE_SERVER 4 #define NTP_MODE_BCAST 5 #define NTP_MODE_CTRL 6 #define NTP_MODE_PRIV 7 static const value_string mode_types[] = { { NTP_MODE_RSV, "reserved" }, { NTP_MODE_SYMACT, "symmetric active" }, { NTP_MODE_SYMPAS, "symmetric passive" }, { NTP_MODE_CLIENT, "client" }, { NTP_MODE_SERVER, "server" }, { NTP_MODE_BCAST, "broadcast" }, { NTP_MODE_CTRL, "reserved for NTP control message"}, { NTP_MODE_PRIV, "reserved for private use" }, { 0, NULL} }; static const value_string info_mode_types[] = { { NTP_MODE_RSV, "reserved" }, { NTP_MODE_SYMACT, "symmetric active" }, { NTP_MODE_SYMPAS, "symmetric passive" }, { NTP_MODE_CLIENT, "client" }, { NTP_MODE_SERVER, "server" }, { NTP_MODE_BCAST, "broadcast" }, { NTP_MODE_CTRL, "control"}, { NTP_MODE_PRIV, "private" }, { 0, NULL} }; /* According to rfc, primary (stratum-0 and stratum-1) servers should set * their Reference ID (4bytes field) according to following table: */ static const struct { const char *id; const char *data; } primary_sources[] = { /* IANA / RFC 5905 */ { "GOES", "Geostationary Orbit Environment Satellite" }, { "GPS\0", "Global Position System" }, { "GAL\0", "Galileo Positioning System" }, { "PPS\0", "Generic pulse-per-second" }, { "IRIG", "Inter-Range Instrumentation Group" }, { "WWVB", "LF Radio WWVB Ft. Collins, CO 60 kHz" }, { "DCF\0", "LF Radio DCF77 Mainflingen, DE 77.5 kHz" }, { "HBG\0", "LF Radio HBG Prangins, HB 75 kHz" }, { "MSF\0", "LF Radio MSF Anthorn, UK 60 kHz" }, { "JJY\0", "LF Radio JJY Fukushima, JP 40 kHz, Saga, JP 60 kHz" }, { "LORC", "MF Radio LORAN C station, 100 kHz" }, { "TDF\0", "MF Radio Allouis, FR 162 kHz" }, { "CHU\0", "HF Radio CHU Ottawa, Ontario" }, { "WWV\0", "HF Radio WWV Ft. Collins, CO" }, { "WWVH", "HF Radio WWVH Kauai, HI" }, { "NIST", "NIST telephone modem" }, { "ACTS", "NIST telephone modem" }, { "USNO", "USNO telephone modem" }, { "PTB\0", "European telephone modem" }, /* Unofficial codes */ { "LOCL", "uncalibrated local clock" }, { "CESM", "calibrated Cesium clock" }, { "RBDM", "calibrated Rubidium clock" }, { "OMEG", "OMEGA radionavigation system" }, { "DCN\0", "DCN routing protocol" }, { "TSP\0", "TSP time protocol" }, { "DTS\0", "Digital Time Service" }, { "ATOM", "Atomic clock (calibrated)" }, { "VLF\0", "VLF radio (OMEGA,, etc.)" }, { "1PPS", "External 1 PPS input" }, { "FREE", "(Internal clock)" }, { "INIT", "(Initialization)" }, { "\0\0\0\0", "NULL" }, { NULL, NULL} }; #define NTP_EXT_R_MASK 0x80 static const value_string ext_r_types[] = { { 0, "Request" }, { 1, "Response" }, { 0, NULL} }; #define NTP_EXT_ERROR_MASK 0x40 #define NTP_EXT_VN_MASK 0x3f static const value_string ext_op_types[] = { { 0, "NULL" }, { 1, "ASSOC" }, { 2, "CERT" }, { 3, "COOK" }, { 4, "AUTO" }, { 5, "TAI" }, { 6, "SIGN" }, { 7, "IFF" }, { 8, "GQ" }, { 9, "MV" }, { 0, NULL} }; #define NTPCTRL_R_MASK 0x80 #define ctrl_r_types ext_r_types #define NTPCTRL_ERROR_MASK 0x40 #define NTPCTRL_MORE_MASK 0x20 #define NTPCTRL_OP_MASK 0x1f #define NTPCTRL_OP_UNSPEC 0 #define NTPCTRL_OP_READSTAT 1 #define NTPCTRL_OP_READVAR 2 #define NTPCTRL_OP_WRITEVAR 3 #define NTPCTRL_OP_READCLOCK 4 #define NTPCTRL_OP_WRITECLOCK 5 #define NTPCTRL_OP_SETTRAP 6 #define NTPCTRL_OP_ASYNCMSG 7 #define NTPCTRL_OP_UNSETTRAP 31 static const value_string ctrl_op_types[] = { { NTPCTRL_OP_UNSPEC, "UNSPEC" }, { NTPCTRL_OP_READSTAT, "READSTAT" }, { NTPCTRL_OP_READVAR, "READVAR" }, { NTPCTRL_OP_WRITEVAR, "WRITEVAR" }, { NTPCTRL_OP_READCLOCK, "READCLOCK" }, { NTPCTRL_OP_WRITECLOCK, "WRITECLOCK" }, { NTPCTRL_OP_SETTRAP, "SETTRAP" }, { NTPCTRL_OP_ASYNCMSG, "ASYNCMSG" }, { NTPCTRL_OP_UNSETTRAP, "UNSETTRAP" }, { 0, NULL} }; #define NTPCTRL_SYSSTATUS_LI_MASK 0xC000 #define NTPCTRL_SYSSTATUS_CLK_MASK 0x3F00 #define NTPCTRL_SYSSTATUS_COUNT_MASK 0x00F0 #define NTPCTRL_SYSSTATUS_CODE_MASK 0x000F static const value_string ctrl_sys_status_clksource_types[] = { { 0, "unspecified or unknown" }, { 1, "Calibrated atomic clock (e.g. HP 5061)" }, { 2, "VLF (band 4) or LF (band 5) radio (e.g. OMEGA, WWVB)" }, { 3, "HF (band 7) radio (e.g. CHU, MSF, WWV/H)" }, { 4, "UHF (band 9) satellite (e.g. GOES, GPS)" }, { 5, "local net (e.g. DCN, TSP, DTS)" }, { 6, "UDP/NTP" }, { 7, "UDP/TIME" }, { 8, "eyeball-and-wristwatch" }, { 9, "telephone modem (e.g. NIST)" }, { 0, NULL} }; static const value_string ctrl_sys_status_event_types[] = { { 0, "unspecified" }, { 1, "system restart" }, { 2, "system or hardware fault" }, { 3, "system new status word (leap bits or synchronization change)" }, { 4, "system new synchronization source or stratum (sys.peer or sys.stratum change)" }, { 5, "system clock reset (offset correction exceeds CLOCK.MAX)" }, { 6, "system invalid time or date (see NTP spec.)" }, { 7, "system clock exception (see system clock status word)" }, { 0, NULL} }; #define NTPCTRL_PEERSTATUS_STATUS_MASK 0xF800 #define NTPCTRL_PEERSTATUS_CONFIG_MASK 0x8000 #define NTPCTRL_PEERSTATUS_AUTHENABLE_MASK 0x4000 #define NTPCTRL_PEERSTATUS_AUTHENTIC_MASK 0x2000 #define NTPCTRL_PEERSTATUS_REACH_MASK 0x1000 #define NTPCTRL_PEERSTATUS_RESERVED_MASK 0x0800 #define NTPCTRL_PEERSTATUS_SEL_MASK 0x0700 #define NTPCTRL_PEERSTATUS_COUNT_MASK 0x00F0 #define NTPCTRL_PEERSTATUS_CODE_MASK 0x000F static const true_false_string tfs_ctrl_peer_status_config = {"configured (peer.config)", "not configured (peer.config)" }; static const true_false_string tfs_ctrl_peer_status_authenable = { "authentication enabled (peer.authenable", "authentication disabled (peer.authenable" }; static const true_false_string tfs_ctrl_peer_status_authentic = { "authentication okay (peer.authentic)", "authentication not okay (peer.authentic)" }; static const true_false_string tfs_ctrl_peer_status_reach = {"reachability okay (peer.reach != 0)", "reachability not okay (peer.reach != 0)" }; static const value_string ctrl_peer_status_selection_types[] = { { 0, "rejected" }, { 1, "passed sanity checks (tests 1 through 8 in Section 3.4.3)" }, { 2, "passed correctness checks (intersection algorithm in Section 4.2.1)" }, { 3, "passed candidate checks (if limit check implemented)" }, { 4, "passed outlyer checks (clustering algorithm in Section 4.2.2)" }, { 5, "current synchronization source; max distance exceeded (if limit check implemented)" }, { 6, "current synchronization source; max distance okay" }, { 7, "reserved" }, { 0, NULL} }; static const value_string ctrl_peer_status_event_types[] = { { 0, "unspecified" }, { 1, "peer IP error" }, { 2, "peer authentication failure (peer.authentic bit was one now zero)" }, { 3, "peer unreachable (peer.reach was nonzero now zero)" }, { 4, "peer reachable (peer.reach was zero now nonzero)" }, { 5, "peer clock exception (see peer clock status word)" }, { 0, NULL} }; #define NTPCTRL_CLKSTATUS_STATUS_MASK 0xFF00 #define NTPCTRL_CLKSTATUS_CODE_MASK 0x00FF static const value_string ctrl_clk_status_types[] = { { 0, "clock operating within nominals" }, { 1, "reply timeout" }, { 2, "bad reply format" }, { 3, "hardware or software fault" }, { 4, "propagation failure" }, { 5, "bad date format or value" }, { 6, "bad time format or value" }, { 0, NULL} }; #define NTP_CTRL_ERRSTATUS_CODE_MASK 0xFF00 static const value_string ctrl_err_status_types[] = { { 0, "unspecified" }, { 1, "authentication failure" }, { 2, "invalid message length or format" }, { 3, "invalid opcode" }, { 4, "unknown association identifier" }, { 5, "unknown variable name" }, { 6, "invalid variable value" }, { 7, "administratively prohibited" }, { 0, NULL} }; static const value_string err_values_types[] = { { 0, "No error" }, { 1, "incompatible implementation number"}, { 2, "unimplemented request code" }, { 3, "format error" }, { 4, "no data available" }, { 5, "unknown" }, { 6, "unknown" }, { 7, "authentication failure"}, { 0, NULL} }; #define NTPPRIV_R_MASK 0x80 #define priv_r_types ext_r_types #define NTPPRIV_MORE_MASK 0x40 #define NTPPRIV_AUTH_MASK 0x80 #define NTPPRIV_SEQ_MASK 0x7f #define XNTPD 0x03 static const value_string priv_impl_types[] = { { 0, "UNIV" }, { 2, "XNTPD_OLD (pre-IPv6)" }, { 3, "XNTPD" }, { 0, NULL} }; #define MON_GETLIST_1 42 static const value_string priv_rc_types[] = { { 0, "PEER_LIST" }, { 1, "PEER_LIST_SUM" }, { 2, "PEER_INFO" }, { 3, "PEER_STATS" }, { 4, "SYS_INFO" }, { 5, "SYS_STATS" }, { 6, "IO_STATS" }, { 7, "MEM_STATS" }, { 8, "LOOP_INFO" }, { 9, "TIMER_STATS" }, { 10, "CONFIG" }, { 11, "UNCONFIG" }, { 12, "SET_SYS_FLAG" }, { 13, "CLR_SYS_FLAG" }, { 16, "GET_RESTRICT" }, { 17, "RESADDFLAGS" }, { 18, "RESSUBFLAGS" }, { 19, "UNRESTRICT" }, { 20, "MON_GETLIST" }, { 21, "RESET_STATS" }, { 22, "RESET_PEER" }, { 23, "REREAD_KEYS" }, { 26, "TRUSTKEY" }, { 27, "UNTRUSTKEY" }, { 28, "AUTHINFO" }, { 29, "TRAPS" }, { 30, "ADD_TRAP" }, { 31, "CLR_TRAP" }, { 32, "REQUEST_KEY" }, { 33, "CONTROL_KEY" }, { 34, "GET_CTLSTATS" }, { 36, "GET_CLOCKINFO" }, { 37, "SET_CLKFUDGE" }, { 38, "GET_KERNEL" }, { 39, "GET_CLKBUGINFO" }, { 42, "MON_GETLIST_1" }, { 43, "HOSTNAME_ASSOCID" }, { 0, NULL} }; static value_string_ext priv_rc_types_ext = VALUE_STRING_EXT_INIT(priv_rc_types); static const range_string stratum_rvals[] = { { 0, 0, "unspecified or invalid" }, { 1, 1, "primary reference" }, { 2, 15, "secondary reference" }, { 16, 16, "unsynchronized" }, { 17, 255, "reserved" }, { 0, 0, NULL } }; #define NTP_MD5_ALGO 0 #define NTP_SHA_ALGO 1 static const value_string authentication_types[] = { { NTP_MD5_ALGO, "MD5" }, { NTP_SHA_ALGO, "SHA" }, { 0, NULL} }; /* * Maximum MAC length : 160 bits MAC + 32 bits Key ID */ #define MAX_MAC_LEN (6 * sizeof (guint32)) static int proto_ntp = -1; static int hf_ntp_flags = -1; static int hf_ntp_flags_li = -1; static int hf_ntp_flags_vn = -1; static int hf_ntp_flags_mode = -1; static int hf_ntp_stratum = -1; static int hf_ntp_ppoll = -1; static int hf_ntp_precision = -1; static int hf_ntp_rootdelay = -1; static int hf_ntp_rootdispersion = -1; static int hf_ntp_refid = -1; static int hf_ntp_reftime = -1; static int hf_ntp_org = -1; static int hf_ntp_rec = -1; static int hf_ntp_xmt = -1; static int hf_ntp_keyid = -1; static int hf_ntp_mac = -1; static int hf_ntp_key_type = -1; static int hf_ntp_key_index = -1; static int hf_ntp_key_signature = -1; static int hf_ntp_ext = -1; static int hf_ntp_ext_flags = -1; static int hf_ntp_ext_flags_r = -1; static int hf_ntp_ext_flags_error = -1; static int hf_ntp_ext_flags_vn = -1; static int hf_ntp_ext_op = -1; static int hf_ntp_ext_len = -1; static int hf_ntp_ext_associd = -1; static int hf_ntp_ext_tstamp = -1; static int hf_ntp_ext_fstamp = -1; static int hf_ntp_ext_vallen = -1; static int hf_ntp_ext_val = -1; static int hf_ntp_ext_siglen = -1; static int hf_ntp_ext_sig = -1; static int hf_ntpctrl_flags2 = -1; static int hf_ntpctrl_flags2_r = -1; static int hf_ntpctrl_flags2_error = -1; static int hf_ntpctrl_flags2_more = -1; static int hf_ntpctrl_flags2_opcode = -1; static int hf_ntpctrl_sequence = -1; static int hf_ntpctrl_status = -1; static int hf_ntpctrl_error_status_word = -1; static int hf_ntpctrl_sys_status_li = -1; static int hf_ntpctrl_sys_status_clksrc = -1; static int hf_ntpctrl_sys_status_count = -1; static int hf_ntpctrl_sys_status_code = -1; static int hf_ntpctrl_peer_status_b0 = -1; static int hf_ntpctrl_peer_status_b1 = -1; static int hf_ntpctrl_peer_status_b2 = -1; static int hf_ntpctrl_peer_status_b3 = -1; static int hf_ntpctrl_peer_status_b4 = -1; static int hf_ntpctrl_peer_status_selection = -1; static int hf_ntpctrl_peer_status_count = -1; static int hf_ntpctrl_peer_status_code = -1; static int hf_ntpctrl_clk_status = -1; static int hf_ntpctrl_clk_status_code = -1; static int hf_ntpctrl_associd = -1; static int hf_ntpctrl_offset = -1; static int hf_ntpctrl_count = -1; static int hf_ntpctrl_data = -1; static int hf_ntpctrl_item = -1; static int hf_ntpctrl_trapmsg = -1; static int hf_ntppriv_flags_r = -1; static int hf_ntppriv_flags_more = -1; static int hf_ntppriv_auth_seq = -1; static int hf_ntppriv_auth = -1; static int hf_ntppriv_seq = -1; static int hf_ntppriv_impl = -1; static int hf_ntppriv_reqcode = -1; static int hf_ntppriv_errcode = -1; static int hf_ntppriv_numitems = -1; static int hf_ntppriv_mbz = -1; static int hf_monlist_item = -1; static int hf_ntppriv_itemsize = -1; static int hf_ntppriv_avgint = -1; static int hf_ntppriv_lsint = -1; static int hf_ntppriv_count = -1; static int hf_ntppriv_restr = -1; static int hf_ntppriv_addr = -1; static int hf_ntppriv_daddr = -1; static int hf_ntppriv_flags = -1; static int hf_ntppriv_port = -1; static int hf_ntppriv_mode = -1; static int hf_ntppriv_version = -1; static int hf_ntppriv_v6_flag = -1; static int hf_ntppriv_addr6 = -1; static int hf_ntppriv_daddr6 = -1; static gint ett_ntp = -1; static gint ett_ntp_flags = -1; static gint ett_ntp_ext = -1; static gint ett_ntp_ext_flags = -1; static gint ett_ntpctrl_flags2 = -1; static gint ett_ntpctrl_status = -1; static gint ett_ntpctrl_data = -1; static gint ett_ntpctrl_item = -1; static gint ett_ntppriv_auth_seq = -1; static gint ett_monlist_item = -1; static gint ett_ntp_authenticator = -1; static expert_field ei_ntp_ext = EI_INIT; static const char *mon_names[12] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }; static const int *ntp_header_fields[] = { &hf_ntp_flags_li, &hf_ntp_flags_vn, &hf_ntp_flags_mode, NULL }; /* * dissect peer status word: * 1 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Status | Sel | Count | Code | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ static const int *peer_status_flags[] = { &hf_ntpctrl_peer_status_b0, &hf_ntpctrl_peer_status_b1, &hf_ntpctrl_peer_status_b2, &hf_ntpctrl_peer_status_b3, &hf_ntpctrl_peer_status_b4, &hf_ntpctrl_peer_status_selection, &hf_ntpctrl_peer_status_count, &hf_ntpctrl_peer_status_code, NULL }; /* parser definitions */ static tvbparse_wanted_t *want; static tvbparse_wanted_t *want_ignore; /* NTP_BASETIME is in fact epoch - ntp_start_time */ #define NTP_BASETIME 2208988800u #define NTP_FLOAT_DENOM 4294967296.0 #define NTP_TS_SIZE 100 /* Modified tvb_ntp_fmt_ts * tvb_mip6_fmt_ts - converts MIP6 timestamp to human readable string. * Timestamp * * A 64-bit unsigned integer field containing a timestamp. The * value indicates the number of seconds since January 1, 1970, * 00:00 UTC, by using a fixed point format. In this format, the * integer number of seconds is contained in the first 48 bits of * the field, and the remaining 16 bits indicate the number of * 1/65536 fractions of a second. * * TVB and an offset (IN). * returns pointer to filled buffer. This buffer will be freed automatically once * dissection of the next packet occurs. */ const char * tvb_mip6_fmt_ts(tvbuff_t *tvb, gint offset) { guint64 tempstmp; guint32 tempfrac; time_t temptime; struct tm *bd; double fractime; char *buff; tempstmp = tvb_get_ntoh48(tvb, offset); tempfrac = tvb_get_ntohs(tvb, offset+6); tempfrac <<= 16; if ((tempstmp == 0) && (tempfrac == 0)) { return "NULL"; } temptime = (time_t)(tempstmp /*- NTP_BASETIME*/); bd = gmtime(&temptime); if(!bd){ return "Not representable"; } fractime = bd->tm_sec + tempfrac / NTP_FLOAT_DENOM; buff = (char *)wmem_alloc(wmem_packet_scope(), NTP_TS_SIZE); g_snprintf(buff, NTP_TS_SIZE, "%s %2d, %d %02d:%02d:%07.4f UTC", mon_names[bd->tm_mon], bd->tm_mday, bd->tm_year + 1900, bd->tm_hour, bd->tm_min, fractime); return buff; } /* tvb_ntp_fmt_ts - converts NTP timestamp to human readable string. * TVB and an offset (IN). * returns pointer to filled buffer. This buffer will be freed automatically once * dissection of the next packet occurs. */ const char * tvb_ntp_fmt_ts(tvbuff_t *tvb, gint offset) { guint32 tempstmp, tempfrac; time_t temptime; struct tm *bd; double fractime; char *buff; tempstmp = tvb_get_ntohl(tvb, offset); tempfrac = tvb_get_ntohl(tvb, offset+4); if ((tempstmp == 0) && (tempfrac == 0)) { return "NULL"; } /* We need a temporary variable here so the unsigned math * works correctly (for years > 2036 according to RFC 2030 * chapter 3). */ temptime = (time_t)(tempstmp - NTP_BASETIME); bd = gmtime(&temptime); if(!bd){ return "Not representable"; } fractime = bd->tm_sec + tempfrac / NTP_FLOAT_DENOM; buff=(char *)wmem_alloc(wmem_packet_scope(), NTP_TS_SIZE); g_snprintf(buff, NTP_TS_SIZE, "%s %2d, %d %02d:%02d:%09.6f UTC", mon_names[bd->tm_mon], bd->tm_mday, bd->tm_year + 1900, bd->tm_hour, bd->tm_min, fractime); return buff; } /* tvb_ntp_fmt_ts_sec - converts an NTP timestamps second part (32bits) to an human readable string. * TVB and an offset (IN). * returns pointer to filled buffer. This buffer will be freed automatically once * dissection of the next packet occurs. */ const char * tvb_ntp_fmt_ts_sec(tvbuff_t *tvb, gint offset) { guint32 tempstmp; time_t temptime; struct tm *bd; char *buff; tempstmp = tvb_get_ntohl(tvb, offset); if (tempstmp == 0){ return "NULL"; } /* We need a temporary variable here so the unsigned math * works correctly (for years > 2036 according to RFC 2030 * chapter 3). */ temptime = (time_t)(tempstmp - NTP_BASETIME); bd = gmtime(&temptime); if (!bd){ return "Not representable"; } buff = (char *)wmem_alloc(wmem_packet_scope(), NTP_TS_SIZE); g_snprintf(buff, NTP_TS_SIZE, "%s %2d, %d %02d:%02d:%02d UTC", mon_names[bd->tm_mon], bd->tm_mday, bd->tm_year + 1900, bd->tm_hour, bd->tm_min, bd->tm_sec); return buff; } void ntp_to_nstime(tvbuff_t *tvb, gint offset, nstime_t *nstime) { guint32 tempstmp; /* We need a temporary variable here so the unsigned math * works correctly (for years > 2036 according to RFC 2030 * chapter 3). */ tempstmp = tvb_get_ntohl(tvb, offset); if (tempstmp) nstime->secs = (time_t)(tempstmp - NTP_BASETIME); else nstime->secs = (time_t)tempstmp; /* 0 */ nstime->nsecs = (int)(tvb_get_ntohl(tvb, offset+4)/(NTP_FLOAT_DENOM/1000000000.0)); } static int dissect_ntp_ext(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ntp_tree, int offset) { proto_tree *ext_tree, *flags_tree; proto_item *tf, *ext_item; guint16 extlen; int endoffset; guint8 flags; guint32 vallen, vallen_round, siglen; extlen = tvb_get_ntohs(tvb, offset+2); tf = proto_tree_add_item(ntp_tree, hf_ntp_ext, tvb, offset, extlen, ENC_NA); ext_tree = proto_item_add_subtree(tf, ett_ntp_ext); if (extlen < 8) { /* Extension length isn't enough for the extension header. * Report the error, and return an offset that goes to * the end of the tvbuff, so we stop dissecting. */ expert_add_info_format(pinfo, tf, &ei_ntp_ext, "Extension length %u < 8", extlen); return tvb_reported_length(tvb); } if (extlen % 4) { /* Extension length isn't a multiple of 4. * Report the error, and return an offset that goes * to the end of the tvbuff, so we stop dissecting. */ expert_add_info_format(pinfo, tf, &ei_ntp_ext, "Extension length %u isn't a multiple of 4", extlen); return tvb_reported_length(tvb); } endoffset = offset + extlen; flags = tvb_get_guint8(tvb, offset); tf = proto_tree_add_uint(ext_tree, hf_ntp_ext_flags, tvb, offset, 1, flags); flags_tree = proto_item_add_subtree(tf, ett_ntp_ext_flags); proto_tree_add_uint(flags_tree, hf_ntp_ext_flags_r, tvb, offset, 1, flags); proto_tree_add_uint(flags_tree, hf_ntp_ext_flags_error, tvb, offset, 1, flags); proto_tree_add_uint(flags_tree, hf_ntp_ext_flags_vn, tvb, offset, 1, flags); offset += 1; proto_tree_add_item(ext_tree, hf_ntp_ext_op, tvb, offset, 1, ENC_BIG_ENDIAN); offset += 1; proto_tree_add_uint(ext_tree, hf_ntp_ext_len, tvb, offset, 2, extlen); offset += 2; if ((flags & NTP_EXT_VN_MASK) != 2) { /* don't care about autokey v1 */ return endoffset; } proto_tree_add_item(ext_tree, hf_ntp_ext_associd, tvb, offset, 4, ENC_BIG_ENDIAN); offset += 4; /* check whether everything up to "vallen" is present */ if (extlen < MAX_MAC_LEN) { /* XXX - report as error? */ return endoffset; } proto_tree_add_item(ext_tree, hf_ntp_ext_tstamp, tvb, offset, 4, ENC_BIG_ENDIAN); offset += 4; proto_tree_add_item(ext_tree, hf_ntp_ext_fstamp, tvb, offset, 4, ENC_BIG_ENDIAN); offset += 4; /* XXX fstamp can be server flags */ vallen = tvb_get_ntohl(tvb, offset); ext_item = proto_tree_add_uint(ext_tree, hf_ntp_ext_vallen, tvb, offset, 4, vallen); offset += 4; vallen_round = (vallen + 3) & (-4); if (vallen != 0) { if ((guint32)(endoffset - offset) < vallen_round) { /* * Value goes past the length of the extension * field. */ expert_add_info_format(pinfo, ext_item, &ei_ntp_ext, "Value length makes value go past the end of the extension field"); return endoffset; } proto_tree_add_item(ext_tree, hf_ntp_ext_val, tvb, offset, vallen, ENC_NA); } offset += vallen_round; siglen = tvb_get_ntohl(tvb, offset); ext_item = proto_tree_add_uint(ext_tree, hf_ntp_ext_siglen, tvb, offset, 4, siglen); offset += 4; if (siglen != 0) { if (offset + (int)siglen > endoffset) { /* * Value goes past the length of the extension * field. */ expert_add_info_format(pinfo, ext_item, &ei_ntp_ext, "Signature length makes value go past the end of the extension field"); return endoffset; } proto_tree_add_item(ext_tree, hf_ntp_ext_sig, tvb, offset, siglen, ENC_NA); } return endoffset; } static void dissect_ntp_std(tvbuff_t *tvb, packet_info *pinfo, proto_tree *ntp_tree) { guint8 stratum; guint8 ppoll; gint8 precision; double rootdelay; double rootdispersion; guint32 refid_addr; gchar *buff; int i; int macofs; gint maclen; proto_tree_add_bitmask(ntp_tree, tvb, 0, hf_ntp_flags, ett_ntp_flags, ntp_header_fields, ENC_NA); /* Stratum, 1byte field represents distance from primary source */ proto_tree_add_item(ntp_tree, hf_ntp_stratum, tvb, 1, 1, ENC_NA); stratum = tvb_get_guint8(tvb, 1); /* Poll interval, 1byte field indicating the maximum interval * between successive messages, in seconds to the nearest * power of two. */ ppoll = tvb_get_guint8(tvb, 2); if ((ppoll >= 4) && (ppoll <= 17)) { proto_tree_add_uint_format_value(ntp_tree, hf_ntp_ppoll, tvb, 2, 1, ppoll, "%u (%u sec)", ppoll, 1 << ppoll); } else { proto_tree_add_uint_format_value(ntp_tree, hf_ntp_ppoll, tvb, 2, 1, ppoll, "invalid (%u)", ppoll); } /* Precision, 1 byte field indicating the precision of the * local clock, in seconds to the nearest power of two. */ precision = tvb_get_guint8(tvb, 3); proto_tree_add_int_format_value(ntp_tree, hf_ntp_precision, tvb, 3, 1, precision, "%8.6f sec", pow(2, precision)); /* Root Delay is a 32-bit signed fixed-point number indicating * the total roundtrip delay to the primary reference source, * in seconds with fraction point between bits 15 and 16. */ rootdelay = ((gint16)tvb_get_ntohs(tvb, 4)) + (tvb_get_ntohs(tvb, 6) / 65536.0); proto_tree_add_double(ntp_tree, hf_ntp_rootdelay, tvb, 4, 4, rootdelay); /* Root Dispersion, 32-bit unsigned fixed-point number indicating * the nominal error relative to the primary reference source, in * seconds with fraction point between bits 15 and 16. */ rootdispersion = ((gint16)tvb_get_ntohs(tvb, 8)) + (tvb_get_ntohs(tvb, 10) / 65536.0); proto_tree_add_double(ntp_tree, hf_ntp_rootdispersion, tvb, 8, 4, rootdispersion); /* Now, there is a problem with secondary servers. Standards * asks from stratum-2 - stratum-15 servers to set this to the * low order 32 bits of the latest transmit timestamp of the * reference source. * But, all V3 and V4 servers set this to IP address of their * higher level server. My decision was to resolve this address. */ buff = (gchar *)wmem_alloc(wmem_packet_scope(), NTP_TS_SIZE); if (stratum <= 1) { g_snprintf (buff, NTP_TS_SIZE, "Unidentified reference source '%.4s'", tvb_get_string_enc(wmem_packet_scope(), tvb, 12, 4, ENC_ASCII)); for (i = 0; primary_sources[i].id; i++) { if (tvb_memeql(tvb, 12, primary_sources[i].id, 4) == 0) { g_snprintf(buff, NTP_TS_SIZE, "%s", primary_sources[i].data); break; } } } else { int buffpos; refid_addr = tvb_get_ipv4(tvb, 12); buffpos = g_snprintf(buff, NTP_TS_SIZE, "%s", get_hostname (refid_addr)); if (buffpos >= NTP_TS_SIZE) { buff[NTP_TS_SIZE-4]='.'; buff[NTP_TS_SIZE-3]='.'; buff[NTP_TS_SIZE-2]='.'; buff[NTP_TS_SIZE-1]=0; } } proto_tree_add_bytes_format_value(ntp_tree, hf_ntp_refid, tvb, 12, 4, NULL, "%s", buff); /* Reference Timestamp: This is the time at which the local clock was * last set or corrected. */ proto_tree_add_item(ntp_tree, hf_ntp_reftime, tvb, 16, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN); /* Originate Timestamp: This is the time at which the request departed * the client for the server. */ proto_tree_add_item(ntp_tree, hf_ntp_org, tvb, 24, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN); /* Receive Timestamp: This is the time at which the request arrived at * the server. */ proto_tree_add_item(ntp_tree, hf_ntp_rec, tvb, 32, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN); /* Transmit Timestamp: This is the time at which the reply departed the * server for the client. */ proto_tree_add_item(ntp_tree, hf_ntp_xmt, tvb, 40, 8, ENC_TIME_NTP|ENC_BIG_ENDIAN); /* MAX_MAC_LEN is the largest message authentication code * (MAC) length. If we have more data left in the packet * after the header than that, the extra data is NTP4 * extensions; parse them as such. */ macofs = 48; while (tvb_reported_length_remaining(tvb, macofs) > (gint)MAX_MAC_LEN) macofs = dissect_ntp_ext(tvb, pinfo, ntp_tree, macofs); /* When the NTP authentication scheme is implemented, the * Key Identifier and Message Digest fields contain the * message authentication code (MAC) information defined in * Appendix C of RFC-1305. Will print this as hex code for now. */ if (tvb_reported_length_remaining(tvb, macofs) >= 4) proto_tree_add_item(ntp_tree, hf_ntp_keyid, tvb, macofs, 4, ENC_NA); macofs += 4; maclen = tvb_reported_length_remaining(tvb, macofs); if (maclen > 0) proto_tree_add_item(ntp_tree, hf_ntp_mac, tvb, macofs, maclen, ENC_NA); } static void dissect_ntp_ctrl(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *ntp_tree) { guint8 flags2; proto_tree *data_tree, *item_tree, *auth_tree; proto_item *td, *ti; guint16 associd; guint16 datalen; guint16 data_offset; int length_remaining; tvbparse_t *tt; tvbparse_elem_t *element; static const int *ntpctrl_flags[] = { &hf_ntpctrl_flags2_r, &hf_ntpctrl_flags2_error, &hf_ntpctrl_flags2_more, &hf_ntpctrl_flags2_opcode, NULL }; proto_tree_add_bitmask(ntp_tree, tvb, 0, hf_ntp_flags, ett_ntp_flags, ntp_header_fields, ENC_NA); proto_tree_add_bitmask(ntp_tree, tvb, 1, hf_ntpctrl_flags2, ett_ntpctrl_flags2, ntpctrl_flags, ENC_NA); flags2 = tvb_get_guint8(tvb, 1); proto_tree_add_item(ntp_tree, hf_ntpctrl_sequence, tvb, 2, 2, ENC_BIG_ENDIAN); associd = tvb_get_ntohs(tvb, 6); /* * further processing of status is only necessary in server responses */ if (flags2 & NTPCTRL_R_MASK) { if (flags2 & NTPCTRL_ERROR_MASK) { /* * if error bit is set: dissect error status word * 1 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Error Code | reserved | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ static const int *errorstatus[] = { &hf_ntpctrl_error_status_word, NULL }; /* Check if this is an error response... */ proto_tree_add_bitmask(ntp_tree, tvb, 4, hf_ntpctrl_status, ett_ntpctrl_status, errorstatus, ENC_BIG_ENDIAN); } else { /* ...otherwise status word depends on OpCode */ switch (flags2 & NTPCTRL_OP_MASK) { case NTPCTRL_OP_READSTAT: case NTPCTRL_OP_READVAR: case NTPCTRL_OP_WRITEVAR: case NTPCTRL_OP_ASYNCMSG: if (associd) proto_tree_add_bitmask(ntp_tree, tvb, 4, hf_ntpctrl_status, ett_ntpctrl_status, peer_status_flags, ENC_BIG_ENDIAN); else { /* * dissect system status word: * 1 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * |LI | ClkSource | Count | Code | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ static const int *systemstatus[] = { &hf_ntpctrl_sys_status_li, &hf_ntpctrl_sys_status_clksrc, &hf_ntpctrl_sys_status_count, &hf_ntpctrl_sys_status_code, NULL }; proto_tree_add_bitmask(ntp_tree, tvb, 4, hf_ntpctrl_status, ett_ntpctrl_status, systemstatus, ENC_BIG_ENDIAN); } break; case NTPCTRL_OP_READCLOCK: case NTPCTRL_OP_WRITECLOCK: { /* * dissect clock status word: * 1 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Clock Status | Event Code | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ static const int *clockstatus[] = { &hf_ntpctrl_clk_status, &hf_ntpctrl_clk_status_code, NULL }; proto_tree_add_bitmask(ntp_tree, tvb, 4, hf_ntpctrl_status, ett_ntpctrl_status, clockstatus, ENC_BIG_ENDIAN); } break; case NTPCTRL_OP_SETTRAP: case NTPCTRL_OP_UNSETTRAP: default: proto_tree_add_item(ntp_tree, hf_ntpctrl_status, tvb, 4, 2, ENC_BIG_ENDIAN); break; } } } else { proto_tree_add_item(ntp_tree, hf_ntpctrl_status, tvb, 4, 2, ENC_BIG_ENDIAN); } proto_tree_add_item(ntp_tree, hf_ntpctrl_associd, tvb, 6, 2, ENC_BIG_ENDIAN); proto_tree_add_item(ntp_tree, hf_ntpctrl_offset, tvb, 8, 2, ENC_BIG_ENDIAN); datalen = tvb_get_ntohs(tvb, 10); proto_tree_add_uint(ntp_tree, hf_ntpctrl_count, tvb, 10, 2, datalen); /* * dissect Data part of the NTP control message */ if (datalen) { data_offset = 12; td = proto_tree_add_item(ntp_tree, hf_ntpctrl_data, tvb, data_offset, datalen, ENC_NA); data_tree = proto_item_add_subtree(td, ett_ntpctrl_data); switch(flags2 & NTPCTRL_OP_MASK) { case NTPCTRL_OP_READSTAT: if (!associd) { /* * if associd == 0 then data part contains a list of the form * , */ while(datalen) { ti = proto_tree_add_item(data_tree, hf_ntpctrl_item, tvb, data_offset, 4, ENC_NA); item_tree = proto_item_add_subtree(ti, ett_ntpctrl_item); proto_tree_add_item(item_tree, hf_ntpctrl_associd, tvb, data_offset, 2, ENC_BIG_ENDIAN); data_offset += 2; proto_tree_add_bitmask(ntp_tree, tvb, data_offset, hf_ntpctrl_status, ett_ntpctrl_status, peer_status_flags, ENC_BIG_ENDIAN); data_offset += 2; datalen -= 4; } break; } /* * but if associd != 0, * then data part could be the same as if opcode is NTPCTRL_OP_READVAR * --> so, no "break" here! */ case NTPCTRL_OP_READVAR: case NTPCTRL_OP_WRITEVAR: case NTPCTRL_OP_READCLOCK: case NTPCTRL_OP_WRITECLOCK: tt = tvbparse_init(tvb, data_offset, datalen, NULL, want_ignore); while( (element = tvbparse_get(tt, want)) != NULL ) { tvbparse_tree_add_elem(data_tree, element); } break; case NTPCTRL_OP_ASYNCMSG: proto_tree_add_item(data_tree, hf_ntpctrl_trapmsg, tvb, data_offset, datalen, ENC_ASCII|ENC_NA); break; /* these opcodes doesn't carry any data: NTPCTRL_OP_SETTRAP, NTPCTRL_OP_UNSETTRAP, NTPCTRL_OP_UNSPEC */ } } data_offset = 12+datalen; length_remaining = tvb_reported_length_remaining(tvb, data_offset); /* Check if there is authentication */ if ((flags2 & NTPCTRL_R_MASK) == 0) { if (length_remaining > 0) { auth_tree = proto_tree_add_subtree(ntp_tree, tvb, data_offset, -1, ett_ntp_authenticator, NULL, "Authenticator"); switch (length_remaining) { case 20: ti = proto_tree_add_uint(auth_tree, hf_ntp_key_type, tvb, data_offset, 0, NTP_MD5_ALGO); PROTO_ITEM_SET_GENERATED(ti); proto_tree_add_item(auth_tree, hf_ntp_key_index, tvb, data_offset, 4, ENC_BIG_ENDIAN); proto_tree_add_item(auth_tree, hf_ntp_key_signature, tvb, data_offset+4, 16, ENC_NA); break; case 24: ti = proto_tree_add_uint(auth_tree, hf_ntp_key_type, tvb, data_offset, 0, NTP_SHA_ALGO); PROTO_ITEM_SET_GENERATED(ti); proto_tree_add_item(auth_tree, hf_ntp_key_index, tvb, data_offset, 4, ENC_BIG_ENDIAN); proto_tree_add_item(auth_tree, hf_ntp_key_signature, tvb, data_offset+4, 20, ENC_NA); break; } } } } /* * Initialize tvb-parser, which is used to dissect data part of NTP control * messages * * Here some constants are defined, which describes character groups used for * various purposes. These groups are then used to configure the two global * variables "want_ignore" and "want" that we use for dissection */ static void init_parser(void) { /* specify what counts as character */ tvbparse_wanted_t *want_identifier = tvbparse_chars(-1, 1, 0, "abcdefghijklmnopqrstuvwxyz-_ABCDEFGHIJKLMNOPQRSTUVWXYZ.0123456789", NULL, NULL, NULL); /* this is the equal sign used in assignments */ tvbparse_wanted_t *want_equalsign = tvbparse_char(-1, "=", NULL, NULL, NULL); /* possible characters allowed for values */ tvbparse_wanted_t *want_value = tvbparse_set_oneof(0, NULL, NULL, NULL, tvbparse_quoted(-1, NULL, NULL, tvbparse_shrink_token_cb, '\"', '\\'), tvbparse_quoted(-1, NULL, NULL, tvbparse_shrink_token_cb, '\'', '\\'), tvbparse_chars(-1, 1, 0, "abcdefghijklmnopqrstuvwxyz-_ABCDEFGHIJKLMNOPQRSTUVWXYZ.0123456789 ", NULL, NULL, NULL), NULL); tvbparse_wanted_t *want_comma = tvbparse_until(-1, NULL, NULL, NULL, tvbparse_char(-1, ",", NULL, NULL, NULL), TP_UNTIL_SPEND); /* the following specifies an assignment of the form identifier=value */ tvbparse_wanted_t *want_assignment = tvbparse_set_seq(-1, NULL, NULL, NULL, want_identifier, want_equalsign, tvbparse_some(-1, 0, 1, NULL, NULL, NULL, want_value), tvbparse_some(-1, 0, 1, NULL, NULL, NULL, want_comma), NULL); /* we ignore white space characters */ want_ignore = tvbparse_chars(-1, 1, 0, " \t\r\n", NULL, NULL, NULL); /* data part of control messages consists of either identifiers or assignments */ want = tvbparse_set_oneof(-1, NULL, NULL, NULL, want_assignment, want_identifier, NULL); } static void dissect_ntp_priv(tvbuff_t *tvb, packet_info *pinfo _U_, proto_tree *ntp_tree) { guint8 impl, reqcode; static const int *priv_flags[] = { &hf_ntppriv_flags_r, &hf_ntppriv_flags_more, &hf_ntp_flags_vn, &hf_ntp_flags_mode, NULL }; static const int *auth_flags[] = { &hf_ntppriv_auth, &hf_ntppriv_seq, NULL }; proto_tree_add_bitmask(ntp_tree, tvb, 0, hf_ntp_flags, ett_ntp_flags, priv_flags, ENC_NA); proto_tree_add_bitmask(ntp_tree, tvb, 0, hf_ntppriv_auth_seq, ett_ntppriv_auth_seq, auth_flags, ENC_NA); impl = tvb_get_guint8(tvb, 2); proto_tree_add_uint(ntp_tree, hf_ntppriv_impl, tvb, 2, 1, impl); reqcode = tvb_get_guint8(tvb, 3); proto_tree_add_uint(ntp_tree, hf_ntppriv_reqcode, tvb, 3, 1, reqcode); if (impl == XNTPD && reqcode == MON_GETLIST_1) { guint16 numitems; guint16 itemsize; guint16 offset; guint i; guint32 v6_flag = 0; proto_item* monlist_item; proto_tree* monlist_item_tree; proto_tree_add_bits_item(ntp_tree, hf_ntppriv_errcode, tvb, 32, 4, ENC_BIG_ENDIAN); proto_tree_add_bits_item(ntp_tree, hf_ntppriv_numitems, tvb, 36, 12, ENC_BIG_ENDIAN); proto_tree_add_bits_item(ntp_tree, hf_ntppriv_mbz, tvb, 48, 4, ENC_BIG_ENDIAN); proto_tree_add_bits_item(ntp_tree, hf_ntppriv_itemsize, tvb, 52, 12, ENC_BIG_ENDIAN); numitems = tvb_get_letohs(tvb, 5) & 0x0FFF; itemsize = tvb_get_letohs(tvb, 7) & 0x0FFF; for (i = 0; i < numitems; i++) { offset = 8 + itemsize * i; monlist_item = proto_tree_add_string_format(ntp_tree, hf_monlist_item, tvb, offset, itemsize, "Monlist Item", "Monlist item: address: %s:%u", tvb_ip_to_str(tvb, offset + 16), tvb_get_ntohs(tvb, offset + 28)); monlist_item_tree = proto_item_add_subtree(monlist_item, ett_monlist_item); proto_tree_add_item(monlist_item_tree, hf_ntppriv_avgint, tvb, offset, 4, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_lsint, tvb, offset + 4, 4, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_restr, tvb, offset + 8, 4, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_count, tvb, offset + 12, 4, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_addr, tvb, offset + 16, 4, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_daddr, tvb, offset + 20, 4, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_flags, tvb, offset + 24, 4, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_port, tvb, offset + 28, 2, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_mode, tvb, offset + 30, 1, ENC_BIG_ENDIAN); proto_tree_add_item(monlist_item_tree, hf_ntppriv_version, tvb, offset + 31, 1, ENC_BIG_ENDIAN); proto_tree_add_item_ret_uint(monlist_item_tree, hf_ntppriv_v6_flag, tvb, offset + 32, 4, ENC_BIG_ENDIAN, &v6_flag); if (v6_flag != 0) { proto_tree_add_item(monlist_item_tree, hf_ntppriv_addr6, tvb, offset + 36, 16, ENC_NA); proto_tree_add_item(monlist_item_tree, hf_ntppriv_daddr6, tvb, offset + 52, 16, ENC_NA); } } } } /* dissect_ntp - dissects NTP packet data * tvb - tvbuff for packet data (IN) * pinfo - packet info * proto_tree - resolved protocol tree */ static int dissect_ntp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_) { proto_tree *ntp_tree; proto_item *ti = NULL; guint8 flags; void (*dissector)(tvbuff_t *, packet_info *, proto_tree *); col_set_str(pinfo->cinfo, COL_PROTOCOL, "NTP"); col_clear(pinfo->cinfo, COL_INFO); flags = tvb_get_guint8(tvb, 0); switch (flags & NTP_MODE_MASK) { default: dissector = dissect_ntp_std; break; case NTP_MODE_CTRL: dissector = dissect_ntp_ctrl; break; case NTP_MODE_PRIV: dissector = dissect_ntp_priv; break; } /* Adding NTP item and subtree */ ti = proto_tree_add_item(tree, proto_ntp, tvb, 0, -1, ENC_NA); ntp_tree = proto_item_add_subtree(ti, ett_ntp); /* Show version and mode in info column and NTP root */ col_add_fstr(pinfo->cinfo, COL_INFO, "%s, %s", val_to_str_const((flags & NTP_VN_MASK) >> 3, ver_nums, "Unknown version"), val_to_str_const(flags & NTP_MODE_MASK, info_mode_types, "Unknown")); proto_item_append_text(ti, " (%s, %s)", val_to_str_const((flags & NTP_VN_MASK) >> 3, ver_nums, "Unknown version"), val_to_str_const(flags & NTP_MODE_MASK, info_mode_types, "Unknown")); /* Dissect according to mode */ (*dissector)(tvb, pinfo, ntp_tree); return tvb_captured_length(tvb); } void proto_register_ntp(void) { static hf_register_info hf[] = { { &hf_ntp_flags, { "Flags", "ntp.flags", FT_UINT8, BASE_HEX, NULL, 0, "Flags (Leap/Version/Mode)", HFILL }}, { &hf_ntp_flags_li, { "Leap Indicator", "ntp.flags.li", FT_UINT8, BASE_DEC, VALS(li_types), NTP_LI_MASK, "Warning of an impending leap second to be inserted or deleted in the last minute of the current month", HFILL }}, { &hf_ntp_flags_vn, { "Version number", "ntp.flags.vn", FT_UINT8, BASE_DEC, VALS(ver_nums), NTP_VN_MASK, NULL, HFILL }}, { &hf_ntp_flags_mode, { "Mode", "ntp.flags.mode", FT_UINT8, BASE_DEC, VALS(mode_types), NTP_MODE_MASK, NULL, HFILL }}, { &hf_ntp_stratum, { "Peer Clock Stratum", "ntp.stratum", FT_UINT8, BASE_DEC|BASE_RANGE_STRING, RVALS(stratum_rvals), 0, NULL, HFILL }}, { &hf_ntp_ppoll, { "Peer Polling Interval", "ntp.ppoll", FT_UINT8, BASE_DEC, NULL, 0, "Maximum interval between successive messages", HFILL }}, { &hf_ntp_precision, { "Peer Clock Precision", "ntp.precision", FT_INT8, BASE_DEC, NULL, 0, "The precision of the system clock", HFILL }}, { &hf_ntp_rootdelay, { "Root Delay", "ntp.rootdelay", FT_DOUBLE, BASE_NONE|BASE_UNIT_STRING, &units_second_seconds, 0, "Total round-trip delay to the reference clock", HFILL }}, { &hf_ntp_rootdispersion, { "Root Dispersion", "ntp.rootdispersion", FT_DOUBLE, BASE_NONE|BASE_UNIT_STRING, &units_second_seconds, 0, "Total dispersion to the reference clock", HFILL }}, { &hf_ntp_refid, { "Reference ID", "ntp.refid", FT_BYTES, BASE_NONE, NULL, 0, "Particular server or reference clock being used", HFILL }}, { &hf_ntp_reftime, { "Reference Timestamp", "ntp.reftime", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0, "Time when the system clock was last set or corrected", HFILL }}, { &hf_ntp_org, { "Origin Timestamp", "ntp.org", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0, "Time at the client when the request departed for the server", HFILL }}, { &hf_ntp_rec, { "Receive Timestamp", "ntp.rec", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0, "Time at the server when the request arrived from the client", HFILL }}, { &hf_ntp_xmt, { "Transmit Timestamp", "ntp.xmt", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_UTC, NULL, 0, "Time at the server when the response left for the client", HFILL }}, { &hf_ntp_keyid, { "Key ID", "ntp.keyid", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntp_mac, { "Message Authentication Code", "ntp.mac", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntp_key_type, { "Key type", "ntp.key_type", FT_UINT8, BASE_DEC, VALS(authentication_types), 0, "Authentication algorithm used", HFILL }}, { &hf_ntp_key_index, { "KeyIndex", "ntp.key_index", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_ntp_key_signature, { "Signature", "ntp.key_signature", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext, { "Extension", "ntp.ext", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_flags, { "Flags", "ntp.ext.flags", FT_UINT8, BASE_HEX, NULL, 0, "Flags (Response/Error/Version)", HFILL }}, { &hf_ntp_ext_flags_r, { "Response bit", "ntp.ext.flags.r", FT_UINT8, BASE_DEC, VALS(ext_r_types), NTP_EXT_R_MASK, NULL, HFILL }}, { &hf_ntp_ext_flags_error, { "Error bit", "ntp.ext.flags.error", FT_UINT8, BASE_DEC, NULL, NTP_EXT_ERROR_MASK, NULL, HFILL }}, { &hf_ntp_ext_flags_vn, { "Version", "ntp.ext.flags.vn", FT_UINT8, BASE_DEC, NULL, NTP_EXT_VN_MASK, NULL, HFILL }}, { &hf_ntp_ext_op, { "Opcode", "ntp.ext.op", FT_UINT8, BASE_DEC, VALS(ext_op_types), 0, NULL, HFILL }}, { &hf_ntp_ext_len, { "Extension length", "ntp.ext.len", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_associd, { "Association ID", "ntp.ext.associd", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_tstamp, { "Timestamp", "ntp.ext.tstamp", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_fstamp, { "File Timestamp", "ntp.ext.fstamp", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_vallen, { "Value length", "ntp.ext.vallen", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_val, { "Value", "ntp.ext.val", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_siglen, { "Signature length", "ntp.ext.siglen", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntp_ext_sig, { "Signature", "ntp.ext.sig", FT_BYTES, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_flags2, { "Flags 2", "ntp.ctrl.flags2", FT_UINT8, BASE_HEX, NULL, 0, "Flags (Response/Error/More/Opcode)", HFILL }}, { &hf_ntpctrl_flags2_r, { "Response bit", "ntp.ctrl.flags2.r", FT_UINT8, BASE_DEC, VALS(ctrl_r_types), NTPCTRL_R_MASK, NULL, HFILL }}, { &hf_ntpctrl_flags2_error, { "Error bit", "ntp.ctrl.flags2.error", FT_UINT8, BASE_DEC, NULL, NTPCTRL_ERROR_MASK, NULL, HFILL }}, { &hf_ntpctrl_flags2_more, { "More bit", "ntp.ctrl.flags2.more", FT_UINT8, BASE_DEC, NULL, NTPCTRL_MORE_MASK, NULL, HFILL }}, { &hf_ntpctrl_flags2_opcode, { "Opcode", "ntp.ctrl.flags2.opcode", FT_UINT8, BASE_DEC, VALS(ctrl_op_types), NTPCTRL_OP_MASK, NULL, HFILL }}, { &hf_ntpctrl_sequence, { "Sequence", "ntp.ctrl.sequence", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_status, { "Status", "ntp.ctrl.status", FT_UINT16, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_error_status_word, { "Error Status Word", "ntp.ctrl.err_status", FT_UINT16, BASE_DEC, VALS(ctrl_err_status_types), NTP_CTRL_ERRSTATUS_CODE_MASK, NULL, HFILL }}, { &hf_ntpctrl_sys_status_li, { "Leap Indicator", "ntp.ctrl.sys_status.li", FT_UINT16, BASE_DEC, VALS(li_types), NTPCTRL_SYSSTATUS_LI_MASK, "Warning of an impending leap second to be inserted or deleted in the last minute of the current month", HFILL }}, { &hf_ntpctrl_sys_status_clksrc, { "Clock Source", "ntp.ctrl.sys_status.clksrc", FT_UINT16, BASE_DEC, VALS(ctrl_sys_status_clksource_types), NTPCTRL_SYSSTATUS_CLK_MASK, NULL, HFILL }}, { &hf_ntpctrl_sys_status_count, { "System Event Counter", "ntp.ctrl.sys_status.count", FT_UINT16, BASE_DEC, NULL, NTPCTRL_SYSSTATUS_COUNT_MASK, NULL, HFILL }}, { &hf_ntpctrl_sys_status_code, { "System Event Code", "ntp.ctrl.sys_status.code", FT_UINT16, BASE_DEC, VALS(ctrl_sys_status_event_types), NTPCTRL_SYSSTATUS_CODE_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_b0, { "Peer Status", "ntp.ctrl.peer_status.config", FT_BOOLEAN, 16, TFS(&tfs_ctrl_peer_status_config), NTPCTRL_PEERSTATUS_CONFIG_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_b1, { "Peer Status", "ntp.ctrl.peer_status.authenable", FT_BOOLEAN, 16, TFS(&tfs_ctrl_peer_status_authenable), NTPCTRL_PEERSTATUS_AUTHENABLE_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_b2, { "Peer Status", "ntp.ctrl.peer_status.authentic", FT_BOOLEAN, 16, TFS(&tfs_ctrl_peer_status_authentic), NTPCTRL_PEERSTATUS_AUTHENTIC_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_b3, { "Peer Status", "ntp.ctrl.peer_status.reach", FT_BOOLEAN, 16, TFS(&tfs_ctrl_peer_status_reach), NTPCTRL_PEERSTATUS_REACH_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_b4, { "Peer Status: reserved", "ntp.ctrl.peer_status.reserved", FT_UINT16, BASE_DEC, NULL, NTPCTRL_PEERSTATUS_RESERVED_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_selection, { "Peer Selection", "ntp.ctrl.peer_status.selection", FT_UINT16, BASE_DEC, VALS(ctrl_peer_status_selection_types), NTPCTRL_PEERSTATUS_SEL_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_count, { "Peer Event Counter", "ntp.ctrl.peer_status.count", FT_UINT16, BASE_DEC, NULL, NTPCTRL_PEERSTATUS_COUNT_MASK, NULL, HFILL }}, { &hf_ntpctrl_peer_status_code, { "Peer Event Code", "ntp.ctrl.peer_status.code", FT_UINT16, BASE_DEC, VALS(ctrl_peer_status_event_types), NTPCTRL_PEERSTATUS_CODE_MASK, NULL, HFILL }}, { &hf_ntpctrl_clk_status, { "Clock Status", "ntp.ctrl.clock_status.status", FT_UINT16, BASE_DEC, VALS(ctrl_clk_status_types), NTPCTRL_CLKSTATUS_STATUS_MASK, NULL, HFILL }}, { &hf_ntpctrl_clk_status_code, { "Clock Event Code", "ntp.ctrl.clock_status.code", FT_UINT16, BASE_DEC, NULL, NTPCTRL_CLKSTATUS_CODE_MASK, NULL, HFILL }}, { &hf_ntpctrl_data, { "Data", "ntp.ctrl.data", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_item, { "Item", "ntp.ctrl.item", FT_NONE, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_associd, { "AssociationID", "ntp.ctrl.associd", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_offset, { "Offset", "ntp.ctrl.offset", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_count, { "Count", "ntp.ctrl.count", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntpctrl_trapmsg, { "Trap message", "ntp.ctrl.trapmsg", FT_STRING, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_flags_r, { "Response bit", "ntp.priv.flags.r", FT_UINT8, BASE_DEC, VALS(priv_r_types), NTPPRIV_R_MASK, NULL, HFILL }}, { &hf_ntppriv_flags_more, { "More bit", "ntp.priv.flags.more", FT_UINT8, BASE_DEC, NULL, NTPPRIV_MORE_MASK, NULL, HFILL }}, { &hf_ntppriv_auth_seq, { "Auth, sequence", "ntp.priv.auth_seq", FT_UINT8, BASE_DEC, NULL, 0, "Auth bit, sequence number", HFILL }}, { &hf_ntppriv_auth, { "Auth bit", "ntp.priv.auth", FT_UINT8, BASE_DEC, NULL, NTPPRIV_AUTH_MASK, NULL, HFILL }}, { &hf_ntppriv_seq, { "Sequence number", "ntp.priv.seq", FT_UINT8, BASE_DEC, NULL, NTPPRIV_SEQ_MASK, NULL, HFILL }}, { &hf_ntppriv_impl, { "Implementation", "ntp.priv.impl", FT_UINT8, BASE_DEC, VALS(priv_impl_types), 0, NULL, HFILL }}, { &hf_ntppriv_reqcode, { "Request code", "ntp.priv.reqcode", FT_UINT8, BASE_DEC | BASE_EXT_STRING, &priv_rc_types_ext, 0, NULL, HFILL }}, { &hf_ntppriv_errcode, { "Err", "ntp.priv.err", FT_UINT8, BASE_HEX, VALS(err_values_types), 0, NULL, HFILL }}, { &hf_ntppriv_numitems, { "Number of data items", "ntp.priv.numitems", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_mbz, { "Reserved", "ntp.priv.reserved", FT_UINT8, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_monlist_item, { "Monlist item", "ntp.priv.monlist.item", FT_STRINGZ, BASE_NONE, NULL, 0x00, NULL, HFILL }}, { &hf_ntppriv_itemsize, { "Size of data item", "ntp.priv.monlist.itemsize", FT_UINT16, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_avgint, { "avgint", "ntp.priv.monlist.avgint", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_lsint, { "lsint", "ntp.priv.monlist.lsint", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_restr, { "restr", "ntp.priv.monlist.restr", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_count, { "count", "ntp.priv.monlist.count", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_addr, { "remote address", "ntp.priv.monlist.remote_address", FT_IPv4, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_daddr, { "local address", "ntp.priv.monlist.local_address", FT_IPv4, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_flags, { "flags", "ntp.priv.monlist.flags", FT_UINT32, BASE_HEX, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_port, { "port", "ntp.priv.monlist.port", FT_UINT16, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_mode, { "mode", "ntp.priv.monlist.mode", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_version, { "version", "ntp.priv.monlist.version", FT_UINT8, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_v6_flag, { "ipv6", "ntp.priv.monlist.ipv6", FT_UINT32, BASE_DEC, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_addr6, { "ipv6 remote addr", "ntp.priv.monlist.addr6", FT_IPv6, BASE_NONE, NULL, 0, NULL, HFILL }}, { &hf_ntppriv_daddr6, { "ipv6 local addr", "ntp.priv.monlist.daddr6", FT_IPv6, BASE_NONE, NULL, 0, NULL, HFILL }} }; static gint *ett[] = { &ett_ntp, &ett_ntp_flags, &ett_ntp_ext, &ett_ntp_ext_flags, &ett_ntpctrl_flags2, &ett_ntpctrl_status, &ett_ntpctrl_data, &ett_ntpctrl_item, &ett_ntppriv_auth_seq, &ett_monlist_item, &ett_ntp_authenticator }; static ei_register_info ei[] = { { &ei_ntp_ext, { "ntp.ext.invalid_length", PI_PROTOCOL, PI_WARN, "Extension invalid length", EXPFILL }}, }; expert_module_t* expert_ntp; proto_ntp = proto_register_protocol("Network Time Protocol", "NTP", "ntp"); proto_register_field_array(proto_ntp, hf, array_length(hf)); proto_register_subtree_array(ett, array_length(ett)); expert_ntp = expert_register_protocol(proto_ntp); expert_register_field_array(expert_ntp, ei, array_length(ei)); init_parser(); } void proto_reg_handoff_ntp(void) { dissector_handle_t ntp_handle; ntp_handle = create_dissector_handle(dissect_ntp, proto_ntp); dissector_add_uint_with_preference("udp.port", UDP_PORT_NTP, ntp_handle); dissector_add_uint_with_preference("tcp.port", TCP_PORT_NTP, ntp_handle); } /* * Editor modelines - http://www.wireshark.org/tools/modelines.html * * Local variables: * c-basic-offset: 8 * tab-width: 8 * indent-tabs-mode: t * End: * * vi: set shiftwidth=8 tabstop=8 noexpandtab: * :indentSize=8:tabSize=8:noTabs=false: */