First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
1

NTPv4 Autokey protocol: pcap does not meet the standard

  • retag add tags

In RFC 5906: Section 10 standard it is written:

In Autokey the 8-bit Field Type field is interpreted as the version number, currently 2.

REM: Look at Figure 7 above.

But in fact, the version is not specified in the "Field Type" (second byte), it is parsed by Wireshark on "Flags" field (last 6 bits of first byte). By default, the "Opcode" should be in the first byte, the "Version" should be in the second byte. In fact, the opposite is true.

Is this a bug of Wireshark or ntpd or should I believe the implementation?

Link to pcap: https://yadi.sk/d/hahMZm2xYJPhoQ

REM: Look at "Extensional" fields in client's requests .

oup_job's avatar
11
oup_job
asked 2020-09-09 15:09:34 +0000, updated 2020-09-09 15:15:12 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

1

Your capture doesn't seem to comply with the RFC, that field type value (0x0201) isn't on the IANA list.

The NTP dissector doesn't currently perform any dissection of Extension fields other than that specified in RFC 5905, i.e. Type (as a uint16), Length and the Value.

Edit: My tests were performed with the development version that doesn't have support for Autokey post the merge of change 38037.

grahamb's avatar
23.8k
grahamb
answered 2020-09-09 15:42:46 +0000, updated 2020-09-10 08:28:32 +0000
edit flag offensive 0 remove flag delete link
more

Comments

"The NTP dissector doesn't currently perform any dissection of Extension fields"

This isn't true, at least not prior to https://code.wireshark.org/review/git...

I don't know why Autokey was removed instead of fixed. So this looks like a Wireshark bug to me, and thus a bug report should be filed to not only add AutoKey dissection back but to also fix it.

See also: Bug 16640.

cmaynard's avatar cmaynard (2020-09-09 16:23:36 +0000) edit
more
  • delete

"The NTP dissector doesn't currently perform any dissection of Extension fields" This isn't true, at least not prior to https://code.wireshark.org/review/git...

Lol, I forgot to add "at the time of writing".

grahamb's avatar grahamb (2020-09-09 16:39:21 +0000) edit
more
  • delete

It is currently supported as of this writing in the stable releases, albeit with bugs.

cmaynard's avatar cmaynard (2020-09-09 16:45:33 +0000) edit
more
  • delete

Another file in which the "Field type" matches IANA list: https://yadi.sk/d/jSN7nyK7O-2eqA.

The problem is the same. Why "Version" is in the first byte?

oup_job's avatar oup_job (2020-09-10 08:08:17 +0000) edit
more
  • delete

As noted by @cmaynard, there is a bug in the dissector in the stable versions, and the Extension Field dissection was actually removed. The version I was testing your capture with (a locally built copy of the development version) doesn't have the buggy Autokey dissection.

See Issue 16640 for discussion of the removal and Issue 16222 for discussion on the Autokey replacement.

Although 16440 notes that Autokey will be replaced with NTS, there will still be Autokey implementations out in the wild and thus Wireshark should support that. Again as noted by @cmaynard, raise an Issue to request Autokey support (or better still submit a Merge Request).

grahamb's avatar grahamb (2020-09-10 08:25:38 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer