conntrack provides a full-featured userspace interface to the netfilter
connection tracking system that is intended to replace the old
/proc/net/ip_conntrack interface. This tool can be used to search, list,
inspect and maintain the connection tracking subsystem of the Linux kernel.
Using conntrack, you can dump a list of all (or a filtered selection of)
currently tracked connections, delete connections from the state table, and
even add new ones. In addition, you can also monitor connection tracking
events, e.g. show an event message (one line) per newly established
connection.
TABLES
The connection tracking subsystem maintains two internal tables:
conntrack:
This is the default table. It contains a list of all currently tracked
connections through the system. If you don't use connection tracking
exemptions (NOTRACK iptables target), this means all connections that go
through the system.
expect:
This is the table of expectations. Connection tracking expectations are the
mechanism used to "expect" RELATED connections to existing ones. Expectations
are generally used by "connection tracking helpers" (sometimes called
application level gateways [ALGs]) for more complex protocols such as FTP,
SIP, H.323. Select this table by naming it after the command, e.g.
conntrack -L expect; the conntrack table is used when no table is named.
OPTIONS
The options recognized by conntrack can be divided into several different
groups.
COMMANDS
These options specify the particular operation to perform. Only one of them
can be specified at any given time.
-L, --dump
List connection tracking or expectation table
-G, --get
Search for and show a particular (matching) entry in the given table.
-D, --delete
Delete an entry from the given table.
-I, --create
Create a new entry in the given table.
-U, --update
Update an entry in the given table.
-E, --event
Display a real-time event log.
-F, --flush
Flush the whole given table.
-C, --count
Show the table counter.
-S, --stats
Show the in-kernel connection tracking system statistics.
PARAMETERS
-z, --zero
Atomically zero counters after reading them. This option is only valid in
combination with the "-L, --dump" command options.
-o, --output [extended,xml,timestamp,id]
Display output in a certain format.
-e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
Set the bitmask of events that are to be generated by the in-kernel ctnetlink
event code. Using this parameter, you can reduce the event messages generated
by the kernel to the types that you are actually interested in.
This option can only be used in conjunction with "-E, --event".
-b, --buffer-size value (in bytes)
Set the Netlink socket buffer size. This option is useful if the command line
tool reports ENOBUFS errors. If you do not pass this option, the default value
available at /proc/sys/net/core/rmem_default is used. The tool reports this
problem if your process is too slow to handle all the event messages or, in
other words, if the number of events is large enough to overrun the socket
buffer. Events that did not fit into the buffer are lost, so a monitor that
hits ENOBUFS no longer has a complete picture of the flows it is watching. A
bigger buffer reduces the chance of hitting ENOBUFS, at the cost of more
memory.
This option can only be used in conjunction with "-E, --event".
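The following is an added example, not part of conntrack-tools: a POSIX shell/awk filter that consumes a "conntrack -E -e NEW -o timestamp" stream and reports any original-direction source that opens a given number of new flows within a time window, which is the kind of consumer the -e and -b parameters above are tuned for. The sample lines are constructed for this example; the "[seconds.microseconds]" plus tab prefix that -o timestamp is taken to print, the addresses, and the window and threshold values are assumptions, while the [NEW] tag and the src= fields follow the default event line layout.

```shell
#!/bin/sh
# Added example (not conntrack-tools code): flag sources that open many new
# flows in a short window, from a `conntrack -E -e NEW -o timestamp` stream.
#
# Assumptions: each event line starts with a "[seconds.microseconds]" timestamp
# followed by a tab and the event tag, as -o timestamp is taken to print it;
# the first src= on the line is the original direction (what -s filters on).

# sample_events: constructed stand-in for the live event stream. Addresses,
# ports and timestamps are made up for this example.
sample_events() {
    printf '[1700000000.000100]\t    [NEW] tcp      6 120 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40001 dport=22 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=22 dport=40001\n'
    printf '[1700000000.500200]\t    [NEW] tcp      6 120 SYN_SENT src=192.168.1.2 dst=10.0.0.5 sport=51234 dport=443 [UNREPLIED] src=10.0.0.5 dst=192.168.1.2 sport=443 dport=51234\n'
    printf '[1700000001.000300]\t    [NEW] tcp      6 120 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40002 dport=23 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=23 dport=40002\n'
    printf '[1700000001.400400]\t    [NEW] tcp      6 120 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40003 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=40003\n'
    printf '[1700000002.100500]\t    [NEW] udp      17 30 src=192.168.1.3 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=192.168.1.3 sport=53 dport=5353\n'
    printf '[1700000002.600600]\t    [NEW] tcp      6 120 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40004 dport=443 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=443 dport=40004\n'
    printf '[1700000030.000700]\t    [NEW] tcp      6 120 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40005 dport=8080 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=8080 dport=40005\n'
}

# new_per_src WINDOW THRESHOLD: read event lines on stdin; print "SRC COUNT"
# the first time SRC has opened >= THRESHOLD new flows within any WINDOW
# seconds. Each source is reported once. Lines without a [NEW] tag are
# ignored, so the same filter also works on an unfiltered -E stream.
new_per_src() {
    awk -v win="$1" -v thr="$2" '
    /\[NEW\]/ {
        ts = substr($1, 2, length($1) - 2) + 0   # strip [ ] around the timestamp
        src = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { src = substr($i, 5); break }
        if (src == "") next
        n[src]++
        t[src, n[src]] = ts
        # count the flows from src that fall inside the trailing window
        c = 0
        for (k = n[src]; k >= 1 && ts - t[src, k] <= win; k--) c++
        if (c >= thr && !(src in flagged)) {
            flagged[src] = c
            print src, c
            fflush()   # do not sit in stdio buffers when reading a live stream
        }
    }'
}

# Demo on the constructed sample: window 10 s, threshold 4 new flows.
sample_events | new_per_src 10 4   # prints: 203.0.113.7 4
```

On a live system the filter runs as "conntrack -E -e NEW -o timestamp | new_per_src 10 20" (as root). If conntrack starts reporting ENOBUFS, the awk stage is not keeping up and events are being dropped; raise -b, or narrow the event mask with -e, before trusting the counts. The window logic keeps every timestamp per source in memory, which is fine for a short investigation but should be pruned for a long-running monitor.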
FILTER PARAMETERS
-s, --orig-src IP_ADDRESS
Match only entries whose source address in the original direction equals the one specified as argument.
-d, --orig-dst IP_ADDRESS
Match only entries whose destination address in the original direction equals the one specified as argument.
-r, --reply-src IP_ADDRESS
Match only entries whose source address in the reply direction equals the one specified as argument.
-q, --reply-dst IP_ADDRESS
Match only entries whose destination address in the reply direction equals the one specified as argument.
-p, --proto PROTO
Specify layer four (TCP, UDP, ...) protocol.
-f, --family PROTO
Specify layer three (ipv4, ipv6) protocol.
This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4.
-t, --timeout TIMEOUT
Specify the timeout (in seconds).
-m, --mark MARK
Specify the conntrack mark.
DCCP-specific fields:
--role [client | server]
Role that the original conntrack tuple is tracking.
GRE-specific fields:
--srckey, --orig-key-src KEY
Source key in original direction (in hexadecimal or decimal)
--dstkey, --orig-key-dst KEY
Destination key in original direction (in hexadecimal or decimal)
--reply-key-src KEY
Source key in reply direction (in hexadecimal or decimal)
--reply-key-dst KEY
Destination key in reply direction (in hexadecimal or decimal)
DIAGNOSTICS
The exit code is 0 for correct function. Errors which appear to be caused by
invalid command line parameters cause an exit code of 2. Any other errors
cause an exit code of 1.
EXAMPLES
conntrack -L
Show the connection tracking table in /proc/net/ip_conntrack format
conntrack -L -o extended
Show the connection tracking table in /proc/net/nf_conntrack format
conntrack -L -o xml
Show the connection tracking table in XML
conntrack -L -f ipv6 -o extended
Only dump IPv6 connections in /proc/net/nf_conntrack format
conntrack -L --src-nat
Show source NAT connections
conntrack -E -o timestamp
Show connection events together with the timestamp
conntrack -D -s 1.2.3.4
Delete all flows whose source address is 1.2.3.4
conntrack -U -s 1.2.3.4 -m 1
Set the connmark to 1 on all flows whose source address is 1.2.3.4
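The following is an added example, not part of conntrack-tools, showing how the dump and delete commands above combine in practice: a POSIX shell/awk script that reads a saved "conntrack -L" dump, counts entries in the UNREPLIED state per original-direction source, and prints the corresponding "conntrack -D -s ADDR" commands for sources above a threshold. The dump lines are constructed for this example; the addresses, ports, counters and threshold are assumptions, and the line layout follows the default /proc/net/ip_conntrack format that "conntrack -L" prints.

```shell
#!/bin/sh
# Added example (not conntrack-tools code): triage a `conntrack -L` dump.
# unreplied_by_src counts [UNREPLIED] entries per original-direction source
# (half-open TCP handshakes and unanswered UDP), and purge_commands turns the
# sources over a threshold into the `conntrack -D -s ADDR` form shown in the
# EXAMPLES section. The commands are printed, not run, so the list can be
# reviewed before anything is deleted.

# sample_dump: constructed stand-in for `conntrack -L` output in the default
# /proc/net/ip_conntrack format. Addresses, ports and counters are made up.
sample_dump() {
cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.5 sport=51234 dport=443 src=10.0.0.5 dst=192.168.1.2 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40001 dport=22 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=22 dport=40001 mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40002 dport=23 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=23 dport=40002 mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40003 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=40003 mark=0 use=1
udp      17 29 src=198.51.100.9 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=198.51.100.9 sport=53 dport=5353 mark=0 use=1
udp      17 170 src=192.168.1.3 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.3 sport=53 dport=5353 [ASSURED] mark=0 use=1
EOF
}

# unreplied_by_src: print "COUNT SRC" for every original-direction source with
# entries in the UNREPLIED state, highest count first. Only the first src=
# field on a line counts; the second src= is the reply direction (what the
# -r filter matches on).
unreplied_by_src() {
    awk '
    /\[UNREPLIED\]/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { n[substr($i, 5)]++; break }
    }
    END { for (s in n) print n[s], s }' | sort -rn -k1,1
}

# purge_commands THRESHOLD: one `conntrack -D -s SRC` line per source whose
# UNREPLIED count is >= THRESHOLD, matching the deletion example above.
purge_commands() {
    unreplied_by_src | awk -v thr="$1" '$1 >= thr { print "conntrack -D -s " $2 }'
}

# Demo on the constructed sample.
sample_dump | unreplied_by_src      # prints: 3 203.0.113.7 / 1 198.51.100.9
sample_dump | purge_commands 2      # prints: conntrack -D -s 203.0.113.7
```

Against a live table the input is "conntrack -L 2>/dev/null" run as root (the entry count that conntrack prints on stderr is dropped so it does not reach awk), and the generated commands are run only after the list has been checked. Deleting entries only discards state: the source can immediately re-create them, so this is a cleanup step to pair with a firewall rule, not a block on its own. Restricting the count to UNREPLIED entries is deliberate; deleting a source's ESTABLISHED entries on a NAT gateway breaks those sessions.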