
How to use the ss command of Linux

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to use the Linux ss command.

ss stands for Socket Statistics. As the name implies, the ss command reports socket statistics and displays information similar to netstat. Its advantage is that it shows more detailed information about TCP and connection state, and it is faster and more efficient than netstat.

Syntax: ss [options] [FILTER]

Examples

1. List established connections

By default, if we run the ss command without specifying other options, it displays a list of all open non-listening sockets with established connections, such as TCP, UDP or UNIX sockets.

    [root@renwolecom ~]# ss | head -n 5
    Netid  State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
    u_str  ESTAB  0      0       * 19098             * 18222
    u_str  ESTAB  0      0       * 19441             * 19440
    u_str  ESTAB  0      0       * 19440             * 19441
    u_str  ESTAB  0      0       * 19396             * 19397

2. Show listening sockets

Instead of listing all sockets, we can use the -l option to list only the sockets that are currently listening for connections.

    [root@renwolecom ~]# ss -lt
    State   Recv-Q Send-Q  Local Address:Port             Peer Address:Port
    LISTEN  0      128     *:http                         *:*
    LISTEN  0      100     127.0.0.1:smtp                 *:*
    LISTEN  0      128     *:entexthigh                   *:*
    LISTEN  0      128     172.28.204.62:zabbix-trapper   *:*
    LISTEN  0      128     127.0.0.1:cslistener           *:*
    LISTEN  0      80      :::mysql                       :::*
    LISTEN  0      100     ::1:smtp                       :::*
    LISTEN  0      128     :::entexthigh                  :::*

In this example, we also use the -t option to list only TCP sockets, which will be explained in more detail later. In later examples, you will see that I combine several options to narrow the output down quickly.

3. Show process

We can print the process name and PID that own each socket with the -p option.

    [root@renwolecom ~]# ss -pl
    Netid  State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
    tcp    LISTEN  0      128     :::http             :::*    users:(("httpd",pid=10522,fd=4),("httpd",pid=10521,fd=4),("httpd",pid=10520,fd=4),("httpd",pid=10519,fd=4),("httpd",pid=10518,fd=4),("httpd",pid=10516,fd=4))

In the above example I show only one result, without any further filtering, because the full output of ss prints more than 500 lines to standard output. Even this single result shows the IDs of the various Apache processes running on the server.

4. Do not resolve service name

By default, ss resolves only port numbers to service names. For example, in the following lines we can see 172.28.204.62:mysql, where mysql is listed as the local port.

    [root@renwolecom ~]# ss
    Netid  State  Recv-Q Send-Q  Local Address:Port           Peer Address:Port
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:mysql   ::ffff:172.28.204.62:38920
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:mysql   ::ffff:172.28.204.62:51598
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:mysql   ::ffff:172.28.204.62:51434
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:mysql   ::ffff:172.28.204.62:36360

However, if we specify the -n option, we will see the port number instead of the service name.

    [root@renwolecom ~]# ss -n
    Netid  State  Recv-Q Send-Q  Local Address:Port          Peer Address:Port
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:3306   ::ffff:172.28.204.62:38920
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:3306   ::ffff:172.28.204.62:51598
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:3306   ::ffff:172.28.204.62:51434
    tcp    ESTAB  0      0       ::ffff:172.28.204.62:3306   ::ffff:172.28.204.62:36360

3306 is now displayed instead of mysql because all name resolution for hostnames and ports is disabled. In addition, you can check /etc/services to get a list of ports for all services.
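The -l, -t, -n and -p options shown so far combine into a quick exposure check. The following is an added example, not part of the original article: it reads `ss -ltnp` output and lists every listener bound to a non-loopback address. The function names and the sample input are constructed for illustration; process names only appear for all sockets when ss is run as root.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from other hosts.
# Reads `ss -ltnp` output on stdin and prints "port address owner" for
# every LISTEN socket whose local address is not loopback.
exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        laddr = $4
        # The port follows the last colon; the rest is the address.
        port = laddr; sub(/^.*:/, "", port)
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        gsub(/\[|\]/, "", addr)   # newer ss prints IPv6 as [::1]
        sub(/%.*$/, "", addr)     # drop an interface suffix such as %lo
        if (addr ~ /^(::ffff:)?127\./ || addr == "::1") next
        owner = ($6 == "") ? "-" : $6   # users:(...) is present only with -p
        print port, addr, owner
    }' | sort -n
}

# Constructed sample in the layout of the outputs above (old ":::port"
# IPv6 style plus one row in the newer "[::]:port" style).
sample_ss_ltnp() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    *:80                 *:*      users:(("httpd",pid=10522,fd=4))
LISTEN 0      100    127.0.0.1:25         *:*
LISTEN 0      128    172.28.204.62:10051  *:*
LISTEN 0      128    127.0.0.1:9000       *:*
LISTEN 0      80     :::3306              :::*
LISTEN 0      100    ::1:25               :::*
LISTEN 0      128    [::]:22              [::]:*
EOF
}

# On a live host: ss -ltnp | exposed_listeners
sample_ss_ltnp | exposed_listeners
```

Addresses printed as `*` or `::` are wildcard binds, so those services accept connections on every interface.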

5. Resolve numeric address / port

The IP address and port number can be resolved with the -r option. Use this method to list the hostname of the 172.28.204.62 server.

    [root@renwolecom ~]# ss -r
    Netid  State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
    tcp    ESTAB  0      0       renwolecom:mysql    renwolecom:48134

6. IPv4 socket

We can use the -4 option to display only the information corresponding to IPv4 sockets. In the following example, we also use the -l option to list everything that is listening on an IPv4 address.

    [root@renwolecom ~]# ss -l4
    Netid  State   Recv-Q Send-Q  Local Address:Port             Peer Address:Port
    tcp    LISTEN  0      128     *:http                         *:*
    tcp    LISTEN  0      100     127.0.0.1:smtp                 *:*
    tcp    LISTEN  0      128     *:entexthigh                   *:*
    tcp    LISTEN  0      128     172.28.204.62:zabbix-trapper   *:*
    tcp    LISTEN  0      128     127.0.0.1:cslistener           *:*

7. IPv6 socket

Similarly, we can use the -6 option to display only information related to IPv6 sockets. In the following example, we also use the -l option to list everything that is listening on an IPv6 address.

    [root@renwolecom ~]# ss -l6
    Netid  State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
    udp    UNCONN  0      0       :::ipv6-icmp        :::*
    udp    UNCONN  0      0       :::ipv6-icmp        :::*
    udp    UNCONN  0      0       :::21581            :::*
    tcp    LISTEN  0      80      :::mysql            :::*
    tcp    LISTEN  0      100     ::1:smtp            :::*
    tcp    LISTEN  0      128     :::entexthigh       :::*

8. Show only TCP

The -t option displays only TCP sockets. When combined with -l to print only the listening sockets, we can see everything that is listening on TCP.

    [root@renwolecom ~]# ss -lt
    State   Recv-Q Send-Q  Local Address:Port             Peer Address:Port
    LISTEN  0      128     *:http                         *:*
    LISTEN  0      100     127.0.0.1:smtp                 *:*
    LISTEN  0      128     *:entexthigh                   *:*
    LISTEN  0      128     172.28.204.62:zabbix-trapper   *:*
    LISTEN  0      128     127.0.0.1:cslistener           *:*
    LISTEN  0      80      :::mysql                       :::*
    LISTEN  0      100     ::1:smtp                       :::*
    LISTEN  0      128     :::entexthigh                  :::*

9. Show UDP

The -u option can be used to display only UDP sockets. Because UDP is a connectionless protocol, running with only the -u option will not display output; we can combine it with the -a or -l option to view all listening UDP sockets, as shown below:

    [root@renwolecom ~]# ss -ul
    State   Recv-Q Send-Q  Local Address:Port   Peer Address:Port
    UNCONN  0      0       *:sunwebadmins       *:*
    UNCONN  0      0       *:etlservicemgr      *:*
    UNCONN  0      0       *:dynamid            *:*
    UNCONN  0      0       *:9003               *:*
    UNCONN  0      0       *:9004               *:*
    UNCONN  0      0       127.0.0.1:terabase   *:*
    UNCONN  0      0       *:56803              *:*

10. Unix socket

The -x option can be used to display only Unix domain sockets.

    [root@renwolecom ~]# ss -x
    Netid  State  Recv-Q Send-Q  Local Address:Port                            Peer Address:Port
    u_str  ESTAB  0      0       /tmp/zabbix_server_preprocessing.sock 23555   * 21093
    u_str  ESTAB  0      0       /tmp/zabbix_server_ipmi.sock 20155            * 19009
    u_str  ESTAB  0      0       /tmp/zabbix_server_preprocessing.sock 19354   * 22573
    u_str  ESTAB  0      0       /tmp/zabbix_server_preprocessing.sock 21844   * 19375

11. Show all information

The -a option displays all listening and non-listening sockets, which in the case of TCP means established connections. This option is useful in combination with other options, such as adding -a to -u to display all UDP sockets. By default, we don't see much information with the -u option alone.

    [root@renwolecom ~]# ss -u
    Recv-Q Send-Q  Local Address:Port    Peer Address:Port
    0      0       172.28.204.66:36371   8.8.8.8:domain

    [root@renwolecom ~]# ss -ua
    State   Recv-Q Send-Q  Local Address:Port    Peer Address:Port
    UNCONN  0      0       *:sunwebadmins        *:*
    UNCONN  0      0       *:etlservicemgr       *:*
    UNCONN  0      0       *:dynamid             *:*
    UNCONN  0      0       *:9003                *:*
    UNCONN  0      0       *:9004                *:*
    UNCONN  0      0       127.0.0.1:terabase    *:*
    UNCONN  0      0       *:56803               *:*
    ESTAB   0      0       172.28.204.66:36371   8.8.8.8:domain

12. Display socket memory usage

The -m option can be used to display the amount of memory used by each socket.

    [root@renwolecom ~]# ss -ltm
    State   Recv-Q Send-Q  Local Address:Port             Peer Address:Port
    LISTEN  0      128     *:http                         *:*     skmem:(r0,rb87380,t0,tb16384,bl0)
    LISTEN  0      100     127.0.0.1:smtp                 *:*     skmem:(r0,rb87380,t0,tb16384,bl0)
    LISTEN  0      128     *:entexthigh                   *:*     skmem:(r0,rb87380,t0,tb16384,bl0)
    LISTEN  0      128     172.28.204.62:zabbix-trapper   *:*     skmem:(r0,rb87380,t0,tb16384,bl0)
    LISTEN  0      128     127.0.0.1:cslistener           *:*     skmem:(r0,rb87380,t0,tb16384,bl0)
    LISTEN  0      80      :::mysql                       :::*    skmem:(r0,rb87380,t0,tb16384,bl0)
    LISTEN  0      100     ::1:smtp                       :::*    skmem:(r0,rb87380,t0,tb16384,bl0)
    LISTEN  0      128     :::entexthigh                  :::*    skmem:(r0,rb87380,t0,tb16384,bl0)

13. Display TCP internal information

We can use the -i option to request additional internal TCP information.

    [root@renwolecom ~]# ss -lti
    State   Recv-Q Send-Q  Local Address:Port    Peer Address:Port
    LISTEN  0      128     *:chimera-hwm         *:*     bbr cwnd:10
    LISTEN  0      128     *:etlservicemgr       *:*     bbr cwnd:10
    LISTEN  0      128     172.28.204.66:27017   *:*     bbr cwnd:10
    LISTEN  0      128     127.0.0.1:27017       *:*     bbr cwnd:10
    LISTEN  0      128     *:dynamid             *:*     bbr cwnd:10
    LISTEN  0      128     *:9003                *:*     bbr cwnd:10
    LISTEN  0      128     *:9004                *:*     bbr cwnd:10
    LISTEN  0      128     *:http                *:*     bbr cwnd:10
    LISTEN  0      128     *:ssh                 *:*     bbr cwnd:10
    LISTEN  0      100     127.0.0.1:smtp        *:*     bbr cwnd:10
    LISTEN  0      128     *:sunwebadmins        *:*     bbr cwnd:10
    LISTEN  0      128     :::ssh                :::*    bbr cwnd:10

We can see more information for each listening socket. Note: the -i option does not apply to UDP, and if you specify -u instead of -t, this additional information will not be displayed.

14. Display statistics

We can use the -s option to quickly view the statistics.

    [root@renwolecom ~]# ss -s
    Total: 798 (kernel 1122)
    TCP:   192 (estab 99, closed 81, orphaned 0, synrecv 0, timewait 1/0), ports 0

    Transport Total     IP        IPv6
    *         1122      -         -
    RAW       1         0         1
    UDP       0         0         0
    TCP       111       59        52
    INET      112       59        53
    FRAG      0         0         0

This allows us to quickly see the total number of established connections, the count of various types of sockets and the use of IPv4 or IPv6.
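ss -s reports totals only. The following added example (not part of the original article) tallies `ss -tan` output per TCP state and peer address, which shows which remote host accounts for the connections behind those totals. The function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example: per-state, per-peer TCP connection tally.
# Reads `ss -tan` output on stdin and prints "count state peer", with the
# busiest state/peer pairs first. Header and LISTEN rows are skipped
# because they carry no real peer address.
tcp_peers_by_state() {
    awk '
    $1 != "State" && $1 != "LISTEN" && NF >= 5 {
        peer = $5
        sub(/:[^:]*$/, "", peer)    # drop the trailing :port
        gsub(/\[|\]/, "", peer)     # newer ss brackets IPv6 addresses
        sub(/^::ffff:/, "", peer)   # count IPv4-mapped peers as IPv4
        n[$1 " " peer]++
    }
    END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample in the column layout of `ss -tan`.
sample_ss_tan() {
    cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port       Peer Address:Port
LISTEN    0      128    *:22                     *:*
ESTAB     0      52     172.28.204.67:22         123.125.71.38:49518
ESTAB     0      0      172.28.204.67:22         103.240.143.126:55682
TIME-WAIT 0      0      ::ffff:172.28.204.67:80  ::ffff:123.125.71.38:49237
TIME-WAIT 0      0      ::ffff:172.28.204.67:80  ::ffff:123.125.71.38:49262
LAST-ACK  0      1      172.28.204.67:22         103.240.143.126:49603
EOF
}

# On a live host: ss -tan | tcp_peers_by_state | head
sample_ss_tan | tcp_peers_by_state
```

A single peer holding an unusually large count in one state, for example SYN-RECV or ESTAB, is the kind of outlier worth a closer look.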

15. State-based filter

We can specify a socket state and print only the sockets in that state. For example, we can specify established, syn-sent, syn-recv, fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack, listening and closing. The following example shows all established TCP connections. To generate this, I connected to the server via SSH and loaded a web page from Apache. We can then see that the connection to Apache quickly moves to the time-wait state.

    [root@renwolecom ~]# ss -t state established
    Recv-Q Send-Q  Local Address:Port          Peer Address:Port
    0      52      172.28.204.67:ssh           123.125.71.38:49518
    0      0       ::ffff:172.28.204.67:http   ::ffff:123.125.71.38:49237

    [root@renwolecom ~]# ss -t state established
    Recv-Q Send-Q  Local Address:Port          Peer Address:Port
    0      0       172.28.204.67:ssh           103.240.143.126:55682
    0      52      172.28.204.67:ssh           123.125.71.38:49518
    0      0       ::ffff:172.28.204.67:http   ::ffff:123.125.71.38:49262

16. Filter based on port number

We can also filter on port numbers that are less than (lt), greater than (gt), equal to (eq), not equal to (ne), less than or equal to (le), or greater than or equal to (ge) a given value.

For example, the following command displays all listening ports with a port number of 500 or less:

    [root@renwolecom ~]# ss -ltn sport le 500
    State   Recv-Q Send-Q  Local Address:Port  Peer Address:Port
    LISTEN  0      128     *:80                *:*
    LISTEN  0      100     127.0.0.1:25        *:*
    LISTEN  0      100     ::1:25              :::*

For comparison, we can do the opposite and look at all ports greater than 500:

    [root@renwolecom ~]# ss -ltn sport gt 500
    State   Recv-Q Send-Q  Local Address:Port    Peer Address:Port
    LISTEN  0      128     *:12002               *:*
    LISTEN  0      128     172.28.204.62:10051   *:*
    LISTEN  0      128     127.0.0.1:9000        *:*
    LISTEN  0      80      :::3306               :::*
    LISTEN  0      128     :::12002              :::*

We can also filter on the source or destination port. For example, we search for TCP sockets whose source port is SSH:

    [root@renwolecom ~]# ss -t '( sport = :ssh )'
    State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
    ESTAB  0      0       172.28.204.66:ssh   123.125.71.38:50140

17. Show SELinux context

The -Z and -z options can be used to display the SELinux security context of the socket. In the following example, we use the -t and -l options to list the listening TCP sockets, and with the -Z option we can also see the SELinux context.

    [root@renwolecom ~]# ss -tlZ
    State   Recv-Q Send-Q  Local Address:Port     Peer Address:Port
    LISTEN  0      128     *:sunrpc               *:*     users:(("systemd",pid=1,proc_ctx=system_u:system_r:init_t:s0,fd=71))
    LISTEN  0      5       172.28.204.62:domain   *:*     users:(("dnsmasq",pid=1810,proc_ctx=system_u:system_r:dnsmasq_t:s0-s0:c0.c1023,fd=6))
    LISTEN  0      128     *:ssh                  *:*     users:(("sshd",pid=1173,proc_ctx=system_u:system_r:sshd_t:s0-s0:c0.c1023,fd=3))
    LISTEN  0      128     127.0.0.1:ipp          *:*     users:(("cupsd",pid=1145,proc_ctx=system_u:system_r:cupsd_t:s0-s0:c0.c1023,fd=12))
    LISTEN  0      100     127.0.0.1:smtp         *:*     users:(("master",pid=1752,proc_ctx=system_u:system_r:postfix_master_t:s0,fd=13))

18. Show version number

The -v option can be used to display the version information of the ss command; here we can see the version of the iproute package that provides ss.

    [root@renwolecom ~]# ss -v
    ss utility, iproute2-ss130716

19. Show help documentation information

The -h option can be used to display further help on the ss command, or as a quick reference if you need a brief description of some of the most commonly used options. Note that the complete output is not reproduced here.

    [root@renwolecom ~]# ss -h
    Usage: ss [OPTIONS]

20. Display extended information

We can use the -e option to display extended details. As shown below, the extended information is appended to the end of each line.

    [root@renwolecom ~]# ss -lte
    State   Recv-Q Send-Q  Local Address:Port     Peer Address:Port
    LISTEN  0      128     *:sunrpc               *:*     ino:16090 sk:ffff880000100000
    LISTEN  0      5       172.28.204.62:domain   *:*     ino:23750 sk:ffff880073e70f80
    LISTEN  0      128     *:ssh                  *:*     ino:22789 sk:ffff880073e70000
    LISTEN  0      128     127.0.0.1:ipp          *:*     ino:23091 sk:ffff880073e707c0
    LISTEN  0      100     127.0.0.1:smtp         *:*     ino:24659 sk:ffff880000100f80

21. Display timer information

The -o option can be used to display timer information. This information shows us things such as the retransmission timer value, the number of retransmissions that have occurred, and the number of keepalive probes that have been sent.

    [root@renwolecom ~]# ss -to
    State     Recv-Q Send-Q  Local Address:Port  Peer Address:Port
    ESTAB     0      52      172.28.204.67:ssh   123.125.71.38:49518     timer:(on,406ms,0)
    LAST-ACK  0      1       172.28.204.67:ssh   103.240.143.126:49603   timer:(on,246ms,0)

Thank you for reading. That is the content of "how to use the ss command of Linux". After studying this article, you should have a deeper understanding of how to use the ss command; the specific usage still needs to be verified in practice.
