[ntp:questions] Detecting ntp broadcast packets

Miroslav Lichvar mlichvar at redhat.com
Wed Feb 27 08:34:37 UTC 2019


On Tue, Feb 26, 2019 at 09:58:06AM -0900, John Thurston wrote:
> B) use snoop or tcpdump to look at broadcast packets and tell me if it
> uncovers any ntp
> 
> Is there already a better way to watch and warn of such packets?

An easier way would be to use tcpdump to print all NTP packets (not
just those sent to a broadcast address) that have the mode field equal
to 5 (broadcast).

tcpdump -n -i eth0 'port 123 and udp[8] & 7 == 5'

If it doesn't print anything, nothing in the network is using the NTP
broadcast mode.

-- 
Miroslav Lichvar
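
The same check applied offline to raw IPv4 packets, as an added example that is
not part of the original post: it reads the byte the filter addresses as udp[8]
and lists the senders whose NTP mode is 5. The function names and the sample
packets (documentation addresses, zero checksums) are constructed for illustration.

```python
import struct

NTP_PORT, MODE_BROADCAST = 123, 5

def ntp_mode(ip_packet: bytes):
    """Return (src_ip, version, mode) for an IPv4/UDP NTP packet, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4        # header length; IP options make it > 20
    if ihl < 20 or ip_packet[9] != 17:     # protocol 17 = UDP
        return None
    if struct.unpack("!H", ip_packet[6:8])[0] & 0x1FFF:
        return None                        # later fragment: no UDP header in it
    udp = ip_packet[ihl:]
    if len(udp) < 9:                       # 8-byte UDP header + first NTP byte
        return None
    sport, dport = struct.unpack("!HH", udp[:4])
    if NTP_PORT not in (sport, dport):     # like 'port 123': either side
        return None
    first = udp[8]                         # the byte the filter reads as udp[8]
    src = ".".join(str(b) for b in ip_packet[12:16])
    return src, (first >> 3) & 7, first & 7   # LI(2) | VN(3) | Mode(3)

def broadcast_senders(packets):
    """Sorted source addresses of all packets whose NTP mode is 5."""
    hits = (ntp_mode(p) for p in packets)
    return sorted({h[0] for h in hits if h and h[2] == MODE_BROADCAST})

def build_packet(src, dst, first_byte, options=b""):
    """Constructed IPv4/UDP/NTP test packet (checksums left at zero)."""
    ntp = bytes([first_byte]) + bytes(47)
    udp = struct.pack("!HHHH", NTP_PORT, NTP_PORT, 8 + len(ntp), 0) + ntp
    ihl = 5 + len(options) // 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(udp),
                     0, 0, 64, 17, 0, bytes(src), bytes(dst))
    return ip + options + udp

# Constructed samples: first byte 0x25 = version 4, mode 5; 0x23 = version 4, mode 3.
SAMPLES = [
    build_packet([192, 0, 2, 10], [192, 0, 2, 255], 0x25),             # broadcast
    build_packet([192, 0, 2, 20], [192, 0, 2, 1], 0x23),               # client request
    build_packet([192, 0, 2, 30], [224, 0, 1, 1], 0x25, b"\x01" * 4),  # multicast, IP options
]

if __name__ == "__main__":
    for sender in broadcast_senders(SAMPLES):
        print("NTP mode 5 packet from", sender)
```

The third sample carries IP options, so its mode byte sits 4 bytes later in the
packet; computing the offset from the IP header length still finds it.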

