From: Dennis Jacobfeuerborn <dennisml@conversis.de>
To: netfilter@vger.kernel.org
Subject: Parsing conntrack entries
Date: Thu, 01 Jan 2015 23:14:38 +0100
Message-ID: <54A5C6CE.6090409@conversis.de>
Hi,
I'm trying to write a small python script that creates some statistics
from the current conntrack entries of a system. The problem I've run
into is that I cannot find a good description of the output format of
the conntrack tool and while I initially thought the format is reasonably
straightforward to deduce I ran into some snags.
The format of a line not only changes with protocol and entry state but
even entries with the same protocol and state seem to have different
formats:
tcp 6 3 CLOSE src=<IP1> dst=<IP2> sport=X dport=Y src=<IP2>
dst=<IP1> sport=Y dport=X mark=0 use=1
vs
tcp 6 3 CLOSE src=<IP1> dst=<IP2> sport=X dport=Y src=<IP2>
dst=<IP1> sport=Y dport=X [ASSURED] mark=0 use=1
Why does one entry contain the [ASSURED] but the other does not?
Also for some connections I see the [ASSURED] near the end of the line
but for others I see an [UNREPLIED] in the *middle* of the line and no
flag near the end of the line.
What is the meaning of the "use" field?
What is the best way to parse this information in a reliable way?
Regards,
Dennis
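
The following is an added example, not part of the original message or of the conntrack project: a Python sketch that parses `conntrack -L` text by token type rather than by column position, so an optional state word or a `[FLAG]` in the middle or near the end of the line does not shift the fields. The sample lines are constructed, and the list of per-direction keys is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample lines (documentation addresses) in the shapes quoted above.
SAMPLE = (
    "tcp 6 3 CLOSE src=192.0.2.10 dst=198.51.100.5 sport=40000 dport=80 "
    "src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40000 mark=0 use=1\n"
    "tcp 6 3 CLOSE src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=80 "
    "src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40001 [ASSURED] mark=0 use=1\n"
    "udp 17 25 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 [UNREPLIED] "
    "src=198.51.100.53 dst=192.0.2.12 sport=53 dport=5353 mark=0 use=1\n"
)
FLAG = re.compile(r"\[(\w+)\]")
# Keys printed once per direction: first occurrence = original, second = reply.
# (Assumed list for this example.)
PER_DIRECTION = {"src", "dst", "sport", "dport", "type", "code", "id", "packets", "bytes"}

def parse_line(line):
    """Parse one conntrack line by token type, never by column position."""
    tokens = line.split()
    if len(tokens) < 3 or not (tokens[1].isdigit() and tokens[2].isdigit()):
        raise ValueError(f"not a conntrack entry: {line!r}")
    entry = {"proto": tokens[0], "proto_num": int(tokens[1]), "timeout": int(tokens[2]),
             "state": None, "flags": [], "orig": {}, "reply": {}, "attrs": {}}
    for tok in tokens[3:]:
        flag = FLAG.fullmatch(tok)
        if flag:                                  # [ASSURED], [UNREPLIED], ... anywhere
            entry["flags"].append(flag.group(1))
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key not in PER_DIRECTION:          # mark=, use=, and keys not known here
                entry["attrs"][key] = value
            elif key not in entry["orig"]:
                entry["orig"][key] = value
            elif key not in entry["reply"]:
                entry["reply"][key] = value
            else:
                raise ValueError(f"third {key}= in {line!r}")
        elif entry["state"] is None and not entry["orig"]:
            entry["state"] = tok                  # bare word before the first tuple
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
    return entry

def summarize(text):
    """Count entries per (protocol, state, flags) for non-empty lines."""
    entries = (parse_line(l) for l in text.splitlines() if l.strip())
    return Counter((e["proto"], e["state"], tuple(e["flags"])) for e in entries)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```

`conntrack -L -o xml` prints the same entries as XML, which avoids parsing the text layout at all.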