[ntp:questions] Detecting ntp broadcast packets
john.thurston at alaska.gov
Wed Feb 27 17:39:45 UTC 2019
On 2/26/2019 11:34 PM, Miroslav Lichvar wrote:
> On Tue, Feb 26, 2019 at 09:58:06AM -0900, John Thurston wrote:
>> B) use snoop or tcpdump to look at broadcast packets and tell me if it
>> uncovers any ntp
>> Is there already a better way to watch and warn of such packets?
> An easier way would be to use tcpdump to print all NTP packets (not
> just those sent to a broadcast address) that have the mode field equal
> to 5 (broadcast).
> tcpdump -n -i eth0 'port 123 and udp & 7 == 5'
But does this not require tcpdump have the nic in promiscuous mode? How
is this a benefit? If all I'm concerned with is broadcast traffic, why
shouldn't I limit my inspection to broadcast packets and avoid
promiscuous mode entirely?
And since I'm on a switched ethernet LAN, my network port is only going
to see traffic destined for my own MAC (or broadcast) anyway. So I
really can't see any benefit to enabling promiscuous mode. What am I
Wouldn't this work just as well?
tcpdump -U -p -n -s 128 'broadcast and port 123 and udp & 7 == 5'
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
More information about the questions