1SS(8) System Manager's Manual SS(8)
2
3
4
6 ss - another utility to investigate sockets
7
9 ss [options] [ FILTER ]
10
12 ss is used to dump socket statistics. It allows showing information
13 similar to netstat. It can display more TCP and state information than
14 other tools.
15
16
18 When no option is used ss displays a list of open non-listening sockets
19 (e.g. TCP/UNIX/UDP) that have established connection.
20
21 -h, --help
22 Show summary of options.
23
24 -V, --version
25 Output version information.
26
27 -H, --no-header
28 Suppress header line.
29
30 -O, --oneline
31 Print each socket's data on a single line.
32
33 -n, --numeric
34 Do not try to resolve service names. Show exact bandwidth val‐
35 ues, instead of human-readable.
36
37 -r, --resolve
38 Try to resolve numeric address/ports.
39
40 -a, --all
41 Display both listening and non-listening (for TCP this means
42 established connections) sockets.
43
44 -l, --listening
45 Display only listening sockets (these are omitted by default).
46
47 -o, --options
48 Show timer information. For TCP protocol, the output format is:
49
50 timer:(<timer_name>,<expire_time>,<retrans>)
51
52 <timer_name>
53 the name of the timer, there are five kind of timer
54 names:
55
56 on : means one of these timers: TCP retrans timer, TCP
57 early retrans timer and tail loss probe timer
58
59 keepalive: tcp keep alive timer
60
61 timewait: timewait stage timer
62
63 persist: zero window probe timer
64
65 unknown: none of the above timers
66
67 <expire_time>
68 how long time the timer will expire
69
70 <retrans>
71 how many times the retransmission occured
72
73 -e, --extended
74 Show detailed socket information. The output format is:
75
76 uid:<uid_number> ino:<inode_number> sk:<cookie>
77
78 <uid_number>
79 the user id the socket belongs to
80
81 <inode_number>
82 the socket's inode number in VFS
83
84 <cookie>
85 an uuid of the socket
86
87 -m, --memory
88 Show socket memory usage. The output format is:
89
90 skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
91 f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
92 bl<back_log>,d<sock_drop>)
93
94 <rmem_alloc>
95 the memory allocated for receiving packet
96
97 <rcv_buf>
98 the total memory can be allocated for receiving packet
99
100 <wmem_alloc>
101 the memory used for sending packet (which has been sent
102 to layer 3)
103
104 <snd_buf>
105 the total memory can be allocated for sending packet
106
107 <fwd_alloc>
108 the memory allocated by the socket as cache, but not used
109 for receiving/sending packet yet. If need memory to
110 send/receive packet, the memory in this cache will be
111 used before allocate additional memory.
112
113 <wmem_queued>
114 The memory allocated for sending packet (which has not
115 been sent to layer 3)
116
117 <ropt_mem>
118 The memory used for storing socket option, e.g., the key
119 for TCP MD5 signature
120
121 <back_log>
122 The memory used for the sk backlog queue. On a process
123 context, if the process is receiving packet, and a new
124 packet is received, it will be put into the sk backlog
125 queue, so it can be received by the process immediately
126
127 <sock_drop>
128 the number of packets dropped before they are de-multi‐
129 plexed into the socket
130
131 -p, --processes
132 Show process using socket.
133
134 -i, --info
135 Show internal TCP information. Below fields may appear:
136
137 ts show string "ts" if the timestamp option is set
138
139 sack show string "sack" if the sack option is set
140
141 ecn show string "ecn" if the explicit congestion notification
142 option is set
143
144 ecnseen
145 show string "ecnseen" if the saw ecn flag is found in
146 received packets
147
148 fastopen
149 show string "fastopen" if the fastopen option is set
150
151 cong_alg
152 the congestion algorithm name, the default congestion
153 algorithm is "cubic"
154
155 wscale:<snd_wscale>:<rcv_wscale>
156 if window scale option is used, this field shows the send
157 scale factor and receive scale factor
158
159 rto:<icsk_rto>
160 tcp re-transmission timeout value, the unit is millisec‐
161 ond
162
163 backoff:<icsk_backoff>
164 used for exponential backoff re-transmission, the actual
165 re-transmission timeout value is icsk_rto << icsk_backoff
166
167 rtt:<rtt>/<rttvar>
168 rtt is the average round trip time, rttvar is the mean
169 deviation of rtt, their units are millisecond
170
171 ato:<ato>
172 ack timeout, unit is millisecond, used for delay ack mode
173
174 mss:<mss>
175 max segment size
176
177 cwnd:<cwnd>
178 congestion window size
179
180 pmtu:<pmtu>
181 path MTU value
182
183 ssthresh:<ssthresh>
184 tcp congestion window slow start threshold
185
186 bytes_acked:<bytes_acked>
187 bytes acked
188
189 bytes_received:<bytes_received>
190 bytes received
191
192 segs_out:<segs_out>
193 segments sent out
194
195 segs_in:<segs_in>
196 segments received
197
198 send <send_bps>bps
199 egress bps
200
201 lastsnd:<lastsnd>
202 how long time since the last packet sent, the unit is
203 millisecond
204
205 lastrcv:<lastrcv>
206 how long time since the last packet received, the unit is
207 millisecond
208
209 lastack:<lastack>
210 how long time since the last ack received, the unit is
211 millisecond
212
213 pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
214 the pacing rate and max pacing rate
215
216 rcv_space:<rcv_space>
217 a helper variable for TCP internal auto tuning socket
218 receive buffer
219
220 tcp-ulp-mptcp flags:[MmBbJjecv]
221 token:<rem_token(rem_id)/loc_token(loc_id)> seq:<sn> sfseq:<ssn>
222 ssnoff:<off> maplen:<maplen>
223 MPTCP subflow information
224
225 --tos Show ToS and priority information. Below fields may appear:
226
227 tos IPv4 Type-of-Service byte
228
229 tclass IPv6 Traffic Class byte
230
231 class_id
232 Class id set by net_cls cgroup. If class is zero this
233 shows priority set by SO_PRIORITY.
234
235 --cgroup
236 Show cgroup information. Below fields may appear:
237
238 cgroup Cgroup v2 pathname. This pathname is relative to the
239 mount point of the hierarchy.
240
241 -K, --kill
242 Attempts to forcibly close sockets. This option displays sockets
243 that are successfully closed and silently skips sockets that the
244 kernel does not support closing. It supports IPv4 and IPv6 sock‐
245 ets only.
246
247 -s, --summary
248 Print summary statistics. This option does not parse socket
249 lists obtaining summary from various sources. It is useful when
250 amount of sockets is so huge that parsing /proc/net/tcp is
251 painful.
252
253 -E, --events
254 Continually display sockets as they are destroyed
255
256 -Z, --context
257 As the -p option but also shows process security context.
258
259 For netlink(7) sockets the initiating process context is dis‐
260 played as follows:
261
262 1. If valid pid show the process context.
263
264 2. If destination is kernel (pid = 0) show kernel ini‐
265 tial context.
266
267 3. If a unique identifier has been allocated by the ker‐
268 nel or netlink user, show context as "unavailable".
269 This will generally indicate that a process has more
270 than one netlink socket active.
271
272 -z, --contexts
273 As the -Z option but also shows the socket context. The socket
274 context is taken from the associated inode and is not the actual
275 socket context held by the kernel. Sockets are typically labeled
276 with the context of the creating process, however the context
277 shown will reflect any policy role, type and/or range transition
278 rules applied, and is therefore a useful reference.
279
280 -N NSNAME, --net=NSNAME
281 Switch to the specified network namespace name.
282
283 -b, --bpf
284 Show socket BPF filters (only administrators are allowed to get
285 these information).
286
287 -4, --ipv4
288 Display only IP version 4 sockets (alias for -f inet).
289
290 -6, --ipv6
291 Display only IP version 6 sockets (alias for -f inet6).
292
293 -0, --packet
294 Display PACKET sockets (alias for -f link).
295
296 -t, --tcp
297 Display TCP sockets.
298
299 -u, --udp
300 Display UDP sockets.
301
302 -d, --dccp
303 Display DCCP sockets.
304
305 -w, --raw
306 Display RAW sockets.
307
308 -x, --unix
309 Display Unix domain sockets (alias for -f unix).
310
311 -S, --sctp
312 Display SCTP sockets.
313
314 --vsock
315 Display vsock sockets (alias for -f vsock).
316
317 --xdp Display XDP sockets (alias for -f xdp).
318
319 -f FAMILY, --family=FAMILY
320 Display sockets of type FAMILY. Currently the following fami‐
321 lies are supported: unix, inet, inet6, link, netlink, vsock,
322 xdp.
323
324 -A QUERY, --query=QUERY, --socket=QUERY
325 List of socket tables to dump, separated by commas. The follow‐
326 ing identifiers are understood: all, inet, tcp, udp, raw, unix,
327 packet, netlink, unix_dgram, unix_stream, unix_seqpacket,
328 packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram,
329 xdp Any item in the list may optionally be prefixed by an excla‐
330 mation mark (!) to exclude that socket table from being dumped.
331
332 -D FILE, --diag=FILE
333 Do not display anything, just dump raw information about TCP
334 sockets to FILE after applying filters. If FILE is - stdout is
335 used.
336
337 -F FILE, --filter=FILE
338 Read filter information from FILE. Each line of FILE is inter‐
339 preted like single command line option. If FILE is - stdin is
340 used.
341
342 FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
343 Please take a look at the official documentation for details
344 regarding filters.
345
346
348 STATE-FILTER allows to construct arbitrary set of states to match. Its
349 syntax is sequence of keywords state and exclude followed by identifier
350 of state.
351
352 Available identifiers are:
353
354 All standard TCP states: established, syn-sent, syn-recv, fin-
355 wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack,
356 listening and closing.
357
358 all - for all the states
359
360 connected - all the states except for listening and closed
361
362 synchronized - all the connected states except for syn-sent
363
364 bucket - states, which are maintained as minisockets, i.e.
365 time-wait and syn-recv
366
367 big - opposite to bucket
368
369
371 ss -t -a
372 Display all TCP sockets.
373
374 ss -t -a -Z
375 Display all TCP sockets with process SELinux security contexts.
376
377 ss -u -a
378 Display all UDP sockets.
379
380 ss -o state established '( dport = :ssh or sport = :ssh )'
381 Display all established ssh connections.
382
383 ss -x src /tmp/.X11-unix/*
384 Find all local processes connected to X server.
385
386 ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst
387 193.233.7/24
388 List all the tcp sockets in state FIN-WAIT-1 for our apache to
389 network 193.233.7/24 and look at their timers.
390
391 ss -a -A 'all,!tcp'
392 List sockets in all states from all socket tables but TCP.
393
395 ip(8),
396 RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
397
398
400 ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
401
402 This manual page was written by Michael Prokop <mika@grml.org> for the
403 Debian project (but may be used by others).
404
405
406
407 SS(8)