[ntp:questions] what does it take to get on the npdc monlist?

dave morgan morgad at eclipse.co.uk
Sat Apr 9 19:53:04 UTC 2005


I am experimenting with using the following packet sniffer to monitor
how my inbound ntp traffic (the following has been cut down a bit)

---start---
#!/usr/bin/perl -T -W
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;

my $myip = "10.0.0.4";
my $progin = "udp port 123 and dst host $myip";

Net::PcapUtils::loop(\&grab_ip, FILTER => $progin, PROMISC =>0, DEV =>
"eth0"));

sub grab_ip{
        my ($arg,$hdr,$pkt) = @_ ;
        my $src_ip = NetPacket::IP->decode(
                NetPacket::Ethernet::strip($pkt))->{src_ip};
}
---stop---

and I am puzzled why I consistently get 40% more ip addresses from
the above code than from the ntpdc monlist with the following - 

cat ~/ntpstats/iplist/ipdump* | sort | uniq | grep -c -F .

(even when dumping the monlist every minute, and with the average
monlist containing 400 seconds of data.)


Is there a problem with this filter, or is there some criteria
packets must pass to get on the monlist? Which of the two
methods gives a more 'accurate' result?

best regards
Dave
-- 
http://www.morgad.no-ip.info/index.html    gpg:0x64B5E037 
Distributed Proofreaders: http://www.pgdp.net
The NTP server pool http://www.pool.ntp.org



More information about the questions mailing list