Source SANS Institute
Identifier 2480
Publication date 2016-06-06 23:36:09 (seen: 2016-06-06 23:36:09)
Title What Time Is It? Using NTP Traffic to Calibrate PCAP Timestamps, (Mon, Jun 6th)
Text This is an issue that came up today when discussing how tcpdump and Wireshark display timestamps. If you have a packet capture file (pcap), it is nice to know that the timestamps are accurate. One way to assert accuracy is to use NTP traffic that was captured in the pcap file.

First, let's limit ourselves to NTP packets coming from a server. The NTP protocol uses different protocol modes. We are going to restrict ourselves to packets coming from NTP servers, which implies protocol mode 4. There is a simple Wireshark/tshark filter we can use:

ntp.flags.mode == 4

Next, we need to extract the timestamp. In NTP, we will receive 4 different timestamps:

- Reference Timestamp: Time the clock was last set
- Origin Timestamp: Time the request was sent from the client to the server
- Receive Timestamp: Time the request was received by the server
- Transmit Timestamp: Time at the server when the reply left for the client

Among these timestamps, the Transmit Timestamp seems most appropriate. We can extract this from tshark using the -T fields option:

tshark -r ntp.pcap -n -Y ntp.flags.mode==4 \
  -T fields -e ntp.xmt -e frame.time

frame.time will give us the timestamp from the packet capture. The output is already pretty close to what we are looking for (the two fields are tab-separated):

Jun 6, 2016 18:27:26.073666000 EDT	Jun 6, 2016 18:27:26.119514000 EDT
Jun 6, 2016 18:27:27.083747000 EDT	Jun 6, 2016 18:27:27.144937000 EDT
Jun 6, 2016 18:27:28.072173000 EDT	Jun 6, 2016 18:27:28.113482000 EDT
Jun 6, 2016 18:27:29.094674000 EDT	Jun 6, 2016 18:27:29.153425000 EDT

As you can tell, the times look very close. But we can do a bit better. We can convert the times to Unix timestamps, and subtract them from each other to get the difference in seconds. A little shell script will help here. This can be done as a one-liner, but for readability, I split it up into several lines.

The script assumes that the output of the tshark command above was saved to ntp.txt. (The scraped copy of this diary had lost the for/if/done lines; they are restored here so the script runs. Fields are split on tabs and newlines, and t toggles between the first and second field of each line.)

IFS=$'\t\n'
t=0
for x in $(cat ntp.txt); do
  if [ "$t" -eq 0 ]; then
    a=$x
    t=1
  else
    b=$x
    echo "$a - $b DIFF $((`date +%s -d "$a"`-`date +%s -d "$b"`))"
    t=0
  fi
done

(Oh, and please DO NOT replace the spaces I used to indent the lines with TABS... just because.)

The final output:

Jun 6, 2016 18:26:26.748699000 EDT - Jun 6, 2016 18:26:26.505266000 EDT DIFF 0
Jun 6, 2016 18:26:46.125142000 EDT - Jun 6, 2016 18:26:45.890823000 EDT DIFF 1
Jun 6, 2016 18:26:46.325736000 EDT - Jun 6, 2016 18:26:46.091757000 EDT DIFF 0
Jun 6, 2016 18:26:46.525703000 EDT - Jun 6, 2016 18:26:46.291742000 EDT DIFF 0
Jun 6, 2016 18:26:48.125179000 EDT - Jun 6, 2016 18:26:47.892105000 EDT DIFF 1
Jun 6, 2016 18:26:48.325629000 EDT - Jun 6, 2016 18:26:48.092543000 EDT DIFF 0

The last number indicates the difference in seconds. It should be 0 or 1 if the times are synchronized well.

BTW: The exact syntax may differ a bit depending on your version of tshark. The date command also differs for various *ix systems. In particular, OS X requires a different syntax.

---
Johannes B. Ullrich, Ph.D.
STI | Twitter | LinkedIn
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
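The calibration the diary performs with tshark and the shell loop, reimplemented as an added Python example (not the diary's or SANS's code): it decodes the 48-byte NTP header itself, keeps only mode-4 server replies, converts the Transmit Timestamp from the NTP epoch (1900) to Unix time and subtracts it from the frame's capture time. It goes a step beyond the diary in keeping sub-second precision and working entirely in UTC, so the `date -d` portability problem does not arise. The packets and capture times are constructed from the diary's sample output; `build_ntp_packet`, `edt_to_unix`, `calibrate` and `worst_offset` are names chosen here, not tshark or NTP terms.

```python
"""Calibrate pcap frame timestamps against NTP server replies (added example)."""
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_DELTA = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)


def ntp_to_unix(seconds: int, fraction: int) -> float:
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_UNIX_DELTA + fraction / 2**32


def unix_to_ntp(t: float) -> tuple:
    """Inverse of ntp_to_unix; used only to build the constructed sample packets."""
    whole = int(t)
    fraction = min(int(round((t - whole) * 2**32)), 2**32 - 1)
    return whole + NTP_UNIX_DELTA, fraction


def parse_ntp(payload: bytes) -> dict:
    """Decode the fixed 48-byte NTP header (RFC 5905 layout).

    Byte 0 packs leap indicator (2 bits), version (3 bits) and mode (3 bits);
    the four 64-bit timestamps occupy bytes 16-47 in the order the diary lists:
    reference, origin, receive, transmit.
    """
    if len(payload) < 48:
        raise ValueError(f"NTP header is 48 bytes, got {len(payload)}")
    first = payload[0]
    words = struct.unpack("!8I", payload[16:48])
    names = ("reference", "origin", "receive", "transmit")
    stamps = {n: ntp_to_unix(words[2 * i], words[2 * i + 1]) for i, n in enumerate(names)}
    return {"version": (first >> 3) & 0x07, "mode": first & 0x07, **stamps}


def calibrate(frames) -> list:
    """frames: iterable of (frame_time_unix, ntp_udp_payload).

    Mirrors `-Y ntp.flags.mode==4 -T fields -e ntp.xmt -e frame.time`:
    only server replies (mode 4) are kept, and offset = frame.time - ntp.xmt.
    """
    results = []
    for frame_time, payload in frames:
        info = parse_ntp(payload)
        if info["mode"] != 4:
            continue  # client requests, broadcasts etc. are dropped, as by the diary's filter
        results.append({"frame": frame_time, "xmt": info["transmit"],
                        "offset": frame_time - info["transmit"]})
    return results


def worst_offset(results) -> float:
    """Largest absolute capture-clock offset seen, in seconds (0.0 if no replies)."""
    return max((abs(r["offset"]) for r in results), default=0.0)


def edt_to_unix(text: str) -> float:
    """Parse tshark's display form used in the diary, e.g.
    'Jun 6, 2016 18:27:26.073666000 EDT', into Unix time. Only EDT (UTC-4) is
    handled here; the nanosecond field is truncated to microseconds for strptime."""
    stamp, tz = text.rsplit(" ", 1)
    if tz != "EDT":
        raise ValueError("only EDT samples are expected in this example")
    main, frac = stamp.split(".")
    dt = datetime.strptime(f"{main}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return dt.replace(tzinfo=timezone(timedelta(hours=-4))).timestamp()


def build_ntp_packet(mode: int, transmit_unix: float, version: int = 4) -> bytes:
    """Constructed sample packet: header byte, zero padding, only the transmit stamp set."""
    secs, frac = unix_to_ntp(transmit_unix)
    header = bytes([(version << 3) | mode]) + b"\x00" * 15
    return header + struct.pack("!8I", 0, 0, 0, 0, 0, 0, secs, frac)


# Constructed from the diary's first two output lines (ntp.xmt, frame.time),
# plus a mode-3 client request that the mode filter must drop.
SAMPLE_FRAMES = [
    (edt_to_unix("Jun 6, 2016 18:27:26.119514000 EDT"),
     build_ntp_packet(4, edt_to_unix("Jun 6, 2016 18:27:26.073666000 EDT"))),
    (edt_to_unix("Jun 6, 2016 18:27:26.050000000 EDT"),
     build_ntp_packet(3, edt_to_unix("Jun 6, 2016 18:27:26.050000000 EDT"))),
    (edt_to_unix("Jun 6, 2016 18:27:27.144937000 EDT"),
     build_ntp_packet(4, edt_to_unix("Jun 6, 2016 18:27:27.083747000 EDT"))),
]

if __name__ == "__main__":
    results = calibrate(SAMPLE_FRAMES)
    for r in results:
        print(f"frame {r['frame']:.6f}  xmt {r['xmt']:.6f}  offset {r['offset']:+.6f}s")
    print(f"worst offset: {worst_offset(results):.6f}s")
```

The offset still contains the one-way network delay from the server to the capture point, so a few tens of milliseconds positive (as in the diary's samples) is expected. A negative offset, or one much larger than the plausible path delay, means the capture clock or the NTP server is off, which is exactly what you need to know before lining pcap timestamps up against host logs in an investigation.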