from Pogo, Walt Kelly

A typical NTP monitoring packet

1. Manual Pages

2. Table of Contents

3. Synopsis

ntpq [-46adhinpkwWu] [-c command] [host] […​]

4. Description

The ntpq utility program is used to monitor NTP daemon ntpd operations and determine performance. It uses the standard NTP mode 6 control message formats defined in Appendix B of the NTPv3 specification RFC 1305. The same formats are used in NTPv4, although some of the variable names have changed, and new ones added. The description on this page is for the NTPv4 variables.

The program can be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary variables can be assembled, with raw and pretty-printed output options being available. It can also obtain and print a list of peers in a common format by sending multiple queries to the server.

If one or more request options are included on the command line when ntpq is executed, each of the requests will be sent to the NTP servers running on each of the hosts given as command line arguments, or on localhost by default. If no request options are given, ntpq will attempt to read commands from the standard input and execute these on the NTP server running on the first host given on the command line, again defaulting to localhost when no other host is specified. ntpq will prompt for commands if the standard input is a terminal device.

ntpq uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on the network which permits it. Note that since NTP is a UDP protocol this communication will be somewhat unreliable, especially over large distances in terms of network topology. ntpq makes one attempt to retransmit requests and will time requests out if the remote host is not heard from within a suitable timeout time.

Note that in contexts where a host name is expected, a -4 qualifier preceding the host name forces DNS resolution to the IPv4 namespace, while a -6 qualifier forces DNS resolution to the IPv6 namespace.

For examples and usage, see the NTP Debugging Techniques page.

For a simpler near-real-time monitor, see ntpmon(1).

5. Options

Command line options are described following. Specifying the command line options -c or -p will cause the specified query (queries) to be sent to the indicated host(s) immediately. Otherwise, ntpq will attempt to read interactive format commands from the standard input.

-4, --ipv4

Force DNS resolution of following host names on the command line to the IPv4 namespace.

-6, --ipv6

Force DNS resolution of following host names on the command line to the IPv6 namespace.

-a num, --authentication=num

Enable authentication with the numbered key.

-c cmd, --command=cmd

The following argument is interpreted as an interactive format command and is added to the list of commands to be executed on the specified host(s). Multiple -c options may be given.

-d, --debug

Increase debugging level by 1.

-D num, --set-debug-level=num

The debug level is set to the following integer argument.

-l filename, --logfile=filename

Log debugging output to the specified file.

-h, --help

Print a usage message summarizing options end exit.

-n, --numeric

Output all host addresses in numeric format rather than converting to the canonical host names. You may get hostnames anyway for peers in the initialization phase before DNS has resolved the peer name.

-s, --srcname

Output host addresses by: Names passed to ntpd, then names reverse resolved from addresses and finally, IP addresses themselves

-S, --srcnumber

Output host addresses by: Names passed to ntpd, then IP addresses themselves

-p, --peers

Print a list of the peers known to the server as well as a summary of their state; this is equivalent to the peers interactive command. The refid field is as described under "Event Messages and Status Words" in the NTP documentation on the Web.

-k filename, --keyfile=filename

Specify a keyfile. ntpq will look in this file for the key specified with -a.

-V, --version

Print the version string and exit.

-w, --wide

Wide mode: if the host name or IP Address doesn’t fit, write the full name/address and indent the next line, so columns line up. The default truncates the name or address.

-W num, --width=num

Force the terminal width. Only relevant for composition of the peers display.

-u, --units

Display timing information with units.

6. Internal Commands

Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. The output of a command is normally sent to the standard output, but optionally the output of individual commands may be sent to a file by appending a >, followed by a file name, to the command line. Some interactive format commands are executed entirely within the ntpq program itself and do not result in NTP mode 6 requests being sent to a server. These are described as following.

? [command_keyword]
help [command_keyword]

A ? by itself will print a list of all the command keywords known to ntpq. A ? followed by a command keyword will print function and usage information about the command.

addvars name [ = value] […​]; rmvars name […​]; clearvars

The arguments to this command consist of a list of items of the form name = value, where the = value is ignored and can be omitted in read requests. ntpq maintains an internal list in which data to be included in control messages can be assembled and sent using the readlist and writelist commands described below. The addvars command allows variables and optional values to be added to the list. If more than one variable is to be added, the list should be comma-separated and not contain white space. The rmvars command can be used to remove individual variables from the list, while the clearlist command removes all variables from the list.

authenticate [yes | no]

Normally ntpq does not authenticate requests unless they are write requests. The command authenticate yes causes ntpq to send authentication with all requests it makes. Authenticated requests causes some servers to handle requests slightly differently. The command authenticate without arguments causes ntpq to display whether or not ntpq is currently authenticating requests.


Display server messages in prettyprint format.

debug more | less | off

Turns internal query program debugging on and off.

+doflake probability

Disables or enables the dropping of control packets by ntpq for testing. Probabilities 0 and 1 should be certainly accepted and discarded respectively. No default, but 0.1 should be a one in ten loss rate.

logfile <stderr> | filename

Displays or sets the file for debug logging. <stderr> will send logs to standard error.

delay milliseconds

Specify a time interval to be added to timestamps included in requests which require authentication; this is used to enable (unreliable) server reconfiguration over long delay network paths or between machines whose clocks are unsynchronized. The server does not now require timestamps in authenticated requests so that this command may be obsolete.


Exit ntpq.

host name

Set the host to which future queries will be sent. The name may be either a DNS name or a numeric address.

hostnames [yes | no]

If yes is specified, host names are printed in information displays. If no is specified, numeric addresses are printed instead. The default is yes unless modified using the command line -n switch.

keyid keyid

This command specifies the key number to be used to authenticate configuration requests; this must correspond to a key ID configured with the controlkey command in the server’s ntp.conf


Specify the digest algorithm to use for authenticated requests, with default MD5. The keytype must match what the server is expecting for the specified key ID.

ntpversion 1 | 2 | 3 | 4

Sets the NTP version number which ntpq claims in packets. Defaults to 2, Note that mode 6 control messages (and modes, for that matter) didn’t exist in NTP version 1.


This command prompts for a password to authenticate requests. The password must match what the server is expecting. Passwords longer than 20 bytes are assumed to be hex encoding.


Exit ntpq.


Display server messages as received and without reformatting. The only formatting/interpretation done on the data is to transform non-ASCII data into a printable (but barely understandable) form.

timeout milliseconds

Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. Note that since ntpq retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set.


Toggle whether times in the peers display are shown with units.


Print the version of the ntpq program.

7. Control Message Commands

Association IDs are used to identify system, peer and clock variables. System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. Most control commands send a single mode 6 message to the server and expect a single response message. The exceptions are the peers command, which sends a series of messages, and the mreadlist and mreadvar commands, which iterate over a range of associations.


Display a list of mobilized associations in the form

ind assid status conf reach auth condition last_event cnt




index on this list


association ID


peer status word


yes: persistent, no: ephemeral


yes: reachable, no: unreachable


ok, yes, bad and none


selection status (see the select field of the peer status word)


event report (see the event field of the peer status word)


event count (see the count field of the peer status word)


Display the authentication statistics.

clockvar assocID [name [ = value […​] ][…​]
cv assocID [name [ = value […​] ][…​]

Display a list of clock variables for those associations supporting a reference clock.

:config […​]

Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.

config-from-file filename

Send each line of filename to the server as run-time configuration commands in the same format as the configuration file. This command is experimental until further notice and clarification. Authentication is required.


Display statistics for each local network address. Authentication is required.


Display network and reference clock I/O statistics.


Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.


Perform the same function as the associations command, except display mobilized and unmobilized associations.

lpeers [-4 | -6]

Print a peer spreadsheet for the appropriate IP version(s). dstadr (associated with any given IP version).


Display monitor facility statistics.


Normally, the mrulist command retrieves an entire MRU report (possibly consisting of more than one MRU span), sorts it, and presents the result. But attempting to fetch an entire MRU report may fail on a server so loaded that none of its MRU entries age out before they are shipped. With this option, each segment is reported as it arrives.

mrulist [limited | kod | mincount=count | mindrop=drop | minscore=score | maxlstint=seconds | minlstint=seconds | laddr=localaddr | sort=sortorder | resany=hexmask | resall=hexmask | limit=limit | addr.num=address]

Obtain and print traffic counts collected and maintained by the monitor facility. This is useful for tracking who uses or abuses your server.

Except for sort=sortorder, the options filter the list returned by ntpd. The limited and kod options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. the addr.num= option adds specific addresses to retrieve when limit=1. Values of 0 to 15 are supported for num. Also, used internally with last.num=hextime to select the starting point for retrieving continued response. the frags=frags option limits the number of datagrams (fragments) in response. Used by newer ntpq versions instead of limit= when retrieving multiple entries. The limit= option limits the MRU entries returned per response. limit=1 is a special case: Instead of fetching beginning with the supplied starting points (provided by a last.x and addr.x where 0 ⇐ x ⇐ 15, default the beginning of time) newer neighbor, fetch the supplied entries. This enables fetching multiple entries from given IP addresses (provided by addr.x= entries where 0 ⇐ x ⇐ 15). When limit is not one and frags= is provided, the fragment limit controls. NOTE: a single mrulist command may cause many query/response rounds allowing limits as low as 3 to potentially retrieve thousands of entries in responses. The mincount=count option filters out entries that have received less than count packets. The mindrop=drop option filters out entries that have dropped less than drop packets. The minscore=score option filters out entries with a score less than score. The maxlstint=seconds option filters out entries where no packets have arrived within seconds. The minlstint=seconds option filters out entries with a packet has arrived within seconds. The laddr=localaddr option filters out entries for packets received on any local address other than localaddr. resany=hexmask and resall=hexmask filter entries containing none or less than all, respectively, of the bits in hexmask, which must begin with 0x.

The sortorder defaults to lstint and may be any of addr, count, avgint, lstint, score, drop or any of those preceded by a minus sign (hyphen) to reverse the sort order. The output columns are:




Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by ntpq.


Average interval in s between packets from this address.


Restriction flags associated with this address. Most are copied unchanged from the matching restrict command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.


Rate control indicator, either a period, L or K for no rate control response, rate limiting by discarding, or rate limiting with a KoD response, respectively.


Packet mode.


Packet version number.


Packets received from this address.


Packets per second (averaged with exponential decay).


Packets dropped (or KoDed) from this address.


Source port of last packet from this address.

remote address

DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses.

mreadvar assocID assocID [ variable_name [ = value[ …​ ]
mrv assocID assocID [ variable_name [ = value[ …​ ]

Perform the same function as the readvar command, except for a range of association IDs. This range is determined from the association list cached by the most recent associations command.


Obtain and print the old-style list of all peers and clients showing dstadr (associated with any given IP version), rather than the refid.


Perform the same function as the associations command, except that it uses previously stored data rather than making a new query.


Display a list of peers in the form

tally remote refid st t when pool reach delay offset jitter




single-character code indicating current value of the select field of the peer status word


host name (or IP address) of server


association ID or kiss code




u: server (u for unicast), l: local (reference clock), p: Pool name, 1-8 NTS server with this number of cookies stored.


sec/min/hr since last received packet


poll interval (log2 s)


reach shift register (octal)


roundtrip delay


offset of server relative to this host



The t column has strange encodings due to historical use by old code. If you are looking at an old server, you might also see: s: symmetric (peer), server, B: broadcast server,

The tally code is one of the following:



discarded as not valid


discarded by intersection algorithm


discarded by table overflow (not used)


discarded by the cluster algorithm


included by the combine algorithm


backup (more than tos maxclock sources)


system peer


PPS peer (when the prefer peer is valid)


Display a list of peers in the form:

[tally]remote refid assid st t when pool reach delay offset jitter

where the output is just like the peers command except that the refid is displayed in hex format and the association number is also displayed.


Display a list of peers in the form

st t when pool reach delay offset jitter refid tally remote

pstats assocID

Show the statistics for the peer with the given assocID.

readvar assocID [ name ] [,…​]
rv assocID [ name ] [,…​]

Display the specified variables. If assocID is zero, the variables are from the system variables name space, otherwise they are from the peer variables name space. The assocID is required, as the same name can occur in both spaces. If no name is included, all operative variables in the name space are displayed. In this case only, if the assocID is omitted, it is assumed zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format YYYYMMDDTTTT, where YYYY is the year, MM the month of the year, DD the day of the month and TTTT the time of day.


Show the access control (restrict) list for ntpq.


Display interval timer counters.

writelist assocID

Write the system or peer variables included in the variable list.

writevar assocID name = value [,…​]

Write the specified variables. If the assocID is zero, the variables are from the system variables name space, otherwise they are from the peer variables name space. The assocID is required, as the same name can occur in both spaces.


Display operational summary.


Print statistics counters maintained in the protocol module. Note that the relationships among these counters can look unlikely because packets can get flagged for inclusion in exception statistics in more than one way, for example by having both a bad length and an old version.


Display a summary of the MS-SNTP traffic to a Samba server. This won’t work unless the server you are looking at was built with the --enable-mssntp option.


Display a summary of the NTS state, including both the the NTS client and NTS server components. Note that the format of the output text may change as this feature is developed. This command is experimental until further notice and clarification.

8. Authentication

Four commands require authentication to the server: config-from-file, config, ifstats, and reslist. An authkey file must be in place and a control key declared in ntp.conf for these commands to work.

If you are running as root or otherwise have read access to the authkey and ntp.conf file, ntpq will mine the required credentials for you. Otherwise, you will be prompted to enter a key ID and password.

Credentials once entered, are retained and used for the duration of your ntpq session.

9. Status Words and Kiss Codes

The current state of the operating program is shown in a set of status words maintained by the system and each association separately. These words are displayed in the rv and as commands both in hexadecimal and decoded short tip strings. The codes, tips, and short explanations are on the Event Messages and Status Words page. The page also includes a list of system and peer messages, the code for the latest of which is included in the status word.

Information resulting from protocol machine state transitions is displayed using an informal set of ASCII strings called kiss codes. The original purpose was for kiss-o'-death (KoD) packets sent by the server to advise the client of an unusual condition. They are now displayed, when appropriate, in the reference identifier field in various billboards.

10. System Variables

The following system variables appear in the rv billboard. Not all variables are displayed in some configurations.




system status word


NTP software version and build time


hardware platform and version


operating system and version


leap warning indicator (0-3)


stratum (1-15)


precision (log2 s)


total roundtrip delay to the primary reference clock


total dispersion to the primary reference clock


system peer association ID


time constant and poll exponent (log2 s) (3-17)


minimum time constant (log2 s) (3-10)


date and time of day


reference ID or kiss code


reference time


combined offset of server relative to this host


combined system jitter


frequency offset (PPM) relative to hardware clock


clock frequency wander (PPM)


clock jitter


TAI-UTC offset (s)


NTP seconds when the next leap second is/was inserted


NTP seconds when the NIST leapseconds file expires

The jitter and wander statistics are exponentially-weighted RMS averages. The system jitter is defined in the NTPv4 specification; the clock jitter statistic is computed by the clock discipline module.

11. Peer Variables

The following peer variables appear in the rv billboard for each association. Not all variables are displayed in some configurations.




association ID


peer status word

srcadr srcport

source (remote) IP address and port

dstadr dstport

destination (local) IP address and port


leap indicator (0-3)


stratum (0-15)


precision (log2 s)


total roundtrip delay to the primary reference clock


total root dispersion to the primary reference clock


reference ID or kiss code


reference time


reach register (octal)


unreach counter


host mode (1-6)


peer mode (1-5)


host poll exponent (log2 s) (3-17)


peer poll exponent (log2 s) (3-17)


headway (see Rate Management and the Kiss-o'-Death Packet)


flash status word


filter offset


filter delay


filter dispersion


filter jitter


fudge for asymmetric links/paths

12. Clock Variables

The following clock variables appear in the cv billboard for each association with a reference clock. Not all variables are displayed in some configurations.




association ID


clock status word


device description


ASCII time code string (specific to device)


poll messages sent


no reply


bad format


bad date or time


fudge time 1


fudge time 2


driver stratum


driver reference ID


driver flags

13. Compatibility

When listing refids, addresses of the form 127.127.x.x are no longer automatically interpreted as local refclocks as in older versions of ntpq. Instead, a clock-format display is requested by the NTPsec daemon when appropriate (by setting the srcaddr peer variable). This means that when used to query legacy versions of ntpd, which do not know how to request this, this program will do a slightly wrong thing.

In older versions, the type variable associated with a reference clock was a numeric driver type index. It has been replaced by name, a shortname for the driver type.

In older versions, no count of control packets was listed under sysstats.

The -O (--old-rv) option of legacy versions has been retired.

14. Known Limitations

It is possible for a ":config unpeer" command to fail silently, yielding "Config Succeeded", if it is given a peer identifier that looks like a driver type name or a hostname not present in the peer list. The error will, however, be reported in the system log.

The config command cannot be used to change a server’s default restrictions.

Under some circumstances python 2 cannot emit unicode. When true, the display of units is downgraded to non-unicode alternatives. One place a user is likely to encounter this is when diverting output through a pipe. Attempts have been made to force the use of UTF-8, all of which break the command history feature.

When using the -u option, very old xterms may fail to render μ correctly. If this happens, be sure your xterm is started with the -u8 option, or the utf8 resource', and that your console font contains the UTF-8 μ character. Also confirm your LANG environment variable is set to a UTF-8 language, like this: "export LANG=en_US.utf8".

Timestamp interpretation in this program is likely to fail in flaky ways if the local system clock has not already been approximately synchronized to UTC. Querying a server based in a different NTP era than the current one is especially likely to fail.

This program will behave in apparently buggy and only semi-predictable ways when fetching MRU lists from any server with sufficiently high traffic.

The problem is fundamental. The Mode 6 protocol can’t ship (and your client cannot accept) MRU records as fast as the daemon accepts incoming traffic. Under these circumstances, the daemon will repeatedly fail to ship an entire report, leading to long hangs as your client repeatedly re-sends the request. Eventually the Mode 6 client library will throw an error indicating that a maximum number of restarts has been exceeded.

To avoid this problem, avoid monitoring over links that don’t have enough capacity to handle the monitored server’s entire NTP load.

You may be able to retrieve partial data in very high-traffic conditions by using the direct option.

15. Mode 6 Protocol

The Mode 6 protocol used by ntpq to communicate with ntpd is described here.

homeHome Page

sitemapSite Map