DOKK / manpages / debian 12 / ntpsec / ntpq.1.en
NTPQ(1) NTPsec NTPQ(1)

ntpq - standard NTP query program

ntpq [-46adhinpkwWu] [-c command] [host] [...]

The ntpq utility program is used to monitor NTP daemon ntpd operations and determine performance. It uses the standard NTP mode 6 control message formats defined in Appendix B of the NTPv3 specification RFC 1305. The same formats are used in NTPv4, although some of the variable names have changed, and new ones added. The description on this page is for the NTPv4 variables.

The program can be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary variables can be assembled, with raw and pretty-printed output options being available. It can also obtain and print a list of peers in a common format by sending multiple queries to the server.

If one or more request options are included on the command line when ntpq is executed, each of the requests will be sent to the NTP servers running on each of the hosts given as command line arguments, or on localhost by default. If no request options are given, ntpq will attempt to read commands from the standard input and execute these on the NTP server running on the first host given on the command line, again defaulting to localhost when no other host is specified. ntpq will prompt for commands if the standard input is a terminal device.

ntpq uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on the network which permits it. Note that since NTP is a UDP protocol this communication will be somewhat unreliable, especially over large distances in terms of network topology. ntpq makes one attempt to retransmit requests and will time requests out if the remote host is not heard from within a suitable timeout time.

Note that in contexts where a host name is expected, a -4 qualifier preceding the host name forces DNS resolution to the IPv4 namespace, while a -6 qualifier forces DNS resolution to the IPv6 namespace.

For examples and usage, see the NTP Debugging <debug.html> Techniques" page.

For a simpler near-real-time monitor, see ntpmon(1).

Command line options are described following. Specifying the command line options -c or -p will cause the specified query (queries) to be sent to the indicated host(s) immediately. Otherwise, ntpq will attempt to read interactive format commands from the standard input.

-4, --ipv4

Force DNS resolution of following host names on the command line to the IPv4 namespace.

-6, --ipv6

Force DNS resolution of following host names on the command line to the IPv6 namespace.

-a num, --authentication=num

Enable authentication with the numbered key.

-c cmd, --command=cmd

The following argument is interpreted as an interactive format command and is added to the list of commands to be executed on the specified host(s). Multiple -c options may be given.

-d, --debug

Increase debugging level by 1.

-D num, --set-debug-level=num

The debug level is set to the following integer argument.

-l filename, --logfile=filename

Log debugging output to the specified file.

-h, --help

Print a usage message summarizing options end exit.

-n, --numeric

Output all host addresses in numeric format rather than converting to the canonical host names. You may get hostnames anyway for peers in the initialization phase before DNS has resolved the peer name.

-s, --srcname

Output host addresses by: Names passed to ntpd, then names reverse resolved from addresses and finally, IP addresses themselves

-S, --srcnumber

Output host addresses by: Names passed to ntpd, then IP addresses themselves

-p, --peers

Print a list of the peers known to the server as well as a summary of their state; this is equivalent to the peers interactive command. The refid field is as described under "Event Messages and Status Words" in the NTP documentation on the Web.

-k filename, --keyfile=filename

Specify a keyfile. ntpq will look in this file for the key specified with -a.

-V, --version

Print the version string and exit.

-w, --wide

Wide mode: if the host name or IP Address doesn’t fit, write the full name/address and indent the next line, so columns line up. The default truncates the name or address.

-W num, --width=num

Force the terminal width. Only relevant for composition of the peers display.

-u, --units

Display timing information with units.

Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a >, followed by a file name, to the command line. Some interactive format commands are executed entirely within the ntpq program itself and do not result in NTP mode 6 requests being sent to a server. These are described as following.

? [command_keyword], help [command_keyword]

A ? by itself will print a list of all the command keywords known to ntpq. A ? followed by a command keyword will print function and usage information about the command.

addvars name [ = value] [...]; rmvars name [...]; clearvars

The arguments to this command consist of a list of items of the form name = value, where the = value is ignored and can be omitted in read requests. ntpq maintains an internal list in which data to be included in control messages can be assembled and sent using the readlist and writelist commands described below. The addvars command allows variables and optional values to be added to the list. If more than one variable is to be added, the list should be comma-separated and not contain white space. The rmvars command can be used to remove individual variables from the list, while the clearlist command removes all variables from the list.

authenticate [yes | no]

Normally ntpq does not authenticate requests unless they are write requests. The command authenticate yes causes ntpq to send authentication with all requests it makes. Authenticated requests causes some servers to handle requests slightly differently. The command authenticate without arguments causes ntpq to display whether or not ntpq is currently authenticating requests.

cooked

Display server messages in prettyprint format.

debug more | less | off

Turns internal query program debugging on and off.

noflake, +doflake probability

Disables or enables the dropping of control packets by ntpq for testing. Probabilities 0 and 1 should be certainly accepted and discarded respectively. No default, but 0.1 should be a one in ten loss rate.

logfile <stderr> | filename

Displays or sets the file for debug logging. <stderr> will send logs to standard error.

delay milliseconds

Specify a time interval to be added to timestamps included in requests which require authentication; this is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. The server does not now require timestamps in authenticated requests so that this command may be obsolete.

exit

Exit ntpq.

host name

Set the host to which future queries will be sent. The name may be either a DNS name or a numeric address.

hostnames [yes | no]

If yes is specified, host names are printed in information displays. If no is specified, numeric addresses are printed instead. The default is yes unless modified using the command line -n switch.

keyid keyid

This command specifies the key number to be used to authenticate configuration requests; this must correspond to a key ID configured with the controlkey command in the server’s ntp.conf

keytype

Specify the digest algorithm to use for authenticated requests, with default MD5. The keytype must match what the server is expecting for the specified key ID.

ntpversion 1 | 2 | 3 | 4

Sets the NTP version number which ntpq claims in packets. Defaults to 2, Note that mode 6 control messages (and modes, for that matter) didn’t exist in NTP version 1.

passwd

This command prompts for a password to authenticate requests. The password must match what the server is expecting. Passwords longer than 20 bytes are assumed to be hex encoding.

quit

Exit ntpq.

raw

Display server messages as received and without reformatting. The only formatting/interpretation done on the data is to transform non-ASCII data into a printable (but barely understandable) form.

timeout milliseconds

Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. Note that since ntpq retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set.

units

Toggle whether times in the peers display are shown with units.

version

Print the version of the ntpq program.

Association IDs are used to identify system, peer and clock variables. System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. Most control commands send a single mode 6 message to the server and expect a single response message. The exceptions are the peers command, which sends a series of messages, and the mreadlist and mreadvar commands, which iterate over a range of associations.

associations

Display a list of mobilized associations in the form

ind assid status conf reach auth condition last_event cnt
Variable Description
ind index on this list
assid association ID
status peer status word <decode.html#peer>
conf yes: persistent, no: ephemeral
reach yes: reachable, no: unreachable
auth ok, yes, bad and none
condition selection status (see the select field of the peer status word <decode.html#peer>)
last_event event report (see the event field of the peer <decode.html#peer> status word" )
cnt event count (see the count field of the peer <decode.html#peer> status word" )

authinfo

Display the authentication statistics.

clockvar assocID [name [ = value [...] ][...], cv assocID [name [ = value [...] ][...]

Display a list of clock variables <#clock> for those associations supporting a reference clock.

:config [...]

Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.

config-from-file filename

Send each line of filename to the server as run-time configuration commands in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is required.

ifstats

Display statistics for each local network address. Authentication is required.

iostats

Display network and reference clock I/O statistics.

kerninfo

Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.

lassociations

Perform the same function as the associations command, except display mobilized and unmobilized associations.

lpeers [-4 | -6]

Print a peer spreadsheet for the appropriate IP version(s). dstadr (associated with any given IP version).

monstats

Display monitor facility statistics.

direct

Normally, the mrulist command retrieves an entire MRU report (possibly consisting of more than one MRU span), sorts it, and presents the result. But attempting to fetch an entire MRU report may fail on a server so loaded that none of its MRU entries age out before they are shipped. With this option, each segment is reported as it arrives.

mrulist [limited | kod | mincount=count | mindrop=drop | minscore=score | maxlstint=seconds | minlstint=seconds | laddr=localaddr | sort=sortorder | resany=hexmask | resall=hexmask | limit=limit | addr.num=address]

Obtain and print traffic counts collected and maintained by the monitor facility. This is useful for tracking who uses or abuses your server.

Except for sort=sortorder, the options filter the list returned by ntpd. The limited and kod options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. the addr.num= option adds specific addresses to retrieve when limit=1. Values of 0 to 15 are supported for num. Also, used internally with last.num=hextime to select the starting point for retrieving continued response. the frags=frags option limits the number of datagrams (fragments) in response. Used by newer ntpq versions instead of limit= when retrieving multiple entries. The limit= option limits the MRU entries returned per response. limit=1 is a special case: Instead of fetching beginning with the supplied starting points (provided by a last.x and addr.x where 0 ⇐ x ⇐ 15, default the beginning of time) newer neighbor, fetch the supplied entries. This enables fetching multiple entries from given IP addresses (provided by addr.x= entries where 0 ⇐ x ⇐ 15). When limit is not one and frags= is provided, the fragment limit controls. NOTE: a single mrulist command may cause many query/response rounds allowing limits as low as 3 to potentially retrieve thousands of entries in responses. The mincount=count option filters out entries that have received less than count packets. The mindrop=drop option filters out entries that have dropped less than drop packets. The minscore=score option filters out entries with a score less than score. The maxlstint=seconds option filters out entries where no packets have arrived within seconds. The minlstint=seconds option filters out entries with a packet has arrived within seconds. The laddr=localaddr option filters out entries for packets received on any local address other than localaddr. resany=hexmask and resall=hexmask filter entries containing none or less than all, respectively, of the bits in hexmask, which must begin with 0x.

The sortorder defaults to lstint and may be any of addr, count, avgint, lstint, score, drop or any of those preceded by a minus sign (hyphen) to reverse the sort order. The output columns are:

Column Description
lstint Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by ntpq.
avgint Average interval in s between packets from this address.
rstr Restriction flags associated with this address. Most are copied unchanged from the matching restrict command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
r Rate control indicator, either a period, L or K for no rate control response, rate limiting by discarding, or rate limiting with a KoD response, respectively.
m Packet mode.
v Packet version number.
count Packets received from this address.
score Packets per second (averaged with exponential decay).
drop Packets dropped (or KoDed) from this address.
rport Source port of last packet from this address.
remote address DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses.

mreadvar assocID assocID [ variable_name [ = value[ ... ], mrv assocID assocID [ variable_name [ = value[ ... ]

Perform the same function as the readvar command, except for a range of association IDs. This range is determined from the association list cached by the most recent associations command.

opeers

Obtain and print the old-style list of all peers and clients showing dstadr (associated with any given IP version), rather than the refid.

passociations

Perform the same function as the associations command, except that it uses previously stored data rather than making a new query.

peers

Display a list of peers in the form

tally remote refid st t when pool reach delay offset jitter

Variable Description
tally single-character code indicating current value of the select field of the peer status word <decode.html#peer>
remote host name (or IP number) of peer
refid association ID or kiss code <decode.html#kiss>
st stratum
t u: unicast or manycast client, l: local (reference clock), s: symmetric (peer), server, B: broadcast server, 1-8 NTS unicast with this number of cookies stored.
when sec/min/hr since last received packet
poll poll interval (log2 s)
reach reach shift register (octal)
delay roundtrip delay
offset offset of server relative to this host
jitter jitter

The tally code is one of the following:

Code Description
discarded as not valid
x discarded by intersection algorithm
. discarded by table overflow (not used)
- discarded by the cluster algorithm
+ included by the combine algorithm
# backup (more than tos maxclock sources)
* system peer
o PPS peer (when the prefer peer is valid)

apeers

Display a list of peers in the form:

[tally]remote refid assid st t when pool reach delay offset jitter

where the output is just like the peers command except that the refid is displayed in hex format and the association number is also displayed.

rpeers

Display a list of peers in the form

st t when pool reach delay offset jitter refid tally remote

pstats assocID

Show the statistics for the peer with the given assocID.

readvar assocID [ name ] [,...], rv assocID [ name ] [,...]

Display the specified variables. If assocID is zero, the variables are from the system variables <#system> name space, otherwise they are from the peer variables <#peer> name space. The assocID is required, as the same name can occur in both spaces. If no name is included, all operative variables in the name space are displayed. In this case only, if the assocID is omitted, it is assumed zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format YYYYMMDDTTTT, where YYYY is the year, MM the month of the year, DD the day of the month and TTTT the time of day.

reslist

Show the access control (restrict) list for ntpq.

timerstats

Display interval timer counters.

writelist assocID

Write the system or peer variables included in the variable list.

writevar assocID name = value [,...]

Write the specified variables. If the assocID is zero, the variables are from the system variables <#system> name space, otherwise they are from the peer variables <#peer> name space. The assocID is required, as the same name can occur in both spaces.

sysinfo

Display operational summary.

sysstats

Print statistics counters maintained in the protocol module. Note that the relationships among these counters can look unlikely because packets can get flagged for inclusion in exception statistics in more than one way, for example by having both a bad length and an old version.

ntsinfo

Display a summary of the NTS state, including both the the NTS client and NTS server components. Note that the format of the output text may change as this feature is developed. This command is experimental until further notice and clarification.

Four commands require authentication to the server: config-from-file, config, ifstats, and reslist. An authkey file must be in place and a control key declared in ntp.conf for these commands to work.

If you are running as root or otherwise have read access to the authkey and ntp.conf file, ntpq will mine the required credentials for you. Otherwise, you will be prompted to enter a key ID and password.

Credentials once entered, are retained and used for the duration of your ntpq session.

The current state of the operating program is shown in a set of status words maintained by the system and each association separately. These words are displayed in the rv and as commands both in hexadecimal and decoded short tip strings. The codes, tips, and short explanations are on the Event Messages and Status Words <decode.html> page. The page also includes a list of system and peer messages, the code for the latest of which is included in the status word.

Information resulting from protocol machine state transitions is displayed using an informal set of ASCII strings called kiss codes <decode.html#kiss>. The original purpose was for kiss-o'-death (KoD) packets sent by the server to advise the client of an unusual condition. They are now displayed, when appropriate, in the reference identifier field in various billboards.

The following system variables appear in the rv billboard. Not all variables are displayed in some configurations.

Variable Description
status system status word <decode.html#sys>
version NTP software version and build time
processor hardware platform and version
system operating system and version
leap leap warning indicator (0-3)
stratum stratum (1-15)
precision precision (log2 s)
rootdelay total roundtrip delay to the primary reference clock
rootdisp total dispersion to the primary reference clock
peer system peer association ID
tc time constant and poll exponent (log2 s) (3-17)
mintc minimum time constant (log2 s) (3-10)
clock date and time of day
refid reference ID or kiss code <decode.html#kiss>
reftime reference time
offset combined offset of server relative to this host
sys_jitter combined system jitter
frequency frequency offset (PPM) relative to hardware clock
clk_wander clock frequency wander (PPM)
clk_jitter clock jitter
tai TAI-UTC offset (s)
leapsec NTP seconds when the next leap second is/was inserted
expire NTP seconds when the NIST leapseconds file expires

The jitter and wander statistics are exponentially-weighted RMS averages. The system jitter is defined in the NTPv4 specification; the clock jitter statistic is computed by the clock discipline module.

The following peer variables appear in the rv billboard for each association. Not all variables are displayed in some configurations.

Variable Description
associd association ID
status peer status word <decode.html#peer>
srcadr srcport source (remote) IP address and port
dstadr dstport destination (local) IP address and port
leap leap indicator (0-3)
stratum stratum (0-15)
precision precision (log2 s)
rootdelay total roundtrip delay to the primary reference clock
rootdisp total root dispersion to the primary reference clock
refid reference ID or kiss code <decode.html#kiss>
reftime reference time
reach reach register (octal)
unreach unreach counter
hmode host mode (1-6)
pmode peer mode (1-5)
hpoll host poll exponent (log2 s) (3-17)
ppoll peer poll exponent (log2 s) (3-17)
headway headway (see Rate Management and <rate.html> the Kiss-o'-Death Packet)"
flash flash status word <decode.html#flash>
offset filter offset
delay filter delay
dispersion filter dispersion
jitter filter jitter
bias fudge for asymmetric links/paths

The following clock variables appear in the cv billboard for each association with a reference clock. Not all variables are displayed in some configurations.

Variable Description
associd association ID
status clock status word <decode.html#clock>
device device description
timecode ASCII time code string (specific to device)
poll poll messages sent
noreply no reply
badformat bad format
baddata bad date or time
fudgetime1 fudge time 1
fudgetime2 fudge time 2
stratum driver stratum
refid driver reference ID
flags driver flags

When listing refids, addresses of the form 127.127.x.x are no longer automatically interpreted as local refclocks as in older versions of ntpq. Instead, a clock-format display is requested by the NTPsec daemon when appropriate (by setting the srcaddr peer variable). This means that when used to query legacy versions of ntpd, which do not know how to request this, this program will do a slightly wrong thing.

In older versions, the type variable associated with a reference clock was a numeric driver type index. It has been replaced by name, a shortname for the driver type.

In older versions, no count of control packets was listed under sysstats.

The -O (--old-rv) option of legacy versions has been retired.

It is possible for a ":config unpeer" command to fail silently, yielding "Config Succeeded", if it is given a peer identifier that looks like a driver type name or a hostname not present in the peer list. The error will, however, be reported in the system log.

The config command cannot be used to change a server’s default restrictions.

Under some circumstances python 2 cannot emit unicode. When true, the display of units is downgraded to non-unicode alternatives. One place a user is likely to encounter this is when diverting output through a pipe. Attempts have been made to force the use of UTF-8, all of which break the command history feature.

When using the -u option, very old xterms may fail to render &mu; correctly. If this happens, be sure your xterm is started with the -u8 option, or the utf8 resource', and that your console font contains the UTF-8 &mu; character. Also confirm your LANG environment variable is set to a UTF-8 language, like this: "export LANG=en_US.utf8".

Timestamp interpretation in this program is likely to fail in flaky ways if the local system clock has not already been approximately synchronized to UTC. Querying a server based in a different NTP era than the current one is especially likely to fail.

This program will behave in apparently buggy and only semi-predictable ways when fetching MRU lists from any server with sufficiently high traffic.

The problem is fundamental. The Mode 6 protocol can’t ship (and your client cannot accept) MRU records as fast as the daemon accepts incoming traffic. Under these circumstances, the daemon will repeatedly fail to ship an entire report, leading to long hangs as your client repeatedly re-sends the request. Eventually the Mode 6 client library will throw an error indicating that a maximum number of restarts has been exceeded.

To avoid this problem, avoid monitoring over links that don’t have enough capacity to handle the monitored server’s entire NTP load.

You may be able to retrieve partial data in very high-traffic conditions by using the direct option.

One of the following exit values will be returned:

0 (EXIT_SUCCESS)

Successful program execution.

1 (EXIT_FAILURE)

The operation failed or the command syntax was not valid.
2023-07-29 NTPsec