System Manager's Manual

NAME¶

cttop - display Linux netfilter connection tracking entries

SYNOPSIS¶

cttop [ -bh -d delay -n iterations -g GROUPNAME [ ... ] ]

DESCRIPTION¶

cttop provides a real-time updated list of network connections currently tracked by netfilters connection tracking subsystem. It also has support for sorting and displaying connections in a grouped format. It mimics top(1) in both appearance and user interface.

cttop is Linux/netfilter specific.

OPTIONS¶

The default behaviour of cttop is to obtain the complete list of currently tracked connections using the ctnetlink interface provided by the Linux kernel and display the top entries, sorted by the amount of network traffic.

-b, --batch Starts cttop in 'Batch mode', which could be useful for sending output from cttop to other programs or to a file. In this mode, cttop will not accept input and runs until the iterations limit you've set with the '-n' command-line option or until killed.

-f, --family PROTO: Specify layer three (ipv4, ipv6) protocol to display. Default is to display both ipv4 and ipv6 connections.
-d, --delay DELAY: Change the update interval between screen updates. This also changes the frequency in which cttop will poll the kernel for netfilter counter updates. Fractions are permitted. Defaults to three seconds.
-n, --number NUMBER: Change the number of iterations (screen updates) that cttop should produce before exiting. Default is unlimited.
-g, --group GROUPNAME: Change initial view to aggregated view GROUPNAME.
NONE: This is the default. Individual entries are shown.
SRC: Show all connections originating from the same address as a single entry.
DST: Show all connections going to the same address as a single entry.
DPORT: Show entries that only differ in the source port number, but otherwise share the same addresses, as a single entry.
CTMARK: Show entries that share the same connection tracking mark (ctmark) as a single entry.
list: Display a list of recognized group names.
--ctmark-groupmask MASK: When showing entries grouped by CTMARK, then only consider those bits covered by the bitmask MASK when grouping connections.
--ctmark MARK/MASK: Only display connections matching MARK/MASK.
--filter-expression EXPRESSION: Filter events based on EXPRESSION. Example: --filter-expression ! src 127.0.0.1 To not display entries originating from localhost.
-h, --help: Display a list of options supported by cttop.

INTERACTIVE COMMANDS¶

h: Display interactive help
q: Quit cttop
f: Change displayed information fields/columns
g: Cycle through group views
R: Sort entries reverse, or return to normal sort order
s: Cycle through available sort modes
d: Set Update Interval

SIGNALS¶

cttop quits when receiving any of these signals:

INT: TERM HUP QUIT

AUTHORS¶

Florian Westphal, <fw@strlen.de>

Homepage: http://www.strlen.de/cttop.html

Source file:	cttop.8.en.gz (from cttop 0.3.g26-3.20)
Source last updated:	2020-05-23T14:19:00Z
Converted to HTML:	2024-05-06T00:58:56Z