1SS(8) System Manager's Manual SS(8)
2
6 ss - another utility to investigate sockets
7
9 ss [options] [ FILTER ]
10
12 ss is used to dump socket statistics. It allows showing information
13 similar to netstat. It can display more TCP and state information than
14 other tools.
15
18 When no option is used ss displays a list of open non-listening sockets
19 (e.g. TCP/UNIX/UDP) that have established connection.
20 -h, --help
22 Show summary of options.
23 -V, --version
25 Output version information.
26 -H, --no-header
28 Suppress header line.
29 -O, --oneline
31 Print each socket's data on a single line.
32 -n, --numeric
34 Do not try to resolve service names. Show exact bandwidth val‐
35 ues, instead of human-readable.
36 -r, --resolve
38 Try to resolve numeric address/ports.
39 -a, --all
41 Display both listening and non-listening (for TCP this means
42 established connections) sockets.
43 -l, --listening
45 Display only listening sockets (these are omitted by default).
46 -o, --options
48 Show timer information. For TCP protocol, the output format is:
49 timer:(<timer_name>,<expire_time>,<retrans>)
51 <timer_name>
53 the name of the timer, there are five kind of timer
54 names:
55 on : means one of these timers: TCP retrans timer, TCP
57 early retrans timer and tail loss probe timer
58 keepalive: tcp keep alive timer
60 timewait: timewait stage timer
62 persist: zero window probe timer
64 unknown: none of the above timers
66 <expire_time>
68 how long time the timer will expire
69 <retrans>
71 how many times the retransmission occured
72 -e, --extended
74 Show detailed socket information. The output format is:
75 uid:<uid_number> ino:<inode_number> sk:<cookie>
77 <uid_number>
79 the user id the socket belongs to
80 <inode_number>
82 the socket's inode number in VFS
83 <cookie>
85 an uuid of the socket
86 -m, --memory
88 Show socket memory usage. The output format is:
89 skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
91 f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
92 bl<back_log>,d<sock_drop>)
93 <rmem_alloc>
95 the memory allocated for receiving packet
96 <rcv_buf>
98 the total memory can be allocated for receiving packet
99 <wmem_alloc>
101 the memory used for sending packet (which has been sent
102 to layer 3)
103 <snd_buf>
105 the total memory can be allocated for sending packet
106 <fwd_alloc>
108 the memory allocated by the socket as cache, but not used
109 for receiving/sending packet yet. If need memory to
110 send/receive packet, the memory in this cache will be
111 used before allocate additional memory.
112 <wmem_queued>
114 The memory allocated for sending packet (which has not
115 been sent to layer 3)
116 <ropt_mem>
118 The memory used for storing socket option, e.g., the key
119 for TCP MD5 signature
120 <back_log>
122 The memory used for the sk backlog queue. On a process
123 context, if the process is receiving packet, and a new
124 packet is received, it will be put into the sk backlog
125 queue, so it can be received by the process immediately
126 <sock_drop>
128 the number of packets dropped before they are de-multi‐
129 plexed into the socket
130 -p, --processes
132 Show process using socket.
133 -i, --info
135 Show internal TCP information. Below fields may appear:
136 ts show string "ts" if the timestamp option is set
138 sack show string "sack" if the sack option is set
140 ecn show string "ecn" if the explicit congestion notification
142 option is set
143 ecnseen
145 show string "ecnseen" if the saw ecn flag is found in
146 received packets
147 fastopen
149 show string "fastopen" if the fastopen option is set
150 cong_alg
152 the congestion algorithm name, the default congestion
153 algorithm is "cubic"
154 wscale:<snd_wscale>:<rcv_wscale>
156 if window scale option is used, this field shows the send
157 scale factor and receive scale factor
158 rto:<icsk_rto>
160 tcp re-transmission timeout value, the unit is millisec‐
161 ond
162 backoff:<icsk_backoff>
164 used for exponential backoff re-transmission, the actual
165 re-transmission timeout value is icsk_rto << icsk_backoff
166 rtt:<rtt>/<rttvar>
168 rtt is the average round trip time, rttvar is the mean
169 deviation of rtt, their units are millisecond
170 ato:<ato>
172 ack timeout, unit is millisecond, used for delay ack mode
173 mss:<mss>
175 max segment size
176 cwnd:<cwnd>
178 congestion window size
179 pmtu:<pmtu>
181 path MTU value
182 ssthresh:<ssthresh>
184 tcp congestion window slow start threshold
185 bytes_acked:<bytes_acked>
187 bytes acked
188 bytes_received:<bytes_received>
190 bytes received
191 segs_out:<segs_out>
193 segments sent out
194 segs_in:<segs_in>
196 segments received
197 send <send_bps>bps
199 egress bps
200 lastsnd:<lastsnd>
202 how long time since the last packet sent, the unit is
203 millisecond
204 lastrcv:<lastrcv>
206 how long time since the last packet received, the unit is
207 millisecond
208 lastack:<lastack>
210 how long time since the last ack received, the unit is
211 millisecond
212 pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
214 the pacing rate and max pacing rate
215 rcv_space:<rcv_space>
217 a helper variable for TCP internal auto tuning socket
218 receive buffer
219 --tos Show ToS and priority information. Below fields may appear:
221 tos IPv4 Type-of-Service byte
223 tclass IPv6 Traffic Class byte
225 class_id
227 Class id set by net_cls cgroup. If class is zero this
228 shows priority set by SO_PRIORITY.
229 -K, --kill
231 Attempts to forcibly close sockets. This option displays sockets
232 that are successfully closed and silently skips sockets that the
233 kernel does not support closing. It supports IPv4 and IPv6 sock‐
234 ets only.
235 -s, --summary
237 Print summary statistics. This option does not parse socket
238 lists obtaining summary from various sources. It is useful when
239 amount of sockets is so huge that parsing /proc/net/tcp is
240 painful.
241 -E, --events
243 Continually display sockets as they are destroyed
244 -Z, --context
246 As the -p option but also shows process security context.
247 For netlink(7) sockets the initiating process context is dis‐
249 played as follows:
250 1. If valid pid show the process context.
252 2. If destination is kernel (pid = 0) show kernel ini‐
254 tial context.
255 3. If a unique identifier has been allocated by the ker‐
257 nel or netlink user, show context as "unavailable".
258 This will generally indicate that a process has more
259 than one netlink socket active.
260 -z, --contexts
262 As the -Z option but also shows the socket context. The socket
263 context is taken from the associated inode and is not the actual
264 socket context held by the kernel. Sockets are typically labeled
265 with the context of the creating process, however the context
266 shown will reflect any policy role, type and/or range transition
267 rules applied, and is therefore a useful reference.
268 -N NSNAME, --net=NSNAME
270 Switch to the specified network namespace name.
271 -b, --bpf
273 Show socket BPF filters (only administrators are allowed to get
274 these information).
275 -4, --ipv4
277 Display only IP version 4 sockets (alias for -f inet).
278 -6, --ipv6
280 Display only IP version 6 sockets (alias for -f inet6).
281 -0, --packet
283 Display PACKET sockets (alias for -f link).
284 -t, --tcp
286 Display TCP sockets.
287 -u, --udp
289 Display UDP sockets.
290 -d, --dccp
292 Display DCCP sockets.
293 -w, --raw
295 Display RAW sockets.
296 -x, --unix
298 Display Unix domain sockets (alias for -f unix).
299 -S, --sctp
301 Display SCTP sockets.
302 --vsock
304 Display vsock sockets (alias for -f vsock).
305 --xdp Display XDP sockets (alias for -f xdp).
307 -f FAMILY, --family=FAMILY
309 Display sockets of type FAMILY. Currently the following fami‐
310 lies are supported: unix, inet, inet6, link, netlink, vsock,
311 xdp.
312 -A QUERY, --query=QUERY, --socket=QUERY
314 List of socket tables to dump, separated by commas. The follow‐
315 ing identifiers are understood: all, inet, tcp, udp, raw, unix,
316 packet, netlink, unix_dgram, unix_stream, unix_seqpacket,
317 packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram,
318 xdp Any item in the list may optionally be prefixed by an excla‐
319 mation mark (!) to exclude that socket table from being dumped.
320 -D FILE, --diag=FILE
322 Do not display anything, just dump raw information about TCP
323 sockets to FILE after applying filters. If FILE is - stdout is
324 used.
325 -F FILE, --filter=FILE
327 Read filter information from FILE. Each line of FILE is inter‐
328 preted like single command line option. If FILE is - stdin is
329 used.
330 FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
332 Please take a look at the official documentation for details
333 regarding filters.
334
337 STATE-FILTER allows to construct arbitrary set of states to match. Its
338 syntax is sequence of keywords state and exclude followed by identifier
339 of state.
340 Available identifiers are:
342 All standard TCP states: established, syn-sent, syn-recv, fin-
344 wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack,
345 listening and closing.
346 all - for all the states
348 connected - all the states except for listening and closed
350 synchronized - all the connected states except for syn-sent
352 bucket - states, which are maintained as minisockets, i.e.
354 time-wait and syn-recv
355 big - opposite to bucket
357
360 ss -t -a
361 Display all TCP sockets.
362 ss -t -a -Z
364 Display all TCP sockets with process SELinux security contexts.
365 ss -u -a
367 Display all UDP sockets.
368 ss -o state established '( dport = :ssh or sport = :ssh )'
370 Display all established ssh connections.
371 ss -x src /tmp/.X11-unix/*
373 Find all local processes connected to X server.
374 ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst
376 193.233.7/24
377 List all the tcp sockets in state FIN-WAIT-1 for our apache to
378 network 193.233.7/24 and look at their timers.
379 ss -a -A 'all,!tcp'
381 List sockets in all states from all socket tables but TCP.
382
384 ip(8),
385 RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
386
389 ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
390 This manual page was written by Michael Prokop <mika@grml.org> for the
392 Debian project (but may be used by others).
393 SS(8)