Mozilla InvestiGator: TimeDrift module

Author: Julien Vehent <>

The timedrift module evaluates the current time on a given endpoint against the time retrieved from a list of NTP servers. If the -drift parameter is passed, the module checks that the endpoint's time is within or without the drift window.

When evaluating drift, the module returns FoundAnything=true for endpoints that have drifted beyond the accepted value, and for which the local time is out of sync compared with NTP servers.

1   Usage

timedrift can be called with empty parameters, and then only returns the local time of the target endpoint. When called with a drift parameter, NTP connections are established to evaluated the local time against network time.

  "module": "timedrift",
  "parameters": {
        "drift": "5s"

2   Examples

2.1   Endpoint non-compliant with a 10 millisecond drift

Evaluating a 10ms drift is not useful, because the latency between the endpoint and the NTP servers is most likely greater than 10ms, and endpoint would always fail that test. But it illustrates the output from an endpoint that has drifted beyond the acceptable value.

$ mig timedrift -t "name=''" -show all -drift 10ms 2>/dev/null
stat: execution time 252.902127ms local time is 2015-03-14T13:26:27.441740604-04:00 local time is out of sync from NTP servers Local time is ahead of ntp host by 17.731324ms Local time is ahead of ntp host by 16.542859ms Local time is ahead of ntp host by 20.853337ms Local time is ahead of ntp host by 33.743419ms stat: responded in 44.26132ms with time 2015-03-14 17:26:27.473289999 +0000 UTC. local time drifts by 17.731324ms stat: responded in 38.263502ms with time 2015-03-14 17:26:27.520487097 +0000 UTC. local time drifts by 16.542859ms stat: responded in 46.682002ms with time 2015-03-14 17:26:27.576307275 +0000 UTC. local time drifts by 20.853337ms stat: responded in 83.492232ms with time 2015-03-14 17:26:27.660943187 +0000 UTC. local time drifts by 33.743419ms command success

2.2   Endpoint compliant with a 5 seconds drift

$ mig timedrift -t "name=''" -show all -drift 5s 2>/dev/null
stat: execution time 1.76047894s local time is 2015-03-14T13:26:10.764244879-04:00 local time is within acceptable drift from NTP servers stat: responded in 44.574857ms with time 2015-03-14 17:26:10.996919999 +0000 UTC. local time drifts by 17.557879ms stat: responded in 38.52106ms with time 2015-03-14 17:26:12.139883892 +0000 UTC. local time drifts by 16.917595ms stat: responded in 46.79544ms with time 2015-03-14 17:26:12.38555022 +0000 UTC. local time drifts by 20.839501ms stat: responded in 82.798078ms with time 2015-03-14 17:26:12.490975185 +0000 UTC. local time drifts by 33.808416ms command success

2.3   Get localtime from endpoint

$ mig timedrift -t "name=''" 2>/dev/null local time is 2015-03-14T13:32:24.226318523-04:00