[Pool] ntp queries, icmp unreachable, traffic graph

Thomas Pfaff tpfaff at tp76.info
Tue Feb 11 19:19:46 UTC 2014

On Tue, 11 Feb 2014 17:43:31 +0100
Fabian Wenk <fabian at wenks.ch> wrote:
> I do not know how you do measure the requests. For my graphs [1] 
> I do measure the packets with the 'packets received' and 'packets 
> sent' from the 'ntpdc -c sysstats -c iostats' output.

The data for the graph is just tcpdump output, something like

   tcpdump -p -D in -ni em0 -l 'udp port 123' > ntp.log

run for one minute then "wc -l ntp.log" and add that to the rrd.
It's a bit of a hack I guess, but it gets the job done and the
ntpd I run does not keep counters like that.  Thanks for sharing
your graphs.

lst_hoe02 at 79365-rhs.de wrote:
> [...] fixed time of day to sync with the pool instead of using a random
> starttime or interval. So these clients all rush in at nearly the same
> time. But 7000 request per minute isn't something to worry about, no?

That should explain what I'm seeing.  And no, 7000 requests (or queries)
per minute is definitely not a problem, I just like to know what's going
on ;-)

As for the icmp unreachable, I thought it was something like NAT or
a firewall not allowing return traffic, but I really wanted to make
sure I've not misconfigured anything on my side (whatever that might
be).  Some are probably also spoofed addresses but that's just fine.
It's on the Internet after all ;-)

Thanks again guys.


