[ntp:questions] Detecting ntp broadcast packets

John Thurston john.thurston at alaska.gov
Wed Feb 27 17:39:45 UTC 2019

On 2/26/2019 11:34 PM, Miroslav Lichvar wrote:
> On Tue, Feb 26, 2019 at 09:58:06AM -0900, John Thurston wrote:
>> B) use snoop or tcpdump to look at broadcast packets and tell me if it
>> uncovers any ntp
>> Is there already a better way to watch and warn of such packets?

> An easier way would be to use tcpdump to print all NTP packets (not
> just those sent to a broadcast address) that have the mode field equal
> to 5 (broadcast).
> tcpdump -n -i eth0 'port 123 and udp[8] & 7 == 5'

But does this not require tcpdump have the nic in promiscuous mode? How 
is this a benefit? If all I'm concerned with is broadcast traffic, why 
shouldn't I limit my inspection to broadcast packets and avoid 
promiscuous mode entirely?

And since I'm on a switched ethernet LAN, my network port is only going 
to see traffic destined for my own MAC (or broadcast) anyway. So I 
really can't see any benefit to enabling promiscuous mode. What am I 

Wouldn't this work just as well?

tcpdump -U -p -n -s 128 'broadcast and port 123 and udp[8] & 7 == 5'

    Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska

More information about the questions mailing list