Mailing List Archive

On Wed, 22 Aug 2007, Cedrix wrote:

> Hi,
>
> this is my first request. I checked google, nf-faqs and conntrack-homepage
> without sufficient results for this problem:
>
> In Short: I need to know when a connection (TCP or UDP) gets closed. I want
> to use conntrack, because I can track UDP more easily.
>
> My thoughts so far: The /proc/net/ip_conntrack reacts very quick when a close
> happens, but it's not conveniant to check in my C/C++ application. So, in
> further reading I 've seen in the source some kind of "event-handling".
> (Listening Event for new connection, etc.)
>
> My question: What's the best method to see if a connection gets closed.
> (Also, connection opened).
>
> Btw: I use iptables -I FORWARD -m -state --NEW -m --LOG -log-prefix "New
> Connection established: " to log established connections, so it would be nice
> (but not necessary) if I can use the LOG for closing-connections, too - OR
> alternatively - use a conntrack-event for detecting NEW connections, too.
>
> Any help or comment is appreciated! Thanks.

Something like nfnetlink & "conntrack -E --event-mask NEW,DESTROY -o timestamp"?:

[1187809641.802599] [DESTROY] udp 17 src=192.168.194.11 dst=192.168.194.255 sport=138 dport=138 packets=1 bytes=233 src=192.168.194.255 dst=192.168.194.11 sport=138 dport=138 packets=0 bytes=0
[1187809641.963684] [DESTROY] tcp 6 src=192.168.50.13 dst=192.168.50.21 sport=40153 dport=80 packets=5 bytes=679 src=192.168.50.21 dst=192.168.50.13 sport=80 dport=40153 packets=3 bytes=1332
[1187809642.134908] [DESTROY] tcp 6 src=192.168.50.13 dst=192.168.50.21 sport=40154 dport=80 packets=5 bytes=519 src=192.168.50.21 dst=192.168.50.13 sport=80 dport=40154 packets=3 bytes=591
[1187809642.192142] [DESTROY] tcp 6 src=192.168.50.13 dst=192.168.50.21 sport=40155 dport=80 packets=5 bytes=515 src=192.168.50.21 dst=192.168.50.13 sport=80 dport=40155 packets=3 bytes=583
[1187809642.254526] [DESTROY] udp 17 src=192.168.148.3 dst=192.168.148.13 sport=36258 dport=137 packets=1 bytes=78 src=192.168.148.13 dst=192.168.148.3 sport=137 dport=36258 packets=1 bytes=90

I'm not sure if it is possible just to grab udp events, if not you can
filter it in an application.

Best regards,

Krzysztof Olêdzki

Hi,

Le mercredi 22 août 2007 à 20:01 +0200, Cedrix a écrit :
> Hi,
>
> this is my first request. I checked google, nf-faqs and conntrack-homepage
> without sufficient results for this problem:
>
> In Short: I need to know when a connection (TCP or UDP) gets closed. I want
> to use conntrack, because I can track UDP more easily.

The result of "conntrack -E -e DESTROY" is what you want. You can thus
look at the code to build what you want.

You can also look at NuFW (http://www.nufw.org/) which handle conntrack
destroy event. The concerned source code is browsable here:
http://software.inl.fr/trac/trac.cgi/browser/mirror/edenwall/nufw/trunk/nufw/src/nufw/conntrack.c

Hope this help,
--
Eric Leblond

>> In Short: I need to know when a connection (TCP or UDP) gets closed. I
>> want
>> to use conntrack, because I can track UDP more easily.
>>
>> Any help or comment is appreciated! Thanks.

>Something like nfnetlink & "conntrack -E --event-mask NEW,DESTROY -o
>timestamp"?:
>
>I'm not sure if it is possible just to grab udp events, if not you can
>filter it in an application.
>

That's perfect! Thanks Krzystof, Thanks Eric!

Cedrix.