[ntp:questions] Detecting ntp broadcast packets

Miroslav Lichvar mlichvar at redhat.com
Thu Feb 28 13:46:11 UTC 2019

On Wed, Feb 27, 2019 at 08:39:45AM -0900, John Thurston wrote:
> And since I'm on a switched ethernet LAN, my network port is only going to
> see traffic destined for my own MAC (or broadcast) anyway. So I really can't
> see any benefit to enabling promiscuous mode. What am I missing?

Nothing. I was aiming for simplicity. For lowest CPU usage the other
approach with an NTP broadcast client configured to log packets might
be better as it would avoid the BPF filter.

> Wouldn't this work just as well?
> tcpdump -U -p -n -s 128 'broadcast and port 123 and udp[8] & 7 == 5'

Yes, assuming nothing is using multicast messaging or switches are
snooping and your machine didn't join the group.

Miroslav Lichvar

More information about the questions mailing list