conntrack behaviour

On the attached pic, highlighted is the download queue tree for traffic with connection mark 'large'. The window beneath the queue tree window is Connections. As shown, there are no 'large' connections listed, yet the queue is passing >800kbps of traffic.

On the other hand, the Upload side lists 'large' connections just fine (second pic). Is this a bug?

Download:
conntract_blank.png
Upload:
contrack_upload_ok.png

'connection' is bi-directional, so one connection is two flows: upload and download.

A stateful connection for TCP traffic shows, as the src IP address, the IP address of the host that sent the initial SYN. In your case it looks like 18x.x.x.x/8 were the traffic initiators for all connections.

Hey, that's not what I was told :) ...or so I misunderstood... To summarize: mangle rules are not stateful, but conntrack is?
Mangle rules see packets, which can have the source address of either endpoint as they are unidirectional. Connection tracking sees what for TCP is called virtual circuits, which are bidirectional and have the source address of the endpoint that initiated the connection.

Mangle rules can access the state of a connection via the services provided by the connection tracking facility and use the state for a rule decision, but they inherently deal with single packets.

Is there a mangle rule that will tell if src IP was the one that initiated the connection (based on connection tracking)?

To the best of my knowledge there is not. The state information available is the set of possible values for the connection-state parameter:

Interprets the connection tracking analysis data for a particular packet:

  • established - a packet which belongs to an existing connection
  • invalid - a packet which could not be identified for some reason
  • new - a packet which begins a new connection
  • related - a packet which is related to, but not part of, an existing connection, such as ICMP errors or a packet which begins an FTP data connection

What would you use that information for? I’m curious.

You should do it manually. For example, use different connection marks, like 'client-incoming' and 'client-outgoing'.

Do you base who the client is on who sent the SYN packet?

Since connection tracking lists only one side of the connection mark (src-dst), how can I find out what the other side's connection mark is?

Yep, mark the connection with connection-state=new according to src/dst. At this moment you know who initiates the connection.
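As an added illustration of that approach (not the poster's own config, and not from the original thread): RouterOS mangle rules that tag each connection by which side sent the first packet, then derive per-direction packet marks for the queue tree. It assumes a LAN of 192.168.88.0/24 behind an upstream interface named ether1-wan; both are placeholders.

```routeros
/ip firewall mangle
# First packet of a connection whose initiator is a LAN host (it sent the SYN).
# connection-state=new matches only the first packet, so the mark is set once
# and conntrack carries it on both flows (upload and download) of that connection.
add chain=prerouting connection-state=new src-address=192.168.88.0/24 \
    action=mark-connection new-connection-mark=client-outgoing passthrough=yes
# First packet of a connection initiated from the Internet toward a LAN host.
add chain=prerouting connection-state=new dst-address=192.168.88.0/24 \
    action=mark-connection new-connection-mark=client-incoming passthrough=yes

# Mangle sees single packets, so the packet's own direction (interface) is used
# to split each bidirectional connection into its two flows for the queue tree.
add chain=forward connection-mark=client-outgoing out-interface=ether1-wan \
    action=mark-packet new-packet-mark=outgoing-up passthrough=no
add chain=forward connection-mark=client-outgoing in-interface=ether1-wan \
    action=mark-packet new-packet-mark=outgoing-down passthrough=no
add chain=forward connection-mark=client-incoming in-interface=ether1-wan \
    action=mark-packet new-packet-mark=incoming-down passthrough=no
add chain=forward connection-mark=client-incoming out-interface=ether1-wan \
    action=mark-packet new-packet-mark=incoming-up passthrough=no

# Verify from the terminal: each entry is listed once, with src-address being
# the initiator, regardless of which direction currently carries the traffic.
/ip firewall connection print where connection-mark=client-incoming
/ip firewall connection print where connection-mark=client-outgoing
```

The four packet marks can then be attached to separate queue-tree children, one per direction and initiator, rather than trying to infer the initiator from a single queue.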

I still think it's not right that dst-src and src-dst are not both listed under the Connections tab. In addition, how can one explain the pic below: the config is the same as in the above pics, the traffic is based on the 'large' connection mark, yet there are no connections with the 'large' mark listed under Connections at all:
large_empty.png

Have you tried it in the terminal?

Same in the terminal. However, I do sometimes see more entries in the terminal than what's listed under Connections...

It's because WinBox shows only part of the connections (not more than ~2000). The terminal shows much more, but probably not all, either...