During my work with a couple of NTP servers, I had many situations in which I just wanted to know whether an NTP server is up and running or not. For this purpose, I used two small Linux tools that fulfil almost the same: single CLI command while not actually updating any clock but only displaying the result. That is: ntpdate & sntp. Of course, the usage of IPv6 is mandatory as well as the possibility to test NTP authentication.
Refer to my “Packet Capture: Network Time Protocol (NTP)” blog post in order to download a pcap with different NTP packets, or at least heaving a view of them at the screenshots.
ntpdate
You can use ntpdate with the “-q” switch to “Query only – don’t set the clock”. This is a very basic run:
|
1 2 3 |
weberjoh@nb15-lx:~$ ntpdate -q ntp3.weberlab.de server 2003:de:2016:330::dcfb:123, stratum 1, offset -0.002689, delay 0.02620 21 Mar 16:56:05 ntpdate[30627]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002689 sec |
When using an FQDN with a couple of A/AAAA records, ntpdate queries all of them:
|
1 2 3 4 5 |
weberjoh@nb15-lx:~$ ntpdate -q ntp.weberlab.de server 2003:de:2016:330::dcfb:123, stratum 1, offset -0.002768, delay 0.02623 server 2003:de:2016:336::dcf7:123, stratum 1, offset -0.024801, delay 0.07458 server 2003:de:2016:330::6b5:123, stratum 1, offset -0.002645, delay 0.02663 21 Mar 17:00:55 ntpdate[30631]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002768 sec |
Furthermore, you can query several names at once:
|
1 2 3 4 5 6 7 8 9 |
weberjoh@nb15-lx:~$ ntpdate -q ntp.weberlab.de de.pool.ntp.org server 2003:de:2016:336::dcf7:123, stratum 1, offset -0.003254, delay 0.03484 server 2003:de:2016:330::6b5:123, stratum 1, offset -0.002702, delay 0.02657 server 2003:de:2016:330::dcfb:123, stratum 1, offset -0.002803, delay 0.02618 server 81.7.4.127, stratum 2, offset 0.000870, delay 0.03607 server 217.91.44.17, stratum 2, offset -0.000245, delay 0.03961 server 212.112.228.242, stratum 2, offset -0.003942, delay 0.03146 server 81.3.27.46, stratum 3, offset -0.001936, delay 0.03152 21 Mar 17:02:30 ntpdate[30636]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002803 sec |
Debugging & NTP Authentication
Even more relevant for my lab tests is the ability to test NTP authentication. Therefore I am using the debugging mode “-d” which will print out all steps (while still not updating the local clock) in conjunction with -a <key-id> and -k <keyfile>. For this example I used two SHA1 keys from one of my NTP servers (ntp3.weberlab.de):
|
1 2 3 |
weberjoh@nb15-lx:~$ cat ntp3.keys 11 SHA1 c8ea1e9d5496925e12b903945a4d87c93450f37d # SHA1 key 12 SHA1 b8ea1e9d5496925e12b903945a4d87c93450f37d # SHA1 key |
While key number 11 is indeed correct (receive: authentication passed):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 |
weberjoh@nb15-lx:~$ ntpdate -a 11 -k ~/ntp3.keys -d ntp3.weberlab.de 21 Mar 17:08:34 ntpdate[30707]: ntpdate 4.2.8p4@1.3265-o Fri Jul 6 20:10:56 UTC 2018 (1) Looking for host ntp3.weberlab.de and service ntp host found : 2003:de:2016:330::dcfb:123 transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication passed transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication passed transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication passed transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication passed server 2003:de:2016:330::dcfb:123, port 123 stratum 1, precision -18, leap 00, trust 000 refid [PZF], delay 0.02641, dispersion 0.00002 transmitted 4, in filter 4 reference time: e03e3586.0962cd3a Thu, Mar 21 2019 17:08:38.036 originate timestamp: e03e3588.28a90bc1 Thu, Mar 21 2019 17:08:40.158 transmit timestamp: e03e3588.290dd0a3 Thu, Mar 21 2019 17:08:40.160 filter delay: 0.02678 0.02641 0.02644 0.02647 0.00000 0.00000 0.00000 0.00000 filter offset: -0.00247 -0.00259 -0.00262 -0.00258 0.000000 0.000000 0.000000 0.000000 delay 0.02641, dispersion 0.00002 offset -0.002595 21 Mar 17:08:40 ntpdate[30707]: adjust time server 2003:de:2016:330::dcfb:123 offset -0.002595 sec |
I falsified key number 12 on purpose to test the output (receive: authentication failed):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
weberjoh@nb15-lx:~$ ntpdate -a 12 -k ~/ntp3.keys -d ntp3.weberlab.de 21 Mar 17:14:13 ntpdate[30778]: ntpdate 4.2.8p4@1.3265-o Fri Jul 6 20:10:56 UTC 2018 (1) Looking for host ntp3.weberlab.de and service ntp host found : 2003:de:2016:330::dcfb:123 transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication failed transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication failed transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication failed transmit(2003:de:2016:330::dcfb:123) receive(2003:de:2016:330::dcfb:123) receive: authentication failed 2003:de:2016:330::dcfb:123: Server dropped: Server is untrusted server 2003:de:2016:330::dcfb:123, port 123 stratum 1, precision -18, leap 00, trust 017 refid [PZF], delay 0.02647, dispersion 0.00002 transmitted 4, in filter 4 reference time: e03e36d6.096369ef Thu, Mar 21 2019 17:14:14.036 originate timestamp: e03e36db.eeb096a4 Thu, Mar 21 2019 17:14:19.932 transmit timestamp: e03e36db.eefa3bbd Thu, Mar 21 2019 17:14:19.933 filter delay: 0.02681 0.02658 0.02650 0.02647 0.00000 0.00000 0.00000 0.00000 filter offset: -0.00200 -0.00217 -0.00213 -0.00214 0.000000 0.000000 0.000000 0.000000 delay 0.02647, dispersion 0.00002 offset -0.002146 21 Mar 17:14:19 ntpdate[30778]: no server suitable for synchronization found |
Mission accomplished.
sntp
Just as an alternative you can use sntp as well. Sntp by default writes “the estimated correct local date and time (i.e. not UTC) to the standard output”:
|
1 2 3 4 |
pi@pi05-random:~ $ sntp ntp3.weberlab.de sntp 4.2.8p10@1.3728-o Sat Mar 10 17:59:48 UTC 2018 (1) kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory 2019-03-21 17:23:56.922791 (-0100) +0.00035 +/- 0.000474 ntp3.weberlab.de 2003:de:2016:330::dcfb:123 s1 no-leap |
The “kod_init_kod_db” warning is normal and can be ignored.
Debugging & NTP Authentication
Fortunately, the options are quite the same when it comes to debugging and NTP authentication. That is: -d -a <key-id> -k <keyfile>. Having the same two keys (11 ok, 12 not ok) in place, gives the following output for “authenticated using key id 11“:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
pi@ntp2-gps:~ $ sntp -d -a 11 -k ~/ntp3.keys ntp3.weberlab.de sntp 4.2.8p12@1.3728-o Thu Nov 8 11:39:41 UTC 2018 (1) kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory handle_lookup(ntp3.weberlab.de,0x2) move_fd: estimated max descriptors: 1024, initial socket boundary: 16 generate_pkt: key_id 11, key pointer 0x2416878 generate_pkt: mac_size is 20 sntp sendpkt: Sending packet to [2003:de:2016:330::dcfb:123]:123 ... Packet sent. sock_cb: ntp3.weberlab.de [2003:de:2016:330::dcfb:123]:123 sntp sock_cb: packet from 2003:de:2016:330::dcfb:123 authenticated using key id 11. 2019-03-21 17:37:39.872110 (-0100) +0.00241 +/- 0.001833 ntp3.weberlab.de 2003:de:2016:330::dcfb:123 s1 no-leap |
as well as for “Crypto NAK“:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
pi@ntp2-gps:~ $ sntp -d -a 12 -k ~/ntp3.keys ntp3.weberlab.de sntp 4.2.8p12@1.3728-o Thu Nov 8 11:39:41 UTC 2018 (1) kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory handle_lookup(ntp3.weberlab.de,0x2) move_fd: estimated max descriptors: 1024, initial socket boundary: 16 generate_pkt: key_id 12, key pointer 0x10018e0 generate_pkt: mac_size is 20 sntp sendpkt: Sending packet to [2003:de:2016:330::dcfb:123]:123 ... Packet sent. sock_cb: ntp3.weberlab.de [2003:de:2016:330::dcfb:123]:123 Crypto NAK = 0x00000000 from 2003:de:2016:330::dcfb:123 sock_cb: handle_pkt() returned 1 |
Please note that to my mind there was a bug at least in sntp version 4.2.8p10, since I got this “Segmentation fault” output from another machine (while the above-listed outputs were from version 4.2.8p12):
|
1 2 3 4 5 |
pi@pi05-random:~ $ sntp -d -a 11 -k ~/ntp3.keys ntp3.weberlab.de sntp 4.2.8p10@1.3728-o Sat Mar 10 17:59:48 UTC 2018 (1) kod_init_kod_db(): Cannot open KoD db file /var/db/ntp-kod: No such file or directory handle_lookup(ntp3.weberlab.de,0x2) Segmentation fault |
That’s it. ;) Happy troubleshooting.
Featured image “Reading glasses over a book” by Marco Verch is licensed under CC BY 2.0.
2 thoughts on “Basic NTP Client Test: ntpdate & sntp”