Hello, When comparing the output of /proc/net/ip_conntrack with the "netstat" command, I'm seeing a few established connections in ip_conntrack that are not presented by netstat. These are familiar connections (ssh, imap) to known hosts that could very well have been done by me but not in the last 24 hrs so they should have timed out a long time ago. "ps" shows no such processes running so this immediately raises the suspicion that the machine could be compromised and connections are hidden from netstat and ps. But if this was the case there should be some connections to unknown hosts showing in ip_conntrack as well so I should be able to rule out that possibility (?). Now for my question: Can anyone confirm that ip_conntrack can show "ghost" connections like these?
