Hi Mike and Matthew, I just ran the same on my personal router (which is reasonably quiet at the moment). To remove any delays from one command to the next from me I did the following (note the command is all on one line): /ip/firewall/connection/print count-only ; :put [/ip/firewall/connection/tracking/get total-entries] ; /ip/firewall/connection/print count-only ; :put [/ip/firewall/connection/tracking/get total-entries] ; /ip/firewall/connection/print count-only ; :put [/ip/firewall/connection/tracking/get total-entries] 100 132 100 132 100 132 So completely consistent from one iteration to the next and sub-second execution. I haven’t dug into it, but my assumption would be that the total-entries would include connections that are in states such as syn-sent, close-wait, etc. Strictly these aren’t active connections and may not be in the print, but they must be accounted for and therefore may be listed in the total-entries. Now to play devils advocate to myself, I do see 1 close (I assume that’s the same as a standard Linux close-wait) and 1 syn-sent in my list. But… they each only had a timeout of 0s or 1s. And there is absolutely no way there aren’t more in a close-wait state since I ran this a few times a few seconds apart where I saw the total connection count decrease by 10 to 20 and yet there is only one in that close state. I can’t recall the default close-wait time but it’s definitely a lot longer than a second or two. I’d be very interested to know others opinions. Cheers, Andrew
On 5 Oct 2023, at 5:13 pm, Mike Everest <mike@duxtel.com> wrote:
G'day Matthew!
Yes, I think that they are essentially reporting the same metric: being the number of active connection tracking entries in the connection tracking table at time time of running the command.
Keep in mind that connection tracking entries are highly variable, and could easily change by a few hundred connections in just 1 second - so it is unlikely that they will ever be the same even if you run the same command over and over.
But assuming you already know that, I think that the get-total-entries does tend to show a higher number on average, and although I can't tell you exactly WHY, I /suspect/ that it will come down to how the two command work:
'print' command, when you run it just like "/ip firewall connection print" dumps a summary of each active connection to the console - but it takes time to run, so while it is running, some connections may have expired, and some that have started might not get counted in the list (because of the way the list is 'ordered', the way 'print' command works, and probably other factors) So it is not unexpected that the print command will not be an accurate measure of how many entries are there at any given time.
'total-entries', however, is a count register that will be incremented by routerOS each time a connection is added and decremented each time one is expired - when you run the get command, it simply reads the value of that register and displays it to the console. Therefore, it will always be a more accurate measure of the actual number of connections present at the time.
I honestly don't know for certain why the numbers are different, but I feel confident that the latter is the most accurate measure ; )
Cheers!
Mike.
-----Original Message----- From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Matthew Kobayashi Sent: Thursday, 5 October 2023 1:09 PM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] Conntrack count vs. total-entries, different values?
Hi all,
I've come across something in RouterOS that I don't quite understand, and I was hoping someone could shed a little light on what I'm seeing.
The values for the output of the below commands on my router are always quite different (approx. 150-200 apart) and I'm not sure why. As best I can tell from the documentation, these values should be identical (or at least very close), but they never seem to be close to one another. Does anyone know of a reason why they wouldn't be the same? Does total-entries mean something other than the total number of connections currently in the conntrack table?
[matthew@gateway] > /ip/firewall/connection/print count-only 445 [matthew@gateway] > :put [/ip/firewall/connection/tracking/get total-entries] 648
Kind regards, Matthew Kobayashi _______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au