From 293e7eff59e0bfc4401d620b6d38e096fc0e3b04 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Wed, 20 Feb 2019 19:41:45 +0100 Subject: conntrack: add -o userspace option to tag user-triggered events The following command: # conntrack -E -o userspace & # conntrack -F [DESTROY] tcp 6 src=122.127.186.172 dst=192.168.10.195 sport=443 dport=48232 packets=56 bytes=5313 src=192.168.10.195 dst=122.127.186.172 sport=48232 dport=443 packets=49 bytes=5174 [ASSURED] [USERSPACE] prints the [USERSPACE] tag at the end of the event, this tells users if this event has been triggered by process, eg. via conntrack command invocation. Signed-off-by: Pablo Neira Ayuso --- conntrack.8 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'conntrack.8') diff --git a/conntrack.8 b/conntrack.8 index e069dfe..3c1e960 100644 --- a/conntrack.8 +++ b/conntrack.8 @@ -109,13 +109,14 @@ Show the in-kernel connection tracking system statistics. Atomically zero counters after reading them. This option is only valid in combination with the "\-L, \-\-dump" command options. .TP -.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels] " +.BI "-o, --output [extended,xml,timestamp,id,ktimestamp,labels,userspace] " Display output in a certain format. With the extended output option, this tool displays the layer 3 information. With ktimestamp, it displays the in-kernel timestamp available since 2.6.38 (you can enable it via the \fBsysctl(8)\fP key \fBnet.netfilter.nf_conntrack_timestamp\fP). The labels output option tells \fBconntrack\fP to show the names of connection tracking labels that might be present. +The userspace output options tells if the event has been triggered by a process. .TP .BI "-e, --event-mask " "[ALL|NEW|UPDATES|DESTROY][,...]" Set the bitmask of events that are to be generated by the in-kernel ctnetlink -- cgit v1.2.3
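Review bot: The sentence added at the end of the -o description, "The userspace output options tells if the event has been triggered by a process.", has a number mismatch and should read "The userspace output option tells ...". It also does not say how the result is displayed or in which mode it applies. The commit message shows a [USERSPACE] tag appended to an event line printed by "conntrack -E -o userspace", so the man page could state that, with -E, an event triggered by a process ends in [USERSPACE]. A reader auditing event output for table flushes or deletions made from userspace would then know what to match on. This view is limited to conntrack.8, so the code that accepts and prints the new option cannot be checked from these lines.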