xref: /trueos/usr.sbin/ntp/doc/ntpq.8 (revision 8fe640108653f13042f1b15213769e338aa524f6)
1.\"
2.\" $FreeBSD$
3.\"
4.Dd May 17, 2006
5.Dt NTPQ 8
6.Os
7.Sh NAME
8.Nm ntpq
9.Nd standard NTP query program
10.Sh SYNOPSIS
11.Nm
12.Op Fl inp
13.Op Fl c Ar command
14.Op Ar host
15.Op Ar ...
16.Sh DESCRIPTION
17The
18.Nm
19utility is used to monitor NTP daemon
20.Xr ntpd 8
21operations and determine performance.
22It uses the standard NTP mode 6 control message formats
23defined in Appendix B of the NTPv3 specification RFC1305.
24The same formats are used in NTPv4, although some of the variables
25have changed and new ones added.
26The description on this page is for the NTPv4 variables.
27.Pp
28The program can be run either in interactive mode or controlled
29using command line arguments.
30Requests to read and write arbitrary variables can be assembled,
31with raw and pretty-printed output options being available.
32The
33.Nm
34can also obtain and print a list of peers in a common format
35by sendingmultiple queries to the server.
36.Pp
37If one or more request options is included on the command line
38when
39.Nm
40is executed, each of the requests will be sent
41to the NTP servers running on each of the hosts given as command
42line arguments, or on localhost by default.
43If no request options
44are given,
45.Nm
46will attempt to read commands from the
47standard input and execute these on the NTP server running on the
48first host given on the command line, again defaulting to localhost
49when no other host is specified.
50The
51.Nm
52utility will prompt for
53commands if the standard input is a terminal device.
54.Pp
55The
56.Nm
57utility uses NTP mode 6 packets to communicate with the
58NTP server, and hence can be used to query any compatible server on
59the network which permits it.
60Note that since NTP is a UDP protocol
61this communication will be somewhat unreliable, especially over
62large distances in terms of network topology.
63The
64.Nm
65utility makes
66one attempt to retransmit requests, and will time requests out if
67the remote host is not heard from within a suitable timeout
68time.
69.Pp
70For examples and usage, see the
71.Qq NTP Debugging Techniques
72page
73(available as part of the HTML documentation
74provided in
75.Pa /usr/share/doc/ntp ) .
76.Pp
77The following options are available:
78.Bl -tag -width indent
79.It Fl 4
80Force DNS resolution of following host names on the command line to the
81IPv4 namespace.
82.It Fl 6
83Force DNS resolution of following host names on the command line to the
84IPv6 namespace.
85.It Fl c
86The following argument is interpreted as an interactive format
87command and is added to the list of commands to be executed on the
88specified host(s).
89Multiple
90.Fl c
91options may be given.
92.It Fl d
93Turn on debugging mode.
94.It Fl i
95Force
96.Nm
97to operate in interactive mode.
98Prompts
99will be written to the standard output and commands read from the
100standard input.
101.It Fl n
102Output all host addresses in dotted-quad numeric format rather
103than converting to the canonical host names.
104.It Fl p
105Print a list of the peers known to the server as well as a
106summary of their state.
107This is equivalent to the
108.Ic peers
109interactive command.
110.El
111.Pp
112Note that in contexts where a host name is expected, a
113.Fl 4
114qualifier preceding the host name forces DNS resolution to the
115IPv4 namespace, while a
116.Fl 6
117qualifier forces DNS resolution to the IPv6 namespace.
118Specifying a
119command line option other than
120.Fl i
121or
122.Fl n
123will
124cause the specified query (queries) to be sent to the indicated
125host(s) immediately.
126Otherwise,
127.Nm
128will attempt to read
129interactive format commands from the standard input.
130.Ss "Internal Commands"
131Interactive format commands consist of a keyword followed by zero
132to four arguments.
133Only enough characters of the full keyword to
134uniquely identify the command need be typed.
135The output of a
136command is normally sent to the standard output, but optionally the
137output of individual commands may be sent to a file by appending a
138.Ql \&> ,
139followed by a file name, to the command line.
140A
141number of interactive format commands are executed entirely within
142the
143.Nm
144utility itself and do not result in NTP mode 6
145requests being sent to a server.
146These are described following.
147.Bl -tag -width indent
148.It Ic \&? Op Ar command_keyword
149.It Ic help Op Ar command_keyword
150A
151.Sq Ic \&?
152by itself will print a list of all the command
153keywords known to this incarnation of
154.Nm .
155A
156.Sq Ic \&?
157followed by a command keyword will print function and usage
158information about the command.
159This command is probably a better
160source of information about
161.Nm
162than this manual
163page.
164.It Xo Ic addvars
165.Ar variable_name Ns Op = Ns Ar value ...
166.Xc
167.It Ic rmvars Ar variable_name ...
168.It Ic clearvars
169The data carried by NTP mode 6 messages consists of a list of
170items of the form
171.Ql variable_name=value ,
172where the
173.Ql =value
174is ignored, and can be omitted,
175in requests to the server to read variables.
176The
177.Nm
178utility maintains an internal list in which data to be included in control
179messages can be assembled, and sent using the
180.Ic readlist
181and
182.Ic writelist
183commands described below.
184The
185.Ic addvars
186command allows variables and their optional values to be added to
187the list.
188If more than one variable is to be added, the list should
189be comma-separated and not contain white space.
190The
191.Ic rmvars
192command can be used to remove individual variables from the list,
193while the
194.Ic clearlist
195command removes all variables from the
196list.
197.It Ic cooked
198Causes output from query commands to be "cooked", so that
199variables which are recognized by
200.Nm
201will have their
202values reformatted for human consumption.
203Variables which
204.Nm
205thinks should have a decodable value but did not are
206marked with a trailing
207.Ql \&? .
208.It Xo Ic debug
209.Cm more |
210.Cm less |
211.Cm off
212.Xc
213Turns internal query program debugging on and off.
214.It Ic delay Ar milliseconds
215Specify a time interval to be added to timestamps included in
216requests which require authentication.
217This is used to enable
218(unreliable) server reconfiguration over long delay network paths
219or between machines whose clocks are unsynchronized.
220Actually the
221server does not now require timestamps in authenticated requests,
222so this command may be obsolete.
223.It Ic host Ar hostname
224Set the host to which future queries will be sent.
225Hostname may
226be either a host name or a numeric address.
227.It Ic hostnames Cm yes | Cm no
228If
229.Cm yes
230is specified, host names are printed in
231information displays.
232If
233.Cm no
234is specified, numeric
235addresses are printed instead.
236The default is
237.Cm yes ,
238unless
239modified using the command line
240.Fl n
241switch.
242.It Ic keyid Ar keyid
243This command specifies the key number to be used to authenticate
244configuration requests.
245This must correspond to a key number the server has
246been configured to use for this purpose.
247.It Xo Ic ntpversion
248.Cm 1 |
249.Cm 2 |
250.Cm 3 |
251.Cm 4
252.Xc
253Sets the NTP version number which
254.Nm
255claims in
256packets.
257Defaults to 3, Note that mode 6 control messages (and
258modes, for that matter) did not exist in NTP version 1.
259There appear
260to be no servers left which demand version 1.
261.It Ic passwd
262This command prompts for a password (which will not be echoed) which will
263be used to authenticate configuration requests.
264The password must
265correspond to the key configured for NTP server for this purpose.
266.It Ic quit
267Exit
268.Nm .
269.It Ic raw
270Causes all output from query commands is printed as received
271from the remote server.
272The only formatting/interpretation done on
273the data is to transform nonascii data into a printable (but barely
274understandable) form.
275.It Ic timeout Ar milliseconds
276Specify a timeout period for responses to server queries.
277The
278default is about 5000 milliseconds.
279Note that since
280.Nm
281retries each query once after a timeout, the total waiting time for
282a timeout will be twice the timeout value set.
283.El
284.Ss Control Message Commands
285Each association known to an NTP server has a 16 bit integer association
286identifier.
287NTP control messages which carry peer variables must identify the
288peer the values correspond to by including its association ID.
289An association
290ID of 0 is special, and indicates the variables are system variables, whose
291names are drawn from a separate name space.
292.Pp
293Control message commands result in one or more NTP mode 6
294messages being sent to the server, and cause the data returned to
295be printed in some format.
296Most commands currently implemented send
297a single message and expect a single response.
298The current
299exceptions are the peers command, which will send a preprogrammed
300series of messages to obtain the data it needs, and the mreadlist
301and mreadvar commands, which will iterate over a range of
302associations.
303.Bl -tag -width indent
304.It Ic associations
305Obtains and prints a list of association identifiers and peer
306statuses for in-spec peers of the server being queried.
307The list is
308printed in columns.
309The first of these is an index numbering the
310associations from 1 for internal use, the second the actual
311association identifier returned by the server and the third the
312status word for the peer.
313This is followed by a number of columns
314containing data decoded from the status word.
315See the peers command
316for a decode of the
317.Sq condition
318field.
319Note that the data
320returned by the
321.Ic associations
322command is cached internally
323in
324.Nm .
325The index is then of use when dealing with stupid
326servers which use association identifiers which are hard for humans
327to type, in that for any subsequent commands which require an
328association identifier as an argument, the form and index may be
329used as an alternative.
330.It Xo Ic clockvar Op Ar assocID
331.Oo
332.Ar variable_name Ns Op = Ns Ar value ...
333.Oc
334.Ar ...
335.Xc
336.It Xo Ic cv Op Ar assocID
337.Oo
338.Ar variable_name Ns Op = Ns Ar value ...
339.Oc
340.Ar ...
341.Xc
342Requests that a list of the server's clock variables be sent.
343Servers which have a radio clock or other external synchronization
344will respond positively to this.
345If the association identifier is
346omitted or zero the request is for the variables of the
347.Sq system clock
348and will generally get a positive response from all
349servers with a clock.
350If the server treats clocks as pseudo-peers,
351and hence can possibly have more than one clock connected at once,
352referencing the appropriate peer association ID will show the
353variables of a particular clock.
354Omitting the variable list will
355cause the server to return a default variable display.
356.It Ic lassociations
357Obtains and prints a list of association identifiers and peer
358statuses for all associations for which the server is maintaining
359state.
360This command differs from the
361.Ic associations
362command
363only for servers which retain state for out-of-spec client
364associations (i.e., fuzzballs).
365Such associations are normally
366omitted from the display when the
367.Ic associations
368command is
369used, but are included in the output of
370.Ic lassociations .
371.It Ic lpassociations
372Print data for all associations, including out-of-spec client
373associations, from the internally cached list of associations.
374This
375command differs from
376.Ic passociations
377only when dealing with
378fuzzballs.
379.It Ic lpeers
380Like R peers, except a summary of all associations for which
381the server is maintaining state is printed.
382This can produce a much
383longer list of peers from fuzzball servers.
384.It Ic mreadlist Ar assocID Ar assocID
385.It Ic mrl Ar assocID Ar assocID
386Like the
387.Ic readlist
388command, except the query is done
389for each of a range of (nonzero) association IDs.
390This range is
391determined from the association list cached by the most recent
392.Ic associations
393command.
394.It Xo Ic mreadvar Ar assocID Ar assocID
395.Oo
396.Ar variable_name Ns Op = Ns Ar value ...
397.Oc
398.Xc
399.It Xo Ic mrv Ar assocID Ar assocID
400.Oo
401.Ar variable_name Ns Op = Ns Ar value ...
402.Oc
403.Xc
404Like the
405.Ic readvar
406command, except the query is done for
407each of a range of (nonzero) association IDs.
408This range is
409determined from the association list cached by the most recent
410.Ic associations
411command.
412.It Ic opeers
413An old form of the
414.Ic peers
415command with the reference ID
416replaced by the local interface address.
417.It Ic passociations
418Displays association data concerning in-spec peers from the
419internally cached list of associations.
420This command performs
421identically to the
422.Ic associations
423except that it displays
424the internally stored data rather than making a new query.
425.It Ic peers
426Obtains a current list peers of the server, along with a
427summary of each peer's state.
428Summary information includes the
429address of the remote peer, the reference ID (0.0.0.0 if this is
430unknown), the stratum of the remote peer, the type of the peer
431(local, unicast, multicast or broadcast), when the last packet was
432received, the polling interval, in seconds, the reachability
433register, in octal, and the current estimated delay,
434offset and dispersion of the peer, all in milliseconds.
435The character at the left margin of each line shows the
436synchronization status of the association and is a valuable
437diagnostic tool.
438The encoding and meaning of this character,
439called the tally code, is given later in this page.
440.It Ic pstatus Ar assocID
441Sends a read status request to the server for the given
442association.
443The names and values of the peer variables returned
444will be printed.
445Note that the status word from the header is
446displayed preceding the variables, both in hexadecimal and in
447pidgeon English.
448.It Ic readlist Ar assocID
449.It Ic rl Ar assocID
450Requests that the values of the variables in the internal
451variable list be returned by the server.
452If the association ID is
453omitted or is 0 the variables are assumed to be system variables.
454Otherwise they are treated as peer variables.
455If the internal
456variable list is empty a request is sent without data, which should
457induce the remote server to return a default display.
458.It Xo Ic readvar Ar assocID
459.Ar variable_name Ns Op = Ns Ar value
460.Ar ...
461.Xc
462.It Xo Ic rv Ar assocID
463.Ar variable_name Ns Op = Ns Ar value
464.Ar ...
465.Xc
466Requests that the values of the specified variables be returned
467by the server by sending a read variables request.
468If the
469association ID is omitted or is given as zero the variables are
470system variables, otherwise they are peer variables and the values
471returned will be those of the corresponding peer.
472Omitting the
473variable list will send a request with no data which should induce
474the server to return a default display.
475The
476encoding and meaning of the variables derived from NTPv3 is given in
477RFC-1305; the encoding and meaning of the additional NTPv4 variables are
478given later in this page.
479.It Xo Ic writevar Ar assocID
480.Ar variable_name Ns Op = Ns Ar value
481.Ar ...
482.Xc
483Like the readvar request, except the specified variables are
484written instead of read.
485.It Ic writelist Op Ar assocID
486Like the readlist request, except the internal list variables
487are written instead of read.
488.El
489.Ss Tally Codes
490The character in the left margin in the
491.Sq peers
492billboard,
493called the tally code, shows the fate of each association
494in the clock selection process.
495Following is a list of these characters, the pigeon used
496in the
497.Ic rv
498command, and a short explanation of the condition revealed.
499.Bl -tag -width indent
500.It space
501.Pq reject
502The peer is discarded as unreachable, synchronized to this server (synch
503loop) or outrageous synchronization distance.
504.It x
505.Pq falsetick
506The peer is discarded by the intersection algorithm as a falseticker.
507.It \&.
508.Pq excess
509The peer is discarded as not among the first ten peers sorted by
510synchronization distance and so is probably a poor candidate for further
511consideration.
512.It \&-
513.Pq outlyer
514The peer is discarded by the clustering algorithm as an outlyer.
515.It \&+
516.Pq candidat
517The peer is a survivor and a candidate for the combining algorithm.
518.It \&#
519.Pq selected
520The peer is a survivor, but not among the first six peers sorted by
521synchronization distance.
522If the association is ephemeral, it may be
523demobilized to conserve resources.
524.It \&*
525.Pq sys.peer
526The peer has been declared the system peer and lends its variables to the
527system variables.
528.It o
529.Pq pps.peer
530The peer has been declared the system peer and lends its variables to
531the system variables.
532However, the actual system synchronization is derived
533from a pulse-per-second (PPS) signal, either indirectly via the PPS
534reference clock driver or directly via kernel interface.
535.El
536.Ss System Variables
537The
538.Cm status ,
539.Cm leap ,
540.Cm stratum ,
541.Cm precision ,
542.Cm rootdelay ,
543.Cm rootdispersion ,
544.Cm refid ,
545.Cm reftime ,
546.Cm poll ,
547.Cm offset ,
548and
549.Cm frequency
550variables are described in RFC-1305
551specification.
552Additional NTPv4 system variables include the following.
553.Bl -tag -width indent
554.It version
555Everything you might need to know about the software version and generation
556time.
557.It processor
558The processor and kernel identification string.
559.It system
560The operating system version and release identifier.
561.It state
562The state of the clock discipline state machine.
563The values are described
564in the architecture briefing on the NTP Project page linked from
565www.ntp.org.
566.It peer
567The internal integer used to identify the association currently designated
568the system peer.
569.It jitter
570The estimated time error of the system clock measured as an exponential
571average of RMS time differences.
572.It stability
573The estimated frequency stability of the system clock measured as an
574exponential average of RMS frequency differences.
575.El
576.Pp
577When the NTPv4 daemon is compiled with the OpenSSL software library, additional
578system variables are displayed, including some or all of the following,
579depending on the particular dance:
580.Bl -tag -width indent
581.It flags
582The current flags word bits and message digest algorithm identifier (NID)
583in hex format.
584The high order 16 bits of the four-byte word contain the NID
585from the OpenSSL ligrary, while the low-order bits are interpreted as
586follows:
587.Bl -tag -width indent
588.It 0x01
589autokey enabled
590.It 0x02
591NIST leapseconds file loaded
592.It 0x10
593PC identity scheme
594.It 0x20
595IFF identity scheme
596.It 0x40
597GQ identity scheme
598.El
599.It hostname
600The name of the host as returned by the Unix
601.Fn gethostname
602library
603function.
604.It hostkey
605The NTP filestamp of the host key file.
606.It cert
607A list of certificates held by the host.
608Each entry includes the subject,
609issuer, flags and NTP filestamp in order.
610The bits are interpreted as
611follows:
612.Bl -tag -width indent
613.It 0x01
614certificate has been signed by the server
615.It 0x02
616certificate is trusted
617.It 0x04
618certificate is private
619.It 0x08
620certificate contains errors and should not be trusted
621.El
622.It leapseconds
623The NTP filestamp of the NIST leapseconds file.
624.It refresh
625The NTP timestamp when the host public cryptographic values were refreshed
626and signed.
627.It signature
628The host digest/signature scheme name from the OpenSSL library.
629.It tai
630The TAI-UTC offset in seconds obtained from the NIST leapseconds table.
631.El
632.Ss Peer Variables
633The
634.Cm status ,
635.Cm srcadr ,
636.Cm srcport ,
637.Cm dstadr ,
638.Cm dstport ,
639.Cm leap ,
640.Cm stratum ,
641.Cm precision ,
642.Cm rootdelay ,
643.Cm rootdispersion ,
644.Cm readh ,
645.Cm hmode ,
646.Cm pmode ,
647.Cm hpoll ,
648.Cm ppoll ,
649.Cm offset ,
650.Cm delay ,
651.Cm dspersion ,
652.Cm reftime
653variables are described in the RFC-1305 specification, as
654are the timestamps
655.Cm org ,
656.Cm rec
657and
658.Cm xmt .
659Additional NTPv4 system variables include
660the following.
661.Bl -tag -width indent
662.It flash
663The flash code for the most recent packet received.
664The encoding and
665meaning of these codes is given later in this page.
666.It jitter
667The estimated time error of the peer clock measured as an exponential
668average of RMS time differences.
669.It unreach
670The value of the counter which records the number of poll intervals since
671the last valid packet was received.
672.El
673.Pp
674When the NTPv4 daemon is compiled with the OpenSSL software library, additional
675peer variables are displayed, including the following:
676.Bl -tag -width indent
677.It flags
678The current flag bits.
679This word is the server host status word with
680additional bits used by the Autokey state machine.
681See the source code for
682the bit encoding.
683.It hostname
684The server host name.
685.It initkey Ar key
686The initial key used by the key list generator in the Autokey protocol.
687.It initsequence Ar index
688The initial index used by the key list generator in the Autokey protocol.
689.It signature
690The server message digest/signature scheme name from the OpenSSL software
691library.
692.It timestamp Ar time
693The NTP timestamp when the last Autokey key list was generated and signed.
694.El
695.Ss Flash Codes
696The
697.Cm flash
698code is a valuable debugging aid displayed in the peer variables
699list.
700It shows the results of the original sanity checks defined in the NTP
701specification RFC-1305 and additional ones added in NTPv4.
702There are 12 tests
703designated
704.Sy TEST1
705through
706.Sy TEST12 .
707The tests are performed in a certain order
708designed to gain maximum diagnostic information while protecting against
709accidental or malicious errors.
710The
711.Sy flash
712variable is initialized to zero as
713each packet is received.
714If after each set of tests one or more bits are set,
715the packet is discarded.
716.Pp
717Tests
718.Sy TEST1
719through
720.Sy TEST3
721check the packet timestamps from which the offset and
722delay are calculated.
723If any bits are set, the packet is discarded; otherwise,
724the packet header variables are saved.
725.Sy TEST4
726and
727.Sy TEST5
728are associated with
729access control and cryptographic authentication.
730If any bits are set, the
731packet is discarded immediately with nothing changed.
732.Pp
733Tests
734.Sy TEST6
735through
736.Sy TEST8
737check the health of the server.
738If any bits are set,
739the packet is discarded; otherwise, the offset and delay relative to the server
740are calculated and saved.
741TEST9 checks the health of the association itself.
742If
743any bits are set, the packet is discarded; otherwise, the saved variables are
744passed to the clock filter and mitigation algorithms.
745.Pp
746Tests
747.Sy TEST10
748through
749.Sy TEST12
750check the authentication state using Autokey
751public-key cryptography, as described in the
752.Sx Authentication Options
753section of
754.Xr ntp.conf 5 .
755If
756any bits are set and the association has previously been marked reachable, the
757packet is discarded; otherwise, the originate and receive timestamps are saved,
758as required by the NTP protocol, and processing continues.
759.Pp
760The
761.Cm flash
762bits for each test are defined as follows.
763.Bl -tag -width indent
764.It 0x001
765.Pq TEST1
766Duplicate packet.
767The packet is at best a casual retransmission and at
768worst a malicious replay.
769.It 0x002
770.Pq TEST2
771Bogus packet.
772The packet is not a reply to a message previously sent.
773This
774can happen when the NTP daemon is restarted and before somebody else
775notices.
776.It 0x004
777.Pq TEST3
778Unsynchronized.
779One or more timestamp fields are invalid.
780This normally
781happens when the first packet from a peer is received.
782.It 0x008
783.Pq TEST4
784Access is denied.
785See the
786.Sx Access Control Support
787section of
788.Xr ntp.conf 5 .
789.It 0x010
790.Pq TEST5
791Cryptographic authentication fails.
792See the
793.Sx Authentication Options
794section of
795.Xr ntp.conf 5 .
796.It 0x020
797.Pq TEST6
798The server is unsynchronized.
799Wind up its clock first.
800.It 0x040
801.Pq TEST7
802The server stratum is at the maximum than 15.
803It is probably unsynchronized
804and its clock needs to be wound up.
805.It 0x080
806.Pq TEST8
807Either the root delay or dispersion is greater than one second, which is
808highly unlikely unless the peer is unsynchronized to Mars.
809.It 0x100
810.Pq TEST9
811Either the peer delay or dispersion is greater than one second, which is
812higly unlikely unless the peer is on Mars.
813.It 0x200
814.Pq TEST10
815The autokey protocol has detected an authentication failure.
816See the
817.Sx Authentication Options
818section of
819.Xr ntp.conf 5 .
820.It 0x400
821.Pq TEST11
822The autokey protocol has not verified the server or peer is proventic and
823has valid public key credentials.
824See the
825.Sx Authentication Options
826section of
827.Xr ntp.conf 5 .
828.It 0x800
829.Pq TEST12
830A protocol or configuration error has occurred in the public key algorithms
831or a possible intrusion event has been detected.
832See the
833.Sx Authentication Options
834section of
835.Xr ntp.conf 5 .
836.El
837.Sh SEE ALSO
838.Xr ntp.conf 5 ,
839.Xr ntpd 8 ,
840.Xr ntpdc 8
841.Sh BUGS
842The
843.Ic peers
844command is non-atomic and may occasionally result in
845spurious error messages about invalid associations occurring and
846terminating the command.
847The timeout time is a fixed constant,
848which means you wait a long time for timeouts since it assumes sort
849of a worst case.
850The program should improve the timeout estimate as
851it sends queries to a particular host, but does not.
852