Linux network status tool ss command usage details

The SS command is used to display the socket status It can display PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets and other statistics It displays more tcp and state information than other tools It is a very practical, fast and effective new tool to track IP connections and sockets SS command The following information can be provided:

  • All TCP sockets
  • All UDP sockets
  • All ssh/ftp/ttp/https persistent connections
  • All local processes connected to Xserver
  • Use state (for example: connected, synchronized, SYN-RECV, SYN-SENT,TIME-WAIT), address and port filtering
  • All state FIN-WAIT-1 tcpsocket connections and more

Many popular Linux distributions support ss and many monitoring tools use ss commands Being familiar with this tool will help you better find and solve system performance problems I strongly recommend using ss command to replace some commands of netstat, such as netsat -ant/lnt, etc

Show him to make a comparison and count the number of concurrent connections to the server

# time netstat -ant | grep EST | wc -l
real 0m12.960s
user 0m0.334s
sys 0m12.561s
# time ss -o state established | wc -l
real 0m0.030s
user 0m0.005s
sys 0m0.026s

It is obvious that the efficiency of ss in counting the number of concurrent connections is better than netstat. If ss can handle it, will you still choose netstat or hesitate? Take the following example or jump to the help page

Common ss commands:

  • ss -l displays all ports opened locally
  • ss -pl displays the specific open socket s of each process
  • ss -t -a displays all TCP sockets
  • ss -u -a displays all UDP Socekt
  • SS - O state established '(dport =: SMTP or sport =: SMTP)' displays all established SMTP connections
  • SS - O state established '(dport =: http or sport =: HTTP)' displays all established HTTP connections
  • ss -x src /tmp/. X11 UNIX / * find out all processes connected to the X server
  • ss -s lists the current socket details:

Displays the brief information of sockets, and lists the tcp connections that are currently connected, closed, and waiting

# ss -s
Total: 3519 (kernel 3691)
TCP: 26557 (estab 3163, closed 23182, orphaned 194, synrecv 0, timewait 23182/0), ports 1452
Transport Total IP IPv6
* 3691 - -
RAW 2 2 0
UDP 10 7 3
TCP 3375 3368 7
INET 3387 3377 10
FRAG 0 0 0

List current listening ports

# ss -lRecv-Q Send-Q Local Address:Port Peer Address:Port
0 10 :::5989 :::*
0 5 *:rsync *:*
0 128 :::sunrpc :::*
0 128 *:sunrpc *:*
0 511 *:http *:*
0 128 :::ssh :::*
0 128 *:ssh *:*
0 128 :::35766 :::*
0 128 *:*
0 128 ::1:ipp :::*
0 100 ::1:smtp :::*
0 100 *:*
0 511 *:https *:*
0 100 :::1311 :::*
0 5 *:5666 *:*
0 128 *:3044 *:*

ss lists each process name and the port it listens on

# ss -pl

ss column all tcp sockets

# ss -t -a

ss list all udp sockets

# ss -u -a

ss lists the connections in all http connections

# ss -o state established '( dport = :http or sport = :http )'

The above includes 80 provided externally and 80 accessed externally Use the above command to perfectly replace netstat to obtain the number of http concurrent connections, which is commonly used in monitoring

ss lists which local process is connected to the x server

# ss -x src /tmp/.X11-unix/*

ss lists the http and https connections in FIN-WAIT-1 status

# ss -o state fin-wait-1 '( sport = :http or sport = :https )'

ss common state status:

  • established
  • syn-sent
  • syn-recv
  • fin-wait-1
  • fin-wait-2
  • time-wait
  • closed
  • close-wait
  • last-ack
  • listen
  • closing
  • all : All of the above states
  • connected : All the states except for listen and closed
  • synchronized : All the connected states except for syn-sent
  • bucket : Show states, which are maintained as minisockets, i.e. time-wait and syn-recv.
  • big : Opposite to bucket state.

ss use IP address filtering

  • src: indicates the source
  • ADDRESS_PATTERN: indicates the address rule

As follows:

ss src 
#Connections listed in
# List to,80 Port connection
ss src
ss src

ss using port filtering

  • ss dport OP PORT
  • OP: Yes operator
  • PORT: indicates the PORT
  • dport: indicates the target port for filtering. Conversely, there is sport

OP operators are as follows:

<= or le : Less than or equal to >= or ge : Greater than or equal to
== or eq : be equal to
!= or ne : Not equal to port
< or lt : Less than this port > or gt : Greater than port

OP instance

ss sport = :http It can also be ss sport = :80
ss dport = :http
ss dport > :1024
ss sport > :1024
ss sport < :32000
ss sport eq :22
ss dport != :22
ss state connected sport = :http
ss ( sport = :http or sport = :https )
ss -o state fin-wait-1 ( sport = :http or sport = :https ) dst 192.168.1/24

Why ss is faster than netstat:

Netstat traverses each PID directory under / proc, and ss directly reads the statistics under / proc/net. Therefore, ss consumes much less resources and time than netstat

ss command help

# ss -h
Usage: ss [ OPTIONS ]
       ss [ OPTIONS ] [ FILTER ]
   -h, --help           this message
   -V, --version        output version information
   -n, --numeric        don't resolve service names
   -r, --resolve       resolve host names
   -a, --all            display all sockets
   -l, --listening      display listening sockets
   -o, --options       show timer information
   -e, --extended      show detailed socket information
   -m, --memory        show socket memory usage
   -p, --processes      show process using socket
   -i, --info           show internal TCP information
   -s, --summary        show socket usage summary
   -4, --ipv4          display only IP version 4 sockets
   -6, --ipv6          display only IP version 6 sockets
   -0, --packet display PACKET sockets
   -t, --tcp            display only TCP sockets
   -u, --udp            display only UDP sockets
   -d, --dccp           display only DCCP sockets
   -w, --raw            display only RAW sockets
   -x, --unix           display only Unix domain sockets
   -f, --family=FAMILY display sockets of type FAMILY
   -A, --query=QUERY, --socket=QUERY
       QUERY := {all|inet|tcp|udp|raw|unix|packet|netlink}[,QUERY]
   -D, --diag=FILE      Dump raw information about TCP sockets to FILE
   -F, --filter=FILE   read filter information from FILE
       FILTER := [ state TCP-STATE ] [ EXPRESSION ]

Source: com/linux-command/ss-replace-netstat/

Tags: Linux Operation & Maintenance Back-end Programmer cli

Posted by mackevin on Sun, 08 May 2022 06:57:12 +0300