https://www.systutorials.com/docs/linux/man/8-conntrack/


conntrack: command line interface for netfilter connection tracking

Command to display conntrack manual in Linux: $ man 8 conntrack

NAME

conntrack - command line interface for netfilter connection tracking

SYNOPSIS

conntrack -L [table] [options] [-z]
conntrack -G [table] parameters
conntrack -D [table] parameters
conntrack -I [table] parameters
conntrack -U [table] parameters
conntrack -E [table] [options]
conntrack -F [table]
conntrack -C [table]
conntrack -S

DESCRIPTION

The conntrack utility provides a full featured userspace interface to the Netfilter connection tracking system that is intended to replace the old /proc/net/ip_conntrack interface. This tool can be used to search, list, inspect and maintain the connection tracking subsystem of the Linux kernel.

Using conntrack, you can dump a list of all (or a filtered selection of) currently tracked connections, delete connections from the state table, and even add new ones.

In addition, you can also monitor connection tracking events, e.g. show an event message (one line) per newly established connection.
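The listing, deletion and event-monitoring operations described above are what an incident responder reaches for when hunting a suspicious flow on a Linux gateway. The following shell example is added here and is not part of the man page or of conntrack-tools: it defines a small filter over the one-line-per-entry format that `conntrack -L` prints, runs it against a constructed sample (not captured from a real host), and shows in comments the real commands you would pipe into it. The function names `flows_in_state` and `count_flows_in_state` and the sample addresses are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of 'conntrack -L' output (invented for this example).
# Each line: proto protonum timeout [tcp-state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] mark use
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=10.0.0.5 sport=51234 dport=22 src=10.0.0.5 dst=192.168.1.10 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=192.168.1.10 dst=10.0.0.9 sport=40001 dport=445 [UNREPLIED] src=10.0.0.9 dst=192.168.1.10 sport=445 dport=40001 mark=0 use=1
udp      17 29 src=192.168.1.10 dst=8.8.8.8 sport=4567 dport=53 src=8.8.8.8 dst=192.168.1.10 sport=53 dport=4567 mark=0 use=1
tcp      6 431000 ESTABLISHED src=10.0.0.77 dst=203.0.113.5 sport=33000 dport=4444 src=203.0.113.5 dst=10.0.0.77 sport=4444 dport=33000 [ASSURED] mark=0 use=1'

# flows_in_state STATE DPORT
# Reads 'conntrack -L' lines on stdin and prints "src -> dst:dport" for every
# TCP entry in STATE whose original-direction dport equals DPORT.
# The first src=/dst=/dport= tokens on a line belong to the original direction;
# the second set is the reply tuple, which is why only the first match is kept.
flows_in_state() {
    awk -v want_state="$1" -v want_port="$2" '
        {
            # Field 4 is the TCP state; UDP and ICMP entries carry no state field.
            if ($1 != "tcp" || $4 != want_state) next
            src = ""; dst = ""; dport = ""
            for (i = 5; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "src"   && src   == "") src   = kv[2]
                if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
                if (kv[1] == "dport" && dport == "") dport = kv[2]
            }
            if (dport == want_port) print src " -> " dst ":" dport
        }'
}

# count_flows_in_state STATE DPORT: number of matching entries (0 if none).
count_flows_in_state() {
    flows_in_state "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone demo on the constructed sample: which host holds an established
# session to port 4444?
printf '%s\n' "$SAMPLE_CONNTRACK" | flows_in_state ESTABLISHED 4444

# On a real host (needs root and the nf_conntrack module loaded) the same
# filter is fed from the tool itself; the flags below are conntrack's own:
#   conntrack -L -p tcp --state ESTABLISHED | flows_in_state ESTABLISHED 4444
#   conntrack -D -p tcp --dport 4444        # delete those entries from the state table
#   conntrack -E -e NEW -p tcp              # one line per new TCP flow as it is created
#   conntrack -L expect                     # inspect helper-created expectations
```

Deleting an entry with `-D` only removes the kernel's record of the flow; the endpoints are not notified, and the next packet of that connection is evaluated as a fresh flow (INVALID or NEW from the firewall's point of view), so pair the deletion with a matching DROP rule if the intent is to cut the session rather than just to forget it.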

TABLES

The connection tracking subsystem maintains several internal tables:

conntrack
    This is the default table. It contains a list of all currently tracked connections through the system. If you don't use connection tracking exemptions (NOTRACK iptables target), this means all connections that go through the system.

expect
    This is the table of expectations. Connection tracking expectations are the mechanism used to "expect" RELATED connections to existing ones. Expectations are generally used by "connection tracking helpers" (sometimes called application level gateways [ALGs]) for more complex protocols such as FTP, SIP or H.323.

dying
    This table shows the conntrack entries that have expired and have been destroyed by the connection tracking system itself, or via the conntrack utility.

unconfirmed
    This table shows new entries that are not yet inserted into the conntrack table. These entries are attached to packets that are traversing the stack, but did not reach the confirmation point at the postrouting hook.

The tables "dying" and "unconfirmed" are basically only useful for debugging purposes. Under normal operation, it is hard to see entries in either of them. There are corner cases where it is valid to see entries in the unconfirmed table, e.g. when packets are enqueued via nfqueue, and in the dying table, e.g. when **conntrackd(8)** runs in event reliable mode.

OPTIONS

The options recognized by conntrack can be divided into several different groups.

COMMANDS

These options specify the particular operation to perform. Only one of them can be specified at any given time.