added serialization for ntp timestamp fields

Author: koltiradw

src/include/ndpi_typedefs.h

@@ -1054,6 +1054,9 @@ struct ndpi_flow_udp_struct {
   /* NDPI_PROTOCOL_TFTP */
   u_int16_t tftp_data_num;
   u_int16_t tftp_ack_num;
+
+  /* NDPI_PROTOCOL_NTP*/
+  u_int8_t ntp_stage;
 };
 
 /* ************************************************** */
@@ -1716,14 +1719,14 @@ struct ndpi_flow_struct {
       char ptr_domain_name[64 /* large enough but smaller than { } tls */];
     } dns;
 
-    struct {
+    struct ntp_info {
       u_int8_t leap_indicator: 2, version: 3, mode: 3;
       u_int8_t stratum;
       int8_t ppol, precision;
       float root_delay, root_dispersion;
-      char ref_id[16];
+      char ref_id[20];
       uint64_t ref_time, org_time, rec_time, trans_time;
-    } ntp;
+    } ntp[2];
 
     struct {
       char hostname[48], domain[48], username[48];

src/lib/ndpi_utils.c

@@ -23,6 +23,7 @@
 #include <errno.h>
 #include <math.h>
 #include <sys/types.h>
+#include <time.h>
 
 #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNKNOWN
 
@@ -76,8 +77,38 @@ typedef struct {
   UT_hash_handle hh;
 } ndpi_str_hash_priv;
 
+typedef struct {
+  uint32_t seconds;
+  uint32_t fraction;
+} ntp_t;
+
+#define NTP_DELTA 2208988800UL
+
 /* ****************************************** */
 
+// https://tickelton.gitlab.io/articles/ntp-timestamps/
+void ntp_ts_to_string(uint64_t timestamp, char *buffer, size_t buffer_size) {
+
+  if (timestamp == 0) {
+    buffer[0] = '\0';
+    return;
+  }
+
+  ntp_t ntp;
+
+  memcpy(&ntp, &timestamp, sizeof(uint64_t));
+
+  time_t sec = ntohl(ntp.seconds) - NTP_DELTA;
+  uint32_t usec = (uint32_t)((double)ntohl(ntp.fraction) * 1.0e9 / (double)(1LL << 32));
+
+  struct tm tm;
+
+  (void)ndpi_gmtime_r(&sec, &tm);
+  size_t offset = strftime(buffer, buffer_size, "%Y-%m-%d %H:%M:%S", &tm);
+  snprintf(buffer + offset, buffer_size - offset, ".%d", usec);
+}
+
+
 /* implementation of the punycode check function */
 int ndpi_check_punycode_string(char * buffer , int len) {
   int i = 0;
@@ -1626,19 +1657,30 @@ int ndpi_dpi2json(struct ndpi_detection_module_struct *ndpi_struct,
 
   case NDPI_PROTOCOL_NTP:
     ndpi_serialize_start_of_block(serializer, "ntp");
-    ndpi_serialize_string_uint32(serializer, "leap_indicator", flow->protos.ntp.leap_indicator);
-    ndpi_serialize_string_uint32(serializer, "version", flow->protos.ntp.version);
-    ndpi_serialize_string_uint32(serializer, "mode", flow->protos.ntp.mode);
-    ndpi_serialize_string_uint32(serializer, "stratum", flow->protos.ntp.stratum);
-    ndpi_serialize_string_int32(serializer, "ppol", flow->protos.ntp.ppol);
-    ndpi_serialize_string_int32(serializer, "precision", flow->protos.ntp.precision);
-    ndpi_serialize_string_float(serializer, "root_delay", flow->protos.ntp.root_delay, "%f");
-    ndpi_serialize_string_float(serializer, "root_dispersion", flow->protos.ntp.root_dispersion, "%f");
-    ndpi_serialize_string_string(serializer, "ref_id", flow->protos.ntp.ref_id);
-    ndpi_serialize_string_uint64(serializer, "ref_time", flow->protos.ntp.ref_time);
-    ndpi_serialize_string_uint64(serializer, "org_time", flow->protos.ntp.org_time);
-    ndpi_serialize_string_uint64(serializer, "rec_time", flow->protos.ntp.rec_time);
-    ndpi_serialize_string_uint64(serializer, "trans_time", flow->protos.ntp.trans_time);
+    for (i = 0; i < 2; i++) {
+      ndpi_serialize_start_of_block_uint32(serializer,i);
+      ndpi_serialize_string_uint32(serializer, "leap_indicator", flow->protos.ntp[i].leap_indicator);
+      ndpi_serialize_string_uint32(serializer, "version", flow->protos.ntp[i].version);
+      ndpi_serialize_string_uint32(serializer, "mode", flow->protos.ntp[i].mode);
+      ndpi_serialize_string_uint32(serializer, "stratum", flow->protos.ntp[i].stratum);
+      ndpi_serialize_string_int32(serializer, "ppol", flow->protos.ntp[i].ppol);
+      ndpi_serialize_string_int32(serializer, "precision", flow->protos.ntp[i].precision);
+      ndpi_serialize_string_float(serializer, "root_delay", flow->protos.ntp[i].root_delay, "%f");
+      ndpi_serialize_string_float(serializer, "root_dispersion", flow->protos.ntp[i].root_dispersion, "%f");
+      ndpi_serialize_string_string(serializer, "ref_id", flow->protos.ntp[i].ref_id);
+
+
+      char timestamp[64];
+      ntp_ts_to_string(flow->protos.ntp[i].ref_time, timestamp, sizeof timestamp);
+      ndpi_serialize_string_string(serializer, "ref_time", timestamp);
+      ntp_ts_to_string(flow->protos.ntp[i].org_time, timestamp, sizeof timestamp);
+      ndpi_serialize_string_string(serializer, "org_time", timestamp);
+      ntp_ts_to_string(flow->protos.ntp[i].rec_time, timestamp, sizeof timestamp);
+      ndpi_serialize_string_string(serializer, "rec_time", timestamp);
+      ntp_ts_to_string(flow->protos.ntp[i].trans_time, timestamp, sizeof timestamp);
+      ndpi_serialize_string_string(serializer, "trans_time", timestamp);
+      ndpi_serialize_end_of_block(serializer);
+    }
     ndpi_serialize_end_of_block(serializer);
     break;
 

src/lib/protocols/ntp.c

@@ -19,7 +19,7 @@
  *
  * You should have received a copy of the GNU Lesser General Public License
  * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
- * 
+ *
  */
 
 #include "ndpi_protocol_ids.h"
@@ -30,69 +30,109 @@
 #include "ndpi_private.h"
 
 
+static void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow);
+
+
+static int ndpi_search_ntp_again(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  ndpi_search_ntp_udp(ndpi_struct, flow);
+  return 1;
+}
+
+static void ndpi_set_extra_dissection(struct ndpi_flow_struct *flow)
+{
+    flow->max_extra_packets_to_check = 1;
+    flow->extra_packets_func = ndpi_search_ntp_again;
+}
+
 static void ndpi_int_ntp_add_connection(struct ndpi_detection_module_struct
 					*ndpi_struct, struct ndpi_flow_struct *flow)
 {
   ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NTP, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
 }
 
-static void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+static void get_ntp_info(struct ndpi_flow_struct *flow, struct ndpi_packet_struct *packet, uint8_t stage)
 {
-  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
-  
-  NDPI_LOG_DBG(ndpi_struct, "search NTP\n");
-
-  if (packet->udp->dest == htons(123) || packet->udp->source == htons(123)) {
-  
-    NDPI_LOG_DBG2(ndpi_struct, "NTP port and length detected\n");
-    uint8_t version = (packet->payload[0] & 56) >> 3;
-
-    if (version <= 4) {
-      flow->protos.ntp.version = version;
-      flow->protos.ntp.mode = packet->payload[0] & 7;
-      flow->protos.ntp.leap_indicator = (packet->payload[0] & 192) >> 6;
-
-      if (packet->payload_packet_len >= 48) {
-        u_int32_t tmp = 0;
-        flow->protos.ntp.stratum = packet->payload[1];
-        flow->protos.ntp.ppol = (int8_t)packet->payload[2];
-        flow->protos.ntp.precision = (int8_t)packet->payload[3];
-
-        // https://github.com/wireshark/wireshark/blob/c383ce5173cb15463259ca862cd5b469c2a3aab8/epan/dissectors/packet-ntp.c#L1574
-        tmp = ntohl(get_u_int32_t(packet->payload, 4));
-        flow->protos.ntp.root_delay = (tmp >> 16) + (tmp & 0xffff) / 65536.0;
-        tmp = ntohl(get_u_int32_t(packet->payload, 8));
-        flow->protos.ntp.root_dispersion = (tmp >> 16) + (tmp & 0xffff) / 65536.0;
-
-        if (flow->protos.ntp.stratum == 0 || flow->protos.ntp.stratum == 1) {
-          ndpi_snprintf(flow->protos.ntp.ref_id, sizeof(flow->protos.ntp.ref_id), "%c%c%c%c", packet->payload[12],
+  u_int32_t tmp = 0;
+  flow->protos.ntp[stage].ppol = (int8_t)packet->payload[2];
+  flow->protos.ntp[stage].precision = (int8_t)packet->payload[3];
+
+  // https://github.com/wireshark/wireshark/blob/c383ce5173cb15463259ca862cd5b469c2a3aab8/epan/dissectors/packet-ntp.c#L1574
+  tmp = ntohl(get_u_int32_t(packet->payload, 4));
+  flow->protos.ntp[stage].root_delay = (tmp >> 16) + (tmp & 0xffff) / 65536.0;
+  tmp = ntohl(get_u_int32_t(packet->payload, 8));
+  flow->protos.ntp[stage].root_dispersion = (tmp >> 16) + (tmp & 0xffff) / 65536.0;
+
+  if (flow->protos.ntp[stage].stratum == 0 || flow->protos.ntp[stage].stratum == 1) {
+      ndpi_snprintf(flow->protos.ntp[stage].ref_id, sizeof(flow->protos.ntp[stage].ref_id), "%c%c%c%c", packet->payload[12],
                                                               packet->payload[13],
                                                               packet->payload[14],
                                                               packet->payload[15]);
-        } else {
-          if(packet->iph) {
-            tmp = get_u_int32_t(packet->payload, 12);
-            inet_ntop(AF_INET, &tmp, flow->protos.ntp.ref_id, sizeof(flow->protos.ntp.ref_id));
-          } else {
-            ndpi_snprintf(flow->protos.ntp.ref_id, sizeof(flow->protos.ntp.ref_id), "%c%c%c%c", packet->payload[12],
+  } else {
+    if(packet->iph) {
+      tmp = get_u_int32_t(packet->payload, 12);
+      inet_ntop(AF_INET, &tmp, flow->protos.ntp[stage].ref_id, sizeof(flow->protos.ntp[stage].ref_id));
+    } else {
+      ndpi_snprintf(flow->protos.ntp[stage].ref_id, sizeof(flow->protos.ntp[stage].ref_id), "%c:%c:%c:%c", packet->payload[12],
                                                               packet->payload[13],
                                                               packet->payload[14],
                                                               packet->payload[15]);
-          }
-        }
-        flow->protos.ntp.ref_time = get_u_int64_t(packet->payload, 16);
-        flow->protos.ntp.org_time = get_u_int64_t(packet->payload, 24);
-        flow->protos.ntp.rec_time = get_u_int64_t(packet->payload, 32);
-        flow->protos.ntp.trans_time = get_u_int64_t(packet->payload, 40);
       }
     }
+  flow->protos.ntp[stage].ref_time = get_u_int64_t(packet->payload, 16);
+  flow->protos.ntp[stage].org_time = get_u_int64_t(packet->payload, 24);
+  flow->protos.ntp[stage].rec_time = get_u_int64_t(packet->payload, 32);
+  flow->protos.ntp[stage].trans_time = get_u_int64_t(packet->payload, 40);
+}
 
-      NDPI_LOG_INFO(ndpi_struct, "found NTP\n");
-      ndpi_int_ntp_add_connection(ndpi_struct, flow);
-      return;
+static void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
+{
+  struct ndpi_packet_struct *packet = &ndpi_struct->packet;
+
+  NDPI_LOG_DBG(ndpi_struct, "search NTP\n");
+
+  if (packet->udp->dest != htons(123) && packet->udp->source != htons(123)) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
   }
 
-  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+  if (packet->payload_packet_len < 48) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  uint8_t version = (packet->payload[0] & 56) >> 3;
+
+  if (version == 2) {
+    flow->protos.ntp[flow->l4.udp.ntp_stage].version = version;
+    ndpi_int_ntp_add_connection(ndpi_struct, flow);
+    return;
+  }
+
+  if (version > 4) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  uint8_t mode = packet->payload[0] & 7;
+  uint8_t stratum = packet->payload[1];
+
+  if (stratum > 16) {
+    NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
+    return;
+  }
+
+  flow->protos.ntp[flow->l4.udp.ntp_stage].version = version;
+  flow->protos.ntp[flow->l4.udp.ntp_stage].mode = mode;
+  flow->protos.ntp[flow->l4.udp.ntp_stage].leap_indicator = (packet->payload[0] & 192) >> 6;
+  flow->protos.ntp[flow->l4.udp.ntp_stage].stratum = stratum;
+
+  get_ntp_info(flow, packet, flow->l4.udp.ntp_stage);
+  flow->l4.udp.ntp_stage = 1;
+  NDPI_LOG_INFO(ndpi_struct, "found NTP\n");
+  ndpi_set_extra_dissection(flow);
+  ndpi_int_ntp_add_connection(ndpi_struct, flow);
+  return;
 }
 
 
@@ -103,4 +143,3 @@ void init_ntp_dissector(struct ndpi_detection_module_struct *ndpi_struct)
                      NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_UDP_WITH_PAYLOAD,
                      1, NDPI_PROTOCOL_NTP);
 }
-

tests/cfgs/default/result/android.pcap.out

@@ -1,7 +1,7 @@
 Guessed flow protos:	3
 
 DPI Packets (TCP):	147	(5.25 pkts/flow)
-DPI Packets (UDP):	52	(1.68 pkts/flow)
+DPI Packets (UDP):	53	(1.71 pkts/flow)
 DPI Packets (other):	4	(1.00 pkts/flow)
 Confidence Match by port    : 2 (flows)
 Confidence DPI              : 60 (flows)
@@ -105,7 +105,7 @@ JA Host Stats:
 	36	UDP 192.168.2.16:7660 <-> 192.168.2.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/84 bytes <-> 1 pkts/100 bytes][Goodput ratio: 49/57][0.04 sec][Hostname/SNI: datasaver.googleapis.com][172.217.21.202][DNS Id: 0xfda8][PLAIN TEXT (datasaver)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	37	UDP 192.168.2.16:18379 <-> 192.168.2.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/84 bytes <-> 1 pkts/100 bytes][Goodput ratio: 49/57][0.00 sec][Hostname/SNI: datasaver.googleapis.com][172.217.21.202][DNS Id: 0x3c64][PLAIN TEXT (datasaver)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	38	UDP 192.168.2.16:39760 <-> 192.168.2.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/82 bytes <-> 1 pkts/98 bytes][Goodput ratio: 48/57][0.04 sec][Hostname/SNI: android.googleapis.com][172.217.22.10][DNS Id: 0xb8a5][PLAIN TEXT (android)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
-	39	UDP 192.168.2.16:45863 <-> 216.239.35.8:123 [proto: 9/NTP][Stack: NTP][IP: 126/Google][ClearText][Confidence: DPI][FPC: 9/NTP, Confidence: DPI][DPI packets: 1][cat: System/18][Breed: Acceptable][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 53/53][0.04 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
+	39	UDP 192.168.2.16:45863 <-> 216.239.35.8:123 [proto: 9/NTP][Stack: NTP][IP: 126/Google][ClearText][Confidence: DPI][FPC: 9/NTP, Confidence: DPI][DPI packets: 2][cat: System/18][Breed: Acceptable][1 pkts/90 bytes <-> 1 pkts/90 bytes][Goodput ratio: 53/53][0.04 sec][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	40	ICMPV6 [::]:0 -> [ff02::16]:0 [proto: 102/ICMPV6][Stack: ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 102/ICMPV6, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][2 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][0.22 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	41	ICMPV6 [fe80::4e6a:f6ff:fe9f:f627]:0 -> [ff02::16]:0 [proto: 102/ICMPV6][Stack: ICMPV6][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 102/ICMPV6, Confidence: DPI][DPI packets: 1][cat: Network/14][Breed: Acceptable][2 pkts/180 bytes -> 0 pkts/0 bytes][Goodput ratio: 22/0][0.09 sec][Plen Bins: 100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]
 	42	UDP 192.168.2.16:10677 <-> 192.168.2.1:53 [proto: 5/DNS][Stack: DNS][IP: 0/Unknown][ClearText][Confidence: DPI][FPC: 5/DNS, Confidence: DPI][DPI packets: 2][cat: Network/14][Breed: Acceptable][1 pkts/79 bytes <-> 1 pkts/95 bytes][Goodput ratio: 46/55][0.00 sec][Hostname/SNI: proxy.googlezip.net][172.217.20.76][DNS Id: 0xd5f9][PLAIN TEXT (googlezip)][Plen Bins: 0,100,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]