The ss command is used to dump socket statistics on Linux systems. It serves as a replacement for the netstat command and is often used for troubleshooting network issues.
What’s a socket?
To make the best use of the ss command, it's important to understand what a socket is. A socket is a type of pseudo file (i.e., not an actual file) that represents a network connection. A socket identifies both the remote host and the port that it connects to so that data can be sent between the systems. Sockets are similar to pipes except that pipes only facilitate connections between processes on the same system, whereas sockets work on the same or different systems. Unlike pipes, sockets also provide bidirectional communication.
Once a socket is created, communications between the local and a remote host will take the form of network packets.
Using the ss command
With no arguments, ss will list all established (open non-listening) network connections regardless of their status. Here's an example showing just the first few lines of the command's output along with a single line containing IP addresses:
$ ss | head -3; ss | grep 192 | tail -1
Netid State  Recv-Q Send-Q  Local Address:Port   Peer Address:Port          Process
u_str ESTAB  0      0       * 31510              * 31511
u_str ESTAB  0      0       * 30253              * 30254
tcp   ESTAB  0      288     192.168.0.18:ssh     192.168.0.17:activesync
The fields shown in the ss command output above include:
- Netid – The kind of socket – TCP, UDP, u_str (Unix stream), or u_seq (Unix sequence)
- State – The state of the socket – ESTAB (established), UNCONN (unconnected) and LISTEN (listening)
- Recv-Q – The number of received packets in the queue waiting to be read
- Send-Q – The number of packets in the queue waiting to be sent
- Local address:port – Address of the local system and port
- Peer address:port – Address of the remote system and port
The * characters in the above output indicate that the sockets are listening for traffic on all addresses. I included the last line to show a connection between two specific systems – this system and an ssh connection to a local host.
You can expect to see hundreds of lines of output when you use the ss command. To count the socket connections that are established on your system (adding one line for the heading), you can use a command like this:
$ ss | wc -l
622
The command below, which uses awk to look only at the second field in each line of ss output, shows that one socket is unconnected while 620 are established connections. This command is sorting on the content of the “State” field. The second row in the output shown below shows that column heading.
$ ss | awk '{print $2}' | sort | uniq -c
    620 ESTAB
      1 State
      1 UNCONN
Using the ss -a (show all sockets) command will make the ss output display both listening and non-listening sockets. For TCP, “non-listening” means established connections while “listening” means waiting for a connection. The commands below show the difference in the amount of output.
$ ss | wc -l
617
$ ss -a | wc -l
820
For example, the ss -a output is likely to start with output like this:
$ ss -a | head -7
Netid State   Recv-Q Send-Q  Local Address:Port            Peer Address:Port  Process
nl    UNCONN  0      0       rtnl:packagekitd/1032         *
nl    UNCONN  0      0       rtnl:evolution-calen/1685     *
nl    UNCONN  0      0       rtnl:kernel                   *
nl    UNCONN  0      0       rtnl:NetworkManager/772       *
nl    UNCONN  0      0       rtnl:abrt-applet/1863         *
nl    UNCONN  0      0       rtnl:goa-daemon/1653          *
The Netid values include:
- icmp6 — Internet control message protocol
- nl — netlink
- tcp — transmission control protocol (connection-oriented)
- u_dgr — Unix datagram
- udp — user datagram protocol (connectionless)
- u_seq — Unix sequence
- u_str — Unix stream
Socket summaries
To get a summary socket report, use the -s option as shown in the command below.
$ ss -s
Total: 777
TCP:   9 (estab 1, closed 1, orphaned 0, timewait 1)
Transport Total     IP        IPv6
RAW       1         0         1
UDP       10        6         4
TCP       8         5         3
INET      19        11        8
FRAG      0         0         0
Using a script to view ss output
The script below will sort and summarize the content of any field in the ss command output.
If you add -a as an argument (or, in fact, any single argument), the script will summarize the output of the ss -a command rather than the ss command with no options. Pick any field by number to select that column.
#!/bin/bash

# With any argument, summarize "ss -a" output instead of plain "ss"
if [ $# != 0 ]
then
    ss="ss -a"
else
    ss="ss"
fi

echo "What column do you want to see?"
echo 1: Netid
echo 2: State
echo 3: Recv-Q
echo 4: Send-Q
echo 5: Local Address:Port
echo 6: Peer Address:Port
echo 7: Process
echo -n "> "
read number

# tail -n+2 skips the heading line before the chosen field is extracted
case $number in
  1) echo Netid; $ss | tail -n+2 | awk '{print $1}' | sort | uniq -c;;
  2) echo State; $ss | tail -n+2 | awk '{print $2}' | sort | uniq -c;;
  3) echo Recv-Q; $ss | tail -n+2 | awk '{print $3}' | sort | uniq -c;;
  4) echo Send-Q; $ss | tail -n+2 | awk '{print $4}' | sort | uniq -c;;
  5) echo Local Address:Port; $ss | tail -n+2 | awk '{print $5}' | sort | uniq -c;;
  6) echo Peer Address:port; $ss | tail -n+2 | awk '{print $6}' | sort | column;;
  7) echo Process; $ss | tail -n+2 | awk '{print $7}' | sort | uniq -c;;
  *) echo "huh?";;
esac
For example, to view how many times each Netid value appears, you can run the script like this:
$ ss_summary
What column do you want to see?
1: Netid
2: State
3: Recv-Q
4: Send-Q
5: Local Address:Port
6: Peer Address:Port
7: Process
> 1
Netid
      1 icmp6
      1 tcp
     46 u_dgr
      1 udp
    567 u_str
Getting help
Use the ss -h command to get a list of the command's many options with brief descriptions.
$ ss -h
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help          this message
   -V, --version       output version information
   -n, --numeric       don't resolve service names
   -r, --resolve       resolve host names
   -a, --all           display all sockets
   -l, --listening     display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes     show process using socket
   -i, --info          show internal TCP information
       --tipcinfo      show internal tipc socket information
   -s, --summary       show socket usage summary
       --tos           show tos and priority information
       --cgroup        show cgroup information
   -b, --bpf           show bpf filter socket information
   -E, --events        continually display sockets as they are destroyed
   -Z, --context       display process SELinux security contexts
   -z, --contexts      display process and socket SELinux security contexts
   -N, --net           switch to the specified network namespace name
   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet        display PACKET sockets
   -t, --tcp           display only TCP sockets
   -M, --mptcp         display only MPTCP sockets
   -S, --sctp          display only SCTP sockets
   -u, --udp           display only UDP sockets
   -d, --dccp          display only DCCP sockets
   -w, --raw           display only RAW sockets
   -x, --unix          display only Unix domain sockets
       --tipc          display only TIPC sockets
       --vsock         display only vsock sockets
   -f, --family=FAMILY display sockets of type FAMILY
       FAMILY := unix
   -K, --kill          forcibly close sockets, display what was closed
   -H, --no-header     Suppress header line
   -O, --oneline       socket's data printed on a single line
       --inet-sockopt  show various inet socket options
   -A, --query=QUERY, --socket=QUERY
       QUERY := tcp[,QUERY]
   -D, --diag=FILE     Dump raw information about TCP sockets to FILE
   -F, --filter=FILE   read filter information from FILE
       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
       STATE-FILTER := synchronized
         TCP-STATES := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|closed|close-wait|last-ack|listening|closing}
          connected := {established|syn-sent|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
       synchronized := {established|syn-recv|fin-wait-{1,2}|time-wait|close-wait|last-ack|closing}
             bucket := time-wait
                big := {established|syn-sent|fin-wait-{1,2}|closed|close-wait|last-ack|listening|closing}
Note that with the -S option, ss will show SCTP sockets only. With the -a option, ss will display both listening and non-listening sockets of every type. With the -l parameter, ss will display listening sockets (omitted by default). With the -e option, ss will display detailed socket information. These are only a handful of the options available. Check the list above or use the ss -h command to view available options on your Linux host.
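An added example (not from the original article) that combines options from the list above: it reads `ss -H -l -t -u -n` output and reports listening TCP and UDP sockets bound to a wildcard address, which are the ones reachable on every interface. The sample lines are constructed, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: report listening TCP/UDP sockets bound to a wildcard address.
# Expects `ss -H -l -t -u -n` output: -H drops the heading, -n keeps ports
# numeric, and -t -u keeps every line at the same field layout (Unix socket
# lines split address and port into separate fields, as in "* 31510" above).

# Constructed sample input, not captured from a real host.
sample_ss_output() {
cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      511                *:80               *:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      4096           [::1]:631           [::]:*
EOF
}

# Print "netid port" once for each wildcard-bound socket read from stdin.
wildcard_listeners() {
    awk '{
        laddr = $5                              # Local Address:Port field
        port = laddr; sub(/.*:/, "", port)      # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)  # text before the last colon
        # 0.0.0.0 = all IPv4, [::] = all IPv6, * = all addresses
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print $1, port
    }' | sort -u
}

# Run against the live system with --live, otherwise against the sample.
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    ss -H -l -t -u -n | wildcard_listeners
else
    sample_ss_output | wildcard_listeners
fi
```

Loopback-only listeners such as 127.0.0.1:631 and [::1]:631 are left out because they are not reachable from other hosts.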
Wrap-up
The ss command can provide important details on sockets – likely more than some of us imagined were available. Getting used to the command and its wide range of options may take a while, but this level of detail can be essential to understanding how your Linux systems are communicating with each other and with external systems.
Copyright © 2022 IDG Communications, Inc.