16.3.13. NTP

NTP transaction details are exposed to Lua scripts with the suricata.ntp library, for example:

local ntp = require("suricata.ntp")

16.3.13.1. Setup

If your purpose is to create a logging script, initialize the buffer as:

function init (args)
   local needs = {}
   needs["protocol"] = "ntp"
   return needs
end

16.3.13.2. Transaction

NTP is transaction based, and the current transaction must be obtained before use:

local tx, err = ntp.get_tx()
if tx == nil then
    print(err)
end

All other functions are methods on the transaction table.

16.3.13.3. Transaction Methods

16.3.13.3.1. `version()`

Get the NTP version as an integer.

16.3.13.3.2. `mode()`

Get the NTP mode as an integer.

16.3.13.3.3. `stratum()`

Get the NTP stratum as an integer.

16.3.13.3.4. `reference_id()`

Get the NTP reference ID as a raw 4-byte binary string.

Example:

local tx, err = ntp.get_tx()
local ref_id = tx:reference_id()
if ref_id == "\x4c\x4f\x43\x4c" then
  -- ref_id matches "LOCL"
end

-- If looking for a specific printable string, this is also valid
if ref_id == "LOCL" then
  ...
end

16.3.13. NTP

16.3.13.1. Setup

16.3.13.2. Transaction

16.3.13.3. Transaction Methods

16.3.13.3.1. version()

16.3.13.3.2. mode()

16.3.13.3.3. stratum()

16.3.13.3.4. reference_id()

16.3.13.3.1. `version()`

16.3.13.3.2. `mode()`

16.3.13.3.3. `stratum()`

16.3.13.3.4. `reference_id()`