r26 - 2021-04-29 - 00:27:34 - HarlanStennYou are here: NTP >  Support Web > MonitoringAndControllingNTP
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
REFACTOR See MonitoringAndControllingNTPDev for discussion of this topic.

8. Monitoring and Controlling NTP

See TroubleshootingNTP for checking the behavior of a particular machine.

Monitoring NTP

For ongoing monitoring of an NTP network there are a variety of choices, including:

  • whatever else we can find

scripts/stats tools

Foremost among these tools is peer.awk, a script that computes statistics from a peerstats file. It is invoked with:

 % gawk -f peer.awk peerstats

where peerstats is the path and name of the peerstats file to be analyzed. awk or nawk may work as well.

The output looks like this:

% gawk -f peer.awk $NTPSTATS/peerstats.20061120
       ident     cnt     mean     rms      max     delay     dist     disp
==========================================================================    5241   -0.000    0.002    0.008    0.000    0.000    0.000
server1         1339    2.055    0.346    4.077   17.993   16.592    3.414
server2         1337    3.542    0.339    3.591   16.791   17.514    3.399
server3         1215    2.196    0.348    2.161   12.954  945.456    4.737
server4         1341    0.897    4.305   36.682    0.538   23.602    3.446
server5         1341    2.580    0.316    3.566   16.445   16.261    3.384     1339    0.000    0.000    0.000    0.000    0.000    0.000

The ident column identifies the server by IP address or pseudo IP address. The line beginning with is a such a pseudo IP address. It designates a hardware reference clock using driver thirty - the Motorola Oncore GPS driver. I have replaced actual IP addresses with server1, server2, etc. The cnt column gives the number of samples in the peerstats file for the ident. The mean column contains the arithmetic mean or average of the offsets for that server or reference clock. The rms column contains the root mean square of the offsets. This is a measure of central tendency computed as the square root of the sum of the squares of the offsets divided by the number of samples. The max column contains the offset with the greatest absolute value. The delay column has the mean round trip network delay for a network server. dist is the maximum observed synchronization distance, where synchcronization distance is defined as the dispersion plus one half the round trip delay. disp is defined as the maximum error of the server or peer clock relative to the local clock over the network path between them, in seconds. For all of mean, RMS, max, delay, dist, and disp values closer to 0 (zero) are better.


RRDTOOL defaults to storing non-negative numbers.

NTP offsets will sometimes go negative. To allow negative numbers to be stored you need to tune your RRD databases:

   rrdtool tune foo.rrd -i ds0:u -i ds1:u

(Do we need to do this for both ds0 and ds1?)

See also: Using rrdgraph for better NTP monitoring

Who is using my NTP server?

You can check which hosts are talking to your time server by using the mru command of ntpq (or in older versions of NTP, the monlist command of ntpdc), e.g.

   ntpq -c mru

Please note that a maximum of 600 entries is supported with current versions of ntpq and ntpdc. The protocol (or better: the contents of the return packets) used by ntpq or ntpdc is not standardized, therefore it is recommended to only use ntpq or ntpdc with a matching ntpd, i.e. both should have the same version number.

To get by this 600 entry limitation, many server operators run client statistics scripts, such as Wayne Schlitt's ntp_clients and ntp_clients_stats scripts, which can be found at https://www.schlitt.net/scripts/ntp/index.html . They work very well, but can use quite a bit of system resources if your client counts are in the high thousands. Examples of these scripts in action can be found at:

Controlling NTP

Start and stop NTP on your server

Depending on your operating system there are a number of possibilities how to start and stop the NTP daemon.

On most Linux machines you can use these commands:

   /etc/init.d/ntpd start      # start NTP daemon
   /etc/init.d/ntpd stop       # stop NTP daemon

Some Linux distributions use xntpd instead of ntpd, even if they are referring to a Version 4 NTP implementation (and not a Version 3, which often has been called xntpd).

On a Windows machine, you can use the commands:

   net start ntp
   net stop ntp

if you used the Meinberg Installer for NTP. The NTP Time Server Monitor Application by Meinberg (see above) provides functions to start/stop and restart the service on a graphical interface.

Topic attachments
I Attachment Action Size Date Who Comment
elseEXT check_ntpq manage 8.3 K 2005-12-29 - 02:09 HarlanStenn  
elseEXT ntp_pkt manage 0.6 K 2012-07-28 - 17:03 VasilKolev munin plugin to track packet rates
Edit | WYSIWYG | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r26 < r25 < r24 < r23 < r22 | More topic actions
Support.MonitoringAndControllingNTP moved from Support.MonitoringNTP on 2004-07-01 - 02:46 by HarlanStenn - put it back
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platform
IPv6 Ready
Copyright & 1999-2021 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback