Hello! I'm trying to write a traffic logger in C that can provide accurate/semi-accurate data on the traffic logged by reading conntrack entries in the netfilter subsystem. I'm using libmnl and libnetfilter-conntrack. It works by getting the conntrack entries for a provided IP address and parses them to extract bytes, destinations and timestamps. Here is my current logger: https://pastebin.com/raw/NCCRALb4 I have managed to parse only the entries that I am interested in, but it looks like I'm getting duplicate entries that have different ATTR_IDs in place which makes any results inaccurate. I tried to resolve this by adding the flag IPCTNL_MSG_CT_GET_CTRZERO in the netlink message type. As I understand it, this is supposed to reset the counters to zero after a read. However, I still get what seems to be duplicate entries. How would I get a more accurate picture here? Is there an option that I'm missing. Any help would be appreciated! Thanks Wambui.
