NTP Peerstats Status Word Secret Decoder Ring

By Thomas Vachon

In /var/log/ntpstats/peerstats you see lines like (I put them in table form for readability - normally space delimited)

Day Seconds Peer IP Peer Status Word Offset Delay Dispersion Skew (variance)
56791 36043.625 8023 -0.000106166 0.000316335 7.946282622 0.000000119
56791 36824.626 9034 0.000068454 0.000453367 7.937500123 0.000000119
56791 36839.626 9034 -0.000027949 0.000240638 7.937500121 0.000000119
56791 37082.626 9034 -0.000047201 0.000307433 3.938467683 0.000115655
56791 37108.626 8023 -0.000128532 0.000392425 7.937500122 0.000000119
56791 37110.626 9034 -0.000071405 0.000344577 3.937507683 0.000057128
56791 37112.626 8023 -0.000142907 0.000267320 1.937515213 0.000051571
56791 38177.626 964a -0.000114107 0.000233899 0.007741648 0.000038685

Decoding Peer Status Word

The Peer Status Word is a multi-byte disaster which represents things to NTP. Normally ntpq -c “associations” shows you this in english but to debug you need to look at the peerstats file which does not reveal.

Decoding the first byte

Using the table below you get the value. For instance 9XXX status means 10+80 (reachable and configured in ntp.conf). 8XXX means It is configured but it is not reachable (80).

Code Message Description
08 bcst broadcast association
10 reach host reachable
20 authenb authentication enabled
40 auth authentication ok
80 config persistent association

Decoding the second byte

Given 96XX the host is reachable and configured (as seen above) the second byte from the table below means it is the system peer (you will also see a * next to it in ntpq -p)

Another example from the sample above is "8023" this means it is configured but it is NOT reachable and it is discarded (see bolded 0 meaning sel_reject)

Code Message T Description
0 sel_reject   discarded as not valid (TEST10-TEST13)
1 sel_falsetick x discarded by intersection algorithm
2 sel_excess . discarded by table overflow (not used)
3 sel_outlyer - discarded by the cluster algorithm
4 sel_candidate + included by the combine algorithm
5 sel_backup # backup (more than tos maxclock sources)
6 sel_sys.peer * system peer
7 sel_pps.peer o PPS peer (when the prefer peer is valid)

Decoding the third and fourth byte

The third byte is the count of occurrences of the 4th byte (event code) and yes that seems backwards to normal thought

The fourth byte as seen below is the event code which is counted by the third byte.

Given the example of "941a" from above we know its configured and reachable its a candidate and there has been one occurrence of becoming a system peer (1 times of a)

Another example is "8023" from above we know its configured but its unreachable and there has been two occurrences of it being unreachable (2 times of 3).

Code Message Description
01 mobilize association mobilized
02 demobilize association demobilized
03 unreachable server unreachable
04 reachable server reachable
05 restart association restart
06 no_reply no server found (ntpdate mode)
07 rate_exceeded rate exceeded (kiss code RATE)
08 access_denied access denied (kiss code DENY)
09 leap_armed leap armed from server LI code
0a sys_peer become system peer
0b clock_event see clock status word
0c bad_auth authentication failure
0d popcorn popcorn spike suppressor
0e interleave_mode entering interleave mode
0f interleave_error interleave error (recovered)