* Linux - nf_conntrack_count = 30684?
@ 2016-09-09  8:29 Jens Koehler
  2016-09-09 13:29 ` Pablo Neira Ayuso
From: Jens Koehler @ 2016-09-09  8:29 UTC
  To: netfilter

A Linux application cyclically reads data from up to 32 servers via
TCP. After disconnecting many/all servers, another Linux application
could not send data via UDP over the network interface.
nf_conntrack_count shows an unexpectedly high value:

net.netfilter.nf_conntrack_count = 30684

What exactly does the number mean? And what could be the reason for so many
open connections if no server is connected?

Thanks in advance,
Jens


* Re: Linux - nf_conntrack_count = 30684?
  2016-09-09  8:29 Linux - nf_conntrack_count = 30684? Jens Koehler
@ 2016-09-09 13:29 ` Pablo Neira Ayuso
  2016-09-14 12:54   ` Jens Koehler
From: Pablo Neira Ayuso @ 2016-09-09 13:29 UTC
  To: Jens Koehler; +Cc: netfilter

On Fri, Sep 09, 2016 at 10:29:33AM +0200, Jens Koehler wrote:
> A Linux application cyclically reads data from up to 32 servers via
> TCP. After disconnecting many/all servers, another Linux application
> could not send data via UDP over the network interface.
> nf_conntrack_count shows an unexpectedly high value:
> 
> net.netfilter.nf_conntrack_count = 30684
> 
> What exactly does the number mean?

This is the number of conntrack entries in the table.

> And what could be the reason for so many open connections if no server
> is connected?

Do `conntrack -L' or `cat /proc/net/nf_conntrack' show entries?


* Re: Linux - nf_conntrack_count = 30684?
  2016-09-09 13:29 ` Pablo Neira Ayuso
@ 2016-09-14 12:54   ` Jens Koehler
  2016-09-14 13:29     ` André Paulsberg-Csibi (IBM Consultant)
From: Jens Koehler @ 2016-09-14 12:54 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter

On Fri, Sep 9, 2016 at 3:29 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Sep 09, 2016 at 10:29:33AM +0200, Jens Koehler wrote:
>> A Linux application cyclically reads data from up to 32 servers via
>> TCP. After disconnecting many/all servers, another Linux application
>> could not send data via UDP over the network interface.
>> nf_conntrack_count shows an unexpectedly high value:
>>
>> net.netfilter.nf_conntrack_count = 30684
>>
>> What exactly does the number mean?
>
> This is the number of conntrack entries in the table.
>
>> And what could be the reason for so many open connections if no server
>> is connected?
>
> Do `conntrack -L' or `cat /proc/net/nf_conntrack' show entries?

Yes, 'cat /proc/net/nf_conntrack' shows a huge number of entries like the following:
ipv4     2 tcp      6 109 SYN_SENT src=192.168.171.100 dst=192.168.171.160 sport=37660 dport=502 [UNREPLIED] src=192.168.171.160 dst=192.168.171.100 sport=502 dport=37660 mark=0 use=2
ipv4     2 tcp      6 95 SYN_SENT src=192.168.171.100 dst=192.168.171.168 sport=6341 dport=502 [UNREPLIED] src=192.168.171.168 dst=192.168.171.100 sport=502 dport=6341 mark=0 use=2
ipv4     2 tcp      6 105 SYN_SENT src=192.168.171.100 dst=192.168.171.112 sport=50811 dport=502 [UNREPLIED] src=192.168.171.112 dst=192.168.171.100 sport=502 dport=50811 mark=0 use=2
ipv4     2 tcp      6 109 SYN_SENT src=192.168.171.100 dst=192.168.171.111 sport=25782 dport=502 [UNREPLIED] src=192.168.171.111 dst=192.168.171.100 sport=502 dport=25782 mark=0 use=2
ipv4     2 tcp      6 103 SYN_SENT src=192.168.171.100 dst=192.168.171.155 sport=14076 dport=502 [UNREPLIED] src=192.168.171.155 dst=192.168.171.100 sport=502 dport=14076 mark=0 use=2
ipv4     2 tcp      6 95 SYN_SENT src=192.168.171.100 dst=192.168.171.160 sport=34017 dport=502 [UNREPLIED] src=192.168.171.160 dst=192.168.171.100 sport=502 dport=34017 mark=0 use=2
ipv4     2 tcp      6 100 SYN_SENT src=192.168.171.100 dst=192.168.171.105 sport=43547 dport=502 [UNREPLIED] src=192.168.171.105 dst=192.168.171.100 sport=502 dport=43547 mark=0 use=2
ipv4     2 tcp      6 96 SYN_SENT src=192.168.171.100 dst=192.168.171.162 sport=22357 dport=502 [UNREPLIED] src=192.168.171.162 dst=192.168.171.100 sport=502 dport=22357 mark=0 use=2

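To turn a dump like the one above into something actionable, the check a practitioner wants is a count of entries per protocol, TCP state and destination port, split by whether the flow ever got a reply. The script below is an added example written for this thread, not code from the netfilter project or from anyone in the discussion. It parses the /proc/net/nf_conntrack text format shown in the reply; SAMPLE is constructed for the example (three entries modelled on the posted ones, plus one established SSH flow and one UDP flow for contrast), and the 50% hotspot threshold is an arbitrary choice. Pass a file path (for example a saved copy of /proc/net/nf_conntrack) as the first argument to run it against a real table.

```python
"""Summarise conntrack entries to see what is filling the table.

Added example for this thread, not code from the netfilter project. Parses
the /proc/net/nf_conntrack text format, buckets entries by protocol, TCP
state, destination port and [UNREPLIED], and reports buckets that dominate
the table. SAMPLE is constructed; a real table is read when a path is given.
"""
import sys
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "l4proto timeout state dport unreplied assured")

# Constructed sample, one entry per line, in /proc/net/nf_conntrack format.
SAMPLE = """\
ipv4     2 tcp      6 109 SYN_SENT src=192.168.171.100 dst=192.168.171.160 sport=37660 dport=502 [UNREPLIED] src=192.168.171.160 dst=192.168.171.100 sport=502 dport=37660 mark=0 use=2
ipv4     2 tcp      6 95 SYN_SENT src=192.168.171.100 dst=192.168.171.168 sport=6341 dport=502 [UNREPLIED] src=192.168.171.168 dst=192.168.171.100 sport=502 dport=6341 mark=0 use=2
ipv4     2 tcp      6 105 SYN_SENT src=192.168.171.100 dst=192.168.171.112 sport=50811 dport=502 [UNREPLIED] src=192.168.171.112 dst=192.168.171.100 sport=502 dport=50811 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.171.100 dst=192.168.171.1 sport=40000 dport=22 src=192.168.171.1 dst=192.168.171.100 sport=22 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.171.100 dst=192.168.171.2 sport=5000 dport=5000 [UNREPLIED] src=192.168.171.2 dst=192.168.171.100 sport=5000 dport=5000 mark=0 use=2
"""


def parse_entry(line):
    """Parse one /proc/net/nf_conntrack line into an Entry, or None if malformed.

    Field layout: l3proto l3num l4proto l4num timeout [TCP state], then
    key=value tokens (original direction first, reply direction second) with
    [FLAG] tokens such as [UNREPLIED] and [ASSURED] interleaved.
    """
    tok = line.split()
    if len(tok) < 6:
        return None
    try:
        l4proto, timeout = tok[2], int(tok[4])
    except ValueError:
        return None
    state = None
    dport = None
    flags = set()
    for t in tok[5:]:
        if t.startswith("[") and t.endswith("]"):
            flags.add(t[1:-1])
        elif "=" in t:
            k, v = t.split("=", 1)
            if k == "dport" and dport is None:   # first dport = original direction
                dport = int(v)
        elif state is None and t.isupper():      # TCP state keyword, e.g. SYN_SENT
            state = t
    return Entry(l4proto, timeout, state or "-", dport,
                 "UNREPLIED" in flags, "ASSURED" in flags)


def summarise(text):
    """Count entries per (l4proto, state, dport, unreplied) bucket."""
    buckets = Counter()
    for line in text.splitlines():
        e = parse_entry(line)
        if e is not None:
            buckets[(e.l4proto, e.state, e.dport, e.unreplied)] += 1
    return buckets


def hotspots(buckets, min_share=0.5):
    """Return buckets holding at least min_share of all entries, largest first.

    One bucket of unreplied SYN_SENT flows to a single port is the signature of
    a client retrying hosts that never answer (or of a SYN scan); every such
    entry counts against net.netfilter.nf_conntrack_max until it times out.
    """
    total = sum(buckets.values())
    if total == 0:
        return []
    hot = [(key, n) for key, n in buckets.items() if n / total >= min_share]
    return sorted(hot, key=lambda kv: kv[1], reverse=True)


def load(path=None):
    """Return the constructed SAMPLE, or the contents of a saved table."""
    if path is None:
        return SAMPLE
    with open(path) as f:
        return f.read()


def main(argv):
    buckets = summarise(load(argv[1] if len(argv) > 1 else None))
    total = sum(buckets.values())
    print(f"{total} entries")
    for (proto, state, dport, unreplied), n in buckets.most_common():
        tag = "UNREPLIED" if unreplied else "replied"
        print(f"{n:8d}  {proto:4s} {state:12s} dport={dport} {tag}")
    for key, n in hotspots(buckets):
        print(f"hotspot: {key} holds {n}/{total} entries")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Reading the columns: the number after the layer-4 protocol number is the seconds left before the entry expires, and [UNREPLIED] means conntrack has not seen a packet in the reply direction. Half-open SYN_SENT entries are expired by net.netfilter.nf_conntrack_tcp_timeout_syn_sent (120 s by default), so a client that keeps retrying unreachable hosts can hold tens of thousands of them at once. When nf_conntrack_count reaches net.netfilter.nf_conntrack_max the kernel logs "nf_conntrack: table full, dropping packet" and drops any packet that would need a new entry, which is how an unrelated UDP sender on the same box stops working. `conntrack -L -p tcp --dport 502` gives the same data with filtering, and `ss -tnp state syn-sent` names the local process that owns the half-open sockets.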

* RE: Linux - nf_conntrack_count = 30684?
  2016-09-14 12:54   ` Jens Koehler
@ 2016-09-14 13:29     ` André Paulsberg-Csibi (IBM Consultant)
From: André Paulsberg-Csibi (IBM Consultant) @ 2016-09-14 13:29 UTC
  To: Jens Koehler, Pablo Neira Ayuso; +Cc: netfilter@vger.kernel.org

Looks like 192.168.171.100 is trying to find other machines with:
asa-appl-proto     502/tcp      # asa-appl-proto  [Dennis_Dube]
in the same "segment" as itself (maybe it is probing all of 192.168.0.0/16) ...

... maybe all you have to do is go onto the machine, find the process that does this, and disable/remove it
(or tweak it to do less of this, if this is something you intended to install and use).

Best regards
André Paulsberg-Csibi
Senior Network Engineer 
Fault Handling
IBM Services AS
andre.paulsberg-csibi@evry.com
M +47 9070 5988
