1SS(8)                       System Manager's Manual                      SS(8)
2
3
4

NAME

6       ss - another utility to investigate sockets
7

SYNOPSIS

9       ss [options] [ FILTER ]
10

DESCRIPTION

12       ss  is  used  to  dump socket statistics. It allows showing information
13       similar to netstat.  It can display more TCP and state information than
14       other tools.
15
16

OPTIONS

18       When no option is used ss displays a list of open non-listening sockets
19       (e.g. TCP/UNIX/UDP) that have established connection.
20
21       -h, --help
22              Show summary of options.
23
24       -V, --version
25              Output version information.
26
27       -H, --no-header
28              Suppress header line.
29
30       -O, --oneline
31              Print each socket's data on a single line.
32
33       -n, --numeric
34              Do not try to resolve service names. Show exact  bandwidth  val‐
35              ues, instead of human-readable.
36
37       -r, --resolve
38              Try to resolve numeric address/ports.
39
40       -a, --all
41              Display both listening and non-listening (for TCP this means es‐
42              tablished connections) sockets.
43
44       -l, --listening
45              Display only listening sockets (these are omitted by default).
46
47       -o, --options
48              Show timer information. For TCP protocol, the output format is:
49
50              timer:(<timer_name>,<expire_time>,<retrans>)
51
52              <timer_name>
53                     the name of the timer,  there  are  five  kind  of  timer
54                     names:
55
56                     on  :  means  one of these timers: TCP retrans timer, TCP
57                     early retrans timer and tail loss probe timer
58
59                     keepalive: tcp keep alive timer
60
61                     timewait: timewait stage timer
62
63                     persist: zero window probe timer
64
65                     unknown: none of the above timers
66
67              <expire_time>
68                     how long time the timer will expire
69
70              <retrans>
71                     how many times the retransmission occurred
72
73       -e, --extended
74              Show detailed socket information. The output format is:
75
76              uid:<uid_number> ino:<inode_number> sk:<cookie>
77
78              <uid_number>
79                     the user id the socket belongs to
80
81              <inode_number>
82                     the socket's inode number in VFS
83
84              <cookie>
85                     an uuid of the socket
86
87       -m, --memory
88              Show socket memory usage. The output format is:
89
90              skmem:(r<rmem_alloc>,rb<rcv_buf>,t<wmem_alloc>,tb<snd_buf>,
91                            f<fwd_alloc>,w<wmem_queued>,o<opt_mem>,
92                            bl<back_log>,d<sock_drop>)
93
94              <rmem_alloc>
95                     the memory allocated for receiving packet
96
97              <rcv_buf>
98                     the total memory can be allocated for receiving packet
99
100              <wmem_alloc>
101                     the memory used for sending packet (which has  been  sent
102                     to layer 3)
103
104              <snd_buf>
105                     the total memory can be allocated for sending packet
106
107              <fwd_alloc>
108                     the memory allocated by the socket as cache, but not used
109                     for receiving/sending  packet  yet.  If  need  memory  to
110                     send/receive  packet,  the  memory  in this cache will be
111                     used before allocate additional memory.
112
113              <wmem_queued>
114                     The memory allocated for sending packet  (which  has  not
115                     been sent to layer 3)
116
117              <ropt_mem>
118                     The  memory used for storing socket option, e.g., the key
119                     for TCP MD5 signature
120
121              <back_log>
122                     The memory used for the sk backlog queue.  On  a  process
123                     context,  if  the  process is receiving packet, and a new
124                     packet is received, it will be put into  the  sk  backlog
125                     queue, so it can be received by the process immediately
126
127              <sock_drop>
128                     the  number  of packets dropped before they are de-multi‐
129                     plexed into the socket
130
131       -p, --processes
132              Show process using socket.
133
134       -i, --info
135              Show internal TCP information. Below fields may appear:
136
137              ts     show string "ts" if the timestamp option is set
138
139              sack   show string "sack" if the sack option is set
140
141              ecn    show string "ecn" if the explicit congestion notification
142                     option is set
143
144              ecnseen
145                     show string "ecnseen" if the saw ecn flag is found in re‐
146                     ceived packets
147
148              fastopen
149                     show string "fastopen" if the fastopen option is set
150
151              cong_alg
152                     the congestion algorithm name, the default congestion al‐
153                     gorithm is "cubic"
154
155              wscale:<snd_wscale>:<rcv_wscale>
156                     if window scale option is used, this field shows the send
157                     scale factor and receive scale factor
158
159              rto:<icsk_rto>
160                     tcp re-transmission timeout value, the unit is  millisec‐
161                     ond
162
163              backoff:<icsk_backoff>
164                     used  for exponential backoff re-transmission, the actual
165                     re-transmission timeout value is icsk_rto << icsk_backoff
166
167              rtt:<rtt>/<rttvar>
168                     rtt is the average round trip time, rttvar  is  the  mean
169                     deviation of rtt, their units are millisecond
170
171              ato:<ato>
172                     ack timeout, unit is millisecond, used for delay ack mode
173
174              mss:<mss>
175                     max segment size
176
177              cwnd:<cwnd>
178                     congestion window size
179
180              pmtu:<pmtu>
181                     path MTU value
182
183              ssthresh:<ssthresh>
184                     tcp congestion window slow start threshold
185
186              bytes_acked:<bytes_acked>
187                     bytes acked
188
189              bytes_received:<bytes_received>
190                     bytes received
191
192              segs_out:<segs_out>
193                     segments sent out
194
195              segs_in:<segs_in>
196                     segments received
197
198              send <send_bps>bps
199                     egress bps
200
201              lastsnd:<lastsnd>
202                     how  long  time  since  the last packet sent, the unit is
203                     millisecond
204
205              lastrcv:<lastrcv>
206                     how long time since the last packet received, the unit is
207                     millisecond
208
209              lastack:<lastack>
210                     how  long  time  since the last ack received, the unit is
211                     millisecond
212
213              pacing_rate <pacing_rate>bps/<max_pacing_rate>bps
214                     the pacing rate and max pacing rate
215
216              rcv_space:<rcv_space>
217                     a helper variable for TCP internal auto tuning socket re‐
218                     ceive buffer
219
220              tcp-ulp-mptcp flags:[MmBbJjecv] token:<rem_token(rem_id)/loc_to‐
221              ken(loc_id)> seq:<sn> sfseq:<ssn> ssnoff:<off> maplen:<maplen>
222                     MPTCP subflow information
223
224       --tos  Show ToS and priority information. Below fields may appear:
225
226              tos    IPv4 Type-of-Service byte
227
228              tclass IPv6 Traffic Class byte
229
230              class_id
231                     Class id set by net_cls cgroup. If  class  is  zero  this
232                     shows priority set by SO_PRIORITY.
233
234       --cgroup
235              Show cgroup information. Below fields may appear:
236
237              cgroup Cgroup  v2  pathname.  This  pathname  is relative to the
238                     mount point of the hierarchy.
239
240       -K, --kill
241              Attempts to forcibly close sockets. This option displays sockets
242              that are successfully closed and silently skips sockets that the
243              kernel does not support closing. It supports IPv4 and IPv6 sock‐
244              ets only.
245
246       -s, --summary
247              Print  summary  statistics.  This  option  does not parse socket
248              lists obtaining summary from various sources. It is useful  when
249              amount  of  sockets  is  so  huge  that parsing /proc/net/tcp is
250              painful.
251
252       -E, --events
253              Continually display sockets as they are destroyed
254
255       -Z, --context
256              As the -p option but also shows process security context.
257
258              For netlink(7) sockets the initiating process  context  is  dis‐
259              played as follows:
260
261                     1.  If valid pid show the process context.
262
263                     2.  If  destination  is kernel (pid = 0) show kernel ini‐
264                         tial context.
265
266                     3.  If a unique identifier has been allocated by the ker‐
267                         nel  or  netlink user, show context as "unavailable".
268                         This will generally indicate that a process has  more
269                         than one netlink socket active.
270
271       -z, --contexts
272              As  the  -Z option but also shows the socket context. The socket
273              context is taken from the associated inode and is not the actual
274              socket context held by the kernel. Sockets are typically labeled
275              with the context of the creating process,  however  the  context
276              shown will reflect any policy role, type and/or range transition
277              rules applied, and is therefore a useful reference.
278
279       -N NSNAME, --net=NSNAME
280              Switch to the specified network namespace name.
281
282       -b, --bpf
283              Show socket classic BPF filters (only administrators are allowed
284              to get these information).
285
286       -4, --ipv4
287              Display only IP version 4 sockets (alias for -f inet).
288
289       -6, --ipv6
290              Display only IP version 6 sockets (alias for -f inet6).
291
292       -0, --packet
293              Display PACKET sockets (alias for -f link).
294
295       -t, --tcp
296              Display TCP sockets.
297
298       -u, --udp
299              Display UDP sockets.
300
301       -d, --dccp
302              Display DCCP sockets.
303
304       -w, --raw
305              Display RAW sockets.
306
307       -x, --unix
308              Display Unix domain sockets (alias for -f unix).
309
310       -S, --sctp
311              Display SCTP sockets.
312
313       --vsock
314              Display vsock sockets (alias for -f vsock).
315
316       --xdp  Display XDP sockets (alias for -f xdp).
317
318       --inet-sockopt
319              Display inet socket options.
320
321       -f FAMILY, --family=FAMILY
322              Display  sockets  of type FAMILY.  Currently the following fami‐
323              lies are supported: unix, inet,  inet6,  link,  netlink,  vsock,
324              xdp.
325
326       -A QUERY, --query=QUERY, --socket=QUERY
327              List  of socket tables to dump, separated by commas. The follow‐
328              ing identifiers are understood: all, inet, tcp, udp, raw,  unix,
329              packet,   netlink,   unix_dgram,   unix_stream,  unix_seqpacket,
330              packet_raw, packet_dgram, dccp, sctp, vsock_stream, vsock_dgram,
331              xdp Any item in the list may optionally be prefixed by an excla‐
332              mation mark (!)  to exclude that socket table from being dumped.
333
334       -D FILE, --diag=FILE
335              Do not display anything, just dump  raw  information  about  TCP
336              sockets  to  FILE after applying filters. If FILE is - stdout is
337              used.
338
339       -F FILE, --filter=FILE
340              Read filter information from FILE.  Each line of FILE is  inter‐
341              preted  like  single  command line option. If FILE is - stdin is
342              used.
343
344       FILTER := [ state STATE-FILTER ] [ EXPRESSION ]
345              Please take a look at the official documentation for details re‐
346              garding filters.
347
348

STATE-FILTER

350       STATE-FILTER  allows to construct arbitrary set of states to match. Its
351       syntax is sequence of keywords state and exclude followed by identifier
352       of state.
353
354       Available identifiers are:
355
356              All  standard  TCP states: established, syn-sent, syn-recv, fin-
357              wait-1, fin-wait-2,  time-wait,  closed,  close-wait,  last-ack,
358              listening and closing.
359
360              all - for all the states
361
362              connected - all the states except for listening and closed
363
364              synchronized - all the connected states except for syn-sent
365
366              bucket  -  states,  which  are  maintained  as minisockets, i.e.
367              time-wait and syn-recv
368
369              big - opposite to bucket
370
371

EXPRESSION

373       EXPRESSION allows filtering based  on  specific  criteria.   EXPRESSION
374       consists  of  a series of predicates combined by boolean operators. The
375       possible operators in increasing order of precedence are or  (or  |  or
376       ||),  and  (or & or &&), and not (or !). If no operator is between con‐
377       secutive predicates, an implicit and operator  is  assumed.  Subexpres‐
378       sions can be grouped with "(" and ")".
379
380       The following predicates are supported:
381
382
383       {dst|src} [=] HOST
384              Test  if the destination or source matches HOST. See HOST SYNTAX
385              for details.
386
387       {dport|sport} [OP] [FAMILY:]:PORT
388              Compare the destination or source port to PORT. OP can be any of
389              "<",  "<=", "=", "!=", ">=" and ">". Following normal arithmetic
390              rules. FAMILY and PORT are as described in HOST SYNTAX below.
391
392       dev [=|!=] DEVICE
393              Match based on the device the connection uses. DEVICE can either
394              be a device name or the index of the interface.
395
396       fwmark [=|!=] MASK
397              Matches  based  on the fwmark value for the connection. This can
398              either be a specific mark value or a mark value  followed  by  a
399              "/"  and  a  bitmask of which bits to use in the comparison. For
400              example "fwmark = 0x01/0x03" would match if the two  least  sig‐
401              nificant bits of the fwmark were 0x01.
402
403       cgroup [=|!=] PATH
404              Match if the connection is part of a cgroup at the given path.
405
406       autobound
407              Match  if  the  port or path of the source address was automati‐
408              cally allocated (rather than explicitly specified).
409
410       Most operators have aliases. If no operator is supplied "=" is assumed.
411       Each of the following groups of operators are all equivalent:
412
413              • = == eq
414
415              • != ne neq
416
417              • > gt
418
419              • < lt
420
421              • >= ge geq
422
423              • <= le leq
424
425              • ! not
426
427              • | || or
428
429              • & && and
430

HOST SYNTAX

432       The general host syntax is [FAMILY:]ADDRESS[:PORT].
433
434       FAMILY  must  be one of the families supported by the -f option. If not
435       given it defaults to the family given with the -f option, and  if  that
436       is  also  missing, will assume either inet or inet6. Note that all host
437       conditions in the expression should either all be the same family or be
438       only  inet  and  inet6. If there is some other mixture of families, the
439       results will probably be unexpected.
440
441       The form of ADDRESS and PORT depends on the family  used.  "*"  can  be
442       used as a wildcard for either the address or port. The details for each
443       family are as follows:
444
445       unix   ADDRESS is a glob pattern (see fnmatch(3)) that will be  matched
446              case-insensitively  against the unix socket's address. Both path
447              and abstract names are supported. Unix addresses do not  support
448              a port, and "*" cannot be used as a wildcard.
449
450       link   ADDRESS  is the case-insensitive name of an Ethernet protocol to
451              match. PORT is either a device name or a device  index  for  the
452              desired link device, as seen in the output of ip link.
453
454       netlink
455              ADDRESS  is  a descriptor of the netlink family. Possible values
456              come from /etc/iproute2/nl_protos. PORT is the port  id  of  the
457              socket,  which is usually the same as the owning process id. The
458              value "kernel" can be used to represent the kernel (port  id  of
459              0).
460
461       vsock  ADDRESS  is an integer representing the CID address, and PORT is
462              the port.
463
464       inet and inet6
465              ADDRESS is an ip address (either v4 or v6 depending on the  fam‐
466              ily) or a DNS hostname that resolves to an ip address of the re‐
467              quired version. An ipv6 address must be enclosed in "[" and  "]"
468              to disambiguate the port separator. The address may additionally
469              have a prefix length given in CIDR notation (a slash followed by
470              the  prefix length in bits). PORT is either the numerical socket
471              port, or the service name for the port to match.
472
473

USAGE EXAMPLES

475       ss -t -a
476              Display all TCP sockets.
477
478       ss -t -a -Z
479              Display all TCP sockets with process SELinux security contexts.
480
481       ss -u -a
482              Display all UDP sockets.
483
484       ss -o state established '( dport = :ssh or sport = :ssh )'
485              Display all established ssh connections.
486
487       ss -x src /tmp/.X11-unix/*
488              Find all local processes connected to X server.
489
490       ss -o state fin-wait-1 '( sport =  :http  or  sport  =  :https  )'  dst
491       193.233.7/24
492              List  all  the tcp sockets in state FIN-WAIT-1 for our apache to
493              network 193.233.7/24 and look at their timers.
494
495       ss -a -A 'all,!tcp'
496              List sockets in all states from all socket tables but TCP.
497

SEE ALSO

499       ip(8),
500       RFC 793 - https://tools.ietf.org/rfc/rfc793.txt (TCP states)
501
502

AUTHOR

504       ss was written by Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>.
505
506       This manual page was written by Michael Prokop <mika@grml.org> for  the
507       Debian project (but may be used by others).
508
509
510
511                                                                         SS(8)
Impressum