I noticed requests for port 37/udp in our firewall to our ntp server. That
is the 'daytime' protocol, which is absolutely ancient on an Internet timescale.
I opened the port and started the service as an experiment and started
tcpdump on it. The results are interesting:

09:50:09.749723 IP xx.xx.178.51.37 > 131.211.84.189.123: NTPv4 client, strat 2, poll 7, prec -20
09:50:09.749782 IP 131.211.84.189.123 > xx.xx.178.51.37: NTPv4 server, strat 2, poll 7, prec -19
09:52:19.808243 IP xx.xx.178.51.37 > 131.211.84.189.123: NTPv4 client, strat 3, poll 7, prec -20
09:52:19.808301 IP 131.211.84.189.123 > xx.xx.178.51.37: NTPv4 server, strat 2, poll 7, prec -19
09:53:08.511939 IP xx.xxx.183.183.34505 > 131.211.84.189.37: UDP, length: 0
09:53:08.513364 IP 131.211.84.189.37 > xx.xxx.183.183.34505: UDP, length: 4

Most traffic seen by 'tcpdump port 37' is from source port 37, which is
an artifact of certain NAT devices translating privileged ports (< 1024)
to other privileged ports. Certain versions of ntpd seem to ignore these
requests. But there are real clients using the 'daytime' protocol.
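
An added example, not part of the original post: a small script that sorts tcpdump lines in the format above into NTP requests arriving from source port 37 and genuine requests to port 37 on the server. The sample capture is constructed with documentation addresses, and the function and label names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump format shown above; the addresses are
# documentation ranges, not values from the original capture.
SAMPLE = """\
09:50:09.749723 IP 192.0.2.51.37 > 198.51.100.189.123: NTPv4 client, strat 2, poll 7, prec -20
09:50:09.749782 IP 198.51.100.189.123 > 192.0.2.51.37: NTPv4 server, strat 2, poll 7, prec -19
09:51:40.120004 IP 192.0.2.99.37 > 198.51.100.189.123: NTPv4 client, strat 3, poll 7, prec -20
09:53:08.511939 IP 203.0.113.183.34505 > 198.51.100.189.37: UDP, length: 0
09:53:08.513364 IP 198.51.100.189.37 > 203.0.113.183.34505: UDP, length: 4
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: ..." -- the port is the last
# dot-separated field, so the greedy \S+ backtracks to split it off.
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
)

def classify(line, server):
    """Return (label, client) for a packet sent to `server`, else None."""
    m = LINE.match(line.strip())
    if not m or m["dst"] != server:
        return None  # unparsable line, or a reply leaving the server
    sport, dport = int(m["sport"]), int(m["dport"])
    if dport == 123 and sport == 37:
        label = "ntp-from-source-port-37"  # NTP request, only the source port is 37
    elif dport == 37:
        label = "port-37-request"          # request to the port 37 service itself
    else:
        label = "other"
    return label, m["src"]

def summarize(text, server):
    """Group client addresses by traffic class for one capture."""
    seen = defaultdict(set)
    for line in text.splitlines():
        hit = classify(line, server)
        if hit:
            seen[hit[0]].add(hit[1])
    return {label: sorted(clients) for label, clients in seen.items()}

if __name__ == "__main__":
    for label, clients in summarize(SAMPLE, "198.51.100.189").items():
        print(label, clients)
```

Only the second class needs port 37/udp open on the server; the first is ordinary NTP traffic that a 'port 37' capture filter happens to match.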