Ask Your Question
0

NTP timestamp display

asked 2018-04-25 04:10:51 +0000

TheWirelessGuy gravatar image

Hi,

I think there is some issue with the date display for NTP 64 bit timestamps in WS.

The startTimestamp with a higher hex value shows the year as 1983. However, the endTimestamp with a lower hex value shows 2076. Can someone please clarify how does this display work?

startTimestamp: 9c6a0500 (Feb 27, 1983 14:43:12 UTC)
endTimestamp: 4cb948f7 (Nov 21, 2076 13:09:11 UTC)

I am using the below version of wireshark: Version 2.9.0-262-g4f492559 (v2.9.0rc0-262-g4f492559)

Thanks!!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-04-25 08:22:00 +0000

mrEEde gravatar image

updated 2018-04-25 08:23:53 +0000

Per https://www.meinbergglobal.com/ the timestamps in NTP is a 32 bit field for seconds so it will wrap at some point in the future.
Using https://www.gasmi.net/hpd/ with a crafted NTP packet reveals that this point is is Feb 7 2036 06:28:16 UTC so the lower hex value is the offset from that date vs. 1.1.1900
The timestamps you provide don't seem to be real anyways, so this might come from a bogus NTP packet ...

00 1C 0F 09 00 10 00 1C 0F 5C A2 83 81 00 00 CA 08 00 45 00 00 4C D5 5C 40 00 3B 11 EA 27 0A 50 07 BD 0A 04 64 0C 00 7B 00 7B 00 38 DD 04 1B 02 0F FA 00 00 08 00 00 00 15 3D 0A 04 64 0C 9C 6A 05 00 00 00 00 00 4C B9 48 F7 00 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 01 00 00 00 00

image description

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-04-25 04:10:51 +0000

Seen: 1,137 times

Last updated: Apr 25 '18