
figure out all ntp clients

 
Dan Copeland
Regular Advisor


Admins,

I have an HP-UX NTP server that I'm decommissioning and want to find out all clients that are using it. It's a 10.20 host, so I believe tcpdump will not work. Other than a network sniffer, is there a way to tell which clients are connecting to my NTP server? I played w/ ntpq for a while but didn't get what I was looking for.

tia,
Frank
RAC_1
Honored Contributor

Re: figure out all ntp clients

From this server, run ntpq -p "hostname". This inquires the peer for ntp.

Run this command on all hosts you have. Those pointing to you are using this server (which you plan to decommission) as ntp.
There is no substitute to HARDWORK
Dan Copeland
Regular Advisor

Re: figure out all ntp clients

The problem is---I don't know what all the boxes are. This box is extremely old and has been a NTP server forever. Previous employees are gone, don't know what they did, just trying to be proactive to avoid a mess.
James R. Ferguson
Acclaimed Contributor

Re: figure out all ntp clients

Hi Frank:

Ideally your clients have specified more than one ntp source to which they listen, so the disappearance of your old server should not precipitate catastrophe for them.

Regards!

...JRF...
RAC_1
Honored Contributor

Re: figure out all ntp clients

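# take the first field of each /etc/hosts entry, skipping comments and blank lines
for i in `awk '!/^#/ && NF {print $1}' /etc/hosts`
do
  # list that host's NTP peers and look for this server in the output
  ntpq -p "$i" | grep "your host"
done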

Those pointing to your server are using your server as ntp server.

(You need to have a list of servers in your environment to further check it)
There is no substitute to HARDWORK
Helen French
Honored Contributor

Re: figure out all ntp clients

If you have the log file for ntp requests (some can be found from syslog.log) you will be able to figure out some clients. If you are going to replace this ntp server with another one, then check the config files /etc/ntp.conf, /etc/ntp.drift, /etc/ntp.keys and /etc/rc.config.d/netdaemons.
Life is a promise, fulfill it!
Ron Kinner
Honored Contributor

Re: figure out all ntp clients

Assuming you are not running in broadcast mode: if you run
netstat -an |grep 123

you will get any tcp connections on the server's ntp port 123 at that instant in time. However the ntp faq says:
"For xntp3-5.93e the smallest and largest allowable polling values are 4 (16 seconds) and 14 (4.5 hours) respectively."
so there is no guarantee that you would catch all (or even any of the clients) unless you just happened to get lucky.

If there is a router in the network and most of your potential clients pass through the router, your network admin can probably help you. It is simple on a Cisco router to build a logging access list which permits all traffic but which logs traffic which meets a certain requirement.

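conf t

logging buff

! NTP runs over UDP port 123, so the logged entry must match udp
access-list 100 permit udp any host "ipaddressof10.20" eq 123 log
access-list 100 permit ip any any

! e0/0, or whatever interface the 10.20 lives on
int e0/0
! an ACL is applied to an interface with ip access-group
ip access-group 100 out

end

wr me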

Now wait overnight and

show log

will show any traffic to the 10.20's ntp port which passed through the router.

Actually tcpdump used to work for 10.20. The problem is finding the old version. The faq at http://www.pimpworks.org/hp/hpuxfaq.html
says:

"HP-UX 10.20 and 11.X can use tcpdump/libpcap as found at
ftp://ftp.ee.lbl.gov./ To select the interface to trace, one uses the -i
option and gives the interface name as "/dev/dlpiN" where N is the PPA
of the device. One uses lanscan to find PPAs. On 10.20, the PPA happens
to be the same as the Network Management ID (NMID) and is not the same
as the N in "lanN." On 11.X, the PPA happens to be the same as the Card
Instance number and happens to be the same as the N in "lanN." The
/dev/dlpiN specified to tcpdump/libpcap is not the same as the device
file /dev/dlpiM. What actually happens is tcpdump/libpcap opens /dev/dlpi
and binds to PPA N. The /dev/dlpiM device files are for other uses."

This appears to be a quote from our own Rick Jones. Note you will need libpcap installed before you install tcpdump.

Ron
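
For the router approach in Ron Kinner's reply, an added example (not part of any post in this thread) that reduces a saved copy of the `show log` output to one line per client address with a packet count. It assumes the entries are in the usual `%SEC-6-IPACCESSLOGP` form; the sample lines, the addresses and the `ntp_clients` function name are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the hosts that reached the NTP server's port 123,
# from a saved copy of the router's "show log" output.

# Constructed sample input (addresses and timestamps are made up).
sample_log() {
cat <<'EOF'
Mar  1 02:10:11: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.1.1.20(123) -> 10.0.0.5(123), 1 packet
Mar  1 02:15:11: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.1.1.20(123) -> 10.0.0.5(123), 3 packets
Mar  1 02:16:40: %SEC-6-IPACCESSLOGP: list 100 permitted udp 10.1.2.7(1027) -> 10.0.0.5(123), 1 packet
Mar  1 02:17:02: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.1.2.7(1027) -> 10.0.0.9(123), 1 packet
Mar  1 02:18:00: %SYS-5-CONFIG_I: Configured from console by vty0
EOF
}

# ntp_clients SERVER_IP   (reads log text on stdin)
# Prints "client_ip packet_count", one line per client, sorted.
ntp_clients() {
    awk -v server="$1" '
    /IPACCESSLOGP/ && / permitted / {
        # Locate "SRC(sport) -> DST(dport), N packet(s)" by its arrow.
        for (i = 2; i <= NF; i++) if ($i == "->") break
        if (i + 2 > NF) next
        src = $(i - 1); dst = $(i + 1); pkts = $(i + 2)
        port = dst
        sub(/^[^(]*\(/, "", port); sub(/\).*/, "", port)   # keep only dport
        sub(/\(.*/, "", src); sub(/\(.*/, "", dst)          # drop "(port)"
        if (dst != server || port != "123") next
        count[src] += pkts     # repeated log entries are summed per client
    }
    END { for (s in count) print s, count[s] }
    ' | LC_ALL=C sort
}

# Demo on the constructed sample; 10.0.0.5 stands in for the old server.
sample_log | ntp_clients 10.0.0.5
```

Clients with long poll intervals only show up if the log covers a long enough window, and clients that never cross the router do not appear at all.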