[Pool] ntp queries, icmp unreachable, traffic graph

Fabian Wenk fabian at wenks.ch
Tue Feb 11 16:43:31 UTC 2014


Hello Thomas

On 10.02.14 23:03, Thomas Pfaff wrote:
> Looking at a tcpdump on my external interface I see, obviously, a lot
> of ntp requests and responses.  Now, once in a while a response gets
> answered with an icmp port unreachable, transaction something like
>
>     example.com.2690 > ntp.tp76.info.123: v4 client strat 0 poll 0 prec 0 (DF)
>     ntp.tp76.info.123 > example.com.2690: v4 server strat 4 poll 0 prec -6 [tos 0x10]
>     example.com > ntp.tp76.info: icmp: example.com udp port 2690 unreachable
>
> Why does it say "answer me on port 2690" and when I do I get "sorry,
> that port is unreachable"?  (read on; graph coming up)

As others pointed out, the system doing the request (or if his IP 
address is spoofed), does block / reject upd traffic from port 
123 do any other port in. If it just happens seldom, just ignore it.

> My second question; why is the ntp traffic so spikey?  For an hour I
> get about 150 requests per minute and then suddenly I get about 7000
> requests per minute for a short time, and then it drops.

I do not know how you do measure the requests. For my graphs [1] 
I do measure the packets with the 'packets received' and 'packets 
sent' from the 'ntpdc -c sysstats -c iostats' output. But I guess 
they do correspond to requests.

   [1] http://www.home4u.ch/ntp/

If you look at my graphs, I have much higher peaks. But it does 
not affect the operation of the system itself, even if some of 
them are only single core Xeon with 3 GHz.
My servers are also in the TR zone, from which we know, that 
there are probably CPE from one large ISP, which are doing sntp 
on fixed times.


bye
Fabian


More information about the pool mailing list