This is an issue that came up today when discussion how tcpdump and Wireshark display time stamps. If you do have a packet capture file (pcap), it is nice to know that the time stamps are accurate. One way to assert accuracy is to use NTP traffic that was captured in the pcap file.
First, lets limit ourself to NTP packets coming from a server. The NTP protocol uses different protocol modes. We are going to restrict ourselves to packets coming from NTP servers, which implies protocol mode 4. There is a simple Wireshark/tshark filter we can use:
ntp.flags.mode == 4
Next, we need to extract the time stamp. In NTP, we will receive 4 different time stamps:
- Reference Timestamp: Time the clock was last set
Among these time stamps, the Transmit Timestamp seems most appropriate. We can extract this from tshark using the "-T fields" option:
tshark -r ntp.pcap -n -Y "ntp.flags.mode==4" \ -T fields -e ntp.xmt -e frame.time
"frame.time" will give us the time stamp from the packet capture.
The output is already pretty close to what we are looking for:
Jun 6, 2016 18:27:26.073666000 EDT Jun 6, 2016 18:27:26.119514000 EDT Jun 6, 2016 18:27:27.083747000 EDT Jun 6, 2016 18:27:27.144937000 EDT Jun 6, 2016 18:27:28.072173000 EDT Jun 6, 2016 18:27:28.113482000 EDT Jun 6, 2016 18:27:29.094674000 EDT Jun 6, 2016 18:27:29.153425000 EDT
you can tell, that the times look very close. But we can do a bit better. We can convert the times to unix time stamps, and subtract them from each other to get the difference in second. A little shell script will help here. This can be done as a one-liner, but for readability, I split it up into several lines. The script assumes that the output of the tshark command above was saved to "ntp.txt"
IFS=$'\t\n' for x in `cat /tmp/ntp.txt`; do if [ $t -eq 0 ]; then a=$x t=1 else b=$x echo $a - $b DIFF $((`date +%s -d $a`-`date +%s -d $b`)) t=0 fi done
(there may be a neat short way to do this with awk... take that as a challenge ;-). Oh, and please DO NOT replace the spaces I used to indent the lines with TABS... just because. )
The final output:
Jun 6, 2016 18:26:26.748699000 EDT - Jun 6, 2016 18:26:26.505266000 EDT DIFF 0 Jun 6, 2016 18:26:46.125142000 EDT - Jun 6, 2016 18:26:45.890823000 EDT DIFF 1 Jun 6, 2016 18:26:46.325736000 EDT - Jun 6, 2016 18:26:46.091757000 EDT DIFF 0 Jun 6, 2016 18:26:46.525703000 EDT - Jun 6, 2016 18:26:46.291742000 EDT DIFF 0 Jun 6, 2016 18:26:48.125179000 EDT - Jun 6, 2016 18:26:47.892105000 EDT DIFF 1 Jun 6, 2016 18:26:48.325629000 EDT - Jun 6, 2016 18:26:48.092543000 EDT DIFF 0
The last number indicates the difference in seconds. It should be 0 or 1 if times are synchronized well.
BTW: The exact syntax may differ a bit depending on your version of tshark. The "date" command also differs for various *ix systems. In particular OS X requires a different syntax.
Intrusion Detection In-Depth - SIEM Summit & Training 2019
Jun 6th 2016
3 years ago