Packet Capture: Network Time Protocol (NTP)

What’s the first step in a networker’s life if he wants to work with an unknown protocol: you capture or wireshark it. ;) Following is a downloadable pcap in which I am showing the most common NTP packets such as basic client-server messages, as well as control and authenticated packets. I am also showing how to analyze the delta time in Wireshark, that is: how long an NTP server needs to respond to a request.

This article is one of many blogposts within this NTP series. Please have a look!

As always in my “packet capture” blogposts you are invited to download the following pcap (zipped, 16 KB) and to open it with Wireshark to have a look at it by yourself:

This file includes many different NTP packet types. Hence I am using display filters within Wireshark to have a look at specific scenarios. The standard UDP destination port for NTP is 123, while the source port *might* be 123 as well.

Have a look at the current NTPv4 RFC 5905 “Network Time Protocol Version 4: Protocol and Algorithms Specification” in order to understand the packets and protocol details. Looking at the wire you should understand the packet header (section 7.3 in the RFC). Note that I am NOT explaining the NTP algorithm at all, but only the packets and the fields that are present on the network. The most important fields are:

  • leap indicator: “2-bit integer warning of an impending leap second to be inserted or deleted in the last minute of the current month […].”
  • version: “3-bit integer representing the NTP version number, currently 4.”
  • mode: The most common modes are client (3) and server (4). This is the basic client-server unicast request which you’ll see all over your network. Other modes are “symmetric active” (1) between NTP peers and “NTP control message” (6) for controlling/polling NTP servers.
  • stratum: The stratum value gives the distance to the reference clock. Although the reference clock (if one is used) internally has a stratum value of 0, the NTP server that syncs to that clock has a stratum value of 1. That is: If a server replies with stratum 1, it is directly connected to a reference clock. An NTP server that receives its time from a stratum 1 server increments the value by 1, that is: 2. ;) You won’t see values greater than 4 on the Internet that often. Supported are values up to 15, while 16 means unsynchronized.
  • reference ID: “32-bit code identifying the particular server or reference clock.” For stratum 1 servers this is an ASCII string telling you the reference clock such as GPS, PPS or DCFa/DCFp. Above stratum 1 it is either the IPv4 address of the reference NTP server or, for IPv6, “it is the first four octets of the MD5 hash of the IPv6 address.” <- D’oh! This looks quite strange. ;( Since I am mostly using IPv6 for this NTP blog post series you’ll always see these curious-looking “refid” values in the ntpq output.
  • transmit timestamp: “Time at the server when the response left for the client.” This is the most interesting timestamp in the NTP packets since it shows the time the NTP client/server had when it sent the NTP packet. If you roughly want to see the time by looking at an NTP packet, look at this transmit timestamp.
  • key ID & MAC: Only present when you’re using NTP authentication. The key ID is the number of the key while the MAC is the message digest (currently MD5 or SHA-1, not to be confused with the Ethernet MAC address).

These fields are visible on the wire for NTP packets. Note that on any NTP server or client you have a couple of columns that are listed in various documentation and are NOT part of the packets but are calculated by the NTP algorithms. Those are when, poll, reach, delay, offset, and jitter. Have a look at the blogpost from Aaron Toponce “Real Life NTP” in which he describes these columns of ntpq (among other things). Or, of course, at the official ntpq documentation.

Basic Client-Server

In my pcap, udp.stream eq 21 shows a basic client to server request. An NTP client asks a server for the time. In the answer of the server, you can see its stratum (1) and reference clock (DCFa). Normally an NTP connection is ongoing over the lifetime of the running ntp service; it queries the server at the “poll” interval. You can see this behaviour in udp.stream eq 2 where my NTP server queries (as a client) another NTP server on the Internet. The polling interval, in this case, was 64 seconds, the stratum of the server was 2, while the reference ID shows the IPv4 address (or the first bytes of the MD5 hash of the IPv6 address) of the reference of the queried NTP server.

Symmetric Active

When you’re running multiple NTP servers connected as “peers” rather than “server” (refer to the ntp.conf manpage) in order to synchronize their clocks against each other, you’ll see symmetric active (mode 1) packets on the wire. udp.stream eq 1 shows the peering between two of my stratum 1 NTP servers.

Control Messages

You can send control packets to NTP hosts for setting and getting specific information. I am using queries via ntpq from my monitoring server to poll some peers from the NTP host. (Details are covered in an upcoming blog post.) An example is udp.stream eq 15 in which my monitoring server polled the peers of the NTP server via “ntpq -p ntp1.weberlab.de”. All active associations were sent back to the monitoring server, one by one. Hence a couple of NTP packets within a few milliseconds.

Authentication: MD5, SHA-1, & NAK

For NTP authentication there are two extra fields added to the packets: the key ID and the message authentication code MAC. (I am covering NTP authentication in a couple of other posts in detail as well.) Depending on the authentication method, MD5 or SHA-1, the length of the MAC differs. udp.stream eq 33 shows an MD5 authentication, udp.stream eq 9 an SHA-1, and udp.stream eq 0 a failure in the authentication, namely a crypto-NAK. Refer to RFC 7822 (Network Time Protocol Version 4 (NTPv4) Extension Fields): “If a MAC is used, it resides at the end of the packet. This field can be either 24 octets long, 20 octets long, or a 4-octet crypto-NAK.”
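To make the header fields listed above and the MAC lengths from RFC 7822 concrete, here is an added Python example (not code from the original post or from the ntp project) that parses a 48-byte NTPv4 header, decodes the reference ID depending on the stratum, and classifies the trailer as MD5 (20 octets), SHA-1 (24 octets) or crypto-NAK (4 octets). The packet builder and the sample packets are constructed for this demonstration; the key ID 10 and the MAC bytes are placeholders, not real authentication data. Mode 6 control messages use a different layout and are rejected rather than misparsed.

```python
"""Parse the NTPv4 packet header (RFC 5905 section 7.3) plus the optional MAC trailer."""
import socket
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)

MODES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive", 3: "client",
    4: "server", 5: "broadcast", 6: "NTP control message", 7: "private use",
}


def ntp_ts_to_unix(raw):
    """64-bit NTP timestamp (32-bit seconds, 32-bit fraction) -> Unix seconds as float."""
    seconds, fraction = raw >> 32, raw & 0xFFFFFFFF
    return seconds - NTP_UNIX_OFFSET + fraction / 2**32


def decode_refid(stratum, refid):
    """Stratum 0/1: four-character reference clock ID ('DCFa', 'GPS', 'PPS').

    Above stratum 1 the four bytes are the IPv4 address of the upstream server or, for an
    IPv6 upstream, the first four octets of the MD5 hash of its address; both are rendered
    dotted, which is exactly the odd-looking refid ntpq prints for IPv6 references."""
    if stratum <= 1:
        return refid.rstrip(b"\x00").decode("ascii", errors="replace")
    return socket.inet_ntoa(refid)


def classify_trailer(trailer):
    """RFC 7822: the MAC is 20 octets (key ID + MD5), 24 octets (key ID + SHA-1) or a 4-octet crypto-NAK."""
    if not trailer:
        return {"auth": "none"}
    if len(trailer) == 4:
        # A crypto-NAK carries a key ID of zero and no digest: the server rejected our authentication.
        return {"auth": "crypto-NAK", "key_id": struct.unpack("!I", trailer)[0]}
    if len(trailer) in (20, 24):
        key_id = struct.unpack("!I", trailer[:4])[0]
        digest = "MD5" if len(trailer) == 20 else "SHA-1"
        return {"auth": digest, "key_id": key_id, "mac": trailer[4:].hex()}
    raise ValueError(f"unexpected trailer length {len(trailer)} (extension fields not handled here)")


def parse_ntp(payload):
    """Return the on-the-wire fields of one NTP UDP payload as a dict."""
    if len(payload) < 48:
        raise ValueError("NTP header is 48 bytes")
    first = payload[0]
    li, vn, mode = first >> 6, (first >> 3) & 0x7, first & 0x7
    if mode == 6:
        raise ValueError("mode 6 control messages use a different layout (RFC 1305 appendix B)")
    stratum, poll, precision = struct.unpack("!Bbb", payload[1:4])  # poll/precision are signed log2 seconds
    ref_ts, orig_ts, recv_ts, xmt_ts = struct.unpack("!4Q", payload[16:48])
    info = {
        "leap": li, "version": vn, "mode": MODES[mode], "stratum": stratum,
        "poll_s": 2 ** poll, "refid": decode_refid(stratum, payload[12:16]),
        "ref_unix": ntp_ts_to_unix(ref_ts), "orig_unix": ntp_ts_to_unix(orig_ts),
        "recv_unix": ntp_ts_to_unix(recv_ts), "xmt_unix": ntp_ts_to_unix(xmt_ts),
        # The transmit timestamp is the one to read when you want "the time" from a packet.
        "xmt_utc": datetime.fromtimestamp(ntp_ts_to_unix(xmt_ts), timezone.utc).isoformat() if xmt_ts else None,
    }
    info.update(classify_trailer(payload[48:]))
    return info


def build_ntp(mode, stratum, refid, xmt_ts, version=4, li=0, poll=6, precision=-20, trailer=b""):
    """Constructed packet builder for the samples below; root delay/dispersion and the other timestamps are zero."""
    first = (li << 6) | (version << 3) | mode
    header = struct.pack("!BBbbII4s4Q", first, stratum, poll, precision, 0, 0, refid, 0, 0, 0, xmt_ts)
    return header + trailer


# Constructed samples: a stratum-1 reply referenced to a DCF77 receiver, once with a SHA-1 MAC
# (key ID 10 and 20 placeholder digest bytes) and once as a crypto-NAK.
SAMPLE_XMT = 0xE0000000 << 32  # 3758096384 s after 1900 = 1549107584 Unix = 2019-02-02T11:39:44Z
SAMPLE_SHA1_TRAILER = struct.pack("!I", 10) + bytes(range(20))
SAMPLE_SERVER_REPLY = build_ntp(4, 1, b"DCFa", SAMPLE_XMT, trailer=SAMPLE_SHA1_TRAILER)
SAMPLE_CRYPTO_NAK = build_ntp(4, 1, b"DCFa", SAMPLE_XMT, trailer=b"\x00\x00\x00\x00")

if __name__ == "__main__":
    for name, pkt in (("SHA-1 reply", SAMPLE_SERVER_REPLY), ("crypto-NAK", SAMPLE_CRYPTO_NAK)):
        print(name, parse_ntp(pkt))
```

Feed the function the UDP payload of any mode 1-5 packet from the pcap (for example exported from Wireshark as raw bytes) and compare its output with the packet details pane; the trailer length alone tells you which digest a peer is configured for.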

NTP Delta Time

Thanks to my Wireshark bug report aka feature request “NTP Analysis: Delta time between Client-Server“, one of the core developers, Pascal Quantin, added the field ntp.delta_time in which Wireshark computes the time between the client’s request and the corresponding server’s response (similar to the dns.time or http.time fields). You can see this computed value in square brackets [as always for Wireshark-added fields]. Additionally, I have added a column in my Wireshark GUI to show these values, as you can see in this screenshot for udp.stream eq 2:

Furthermore, you can use the “IO Graphs” of Wireshark to display the ntp.delta_time for certain connections. In the following graph you can see the analysis of udp.stream eq 2 again, while the Y-axis shows the ntp.delta_time field. Since this particular NTP client sent an NTP request every 64 seconds, you can see those ticks in the graph, as well as one spike near 1040 seconds into the trace:
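The pairing behind such a delta-time column can be reproduced outside Wireshark. The following added Python example (not code from the original post or from Wireshark) takes already-decoded frames, matches each mode 4 response to the mode 3 request of the same client/server address pair whose transmit timestamp the server echoed as its origin timestamp (RFC 5905 section 8), and reports the request-to-response delay. How Wireshark itself keys its ntp.delta_time matching is not described on this page; the origin-timestamp check used here is an assumption of the example, chosen because a response whose origin timestamp matches no outstanding request is exactly what a client should discard. The frame records are constructed for the demonstration and include one regular 64-second poll cycle, one slow response and one response from an address the client never queried.

```python
"""Pair NTP client requests with server responses and compute the per-exchange delay."""
from collections import namedtuple
from statistics import median

# One decoded frame: capture time in seconds, UDP endpoints, NTP mode, origin and transmit timestamps.
Frame = namedtuple("Frame", "number time src sport dst dport mode orig_ts xmt_ts")

MODE_CLIENT, MODE_SERVER = 3, 4


def pair_exchanges(frames):
    """Return (exchanges, unmatched_responses).

    A request is keyed by (client addr, client port, server addr, server port, transmit timestamp).
    A response matches when its destination is that client, its source is that server and its
    origin timestamp equals the request's transmit timestamp; anything else is reported unmatched."""
    pending = {}
    exchanges, unmatched = [], []
    for f in sorted(frames, key=lambda x: x.time):
        if f.mode == MODE_CLIENT:
            pending[(f.src, f.sport, f.dst, f.dport, f.xmt_ts)] = f
        elif f.mode == MODE_SERVER:
            req = pending.pop((f.dst, f.dport, f.src, f.sport, f.orig_ts), None)
            if req is None:
                unmatched.append(f.number)
                continue
            exchanges.append({
                "request": req.number, "response": f.number,
                "server": f.src, "delta_time": round(f.time - req.time, 6),
            })
    return exchanges, unmatched


def slow_exchanges(exchanges, factor=10):
    """Flag exchanges whose delay exceeds `factor` times the median delay (the spikes in an IO graph)."""
    if not exchanges:
        return []
    threshold = factor * median(e["delta_time"] for e in exchanges)
    return [e for e in exchanges if e["delta_time"] > threshold]


# Constructed sample frames: client 192.0.2.10 polls server 198.51.100.5 every 64 s. Frame 6 is a slow
# answer; frame 7 comes from 203.0.113.9, which the client never asked, and therefore cannot be paired.
T0 = 0xE0000000 << 32  # NTP transmit timestamp of the first request (2019-02-02T11:39:44Z)
SAMPLE_FRAMES = [
    Frame(1, 0.000000, "192.0.2.10", 123, "198.51.100.5", 123, MODE_CLIENT, 0, T0),
    Frame(2, 0.012345, "198.51.100.5", 123, "192.0.2.10", 123, MODE_SERVER, T0, T0 + 1),
    Frame(3, 64.000000, "192.0.2.10", 123, "198.51.100.5", 123, MODE_CLIENT, 0, T0 + (64 << 32)),
    Frame(4, 64.011000, "198.51.100.5", 123, "192.0.2.10", 123, MODE_SERVER, T0 + (64 << 32), T0 + (64 << 32) + 1),
    Frame(5, 128.000000, "192.0.2.10", 123, "198.51.100.5", 123, MODE_CLIENT, 0, T0 + (128 << 32)),
    Frame(6, 128.500000, "198.51.100.5", 123, "192.0.2.10", 123, MODE_SERVER, T0 + (128 << 32), T0 + (128 << 32) + 1),
    Frame(7, 130.000000, "203.0.113.9", 123, "192.0.2.10", 123, MODE_SERVER, T0 + (128 << 32), T0 + (130 << 32)),
]

if __name__ == "__main__":
    exchanges, unmatched = pair_exchanges(SAMPLE_FRAMES)
    for e in exchanges:
        print(f"#{e['request']} -> #{e['response']} {e['server']} delta_time={e['delta_time']}s")
    print("slow:", [e["response"] for e in slow_exchanges(exchanges)])
    print("responses without a matching request:", unmatched)
```

The `delta_time` values are what the Wireshark column above displays; the unmatched list is the part Wireshark does not give you directly and is worth watching on a monitoring box, because a steady stream of unsolicited mode 4 packets toward a client is not normal poll traffic.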

Yeah, that’s it for now. Have a look at your own network and verify the kinds of used NTP versions/servers/stratums/reference clocks/delta_times and so on. ;)

Featured image “Great White Sea” by Elias Levy is licensed under CC BY 2.0.

8 thoughts on “Packet Capture: Network Time Protocol (NTP)”

  1. In your 1st picture sample (highlighted above) which one is the ONLINE last sync computer clock? Travel time in the returning packet from Server to Client?

    Next, when did the CLIENT last sync its clock before the synchronization from the Server?

    1. Hello d33r. I am not quite sure I understand your question correctly.

      1st: “Reference Timestamp: Time when the system clock was last set or corrected, in NTP timestamp format.”, https://tools.ietf.org/html/rfc5905#section-7.3

      2nd: Yes, you’re correct. “Transmit Timestamp (xmt): Time at the server when the response left for the client, in NTP timestamp format.”, https://tools.ietf.org/html/rfc5905#section-7.3

      3rd: Uh, good question. That should be the Reference Timestamp (in the client packet, such as #129 in my trace) again.

  2. Hello, thank you for your explanation.
    I was wondering what you thought of the timestamps tagged on the requests from udp.stream eq 19. Why are they NULL? Can you give an insight on what type of device is used for them? I am getting similar traffic and am curious about your opinion.
    Thank you!

    1. Hey Basma,

      thanks for your question. To my mind this is regular NTP behaviour when the client just starts the NTP process and does not have any time at all. Referencing RFC 5905 section 8, https://tools.ietf.org/html/rfc5905#section-8, “the first packet transmitted by A contains only the origin timestamp”. While the origin timestamp, section 7.3, is “Time at the client when the request departed for the server, in NTP timestamp format.”

      However, if the client does not have a time at all (which happens quite often with IoT devices without any real-time clock RTC at all), it’s probably set to ZERO rather than to some random value.

      The client in udp.stream eq 19 is unknown to me. I simply picked some random clients which queried one of my NTP servers. ;)
