[ntp:questions] Strange timestamps in ntp packets
Björn Lindqvist
bjourne at gmail.com
Wed Nov 12 10:18:53 UTC 2008

Hello good people,

I get some very weird and (to me) unexplainable results when I tcpdump
ntp conversations. Here is a sample request-reply exchange.
169.254.96.5 is the ntp client and 169.254.96.2 is the server.

# tcpdump -vvv -ni eth0 port ntp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
10:03:36.885381 IP [cut] 169.254.96.5.123 > 169.254.96.2.123: NTPv4, length 48
    Client, Leap indicator: (0), Stratum 12, poll 6s, precision -20
    Root Delay: 0.000091, Root dispersion: 0.025070, Reference-ID: 169.254.96.2
    Reference Timestamp: 3435472680.883139208 (2008/11/12 09:58:00)
    Originator Timestamp: 3435472950.882161999 (2008/11/12 10:02:30)
    Receive Timestamp: 3435472950.882674179 (2008/11/12 10:02:30)
    Transmit Timestamp: 3435473016.885340604 (2008/11/12 10:03:36)
    Originator - Receive Timestamp: +0.000512179
    Originator - Transmit Timestamp: +66.003178604
10:03:36.885495 IP [cut] 169.254.96.2.123 > 169.254.96.5.123: NTPv4, length 48
    Server, Leap indicator: (0), Stratum 11, poll 6s, precision -20
    Root Delay: 0.000000, Root dispersion: 0.010070, Reference-ID: 127.127.1.0
    Reference Timestamp: 3435473012.959659999 (2008/11/12 10:03:32)
    Originator Timestamp: 3435473016.885340604 (2008/11/12 10:03:36)
    Receive Timestamp: 3435473016.884957999 (2008/11/12 10:03:36)
    Transmit Timestamp: 3435473016.884979999 (2008/11/12 10:03:36)
    Originator - Receive Timestamp: -0.000382604
    Originator - Transmit Timestamp: -0.000360604

Note the difference in the originator and transmit timestamp in the
first packet which is a whopping 66 seconds. Note also the strange
reference timestamp. How can that be? It does not look sane. ntpq on
the other hand reports totally different values:

# ntpq -np
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 127.127.1.0     LOCAL(0)        12 l    2   16  377    0.000    0.000   0.001
*169.254.96.2    LOCAL(0)        11 u   16   64  377    0.155   -0.425   0.080

The only thing that I can think of that could explain the discrepancy
would be a bug in tcpdump, but Google doesn't find any information
about a problem like this. And surely, such a glaring problem would
have been discovered a long time ago... My versions:

# tcpdump --help
tcpdump version 3.9.4
libpcap version 0.9.4
# ntpd --version
ntpd: ntpd 4.2.0a at 1.1196-r Thu May 3 13:48:09 UTC 2007 (1)
# uname -r
2.6.16.27-0.9-smp

What is going on here?
--
Best regards, Björn
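
Added example, not part of the original post: in the NTP on-wire protocol (RFC 5905) a client packet's Originator and Receive fields carry state from the previous exchange, and a reply is accepted only if its Originator field echoes the request's Transmit timestamp, which is the protocol's guard against spoofed replies. The sketch below applies that check and the RFC offset/delay formulas to the timestamps in the capture above; the function names are hypothetical, and T4 is an assumption (the capture time of the reply, taken as the client's arrival time).

```python
import re
from decimal import Decimal

# Timestamp lines copied from the tcpdump output in the post above.
REQUEST = """\
Originator Timestamp: 3435472950.882161999 (2008/11/12 10:02:30)
Receive Timestamp: 3435472950.882674179 (2008/11/12 10:02:30)
Transmit Timestamp: 3435473016.885340604 (2008/11/12 10:03:36)
"""
REPLY = """\
Originator Timestamp: 3435473016.885340604 (2008/11/12 10:03:36)
Receive Timestamp: 3435473016.884957999 (2008/11/12 10:03:36)
Transmit Timestamp: 3435473016.884979999 (2008/11/12 10:03:36)
"""
# Assumption: the capture ran on the client, so the capture time of the
# reply (10:03:36.885495) stands in for the client's arrival timestamp T4.
T4 = Decimal("3435473016.885495")

KEYS = {"Originator": "org", "Receive": "rec", "Transmit": "xmt"}
FIELD = re.compile(r"^\s*(Originator|Receive|Transmit) Timestamp: (\d+\.\d+)", re.M)

def timestamps(text):
    """Map org/rec/xmt to the NTP seconds tcpdump printed (exact decimals)."""
    return {KEYS[name]: Decimal(val) for name, val in FIELD.findall(text)}

def origin_check(request, reply):
    """A reply is valid only if it echoes the request's transmit timestamp."""
    return reply["org"] == request["xmt"]

def offset_delay(t1, t2, t3, t4):
    """RFC 5905 on-wire clock offset and round-trip delay, in seconds."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)

def analyse(request_text, reply_text, t4):
    req, rep = timestamps(request_text), timestamps(reply_text)
    if not origin_check(req, rep):
        raise ValueError("reply does not echo the request's transmit timestamp")
    offset, delay = offset_delay(req["xmt"], rep["rec"], rep["xmt"], t4)
    # req["org"] is the server's transmit time from the previous reply, so
    # xmt - org is the time since that reply: roughly one poll interval.
    return {"offset": offset, "delay": delay,
            "since_last_reply": req["xmt"] - req["org"]}

if __name__ == "__main__":
    for name, value in analyse(REQUEST, REPLY, T4).items():
        print(f"{name}: {value:.6f} s")
```

ntpq prints delay and offset in milliseconds and after filtering, so its columns are comparable in magnitude to these per-exchange values rather than identical to them.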