Manual Pages for UNIX Darwin command on man ntpq

NTPQ(8) BSD System Manager's Manual NTPQ(8)

NAME

nnttppqq - standard NTP query program

SYNOPSIS

nnttppqq [-iinnpp] [-cc command] [host ...]

DESCRIPTION

The nnttppqq utility is used to query NTP servers which implement the recom-

mended NTP mode 6 control message format about current state and to

request changes in that state. The program may be run either in interac-

tive mode or controlled using command line arguments. Requests to read

and write arbitrary variables can be assembled, with raw and pretty-

printed output options being available. The nnttppqq utility can also obtain and print a list of peers in a common format by sending multiple queries to the server. If one or more request options is included on the command line when nnttppqq is executed, each of the requests will be sent to the NTP servers running on each of the hosts given as command line arguments, or on localhost by

default. If no request options are given, nnttppqq will attempt to read com-

mands from the standard input and execute these on the NTP server running

on the first host given on the command line, again defaulting to local-

host when no other host is specified. The nnttppqq utility will prompt for commands if the standard input is a terminal device. The nnttppqq utility uses NTP mode 6 packets to communicate with the NTP

server, and hence can be used to query any compatible server on the net-

work which permits it. Note that since NTP is a UDP protocol this commu-

nication will be somewhat unreliable, especially over large distances in terms of network topology. The nnttppqq utility makes one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time.

For examples and usage, see the "NTP Debugging Techniques" page (avail-

able as part of the HTML documentation provided in /usr/share/doc/ntp). The following options are available:

-cc The following argument is interpreted as an interactive format

command and is added to the list of commands to be executed on

the specified host(s). Multiple -cc options may be given.

-ii Force nnttppqq to operate in interactive mode. Prompts will be writ-

ten to the standard output and commands read from the standard input.

-nn Output all host addresses in dotted-quad numeric format rather

than converting to the canonical host names.

-pp Print a list of the peers known to the server as well as a sum-

mary of their state. This is equivalent to the ppeeeerrss interactive command.

Specifying a command line option other than -ii or -nn will cause the spec-

ified query (queries) to be sent to the indicated host(s) immediately. Otherwise, nnttppqq will attempt to read interactive format commands from the standard input. IInntteerrnnaall CCoommmmaannddss Interactive format commands consist of a keyword followed by zero to four

arguments. Only enough characters of the full keyword to uniquely iden-

tify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a `>', followed by a file name, to the command line. A number of interactive format commands are executed entirely within the nnttppqq utility itself and do not result in NTP mode 6 requests being sent to a server. These are described following. ?? [commandkeyword] hheellpp [commandkeyword] A `?' by itself will print a list of all the command keywords known to this incarnation of nnttppqq. A `?' followed by a command

keyword will print function and usage information about the com-

mand. This command is probably a better source of information about nnttppqq than this manual page. aaddddvvaarrss variablename[=value ...] rrmmvvaarrss variablename ... cclleeaarrvvaarrss The data carried by NTP mode 6 messages consists of a list of items of the form `variablename=value', where the `=value' is ignored, and can be omitted, in requests to the server to read variables. The nnttppqq utility maintains an internal list in which data to be included in control messages can be assembled, and sent using the rreeaaddlliisstt and wwrriitteelliisstt commands described below. The aaddddvvaarrss command allows variables and their optional values to be added to the list. If more than one variable is to be added,

the list should be comma-separated and not contain white space.

The rrmmvvaarrss command can be used to remove individual variables from the list, while the cclleeaarrlliisstt command removes all variables from the list. aauutthheennttiiccaattee yyeess | nnoo Normally nnttppqq does not authenticate requests unless they are write requests. The command `authenticate yes' causes nnttppqq to send authentication with all requests it makes. Authenticated

requests causes some servers to handle requests slightly differ-

ently, and can occasionally melt the CPU in fuzzballs if you turn authentication on before doing a ppeeeerr display.

ccooookkeedd Causes output from query commands to be "cooked", so that vari-

ables which are recognized by nnttppqq will have their values refor-

matted for human consumption. Variables which nnttppqq thinks should have a decodable value but didn't are marked with a trailing `?'. ddeebbuugg mmoorree | lleessss | ooffff Turns internal query program debugging on and off. ddeellaayy milliseconds Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. hhoosstt hostname Set the host to which future queries will be sent. Hostname may be either a host name or a numeric address. hhoossttnnaammeess yyeess | nnoo

If yyeess is specified, host names are printed in information dis-

plays. If nnoo is specified, numeric addresses are printed instead. The default is yyeess, unless modified using the command

line -nn switch.

kkeeyyiidd keyid This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond to

a key number the server has been configured to use for this pur-

pose. nnttppvveerrssiioonn 11 | 22 | 33 | 44 Sets the NTP version number which nnttppqq claims in packets. Defaults to 3, Note that mode 6 control messages (and modes, for that matter) didn't exist in NTP version 1. There appear to be no servers left which demand version 1. qquuiitt Exit nnttppqq. ppaasssswwdd This command prompts you to type in a password (which will not be echoed) which will be used to authenticate configuration requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. rraaww Causes all output from query commands is printed as received from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form. ttiimmeeoouutt milliseconds Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. Note that since nnttppqq retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. CCoonnttrrooll MMeessssaaggee CCoommmmaannddss

Each peer known to an NTP server has a 16 bit integer association identi-

fier assigned to it. NTP control messages which carry peer variables

must identify the peer the values correspond to by including its associa-

tion ID. An association ID of 0 is special, and indicates the variables are system variables, whose names are drawn from a separate name space. Control message commands result in one or more NTP mode 6 messages being sent to the server, and cause the data returned to be printed in some format. Most commands currently implemented send a single message and expect a single response. The current exceptions are the peers command, which will send a preprogrammed series of messages to obtain the data it needs, and the mreadlist and mreadvar commands, which will iterate over a range of associations. aassssoocciiaattiioonnss Obtains and prints a list of association identifiers and peer

statuses for in-spec peers of the server being queried. The list

is printed in columns. The first of these is an index numbering the associations from 1 for internal use, the second the actual association identifier returned by the server and the third the

status word for the peer. This is followed by a number of col-

umns containing data decoded from the status word. See the peers command for a decode of the `condition' field. Note that the data returned by the aassssoocciiaattiioonnss command is cached internally in nnttppqq. The index is then of use when dealing with stupid servers which use association identifiers which are hard for humans to

type, in that for any subsequent commands which require an asso-

ciation identifier as an argument, the form of index may be used as an alternative. cclloocckkvvaarr [assocID] [variablename[=value ...]] ... ccvv [assocID] [variablename[=value ...]] ... Requests that a list of the server's clock variables be sent.

Servers which have a radio clock or other external synchroniza-

tion will respond positively to this. If the association identi-

fier is omitted or zero the request is for the variables of the `system clock' and will generally get a positive response from

all servers with a clock. If the server treats clocks as pseudo-

peers, and hence can possibly have more than one clock connected at once, referencing the appropriate peer association ID will show the variables of a particular clock. Omitting the variable list will cause the server to return a default variable display. llaassssoocciiaattiioonnss Obtains and prints a list of association identifiers and peer statuses for all associations for which the server is maintaining state. This command differs from the aassssoocciiaattiioonnss command only

for servers which retain state for out-of-spec client associa-

tions (i.e., fuzzballs). Such associations are normally omitted from the display when the aassssoocciiaattiioonnss command is used, but are included in the output of llaassssoocciiaattiioonnss. llppaassssoocciiaattiioonnss

Print data for all associations, including out-of-spec client

associations, from the internally cached list of associations. This command differs from ppaassssoocciiaattiioonnss only when dealing with fuzzballs. llppeeeerrss Like R peers, except a summary of all associations for which the server is maintaining state is printed. This can produce a much longer list of peers from fuzzball servers. mmrreeaaddlliisstt assocID assocID mmrrll assocID assocID Like the rreeaaddlliisstt command, except the query is done for each of a range of (nonzero) association IDs. This range is determined from the association list cached by the most recent aassssoocciiaattiioonnss command. mmrreeaaddvvaarr assocID assocID [variablename[=value ...]] mmrrvv assocID assocID [variablename[=value ...]] Like the rreeaaddvvaarr command, except the query is done for each of a range of (nonzero) association IDs. This range is determined from the association list cached by the most recent aassssoocciiaattiioonnss command. ooppeeeerrss An old form of the ppeeeerrss command with the reference ID replaced by the local interface address. ppaassssoocciiaattiioonnss

Displays association data concerning in-spec peers from the

internally cached list of associations. This command performs identically to the aassssoocciiaattiioonnss except that it displays the internally stored data rather than making a new query. ppeeeerrss Obtains a current list peers of the server, along with a summary of each peer's state. Summary information includes the address of the remote peer, the reference ID (0.0.0.0 if this is unknown), the stratum of the remote peer, the type of the peer (local, unicast, multicast or broadcast), when the last packet was received, the polling interval, in seconds, the reachability register, in octal, and the current estimated delay, offset and dispersion of the peer, all in milliseconds. The character in the left margin indicates the fate of this peer in the clock selection process. Following is a list of these characters, the pigeon used in the rrvv command, and a short explanation of the condition revealed.

space (reject) The peer is discarded as unreachable, synchro-

nized to this server (synch loop) or outrageous synchro-

nization distance. x (falsetick) The peer is discarded by the intersection algorithm as a falseticker. . (excess) The peer is discarded as not among the first ten

peers sorted by synchronization distance and so is proba-

bly a poor candidate for further consideration.

- (outlyer) The peer is discarded by the clustering algo-

rithm as an outlyer. + (candidate) The peer is a survivor and a candidate for the combining algorithm.

# (selected) The peer is a survivor, but not among the

first six peers sorted by synchronization distance. If the association is ephemeral, it may be demobilized to conserve resources. * (peer) The peer has been declared the system peer and lends its variables to the system variables. o ((pps.peer)) The peer has been declared the system peer

and lends its variables to the system variables. How-

ever, the actual system synchronization is derived from a

pulse-per-second (PPS) signal, either indirectly via the

PPS reference clock driver or directly via kernel inter-

face. The flash variable is a valuable debugging aid. It displays the results

of the original sanity checks defined in the NTP specification RFC-1305

and additional ones added in NTP Version 4. There are eleven tests called TTEESSTT11 through TTEESSTT1111. The tests are performed in a certain order designed to gain maximum diagnostic information while protecting against accidental or malicious errors. The flash variable is first initialized to zero. If after each set of tests one or more bits are set, the packet is discarded.

Tests TTEESSTT44 and TTEESSTT55 check the access permissions and cryptographic mes-

sage digest. If any bits are set after that, the packet is discarded.

Tests TTEESSTT1100 and TTEESSTT1111 check the authentication state using Autokey pub-

lic-key cryptography, as described in the Authentication Options section

of ntp.conf(5). If any bits are set and the association has previously been marked reachable, the packet is discarded; otherwise, the originate and receive timestamps are saved, as required by the NTP protocol, and processing continues.

Tests TTEESSTT11 through TTEESSTT33 check the packet timestamps from which the off-

set and delay are calculated. If any bits are set, the packet is dis-

carded; otherwise, the packet header variables are saved. Tests TTEESSTT66 through TTEESSTT88 check the health of the server. If any bits are set, the packet is discarded; otherwise, the offset and delay relative to the server are calculated and saved. Test TTEESSTT99 checks the health of the

association itself. If any bits are set, the packet is discarded; other-

wise, the saved variables are passed to the clock filter and mitigation algorithms.

The flash bits for each test read in increasing order from the least sig-

nificant bit are defined as follows. TTEESSTT11 Duplicate packet. The packet is at best a casual retransmission and at worst a malicious replay. TTEESSTT22 Bogus packet. The packet is not a reply to a message previously sent. This can happen when the NTP daemon is restarted and before somebody else notices. TTEESSTT33 Unsynchronized. One or more timestamp fields are invalid. This normally happens when the first packet from a peer is received. TTEESSTT44 Access is denied. See the "Access Control" page. TTEESSTT55 Cryptographic authentication fails. See the Authentication Options section of ntp.conf(5). TTEESSTT66 The server is unsynchronized. Wind up its clock first. TTEESSTT77 The server stratum is at the maximum than 15. It is probably unsynchronized and its clock needs to be wound up. TTEESSTT88 Either the root delay or dispersion is greater than one second, which is highly unlikely unless the peer is synchronized to Mars. TTEESSTT99 Either the peer delay or dispersion is greater than one second, which is highly unlikely unless the peer is on Mars. TTEESSTT1100 The autokey protocol has detected an authentication failure. See the Authentication Options section of ntp.conf(5). TTEESSTT1111 The autokey protocol has not verified the server or peer is authentic and has valid public key credentials. See the Authentication Options section of ntp.conf(5). Additional system variables used by the NTP Version 4 Autokey support include the following: cceerrttiiffiiccaattee filestamp Shows the NTP seconds when the certificate file was created. hhoossttnnaammee host Shows the name of the host as returned by the Unix gethostname(3) library function. ffllaaggss hex Shows the current flag bits, where the hex bits are interpreted as follows: 0x01 autokey enabled 0x02 RSA public/private key files present 0x04 PKI certificate file present

0x08 Diffie-Hellman parameters file present

0x10 NIST leapseconds table file present lleeaappsseeccoonnddss filestamp Shows the NTP seconds when the NIST leapseconds table file was created. ppaarraammss filestamp

Shows the NTP seconds when the Diffie-Hellman agreement parameter

file was created. ppuubblliicckkeeyy filestamp Shows the NTP seconds when the RSA public/private key files were created. rreeffrreesshh filestamp Shows the NTP seconds when the public cryptographic values were refreshed and signed. ttaaii offset

Shows the TAI-UTC offset in seconds obtained from the NIST

leapseconds table. Additional peer variables used by the NTP Version 4 Autokey support include the following: cceerrttiiffiiccaattee filestamp Shows the NTP seconds when the certificate file was created. ffllaaggss hex Shows the current flag bits, where the hex bits are interpreted as in the system variable of the same name. The bits are set in the first autokey message received from the server and then reset as the associated data are obtained from the server and stored. hhccooookkiiee hex Shows the host cookie used in the key agreement algorithm. iinniittkkeeyy key Shows the initial key used by the key list generator in the autokey protocol. iinniittsseeqquueennccee index Shows the initial index used by the key list generator in the autokey protocol. ppccooookkiiee hex Specifies the peer cookie used in the key agreement algorithm. ttiimmeessttaammpp time

Shows the NTP seconds when the last autokey key list was gener-

ated and signed. ppssttaattuuss assocID

Sends a read status request to the server for the given associa-

tion. The names and values of the peer variables returned will

be printed. Note that the status word from the header is dis-

played preceding the variables, both in hexadecimal and in pid-

geon English. rreeaaddlliisstt assocID rrll assocID

Requests that the values of the variables in the internal vari-

able list be returned by the server. If the association ID is omitted or is 0 the variables are assumed to be system variables. Otherwise they are treated as peer variables. If the internal variable list is empty a request is sent without data, which should induce the remote server to return a default display. rreeaaddvvaarr assocID variablename[=value] ... rrvv assocID variablename[=value] ... Requests that the values of the specified variables be returned

by the server by sending a read variables request. If the asso-

ciation ID is omitted or is given as zero the variables are sys-

tem variables, otherwise they are peer variables and the values returned will be those of the corresponding peer. Omitting the variable list will send a request with no data which should induce the server to return a default display. wwrriitteevvaarr assocID variablename[=value] ... Like the readvar request, except the specified variables are written instead of read. wwrriitteelliisstt [assocID] Like the readlist request, except the internal list variables are written instead of read.

BUGS

The ppeeeerrss command is non-atomic and may occasionally result in spurious

error messages about invalid associations occurring and terminating the command. The timeout time is a fixed constant, which means you wait a

long time for timeouts since it assumes sort of a worst case. The pro-

gram should improve the timeout estimate as it sends queries to a partic-

ular host, but doesn't. BSD January 7, 2000 BSD