Interacting with the Netfilter Connection Tracking System (with examples)
- Linux
- November 5, 2023
The Netfilter connection tracking system, commonly referred to as conntrack, is a powerful tool for managing and monitoring network connections. It allows you to search, list, inspect, modify, and delete connection flows. In this article, we will explore eight different use cases of the conntrack command, along with their code examples, motivations, explanations, and sample outputs.
Use Case 1: List all currently tracked connections
conntrack --dump
Motivation: It is often useful to get an overview of all the active connections on a system. This information can be helpful for troubleshooting network issues or analyzing network traffic.
Explanation: The --dump option lists all currently tracked connections. For each flow it prints the protocol, the remaining timeout in seconds, the connection state, the original and reply tuples (source and destination IP addresses and ports), and flags such as [ASSURED].
Example Output:
tcp 6 411 ESTABLISHED src=192.168.1.100 dst=8.8.8.8 sport=53262 dport=443 src=8.8.8.8 dst=192.168.1.100 sport=443 dport=53262 [ASSURED] mark=0 zone=0 use=2
tcp 6 35953 ESTABLISHED src=192.168.1.101 dst=192.168.1.200 sport=22 dport=54362 src=192.168.1.200 dst=192.168.1.101 sport=54362 dport=22 [ASSURED] mark=0 zone=0 use=2
udp 17 31 src=192.168.1.102 dst=8.8.4.4 sport=59839 dport=53 src=8.8.4.4 dst=192.168.1.102 sport=53 dport=59839 [ASSURED] mark=0 zone=0 use=2
...
Use Case 2: Display a real-time event log of connection changes
conntrack --event
Motivation: Monitoring real-time connection events can be useful for detecting and analyzing network activity. This can be particularly important for security purposes or when diagnosing network performance issues.
Explanation: The --event option displays a real-time event log of connection changes. It continuously prints information about new connections, closed connections, and other connection-related events as they occur.
Example Output:
[NEW] tcp 6 120 SYN_SENT src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443 [UNREPLIED] src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898
[UPDATE] tcp 6 60 SYN_RECV src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898 src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443
[CLOSE] tcp 6 60 SYN_RECV src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898 src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443
...
Use Case 3: Display a real-time event log of connection changes and associated timestamps
conntrack --event -o timestamp
Motivation: Adding timestamps to the event log can provide valuable information about when connection events occur. This can be useful for analyzing network activity patterns or correlating connection events with other logs or events.
Explanation: The -o timestamp option, used together with --event, displays connection events along with their associated timestamps. It prefixes each event with the current timestamp, allowing you to determine the exact time of each event.
Example Output:
2022-01-01T12:34:56.000000+00:00 [NEW] tcp 6 120 SYN_SENT src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443 [UNREPLIED] src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898
2022-01-01T12:34:57.000000+00:00 [UPDATE] tcp 6 60 SYN_RECV src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898 src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443
2022-01-01T12:34:58.000000+00:00 [CLOSE] tcp 6 60 SYN_RECV src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898 src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443
...
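The timestamped event lines above have a regular shape (timestamp, event type, protocol, timeout, optional TCP state, original tuple, flags, reply tuple), so they can be parsed and turned into a simple defensive check. The following Python is an added example, not code from the article or from the conntrack project; the event lines it works on are constructed in the page's format, and it counts flows per source address that were created but never saw a reply, which is the kind of signal a monitoring job built on conntrack --event would raise.

```python
import re
from collections import Counter

# Constructed sample of `conntrack --event -o timestamp` output (not captured from a real host).
SAMPLE_EVENTS = """\
2022-01-01T12:34:56.000000+00:00 [NEW] tcp 6 120 SYN_SENT src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443 [UNREPLIED] src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898
2022-01-01T12:34:57.000000+00:00 [UPDATE] tcp 6 60 SYN_RECV src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443 src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898
2022-01-01T12:34:58.000000+00:00 [NEW] tcp 6 120 SYN_SENT src=192.168.1.105 dst=10.0.0.9 sport=40001 dport=22 [UNREPLIED] src=10.0.0.9 dst=192.168.1.105 sport=22 dport=40001
2022-01-01T12:34:58.100000+00:00 [NEW] tcp 6 120 SYN_SENT src=192.168.1.105 dst=10.0.0.9 sport=40002 dport=23 [UNREPLIED] src=10.0.0.9 dst=192.168.1.105 sport=23 dport=40002
2022-01-01T12:34:58.200000+00:00 [NEW] tcp 6 120 SYN_SENT src=192.168.1.105 dst=10.0.0.9 sport=40003 dport=80 [UNREPLIED] src=10.0.0.9 dst=192.168.1.105 sport=80 dport=40003
2022-01-01T12:34:59.000000+00:00 [NEW] udp 17 30 src=192.168.1.102 dst=8.8.4.4 sport=59839 dport=53 [UNREPLIED] src=8.8.4.4 dst=192.168.1.102 sport=53 dport=59839
"""

# Fixed prefix of every event line; everything after the timeout is handled token by token.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[(?P<event>NEW|UPDATE|DESTROY|CLOSE)\]\s+"
    r"(?P<proto>\w+)\s+(?P<protonum>\d+)\s+(?P<timeout>\d+)\s+(?P<rest>.*)$"
)
TUPLE_KEYS = ("src", "dst", "sport", "dport")

def parse_event(line):
    """Parse one `conntrack --event -o timestamp` line into a dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "event": m["event"], "proto": m["proto"], "timeout": int(m["timeout"]),
          "state": None, "flags": set(), "orig": {}, "reply": {}}
    for tok in m["rest"].split():
        if tok.startswith("[") and tok.endswith("]"):
            ev["flags"].add(tok[1:-1])            # [UNREPLIED], [ASSURED], ...
        elif "=" in tok:
            k, v = tok.split("=", 1)
            if k in TUPLE_KEYS:
                # conntrack prints the original tuple first and the reply tuple second
                side = ev["orig"] if k not in ev["orig"] else ev["reply"]
                side[k] = v
            else:
                ev[k] = v                         # mark=, zone=, use=, ...
        else:
            ev["state"] = tok                     # TCP state such as SYN_SENT or ESTABLISHED
    return ev

def half_open_flows_by_source(text):
    """Count, per original source address, flows that were created (NEW with [UNREPLIED])
    and never followed by an event for the same tuple without that flag."""
    unreplied = {}                                # flow key -> original source address
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        o = ev["orig"]
        key = (ev["proto"], o.get("src"), o.get("sport"), o.get("dst"), o.get("dport"))
        if ev["event"] == "NEW" and "UNREPLIED" in ev["flags"]:
            unreplied[key] = o["src"]
        elif "UNREPLIED" not in ev["flags"]:
            unreplied.pop(key, None)              # the peer answered; flow is no longer half-open
    return Counter(unreplied.values())
```

A source that accumulates many half-open flows to distinct destination ports (192.168.1.105 in the constructed sample) deserves a closer look, while 192.168.1.103 drops out once its UPDATE event without [UNREPLIED] arrives.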
Use Case 4: Display a real-time event log of connection changes for a specific IP address
conntrack --event --orig-src ip_address
Motivation: When monitoring network connections, it can be beneficial to focus on a specific IP address to understand its behavior within the network. This can help identify potential issues or suspicious activity associated with that IP address.
Explanation: The --orig-src option filters the connection events by the source IP address of the original direction (ip_address). It only displays events related to connections originating from the specified IP address.
Example Output:
[NEW] tcp 6 120 SYN_SENT src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443 [UNREPLIED] src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898
[UPDATE] tcp 6 60 SYN_RECV src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898 src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443
[CLOSE] tcp 6 60 SYN_RECV src=8.8.8.8 dst=192.168.1.103 sport=443 dport=46898 src=192.168.1.103 dst=8.8.8.8 sport=46898 dport=443
...
Use Case 5: Delete all flows for a specific source IP address
conntrack --delete --orig-src ip_address
Motivation: In certain scenarios, it may be necessary to remove all active connections originating from a specific IP address. This can be useful when cleaning up or mitigating network-related issues.
Explanation: The --delete option, combined with --orig-src and a specific source IP address (ip_address), deletes all flows whose original direction starts from that address. Deleting entries does not block traffic: the next packet from that address creates a fresh entry, so pair this with a firewall rule when the goal is to cut a host off.
Example Output:
8 flow(s) removed
By incorporating the above use cases into your network management and analysis tasks, you can gain a deeper understanding of network connections, troubleshoot issues, and efficiently manage your network infrastructure. The conntrack command offers a flexible and powerful set of tools for interacting with the Netfilter connection tracking system, empowering you to monitor and control network flows effectively.
To explore further options and functionalities of the conntrack command, refer to the official conntrack manual.