4

I have a Linux box which is set up as a firewall/gateway for the network. I was just wondering why ss and other iproute2 tools show much less than iptables conntrack. Is it because the router function is happening in the kernel only?

ss -na

Shows only two established connections, whereas

conntrack -L -n

Shows 18 established connections.

Adrian Cornish

1 Answer

5

ss and netstat show connections terminated at that host, i.e. either outgoing connections created by a process on the host, or incoming connections handled by a process on the host. (Technically these show you sockets.) conntrack shows connections known by the connection tracking system, which includes connections being routed by but not terminated by that host. (Sockets don't exist for connections only being routed.)

mgorven
  • Makes sense - is there another tool like ss that will show things like window sizes etc. of established sockets that do not have their endpoints on the box? – Adrian Cornish Jul 05 '12 at 01:21
  • @AdrianCornish Not that I know of. Routers don't deal with that information so I doubt that it is recorded. – mgorven Jul 05 '12 at 01:36
  • Shame really, since this router has a full-blown OS on it - but I guess window sizes, keepalives etc. are really more relevant at the endpoints - would be nice to see it all at the gateway, though. – Adrian Cornish Jul 05 '12 at 01:43
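To make the answer's distinction concrete, here is an added example (not from the question, the answer, or the iproute2/conntrack-tools projects) that takes the text output of `ss -tan` and `conntrack -L` and lists the established TCP flows that conntrack tracks but for which the box has no socket, i.e. the flows it is only forwarding. Both sample outputs are constructed; the addresses, the gateway's LAN/WAN IPs and the function names are assumptions.

```shell
#!/bin/sh
# Constructed `ss -tan` output: the gateway (LAN 192.168.1.1, WAN 203.0.113.10)
# has an inbound SSH session and an inbound HTTPS session terminated locally.
SS_OUTPUT='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB   0      0      192.168.1.1:22     192.168.1.50:51234
ESTAB   0      0      203.0.113.10:443   198.51.100.7:40001
LISTEN  0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed `conntrack -L` output: the two local sessions above, one flow
# from a LAN host that is SNATed and forwarded, and one expired flow.
CT_OUTPUT='tcp      6 431999 ESTABLISHED src=192.168.1.50 dst=192.168.1.1 sport=51234 dport=22 src=192.168.1.1 dst=192.168.1.50 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.0.2.80 sport=49000 dport=443 src=192.0.2.80 dst=203.0.113.10 sport=443 dport=49000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=198.51.100.7 sport=443 dport=40001 [ASSURED] mark=0 use=1
tcp      6 120 TIME_WAIT src=192.168.1.21 dst=192.0.2.80 sport=49100 dport=80 src=192.0.2.80 dst=203.0.113.10 sport=80 dport=49100 [ASSURED] mark=0 use=1'

# Emit "local:port peer:port" for every socket ss reports as ESTAB.
local_socket_keys() {
    printf '%s\n' "$1" | awk '$1 == "ESTAB" { print $4 " " $5 }'
}

# For each ESTABLISHED conntrack entry, take the original-direction tuple
# (fields 5-8: src= dst= sport= dport=) and print it unless a local socket
# matches it in either direction. NATed reply tuples never match a socket,
# so forwarded flows fall out naturally.
forwarded_flows() {
    keys=$(local_socket_keys "$1")
    printf '%s\n' "$2" | awk -v keys="$keys" '
        BEGIN { n = split(keys, k, "\n"); for (i = 1; i <= n; i++) seen[k[i]] = 1 }
        $1 == "tcp" && $4 == "ESTABLISHED" {
            src = substr($5, 5); dst = substr($6, 5)
            sport = substr($7, 7); dport = substr($8, 7)
            a = src ":" sport; b = dst ":" dport
            if (!((a " " b) in seen) && !((b " " a) in seen)) print a " -> " b
        }'
}

# Number of forwarded (socket-less) established flows.
count_forwarded() {
    forwarded_flows "$1" "$2" | awk 'END { print NR }'
}

# On a real gateway (conntrack -L needs root): forwarded_flows "$(ss -tan)" "$(conntrack -L)"
forwarded_flows "$SS_OUTPUT" "$CT_OUTPUT"
```

The sample prints only `192.168.1.20:49000 -> 192.0.2.80:443`: the two ESTAB sockets are matched and dropped, and the TIME_WAIT entry is skipped, which is exactly the gap between the `ss` and `conntrack` counts the question asks about.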