Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
NTPQ(8)			FreeBSD	System Manager's Manual		       NTPQ(8)

NAME
     ntpq -- standard NTP query	program

SYNOPSIS
     ntpq [-inp] [-c command] [host] [...]

DESCRIPTION
     The ntpq utility is used to monitor NTP daemon ntpd(8) operations and
     determine performance.  It	uses the standard NTP mode 6 control message
     formats defined in	Appendix B of the NTPv3	specification RFC1305.	The
     same formats are used in NTPv4, although some of the variables have
     changed and new ones added.  The description on this page is for the
     NTPv4 variables.

     The program can be	run either in interactive mode or controlled using
     command line arguments.  Requests to read and write arbitrary variables
     can be assembled, with raw	and pretty-printed output options being	avail-
     able.  The	ntpq can also obtain and print a list of peers in a common
     format by sendingmultiple queries to the server.

     If	one or more request options is included	on the command line when ntpq
     is	executed, each of the requests will be sent to the NTP servers running
     on	each of	the hosts given	as command line	arguments, or on localhost by
     default.  If no request options are given,	ntpq will attempt to read com-
     mands from	the standard input and execute these on	the NTP	server running
     on	the first host given on	the command line, again	defaulting to local-
     host when no other	host is	specified.  The	ntpq utility will prompt for
     commands if the standard input is a terminal device.

     The ntpq utility uses NTP mode 6 packets to communicate with the NTP
     server, and hence can be used to query any	compatible server on the net-
     work which	permits	it.  Note that since NTP is a UDP protocol this	commu-
     nication will be somewhat unreliable, especially over large distances in
     terms of network topology.	 The ntpq utility makes	one attempt to
     retransmit	requests, and will time	requests out if	the remote host	is not
     heard from	within a suitable timeout time.

     For examples and usage, see the "NTP Debugging Techniques"	page (avail-
     able as part of the HTML documentation provided in	/usr/share/doc/ntp).

     The following options are available:

     -4	     Force DNS resolution of following host names on the command line
	     to	the IPv4 namespace.

     -6	     Force DNS resolution of following host names on the command line
	     to	the IPv6 namespace.

     -c	     The following argument is interpreted as an interactive format
	     command and is added to the list of commands to be	executed on
	     the specified host(s).  Multiple -c options may be	given.

     -d	     Turn on debugging mode.

     -i	     Force ntpq	to operate in interactive mode.	 Prompts will be writ-
	     ten to the	standard output	and commands read from the standard
	     input.

     -n	     Output all	host addresses in dotted-quad numeric format rather
	     than converting to	the canonical host names.

     -p	     Print a list of the peers known to	the server as well as a	sum-
	     mary of their state.  This	is equivalent to the peers interactive
	     command.

     Note that in contexts where a host	name is	expected, a -4 qualifier pre-
     ceding the	host name forces DNS resolution	to the IPv4 namespace, while a
     -6	qualifier forces DNS resolution	to the IPv6 namespace.	Specifying a
     command line option other than -i or -n will cause	the specified query
     (queries) to be sent to the indicated host(s) immediately.	 Otherwise,
     ntpq will attempt to read interactive format commands from	the standard
     input.

   Internal Commands
     Interactive format	commands consist of a keyword followed by zero to four
     arguments.	 Only enough characters	of the full keyword to uniquely	iden-
     tify the command need be typed.  The output of a command is normally sent
     to	the standard output, but optionally the	output of individual commands
     may be sent to a file by appending	a `>', followed	by a file name,	to the
     command line.  A number of	interactive format commands are	executed
     entirely within the ntpq utility itself and do not	result in NTP mode 6
     requests being sent to a server.  These are described following.

     ? [command_keyword]

     help [command_keyword]
	     A `?' by itself will print	a list of all the command keywords
	     known to this incarnation of ntpq.	 A `?' followed	by a command
	     keyword will print	function and usage information about the com-
	     mand.  This command is probably a better source of	information
	     about ntpq	than this manual page.

     addvars variable_name[=value ...]

     rmvars variable_name ...

     clearvars
	     The data carried by NTP mode 6 messages consists of a list	of
	     items of the form `variable_name=value', where the	`=value' is
	     ignored, and can be omitted, in requests to the server to read
	     variables.	 The ntpq utility maintains an internal	list in	which
	     data to be	included in control messages can be assembled, and
	     sent using	the readlist and writelist commands described below.
	     The addvars command allows	variables and their optional values to
	     be	added to the list.  If more than one variable is to be added,
	     the list should be	comma-separated	and not	contain	white space.
	     The rmvars	command	can be used to remove individual variables
	     from the list, while the clearlist	command	removes	all variables
	     from the list.

     cooked  Causes output from	query commands to be "cooked", so that vari-
	     ables which are recognized	by ntpq	will have their	values refor-
	     matted for	human consumption.  Variables which ntpq thinks	should
	     have a decodable value but	did not	are marked with	a trailing
	     `?'.

     debug more	| less | off
	     Turns internal query program debugging on and off.

     delay milliseconds
	     Specify a time interval to	be added to timestamps included	in
	     requests which require authentication.  This is used to enable
	     (unreliable) server reconfiguration over long delay network paths
	     or	between	machines whose clocks are unsynchronized.  Actually
	     the server	does not now require timestamps	in authenticated
	     requests, so this command may be obsolete.

     host hostname
	     Set the host to which future queries will be sent.	 Hostname may
	     be	either a host name or a	numeric	address.

     hostnames yes | no
	     If	yes is specified, host names are printed in information	dis-
	     plays.  If	no is specified, numeric addresses are printed
	     instead.  The default is yes, unless modified using the command
	     line -n switch.

     keyid keyid
	     This command specifies the	key number to be used to authenticate
	     configuration requests.  This must	correspond to a	key number the
	     server has	been configured	to use for this	purpose.

     ntpversion	1 | 2 |	3 | 4
	     Sets the NTP version number which ntpq claims in packets.
	     Defaults to 3, Note that mode 6 control messages (and modes, for
	     that matter) did not exist	in NTP version 1.  There appear	to be
	     no	servers	left which demand version 1.

     passwd  This command prompts for a	password (which	will not be echoed)
	     which will	be used	to authenticate	configuration requests.	 The
	     password must correspond to the key configured for	NTP server for
	     this purpose.

     quit    Exit ntpq.

     raw     Causes all	output from query commands is printed as received from
	     the remote	server.	 The only formatting/interpretation done on
	     the data is to transform nonascii data into a printable (but
	     barely understandable) form.

     timeout milliseconds
	     Specify a timeout period for responses to server queries.	The
	     default is	about 5000 milliseconds.  Note that since ntpq retries
	     each query	once after a timeout, the total	waiting	time for a
	     timeout will be twice the timeout value set.

   Control Message Commands
     Each association known to an NTP server has a 16 bit integer association
     identifier.  NTP control messages which carry peer	variables must iden-
     tify the peer the values correspond to by including its association ID.
     An	association ID of 0 is special,	and indicates the variables are	system
     variables,	whose names are	drawn from a separate name space.

     Control message commands result in	one or more NTP	mode 6 messages	being
     sent to the server, and cause the data returned to	be printed in some
     format.  Most commands currently implemented send a single	message	and
     expect a single response.	The current exceptions are the peers command,
     which will	send a preprogrammed series of messages	to obtain the data it
     needs, and	the mreadlist and mreadvar commands, which will	iterate	over a
     range of associations.

     associations
	     Obtains and prints	a list of association identifiers and peer
	     statuses for in-spec peers	of the server being queried.  The list
	     is	printed	in columns.  The first of these	is an index numbering
	     the associations from 1 for internal use, the second the actual
	     association identifier returned by	the server and the third the
	     status word for the peer.	This is	followed by a number of	col-
	     umns containing data decoded from the status word.	 See the peers
	     command for a decode of the `condition' field.  Note that the
	     data returned by the associations command is cached internally in
	     ntpq.  The	index is then of use when dealing with stupid servers
	     which use association identifiers which are hard for humans to
	     type, in that for any subsequent commands which require an	asso-
	     ciation identifier	as an argument,	the form and index may be used
	     as	an alternative.

     clockvar [assocID]	[variable_name[=value ...]] ...

     cv	[assocID] [variable_name[=value	...]] ...
	     Requests that a list of the server's clock	variables be sent.
	     Servers which have	a radio	clock or other external	synchroniza-
	     tion will respond positively to this.  If the association identi-
	     fier is omitted or	zero the request is for	the variables of the
	     `system clock' and	will generally get a positive response from
	     all servers with a	clock.	If the server treats clocks as pseudo-
	     peers, and	hence can possibly have	more than one clock connected
	     at	once, referencing the appropriate peer association ID will
	     show the variables	of a particular	clock.	Omitting the variable
	     list will cause the server	to return a default variable display.

     lassociations
	     Obtains and prints	a list of association identifiers and peer
	     statuses for all associations for which the server	is maintaining
	     state.  This command differs from the associations	command	only
	     for servers which retain state for	out-of-spec client associa-
	     tions (i.e., fuzzballs).  Such associations are normally omitted
	     from the display when the associations command is used, but are
	     included in the output of lassociations.

     lpassociations
	     Print data	for all	associations, including	out-of-spec client
	     associations, from	the internally cached list of associations.
	     This command differs from passociations only when dealing with
	     fuzzballs.

     lpeers  Like R peers, except a summary of all associations	for which the
	     server is maintaining state is printed.  This can produce a much
	     longer list of peers from fuzzball	servers.

     mreadlist assocID assocID

     mrl assocID assocID
	     Like the readlist command,	except the query is done for each of a
	     range of (nonzero)	association IDs.  This range is	determined
	     from the association list cached by the most recent associations
	     command.

     mreadvar assocID assocID [variable_name[=value ...]]

     mrv assocID assocID [variable_name[=value ...]]
	     Like the readvar command, except the query	is done	for each of a
	     range of (nonzero)	association IDs.  This range is	determined
	     from the association list cached by the most recent associations
	     command.

     opeers  An	old form of the	peers command with the reference ID replaced
	     by	the local interface address.

     passociations
	     Displays association data concerning in-spec peers	from the
	     internally	cached list of associations.  This command performs
	     identically to the	associations except that it displays the
	     internally	stored data rather than	making a new query.

     peers   Obtains a current list peers of the server, along with a summary
	     of	each peer's state.  Summary information	includes the address
	     of	the remote peer, the reference ID (0.0.0.0 if this is
	     unknown), the stratum of the remote peer, the type	of the peer
	     (local, unicast, multicast	or broadcast), when the	last packet
	     was received, the polling interval, in seconds, the reachability
	     register, in octal, and the current estimated delay, offset and
	     dispersion	of the peer, all in milliseconds.  The character at
	     the left margin of	each line shows	the synchronization status of
	     the association and is a valuable diagnostic tool.	 The encoding
	     and meaning of this character, called the tally code, is given
	     later in this page.

     pstatus assocID
	     Sends a read status request to the	server for the given associa-
	     tion.  The	names and values of the	peer variables returned	will
	     be	printed.  Note that the	status word from the header is dis-
	     played preceding the variables, both in hexadecimal and in	pid-
	     geon English.

     readlist assocID

     rl	assocID
	     Requests that the values of the variables in the internal vari-
	     able list be returned by the server.  If the association ID is
	     omitted or	is 0 the variables are assumed to be system variables.
	     Otherwise they are	treated	as peer	variables.  If the internal
	     variable list is empty a request is sent without data, which
	     should induce the remote server to	return a default display.

     readvar assocID variable_name[=value] ...

     rv	assocID	variable_name[=value] ...
	     Requests that the values of the specified variables be returned
	     by	the server by sending a	read variables request.	 If the	asso-
	     ciation ID	is omitted or is given as zero the variables are sys-
	     tem variables, otherwise they are peer variables and the values
	     returned will be those of the corresponding peer.	Omitting the
	     variable list will	send a request with no data which should
	     induce the	server to return a default display.  The encoding and
	     meaning of	the variables derived from NTPv3 is given in RFC-1305;
	     the encoding and meaning of the additional	NTPv4 variables	are
	     given later in this page.

     writevar assocID variable_name[=value] ...
	     Like the readvar request, except the specified variables are
	     written instead of	read.

     writelist [assocID]
	     Like the readlist request,	except the internal list variables are
	     written instead of	read.

   Tally Codes
     The character in the left margin in the `peers' billboard,	called the
     tally code, shows the fate	of each	association in the clock selection
     process.  Following is a list of these characters,	the pigeon used	in the
     rv	command, and a short explanation of the	condition revealed.

     space   (reject) The peer is discarded as unreachable, synchronized to
	     this server (synch	loop) or outrageous synchronization distance.

     x	     (falsetick) The peer is discarded by the intersection algorithm
	     as	a falseticker.

     .	     (excess) The peer is discarded as not among the first ten peers
	     sorted by synchronization distance	and so is probably a poor can-
	     didate for	further	consideration.

     -	     (outlyer) The peer	is discarded by	the clustering algorithm as an
	     outlyer.

     +	     (candidat)	The peer is a survivor and a candidate for the combin-
	     ing algorithm.

     #	     (selected)	The peer is a survivor,	but not	among the first	six
	     peers sorted by synchronization distance.	If the association is
	     ephemeral,	it may be demobilized to conserve resources.

     *	     (sys.peer)	The peer has been declared the system peer and lends
	     its variables to the system variables.

     o	     (pps.peer)	The peer has been declared the system peer and lends
	     its variables to the system variables.  However, the actual sys-
	     tem synchronization is derived from a pulse-per-second (PPS) sig-
	     nal, either indirectly via	the PPS	reference clock	driver or
	     directly via kernel interface.

   System Variables
     The status, leap, stratum,	precision, rootdelay, rootdispersion, refid,
     reftime, poll, offset, and	frequency variables are	described in RFC-1305
     specification.  Additional	NTPv4 system variables include the following.

     version
	     Everything	you might need to know about the software version and
	     generation	time.

     processor
	     The processor and kernel identification string.

     system  The operating system version and release identifier.

     state   The state of the clock discipline state machine.  The values are
	     described in the architecture briefing on the NTP Project page
	     linked from www.ntp.org.

     peer    The internal integer used to identify the association currently
	     designated	the system peer.

     jitter  The estimated time	error of the system clock measured as an expo-
	     nential average of	RMS time differences.

     stability
	     The estimated frequency stability of the system clock measured as
	     an	exponential average of RMS frequency differences.

     When the NTPv4 daemon is compiled with the	OpenSSL	software library,
     additional	system variables are displayed,	including some or all of the
     following,	depending on the particular dance:

     flags   The current flags word bits and message digest algorithm identi-
	     fier (NID)	in hex format.	The high order 16 bits of the four-
	     byte word contain the NID from the	OpenSSL	ligrary, while the
	     low-order bits are	interpreted as follows:

	     0x01    autokey enabled

	     0x02    NIST leapseconds file loaded

	     0x10    PC	identity scheme

	     0x20    IFF identity scheme

	     0x40    GQ	identity scheme

     hostname
	     The name of the host as returned by the Unix gethostname()
	     library function.

     hostkey
	     The NTP filestamp of the host key file.

     cert    A list of certificates held by the	host.  Each entry includes the
	     subject, issuer, flags and	NTP filestamp in order.	 The bits are
	     interpreted as follows:

	     0x01    certificate has been signed by the	server

	     0x02    certificate is trusted

	     0x04    certificate is private

	     0x08    certificate contains errors and should not	be trusted

     leapseconds
	     The NTP filestamp of the NIST leapseconds file.

     refresh
	     The NTP timestamp when the	host public cryptographic values were
	     refreshed and signed.

     signature
	     The host digest/signature scheme name from	the OpenSSL library.

     tai     The TAI-UTC offset	in seconds obtained from the NIST leapseconds
	     table.

   Peer	Variables
     The status, srcadr, srcport, dstadr, dstport, leap, stratum, precision,
     rootdelay,	rootdispersion,	readh, hmode, pmode, hpoll, ppoll, offset,
     delay, dspersion, reftime variables are described in the RFC-1305 speci-
     fication, as are the timestamps org, rec and xmt.	Additional NTPv4 sys-
     tem variables include the following.

     flash   The flash code for	the most recent	packet received.  The encoding
	     and meaning of these codes	is given later in this page.

     jitter  The estimated time	error of the peer clock	measured as an expo-
	     nential average of	RMS time differences.

     unreach
	     The value of the counter which records the	number of poll inter-
	     vals since	the last valid packet was received.

     When the NTPv4 daemon is compiled with the	OpenSSL	software library,
     additional	peer variables are displayed, including	the following:

     flags   The current flag bits.  This word is the server host status word
	     with additional bits used by the Autokey state machine.  See the
	     source code for the bit encoding.

     hostname
	     The server	host name.

     initkey key
	     The initial key used by the key list generator in the Autokey
	     protocol.

     initsequence index
	     The initial index used by the key list generator in the Autokey
	     protocol.

     signature
	     The server	message	digest/signature scheme	name from the OpenSSL
	     software library.

     timestamp time
	     The NTP timestamp when the	last Autokey key list was generated
	     and signed.

   Flash Codes
     The flash code is a valuable debugging aid	displayed in the peer vari-
     ables list.  It shows the results of the original sanity checks defined
     in	the NTP	specification RFC-1305 and additional ones added in NTPv4.
     There are 12 tests	designated TEST1 through TEST12.  The tests are	per-
     formed in a certain order designed	to gain	maximum	diagnostic information
     while protecting against accidental or malicious errors.  The flash vari-
     able is initialized to zero as each packet	is received.  If after each
     set of tests one or more bits are set, the	packet is discarded.

     Tests TEST1 through TEST3 check the packet	timestamps from	which the off-
     set and delay are calculated.  If any bits	are set, the packet is dis-
     carded; otherwise,	the packet header variables are	saved.	TEST4 and
     TEST5 are associated with access control and cryptographic	authentica-
     tion.  If any bits	are set, the packet is discarded immediately with
     nothing changed.

     Tests TEST6 through TEST8 check the health	of the server.	If any bits
     are set, the packet is discarded; otherwise, the offset and delay rela-
     tive to the server	are calculated and saved.  TEST9 checks	the health of
     the association itself.  If any bits are set, the packet is discarded;
     otherwise,	the saved variables are	passed to the clock filter and mitiga-
     tion algorithms.

     Tests TEST10 through TEST12 check the authentication state	using Autokey
     public-key	cryptography, as described in the Authentication Options sec-
     tion of ntp.conf(5).  If any bits are set and the association has previ-
     ously been	marked reachable, the packet is	discarded; otherwise, the
     originate and receive timestamps are saved, as required by	the NTP	proto-
     col, and processing continues.

     The flash bits for	each test are defined as follows.

     0x001   (TEST1) Duplicate packet.	The packet is at best a	casual
	     retransmission and	at worst a malicious replay.

     0x002   (TEST2) Bogus packet.  The	packet is not a	reply to a message
	     previously	sent.  This can	happen when the	NTP daemon is
	     restarted and before somebody else	notices.

     0x004   (TEST3) Unsynchronized.  One or more timestamp fields are
	     invalid.  This normally happens when the first packet from	a peer
	     is	received.

     0x008   (TEST4) Access is denied.	See the	Access Control Support section
	     of	ntp.conf(5).

     0x010   (TEST5) Cryptographic authentication fails.  See the
	     Authentication Options section of ntp.conf(5).

     0x020   (TEST6) The server	is unsynchronized.  Wind up its	clock first.

     0x040   (TEST7) The server	stratum	is at the maximum than 15.  It is
	     probably unsynchronized and its clock needs to be wound up.

     0x080   (TEST8) Either the	root delay or dispersion is greater than one
	     second, which is highly unlikely unless the peer is unsynchro-
	     nized to Mars.

     0x100   (TEST9) Either the	peer delay or dispersion is greater than one
	     second, which is higly unlikely unless the	peer is	on Mars.

     0x200   (TEST10) The autokey protocol has detected	an authentication
	     failure.  See the Authentication Options section of ntp.conf(5).

     0x400   (TEST11) The autokey protocol has not verified the	server or peer
	     is	proventic and has valid	public key credentials.	 See the
	     Authentication Options section of ntp.conf(5).

     0x800   (TEST12) A	protocol or configuration error	has occurred in	the
	     public key	algorithms or a	possible intrusion event has been
	     detected.	See the	Authentication Options section of ntp.conf(5).

SEE ALSO
     ntp.conf(5), ntpd(8), ntpdc(8)

BUGS
     The peers command is non-atomic and may occasionally result in spurious
     error messages about invalid associations occurring and terminating the
     command.  The timeout time	is a fixed constant, which means you wait a
     long time for timeouts since it assumes sort of a worst case.  The	pro-
     gram should improve the timeout estimate as it sends queries to a partic-
     ular host,	but does not.

FreeBSD	10.1			 May 17, 2006			  FreeBSD 10.1

NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | BUGS

Want to link to this manual page? Use this URL:
<http://www.freebsd.org/cgi/man.cgi?query=ntpq&sektion=8&manpath=FreeBSD+9.2-RELEASE>

home | help