LinuxCommandLibrary

conntrack

Track network connections

TLDR

List all currently tracked connections

$ conntrack [[-L|--dump]]

Display a real-time event log of connection changes

$ conntrack [[-E|--event]]

Display a real-time event log of connection changes and associated timestamps

$ conntrack [[-E|--event]] [[-o|--output]] timestamp

Display a real-time event log of connection changes for a specific IP address

$ conntrack [[-E|--event]] [[-s|--orig-src]] [ip_address]

Delete all flows for a specific source IP address

$ conntrack [[-D|--delete]] [[-s|--orig-src]] [ip_address]

SYNOPSIS

conntrack [-h] [-V] [-c] [-L[=table]] [-D[=table][match]] [-F[=table]] [-A|-U|-I orig|reply] [-E] [options...]

PARAMETERS

-h, --help
    Print help information

-V, --version
    Print version information

-c, --count
    Count all entries in table(s)

-L, --list [=table]
    List current entries (default: all tables)

-D, --delete [=table] [match]
    Delete matching entries (default: all)

-F, --flush [=table]
    Flush all entries in table(s)

-A, --add orig|reply
    Add/update connection entry

-U, --update orig|reply
    Update existing connection entry

-I, --create orig|reply
    Create new connection entry

-E, --event
    Monitor connection tracking events

-o, --output fmt
    Output format (xml,json,help)

-f, --family family
    Protocol family (ip,ipv4,ipv6,inet,bridge)

-i, --in ifname
    Input interface name

-o, --out ifname
    Output interface name

-p, --proto proto
    Protocol (tcp,udp,icmp,...)

-s, --src [port]/mask
    Source IP address and optional port

--sport portrange
    Source port range

-d, --dst [port]/mask
    Destination IP address and optional port

--dport portrange
    Destination port range

--src-nat ip[:port]
    SNAT IP and port

--dst-nat ip[:port]
    DNAT IP and port

--tcp-flags mask,comp
    TCP flags to match

--icmp-type type
    ICMP type

--icmp-code code
    ICMP code

--mark value[/mask]
    Connection mark

--label label
    Connection label

--helper name
    Helper name

--zone id
    Conntrack zone

--timeout name
    Timeout name

--ctstate state
    Connection state(s)

--status status
    Connection status(es)

--id id
    Conntrack ID

-j, --jump target
    Jump to extension

-g, --group dir
    Grouping direction (src,dst)

--any
    Any tuple position

-n, --netns pid|name
    Network namespace

DESCRIPTION

The conntrack command is a userspace tool from the conntrack-tools package for interacting with the Linux kernel's Netfilter connection tracking (conntrack) subsystem. It can list, count, delete, flush, add, update, create, and monitor the network connections the kernel tracks.

Conntrack maintains per-connection state for TCP, UDP, SCTP, DCCP, ICMP, and other protocols; this state is what stateful firewalls, NAT, load balancing, and traffic shaping rely on. Each entry records the connection tuple (source/destination IP, ports, protocol), its state (NEW, ESTABLISHED, RELATED, INVALID), timestamps, counters, and marks.

Common uses include troubleshooting connectivity issues (conntrack -L), cleaning up stale entries (conntrack -F), and scripting dynamic rules. It supports IPv4/IPv6, network namespaces, zones, helpers, labels, and expectations. Filters allow precise matching by IP, port, interface, state, and so on. Output formats include plain text, XML, and JSON for machine parsing.

Requires CAP_NET_ADMIN or root. Integrates with iptables/nftables for advanced networking.

CAVEATS

Requires root or CAP_NET_ADMIN. Not available unless the kernel was built with CONFIG_NF_CONNTRACK. Listing or flushing very large tables is expensive. IPv6 support varies by version. Event monitoring (-E) blocks until interrupted with SIGINT.

OUTPUT FORMATS

Use -o for plain (default), xml, json. Example: conntrack -L -o json.

ZONES AND HELPERS

Supports multiple zones (--zone) for VRF isolation. Helpers (--helper) for ALGs like FTP, SIP.

EVENT MONITORING

conntrack -E prints real-time events such as NEW, UPDATE, and DESTROY as entries change. Narrow the stream with the same filter options used for listing (for example -s or -p).
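As an added example (not part of the original page or of conntrack-tools), the script below summarises a `conntrack -E -o timestamp` stream per original source address: how many NEW flows each source opened and how many distinct destination ports it touched, which is a cheap way to spot a host fanning out across services. The event lines are constructed for the example, with RFC 5737 documentation addresses; the field layout assumed is "[timestamp] [TYPE] proto ... src= dst= sport= dport= ...", where the first src=/dport= pair on a line is the original-direction tuple.

```shell
#!/bin/sh
# Summarise NEW conntrack events per original source (added example, not from the page).
# Assumed line layout: "[ts] [TYPE] proto num timeout state src=.. dst=.. sport=.. dport=.. ..."

# Constructed sample of `conntrack -E -o timestamp` output (not captured from a real host).
SAMPLE_EVENTS='[1700000000.100000]     [NEW] tcp      6 120 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40001 dport=22 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40001
[1700000000.200000]     [NEW] tcp      6 120 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40002 dport=23 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=23 dport=40002
[1700000000.300000]     [NEW] tcp      6 120 SYN_SENT src=192.0.2.20 dst=198.51.100.5 sport=50001 dport=443 [UNREPLIED] src=198.51.100.5 dst=192.0.2.20 sport=443 dport=50001
[1700000000.400000]  [UPDATE] tcp      6 432000 ESTABLISHED src=192.0.2.20 dst=198.51.100.5 sport=50001 dport=443 src=198.51.100.5 dst=192.0.2.20 sport=443 dport=50001 [ASSURED]
[1700000000.500000]     [NEW] tcp      6 120 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40003 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=80 dport=40003
[1700000000.600000]     [NEW] tcp      6 120 SYN_SENT src=192.0.2.10 dst=198.51.100.5 sport=40004 dport=443 [UNREPLIED] src=198.51.100.5 dst=192.0.2.10 sport=443 dport=40004
[1700000000.700000]     [NEW] tcp      6 120 SYN_SENT src=192.0.2.20 dst=198.51.100.5 sport=50002 dport=443 [UNREPLIED] src=198.51.100.5 dst=192.0.2.20 sport=443 dport=50002
[1700000000.800000] [DESTROY] tcp      6 src=192.0.2.20 dst=198.51.100.5 sport=50001 dport=443 src=198.51.100.5 dst=192.0.2.20 sport=443 dport=50001 [ASSURED]'

# new_flows_per_src: stdin = event lines; stdout = "src new_flows distinct_dports", busiest first.
new_flows_per_src() {
    awk '
    $2 == "[NEW]" {
        src = ""; dport = ""
        # The first src=/dport= on the line belong to the original-direction tuple.
        for (i = 3; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/)     src = substr($i, 5)
            if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (src == "") next
        flows[src]++
        if (!((src, dport) in seen)) { seen[src, dport] = 1; ports[src]++ }
    }
    END { for (s in flows) printf "%s %d %d\n", s, flows[s], ports[s] }
    ' | sort -k2,2nr -k1,1
}

# sources_fanning_out THRESHOLD: sources whose NEW flows reached at least THRESHOLD distinct dports.
sources_fanning_out() {
    new_flows_per_src | awk -v t="$1" '$3 >= t { print $1 }'
}

# Stand-alone run over the constructed sample. On a real host (root or CAP_NET_ADMIN) feed live
# events instead, bounding the blocking -E with e.g.: timeout 60 conntrack -E -o timestamp
printf '%s\n' "$SAMPLE_EVENTS" | new_flows_per_src
printf '%s\n' "$SAMPLE_EVENTS" | sources_fanning_out 3
```

On the sample, 192.0.2.10 opened four NEW flows to four distinct ports and is the only source reported at threshold 3; 192.0.2.20 opened two flows to a single port and is not.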

HISTORY

Developed as part of Netfilter project; conntrack-tools first released ~2006 (v0.9.0). Evolved with kernel conntrack since 2.4 (2001). Current versions support nftables integration and JSON output.

SEE ALSO

iptables(8), nft(8), ip(8), ss(8), nfct(8)
