1ntpq(8) System Manager's Manual ntpq(8)
2
6 ntpq - standard NTP query program
7
10 ntpq [-46dinp] [-c command] [host] [...]
11
14 The ntpq utility program is used to monitor NTP daemon ntpd operations
15 and determine performance. It uses the standard NTP mode 6 control mes‐
16 sage formats defined in Appendix B of the NTPv3 specification RFC1305.
17 The same formats are used in NTPv4, although some of the variables have
18 changed and new ones added. The description on this page is for the
19 NTPv4 variables.
20 The program can be run either in interactive mode or controlled using
22 command line arguments. Requests to read and write arbitrary variables
23 can be assembled, with raw and pretty-printed output options being
24 available. The ntpq can also obtain and print a list of peers in a com‐
25 mon format by sending multiple queries to the server.
26 If one or more request options is included on the command line when
28 ntpq is executed, each of the requests will be sent to the NTP servers
29 running on each of the hosts given as command line arguments, or on
30 localhost by default. If no request options are given, ntpq will
31 attempt to read commands from the standard input and execute these on
32 the NTP server running on the first host given on the command line,
33 again defaulting to localhost when no other host is specified. ntpq
34 will prompt for commands if the standard input is a terminal device.
35 ntpq uses NTP mode 6 packets to communicate with the NTP server, and
37 hence can be used to query any compatible server on the network which
38 permits it. Note that since NTP is a UDP protocol this communication
39 will be somewhat unreliable, especially over large distances in terms
40 of network topology. ntpq makes one attempt to retransmit requests, and
41 will time requests out if the remote host is not heard from within a
42 suitable timeout time.
43 Note that in contexts where a host name is expected, a -4 qualifier
45 preceding the host name forces DNS resolution to the IPv4 namespace,
46 while a -6 qualifier forces DNS resolution to the IPv6 namespace.
47 For examples and usage, see the NTP Debugging Techniques page.
49 Command line options are described following. Specifying a command line
51 option other than -i or -n will cause the specified query (queries) to
52 be sent to the indicated host(s) immediately. Otherwise, ntpq will
53 attempt to read interactive format commands from the standard input.
54 -4 Force DNS resolution of following host names on the command
57 line to the IPv4 namespace.
58 -6 Force DNS resolution of following host names on the command
60 line to the IPv6 namespace.
61 -c The following argument is interpreted as an interactive format
63 command and is added to the list of commands to be executed on
64 the specified host(s). Multiple -c options may be given.
65 -d Turn on debugging mode.
67 -i Force ntpq to operate in interactive mode. Prompts will be
69 written to the standard output and commands read from the stan‐
70 dard input.
71 -n Output all host addresses in dotted-quad numeric format rather
73 than converting to the canonical host names.
74 -p Print a list of the peers known to the server as well as a sum‐
76 mary of their state. This is equivalent to the peers interac‐
77 tive command.
78
81 Interactive format commands consist of a keyword followed by zero to
82 four arguments. Only enough characters of the full keyword to uniquely
83 identify the command need be typed. The output of a command is normally
84 sent to the standard output, but optionally the output of individual
85 commands may be sent to a file by appending a >, followed by a file
86 name, to the command line. A number of interactive format commands are
87 executed entirely within the ntpq program itself and do not result in
88 NTP mode 6 requests being sent to a server. These are described follow‐
89 ing.
90 ? [command_keyword]
93 helpl [command_keyword]
95 A ? by itself will print a list of all the command keywords
96 known to this incarnation of ntpq. A ? followed by a command
97 keyword will print function and usage information about the
98 command. This command is probably a better source of informa‐
99 tion about ntpq than this manual page.
100 addvars variable_name [ = value] [...]
102 rmvars variable_name [...]
104 clearvars
106 The data carried by NTP mode 6 messages consists of a list of
107 items of the form variable_name = value, where the = value is
108 ignored, and can be omitted, in requests to the server to read
109 variables. ntpq maintains an internal list in which data to be
110 included in control messages can be assembled, and sent using
111 the readlist and writelist commands described below. The
112 addvars command allows variables and their optional values to
113 be added to the list. If more than one variable is to be added,
114 the list should be comma-separated and not contain white space.
115 The rmvars command can be used to remove individual variables
116 from the list, while the clearlist command removes all vari‐
117 ables from the list.
118 cooked Causes output from query commands to be "cooked", so that vari‐
120 ables which are recognized by ntpq will have their values
121 reformatted for human consumption. Variables which ntpq thinks
122 should have a decodable value but didn't are marked with a
123 trailing ?.
124 debug more | less | off
126 Turns internal query program debugging on and off.
127 delay milliseconds
129 Specify a time interval to be added to timestamps included in
130 requests which require authentication. This is used to enable
131 (unreliable) server reconfiguration over long delay network
132 paths or between machines whose clocks are unsynchronized.
133 Actually the server does not now require timestamps in authen‐
134 ticated requests, so this command may be obsolete.
135 host hostname
137 Set the host to which future queries will be sent. Hostname may
138 be either a host name or a numeric address.
139 hostnames [yes | no]
141 If yes is specified, host names are printed in information dis‐
142 plays. If no is specified, numeric addresses are printed
143 instead. The default is yes, unless modified using the command
144 line -n switch.
145 keyid keyid
147 This command specifies the key number to be used to authenti‐
148 cate configuration requests. This must correspond to a key num‐
149 ber the server has been configured to use for this purpose.
150 ntpversion 1 | 2 | 3 | 4
152 Sets the NTP version number which ntpq claims in packets.
153 Defaults to 2, Note that mode 6 control messages (and modes,
154 for that matter) didn't exist in NTP version 1.
155 passwd This command prompts for a password (which will not be echoed)
157 which will be used to authenticate configuration requests. The
158 password must correspond to the key configured for NTP server
159 for this purpose.
160 quit Exit ntpq.
162 raw Causes all output from query commands is printed as received
164 from the remote server. The only formatting/interpretation done
165 on the data is to transform non-ASCII data into a printable
166 (but barely understandable) form.
167 timeout millseconds
169 Specify a timeout period for responses to server queries. The
170 default is about 5000 milliseconds. Note that since ntpq
171 retries each query once after a timeout, the total waiting time
172 for a timeout will be twice the timeout value set.
173
176 Each association known to an NTP server has a 16 bit integer associa‐
177 tion identifier. NTP control messages which carry peer variables must
178 identify the peer the values correspond to by including its association
179 ID. An association ID of 0 is special, and indicates the variables are
180 system variables, whose names are drawn from a separate name space.
181 Control message commands result in one or more NTP mode 6 messages
183 being sent to the server, and cause the data returned to be printed in
184 some format. Most commands currently implemented send a single message
185 and expect a single response. The current exceptions are the peers com‐
186 mand, which will send a preprogrammed series of messages to obtain the
187 data it needs, and the mreadlist and mreadvar commands, which will
188 iterate over a range of associations.
189 associations
192 Obtains and prints a list of association identifiers and peer
193 statuses for in-spec peers of the server being queried. The
194 list is printed in columns. The first of these is an index num‐
195 bering the associations from 1 for internal use, the second the
196 actual association identifier returned by the server and the
197 third the status word for the peer. This is followed by a num‐
198 ber of columns containing data decoded from the status word.
199 See the peers command for a decode of the condition field. Note
200 that the data returned by the associations command is cached
201 internally in ntpq. The index is then of use when dealing with
202 stupid servers which use association identifiers which are hard
203 for humans to type, in that for any subsequent commands which
204 require an association identifier as an argument, the form
205 &index may be used as an alternative.
206 clockvar [assocID] [variable_name [ = value [...]] [...]
208 cv [assocID] [variable_name [ = value [...] ][...]
210 Requests that a list of the server's clock variables be sent.
211 Servers which have a radio clock or other external synchroniza‐
212 tion will respond positively to this. If the association iden‐
213 tifier is omitted or zero the request is for the variables of
214 the system clock and will generally get a positive response
215 from all servers with a clock. If the server treats clocks as
216 pseudo-peers, and hence can possibly have more than one clock
217 connected at once, referencing the appropriate peer association
218 ID will show the variables of a particular clock. Omitting the
219 variable list will cause the server to return a default vari‐
220 able display.
221 lassociations
223 Obtains and prints a list of association identifiers and peer
224 statuses for all associations for which the server is maintain‐
225 ing state. This command differs from the associations command
226 only for servers which retain state for out-of-spec client
227 associations (i.e., fuzzballs). Such associations are normally
228 omitted from the display when the associations command is used,
229 but are included in the output of lassociations.
230 lpassociations
232 Print data for all associations, including out-of-spec client
233 associations, from the internally cached list of associations.
234 This command differs from passociations only when dealing with
235 fuzzballs.
236 lpeers Like R peers, except a summary of all associations for which
238 the server is maintaining state is printed. This can produce a
239 much longer list of peers from fuzzball servers.
240 mreadlist assocID assocID
242 mrl assocID assocID
244 Like the readlist command, except the query is done for each of
245 a range of (nonzero) association IDs. This range is determined
246 from the association list cached by the most recent associa‐
247 tions command.
248 mreadvar assocID assocID [ variable_name [ = value[ ... ]
250 mrv assocID assocID [ variable_name [ = value[ ... ]
252 Like the readvar command, except the query is done for each of
253 a range of (nonzero) association IDs. This range is determined
254 from the association list cached by the most recent associa‐
255 tions command.
256 opeers An old form of the peers command with the reference ID replaced
258 by the local interface address.
259 passociations
261 Displays association data concerning in-spec peers from the
262 internally cached list of associations. This command performs
263 identically to the associations except that it displays the
264 internally stored data rather than making a new query.
265 peers Obtains a current list peers of the server, along with a sum‐
267 mary of each peer's state. Summary information includes the
268 address of the remote peer, the reference ID (0.0.0.0 if this
269 is unknown), the stratum of the remote peer, the type of the
270 peer (local, unicast, multicast or broadcast), when the last
271 packet was received, the polling interval, in seconds, the
272 reachability register, in octal, and the current estimated
273 delay, offset and dispersion of the peer, all in milliseconds.
274 The character at the left margin of each line shows the syn‐
275 chronization status of the association and is a valuable diag‐
276 nostic tool. The encoding and meaning of this character, called
277 the tally code, is given later in this page.
278 pstatus assocID
280 Sends a read status request to the server for the given associ‐
281 ation. The names and values of the peer variables returned will
282 be printed. Note that the status word from the header is dis‐
283 played preceding the variables, both in hexadecimal and in pid‐
284 geon English.
285 readlist [ assocID ]
287 rl [ assocID ]
289 Requests that the values of the variables in the internal vari‐
290 able list be returned by the server. If the association ID is
291 omitted or is 0 the variables are assumed to be system vari‐
292 ables. Otherwise they are treated as peer variables. If the
293 internal variable list is empty a request is sent without data,
294 which should induce the remote server to return a default dis‐
295 play.
296 readvar assocID variable_name [ = value ] [ ...]
298 rv assocID [ variable_name [ = value ] [...]
300 Requests that the values of the specified variables be returned
301 by the server by sending a read variables request. If the asso‐
302 ciation ID is omitted or is given as zero the variables are
303 system variables, otherwise they are peer variables and the
304 values returned will be those of the corresponding peer. Omit‐
305 ting the variable list will send a request with no data which
306 should induce the server to return a default display. The
307 encoding and meaning of the variables derived from NTPv3 is
308 given in RFC-1305; the encoding and meaning of the additional
309 NTPv4 variables are given later in this page.
310 writevar assocID variable_name [ = value [ ...]
312 Like the readvar request, except the specified variables are
313 written instead of read.
314 writelist [ assocID ]
316 Like the readlist request, except the internal list variables
317 are written instead of read.
318
321 The character in the left margin in the peers billboard, called the
322 tally code, shows the fate of each association in the clock selection
323 process. Following is a list of these characters, the pigeon used in
324 the rv command, and a short explanation of the condition revealed.
325 space reject
328 The peer is discarded as unreachable, synchronized to this
329 server (synch loop) or outrageous synchronization distance.
330 x falsetick
332 The peer is discarded by the intersection algorithm as a
333 falseticker.
334 . excess
336 The peer is discarded as not among the first ten peers sorted
337 by synchronization distance and so is probably a poor candidate
338 for further consideration.
339 - outlyer
341 The peer is discarded by the clustering algorithm as an out‐
342 lyer.
343 + candidat
345 The peer is a survivor and a candidate for the combining algo‐
346 rithm.
347 # selected
349 The peer is a survivor, but not among the first six peers
350 sorted by synchronization distance. If the association is
351 ephemeral, it may be demobilized to conserve resources.
352 * sys.peer
354 The peer has been declared the system peer and lends its vari‐
355 ables to the system variables.
356 o pps.peer
358 The peer has been declared the system peer and lends its vari‐
359 ables to the system variables. However, the actual system syn‐
360 chronization is derived from a pulse-per-second (PPS) signal,
361 either indirectly via the PPS reference clock driver or
362 directly via kernel interface.
363
366 The status, leap, stratum, precision, rootdelay, rootdispersion, refid,
367 reftime, poll, offset, and frequency variables are described in
368 RFC-1305 specification. Additional NTPv4 system variables include the
369 following.
370 version Everything you might need to know about the software version
373 and generation time.
374 processor
376 The processor and kernel identification string.
377 system The operating system version and release identifier.
379 state The state of the clock discipline state machine. The values are
381 described in the architecture briefing on the NTP Project page
382 linked from www.ntp.org.
383 peer The internal integer used to identify the association currently
385 designated the system peer.
386 jitter The estimated time error of the system clock measured as an
388 exponential average of RMS time differences.
389 stability
391 The estimated frequency stability of the system clock measured
392 as an exponential average of RMS frequency differences.
393 When the NTPv4 daemon is compiled with the OpenSSL software library,
395 additional system variables are displayed, including some or all of the
396 following, depending on the particular dance:
397 flags The current flags word bits and message digest algorithm iden‐
400 tifier (NID) in hex format. The high order 16 bits of the four-
401 byte word contain the NID from the OpenSSL ligrary, while the
402 low-order bits are interpreted as follows:
403 0x01 autokey enabled
406 0x02 NIST leapseconds file loaded
408 0x10 PC identity scheme
410 0x20 IFF identity scheme
412 0x40 GQ identity scheme
414 hostname
417 The name of the host as returned by the Unix gethostname()
418 library function.
419 hostkey The NTP filestamp of the host key file.
421 cert A list of certificates held by the host. Each entry includes
423 the subject, issuer, flags and NTP filestamp in order. The bits
424 are interpreted as follows:
425 0x01 certificate has been signed by the server
428 0x02 certificate is trusted
430 0x04 certificate is private
432 0x08 certificate contains errors and should not be trusted
434 leapseconds
437 The NTP filestamp of the NIST leapseconds file.
438 refresh The NTP timestamp when the host public cryptographic values
440 were refreshed and signed.
441 signature
443 The host digest/signature scheme name from the OpenSSL library.
444 tai The TAI-UTC offset in seconds obtained from the NIST leapsec‐
446 onds table.
447
450 The status, srcadr, srcport, dstadr, dstport, leap, stratum, precision,
451 rootdelay, rootdispersion, readh, hmode, pmode, hpoll, ppoll, offset,
452 delay, dspersion, reftime variables are described in the RFC-1305 spec‐
453 ification, as are the timestamps org, rec and xmt. Additional NTPv4
454 system variables include the following.
455 flash The flash code for the most recent packet received. The encod‐
458 ing and meaning of these codes is given later in this page.
459 jitter The estimated time error of the peer clock measured as an expo‐
461 nential average of RMS time differences.
462 unreach The value of the counter which records the number of poll
464 intervals since the last valid packet was received.
465 When the NTPv4 daemon is compiled with the OpenSSL software library,
467 additional peer variables are displayed, including the following:
468 flags The current flag bits. This word is the server host status word
471 with additional bits used by the Autokey state machine. See the
472 source code for the bit encoding.
473 hostname
475 The server host name.
476 initkey key
478 The initial key used by the key list generator in the Autokey
479 protocol.
480 initsequence index
482 The initial index used by the key list generator in the Autokey
483 protocol.
484 signature
486 The server message digest/signature scheme name from the
487 OpenSSL software library.
488 timestamp time
490 The NTP timestamp when the last Autokey key list was generated
491 and signed.
492
495 The flash code is a valuable debugging aid displayed in the peer vari‐
496 ables list. It shows the results of the original sanity checks defined
497 in the NTP specification RFC-1305 and additional ones added in NTPv4.
498 There are 12 tests designated TEST1 through TEST12. The tests are per‐
499 formed in a certain order designed to gain maximum diagnostic informa‐
500 tion while protecting against accidental or malicious errors. The flash
501 variable is initialized to zero as each packet is received. If after
502 each set of tests one or more bits are set, the packet is discarded.
503 Tests TEST1 through TEST3 check the packet timestamps from which the
505 offset and delay are calculated. If any bits are set, the packet is
506 discarded; otherwise, the packet header variables are saved. TEST4 and
507 TEST5 are associated with access control and cryptographic authentica‐
508 tion. If any bits are set, the packet is discarded immediately with
509 nothing changed.
510 Tests TEST6 through TEST8 check the health of the server. If any bits
512 are set, the packet is discarded; otherwise, the offset and delay rela‐
513 tive to the server are calculated and saved. TEST9 checks the health of
514 the association itself. If any bits are set, the packet is discarded;
515 otherwise, the saved variables are passed to the clock filter and miti‐
516 gation algorithms.
517 Tests TEST10 through TEST12 check the authentication state using
519 Autokey public-key cryptography, as described in the Authentication
520 Options page. If any bits are set and the association has previously
521 been marked reachable, the packet is discarded; otherwise, the origi‐
522 nate and receive timestamps are saved, as required by the NTP protocol,
523 and processing continues.
524 The flash bits for each test are defined as follows.
526 0x001 TEST1
529 Duplicate packet. The packet is at best a casual retransmission
530 and at worst a malicious replay.
531 0x002 TEST2
533 Bogus packet. The packet is not a reply to a message previously
534 sent. This can happen when the NTP daemon is restarted and
535 before somebody else notices.
536 0x004 TEST3
538 Unsynchronized. One or more timestamp fields are invalid. This
539 normally happens when the first packet from a peer is received.
540 0x008 TEST4
542 Access is denied. See the Access Control Options page.
543 0x010 TEST5
545 Cryptographic authentication fails. See the Authentication
546 Options page.
547 0x020 TEST6
549 The server is unsynchronized. Wind up its clock first.
550 0x040 TEST7
552 The server stratum is at the maximum than 15. It is probably
553 unsynchronized and its clock needs to be wound up.
554 0x080 TEST8
556 Either the root delay or dispersion is greater than one second,
557 which is highly unlikely unless the peer is unsynchronized to
558 Mars.
559 0x100 TEST9
561 Either the peer delay or dispersion is greater than one second,
562 which is highly unlikely unless the peer is on Mars.
563 0x200 TEST10
565 The autokey protocol has detected an authentication failure.
566 See the Authentication Options page.
567 0x400 TEST11
569 The autokey protocol has not verified the server or peer is
570 proventic and has valid public key credentials. See the Authen‐
571 tication Options page.
572 0x800 TEST12
574 A protocol or configuration error has occurred in the public
575 key algorithms or a possible intrusion event has been detected.
576 See the Authentication Options page.
577
580 The peers command is non-atomic and may occasionally result in spurious
581 error messages about invalid associations occurring and terminating the
582 command. The timeout time is a fixed constant, which means you wait a
583 long time for timeouts since it assumes sort of a worst case. The pro‐
584 gram should improve the timeout estimate as it sends queries to a par‐
585 ticular host, but doesn't.
586
589 ntpd(8), ntpdc(8)
590 Primary source of documentation: /usr/share/doc/ntp-*
592 This file was automatically generated from HTML source.
594 ntpq(8)