netstat and ip_conntrack connection count differ by order of magnitude. Why?

Solution 1:

The conntrack module remembers recent connections for X seconds before they finally expire. This, in my understanding, is because iptables has several other modules that can utilize this information: for example, if you want to ban some IP address if it makes X new connections during some time frame.

netstat, on the other hand, shows real-time information and is not interested in ancient history.

Have you increased the maximum number of entries in the conntrack table? With a recent-ish kernel, what does

sysctl net.ipv4.netfilter.ip_conntrack_max

... or with some older kernel,

sysctl net.ipv4.ip_conntrack_max

return to you? You may raise that value permanently via /etc/sysctl.conf or temporarily (until the next reboot) via sysctl -w net.ipv4.ip_conntrack_max=<value>

Solution 2:

We stumbled across this case when containers (docker) were in use.

Not sure if it helps in your case or not, but it looks like netstat -nat on the host OS will only show connections intended for the host's networking stack, whereas conntrack -L will show information for both the host and all its containers.

If you run netstat -nat from inside the container involved in the connection reported by conntrack -L, you should see the connection information listed there.
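To see both effects from the two answers above (entries lingering until their timeout expires, and flows that belong to containers rather than the host's own stack), it helps to bucket the conntrack table by TCP state and by originating address. The following is an added example, not code from either answer; it parses lines in /proc/net/nf_conntrack format, and the sample lines, the host address 10.0.0.5 and the masqueraded 172.17.0.0/16 docker subnet are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack format (not captured from a real host).
# Assumed layout: 10.0.0.5 is the host; 172.17.x.y are containers masqueraded to 10.0.0.5.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=40001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=10.0.0.5 dst=203.0.113.10 sport=40002 dport=443 src=203.0.113.10 dst=10.0.0.5 sport=443 dport=40002 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 112 TIME_WAIT src=10.0.0.5 dst=203.0.113.11 sport=40003 dport=443 src=203.0.113.11 dst=10.0.0.5 sport=443 dport=40003 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 28 SYN_SENT src=10.0.0.5 dst=203.0.113.12 sport=40004 dport=80 [UNREPLIED] src=203.0.113.12 dst=10.0.0.5 sport=80 dport=40004 mark=0 use=2
ipv4     2 tcp      6 431998 ESTABLISHED src=172.17.0.2 dst=203.0.113.13 sport=50001 dport=443 src=203.0.113.13 dst=10.0.0.5 sport=443 dport=50001 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 60 CLOSE_WAIT src=172.17.0.3 dst=203.0.113.13 sport=50002 dport=443 src=203.0.113.13 dst=10.0.0.5 sport=443 dport=50002 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=53001 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=53001 mark=0 use=2
"""

# family, l3 number, protocol name, protocol number, seconds until the entry expires, rest
HEAD_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\d+\s+(\d+)\s+(.*)$")

def parse_entry(line):
    """Parse one nf_conntrack line into protocol, TCP state, timeout, tuples and a NAT flag."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    proto, timeout, rest = m.groups()
    tokens = rest.split()
    # TCP entries carry their state word before the key=value fields; UDP entries do not.
    state = tokens.pop(0) if proto == "tcp" else None
    srcs = [t[4:] for t in tokens if t.startswith("src=")]  # [original, reply]
    dsts = [t[4:] for t in tokens if t.startswith("dst=")]  # [original, reply]
    return {
        "proto": proto, "state": state, "timeout": int(timeout),
        "orig_src": srcs[0], "orig_dst": dsts[0],
        "assured": "[ASSURED]" in tokens,
        # the reply destination differs from the original source when the flow was SNATed
        "natted": dsts[1] != srcs[0],
    }

def summarize(text, host_addrs):
    """Count entries per state, and split host-originated flows from NATed/other-namespace ones."""
    by_state, origin = Counter(), Counter()
    for line in text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        by_state[e["state"] or e["proto"].upper()] += 1
        origin["host" if e["orig_src"] in host_addrs else "nat/other-netns"] += 1
    return by_state, origin

if __name__ == "__main__":
    states, origin = summarize(SAMPLE, {"10.0.0.5"})
    print("per state:", dict(states))
    print("per origin:", dict(origin))
```

On a real host, feed it the contents of /proc/net/nf_conntrack (or conntrack -L output in the same format) and the host's own addresses; the TIME_WAIT and CLOSE_WAIT buckets and the nat/other-netns bucket are the entries netstat on the host will not account for.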