Ask Your Question
0

why is my NTP client timestamp wrong?

asked 2018-03-05 22:38:28 +0000

mzimmers gravatar image

updated 2018-10-26 17:51:16 +0000

cmaynard gravatar image

This has been puzzling me for several hours now, and I'm pretty out of ideas. I'm modifying an embedded application to use NTP. I can send a request and get a reply (so I guess it's working), but my client timestamps show up in Wireshark incorrectly. They seem to be off by about 66 years, which makes me think it's related to how WS is interpreting my timestamp era, but my online research hasn't found anything.

I'd attribute this to a preference setting, except that the timestamps in the response are correct.

Thanks for any ideas... I realize that a snapshot would be very useful here, but I can't yet post images (or files).

Edit: posting a link to a file (hope I did this right):

link to capture file

Edit again: image file. Note the different interpretations of the transmit timestamp data:

image description

URL to this image file:

link text

edit retag flag offensive close merge delete

Comments

You could try posting a capture file to somewhere else like cloudshark, Google Docs, Drive, pastebin, ...

EDIT: It should be noted that some people (like myself) aren't always able to access these files from within their corporate environments though. I just discovered that Google Drive is apparently one of them. Maybe someone else can access it and have a look though ...

cmaynard gravatar imagecmaynard ( 2018-03-05 23:39:36 +0000 )edit

That pcap file contains three NTP packets, but not the one shown in the image. Not even from the same client, since the picture shows NTP version 3 packets, while the capture file has version 4 packets.

Jaap gravatar imageJaap ( 2018-03-06 18:50:25 +0000 )edit

Jaap -

I apologize for the confusion -- I didn't mean to imply that the capture file was associated with the image.

In looking at the image, I don't understand how two seemingly identical timestamps (the Transmit Timestamps) can be interpreted into two different human-readable dates. If I could get an answer to this, I'd be close to solving my issue. Thanks.

mzimmers gravatar imagemzimmers ( 2018-03-06 19:10:17 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
1

answered 2018-03-06 20:14:55 +0000

cmaynard gravatar image

They're not identical. The last line of bytes of the image on the left are:

0050  00 00 d3 49 43 01 00 00  00 00

whereas on the image on the right they are:

0050  00 00 de 49 43 01 00 00  00 00

Note that the 3rd byte at offset 0052 is d3 on the left image vs de on the right image.

edit flag offensive delete link more

Comments

Oops. sigh... It sucks getting old and having your eyes go south (that's my excuse anyway). Thanks, cmaynard.

With that little miscue out of the way, I'm still seeing results that I don't understand. Just for debugging purposes, I've modified my NTP client to populate all 4 timestamps in the message, as follows:

NTPRefTs = 0xde494301;              //  2018 03 06 mzimmers: try different time.

NTPTxBuf->REFTSS = htonl(0);        //  Reference TimeStamp Seconds 
NTPTxBuf->ORGTSS = 1;               //  Origin TimeStamp Seconds
NTPTxBuf->RXTSS = htonl(1);         //  Receive TimeStamp Seconds
NTPTxBuf->TXTSS = htonl(NTPRefTs);  //  Big Endian Transmit TimeStamp Seconds

The fractions are all 0.

As you can see, I'm using two byte orders of the value 1 in the middle timestamps. My layman expectation is that one of these should reveal a timestamp only one second off the timestamp with the value of 0. But they're both in 2036. Can someone explain what's happening here ...(more)

mzimmers gravatar imagemzimmers ( 2018-03-06 22:00:22 +0000 )edit

Well, the folks at Cloudshark apparently don't even allow one to view others' pcap files once the 30 day trial period has expired, so I can't view this pcap file. If it's a small enough file, you can try the trick I described before for attaching pcaps to questions, but I haven't tried it on the new Q & A site yet, so I don't know if it will work. Looking at the old question, maybe something was modified so it no longer works there either since I no longer see the images, but at least at one point in the past it worked.

Long ago, Joe McEachern from QA Café (Cloudshark) offered to provide the Wireshark project with its own Cloudshark appliance. If the offer still stood and Wireshark did have its own appliance, that would probably solve all of these annoying problems with ...(more)

cmaynard gravatar imagecmaynard ( 2018-03-07 15:50:34 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-03-05 22:38:28 +0000

Seen: 1,662 times

Last updated: Mar 06 '18

Related questions

NTP timestamp display

I'd like to extract the timestamp from the wireless LAN management frame

What is the syntax for wireshark custom column

RST, ACK from Client. Is this normal ?

RST packets sent by both client and server during file transfer

timestamp diameter after decode as

Who sets the value of Timestamps fields inside TCP?

Why my server does not respond to client's [SYN]?

Datetime in VoIP Call

What exactly mean TSval and TSecr

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2