CenterClick NTP200 and NTP250 Documentation - Client List


o Features
o Hardware
o Software
o Getting Started
o Release Notes
o Front Panel Button
o Front Panel LEDs
o USB Console
o Admin CLI
o Using HTTPS
o SSH Authentication
o Client List
o Antenna Issues
o Graphs
o PPS Output
o Reimage

Live Demo

Contact Us
Feedback and Bug Reports
Follow us on LinkedIn

Privacy Policy
Shipping and Tax
Returns and Warranty

Understanding the NTP Client List

The NTP200 and NTP250 will track all NTP clients that send packets to the device.

Age-out and Limits

Each client IP is tracked and aged out after 7 days of inactivity.

The device can track up to 1 million clients. If that limit is reached, the age-out time will by dynamically reduced in an attempt to clear out old entries. Under extreme cases such as a Denial of Service where the reduced age-out time is still insufficient, new client entries will simply not be created to bound RAM usage.

The client tracking data is not persistent, it is cleared on each reboot or if there is an unexpected time step.


Use the sort and sort buttons to sort the client list ascending or descending.

Download and Export

The client list is available on the web interface, but also available for download in JSON and CSV formats. To see example data, just visit the Live Demo.

Entry Details

Each client entry records 8 pieces of data:

  1. The Client IP
  2. The Client Reverse DNS Entry (if enabled)
  3. First packet time
  4. Last (most recent) packet time
  5. RX packet count
  6. TX packet count
  7. RX packet flags
  8. TX packet flags

Using the above data, 2 additional items are computed:

  1. The RX packet frequency
  2. Any alerts

The RX frequency (called 'RX Every') is simply the average amount of time between each received packet over the entire lifetime the Client has been known

Each entry can be in one of 4 alert states:

  1. No alerts
  2. sleep Sleep alert: a client hasn't been heard from in more than 2x its expected RX frequency (subject to some bounds)
  3. yellow Yellow alert: a client is sending way more packets than are responded to (likely rate limit) or the rx frequency is very short
  4. red Red alert: a client appears to be blocked due to ACLs or sending only invalid packets

DNS Lookups

The device will perform reverse DNS lookups in the background for all clients that send requests. These lookups are rate limited to at most 1 lookup per second and are refreshed once per day.

The DNS lookup functionality can be disabled using the Admin Console if not desired. Lookups are also automatically suspended if the device has more than 50000 clients.

Packet Flags

A set of flags is stored for each client in each direction (RX and TX). For each RX and TX packet, flags are computed from the packet content and are OR'ed with the stored flags from every previous packet. Only the OR'ed flags are stored so the flags shown is a union of all packets for that client since client tracking began for that client.

The individual flags are currently (this is subject to change in future software releases):

TTruncated packet (ex: short UDP)
1NTP Version 1
2NTP Version 2
3NTP Version 3
4NTP Version 4
VOther NTP Version (Not 1-4)
ANTP Mode Symmetric Active
PNTP Mode Symmetric Passive
CNTP Mode Client
SNTP Mode Server
BNTP Mode Broadcast
NNTP Mode Control
MOther NTP Mode
*NTP REFID Matches Our IP (RX only)


The below example from the Live Demo and some clients have come and gone idle causing Sleep alerts, but otherwise all is well.

NTP250 Clients

The below example from an Internet exposed and NTP Pool registered NTP250 and includes both well behaved clients but also DDoS attack attempts. This appliance receives over 2 million unique clients IPs per day, most of which are only active for a few hours. Sorted by descending RX Count we can see some frequent (<30 second) clients, but also some DDoS attempts using spoofed source IPs. In the latter we can see that the rate limiting algorithm has blocked the DDoS attempts and only responded a few times.

NTP250 Clients

© 2023 CenterClick LLC