The “ss” command is another very useful command available in Linux. It is used to show socket statistics: PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets and Unix domain sockets can all be inspected with ss. The command is very similar to the netstat command in Linux. It displays the list of all sockets, their port status and related information.
Basic Example
Dev:vx11aaa:jbs002-~ $ ss -s
Total: 186 (kernel 218)
TCP:   73 (estab 20, closed 13, orphaned 0, synrecv 0, timewait 1/0), ports 54

Transport Total     IP        IPv6
*         218       -         -
RAW       0         0         0
UDP       17        9         8
TCP       60        52        8
INET      77        61        16
FRAG      0         0         0
From the above output, we can see the established, closed and orphaned counts and many more details, divided by protocol family.
Display All Open Network Ports
Dev:vx11aaa:jbs002-~ $ ss -l
Recv-Q Send-Q    Local Address:Port    Peer Address:Port
0      0         :::48578              :::*
See the Process Using the Sockets
Dev:vx11aaa:jbs002-~ $ ss -pl
Recv-Q Send-Q    Local Address:Port    Peer Address:Port
0      0         :::48578              :::*    users:(("java",32506,12))
In the above output we can see both the open ports and the process that is using each of them (in this case a Java process).
Find out who is responsible for opening socket / port
Dev:vx11aaa:jbs002-~ $ ss -lp | grep 10012
0      0         :::10012              :::*    users:(("java",32506,67))
Connected Hosts
Dev:vx11aaa:jbs002-~ $ ss -r
State  Recv-Q Send-Q    Local Address:Port    Peer Address:Port
ESTAB  0      0         vx1379:8629           eth0.vx1d81.uprr.com:11580
ESTAB  0      0         vx1379:24035          eth0.vx1d81.uprr.com:4708
Socket Memory Usage
Dev:vx11aaa:jbs002-~ $ ss -m
State  Recv-Q Send-Q    Local Address:Port      Peer Address:Port
ESTAB  0      0         192.229.125.12:8629     173.229.152.83:11580    mem:(r0,w0,f0,t0)
ESTAB  0      0         192.229.125.12:24035    173.229.152.83:4708     mem:(r0,w0,f0,t0)
r represents the read (inbound) buffer
w represents the write (outbound) buffer
f represents the "forward allocated memory" (memory available to the socket)
t represents the transmit queue (stuff waiting to be sent or waiting on an ACK)

ss -t -a dumps all TCP sockets
ss -u -a dumps all UDP sockets
ss -w -a dumps all RAW sockets
ss -x -a dumps all UNIX sockets
Filtering
As we said earlier, ss is almost equal to the netstat command, but it provides a lot more than netstat, such as filtering capabilities. “ss” allows filtering on socket states, using the keywords state and exclude, followed by a state identifier. State identifiers are the standard TCP state names.
Find all the Established Ports
Dev:vx11aaa:jbs002-~ $ ss -o state established
Recv-Q Send-Q    Local Address:Port     Peer Address:Port
0      0         192.229.125.12:8629    173.229.152.83:11580
Where FILTER-NAME can be any from the list below:
established
syn-sent
syn-recv
fin-wait-1
fin-wait-2
time-wait
closed
close-wait
last-ack
listen
closing
all : All of the above states
connected : All the states except for listen and closed
synchronized : All the connected states except for syn-sent
bucket : Show states which are maintained as mini sockets, i.e. time-wait and syn-recv.
big : Opposite to bucket state.
For example, to dump all TCP sockets except those in TIME_WAIT:
Dev:vx11aaa:jbs002-~ $ ss -t exclude time-wait
Mapping of PID to Port
Dev:vx11aaa:jbs002-~ $ ss -p -l '( sport = :10012 )'
Recv-Q Send-Q    Local Address:Port    Peer Address:Port
0      0         :::10012              :::*    users:(("java",32506,67))
How to list all unique IP addresses currently connected to a specific port?
ss -o state established '( dport = :10012 )' | awk -F"[\t :]+" 'NR!=1{ ip[$5]+=1 } END{ for (i in ip){n++};print n }'
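The one-liner above splits fields on ":", so IPv6 and IPv4-mapped peers land in the wrong field. The following is an added example, not part of the original post: it counts connections per unique peer while stripping only the trailing port, which is useful when reviewing who is connected to a service. It assumes the clients of interest connect to a local port, so the live filter uses sport (swap to dport for outbound connections); the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Input: output of  ss -tn state established '( sport = :PORT )'
# Assumed columns: Recv-Q  Send-Q  Local:Port  Peer:Port

# Print "<connections> <peer-ip>" per unique peer, busiest first.
peer_counts() {
    awk '
        $1 == "Recv-Q" { next }        # header line
        NF < 4         { next }        # blank or wrapped lines
        {
            peer = $4
            sub(/:[^:]*$/, "", peer)   # strip only the trailing :port
            gsub(/^\[|\]$/, "", peer)  # unwrap [IPv6] brackets
            sub(/^::ffff:/, "", peer)  # IPv4-mapped IPv6 -> plain IPv4
            count[peer]++
        }
        END { for (p in count) print count[p], p }
    ' | sort -k1,1nr -k2,2
}

# Number of distinct peers.
unique_peer_count() {
    peer_counts | wc -l | tr -d ' '
}

# Constructed sample (documentation address ranges), not real traffic.
sample_ss_output() {
    cat <<'EOF'
Recv-Q Send-Q Local Address:Port          Peer Address:Port
0      0      192.0.2.10:10012            198.51.100.7:51122
0      0      192.0.2.10:10012            198.51.100.7:51340
0      0      192.0.2.10:10012            203.0.113.25:40012
0      0      [2001:db8::10]:10012        [2001:db8::99]:38844
0      0      [::ffff:192.0.2.10]:10012   [::ffff:198.51.100.7]:51900
EOF
}

sample_ss_output | peer_counts
# Live use: ss -tn state established '( sport = :10012 )' | peer_counts
```

A single peer holding far more connections than the rest is the first thing to look at in the per-peer listing.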
User ID Information
Dev:vx11aaa:jbs002-~ $ ss -e | head
State  Recv-Q Send-Q    Local Address:Port      Peer Address:Port
ESTAB  0      0         192.229.125.12:8629     173.229.152.83:11580       ino:24265172 sk:f28c4080ffff8800
ESTAB  0      0         192.229.125.12:24035    173.229.152.83:4708        ino:22405856 sk:9e954080ffff8800
ESTAB  0      0         192.229.125.12:43730    167.132.85.252:ncube-lm    uid:7281 ino:24335602 sk:9e955340ffff8800
ESTAB  0      0         192.229.125.12:43712    167.132.85.252:ncube-lm    uid:7281 ino:24334169 sk:62d6e080ffff8800
More to come on advanced socket management with ss. Stay tuned.