ip_conntrack shows old and closed connections

[Kim84]

Hello.

I am using netstat-nat fairly often for monitoring. As far as I'm aware of, it's a parsing output from the ip_conntrack module (/proc/net/ip_conntrack). After a few days of running, I can see some old connections from computers which are not even online at the time. How can it be? My guess is that it waits for the FIN package and the connections I can see haven't yet sent this one. Am I right about this -- and is there anyway I can fix this?

I am running Gentoo with the gentoo-sources kernel "2.4.26-gentoo-r8".

[befa]

i think the best way to see your ip_conntrack module is to do

[Kim84]

Sure, but I already have 'netstat-nat' for that. I wish to get rid of the connections, which really aren't there anymore (like the ones i've had the last 4 days, which points to a machine which is turned off)

[befa]

in fact i know

[Kim84]

Oh, take a look at the package "net-misc/netstat-nat" then

[befa]

oops sorry...so i post for nothing....excuse me...
_________________
Open Minds! Open Sources! Open Future!
think_tux@jabber.org

[Kim84]

No problems at all

[Kim84]

Noone knows anything about this at all?

[3lithium]

Are those ESTABLISHED tcp connections?

ip_conntrack seems to use a ttl of 5 days (432 000 seconds) for those. I think you have to patch iptables if you need to decrease this timeout. It has never been a problem for me though - I've got a few of them but there's plenty of room left for other connections.

[Kim84]

> Are those ESTABLISHED tcp connections?

Yes they are.

> ip_conntrack seems to use a ttl of 5 days (432 000 seconds) for those. I think you have to patch iptables if you need to decrease this timeout. It has never been a problem for me though - I've got a few of them but there's plenty of room left for other connections.

Okay, 5 days isn't that bad - as long as they have a ttl in the long run. I currently have about 800 of those connections... I could live with that, but is there another way around fixing this, other than using a lower ttl?

[3lithium]

Like you guessed, the connection tracking code is waiting for an indication that the connection has been closed (FIN or RST or whatever). The 5 day ttl is conservative, but it's perfectly possible for a connection to be valid even though no packets have been seen for a couple of days.

If you don't want to lower the timeout you're probably pretty much left with trying to find out why those connections doesn't get closed and doing something about that. If there's a lot of them it might be an indication of a suboptimal configuration elsewhere, or perhaps ill-mannered software being used on the network.

[Kim84]

You got a point there -- and thanks for confirming that my guess right. I think it's most likely to be bad software on the network, but in this position, it's nothing I can do anything about.

I have a minor subquestion for this. Is it possible to tell the tracker that some connections aren't being used?

Thanks a lot for your help so far. I really appreciate it.

[3lithium]

AFAIK there's no way to kill specific tracked connections.

[Kim84]

Okay, thanks a lot for your help