Linux Netfilter discussions
* ip_conntrack vs netstat
@ 2003-08-30 12:37 Jonas Lindborg
  2003-09-02 20:04 ` Eric Constantineau
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Jonas Lindborg @ 2003-08-30 12:37 UTC (permalink / raw)
  To: netfilter

Hello,

When comparing the output of /proc/net/ip_conntrack with the "netstat"
command, I'm seeing a few established connections in ip_conntrack that are
not presented by netstat.

These are familiar connections (ssh, imap) to known hosts that could very
well have been done by me but not in the last 24 hrs so they should have
timed out a long time ago.

"ps" shows no such processes running so this immediately raises the
suspicion that the machine could be compromised and connections are hidden
from netstat and ps.
But if this was the case there should be some connections to unknown hosts
showing in ip_conntrack as well so I should be able to rule out that
possibility (?).

Now for my question:
Can anyone confirm that ip_conntrack can show "ghost" connections like
these?



* Re: ip_conntrack vs netstat
  2003-08-30 12:37 ip_conntrack vs netstat Jonas Lindborg
@ 2003-09-02 20:04 ` Eric Constantineau
  2003-09-02 20:19 ` Ralf Spenneberg
  2003-09-02 20:31 ` James Mullens
  2 siblings, 0 replies; 5+ messages in thread
From: Eric Constantineau @ 2003-09-02 20:04 UTC (permalink / raw)
  To: Jonas Lindborg, netfilter

I want to unsubscribe!
Thanks


* Re: ip_conntrack vs netstat
  2003-08-30 12:37 ip_conntrack vs netstat Jonas Lindborg
  2003-09-02 20:04 ` Eric Constantineau
@ 2003-09-02 20:19 ` Ralf Spenneberg
  2003-09-02 20:31 ` James Mullens
  2 siblings, 0 replies; 5+ messages in thread
From: Ralf Spenneberg @ 2003-09-02 20:19 UTC (permalink / raw)
  To: Jonas Lindborg; +Cc: Netfilter

On Sat, 2003-08-30 at 14:37, Jonas Lindborg wrote:
> Hello,
> 
> When comparing the output of /proc/net/ip_conntrack with the "netstat"
> command, I'm seeing a few established connections in ip_conntrack that are
> not presented by netstat.
> 
> These are familiar connections (ssh, imap) to known hosts that could very
> well have been done by me but not in the last 24 hrs so they should have
> timed out a long time ago.
It takes five days for an established TCP connection to time out in the
conntrack table.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org



* RE: ip_conntrack vs netstat
  2003-08-30 12:37 ip_conntrack vs netstat Jonas Lindborg
  2003-09-02 20:04 ` Eric Constantineau
  2003-09-02 20:19 ` Ralf Spenneberg
@ 2003-09-02 20:31 ` James Mullens
  2 siblings, 0 replies; 5+ messages in thread
From: James Mullens @ 2003-09-02 20:31 UTC (permalink / raw)
  To: 'Jonas Lindborg', netfilter


The firewall will keep a TCP link in its connection tables through 5
days of inactivity.  It will close its connection quickly if it sees the
closure handshaking (FIN, ACK) or if a RST is sent.  I think that an ACK
from the public side, followed by a response from the private side, may
also establish a connection unless the "TCP window tracking" patch is
installed.  But this is from memory.

Try this: dump the conntrack table and look at the timeout left (in
seconds, the 2nd number, a large one).  This counts down from 5 days (in
seconds) for established TCP connections.  If the connection is inactive,
the number will be smaller by the period of inactivity.

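As an added example (not code from anyone in this thread): a Python script that does what Ralf's five-day figure and James's "look at the timeout left" suggestion imply, and automates the comparison the original post made by hand. It parses /proc/net/ip_conntrack lines, converts the remaining timeout of each ESTABLISHED TCP entry into an idle time against the five-day default, and lists the entries that have no matching socket on the local host. The conntrack table and the socket list below are constructed samples; the 432000-second default, the host being an endpoint rather than a router, and the sysctl name named in the comment are assumptions about the kernel in question.

```python
"""Cross-check /proc/net/ip_conntrack against the host's own socket table."""
import re

# Default timeout for an ESTABLISHED TCP entry on 2.4/2.6 ip_conntrack:
# five days, as the thread says. Assumption: the kernel is running with
# this default (on 2.6 it is tunable through
# /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established).
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # 432000 seconds

# Constructed sample, not captured from a real host. A line reads:
# "proto protonum timeout [tcp-state] original-tuple [UNREPLIED]
#  reply-tuple [ASSURED] use=N"
SAMPLE_CONNTRACK = """\
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40102 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40102 [ASSURED] use=1
tcp      6 340000 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=40211 dport=143 src=198.51.100.7 dst=192.0.2.10 sport=143 dport=40211 [ASSURED] use=1
tcp      6 119 TIME_WAIT src=192.0.2.10 dst=198.51.100.5 sport=40050 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40050 [ASSURED] use=1
udp      17 29 src=192.0.2.10 dst=192.0.2.1 sport=1025 dport=53 src=192.0.2.1 dst=192.0.2.10 sport=53 dport=1025 use=1
"""

# Constructed: the established sockets "netstat -tn" shows on the same
# host, as (local_ip, local_port, remote_ip, remote_port).
SAMPLE_LOCAL_SOCKETS = {
    ("192.0.2.10", 40102, "198.51.100.5", 22),
}

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def parse_ip_conntrack(text):
    """One dict per entry: proto, TCP state, remaining timeout, flags and
    the original-direction 4-tuple."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        proto, timeout = fields[0], int(fields[2])
        # Only TCP entries carry a state word before the first tuple.
        state = fields[3] if proto == "tcp" else None
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:  # every entry has an original and a reply tuple
            continue
        src, dst, sport, dport = tuples[0]
        entries.append({
            "proto": proto,
            "state": state,
            "timeout": timeout,
            "assured": "[ASSURED]" in fields,
            "unreplied": "[UNREPLIED]" in fields,
            "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
        })
    return entries


def idle_seconds(entry, established_timeout=TCP_ESTABLISHED_TIMEOUT):
    """Seconds since the last packet on an ESTABLISHED entry. The kernel
    resets the countdown to the full timeout on every packet, so the time
    already elapsed is the default minus what is left."""
    return established_timeout - entry["timeout"]


def find_ghosts(conntrack_text, local_sockets,
                established_timeout=TCP_ESTABLISHED_TIMEOUT):
    """ESTABLISHED TCP entries with no matching local socket. An entry
    matches whether this host was the client (original direction equals
    the local tuple) or the server (original direction reversed)."""
    ghosts = []
    for e in parse_ip_conntrack(conntrack_text):
        if e["proto"] != "tcp" or e["state"] != "ESTABLISHED":
            continue
        as_client = (e["src"], e["sport"], e["dst"], e["dport"])
        as_server = (e["dst"], e["dport"], e["src"], e["sport"])
        if as_client in local_sockets or as_server in local_sockets:
            continue
        e["idle_seconds"] = idle_seconds(e, established_timeout)
        ghosts.append(e)
    return ghosts


if __name__ == "__main__":
    for g in find_ghosts(SAMPLE_CONNTRACK, SAMPLE_LOCAL_SOCKETS):
        print("%s:%d -> %s:%d  no local socket, idle %.1f h, expires in %d s"
              % (g["src"], g["sport"], g["dst"], g["dport"],
                 g["idle_seconds"] / 3600.0, g["timeout"]))
```

On a real host, feed it the contents of /proc/net/ip_conntrack and a socket set built from "netstat -tn". The idle figure is only meaningful for ESTABLISHED entries (other TCP states and UDP count down from their own, much shorter, defaults), and the comparison only makes sense on an endpoint: on a router the conntrack table also holds forwarded flows, which never appear in netstat and are not evidence of anything hidden.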

* Re: ip_conntrack vs netstat
@ 2003-09-04 18:07 Kevin Smith
  0 siblings, 0 replies; 5+ messages in thread
From: Kevin Smith @ 2003-09-04 18:07 UTC (permalink / raw)
  To: netfilter

No, we won't let you. So there. 

--

Message: 3
From: "Eric Constantineau" <mekanik@nerim.net>
To: "Jonas Lindborg" <jools@apollo.nu>,
	<netfilter@lists.netfilter.org>
Subject: 
Date: Tue, 2 Sep 2003 22:04:53 +0200

I want to unsubscribe !
thanks


