On Monday 2011-05-16 08:43, Andrew Beverley wrote: >> > >> >Yes, it shows the outgoing packets: >> > >> >udp 17 23 src=10.0.10.206 dst=212.110.185.119 sport=35259 dport=53 >> >packets=3 bytes=168 [UNREPLIED] src=212.110.185.119 dst=10.0.10.206 >> >sport=53 dport=35259 packets=0 bytes=0 mark=0 secmark=0 use=2 >> > >> >But it doesn't show the "ICMP port unreachable" packets that are sent in >> >reply. The question is: should it show them? > >Sorry, when I say it doesn't show them, I mean they are not counted. They are: >The ones in this case are coming in as RELATED. >> >> Monitor with conntrack -E for details. >> >conntrack -E -d 212.110.185.119 gives: > > [NEW] udp 17 30 src=10.0.10.206 dst=212.110.185.119 sport=35676 dport=53 [UNREPLIED] src=212.110.185.119 dst=10.0.10.206 sport=53 dport=35676 Since it is a new/related CT (with sport=35676), the packets won't be counted towards the original ct (sport=35259). >[DESTROY] udp 17 src=10.0.10.206 dst=212.110.185.119 sport=35676 dport=53 [UNREPLIED] src=212.110.185.119 dst=10.0.10.206 sport=53 dport=35676 I observe that only UNREPLIED ones carry no counters - and that such is a minority of CT events - probably hinting to nonresponsive servers. >But conntrack -E -s 212.110.185.119 gives nothing No connection was initiated (=packet first seen) from 212.110.185.119. Note that -s filters on an NFCT tuple's address, not packet address. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
