1SS(8)                       System Manager's Manual                      SS(8)
2
3
4

NAME

6       ss - another utility to investigate sockets
7

SYNOPSIS

9       ss [options] [ FILTER ]
10

DESCRIPTION

12       ss  is  used  to  dump socket statistics. It allows showing information
13       similar to netstat.  It can display more TCP and state information than
14       other tools.
15
16

OPTIONS

18       When no option is used ss displays a list of open non-listening sockets
19       (e.g. TCP/UNIX/UDP) that have established connection.
20
21       -h, --help
22              Show summary of options.
23
24       -V, --version
25              Output version information.
26
27       -H, --no-header
28              Suppress header line.
29
30       -O, --oneline
31              Print each socket's data on a single line.
32
33       -n, --numeric
34              Do not try to resolve service names. Show exact  bandwidth  val‐
35              ues, instead of human-readable.
36
37       -r, --resolve
38              Try to resolve numeric address/ports.
39
40       -a, --all
41              Display both listening and non-listening (for TCP this means es‐
42              tablished connections) sockets.
43
44       -l, --listening
45              Display only listening sockets (these are omitted by default).
46
47       -o, --options
48              Show timer information. For TCP protocol, the output format is:
49
50              timer:(<timer_name>,<expire_time>,<retrans>)
51
52              <timer_name>
53                     the name of the timer,  there  are  five  kind  of  timer
54                     names:
55
56                     on  :  means  one of these timers: TCP retrans timer, TCP
57                     early retrans timer and tail loss probe timer
58
59                     keepalive: tcp keep alive timer
60
61                     timewait: timewait stage timer
62
63                     persist: zero window probe timer
64
65                     unknown: none of the above timers
66
67              <expire_time>
68                     how long time the timer will expire
69
70              <retrans>
71                     how many times the retransmission occurred
72
73       -e, --extended
74              Show detailed socket information. The output format is:
75
76              uid:<uid_number> ino:<inode_number> sk:<cookie>
77
78              <uid_number>
79                     the user id the socket belongs to
80
81              <inode_number>
82                     the socket's inode number in VFS
83
84              <cookie>
85                     an uuid of the socket
86
87       -m, --memory
88              Show socket memory usage. The output format is:
89
90              skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
91                            f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
92                            bl<back_log>,d<sock_drop>)
93
94              <rmem_alloc>
95                     the memory allocated for receiving packet
96
97              <rcv_buf>
98                     the total memory can be allocated for receiving packet
99
100              <wmem_alloc>
101                     the memory used for sending packet (which has  been  sent
102                     to layer 3)
103
104              <snd_buf>
105                     the total memory can be allocated for sending packet
106
107              <fwd_alloc>
108                     the memory allocated by the socket as cache, but not used
109                     for receiving/sending  packet  yet.  If  need  memory  to
110                     send/receive  packet,  the  memory  in this cache will be
111                     used before allocate additional memory.
112
113              <wmem_queued>
114                     The memory allocated for sending packet  (which  has  not
115                     been sent to layer 3)
116
117              <ropt_mem>
118                     The  memory used for storing socket option, e.g., the key
119                     for TCP MD5 signature
120
121              <back_log>
122                     The memory used for the sk backlog queue.  On  a  process
123                     context,  if  the  process is receiving packet, and a new
124                     packet is received, it will be put into  the  sk  backlog
125                     queue, so it can be received by the process immediately
126
127              <sock_drop>
128                     the  number  of packets dropped before they are de-multi‐
129                     plexed into the socket
130
131       -p, --processes
132              Show process using socket.
133
134       -i, --info
135              Show internal TCP information. Below fields may appear:
136
137              ts     show string "ts" if the timestamp option is set
138
139              sack   show string "sack" if the sack option is set
140
141              ecn    show string "ecn" if the explicit congestion notification
142                     option is set
143
144              ecnseen
145                     show string "ecnseen" if the saw ecn flag is found in re‐
146                     ceived packets
147
148              fastopen
149                     show string "fastopen" if the fastopen option is set
150
151              cong_alg
152                     the congestion algorithm name, the default congestion al‐
153                     gorithm is "cubic"
154
155              wscale:<snd_wscale>:<rcv_wscale>
156                     if window scale option is used, this field shows the send
157                     scale factor and receive scale factor
158
159              rto:<icsk_rto>
160                     tcp re-transmission timeout value, the unit is  millisec‐
161                     ond
162
163              backoff:<icsk_backoff>
164                     used  for exponential backoff re-transmission, the actual
165                     re-transmission timeout value is icsk_rto << icsk_backoff
166
167              rtt:<rtt>/<rttvar>
168                     rtt is the average round trip time, rttvar  is  the  mean
169                     deviation of rtt, their units are millisecond
170
171              ato:<ato>
172                     ack timeout, unit is millisecond, used for delay ack mode
173
174              mss:<mss>
175                     max segment size
176
177              cwnd:<cwnd>
178                     congestion window size
179
180              pmtu:<pmtu>
181                     path MTU value
182
183              ssthresh:<ssthresh>
184                     tcp congestion window slow start threshold
185
186              bytes_acked:<bytes_acked>
187                     bytes acked
188
189              bytes_received:<bytes_received>
190                     bytes received
191
192              segs_out:<segs_out>
193                     segments sent out
194
195              segs_in:<segs_in>
196                     segments received
197
198              send <send_bps>bps
199                     egress bps
200
201              lastsnd:<lastsnd>
202                     how  long  time  since  the last packet sent, the unit is
203                     millisecond
204
205              lastrcv:<lastrcv>
206                     how long time since the last packet received, the unit is
207                     millisecond
208
209              lastack:<lastack>
210                     how  long  time  since the last ack received, the unit is
211                     millisecond
212
213              pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
214                     the pacing rate and max pacing rate
215
216              rcv_space:<rcv_space>
217                     a helper variable for TCP internal auto tuning socket re‐
218                     ceive buffer
219
220              tcp-ulp-mptcp flags:[MmBbJjecv] token:<rem_token(rem_id)/loc_to‐
221              ken(loc_id)> seq:<sn> sfseq:<ssn> ssnoff:<off> maplen:<maplen>
222                     MPTCP subflow information
223
224       --tos  Show ToS and priority information. Below fields may appear:
225
226              tos    IPv4 Type-of-Service byte
227
228              tclass IPv6 Traffic Class byte
229
230              class_id
231                     Class id set by net_cls cgroup. If  class  is  zero  this
232                     shows priority set by SO_PRIORITY.
233
234       --cgroup
235              Show cgroup information. Below fields may appear:
236
237              cgroup Cgroup  v2  pathname.  This  pathname  is relative to the
238                     mount point of the hierarchy.
239
240       -K, --kill
241              Attempts to forcibly close sockets. This option displays sockets
242              that are successfully closed and silently skips sockets that the
243              kernel does not support closing. It supports IPv4 and IPv6 sock‐
244              ets only.
245
246       -s, --summary
247              Print  summary  statistics.  This  option  does not parse socket
248              lists obtaining summary from various sources. It is useful  when
249              amount  of  sockets  is  so  huge  that parsing /proc/net/tcp is
250              painful.
251
252       -E, --events
253              Continually display sockets as they are destroyed
254
255       -Z, --context
256              As the -p option but also shows process security context.
257
258              For netlink(7) sockets the initiating process  context  is  dis‐
259              played as follows:
260
261                     1.  If valid pid show the process context.
262
263                     2.  If  destination  is kernel (pid = 0) show kernel ini‐
264                         tial context.
265
266                     3.  If a unique identifier has been allocated by the ker‐
267                         nel  or  netlink user, show context as "unavailable".
268                         This will generally indicate that a process has  more
269                         than one netlink socket active.
270
271       -z, --contexts
272              As  the  -Z option but also shows the socket context. The socket
273              context is taken from the associated inode and is not the actual
274              socket context held by the kernel. Sockets are typically labeled
275              with the context of the creating process,  however  the  context
276              shown will reflect any policy role, type and/or range transition
277              rules applied, and is therefore a useful reference.
278
279       -N NSNAME, --net=NSNAME
280              Switch to the specified network namespace name.
281
282       -b, --bpf
283              Show socket BPF filters (only administrators are allowed to  get
284              these information).
285
286       -4, --ipv4
287              Display only IP version 4 sockets (alias for -f inet).
288
289       -6, --ipv6
290              Display only IP version 6 sockets (alias for -f inet6).
291
292       -0, --packet
293              Display PACKET sockets (alias for -f link).
294
295       -t, --tcp
296              Display TCP sockets.
297
298       -u, --udp
299              Display UDP sockets.
300
301       -d, --dccp
302              Display DCCP sockets.
303
304       -w, --raw
305              Display RAW sockets.
306
307       -x, --unix
308              Display Unix domain sockets (alias for -f unix).
309
310       -S, --sctp
311              Display SCTP sockets.
312
313       --vsock
314              Display vsock sockets (alias for -f vsock).
315
316       --xdp  Display XDP sockets (alias for -f xdp).
317
318       --inet-sockopt
319              Display inet socket options.
320
321       -f FAMILY, --family=FAMILY
322              Display  sockets  of type FAMILY.  Currently the following fami‐
323              lies are supported: unix, inet,  inet6,  link,  netlink,  vsock,
324              xdp.
325
326       -A QUERY, --query=QUERY, --socket=QUERY
327              List  of socket tables to dump, separated by commas. The follow‐
328              ing identifiers are understood: all, inet, tcp, udp, raw,  unix,
329              packet,   netlink,   unix_dgram,   unix_stream,  unix_seqpacket,
330              packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram,
331              xdp Any item in the list may optionally be prefixed by an excla‐
332              mation mark (!)  to exclude that socket table from being dumped.
333
334       -D FILE, --diag=FILE
335              Do not display anything, just dump  raw  information  about  TCP
336              sockets  to  FILE after applying filters. If FILE is - stdout is
337              used.
338
339       -F FILE, --filter=FILE
340              Read filter information from FILE.  Each line of FILE is  inter‐
341              preted  like  single  command line option. If FILE is - stdin is
342              used.
343
344       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
345              Please take a look at the official documentation for details re‐
346              garding filters.
347
348

STATE-FILTER

350       STATE-FILTER  allows to construct arbitrary set of states to match. Its
351       syntax is sequence of keywords state and exclude followed by identifier
352       of state.
353
354       Available identifiers are:
355
356              All  standard  TCP states: established, syn-sent, syn-recv, fin-
357              wait-1, fin-wait-2,  time-wait,  closed,  close-wait,  last-ack,
358              listening and closing.
359
360              all - for all the states
361
362              connected - all the states except for listening and closed
363
364              synchronized - all the connected states except for syn-sent
365
366              bucket  -  states,  which  are  maintained  as minisockets, i.e.
367              time-wait and syn-recv
368
369              big - opposite to bucket
370
371

USAGE EXAMPLES

373       ss -t -a
374              Display all TCP sockets.
375
376       ss -t -a -Z
377              Display all TCP sockets with process SELinux security contexts.
378
379       ss -u -a
380              Display all UDP sockets.
381
382       ss -o state established '( dport = :ssh or sport = :ssh )'
383              Display all established ssh connections.
384
385       ss -x src /tmp/.X11-unix/*
386              Find all local processes connected to X server.
387
388       ss -o state fin-wait-1 '( sport =  :http  or  sport  =  :https  )'  dst
389       193.233.7/24
390              List  all  the tcp sockets in state FIN-WAIT-1 for our apache to
391              network 193.233.7/24 and look at their timers.
392
393       ss -a -A 'all,!tcp'
394              List sockets in all states from all socket tables but TCP.
395

SEE ALSO

397       ip(8),
398       RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
399
400

AUTHOR

402       ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
403
404       This manual page was written by Michael Prokop <mika@grml.org> for  the
405       Debian project (but may be used by others).
406
407
408
409                                                                         SS(8)
Impressum