Wireshark: Discover NTP Traffic

NTP, the Network Time Protocol, lets your local machine query a remote time server and set its clock correctly. Users often do not realize that their machine is making these remote connections on its own. NTP runs as a system service, so on a CentOS machine it shows up in the Services window alongside the other daemons.



The goal of this project is to capture those frames as they cross the network.

The setup is easy: open Wireshark (formerly named Ethereal) as root, choose Capture, and select the interface you will capture on; in this example it is eth0. Running the whole GUI as root is the quick way to get capture rights, but the Wireshark documentation recommends giving only the dumpcap capture helper elevated privileges and running the GUI as a normal user, since the dissectors parse untrusted data. A capture filter of udp port 123, or the display filter ntp applied afterwards, isolates the time exchange from everything else on the wire.


Notice that the packets in this capture are UDP and ARP rather than the TCP you would see with web browsing, for example. The ARP frames appear because the host must resolve the MAC address of its gateway before it can send the UDP packets.



The example shows the local computer as the source and the NTP server as the destination. The protocol column lists the Domain Name query (carried over UDP) first, because the NTP server is configured by hostname and must be resolved to an IP address, and then NTP for the time check itself, which is also carried over UDP.





Here is some additional information explaining what you see, layer by layer from the outside in.

Frame 6 - the specific frame that is viewed below, identified by its number in the capture

Ethernet II - shows the vendor prefix and MAC address of the originating network card as well as the vendor prefix and MAC address of the destination (the gateway or the server's) network card

Internet Protocol - provides the source IP address and destination IP address

User Datagram Protocol - the transport layer, with source and destination ports; in this frame its payload is a Domain Name System query

Now note that the first window is a domain name query finding the NTP server and the second is an NTP time check, sent once the server's address was known.


Each frame, think of it like an envelope in a mail system, carries data and has a limited size. Here you can see the frame is 90 bytes: 14 bytes of Ethernet header, 20 bytes of IP header, 8 bytes of UDP header and the 48-byte NTP message. A message larger than one frame can carry is split across several frames that the receiver must put back together, but a standard NTP request fits in a single frame.



Here the Ethernet II header is listed, and its Type field is IP (0x0800), which tells the receiver that the payload is an IPv4 packet.



This next window shows the UDP header, with destination port 123, the port NTP listens on; the NTP message follows it.


Below you see the actual NTP fields, including the timestamps that the local machine uses to update its clock.
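As an added example that is not part of the original page, the following Python script builds a constructed 90-byte NTP client frame with the same four layers the capture shows and then dissects it the way Wireshark does: Ethernet II (14 bytes, EtherType 0x0800), IPv4 (20 bytes), UDP (8 bytes, port 123) and the 48-byte NTP message, converting the transmit timestamp from the NTP epoch of 1900 to Unix time. The MAC and IP addresses, timestamp and helper names are assumptions chosen for illustration; the parser itself works on any raw Ethernet frame bytes, so you can feed it bytes copied out of Wireshark's packet bytes pane to see the same breakdown.

```python
import ipaddress
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
ETHERTYPE_IPV4 = 0x0800        # the "IP Type (0x0800)" value shown in the Ethernet II header
IPPROTO_UDP = 17
NTP_PORT = 123
NTP_MODES = {1: "symmetric active", 2: "symmetric passive", 3: "client",
             4: "server", 5: "broadcast", 6: "control", 7: "private"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_ntp_client_frame(src_mac, dst_mac, src_ip, dst_ip, xmit_unix, xmit_frac=0):
    """Build a constructed (not captured) 90-byte Ethernet II / IPv4 / UDP / NTPv4 client request.

    Layout: 14-byte Ethernet header + 20-byte IPv4 header + 8-byte UDP header + 48-byte NTP message.
    """
    # NTP header: LI=0, VN=4, Mode=3 (client) -> 0x23, then stratum, poll, precision,
    # root delay, root dispersion and reference ID (all zero in a plain client request).
    ntp = struct.pack("!BBbbIII", 0x23, 0, 6, -20, 0, 0, 0)
    ntp += b"\x00" * 24  # reference, origin and receive timestamps are zero in a client request
    # Transmit timestamp is 32.32 fixed point seconds since 1900.
    ntp += struct.pack("!II", xmit_unix + NTP_EPOCH_OFFSET, xmit_frac)
    udp = struct.pack("!HHHH", NTP_PORT, NTP_PORT, 8 + len(ntp), 0) + ntp  # UDP checksum 0 = omitted
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                     IPPROTO_UDP, 0, ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in the header checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + udp


def parse_ntp_frame(frame: bytes) -> dict:
    """Decode the layers Wireshark lists for an NTP frame: Ethernet II, IPv4, UDP, NTP.

    Rejects truncated frames, non-IPv4 / non-UDP frames, bad IPv4 checksums and
    non-NTP ports instead of guessing, the way a dissector should.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet II header")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("EtherType 0x%04x is not IPv4" % ethertype)

    ihl = (frame[14] & 0x0F) * 4  # header length in bytes, from the low nibble of the first byte
    if ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("truncated or malformed IPv4 header")
    ip_hdr = frame[14:14 + ihl]
    (_, _, total_len, _, _, ttl, proto, _, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_UDP:
        raise ValueError("IP protocol %d is not UDP" % proto)

    udp_off = 14 + ihl
    if len(frame) < udp_off + 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if NTP_PORT not in (sport, dport):
        raise ValueError("ports %d -> %d are not NTP" % (sport, dport))
    payload = frame[udp_off + 8:udp_off + udp_len]
    if len(payload) < 48:
        raise ValueError("NTP message shorter than 48 bytes (got %d)" % len(payload))

    li_vn_mode, stratum, poll, precision = struct.unpack("!BBbb", payload[0:4])
    xmit_sec, xmit_frac = struct.unpack("!II", payload[40:48])
    return {
        "frame_len": len(frame),
        "layers": {"ethernet": 14, "ipv4": ihl, "udp": 8, "ntp": len(payload)},
        "eth": {"src": mac_str(src_mac), "dst": mac_str(dst_mac), "type": ethertype},
        "ip": {"src": str(ipaddress.IPv4Address(src_ip)), "dst": str(ipaddress.IPv4Address(dst_ip)),
               "ttl": ttl, "total_len": total_len},
        "udp": {"sport": sport, "dport": dport, "len": udp_len},
        "ntp": {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 0x7,
                "mode": NTP_MODES.get(li_vn_mode & 0x7, "reserved"),
                "stratum": stratum, "poll": poll, "precision": precision,
                # NTP 1900-based timestamp converted to Unix time (Wireshark's "Transmit Timestamp")
                "transmit_unix": xmit_sec - NTP_EPOCH_OFFSET + xmit_frac / 2 ** 32},
    }


if __name__ == "__main__":
    # Constructed sample: a client on 192.168.1.10 asking 192.168.1.1 for the time (assumed addresses).
    frame = build_ntp_client_frame("00:0c:29:aa:bb:cc", "00:50:56:dd:ee:ff",
                                   "192.168.1.10", "192.168.1.1", 1700000000, 0x80000000)
    for layer, fields in parse_ntp_frame(frame).items():
        print(layer, fields)
```

The layer sizes returned under "layers" add up to the 90 bytes seen in the capture, and the parser refuses a frame whose IPv4 checksum is wrong or whose UDP payload is shorter than the 48-byte NTP minimum rather than reading past the end of the data.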