
I'd like to hack together my own little script to parse conntrack data, to get customized network information from some Linux boxes that are also NAT routers.

An example of a line from the conntrack tables is:

ipv4 2 tcp 6 300 ESTABLISHED src=1.1.1.2 dst=2.2.2.2 sport=2000 dport=80 src=2.2.2.2 dst=1.1.1.1 sport=80 dport=12000 [ASSURED] mark=0 use=2

All those fields have been described elsewhere, but I can't find any information on the very last column (use=2, but usually use=1).

While planning my script, it has occurred to me that the exact same IP/port combinations might in theory repeat themselves, i.e. get opened, pass some data, get closed, and after a while get opened again.

Might this "use" column indicate that this ip/port combination has already been seen before? If so, in what timespan?
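A parser for the nf_conntrack line format quoted in the question, added here as an example (it is not the asker's script). It splits the fixed leading columns, treats the first src/dst/sport/dport group as the original direction and the second as the reply direction, collects bracketed flags such as [ASSURED] and [UNREPLIED], and keeps the trailing key=value attributes (including use=) in a separate map. The sample lines are constructed for the example; the helper names (parse_conntrack_line, flow_key, nat_kind) are my own and assume the field order shown in the question.

```python
"""Parse /proc/net/nf_conntrack lines into structured records.

Example code written for this answer page; not the asker's script.
Assumes the nf_conntrack text layout: five fixed columns, an optional
state word (tcp only), then key=value tokens and [FLAG] tokens, with the
first src/dst/sport/dport group being the original direction and the
second group the reply direction.
"""

# Constructed sample lines (not real captures). The first is the line
# quoted in the question; the others show a udp entry without a state
# column and a half-open tcp entry carrying [UNREPLIED].
SAMPLE_LINES = [
    "ipv4 2 tcp 6 300 ESTABLISHED src=1.1.1.2 dst=2.2.2.2 sport=2000 dport=80 "
    "src=2.2.2.2 dst=1.1.1.1 sport=80 dport=12000 [ASSURED] mark=0 use=2",
    "ipv4 2 udp 17 29 src=10.0.0.5 dst=8.8.8.8 sport=5353 dport=53 "
    "src=8.8.8.8 dst=203.0.113.7 sport=53 dport=40001 mark=0 use=1",
    "ipv4 2 tcp 6 118 SYN_SENT src=10.0.0.9 dst=198.51.100.1 sport=44000 dport=443 "
    "[UNREPLIED] src=198.51.100.1 dst=203.0.113.7 sport=443 dport=44000 mark=0 use=1",
]

# Keys that appear once per direction (icmp uses type/code/id; packets/bytes
# show up when conntrack accounting is enabled).
PER_DIRECTION_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id",
                      "packets", "bytes"}


def _coerce(value):
    """Turn numeric attribute values into int, leave addresses as strings."""
    try:
        return int(value)
    except ValueError:
        return value


def parse_conntrack_line(line):
    """Parse one nf_conntrack line into a dict with orig/reply tuples."""
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("not a conntrack line: %r" % line)
    rec = {
        "l3proto": tokens[0], "l3num": int(tokens[1]),
        "l4proto": tokens[2], "l4num": int(tokens[3]),
        "timeout": int(tokens[4]),
        "state": None, "orig": {}, "reply": {}, "flags": [], "attrs": {},
    }
    rest = tokens[5:]
    # Only some protocols (tcp) print a state word before the tuples.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        rec["state"] = rest.pop(0)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            rec["flags"].append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in PER_DIRECTION_KEYS:
            # First occurrence belongs to the original direction, the
            # second to the reply direction.
            side = rec["reply"] if key in rec["orig"] else rec["orig"]
            side[key] = _coerce(value)
        else:
            rec["attrs"][key] = _coerce(value)
    return rec


def parse_conntrack_table(text):
    """Parse the whole table text, skipping blank lines."""
    return [parse_conntrack_line(l) for l in text.splitlines() if l.strip()]


def flow_key(rec):
    """Identity of a flow from the original direction; the same key can
    reappear later as a brand-new entry once the old one has expired."""
    o = rec["orig"]
    return (rec["l4proto"], o.get("src"), o.get("sport"), o.get("dst"), o.get("dport"))


def nat_kind(rec):
    """Infer which NAT was applied by comparing orig and reply tuples:
    SNAT when the reply destination differs from the original source,
    DNAT when the reply source differs from the original destination."""
    o, r = rec["orig"], rec["reply"]
    kinds = set()
    if (r.get("dst"), r.get("dport")) != (o.get("src"), o.get("sport")):
        kinds.add("SNAT")
    if (r.get("src"), r.get("sport")) != (o.get("dst"), o.get("dport")):
        kinds.add("DNAT")
    return kinds


if __name__ == "__main__":
    for rec in parse_conntrack_table("\n".join(SAMPLE_LINES)):
        print(flow_key(rec), rec["state"], rec["flags"], sorted(nat_kind(rec)),
              "use=%s" % rec["attrs"].get("use"))
```

To read a live table instead of the constructed samples, pass the contents of /proc/net/nf_conntrack to parse_conntrack_table. The flow_key function is the piece relevant to the reopening concern in the question: two entries with the same key at different times are distinct conntrack entries, so a script that tracks flows over time needs its own history rather than relying on any per-line column.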

1 Answer


The use property is a reference count. Mainly it is used by the garbage collector. Instead of periodically parsing the /proc/net/nf_conntrack file, you can parse the output of the conntrack -E command to handle conntrack events in real time.

If you are interested in the details, you can read Chapter 9 of "Linux Kernel Networking: Implementation and Theory".

Anton Danilov