RE: Linux - nf_conntrack_count = 30684?


Looks like 192.168.171.100 is trying to find other machines with:
asa-appl-proto     502/tcp      # asa-appl-proto  [Dennis_Dube]
in the same "segment" as itself (maybe it is probing all 192.168.0.0/16) ...

... maybe all you have to do is to go on the machine, find the process that does this and disable/remove it.
(or tweak it to do less of this, if this is something you intended to install and use)




Best regards
André Paulsberg-Csibi
Senior Network Engineer 
Fault Handling
IBM Services AS
andre.paulsberg-csibi@xxxxxxxx
M +47 9070 5988



-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Jens Koehler
Sent: 14. september 2016 14:54
To: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: Linux - nf_conntrack_count = 30684?

On Fri, Sep 9, 2016 at 3:29 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Fri, Sep 09, 2016 at 10:29:33AM +0200, Jens Koehler wrote:
>> A Linux application cyclically reads data from up to 32 servers over
>> TCP. After disconnecting many/all servers, another Linux
>> application could not send data via the network interface by UDP.
>> nf_conntrack_count shows an unexpectedly high value:
>>
>> net.netfilter.nf_conntrack_count = 30684
>>
>> What does the number mean exactly?
>
> This is the number of conntrack entries in the table.
>
>> And what could be the reason for so many open connections if no server
>> is connected?
>
> Do `conntrack -L' or `cat /proc/net/nf_conntrack' show entries?

Yes, 'cat /proc/net/nf_conntrack' shows a huge number of the following entries:
ipv4     2 tcp      6 109 SYN_SENT src=192.168.171.100 dst=192.168.171.160 sport=37660 dport=502 [UNREPLIED] src=192.168.171.160 dst=192.168.171.100 sport=502 dport=37660 mark=0 use=2
ipv4     2 tcp      6 95 SYN_SENT src=192.168.171.100 dst=192.168.171.168 sport=6341 dport=502 [UNREPLIED] src=192.168.171.168 dst=192.168.171.100 sport=502 dport=6341 mark=0 use=2
ipv4     2 tcp      6 105 SYN_SENT src=192.168.171.100 dst=192.168.171.112 sport=50811 dport=502 [UNREPLIED] src=192.168.171.112 dst=192.168.171.100 sport=502 dport=50811 mark=0 use=2
ipv4     2 tcp      6 109 SYN_SENT src=192.168.171.100 dst=192.168.171.111 sport=25782 dport=502 [UNREPLIED] src=192.168.171.111 dst=192.168.171.100 sport=502 dport=25782 mark=0 use=2
ipv4     2 tcp      6 103 SYN_SENT src=192.168.171.100 dst=192.168.171.155 sport=14076 dport=502 [UNREPLIED] src=192.168.171.155 dst=192.168.171.100 sport=502 dport=14076 mark=0 use=2
ipv4     2 tcp      6 95 SYN_SENT src=192.168.171.100 dst=192.168.171.160 sport=34017 dport=502 [UNREPLIED] src=192.168.171.160 dst=192.168.171.100 sport=502 dport=34017 mark=0 use=2
ipv4     2 tcp      6 100 SYN_SENT src=192.168.171.100 dst=192.168.171.105 sport=43547 dport=502 [UNREPLIED] src=192.168.171.105 dst=192.168.171.100 sport=502 dport=43547 mark=0 use=2
ipv4     2 tcp      6 96 SYN_SENT src=192.168.171.100 dst=192.168.171.162 sport=22357 dport=502 [UNREPLIED] src=192.168.171.162 dst=192.168.171.100 sport=502 dport=22357 mark=0 use=2
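An added example, not part of the thread, that does the counting André's reply implies before you go hunting for the process: it parses /proc/net/nf_conntrack lines like the ones quoted above and tallies UNREPLIED SYN_SENT entries per (source address, destination port), so the host that is filling the table and the port it is probing fall out directly. The sample table is constructed from the thread's entries plus one ESTABLISHED and one UDP line to show that those are skipped.

```python
from collections import Counter

# Constructed sample modelled on the /proc/net/nf_conntrack lines quoted in the thread
# (the mail wrapped each entry over several lines; the kernel prints one line per entry).
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 109 SYN_SENT src=192.168.171.100 dst=192.168.171.160 sport=37660 dport=502 [UNREPLIED] src=192.168.171.160 dst=192.168.171.100 sport=502 dport=37660 mark=0 use=2
ipv4     2 tcp      6 95 SYN_SENT src=192.168.171.100 dst=192.168.171.168 sport=6341 dport=502 [UNREPLIED] src=192.168.171.168 dst=192.168.171.100 sport=502 dport=6341 mark=0 use=2
ipv4     2 tcp      6 105 SYN_SENT src=192.168.171.100 dst=192.168.171.112 sport=50811 dport=502 [UNREPLIED] src=192.168.171.112 dst=192.168.171.100 sport=502 dport=50811 mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.171.100 dst=192.168.171.5 sport=40000 dport=22 src=192.168.171.5 dst=192.168.171.100 sport=22 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.171.100 dst=192.168.171.1 sport=5353 dport=5353 [UNREPLIED] src=192.168.171.1 dst=192.168.171.100 sport=5353 dport=5353 mark=0 use=2
"""


def parse_entry(line):
    """Parse one nf_conntrack line into a dict.

    Layout: l3proto l3num l4proto l4num timeout [state] key=value... [FLAG]...
    The state column exists for tcp/sctp/dccp but not for udp. Only the first
    src/dst/sport/dport (the original direction) is kept; the reply tuple is ignored.
    """
    tokens = line.split()
    if len(tokens) < 5:
        return None
    entry = {"l3": tokens[0], "l4": tokens[2], "timeout": int(tokens[4]),
             "state": None, "flags": set()}
    for tok in tokens[5:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].add(tok[1:-1])          # UNREPLIED, ASSURED, ...
        elif "=" in tok:
            key, _, value = tok.partition("=")
            entry.setdefault(key, value)           # keep original-direction value only
        elif entry["state"] is None:
            entry["state"] = tok                   # e.g. SYN_SENT, ESTABLISHED
    return entry


def unreplied_syn_by_source(text):
    """Count UNREPLIED SYN_SENT entries per (src, dport): the signature of one host
    opening many connections that nobody answers, as in the thread."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_entry(line)
        if e and e["l4"] == "tcp" and e["state"] == "SYN_SENT" and "UNREPLIED" in e["flags"]:
            counts[(e["src"], e["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dport), n in unreplied_syn_by_source(SAMPLE_CONNTRACK).most_common():
        print(f"{src} -> port {dport}: {n} unreplied SYN_SENT entries")
```

On a live box, feed it the real table with `unreplied_syn_by_source(open("/proc/net/nf_conntrack").read())`; the top (src, dport) pair is the host and port to look for in `ss -tnp` or similar.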



