Parsing conntrack entries

Parsing conntrack entries

[Dennis Jacobfeuerborn]

Hi,
I'm trying to write a small python script that creates some statistics
from the current conntrack entries of a system. The problem I've run
into is that I cannot find a good description of the output format of
the conntrack tool and while I initially though the format is reasonably
straightforward to deduce I ran into some snags.

The format of a line not only changes with protocol and entry state but
even entries with the same protocol and state seem to have different
formats:

tcp      6 3 CLOSE src=<IP1> dst=<IP2> sport=X dport=Y src=<IP2>
dst=<IP1> sport=Y dport=X mark=0 use=1

vs

tcp      6 3 CLOSE src=<IP1> dst=<IP2> sport=X dport=Y src=<IP2>
dst=<IP1> sport=Y dport=X [ASSURED] mark=0 use=1

Why does one entry contain the [ASSURED] but the other does not?

Also for some connections I see the [ASSURED] near the end of the line
but for others I see an [UNREPLIED] in the *middle* of the line and no
flag near the end of the line.

What is the meaning of the "use" field?

What is the best way to parse this information in a reliable way?

Regards,
  Dennis

Re: Parsing conntrack entries

[Karsten Hohmeier]

Hi Dennis,

> What is the best way to parse this information in a reliable way?

Maybe you could try dumping the table in XML as mentioned by the manpage?

conntrack -L -o xml
    Dump the connection tracking table in XML

Best Regards

Karsten

Re: Parsing conntrack entries

[Stig Thormodsrud]

I wrote this script to parse nat translations, maybe it could be a
starting point.
https://github.com/vyos/vyatta-nat/blob/lithium/scripts/vyatta-nat-translations.pl

On Thu, Jan 1, 2015 at 4:10 PM, Karsten Hohmeier
<karsten.hohmeier@tu-ilmenau.de> wrote:
> Hi Dennis,
>
>> What is the best way to parse this information in a reliable way?
>
> Maybe you could try dumping the table in XML as mentioned by the manpage?
>
> conntrack -L -o xml
>     Dump the connection tracking table in XML
>
> Best Regards
>
> Karsten
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: Parsing conntrack entries

[Hendrik Visage]

On Fri, Jan 2, 2015 at 12:14 AM, Dennis Jacobfeuerborn
<dennisml@conversis.de> wrote:
> Hi,
> I'm trying to write a small python script that creates some statistics
> from the current conntrack entries of a system. The problem I've run
> into is that I cannot find a good description of the output format of
> the conntrack tool and while I initially though the format is reasonably
> straightforward to deduce I ran into some snags.
>
> The format of a line not only changes with protocol and entry state but
> even entries with the same protocol and state seem to have different
> formats:
>
> tcp      6 3 CLOSE src=<IP1> dst=<IP2> sport=X dport=Y src=<IP2>
> dst=<IP1> sport=Y dport=X mark=0 use=1
>
> vs
>
> tcp      6 3 CLOSE src=<IP1> dst=<IP2> sport=X dport=Y src=<IP2>
> dst=<IP1> sport=Y dport=X [ASSURED] mark=0 use=1
>
> Why does one entry contain the [ASSURED] but the other does not?
>
> Also for some connections I see the [ASSURED] near the end of the line
> but for others I see an [UNREPLIED] in the *middle* of the line and no
> flag near the end of the line.

You have had a look at conntrack -E's output to see those transitions
happening in the [UPDATES]s?

>
> What is the meaning of the "use" field?
>
> What is the best way to parse this information in a reliable way?
>
> Regards,
>   Dennis
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html