Skip site navigation (1)Skip section navigation (2)

FreeBSD Man Pages

Man Page or Keyword Search:
Man Architecture
Apropos Keyword Search (all sections) Output format
home | help
NTPQ(8)                 FreeBSD System Manager's Manual                NTPQ(8)

NAME
     ntpq - standard NTP query program

SYNOPSIS
     ntpq [-inp] [-c command] [host ...]

DESCRIPTION
     The ntpq utility is used to query NTP servers which implement the
     recommended NTP mode 6 control message format about current state and to
     request changes in that state.  The program may be run either in
     interactive mode or controlled using command line arguments.  Requests to
     read and write arbitrary variables can be assembled, with raw and pretty-
     printed output options being available.  The ntpq utility can also obtain
     and print a list of peers in a common format by sending multiple queries
     to the server.

     If one or more request options is included on the command line when ntpq
     is executed, each of the requests will be sent to the NTP servers running
     on each of the hosts given as command line arguments, or on localhost by
     default.  If no request options are given, ntpq will attempt to read
     commands from the standard input and execute these on the NTP server
     running on the first host given on the command line, again defaulting to
     localhost when no other host is specified.  The ntpq utility will prompt
     for commands if the standard input is a terminal device.

     The ntpq utility uses NTP mode 6 packets to communicate with the NTP
     server, and hence can be used to query any compatible server on the
     network which permits it.  Note that since NTP is a UDP protocol this
     communication will be somewhat unreliable, especially over large
     distances in terms of network topology.  The ntpq utility makes one
     attempt to retransmit requests, and will time requests out if the remote
     host is not heard from within a suitable timeout time.

     For examples and usage, see the "NTP Debugging Techniques" page
     (available as part of the HTML documentation provided in
     /usr/share/doc/ntp).

     The following options are available:

     -c      The following argument is interpreted as an interactive format
             command and is added to the list of commands to be executed on
             the specified host(s).  Multiple -c options may be given.

     -i      Force ntpq to operate in interactive mode.  Prompts will be
             written to the standard output and commands read from the
             standard input.

     -n      Output all host addresses in dotted-quad numeric format rather
             than converting to the canonical host names.

     -p      Print a list of the peers known to the server as well as a
             summary of their state.  This is equivalent to the peers
             interactive command.

     Specifying a command line option other than -i or -n will cause the
     specified query (queries) to be sent to the indicated host(s)
     immediately.  Otherwise, ntpq will attempt to read interactive format
     commands from the standard input.

   Internal Commands
     Interactive format commands consist of a keyword followed by zero to four
     arguments.  Only enough characters of the full keyword to uniquely
     identify the command need be typed.  The output of a command is normally
     sent to the standard output, but optionally the output of individual
     commands may be sent to a file by appending a `>', followed by a file
     name, to the command line.  A number of interactive format commands are
     executed entirely within the ntpq utility itself and do not result in NTP
     mode 6 requests being sent to a server.  These are described following.

     ? [command_keyword]

     help [command_keyword]
             A `?' by itself will print a list of all the command keywords
             known to this incarnation of ntpq.  A `?' followed by a command
             keyword will print function and usage information about the
             command.  This command is probably a better source of information
             about ntpq than this manual page.

     addvars variable_name[=value ...]

     rmvars variable_name ...

     clearvars
             The data carried by NTP mode 6 messages consists of a list of
             items of the form `variable_name=value', where the `=value' is
             ignored, and can be omitted, in requests to the server to read
             variables.  The ntpq utility maintains an internal list in which
             data to be included in control messages can be assembled, and
             sent using the readlist and writelist commands described below.
             The addvars command allows variables and their optional values to
             be added to the list.  If more than one variable is to be added,
             the list should be comma-separated and not contain white space.
             The rmvars command can be used to remove individual variables
             from the list, while the clearlist command removes all variables
             from the list.

     authenticate yes | no
             Normally ntpq does not authenticate requests unless they are
             write requests.  The command `authenticate yes' causes ntpq to
             send authentication with all requests it makes.  Authenticated
             requests causes some servers to handle requests slightly
             differently, and can occasionally melt the CPU in fuzzballs if
             you turn authentication on before doing a peer display.

     cooked  Causes output from query commands to be "cooked", so that
             variables which are recognized by ntpq will have their values
             reformatted for human consumption.  Variables which ntpq thinks
             should have a decodable value but didn't are marked with a
             trailing `?'.

     debug more | less | off
             Turns internal query program debugging on and off.

     delay milliseconds
             Specify a time interval to be added to timestamps included in
             requests which require authentication.  This is used to enable
             (unreliable) server reconfiguration over long delay network paths
             or between machines whose clocks are unsynchronized.  Actually
             the server does not now require timestamps in authenticated
             requests, so this command may be obsolete.

     host hostname
             Set the host to which future queries will be sent.  Hostname may
             be either a host name or a numeric address.

     hostnames yes | no
             If yes is specified, host names are printed in information
             displays.  If no is specified, numeric addresses are printed
             instead.  The default is yes, unless modified using the command
             line -n switch.

     keyid keyid
             This command allows the specification of a key number to be used
             to authenticate configuration requests.  This must correspond to
             a key number the server has been configured to use for this
             purpose.

     ntpversion 1 | 2 | 3 | 4
             Sets the NTP version number which ntpq claims in packets.
             Defaults to 3, Note that mode 6 control messages (and modes, for
             that matter) didn't exist in NTP version 1.  There appear to be
             no servers left which demand version 1.

     quit    Exit ntpq.

     passwd  This command prompts you to type in a password (which will not be
             echoed) which will be used to authenticate configuration
             requests.  The password must correspond to the key configured for
             use by the NTP server for this purpose if such requests are to be
             successful.

     raw     Causes all output from query commands is printed as received from
             the remote server.  The only formating/interpretation done on the
             data is to transform nonascii data into a printable (but barely
             understandable) form.

     timeout milliseconds
             Specify a timeout period for responses to server queries.  The
             default is about 5000 milliseconds.  Note that since ntpq retries
             each query once after a timeout, the total waiting time for a
             timeout will be twice the timeout value set.

   Control Message Commands
     Each peer known to an NTP server has a 16 bit integer association
     identifier assigned to it.  NTP control messages which carry peer
     variables must identify the peer the values correspond to by including
     its association ID.  An association ID of 0 is special, and indicates the
     variables are system variables, whose names are drawn from a separate
     name space.

     Control message commands result in one or more NTP mode 6 messages being
     sent to the server, and cause the data returned to be printed in some
     format.  Most commands currently implemented send a single message and
     expect a single response.  The current exceptions are the peers command,
     which will send a preprogrammed series of messages to obtain the data it
     needs, and the mreadlist and mreadvar commands, which will iterate over a
     range of associations.

     associations
             Obtains and prints a list of association identifiers and peer
             statuses for in-spec peers of the server being queried.  The list
             is printed in columns.  The first of these is an index numbering
             the associations from 1 for internal use, the second the actual
             association identifier returned by the server and the third the
             status word for the peer.  This is followed by a number of
             columns containing data decoded from the status word.  See the
             peers command for a decode of the `condition' field.  Note that
             the data returned by the associations command is cached
             internally in ntpq.  The index is then of use when dealing with
             stupid servers which use association identifiers which are hard
             for humans to type, in that for any subsequent commands which
             require an association identifier as an argument, the form of
             index may be used as an alternative.

     clockvar [assocID] [variable_name[=value ...]] ...

     cv [assocID] [variable_name[=value ...]] ...
             Requests that a list of the server's clock variables be sent.
             Servers which have a radio clock or other external
             synchronization will respond positively to this.  If the
             association identifier is omitted or zero the request is for the
             variables of the `system clock' and will generally get a positive
             response from all servers with a clock.  If the server treats
             clocks as pseudo-peers, and hence can possibly have more than one
             clock connected at once, referencing the appropriate peer
             association ID will show the variables of a particular clock.
             Omitting the variable list will cause the server to return a
             default variable display.

     lassociations
             Obtains and prints a list of association identifiers and peer
             statuses for all associations for which the server is maintaining
             state.  This command differs from the associations command only
             for servers which retain state for out-of-spec client
             associations (i.e., fuzzballs).  Such associations are normally
             omitted from the display when the associations command is used,
             but are included in the output of lassociations.

     lpassociations
             Print data for all associations, including out-of-spec client
             associations, from the internally cached list of associations.
             This command differs from passociations only when dealing with
             fuzzballs.

     lpeers  Like R peers, except a summary of all associations for which the
             server is maintaining state is printed.  This can produce a much
             longer list of peers from fuzzball servers.

     mreadlist assocID assocID

     mrl assocID assocID
             Like the readlist command, except the query is done for each of a
             range of (nonzero) association IDs.  This range is determined
             from the association list cached by the most recent associations
             command.

     mreadvar assocID assocID [variable_name[=value ...]]

     mrv assocID assocID [variable_name[=value ...]]
             Like the readvar command, except the query is done for each of a
             range of (nonzero) association IDs.  This range is determined
             from the association list cached by the most recent associations
             command.

     opeers  An old form of the peers command with the reference ID replaced
             by the local interface address.

     passociations
             Displays association data concerning in-spec peers from the
             internally cached list of associations.  This command performs
             identically to the associations except that it displays the
             internally stored data rather than making a new query.

     peers   Obtains a current list peers of the server, along with a summary
             of each peer's state.  Summary information includes the address
             of the remote peer, the reference ID (0.0.0.0 if this is
             unknown), the stratum of the remote peer, the type of the peer
             (local, unicast, multicast or broadcast), when the last packet
             was received, the polling interval, in seconds, the reachability
             register, in octal, and the current estimated delay, offset and
             dispersion of the peer, all in milliseconds.  The character in
             the left margin indicates the fate of this peer in the clock
             selection process.  Following is a list of these characters, the
             pigeon used in the rv command, and a short explanation of the
             condition revealed.

             space   (reject) The peer is discarded as unreachable,
                     synchronized to this server (synch loop) or outrageous
                     synchronization distance.

             x       (falsetick) The peer is discarded by the intersection
                     algorithm as a falseticker.

             .       (excess) The peer is discarded as not among the first ten
                     peers sorted by synchronization distance and so is
                     probably a poor candidate for further consideration.

             -       (outlyer) The peer is discarded by the clustering
                     algorithm as an outlyer.

             +       (candidate) The peer is a survivor and a candidate for
                     the combining algorithm.

             #       (selected) The peer is a survivor, but not among the
                     first six peers sorted by synchronization distance.  If
                     the association is ephemeral, it may be demobilized to
                     conserve resources.

             *       (peer) The peer has been declared the system peer and
                     lends its variables to the system variables.

             o       ((pps.peer)) The peer has been declared the system peer
                     and lends its variables to the system variables.
                     However, the actual system synchronization is derived
                     from a pulse-per-second (PPS) signal, either indirectly
                     via the PPS reference clock driver or directly via kernel
                     interface.

     The flash variable is a valuable debugging aid.  It displays the results
     of the original sanity checks defined in the NTP specification RFC-1305
     and additional ones added in NTP Version 4.  There are eleven tests
     called TEST1 through TEST11.  The tests are performed in a certain order
     designed to gain maximum diagnostic information while protecting against
     accidental or malicious errors.  The flash variable is first initialized
     to zero.  If after each set of tests one or more bits are set, the packet
     is discarded.

     Tests TEST4 and TEST5 check the access permissions and cryptographic
     message digest.  If any bits are set after that, the packet is discarded.
     Tests TEST10 and TEST11 check the authentication state using Autokey
     public-key cryptography, as described in the Authentication Options
     section of ntp.conf(5).  If any bits are set and the association has
     previously been marked reachable, the packet is discarded; otherwise, the
     originate and receive timestamps are saved, as required by the NTP
     protocol, and processing continues.

     Tests TEST1 through TEST3 check the packet timestamps from which the
     offset and delay are calculated.  If any bits are set, the packet is
     discarded; otherwise, the packet header variables are saved.  Tests TEST6
     through TEST8 check the health of the server.  If any bits are set, the
     packet is discarded; otherwise, the offset and delay relative to the
     server are calculated and saved.  Test TEST9 checks the health of the
     association itself.  If any bits are set, the packet is discarded;
     otherwise, the saved variables are passed to the clock filter and
     mitigation algorithms.

     The flash bits for each test read in increasing order from the least
     significant bit are defined as follows.

     TEST1   Duplicate packet.  The packet is at best a casual retransmission
             and at worst a malicious replay.

     TEST2   Bogus packet.  The packet is not a reply to a message previously
             sent.  This can happen when the NTP daemon is restarted and
             before somebody else notices.

     TEST3   Unsynchronized.  One or more timestamp fields are invalid.  This
             normally happens when the first packet from a peer is received.

     TEST4   Access is denied.  See the "Access Control" page.

     TEST5   Cryptographic authentication fails.  See the Authentication
             Options section of ntp.conf(5).

     TEST6   The server is unsynchronized.  Wind up its clock first.

     TEST7   The server stratum is at the maximum than 15.  It is probably
             unsynchronized and its clock needs to be wound up.

     TEST8   Either the root delay or dispersion is greater than one second,
             which is highly unlikely unless the peer is synchronized to Mars.

     TEST9   Either the peer delay or dispersion is greater than one second,
             which is highly unlikely unless the peer is on Mars.

     TEST10  The autokey protocol has detected an authentication failure.  See
             the Authentication Options section of ntp.conf(5).

     TEST11  The autokey protocol has not verified the server or peer is
             authentic and has valid public key credentials.  See the
             Authentication Options section of ntp.conf(5).

     Additional system variables used by the NTP Version 4 Autokey support
     include the following:

     certificate filestamp
             Shows the NTP seconds when the certificate file was created.

     hostname host
             Shows the name of the host as returned by the Unix gethostname(3)
             library function.

     flags hex
             Shows the current flag bits, where the hex bits are interpreted
             as follows:

             0x01    autokey enabled

             0x02    RSA public/private key files present

             0x04    PKI certificate file present

             0x08    Diffie-Hellman parameters file present

             0x10    NIST leapseconds table file present

     leapseconds filestamp
             Shows the NTP seconds when the NIST leapseconds table file was
             created.

     params filestamp
             Shows the NTP seconds when the Diffie-Hellman agreement parameter
             file was created.

     publickey filestamp
             Shows the NTP seconds when the RSA public/private key files were
             created.

     refresh filestamp
             Shows the NTP seconds when the public cryptographic values were
             refreshed and signed.

     tai offset
             Shows the TAI-UTC offset in seconds obtained from the NIST
             leapseconds table.

     Additional peer variables used by the NTP Version 4 Autokey support
     include the following:

     certificate filestamp
             Shows the NTP seconds when the certificate file was created.

     flags hex
             Shows the current flag bits, where the hex bits are interpreted
             as in the system variable of the same name.  The bits are set in
             the first autokey message received from the server and then reset
             as the associated data are obtained from the server and stored.

     hcookie hex
             Shows the host cookie used in the key agreement algorithm.

     initkey key
             Shows the initial key used by the key list generator in the
             autokey protocol.

     initsequence index
             Shows the initial index used by the key list generator in the
             autokey protocol.

     pcookie hex
             Specifies the peer cookie used in the key agreement algorithm.

     timestamp time
             Shows the NTP seconds when the last autokey key list was
             generated and signed.

     pstatus assocID
             Sends a read status request to the server for the given
             association.  The names and values of the peer variables returned
             will be printed.  Note that the status word from the header is
             displayed preceding the variables, both in hexadecimal and in
             pidgeon English.

     readlist assocID

     rl assocID
             Requests that the values of the variables in the internal
             variable list be returned by the server.  If the association ID
             is omitted or is 0 the variables are assumed to be system
             variables.  Otherwise they are treated as peer variables.  If the
             internal variable list is empty a request is sent without data,
             which should induce the remote server to return a default
             display.

     readvar assocID variable_name[=value] ...

     rv assocID variable_name[=value] ...
             Requests that the values of the specified variables be returned
             by the server by sending a read variables request.  If the
             association ID is omitted or is given as zero the variables are
             system variables, otherwise they are peer variables and the
             values returned will be those of the corresponding peer.
             Omitting the variable list will send a request with no data which
             should induce the server to return a default display.

     writevar assocID variable_name[=value] ...
             Like the readvar request, except the specified variables are
             written instead of read.

     writelist [assocID]
             Like the readlist request, except the internal list variables are
             written instead of read.

SEE ALSO
     ntp.conf(5), ntpd(8), ntpdc(8)

BUGS
     The peers command is non-atomic and may occasionally result in spurious
     error messages about invalid associations occurring and terminating the
     command.  The timeout time is a fixed constant, which means you wait a
     long time for timeouts since it assumes sort of a worst case.  The
     program should improve the timeout estimate as it sends queries to a
     particular host, but doesn't.

FreeBSD 11.0-PRERELEASE         January 7, 2000        FreeBSD 11.0-PRERELEASE

NAME | SYNOPSIS | DESCRIPTION | SEE ALSO | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=ntpq&sektion=8&manpath=FreeBSD+5.2.1-RELEASE>

home | help