SS(8)                       System Manager's Manual                      SS(8)

NAME
       ss - another utility to investigate sockets

SYNOPSIS
       ss [options] [ FILTER ]

DESCRIPTION
       ss is used to dump socket statistics. It allows showing information
       similar to netstat. It can display more TCP and state information than
       other tools.

OPTIONS
       When no option is used ss displays a list of open non-listening sockets
       (e.g. TCP/UNIX/UDP) that have an established connection.

       -h, --help
              Show summary of options.

       -V, --version
              Output version information.

       -H, --no-header
              Suppress header line.

       -O, --oneline
              Print each socket's data on a single line.

       -n, --numeric
              Do not try to resolve service names. Show exact bandwidth
              values, instead of human-readable.

       -r, --resolve
              Try to resolve numeric address/ports.

       -a, --all
              Display both listening and non-listening (for TCP this means
              established connections) sockets.

       -l, --listening
              Display only listening sockets (these are omitted by default).

       -o, --options
              Show timer information. For TCP protocol, the output format is:

              timer:(<timer_name>,<expire_time>,<retrans>)

              <timer_name>
                     the name of the timer; there are five kinds of timer
                     names:

                     on: one of these timers: TCP retrans timer, TCP early
                     retrans timer and tail loss probe timer

                     keepalive: TCP keepalive timer

                     timewait: timewait stage timer

                     persist: zero window probe timer

                     unknown: none of the above timers

              <expire_time>
                     how long until the timer expires

              <retrans>
                     how many times the retransmission occurred

       -e, --extended
              Show detailed socket information. The output format is:

              uid:<uid_number> ino:<inode_number> sk:<cookie>

              <uid_number>
                     the user id the socket belongs to

              <inode_number>
                     the socket's inode number in VFS

              <cookie>
                     a uuid of the socket

       -m, --memory
              Show socket memory usage. The output format is:

              skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
                            f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
                            bl<back_log>,d<sock_drop>)

              <rmem_alloc>
                     the memory allocated for receiving packets

              <rcv_buf>
                     the total memory that can be allocated for receiving
                     packets

              <wmem_alloc>
                     the memory used for sending packets (which have been sent
                     to layer 3)

              <snd_buf>
                     the total memory that can be allocated for sending
                     packets

              <fwd_alloc>
                     the memory allocated by the socket as cache, but not yet
                     used for receiving/sending packets. If memory is needed
                     to send/receive a packet, the memory in this cache is
                     used before additional memory is allocated.

              <wmem_queued>
                     the memory allocated for sending packets (which have not
                     been sent to layer 3)

              <opt_mem>
                     the memory used for storing socket options, e.g., the key
                     for TCP MD5 signature

              <back_log>
                     the memory used for the sk backlog queue. In process
                     context, if the process is receiving a packet and a new
                     packet is received, it is put into the sk backlog queue
                     so that it can be received by the process immediately

              <sock_drop>
                     the number of packets dropped before they are
                     de-multiplexed into the socket

       -p, --processes
              Show process using socket.

       -i, --info
              Show internal TCP information. The fields below may appear:

              ts     show string "ts" if the timestamp option is set

              sack   show string "sack" if the sack option is set

              ecn    show string "ecn" if the explicit congestion notification
                     option is set

              ecnseen
                     show string "ecnseen" if the saw ecn flag is found in
                     received packets

              fastopen
                     show string "fastopen" if the fastopen option is set

              cong_alg
                     the congestion algorithm name; the default congestion
                     algorithm is "cubic"

              wscale:<snd_wscale>:<rcv_wscale>
                     if the window scale option is used, this field shows the
                     send scale factor and receive scale factor

              rto:<icsk_rto>
                     TCP re-transmission timeout value, in milliseconds

              backoff:<icsk_backoff>
                     used for exponential backoff re-transmission; the actual
                     re-transmission timeout value is icsk_rto << icsk_backoff

              rtt:<rtt>/<rttvar>
                     rtt is the average round trip time, rttvar is the mean
                     deviation of rtt; both are in milliseconds

              ato:<ato>
                     ack timeout, in milliseconds, used for delayed ack mode

              mss:<mss>
                     max segment size

              cwnd:<cwnd>
                     congestion window size

              pmtu:<pmtu>
                     path MTU value

              ssthresh:<ssthresh>
                     TCP congestion window slow start threshold

              bytes_acked:<bytes_acked>
                     bytes acked

              bytes_received:<bytes_received>
                     bytes received

              segs_out:<segs_out>
                     segments sent out

              segs_in:<segs_in>
                     segments received

              send <send_bps>bps
                     egress bps

              lastsnd:<lastsnd>
                     time since the last packet was sent, in milliseconds

              lastrcv:<lastrcv>
                     time since the last packet was received, in milliseconds

              lastack:<lastack>
                     time since the last ack was received, in milliseconds

              pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
                     the pacing rate and max pacing rate

              rcv_space:<rcv_space>
                     a helper variable for TCP internal auto tuning of the
                     socket receive buffer

       --tos  Show ToS and priority information. The fields below may appear:

              tos    IPv4 Type-of-Service byte

              tclass IPv6 Traffic Class byte

              class_id
                     Class id set by net_cls cgroup. If class is zero this
                     shows priority set by SO_PRIORITY.

       -K, --kill
              Attempts to forcibly close sockets. This option displays sockets
              that are successfully closed and silently skips sockets that the
              kernel does not support closing. It supports IPv4 and IPv6
              sockets only.

       -s, --summary
              Print summary statistics. This option does not parse socket
              lists, obtaining the summary from various sources instead. It is
              useful when the number of sockets is so large that parsing
              /proc/net/tcp is painful.

       -E, --events
              Continually display sockets as they are destroyed.

       -Z, --context
              As the -p option but also shows process security context.

              For netlink(7) sockets the initiating process context is
              displayed as follows:

                     1.  If valid pid show the process context.

                     2.  If destination is kernel (pid = 0) show kernel
                         initial context.

                     3.  If a unique identifier has been allocated by the
                         kernel or netlink user, show context as
                         "unavailable". This will generally indicate that a
                         process has more than one netlink socket active.

       -z, --contexts
              As the -Z option but also shows the socket context. The socket
              context is taken from the associated inode and is not the actual
              socket context held by the kernel. Sockets are typically labeled
              with the context of the creating process, however the context
              shown will reflect any policy role, type and/or range transition
              rules applied, and is therefore a useful reference.

       -N NSNAME, --net=NSNAME
              Switch to the specified network namespace name.

       -b, --bpf
              Show socket BPF filters (only administrators are allowed to get
              this information).

       -4, --ipv4
              Display only IP version 4 sockets (alias for -f inet).

       -6, --ipv6
              Display only IP version 6 sockets (alias for -f inet6).

       -0, --packet
              Display PACKET sockets (alias for -f link).

       -t, --tcp
              Display TCP sockets.

       -u, --udp
              Display UDP sockets.

       -d, --dccp
              Display DCCP sockets.

       -w, --raw
              Display RAW sockets.

       -x, --unix
              Display Unix domain sockets (alias for -f unix).

       -S, --sctp
              Display SCTP sockets.

       --vsock
              Display vsock sockets (alias for -f vsock).

       --xdp  Display XDP sockets (alias for -f xdp).

       -f FAMILY, --family=FAMILY
              Display sockets of type FAMILY. Currently the following
              families are supported: unix, inet, inet6, link, netlink, vsock,
              xdp.

       -A QUERY, --query=QUERY, --socket=QUERY
              List of socket tables to dump, separated by commas. The
              following identifiers are understood: all, inet, tcp, udp, raw,
              unix, packet, netlink, unix_dgram, unix_stream, unix_seqpacket,
              packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram,
              xdp. Any item in the list may optionally be prefixed by an
              exclamation mark (!) to exclude that socket table from being
              dumped.

       -D FILE, --diag=FILE
              Do not display anything, just dump raw information about TCP
              sockets to FILE after applying filters. If FILE is - stdout is
              used.

       -F FILE, --filter=FILE
              Read filter information from FILE. Each line of FILE is
              interpreted like a single command line option. If FILE is -
              stdin is used.

       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
              Please take a look at the official documentation for details
              regarding filters.
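The skmem field documented under -m can be checked mechanically, for example to spot a syslog or metrics collector socket that is silently dropping packets. The following is an added example, not part of the original manual page: the function names, the 80 percent default and the sample lines are constructed, and it assumes single-protocol input such as `ss -H -O -m -u -a -n`, where the local address is the fourth column.

```sh
#!/bin/sh
# Constructed sample of `ss -H -O -m -u -a -n` output (not captured data).
sample_skmem() {
cat <<'EOF'
UNCONN 0 0 0.0.0.0:514 0.0.0.0:* skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d1432)
UNCONN 180224 0 127.0.0.1:8125 0.0.0.0:* skmem:(r180224,rb212992,t0,tb212992,f4096,w0,o0,bl0,d0)
UNCONN 0 0 0.0.0.0:68 0.0.0.0:* skmem:(r0,rb212992,t0,tb212992,f0,w0,o0,bl0,d0)
EOF
}

# skmem_pressure [PCT]: read ss output on stdin and report sockets whose
# skmem field shows drops (d > 0) or whose rmem_alloc is at least PCT
# percent of rcv_buf. PCT defaults to 80.
skmem_pressure() {
    awk -v pct="${1:-80}" '
    {
        for (i = 1; i <= NF; i++) {
            if ($i !~ /^skmem:\(/) continue
            body = $i
            sub(/^skmem:\(/, "", body); sub(/\)$/, "", body)
            n = split(body, kv, ",")
            r = 0; rb = 0; d = 0
            for (j = 1; j <= n; j++) {
                # Test the longer prefix first: "rb" before "r".
                if      (kv[j] ~ /^rb[0-9]+$/) rb = substr(kv[j], 3) + 0
                else if (kv[j] ~ /^r[0-9]+$/)  r  = substr(kv[j], 2) + 0
                else if (kv[j] ~ /^d[0-9]+$/)  d  = substr(kv[j], 2) + 0
            }
            reason = ""
            if (d > 0) reason = "drops=" d
            if (rb > 0 && r * 100 >= rb * pct) {
                sep = (reason != "") ? "," : ""
                reason = reason sep "rcvq=" int(r * 100 / rb) "%"
            }
            # $4 is the local address:port column for single-protocol output.
            if (reason != "") print $4, reason
        }
    }'
}

sample_skmem | skmem_pressure
```

If several protocols are dumped at once, ss adds a Netid column in front and the local address moves to the fifth column.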

STATE-FILTER
       STATE-FILTER allows constructing an arbitrary set of states to match.
       Its syntax is a sequence of the keywords state and exclude, each
       followed by the identifier of a state.

       Available identifiers are:

              All standard TCP states: established, syn-sent, syn-recv,
              fin-wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack,
              listening and closing.

              all - for all the states

              connected - all the states except for listening and closed

              synchronized - all the connected states except for syn-sent

              bucket - states which are maintained as minisockets, i.e.
              time-wait and syn-recv

              big - opposite to bucket

USAGE EXAMPLES
       ss -t -a
              Display all TCP sockets.

       ss -t -a -Z
              Display all TCP sockets with process SELinux security contexts.

       ss -u -a
              Display all UDP sockets.

       ss -o state established '( dport = :ssh or sport = :ssh )'
              Display all established ssh connections.

       ss -x src /tmp/.X11-unix/*
              Find all local processes connected to X server.

       ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 193.233.7/24
              List all the tcp sockets in state FIN-WAIT-1 for our apache to
              network 193.233.7/24 and look at their timers.

       ss -a -A 'all,!tcp'
              List sockets in all states from all socket tables but TCP.
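A common audit built from the options above is to list the TCP listeners bound to every interface together with their owning uid and process. The following is an added example, not part of the original manual page: the function names and sample lines are constructed, and it assumes input from `ss -H -O -t -l -n -p -e` with process names that contain no spaces.

```sh
#!/bin/sh
# Constructed sample of `ss -H -O -t -l -n -p -e` output (not captured data).
sample_listeners() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3)) ino:21345 sk:1
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1020,fd=5)) uid:113 ino:23456 sk:2
LISTEN 0 4096 *:8080 *:* users:(("java",pid=1544,fd=41)) uid:1001 ino:30112 sk:3
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=900,fd=7)) ino:22871 sk:4
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=640,fd=6)) ino:19877 sk:5
EOF
}

# Print "<port> <uid> <process>" for every listener bound to a wildcard
# address (0.0.0.0, [::] or *), i.e. one that accepts on all interfaces.
wildcard_listeners() {
    awk '
    {
        laddr = $4
        port = laddr; sub(/.*:/, "", port)       # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)   # text before the last colon
        if (addr != "0.0.0.0" && addr != "[::]" && addr != "*") next
        uid = "-"; proc = "-"                    # "-" when the field is absent
        for (i = 6; i <= NF; i++) {
            if ($i ~ /^uid:[0-9]+$/) uid = substr($i, 5)
            else if ($i ~ /^users:\(\("/) {
                proc = $i
                sub(/^users:\(\("/, "", proc)    # strip up to the opening quote
                sub(/".*/, "", proc)             # keep the first process name
            }
        }
        print port, uid, proc
    }'
}

sample_listeners | wildcard_listeners
```

Run against a live host as `ss -H -O -t -l -n -p -e | wildcard_listeners`; the -p details are shown only for sockets the caller is allowed to inspect, so run it with sufficient privileges for a complete list.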

SEE ALSO
       ip(8),
       RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)

AUTHOR
       ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.

       This manual page was written by Michael Prokop <mika@grml.org> for the
       Debian project (but may be used by others).