Apply requested changes:

- file dpd.sig and TODO comments for signature protocol detection removed - missing doc field filled in events.bif - rename OpCode and ReqCode fields into op_code and req_code respectively - removed unnecessary child method in NTP.h/.cc - main.zeek and ntp-protocol.pac reformatted
2025-10-06 16:48:19 +00:00 · 2019-06-14 12:30:29 +02:00 · 2019-06-14 12:30:29 +02:00 · 32663cec04
commit 32663cec04
parent b130cc7931
8 changed files with 229 additions and 248 deletions
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@ -4995,7 +4995,7 @@ export {
 	## 6 set trap address/port command/response
 	## 7 trap response
 	## Other values are reserved.
-        OpCode     	: count;
+        op_code     	: count;
 	## The response bit. Set to zero for commands, one for responses.
        resp_bit        : bool;
        ## The error bit. Set to zero for normal response, one for error response.
@ -5029,7 +5029,7 @@ export {
        ## An implementation-specific code which specifies the
 	## operation to be (which has been) performed and/or the
 	## format and semantics of the data included in the packet.
-        ReqCode		: count;
+        req_code		: count;
        ## The authenticated bit. If set, this packet is authenticated.
        auth_bit        : bool;
        ## For a multipacket response, contains the sequence
--- a/scripts/base/protocols/ntp/load.zeek
+++ b/scripts/base/protocols/ntp/load.zeek
@ -1,2 +1 @@
@load ./main
 #@load-sigs ./dpd.sig
--- a/scripts/base/protocols/ntp/dpd.sig
+++ b/scripts/base/protocols/ntp/dpd.sig
@ -1,12 +0,0 @@
 signature dpd_ntp {
 	ip-proto == udp
 	# ## TODO: Define the payload. When Bro sees this regex, on
 	# ## any port, it will enable your analyzer on that
 	# ## connection.
 	# ## payload /^NTP/
 	enable "ntp"
 }
--- a/scripts/base/protocols/ntp/main.zeek
+++ b/scripts/base/protocols/ntp/main.zeek
@ -1,138 +1,137 @@
 module NTP;
 # TODO: The recommended method to do dynamic protocol detection
 # (DPD) is with the signatures in dpd.sig. 
 # For the time being, we use port detection. 
 const ports = { 123/udp };
 redef likely_server_ports += { ports };
 export {
-        redef enum Log::ID += { LOG };
+	redef enum Log::ID += { LOG };
-        type Info: record {
+	type Info: record {
-                ## Timestamp for when the event happened.
+		## Timestamp for when the event happened.
-                ts:     	time    &log;
+		ts:		time	&log;
-                ## Unique ID for the connection.
+		## Unique ID for the connection.
-                uid:    	string  &log;
+		uid:		string  &log;
-                ## The connection's 4-tuple of endpoint addresses/ports.
+		## The connection's 4-tuple of endpoint addresses/ports.
-                id:     	conn_id &log;
+		id:		conn_id &log;
 		## The NTP version number (1, 2, 3, 4)
-        	version:	count &log;
+		version:	count &log;
-        	## The NTP mode being used
+		## The NTP mode being used
-                mode:		count &log;
+		mode:		count &log;
-        	## The stratum (primary server, secondary server, etc.)
+		## The stratum (primary server, secondary server, etc.)
-        	stratum:	count &log;
+		stratum:	count &log;
-        	## The maximum interval between successive messages
+		## The maximum interval between successive messages
-        	poll:		interval &log;
+		poll:		interval &log;
-        	## The precision of the system clock
+		## The precision of the system clock
-        	precision:	interval &log;
+		precision:	interval &log;
-        	## Total round-trip delay to the reference clock
+		## Total round-trip delay to the reference clock
-        	root_delay:	interval &log;
+		root_delay:	interval &log;
-        	## Total dispersion to the reference clock
+		## Total dispersion to the reference clock
-        	root_disp:	interval &log;
+		root_disp:	interval &log;
-        	## For stratum 0, 4 character string used for debugging
+		## For stratum 0, 4 character string used for debugging
-        	kiss_code:	string &optional &log;
+		kiss_code:	string &optional &log;
-        	## For stratum 1, ID assigned to the reference clock by IANA
+		## For stratum 1, ID assigned to the reference clock by IANA
-        	ref_id:         string &optional &log;
+		ref_id:		string &optional &log;
-        	## Above stratum 1, when using IPv4, the IP address of the reference clock
+		## Above stratum 1, when using IPv4, the IP address of the reference clock
-        	ref_addr:	addr &optional &log;
+		ref_addr:	addr &optional &log;
-        	## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
+		## Above stratum 1, when using IPv6, the first four bytes of the MD5 hash of the
-        	## IPv6 address of the reference clock
+		## IPv6 address of the reference clock
-        	ref_v6_hash_prefix: string &optional &log;
+		ref_v6_hash_prefix: string &optional &log;
-        	## Time when the system clock was last set or correct
+		## Time when the system clock was last set or correct
-        	ref_time:	time &log;
+		ref_time:	time &log;
-        	## Time at the client when the request departed for the NTP server
+		## Time at the client when the request departed for the NTP server
-        	org_time:	time &log;
+		org_time:	time &log;
-        	## Time at the server when the request arrived from the NTP client
+		## Time at the server when the request arrived from the NTP client
-        	rec_time:	time &log;
+		rec_time:	time &log;
-        	## Time at the server when the response departed for the NTP client
+		## Time at the server when the response departed for the NTP client
-        	xmt_time:	time &log;
+		xmt_time:	time &log;
-        	## Key used to designate a secret MD5 key
+		## Key used to designate a secret MD5 key
-        	key_id:		count &optional &log;
+		key_id:		count &optional &log;
-        	## MD5 hash computed over the key followed by the NTP packet header and extension fields
+		## MD5 hash computed over the key followed by the NTP packet header and extension fields
-        	digest:		string &optional &log;
+		digest:		string &optional &log;
-        	## Number of extension fields  (which are not currently parsed)
+		## Number of extension fields  (which are not currently parsed)
-        	num_exts:	count &default=0 &log;
+		num_exts:	count &default=0 &log;
-        	## An integer specifying the command function. Values currently defined includes:
+		## An integer specifying the command function. Values currently defined includes:
-        	## 1 read status command/response
+		## 1 read status command/response
-        	## 2 read variables command/response
+		## 2 read variables command/response
-        	## 3 write variables command/response
+		## 3 write variables command/response
-        	## 4 read clock variables command/response
+		## 4 read clock variables command/response
-        	## 5 write clock variables command/response
+		## 5 write clock variables command/response
-        	## 6 set trap address/port command/response
+		## 6 set trap address/port command/response
-        	## 7 trap response
+		## 7 trap response
-        	## Other values are reserved.
+		## Other values are reserved.
-        	OpCode          : count &log;
+		op_code	  : count &log;
-        	## The response bit. Set to zero for commands, one for responses.
+		## The response bit. Set to zero for commands, one for responses.
-        	resp_bit        : bool &log;
+		resp_bit	: bool &log;
-        	## The error bit. Set to zero for normal response, one for error response.
+		## The error bit. Set to zero for normal response, one for error response.
-		err_bit         : bool &log;
+		err_bit	 : bool &log;
-        	## The more bit. Set to zero for last fragment, one for all others.
+		## The more bit. Set to zero for last fragment, one for all others.
-	        more_bit        : bool &log;
+		more_bit	: bool &log;
-        	## The sequence number of the command or response
+		## The sequence number of the command or response
-	        sequence        : count &log;
+		sequence	: count &log;
-        	## The current status of the system, peer or clock
+		## The current status of the system, peer or clock
-	        status          : count &log;    
+		status	  : count &log;
-        	## A 16-bit integer identifying a valid association
+		## A 16-bit integer identifying a valid association
-	        association_id  : count &log;
+		association_id  : count &log;
-	        ## This is an integer identifying the cryptographic
+		## This is an integer identifying the cryptographic
-	        ## key used to generate the message-authentication code
+		## key used to generate the message-authentication code
-        	ctrl_key_id          : count &optional &log;
+		ctrl_key_id	  : count &optional &log;
-        	## This is a crypto-checksum computed by the encryption procedure
+		## This is a crypto-checksum computed by the encryption procedure
-        	crypto_checksum : string &optional &log;
+		crypto_checksum : string &optional &log;
 		## An implementation-specific code which specifies the
 		## operation to be (which has been) performed and/or the
 		## format and semantics of the data included in the packet.
-        	ReqCode         : count &log;
+		req_code	 : count &log;
-        	## The authenticated bit. If set, this packet is authenticated.
+		## The authenticated bit. If set, this packet is authenticated.
-        	auth_bit        : bool &log;
+		auth_bit	: bool &log;
-        	## For a multipacket response, contains the sequence
+		## For a multipacket response, contains the sequence
-       		## number of this packet.  0 is the first in the sequence,
+		## number of this packet.  0 is the first in the sequence,
-        	## 127 (or less) is the last.  The More Bit must be set in
+		## 127 (or less) is the last.  The More Bit must be set in
-        	## all packets but the last.
+		## all packets but the last.
-        	sequence        : count &log;
+		sequence	: count &log;
-        	## The number of the implementation this request code
+		## The number of the implementation this request code
-        	## is defined by.  An implementation number of zero is used
+		## is defined by.  An implementation number of zero is used
-        	## for requst codes/data formats which all implementations
+		## for requst codes/data formats which all implementations
-        	## agree on.  Implementation number 255 is reserved (for
+		## agree on.  Implementation number 255 is reserved (for
-        	## extensions, in case we run out).
+		## extensions, in case we run out).
-        	implementation  : count &log;
+		implementation  : count &log;
-        	##  Must be 0 for a request.  For a response, holds an error
+		##  Must be 0 for a request.  For a response, holds an error
-        	##  code relating to the request.  If nonzero, the operation
+		##  code relating to the request.  If nonzero, the operation
-        	##  requested wasn't performed.
+		##  requested wasn't performed.
-        	##
+		##
-        	##               0 - no error
+		##	0 - no error
-        	##               1 - incompatible implementation number
+		##	1 - incompatible implementation number
-        	##               2 - unimplemented request code
+		##	2 - unimplemented request code
-        	##               3 - format error (wrong data items, data size, packet size etc.)
+		##	3 - format error (wrong data items, data size, packet size etc.)
-        	##               4 - no data available (e.g. request for details on unknown peer)
+		##	4 - no data available (e.g. request for details on unknown peer)
-        	##               5-6 I don't know
+		##	5-6 I don't know
-        	##               7 - authentication failure (i.e. permission denied)
+		##	7 - authentication failure (i.e. permission denied)
-        	err             : count &log;
+		err		: count &log;
 	};
-        ## Event that can be handled to access the NTP record as it is sent on
+	## Event that can be handled to access the NTP record as it is sent on
-        ## to the logging framework.
+	## to the logging framework.
-        global log_ntp: event(rec: Info);
+	global log_ntp: event(rec: Info);
 }
 redef record connection += {
-        ntp: Info &optional;
+	ntp: Info &optional;
 };
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
-{
+	{
 	local info: Info;
-	  info$ts  = network_time();
+	info$ts  = network_time();
-	  info$uid = c$uid;
+	info$uid = c$uid;
-	  info$id  = c$id;
+	info$id  = c$id;
-	  info$version = msg$version;
+	info$version = msg$version;
-          info$mode = msg$mode;
+	info$mode = msg$mode;
-	  if ( msg$mode < 6 ) { 
+	if ( msg$mode < 6 ) 
 		{ 
 		info$stratum = msg$std_msg$stratum;
 		info$poll =  msg$std_msg$poll;
 		info$precision =  msg$std_msg$precision;
@ -141,69 +140,70 @@ event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=5
 		if ( msg$std_msg?$kiss_code) 
 			info$kiss_code =  msg$std_msg$kiss_code;
-                if ( msg$std_msg?$ref_id)
+		if ( msg$std_msg?$ref_id)
-                        info$ref_id =  msg$std_msg$ref_id;
+			info$ref_id =  msg$std_msg$ref_id;
-                if ( msg$std_msg?$ref_addr)
+		if ( msg$std_msg?$ref_addr)
-                        info$ref_addr =  msg$std_msg$ref_addr;
+			info$ref_addr =  msg$std_msg$ref_addr;
-                if ( msg$std_msg?$ref_v6_hash_prefix)
+		if ( msg$std_msg?$ref_v6_hash_prefix)
-                        info$ref_v6_hash_prefix =  msg$std_msg$ref_v6_hash_prefix;
+			info$ref_v6_hash_prefix =  msg$std_msg$ref_v6_hash_prefix;
-                info$ref_time =  msg$std_msg$ref_time;
+		info$ref_time =  msg$std_msg$ref_time;
-                info$org_time =  msg$std_msg$org_time;
+		info$org_time =  msg$std_msg$org_time;
-                info$rec_time =  msg$std_msg$rec_time;
+		info$rec_time =  msg$std_msg$rec_time;
-                info$xmt_time =  msg$std_msg$xmt_time;
+		info$xmt_time =  msg$std_msg$xmt_time;
-                if ( msg$std_msg?$key_id)
+		if ( msg$std_msg?$key_id)
-                        info$key_id =  msg$std_msg$key_id;
+			info$key_id =  msg$std_msg$key_id;
-                if ( msg$std_msg?$digest)
+		if ( msg$std_msg?$digest)
-                        info$digest =  msg$std_msg$digest;
+			info$digest =  msg$std_msg$digest;
 		info$num_exts =  msg$std_msg$num_exts;
-	  }
+		}
-          if ( msg$mode==6 ) {
+	if ( msg$mode==6 ) 
-             info$OpCode = msg$control_msg$OpCode;
+		{
-             info$resp_bit = msg$control_msg$resp_bit;
+		info$op_code = msg$control_msg$op_code;
-             info$err_bit = msg$control_msg$err_bit;
+		info$resp_bit = msg$control_msg$resp_bit;
-             info$more_bit = msg$control_msg$more_bit;
+		info$err_bit = msg$control_msg$err_bit;
-             info$sequence = msg$control_msg$sequence;
+		info$more_bit = msg$control_msg$more_bit;
-             info$status = msg$control_msg$status;
+		info$sequence = msg$control_msg$sequence;
-             info$association_id = msg$control_msg$association_id;
+		info$status = msg$control_msg$status;
 		info$association_id = msg$control_msg$association_id;
-                if ( msg$control_msg?$key_id)
+		if ( msg$control_msg?$key_id)
-                        info$ctrl_key_id =  msg$control_msg$key_id;
+			info$ctrl_key_id =  msg$control_msg$key_id;
-                if ( msg$control_msg?$crypto_checksum)
+		if ( msg$control_msg?$crypto_checksum)
-                        info$crypto_checksum =  msg$control_msg$crypto_checksum;
+			info$crypto_checksum =  msg$control_msg$crypto_checksum;
 		}
-	  }
+	if ( msg$mode==7 ) 
 		{
 		info$req_code = msg$mode7_msg$req_code;
 		info$auth_bit = msg$mode7_msg$auth_bit;
 		info$sequence = msg$mode7_msg$sequence;
 		info$implementation = msg$mode7_msg$implementation;
 		info$err = msg$mode7_msg$err;
 		}
-          if ( msg$mode==7 ) {
+	# Copy the present packet info into the connection record
             info$ReqCode = msg$mode7_msg$ReqCode;
 	     info$auth_bit = msg$mode7_msg$auth_bit;
 	     info$sequence = msg$mode7_msg$sequence;
 	     info$implementation = msg$mode7_msg$implementation;
 	     info$err = msg$mode7_msg$err;
 	  }
        # Copy the present packet info into the connection record
 	# If more ntp packets are sent on the same connection, the newest one
 	# will overwrite the previous
 	c$ntp = info;
 	# Add the service to the Conn::LOG
 	add c$service["ntp"];
-}
+	}
 event ntp_message(c: connection, is_orig: bool, msg: NTP::Message) &priority=-5
-{
+	{
-        # Log every ntp packet into ntp.log
+	# Log every ntp packet into ntp.log
-        Log::write(NTP::LOG, c$ntp);
+	Log::write(NTP::LOG, c$ntp);
-}
+	}
 event zeek_init() &priority=5
-{
+	{
-    Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
+	Analyzer::register_for_ports(Analyzer::ANALYZER_NTP, ports);
-    Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
+	Log::create_stream(NTP::LOG, [$columns = Info, $ev = log_ntp]);
-}
+	}
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ b/src/analyzer/protocol/ntp/NTP.cc
@ -17,11 +17,6 @@ NTP_Analyzer::~NTP_Analyzer()
 	delete interp;
 	}
 void NTP_Analyzer::Done()
 	{
 	Analyzer::Done();
 	}
 void NTP_Analyzer::DeliverPacket(int len, const u_char* data,
 				    bool orig, uint64 seq, const IP_Hdr* ip, int caplen)
 	{
--- a/src/analyzer/protocol/ntp/NTP.h
+++ b/src/analyzer/protocol/ntp/NTP.h
@ -16,7 +16,6 @@ public:
 	~NTP_Analyzer() override;
 	// Overriden from Analyzer.
 	void Done() override;
 	void DeliverPacket(int len, const u_char* data, bool orig,
 					uint64 seq, const IP_Hdr* ip, int caplen) override;
--- a/src/analyzer/protocol/ntp/events.bif
+++ b/src/analyzer/protocol/ntp/events.bif
@ -6,7 +6,7 @@
 ##
 ## c: The connection record describing the corresponding UDP flow.
 ##
-## is_orig: 
+## is_orig: True if the message was sent by the originator.
 ##
 ## msg: The parsed NTP message.
 ##
--- a/src/analyzer/protocol/ntp/ntp-protocol.pac
+++ b/src/analyzer/protocol/ntp/ntp-protocol.pac
@ -3,52 +3,52 @@
 type NTP_PDU(is_orig: bool) = record {
 	# The first byte of the NTP header contains the leap indicator,
 	# the version and the mode
-	first_byte     	: uint8;
+	first_byte	: uint8;
-  	# Modes 1-5 are standard NTP time sync
+		# Modes 1-5 are standard NTP time sync
-  	standard_modes  : case (mode>=1 && mode<=5) of {
+	standard_modes	: case (mode>=1 && mode<=5) of {
-  		true  	-> std		: NTP_std_msg;
+		true	-> std		: NTP_std_msg;
-    		false 	-> emp		: empty;
+ 		false 	-> emp		: empty;
-  	};
+	};
-  	modes_6_7     	: case (mode) of {
+	modes_6_7	: case (mode) of {
 		# mode 6 is for control messages (format is different from modes 6-7)
-    		6 	-> control 	: NTP_control_msg;
+ 		6 	-> control 	: NTP_control_msg;
 		# mode 7 is reserved or private (and implementation dependent). For example used for some commands such as MONLIST 
-    		7 	-> mode7  	: NTP_mode7_msg;
+ 		7 	-> mode7	: NTP_mode7_msg;
-  		default -> unknown	: bytestring &restofdata;
+		default -> unknown	: bytestring &restofdata;
-  	};
+	};
 } &let {
-	leap	:	uint8  = (first_byte & 0xc0)>>6;   	# First 2 bits of 8-bits value
+	leap	:	uint8	= (first_byte & 0xc0)>>6;	# First 2 bits of 8-bits value
-	version	:	uint8  = (first_byte & 0x38)>>3; 	# Bits 3-5 of 8-bits value
+	version	:	uint8	= (first_byte & 0x38)>>3; 	# Bits 3-5 of 8-bits value
-	mode	:	uint8  = (first_byte & 0x07);  		# Bits 6-8 of 8-bits value
+	mode	:	uint8	= (first_byte & 0x07);		# Bits 6-8 of 8-bits value
 } &byteorder=bigendian &exportsourcedata;
 # This is the most common type of message, corresponding to modes 1-5
 # This kind of msg are used for normal operation of syncronization
 # See RFC 5905 for details
 type NTP_std_msg = record {
-        stratum        : uint8;
+	stratum		: uint8;
-        poll           : int8;
+	poll		: int8;
-        precision      : int8;
+	precision	: int8;
-        root_delay     : NTP_Short_Time;
+	root_delay	: NTP_Short_Time;
-        root_dispersion: NTP_Short_Time;
+	root_dispersion	: NTP_Short_Time;
-        reference_id   : bytestring &length=4;
+	reference_id	: bytestring &length=4;
-        reference_ts   : NTP_Time;
+	reference_ts	: NTP_Time;
-        origin_ts      : NTP_Time;
+	origin_ts	: NTP_Time;
-        receive_ts     : NTP_Time;
+	receive_ts	: NTP_Time;
-        transmit_ts    : NTP_Time;
+	transmit_ts	: NTP_Time;
-        extensions     : case (has_exts) of {
+	extensions	: case (has_exts) of {
-				true  -> exts	: Extension_Field[] &until($input.length() > 24); 
+				true	-> exts	: Extension_Field[] &until($input.length() > 24); 
-				false -> nil 	: empty;
+				false	-> nil 	: empty;
-                         } &requires(has_exts);
+			 } &requires(has_exts);
-        mac_fields     : case (mac_len) of {
+	mac_fields	: case (mac_len) of {
-                                20	-> mac		: NTP_MAC;
+				20	-> mac		: NTP_MAC;
-                                24 	-> mac_ext 	: NTP_MAC_ext;
+				24 	-> mac_ext 	: NTP_MAC_ext;
-                                default -> nil2 	: empty;
+				default -> nil2 	: empty;
-                         } &requires(mac_len);
+			 } &requires(mac_len);
 } &let {
-        length          = sourcedata.length();
+	length		= sourcedata.length();
 	has_exts: bool	= (length - offsetof(extensions)) > 24;
 	mac_len: uint32	= (length - offsetof(mac_fields));
 } &byteorder=bigendian &exportsourcedata;
@ -56,24 +56,24 @@ type NTP_std_msg = record {
 # This format is for mode==6, control msg
 # See RFC 1119 for details
 type NTP_control_msg = record {
-        second_byte	: uint8;
+	second_byte	: uint8;
-        sequence	: uint16;
+	sequence	: uint16;
-        status      	: uint16;    #TODO: this can be further parsed internally
+	status		: uint16;	#TODO: this can be further parsed internally
-        association_id	: uint16;
+	association_id	: uint16;
-        offs		: uint16;
+	offs		: uint16;
-        c	   	: uint16;
+	c		: uint16;
 	data		: bytestring &length=c;
-        mac_fields	: case (has_control_mac) of {
+	mac_fields	: case (has_control_mac) of {
-                                true  -> mac : NTP_CONTROL_MAC;
+				true	-> mac : NTP_CONTROL_MAC;
-                                false -> nil : empty;
+				false	-> nil : empty;
-                         } &requires(has_control_mac);
+			 } &requires(has_control_mac);
 } &let {
-        R	: bool   = (second_byte & 0x80) > 0;	# First bit of 8-bits value
+	R	: bool	= (second_byte & 0x80) > 0;	# First bit of 8-bits value
-        E	: bool   = (second_byte & 0x40) > 0;	# Second bit of 8-bits value
+	E	: bool	= (second_byte & 0x40) > 0;	# Second bit of 8-bits value
-        M	: bool   = (second_byte & 0x20) > 0;	# Third bit of 8-bits value
+	M	: bool	= (second_byte & 0x20) > 0;	# Third bit of 8-bits value
-        OpCode	: uint8  = (second_byte & 0x1F);	# Last 5 bits of 8-bits value
+	OpCode	: uint8	= (second_byte & 0x1F);	# Last 5 bits of 8-bits value
-        length	= sourcedata.length();
+	length	= sourcedata.length();
-        has_control_mac: bool   = (length - offsetof(mac_fields)) == 12;
+	has_control_mac: bool	= (length - offsetof(mac_fields)) == 12;
 } &byteorder=bigendian &exportsourcedata;
 # As in RFC 5905
@ -90,35 +90,35 @@ type NTP_MAC_ext = record {
 # As in RFC 1119
 type NTP_CONTROL_MAC = record {
-        key_id		: uint32;
+	key_id		: uint32;
-     	crypto_checksum	: bytestring &length=8;
+	crypto_checksum	: bytestring &length=8;
 } &length=12;
 # As defined in RFC 5906
 type Extension_Field = record {
-  first_byte_ext: uint8;
+	first_byte_ext: uint8;
-  field_type	: uint8;
+	field_type	: uint8;
-  len		: uint16;
+	len		: uint16;
-  association_id: uint16;
+	association_id	: uint16;
-  timestamp	: uint32;
+	timestamp	: uint32;
-  filestamp	: uint32;
+	filestamp	: uint32;
-  value_len	: uint32;
+	value_len	: uint32;
-  value		: bytestring &length=value_len;
+	value		: bytestring &length=value_len;
-  sig_len	: uint32;
+	sig_len		: uint32;
-  signature	: bytestring &length=sig_len;
+	signature	: bytestring &length=sig_len;
-  pad		: padding to (len - offsetof(first_byte_ext));
+	pad		: padding to (len - offsetof(first_byte_ext));
 } &let {
-        R:	bool   = (first_byte_ext & 0x80) > 0;	# First bit of 8-bits value
+	R:	bool	= (first_byte_ext & 0x80) > 0;	# First bit of 8-bits value
-        E:	bool   = (first_byte_ext & 0x40) > 0;	# Second bit of 8-bits value
+	E:	bool	= (first_byte_ext & 0x40) > 0;	# Second bit of 8-bits value
-        Code:	uint8  = (first_byte_ext & 0x3F);	# Last 6 bits of 8-bits value
+	Code:	uint8	= (first_byte_ext & 0x3F);	# Last 6 bits of 8-bits value
 };
 type NTP_Short_Time = record {
-  seconds	: int16;
+	seconds	: int16;
-  fractions	: int16;
+	fractions	: int16;
 };
 type NTP_Time = record {
-  seconds	: uint32;
+	seconds	: uint32;
-  fractions	: uint32;
+	fractions	: uint32;
 };
`@ -1,2 +1 @@`
	`@load ./main`	`@load ./main`
	`#@load-sigs ./dpd.sig`