logo

oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/> git clone https://anongit.hacktivis.me/git/oasis-root.git

ss.8 (15182B)

    

  1. .TH SS 8
  2. .SH NAME
  3. ss \- another utility to investigate sockets
  4. .SH SYNOPSIS
  5. .B ss
  6. .RI [ options ] " [ FILTER ]"
  7. .SH DESCRIPTION
  8. .B ss
  9. is used to dump socket statistics. It allows showing information similar
  10. to
  11. .IR netstat .
  12. It can display more TCP and state information than other tools.
  14. .SH OPTIONS
  15. When no option is used ss displays a list of open non-listening
  16. sockets (e.g. TCP/UNIX/UDP) that have established connection.
  17. .TP
  18. .B \-h, \-\-help
  19. Show summary of options.
  20. .TP
  21. .B \-V, \-\-version
  22. Output version information.
  23. .TP
  24. .B \-H, \-\-no-header
  25. Suppress header line.
  26. .TP
  27. .B \-O, \-\-oneline
  28. Print each socket's data on a single line.
  29. .TP
  30. .B \-n, \-\-numeric
  31. Do not try to resolve service names. Show exact bandwidth values, instead of human-readable.
  32. .TP
  33. .B \-r, \-\-resolve
  34. Try to resolve numeric address/ports.
  35. .TP
  36. .B \-a, \-\-all
  37. Display both listening and non-listening (for TCP this means
  38. established connections) sockets.
  39. .TP
  40. .B \-l, \-\-listening
  41. Display only listening sockets (these are omitted by default).
  42. .TP
  43. .B \-B, \-\-bound-inactive
  44. Display only TCP bound but inactive (not listening, connecting, etc.) sockets
  45. (these are omitted by default).
  46. .TP
  47. .B \-o, \-\-options
  48. Show timer information. For TCP protocol, the output format is:
  49. .RS
  50. .P
  51. timer:(<timer_name>,<expire_time>,<retrans>)
  52. .P
  53. .TP
  54. .B <timer_name>
  55. the name of the timer, there are five kind of timer names:
  56. .RS
  57. .P
  58. .B on
  59. : means one of these timers: TCP retrans timer, TCP early retrans
  60. timer and tail loss probe timer
  61. .P
  62. .BR keepalive ": tcp keep alive timer"
  63. .P
  64. .BR timewait ": timewait stage timer"
  65. .P
  66. .BR persist ": zero window probe timer"
  67. .P
  68. .BR unknown ": none of the above timers"
  69. .RE
  70. .TP
  71. .B <expire_time>
  72. how long time the timer will expire
  73. .P
  74. .TP
  75. .B <retrans>
  76. how many times the retransmission occurred
  77. .RE
  78. .TP
  79. .B \-e, \-\-extended
  80. Show detailed socket information. The output format is:
  81. .RS
  82. .P
  83. uid:<uid_number> ino:<inode_number> sk:<cookie>
  84. .P
  85. .TP
  86. .B <uid_number>
  87. the user id the socket belongs to
  88. .P
  89. .TP
  90. .B <inode_number>
  91. the socket's inode number in VFS
  92. .P
  93. .TP
  94. .B <cookie>
  95. an uuid of the socket
  96. .RE
  97. .TP
  98. .B \-m, \-\-memory
  99. Show socket memory usage. The output format is:
  100. .RS
  101. .P
  102. skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
  103. .br
  104. .RS
  105. .RS
  106. f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
  107. .RE
  108. .RE
  109. .br
  110. .RS
  111. .RS
  112. bl<back_log>,d<sock_drop>)
  113. .RE
  114. .RE
  115. .P
  116. .TP
  117. .B <rmem_alloc>
  118. the memory allocated for receiving packet
  119. .P
  120. .TP
  121. .B <rcv_buf>
  122. the total memory can be allocated for receiving packet
  123. .P
  124. .TP
  125. .B <wmem_alloc>
  126. the memory used for sending packet (which has been sent to layer 3)
  127. .P
  128. .TP
  129. .B <snd_buf>
  130. the total memory can be allocated for sending packet
  131. .P
  132. .TP
  133. .B <fwd_alloc>
  134. the memory allocated by the socket as cache, but not used for
  135. receiving/sending packet yet. If need memory to send/receive packet,
  136. the memory in this cache will be used before allocate additional
  137. memory.
  138. .P
  139. .TP
  140. .B <wmem_queued>
  141. The memory allocated for sending packet (which has not been sent to layer 3)
  142. .P
  143. .TP
  144. .B <opt_mem>
  145. The memory used for storing socket option, e.g., the key for TCP MD5 signature
  146. .P
  147. .TP
  148. .B <back_log>
  149. The memory used for the sk backlog queue. On a process context, if the
  150. process is receiving packet, and a new packet is received, it will be
  151. put into the sk backlog queue, so it can be received by the process
  152. immediately
  153. .P
  154. .TP
  155. .B <sock_drop>
  156. the number of packets dropped before they are de-multiplexed into the socket
  157. .RE
  158. .TP
  159. .B \-p, \-\-processes
  160. Show process using socket.
  161. .TP
  162. .B \-T, \-\-threads
  163. Show thread using socket. Implies
  164. .BR \-p .
  165. .TP
  166. .B \-i, \-\-info
  167. Show internal TCP information. Below fields may appear:
  168. .RS
  169. .P
  170. .TP
  171. .B ts
  172. show string "ts" if the timestamp option is set
  173. .P
  174. .TP
  175. .B sack
  176. show string "sack" if the sack option is set
  177. .P
  178. .TP
  179. .B ecn
  180. show string "ecn" if the explicit congestion notification option is set
  181. .P
  182. .TP
  183. .B ecnseen
  184. show string "ecnseen" if the saw ecn flag is found in received packets
  185. .P
  186. .TP
  187. .B fastopen
  188. show string "fastopen" if the fastopen option is set
  189. .P
  190. .TP
  191. .B cong_alg
  192. the congestion algorithm name, the default congestion algorithm is "cubic"
  193. .P
  194. .TP
  195. .B wscale:<snd_wscale>:<rcv_wscale>
  196. if window scale option is used, this field shows the send scale factor
  197. and receive scale factor
  198. .P
  199. .TP
  200. .B rto:<icsk_rto>
  201. tcp re-transmission timeout value, the unit is millisecond
  202. .P
  203. .TP
  204. .B backoff:<icsk_backoff>
  205. used for exponential backoff re-transmission, the actual
  206. re-transmission timeout value is icsk_rto << icsk_backoff
  207. .P
  208. .TP
  209. .B rtt:<rtt>/<rttvar>
  210. rtt is the average round trip time, rttvar is the mean deviation of
  211. rtt, their units are millisecond
  212. .P
  213. .TP
  214. .B ato:<ato>
  215. ack timeout, unit is millisecond, used for delay ack mode
  216. .P
  217. .TP
  218. .B mss:<mss>
  219. max segment size
  220. .P
  221. .TP
  222. .B cwnd:<cwnd>
  223. congestion window size
  224. .P
  225. .TP
  226. .B pmtu:<pmtu>
  227. path MTU value
  228. .P
  229. .TP
  230. .B ssthresh:<ssthresh>
  231. tcp congestion window slow start threshold
  232. .P
  233. .TP
  234. .B bytes_acked:<bytes_acked>
  235. bytes acked
  236. .P
  237. .TP
  238. .B bytes_received:<bytes_received>
  239. bytes received
  240. .P
  241. .TP
  242. .B segs_out:<segs_out>
  243. segments sent out
  244. .P
  245. .TP
  246. .B segs_in:<segs_in>
  247. segments received
  248. .P
  249. .TP
  250. .B send <send_bps>bps
  251. egress bps
  252. .P
  253. .TP
  254. .B lastsnd:<lastsnd>
  255. how long time since the last packet sent, the unit is millisecond
  256. .P
  257. .TP
  258. .B lastrcv:<lastrcv>
  259. how long time since the last packet received, the unit is millisecond
  260. .P
  261. .TP
  262. .B lastack:<lastack>
  263. how long time since the last ack received, the unit is millisecond
  264. .P
  265. .TP
  266. .B pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
  267. the pacing rate and max pacing rate
  268. .P
  269. .TP
  270. .B rcv_space:<rcv_space>
  271. a helper variable for TCP internal auto tuning socket receive buffer
  272. .P
  273. .TP
  274. .B tcp-ulp-mptcp flags:[MmBbJjecv] token:<rem_token(rem_id)/loc_token(loc_id)> seq:<sn> sfseq:<ssn> ssnoff:<off> maplen:<maplen>
  275. MPTCP subflow information
  276. .P
  277. .RE
  278. .TP
  279. .B \-\-tos
  280. Show ToS and priority information. Below fields may appear:
  281. .RS
  282. .P
  283. .TP
  284. .B tos
  285. IPv4 Type-of-Service byte
  286. .P
  287. .TP
  288. .B tclass
  289. IPv6 Traffic Class byte
  290. .P
  291. .TP
  292. .B class_id
  293. Class id set by net_cls cgroup. If class is zero this shows priority
  294. set by SO_PRIORITY.
  295. .RE
  296. .TP
  297. .B \-\-cgroup
  298. Show cgroup information. Below fields may appear:
  299. .RS
  300. .P
  301. .TP
  302. .B cgroup
  303. Cgroup v2 pathname. This pathname is relative to the mount point of the hierarchy.
  304. .RE
  305. .TP
  306. .B \-\-tipcinfo
  307. Show internal tipc socket information.
  308. .TP
  309. .B \-K, \-\-kill
  310. Attempts to forcibly close sockets. This option displays sockets that are
  311. successfully closed and silently skips sockets that the kernel does not support
  312. closing. It supports IPv4 and IPv6 sockets only.
  313. .TP
  314. .B \-s, \-\-summary
  315. Print summary statistics. This option does not parse socket lists obtaining
  316. summary from various sources. It is useful when amount of sockets is so huge
  317. that parsing /proc/net/tcp is painful.
  318. .TP
  319. .B \-E, \-\-events
  320. Continually display sockets as they are destroyed
  321. .TP
  322. .B \-Z, \-\-context
  323. As the
  324. .B \-p
  325. option but also shows process security context. If the
  326. .B \-T
  327. option is used, also shows thread security context.
  328. .sp
  329. For
  330. .BR netlink (7)
  331. sockets the initiating process context is displayed as follows:
  332. .RS
  333. .RS
  334. .IP "1." 4
  335. If valid pid show the process context.
  336. .IP "2." 4
  337. If destination is kernel (pid = 0) show kernel initial context.
  338. .IP "3." 4
  339. If a unique identifier has been allocated by the kernel or netlink user,
  340. show context as "unavailable". This will generally indicate that a
  341. process has more than one netlink socket active.
  342. .RE
  343. .RE
  344. .TP
  345. .B \-z, \-\-contexts
  346. As the
  347. .B \-Z
  348. option but also shows the socket context. The socket context is
  349. taken from the associated inode and is not the actual socket
  350. context held by the kernel. Sockets are typically labeled with the
  351. context of the creating process, however the context shown will reflect
  352. any policy role, type and/or range transition rules applied,
  353. and is therefore a useful reference.
  354. .TP
  355. .B \-N NSNAME, \-\-net=NSNAME
  356. Switch to the specified network namespace name.
  357. .TP
  358. .B \-b, \-\-bpf
  359. Show socket classic BPF filters (only administrators are allowed to get these
  360. information).
  361. .TP
  362. .B \-4, \-\-ipv4
  363. Display only IP version 4 sockets (alias for -f inet).
  364. .TP
  365. .B \-6, \-\-ipv6
  366. Display only IP version 6 sockets (alias for -f inet6).
  367. .TP
  368. .B \-0, \-\-packet
  369. Display PACKET sockets (alias for -f link).
  370. .TP
  371. .B \-t, \-\-tcp
  372. Display TCP sockets.
  373. .TP
  374. .B \-u, \-\-udp
  375. Display UDP sockets.
  376. .TP
  377. .B \-d, \-\-dccp
  378. Display DCCP sockets.
  379. .TP
  380. .B \-w, \-\-raw
  381. Display RAW sockets.
  382. .TP
  383. .B \-x, \-\-unix
  384. Display Unix domain sockets (alias for -f unix).
  385. .TP
  386. .B \-S, \-\-sctp
  387. Display SCTP sockets.
  388. .TP
  389. .B \-\-tipc
  390. Display tipc sockets (alias for -f tipc).
  391. .TP
  392. .TP
  393. .B \-\-vsock
  394. Display vsock sockets (alias for -f vsock).
  395. .TP
  396. .B \-\-xdp
  397. Display XDP sockets (alias for -f xdp).
  398. .TP
  399. .B \-M, \-\-mptcp
  400. Display MPTCP sockets.
  401. .TP
  402. .B \-\-inet-sockopt
  403. Display inet socket options.
  404. .TP
  405. .B \-f FAMILY, \-\-family=FAMILY
  406. Display sockets of type FAMILY.  Currently the following families are
  407. supported: unix, inet, inet6, link, netlink, vsock, tipc, xdp.
  408. .TP
  409. .B \-A QUERY, \-\-query=QUERY, \-\-socket=QUERY
  410. List of socket tables to dump, separated by commas. The following identifiers
  411. are understood: all, inet, tcp, udp, raw, unix, packet, netlink, unix_dgram,
  412. unix_stream, unix_seqpacket, packet_raw, packet_dgram, dccp, sctp, tipc,
  413. vsock_stream, vsock_dgram, xdp, mptcp. Any item in the list may optionally be
  414. prefixed by an exclamation mark
  415. .RB ( ! )
  416. to exclude that socket table from being dumped.
  417. .TP
  418. .B \-D FILE, \-\-diag=FILE
  419. Do not display anything, just dump raw information about TCP sockets
  420. to FILE after applying filters. If FILE is - stdout is used.
  421. .TP
  422. .B \-F FILE, \-\-filter=FILE
  423. Read filter information from FILE.  Each line of FILE is interpreted
  424. like single command line option. If FILE is - stdin is used.
  425. .TP
  426. .B FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
  427. Please take a look at the official documentation for details regarding filters.
  429. .SH STATE-FILTER
  431. .B STATE-FILTER
  432. allows one to construct arbitrary set of states to match. Its syntax is
  433. sequence of keywords state and exclude followed by identifier of
  434. state.
  435. .TP
  436. Available identifiers are:
  438. All standard TCP states:
  439. .BR established ", " syn-sent ", " syn-recv ", " fin-wait-1 ", " fin-wait-2 ", " time-wait ", " closed ", " close-wait ", " last-ack ", "
  440. .BR  listening " and " closing.
  442. .B all
  443. - for all the states
  445. .B connected
  446. - all the states except for
  447. .BR listening " and " closed
  449. .B synchronized
  450. - all the
  451. .B connected
  452. states except for
  453. .B syn-sent
  455. .B bucket
  456. - states, which are maintained as minisockets, i.e.
  457. .BR time-wait " and " syn-recv
  459. .B big
  460. - opposite to
  461. .B bucket
  463. .B bound-inactive
  464. - bound but otherwise inactive sockets (not listening, connecting, etc.)
  466. .SH EXPRESSION
  468. .B EXPRESSION
  469. allows filtering based on specific criteria.
  470. .B EXPRESSION
  471. consists of a series of predicates combined by boolean operators. The possible operators in increasing
  472. order of precedence are
  473. .B or
  474. (or | or ||),
  475. .B and
  476. (or & or &&), and
  477. .B not
  478. (or !). If no operator is between consecutive predicates, an implicit
  479. .B and
  480. operator is assumed. Subexpressions can be grouped with "(" and ")".
  481. .P
  482. The following predicates are supported:
  484. .TP
  485. .B {dst|src} [=] HOST
  486. Test if the destination or source matches HOST. See HOST SYNTAX for details.
  487. .TP
  488. .B {dport|sport} [OP] [FAMILY:]:PORT
  489. Compare the destination or source port to PORT. OP can be any of "<", "<=", "=", "!=",
  490. ">=" and ">". Following normal arithmetic rules. FAMILY and PORT are as described in
  491. HOST SYNTAX below.
  492. .TP
  493. .B dev [=|!=] DEVICE
  494. Match based on the device the connection uses. DEVICE can either be a device name or the
  495. index of the interface.
  496. .TP
  497. .B fwmark [=|!=] MASK
  498. Matches based on the fwmark value for the connection. This can either be a specific mark value
  499. or a mark value followed by a "/" and a bitmask of which bits to use in the comparison. For example
  500. "fwmark = 0x01/0x03" would match if the two least significant bits of the fwmark were 0x01.
  501. .TP
  502. .B cgroup [=|!=] PATH
  503. Match if the connection is part of a cgroup at the given path.
  504. .TP
  505. .B autobound
  506. Match if the port or path of the source address was automatically allocated
  507. (rather than explicitly specified).
  508. .P
  509. Most operators have aliases. If no operator is supplied "=" is assumed.
  510. Each of the following groups of operators are all equivalent:
  511. .RS
  512. .IP \(bu 2
  513. = == eq
  514. .IP \(bu
  515. != ne neq
  516. .IP \(bu
  517. > gt
  518. .IP \(bu
  519. < lt
  520. .IP \(bu
  521. >= ge geq
  522. .IP \(bu
  523. <= le leq
  524. .IP \(bu
  525. ! not
  526. .IP \(bu
  527. | || or
  528. .IP \(bu
  529. & && and
  530. .RE
  531. .SH HOST SYNTAX
  532. .P
  533. The general host syntax is [FAMILY:]ADDRESS[:PORT].
  534. .P
  535. FAMILY must be one of the families supported by the -f option. If not given
  536. it defaults to the family given with the -f option, and if that is also
  537. missing, will assume either inet or inet6. Note that all host conditions in the
  538. expression should either all be the same family or be only inet and inet6. If there
  539. is some other mixture of families, the results will probably be unexpected.
  540. .P
  541. The form of ADDRESS and PORT depends on the family used. "*" can be used as
  542. a wildcard for either the address or port. The details for each family are as
  543. follows:
  544. .TP
  545. .B unix
  546. ADDRESS is a glob pattern (see
  547. .BR fnmatch (3))
  548. that will be matched case-insensitively against the unix socket's address. Both path and abstract
  549. names are supported. Unix addresses do not support a port, and "*" cannot be used as a wildcard.
  550. .TP
  551. .B link
  552. ADDRESS is the case-insensitive name of an Ethernet protocol to match. PORT
  553. is either a device name or a device index for the desired link device, as seen
  554. in the output of ip link.
  555. .TP
  556. .B netlink
  557. ADDRESS is a descriptor of the netlink family. Possible values come from
  558. /etc/iproute2/nl_protos. PORT is the port id of the socket, which is usually
  559. the same as the owning process id. The value "kernel" can be used to represent
  560. the kernel (port id of 0).
  561. .TP
  562. .B vsock
  563. ADDRESS is an integer representing the CID address, and PORT is the port.
  564. .TP
  565. .BR inet \ and\  inet6
  566. ADDRESS is an ip address (either v4 or v6 depending on the family) or a DNS
  567. hostname that resolves to an ip address of the required version. An ipv6
  568. address must be enclosed in "[" and "]" to disambiguate the port separator. The
  569. address may additionally have a prefix length given in CIDR notation (a slash
  570. followed by the prefix length in bits). PORT is either the numerical
  571. socket port, or the service name for the port to match.
  573. .SH USAGE EXAMPLES
  574. .TP
  575. .B ss -t -a
  576. Display all TCP sockets.
  577. .TP
  578. .B ss -t -a -Z
  579. Display all TCP sockets with process SELinux security contexts.
  580. .TP
  581. .B ss -u -a
  582. Display all UDP sockets.
  583. .TP
  584. .B ss -o state established '( dport = :ssh or sport = :ssh )'
  585. Display all established ssh connections.
  586. .TP
  587. .B ss -x src /tmp/.X11-unix/*
  588. Find all local processes connected to X server.
  589. .TP
  590. .B ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
  591. List all the tcp sockets in state FIN-WAIT-1 for our apache to network
  592. 193.233.7/24 and look at their timers.
  593. .TP
  594. .B ss -a -A 'all,!tcp'
  595. List sockets in all states from all socket tables but TCP.
  596. .SH SEE ALSO
  597. .BR ip (8),
  598. .br
  599. .BR RFC " 793 "
  600. - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
  602. .SH AUTHOR
  603. .I ss
  604. was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
  605. .PP
  606. This manual page was written by Michael Prokop <mika@grml.org>
  607. for the Debian project (but may be used by others).