libnetfilter_conntrack's NFCT_OF_TIMESTAMP is not working

libnetfilter_conntrack's NFCT_OF_TIMESTAMP is not working

[ravin goyal]

Hii

regarding libnetfilter_conntrack I have been working on getting start
and stop timestamp of the connection, I lookup source code and found
if i enable NFCT_OF_TIMESTAMP (echo "1" >
/proc/sys/net/netfilter/nf_conntrack_timestamp)  , i will get the same
but when i ran
conntrack -E -eDESTROY -otimestamp,extended , it didn't show the start
and stop time and when i print the value it said flags=1,
NFCT_OF_TIMESTAMP is 8
somehow the following line....
if (flags & NFCT_OF_TIMESTAMP) in code
/src/conntrack/snprint_default.c doesn't match hence function
__snprintf_timestamp_start and __snprintf_timestamp_stop doesn't get
called.

I don't know how else can i set or use NFCT_OF_TIMESTAMP

any help regarding this issue would be appreciated

Regards
Ravin Goyal

libnetfilter_conntrack's NFCT_OF_TIMESTAMP is not working

[ravin goyal]

Hi

this email is in reference to previous email regarding the NFCT_OF_TIMESTAMP,

setting /proc/sys/net/netfilter/nf_conntrack_timestamp to 1 or 0
doesn't run the following code in
/libnetfilter_conntrack-1.0.4/src/conntrack/snprintf_default.c file

        if (flags & NFCT_OF_TIMESTAMP) {
                if (test_bit(ATTR_TIMESTAMP_START, ct->head.set)) {
                        ret = __snprintf_timestamp_start(buf+offset, len, ct);
                        BUFFER_SIZE(ret, size, len, offset);
                }
                if (test_bit(ATTR_TIMESTAMP_STOP, ct->head.set)) {
                        ret = __snprintf_timestamp_stop(buf+offset, len, ct);
                        BUFFER_SIZE(ret, size, len, offset);
                }
        }

flags and NFCT_OF_TIMESTMP is always 1 and 8 respectively no matter value of
/proc/sys/net/netfilter/nf_conntrack_timestamp is 1 or 0

So what value should i set of nf_conntrack_timestamp if i want to get
start and stop timestamp from __snprintf_timestamp_start and
__snprintf_timestamp_stop respectively.

Regards
Ravin Goyal

Re: libnetfilter_conntrack's NFCT_OF_TIMESTAMP is not working

[Pablo Neira Ayuso]

On Tue, Mar 15, 2016 at 12:04:35PM +0530, ravin goyal wrote:
> Hi
> 
> this email is in reference to previous email regarding the NFCT_OF_TIMESTAMP,
> 
> setting /proc/sys/net/netfilter/nf_conntrack_timestamp to 1 or 0
> doesn't run the following code in
> /libnetfilter_conntrack-1.0.4/src/conntrack/snprintf_default.c file
> 
>         if (flags & NFCT_OF_TIMESTAMP) {
>                 if (test_bit(ATTR_TIMESTAMP_START, ct->head.set)) {
>                         ret = __snprintf_timestamp_start(buf+offset, len, ct);
>                         BUFFER_SIZE(ret, size, len, offset);
>                 }
>                 if (test_bit(ATTR_TIMESTAMP_STOP, ct->head.set)) {
>                         ret = __snprintf_timestamp_stop(buf+offset, len, ct);
>                         BUFFER_SIZE(ret, size, len, offset);
>                 }
>         }
> 
> flags and NFCT_OF_TIMESTMP is always 1 and 8 respectively no matter value of
> /proc/sys/net/netfilter/nf_conntrack_timestamp is 1 or 0
> 
> So what value should i set of nf_conntrack_timestamp if i want to get
> start and stop timestamp from __snprintf_timestamp_start and
> __snprintf_timestamp_stop respectively.

# echo 1 > /proc/sys/net/netfilter/nf_conntrack_timestamp

This is working fine here:

# conntrack -E -o ktimestamp
[DESTROY] udp      17 src=10.10.10.132 dst=8.8.8.8 sport=123 dport=123 src=8.8.8.8 dst=10.10.10.132 sport=123 dport=123 delta-time=30 [start=Tue Mar 15 11:15:59 2016] [stop=Tue Mar 15 11:16:29 2016]

Re: libnetfilter_conntrack's NFCT_OF_TIMESTAMP is not working

[Pablo Neira Ayuso]

On Tue, Mar 15, 2016 at 04:21:38PM +0530, ravin goyal wrote:
> Hi
> 
> Thanks for the reply, I ran same command conntrack -E -o ktimestamp
> and results are same as you have shown
> but when i ran conntrack -E -otimestamp OR conntrack -E
> -otimestamp,extended , start and stop timestamp are missing in the
> output.

-o timestamp displays the timestamp at the beginning of the line:

[1458039983.184296]      [UPDATE] udp      17 180 src=10.10.10.132 dst=8.8.8.8 sport=36310 dport=53 ...
[1458040055.867546]     [DESTROY] udp      17 ... delta-time=180

and the delta-time when the entry is destroyed.

> Can you please explain how -o ktimestamp and -otimestamp,extended
> differ in output ??

-o ktimestamp relies on the in-kernel timestamp when you search for
   more precision.
-o timestamp is a userspace timestamp.

The 'extended' options, from manpage says:

        conntrack -L -o extended
        Show the connection tracking table in /proc/net/nf_conntrack format

This basically appends the layer 3 protocol at the beginning of the
line.

Please, send me patches to update conntrack(8) manpage if you believe
this information is not available there. Thanks.