I'd like to hack together my own little script to parse conntrack data, to get customized network information from some Linux boxes that are also NAT routers.
An example of a line from the conntrack tables is:
ipv4 2 tcp 6 300 ESTABLISHED src=1.1.1.2 dst=2.2.2.2 sport=2000 dport=80 src=2.2.2.2 dst=1.1.1.1 sport=80 dport=12000 [ASSURED] mark=0 use=2
All those fields have been described elsewhere, but I can't find any information on the very last column (use=2, but usually use=1).
While planning my script, it has occurred to me that the exact same IP/port combinations might in theory repeat themselves - i.e. get opened, pass some data, get closed, and after a while get opened again.
Might this "use" column indicate that this IP/port combination has already been seen before? If so, in what timespan?
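As an added example (not part of the question or any answer), a parser for lines in the /proc/net/nf_conntrack format quoted above; it splits the first src/dst/sport/dport group (original direction) from the second (reply direction), which is what reveals the NAT rewrite on a router, and keys flows by the original 5-tuple rather than by the use column. The sample lines are constructed, not captured traffic, and handling of UDP lines without a state word is an assumption about the format beyond the single TCP line shown.

```python
from typing import Dict, List

# Constructed sample lines in the /proc/net/nf_conntrack format from the question
# (the second uses documentation addresses; neither is captured traffic).
SAMPLE_TCP = ("ipv4 2 tcp 6 300 ESTABLISHED src=1.1.1.2 dst=2.2.2.2 sport=2000 dport=80 "
              "src=2.2.2.2 dst=1.1.1.1 sport=80 dport=12000 [ASSURED] mark=0 use=2")
SAMPLE_UDP = ("ipv4 2 udp 17 29 src=192.0.2.5 dst=203.0.113.9 sport=51000 dport=53 "
              "[UNREPLIED] src=203.0.113.9 dst=192.0.2.5 sport=53 dport=51000 mark=0 use=1")

# Keys that appear once per direction: the first occurrence describes the
# original (initiating) direction, the second describes the reply direction.
DIRECTIONAL = {"src", "dst", "sport", "dport", "type", "code", "id"}
NUMERIC = {"sport", "dport", "mark", "use", "zone", "type", "code", "id"}


def parse_line(line: str) -> Dict:
    """Parse one nf_conntrack line into a dict with separate orig/reply tuples."""
    tokens = line.split()
    entry = {"l3proto": tokens[0], "l4proto": tokens[2], "timeout": int(tokens[4]),
             "state": None, "flags": [], "orig": {}, "reply": {}}
    for tok in tokens[5:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])          # ASSURED, UNREPLIED, ...
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in NUMERIC:
                value = int(value)
            if key in DIRECTIONAL:
                side = "reply" if key in entry["orig"] else "orig"
                entry[side][key] = value
            else:
                entry[key] = value                     # mark, use, zone, ...
        else:
            entry["state"] = tok                       # TCP state word; absent for UDP
    return entry


def nat_kinds(entry: Dict) -> List[str]:
    """Report which rewrites the reply tuple reveals relative to the original tuple."""
    o, r = entry["orig"], entry["reply"]
    kinds = []
    if (r.get("dst"), r.get("dport")) != (o.get("src"), o.get("sport")):
        kinds.append("SNAT")   # source address/port rewritten on the way out (masquerade)
    if (r.get("src"), r.get("sport")) != (o.get("dst"), o.get("dport")):
        kinds.append("DNAT")   # destination address/port rewritten (port forward)
    return kinds


def flow_key(entry: Dict):
    """Identity of a flow for deduplication: the original-direction 5-tuple."""
    o = entry["orig"]
    return (entry["l4proto"], o.get("src"), o.get("sport"), o.get("dst"), o.get("dport"))


if __name__ == "__main__":
    for line in (SAMPLE_TCP, SAMPLE_UDP):
        e = parse_line(line)
        print(flow_key(e), e["state"], e["flags"], nat_kinds(e), "use=%d" % e["use"])
```

A flow that closes and later reopens with the same 5-tuple produces a new entry with the same flow_key; comparing keys across successive reads of the file is how to spot that, independent of the use value.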
The use property is a reference count. Mainly it is used by the garbage collector. Instead of periodically parsing the /proc/net/nf_conntrack file, you can parse the output of the conntrack -E command to handle conntrack events in real time. If you are interested in details, you can read chapter 9 of "Linux Kernel Networking: Implementation and Theory".