Match by how many bytes or packets a connection (or one of the two
flows constituting the connection) has transferred so far, or by
average bytes per packet.
.PP
The counters are 64-bit and are thus not expected to overflow ;)
.PP
The primary use is to detect long-lived downloads and mark them to be
scheduled using a lower priority band in traffic control.
.PP
The transferred bytes per connection can also be viewed through
`conntrack \-L` and accessed via ctnetlink.
.PP
NOTE that for connections which have no accounting information, the match will
always return false. The "net.netfilter.nf_conntrack_acct" sysctl flag controls
whether \fBnew\fP connections will be byte/packet counted. Existing connection
flows will not gain or lose the accounting structure when the sysctl flag
is flipped.
.TP
[\fB!\fP] \fB\-\-connbytes\fP \fIfrom\fP[\fB:\fP\fIto\fP]
match packets from a connection whose packets/bytes/average packet
size is more than FROM and less than TO bytes/packets. If TO is
omitted, only the FROM check is done. "!" is used to match packets not
falling in the range.
.TP
\fB\-\-connbytes\-dir\fP {\fBoriginal\fP|\fBreply\fP|\fBboth\fP}
which packets to consider
.TP
\fB\-\-connbytes\-mode\fP {\fBpackets\fP|\fBbytes\fP|\fBavgpkt\fP}
whether to check the number of packets, number of bytes transferred or
the average size (in bytes) of all packets received so far. Note that
when "both" is used together with "avgpkt", and data is going (mainly)
only in one direction (for example HTTP), the average packet size will
be about half of the actual data packets.
.TP
Example:
iptables .. \-m connbytes \-\-connbytes 10000:100000 \-\-connbytes\-dir both \-\-connbytes\-mode bytes ...
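.PP
The following Python model is an added illustration, not code from iptables or the kernel; it shows how the value compared against FROM:TO changes with \-\-connbytes\-dir and \-\-connbytes\-mode, including the "avgpkt" with "both" effect and the no-accounting case. The names Flow, measure and connbytes_match and the sample counters are hypothetical, and inclusive bounds and integer division are assumptions of the model.

```python
from typing import NamedTuple

U64_MAX = 2**64 - 1  # counters are 64-bit; stands in for an omitted TO


class Flow(NamedTuple):
    packets: int
    bytes: int


def measure(acct, direction, mode):
    """Value that is compared against FROM:TO for one connection."""
    flows = list(acct.values()) if direction == "both" else [acct[direction]]
    pkts = sum(f.packets for f in flows)
    size = sum(f.bytes for f in flows)
    if mode == "packets":
        return pkts
    if mode == "bytes":
        return size
    return size // pkts if pkts else 0  # avgpkt


def connbytes_match(acct, frm, to=U64_MAX, direction="both",
                    mode="bytes", invert=False):
    # No accounting information (connection created while
    # net.netfilter.nf_conntrack_acct was off): the match is always
    # false. This model reads that literally, so "!" does not flip it.
    if acct is None:
        return False
    in_range = frm <= measure(acct, direction, mode) <= to  # assumed inclusive
    return in_range != invert


# Constructed sample: an HTTP-like download. The reply flow carries
# 1000 full-size data packets, the original flow 1000 small ACKs.
DOWNLOAD = {"original": Flow(1000, 52_000), "reply": Flow(1000, 1_500_000)}
UNACCOUNTED = None  # constructed: a connection without counters

if __name__ == "__main__":
    for d in ("original", "reply", "both"):
        print(d, "avgpkt =", measure(DOWNLOAD, d, "avgpkt"))
    print("10000:100000 both/bytes ->",
          connbytes_match(DOWNLOAD, 10_000, 100_000))
    print("unaccounted, any range ->", connbytes_match(UNACCOUNTED, 0))
```

A rule meant to catch bulk data by packet size therefore behaves differently with "reply" than with "both" on the same connection, and rules relying on connbytes never fire for connections that predate enabling the sysctl.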