Enhance NTP support, add protocol version identification; Add pcap examples for NTPv2, NTPv3, NTPv4; Fix bug with identification of NTP monlist packets as QUIC

1 files changed, 11 insertions, 2 deletions

diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c
index 8a2a8aa25..233317a57 100644
--- a/src/lib/protocols/ntp.c
+++ b/src/lib/protocols/ntp.c
@@ -46,14 +46,23 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc
 
 	NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP port detected\n");
 
-	if (packet->payload_packet_len != 48)
-		goto exclude_ntp;
+        // It's not correct because packets could be bigger
+	//if (packet->payload_packet_len != 48)
+	//	goto exclude_ntp;
 
 	NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP length detected\n");
 
 
 	if ((((packet->payload[0] & 0x38) >> 3) <= 4)) {
 		NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "detected NTP.");
+    
+                // 38 in binary representation is 00111000 
+                flow->protos.ntp.version = (packet->payload[0] & 0x38) >> 3;
+
+                if (flow->protos.ntp.version == 2) {
+                    flow->protos.ntp.request_code = packet->payload[3];
+                }
+ 
 		ndpi_int_ntp_add_connection(ndpi_struct, flow);
 		return;
 	}