Help/guidance with automatic CT helper assignment

[Mauro Santos <registo.mailling@gmail.com>]

Hello,

I'm running linux 4.10.8 and I am aware that automatic connection
tracker loading has been disabled by default for security reasons.

I'm currently seeing:

nf_conntrack: default automatic helper assignment has been turned off
for security reasons and CT-based  firewall rule not found. Use the
iptables CT target to attach helpers instead.

in my kernel logs, which is to be expected to some degree I suppose.

What I would like some help/guidance with is finding out what is causing
this, that is, finding out which program would cause an automatic helper
to be loaded if automatic loading was enabled.

I have currently setup two helpers, one for ftp and one for pptp (which
pulls the gre helper if I'm not mistaken). These two helpers have been
added with:
iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp
iptables -t raw -A OUTPUT -p tcp --dport 1723 -j CT --helper pptp

I have tried monitoring incoming and outgoing connections with source
and destination ports that the other helpers should work with (I've
taken the list from here http://www.shorewall.net/Helpers.html) but the
timestamps of the messages (ports log and nf_conntrack message) are too
far for me to believe I'm catching what is causing this.

Short of logging everything in bulk, is there anything else I can try to
catch the culprit? I'd like to avoid logging in bulk because I have not
found a way to trigger this on demand and sometimes I see the
nf_conntrack message several hours after boot, which would make for huge
logs with normal machine usage (youtube, video calls, etc).

-- 
Mauro Santos