1SS(8) System Manager's Manual SS(8)
2
6 ss - another utility to investigate sockets
7
9 ss [options] [ FILTER ]
10
12 ss is used to dump socket statistics. It allows showing information
13 similar to netstat. It can display more TCP and state informations
14 than other tools.
15
18 When no option is used ss displays a list of open non-listening sockets
19 (e.g. TCP/UNIX/UDP) that have established connection.
20 -h, --help
22 Show summary of options.
23 -V, --version
25 Output version information.
26 -H, --no-header
28 Suppress header line.
29 -n, --numeric
31 Do not try to resolve service names.
32 -r, --resolve
34 Try to resolve numeric address/ports.
35 -a, --all
37 Display both listening and non-listening (for TCP this means
38 established connections) sockets.
39 -l, --listening
41 Display only listening sockets (these are omitted by default).
42 -o, --options
44 Show timer information.
45 -e, --extended
47 Show detailed socket information
48 -m, --memory
50 Show socket memory usage.
51 -p, --processes
53 Show process using socket.
54 -i, --info
56 Show internal TCP information.
57 -K, --kill
59 Attempts to forcibly close sockets. This option displays sockets
60 that are successfully closed and silently skips sockets that the
61 kernel does not support closing. It supports IPv4 and IPv6 sock‐
62 ets only.
63 -s, --summary
65 Print summary statistics. This option does not parse socket
66 lists obtaining summary from various sources. It is useful when
67 amount of sockets is so huge that parsing /proc/net/tcp is
68 painful.
69 -Z, --context
71 As the -p option but also shows process security context.
72 For netlink(7) sockets the initiating process context is dis‐
74 played as follows:
75 1. If valid pid show the process context.
77 2. If destination is kernel (pid = 0) show kernel ini‐
79 tial context.
80 3. If a unique identifier has been allocated by the ker‐
82 nel or netlink user, show context as "unavailable".
83 This will generally indicate that a process has more
84 than one netlink socket active.
85 -z, --contexts
87 As the -Z option but also shows the socket context. The socket
88 context is taken from the associated inode and is not the actual
89 socket context held by the kernel. Sockets are typically labeled
90 with the context of the creating process, however the context
91 shown will reflect any policy role, type and/or range transition
92 rules applied, and is therefore a useful reference.
93 -N NSNAME, --net=NSNAME
95 Switch to the specified network namespace name.
96 -b, --bpf
98 Show socket BPF filters (only administrators are allowed to get
99 these information).
100 -4, --ipv4
102 Display only IP version 4 sockets (alias for -f inet).
103 -6, --ipv6
105 Display only IP version 6 sockets (alias for -f inet6).
106 -0, --packet
108 Display PACKET sockets (alias for -f link).
109 -t, --tcp
111 Display TCP sockets.
112 -u, --udp
114 Display UDP sockets.
115 -d, --dccp
117 Display DCCP sockets.
118 -w, --raw
120 Display RAW sockets.
121 -x, --unix
123 Display Unix domain sockets (alias for -f unix).
124 -S, --sctp
126 Display SCTP sockets.
127 --vsock
129 Display vsock sockets (alias for -f vsock).
130 -f FAMILY, --family=FAMILY
132 Display sockets of type FAMILY. Currently the following fami‐
133 lies are supported: unix, inet, inet6, link, netlink, vsock.
134 -A QUERY, --query=QUERY, --socket=QUERY
136 List of socket tables to dump, separated by commas. The follow‐
137 ing identifiers are understood: all, inet, tcp, udp, raw, unix,
138 packet, netlink, unix_dgram, unix_stream, unix_seqpacket,
139 packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram.
140 -D FILE, --diag=FILE
142 Do not display anything, just dump raw information about TCP
143 sockets to FILE after applying filters. If FILE is - stdout is
144 used.
145 -F FILE, --filter=FILE
147 Read filter information from FILE. Each line of FILE is inter‐
148 preted like single command line option. If FILE is - stdin is
149 used.
150 FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
152 Please take a look at the official documentation (Debian package
153 iproute-doc) for details regarding filters.
154
157 STATE-FILTER allows to construct arbitrary set of states to match. Its
158 syntax is sequence of keywords state and exclude followed by identifier
159 of state.
160 Available identifiers are:
162 All standard TCP states: established, syn-sent, syn-recv, fin-
164 wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack,
165 listen and closing.
166 all - for all the states
168 connected - all the states except for listen and closed
170 synchronized - all the connected states except for syn-sent
172 bucket - states, which are maintained as minisockets, i.e.
174 time-wait and syn-recv
175 big - opposite to bucket
177
180 ss -t -a
181 Display all TCP sockets.
182 ss -t -a -Z
184 Display all TCP sockets with process SELinux security contexts.
185 ss -u -a
187 Display all UDP sockets.
188 ss -o state established '( dport = :ssh or sport = :ssh )'
190 Display all established ssh connections.
191 ss -x src /tmp/.X11-unix/*
193 Find all local processes connected to X server.
194 ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst
196 193.233.7/24
197 List all the tcp sockets in state FIN-WAIT-1 for our apache to
198 network 193.233.7/24 and look at their timers.
199
201 ip(8), /usr/share/doc/iproute-doc/ss.html (package iproutedoc),
202 RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
203
206 ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
207 This manual page was written by Michael Prokop <mika@grml.org> for the
209 Debian project (but may be used by others).
210 SS(8)