Microsoft has released Network Monitor 3.0, which includes an NTP parser. I recommend downloading and using that version.
A notable omission from Microsoft Netmon is full decoding and display of NTP packets, where NTP is the Network Time Protocol as defined in RFC 1305.
I have created a Parser DLL to handle these packets. It can be downloaded below.
Alan J. McFarlane, 14th October 2002. Updated 16th August 2004 and 29th January 2007.
This is an example of the output produced by the parser; it shows the query and the reply for an SNTP (Simple NTP) query from a Windows 2000 client.
Network Monitor trace Mon 10/14/02 21:11:00 Captur 2.txt

**********************************************************************************************************************************************
Frame  Time         Src MAC Addr  Dst MAC Addr  Protocol  Description                                         Src Other Addr  Dst Other Addr  Type Other Addr
1667   1598.964855  LOCAL         cblRtr        NTP       Client: v2 NoLeap TxTime.integer: 2002-Oct-14 18:   JYRAALAN2K      62.253.64.3

+ Frame: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+ IP: ID = 0x812B; Proto = UDP; Len: 76
+ UDP: Src Port: Unknown, (3163); Dst Port: Network Time Protocol (123); Length = 56 (0x38)
  NTP: Client: v2 NoLeap TxTime.integer: 2002-Oct-14 18:39:00 (3243609540 secs)
      NTP: Leap Indicator = No warning (0x0)
      NTP: Version Number = 2 (0x2)
      NTP: Mode = Client (0x3)
      NTP: Stratum = 0 (0x0)
      NTP: Poll Interval = 11 (0xB)
      NTP: Precision = 0 (0x0)
      NTP: Root Delay = 0 (0x0)
      NTP: Root Dispersion = 0 (0x0)
      NTP: Reference Clock Identifier = 0 (0x0)
      NTP: Reference Clock Name =
      NTP: Reference Timestamp, integer seconds = Zero (0 0x0)
      NTP: Reference Timestamp, fraction seconds = 0 (0x0)
      NTP: Originate Timestamp, integer seconds = Zero (0 0x0)
      NTP: Originate Timestamp, fraction seconds = 0 (0x0)
      NTP: Receive Timestamp, integer seconds = Zero (0 0x0)
      NTP: Receive Timestamp, fraction seconds = 0 (0x0)
      NTP: Transmit Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Transmit Timestamp, fraction seconds = 1348619731 (0x50624DD3)

00000:  00 06 2A C8 AC 70 00 60 08 95 06 19 08 00 45 00   ..*È¬p.`......E.
00010:  00 4C 81 2B 00 00 80 11 0A A6 0A 0A 0A 0A 3E FD   .L.+.....¦....>ý
00020:  40 03 0C 5B 00 7B 00 38 38 88 13 00 0B 00 00 00   @..[.{.88.......
00030:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00050:  00 00 C1 55 8D C4 50 62 4D D3                     ..ÁU.ÄPbMÓ

***********************************************************************************************************************************************
Frame  Time         Src MAC Addr  Dst MAC Addr  Protocol  Description                                         Src Other Addr  Dst Other Addr  Type Other Addr
1668   1598.974870  cblRtr        LOCAL         NTP       Server: v2 NoLeap TxTime.integer: 2002-Oct-14 18:   62.253.64.3     10.10.10.10

+ Frame: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
+ IP: ID = 0xBF77; Proto = UDP; Len: 76
+ UDP: Src Port: Network Time Protocol, (123); Dst Port: Unknown (3163); Length = 56 (0x38)
  NTP: Server: v2 NoLeap TxTime.integer: 2002-Oct-14 18:39:00 (3243609540 secs)
      NTP: Leap Indicator = No warning (0x0)
      NTP: Version Number = 2 (0x2)
      NTP: Mode = Server (0x4)
      NTP: Stratum = 4 (0x4)
      NTP: Poll Interval = 11 (0xB)
      NTP: Precision = 240 (0xF0)
      NTP: Root Delay = 1294 (0x50E)
      NTP: Root Dispersion = 3006 (0xBBE)
      NTP: Reference Clock Identifier = 3265791052 (0xC2A8044C)
      NTP: Reference Clock IP Address = 194.168.4.76
      NTP: Reference Timestamp, integer seconds = 2002-Oct-14 18:38:23 (3243609503 0xC1558D9F)
      NTP: Reference Timestamp, fraction seconds = 1360416768 (0x51165000)
      NTP: Originate Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Originate Timestamp, fraction seconds = 1348619731 (0x50624DD3)
      NTP: Receive Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Receive Timestamp, fraction seconds = 2926501888 (0xAE6EE000)
      NTP: Transmit Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Transmit Timestamp, fraction seconds = 2927091712 (0xAE77E000)

00000:  00 60 08 95 06 19 00 06 2A C8 AC 70 08 00 45 00   .`......*È¬p..E.
00010:  00 4C BF 77 40 00 FC 11 10 59 3E FD 40 03 0A 0A   .L¿w@.ü..Y>ý@...
00020:  0A 0A 00 7B 0C 5B 00 38 B3 AA 14 04 0B F0 00 00   ...{.[.8³ª...ð..
00030:  05 0E 00 00 0B BE C2 A8 04 4C C1 55 8D 9F 51 16   .....¾Â¨.LÁU..Q.
00040:  50 00 C1 55 8D C4 50 62 4D D3 C1 55 8D C4 AE 6E   P.ÁU.ÄPbMÓÁU.Ä®n
00050:  E0 00 C1 55 8D C4 AE 77 E0 00                     à.ÁU.Ä®wà.
Note that the "Reference Clock Identifier" is further decoded, as suggested by the RFC, as a textual string for strata 0 and 1 and as an IP address for higher strata.
I am not 100% happy with the detailed decoding and display of the time-related fields. For instance, the delay and dispersion fields are each a "32-bit signed fixed-point number ... in seconds with fraction point between bits 15 and 16" and should thus be displayed as seconds rather than as the raw integers shown above. The Timestamp fields are also not displayed very prettily.
Note, I have not done a thorough audit of the source code for this parser, since some Netmon parsers were found to crash when parsing invalid capture data and since security has also (correctly) become such a visible issue. So I have to say: download and use at your own risk.
Download the DLL from here: NTP.dll. To install, simply place it in the "Netmon\Parser\" directory (e.g. "C:\WINNT\system32\NetmonFull\Parsers\"). Netmon (at least in version 2) will notice its appearance and will auto-install it (making changes to parser.ini and tcpip.ini), and any packets to or from UDP port 123 will be decoded.
The following manual changes can be made if the auto-installation process does not occur. This will be required when it is observed that NTP packets (UDP port 123) are not decoded, and the following lines are not seen in the .ini files.

The changes:

In the [PARSERS] section:

    NTP.dll=0: NTP

As a new section:

    [NTP]
    Comment=Network Time Protocol (RFC1305) by AlanJMcF
    FollowSet=
    HelpFile=

In the [UDP_HandoffSet] section:

    123=NTP