
In the past I mostly used tcptraceroute to check http and ssh.

Now I need to check if my host can reach the NTP server.

Is this possible at all?

I have two machines.

At application level I see: Machine qual can't reach the ntp server, and machine prod can reach the ntp server.

If I run this command, the output of both is equal:

Prod:

prod:(/root/home/root)(root)#traceroute -U -p ntp 30.252.33.1
traceroute to 30.252.33.1 (30.252.33.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *

Qual:

qual:~ # traceroute -U -p ntp 30.252.33.1
traceroute to 30.252.33.1 (30.252.33.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *

I guess the NTP server just drops the UDP packets from traceroute, and traceroute receives no answer.

(for TCP based services this works fine, since there is some "connection established" reply).

Is it possible to check ntp at network level with networking tools like traceroute?

If not, how to check if a machine can reach the ntp server?

guettli

1 Answer

2

"Check ntp" should be done with NTP aware utilities. Both ntpd and chrony report the success of the last few packets as the "reach" register.


"Is a port open on the remote host" can be answered with a port scanner.

$ sudo nmap -6 -sU -p 123 2.pool.ntp.org

Starting Nmap 6.40 ( http://nmap.org ) at 2019-05-03 16:55 UTC
Nmap scan report for 2.pool.ntp.org (2600:3c01::f03c:91ff:fec8:5c8)
Host is up (0.067s latency).
Other addresses for 2.pool.ntp.org (not scanned): 2607:f3c8:3803:1::6 2001:19f0:8001:1de:5400:ff:fe60:f647 2001:4998:c:1028::1001
rDNS record for 2600:3c01::f03c:91ff:fec8:5c8: chl.la
PORT    STATE SERVICE
123/udp open  ntp

Nmap done: 1 IP address (1 host up) scanned in 0.38 seconds

"Find a path to a host" can be answered with tracepath or traceroute style utilities. These require ICMP responses to be accurate, which may be excessively filtered on various networks.

$ tracepath6 -b  2.pool.ntp.org
 1?: [LOCALHOST]                        0.007ms pmtu 1500
 1:  2600:3c03::8678:acff:fe0d:97c1 (2600:3c03::8678:acff:fe0d:97c1)   1.537ms
 1:  2600:3c03::8678:acff:fe0d:97c1 (2600:3c03::8678:acff:fe0d:97c1)   4.161ms
 2:  2600:3c03:6666:12::1 (2600:3c03:6666:12::1)           3.062ms
 3:  2600:3c03:6666:5::2 (2600:3c03:6666:5::2)             1.075ms asymm  2
 4:  2001:678:34c:56::2 (2001:678:34c:56::2)              26.746ms asymm  3
 5:  2001:678:34c:6a::1 (2001:678:34c:6a::1)              35.811ms asymm  4
 6:  2001:678:34c:52::2 (2001:678:34c:52::2)              67.198ms asymm  3
 7:  2600:3c01:3333:3::2 (2600:3c01:3333:3::2)            67.826ms asymm  5
 8:  chl.la (2600:3c01::f03c:91ff:fec8:5c8)               67.376ms reached
     Resume: pmtu 1500 hops 8 back 5

Work forward and backward in the path until you find what happened to your packets. For example, check that the NTP server's configuration files allow your host, and also check all firewalls on the path.

John Mahowald
  • Thank you for your answer. In other words: You can't check if a UDP port is accessible with traceroute/tracepath. This works for TCP, but not for UDP. Is this correct? – guettli May 07 '19 at 08:27
  • Not quite. Connection tests are to check if a port is open. Traceroute/tracepath are to find the route to a host, not any particular port on the host. Different purposes. The tricks trace{path,route} use can be UDP, TCP, or raw ICMP based. – John Mahowald May 07 '19 at 21:13
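The answer's point is that an NTP-aware check is the only one that tells you whether the host can actually talk to the server: a traceroute with all `*` hops proves nothing either way. The following Python script is an added example, not code from the question, the answer, or any NTP project. It sends a single NTP client (mode 3) request and parses the mode 4 reply, distinguishes a normal reply from a Kiss-o'-Death packet (stratum 0 with an ASCII code in the reference ID), and decodes the octal "reach" register that `ntpq -p` and `chronyc sources` print. The host name `ntp.example.invalid` is a placeholder, and `make_sample_reply` builds a constructed reply so the parser can be exercised offline.

```python
"""Application-level NTP reachability probe plus a "reach" register decoder.

Added example for the answer above; not code from the question or answer.
The host name in __main__ is a placeholder and make_sample_reply() produces
constructed bytes for offline testing.
"""
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_EPOCH_OFFSET = 2208988800
NTP_PACKET_SIZE = 48


def build_client_request(version=4):
    """Build a minimal 48-byte NTP client (mode 3) request."""
    pkt = bytearray(NTP_PACKET_SIZE)
    pkt[0] = (0 << 6) | (version << 3) | 3        # LI=0, VN=version, Mode=3
    now = time.time() + NTP_EPOCH_OFFSET
    secs = int(now)
    frac = int((now - secs) * (1 << 32)) & 0xFFFFFFFF
    struct.pack_into("!II", pkt, 40, secs, frac)  # transmit timestamp
    return bytes(pkt)


def parse_server_reply(data):
    """Parse the header fields a reachability check cares about."""
    if len(data) < NTP_PACKET_SIZE:
        raise ValueError("reply shorter than %d bytes" % NTP_PACKET_SIZE)
    mode = data[0] & 0x7
    if mode != 4:
        raise ValueError("expected server reply (mode 4), got mode %d" % mode)
    stratum = data[1]
    # Stratum 0 is a Kiss-o'-Death packet; the reference ID then carries an
    # ASCII code such as RATE (you are polling too often) or DENY.
    kiss_code = data[12:16].decode("ascii", "replace") if stratum == 0 else None
    tx_secs, tx_frac = struct.unpack_from("!II", data, 40)
    return {
        "leap": data[0] >> 6,
        "version": (data[0] >> 3) & 0x7,
        "stratum": stratum,
        "kiss_code": kiss_code,
        "transmit_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / (1 << 32),
    }


def probe_ntp(host, port=123, timeout=2.0):
    """Send one client request; return the parsed reply, or None on timeout.

    None only means no reply arrived in time: the server, a firewall on the
    path, or the server's restrict/allow configuration may all be the cause,
    which is exactly why the answer says to work along the path.
    """
    family, socktype, proto, _, sockaddr = socket.getaddrinfo(
        host, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_client_request(), sockaddr)
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return parse_server_reply(data)


def decode_reach(reach_octal):
    """Decode the 8-bit reach shift register printed in octal by ntpq -p and
    chronyc sources. Bit 0 is the most recent poll; 377 means the last eight
    polls all got a reply, 0 means none did."""
    value = int(str(reach_octal), 8)
    if not 0 <= value <= 0o377:
        raise ValueError("reach must be an octal value between 0 and 377")
    history = [(value >> i) & 1 for i in range(7, -1, -1)]  # oldest poll first
    return {
        "last_poll_ok": bool(value & 1),
        "replies_in_last_8": sum(history),
        "history_oldest_first": history,
    }


def make_sample_reply(stratum=2, tx_secs=3700000000, tx_frac=0x80000000,
                      refid=b"GPS\x00"):
    """Constructed mode 4 server reply for offline testing (not captured)."""
    pkt = bytearray(NTP_PACKET_SIZE)
    pkt[0] = (0 << 6) | (4 << 3) | 4
    pkt[1] = stratum
    pkt[12:16] = refid
    struct.pack_into("!II", pkt, 40, tx_secs, tx_frac)
    return bytes(pkt)


if __name__ == "__main__":
    # Placeholder host: substitute the NTP server your machine should reach.
    try:
        reply = probe_ntp("ntp.example.invalid")
    except socket.gaierror:
        reply = "cannot resolve placeholder host"
    print("no reply within timeout" if reply is None else reply)
```

Run `probe_ntp("<your server>")` from both the prod and qual machines: a parsed reply means the UDP path and the server's access policy both work; a Kiss-o'-Death code means the packets arrive but the server refuses service; `None` means you still have to find where the packets were dropped. `decode_reach` lets a monitoring script turn the `reach` column of `ntpq -p` or `chronyc sources` into a plain success count.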