1SS(8)                       System Manager's Manual                      SS(8)
2
3
4

NAME

6       ss - another utility to investigate sockets
7

SYNOPSIS

9       ss [options] [ FILTER ]
10

DESCRIPTION

12       ss  is  used  to  dump socket statistics. It allows showing information
13       similar to netstat.  It can display more TCP and state information than
14       other tools.
15
16

OPTIONS

18       When no option is used ss displays a list of open non-listening sockets
19       (e.g. TCP/UNIX/UDP) that have established connection.
20
21       -h, --help
22              Show summary of options.
23
24       -V, --version
25              Output version information.
26
27       -H, --no-header
28              Suppress header line.
29
30       -O, --oneline
31              Print each socket's data on a single line.
32
33       -n, --numeric
34              Do not try to resolve service names. Show exact  bandwidth  val‐
35              ues, instead of human-readable.
36
37       -r, --resolve
38              Try to resolve numeric address/ports.
39
40       -a, --all
41              Display  both  listening  and  non-listening (for TCP this means
42              established connections) sockets.
43
44       -l, --listening
45              Display only listening sockets (these are omitted by default).
46
47       -o, --options
48              Show timer information. For TCP protocol, the output format is:
49
50              timer:(<timer_name>,<expire_time>,<retrans>)
51
52              <timer_name>
53                     the name of the timer,  there  are  five  kind  of  timer
54                     names:
55
56                     on  :  means  one of these timers: TCP retrans timer, TCP
57                     early retrans timer and tail loss probe timer
58
59                     keepalive: tcp keep alive timer
60
61                     timewait: timewait stage timer
62
63                     persist: zero window probe timer
64
65                     unknown: none of the above timers
66
67              <expire_time>
68                     how long time the timer will expire
69
70              <retrans>
71                     how many times the retransmission occured
72
73       -e, --extended
74              Show detailed socket information. The output format is:
75
76              uid:<uid_number> ino:<inode_number> sk:<cookie>
77
78              <uid_number>
79                     the user id the socket belongs to
80
81              <inode_number>
82                     the socket's inode number in VFS
83
84              <cookie>
85                     an uuid of the socket
86
87       -m, --memory
88              Show socket memory usage. The output format is:
89
90              skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
91                            f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
92                            bl<back_log>,d<sock_drop>)
93
94              <rmem_alloc>
95                     the memory allocated for receiving packet
96
97              <rcv_buf>
98                     the total memory can be allocated for receiving packet
99
100              <wmem_alloc>
101                     the memory used for sending packet (which has  been  sent
102                     to layer 3)
103
104              <snd_buf>
105                     the total memory can be allocated for sending packet
106
107              <fwd_alloc>
108                     the memory allocated by the socket as cache, but not used
109                     for receiving/sending  packet  yet.  If  need  memory  to
110                     send/receive  packet,  the  memory  in this cache will be
111                     used before allocate additional memory.
112
113              <wmem_queued>
114                     The memory allocated for sending packet  (which  has  not
115                     been sent to layer 3)
116
117              <ropt_mem>
118                     The  memory used for storing socket option, e.g., the key
119                     for TCP MD5 signature
120
121              <back_log>
122                     The memory used for the sk backlog queue.  On  a  process
123                     context,  if  the  process is receiving packet, and a new
124                     packet is received, it will be put into  the  sk  backlog
125                     queue, so it can be received by the process immediately
126
127              <sock_drop>
128                     the  number  of packets dropped before they are de-multi‐
129                     plexed into the socket
130
131       -p, --processes
132              Show process using socket.
133
134       -i, --info
135              Show internal TCP information. Below fields may appear:
136
137              ts     show string "ts" if the timestamp option is set
138
139              sack   show string "sack" if the sack option is set
140
141              ecn    show string "ecn" if the explicit congestion notification
142                     option is set
143
144              ecnseen
145                     show  string  "ecnseen"  if  the saw ecn flag is found in
146                     received packets
147
148              fastopen
149                     show string "fastopen" if the fastopen option is set
150
151              cong_alg
152                     the congestion algorithm  name,  the  default  congestion
153                     algorithm is "cubic"
154
155              wscale:<snd_wscale>:<rcv_wscale>
156                     if window scale option is used, this field shows the send
157                     scale factor and receive scale factor
158
159              rto:<icsk_rto>
160                     tcp re-transmission timeout value, the unit is  millisec‐
161                     ond
162
163              backoff:<icsk_backoff>
164                     used  for exponential backoff re-transmission, the actual
165                     re-transmission timeout value is icsk_rto << icsk_backoff
166
167              rtt:<rtt>/<rttvar>
168                     rtt is the average round trip time, rttvar  is  the  mean
169                     deviation of rtt, their units are millisecond
170
171              ato:<ato>
172                     ack timeout, unit is millisecond, used for delay ack mode
173
174              mss:<mss>
175                     max segment size
176
177              cwnd:<cwnd>
178                     congestion window size
179
180              pmtu:<pmtu>
181                     path MTU value
182
183              ssthresh:<ssthresh>
184                     tcp congestion window slow start threshold
185
186              bytes_acked:<bytes_acked>
187                     bytes acked
188
189              bytes_received:<bytes_received>
190                     bytes received
191
192              segs_out:<segs_out>
193                     segments sent out
194
195              segs_in:<segs_in>
196                     segments received
197
198              send <send_bps>bps
199                     egress bps
200
201              lastsnd:<lastsnd>
202                     how  long  time  since  the last packet sent, the unit is
203                     millisecond
204
205              lastrcv:<lastrcv>
206                     how long time since the last packet received, the unit is
207                     millisecond
208
209              lastack:<lastack>
210                     how  long  time  since the last ack received, the unit is
211                     millisecond
212
213              pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
214                     the pacing rate and max pacing rate
215
216              rcv_space:<rcv_space>
217                     a helper variable for TCP  internal  auto  tuning  socket
218                     receive buffer
219
220              tcp-ulp-mptcp                                  flags:[MmBbJjecv]
221              token:<rem_token(rem_id)/loc_token(loc_id)> seq:<sn> sfseq:<ssn>
222              ssnoff:<off> maplen:<maplen>
223                     MPTCP subflow information
224
225       --tos  Show ToS and priority information. Below fields may appear:
226
227              tos    IPv4 Type-of-Service byte
228
229              tclass IPv6 Traffic Class byte
230
231              class_id
232                     Class  id  set  by  net_cls cgroup. If class is zero this
233                     shows priority set by SO_PRIORITY.
234
235       --cgroup
236              Show cgroup information. Below fields may appear:
237
238              cgroup Cgroup v2 pathname. This  pathname  is  relative  to  the
239                     mount point of the hierarchy.
240
241       -K, --kill
242              Attempts to forcibly close sockets. This option displays sockets
243              that are successfully closed and silently skips sockets that the
244              kernel does not support closing. It supports IPv4 and IPv6 sock‐
245              ets only.
246
247       -s, --summary
248              Print summary statistics. This  option  does  not  parse  socket
249              lists  obtaining summary from various sources. It is useful when
250              amount of sockets is  so  huge  that  parsing  /proc/net/tcp  is
251              painful.
252
253       -E, --events
254              Continually display sockets as they are destroyed
255
256       -Z, --context
257              As the -p option but also shows process security context.
258
259              For  netlink(7)  sockets  the initiating process context is dis‐
260              played as follows:
261
262                     1.  If valid pid show the process context.
263
264                     2.  If destination is kernel (pid = 0) show  kernel  ini‐
265                         tial context.
266
267                     3.  If a unique identifier has been allocated by the ker‐
268                         nel or netlink user, show context  as  "unavailable".
269                         This  will generally indicate that a process has more
270                         than one netlink socket active.
271
272       -z, --contexts
273              As the -Z option but also shows the socket context.  The  socket
274              context is taken from the associated inode and is not the actual
275              socket context held by the kernel. Sockets are typically labeled
276              with  the  context  of the creating process, however the context
277              shown will reflect any policy role, type and/or range transition
278              rules applied, and is therefore a useful reference.
279
280       -N NSNAME, --net=NSNAME
281              Switch to the specified network namespace name.
282
283       -b, --bpf
284              Show  socket BPF filters (only administrators are allowed to get
285              these information).
286
287       -4, --ipv4
288              Display only IP version 4 sockets (alias for -f inet).
289
290       -6, --ipv6
291              Display only IP version 6 sockets (alias for -f inet6).
292
293       -0, --packet
294              Display PACKET sockets (alias for -f link).
295
296       -t, --tcp
297              Display TCP sockets.
298
299       -u, --udp
300              Display UDP sockets.
301
302       -d, --dccp
303              Display DCCP sockets.
304
305       -w, --raw
306              Display RAW sockets.
307
308       -x, --unix
309              Display Unix domain sockets (alias for -f unix).
310
311       -S, --sctp
312              Display SCTP sockets.
313
314       --vsock
315              Display vsock sockets (alias for -f vsock).
316
317       --xdp  Display XDP sockets (alias for -f xdp).
318
319       -f FAMILY, --family=FAMILY
320              Display sockets of type FAMILY.  Currently the  following  fami‐
321              lies  are  supported:  unix,  inet, inet6, link, netlink, vsock,
322              xdp.
323
324       -A QUERY, --query=QUERY, --socket=QUERY
325              List of socket tables to dump, separated by commas. The  follow‐
326              ing  identifiers are understood: all, inet, tcp, udp, raw, unix,
327              packet,  netlink,   unix_dgram,   unix_stream,   unix_seqpacket,
328              packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram,
329              xdp Any item in the list may optionally be prefixed by an excla‐
330              mation mark (!)  to exclude that socket table from being dumped.
331
332       -D FILE, --diag=FILE
333              Do  not  display  anything,  just dump raw information about TCP
334              sockets to FILE after applying filters. If FILE is -  stdout  is
335              used.
336
337       -F FILE, --filter=FILE
338              Read  filter information from FILE.  Each line of FILE is inter‐
339              preted like single command line option. If FILE is  -  stdin  is
340              used.
341
342       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
343              Please  take  a  look  at the official documentation for details
344              regarding filters.
345
346

STATE-FILTER

348       STATE-FILTER allows to construct arbitrary set of states to match.  Its
349       syntax is sequence of keywords state and exclude followed by identifier
350       of state.
351
352       Available identifiers are:
353
354              All standard TCP states: established, syn-sent,  syn-recv,  fin-
355              wait-1,  fin-wait-2,  time-wait,  closed,  close-wait, last-ack,
356              listening and closing.
357
358              all - for all the states
359
360              connected - all the states except for listening and closed
361
362              synchronized - all the connected states except for syn-sent
363
364              bucket - states,  which  are  maintained  as  minisockets,  i.e.
365              time-wait and syn-recv
366
367              big - opposite to bucket
368
369

USAGE EXAMPLES

371       ss -t -a
372              Display all TCP sockets.
373
374       ss -t -a -Z
375              Display all TCP sockets with process SELinux security contexts.
376
377       ss -u -a
378              Display all UDP sockets.
379
380       ss -o state established '( dport = :ssh or sport = :ssh )'
381              Display all established ssh connections.
382
383       ss -x src /tmp/.X11-unix/*
384              Find all local processes connected to X server.
385
386       ss  -o  state  fin-wait-1  '(  sport  =  :http or sport = :https )' dst
387       193.233.7/24
388              List all the tcp sockets in state FIN-WAIT-1 for our  apache  to
389              network 193.233.7/24 and look at their timers.
390
391       ss -a -A 'all,!tcp'
392              List sockets in all states from all socket tables but TCP.
393

SEE ALSO

395       ip(8),
396       RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
397
398

AUTHOR

400       ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
401
402       This  manual page was written by Michael Prokop <mika@grml.org> for the
403       Debian project (but may be used by others).
404
405
406
407                                                                         SS(8)
Impressum