[ntp:questions] Strange timestamps in ntp packets

Unruh unruh-spam at physics.ubc.ca
Thu Nov 13 05:18:03 UTC 2008


bjourne at gmail.com (=?ISO-8859-1?Q?BJ=F6rn_Lindqvist?=) writes:

>Hello good people,

>I get some very weird and (to me) unexplainable results when I tcpdump
>ntp conversations. Here is a sample request-reply
>exchange. 169.254.96.5 is the ntp client and 169.254.96.2 is the
>server.

># tcpdump -vvv -ni eth0 port ntp
>tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
>bytes
>10:03:36.885381 IP [cut] 169.254.96.5.123 > 169.254.96.2.123: NTPv4, length
>48
>        Client, Leap indicator:  (0), Stratum 12, poll 6s, precision -20
>        Root Delay: 0.000091, Root dispersion: 0.025070, Reference-ID:
>169.254.96.2
>          Reference Timestamp:  3435472680.883139208 (2008/11/12 09:58:00)
>          Originator Timestamp: 3435472950.882161999 (2008/11/12 10:02:30)
>          Receive Timestamp:    3435472950.882674179 (2008/11/12 10:02:30)
>          Transmit Timestamp:   3435473016.885340604 (2008/11/12 10:03:36)
>            Originator - Receive Timestamp:  +0.000512179
>            Originator - Transmit Timestamp: +66.003178604
>10:03:36.885495 IP [cut] 169.254.96.2.123 > 169.254.96.5.123: NTPv4, length
>48
>        Server, Leap indicator:  (0), Stratum 11, poll 6s, precision -20
>        Root Delay: 0.000000, Root dispersion: 0.010070, Reference-ID:
>127.127.1.0
>          Reference Timestamp:  3435473012.959659999 (2008/11/12 10:03:32)
>          Originator Timestamp: 3435473016.885340604 (2008/11/12 10:03:36)
>          Receive Timestamp:    3435473016.884957999 (2008/11/12 10:03:36)
>          Transmit Timestamp:   3435473016.884979999 (2008/11/12 10:03:36)
>            Originator - Receive Timestamp:  -0.000382604
>            Originator - Transmit Timestamp: -0.000360604

>Note the difference in the originator and transmit timestamp in the
>first packet which is a whopping 66 seconds. Note also the strange
>reference timestamp. How can that be? It does not look sane. ntpq on
>the other hand reports totally different values:

In the outgoing timestamp everything but the transmit timestamp is garbage
and is left over from the last time a packet was configured. Nothing ever
looks at it because only one timestamp is relevant.  On the return,
the reference  timestamp is garbage, again becaue the client has not yet
filled it in which it will do when it receives the return from the server. 

 

># ntpq -np
>     remote           refid      st t when poll reach   delay   offset
>jitter
>=============================================================================
>=
> 127.127.1.0     LOCAL(0)        12 l    2   16  377    0.000    0.000
>0.001
>*169.254.96.2    LOCAL(0)        11 u   16   64  377    0.155   -0.425
>0.080

>The only thing that I can think of that could explain the discrepancy
>would be a bug in tcpdump, but google doesn't find any information
>about a problem like this. And surely, such a glaring problem would
>have been discovered a long time ago... My versions:

Nope, just a bug in your understanding of the packet. That's OK. We have
all gone through this. (Well, at least I did and I should not speak for
all)





More information about the questions mailing list