The connection tracking (ct) section provides information about netfilter connection tracking state and tuples.
Fields Connection tracking state of the packet.
Base connection information including original and reply tuples.
Parent connection information for related connections (e.g., FTP data connection).
CtState Connection tracking state values:
"established" - Connection is established"related" - Related to an established connection"new" - New connection"reply" - Reply direction (same as IP_CT_ESTABLISHED_REPLY)"related_reply" - Related connection in reply direction"untracked" - Connection is not tracked
CtConnEvent Conntrack zone ID. Zones provide isolation between different network namespaces or routing domains.
Zone direction:
"original" - Original direction zone"reply" - Reply direction zone"default" - Default zone"none" - No zone Original tuple (initiating direction).
Reply tuple (return direction).
TCP connection state (only for TCP connections). Examples: "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT", "TIME_WAIT", "CLOSE"
Conntrack mark value. Can be set by iptables/nftables rules and used for routing decisions.
Conntrack labels as a 128-bit bitfield. Used to tag connections for policy enforcement.
Connection status bits from ct->status. See enum ip_conntrack_status in kernel headers.
CtTuple Protocol-specific information (TCP, UDP, or ICMP).
CtIp Source IP address (IPv4 or IPv6).
Destination IP address (IPv4 or IPv6).
CtProto Protocol-specific fields (one of):
TCP: UDP: ICMP: State and Status ct_state {STATE} status {status_hex}
TCP/UDP {protocol} ({tcp_state}) orig [{src_ip}.{sport} > {dst_ip}.{dport}] reply [{src_ip}.{sport} > {dst_ip}.{dport}] {zone} mark {mark} labels {labels_hex}
ICMP icmp orig [{src_ip} > {dst_ip} type {type} code {code} id {id}] reply [{src_ip} > {dst_ip} type {type} code {code} id {id}] {zone}
Parent Connection When present, parent connection appears on a new line:
\ parent [{parent_connection_info}]
Example JSON TCP Connection (Established) { "ct" : { "state" : "established" , "base" : { "zone_id" : 0 , "zone_dir" : "none" , "orig" : { "ip" : { "src" : "10.0.1.100" , "dst" : "93.184.216.34" , "version" : "v4" }, "proto" : { "tcp" : { "sport" : 54321 , "dport" : 80 } } }, "reply" : { "ip" : { "src" : "93.184.216.34" , "dst" : "10.0.1.100" , "version" : "v4" }, "proto" : { "tcp" : { "sport" : 80 , "dport" : 54321 } } }, "tcp_state" : "ESTABLISHED" , "mark" : 0 , "ct_status" : 394 }, "parent" : null } }
UDP with Zone { "ct" : { "state" : "new" , "base" : { "zone_id" : 100 , "zone_dir" : "original" , "orig" : { "ip" : { "src" : "10.0.1.100" , "dst" : "8.8.8.8" , "version" : "v4" }, "proto" : { "udp" : { "sport" : 45678 , "dport" : 53 } } }, "reply" : { "ip" : { "src" : "8.8.8.8" , "dst" : "10.0.1.100" , "version" : "v4" }, "proto" : { "udp" : { "sport" : 53 , "dport" : 45678 } } }, "tcp_state" : null , "mark" : 42 , "labels" : "0x0000000000000001" , "ct_status" : 8 }, "parent" : null } }
ICMP Echo { "ct" : { "state" : "new" , "base" : { "zone_id" : 0 , "zone_dir" : "none" , "orig" : { "ip" : { "src" : "10.0.1.100" , "dst" : "1.1.1.1" , "version" : "v4" }, "proto" : { "icmp" : { "type" : 8 , "code" : 0 , "id" : 1234 } } }, "reply" : { "ip" : { "src" : "1.1.1.1" , "dst" : "10.0.1.100" , "version" : "v4" }, "proto" : { "icmp" : { "type" : 0 , "code" : 0 , "id" : 1234 } } }, "tcp_state" : null , "mark" : null , "labels" : null , "ct_status" : 8 }, "parent" : null } }
{ "ct" : { "state" : "related" , "base" : { "zone_id" : 0 , "zone_dir" : "none" , "orig" : { "ip" : { "src" : "10.0.1.100" , "dst" : "93.184.216.34" , "version" : "v4" }, "proto" : { "tcp" : { "sport" : 50000 , "dport" : 20 } } }, "reply" : { "ip" : { "src" : "93.184.216.34" , "dst" : "10.0.1.100" , "version" : "v4" }, "proto" : { "tcp" : { "sport" : 20 , "dport" : 50000 } } }, "tcp_state" : "SYN_SENT" , "mark" : null , "ct_status" : 8 }, "parent" : { "zone_id" : 0 , "zone_dir" : "none" , "orig" : { "ip" : { "src" : "10.0.1.100" , "dst" : "93.184.216.34" , "version" : "v4" }, "proto" : { "tcp" : { "sport" : 54321 , "dport" : 21 } } }, "reply" : { "ip" : { "src" : "93.184.216.34" , "dst" : "10.0.1.100" , "version" : "v4" }, "proto" : { "tcp" : { "sport" : 21 , "dport" : 54321 } } }, "tcp_state" : "ESTABLISHED" , "mark" : null , "ct_status" : 394 } } }
When This Section Appears The ct section is populated when:
The ct collector is enabled (-c ct)
The probe has access to connection tracking information
The packet is being tracked by netfilter conntrack
Connection Status Bits The ct_status field is a bitfield. Common bits (see kernel’s enum ip_conntrack_status):
0x001 (1) - IPS_EXPECTED0x002 (2) - IPS_SEEN_REPLY0x004 (4) - IPS_ASSURED0x008 (8) - IPS_CONFIRMED0x010 (16) - IPS_SRC_NAT0x020 (32) - IPS_DST_NAT0x040 (64) - IPS_SEQ_ADJUST0x080 (128) - IPS_SRC_NAT_DONE0x100 (256) - IPS_DST_NAT_DONE
Conntrack information is only available when netfilter connection tracking is active. This typically requires iptables/nftables rules or NAT to be configured.
