The UNIX and Linux Forums  
02-22-2008
one71
Registered User
 

Join Date: Feb 2008
Posts: 8
tcpdump: strange logging?

Hi,

I want to secure my NTP servers by setting restriction rules. Before doing so I want to monitor the traffic going through the NTP port of the servers, to be able to change in time the configuration of "the unwanted clients" so that they do not "lose" the correct time. To do this I am using tcpdump. Mostly it is working really fine, but I record 2 types of strange connections which I do not understand; maybe I did not understand how deeply tcpdump works, and I am asking for your help to understand them.

The tcpdump command I am executing is like:

Code:
tcpdump -n -i interface port 123
Say sss.sss.sss.sss is the IP address of the machine where I am running tcpdump (the NTP server), and ccc.ccc.ccc.<number> is the IP of another machine. Note: we have a 10. network; some machines produce 192.168 addresses, but they are not routed. Note: we are speaking about a big company, i.e. tons of firewalls, routers etc. lie between the servers.

A normal NTP query connection looks like:

Code:
19:33:37.764379 IP ccc.ccc.ccc.001.123 > sss.sss.sss.sss.123: NTPv4, Client, length 48
19:33:37.764421 IP sss.sss.sss.sss.123 > ccc.ccc.ccc.001.123: NTPv4, Server, length 48
The remote client requests the time (line I, Client), the local server answers (line II, Server): fine.

Now the strange connection Nr 1:

Code:
19:33:38.801105 IP 10.ccc.ccc.002.123 > 10.ccc.ccc.003.123: NTPv4, Server, length 48
Note:
1) it is a single line, not a pair Client, Server
2) the "source" of the packets is not the local host (the machine where I am running tcpdump)
3) the "destination" of the packets is not the local host (the machine where I am running tcpdump)

Where does this packet come from?

Now the strange connection Nr 2:

Code:
19:33:38.801105 IP 10.ccc.ccc.004.123 > 10.ccc.ccc.005.3121: NTPv4, Server, length 48
Note:
1) same as before, but the "destination" port is not 123

Where does this packet come from?

Now the strange connection Nr 3:

Code:
08:00:04.904630 IP 192.168.ccc.006.123 > sss.sss.sss.sss.123: NTPv3, Client, length 48
08:00:04.904646 IP sss.sss.sss.sss.123 > 192.168.ccc.006.123: NTPv3, Server, length 48
Note:
1) Now the structure "remote client asks, local server answers" is respected
2) but the remote client has an IP which is not routed at all??!?!

How can tcpdump get those packets?

So my questions are:
1) How do I interpret those packet records? (i.e. am I missing something in my understanding of tcpdump?)
2) Can I ignore those "strange records" in the configuration of my secure NTP server?

Thanks a lot.

Last edited by one71; 02-22-2008 at 01:23 AM.
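The post above shows three kinds of tcpdump lines that stand out when auditing NTP traffic before tightening server restrictions. The following is an added example (not code from the post or from tcpdump) that parses lines of exactly that output format and tags each packet by what makes it unusual: neither endpoint is the local host, a Server reply going to a port other than 123, or a source address outside the networks expected to be routed. The local server address, the list of routed networks, and the sample capture are constructed placeholders standing in for the poster's sss.sss.sss.sss and 10. network.

```python
"""Tag tcpdump NTP lines by what makes them unusual, before tightening ntpd restrictions.

Added example; the addresses, networks and sample capture below are constructed
stand-ins for the poster's environment, not values from the post.
"""
import ipaddress
import re
from collections import Counter

# Assumed address of the NTP server on which tcpdump runs (stands in for sss.sss.sss.sss).
LOCAL_HOST = ipaddress.ip_address("10.20.30.40")
# Assumed list of networks that are actually routed in this environment.
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
NTP_PORT = 123

# Matches one tcpdump line in the format shown in the post, e.g.
#   19:33:37.764379 IP 10.1.1.1.123 > 10.20.30.40.123: NTPv4, Client, length 48
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"NTPv(?P<ver>\d), (?P<mode>\w+), length (?P<len>\d+)$"
)


def parse_line(line):
    """Parse one tcpdump NTP line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": ipaddress.ip_address(d["src"]),
        "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "version": int(d["ver"]),
        "mode": d["mode"],
        "length": int(d["len"]),
    }


def classify(pkt):
    """Return the list of tags that apply to a parsed packet ("normal" if none do)."""
    tags = []
    if LOCAL_HOST not in (pkt["src"], pkt["dst"]):
        # Neither endpoint is this host: tcpdump saw it on the wire although it was not addressed to us.
        tags.append("third-party")
    if pkt["mode"] == "Server" and pkt["dport"] != NTP_PORT:
        # A reply to an unprivileged port is consistent with a client that queried from an ephemeral source port.
        tags.append("reply-to-ephemeral-port")
    if not any(pkt["src"] in net for net in EXPECTED_NETS):
        # Source address is outside the networks assumed to be routed here.
        tags.append("unexpected-source-net")
    return tags or ["normal"]


def audit(lines):
    """Parse and classify every line; return (findings, tag counts)."""
    findings = []
    counts = Counter()
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            counts["unparsed"] += 1
            continue
        tags = classify(pkt)
        findings.append((pkt["ts"], str(pkt["src"]), pkt["sport"],
                         str(pkt["dst"]), pkt["dport"], pkt["mode"], tags))
        counts.update(tags)
    return findings, counts


# Constructed sample capture mirroring the normal pair and the three strange cases from the post.
SAMPLE = """\
19:33:37.764379 IP 10.1.1.1.123 > 10.20.30.40.123: NTPv4, Client, length 48
19:33:37.764421 IP 10.20.30.40.123 > 10.1.1.1.123: NTPv4, Server, length 48
19:33:38.801105 IP 10.1.1.2.123 > 10.1.1.3.123: NTPv4, Server, length 48
19:33:38.801105 IP 10.1.1.4.123 > 10.1.1.5.3121: NTPv4, Server, length 48
08:00:04.904630 IP 192.168.7.6.123 > 10.20.30.40.123: NTPv3, Client, length 48
08:00:04.904646 IP 10.20.30.40.123 > 192.168.7.6.123: NTPv3, Server, length 48
""".splitlines()

if __name__ == "__main__":
    findings, counts = audit(SAMPLE)
    for f in findings:
        print(f)
    print(dict(counts))
```

Feed it the real capture with `tcpdump -n -i interface port 123 | python3 audit_ntp.py` adapted to read stdin, after setting LOCAL_HOST and EXPECTED_NETS to the server's own address and the routed ranges; the tag counts give a quick picture of how much of the observed traffic would actually be affected by a restrict rule that only admits the expected networks.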