SS(8) System Manager's Manual SS(8)

ss - another utility to investigate sockets

ss [options] [ FILTER ]

ss is used to dump socket statistics. It shows information similar to
netstat, and can display more TCP and state information than other
tools.

When no option is used, ss displays a list of open non-listening sockets
(e.g. TCP/UNIX/UDP) that have an established connection.

-h, --help
       Show summary of options.

-V, --version
       Output version information.

-H, --no-header
       Suppress header line.

-n, --numeric
       Do not try to resolve service names.

-r, --resolve
       Try to resolve numeric address/ports.

-a, --all
       Display both listening and non-listening (for TCP this means
       established connections) sockets.

-l, --listening
       Display only listening sockets (these are omitted by default).

-o, --options
       Show timer information. For the tcp protocol, the output format is:

       timer:(<timer_name>,<expire_time>,<retrans>)

       <timer_name>
              the name of the timer; there are five kinds of timer
              names:

              on: means one of these timers: tcp retrans timer, tcp
              early retrans timer and tail loss probe timer

              keepalive: tcp keep alive timer

              timewait: timewait stage timer

              persist: zero window probe timer

              unknown: none of the above timers

       <expire_time>
              how long until the timer expires

       <retrans>
              how many times the retransmission occurred

-e, --extended
       Show detailed socket information. The output format is:

       uid:<uid_number> ino:<inode_number> sk:<cookie>

       <uid_number>
              the user id the socket belongs to

       <inode_number>
              the socket's inode number in VFS

       <cookie>
              a uuid of the socket

-m, --memory
       Show socket memory usage. The output format is:

       skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
                     f<fwd_alloc>,w<wmem_queued>,
                     o<opt_mem>,bl<back_log>)

       <rmem_alloc>
              the memory allocated for receiving packets

       <rcv_buf>
              the total memory that can be allocated for receiving
              packets

       <wmem_alloc>
              the memory used for sending packets (which have been sent
              to layer 3)

       <snd_buf>
              the total memory that can be allocated for sending packets

       <fwd_alloc>
              the memory allocated by the socket as cache, but not yet
              used for receiving/sending packets. If memory is needed to
              send/receive a packet, the memory in this cache will be
              used before additional memory is allocated.

       <wmem_queued>
              the memory allocated for sending packets (which have not
              been sent to layer 3)

       <opt_mem>
              the memory used for storing socket options, e.g., the key
              for TCP MD5 signature

       <back_log>
              the memory used for the sk backlog queue. In process
              context, if the process is receiving a packet and a new
              packet is received, it will be put into the sk backlog
              queue, so it can be received by the process immediately

-p, --processes
       Show process using socket.

-i, --info
       Show internal TCP information. The fields below may appear:

       ts     show string "ts" if the timestamp option is set

       sack   show string "sack" if the sack option is set

       ecn    show string "ecn" if the explicit congestion notification
              option is set

       ecnseen
              show string "ecnseen" if the ecn flag was seen in
              received packets

       fastopen
              show string "fastopen" if the fastopen option is set

       cong_alg
              the congestion algorithm name; the default congestion
              algorithm is "cubic"

       wscale:<snd_wscale>:<rcv_wscale>
              if the window scale option is used, this field shows the
              send scale factor and receive scale factor

       rto:<icsk_rto>
              tcp re-transmission timeout value, in milliseconds

       backoff:<icsk_backoff>
              used for exponential backoff re-transmission; the actual
              re-transmission timeout value is icsk_rto << icsk_backoff

       rtt:<rtt>/<rttvar>
              rtt is the average round trip time, rttvar is the mean
              deviation of rtt; both are in milliseconds

       ato:<ato>
              ack timeout, in milliseconds, used for delayed ack mode

       mss:<mss>
              max segment size

       cwnd:<cwnd>
              congestion window size

       pmtu:<pmtu>
              path MTU value

       ssthresh:<ssthresh>
              tcp congestion window slow start threshold

       bytes_acked:<bytes_acked>
              bytes acked

       bytes_received:<bytes_received>
              bytes received

       segs_out:<segs_out>
              segments sent out

       segs_in:<segs_in>
              segments received

       send <send_bps>bps
              egress bps

       lastsnd:<lastsnd>
              time since the last packet was sent, in milliseconds

       lastrcv:<lastrcv>
              time since the last packet was received, in milliseconds

       lastack:<lastack>
              time since the last ack was received, in milliseconds

       pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
              the pacing rate and max pacing rate

       rcv_space:<rcv_space>
              a helper variable for TCP internal auto tuning of the
              socket receive buffer

--tos
       Show ToS and priority information. The fields below may appear:

       tos    IPv4 Type-of-Service byte

       tclass IPv6 Traffic Class byte

       class_id
              Class id set by net_cls cgroup. If class is zero this
              shows priority set by SO_PRIORITY.

-K, --kill
       Attempts to forcibly close sockets. This option displays sockets
       that are successfully closed and silently skips sockets that the
       kernel does not support closing. It supports IPv4 and IPv6
       sockets only.

-s, --summary
       Print summary statistics. This option does not parse socket
       lists; it obtains the summary from various sources. It is useful
       when the number of sockets is so large that parsing /proc/net/tcp
       is painful.

-E, --events
       Continually display sockets as they are destroyed.

-Z, --context
       As the -p option but also shows process security context.

       For netlink(7) sockets the initiating process context is
       displayed as follows:

              1.  If valid pid show the process context.

              2.  If destination is kernel (pid = 0) show kernel
                  initial context.

              3.  If a unique identifier has been allocated by the
                  kernel or netlink user, show context as "unavailable".
                  This will generally indicate that a process has more
                  than one netlink socket active.

-z, --contexts
       As the -Z option but also shows the socket context. The socket
       context is taken from the associated inode and is not the actual
       socket context held by the kernel. Sockets are typically labeled
       with the context of the creating process; however, the context
       shown will reflect any policy role, type and/or range transition
       rules applied, and is therefore a useful reference.

-N NSNAME, --net=NSNAME
       Switch to the specified network namespace name.

-b, --bpf
       Show socket BPF filters (only administrators are allowed to get
       this information).

-4, --ipv4
       Display only IP version 4 sockets (alias for -f inet).

-6, --ipv6
       Display only IP version 6 sockets (alias for -f inet6).

-0, --packet
       Display PACKET sockets (alias for -f link).

-t, --tcp
       Display TCP sockets.

-u, --udp
       Display UDP sockets.

-d, --dccp
       Display DCCP sockets.

-w, --raw
       Display RAW sockets.

-x, --unix
       Display Unix domain sockets (alias for -f unix).

-S, --sctp
       Display SCTP sockets.

--vsock
       Display vsock sockets (alias for -f vsock).

-f FAMILY, --family=FAMILY
       Display sockets of type FAMILY. Currently the following
       families are supported: unix, inet, inet6, link, netlink, vsock.

-A QUERY, --query=QUERY, --socket=QUERY
       List of socket tables to dump, separated by commas. The
       following identifiers are understood: all, inet, tcp, udp, raw,
       unix, packet, netlink, unix_dgram, unix_stream, unix_seqpacket,
       packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram.
       Any item in the list may optionally be prefixed by an
       exclamation mark (!) to exclude that socket table from being
       dumped.

-D FILE, --diag=FILE
       Do not display anything, just dump raw information about TCP
       sockets to FILE after applying filters. If FILE is -, stdout is
       used.

-F FILE, --filter=FILE
       Read filter information from FILE. Each line of FILE is
       interpreted like a single command line option. If FILE is -,
       stdin is used.

FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
       Please take a look at the official documentation for details
       regarding filters.
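
The rto/backoff fields of -i and the skmem fields of -m can be combined to spot connections whose peer has stopped acknowledging or whose receive buffer is filling up. The script below is an added example, not part of the original manual page or of iproute2; the function names and the sample lines are constructed, and the layout (socket line followed by an indented info line) is an assumption about the input.

```shell
#!/bin/sh
# Added example (not from the ss project). Reads `ss -t -i -m` style text on
# stdin and prints, per socket, the effective retransmission timeout
# (icsk_rto << icsk_backoff, in ms) and the receive buffer fill (r / rb).

tcp_pressure() {
    awk '
    !/rto:/ { conn = $4 "->" $5; next }   # socket line: remember local->peer
    {
        rto = 0; backoff = 0; r = 0; rb = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^rto:/)          rto = substr($i, 5) + 0
            else if ($i ~ /^backoff:/) backoff = substr($i, 9) + 0
            else if ($i ~ /^skmem:\(/) {
                s = $i
                sub(/^skmem:\(/, "", s); sub(/\)$/, "", s)
                n = split(s, kv, ",")
                for (j = 1; j <= n; j++) {
                    if (kv[j] ~ /^rb[0-9]/)     rb = substr(kv[j], 3) + 0
                    else if (kv[j] ~ /^r[0-9]/) r  = substr(kv[j], 2) + 0
                }
            }
        }
        # A missing backoff field is treated as 0, leaving rto unchanged.
        eff = rto * 2 ^ backoff
        pct = (rb > 0) ? int(100 * r / rb) : 0
        printf "%s rto_eff_ms=%d rcv_fill_pct=%d\n", conn, eff, pct
    }'
}

# Constructed sample input (addresses are documentation ranges).
sample_info_output() {
    cat <<'EOF'
ESTAB 0     0 10.0.0.5:443 198.51.100.7:40112
     skmem:(r0,rb131072,t0,tb87040,f0,w0,o0,bl0) cubic rto:204 rtt:3.5/1.2 mss:1448 cwnd:10
ESTAB 98304 0 10.0.0.5:443 203.0.113.9:51820
     skmem:(r98304,rb131072,t0,tb87040,f4096,w0,o0,bl0) cubic rto:400 backoff:3 rtt:120/40 mss:1448 cwnd:1
EOF
}

sample_info_output | tcp_pressure
```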

STATE-FILTER allows constructing an arbitrary set of states to match.
Its syntax is a sequence of the keywords state and exclude, each followed
by a state identifier.

Available identifiers are:

       All standard TCP states: established, syn-sent, syn-recv,
       fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack,
       listening and closing.

       all - for all the states

       connected - all the states except for listening and closed

       synchronized - all the connected states except for syn-sent

       bucket - states which are maintained as minisockets, i.e.
       time-wait and syn-recv

       big - opposite to bucket

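The identifiers above are named sets of TCP states. The script below is an added example, not part of the original manual page or of iproute2, that expands a STATE-FILTER into the concrete states it selects. It assumes that state adds to a set that starts empty and that exclude removes from a set that starts as all when it is the first keyword; the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the ss project): expand a STATE-FILTER into the
# concrete TCP states it selects, using the identifiers of this page.
# Assumption: "state" adds to a set that starts empty; "exclude" removes
# from a set that starts as "all" when it is the first keyword.

expand_state_filter() {
    printf '%s\n' "$*" | awk '
    function inset(id, s,    bucket, conn) {
        bucket = (s == "time-wait" || s == "syn-recv")
        conn = (s != "listening" && s != "closed")
        if (id == "all" || id == s) return 1
        if (id == "connected")      return conn
        if (id == "synchronized")   return conn && s != "syn-sent"
        if (id == "bucket")         return bucket
        if (id == "big")            return !bucket
        return 0
    }
    {
        n = split("established syn-sent syn-recv fin-wait-1 fin-wait-2 time-wait closed close-wait last-ack listening closing", st, " ")
        for (k = 1; k < NF; k += 2) {
            if ($k != "state" && $k != "exclude") {
                print "unknown keyword: " $k > "/dev/stderr"; exit 2
            }
            for (i = 1; i <= n; i++) {
                # The first keyword decides whether the set starts empty or full.
                if (k == 1) sel[st[i]] = ($k == "exclude")
                if (inset($(k + 1), st[i])) sel[st[i]] = ($k == "state")
            }
        }
        out = ""
        for (i = 1; i <= n; i++)
            if (sel[st[i]]) out = out (out == "" ? "" : " ") st[i]
        print out
    }'
}

expand_state_filter state connected exclude time-wait
```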

ss -t -a
       Display all TCP sockets.

ss -t -a -Z
       Display all TCP sockets with process SELinux security contexts.

ss -u -a
       Display all UDP sockets.

ss -o state established '( dport = :ssh or sport = :ssh )'
       Display all established ssh connections.

ss -x src /tmp/.X11-unix/*
       Find all local processes connected to X server.

ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
       List all the tcp sockets in state FIN-WAIT-1 for our apache to
       network 193.233.7/24 and look at their timers.

ss -a -A 'all,!tcp'
       List sockets in all states from all socket tables but TCP.
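
For a host audit, the -l, -n, -p and -e options together give every listener with its owning process, uid and inode. The script below is an added example, not part of the original manual page or of iproute2, that keeps only the TCP listeners reachable from other hosts. The function names and sample lines are constructed, and treating a line without uid: as uid 0 is an assumption about ss output.

```shell
#!/bin/sh
# Added example (not from the ss project). Reads `ss -H -t -l -n -p -e`
# output on stdin and lists every TCP listener that is not bound to
# loopback, with the owning uid, inode and process name.

exposed_listeners() {
    awk '
    $1 != "LISTEN" { next }
    {
        addr = $4
        # Loopback-only listeners are not reachable from other hosts.
        if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next

        # Assumption: a line without uid: belongs to uid 0.
        # proc stays "?" when ss was not allowed to see the owning process.
        uid = "0"; ino = "?"; proc = "?"
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^uid:/)      uid = substr($i, 5)
            else if ($i ~ /^ino:/) ino = substr($i, 5)
            else if ($i ~ /^users:/) {
                # users:(("sshd",pid=812,fd=3)) -> sshd
                if (split($i, q, "\"") >= 2) proc = q[2]
            }
        }
        printf "%s uid=%s ino=%s proc=%s\n", addr, uid, ino, proc
    }'
}

# Constructed sample input; on a live host use: ss -H -t -l -n -p -e
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22     0.0.0.0:*        users:(("sshd",pid=812,fd=3)) ino:21345 sk:1 <->
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*        users:(("postgres",pid=990,fd=5)) uid:113 ino:24110 sk:2 <->
LISTEN 0 511  [::]:8080      [::]:*           users:(("node",pid=1444,fd=19)) uid:1001 ino:30977 sk:3 v6only:0 <->
LISTEN 0 5    [::1]:631      [::]:*           users:(("cupsd",pid=700,fd=7)) ino:19002 sk:5 v6only:1 <->
ESTAB  0 0    10.0.0.5:22    10.0.0.9:51514   users:(("sshd",pid=2001,fd=4)) timer:(keepalive,119min,0) ino:40112 sk:4 <->
EOF
}

sample_ss_output | exposed_listeners
```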

ip(8),
RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)

ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.

This manual page was written by Michael Prokop <mika@grml.org> for the
Debian project (but may be used by others).