In /var/log/ntpstats/peerstats you see lines like (I put them in table form for readability - normally space delimited)
| Day | Seconds | Peer IP | Peer Status Word | Offset | Delay | Dispersion | Skew (variance) |
|---|---|---|---|---|---|---|---|
| 56791 | 36043.625 | 10.39.32.12 | 8023 | -0.000106166 | 0.000316335 | 7.946282622 | 0.000000119 |
| 56791 | 36824.626 | 10.39.32.11 | 9034 | 0.000068454 | 0.000453367 | 7.937500123 | 0.000000119 |
| 56791 | 36839.626 | 10.39.32.12 | 9034 | -0.000027949 | 0.000240638 | 7.937500121 | 0.000000119 |
| 56791 | 37082.626 | 10.39.32.12 | 9034 | -0.000047201 | 0.000307433 | 3.938467683 | 0.000115655 |
| 56791 | 37108.626 | 10.39.32.11 | 8023 | -0.000128532 | 0.000392425 | 7.937500122 | 0.000000119 |
| 56791 | 37110.626 | 10.39.32.12 | 9034 | -0.000071405 | 0.000344577 | 3.937507683 | 0.000057128 |
| 56791 | 37112.626 | 10.39.32.11 | 8023 | -0.000142907 | 0.000267320 | 1.937515213 | 0.000051571 |
| 56791 | 38177.626 | 10.39.32.12 | 964a | -0.000114107 | 0.000233899 | 0.007741648 | 0.000038685 |
Decoding Peer Status Word
The Peer Status Word is a multi-byte disaster which represents things to NTP. Normally ntpq -c “associations” shows you this in english but to debug you need to look at the peerstats file which does not reveal.
Decoding the first byte
Using the table below you get the value. For instance 9XXX status means 10+80 (reachable and configured in ntp.conf). 8XXX means It is configured but it is not reachable (80).
| Code | Message | Description |
|---|---|---|
| 08 | bcst | broadcast association |
| 10 | reach | host reachable |
| 20 | authenb | authentication enabled |
| 40 | auth | authentication ok |
| 80 | config | persistent association |
Decoding the second byte
Given 96XX the host is reachable and configured (as seen above) the second byte from the table below means it is the system peer (you will also see a * next to it in ntpq -p)
Another example from the sample above is "8023" this means it is configured but it is NOT reachable and it is discarded (see bolded 0 meaning sel_reject)
| Code | Message | T | Description |
|---|---|---|---|
| 0 | sel_reject | discarded as not valid (TEST10-TEST13) | |
| 1 | sel_falsetick | x | discarded by intersection algorithm |
| 2 | sel_excess | . | discarded by table overflow (not used) |
| 3 | sel_outlyer | - | discarded by the cluster algorithm |
| 4 | sel_candidate | + | included by the combine algorithm |
| 5 | sel_backup | # | backup (more than tos maxclock sources) |
| 6 | sel_sys.peer | * | system peer |
| 7 | sel_pps.peer | o | PPS peer (when the prefer peer is valid) |
Decoding the third and fourth byte
The third byte is the count of occurrences of the 4th byte (event code) and yes that seems backwards to normal thought
The fourth byte as seen below is the event code which is counted by the third byte.
Given the example of "941a" from above we know its configured and reachable its a candidate and there has been one occurrence of becoming a system peer (1 times of a)
Another example is "8023" from above we know its configured but its unreachable and there has been two occurrences of it being unreachable (2 times of 3).
| Code | Message | Description |
|---|---|---|
| 01 | mobilize | association mobilized |
| 02 | demobilize | association demobilized |
| 03 | unreachable | server unreachable |
| 04 | reachable | server reachable |
| 05 | restart | association restart |
| 06 | no_reply | no server found (ntpdate mode) |
| 07 | rate_exceeded | rate exceeded (kiss code RATE) |
| 08 | access_denied | access denied (kiss code DENY) |
| 09 | leap_armed | leap armed from server LI code |
| 0a | sys_peer | become system peer |
| 0b | clock_event | see clock status word |
| 0c | bad_auth | authentication failure |
| 0d | popcorn | popcorn spike suppressor |
| 0e | interleave_mode | entering interleave mode |
| 0f | interleave_error | interleave error (recovered) |