oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/>

git clone https://anongit.hacktivis.me/git/oasis-root.git

ss.8 (15182B)


.TH SS 8
.SH NAME
ss \- another utility to investigate sockets
.SH SYNOPSIS
.B ss
.RI [ options ] " [ FILTER ]"
.SH DESCRIPTION
.B ss
is used to dump socket statistics. It allows showing information similar
to
.IR netstat .
It can display more TCP and state information than other tools.
.SH OPTIONS
When no option is used ss displays a list of open non-listening
sockets (e.g. TCP/UNIX/UDP) that have established connection.
.TP
.B \-h, \-\-help
Show summary of options.
.TP
.B \-V, \-\-version
Output version information.
.TP
.B \-H, \-\-no-header
Suppress header line.
.TP
.B \-O, \-\-oneline
Print each socket's data on a single line.
.TP
.B \-n, \-\-numeric
Do not try to resolve service names. Show exact bandwidth values, instead of human-readable.
.TP
.B \-r, \-\-resolve
Try to resolve numeric address/ports.
.TP
.B \-a, \-\-all
Display both listening and non-listening (for TCP this means
established connections) sockets.
.TP
.B \-l, \-\-listening
Display only listening sockets (these are omitted by default).
.TP
.B \-B, \-\-bound-inactive
Display only TCP bound but inactive (not listening, connecting, etc.) sockets
(these are omitted by default).
.TP
.B \-o, \-\-options
Show timer information. For TCP protocol, the output format is:
.RS
.P
timer:(<timer_name>,<expire_time>,<retrans>)
.P
.TP
.B <timer_name>
the name of the timer; there are five kinds of timer names:
.RS
.P
.B on
: means one of these timers: TCP retrans timer, TCP early retrans
timer and tail loss probe timer
.P
.BR keepalive ": tcp keep alive timer"
.P
.BR timewait ": timewait stage timer"
.P
.BR persist ": zero window probe timer"
.P
.BR unknown ": none of the above timers"
.RE
.TP
.B <expire_time>
how long until the timer expires
.P
.TP
.B <retrans>
how many times the retransmission occurred
.RE
.TP
.B \-e, \-\-extended
Show detailed socket information. The output format is:
.RS
.P
uid:<uid_number> ino:<inode_number> sk:<cookie>
.P
.TP
.B <uid_number>
the user id the socket belongs to
.P
.TP
.B <inode_number>
the socket's inode number in VFS
.P
.TP
.B <cookie>
a uuid of the socket
.RE
.TP
.B \-m, \-\-memory
Show socket memory usage. The output format is:
.RS
.P
skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
.br
.RS
.RS
f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
.RE
.RE
.br
.RS
.RS
bl<back_log>,d<sock_drop>)
.RE
.RE
.P
.TP
.B <rmem_alloc>
the memory allocated for receiving packets
.P
.TP
.B <rcv_buf>
the total memory that can be allocated for receiving packets
.P
.TP
.B <wmem_alloc>
the memory used for sending packets (which have been sent to layer 3)
.P
.TP
.B <snd_buf>
the total memory that can be allocated for sending packets
.P
.TP
.B <fwd_alloc>
the memory allocated by the socket as cache, but not used for
receiving/sending packets yet. If memory is needed to send/receive a packet,
the memory in this cache will be used before additional memory is
allocated.
.P
.TP
.B <wmem_queued>
The memory allocated for sending packets (which have not been sent to layer 3)
.P
.TP
.B <opt_mem>
The memory used for storing socket options, e.g., the key for TCP MD5 signature
.P
.TP
.B <back_log>
The memory used for the sk backlog queue. In process context, if the
process is receiving a packet and a new packet is received, it will be
put into the sk backlog queue, so it can be received by the process
immediately
.P
.TP
.B <sock_drop>
the number of packets dropped before they are de-multiplexed into the socket
.RE
.TP
.B \-p, \-\-processes
Show process using socket.
.TP
.B \-T, \-\-threads
Show thread using socket. Implies
.BR \-p .
.TP
.B \-i, \-\-info
Show internal TCP information. Below fields may appear:
.RS
.P
.TP
.B ts
show string "ts" if the timestamp option is set
.P
.TP
.B sack
show string "sack" if the sack option is set
.P
.TP
.B ecn
show string "ecn" if the explicit congestion notification option is set
.P
.TP
.B ecnseen
show string "ecnseen" if the saw ecn flag is found in received packets
.P
.TP
.B fastopen
show string "fastopen" if the fastopen option is set
.P
.TP
.B cong_alg
the congestion algorithm name, the default congestion algorithm is "cubic"
.P
.TP
.B wscale:<snd_wscale>:<rcv_wscale>
if window scale option is used, this field shows the send scale factor
and receive scale factor
.P
.TP
.B rto:<icsk_rto>
tcp re-transmission timeout value, the unit is millisecond
.P
.TP
.B backoff:<icsk_backoff>
used for exponential backoff re-transmission, the actual
re-transmission timeout value is icsk_rto << icsk_backoff
.P
.TP
.B rtt:<rtt>/<rttvar>
rtt is the average round trip time, rttvar is the mean deviation of
rtt, their units are millisecond
.P
.TP
.B ato:<ato>
ack timeout, unit is millisecond, used for delay ack mode
.P
.TP
.B mss:<mss>
max segment size
.P
.TP
.B cwnd:<cwnd>
congestion window size
.P
.TP
.B pmtu:<pmtu>
path MTU value
.P
.TP
.B ssthresh:<ssthresh>
tcp congestion window slow start threshold
.P
.TP
.B bytes_acked:<bytes_acked>
bytes acked
.P
.TP
.B bytes_received:<bytes_received>
bytes received
.P
.TP
.B segs_out:<segs_out>
segments sent out
.P
.TP
.B segs_in:<segs_in>
segments received
.P
.TP
.B send <send_bps>bps
egress bps
.P
.TP
.B lastsnd:<lastsnd>
how long since the last packet was sent, the unit is millisecond
.P
.TP
.B lastrcv:<lastrcv>
how long since the last packet was received, the unit is millisecond
.P
.TP
.B lastack:<lastack>
how long since the last ack was received, the unit is millisecond
.P
.TP
.B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
the pacing rate and max pacing rate
.P
.TP
.B rcv_space:<rcv_space>
a helper variable for TCP internal auto tuning socket receive buffer
.P
.TP
.B tcp-ulp-mptcp flags:[MmBbJjecv] token:<rem_token(rem_id)/loc_token(loc_id)> seq:<sn> sfseq:<ssn> ssnoff:<off> maplen:<maplen>
MPTCP subflow information
.P
.RE
.TP
.B \-\-tos
Show ToS and priority information. Below fields may appear:
.RS
.P
.TP
.B tos
IPv4 Type-of-Service byte
.P
.TP
.B tclass
IPv6 Traffic Class byte
.P
.TP
.B class_id
Class id set by net_cls cgroup. If class is zero this shows priority
set by SO_PRIORITY.
.RE
.TP
.B \-\-cgroup
Show cgroup information. Below fields may appear:
.RS
.P
.TP
.B cgroup
Cgroup v2 pathname. This pathname is relative to the mount point of the hierarchy.
.RE
.TP
.B \-\-tipcinfo
Show internal tipc socket information.
.TP
.B \-K, \-\-kill
Attempts to forcibly close sockets. This option displays sockets that are
successfully closed and silently skips sockets that the kernel does not support
closing. It supports IPv4 and IPv6 sockets only.
.TP
.B \-s, \-\-summary
Print summary statistics. This option does not parse socket lists, obtaining
the summary from various sources. It is useful when the number of sockets is so
huge that parsing /proc/net/tcp is painful.
.TP
.B \-E, \-\-events
Continually display sockets as they are destroyed.
.TP
.B \-Z, \-\-context
As the
.B \-p
option but also shows process security context. If the
.B \-T
option is used, also shows thread security context.
.sp
For
.BR netlink (7)
sockets the initiating process context is displayed as follows:
.RS
.RS
.IP "1." 4
If valid pid show the process context.
.IP "2." 4
If destination is kernel (pid = 0) show kernel initial context.
.IP "3." 4
If a unique identifier has been allocated by the kernel or netlink user,
show context as "unavailable". This will generally indicate that a
process has more than one netlink socket active.
.RE
.RE
.TP
.B \-z, \-\-contexts
As the
.B \-Z
option but also shows the socket context. The socket context is
taken from the associated inode and is not the actual socket
context held by the kernel. Sockets are typically labeled with the
context of the creating process, however the context shown will reflect
any policy role, type and/or range transition rules applied,
and is therefore a useful reference.
.TP
.B \-N NSNAME, \-\-net=NSNAME
Switch to the specified network namespace name.
.TP
.B \-b, \-\-bpf
Show socket classic BPF filters (only administrators are allowed to get this
information).
.TP
.B \-4, \-\-ipv4
Display only IP version 4 sockets (alias for -f inet).
.TP
.B \-6, \-\-ipv6
Display only IP version 6 sockets (alias for -f inet6).
.TP
.B \-0, \-\-packet
Display PACKET sockets (alias for -f link).
.TP
.B \-t, \-\-tcp
Display TCP sockets.
.TP
.B \-u, \-\-udp
Display UDP sockets.
.TP
.B \-d, \-\-dccp
Display DCCP sockets.
.TP
.B \-w, \-\-raw
Display RAW sockets.
.TP
.B \-x, \-\-unix
Display Unix domain sockets (alias for -f unix).
.TP
.B \-S, \-\-sctp
Display SCTP sockets.
.TP
.B \-\-tipc
Display tipc sockets (alias for -f tipc).
.TP
.B \-\-vsock
Display vsock sockets (alias for -f vsock).
.TP
.B \-\-xdp
Display XDP sockets (alias for -f xdp).
.TP
.B \-M, \-\-mptcp
Display MPTCP sockets.
.TP
.B \-\-inet-sockopt
Display inet socket options.
.TP
.B \-f FAMILY, \-\-family=FAMILY
Display sockets of type FAMILY. Currently the following families are
supported: unix, inet, inet6, link, netlink, vsock, tipc, xdp.
.TP
.B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY
List of socket tables to dump, separated by commas. The following identifiers
are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram,
unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, tipc,
vsock_stream, vsock_dgram, xdp, mptcp. Any item in the list may optionally be
prefixed by an exclamation mark
.RB ( ! )
to exclude that socket table from being dumped.
.TP
.B \-D FILE, \-\-diag=FILE
Do not display anything, just dump raw information about TCP sockets
to FILE after applying filters. If FILE is - stdout is used.
.TP
.B \-F FILE, \-\-filter=FILE
Read filter information from FILE. Each line of FILE is interpreted
like a single command line option. If FILE is - stdin is used.
.TP
.B FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
Please take a look at the official documentation for details regarding filters.
.SH STATE-FILTER
.B STATE-FILTER
allows one to construct an arbitrary set of states to match. Its syntax is
a sequence of the keywords state and exclude followed by the identifier of
a state.
.TP
Available identifiers are:
All standard TCP states:
.BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", "
.BR listening " and " closing .
.B all
- for all the states
.B connected
- all the states except for
.BR listening " and " closed
.B synchronized
- all the
.B connected
states except for
.B syn-sent
.B bucket
- states, which are maintained as minisockets, i.e.
.BR time-wait " and " syn-recv
.B big
- opposite to
.B bucket
.B bound-inactive
- bound but otherwise inactive sockets (not listening, connecting, etc.)
.SH EXPRESSION
.B EXPRESSION
allows filtering based on specific criteria.
.B EXPRESSION
consists of a series of predicates combined by boolean operators. The possible operators in increasing
order of precedence are
.B or
(or | or ||),
.B and
(or & or &&), and
.B not
(or !). If no operator is between consecutive predicates, an implicit
.B and
operator is assumed. Subexpressions can be grouped with "(" and ")".
.P
The following predicates are supported:
.TP
.B {dst|src} [=] HOST
Test if the destination or source matches HOST. See HOST SYNTAX for details.
.TP
.B {dport|sport} [OP] [FAMILY:]:PORT
Compare the destination or source port to PORT. OP can be any of "<", "<=", "=", "!=",
">=" and ">", following normal arithmetic rules. FAMILY and PORT are as described in
HOST SYNTAX below.
.TP
.B dev [=|!=] DEVICE
Match based on the device the connection uses. DEVICE can either be a device name or the
index of the interface.
.TP
.B fwmark [=|!=] MASK
Matches based on the fwmark value for the connection. This can either be a specific mark value
or a mark value followed by a "/" and a bitmask of which bits to use in the comparison. For example
"fwmark = 0x01/0x03" would match if the two least significant bits of the fwmark were 0x01.
.TP
.B cgroup [=|!=] PATH
Match if the connection is part of a cgroup at the given path.
.TP
.B autobound
Match if the port or path of the source address was automatically allocated
(rather than explicitly specified).
.P
Most operators have aliases. If no operator is supplied "=" is assumed.
Each of the following groups of operators are all equivalent:
.RS
.IP \(bu 2
= == eq
.IP \(bu
!= ne neq
.IP \(bu
> gt
.IP \(bu
< lt
.IP \(bu
>= ge geq
.IP \(bu
<= le leq
.IP \(bu
! not
.IP \(bu
| || or
.IP \(bu
& && and
.RE
.SH HOST SYNTAX
.P
The general host syntax is [FAMILY:]ADDRESS[:PORT].
.P
FAMILY must be one of the families supported by the -f option. If not given
it defaults to the family given with the -f option, and if that is also
missing, will assume either inet or inet6. Note that all host conditions in the
expression should either all be the same family or be only inet and inet6. If there
is some other mixture of families, the results will probably be unexpected.
.P
The form of ADDRESS and PORT depends on the family used. "*" can be used as
a wildcard for either the address or port. The details for each family are as
follows:
.TP
.B unix
ADDRESS is a glob pattern (see
.BR fnmatch (3))
that will be matched case-insensitively against the unix socket's address. Both path and abstract
names are supported. Unix addresses do not support a port, and "*" cannot be used as a wildcard.
.TP
.B link
ADDRESS is the case-insensitive name of an Ethernet protocol to match. PORT
is either a device name or a device index for the desired link device, as seen
in the output of ip link.
.TP
.B netlink
ADDRESS is a descriptor of the netlink family. Possible values come from
/etc/iproute2/nl_protos. PORT is the port id of the socket, which is usually
the same as the owning process id. The value "kernel" can be used to represent
the kernel (port id of 0).
.TP
.B vsock
ADDRESS is an integer representing the CID address, and PORT is the port.
.TP
.BR inet \ and\ inet6
ADDRESS is an ip address (either v4 or v6 depending on the family) or a DNS
hostname that resolves to an ip address of the required version. An ipv6
address must be enclosed in "[" and "]" to disambiguate the port separator. The
address may additionally have a prefix length given in CIDR notation (a slash
followed by the prefix length in bits). PORT is either the numerical
socket port, or the service name for the port to match.
.SH USAGE EXAMPLES
.TP
.B ss -t -a
Display all TCP sockets.
.TP
.B ss -t -a -Z
Display all TCP sockets with process SELinux security contexts.
.TP
.B ss -u -a
Display all UDP sockets.
.TP
.B ss -o state established '( dport = :ssh or sport = :ssh )'
Display all established ssh connections.
.TP
.B ss -x src /tmp/.X11-unix/*
Find all local processes connected to X server.
.TP
.B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
List all the tcp sockets in state FIN-WAIT-1 for our apache to network
193.233.7/24 and look at their timers.
.TP
.B ss -a -A 'all,!tcp'
List sockets in all states from all socket tables but TCP.
.SH SEE ALSO
.BR ip (8),
.br
.BR RFC " 793 "
- https://tools.ietf.org/rfc/rfc793.txt (TCP states)
.SH AUTHOR
.I ss
was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
.PP
This manual page was written by Michael Prokop <mika@grml.org>
for the Debian project (but may be used by others).
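
An added example (not part of the ss man page or of iproute2): a Python parser for the timer:, uid/ino/sk and skmem: groups documented under -o, -e and -m, applied to one-line (-O) records to flag sockets that drop packets, keep retransmitting, or belong to an unexpected user. The sample records, their leading columns, the function names and the triage thresholds are assumptions made for illustration.

```python
import re

# Field layouts as documented for -o, -e and -m in the man page above.
TIMER_RE = re.compile(r"timer:\(([^,()]+),([^,()]+),(\d+)\)")
EXT_RE = re.compile(r"(?:\buid:(\d+) )?\bino:(\d+) sk:([0-9a-fA-F]+)")
SKMEM_RE = re.compile(r"skmem:\(([^)]*)\)")
SKMEM_NAMES = {"r": "rmem_alloc", "rb": "rcv_buf", "t": "wmem_alloc",
               "tb": "snd_buf", "f": "fwd_alloc", "w": "wmem_queued",
               "o": "opt_mem", "bl": "back_log", "d": "sock_drop"}


def parse_record(line):
    """Extract the timer, extended and skmem groups from one -O record."""
    rec = {"raw": line, "timer": None, "uid": None, "ino": None,
           "sk": None, "skmem": {}}
    m = TIMER_RE.search(line)
    if m:
        rec["timer"] = {"name": m.group(1), "expire": m.group(2),
                        "retrans": int(m.group(3))}
    m = EXT_RE.search(line)
    if m:
        # uid is treated as optional so a record without it still parses.
        rec["uid"] = int(m.group(1)) if m.group(1) else None
        rec["ino"], rec["sk"] = int(m.group(2)), m.group(3)
    m = SKMEM_RE.search(line)
    if m:
        for item in m.group(1).split(","):
            kv = re.fullmatch(r"([a-z]+)(\d+)", item.strip())
            if kv and kv.group(1) in SKMEM_NAMES:
                rec["skmem"][SKMEM_NAMES[kv.group(1)]] = int(kv.group(2))
    return rec


def triage(records, expected_uids, max_retrans=3):
    """Return (inode, reason) pairs; thresholds are illustrative assumptions."""
    findings = []
    for r in records:
        mem, timer = r["skmem"], r["timer"]
        if r["uid"] is not None and r["uid"] not in expected_uids:
            findings.append((r["ino"], "unexpected-uid"))
        if mem.get("sock_drop", 0) > 0:
            findings.append((r["ino"], "drops"))
        if timer and timer["name"] == "on" and timer["retrans"] >= max_retrans:
            findings.append((r["ino"], "retransmitting"))
    return findings


# Constructed sample records (documentation addresses), not real captures.
SAMPLE = [
    "ESTAB 0 0 192.0.2.10:22 198.51.100.7:51514 timer:(keepalive,119min,0) "
    "uid:1000 ino:23456 sk:1a skmem:(r0,rb131072,t0,tb87040,f0,w0,o0,bl0,d0)",
    "ESTAB 0 4380 192.0.2.10:443 203.0.113.9:40022 timer:(on,1.2sec,4) "
    "uid:33 ino:23999 sk:2f skmem:(r0,rb131072,t0,tb46080,f1716,w6476,o0,bl0,d7)",
    "ESTAB 0 0 192.0.2.10:8080 203.0.113.50:55110 ino:24100 sk:30",
]

if __name__ == "__main__":
    for ino, reason in triage([parse_record(l) for l in SAMPLE], {33, 1000}):
        print(ino, reason)
```

Because the parser keys only on the documented field groups, it tolerates records where -o, -e or -m data is absent, as in the third sample line.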