Microsoft has released Network Monitor 3.0, which includes an NTP parser.
I recommend downloading and using that version.

Summary

A notable omission from Microsoft Netmon is full decoding and display of NTP packets, NTP being the Network Time Protocol as defined in RFC 1305.

I have created a Parser DLL to handle these packets. It can be downloaded below.

Alan J. McFarlane
14th October 2002
Update 16th August 2004
Update 29th January 2007

Parser output

This is an example of the output produced by the parser. It shows an SNTP (Simple NTP) query from a Windows 2000 client and the reply to it.



Network Monitor trace  Mon 10/14/02 21:11:00  Captur 2.txt

**********************************************************************************************************************************************
Frame    Time      Src MAC Addr    Dst MAC Addr    Protocol    Description      Src Other Addr     Dst Other Addr     Type Other Addr
1667     1598.964855      LOCAL      cblRtr      NTP      Client: v2 NoLeap TxTime.integer: 2002-Oct-14 18: JYRAALAN2K      62.253.64.3       

+ Frame: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
+ IP: ID = 0x812B; Proto = UDP; Len: 76
+ UDP: Src Port: Unknown, (3163); Dst Port: Network Time Protocol (123); Length = 56 (0x38)
  NTP: Client: v2 NoLeap TxTime.integer: 2002-Oct-14 18:39:00 (3243609540 secs)
      NTP: Leap Indicator = No warning (0x0)
      NTP: Version Number = 2 (0x2)
      NTP: Mode = Client (0x3)
      NTP: Stratum = 0 (0x0)
      NTP: Poll Interval = 11 (0xB)
      NTP: Precision = 0 (0x0)
      NTP: Root Delay = 0 (0x0)
      NTP: Root Dispersion = 0 (0x0)
      NTP: Reference Clock Identifier = 0 (0x0)
          NTP: Reference Clock Name = 
      NTP: Reference Timestamp, integer seconds = Zero (0 0x0)
      NTP: Reference Timestamp, fraction seconds = 0 (0x0)
      NTP: Originate Timestamp, integer seconds = Zero (0 0x0)
      NTP: Originate Timestamp, fraction seconds = 0 (0x0)
      NTP: Receive Timestamp, integer seconds = Zero (0 0x0)
      NTP: Receive Timestamp, fraction seconds = 0 (0x0)
      NTP: Transmit Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Transmit Timestamp, fraction seconds = 1348619731 (0x50624DD3)

00000:  00 06 2A C8 AC 70 00 60 08 95 06 19 08 00 45 00   ..*È¬p.`......E.
00010:  00 4C 81 2B 00 00 80 11 0A A6 0A 0A 0A 0A 3E FD   .L.+.....¦....>ý
00020:  40 03 0C 5B 00 7B 00 38 38 88 13 00 0B 00 00 00   @..[.{.88.......
00030:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00040:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00050:  00 00 C1 55 8D C4 50 62 4D D3                     ..ÁU.ÄPbMÓ      

***********************************************************************************************************************************************
Frame    Time      Src MAC Addr    Dst MAC Addr    Protocol    Description      Src Other Addr     Dst Other Addr     Type Other Addr
1668     1598.974870      cblRtr      LOCAL      NTP      Server: v2 NoLeap TxTime.integer: 2002-Oct-14 18: 62.253.64.3      10.10.10.10       

+ Frame: Base frame properties
+ ETHERNET: ETYPE = 0x0800 : Protocol = IP:  DOD Internet Protocol
+ IP: ID = 0xBF77; Proto = UDP; Len: 76
+ UDP: Src Port: Network Time Protocol, (123); Dst Port: Unknown (3163); Length = 56 (0x38)
  NTP: Server: v2 NoLeap TxTime.integer: 2002-Oct-14 18:39:00 (3243609540 secs)
      NTP: Leap Indicator = No warning (0x0)
      NTP: Version Number = 2 (0x2)
      NTP: Mode = Server (0x4)
      NTP: Stratum = 4 (0x4)
      NTP: Poll Interval = 11 (0xB)
      NTP: Precision = 240 (0xF0)
      NTP: Root Delay = 1294 (0x50E)
      NTP: Root Dispersion = 3006 (0xBBE)
      NTP: Reference Clock Identifier = 3265791052 (0xC2A8044C)
          NTP: Reference Clock IP Address = 194.168.4.76
      NTP: Reference Timestamp, integer seconds = 2002-Oct-14 18:38:23 (3243609503 0xC1558D9F)
      NTP: Reference Timestamp, fraction seconds = 1360416768 (0x51165000)
      NTP: Originate Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Originate Timestamp, fraction seconds = 1348619731 (0x50624DD3)
      NTP: Receive Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Receive Timestamp, fraction seconds = 2926501888 (0xAE6EE000)
      NTP: Transmit Timestamp, integer seconds = 2002-Oct-14 18:39:00 (3243609540 0xC1558DC4)
      NTP: Transmit Timestamp, fraction seconds = 2927091712 (0xAE77E000)

00000:  00 60 08 95 06 19 00 06 2A C8 AC 70 08 00 45 00   .`......*È¬p..E.
00010:  00 4C BF 77 40 00 FC 11 10 59 3E FD 40 03 0A 0A   .L¿w@.ü..Y>ý@...
00020:  0A 0A 00 7B 0C 5B 00 38 B3 AA 14 04 0B F0 00 00   ...{.[.8³ª...ð..
00030:  05 0E 00 00 0B BE C2 A8 04 4C C1 55 8D 9F 51 16   .....¾Â¨.LÁU..Q.
00040:  50 00 C1 55 8D C4 50 62 4D D3 C1 55 8D C4 AE 6E   P.ÁU.ÄPbMÓÁU.Ä®n
00050:  E0 00 C1 55 8D C4 AE 77 E0 00                     à.ÁU.Ä®wà.      

Note that the "Reference Clock Identifier" is further decoded, as suggested by the RFC, as a textual string for strata 0 and 1 and as an IP address for higher strata.

I am not 100% happy with the detailed decoding and display of the time-related fields. For instance, the delay and dispersion fields are each a "32-bit signed fixed-point number ... in seconds with fraction point between bits 15 and 16" and should thus be displayed as such. Also, the Timestamp fields are not displayed very prettily...
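As an added example (my own code, not the parser DLL described on this page), the following Python decoder applies the RFC 1305 header layout to the two NTP payloads taken from the hex dumps above (the 48 bytes that follow the UDP header, i.e. from offset 0x2A in each frame). It decodes the Reference Clock Identifier as a name or an IPv4 address depending on stratum, shows the delay and dispersion fields as fixed-point seconds with the binary point between bits 15 and 16, converts the 64-bit timestamps to UTC, and rejects truncated input instead of reading past the end of the buffer. Precision is decoded as the signed 8-bit value the RFC specifies, so the server's 0xF0 reads as -16 rather than 240. Function and field names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

NTP_HEADER_LEN = 48                 # RFC 1305 header, without the optional authenticator
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

MODE_NAMES = {0: "Reserved", 1: "Symmetric Active", 2: "Symmetric Passive",
              3: "Client", 4: "Server", 5: "Broadcast", 6: "Control", 7: "Private"}
LEAP_NAMES = {0: "No warning", 1: "Last minute has 61 seconds",
              2: "Last minute has 59 seconds", 3: "Alarm condition (clock not synchronized)"}

# NTP payloads copied from the two hex dumps on this page (bytes from offset 0x2A onwards).
CLIENT_PAYLOAD = bytes.fromhex(
    "13000B00" "00000000" "00000000" "00000000"
    "0000000000000000" "0000000000000000" "0000000000000000" "C1558DC450624DD3")
SERVER_PAYLOAD = bytes.fromhex(
    "14040BF0" "0000050E" "00000BBE" "C2A8044C"
    "C1558D9F51165000" "C1558DC450624DD3" "C1558DC4AE6EE000" "C1558DC4AE77E000")


def fixed_point_seconds(raw):
    """32-bit fixed-point value with the fraction point between bits 15 and 16 -> seconds."""
    return raw / 65536.0


def ntp_timestamp(secs, frac):
    """64-bit NTP timestamp (seconds since 1900-01-01 plus 32-bit fraction) -> aware UTC datetime.
    An all-zero timestamp means 'unset' and is returned as None, as Netmon shows 'Zero'."""
    if secs == 0 and frac == 0:
        return None
    micros = (frac * 1_000_000) >> 32
    return NTP_EPOCH + timedelta(seconds=secs, microseconds=micros)


def reference_id(stratum, raw):
    """Reference Clock Identifier: 4-char ASCII name for strata 0 and 1, IPv4 address above that."""
    if stratum <= 1:
        return raw.rstrip(b"\x00").decode("ascii", errors="replace")
    return str(IPv4Address(raw))


def decode_ntp(payload):
    """Decode a raw NTP payload (the bytes after the UDP header) into named fields.
    Raises ValueError for anything shorter than a full header rather than over-reading."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError(f"NTP header needs {NTP_HEADER_LEN} bytes, got {len(payload)}")
    # Root Delay is signed, Root Dispersion unsigned, per the RFC 1305 packet format (Appendix A).
    (flags, stratum, poll, precision, root_delay, root_disp, refid,
     ref_s, ref_f, org_s, org_f, rec_s, rec_f, xmt_s, xmt_f) = struct.unpack(
        "!BBbbiI4sIIIIIIII", payload[:NTP_HEADER_LEN])
    return {
        "leap_indicator": LEAP_NAMES[flags >> 6],
        "version": (flags >> 3) & 0x7,
        "mode": MODE_NAMES[flags & 0x7],
        "stratum": stratum,
        "poll_interval": poll,            # log2 seconds
        "precision": precision,           # log2 seconds, signed: 0xF0 is -16 (about 15 us)
        "root_delay_raw": root_delay,
        "root_delay_s": fixed_point_seconds(root_delay),
        "root_dispersion_raw": root_disp,
        "root_dispersion_s": fixed_point_seconds(root_disp),
        "reference_id": reference_id(stratum, refid),
        "reference_time": ntp_timestamp(ref_s, ref_f),
        "originate_time": ntp_timestamp(org_s, org_f),
        "receive_time": ntp_timestamp(rec_s, rec_f),
        "transmit_time": ntp_timestamp(xmt_s, xmt_f),
        "transmit_raw": (xmt_s, xmt_f),   # kept so the raw integer/fraction can be checked
    }


def describe(fields):
    """One-line summary in the spirit of Netmon's Description column."""
    tx = fields["transmit_time"]
    tx_text = tx.strftime("%Y-%m-%d %H:%M:%S") if tx else "Zero"
    return f"{fields['mode']}: v{fields['version']} {fields['leap_indicator']} TxTime: {tx_text}"


if __name__ == "__main__":
    for name, payload in (("client", CLIENT_PAYLOAD), ("server", SERVER_PAYLOAD)):
        fields = decode_ntp(payload)
        print(f"[{name}] {describe(fields)}")
        for key, value in fields.items():
            print(f"    {key} = {value}")
```

Running the block as a script prints both decoded packets; the server's root delay comes out as 1294/65536, about 0.0197 s, and its dispersion as 3006/65536, about 0.0459 s, which is the fixed-point display the paragraph above asks for.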

Download and Installation

Note that I have not done a thorough audit of the source code for this parser; some Netmon parsers have been found to crash when parsing invalid capture data, and security has (correctly) become a very visible issue. So I have to say: download and use at your own risk.

Download the DLL here: NTP.dll. To install it, simply place it in the "Netmon\Parser\" directory (e.g. "C:\WINNT\system32\NetmonFull\Parsers\"). Netmon (at least in version 2) will notice its appearance and auto-install it (making changes to parser.ini and tcpip.ini), after which any packets to or from UDP port 123 will be decoded.

Manual .ini changes if required

The following changes can be made by hand if the auto-installation does not happen, that is, if NTP packets (UDP port 123) are not decoded and the lines below are absent from the .ini files.

The changes:

Netmon\parser.ini

In the [PARSERS] section:

NTP.dll=0: NTP

As a new section:

[NTP]
Comment=Network Time Protocol (RFC1305) by AlanJMcF
FollowSet=
HelpFile=

Netmon\Parser\tcpip.ini

In the [UDP_HandoffSet] section:

123=NTP

Feedback on this parser, or any other relevant information, including any errors in this document, would be appreciated and will help improve it. Please send emails to alanjmcf AT yahoo.com.
Copyright © 2002 Alan J. McFarlane. All rights reserved.
Document for information only, no warranties blah de blah, all trademarks etc.