
ss (Socket Statistics) is part of the iproute2 package (utilities for controlling TCP/IP networking and traffic). iproute2 is intended to replace an entire suite of standard Unix networking tools (often called "net-tools") that were previously used for configuring network interfaces, routing tables, and managing the ARP table. The ss utility dumps socket statistics; it displays information similar to netstat, and can show more TCP and state information than netstat does.

Besides, the ss command should perform faster, as it gets information directly from kernel space, while netstat reads various /proc files to gather information (this is slow when there are lots of connections to display).

The options used with the ss command are very similar to those of netstat, making it an easy replacement.

Note
On Arch Linux, net-tools has been deprecated since 2011, see this for details.

Syntax and common options

ss is very similar to netstat. By default it shows a list of open non-listening TCP sockets that have an established connection, and you can shape the output with the following options:

-n - Do not try to resolve service names.
-r - Try to resolve numeric address/ports.
-a - Display all sockets.
-l - Display listening sockets.
-p - Show process using socket.
-s - Print summary statistics.
-t - Display only TCP sockets.
-u - Display only UDP sockets.
-d - Display only DCCP sockets.
-w - Display only RAW sockets.
-x - Display only Unix domain sockets.
-f FAMILY - Display sockets of type FAMILY. Currently the following families are supported: unix, inet, inet6, link, netlink.
-A QUERY - List of socket tables to dump, separated by commas. The following identifiers are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram, unix_stream, packet_raw, packet_dgram.

Examples

1. List all connections

$ ss | less

2. Display tcp ports and process/pid

$ ss -natp

3. Show only listening sockets with process/pid

$ ss -nltp

4. Print summary statistics

$ ss -s

5. Display timer information

With the ‘-o’ option, the time information of each connection would be displayed. The timer information tells how long with

$ ss -tn -o
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port 
ESTAB      0      0             192.168.1.2:43839     108.160.162.37:80    
ESTAB      0      0             192.168.1.2:36335     204.144.140.26:80     timer:(keepalive,26sec,0)
ESTAB      0      0             192.168.1.2:33141      83.170.73.249:6667  
ESTAB      0      0             192.168.1.2:58857      74.121.141.84:80     timer:(keepalive,23sec,0)
ESTAB      0      0             192.168.1.2:42794     173.194.40.239:80     timer:(keepalive,32sec,0)

6. Filtering connections by tcp state

ss [ OPTIONS ] [ STATE-FILTER ] [ ADDRESS-FILTER ]

(1) Display all IPv4 TCP sockets that are in the “connected” state.

$ ss -t4 state established
Recv-Q Send-Q         Local Address:Port             Peer Address:Port   
0      0                192.168.1.2:54436          165.193.246.23:https   
0      0                192.168.1.2:43386          173.194.72.125:xmpp-client 
0      0                192.168.1.2:38355           199.59.150.46:https   
0      0                192.168.1.2:56198          108.160.162.37:http

(2) Display sockets with state time-wait

$ ss -t4 state time-wait
Recv-Q Send-Q         Local Address:Port             Peer Address:Port   
0      0                192.168.1.2:42261           199.59.150.39:https   
0      0                  127.0.0.1:43541               127.0.0.1:2633

The state can be any of the following:

1. established
2. syn-sent 
3. syn-recv 
4. fin-wait-1 
5. fin-wait-2 
6. time-wait 
7. closed 
8. close-wait 
9. last-ack 
10. closing 
11. all - All of the above states 
12. connected - All the states except for listen and closed 
13. synchronized - All the connected states except for syn-sent 
14. bucket - Show states, which are maintained as minisockets, i.e. time-wait and syn-recv. 
15. big - Opposite to bucket state.

Note that many states like syn-sent, syn-recv would not show any sockets most of the time, since sockets remain in such states for a very short time. It would be ideal to use the watch command to detect such socket states in real time.

Here is an example

$ watch -n 1 "ss -t4 state syn-sent"

After running the above command, try opening a website in a browser or downloading something from a URL. You should immediately see socket connections appear in the output, but only for a very short while.

Every 1.0s: ss -t4 state syn-sent                   Tue Apr  1 10:07:33 2014

Recv-Q Send-Q           Local Address:Port               Peer Address:Port
0      1                  192.168.1.2:55089            202.79.210.121:https
0      1                  192.168.1.2:33733             203.84.220.80:https

7. Filter connections by address and port number

Apart from tcp socket states, the ss command also supports filtering based on address and port number of the socket. The following examples demonstrate that.

Display all socket connections with source or destination port of ssh.

$ ss -at '( dport = :ssh or sport = :ssh )'
State      Recv-Q Send-Q    Local Address:Port        Peer Address:Port   
LISTEN     0      128                   *:ssh                    *:*       
LISTEN     0      128                  :::ssh                   :::*

Sockets with destination port 443 or 80

$ ss -nt '( dst :443 or dst :80 )'
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port 
ESTAB      0      0             192.168.1.2:58844      199.59.148.82:443   
ESTAB      0      0             192.168.1.2:55320     165.193.246.23:443   
ESTAB      0      0             192.168.1.2:56198     108.160.162.37:80    
ESTAB      0      0             192.168.1.2:54889    192.241.177.148:443   
ESTAB      0      0             192.168.1.2:39893      173.255.230.5:80    

The following syntax would also work

$ ss -nt dst :443 or dst :80

Display All Established HTTP Connections

$ ss -o state established '( dport = :http or sport = :http )'

Matches Remote Address And Port Numbers?

ss dst ADDRESS_PATTERN

(1) Show all ports connected from remote 192.168.1.5

$ ss dst 192.168.1.5

(2) Show all ports connected from remote 192.168.1.5:http port

$ ss dst 192.168.1.5:http
$ ss dst 192.168.1.5:smtp
$ ss dst 192.168.1.5:443

(3) Find connections made by remote 123.1.2.100:http to our local virtual servers

$ ss dst 123.1.2.100:http
State   Recv-Q Send-Q   Local Address:Port    Peer Address:Port   
ESTAB   0      0        75.126.153.206:http   123.1.2.100:35710   
ESTAB   0      0        75.126.153.206:http   123.1.2.100:35758 

Matches Local Address And Port Numbers?

ss src ADDRESS_PATTERN

(1) Show all ports connected to local host

$ ss src localhost

(2) http (80) port only

$ ss src localhost:80

or

$ ss src localhost:http

More examples

# Filter by address
$ ss -nt dst 74.125.236.178

# CIDR notation is also supported
$ ss -nt dst 74.125.236.178/16

# Address and Port combined
$ ss -nt dst 74.125.236.178:80

Ports can also be filtered with dport/sport options. Port numbers must be prefixed with a “:”.

$ ss -nt dport = :80
State      Recv-Q Send-Q      Local Address:Port        Peer Address:Port 
ESTAB      0      0             192.168.1.2:56198     108.160.162.37:80    
ESTAB      0      0             192.168.1.2:39893      173.255.230.5:80    
ESTAB      0      0             192.168.1.2:55043     74.125.236.178:80

The above is the same as

$ ss -nt dst :80

Some more examples of filtering

# source address is 127.0.0.1 and source port is greater than 5000
$ ss -nt src 127.0.0.1 sport gt :5000

# local smtp (port 25) sockets
$ sudo ss -ntlp sport eq :smtp

# port numbers greater than 1024
$ sudo ss -nt sport gt :1024

# sockets with remote ports less than 100
$ sudo ss -nt dport \< :100

# connections to remote port 80
$ sudo ss -nt state connected dport = :80

The following operators are supported when comparing port numbers

<= or le : Less than or equal to port
>= or ge : Greater than or equal to port
== or eq : Equal to port
!= or ne : Not equal to port
< or lt : Less than port
> or gt : Greater than port
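
The listening-socket listing from example 3 can be turned into a repeatable exposure check. The script below is an added example, not part of the original article: it reads ss -nltp output and reports TCP listeners bound to non-loopback addresses whose ports are not on an allowlist. The function names, the allowlist and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag TCP listeners reachable from other hosts whose port is
# not on an allowlist, using the ss -nltp output format.

# Constructed sample of ss -nltp output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128              *:22                *:*      users:(("sshd",pid=812,fd=3))
LISTEN  0      128      127.0.0.1:631               *:*      users:(("cupsd",pid=640,fd=7))
LISTEN  0      80         0.0.0.0:3306              *:*      users:(("mysqld",pid=1033,fd=21))
LISTEN  0      128             :::22               :::*      users:(("sshd",pid=812,fd=4))
LISTEN  0      128          [::1]:6379           [::]:*      users:(("redis-server",pid=977,fd=6))
LISTEN  0      511    192.168.1.2:8080              *:*      users:(("node",pid=2210,fd=18))
EOF
}

# audit_listeners ALLOWED_PORTS: comma-separated allowlist as $1, ss output on
# stdin. Prints "port address process" for each exposed, non-allowlisted listener.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 != "LISTEN" { next }                      # also skips the header line
    {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)      # text before the last colon
        # Loopback binds cannot be reached from other hosts.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        if (port in ok) next
        proc = "unknown"                         # without root, -p may omit the owner
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print port, addr, proc
    }' | sort -u
}

# Run on the sample; on a live host: ss -nltp | audit_listeners "22,443"
sample_ss_output | audit_listeners "22,443"
```

Run as root on a live host so that -p can name processes owned by other users; otherwise the process column falls back to "unknown".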

ss vs netstat speed comparison

Use the time command to run both programs and summarize system resource usage. Type the netstat command as follows:

$ time netstat -at
real    2m52.254s
user    0m0.178s
sys     0m0.170s

Now, try ss:

$ time ss -atr
real    2m11.102s
user    0m0.124s
sys     0m0.068s

Reference
http://www.binarytides.com/linux-ss-command/
https://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/