xntpdc Command

Purpose

Starts the query/control program for the Network Time Protocol daemon, xntpd.

Syntax

xntpdc-i ] [  -l ] [  -n ] [  -p ] [  -s ] [  -c SubCommand ] [  Host ... ]

Description

The xntpdc command queries the xntpd daemon about its current state and requests changes to that state. It runs either in interactive mode or by using command-line arguments. The xntpdc command interface displays extensive state and statistics information. Nearly all the configuration options that can be specified at start-up using the xntpd daemon's configuration file, can also be specified at run-time using the xntpdc command.

If you enter the xntpdc command with one or more request flags, the NTP servers running on each of the hosts specified (or defaults to local host) receive each request. If you do not enter any request flags, the xntpdc command tries to read commands from standard input and run them on the NTP server running on the first host specified or on the local host by default. It prompts for subcommands if standard input is the terminal.

The xntpdc command uses NTP mode 7 packets to communicate with the NTP server and can query any compatible server on the network that permits it.

The xntpdc command makes no attempt to retransmit requests, and will time-out requests if the remote host does not respond within a suitable time.

Specifying a flag other than -i or -n sends the queries to the specified hosts immediately. Otherwise, the xntpdc command attempts to read interactive format commands from standard input.

Flags

Item Description
-c SubCommand Specifies an interactive format command. This flag adds SubCommand to the list of commands to run on the specified hosts. You can enter multiple -c flags.
-i Specifies interactive mode. Standard output displays prompt and standard input reads commands.
-l (lowercase L) Displays a list of the peers known to the servers. This is the same as the listpeers subcommand.
-n Displays all host addresses in dotted decimal format (0.0.0.0) rather than the canonical host names.
-p Displays a list of the peers known to the server and a summary of their state. This is the same as the peers subcommand.
-s Displays a list of the peers known to the server and a summary of their state but in a format different from the -p flag. This is the same as the dmpeers subcommand.

Parameters

Item Description
Host ... Specifies the hosts.

xntpdc Internal Subcommands

You can run a number of interactive format subcommands entirely within the xntpdc command that do not send NTP mode 7 requests to a server. The following subcommands can only be used while running the xntpdc query program.

Interactive Format Subcommands

Interactive format subcommands consist of a keyword followed by zero to four arguments. You only need to type enough characters of the full keyword to uniquely identify the subcommand. The output of a subcommand goes to standard output, but you can redirect the output of individual subcommands to a file by appending a greater-than sign (>), followed by a file name, to the command line.

Item Description
SubCommand ] Displays command usage information. When used without SubCommand, displays a list of all the xntpdc command keywords. When used with SubCommand, displays function and usage information about the command.
help SubCommand ] Same as the Subcommand ] subcommand.
delay Milliseconds Specifies the time interval to add to timestamps included in requests that require authentication. This subcommand enables unreliable server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. If you enter this subcommand without an argument, it prints the current setting for this subcommand.
host HostName Specifies the host to send queries to. HostName may be either a host name or a numeric address. If you enter this subcommand without an argument, it prints the current setting for this subcommand.
hostnames yes | no Specifies whether to display the host name (yes) or the numeric address (no). The default is yes unless the -n flag is used. If you enter this subcommand without an argument, it prints the current setting for this subcommand.
keyid Number Specifies the server key number to use to authenticate configuration requests. If you enter this subcommand without an argument, it prints the current setting for this subcommand.
passwd Prompts you to type in the NTP server authentication password to use to authenticate configuration requests.
quit Exits the xntpdc query program.
timeout Milliseconds Specifies the time-out period for responses to server queries. The default is 8000 milliseconds. If you enter this subcommand without an argument, it prints the current setting for this subcommand.

Query Subcommands

The xntpdc query subcommands result in sending NTP mode 7 packets containing requests to the server. These subcommands are read-only (they do not modify the server configuration state).

Item Description
clkbug ClockPeerAddress [ Addr2 ] [ Addr3 ] [ Addr4 ] Displays debugging information for a reference clock driver. Some clock drivers provide this information that is mostly undecodable without a copy of the driver source in hand.
clockbug ClockPeerAddress [ Addr2 ] [ Addr3 ] [ Addr4 ] Displays information concerning a peer clock. The values obtained provide information on the setting of fudge factors and other clock performance information.
dmpeers Displays a list of peers for which the server is maintaining state, along with a summary of that state. Identical to the output of the peers subcommand except for the character in the leftmost column. Characters only are displayed beside peers that were included in the final stage of the clock selection algorithm.

The possible character in the leftmost column are:

.
Indicates that this peer was cast off in the falseticker detection.
+
Indicates that the peer made it through.
*
Denotes the peer the server is currently synchronizing with.
iostats Displays statistics counters maintained in the input-output module.
kerninfo Displays kernel phase-lock loop operating parameters. This information is available only if the kernel of the hosts being generated has been specially modified for a precision timekeeping function.
listpeers Displays a brief list of the peers for which the server is maintaining state. These include all configured peer associations as well as those peers whose stratum is such that the server considers them to be possible future synchronization candidates.
loopinfo [ oneline | multiline ] Displays the values of selected loop filter variables. The loop filter is the part of NTP that adjusts the local system clock. The offset is the last offset given to the loop filter by the packet processing code. The frequency is the frequency error of the local clock in parts-per-million (ppm). The poll adjust controls the stiffness (resistance to change) of the phase-lock loop and the speed at which it can adapt to oscillator drift. The watchdog timer is the number of elapsed seconds since the last sample offset given to the loop filter. The oneline and multiline options specify the format to display this information. The multiline option is the default.
memstats Displays statistics counters related to memory allocation code.
monlist Displays traffic counts collected and maintained by the monitor facility.
peers Displays a list of peers for which the server is maintaining state, along with a summary of that state. Summary information includes:
  • address of the remote peer,
  • reference ID (0.0.0.0 for an unknown reference ID),
  • the stratum of the remote peer (a stratum of 16 indicates the remote peer is unsynchronized),
  • the polling interval (seconds),
  • the reachability register (octal), and
  • the current estimated delay, offset and dispersion of the peer (seconds).

The character in the left margin indicates the mode this peer entry is in:

+
symmetric active.
-
symmetric passive.
=
remote server polled in client mode.
^
server is broadcasting to this address.
~
remote peer is sending broadcasts.
*
marks the peer the server is currently synchronizing to.

The contents of the host field may be a host name, an IP address, a reference clock implementation name with its parameter or REFCLK (ImplementationNumber, Parameter). Only IP addresses display when using hostnames no.

pstats PeerAddress [ Addr2 ] [ Addr3 ] [ Addr4 ] Displays per-peer statistic counters associated with the specified peers.
reslist Displays the server's restriction list which may help to understand how the restrictions are applied.
sysinfo Displays a variety of system state variables related to the local server. All except the last four lines are described in the NTP Version 3 specification, RFC 1305. The system flags show various system flags, some of which can be set and cleared by the enable and disable configuration statements. The stability is the residual frequency error remaining after applying the system frequency correction. You use it for maintenance and debugging. In most architectures, this value will initially decrease from as high as 500 ppm to a nominal value in the range .01 to 0.1 ppm. If it remains high for some time after starting the daemon, something may be wrong with the local clock, or the value of the kernel variable Tick may be incorrect. The broadcastdelay shows the default broadcast delay, as set by the broadcastdelay configuration statement, while the authdelay shows the default authentication delay, as set by the authdelay configuration statement.
sysstats Displays statistics counters maintained in the protocol module.
timerstats Displays statistics counters maintained in the timer/event queue support code.

Runtime Configuration Requests Subcommands

The server authenticates all requests that cause state changes in the server by using a configured NTP key. The server can also disable this facility by not configuring a key. You must make the key number and the corresponding key known to the xtnpdc command. You can do this by using the keyid and passwd subcommands, which prompts at the terminal for a password to use as the encryption key. The xtnpdc command will also prompt you automatically for both the key number and password the first time you give a subcommand that would result in an authenticated request to the server. Authentication not only verifies that the requester has permission to make such changes, but also protects against transmission errors.

Authenticated requests always include a timestamp in the packet data, as does the computation of the authentication code. The server compares this timestamp to the time at which it receives the packet.

The server rejects the request if they differ by more than 10 seconds. This makes simple replay attacks on the server, by someone able to overhear traffic on your LAN, much more difficult. It also makes it more difficult to request configuration changes to your server from topologically remote hosts. While the reconfiguration facility works well with a server on the local host, and may work adequately between time-synchronized hosts on the same LAN, it works very poorly for more distant hosts. So, if you choose reasonable passwords, take care in the distribution and protection of keys and apply appropriate source address restrictions, the run-time reconfiguration facility should provide an adequate level of security.

The following subcommands all make authenticated requests.

Item Description
addpeer PeerAddress [ Keyid ] [ Version ] [ prefer ] Adds a configured peer association operating in symmetric active mode at the specified address. You may delete an existing association with the same peer or simply convert an existing association to conform to the new configuration when using this subcommand. If the Keyid is a nonzero integer, all outgoing packets to the remote server will have an authentication field attached encrypted with this key. To specify no authentication , enter Keyid as 0 or leave blank. The values for Version can be 1, 2 or 3, with 3 as the default. The prefer option indicates a preferred peer used primarily for clock synchronization if possible. The preferred peer also determines the validity of the PPS signal. If the preferred peer is suitable for synchronization, so is the PPS signal.
addserver PeerAddress [ Keyid ] [ Version ] [ prefer ] Same as the addpeer subcommand, except that the operating mode is client.
addtrap Address [ Port ] [ Interface ] Sets a trap for asynchronous messages at the specified address and port number for sending messages with the specified local interface address. If you do not specify the port number, the value defaults to 18447. If you do not specify the interface address, the value defaults to the source address of the local interface.
authinfo Displays information concerning the authentication module, including known keys and counts of encryptions and decryptions performed.
broadcast PeerAddress [ Keyid ] [ Version ] Same as the addpeer subcommand, except that the operating mode is broadcast. The PeerAddress can be the broadcast address of the local network or a multicast group address assigned to NTP (224.0.1.1).
clrtrap Address [ Port ] [ Interface ] Clears a trap for asynchronous messages at the specified address and port number for sending messages with the specified local interface address. If you do not specify the port number, the value defaults to 18447. If you do not specify the interface address, the value defaults to the source address of the local interface.
delrestrict Address Mask [ ntpport ] Deletes the matching entry from the restrict list.
disable Option ... Disables various server options. Does not affect options not mentioned. The enable subcommand describes the options.
enable Option ... Enables various server options. Does not affect options not mentioned. You can specify one or more of the following values for Option:
auth
Causes the server to synchronize with unconfigured peers only if the peer has been correctly authenticated using a trusted key and key identifier. The default for this option is disable (off).
bclient
Causes the server to listen for a message from a broadcast or multicast server, following which an association is automatically instantiated for that server. The default for this argument is disable (off).
monitor
Enables the monitoring facility, with default enable (on).
pll
Enables the server to adjust its local clock, with default enable (on). If not set, the local clock free-runs at its intrinsic time and frequency offset. This option is useful when the local clock is controlled by some other device or protocol and NTP is used only to provide synchronization to other clients.
stats
Enables statistics facility filegen, with default enable (on).
fudge PeerAddress [ Time1 ] [ Time2 ] [ Stratum ] [ Refid ] Provides a way to set certain data for a reference clock.

Time1 and Time2 are in fixed point seconds and used in some clock drivers as calibration constants.

Stratum is a number in the range zero to 15 and used to assign a nonstandard operating stratum to the clock.

Refid is an ASCII string in the range one to four characters and used to assign a nonstandard reference identifier to the clock.

monitor yes | no Enables or disables the monitoring facility. A monitor no subcommand followed by a monitor yes subcommand is a good way of resetting the packet counts.
readkeys Purges the current set of authentication keys and obtains a new set by rereading the keys file specified in the xntpd configuration file. This allows you to change encryption keys without restarting the server.
reset Module Clears the statistics counters in various modules of the server. You can specify one or more of the following values for Module: io, sys, mem, timer, auth, allpeers.
restrict Address Mask Option ... Adds the values of Option to an existing restrict list entry, or adds a new entry to the list with the specified Option. The mask option defaults to 255.255.255.255, meaning that Address is treated as the address of an individual host. You can specify one or more of the following values for Option:
ignore
Ignore all packets from hosts that match this entry. Does not respond to queries nor time server polls.
limited
Specifies that these hosts are subject to client limitation from the same net. Net in this context refers to the IP notion of net (class A, class B, class C, etc.). Only accepts the first client_limit hosts that have shown up at the server and that have been active during the last client_limit_period seconds. Rejects requests from other clients from the same net. Only takes into account time request packets. Private, control, and broadcast packets are not subject to client limitation and therefore do not contribute to client count. The monitoring capability of the xntpd daemon keeps a history of clients. When you use this option, monitoring remains active. The default value for client_limit is 3. The default value for client_limit_period is 3600 seconds.
lowpriotrap
Declare traps set by matching hosts to low priority status. The server can maintain a limited number of traps (the current limit is 3), assigned on a first come, first served basis, and denies service to later trap requestors. This parameter modifies the assignment algorithm by allowing later requests for normal priority traps to override low priority traps.
nomodify
Ignore all NTP mode 6 and 7 packets that attempt to modify the state of the server (run time reconfiguration). Permits queries that return information.
nopeer
Provide stateless time service to polling hosts, but not to allocate peer memory resources to these hosts.
noquery
SIgnore all NTP mode 6 and 7 packets (information queries and configuration requests) from the source. Does not affect time service.
noserve
Ignore NTP packets whose mode is not 6 or 7. This denies time service, but permits queries.
notrap
Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the mode 6 control message protocol intended for use by remote event logging programs.
notrust
STreat these hosts normally in other respects, but never use them as synchronization sources.
ntpport
Match the restriction entry only if the source port in the packet is the standard NTP UDP port (123).
setprecision Precision Sets the precision that the server advertises. Precision should be a negative integer in the range -4 through -20.
traps Displays the traps set in the server.
trustkey Keyid ... Adds one or more keys to the trusted key list. When you enable authentication, authenticates peers with trusted time using a trusted key.
unconfig PeerAddress [ Addr2 ] [ Addr3 ] [ Addr4 ] Removes the configured bit from the specified peers. In many cases deletes the peer association. When appropriate, however, the association may persist in an unconfigured mode if the remote peer is willing to continue on in this fashion.
unrestrict Address Mask Option ... Removes the specified options from the restrict list entry indicated by Address and Mask. The restrict subcommand describes the values for Option.
untrustkey Keyid ... Removes one or more keys from the trusted key list.

Exit Status

This command returns the following exit values:

Item Description
0 Successful completion.
>0 An error occurred.

Security

Access Control: You must be part of the system group to run this command.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX® Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Auditing Events: N/A

Displays per-peer statistic counters associated with the specified peers.

Examples

  1. To start the query/control program for the Network Time Protocol daemon, enter:
    xntpdc
  2. To display the statistic counters of the peer at address 127.127.1.0 on host 9.3.149.107, enter:
    xntpdc -c "pstats 127.127.1.0" 9.3.149.107
    Output similar to the following is displayed:
    remote host:   LOCAL(0)
    local interface:   127.0.0.1
    time last received:   49s
    time until next send:   15s
    reachability change:   818s
    packets sent:   13
    packets received:   13
    bad authentication:   0
    bogus origin:   0
    duplicate:   0
    bad dispersion:   4
    bad reference time:   0
    candidate order:   1

Files

Item Description
/usr/sbin/xntpdc Contains the xntpdc command.