NTP epoch versus Posix epoch
Summary
Wireshark incorrectly decodes the NTP timestamp 0x00000000 (seconds). (Fractional seconds are don't care.)
Steps to reproduce
The samplentp.pcap file contains 7 NTP Reference Timestamps that are decoded as follows:
NTP time stamp (seconds)   Wireshark display
0xfffffffd                 Feb 7, 2036 06:28:13.000000000 UTC
0xfffffffe                 Feb 7, 2036 06:28:14.000000000 UTC
0xffffffff                 Feb 7, 2036 06:28:15.000000000 UTC
0x00000000                 Jan 1, 1970 00:00:00.000000000 UTC   <-- Wrong
0x00000001                 Feb 7, 2036 06:28:17.000000000 UTC
0x00000002                 Feb 7, 2036 06:28:18.000000000 UTC
0x00000003                 Feb 7, 2036 06:28:19.000000000 UTC
The capture file was artificially created to illustrate the problem.
What is the current bug behavior?
Current bug behavior shown above
What is the expected correct behavior?
0x00000000 should decode as Feb 7, 2036 06:28:16.000000000 UTC
The problem is in packet-ntp.c, ntp_to_nstime().
The conditional is inappropriate.
nstime->secs = (time_t)(tempstmp - NTP_BASETIME);
suffices.
A more thorough fix would introduce a pivot date preference, but that can probably wait.
Discussion may be appropriate. Fixing the problem as described above would likely be visible to Wireshark users who decode NTP packets.
Sample capture file
Attached.
Build information
Same behavior exists for at least the last 8 years. I didn't check earlier.
Edited by Alexis La Goutte
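The decoding difference described in the report, as an added example that is not part of the report and not copied from Wireshark's packet-ntp.c. The function names are hypothetical, and the special-cased variant is reconstructed from the table above as an assumption about what the conditional does.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Seconds from the NTP epoch (1900-01-01) to the POSIX epoch (1970-01-01). */
#define NTP_BASETIME 2208988800U

/* Reported behaviour, reconstructed from the table in the report (assumption,
 * not copied from packet-ntp.c): a zero seconds field bypasses the offset. */
static int64_t ntp_secs_special_cased(uint32_t ntp_secs)
{
    if (ntp_secs)
        return (int64_t)(uint32_t)(ntp_secs - NTP_BASETIME);
    return 0; /* decodes as Jan 1, 1970 */
}

/* Proposed behaviour: always subtract in unsigned 32-bit arithmetic. Values
 * below NTP_BASETIME wrap modulo 2^32 and land after the 2036 rollover. */
static int64_t ntp_secs_unconditional(uint32_t ntp_secs)
{
    return (int64_t)(uint32_t)(ntp_secs - NTP_BASETIME);
}

/* Format POSIX seconds as a UTC string in buf; returns buf. */
static const char *fmt_utc(int64_t secs, char *buf, size_t len)
{
    time_t t = (time_t)secs;
    strftime(buf, len, "%Y-%m-%d %H:%M:%S", gmtime(&t));
    return buf;
}

int main(void)
{
    /* Constructed samples: the seven values from the report's table. */
    const uint32_t samples[] = { 0xfffffffdU, 0xfffffffeU, 0xffffffffU,
                                 0x00000000U, 0x00000001U, 0x00000002U,
                                 0x00000003U };
    char a[32], b[32];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("0x%08x  special-cased: %s  unconditional: %s\n",
               (unsigned)samples[i],
               fmt_utc(ntp_secs_special_cased(samples[i]), a, sizeof a),
               fmt_utc(ntp_secs_unconditional(samples[i]), b, sizeof b));
    return 0;
}
```

With the unconditional subtraction, the only NTP seconds value that maps to POSIX time 0 is NTP_BASETIME itself, so the seven samples decode as a contiguous run of seconds across the rollover.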