SYNOPSIS

conntrack -L [table] [options] [-z]

conntrack -G [table] parameters

conntrack -D [table] parameters

conntrack -I [table] parameters

conntrack -U [table] parameters

conntrack -E [table] [options]

conntrack -F [table]

conntrack -C [table]

conntrack -S

DESCRIPTION

conntrack provides a full featured userspace interface to the netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel. Using conntrack , you can dump a list of all (or a filtered selection of) currently tracked connections, delete connections from the state table, and even add new ones.

In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection.

TABLES

The connection tracking subsystem maintains two internal tables:

conntrack:

This is the default table. It contains a list of all currently tracked connections through the system. If you don't use connection tracking exemptions (NOTRACK iptables target), this means all connections that go through the system.

expect:

This is the table of expectations. Connection tracking expectations are the mechanism used to "expect" RELATED connections to existing ones. Expectations are generally used by "connection tracking helpers" (sometimes called application level gateways [ALGs]) for more complex protocols such as FTP, SIP, H.323.

OPTIONS

The options recognized by conntrack can be divided into several different groups.

COMMANDS

These options specify the particular operation to perform. Only one of them can be specified at any given time.

-L --dump

List connection tracking or expectation table

-G, --get

Search for and show a particular (matching) entry in the given table.

-D, --delete

Delete an entry from the given table.

-I, --create

Create a new entry from the given table.

-U, --update

Update an entry from the given table.

-E, --event

Display a real-time event log.

-F, --flush

Flush the whole given table

-C, --count

Show the table counter.

-S, --stats

Show the in-kernel connection tracking system statistics.

PARAMETERS

-z, --zero

Atomically zero counters after reading them. This option is only valid in combination with the "-L, --dump" command options.

-o, --output [extended,xml,timestamp,id,ktimestamp,labels]

Display output in a certain format. With the extended output option, this tool displays the layer 3 information. With ktimestamp, it displays the in-kernel timestamp available since 2.6.38 (you can enable it via echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp). The labels output option tells conntrack to show the names of connection tracking labels that might be present.

-e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]

Set the bitmask of events that are to be generated by the in-kernel ctnetlink event code. Using this parameter, you can reduce the event messages generated by the kernel to those types to those that you are actually interested in. This option can only be used in conjunction with "-E, --event".

-b, --buffer-size value (in bytes)

Set the Netlink socket buffer size. This option is useful if the command line tool reports ENOBUFS errors. If you do not pass this option, the default value available at /proc/sys/net/core/rmem_default is used. The tool reports this problem if your process is too slow to handle all the event messages or, in other words, if the amount of events are big enough to overrun the socket buffer. Note that using a big buffer reduces the chances to hit ENOBUFS, however, this results in more memory consumption. This option can only be used in conjunction with "-E, --event".

FILTER PARAMETERS

-s, --orig-src IP_ADDRESS

Match only entries whose source address in the original direction equals the one specified as argument.

-d, --orig-dst IP_ADDRESS

Match only entries whose destination address in the original direction equals the one specified as argument.

-r, --reply-src IP_ADDRESS

Match only entries whose source address in the reply direction equals the one specified as argument.

-q, --reply-dst IP_ADDRESS

Match only entries whose destination address in the reply direction equals the one specified as argument.

-p, --proto PROTO

Specify layer four (TCP, UDP, ...) protocol.

-f, --family PROTO

Specify layer three (ipv4, ipv6) protocol This option is only required in conjunction with "-L, --dump". If this option is not passed, the default layer 3 protocol will be IPv4.

-t, --timeout TIMEOUT

Specify the timeout.

-m, --mark MARK[/MASK]

Specify the conntrack mark. Optionally, a mask value can be specified. In "--update" mode, this mask specifies the bits that should be zeroed before XORing the MARK value into the ctmark. Otherwise, the mask is logically ANDed with the existing mark before the comparision. In "--create" mode, the mask is ignored.

-l, --label LABEL,...

Specify the conntrack labels. This option is only available in conjunction with "-L, --dump" or "-E, --event". Match entries whose labels matches at least those specified as arguments.

-c, --secmark SECMARK

Specify the conntrack selinux security mark.

-u, --status [ASSURED|SEEN_REPLY|FIXED_TIMEOUT|EXPECTED|UNSET][,...]

Specify the conntrack status.

-n, --src-nat

Filter source NAT connections.

-g, --dst-nat

Filter destination NAT connections.

-j, --any-nat

Filter any NAT connections.

-w, --zone

Filter by conntrack zone. See iptables CT target for more information.

--tuple-src IP_ADDRESS

Specify the tuple source address of an expectation.

--tuple-dst IP_ADDRESS

Specify the tuple destination address of an expectation.

--mask-src IP_ADDRESS

Specify the source address mask of an expectation.

--mask-dst IP_ADDRESS

Specify the destination address mask of an expectation.

PROTOCOL FILTER PARAMETERS

TCP-specific fields:

--sport, --orig-port-src PORT

Source port in original direction

--dport, --orig-port-dst PORT

Destination port in original direction

--reply-port-src PORT

Source port in reply direction

--reply-port-dst PORT

Destination port in reply direction

--state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT | CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]

TCP state

UDP-specific fields:

--sport, --orig-port-src PORT

Source port in original direction

--dport, --orig-port-dst PORT

Destination port in original direction

--reply-port-src PORT

Source port in reply direction

--reply-port-dst PORT

Destination port in reply direction

ICMP-specific fields:

--icmp-type TYPE

ICMP Type. Has to be specified numerically.

--icmp-code CODE

ICMP Code. Has to be specified numerically.

--icmp-id ID

ICMP Id. Has to be specified numerically (non-mandatory)

UDPlite-specific fields:

--sport, --orig-port-src PORT

Source port in original direction

--dport, --orig-port-dst PORT

Destination port in original direction

--reply-port-src PORT

Source port in reply direction

--reply-port-dst PORT

Destination port in reply direction

SCTP-specific fields:

--sport, --orig-port-src PORT

Source port in original direction

--dport, --orig-port-dst PORT

Destination port in original direction

--reply-port-src PORT

Source port in reply direction

--reply-port-dst PORT

Destination port in reply direction

--state [NONE | CLOSED | COOKIE_WAIT | COOKIE_ECHOED | ESTABLISHED | SHUTDOWN_SENT | SHUTDOWN_RECD | SHUTDOWN_ACK_SENT]

SCTP state

--orig-vtag value

Verification tag (32-bits value) in the original direction

--reply-vtag value

Verification tag (32-bits value) in the reply direction

DCCP-specific fields (needs Linux >= 2.6.30):

--sport, --orig-port-src PORT

Source port in original direction

--dport, --orig-port-dst PORT

Destination port in original direction

--reply-port-src PORT

Source port in reply direction

--reply-port-dst PORT

Destination port in reply direction

--state [NONE | REQUEST | RESPOND | PARTOPEN | OPEN | CLOSEREQ | CLOSING | TIMEWAIT]

DCCP state --role [client | server] Role that the original conntrack tuple is tracking

GRE-specific fields:

--srckey, --orig-key-src KEY

Source key in original direction (in hexadecimal or decimal)

--dstkey, --orig-key-dst KEY

Destination key in original direction (in hexadecimal or decimal)

--reply-key-src KEY

Source key in reply direction (in hexadecimal or decimal)

--reply-key-dst KEY

Destination key in reply direction (in hexadecimal or decimal)

DIAGNOSTICS

The exit code is 0 for correct function. Errors which appear to be caused by invalid command line parameters cause an exit code of 2. Any other errors cause an exit code of 1.

EXAMPLES

conntrack -L

Show the connection tracking table in /proc/net/ip_conntrack format

conntrack -L -o extended

Show the connection tracking table in /proc/net/nf_conntrack format

conntrack -L -o xml

Show the connection tracking table in XML

conntrack -L -f ipv6 -o extended

Only dump IPv6 connections in /proc/net/nf_conntrack format

conntrack -L --src-nat

Show source NAT connections

conntrack -E -o timestamp

Show connection events together with the timestamp

conntrack -D -s 1.2.3.4

Delete all flow whose source address is 1.2.3.4

conntrack -U -s 1.2.3.4 -m 1

Set connmark to 1 of all the flows whose source address is 1.2.3.4

BUGS

Please, report them to [email protected] or file a bug in Netfilter's bugzilla (https://bugzilla.netfilter.org).

RELATED TO conntrack…

iptables(8)

See http://conntrack-tools.netfilter.org

AUTHORS

Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira Ayuso wrote the kernel-level "ctnetlink" interface that is used by the conntrack tool.

Pablo Neira Ayuso wrote and maintain the conntrack tool, Harald Welte added support for conntrack based accounting counters.

Man page written by Harald Welte <[email protected]> and Pablo Neira Ayuso <[email protected]>.