CONNTRACK(8)                                                      CONNTRACK(8)



NAME
       conntrack - command line interface for netfilter connection tracking

SYNOPSIS
       conntrack -L [table] [-z]
       conntrack -G [table] parameters
       conntrack -D [table] parameters
       conntrack -I [table] parameters
       conntrack -E [table] parameters
       conntrack -F [table]

DESCRIPTION
       conntrack provides a full featured userspace interface to the netfilter
       connection tracking system that is intended to replace the old
       /proc/net/ip_conntrack interface. This tool can be used to search,
       list, inspect and maintain the connection tracking subsystem of the
       Linux kernel. Using conntrack, you can dump a list of all (or a
       filtered selection of) currently tracked connections, delete
       connections from the state table, and even add new ones.

       In addition, you can also monitor connection tracking events, e.g. show
       an event message (one line) per newly established connection.

TABLES
       The connection tracking subsystem maintains two internal tables:

       conntrack:
              This is the default table. It contains a list of all currently
              tracked connections through the system. If you don't use
              connection tracking exemptions (NOTRACK iptables target), this
              means all connections that go through the system.

       expect:
              This is the table of expectations. Connection tracking
              expectations are the mechanism used to "expect" RELATED
              connections to existing ones. Expectations are generally used by
              "connection tracking helpers" (sometimes called application
              level gateways [ALGs]) for more complex protocols such as FTP,
              SIP, H.323.

OPTIONS
       The options recognized by conntrack can be divided into several
       different groups.

   COMMANDS
       These options specify the particular operation to perform. Only one of
       them can be specified at any given time.

       -L, --dump
              List the connection tracking or expectation table.

       -G, --get
              Search for and show a particular (matching) entry in the given
              table.

       -D, --delete
              Delete an entry from the given table.

       -I, --create
              Create a new entry in the given table.

       -E, --event
              Display a real-time event log.

       -F, --flush
              Flush the whole given table.

   PARAMETERS
       -z, --zero
              Atomically zero counters after reading them. This option is
              only valid in combination with the "-L, --dump" command option.

       -o, --output [extended,xml,timestamp]
              Display output in a certain format. This option is only valid in
              combination with the "-L, --dump", "-E, --event" and "-G, --get"
              command options.

       -e, --event-mask [ALL|NEW|UPDATES|DESTROY][,...]
              Set the bitmask of events that are to be generated by the
              in-kernel ctnetlink event code. Using this parameter, you can
              reduce the event messages generated by the kernel to the types
              that you are actually interested in. This option can only be
              used in conjunction with "-E, --event".

   FILTER PARAMETERS
       -s, --orig-src IP_ADDRESS
              Match only entries whose source address in the original
              direction equals the one specified as argument.

       -d, --orig-dst IP_ADDRESS
              Match only entries whose destination address in the original
              direction equals the one specified as argument.

       -r, --reply-src IP_ADDRESS
              Match only entries whose source address in the reply direction
              equals the one specified as argument.

       -q, --reply-dst IP_ADDRESS
              Match only entries whose destination address in the reply
              direction equals the one specified as argument.

       -p, --proto PROTO
              Specify the layer four (TCP, UDP, ...) protocol.

       -f, --family PROTO
              Specify the layer three (ipv4, ipv6) protocol. This option is
              only required in conjunction with "-L, --dump". If this option
              is not passed, the default layer 3 protocol will be IPv4.

       -t, --timeout TIMEOUT
              Specify the timeout, in seconds.

       -u, --status [ASSURED|SEEN_REPLY|UNSET][,...]
              Specify the conntrack status.

       -n, --src-nat
              Filter source NAT connections.

       -g, --dst-nat
              Filter destination NAT connections.

       --tuple-src IP_ADDRESS
              Specify the tuple source address of an expectation.

       --tuple-dst IP_ADDRESS
              Specify the tuple destination address of an expectation.

       --mask-src IP_ADDRESS
              Specify the source address mask of an expectation.

       --mask-dst IP_ADDRESS
              Specify the destination address mask of an expectation.

   PROTOCOL FILTER PARAMETERS
       TCP-specific fields:

       --orig-port-src PORT
              Source port in original direction

       --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       --state [NONE | SYN_SENT | SYN_RECV | ESTABLISHED | FIN_WAIT |
       CLOSE_WAIT | LAST_ACK | TIME_WAIT | CLOSE | LISTEN]
              TCP state

       UDP-specific fields:

       --orig-port-src PORT
              Source port in original direction

       --orig-port-dst PORT
              Destination port in original direction

       --reply-port-src PORT
              Source port in reply direction

       --reply-port-dst PORT
              Destination port in reply direction

       ICMP-specific fields:

       --icmp-type TYPE
              ICMP Type. Has to be specified numerically.

       --icmp-code CODE
              ICMP Code. Has to be specified numerically.

       --icmp-id ID
              ICMP Id. Has to be specified numerically (non-mandatory)
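
       The following script is an added example; it is not part of this man
       page or of the conntrack tool. It reads a dump in the default "-L"
       output format, counts half-open TCP flows (--state SYN_SENT in the
       original direction) per source address, and prints the "-D" command,
       built from the filter parameters above, that would remove only those
       flows. The sample dump embedded in it is constructed, and the column
       layout it assumes is stated in its comments; the threshold of three
       flows is illustrative.

```sh
#!/bin/sh
# Added example, not part of the conntrack man page or the netfilter project.
# Audit a "conntrack -L" dump for sources holding many half-open TCP flows
# (state SYN_SENT, original direction) and emit the matching "conntrack -D"
# commands, built from the filter parameters documented in OPTIONS.
#
# Assumed input layout (the default /proc/net/ip_conntrack style of -L):
#   proto protonum timeout [tcp-state] src= dst= sport= dport= [UNREPLIED] src= dst= ...
# The first src=/dst=/sport=/dport= group is the original direction, which is
# what -s/--orig-src and --orig-port-* match; the second group is the reply.

# Constructed sample dump; not captured from a real host. 203.0.113.7 has three
# unanswered SYNs to different ports, the classic shape of a port scan.
SAMPLE_DUMP='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=192.0.2.10 sport=51234 dport=443 src=192.0.2.10 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=203.0.113.7 dst=192.0.2.10 sport=40001 dport=22 [UNREPLIED] src=192.0.2.10 dst=203.0.113.7 sport=22 dport=40001 mark=0 use=1
tcp      6 117 SYN_SENT src=203.0.113.7 dst=192.0.2.10 sport=40002 dport=23 [UNREPLIED] src=192.0.2.10 dst=203.0.113.7 sport=23 dport=40002 mark=0 use=1
tcp      6 117 SYN_SENT src=203.0.113.7 dst=192.0.2.10 sport=40003 dport=25 [UNREPLIED] src=192.0.2.10 dst=203.0.113.7 sport=25 dport=40003 mark=0 use=1
tcp      6 119 SYN_SENT src=10.0.0.5 dst=192.0.2.10 sport=51235 dport=8080 [UNREPLIED] src=192.0.2.10 dst=10.0.0.5 sport=8080 dport=51235 mark=0 use=1
udp      17 29 src=10.0.0.5 dst=192.0.2.53 sport=33333 dport=53 src=192.0.2.53 dst=10.0.0.5 sport=53 dport=33333 mark=0 use=1'

# syn_sent_offenders THRESHOLD: read a dump on stdin, print "IP COUNT" for each
# original-direction source with at least THRESHOLD SYN_SENT entries.
syn_sent_offenders() {
    awk -v thr="$1" '
        $1 == "tcp" && $4 == "SYN_SENT" {
            # the first src= field on the line is the original direction
            for (i = 5; i <= NF; i++)
                if ($i ~ /^src=/) { n[substr($i, 5)]++; break }
        }
        END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }' | sort
}

# kill_commands THRESHOLD: print (do not run) the conntrack invocations that
# would remove only the half-open flows of each offender. Restricting the
# delete to -p tcp --state SYN_SENT leaves any legitimate ESTABLISHED flows
# from the same address untouched.
kill_commands() {
    syn_sent_offenders "$1" | while read -r ip _count; do
        printf 'conntrack -D -p tcp --state SYN_SENT -s %s\n' "$ip"
    done
}

# Demo on the constructed sample. Live use: conntrack -L | kill_commands 3
printf '%s\n' "$SAMPLE_DUMP" | kill_commands 3
```

       Review the printed commands before piping them to a shell as root. The
       targeted delete matters because, in a ruleset that accepts
       ESTABLISHED,RELATED traffic before its DROP rules, adding a DROP for
       an address does not affect flows the kernel is already tracking; only
       removing the conntrack entries does.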
180
182 The exit code is 0 for correct function. Errors which appear to be
183 caused by invalid command line parameters cause an exit code of 2. Any
184 other errors cause an exit code of 1.
185
187 conntrack -L
188 Dump the connection tracking table in /proc/net/ip_conntrack
189 format
190
191 conntrack -L -o extended
192 Dump the connection tracking table in /proc/net/nf_conntrack
193 format
194
195 conntrack -L -o xml
196 Dump the connection tracking table in XML
197
198 conntrack -L -f ipv6 -o extended
199 Only dump IPv6 connections in /proc/net/nf_conntrack format
200
201 conntrack -L --src-nat
202 Dump source NAT connections
203
204 conntrack -E -o timestamp
205 Show connection events together with the timestamp
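
       The following script is an added example, not code from this man page
       or from the conntrack tool. It consumes the event stream of the last
       example above, narrowed with "-e NEW", and prints one alert line for
       each new connection to a watched port from an address outside a
       trusted prefix. The event line layout it parses and the sample events
       embedded in it are assumptions stated in its comments; port 22 and the
       prefix 10.0.0. are illustrative.

```sh
#!/bin/sh
# Added example, not part of the conntrack man page or the netfilter project.
# Turn "conntrack -E -e NEW -o timestamp" events into one alert line per new
# connection to a watched destination port from an untrusted source address.
#
# Assumed event layout (one event per line): a bracketed epoch timestamp, the
# bracketed event type, then the same fields as a -L entry. Only the first
# src=/dst=/dport= fields (original direction) are used.

# Constructed sample events; not captured from a real host.
SAMPLE_EVENTS='[1700000000.000001]    [NEW] tcp      6 120 SYN_SENT src=203.0.113.9 dst=192.0.2.10 sport=50000 dport=22 [UNREPLIED] src=192.0.2.10 dst=203.0.113.9 sport=22 dport=50000
[1700000000.000002] [UPDATE] tcp      6 60 SYN_RECV src=203.0.113.9 dst=192.0.2.10 sport=50000 dport=22 src=192.0.2.10 dst=203.0.113.9 sport=22 dport=50000
[1700000000.000003]    [NEW] udp      17 30 src=10.0.0.5 dst=192.0.2.53 sport=40000 dport=53 [UNREPLIED] src=192.0.2.53 dst=10.0.0.5 sport=53 dport=40000
[1700000000.000004]    [NEW] tcp      6 120 SYN_SENT src=10.0.0.8 dst=192.0.2.10 sport=50001 dport=22 [UNREPLIED] src=192.0.2.10 dst=10.0.0.8 sport=22 dport=50001
[1700000000.000005]    [NEW] tcp      6 120 SYN_SENT src=198.51.100.4 dst=192.0.2.10 sport=50002 dport=22 [UNREPLIED] src=192.0.2.10 dst=198.51.100.4 sport=22 dport=50002
[1700000000.000006]  [DESTROY] tcp      6 src=203.0.113.9 dst=192.0.2.10 sport=50000 dport=22 src=192.0.2.10 dst=203.0.113.9 sport=22 dport=50000'

# alert_new_to_port PORT TRUSTED_PREFIX: read events on stdin and print
# "EPOCH PROTO SRC -> DST:PORT" for every [NEW] event whose original-direction
# destination port is PORT and whose source does not start with TRUSTED_PREFIX.
# UPDATE and DESTROY events are ignored. A retransmitted SYN matches the
# existing entry and does not raise a second NEW, so each flow alerts once.
alert_new_to_port() {
    awk -v port="$1" -v pfx="$2" '
        $2 == "[NEW]" {
            src = ""; dst = ""; dport = ""
            for (i = 4; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)          src = substr($i, 5)
                else if (dst == "" && $i ~ /^dst=/)     dst = substr($i, 5)
                else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
                if (src != "" && dst != "" && dport != "") break
            }
            if (dport != port) next
            if (pfx != "" && index(src, pfx) == 1) next
            ts = substr($1, 2, length($1) - 2)   # strip the surrounding [ ]
            print ts, $3, src " -> " dst ":" dport
        }'
}

# Demo on the constructed sample.
# Live use: conntrack -E -e NEW -o timestamp | alert_new_to_port 22 10.0.0.
printf '%s\n' "$SAMPLE_EVENTS" | alert_new_to_port 22 10.0.0.
```

       Restricting the kernel-side mask with "-e NEW" keeps the UPDATE and
       DESTROY traffic out of the pipe entirely; the script's own "[NEW]"
       check only guards against a broader mask being used by mistake.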

BUGS
       Bugs? What's this ;-)

SEE ALSO
       iptables(8)
       See http://netfilter.org/.

AUTHORS
       Jay Schulist, Patrick McHardy, Harald Welte and Pablo Neira wrote the
       kernel-level "ctnetlink" interface that is used by the conntrack tool.

       Pablo Neira wrote the conntrack tool, Harald Welte added support for
       conntrack based accounting counters.

       Man page written by Harald Welte <laforge@netfilter.org> and Pablo
       Neira Ayuso <pablo@netfilter.org>.



                                  May 6, 2007                      CONNTRACK(8)