SS(8)                       System Manager's Manual                      SS(8)

NAME

       ss - another utility to investigate sockets

SYNOPSIS

       ss [options] [ FILTER ]

DESCRIPTION

       ss is used to dump socket statistics. It allows showing information
       similar to netstat. It can display more TCP and state information
       than other tools.

OPTIONS

       When no option is used ss displays a list of open non-listening sockets
       (e.g. TCP/UNIX/UDP) that have an established connection.

       -h, --help
              Show summary of options.

       -V, --version
              Output version information.

       -H, --no-header
              Suppress header line.

       -n, --numeric
              Do not try to resolve service names.

       -r, --resolve
              Try to resolve numeric address/ports.

       -a, --all
              Display both listening and non-listening (for TCP this means
              established connections) sockets.

       -l, --listening
              Display only listening sockets (these are omitted by default).

       -o, --options
              Show timer information. For the TCP protocol, the output format
              is:

              timer:(<timer_name>,<expire_time>,<retrans>)

              <timer_name>
                     the name of the timer; there are five kinds of timer
                     names:

                     on: means one of these timers: TCP retrans timer, TCP
                     early retrans timer and tail loss probe timer

                     keepalive: TCP keep alive timer

                     timewait: timewait stage timer

                     persist: zero window probe timer

                     unknown: none of the above timers

              <expire_time>
                     how long until the timer expires

              <retrans>
                     how many times the retransmission occurred

       -e, --extended
              Show detailed socket information. The output format is:

              uid:<uid_number> ino:<inode_number> sk:<cookie>

              <uid_number>
                     the user id the socket belongs to

              <inode_number>
                     the socket's inode number in VFS

              <cookie>
                     a UUID of the socket

       -m, --memory
              Show socket memory usage. The output format is:

              skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,bl<back_log>)

              <rmem_alloc>
                     the memory allocated for receiving packets

              <rcv_buf>
                     the total memory that can be allocated for receiving
                     packets

              <wmem_alloc>
                     the memory used for sending packets (which have been
                     sent to layer 3)

              <snd_buf>
                     the total memory that can be allocated for sending
                     packets

              <fwd_alloc>
                     the memory allocated by the socket as cache, but not yet
                     used for receiving/sending packets. If memory is needed
                     to send/receive a packet, the memory in this cache will
                     be used before additional memory is allocated.

              <wmem_queued>
                     the memory allocated for sending packets (which have not
                     been sent to layer 3)

              <opt_mem>
                     the memory used for storing socket options, e.g., the
                     key for TCP MD5 signature

              <back_log>
                     the memory used for the sk backlog queue. In process
                     context, if the process is receiving a packet and a new
                     packet is received, it will be put into the sk backlog
                     queue, so it can be received by the process immediately

       -p, --processes
              Show process using socket.

       -i, --info
              Show internal TCP information. The following fields may appear:

              ts     show string "ts" if the timestamp option is set

              sack   show string "sack" if the sack option is set

              ecn    show string "ecn" if the explicit congestion notification
                     option is set

              ecnseen
                     show string "ecnseen" if the "saw ecn" flag is found in
                     received packets

              fastopen
                     show string "fastopen" if the fastopen option is set

              cong_alg
                     the congestion algorithm name; the default congestion
                     algorithm is "cubic"

              wscale:<snd_wscale>:<rcv_wscale>
                     if the window scale option is used, this field shows the
                     send scale factor and receive scale factor

              rto:<icsk_rto>
                     TCP re-transmission timeout value, the unit is
                     millisecond

              backoff:<icsk_backoff>
                     used for exponential backoff re-transmission, the actual
                     re-transmission timeout value is icsk_rto << icsk_backoff

              rtt:<rtt>/<rttvar>
                     rtt is the average round trip time, rttvar is the mean
                     deviation of rtt, their units are millisecond

              ato:<ato>
                     ack timeout, unit is millisecond, used for delay ack mode

              mss:<mss>
                     max segment size

              cwnd:<cwnd>
                     congestion window size

              pmtu:<pmtu>
                     path MTU value

              ssthresh:<ssthresh>
                     TCP congestion window slow start threshold

              bytes_acked:<bytes_acked>
                     bytes acked

              bytes_received:<bytes_received>
                     bytes received

              segs_out:<segs_out>
                     segments sent out

              segs_in:<segs_in>
                     segments received

              send <send_bps>bps
                     egress bps

              lastsnd:<lastsnd>
                     how long since the last packet was sent, the unit is
                     millisecond

              lastrcv:<lastrcv>
                     how long since the last packet was received, the unit is
                     millisecond

              lastack:<lastack>
                     how long since the last ack was received, the unit is
                     millisecond

              pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
                     the pacing rate and max pacing rate

              rcv_space:<rcv_space>
                     a helper variable for TCP internal auto tuning of the
                     socket receive buffer

       -K, --kill
              Attempts to forcibly close sockets. This option displays sockets
              that are successfully closed and silently skips sockets that the
              kernel does not support closing. It supports IPv4 and IPv6
              sockets only.

       -s, --summary
              Print summary statistics. This option does not parse socket
              lists, obtaining the summary from various sources instead. It is
              useful when the number of sockets is so large that parsing
              /proc/net/tcp is painful.

       -E, --events
              Continually display sockets as they are destroyed.

       -Z, --context
              As the -p option but also shows process security context.

              For netlink(7) sockets the initiating process context is
              displayed as follows:

                     1.  If valid pid show the process context.

                     2.  If destination is kernel (pid = 0) show kernel
                         initial context.

                     3.  If a unique identifier has been allocated by the
                         kernel or netlink user, show context as
                         "unavailable". This will generally indicate that a
                         process has more than one netlink socket active.

       -z, --contexts
              As the -Z option but also shows the socket context. The socket
              context is taken from the associated inode and is not the actual
              socket context held by the kernel. Sockets are typically labeled
              with the context of the creating process, however the context
              shown will reflect any policy role, type and/or range transition
              rules applied, and is therefore a useful reference.

       -N NSNAME, --net=NSNAME
              Switch to the specified network namespace name.

       -b, --bpf
              Show socket BPF filters (only administrators are allowed to get
              this information).

       -4, --ipv4
              Display only IP version 4 sockets (alias for -f inet).

       -6, --ipv6
              Display only IP version 6 sockets (alias for -f inet6).

       -0, --packet
              Display PACKET sockets (alias for -f link).

       -t, --tcp
              Display TCP sockets.

       -u, --udp
              Display UDP sockets.

       -d, --dccp
              Display DCCP sockets.

       -w, --raw
              Display RAW sockets.

       -x, --unix
              Display Unix domain sockets (alias for -f unix).

       -S, --sctp
              Display SCTP sockets.

       --vsock
              Display vsock sockets (alias for -f vsock).

       -f FAMILY, --family=FAMILY
              Display sockets of type FAMILY. Currently the following
              families are supported: unix, inet, inet6, link, netlink, vsock.

       -A QUERY, --query=QUERY, --socket=QUERY
              List of socket tables to dump, separated by commas. The
              following identifiers are understood: all, inet, tcp, udp, raw,
              unix, packet, netlink, unix_dgram, unix_stream, unix_seqpacket,
              packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram.
              Any item in the list may optionally be prefixed by an
              exclamation mark (!) to exclude that socket table from being
              dumped.

       -D FILE, --diag=FILE
              Do not display anything, just dump raw information about TCP
              sockets to FILE after applying filters. If FILE is - stdout is
              used.

       -F FILE, --filter=FILE
              Read filter information from FILE. Each line of FILE is
              interpreted like a single command line option. If FILE is -
              stdin is used.

       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
              Please take a look at the official documentation for details
              regarding filters.
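
       The -o, -e, -m and -i field formats described above, parsed from one
       socket line. This is an added example, not part of the original manual
       page or of ss itself. The sample line is constructed, the function
       name is hypothetical, and treating a missing uid: field as uid 0 is an
       assumption.

```python
import re

# Constructed sample line laid out as the -o, -e, -m and -i entries describe.
SAMPLE = (
    "ESTAB 0 0 192.0.2.10:22 198.51.100.7:51514 "
    "timer:(keepalive,119min,0) uid:1000 ino:48213 sk:1f "
    "skmem:(r0,rb131072,t0,tb87040,f4096,w0,o0,bl0) "
    "ts sack cubic rto:204 backoff:2 rtt:3.5/1.2 mss:1448 cwnd:10"
)

# Short skmem prefixes mapped to the field names used in the -m description.
SKMEM = {"r": "rmem_alloc", "rb": "rcv_buf", "t": "wmem_alloc", "tb": "snd_buf",
         "f": "fwd_alloc", "w": "wmem_queued", "o": "opt_mem", "bl": "back_log"}


def parse_socket_line(line):
    """Return the timer, owner, memory and TCP fields found in one ss line."""
    out = {}
    m = re.search(r"timer:\(([^,()]+),([^,()]*),(\d+)\)", line)
    if m:
        out["timer"] = {"name": m.group(1), "expire": m.group(2),
                        "retrans": int(m.group(3))}
    # Assumption: a line with ino:/sk: but no uid: belongs to uid 0.
    m = re.search(r"(?:uid:(\d+) +)?ino:(\d+) +sk:([0-9a-f]+)", line)
    if m:
        out["uid"] = int(m.group(1) or 0)
        out["ino"] = int(m.group(2))
        out["sk"] = m.group(3)
    m = re.search(r"skmem:\(([^)]*)\)", line)
    if m:
        # Unknown prefixes are kept under their short name rather than dropped.
        out["skmem"] = {SKMEM.get(k, k): int(v)
                        for k, v in re.findall(r"([a-z]+)(\d+)", m.group(1))}
    for key, val in re.findall(r"\b(rto|backoff|mss|cwnd):(\d+(?:\.\d+)?)", line):
        out[key] = float(val)
    m = re.search(r"\brtt:([\d.]+)/([\d.]+)", line)
    if m:
        out["rtt"], out["rttvar"] = float(m.group(1)), float(m.group(2))
    if "rto" in out:
        # Effective timeout is icsk_rto << icsk_backoff (milliseconds).
        out["effective_rto_ms"] = out["rto"] * (1 << int(out.get("backoff", 0)))
    return out


if __name__ == "__main__":
    for key, value in parse_socket_line(SAMPLE).items():
        print(f"{key}: {value}")
```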

STATE-FILTER

       STATE-FILTER allows constructing an arbitrary set of states to match.
       Its syntax is a sequence of the keywords state and exclude, each
       followed by the identifier of a state.

       Available identifiers are:

              All standard TCP states: established, syn-sent, syn-recv,
              fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack,
              listening and closing.

              all - for all the states

              connected - all the states except for listening and closed

              synchronized - all the connected states except for syn-sent

              bucket - states which are maintained as minisockets, i.e.
              time-wait and syn-recv

              big - opposite to bucket
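
       How the state and exclude keywords combine with the identifiers listed
       above, as an added example that is not part of the original manual
       page or of ss itself. The function name is hypothetical, and starting
       from every state when the first keyword is exclude is an assumption
       about how ss evaluates the sequence.

```python
# TCP state identifiers exactly as listed in the STATE-FILTER section.
TCP_STATES = frozenset({
    "established", "syn-sent", "syn-recv", "fin-wait-1", "fin-wait-2",
    "time-wait", "closed", "close-wait", "last-ack", "listening", "closing",
})

# Group identifiers, defined the way the section describes them.
GROUPS = {
    "all": TCP_STATES,
    "connected": TCP_STATES - {"listening", "closed"},
    "synchronized": TCP_STATES - {"listening", "closed", "syn-sent"},
    "bucket": frozenset({"time-wait", "syn-recv"}),
    "big": TCP_STATES - {"time-wait", "syn-recv"},
}


def expand_state_filter(expr):
    """Expand e.g. 'state connected exclude established' to a set of states."""
    tokens = expr.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("expected pairs of: state|exclude IDENTIFIER")
    selected = None
    for keyword, ident in zip(tokens[0::2], tokens[1::2]):
        if ident in GROUPS:
            states = GROUPS[ident]
        elif ident in TCP_STATES:
            states = frozenset({ident})
        else:
            raise ValueError(f"unknown state identifier: {ident}")
        if keyword == "state":
            selected = (selected or frozenset()) | states
        elif keyword == "exclude":
            # Assumption: a leading 'exclude' starts from every state.
            selected = (TCP_STATES if selected is None else selected) - states
        else:
            raise ValueError(f"unknown keyword: {keyword}")
    return set(selected)


if __name__ == "__main__":
    # Connections that are connected but not established.
    print(sorted(expand_state_filter("state connected exclude established")))
```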

USAGE EXAMPLES

       ss -t -a
              Display all TCP sockets.

       ss -t -a -Z
              Display all TCP sockets with process SELinux security contexts.

       ss -u -a
              Display all UDP sockets.

       ss -o state established '( dport = :ssh or sport = :ssh )'
              Display all established ssh connections.

       ss -x src /tmp/.X11-unix/*
              Find all local processes connected to X server.

       ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
              List all the tcp sockets in state FIN-WAIT-1 for our apache to
              network 193.233.7/24 and look at their timers.

       ss -a -A 'all,!tcp'
              List sockets in all states from all socket tables but TCP.

SEE ALSO

       ip(8),
       RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)

AUTHOR

       ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.

       This manual page was written by Michael Prokop <mika@grml.org> for the
       Debian project (but may be used by others).