How to monitor the country and type of connection of users connecting to my ntp

Could you recommend software to see these stats? tcpdump can only show the IP, not the country and type of connection.

The type of connection is UDP only…

If you want to know the country you would have to capture the IPs, then match them against existing databases… Like MaxMind or ip2location.

Hello, I just want to add that tcpdump is a general packet dumper, so you might find yourself running tcpdump udp port 123 (it should also take service names).

If anyone is taking notes, the -n tells tcpdump to avoid doing DNS lookups of IP addresses:

tcpdump -n udp port ntp

@Kyle, welcome to the community!
I use the -n flag twice to avoid not only name lookups of IP addresses but also service-name lookups of port numbers.

I prefer to run ntpq -c "hostname no" -c "mrulist" at a regular interval and then use that output for some MaxMind analysis.

I’ve been playing around with something similar.

With some help from Stack Overflow on losing the source port number via this absurd cut/awk magic, I ended up using this for tcpdump to just emit IPs for inbound connections (-Q in):

sudo tcpdump -nn --no-promiscuous-mode port 123 -Q in | cut -d ' ' -f 3 | awk -F. '{ if (NF == 2) { print $1 } else { print $1 FS $2 FS $3 FS $4 }}'

It turns out that when tcpdump is writing to a pipe or file (vs. stdout), it buffers the output, so you’ll see a wave of IPs every second or so, rather than a continual stream.

I’m currently feeding it into a script (too slipshod for me to want to share right now) that opens up a MaxMind GeoIP database (I’m actually using their ASN database to map IPs to networks rather than countries) and then just reads stdin for each IP and builds up counters per network (could just as easily be per country). (Aside: I was doing this because it seemed like Amazon’s AWS was using an inordinate amount of bandwidth. Indeed, they account for about a third of all queries to my US-zone server.)

It’s worth keeping in mind that tcpdump "sits in front of" iptables or ntpd/chronyd’s rate limiting, so monitoring your outbound traffic (-Q out with tcpdump) may give a truer picture of what queries are actually being answered.
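The per-network counting script described in the post above, written out as an added example (this is not the poster's script and not part of the original thread). It reads tcpdump -nn lines from stdin, pulls the source address out of the third field without the cut/awk step (handling both the IP and IP6 line formats), and tallies queries per prefix. The prefix table and the sample tcpdump lines are constructed for the example; in real use the lookup() function would be replaced by a MaxMind lookup such as geoip2.database.Reader("GeoLite2-ASN.mmdb").asn(str(ip)), and the file would be fed from a pipe such as sudo tcpdump -nn -l --no-promiscuous-mode -Q in udp port 123 | python3 ntpcount.py (the -l keeps tcpdump line-buffered so counts update continuously; the script name is assumed).

```python
#!/usr/bin/env python3
"""Tally inbound NTP queries per source network from tcpdump -nn output.

Added example for the thread above; not the poster's code. The prefix table
below stands in for a MaxMind ASN/GeoIP database and the SAMPLE lines are
constructed, so the script runs offline.
"""
import ipaddress
import re
import sys
from collections import Counter

# tcpdump -nn prints "IP src.port > dst.port:" for IPv4 and
# "IP6 src.port > dst.port:" for IPv6 (the port follows the last '.').
LINE_RE = re.compile(r'\b(IP6?) (\S+) > (\S+):')


def source_address(line):
    """Return the source IP of one tcpdump -nn line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    host, dot, _port = m.group(2).rpartition('.')   # strip ".port" for v4 and v6
    if not dot:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


# Constructed stand-in for the ASN database (documentation prefixes, assumed ASNs).
# Real use: reader = geoip2.database.Reader('GeoLite2-ASN.mmdb');
#           reader.asn(str(ip)).autonomous_system_organization
PREFIXES = [
    (ipaddress.ip_network('203.0.113.0/24'), 'AS64496 Example-ISP'),
    (ipaddress.ip_network('198.51.100.0/24'), 'AS64497 Example-Cloud'),
    (ipaddress.ip_network('2001:db8::/32'), 'AS64498 Example-v6'),
]


def lookup(ip):
    """Map an address to a network label; 'unknown' if no prefix matches."""
    for net, label in PREFIXES:
        if ip.version == net.version and ip in net:
            return label
    return 'unknown'


def tally(lines):
    """Count queries per network label and per source IP.

    Returns (by_label, by_ip) as Counters; unparseable lines are skipped.
    """
    by_label, by_ip = Counter(), Counter()
    for line in lines:
        ip = source_address(line)
        if ip is None:
            continue
        by_ip[str(ip)] += 1
        by_label[lookup(ip)] += 1
    return by_label, by_ip


# Constructed sample of tcpdump -nn -Q in output (one malformed line on purpose).
SAMPLE = """\
10:00:01.000001 IP 203.0.113.7.51234 > 192.0.2.1.123: NTPv4, Client, length 48
10:00:01.000452 IP 198.51.100.9.123 > 192.0.2.1.123: NTPv4, Client, length 48
10:00:01.001100 IP6 2001:db8::1.40000 > 2001:db8:ffff::1.123: NTPv4, Client, length 48
10:00:01.002000 IP 203.0.113.7.51234 > 192.0.2.1.123: NTPv4, Client, length 48
garbage line that should be ignored
"""

if __name__ == '__main__':
    # Read from a tcpdump pipe when one is attached; otherwise use the sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    by_label, by_ip = tally(src)
    total = sum(by_label.values()) or 1
    for label, n in by_label.most_common():
        print(f'{n:8d} {100 * n / total:5.1f}%  {label}')
    print('top sources:', by_ip.most_common(5))
```

Because the script counts whatever lines it is given, the same program serves the -Q out variant mentioned above: swap the direction in the tcpdump command and the tallies become "queries actually answered" rather than "queries received".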

You may want to use the -l flag for tcpdump to switch to line buffering.
