"Michael Deutschmann" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > On Thu, 22 Dec 2005, Karel Sandler wrote: >> My question is, if there is a possibility how to distinguish between a >> misconfigured client or a grup of more or less standard clients behind a >> NAT. Originally, I thought, it would be easy. Ideally, the timestamps of >> a > > Perhaps you could look at the source ports. I'm not sure, but I think > NTPD > not only listens on port 123, it uses that as it's source port. A > masquerading system will remap the source port to something else, usually > quite high, and definitely outside of Unix's traditional "reserved ports" > range (< 1024). > Thanks for this hint. In both cases I mentioned, the source port was 123. I will arrange a few sntp clients behind NAT. Then, tcpdump should give more insight into this topic.
Karel Sandler _______________________________________________ questions mailing list [email protected] https://lists.ntp.isc.org/mailman/listinfo/questions
