TCPdump What does this output mean?

I was looking into a problem with WireGuard when I found this output while running tcpdump:

-# tcpdump icmp

13:22:48.974345 IP R2S.faro.xa > 192.168.100.201: ICMP mail.pfuideifi.org udp port 123 unreachable, length 84
13:22:53.798018 IP R2S.faro.xa > UAP-ACM-Hof.faro.xa: ICMP kuehlich.com udp port 123 unreachable, length 84
13:22:56.630361 IP R2S.faro.xa > UAP-AC-LiteFlur.faro.xa: ICMP static.72.44.161.5.clients.your-server.de udp port 123 unreachable, length 84
13:23:08.128690 IP R2S.faro.xa > US-8-60W-Buero.faro.xa: ICMP vbrandl.net udp port 123 unreachable, length 84
13:23:08.214809 IP R2S.faro.xa > US-8-60W-Technikraum.faro.xa: ICMP ntp1.lwlcom.net udp port 123 unreachable, length 84
13:23:08.812086 IP R2S.faro.xa > UAP-ACM-Hof.faro.xa: ICMP kuehlich.com udp port 123 unreachable, length 84

My local domain is faro.xa. The OpenWrt router is named R2S.
That's the only thing I understand in the tcpdump output.

But what does "ICMP external-domain udp port 123 unreachable" mean?

  • I did not know what port 123 (NTP) and ICMP/ping have to do with each other
  • And I did not know where these external domain names come from

Can someone enlighten me?

I forgot to say.
There is a traffic rule on the router that rejects forwarding NTP port 123 from lan to wan.
All devices have to use the provided local NTP on the router instead ...

The device RS2 is telling you that your time servers are unreachable.

All your devices obviously aren't set to use RS2. These devices are using other servers for NTP (you can use tcpdump -n and it shows only IPs):

  • 192.168.100.201
  • UAP-ACM-Hof.faro.xa
  • US-8-60W-Technikraum.faro.xa

It's not Ping, it's a Network Control Error (ICMP) from RS2 - telling your clients it can't reach that. See: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes-3

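One way to turn such a capture into a per-device list of clients still trying external NTP servers, as an added example that is not part of the original posts. It assumes tcpdump's text format for IPv4 ICMP port-unreachable lines as quoted above; the function name and the sample hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the capture quoted in the thread
# (hostnames and addresses are placeholders, not values from the page).
SAMPLE = """\
13:22:48.974345 IP router.lan > 192.168.1.50: ICMP ntp-a.example.org udp port 123 unreachable, length 84
13:22:53.798018 IP router.lan > tv.lan: ICMP ntp-b.example.net udp port 123 unreachable, length 84
13:22:56.630361 IP router.lan > tv.lan: ICMP ntp-b.example.net udp port 123 unreachable, length 84
13:23:08.128690 IP router.lan > switch.lan: ICMP ntp-a.example.org udp port 123 unreachable, length 84
13:23:09.000001 IP laptop.lan > router.lan: ICMP echo request, id 7, seq 1, length 64
13:23:10.500000 IP router.lan > tv.lan: ICMP 203.0.113.9 udp port 53 unreachable, length 84
"""

# <time> IP <ICMP sender> > <ICMP receiver>: ICMP <original destination> <proto> port <n> unreachable
# The receiver is the LAN client whose packet was rejected; the host after
# "ICMP" is where that client originally tried to send it.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<reporter>\S+) > (?P<client>\S+): "
    r"ICMP (?P<target>\S+) (?P<proto>udp|tcp) port (?P<port>\S+) unreachable"
)
NTP_PORTS = {"123", "ntp"}  # tcpdump may print the service name instead of the number


def rejected_ntp_clients(capture_text):
    """Map each LAN client to {external NTP target: number of rejects received}."""
    result = defaultdict(lambda: defaultdict(int))
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        # Skip echo requests, other unreachable types and non-NTP ports.
        if not m or m["proto"] != "udp" or m["port"] not in NTP_PORTS:
            continue
        result[m["client"]][m["target"]] += 1
    return {client: dict(targets) for client, targets in result.items()}


if __name__ == "__main__":
    for client, targets in sorted(rejected_ntp_clients(SAMPLE).items()):
        for target, count in sorted(targets.items()):
            print(f"{client:15} tried {target} ({count}x)")
```

Every client that shows up in the result is a device that is not using the router's local NTP service.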

@lleachii
Thank you for your quick response.

I see. The ping command just uses the icmp protocol. And any other command can use icmp too.
Because I do a "tcpdump icmp" I got messages about all services which are using icmp. Not only from ping.

The other problem is that several devices seem to simply ignore DHCP option 42.
Like my Hisense-TV. That's annoying, because there is no option to set an NTP server even when I'm not using DHCP :frowning:

:spiral_notepad: A client is not required to obey DHCP Option No. 42 (NTP servers).

I've never tried this...but maybe you can redirect 123/udp to the RS2. This is similar to OpenWrt Wikis on doing local redirects for DNS (53/udp).

config redirect
        option name 'LAN_NTP_Redirect'
        option src 'lan'
        option src_dport '123'
        option dest_port '123'
        option target 'DNAT'
        option proto 'udp'
        option dest 'lan'

I've observed a lot of devices from Asia have hardcoded choices, or hardcoded an NTP server the user can't change whatsoever. Yea, that sux.

Ok, I will check this later on.
Thank you so far.