1SS(8) System Manager's Manual SS(8)
2
3
4
6 ss - another utility to investigate sockets
7
9 ss [options] [ FILTER ]
10
12 ss is used to dump socket statistics. It allows showing information
13 similar to netstat. It can display more TCP and state information than
14 other tools.
15
16
18 When no option is used ss displays a list of open non-listening sockets
19 (e.g. TCP/UNIX/UDP) that have established connection.
20
21 -h, --help
22 Show summary of options.
23
24 -V, --version
25 Output version information.
26
27 -H, --no-header
28 Suppress header line.
29
30 -O, --oneline
31 Print each socket's data on a single line.
32
33 -n, --numeric
34 Do not try to resolve service names. Show exact bandwidth val‐
35 ues, instead of human-readable.
36
37 -r, --resolve
38 Try to resolve numeric address/ports.
39
40 -a, --all
41 Display both listening and non-listening (for TCP this means es‐
42 tablished connections) sockets.
43
44 -l, --listening
45 Display only listening sockets (these are omitted by default).
46
47 -o, --options
48 Show timer information. For TCP protocol, the output format is:
49
50 timer:(<timer_name>,<expire_time>,<retrans>)
51
52 <timer_name>
53 the name of the timer, there are five kind of timer
54 names:
55
56 on : means one of these timers: TCP retrans timer, TCP
57 early retrans timer and tail loss probe timer
58
59 keepalive: tcp keep alive timer
60
61 timewait: timewait stage timer
62
63 persist: zero window probe timer
64
65 unknown: none of the above timers
66
67 <expire_time>
68 how long time the timer will expire
69
70 <retrans>
71 how many times the retransmission occurred
72
73 -e, --extended
74 Show detailed socket information. The output format is:
75
76 uid:<uid_number> ino:<inode_number> sk:<cookie>
77
78 <uid_number>
79 the user id the socket belongs to
80
81 <inode_number>
82 the socket's inode number in VFS
83
84 <cookie>
85 an uuid of the socket
86
87 -m, --memory
88 Show socket memory usage. The output format is:
89
90 skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
91 f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
92 bl<back_log>,d<sock_drop>)
93
94 <rmem_alloc>
95 the memory allocated for receiving packet
96
97 <rcv_buf>
98 the total memory can be allocated for receiving packet
99
100 <wmem_alloc>
101 the memory used for sending packet (which has been sent
102 to layer 3)
103
104 <snd_buf>
105 the total memory can be allocated for sending packet
106
107 <fwd_alloc>
108 the memory allocated by the socket as cache, but not used
109 for receiving/sending packet yet. If need memory to
110 send/receive packet, the memory in this cache will be
111 used before allocate additional memory.
112
113 <wmem_queued>
114 The memory allocated for sending packet (which has not
115 been sent to layer 3)
116
117 <ropt_mem>
118 The memory used for storing socket option, e.g., the key
119 for TCP MD5 signature
120
121 <back_log>
122 The memory used for the sk backlog queue. On a process
123 context, if the process is receiving packet, and a new
124 packet is received, it will be put into the sk backlog
125 queue, so it can be received by the process immediately
126
127 <sock_drop>
128 the number of packets dropped before they are de-multi‐
129 plexed into the socket
130
131 -p, --processes
132 Show process using socket.
133
134 -i, --info
135 Show internal TCP information. Below fields may appear:
136
137 ts show string "ts" if the timestamp option is set
138
139 sack show string "sack" if the sack option is set
140
141 ecn show string "ecn" if the explicit congestion notification
142 option is set
143
144 ecnseen
145 show string "ecnseen" if the saw ecn flag is found in re‐
146 ceived packets
147
148 fastopen
149 show string "fastopen" if the fastopen option is set
150
151 cong_alg
152 the congestion algorithm name, the default congestion al‐
153 gorithm is "cubic"
154
155 wscale:<snd_wscale>:<rcv_wscale>
156 if window scale option is used, this field shows the send
157 scale factor and receive scale factor
158
159 rto:<icsk_rto>
160 tcp re-transmission timeout value, the unit is millisec‐
161 ond
162
163 backoff:<icsk_backoff>
164 used for exponential backoff re-transmission, the actual
165 re-transmission timeout value is icsk_rto << icsk_backoff
166
167 rtt:<rtt>/<rttvar>
168 rtt is the average round trip time, rttvar is the mean
169 deviation of rtt, their units are millisecond
170
171 ato:<ato>
172 ack timeout, unit is millisecond, used for delay ack mode
173
174 mss:<mss>
175 max segment size
176
177 cwnd:<cwnd>
178 congestion window size
179
180 pmtu:<pmtu>
181 path MTU value
182
183 ssthresh:<ssthresh>
184 tcp congestion window slow start threshold
185
186 bytes_acked:<bytes_acked>
187 bytes acked
188
189 bytes_received:<bytes_received>
190 bytes received
191
192 segs_out:<segs_out>
193 segments sent out
194
195 segs_in:<segs_in>
196 segments received
197
198 send <send_bps>bps
199 egress bps
200
201 lastsnd:<lastsnd>
202 how long time since the last packet sent, the unit is
203 millisecond
204
205 lastrcv:<lastrcv>
206 how long time since the last packet received, the unit is
207 millisecond
208
209 lastack:<lastack>
210 how long time since the last ack received, the unit is
211 millisecond
212
213 pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
214 the pacing rate and max pacing rate
215
216 rcv_space:<rcv_space>
217 a helper variable for TCP internal auto tuning socket re‐
218 ceive buffer
219
220 tcp-ulp-mptcp flags:[MmBbJjecv] token:<rem_token(rem_id)/loc_to‐
221 ken(loc_id)> seq:<sn> sfseq:<ssn> ssnoff:<off> maplen:<maplen>
222 MPTCP subflow information
223
224 --tos Show ToS and priority information. Below fields may appear:
225
226 tos IPv4 Type-of-Service byte
227
228 tclass IPv6 Traffic Class byte
229
230 class_id
231 Class id set by net_cls cgroup. If class is zero this
232 shows priority set by SO_PRIORITY.
233
234 --cgroup
235 Show cgroup information. Below fields may appear:
236
237 cgroup Cgroup v2 pathname. This pathname is relative to the
238 mount point of the hierarchy.
239
240 -K, --kill
241 Attempts to forcibly close sockets. This option displays sockets
242 that are successfully closed and silently skips sockets that the
243 kernel does not support closing. It supports IPv4 and IPv6 sock‐
244 ets only.
245
246 -s, --summary
247 Print summary statistics. This option does not parse socket
248 lists obtaining summary from various sources. It is useful when
249 amount of sockets is so huge that parsing /proc/net/tcp is
250 painful.
251
252 -E, --events
253 Continually display sockets as they are destroyed
254
255 -Z, --context
256 As the -p option but also shows process security context.
257
258 For netlink(7) sockets the initiating process context is dis‐
259 played as follows:
260
261 1. If valid pid show the process context.
262
263 2. If destination is kernel (pid = 0) show kernel ini‐
264 tial context.
265
266 3. If a unique identifier has been allocated by the ker‐
267 nel or netlink user, show context as "unavailable".
268 This will generally indicate that a process has more
269 than one netlink socket active.
270
271 -z, --contexts
272 As the -Z option but also shows the socket context. The socket
273 context is taken from the associated inode and is not the actual
274 socket context held by the kernel. Sockets are typically labeled
275 with the context of the creating process, however the context
276 shown will reflect any policy role, type and/or range transition
277 rules applied, and is therefore a useful reference.
278
279 -N NSNAME, --net=NSNAME
280 Switch to the specified network namespace name.
281
282 -b, --bpf
283 Show socket classic BPF filters (only administrators are allowed
284 to get these information).
285
286 -4, --ipv4
287 Display only IP version 4 sockets (alias for -f inet).
288
289 -6, --ipv6
290 Display only IP version 6 sockets (alias for -f inet6).
291
292 -0, --packet
293 Display PACKET sockets (alias for -f link).
294
295 -t, --tcp
296 Display TCP sockets.
297
298 -u, --udp
299 Display UDP sockets.
300
301 -d, --dccp
302 Display DCCP sockets.
303
304 -w, --raw
305 Display RAW sockets.
306
307 -x, --unix
308 Display Unix domain sockets (alias for -f unix).
309
310 -S, --sctp
311 Display SCTP sockets.
312
313 --vsock
314 Display vsock sockets (alias for -f vsock).
315
316 --xdp Display XDP sockets (alias for -f xdp).
317
318 --inet-sockopt
319 Display inet socket options.
320
321 -f FAMILY, --family=FAMILY
322 Display sockets of type FAMILY. Currently the following fami‐
323 lies are supported: unix, inet, inet6, link, netlink, vsock,
324 xdp.
325
326 -A QUERY, --query=QUERY, --socket=QUERY
327 List of socket tables to dump, separated by commas. The follow‐
328 ing identifiers are understood: all, inet, tcp, udp, raw, unix,
329 packet, netlink, unix_dgram, unix_stream, unix_seqpacket,
330 packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram,
331 xdp Any item in the list may optionally be prefixed by an excla‐
332 mation mark (!) to exclude that socket table from being dumped.
333
334 -D FILE, --diag=FILE
335 Do not display anything, just dump raw information about TCP
336 sockets to FILE after applying filters. If FILE is - stdout is
337 used.
338
339 -F FILE, --filter=FILE
340 Read filter information from FILE. Each line of FILE is inter‐
341 preted like single command line option. If FILE is - stdin is
342 used.
343
344 FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
345 Please take a look at the official documentation for details re‐
346 garding filters.
347
348
350 STATE-FILTER allows to construct arbitrary set of states to match. Its
351 syntax is sequence of keywords state and exclude followed by identifier
352 of state.
353
354 Available identifiers are:
355
356 All standard TCP states: established, syn-sent, syn-recv, fin-
357 wait-1, fin-wait-2, time-wait, closed, close-wait, last-ack,
358 listening and closing.
359
360 all - for all the states
361
362 connected - all the states except for listening and closed
363
364 synchronized - all the connected states except for syn-sent
365
366 bucket - states, which are maintained as minisockets, i.e.
367 time-wait and syn-recv
368
369 big - opposite to bucket
370
371
373 EXPRESSION allows filtering based on specific criteria. EXPRESSION
374 consists of a series of predicates combined by boolean operators. The
375 possible operators in increasing order of precedence are or (or | or
376 ||), and (or & or &&), and not (or !). If no operator is between con‐
377 secutive predicates, an implicit and operator is assumed. Subexpres‐
378 sions can be grouped with "(" and ")".
379
380 The following predicates are supported:
381
382
383 {dst|src} [=] HOST
384 Test if the destination or source matches HOST. See HOST SYNTAX
385 for details.
386
387 {dport|sport} [OP] [FAMILY:]:PORT
388 Compare the destination or source port to PORT. OP can be any of
389 "<", "<=", "=", "!=", ">=" and ">". Following normal arithmetic
390 rules. FAMILY and PORT are as described in HOST SYNTAX below.
391
392 dev [=|!=] DEVICE
393 Match based on the device the connection uses. DEVICE can either
394 be a device name or the index of the interface.
395
396 fwmark [=|!=] MASK
397 Matches based on the fwmark value for the connection. This can
398 either be a specific mark value or a mark value followed by a
399 "/" and a bitmask of which bits to use in the comparison. For
400 example "fwmark = 0x01/0x03" would match if the two least sig‐
401 nificant bits of the fwmark were 0x01.
402
403 cgroup [=|!=] PATH
404 Match if the connection is part of a cgroup at the given path.
405
406 autobound
407 Match if the port or path of the source address was automati‐
408 cally allocated (rather than explicitly specified).
409
410 Most operators have aliases. If no operator is supplied "=" is assumed.
411 Each of the following groups of operators are all equivalent:
412
413 • = == eq
414
415 • != ne neq
416
417 • > gt
418
419 • < lt
420
421 • >= ge geq
422
423 • <= le leq
424
425 • ! not
426
427 • | || or
428
429 • & && and
430
432 The general host syntax is [FAMILY:]ADDRESS[:PORT].
433
434 FAMILY must be one of the families supported by the -f option. If not
435 given it defaults to the family given with the -f option, and if that
436 is also missing, will assume either inet or inet6. Note that all host
437 conditions in the expression should either all be the same family or be
438 only inet and inet6. If there is some other mixture of families, the
439 results will probably be unexpected.
440
441 The form of ADDRESS and PORT depends on the family used. "*" can be
442 used as a wildcard for either the address or port. The details for each
443 family are as follows:
444
445 unix ADDRESS is a glob pattern (see fnmatch(3)) that will be matched
446 case-insensitively against the unix socket's address. Both path
447 and abstract names are supported. Unix addresses do not support
448 a port, and "*" cannot be used as a wildcard.
449
450 link ADDRESS is the case-insensitive name of an Ethernet protocol to
451 match. PORT is either a device name or a device index for the
452 desired link device, as seen in the output of ip link.
453
454 netlink
455 ADDRESS is a descriptor of the netlink family. Possible values
456 come from /etc/iproute2/nl_protos. PORT is the port id of the
457 socket, which is usually the same as the owning process id. The
458 value "kernel" can be used to represent the kernel (port id of
459 0).
460
461 vsock ADDRESS is an integer representing the CID address, and PORT is
462 the port.
463
464 inet and inet6
465 ADDRESS is an ip address (either v4 or v6 depending on the fam‐
466 ily) or a DNS hostname that resolves to an ip address of the re‐
467 quired version. An ipv6 address must be enclosed in "[" and "]"
468 to disambiguate the port separator. The address may additionally
469 have a prefix length given in CIDR notation (a slash followed by
470 the prefix length in bits). PORT is either the numerical socket
471 port, or the service name for the port to match.
472
473
475 ss -t -a
476 Display all TCP sockets.
477
478 ss -t -a -Z
479 Display all TCP sockets with process SELinux security contexts.
480
481 ss -u -a
482 Display all UDP sockets.
483
484 ss -o state established '( dport = :ssh or sport = :ssh )'
485 Display all established ssh connections.
486
487 ss -x src /tmp/.X11-unix/*
488 Find all local processes connected to X server.
489
490 ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst
491 193.233.7/24
492 List all the tcp sockets in state FIN-WAIT-1 for our apache to
493 network 193.233.7/24 and look at their timers.
494
495 ss -a -A 'all,!tcp'
496 List sockets in all states from all socket tables but TCP.
497
499 ip(8),
500 RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
501
502
504 ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
505
506 This manual page was written by Michael Prokop <mika@grml.org> for the
507 Debian project (but may be used by others).
508
509
510
511 SS(8)