Posted to alt.internet.wireless,alt.os.linux,sci.electronics.repair
Clément Durand
How to get a list of IP addresses connected to a WISP home broadband router?

Jeff Liebermann wrote, on Mon, 11 Aug 2014 16:19:40 -0700:

> Now, go away so I can get some paying work done.


Thanks for your help. I do appreciate it.
Since the documentation on interpreting the nf_conntrack file
was so dismal, I wrote my own documentation, from many sources.

Here it is, as payback for all the help from others.

Here's my first attempt at an interpretation of a sample line from my nf_conntrack file:

ipv4 2 tcp 6 56808 ESTABLISHED src=72.167.183.54 dst=69.63.240.15 sport=80 dport=49437 [UNREPLIED] src=69.63.240.15 dst=72.167.183.54 sport=49437 dport=80 mark=0 use=2
My interpretation:
An ESTABLISHED TCP connection from source host 72.167.183.54, port 80
To destination host 69.63.240.15, port 49437
From which responses are sent to host 72.167.183.54, port 49437
Timing out in 56808 seconds (i.e., more than 15 hours)
UNREPLIED means traffic hasn't been seen in the response direction yet
In addition, the:
Network layer protocol name is ipv4
Network layer protocol number is 2
Transmission layer protocol name is tcp
Transmission layer protocol number is 6
Seconds until the entry is invalidated is 56808 (i.e., more than 15 hours)


Here is another attempt at interpreting an example from my nf_conntrack log file:

ipv4 2 icmp 1 16 src=142.28.53.15 dst=10.50.0.241 type=8 code=0 id=39196 src=10.50.0.241 dst=142.28.53.15 type=0 code=0 id=39196 mark=0 use=2
My interpretation:
An ICMP echo request packet from source host 142.28.53.15
To destination host 10.50.0.241
With an expected echo reply packet from source host 10.50.0.241
To destination host 142.28.53.15
Timing out in 16 seconds
In addition, the:
Network layer protocol name is ipv4
Network layer protocol number is 2
Transmission layer protocol name is icmp
Transmission layer protocol number is 1
Seconds until the entry is invalidated is 16 seconds


It seems both ip_conntrack & nf_conntrack are similar in format, where nf_conntrack simply has two extra columns at the beginning of each line, so this list below attempts to describe the first six nf_conntrack columns, as I understand them:

1. Network layer protocol name (e.g., ipv4)
2. Network layer protocol number (e.g., 2)
3. Transmission layer protocol name (e.g., tcp)
4. Transmission layer protocol number (e.g., 6)
5. Seconds until the entry is invalidated (e.g., 75114)
6. The connection state (e.g., ESTABLISHED, but this is not always there for all protocols)

It seems that the connection state column can be any of the following:

DCCP

CLOSEREQ
CLOSING
IGNORE
INVALID
NONE
OPEN
PARTOPEN
REQUEST
RESPOND
TIME_WAIT

SCTP

CLOSED
COOKIE_ECHOED
COOKIE_WAIT
ESTABLISHED == many of mine were this
NONE
SHUTDOWN_ACK_SENT
SHUTDOWN_RECD
SHUTDOWN_SENT

TCP

CLOSE
CLOSE_WAIT
ESTABLISHED
FIN_WAIT
LAST_ACK
NONE
SYN_RECV
SYN_SENT
SYN_SENT2
TIME_WAIT == many of mine were this

The rest of the columns are apparently either of the format KEY=VALUE or they represent FLAGs.

KEY=VALUE examples:

src=123.456.789.001
dst=123.456.789.002
sport=80 (tcp & udp only)
dport=54259 (tcp & udp only)
mark=0 (if CONFIG_NF_CONNTRACK_MARK is enabled)
use=2
type=0 (for icmp only)
code=0 (for icmp only)
id=39196 (for icmp only)
bytes (if accounting is enabled)
delta-time (if CONFIG_NF_CONNTRACK_TIMESTAMP is enabled)
packets (if accounting is enabled, request and response)
secctx (if CONFIG_NF_CONNTRACK_SECMARK is enabled)
zone (if CONFIG_NF_CONNTRACK_ZONES is enabled)

Note that the response destination host can differ from the request source host when the request source address has been masqueraded by the response destination host.

FLAG examples:

[ASSURED]: Traffic has been seen in both directions (request & response)
[UNREPLIED]: Traffic has not been seen in the response direction yet
-----
ESTABLISHED (connection state)
TIME_WAIT (connection state)
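The format documented in the post above, turned into a small parser. This is an added example, not code from the post or from any project: it reads the fixed leading columns (layer-3 name and number, layer-4 name and number, timeout, optional state), splits the KEY=VALUE pairs into the request tuple and the reply tuple at the second src=, collects the [ASSURED]/[UNREPLIED] flags and the per-entry keys (mark, use, zone, ...), and also accepts the older ip_conntrack layout that lacks the first two columns. The first two sample lines are the ones quoted in the post; the udp line, the ip_conntrack-style tcp line with accounting counters, the 203.0.113.7 public address and the 10.50.0.0/24 LAN are constructed for the example. The natted check implements the note above about the reply destination differing from the request source under masquerading, and connected_hosts answers the thread's original question (which LAN addresses appear in tracked flows).

```python
# Added example: parser for /proc/net/nf_conntrack and /proc/net/ip_conntrack lines.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Keys that belong to one direction's tuple. Anything else (mark, use, zone,
# secctx, delta-time) describes the entry as a whole.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id", "packets", "bytes"}


@dataclass
class ConntrackEntry:
    l3proto: str           # "ipv4" / "ipv6"
    l3num: int             # 2 / 10
    l4proto: str           # "tcp", "udp", "icmp", ...
    l4num: int             # 6, 17, 1, ...
    timeout: int           # seconds until the kernel drops the entry
    state: Optional[str]   # "ESTABLISHED" etc.; None for udp and icmp
    orig: Dict[str, str] = field(default_factory=dict)   # request direction
    reply: Dict[str, str] = field(default_factory=dict)  # expected reply direction
    flags: List[str] = field(default_factory=list)       # ASSURED / UNREPLIED
    extra: Dict[str, str] = field(default_factory=dict)  # mark=, use=, zone=, ...

    @property
    def assured(self) -> bool:
        return "ASSURED" in self.flags

    @property
    def natted(self) -> bool:
        """Reply goes somewhere other than the original source: the source
        address was masqueraded/SNATed by this box."""
        return self.reply.get("dst") != self.orig.get("src")


def parse_conntrack_line(line: str) -> ConntrackEntry:
    tokens = line.split()
    # nf_conntrack prefixes each line with "ipv4 2" / "ipv6 10"; ip_conntrack does not.
    if tokens[0] in ("ipv4", "ipv6"):
        l3proto, l3num, tokens = tokens[0], int(tokens[1]), tokens[2:]
    else:
        l3proto, l3num = "ipv4", 2      # assumption: ip_conntrack lines are IPv4
    l4proto, l4num, timeout = tokens[0], int(tokens[1]), int(tokens[2])
    tokens = tokens[3:]
    state = None
    # A bare word here (no '=' and not a [FLAG]) is the protocol state column,
    # present for tcp/sctp/dccp but absent for udp and icmp.
    if tokens and "=" not in tokens[0] and not tokens[0].startswith("["):
        state, tokens = tokens[0], tokens[1:]
    entry = ConntrackEntry(l3proto, l3num, l4proto, l4num, timeout, state)
    side, seen_src = entry.orig, False
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.append(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key == "src":
            if seen_src:
                side = entry.reply          # the second src= opens the reply tuple
            seen_src = True
        if key in TUPLE_KEYS:
            side[key] = value
        else:
            entry.extra[key] = value
    return entry


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [parse_conntrack_line(ln) for ln in text.splitlines() if ln.strip()]


def connected_hosts(entries: List[ConntrackEntry], local_net: str) -> List[str]:
    """Addresses inside local_net seen in any role of any tracked flow:
    the 'who is on the LAN side of the router' list the thread was after."""
    net = ipaddress.ip_network(local_net)
    hosts = set()
    for e in entries:
        for addr in (e.orig.get("src"), e.orig.get("dst"),
                     e.reply.get("src"), e.reply.get("dst")):
            if addr and ipaddress.ip_address(addr) in net:
                hosts.add(addr)
    return sorted(hosts, key=ipaddress.ip_address)


# Lines 1-2 are the samples quoted in the post; the udp line and the
# ip_conntrack-style tcp line (with accounting) are constructed for this example.
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 56808 ESTABLISHED src=72.167.183.54 dst=69.63.240.15 sport=80 dport=49437 [UNREPLIED] src=69.63.240.15 dst=72.167.183.54 sport=49437 dport=80 mark=0 use=2
ipv4 2 icmp 1 16 src=142.28.53.15 dst=10.50.0.241 type=8 code=0 id=39196 src=10.50.0.241 dst=142.28.53.15 type=0 code=0 id=39196 mark=0 use=2
ipv4 2 udp 17 29 src=10.50.0.17 dst=8.8.8.8 sport=51234 dport=53 src=8.8.8.8 dst=203.0.113.7 sport=53 dport=51234 [ASSURED] mark=0 use=1
tcp 6 431999 ESTABLISHED src=10.50.0.9 dst=93.184.216.34 sport=40210 dport=443 packets=12 bytes=1900 src=93.184.216.34 dst=10.50.0.9 sport=443 dport=40210 packets=10 bytes=4400 [ASSURED] mark=0 use=1
"""

if __name__ == "__main__":
    entries = parse_conntrack(SAMPLE_CONNTRACK)
    for e in entries:
        print(f"{e.l4proto:<4} {e.state or '-':<12} timeout={e.timeout:<6} "
              f"{e.orig['src']}->{e.orig['dst']} flags={e.flags} nat={e.natted}")
    print("LAN hosts:", connected_hosts(entries, "10.50.0.0/24"))
```

On the router itself the input is simply the file contents (reading /proc/net/nf_conntrack normally needs root), so `parse_conntrack(open("/proc/net/nf_conntrack").read())` replaces the constructed sample. Two things to keep in mind when reading the output: an ESTABLISHED entry that is also [UNREPLIED] (like the first sample) means conntrack picked the flow up mid-stream and has only seen one direction, and the LAN list is only as complete as the table, since hosts with no tracked flow at that moment do not appear.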