[ntp:questions] Monitoring Number of Clients

Johannes Weber johannes at webernetz.net
Fri May 19 18:21:16 UTC 2017


Hello Mike et al., 

thanks for your reply. However, I cannot reproduce this on my NTP server
and I don't know why. 

I did a couple of more tests during the last days. Since yesterday, my
NTP server is stucked at 133 addresses, for whatever reason. To my mind
it should decrease to almost 30 again (since I have about 30 clients in
fact): 

pi at ntp2:~ $ ntpq -c mon
enabled:              0x1
addresses:            133
peak addresses:       133
maximum addresses:    14563
reclaim above count:  30
reclaim older than:   1200
kilobytes:            9
maximum kilobytes:    1024 

It was like the following: 

1) Test with 50 more NTP clients: increased to 133 

2) Test with another 50 more NTP clients: still set to 133 ??? 

Due to my configuration, any address older than 1200 should dissappear,
shouldn't it? At least after some more requests (which I explicitly
tested). Currently, I have a few entries such as: 

  9498      0  1d0 . 3 4      3 36451 2c0f:feb0:a:1::2
(pb6-01-emg.za.seacomnet.com)
  9498      0  1d0 . 3 4      3 53415 2c0f:feb0:3:1::2
(pb6-01-nbo.ke.seacomnet.com) 

and still about 70 (!) entries with: 

111139      0  1d0 . 3 4     10 42826
2001:981:ab85:1:fa1a:67ff:fe4d:76f9
111139      0  1d0 . 3 4     10 36673 2001:8b0:856:1:a2f3:c1ff:fe96:1194
111139      0  1d0 . 3 4     10 47410
2a03:a200:ffff:0:ea94:f6ff:fe48:4fba
111140      0  1d0 . 3 4     10 41549 2a00:e460:2a00:caff:ee::1ce 

--> both are obviously older than 1200. ;) So why are they still stored?


(I am running IPv6-only. Don't know whether this is related to
anything?) 

Thanks and regards, 

Johannes

---
Johannes Weber
  Webernetz.net - Network Security Consulting
  mail:    johannes at webernetz.net
  mobile:  +49 174 1880211

  blog:    https://blog.webernetz.net
  twitter: @webernetz [1] 

Am 18.05.2017 12:32, schrieb Mike Cook:

>> Le 17 mai 2017 à 10:42, Johannes Weber <johannes at webernetz.net> a écrit :
>> 
>> Hi list, 
>> 
>> some months ago I asked about NTP monitoring. Thanks for your answers! 
>> 
>> I tried Brians' version which sets some mru parameters. But it's not
>> working as I expected. Does anyone see my mistake? 
>> 
>> I set the following parameter: "mru mindepth 30 maxage 1200" in order to
>> delete all addresses that are older than 1200 seconds in case the list
>> is longer than 30. 
>> 
>> However, this is not the case. I hit my NTP server with 50 probes (via
>> RIPE Atlas) yesterday, but they are still stored as you can see the "78"
>> addresses: 
>> 
>> pi at ntp2:~ $ ntpq -c mon
>> enabled:              0x1
>> addresses:            78
>> peak addresses:       78
>> maximum addresses:    14563
>> reclaim above count:  30
>> reclaim older than:   1200
> 
> Mine works ok.  I don't think there is an issue. The entries aren't deleted when the limit is reached,  unless there a request for a new client which arrives after it. 
> Maybe you had no new requests coming in?
> 
> Here I have limited the entry count to 5 and age to 30
> 
> mike at bb3:~$ ntpq -c mrulist
> Ctrl-C will stop MRU retrieval and display partial results.
> Retrieved 6 unique MRU entries and 0 updates.
> lstint avgint rstr r m v  count rport remote address
> ==============================================================================
> 3     15  1c0 . 4 4     69   123 bb2.home
> 5     15  1c0 . 4 4     69   123 bb1.home
> 5     15  1c0 . 4 4     69   123 muon.stratum1.ddns.net
> 114      1    0 . 3 4      4 49741 raspb3.stratum1.ddns.net
> 313      1    0 . 3 4      4 46493 raspb2.stratum1.ddns.net
> 328      4    0 . 3 4      8 59803 electron.home
> 
> here I did an ntpdate -d from client raspb4
> 
> mike at bb3:~$ ntpq -c mrulist
> Ctrl-C will stop MRU retrieval and display partial results.
> Retrieved 6 unique MRU entries and 0 updates.
> lstint avgint rstr r m v  count rport remote address
> ==============================================================================
> 2      1    0 . 3 4      4 36616 raspb4.stratum1.ddns.net
> 12     15  1c0 . 4 4     72   123 bb2.home
> 14     15  1c0 . 4 4     72   123 muon.stratum1.ddns.net
> 14     15  1c0 . 4 4     72   123 bb1.home
> 171      1    0 . 3 4      4 49741 raspb3.stratum1.ddns.net
> 371      1    0 . 3 4      4 46493 raspb2.stratum1.ddns.net
> 
> you can see that the entry or electron has been removed.
> 
> Mike
> 
> kilobytes:            5
> maximum kilobytes:    1024 
> 
> They are all still in the list: 
> 
> pi at ntp2:~ $ ntpq -c mru
> Ctrl-C will stop MRU retrieval and display partial results.
> Retrieved 78 unique MRU entries and 0 updates.
> lstint avgint rstr r m v  count rport remote address
> ==============================================================================
> 
> [...] 
> 
> 69885      0  1d0 . 3 4      3 55430 2001:67c:10ec:3548:8000::1337
> 69885      0  1d0 . 3 4      3 38038 2a02:a40:300::12
> 69885      0  1d0 . 3 4      3 36528 2a01:360:1:18:c24a:ff:fecc:59ac
> 69885      0  1d0 . 3 4      3 45882
> 2a02:29b0:1004:0:c66e:1fff:fe5b:cc64
> 69885      0  1d0 . 3 4      3 39951
> 2a00:ca60:11:6000:f6f2:6dff:fe5d:971a
> 69885      0  1d0 . 3 4      3 48751 2a02:f48:1:200:16cc:20ff:fe48:d0e2
> 69885      0  1d0 . 3 4      3 43509 2a06:eac0:3000::4
> 69885      0  1d0 . 3 4      3 37525 2a03:1ae0:0:270:185:65:96:253
> 69885      0  1d0 . 3 4      3 40210 2a06:6bc0:0:2:ea94:f6ff:fee3:6d5a
> 69885      0  1d0 . 3 4      3 58714 2001:638:80a:2:6666:b3ff:feb0:e194
> 69885      0  1d0 . 3 4      3 42365
> 2a00:4ae0:4000:0:6666:b3ff:feb0:d85c
> 69885      0  1d0 . 3 4      3 43873 2a0b:2f00:29:0:fa1a:67ff:fe4d:847f
> 
> Any ideas? 
> 
> Thanks again, 
> 
> Johannes
> 
> ---
> Johannes Weber
> Webernetz.net - Network Security Consulting
> mail:    johannes at webernetz.net
> mobile:  +49 174 1880211
> 
> blog:    https://blog.webernetz.net
> twitter: @webernetz [1 [1]] 
> 
> Am 14.02.2017 23:31, schrieb Brian Inglis:
> 
> On 2017-02-06 13:10, Johannes Weber wrote: 
> 
> I have one question concerning the monstats and mrulist commands. I am
> monitoring my NTP servers and I want to graph the current clients. I am
> using the "addresses" line from the monstats output.
> However, it seems that every client that is gone many days ago (!) is
> still listed within the "addresses" section and not only in the "peak
> addresses". Same is true within the mrulist output which lists addresses
> that have a lstint many days ago.
> 
> So my question is: How can I get a number of the "most recent" clients,
> i.e., clients that have a lstint < 2000 or the like. (One bad approach
> might be to use the mrulist output and to grep all lines that have an
> lstint < 2000. But I am searching for a better way to do it.) 
> You can tweak the monitor stats collection with the mru conf statement:
> 
> mru [maxdepth count | maxmem kilobytes | mindepth count | maxage seconds 
> | initalloc count | initmem kilobytes | incalloc count 
> | incmem kilobytes]
> 
> https://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#mru
> 
> e.g. you may want to increase maxage to e.g. 86400s from default 64s 
> and reduce mindepth to your max peak addresses count from default 600, 
> so when you hit your peak addresses count, anything older than a day 
> is evicted and replaced by a newer entry.
> 
> I'd use awk for simple filtering of values like this e.g.
> 
> $ ntpq -c mrulist 2> /dev/null | awk '$8 == "123" && $1 <= 86400'
> 
> which you can easily expand on to do stats, or pass to a plot package.

Links:
------
[1] https://twitter.com/webernetz
_______________________________________________
questions mailing list
questions at lists.ntp.org
http://lists.ntp.org/listinfo/questions 
"The power of accurate observation is commonly called cynicism by those
who have not got it. »
George Bernard Shaw

 

Links:
------
[1] https://twitter.com/webernetz


More information about the questions mailing list