[ntp:questions] Detecting ntp broadcast packets
Miroslav Lichvar
mlichvar at redhat.com
Thu Feb 28 13:46:11 UTC 2019
On Wed, Feb 27, 2019 at 08:39:45AM -0900, John Thurston wrote:
> And since I'm on a switched ethernet LAN, my network port is only going to
> see traffic destined for my own MAC (or broadcast) anyway. So I really can't
> see any benefit to enabling promiscuous mode. What am I missing?
Nothing. I was aiming for simplicity. For lowest CPU usage the other
approach with an NTP broadcast client configured to log packets might
be better as it would avoid the BPF filter.
> Wouldn't this work just as well?
>
> tcpdump -U -p -n -s 128 'broadcast and port 123 and udp[8] & 7 == 5'
Yes, assuming nothing is using multicast messaging or switches are
snooping and your machine didn't join the group.
--
Miroslav Lichvar
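
Added example, not part of the original thread: a Python sketch of what the quoted tcpdump filter tests on an Ethernet/IPv4 frame, showing the multicast case from the reply, where an NTP mode 5 packet is rejected by the 'broadcast' primitive. The frames, the addresses and the names classify and build_frame are constructed for illustration; 224.0.1.1 is the IANA-assigned NTP multicast group.

```python
import socket
import struct

NTP_PORT = 123
MODE_BROADCAST = 5                 # NTP mode field value for broadcast
ETH_BROADCAST = b"\xff" * 6

def classify(frame: bytes) -> str:
    """'match'  = passes 'broadcast and port 123 and udp[8] & 7 == 5';
    'missed' = NTP mode 5 sent to a multicast MAC, rejected by 'broadcast';
    'other'  = anything else (IPv4 only in this sketch)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "other"                         # too short or not IPv4
    ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
    frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17 or frag_offset:
        return "other"                         # not an unfragmented UDP datagram
    udp = 14 + ihl
    if len(frame) < udp + 9:
        return "other"                         # no room for the first NTP byte
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if NTP_PORT not in (sport, dport):
        return "other"
    # udp[8] is the first byte after the 8-byte UDP header: LI(2) | VN(3) | mode(3)
    if frame[udp + 8] & 7 != MODE_BROADCAST:
        return "other"
    dst_mac = frame[0:6]
    if dst_mac == ETH_BROADCAST:
        return "match"
    if dst_mac[0] & 1:                         # group bit set: multicast MAC
        return "missed"
    return "other"

def build_frame(dst_mac: bytes, dst_ip: str, mode: int) -> bytes:
    """Constructed sample: Ethernet + IPv4 + UDP + 48-byte NTPv4 header."""
    ntp = bytes([(4 << 3) | mode]) + bytes(47)
    udp = struct.pack("!HHHH", NTP_PORT, NTP_PORT, 8 + len(ntp), 0) + ntp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton(dst_ip))
    return dst_mac + bytes.fromhex("020000000001") + b"\x08\x00" + ip + udp

# Constructed sample frames (checksums left at zero; they are not inspected)
SAMPLES = {
    "broadcast mode 5": build_frame(ETH_BROADCAST, "192.0.2.255", 5),
    "multicast mode 5": build_frame(bytes.fromhex("01005e000101"), "224.0.1.1", 5),
    "broadcast mode 3": build_frame(ETH_BROADCAST, "192.0.2.255", 3),
}
```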