[Zeek] R: [EXT]Re: Time value errors
Palumbo Mauro
mauro.palumbo at aizoon.it
Fri Dec 20 07:00:48 PST 2019
Hi Scot,
If you try:
tcpdump -i your_interface udp port 123 -vv
you’ll see that sometimes there are zero values in ref time, orig time, etc. I don’t think it’s an issue with the analyzer and the NTP protocol does not require all timestamps fields to have a non-zero value.
Mauro
From: zeek-bounces at zeek.org [mailto:zeek-bounces at zeek.org] On behalf of Scot Harris
Sent: Thursday, 19 December 2019 14:21
To: Justin Azoff <justin at corelight.com>
Cc: zeek at zeek.org
Subject: Re: [Zeek] [EXT]Re: Time value errors
Bigger issue possibly. A lot of zero values.
I checked the date/time on both zeek boxes and they are set correctly.
CPURlj0fxNnhawrQk 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-19T06:59:59-0500
CPURlj0fxNnhawrQk 0.000000 0.000000 0.000000 1576756799.000161
Even the transmit date on some of the records are 1969.
CQ2SXD4XyRGPpQCu9e 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-19T07:00:02-0500
CLpVPg3841dexUbAu6 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500
CLpVPg3841dexUbAu6 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500
CxTT3e4BKVjQ9ogjng 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-19T07:00:00-0500
CGFPn54Ff0m4cIkr5e 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-19T07:00:04-0500
CXMvpj1SJy4aBwQ81i 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-19T07:00:04-0500
CQ2SXD4XyRGPpQCu9e 0.000000 0.000000 0.000000 1576756802.000145
CLpVPg3841dexUbAu6 0.000000 0.000000 0.000000 0.000000
CLpVPg3841dexUbAu6 0.000000 0.000000 0.000000 0.000000
CxTT3e4BKVjQ9ogjng 0.000000 0.000000 0.000000 1576756800.889992
CGFPn54Ff0m4cIkr5e 0.000000 0.000000 0.000000 1576756804.000129
CXMvpj1SJy4aBwQ81i 0.000000 0.000000 0.000000 1576756804.000076
Should those fields have zero values? That is why they are being displayed as start of epoch.
From: Justin Azoff [mailto:justin at corelight.com]
Sent: Wednesday, December 18, 2019 6:50 PM
To: Scot Harris <SHARRIS at hollywoodfl.org>
Cc: zeek at zeek.org
Subject: [EXT]Re: [Zeek] Time value errors
If you run that without the -d option, what does the line containing negative times look like?
There should be 4 times at the end of each record: ref_time org_time rec_time xmt_time, knowing which one(s) have the out of range value would help. Something like
cat ntp.log | zeek-cut uid ref_time org_time rec_time xmt_time | fgrep -- -
may help see them better.
On Wed, Dec 18, 2019 at 6:08 PM Scot Harris <SHARRIS at hollywoodfl.org> wrote:
>
> Noted what appear to be errors in the ntp.log file.
>
> Using following command:
>
> cat ntp.log | zeek-cut -d | less
>
> af_packet::eno1 2019-12-18T17:44:39-0500 C7MULpTngYof10ymf 10.1.45.35 123 10.1.5.60 123 2 3 4 64.000000 0.000004 0.070786 0.113083 10.1.5.60 2019-12-18T17:43:35-0500 2019-12-18T17:43:35-0500 2019-12-18T17:43:35-0500 2019-12-18T17:44:39-0500 0
> af_packet::eno1 2019-12-18T17:44:39-0500 C7MULpTngYof10ymf 10.1.45.35 123 10.1.5.60 123 3 4 3 64.000000 0.015625 0.069839 0.077545 23.239.26.89 2019-:zeek-cut: time value out-of-range: -586465861.545972
> zeek-cut: time value out-of-range: -586465861.545972
> 12-18T17:42:18-0500 2019-12-18T17:44:39-0500 2019-12-18T17:44:39-0500 2019-12-18T17:44:39-0500 0
> af_packet::eno1 2019-12-18T17:44:39-0500 C5GF2T1ozzCZptCbjf 10.1.204.212 123 10.1.5.180 123 3 3 15 64.000000 0.007812 0.000000 2.009995 0.0.0.0 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-18T17:44:46-0500 0
> af_packet::eno1 2019-12-18T17:44:40-0500 CxaJ6KeJfxVcN8Fw2 10.1.201.150 123 10.1.5.180 123 3 3 15 64.000000 0.007812 0.000000 2.009995 0.0.0.0 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-18T17:44:48-0500 0
> af_packet::eno1 2019-12-18T17:44:40-0500 C8dZCI37SuYRZB9L7g 10.1.13.61 123 10.1.5.60 123 3 3 4 64.000000 0.007812 0.069839 0.402298 60.5.1.10 2019-12-18T17:43:37-0500 2019-12-18T17:43:36-0500 2019-12-18T17:43:37-0500 2019-12-18T17:44:41-0500 0
> af_packet::eno1 2019-12-18T17:44:41-0500 CBz4Ww4jjCjKgHYfwc 10.1.221.30 123 10.1.5.180 123 3 3 15 64.000000 0.007812 0.000000 2.009995 0.0.0.0 1969-12-31T19:zeek-cut: time value out-of-range: -1114760693.379112
> zeek-cut: time value out-of-range: -1114760693.379112
> zeek-cut: time value out-of-range: -1115340513.842638
> :00:00-0500 1969-12-31T19:00:00-0500 1969-12-31T19:00:00-0500 2019-12-18T17:44:44-0500 0
> af_packet::eno1 2019-12-18T17:44:40-0500 C4akh61szBCsYCPJn6 10.1.223.28 123 10.1.5.180 123 3 3 15 64.000000 0.007812 0.000000 2.009995 0.0.0.0 1969-12-31T19:
>
> Have not noticed these errors previously.
>
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin
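As an added example (not code from this thread or from the Zeek project), the check Justin suggests above, `zeek-cut uid ref_time org_time rec_time xmt_time | fgrep -- -`, done in Python over an ntp.log excerpt, and extended to separate the two cases the thread runs into: NTP timestamp fields that are all-zero, which `zeek-cut -d` renders as the start of the Unix epoch (1969-12-31T19:00:00-0500 in US Eastern is epoch second 0), and fields holding a negative value, which `zeek-cut -d` rejects with "time value out-of-range". The log lines below are constructed for this example; the uids and addresses are invented, not taken from a real capture, and only the column names follow Zeek's ntp.log header.

```python
"""Scan a Zeek ntp.log for zero, negative or unset NTP timestamp fields.

Added example, not code from the thread or the Zeek project. The sample log
is constructed; uids and addresses are invented.
"""

import io
from typing import Dict, List, Optional, Tuple

TIME_FIELDS = ("ref_time", "org_time", "rec_time", "xmt_time")

# Constructed ntp.log excerpt in Zeek's tab-separated format. The unset
# marker is "-", as declared by the #unset_field header line.
SAMPLE_NTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tntp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\t"
    "version\tmode\tstratum\tpoll\tprecision\troot_delay\troot_disp\t"
    "ref_id\tref_time\torg_time\trec_time\txmt_time\tnum_exts\n"
    # mode 3 client request: only xmt_time is set, the other three are zero
    "1576756799.000000\tCabc1\t192.0.2.10\t123\t192.0.2.1\t123\t3\t3\t15\t"
    "64.000000\t0.007812\t0.000000\t2.009995\t0.0.0.0\t"
    "0.000000\t0.000000\t0.000000\t1576756799.000161\t0\n"
    # mode 4 server reply: all four timestamps populated
    "1576756799.010000\tCabc2\t192.0.2.10\t123\t192.0.2.1\t123\t3\t4\t3\t"
    "64.000000\t0.015625\t0.069839\t0.077545\t203.0.113.5\t"
    "1576756735.000000\t1576756799.000161\t1576756799.005000\t1576756799.006000\t0\n"
    # reply carrying a negative ref_time: the kind of value zeek-cut -d rejects
    "1576756800.000000\tCabc3\t192.0.2.11\t123\t192.0.2.1\t123\t3\t4\t3\t"
    "64.000000\t0.015625\t0.069839\t0.077545\t203.0.113.5\t"
    "-586465861.545972\t1576756800.000000\t1576756800.001000\t1576756800.002000\t0\n"
    # request whose xmt_time is unset ("-") rather than zero
    "1576756801.000000\tCabc4\t192.0.2.12\t123\t192.0.2.1\t123\t3\t3\t15\t"
    "64.000000\t0.007812\t0.000000\t2.009995\t0.0.0.0\t"
    "0.000000\t0.000000\t0.000000\t-\t0\n"
)


def parse_zeek_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a Zeek TSV log into dicts keyed by the #fields header.

    Unset values (the #unset_field marker, "-" by default) become None so
    they are not confused with a literal zero timestamp.
    """
    fields: List[str] = []
    unset = "-"
    records: List[Dict[str, Optional[str]]] = []
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if line.startswith("#unset_field\t"):
            unset = line.split("\t", 1)[1]
        elif line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"field count mismatch: {line!r}")
            records.append({k: (None if v == unset else v)
                            for k, v in zip(fields, values)})
    return records


def classify_time(value: Optional[str]) -> str:
    """'unset' for the unset marker, 'zero' for 0.0, 'negative' for < 0, else 'ok'."""
    if value is None:
        return "unset"
    t = float(value)
    if t == 0.0:
        return "zero"
    if t < 0:
        return "negative"
    return "ok"


def find_suspect_times(text: str) -> Dict[str, List[Tuple[str, Optional[str], str]]]:
    """Return {uid: [(field, raw_value, kind), ...]} for every record in
    which at least one of the four NTP timestamp fields is not 'ok'."""
    out: Dict[str, List[Tuple[str, Optional[str], str]]] = {}
    for rec in parse_zeek_log(text):
        hits = [(f, rec[f], classify_time(rec[f])) for f in TIME_FIELDS
                if classify_time(rec[f]) != "ok"]
        if hits:
            out[str(rec["uid"])] = hits
    return out


def negative_uids(text: str) -> List[str]:
    """Only the records zeek-cut -d would refuse to render: negative times."""
    return sorted(uid for uid, hits in find_suspect_times(text).items()
                  if any(kind == "negative" for _, _, kind in hits))


if __name__ == "__main__":
    # Same role as the fgrep pipeline, but says which field and why.
    for uid, hits in find_suspect_times(SAMPLE_NTP_LOG).items():
        print(uid, ", ".join(f"{f}={v} ({k})" for f, v, k in hits))
```

Run it against a real ntp.log by replacing `SAMPLE_NTP_LOG` with the file contents. Records that only show up under `zero` are the case Mauro describes (a mode 3 request normally carries only a transmit timestamp); records listed by `negative_uids` are the ones behind the `zeek-cut -d` errors, and the field name tells you which of the four timestamps to look at in the packet capture.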