Network Time Protocol (NTP)

NTP is used to synchronize the clock of a network client with a server. It's the primary work of David L. Mills, PhD.

The NTP server will (hopefully) have the precise time (probably directly from an atomic clock). The NTP client asks the NTP server about the current time, and then will adjust it's internal clock to that value. Adjusting the clock is not instantaneously, but smoothed over time towards the reference time sources selected. A lot of intricate details are involved, which are described in the relevant research project pages


The Wikipedia article has a relevant writeup of the protocol.

Protocol dependencies

  • UDP: Typically, NTP uses UDP as its transport protocol. The well known UDP port for NTP traffic is 123.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).


The NTP dissector is fully functional.

Preference Settings

There are no NTP related preference settings.

Example capture file

Display Filter

A complete list of NTP display filter fields can be found in the display filter reference

Show only the NTP based traffic:


Capture Filter

You cannot directly filter NTP protocols while capturing. However, you can filter on the well known NTP UDP port 123.

Capture only the NTP based traffic:

 udp port 123

On many systems, you can say "udp port ntp" rather than "udp port 123".

External links

Current RFC:

  • RFC 5905 Network Time Protocol Version 4: Protocol and Algorithms Specification

Obsoleted RFCs:

  • RFC 958 Network Time Protocol

  • RFC 1059 Network Time Protocol (Version 1) Specification and Implementation

  • RFC 1119 Network Time Protocol (Version 2) Specification and Implementation

  • RFC 1305 Network Time Protocol (Version 3) Specification, Implementation and Analysis

Other Information:


Note: On WinXP the 'Windows Time' service must be stopped for NTP packets to be passed up the stack and visible to Wireshark.

Imported from on 2020-08-11 23:17:35 UTC