[ntp:questions] Detecting ntp broadcast packets
Miroslav Lichvar
mlichvar at redhat.com
Wed Feb 27 08:34:37 UTC 2019
On Tue, Feb 26, 2019 at 09:58:06AM -0900, John Thurston wrote:
> B) use snoop or tcpdump to look at broadcast packets and tell me if it
> uncovers any ntp
>
> Is there already a better way to watch and warn of such packets?

An easier way would be to use tcpdump to print all NTP packets (not
just those sent to a broadcast address) that have the mode field equal
to 5 (broadcast).

    tcpdump -n -i eth0 'port 123 and udp[8] & 7 == 5'

If it doesn't print anything, nothing in the network is using the NTP
broadcast mode.

--
Miroslav Lichvar
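
The mode test from the filter above, as an added example that is not part of the original post: udp[8] is the first byte after the 8-byte UDP header, and the low three bits of that byte are the NTP mode. The function names, the sample datagrams and the 192.0.2.x addresses are constructed for illustration.

```python
import struct

NTP_PORT = 123
BROADCAST_MODE = 5

def decode_udp_ntp(datagram):
    """Decode a raw UDP datagram (8-byte UDP header followed by payload).

    Returns the LI/version/mode fields of the first payload byte, or None
    if the datagram is not on port 123 or carries no payload."""
    if len(datagram) < 9:
        return None
    sport, dport, _length, _cksum = struct.unpack("!HHHH", datagram[:8])
    if NTP_PORT not in (sport, dport):
        return None
    first = datagram[8]  # the same byte the filter addresses as udp[8]
    return {"li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7}

def broadcast_senders(captured):
    """captured: iterable of (source_ip, udp_datagram) pairs.

    Returns the sorted, de-duplicated sources that sent mode 5 packets."""
    hits = set()
    for src, datagram in captured:
        info = decode_udp_ntp(datagram)
        if info and info["mode"] == BROADCAST_MODE:
            hits.add(src)
    return sorted(hits)

def make_datagram(sport, dport, li, version, mode):
    """Build a constructed UDP datagram with a 48-byte NTP-sized payload."""
    payload = bytes([(li << 6) | (version << 3) | mode]) + bytes(47)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample traffic; the addresses are documentation addresses.
SAMPLE = [
    ("192.0.2.10", make_datagram(40000, 123, 0, 4, 3)),  # client request
    ("192.0.2.1", make_datagram(123, 40000, 0, 4, 4)),   # server reply
    ("192.0.2.50", make_datagram(123, 123, 0, 4, 5)),    # broadcast mode
    ("192.0.2.50", make_datagram(123, 123, 0, 4, 5)),    # repeat, de-duplicated
    ("192.0.2.60", make_datagram(5353, 5353, 0, 0, 5)),  # low bits 5, wrong port
]

if __name__ == "__main__":
    for src in broadcast_senders(SAMPLE):
        print("NTP broadcast-mode sender:", src)
```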