The following command:
# conntrack -E -o userspace &
# conntrack -F
[DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE]
prints the [USERSPACE] tag at the end of the event, this tells users if this event has been triggered by process, eg. via conntrack command invocation.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 conntrack.8 | 3 ++-
 src/conntrack.c | 19 ++++++++++++++-----
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/conntrack.8 b/conntrack.8
index e069dfe3809e..3c1e960e910e 100644
--- a/conntrack.8
+++ b/conntrack.8
@@ -109,13 +109,14 @@ Show the in-kernel connection tracking system statistics.
 Atomically zero counters after reading them. This option is only valid in combination with the "\-L, \-\-dump" command options.
 .TP
-.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] "
+.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels,userspace] "
 Display output in a certain format. With the extended output option, this tool displays the layer 3 information. With ktimestamp, it displays the in-kernel timestamp available since 2.6.38 (you can enable it via the \fBsysctl(8)\fP key \fBnet.netfilter.nf_conntrack_timestamp\fP). The labels output option tells \fBconntrack\fP to show the names of connection tracking labels that might be present.
+The userspace output options tells if the event has been triggered by a process.
 .TP
 .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]"
 Set the bitmask of events that are to be generated by the in-kernel ctnetlink
diff --git a/src/conntrack.c b/src/conntrack.c
index e3abe9ff698e..daa93dbbdfe2 100644
--- a/src/conntrack.c
+++ b/src/conntrack.c
@@ -854,6 +854,7 @@ enum {
 _O_ID = (1 << 3),
 _O_KTMS = (1 << 4),
 _O_CL = (1 << 5),
+ _O_US = (1 << 6),
 };
 
 enum {
@@ -864,16 +865,16 @@ enum {
 };
 
 static struct parse_parameter {
- const char *parameter[6];
+ const char *parameter[7];
 size_t size;
- unsigned int value[6];
+ unsigned int value[7];
 } parse_array[PARSE_MAX] = {
 { {"ASSURED", "SEEN_REPLY", "UNSET", "FIXED_TIMEOUT", "EXPECTED"}, 5,
 { IPS_ASSURED, IPS_SEEN_REPLY, 0, IPS_FIXED_TIMEOUT, IPS_EXPECTED} },
 { {"ALL", "NEW", "UPDATES", "DESTROY"}, 4,
 { CT_EVENT_F_ALL, CT_EVENT_F_NEW, CT_EVENT_F_UPD, CT_EVENT_F_DEL } },
- { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", }, 6,
- { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_CL },
+ { {"xml", "extended", "timestamp", "id", "ktimestamp", "labels", "userspace" }, 7,
+ { _O_XML, _O_EXT, _O_TMS, _O_ID, _O_KTMS, _O_CL, _O_US },
 },
 };
 
@@ -1427,6 +1428,7 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
 enum nf_conntrack_msg_type type;
 unsigned int op_flags = 0;
 struct nf_conntrack *ct;
+ bool userspace = false;
 char buf[1024];
 
 switch(nlh->nlmsg_type & 0xff) {
@@ -1480,7 +1482,14 @@ static int event_cb(const struct nlmsghdr *nlh, void *data)
 nfct_snprintf_labels(buf, sizeof(buf), ct, type, op_type, op_flags,
 labelmap);
 
- printf("%s\n", buf);
+ if (output_mask & _O_US) {
+ if (nlh->nlmsg_pid)
+ userspace = true;
+ else
+ userspace = false;
+ }
+
+ printf("%s%s\n", buf, userspace ? " [USERSPACE]" : "");
 fflush(stdout);
 
 counter++;
-- 
2.11.0
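Review bot: The bound 7 now has to be kept in sync by hand on three lines of the parse_parameter hunk: `parameter[7]`, `value[7]` and the element count `7` in the output-format row, and nothing in the hunk checks that a row's `size` stays within the array length. A named constant used for both declarations, e.g. `enum { PARSE_PARAM_MAX = 7 };` with `const char *parameter[PARSE_PARAM_MAX];` and `unsigned int value[PARSE_PARAM_MAX];`, would make the next option a one-place change; a comment such as `/* must be >= the longest row's size below */` on the declaration would at least flag the coupling. The new row also writes `"userspace" }` where the other rows have no space before the closing brace.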
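Review bot: `bool userspace = false;` depends on `bool` and `false` already being in scope, and the event_cb declarations hunk does not show the include list; confirm the file already pulls in `<stdbool.h>` (or a header that does), otherwise a strict C build fails on this line, and `unsigned int` in the style of the neighbouring `op_flags` would avoid the question entirely. Because the variable starts as `false`, the later `else userspace = false;` added to this function is redundant. event_cb starts and ends outside this hunk.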
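Review bot: The ` [USERSPACE]` suffix in the new `printf` is appended to `buf` whatever output format was selected, and since `xml` and `userspace` sit in the same parse row they can presumably be combined, so `-o xml,userspace` would print a plain-text tag after each XML record; suppress it when `_O_XML` is set, e.g. `printf("%s%s\n", buf, userspace && !(output_mask & _O_XML) ? " [USERSPACE]" : "");`, or emit it as an XML element. The inner `else userspace = false;` is dead code because `userspace` is initialized to `false` at declaration, and the whole block reduces to `userspace = (output_mask & _O_US) && nlh->nlmsg_pid;`. The reason the pid field is the signal deserves a comment, e.g. `/* nlmsg_pid is the netlink port ID of the socket that caused the change; 0 means the kernel itself, so non-zero marks a userspace-triggered event */`, with the caveat that whether ctnetlink fills it for every event type should be confirmed against the kernel. event_cb starts before this hunk.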