LinuxQuestions.org

Linux - Security: iptraf shows many connections not displayed in netstat (https://www.linuxquestions.org/questions/linux-security-4/iptraf-shows-many-connections-not-displayed-in-netstat-4175725512/)

catatung 05-29-2023 06:30 PM

iptraf shows many connections not displayed in netstat
 
Hello,

Recently I fired up iptraf-ng on a Debian 11 machine. I've not used this utility before, however I am familiar with tcpdump.

To my surprise, there were tons of connection data shown from iptraf. At first I was concerned, but netstat shows none of this. It looks like the usual garbage noise you get from a cable modem connection. Port scans, attempted connections to RDP port 3389, etc.

I have my systems locked down with iptables -- generally everything is set to DROP unless I need it. I have a suspicion that iptraf can see traffic that is ultimately dropped by netfilter/iptables, and this is why it's not in netstat but appears in iptraf. I've searched for a while now and cannot find any confirmation about this from someone who would know.

Rather than just go with my suspicion or hunch, does anyone know for fact and/or from experience -- if traffic is ultimately blocked from a firewall and/or iptables, will these connection attempts still be shown by iptraf? I imagine if it is hooked directly to the ethernet interface and not the kernel that it would be able to see such traffic.

I would like to get some opinions and/or knowledge from the community from anyone who would know. Thanks for any insight or help.

astrogeek 05-29-2023 07:17 PM

Welcome to LQ!

For anyone to provide a useful answer we would need to know the iptraf and netstat commands you are using in order to compare what they will show.

In general, netstat is going to show listening applications and established connections (depending on command options) whereas iptraf may show all packets traversing the interface (again depending on command options).

If you are behind a router, which presumably you are, you should not see incoming probes unless you have some ports forwarded - but again depends on your configuration.

catatung 05-30-2023 02:24 AM

Hello Astrogeek --

With Netstat I usually use "netstat -atulpn | grep EST" to see established connections and "netstat -atulpn | grep LIST" to see listening ports.

With iptraf-ng, I was using "IP Traffic Monitor -- All Interfaces".

As far as direction is concerned, I need to read up on iptraf in particular to discern the meaning of > vs = in the one column; I presume this specifies direction.

This PC in particular is the router -- the cable modem connects directly to the network interface, which is the reason for my aggressive and limiting iptables policy. It is also the reason why I suspect this traffic is visible to iptraf. I am pretty confident all this noise I am seeing is ultimately blocked, because I have no services even running on, for example, port 3389, and I've checked and that port does not respond. However, I would like to understand iptraf's reach and whether it is able to see blocked traffic, and know this is the case rather than just have convinced myself.

Thanks for your input

callumbryne 05-31-2023 07:39 AM

nice

astrogeek 05-31-2023 12:03 PM

If your PC connects directly to the modem then iptraf can see everything that arrives at the interface, meaning you will see all the probes and mal-packets that pass by.

Your netstat command will show only listeners and established connections. In a simplistic way, the difference between the iptraf output and netstat will be the dropped packets.

You should be able to look at your iptables rules counters to get a sense of what is actually being dropped (or write DROP rules just to get a count).
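As an added illustration of the two points above (netstat only sees sockets, iptraf sees packets on the wire, and the rule counters account for the gap), here is a small script that is not from either poster. It reads the output of `iptables -nvxL INPUT` and reports what the chain is dropping: each explicit DROP rule with its match and hit count, plus the default-policy counter. The sample output embedded below is constructed, not captured from the original poster's router; the interface name enp1s0 and the counts are made up. A DROP rule on port 3389 inserted ahead of the catch-all (e.g. `iptables -I INPUT -p tcp --dport 3389 -j DROP`) gives the per-port count that astrogeek suggests.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvxL INPUT` output (not from the poster's
# machine; interface name and counts are invented for this example).
# -x prints exact packet counts instead of K/M-suffixed ones, so they can be summed.
SAMPLE_IPTABLES_OUTPUT='Chain INPUT (policy DROP 48213 packets, 2893140 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  120034   9831232 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 8834120 6923301122 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1372     65856 DROP       tcp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3389
      41      1968 DROP       tcp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
       0         0 DROP       udp  --  enp1s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:161'

# Summarise what a chain drops. Reads `iptables -nvxL <chain>` output on stdin and
# prints one line per explicit DROP rule (protocol, match, packets), the chain's
# default-policy drop counter, and the total of both.
drop_summary() {
    awk '
        /^Chain / && /policy DROP/ {
            # "Chain INPUT (policy DROP 48213 packets, 2893140 bytes)" -> "48213"
            sub(/.*policy DROP /, ""); sub(/ packets.*/, "")
            policy = $0
            next
        }
        $3 == "DROP" {
            # Columns: pkts bytes target prot opt in out source destination [match...]
            spec = ""
            for (i = 10; i <= NF; i++) spec = spec (i > 10 ? " " : "") $i
            if (spec == "") spec = "(any)"
            printf "rule %s %s: %s packets\n", $4, spec, $1
            total += $1
        }
        END {
            printf "policy DROP: %s packets\n", policy + 0
            printf "total dropped: %s packets\n", total + policy
        }
    '
}

# Hit count of the DROP rule(s) matching one destination port, e.g. `port_hits 3389`.
# Reads the same iptables output on stdin.
port_hits() {
    awk -v want="dpt:$1" '
        $3 == "DROP" { for (i = 10; i <= NF; i++) if ($i == want) print $1 }
    '
}

# Demo on the constructed sample; on a real box use:  iptables -nvxL INPUT | drop_summary
printf '%s\n' "$SAMPLE_IPTABLES_OUTPUT" | drop_summary
```

Counters only accumulate after a rule is added, so on a live system insert the per-port DROP rule, wait a while, and then compare `port_hits 3389` against what iptraf showed for that port over the same window. The policy counter is everything that fell through to the default DROP; the per-rule lines let you tell which probes the rules catch explicitly.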

