ntpq - Network Time Protocol query program
/usr/sbin/ntpq [-46dpinv?!] [-c command] [-D debuglvl] [-< optfile] [-> optfile] [host] [...]
System Administration Commands ntpq(8)
NAME
ntpq - Network Time Protocol query program
SYNOPSIS
/usr/sbin/ntpq [-46dpinv?!] [-c command]
[-D debuglvl] [-< optfile] [-> optfile] [host] [...]
DESCRIPTION
The ntpq utility program is used to monitor NTP daemon ntpd operations
and determine performance. It uses the standard NTP mode 6 control mes-
sage formats defined in Appendix B of the NTPv3 specification RFC1305.
The same formats are used in NTPv4, although some of the variables have
changed and new ones added. The description on this page is for the
NTPv4 variables.
The program can be run either in interactive mode or controlled using
command line arguments. Requests to read and write arbitrary variables
can be assembled, with raw and pretty-printed output options being
available. The ntpq utility can also obtain and print a list of peers
in a common format by sending multiple queries to the server.
If one or more request options are included on the command line when
ntpq is executed, each of the requests will be sent to the NTP servers
running on each of the hosts given as command line arguments, or on the
localhost by default. If no request options are given, ntpq will
attempt to read commands from the standard input and execute these on
the NTP server running on the first host given on the command line,
again defaulting to localhost when no other host is specified. ntpq
will prompt for commands if the standard input is a terminal device.
The ntpq utility uses NTP mode 6 packets to communicate with the NTP
server, and hence can be used to query any compatible server on the
network which permits it. Note that since NTP is a UDP protocol this
communication will be somewhat unreliable, especially over large dis-
tances in terms of network topology. The ntpq program makes one attempt
to retransmit requests, and will time requests out if the remote host
is not heard from within a suitable timeout time.
In contexts where a host name is expected, a -4 qualifier preceding the
host name forces DNS resolution to the IPv4 namespace, while a -6 qual-
ifier forces DNS resolution to the IPv6 namespace. On the command line,
only one of the two can be given.
For examples of usage of ntpq, see the NTP Debugging Techniques page at
file:///usr/share/doc/ntp/debug.html.
OPTIONS
Specifying a command line option other than -i or -n will cause the
specified query (queries) to be sent to the indicated host(s) immedi-
ately. Otherwise, ntpq will attempt to read interactive format com-
mands from the standard input.
-4, --ipv4
Force DNS resolution of following host names on the command line
to the IPv4 namespace. Cannot be used with the --ipv6 option.
-6, --ipv6
Force DNS resolution of following host names on the command line
to the IPv6 namespace. Cannot be used with the --ipv4 option.
-c cmd, --command=cmd
The following argument is interpreted as an interactive format
command and is added to the list of commands to be executed on
the specified host(s). This option may appear an unlimited num-
ber of times. After all such commands are executed against all
listed hosts, the program exits.
-d, --debug-level
Increase output debug message level. This option may appear an
unlimited number of times.
-D number, --set-debug-level=string
Set the output debug message level. This option may appear an
unlimited number of times, but only the last one will be used.
-p, --peers
Print a list of the peers known to the server as well as a sum-
mary of their state. This is equivalent to the 'peers' interac-
tive command.
-i, --interactive
Force ntpq to operate in interactive mode. Prompts will be
written to the standard output and commands read from the stan-
dard input. This option must not appear in combination with
either the --command or --peers options.
-n, --numeric
Output all host addresses in numeric format rather than convert-
ing to the host names.
-?, --help
Display usage information and exit.
-!, --more-help
Extended usage information passed thru a pager.
-> rcfile, --save-opts=rcfile
Save the option state to rcfile.
-< rcfile, --load-opts=rcfile, --no-load-opts
Load options from rcfile. The no-load-opts form will disable
the loading of earlier RC/INI files. --no-load-opts is handled
early, out of order.
-v, --version
Output version of program and exit.
OPTION PRESETS
Most options may be preset by loading values from configuration file(s)
and values from environment variables named:
NTPQ_<option-name> or NTPQ
The environmental presets take precedence (are processed later than)
the configuration files. The option-name should be in all capital let-
ters. For example, to set the --command option, you would set the
NTPQ_COMMAND environment variable. The users home directory and the
current directory are searched for a file named .ntprc.
USAGE
Interactive format commands consist of a keyword followed by zero to
four arguments. Only enough characters of the full keyword to uniquely
identify the command need be typed. The output of a command is nor-
mally sent to the standard output, but optionally the output of indi-
vidual commands may be sent to a file by appending a >, followed by a
file name, to the command line.
Internal Commands
A number of interactive commands are executed entirely within the ntpq
utility itself and do not result in requests being sent to a server.
These commands are as follows:
? [command_keyword], help [command_keyword]
Prints a list of all the command keywords known to ntpq. Fol-
lowed by a command keyword will print function and usage infor-
mation about the command.
addvars variable_name[=value] ...
rmvars variable_name ...
showvars
clearvars
The data carried by NTP mode 6 messages consists of a list of
items of the form variable_name=value. In requests to read vari-
able, the =value is ignored, and can be omitted. The ntpq util-
ity maintains an internal list in which data to be included in
control messages can be assembled, and sent using the readlist
and writelist commands described below. The addvars command
allows variables and their optional values to be added to the
list. If more than one variable is to be added, the list should
be comma-separated and not contain white space. The showvars
command lists the current variable list. The rmvars command can
be used to remove individual variables from the list, while the
clearlist command removes all variables from the list.
authenticate [ yes | no ]
Normally ntpq only sends authentication with write requests.
The command authenticate yes causes ntpq to send authentication
with all requests it makes. The command authenticate with no
keyword causes ntpq to display whether or not ntpq is currently
authenticating requests.
cooked Causes output from query commands to be "cooked", so that vari-
ables which are recognized by ntpq will have their values refor-
matted for human consumption. Variables which ntpq thinks
should have a decodable value but didn't are marked with a
trailing ?.
debug [ more | less | off ]
With no argument, displays the current debug level. Otherwise,
the debug level is changed by the indicated amount.
delay milliseconds
Specify a time interval to be added to timestamps included in
requests which require authentication. This is used to enable
(unreliable) server reconfiguration over long delay network
paths or between machines whose clocks are unsynchronized.
Actually the server does not now require timestamps in authenti-
cated requests, so this command may be obsolete.
host [ [ -4 | -6 ] hostname ]
Set the host to which future queries will be sent. The hostname
may be either a host name or a numeric address. With no argu-
ment, prints the current host.
hostnames [ yes | no ]
If yes is specified, host names are printed in information dis-
plays. If no is specified, numeric addresses are printed
instead. With no argument, prints the current setting. The
default is yes, unless modified using the command line -n
switch.
keyid [ keyid# ]
This command specifies the key number to be used to authenticate
configuration requests. This must correspond to a key number
the server has been configured to use for this purpose.
keytype [ md5 ]
Prints or sets the type of key used for authentication. Cur-
rently only md5 is accepted.
ntpversion [ 1 | 2 | 3 | 4 ]
Sets the NTP version number which ntpq claims in packets.
Defaults to 2. Note that mode 6 control messages didn't exist in
NTP version 1. Luckily there appear to be no servers left which
demand version 1. With no argument, displays the current NTP
version that will be used when communicating with servers.
passwd This command prompts you to type in a password (which will not
be echoed) which will be used to authenticate configuration
requests. The password must correspond to the key configured
for use by the NTP server for this purpose.
quit Exit ntpq .
raw Causes all output from query commands is printed as received
from the remote server. The only formatting/interpretation done
on the data is to transform nonascii data into a printable (but
barely understandable) form.
timeout milliseconds
Specify a timeout period for responses to server queries. The
default is about 5000 milliseconds. Note that since ntpq
retries each query once after a timeout, the total waiting time
for a timeout will be twice the timeout value set.
Control Message Commands
Each association known to an NTP server has a 16 bit integer associa-
tion identifier. NTP control messages which carry peer variables must
identify the peer the values correspond to by including its association
ID. An association ID of 0 is special, and indicates the variables are
system variables, whose names are drawn from a separate name space.
Control message commands result in one or more NTP mode 6 messages
being sent to the server, and cause the data returned to be printed in
some format. Most commands currently implemented send a single message
and expect a single response. The current exceptions are the peers com-
mand, which will send a preprogrammed series of messages to obtain the
data it needs, and the mreadlist and mreadvar commands, which will
iterate over a range of associations.
associations
Obtains and prints a list of association identifiers and peer
statuses for in-spec peers of the server being queried. The list
is printed in columns. The first of these is an index numbering
the associations from 1 for internal use, the second the actual
association identifier returned by the server and the third the
status word for the peer. This is followed by a number of col-
umns containing data decoded from the status word. See the peers
command for a decode of the condition field. The data returned
by the associations command is cached internally in ntpq and
used in subsequent commands. After the first associations com-
mand the index can be used in place of the association identi-
fier by specifying the identifier in the form &index.
clocklist [assocID]
cl [assocID]
Read the values of the clock variables included in the variable
list
clockvar [assocID] [variable_name [ = value [...]] [...]
cv [assocID] [variable_name [ = value [...] ][...]
Requests that a list of the server's clock variables be sent.
Servers which have a radio clock or other external synchroniza-
tion will respond positively to this. If the association identi-
fier is omitted or zero the request is for the variables of the
system clock and will generally get a positive response from all
servers with a clock. If the server treats clocks as pseudo-
peers, and hence can possibly have more than one clock connected
at once, referencing the appropriate peer association ID will
show the variables of a particular clock. Omitting the variable
list will cause the server to return a default variable display.
:config config_command
Sends the entire line after :config to the ntpd daemon to be
interpreted as a configuration file command. Multiple commands
may be separated by semi-colons.
config-from-file config_file
Sends the entire file config_file to the ntpd daemon to be
interpreted as configuration file commands.
ifstats
Display statistics for each local network address. Authentica-
tion is required.
iostats
Display network and reference clock I/O statistics.
kerninfo
Display kernel loop and PPS statistics. As with other ntpq out-
put, times are in milliseconds. The precision value displayed is
in milliseconds as well, unlike the precision system variable.
lassociations Obtains and prints a list of association identi-
fiers and peer statuses for all associations for which the
server is maintaining state. This command differs from the asso-
ciations command only for servers which retain state for out-of-
spec client associations (i.e., fuzzballs). Such associations
are normally omitted from the display when the associations com-
mand is used, but are included in the output of lassociations.
When used with the ntpd in this distribution, this command is
idenitical to associations.
lpassociations
Print data for all associations, including out-of-spec client
associations, from the internally cached list of associations.
lopeers
Same as opeers but from the internally cached data.
lpeers Like peers, except a summary of all associations for which the
server is maintaining state is printed. This can produce a much
longer list of peers from fuzzball servers, but for most servers
this is identical with peers.
monstats
Display monitor facility statistics.
mrulist [limited | kod | mincount=count | laddr=localaddr | sort=sor-
torder | resany=hexmask | resall=hexmask ]
Obtain and print traffic counts collected and maintained by the
monitor facility. With the exception of sort=sortorder, the
options filter the list returned by ntpd. The limited and kod
options return only entries representing client addresses from
which the last packet received triggered either discarding or a
KoD response. The mincount=count option filters entries repre-
senting less than count packets. The laddr=localaddr option fil-
ters entries for packets received on any local address other
than localaddr. resany=hexmask and resall=hexmask filter entries
containing none or less than all, respectively, of the bits in
hexmask, which must begin with 0x.
mreadlist assocID assocID
mrl assocID assocID
Like the readlist command, except the query is done for each of
a range of (nonzero) association IDs. This range is determined
from the association list cached by the most recent associations
command. An assocIDs may be either an association identify or
the equivalent &index form.
mreadvar assocID assocID [ variable_name [ = value[ ... ]
mrv assocID assocID [ variable_name [ = value[ ... ]
Like the readvar command, except the query is done for each of a
range of (nonzero) association IDs. This range is determined
from the association list cached by the most recent associations
command.
opeers An old form of the peers command with the reference ID replaced
by the local interface address.
passociations
Displays association data concerning in-spec peers from the
internally cached list of associations. This command performs
identically to the associations except that it displays the
internally stored data rather than making a new query.
peers Obtains a current list peers of the server, along with a summary
of each peer's state. Summary information includes the address
of the remote peer, the reference ID (0.0.0.0 if this is
unknown), the stratum of the remote peer, the type of the peer
(local, unicast, multicast or broadcast), when the last packet
was received, the polling interval, in seconds, the reachability
register, in octal, and the current estimated delay, offset and
dispersion of the peer, all in milliseconds. The character at
the left margin of each line shows the synchronization status of
the association and is a valuable diagnostic tool. The encoding
and meaning of this character, called the tally code, is given
later in this page.
readlist [ assocID ]
rl [ assocID ]
Requests that the values of the variables in the internal vari-
able list be returned by the server. If the association ID is
omitted or is 0 the variables are assumed to be system vari-
ables. Otherwise they are treated as peer variables. If the
internal variable list is empty a request is sent without data,
which should induce the remote server to return a default dis-
play.
readvar assocID variable_name [ = value ] [ ...]
rv assocID [ variable_name [ = value ] [...]
Requests that the values of the specified variables be returned
by the server by sending a read variables request. If the asso-
ciation ID is omitted or is given as zero the variables are sys-
tem variables, otherwise they are peer variables and the values
returned will be those of the corresponding peer. Omitting the
variable list will send a request with no data which should
induce the server to return a default display. The encoding and
meaning of the variables derived from NTPv3 is given in
RFC-1305; the encoding and meaning of the additional NTPv4 vari-
ables are given later in this page.
saveconfig filename
Write the current configuration, including any runtime modifica-
tions given with :config or config-from-file, to the ntpd host's
file filename. This command will be rejected by the server
unless saveconfigdir appears in the ntpd configuration file.
filename can use strftime() format which specifies to substitute
the current date and time, for example, "saveconfig
ntp-%Y%m%d-%H%M%S.conf". The filename used is stored in system
variable savedconfig. Authentication is required.
writevar assocID variable_name [ = value [ ...]
Like the readvar request, except the specified variables are
written instead of read.
writelist [ assocID ]
Like the readlist request, except the internal list variables
are written instead of read.
sysinfo
Display operational summary.
sysstats
Print statistics counters maintained in the protocol module.
Tally Codes
The character in the left margin in the peers billboard, called the
tally code, shows the fate of each association in the clock selection
process. Following is a list of these characters, the pidgeon used in
the rv command, and a short explanation of the condition revealed.
space reject
The peer is discarded as unreachable, synchronized to this
server (synch loop) or outrageous synchronization distance.
x falseticker
The peer is discarded by the intersection algorithm as a falset-
icker.
. excess
The peer is discarded as not among the first ten peers sorted by
synchronization distance and so is probably a poor candidate for
further consideration.
- outlyer
The peer is discarded by the clustering algorithm as an outlyer.
+ candidate
The peer is a survivor and a candidate for the combining algo-
rithm.
# selected
The peer is a survivor, but not among the first six peers sorted
by synchronization distance. If the association is ephemeral, it
may be demobilized to conserve resources.
* sys.peer
The peer has been declared the system peer and lends its vari-
ables to the system variables.
o pps.peer
The peer has been declared the system peer and lends its vari-
ables to thesystem variables. However, the actual system syn-
chronization is derived from a pulse-per-second (PPS) signal,
either indirectly via the PPS reference clock driver or directly
via kernel interface.
System Variables
The status, leap, stratum, precision, rootdelay, rootdispersion, refid,
reftime, poll, offset, and frequency variables are described in
RFC-1305 specification. Additional NTPv4 system variables include the
following:
version
Everything you might need to know about the software version and
generation time.
processor
The processor and kernel identification string.
system The operating system version and release identifier.
state The state of the clock discipline state machine. The values are
described in the architecture briefing on the NTP Project page
linked from www.ntp.org.
peer The internal integer used to identify the association currently
designated the system peer.
jitter The estimated time error of the system clock measured as an
exponential average of RMS time differences.
stability
The estimated frequency stability of the system clock measured
as an exponential average of RMS frequency differences.
In addition, some or all of the following system variables related to
the crypto authentication are displayed, depending on the state of the
particular crypto dance in use:
hostname
The name of the host as returned by the Unix gethostname()
library function.
hostkey
The NTP filestamp of the host key file.
flags The current flags word bits and message digest algorithm identi-
fier (NID) in hex format. The high order 16 bits of the four-
byte word contain the NID from the OpenSSL ligrary, while the
low-order bits are interpreted as follows: 0x01: autokey
enabled, 0x02: NIST leapseconds file loaded, 0x10: PC identity
scheme, 0x20: IFF identity scheme, 0x40: GQ identity scheme.
cert A list of certificates held by the host. Each entry includes the
subject, issuer, flags and NTP filestamp in order. The bits are
interpreted as follows: 0x01: signed by the server, 0x02:
trusted, 0x04: private, 0x08: contains errors and is not
trusted.
leapseconds
The NTP filestamp of the NIST leapseconds file.
refresh
The NTP timestamp when the host public cryptographic values were
refreshed and signed.
signature
The host digest/signature scheme name from the OpenSSL library.
tai The TAI-UTC offset in seconds obtained from the NIST leapseconds
table.
Peer Variables
The status, srcadr, srcport, dstadr, dstport, leap, stratum, precision,
rootdelay, rootdispersion, readh, hmode, pmode, hpoll, ppoll, offset,
delay, dspersion, reftime variables are described in the RFC-1305 spec-
ification, as are the timestamps org, rec and xmt. Additional NTPv4
system variables include the following.
flash The flash code for the most recent packet received. The encoding
and meaning of these codes is given later in this page.
jitter The estimated time error of the peer clock measured as an expo-
nential average of RMS time differences.
unreach
The value of the counter which records the number of poll inter-
vals since the last valid packet was received.
In addition, some or all of the following peer variables are displayed
related to the crypto auithentication:
flags The current flag bits. This word is the server host status word
with additional bits used by the Autokey state machine. See the
source code for the bit encoding.
hostname
The server host name.
initkey key
The initial key used by the key list generator in the Autokey
protocol.
initsequence index
The initial index used by the key list generator in the Autokey
protocol.
signature
The server message digest/signature scheme name from the OpenSSL
software library.
timestamp time
The NTP timestamp when the last Autokey key list was generated
and signed.
Flash Codes
The flash code is a valuable debugging aid displayed in the peer vari-
ables list. It shows the results of the original sanity checks defined
in the NTP specification RFC-1305 and additional ones added in NTPv4.
There are 12 tests designated TEST1 through TEST12. The tests are per-
formed in a certain order designed to gain maximum diagnostic informa-
tion while protecting against accidental or malicious errors. The flash
variable is initialized to zero as each packet is received. If after
each set of tests one or more bits are set, the packet is discarded.
Tests TEST1 through TEST3 check the packet timestamps from which the
offset and delay are calculated. If any bits are set, the packet is
discarded; otherwise, the packet header variables are saved. TEST4 and
TEST5 are associated with access control and cryptographic authentica-
tion. If any bits are set, the packet is discarded immediately with
nothing changed.
Tests TEST6 through TEST8 check the health of the server. If any bits
are set, the packet is discarded; otherwise, the offset and delay rela-
tive to the server are calculated and saved. TEST9 checks the health of
the association itself. If any bits are set, the packet is discarded;
otherwise, the saved variables are passed to the clock filter and miti-
gation algorithms.
Tests TEST10 through TEST12 check the authentication state using
Autokey public-key cryptography, as described in the Authentication
Options page at file:///usr/share/doc/ntp/authopt.html. If any bits are
set and the association has previously been marked reachable, the
packet is discarded; otherwise, the originate and receive timestamps
are saved, as required by the NTP protocol, and processing continues.
The flash bits for each test are defined as follows.
0x001 TEST1
Duplicate packet. The packet is at best a casual retransmission
and at worst a malicious replay.
0x002 TEST2
Bogus packet. The packet is not a reply to a message previously
sent. This can happen when the NTP daemon is restarted and
before somebody else notices.
0x004 TEST3
Unsynchronized. One or more timestamp fields are invalid. This
normally happens when the first packet from a peer is received.
0x008 TEST4
Access is denied. See the Access Control Options page at
file:///usr/share/doc/ntp/accopt.html.
0x010 TEST5
Cryptographic authentication fails. See the Authentication
Options page referenced above.
0x020TEST6
The server is unsynchronized. Wind up its clock first.
0x040 TEST7
The server stratum is at the maximum of 15. It is probably
unsynchronized and its clock needs to be wound up.
0x080 TEST8
Either the root delay or dispersion is greater than one second,
which is highly unlikely unless the peer is unsynchronized to
Mars.
0x100 TEST9
Either the peer delay or dispersion is greater than one second,
which is highly unlikely unless the peer is on Mars.
0x200 TEST10
The autokey protocol has detected an authentication failure. See
the Authentication Options page.
0x400 TEST11
The autokey protocol has not verified the server or peer is
proventic and has valid public key credentials. See the Authen-
tication Options page.
0x800 TEST12
A protocol or configuration error has occurred in the public key
algorithms or a possible intrusion event has been detected. See
the Authentication Options page.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
+---------------+---------------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+---------------------+
|Availability | service/network/ntp |
+---------------+---------------------+
|Stability | Uncommitted |
+---------------+---------------------+
NOTES
The documentation available at /usr/share/doc/ntp is provided as is
from the NTP distribution and may contain information that is not
applicable to the software as provided in this partIcular distribution.
The output of the ntpqP in version 4 differs from that in version 3 by
the replacement of the dispersion value with the jitter value in the
peers output.
Source code for open source software components in Oracle Solaris can
be found at https://www.oracle.com/downloads/opensource/solaris-source-
code-downloads.html.
This software was built from source available at
https://github.com/oracle/solaris-userland. The original community
source was downloaded from http://ar-
chive.ntp.org/ntp4/ntp-4.2/ntp-4.2.8p15.tar.gz.
Further information about this software can be found on the open source
community website at http://www.ntp.org/.
SEE ALSO
ntpd(8), ntprc(5), attributes(7)
ntpq(8)