[ntp:questions] Strange timestamps in ntp packets

BJörn Lindqvist bjourne at gmail.com
Wed Nov 12 10:18:53 UTC 2008


Hello good people,

I get some very weird and (to me) unexplainable results when I tcpdump
ntp conversations. Here is a sample request-reply
exchange. 169.254.96.5 is the ntp client and 169.254.96.2 is the
server.

# tcpdump -vvv -ni eth0 port ntp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:03:36.885381 IP [cut] 169.254.96.5.123 > 169.254.96.2.123: NTPv4, length 48
        Client, Leap indicator:  (0), Stratum 12, poll 6s, precision -20
        Root Delay: 0.000091, Root dispersion: 0.025070, Reference-ID:
169.254.96.2
          Reference Timestamp:  3435472680.883139208 (2008/11/12 09:58:00)
          Originator Timestamp: 3435472950.882161999 (2008/11/12 10:02:30)
          Receive Timestamp:    3435472950.882674179 (2008/11/12 10:02:30)
          Transmit Timestamp:   3435473016.885340604 (2008/11/12 10:03:36)
            Originator - Receive Timestamp:  +0.000512179
            Originator - Transmit Timestamp: +66.003178604
10:03:36.885495 IP [cut] 169.254.96.2.123 > 169.254.96.5.123: NTPv4, length 48
        Server, Leap indicator:  (0), Stratum 11, poll 6s, precision -20
        Root Delay: 0.000000, Root dispersion: 0.010070, Reference-ID:
127.127.1.0
          Reference Timestamp:  3435473012.959659999 (2008/11/12 10:03:32)
          Originator Timestamp: 3435473016.885340604 (2008/11/12 10:03:36)
          Receive Timestamp:    3435473016.884957999 (2008/11/12 10:03:36)
          Transmit Timestamp:   3435473016.884979999 (2008/11/12 10:03:36)
            Originator - Receive Timestamp:  -0.000382604
            Originator - Transmit Timestamp: -0.000360604

Note the difference in the originator and transmit timestamp in the
first packet which is a whopping 66 seconds. Note also the strange
reference timestamp. How can that be? It does not look sane. ntpq on
the other hand reports totally different values:

# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        12 l    2   16  377    0.000    0.000   0.001
*169.254.96.2    LOCAL(0)        11 u   16   64  377    0.155   -0.425   0.080

The only thing that I can think of that could explain the discrepancy
would be a bug in tcpdump, but google doesn't find any information
about a problem like this. And surely, such a glaring problem would
have been discovered a long time ago... My versions:

# tcpdump --help
tcpdump version 3.9.4
libpcap version 0.9.4

# ntpd --version
ntpd: ntpd 4.2.0a at 1.1196-r Thu May  3 13:48:09 UTC 2007 (1)

# uname -r
2.6.16.27-0.9-smp

What is going on here?


-- 
mvh Björn



More information about the questions mailing list