ss Command Examples In Linux
|
The
Socket Statistics (ss) command is similar to netstat, in that it is used to
display useful network socket information.
“This program is obsolete. Replacement for
netstat is ss
The
ss command syntax that we’ll be using here is shown below, essentially we can
specify optional flags and filters, as we will now discuss.
ss [options] [ FILTER ]
How To Use ss – Command Examples· 1. List Established Connections
By
default if we run the ss command with no further options specified it will
display a list of open non-listening sockets that have established
connections, so for example TCP, UDP or UNIX sockets.
[root@centos7 ~]# ss | head -n 5
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 * 23740 * 23739
u_str ESTAB 0 0 * 23707 * 23706
u_str ESTAB 0 0 * 87021 * 88383
u_str ESTAB 0 0 * 17056 * 17112
In
the above example I have limited the output, on my server I have over 500
lines printed out by running the ss command, so you may wish to pipe it into
something like less to easily read it, or otherwise append additional options
on the end to only show what you’re after.
· 2. Show Listening Sockets
Rather
than listing all sockets, we can use the -l option to specifically list the
sockets that are currently listening for a connection.
[root@centos7 ~]# ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 2 *:kerberos-adm *:*
LISTEN 0 128 *:sunrpc *:*
LISTEN 0 5 *:kpasswd *:*
LISTEN 0 10 192.168.1.14:domain *:*
LISTEN 0 10 127.0.0.1:domain *:*
LISTEN 0 5 192.168.122.1:domain *:*
LISTEN 0 128 *:ssh *:*
In
this example we have also used the -t option to only list TCP, more on this
later. In future examples you will see that we will combine multiple options
like this in order to quickly filter down to what we’re after.
· 3. Show Processes
We
can print out the process or PID number that owns a socket with the -p
option.
[root@centos7 ~]# ss -pl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 128 :::http :::* users:(("httpd",pid=10522,fd=4),("httpd",pid=10521,fd=4),("httpd",pid=10520,fd=4),("httpd",pid=10519,fd=4),("httpd",pid=10518,fd=4),("httpd",pid=10516,fd=4))
In
the above example I have only listed a single result, without any further
options the full output of ss prints out over 500 lines to stdout.
Regardless, we can see the process ID’s of the various Apache processes that
are running on this server.
· 4. Don’t Resolve Service Names
By
default ss will only resolve port numbers as we have previously seen, for
example in the line below we can see 192.168.1.14:ssh where ssh is listed as
the local port.
[root@centos7 ~]# ss
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 64 192.168.1.14:ssh 192.168.1.191:57091
However
if we specify the -n option, this resolution will not take place and we will
instead see the port number rather than the service name.
[root@centos7 ~]# ss -n
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.1.14:22 192.168.1.191:57091
Note
that :22 is now displayed rather than :ssh as we have disabled all name
resolution of hostnames and ports. You can check the /etc/services file to
see a full list of which ports map to which services.
· 5. Resolve Numeric Address/Ports
We
can also do the opposite of this and resolve both the IP address and port
number with the -r option. With this we now see the hostname of the 192.168.1.14
server listed.
[root@centos7 ~]# ss -r
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 64 centos7.example.com:ssh 192.168.1.191:57091
· 6. IPv4 Sockets
We
can use the -4 option to only display information corresponding to IPv4
sockets. In the below example we also make use of the -l option to list
everything listening on an IPv4 address.
[root@centos7 ~]# ss -l4
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:323 *:*
udp UNCONN 0 0 192.168.122.1:domain *:*
udp UNCONN 0 0 *%virbr0:bootps *:*
udp UNCONN 0 0 *:bootpc *:*
tcp LISTEN 0 128 *:sunrpc *:*
tcp LISTEN 0 5 192.168.122.1:domain *:*
tcp LISTEN 0 128 *:ssh *:*
tcp LISTEN 0 128 127.0.0.1:ipp *:*
tcp LISTEN 0 100 127.0.0.1:smtp *:*
· 7. IPv6 Sockets
Likewise,
we can use the -6 option to only display information related to IPv6 sockets.
In the below example we also make use of the -l option to list everything
listening on an IPv6 address.
[root@centos7 ~]# ss -l6
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 :::ipv6-icmp :::*
udp UNCONN 0 0 :::22834 :::*
udp UNCONN 0 0 ::1:323 :::*
tcp LISTEN 0 128 :::sunrpc :::*
tcp LISTEN 0 128 :::http :::*
tcp LISTEN 0 128 :::ssh :::*
tcp LISTEN 0 128 ::1:ipp :::*
tcp LISTEN 0 100 ::1:smtp :::*
· 8. TCP Only
The
-t option can be used to display only TCP sockets. When combined with -l to
only print out listening sockets we can see everything listening on TCP.
[root@centos7 ~]# ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:sunrpc *:*
LISTEN 0 5 192.168.122.1:domain *:*
LISTEN 0 128 *:ssh *:*
LISTEN 0 128 127.0.0.1:ipp *:*
LISTEN 0 100 127.0.0.1:smtp *:*
LISTEN 0 128 :::sunrpc :::*
LISTEN 0 128 :::http :::*
LISTEN 0 128 :::ssh :::*
LISTEN 0 128 ::1:ipp :::*
LISTEN 0 100 ::1:smtp :::*
· 9. UDP Only
The
-u option can be used to display only UDP sockets. As UDP is a
connection-less protocol, simply running with only the -u option will display
no output. We can instead combine this with the -a or -l option to see all
listening UDP sockets, as shown below.
[root@centos7 ~]# ss -ul
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:mdns *:*
UNCONN 0 0 *:kpasswd *:*
UNCONN 0 0 *:839 *:*
UNCONN 0 0 *:36812 *:*
UNCONN 0 0 192.168.122.1:domain *:*
UNCONN 0 0 192.168.1.14:domain *:*
· 10. Unix Sockets
The
-x option can be used to display unix domain sockets only.
[root@centos7 ~]# ss -x
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str ESTAB 0 0 @/tmp/.X11-unix/X0 27818 * 27817
u_str ESTAB 0 0 @/tmp/.X11-unix/X0 26656 * 26655
u_str ESTAB 0 0 * 28344 * 26607
u_str ESTAB 0 0 * 24704 * 24705
u_str ESTAB 0 0 @/tmp/.X11-unix/X0 25195 * 24086
u_str ESTAB 0 0 @/tmp/dbus-CRqRiw6V 28388 * 28693
...
· 11. Display All Information
the
-a option shows all, both listening and non-listening sockets. In the case of
TCP this means established connections. This option is useful for combining
with others, for instance to show all UDP sockets we can add -a, as by
default with just the -u option we don’t see as much information.
[root@centos7 ~]# ss -u
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 192.168.1.14:56658 129.250.35.251:ntp
[root@centos7 ~]# ss -ua
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:mdns *:*
UNCONN 0 0 127.0.0.1:323 *:*
ESTAB 0 0 192.168.1.14:56658 129.250.35.251:ntp
UNCONN 0 0 *:21014 *:*
UNCONN 0 0 *:60009 *:*
UNCONN 0 0 192.168.122.1:domain *:*
UNCONN 0 0 *%virbr0:bootps *:*
UNCONN 0 0 *:bootpc *:*
UNCONN 0 0 ::1:323 :::*
UNCONN 0 0 :::43209 :::*
· 12. Show Socket Memory Usage
The
-m option can be used to display the amount of memory that each socket is
using.
[root@centos7 ~]# ss -ltm
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:sunrpc *:*
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 5 192.168.122.1:domain *:*
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 128 *:ssh *:*
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 128 127.0.0.1:ipp *:*
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
LISTEN 0 100 127.0.0.1:smtp *:*
skmem:(r0,rb87380,t0,tb16384,f0,w0,o0,bl0)
· 13. Show Internal TCP Information
We
can request additional internal TCP information with the -i info option.
[root@centos7 ~]# ss -lti
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:sunrpc *:*
cubic rto:1000 mss:536 cwnd:10 lastsnd:373620 lastrcv:373620 lastack:373620
LISTEN 0 5 192.168.122.1:domain *:*
cubic rto:1000 mss:536 cwnd:10 lastsnd:373620 lastrcv:373620 lastack:373620
LISTEN 0 128 *:ssh *:*
cubic rto:1000 mss:536 cwnd:10 segs_in:2 lastsnd:373620 lastrcv:373620 lastack:373620
LISTEN 0 128 127.0.0.1:ipp *:*
cubic rto:1000 mss:536 cwnd:10 lastsnd:373620 lastrcv:373620 lastack:373620
LISTEN 0 100 127.0.0.1:smtp *:*
cubic rto:1000 mss:536 cwnd:10 lastsnd:373620 lastrcv:373620 lastack:373620
Underneath
each listening socket we can see additional information. Note that the -i
option does not work with UDP, if you instead specify -u instead of -t this
extra information will not be present.
· 14. Show Summary
We
can see a quick overview of the statistics with the -s option.
[root@centos7 ~]# ss -s
Total: 1253 (kernel 1721)
TCP: 13 (estab 1, closed 2, orphaned 0, synrecv 0, timewait 0/0), ports 0
Transport Total IP IPv6
* 1721 - -
RAW 1 0 1
UDP 9 7 2
TCP 11 6 5
INET 21 13 8
FRAG 0 0 0
This
quickly allows us to see things like the total number of established
connections, as well as counts of each type of socket and whether IPv4 or
IPv6 is in use.
· 15. Filter Based On State
We
can specify the state of a socket to only print out sockets in this state.
For example we can specify states including established, syn-sent, syn-recv,
fin-wait-1, fin-wait-2, time-wait, closed, closed-wait, last-ack, listen and
closing. The below example shows all established TCP connections. To generate
this I was connected to the server by SSH and just loaded a web page from
Apache. We can then see that the connections to Apache quickly change to
time-wait.
[root@centos7 ~]# ss -t state established
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 64 192.168.1.14:ssh 192.168.1.191:57091
0 0 ::ffff:192.168.1.14:http ::ffff:192.168.1.191:57373
0 0 ::ffff:192.168.1.14:http ::ffff:192.168.1.191:57372
[root@centos7 ~]# ss -t state time-wait
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 ::ffff:192.168.1.14:http ::ffff:192.168.1.191:57373
0 0 ::ffff:192.168.1.14:http ::ffff:192.168.1.191:57372
· 16. Filter Based On Port Number
Filtering
can also be performed to list all ports that are less than (lt), greater than
(gt), equal to (eq), not equal to (ne), less than or equal to (le), or
greater than or equal to (ge).
For
example, the below command shows all listening ports on port number 500 or
below.
[root@centos7 ~]# ss -ltn sport le 500
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 5 192.168.122.1:53 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
For
comparison we can perform the opposite, and view all ports greater than 500
with ‘gt’
[root@centos7 ~]# ss -ltn sport gt 500
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:631 *:*
LISTEN 0 128 ::1:631 :::*
We
can also filter based on items such as source or destination port, for
example below we search for TCP sockets that have a source port (sport) of
ssh.
[root@centos7 ~]# ss -t '( sport = :ssh )'
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 64 192.168.1.14:ssh 192.168.1.191:57091
· 17. Show SELinux Context
The
-Z and -z options can be used to show the SELinux security context of a
socket. In the example below we also use the -t and -l options to only list
listening TCP sockets, with the -Z option we can also see the SELinux
contexts.
[root@centos7 ~]# ss -tlZ
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:sunrpc *:* users:(("systemd",pid=1,proc_ctx=system_u:system_r:init_t:s0,fd=71))
LISTEN 0 5 192.168.122.1:domain *:* users:(("dnsmasq",pid=1810,proc_ctx=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023,fd=6))
LISTEN 0 128 *:ssh *:* users:(("sshd",pid=1173,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=3))
LISTEN 0 128 127.0.0.1:ipp *:* users:(("cupsd",pid=1145,proc_ctx=system_u:system_r:cupsd_t:s0-s0:c0.c1023,fd=12))
LISTEN 0 100 127.0.0.1:smtp *:* users:(("master",pid=1752,proc_ctx=system_u:system_r:postfix_master_t:s0,fd=13))
· 18. Display Version
The
-v option can be used to display specific version information for the ss
command, in this instance we see the version of the iproute package which
provides ss.
[root@centos7 ~]# ss -v
ss utility, iproute2-ss130716
· 19. Print Help Documentation
The
-h option can be used to display further help regarding the ss command, it’s
good to use as a quick reference if you need a short description on some of
the most commonly used options. Note that the full output here has not been
included for brevity.
[root@centos7 ~]# ss -h
Usage: ss [ OPTIONS ]
· 20. Show Extended Information
We
can use the -e option which shows extended detailed information, as shown
below we can see the extended information appended to the end of each line.
[root@centos7 ~]# ss -lte
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:sunrpc *:* ino:16090 sk:ffff880000100000 <->
LISTEN 0 5 192.168.122.1:domain *:* ino:23750 sk:ffff880073e70f80 <->
LISTEN 0 128 *:ssh *:* ino:22789 sk:ffff880073e70000 <->
LISTEN 0 128 127.0.0.1:ipp *:* ino:23091 sk:ffff880073e707c0 <->
LISTEN 0 100 127.0.0.1:smtp *:* ino:24659 sk:ffff880000100f80 <->
· 21. Show Timer Information
The
-o option can be used to display the timer information. This information
shows us things such as the retransmission timer value, number of
retransmissions that have occurred, and the number of keepalive probes that
have been sent.
[root@centos7 ~]# ss -to
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 64 192.168.1.14:ssh 192.168.1.191:57091 timer:(on,242ms,0)
ESTAB 0 0 ::ffff:192.168.1.14:http ::ffff:192.168.1.191:57295 timer:(keepalive,120min,0)
ESTAB 0 0 ::ffff:192.168.1.14:http ::ffff:192.168.1.191:57296 timer:(keepalive,120min,0)
|
Comments
Post a Comment